Statistical zero-knowledge and analysis of rank-metric zero-knowledge proofs of knowledge

A series of Stern-like Code-Based Zero-Knowledge Proofs of Knowledge (CBZKPoKs) in the rank setting have been proposed since 2011. These CBZKPoKs (RStern, RJKPT, RVDC, RankId, RCVE, RVeronID) are rank metric adaptations of Stern, JKPT, AGS, CVE, and Veron protocols in the Hamming setting. RVeronID has been analyzed and the witness can be recovered because improper permutation leaks the information of witness. However, there are several open problems in the rest of rank metric CBZKPoKs: (1) statistical zero -knowledge property; (2) security and completeness. In this paper, we deeply analyze rank metric permutation and its cryptographic properties, and rigorously show that RStern and RJKPT can achieve statistical zero-knowledge property. We then analyze RVDC, RankId, and RCVE and show that they do not satisfy completeness and RVDC can be broken by the rank support learning attack. To repair and strengthen security, we reconstruct the rank metric protocols (RAGS and RVeron), in which two protocols work on random linear codes without the limitation of cyclic structure. The performance analysis shows that: their communication costs (20 KB and 26 KB) are the lowest among existing Stern-like CBZKPoKs for 128-bit security. When compared with lattice-based zero-knowledge proofs of knowledge with a non-negligible soundness error such as improved Stern (PKC 2013), Bootle et al. (CRYPTO 2019), and Beullens (EUROCRYPT 2020), our protocols perform a significant advantage in communication costs.(c) 2023 Elsevier B.V. All rights reserved.