If j = 2 it sends c 1 ,c 2 and c 3 such that:

c 1 = hash ( x ) ,c 2 = hash ( Q ∗ xP ) ,c 3 = hash ( Q ∗

( x + z ) P )

2. B chooses b ∈{

.

3. If b =0, S sends x , Q and P .

If b =1, S sends x , Q and P .

If b =2, S sends Q ∗ xP and Q ∗ zP .

0 , 1 , 2

}

4. If b = j the execution works (it was made for it) and the simulator saves the

execution, otherwise the simulator restarts this execution.

The simulation succeeds if it can save l executions of this scheme with b = j .This

can be done in about 3 l executions since the probability that b = j is

1

3 .The

simulator creates a simulated execution of the protocol which is indistinguishable

from a real execution because of the use of the hash function, it was not the case

in the Chen protocol. The value x , Q and P are clearly constructed with a uni-

form distribution, which is the same as the distribution given by Q ∗

( x + s ) P in

the real scheme. The last value z has the same distribution as the value Q ∗ sP

because of the use of Q and P . Indeed, if Q and P are randomly chosen, for s a

vector of rank r , we saw in Section 2.2 that the vector Q ∗ sP could be any vector

of rank r with a uniform probability. It is possible for the simulator to guess in ad-

vance all challenge values b with a uniform distribution. All distributions are equal

to those in the real scheme, it makes this simulator indistinguishable from a real

execution. With this simulator anyone can simulate an execution of the scheme

without knowing the secret key, which proves the zero-knowledge property.

Remark: This proof is made possible because of the use of matrices P and Q on

one hand and of the hash function on the other hand which assure the indistin-

guishability between a real execution of the protocol and a simulation. The Chen

protocol did not use these features, for instance for l executions of the Chen pro-

tocol it is possible to distinguish between random words z of rank r (in the sim-

ulation) and vectors sP which by construction always belong to the same vector

space. The same phenomenon occurs with the use of hash functions in the com-

mitment step.

7 Parameters, Improvements and Comparison

7.1 Parameters

The soundness proof we proposed in the previous section enables us to take for

the weight of the secret s a value just below the minimum distance of the code. If

one considers random codes, it is known that with high probability they lie on the

Gilbert-Varshamov bound (cf. [9] for the details on the exact formulae for these

parameters). If we consider, q =2 ,n =20 ,m =20and k =11oneobtainsa

minimal distance of 7, hence we can take r = 6 for the rank weight of the secret.

In that case the known attacks lead to a complexity of at least 2 83 operations.