IMPERSONATION ATTACK ON THE STRONG IDENTIFICATION BASED ON A HARD-ON-AVERAGE PROBLEM

Abstract

Abstract. In this paper, we analyze a zero-knowledge identificationscheme presented in [1], which is based on an average-case hard prob-lem, called distributional matrix representability problem . On the con-trary to the soundness property claimed in [1], we show that a simpleimpersonation attack is feasible. 1. IntroductionZero-knowledge proof is an interactive method for one party to convinceanother of knowledge of a secret without revealing any information on thesecret. It has been used in authentication systems where a prover wants toprove her identity to a verifier via some secret information, but does not wantthe verifier or a wiretapper to learn anything about the secret. The zero-knowledge proof must satisfy completeness, soundness, and zero-knowledgeproperty. Completeness is satisfied if an honest verifier always verifies an hon-est prover. Soundness is satisfied if no cheating prover can convince an honestverifier of knowledge of the secret. Zero-knowledge property stipulates that nocheating verifier learns any information on the secret except the fact that theprover knows the secret. Zero-knowledge proofs was introduced in the semi-nal paper of Goldwasser, Micali, and Rackoff [3] and realized as Fiat-Shamirscheme and Schnorr’s scheme [2, 6]. They are based on well known problemsin number theory such like integer factoring problem and discrete logarithmproblem. Since there are no proofs on the hardness of these problems, cryptog-raphers have published alternative schemes based on NP-complete problems incombinatorics, coding theory, graph theory, and so on.NP-complete problems are widely used as basis of cryptographic protocols.However, most of NP-complete problems allow for efficient solvers on randominstances, making useless their worst-case difficulty. For this reason, Levin et al.introduced a notion of