Paper 2025/359

A Note on Zero-Knowledge Simulator of the CROSS Identification Protocol

Shai Levin, University of Auckland
Abstract

We point out a flaw in zero-knowledge of the CROSS identification protocol, $\textsf{CROSS-ID}$, which allows a distinguisher to distinguish real and simulated transcripts given access to the witness. Moreover, we show that the real and simulated transcripts are not statistically indistinguishable, and therefore the protocol can only satisfy weak computational (rather than strong, statistical or perfect) Honest Verifier Zero-knowledge. This issue is still present in version 2.0 updated on January 31, 2025, which resolves the security losses attained via the attacks of [BLP+25].

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
NIST-signatures, Cryptanalysis, zero-knowledge, code-based cryptography
Contact author(s)
shai levin @ auckland ac nz
History
2025-03-04: approved
2025-02-25: received
Short URL
https://ia.cr/2025/359
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/359,
      author = {Shai Levin},
      title = {A Note on Zero-Knowledge Simulator of the {CROSS} Identification Protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/359},
      year = {2025},
      url = {https://eprint.iacr.org/2025/359}
}