Zero-knowledge authentication schemes from actions on graphs, groups, or rings

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

We propose a general way of constructing zero-knowledge authentication schemes from actions of a semigroup on a set, without exploiting any specific algebraic properties of the set acted upon. Then we give several concrete realizations of this general idea, and in particular, we describe several zero-knowledge authentication schemes where forgery (a.k.a. impersonation) is NP-hard. Computationally hard problems that can be employed in these realizations include (Sub)graph Isomorphism, Graph Colorability, Diophantine Problem, and many others.


💡 Research Summary

The paper introduces a unified framework for constructing zero‑knowledge authentication (ZKA) protocols based on the action of a semigroup (or partial semigroup) on a set. The authors argue that any action that is efficiently computable in the forward direction but hard to invert can serve as the cryptographic primitive. Building on this observation, they present two generic Feige‑Fiat‑Shamir‑type protocols.

Protocol I uses a public key consisting of a semigroup S, a set X, a public element x∈X and a commitment u = s(x) for a secret element s∈S. During authentication, the prover (Alice) picks a random t∈S and sends v = t(u) as a commitment. The verifier (Bob) issues a random challenge bit c. If c = 0, Alice reveals t; Bob checks v = t(u). If c = 1, Alice reveals the composition ts; Bob checks v = ts(x). Successful forgery requires the adversary to produce a valid response for both challenges, which is equivalent to finding the secret s.
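As an added illustration (this is not code from the paper), the following block writes Protocol I against an abstract action, with `act`, `compose` and `sample` supplied by the caller, and then instantiates it with the Graph Isomorphism action of Sym(n) on graphs (item 1 of the list below). The edge-set encoding of graphs, the tuple encoding of permutations and the sample graph are my own choices. The `cheating_round` function shows the soundness argument from the summary: a prover that does not hold s can prepare an answer for one challenge bit only, so each round catches it with probability 1/2.

```python
import secrets

rng = secrets.SystemRandom()

# ---- Protocol I, generically: a semigroup S acts on a set X ----------------
# act(s, x) computes s(x); compose(t, s) returns the product "ts", which must
# satisfy act(compose(t, s), x) == act(t, act(s, x)); sample() draws a random
# element of S. Public key: (x, u = s(x)); secret: s.

def keygen(x, act, sample):
    s = sample()
    return (x, act(s, x)), s

def prover_commit(pub, act, sample):
    t = sample()
    return t, act(t, pub[1])                       # commitment v = t(u)

def prover_respond(t, s, c, compose):
    return t if c == 0 else compose(t, s)          # reveal t, or the product ts

def verifier_check(pub, v, c, resp, act):
    x, u = pub
    return v == (act(resp, u) if c == 0 else act(resp, x))   # v = t(u) or v = ts(x)

def run_rounds(pub, s, act, compose, sample, rounds=32):
    """Honest prover and verifier; each round uses a fresh random challenge bit."""
    for _ in range(rounds):
        t, v = prover_commit(pub, act, sample)
        c = rng.randrange(2)
        if not verifier_check(pub, v, c, prover_respond(t, s, c, compose), act):
            return False
    return True

# ---- Instantiation: Graph Isomorphism ---------------------------------------
# X = graphs on vertices 0..N-1 (frozenset of 2-element frozensets),
# S = Sym(N), a permutation being a tuple with perm[i] = image of vertex i.
N = 6

def relabel(perm, graph):
    return frozenset(frozenset((perm[a], perm[b])) for a, b in map(tuple, graph))

def compose_perm(t, s):
    return tuple(t[s[i]] for i in range(len(s)))  # (ts)(i) = t(s(i))

def random_perm():
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

# Constructed sample graph (assumption, not from the paper): a 6-cycle with one chord.
GAMMA = frozenset(frozenset(e) for e in
                  [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3)])

def cheating_round(pub, guess, actual):
    """A prover without s can prepare for one challenge bit only.
    guess=0: commit v = t(u) and reveal t; guess=1: commit v = r(x) and pass r
    off as 'ts'. The verifier accepts exactly when the guess equals the real
    bit (unless u == x, i.e. s happens to be an automorphism of the graph)."""
    x, u = pub
    resp = random_perm()
    v = relabel(resp, u) if guess == 0 else relabel(resp, x)
    return verifier_check(pub, v, actual, resp, relabel)

if __name__ == "__main__":
    pub, s = keygen(GAMMA, relabel, random_perm)
    print("honest prover accepted:", run_rounds(pub, s, relabel, compose_perm, random_perm))
    print("cheater with wrong guess:", cheating_round(pub, 0, 1), cheating_round(pub, 1, 0))
```

The `compose` contract is what makes the c = 1 check work: the verifier only ever applies a single element to x or u, so it never needs to invert anything, which is exactly the one-way-action requirement the summary describes.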

Protocol II assumes the public set S possesses a property P that is preserved under isomorphisms. The prover’s secret is a witness that S indeed has property P. Alice sends an isomorphic copy S₁ as a commitment. Upon challenge c = 0 she reveals the isomorphism φ : S → S₁; upon c = 1 she provides a proof that S₁ has property P. Forgery is thus equivalent to constructing a proof that S has property P, a task that can be instantiated with any NP‑hard search problem.

The authors instantiate these abstract protocols with several concrete, well‑studied computational problems, each known (or believed) to be NP‑hard or even undecidable in the worst case:

  1. Graph Isomorphism (GI) – Public key: two isomorphic graphs Γ and Γ₁; secret: a specific isomorphism φ. Authentication proceeds by committing a third graph Γ₂ = ψ(Γ₁) for a random ψ, then revealing ψ or ψ∘φ depending on the challenge. Forgery reduces to finding an isomorphism between Γ and Γ₁. Although GI is not known to be NP‑complete, the promise version (finding an explicit isomorphism) is believed to be hard.

  2. Subgraph Isomorphism (SGI) – Public key: a small graph Γ and a larger graph Λ₁ that contains Γ as a subgraph; secret: the embedding φ : Γ → Λ₁. The prover commits a larger graph Λ₂ containing a transformed copy of Γ, then reveals the embedding or its composition with a random automorphism. Since SGI is NP‑complete, forging the protocol is NP‑hard.

  3. Graph k‑Colorability – Public key: a k‑colorable graph Γ; secret: a concrete k‑coloring. The prover commits an isomorphic copy Γ₁, then either reveals the isomorphism or a k‑coloring of Γ₁. Forgery requires solving the k‑coloring problem, which is NP‑complete.

  4. Endomorphism Problem in Groups/Rings – Public key: a group (or ring) G together with elements g, h such that there exists an endomorphism φ with φ(g)=h; secret: such an endomorphism. The prover commits v = ψ(h) for a random automorphism ψ, then reveals ψ or ψ∘φ. For certain platforms (e.g., free metabelian groups of rank 2) the endomorphism problem is known to be NP‑hard or even undecidable, making forgery computationally infeasible.
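Protocol II with the k-colorability instantiation (item 3), as an added example that is not code from the paper: the public key is a 3-colorable graph, the secret witness is a proper 3-coloring, the commitment is an isomorphic copy, and the c = 1 response transports the coloring to that copy. The graph, the coloring and the bipartite decoy used by the cheating prover are constructed for this example. The `cheating_round` function again shows that without the witness a prover can satisfy only the challenge it guessed, which is what the repeated rounds discussed later amplify.

```python
import secrets

rng = secrets.SystemRandom()

N, K = 6, 3   # vertices 0..N-1, K colors

# Constructed sample graph (assumption, not from the paper): it contains the
# triangle (0, 1, 2), so it needs all three colors.
GAMMA = frozenset(frozenset(e) for e in
                  [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4), (4, 0), (4, 5), (5, 1)])
# The secret witness: a proper 3-coloring of GAMMA (vertex -> color).
COLORING = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1, 5: 2}

def relabel(perm, graph):
    return frozenset(frozenset((perm[a], perm[b])) for a, b in map(tuple, graph))

def random_perm():
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

def is_proper_coloring(graph, col, k=K):
    """The efficiently checkable 'proof that the graph has property P'."""
    return (all(col.get(v) in range(k) for v in range(N))
            and all(col[a] != col[b] for a, b in map(tuple, graph)))

def prover_commit(gamma):
    phi = random_perm()
    return phi, relabel(phi, gamma)                 # Gamma_1 = phi(Gamma)

def prover_respond(phi, col, c):
    if c == 0:
        return phi                                  # reveal the isomorphism
    return {phi[v]: col[v] for v in range(N)}       # the coloring carried over to Gamma_1

def verifier_check(gamma, gamma1, c, resp):
    if c == 0:
        return gamma1 == relabel(resp, gamma)
    return len(gamma1) == len(gamma) and is_proper_coloring(gamma1, resp)

def run_rounds(gamma, col, rounds=32):
    """Honest execution; each round draws a fresh challenge bit."""
    for _ in range(rounds):
        phi, gamma1 = prover_commit(gamma)
        c = rng.randrange(2)
        if not verifier_check(gamma, gamma1, c, prover_respond(phi, col, c)):
            return False
    return True

def cheating_round(gamma, guess, actual):
    """Without a coloring the prover can satisfy only the challenge it guesses.
    guess=0: commit a genuine isomorphic copy but have no coloring to show;
    guess=1: commit a bipartite graph with the same edge count, which it can
    2-color but which is not isomorphic to gamma (gamma has a triangle)."""
    if guess == 0:
        phi, gamma1 = prover_commit(gamma)
        answers = {0: phi, 1: {v: 0 for v in range(N)}}   # placeholder, not a witness
    else:
        left, right = range(0, N // 2), range(N // 2, N)
        pairs = [(a, b) for a in left for b in right]
        rng.shuffle(pairs)
        gamma1 = frozenset(frozenset(e) for e in pairs[:len(gamma)])
        answers = {0: random_perm(), 1: {v: (0 if v in left else 1) for v in range(N)}}
    return verifier_check(gamma, gamma1, actual, answers[actual])

if __name__ == "__main__":
    print("witness valid:", is_proper_coloring(GAMMA, COLORING))
    print("honest prover accepted:", run_rounds(GAMMA, COLORING))
    print("cheater with wrong guess:", cheating_round(GAMMA, 0, 1), cheating_round(GAMMA, 1, 0))
```

Note that the verifier's c = 1 branch checks the coloring against the committed copy, never against the public graph, so a single round reveals either the relabeling or a coloring of a freshly relabeled graph, but never both for the same graph; that is the zero-knowledge side of the construction, while the `cheating_round` outcomes are the soundness side.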

Each concrete scheme includes practical considerations: representation of graphs by adjacency matrices, encoding of permutations (≈ n·log n bits), and verification of automorphisms or endomorphisms via group presentations. The authors stress that the security of these protocols relies not merely on worst‑case hardness but on “generic‑NP” hardness, meaning that a random instance drawn from the natural distribution remains hard with overwhelming probability—a property essential for cryptographic security.

The protocols are designed to be repeated multiple times; each round halves the probability of a successful impersonation, leading to exponential security amplification. The paper also discusses the need for efficient generation of random isomorphisms (citing known algorithms) and the feasibility of checking whether a given map respects the defining relations of the underlying algebraic structure.

In conclusion, the work broadens the landscape of zero‑knowledge authentication by abstracting it to semigroup actions and then grounding it in a variety of combinatorial and algebraic problems whose hardness is well‑studied. By showing that impersonation in each instantiated protocol is equivalent to solving an NP‑hard (or harder) problem, the authors provide a compelling argument for the practical security of these schemes and open avenues for further exploration of other hard problems as cryptographic primitives.

