Advertisement

G-Merkle: A Hash-Based Group Signature Scheme from Standard Assumptions

  • Rachid El Bansarkhani
  • Rafael Misoczki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)

Abstract

Hash-based signature schemes are the most promising cryptosystem candidates in a post-quantum world, but offer little structure to enable more sophisticated constructions such as group signatures. Group signatures allow a group member to anonymously sign messages on behalf of the whole group (as needed for anonymous remote attestation). In this work, we introduce G-Merkle, the first (stateful) hash-based group signature scheme. Our proposal relies on minimal assumptions, namely the existence of one-way functions, and offers performance equivalent to the Merkle single-signer setting. The public key size (as small as in the single-signer setting) outperforms all other post-quantum group signatures. Moreover, for N group members issuing at most B signatures each, the size of a hash-based group signature is just as large as a Merkle signature with a tree composed by \(N\cdot B\) leaf nodes. This directly translates into fast signing and verification engines. Different from lattice-based counterparts, our construction does not require any random oracle. Note that due to the randomized structure of our Merkle tree, the signature authentication paths are pre-stored or deduced from a public tree, which seems a requirement hard to circumvent. To conclude, we present implementation results to demonstrate the practicality of our proposal.

Keywords

Group signatures Hash-based signatures Post-quantum cryptography 

Notes

Acknowledgements

We thank Andreas Hülsing for engaging in helpful discussions and the anonymous reviewers for providing detailed comments.

References

  1. [ACJT00]
    Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_16CrossRefGoogle Scholar
  2. [AW04]
    Abdalla, M., Warinschi, B.: On the minimal assumptions of group signature schemes. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 1–13. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30191-2_1CrossRefGoogle Scholar
  3. [BBS04]
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-28628-8_3CrossRefGoogle Scholar
  4. [BDH11]
    Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25405-5_8CrossRefGoogle Scholar
  5. [BDS08]
    Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-88403-3_5CrossRefGoogle Scholar
  6. [BL09]
    Brickell, E., Li, J.: Enhanced privacy ID from bilinear pairing (2009)Google Scholar
  7. [BMW03]
    Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-39200-9_38CrossRefGoogle Scholar
  8. [BSZ05]
    Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30574-3_11CrossRefGoogle Scholar
  9. [BW06]
    Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_26CrossRefGoogle Scholar
  10. [BW07]
    Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-71677-8_1CrossRefGoogle Scholar
  11. [CG05]
    Camenisch, J., Groth, J.: Group signatures: better efficiency and new theoretical aspects. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 120–133. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30598-9_9CrossRefGoogle Scholar
  12. [CL02]
    Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45708-9_5CrossRefGoogle Scholar
  13. [CL04]
    Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-28628-8_4CrossRefGoogle Scholar
  14. [Cv91]
    Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991).  https://doi.org/10.1007/3-540-46416-6_22Google Scholar
  15. [DP06]
    Delerablée, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006).  https://doi.org/10.1007/11958239_13CrossRefGoogle Scholar
  16. [ELL+15]
    Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 260–285. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48797-6_12CrossRefGoogle Scholar
  17. [GGM86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  18. [GKV10]
    Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-17373-8_23CrossRefGoogle Scholar
  19. [GMO16]
    Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, pp. 1069–1083. USENIX (2016)Google Scholar
  20. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th Annual ACM Symposium on Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 212–219. ACM Press (1996)Google Scholar
  21. [Gro07]
    Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_10CrossRefGoogle Scholar
  22. [HBGM18]
    Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: extended hash-based signatures. Technical report, Internet Draft draft-irtf-cfrg-xmss-hash-based-signatures-12 (2018). https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/
  23. [HILL93]
    Hstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: Construction of a pseudo-random generator from any one-way function. SIAM J. Comput. 28, 12–24 (1993)Google Scholar
  24. [HRB13]
    Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40588-4_14CrossRefGoogle Scholar
  25. [Hül13]
    Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38553-7_10CrossRefGoogle Scholar
  26. [IR89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, 14–17 May 1989, Seattle, Washington, USA, pp. 44–61 (1989)Google Scholar
  27. [LLLS13]
    Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-42045-0_3CrossRefGoogle Scholar
  28. [LLNW14]
    Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54631-0_20CrossRefGoogle Scholar
  29. [LNW15]
    Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46447-2_19Google Scholar
  30. [LR86]
    Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986).  https://doi.org/10.1007/3-540-39799-X_34CrossRefGoogle Scholar
  31. [Mer90]
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990).  https://doi.org/10.1007/0-387-34805-0_21CrossRefGoogle Scholar
  32. [MKF+16]
    McGrew, D., Kampanakis, P., Fluhrer, S., Gazdag, S.-L., Butin, D., Buchmann, J.: State management for hash-based signatures. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 244–260. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-49100-4_11CrossRefGoogle Scholar
  33. [MV03]
    Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_17CrossRefGoogle Scholar
  34. [NR96]
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-rackoff revisited. IACR ePrint 1996:11 (1996)Google Scholar
  35. [NSA15]
    National Security Agency NSA: Commercial national security algorithm suite (2015). https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
  36. [NZZ15]
    Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46447-2_18Google Scholar
  37. [oSN16]
    National Institute of Standards and Technology NIST: Post-quantum crypto project (2016). http://csrc.nist.gov/groups/ST/post-quantum-crypto/
  38. [PQC16]
    PQCRYPTO: Post-quantum cryptography for long-term security pqcrypto ict-645622 (2016). https://pqcrypto.eu.org/
  39. [Rog04]
    Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-25937-4_22CrossRefGoogle Scholar
  40. [Sho94]
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, 20–22 November 1994, pp. 124–134. IEEE Computer Society Press (1994)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Technische Universität DarmstadtDarmstadtGermany
  2. 2.Intel CorporationSanta ClaraUSA

Personalised recommendations