DGM: A Dynamic and Revocable Group Merkle Signature

Abstract

Group signatures are considered as one of the most prominent cryptographic primitives to ensure privacy. In essence, group signatures ensure the authenticity of messages while the author of the message remains anonymous. In this study, we propose a dynamic post-quantum group signature (GS) extending the static G-Merkle group signature (PQCRYPTO 2018). In particular, our dynamic G-Merkle (DGM) allows new users to join the group at any time. Similar to G-Merkle scheme, our DGM only involves symmetric primitives and makes use of a One-Time Signature scheme (OTS). Each member of the group receives a certain amount of OTS key pairs and can ask the Manager \(\mathcal {M}\) for more if needed. Our DGM also provides an innovative way of signing revocation by employing Symmetric Puncturable Encryption (SPE) recently appeared in (ACM CCS 2018). DGM provides a significantly smaller signature size than other GSs based on symmetric primitives and also reduces the influence of the number of group members on the signature size and on the limitations of the application of G-Merkle.

Appendices

A Security Games

To prove the security of a DGS, we defined games (see Fig. 4, where unrestricted queries means that the oracle can be called multiple time). An adversary \(\mathcal {A}\) can call the following oracles:

Oracles:

• \(Setup(\lambda ,\mathsf {DGS.set})\): runs the set up algorithm according to the parameters \(\lambda \) and \(\mathsf {DGS.set}\).

• \(Chal_b(\mathsf {id}_{\mathcal {U}}^1,\mathsf {id}_{\mathcal {U}}^2,m,\mathsf {DGS.param})\): returns the signature of \(\mathsf {id}_{\mathcal {U}}^b\) for \( b \in \{ 0,1 \}\)

• \(AddMember(\mathsf {id}_{\mathcal {U}})\): adds a new honest member \(\mathsf {id}_{\mathcal {U}}\) to the group.

• \(addCorruptMember(\mathsf {id}_{\mathcal {U}})\): creates a new corrupted member. \(\mathcal {A}\) will have access to all private information of corrupted members.

• \(Corrupt(\mathsf {id}_{\mathcal {U}})\): returns one OTS key pair of the non-corrupted member \(\mathsf {id}_{\mathcal {U}}\).

• \(Open(m,\mathsf {DGS}.\sigma )\): returns the identity of the author of \(\mathsf {DGS}.\sigma \).

• \(Sign(m,\mathsf {id}_{\mathcal {U}})\): returns a valid signature from the user \(\mathsf {id}_{\mathcal {U}}\) for the message m.

Fig. 4.

Security games

B Symmetric Primitives

The second part of the Appendix provides the definition of symmetric primitives used.

Hash Function:

A hash function \(H:\{ 0,1 \}^* \rightarrow \{ 0,1 \}^\lambda \) is a function which takes as input a message x of any length and outputs the hash value h with the length n of x. A hash function is characterized by three properties:

• One-wayness: A function is one way if and only if knowing a hash value h is unfeasible in polynomial time to find x such that \(h=H(x)\).

• Collision Resistance: A function achieves collision resistance if and only if a polynomial time algorithm which finds \(x_0\) and \(x_1\) such that \(x_0 \ne x_1\) and \(H(x_0)=H(x_1) \) do not exist.

• Second Pre-image Resistance: A function achieves second pre-image resistance if and only if knowing a pair \((x_0,H(x_0))\) it is unfeasible for a polynomial time algorithm to find another input \(x_1\) such that \(H(x_1)=H(x_0)\).

Symmetric Encryption: [29] is composed of the following algorithms:

• \(\mathsf {SE.KeyGen}(1^\lambda )=\mathsf {SE.sk}\): This algorithm takes as input the security parameter and outputs a secret key \(\in \{0,1\}^\lambda \)

• \(\mathsf {SE.Enc}(p,\mathsf {SE.sk})=c\): the encryption takes as input the secret key \( \mathsf {SE.sk}\in \{0,1\}^\lambda \) and a plaintext \(p\in \{0,1\}^\lambda \), outputs the ciphertext \(c\in \{0,1\}^\lambda \).

• \(\mathsf {SE.Dec}(c,\mathsf {SE.sk})=p\): the decryption takes as input the secret key \(sk\in \{0,1\}^\lambda \) and a ciphertext \(c\in \{0,1\}^\lambda \), outputs the plaintext \(p\in \{0,1\}^\lambda \).

Semantical Security: Let be \(\mathsf {SE}=(\mathsf {SE.KeyGen},\mathsf {SE.Enc},\mathsf {SE.Dec})\) be symmetric cryptosystem. We say that \(\mathsf {SE}\) is \(\mathsf {IND-CPA}\) secure if the advantage of an adversary

$$\begin{aligned} \begin{aligned} \mathsf {Adv}_{\mathsf {SE.sk}}^{\mathsf {IND-CPA}}=| \Pr [\mathcal {A}(\mathsf {SE.Enc}(p_0,\mathsf {SE.sk})=1]- \Pr [\mathcal {A}(\mathsf {SE.Enc}(p_1,\mathsf {SE.sk})=0] | \\ < \textsf {negl}(\lambda ), \end{aligned} \end{aligned}$$

(7)

when \(\mathcal {A}\) can choose \(p_0\) and \(p_1\) and for a security parameters \(\lambda \).

One-Time Signature (OTS):

One-Time Signature schemes (OTS) can sign a message once. An OTS scheme is a digital signature scheme constructed with the help of three algorithms: \(\mathsf {OTS.KeyGen}\), \(\mathsf {OTS.Sign}\) and \(\mathsf {OTS.Verify}\).

• \(\mathsf {OTS.KeyGen}(1^\lambda )=(\mathsf {OTS.pk},\mathsf {OTS.priv})\) generates one key pair, one public key \(\mathsf {OTS.pk}\), and one private key \(\mathsf {OTS.priv}\), depending on the security wanted \(\lambda \).

• \(\mathsf {OTS.Sign}(m,\mathsf {OTS.priv})=\mathsf {OTS}.\sigma \) signs a digital message m with the private key \(\mathsf {OTS.priv}\). It outputs a valid digital signature \(\mathsf {OTS}.\sigma \).

• \(\mathsf {OTS.Verify}(m,\mathsf {OTS}.\sigma , \mathsf {OTS.pk})=0/1\) is a deterministic algorithm which verifies the validity of a signature \(\mathsf {OTS}.\sigma \) for a message m with the public key \(\mathsf {OTS.pk}\).

OTS security: We assume that a secure OTS scheme achieves unforgeability and key one-wayness.

Unforgeability means that for a security parameter \(\lambda \)

$$\begin{aligned} \Pr [\mathsf {OTS.Verify}(m,\mathsf {OTS}.\sigma ', \mathsf {OTS.pk})]=1 < \textsf {negl}(\lambda ) \end{aligned}$$

if an adversary generates a signature \(\mathsf {OTS}.\sigma '\) from \(\mathsf {OTS.pk}\).

Key one-wayness means that knowing \(\mathsf {OTS.pk}\) it is unfeasible in polynomial time to recover the corresponding \(\mathsf {OTS.priv}\).