Abstract
Group signatures are considered one of the most prominent cryptographic primitives for ensuring privacy. In essence, a group signature ensures the authenticity of a message while the author of the message remains anonymous. In this study, we propose a dynamic post-quantum group signature (GS) extending the static G-Merkle group signature (PQCRYPTO 2018). In particular, our dynamic G-Merkle (DGM) allows new users to join the group at any time. Similar to the G-Merkle scheme, our DGM involves only symmetric primitives and makes use of a One-Time Signature scheme (OTS). Each member of the group receives a certain number of OTS key pairs and can ask the Manager \(\mathcal {M}\) for more if needed. Our DGM also provides an innovative way of revoking signatures by employing Symmetric Puncturable Encryption (SPE), which recently appeared in ACM CCS 2018. DGM provides a significantly smaller signature size than other GSs based on symmetric primitives, and it also reduces the influence of the number of group members on the signature size and on the applicability of G-Merkle.
References
PQC. https://csrc.nist.gov/projects/post-quantum-cryptography
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: ACM CCS, pp. 2087–2104. ACM (2017)
Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_28
Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38
Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11
Boneh, D., Eskandarian, S., Fisch, B.: Post-quantum EPID group signatures from symmetric primitives. Technical report, Cryptology ePrint Archive, report 2018/261 (2018). https://eprint.iacr.org/2018/261
Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J.: Foundations of fully dynamic group signatures. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 117–136. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_7
Chalkias, K., Brown, J., Hearn, M., Lillehagen, T., Nitto, I., Schroeter, T.: Blockchained post-quantum signatures (2018)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM CCS, pp. 1825–1842. ACM (2017)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
El Bansarkhani, R., Misoczki, R.: G-Merkle: a hash-based group signature scheme from standard assumptions. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 441–463. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_21
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: USENIX Security, pp. 1069–1083 (2016)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM (JACM) 38(3), 690–728 (1991)
Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_23
Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 79–102. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_4
Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. Technical report, Cryptology ePrint Archive, report 2018/475 (2018)
Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_3
Lamport, L.: Constructing digital signatures from a one-way function. Technical report CSL-98, SRI International, Palo Alto (1979)
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1
Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_19
Ling, S., Nguyen, K., Wang, H., Xu, Y.: Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 293–312. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_15
Ling, S., Nguyen, K., Wang, H., Xu, Y.: Constant-size group signatures from lattices. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 58–88. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_3
McIlroy, P.: Optimistic sorting and information theoretic complexity. In: Proceedings of the Fourth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 467–474. Society for Industrial and Applied Mathematics (1993)
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Sun, S.-F., et al.: Practical backward-secure searchable encryption from symmetric puncturable encryption. In: ACM CCS 2018, pp. 763–780. ACM (2018)
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
Appendices
A Security Games
To prove the security of a DGS, we define games (see Fig. 4, where "unrestricted queries" means that the oracle can be called multiple times). An adversary \(\mathcal {A}\) can call the following oracles:
Oracles:
- \(Setup(\lambda ,\mathsf {DGS.set})\): runs the setup algorithm according to the parameters \(\lambda \) and \(\mathsf {DGS.set}\).
- \(Chal_b(\mathsf {id}_{\mathcal {U}}^1,\mathsf {id}_{\mathcal {U}}^2,m,\mathsf {DGS.param})\): returns the signature of \(\mathsf {id}_{\mathcal {U}}^b\) for \( b \in \{ 0,1 \}\).
- \(AddMember(\mathsf {id}_{\mathcal {U}})\): adds a new honest member \(\mathsf {id}_{\mathcal {U}}\) to the group.
- \(addCorruptMember(\mathsf {id}_{\mathcal {U}})\): creates a new corrupted member. \(\mathcal {A}\) will have access to all private information of corrupted members.
- \(Corrupt(\mathsf {id}_{\mathcal {U}})\): returns one OTS key pair of the non-corrupted member \(\mathsf {id}_{\mathcal {U}}\).
- \(Open(m,\mathsf {DGS}.\sigma )\): returns the identity of the author of \(\mathsf {DGS}.\sigma \).
- \(Sign(m,\mathsf {id}_{\mathcal {U}})\): returns a valid signature from the user \(\mathsf {id}_{\mathcal {U}}\) for the message m.
B Symmetric Primitives
The second part of the Appendix provides the definitions of the symmetric primitives used.
Hash Function:
A hash function \(H:\{ 0,1 \}^* \rightarrow \{ 0,1 \}^\lambda \) is a function which takes as input a message x of any length and outputs a hash value h of fixed length \(\lambda \). A hash function is characterized by three properties:
- One-wayness: A function is one-way if and only if, given a hash value h, it is infeasible in polynomial time to find x such that \(h=H(x)\).
- Collision Resistance: A function achieves collision resistance if and only if no polynomial-time algorithm exists which finds \(x_0\) and \(x_1\) such that \(x_0 \ne x_1\) and \(H(x_0)=H(x_1) \).
- Second Pre-image Resistance: A function achieves second pre-image resistance if and only if, given a pair \((x_0,H(x_0))\), it is infeasible for a polynomial-time algorithm to find another input \(x_1 \ne x_0\) such that \(H(x_1)=H(x_0)\).
Symmetric Encryption: A symmetric encryption scheme [29] is composed of the following algorithms:
- \(\mathsf {SE.KeyGen}(1^\lambda )=\mathsf {SE.sk}\): this algorithm takes as input the security parameter and outputs a secret key \(\mathsf {SE.sk}\in \{0,1\}^\lambda \).
- \(\mathsf {SE.Enc}(p,\mathsf {SE.sk})=c\): the encryption takes as input the secret key \( \mathsf {SE.sk}\in \{0,1\}^\lambda \) and a plaintext \(p\in \{0,1\}^\lambda \), and outputs the ciphertext \(c\in \{0,1\}^\lambda \).
- \(\mathsf {SE.Dec}(c,\mathsf {SE.sk})=p\): the decryption takes as input the secret key \(\mathsf {SE.sk}\in \{0,1\}^\lambda \) and a ciphertext \(c\in \{0,1\}^\lambda \), and outputs the plaintext \(p\in \{0,1\}^\lambda \).
Semantic Security: Let \(\mathsf {SE}=(\mathsf {SE.KeyGen},\mathsf {SE.Enc},\mathsf {SE.Dec})\) be a symmetric cryptosystem. We say that \(\mathsf {SE}\) is \(\mathsf {IND-CPA}\) secure if the advantage of an adversary \(\mathcal {A}\) is negligible
when \(\mathcal {A}\) can choose \(p_0\) and \(p_1\), for a security parameter \(\lambda \).
One-Time Signature (OTS):
One-Time Signature schemes (OTS) can sign a message once. An OTS scheme is a digital signature scheme constructed with the help of three algorithms: \(\mathsf {OTS.KeyGen}\), \(\mathsf {OTS.Sign}\) and \(\mathsf {OTS.Verify}\).
- \(\mathsf {OTS.KeyGen}(1^\lambda )=(\mathsf {OTS.pk},\mathsf {OTS.priv})\) generates one key pair, consisting of one public key \(\mathsf {OTS.pk}\) and one private key \(\mathsf {OTS.priv}\), for the desired security parameter \(\lambda \).
- \(\mathsf {OTS.Sign}(m,\mathsf {OTS.priv})=\mathsf {OTS}.\sigma \) signs a digital message m with the private key \(\mathsf {OTS.priv}\). It outputs a valid digital signature \(\mathsf {OTS}.\sigma \).
- \(\mathsf {OTS.Verify}(m,\mathsf {OTS}.\sigma , \mathsf {OTS.pk})=0/1\) is a deterministic algorithm which verifies the validity of a signature \(\mathsf {OTS}.\sigma \) for a message m with the public key \(\mathsf {OTS.pk}\).
OTS security: We assume that a secure OTS scheme achieves unforgeability and key one-wayness.
Unforgeability means that for a security parameter \(\lambda \)
if an adversary generates a signature \(\mathsf {OTS}.\sigma '\) from \(\mathsf {OTS.pk}\).
Key one-wayness means that knowing \(\mathsf {OTS.pk}\) it is unfeasible in polynomial time to recover the corresponding \(\mathsf {OTS.priv}\).
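As an added worked example, not code from the paper, the following instantiates the OTS interface above with a Lamport-style scheme whose hash function H is SHA-256 (so \(\lambda = 256\)), and adds a hypothetical stateful wrapper that enforces the one-time property by refusing to sign twice with the same key pair, which is the check a group member's signing code needs before asking the Manager for a fresh pair.

```python
import hashlib
import os

LAMBDA = 256  # security parameter in bits; H outputs lambda-bit digests

def H(data: bytes) -> bytes:
    """Hash function H: {0,1}^* -> {0,1}^lambda, instantiated with SHA-256."""
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    """Big-endian bit list of a digest (lambda entries)."""
    return [(byte >> (7 - j)) & 1 for byte in digest for j in range(8)]

def ots_keygen():
    """OTS.KeyGen(1^lambda): priv = lambda pairs of random secrets, pk = their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(LAMBDA)]
    pk = [(H(s0), H(s1)) for s0, s1 in priv]
    return pk, priv

def ots_sign(m: bytes, priv):
    """OTS.Sign(m, priv): for each bit of H(m), reveal the matching secret."""
    return [priv[i][b] for i, b in enumerate(_bits(H(m)))]

def ots_verify(m: bytes, sig, pk) -> bool:
    """OTS.Verify(m, sig, pk) -> 0/1: hash each revealed secret and compare with pk."""
    if len(sig) != LAMBDA:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(H(m)))))

class OneTimeSigner:
    """Hypothetical stateful wrapper (assumption, not from the paper).
    Two signatures under one key pair expose both secrets at every position where
    the two digests differ, so the key must sign exactly once; the wrapper enforces
    that and the caller must obtain a fresh pair afterwards."""
    def __init__(self):
        self.pk, self._priv = ots_keygen()
        self.used = False

    def sign(self, m: bytes):
        if self.used:
            raise RuntimeError("OTS key pair already used; request a fresh pair")
        self.used = True
        return ots_sign(m, self._priv)
```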
© 2019 Springer Nature Switzerland AG
Cite this paper
Buser, M., Liu, J.K., Steinfeld, R., Sakzad, A., Sun, S.-F. (2019). DGM: A Dynamic and Revocable Group Merkle Signature. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_10
DOI: https://doi.org/10.1007/978-3-030-29959-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0