G-Merkle: A Hash-Based Group Signature Scheme From Standard Assumptions

Hash-based signature schemes are the most promising cryptosystem candidates in a post-quantum world, but offer little structure to enable more sophisticated constructions such as group signatures. Group signatures allow a group member to anonymously sign messages on behalf of the whole group (as needed for anonymous remote attestation). In this work, we introduce G-Merkle, the first (stateful) hash-based group signature scheme. Our proposal relies on minimal assumptions, namely the existence of one-way functions, and offers performance equivalent to the Merkle single-signer setting. The public key size (as small as in the single-signer setting) outperforms all other post-quantum group signatures. Moreover, for N group members issuing at most B signatures each, the size of a hash-based group signature is just as large as a Merkle signature with a tree composed by \(N\cdot B\) leaf nodes. This directly translates into fast signing and verification engines. Different from lattice-based counterparts, our construction does not require any random oracle. Note that due to the randomized structure of our Merkle tree, the signature authentication paths are pre-stored or deduced from a public tree, which seems a requirement hard to circumvent. To conclude, we present implementation results to demonstrate the practicality of our proposal.

[1]  Scott R. Fluhrer,et al.  State Management for Hash-Based Signatures , 2016, SSR.

[2]  Aziz Mohaisen,et al.  XMSS: eXtended Merkle Signature Scheme , 2018, RFC.

[3]  Jesper Madsen,et al.  ZKBoo: Faster Zero-Knowledge for Boolean Circuits , 2016, USENIX Security Symposium.

[4]  Bogdan Warinschi,et al.  On the Minimal Assumptions of Group Signature Schemes , 2004, ICICS.

[5]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[6]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[7]  Andreas Hülsing,et al.  W-OTS+ - Shorter Signatures for Hash-Based Signature Schemes , 2013, AFRICACRYPT.

[8]  Phillip Rogaway,et al.  Nonce-Based Symmetric Encryption , 2004, FSE.

[9]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[10]  Zhenfeng Zhang,et al.  Simpler Efficient Group Signatures from Lattices , 2015, Public Key Cryptography.

[11]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1985, CRYPTO.

[12]  Johannes A. Buchmann,et al.  XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions , 2011, IACR Cryptol. ePrint Arch..

[13]  David Pointcheval,et al.  Dynamic Fully Anonymous Short Group Signatures , 2006, VIETCRYPT.

[14]  Jiangtao Li,et al.  Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities , 2007, IEEE Transactions on Dependable and Secure Computing.

[15]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[16]  Jiangtao Li,et al.  Enhanced Privacy ID from Bilinear Pairing for Hardware Authentication and Attestation , 2010, 2010 IEEE Second International Conference on Social Computing.

[17]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[18]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[19]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[20]  Brent Waters,et al.  Full-Domain Subgroup Hiding and Constant-Size Group Signatures , 2007, Public Key Cryptography.

[21]  Denis Butin,et al.  XMSS: Extended Hash-Based Signatures , 2015 .

[22]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[23]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[24]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[25]  Moni Naor,et al.  On the Construction of Pseudorandom Permutations: Luby—Rackoff Revisited , 1996, Journal of Cryptology.

[26]  Damien Stehlé,et al.  Lattice-Based Group Signatures with Logarithmic Signature Size , 2013, ASIACRYPT.

[27]  Huaxiong Wang,et al.  Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based , 2015, Public Key Cryptography.

[28]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[29]  Lea Rausch,et al.  Optimal Parameters for XMSS MT , 2013, CD-ARES Workshops.

[30]  Moni Naor,et al.  On the construction of pseudo-random permutations: Luby-Rackoff revisited (extended abstract) , 1997, STOC '97.

[31]  Jonathan Katz,et al.  A Group Signature Scheme from Lattice Assumptions , 2010, IACR Cryptol. ePrint Arch..

[32]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[33]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[34]  Huaxiong Wang,et al.  Provably Secure Group Signature Schemes From Code-Based Assumptions , 2015, IEEE Transactions on Information Theory.

[35]  Brent Waters,et al.  Compact Group Signatures Without Random Oracles , 2006, EUROCRYPT.

[36]  Michael Schneider,et al.  Merkle Tree Traversal Revisited , 2008, PQCrypto.

[37]  Johan Hstad,et al.  Construction of a pseudo-random generator from any one-way function , 1989 .

[38]  Jan Camenisch,et al.  Group Signatures: Better Efficiency and New Theoretical Aspects , 2004, SCN.

[39]  Huaxiong Wang,et al.  Lattice-based Group Signature Scheme with Verifier-local Revocation , 2014, IACR Cryptol. ePrint Arch..

[40]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.