GMMT: A Revocable Group Merkle Multi-Tree Signature Scheme

G-Merkle (GM) (PQCrypto 2018) is the first hash-based group signature scheme, in which it was stated that multi-tree approaches are not applicable, thus limiting the maximum number of supported signatures to 2. DGM (ESORICS 2019) is a dynamic and revocable GM-based group signature scheme that utilizes a computationally expensive puncturable encryption for revocation and requires interaction between verifiers and the group manager for signature verification. In this paper, we propose GMMT, a hash-based group signature scheme that provides solutions to the aforementioned challenges of the two schemes. GMMT builds on GM and adopts a multi-tree construction that constructs new GM trees to assign new signing leaves while keeping the group public key unchanged. Compared to a single GM instance, which enables 2 signatures, GMMT allows growing the multi-tree structure adaptively to support 2 signatures under the same public key. Moreover, GMMT has a revocation mechanism that attains linkable anonymity of revoked signatures and has logarithmic verification computational complexity, compared to the linear complexity of DGM. The group manager in GMMT requires storage that is linear in the number of members, while the corresponding storage in DGM is linear in the number of signatures supported by the system. Concretely, for a system that supports 2 signatures with 2 members and provides 256-bit security, the required storage of the group manager is 1 MB (resp. 10 TB) in GMMT (resp. DGM).
