Paper 2021/1496
Security Analysis Of DGM and GM Group Signature Schemes Instantiated With XMSS-T
Mahmoud Yehia, Riham AlTawy, and T. Aaron Gulliver
Abstract
Group Merkle (GM) (PQCrypto 2018) and Dynamic Group Merkle (DGM) (ESORICS 2019) are recent proposals for post-quantum hash-based group signature schemes. They are designed as generic constructions that employ any stateful Merkle hash-based signature scheme. XMSS-T (PKC 2016, RFC 8391) is the latest stateful Merkle hash-based signature scheme, and it comes with (almost) optimal parameters. In this paper, we show that the setup phase of both GM and DGM does not enable drop-in instantiation with XMSS-T, which restricts both designs to earlier XMSS versions with sub-optimal parameters and negatively affects the performance of both schemes. Thus, we provide a tweak to the setup phase of GM and DGM that overcomes this limitation and enables the adoption of XMSS-T. Moreover, we analyze the bit security of DGM when instantiated with XMSS-T and show that it is susceptible to multi-target attacks because of its parallel Signing Merkle Trees (SMT) approach. More precisely, when DGM is used to sign 2^64 messages, its bit security is 44 bits less than that of XMSS-T. Finally, we provide a DGM variant that mitigates multi-target attacks and show that it attains the same bit security as XMSS-T.
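The multi-target effect the abstract refers to can be seen in a small simulation. This is an added toy example, not code from the paper: it uses SHA-256 truncated to a few bits as a stand-in hash, an "unkeyed" mode in which every leaf digest is computed the same way (so one guess can match any of the N targets across the parallel trees), and an "address-keyed" mode that binds a constructed (tree, position) address into each hash call, in the spirit of XMSS-T's per-call keying, so that each guess can only hit the single target the attacker committed to.

```python
import hashlib

T_BITS = 18        # toy hash width (constructed; real schemes use 256 bits)
N_TARGETS = 4096   # leaves across parallel trees that an attacker may aim at


def toy_hash(data: bytes, t_bits: int = T_BITS) -> int:
    """SHA-256 truncated to t_bits: a constructed stand-in for the scheme's hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - t_bits)


def leaf_hash(addr: int, msg: bytes, keyed: bool) -> int:
    # keyed=True mimics XMSS-T: the address (tree, position) is bound into the
    # hash call, so a digest computed for one address says nothing about another.
    prefix = addr.to_bytes(4, "big") if keyed else b""
    return toy_hash(prefix + msg)


def make_targets(n: int, keyed: bool) -> dict:
    """Constructed leaf digests indexed by address, standing in for SMT leaves."""
    return {a: leaf_hash(a, b"leaf-%d" % a, keyed) for a in range(n)}


def trials_to_hit(targets: dict, keyed: bool, max_trials: int = 1 << 21):
    """Brute force until a fresh input collides with some target; return trial count."""
    by_digest = {d: a for a, d in targets.items()}
    addrs = list(targets)
    for trial in range(1, max_trials + 1):
        cand = b"fresh-%d" % trial
        if keyed:
            # The address is part of the input, so this guess is checked against
            # exactly one target: the one the attacker committed to for this guess.
            addr = addrs[trial % len(addrs)]
            if leaf_hash(addr, cand, True) == targets[addr]:
                return trial
        elif toy_hash(cand) in by_digest:
            # Unkeyed: a single hash evaluation is compared with all N targets.
            return trial
    return None


def run_simulation(n: int = N_TARGETS) -> dict:
    return {"unkeyed": trials_to_hit(make_targets(n, False), False),
            "keyed": trials_to_hit(make_targets(n, True), True)}


if __name__ == "__main__":
    r = run_simulation()
    print("unkeyed (multi-target) trials:", r["unkeyed"],
          "expected about", (1 << T_BITS) // N_TARGETS)
    print("address-keyed trials:", r["keyed"], "expected about", 1 << T_BITS)
```

The unkeyed search needs roughly 2^t / N hashes while the keyed one needs roughly 2^t, which is the log2(N) loss that multi-target attacks inflict on a design whose hash calls are not separated per target.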
Metadata
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. INSCRYPT 2021
- Keywords
- Hash-based group signatures
- Contact author(s)
- raltawy @ uvic ca
- History
- 2021-11-15: received
- Short URL
- https://ia.cr/2021/1496
- License
- CC BY
BibTeX
@misc{cryptoeprint:2021/1496,
  author = {Mahmoud Yehia and Riham AlTawy and T. Aaron Gulliver},
  title = {Security Analysis Of {DGM} and {GM} Group Signature Schemes Instantiated With {XMSS}-T},
  howpublished = {Cryptology {ePrint} Archive, Paper 2021/1496},
  year = {2021},
  url = {https://eprint.iacr.org/2021/1496}
}