Event Details

Post-Quantum Hash-Based Group Signature Schemes

Presenter: Mahmoud Mahmoud
Supervisor:

Date: Fri, August 6, 2021
Time: 11:00:00 - 00:00:00
Place: ZOOM - Please see below.

ABSTRACT

Zoom Meeting Link:  https://uvic.zoom.us/j/83458894205?pwd=aHhlZmpUcWplQ09qVDE1OUszcTNYQT09

Meeting ID: 834 5889 4205
Password: 028875
One tap mobile
+17789072071,,83458894205# Canada
+16475580588,,83458894205# Canada

Dial by your location
        +1 778 907 2071 Canada
        +1 647 558 0588 Canada
Meeting ID: 834 5889 4205
Find your local number: https://uvic.zoom.us/u/ki5lmfAfk

Note: Please log in to Zoom via SSO and your UVic Netlink ID


Abstract: A Group Signature Scheme (GSS) is a signature scheme where N members share one public key, and any member is allowed to sign anonymously on behalf of the whole group. Such a scheme designates a group manager that is responsible for setup, revealing the signer's identity, and revoking the membership of group members when required. Most group signature schemes rely on number-theoretic assumptions and thus are not post-quantum secure. Hash-based group signature schemes have recently attracted research interest due to recent advances in the design of stateless hash-based signature schemes and the confidence in their PQ security. Group Merkle (GM) (PQCrypto 2018) and Dynamic Group Merkle (DGM) (ESORICS 2019) are recent proposals for post-quantum hash-based group signature schemes. They are designed as generic constructions that employ any stateful Merkle hash-based signature scheme. XMSS-T (PKC 2016, RFC8391) is the latest stateful Merkle hash-based signature scheme, for which (almost) optimal parameters are provided.

In this seminar, we show that the setup phase of both GM and DGM does not enable their drop-in instantiation with XMSS-T, thus limiting both designs to employing earlier XMSS versions with sub-optimal parameters, which negatively affects the performance of both schemes. We provide a tweak to the setup phase of both GM and DGM to remove this limitation and enable the adoption of XMSS-T. Moreover, we analyze the bit security of DGM when instantiated with XMSS-T and show that it is susceptible to multi-target attacks because of its parallel Signing Merkle Trees (SMT) approach. More precisely, when DGM is used to sign 2^64 messages, its bit security is 44 bits less than that of XMSS-T. Then, we provide a DGM variant that mitigates multi-target attacks and show that it attains the same bit security as XMSS-T. Finally, we propose GMMT, a Revocable Group Merkle Multi-Tree Signature Scheme, which addresses some of the limitations of the two aforementioned schemes.