Kwangsu Lee,Dong Hoon Lee,Moti Yung

DOI: https://doi.org/10.1016/j.tcs.2015.02.019

2015-02-24

Abstract:The notion of aggregate signature has been motivated by applications and it enables any user to compress different signatures signed by different signers on different messages into a short signature. Sequential aggregate signature, in turn, is a special kind of aggregate signature that only allows a signer to add his signature into an aggregate signature in sequential order. This latter scheme has applications in diversified settings such as in reducing bandwidth of certificate chains and in secure routing protocols. Lu, Ostrovsky, Sahai, Shacham, and Waters (EUROCRYPT 2006) presented the first sequential aggregate signature scheme in the standard model. The size of their public key, however, is quite large (i.e., the number of group elements is proportional to the security parameter), and therefore, they suggested as an open problem the construction of such a scheme with short keys. In this paper, we propose the first sequential aggregate signature schemes with short public keys (i.e., a constant number of group elements) in prime order (asymmetric) bilinear groups that are secure under static assumptions in the standard model. Furthermore, our schemes employ a constant number of pairing operations per message signing and message verification operation. Technically, we start with a public-key signature scheme based on the recent dual system encryption technique of Lewko and Waters (TCC 2010). This technique cannot directly provide an aggregate signature scheme since, as we observed, additional elements should be published in a public key to support aggregation. Thus, our constructions are careful augmentation techniques for the dual system technique to allow it to support sequential aggregate signature schemes. We also propose a multi-signature scheme with short public parameters in the standard model.

Cryptography and Security

Yunlei Zhao

DOI: https://doi.org/10.1145/3321705.3329826

2019-01-01

Abstract:Aggregate signature (AS) allows non-interactively condensing multiple individual signatures into a compact one. Besides faster verification, it is useful to reduce storage and bandwidth, and is especially attractive for blockchain and cryptocurrency. In this work, we first demonstrate the subtlety of achieving AS from general groups, by a concrete attack that actually works against the natural implementations of AS based on almost all the variants of DSA and Schnorr's. Then, we show that aggregate signature can be de- rived from the -signature scheme proposed by Yao, et al. To the best of our knowledge, this is the first aggregate signature scheme from general elliptic curves without bilinear maps (in particular, the secp256k1 curve used by Bitcoin). The security of aggregate -signature is proved based on a new assumption proposed and justified in this work, referred to as non-malleable discrete-logarithm (NMDL), which might be of independent interest. When applying the resultant aggregate -signature to Bitcoin, the storage volume of signatures reduces about 49.8%, and the signature verification time can even reduce about 72%. Finally, we specify in detail the application of the proposed AS scheme to Bitcoin, with the goal of maximizing performance and compatibility. We adopt a Merkle-Patricia tree based implementation, and the resulting system is also more friendly to segregated witness and provides better protection against transaction malleability attacks.

Hu Xiong,Zhi Guan,Zhong Chen,Fagen Li

DOI: https://doi.org/10.1016/j.ins.2012.07.004

IF: 8.1

2013-01-01

Information Sciences

Abstract:An aggregate signature scheme enables an algorithm to aggregate n signatures of n distinct messages from n users into a single short signature. This primitive is useful in resource-constrained environment since they allow bandwidth and computational savings. Recently, in order to eliminate the use of certificates in certified public key cryptography and the key-escrow problem in identity-based cryptography, the notion of certificateless public key cryptography was introduced. In this paper, we present an efficient certificateless aggregate signature scheme with constant pairing computations. The security of the proposed scheme can be proved to be equivalent to the standard computational Diffie–Hellman problem in the random oracle with a tight reduction. Furthermore, our scheme does not require synchronization for aggregating randomness, which makes it more suitable for ad hoc networks.

Jiang Deng,Chunxiang Xu,Huai Wu,Liju Dong

DOI: https://doi.org/10.1002/cpe.3551

2016-01-01

Abstract:SummaryTo satisfy the applications in certificateless environment, many researchers have been investigating certificateless aggregate signature schemes. Several schemes that are independent with the aggregated numbers are proposed to reduce the computation overhead. In these schemes, the pairing computations that in verification procedure needs are a constant value. Recently, Hou et al. proposed an improved certificateless aggregate signature scheme. They demonstrated the scheme is provably secure in the random oracle model. However, we find that their scheme is insecure in their security model by giving a concrete attack. Then, we propose an improved certificateless signature scheme and use it to construct a new certificateless signature scheme with enhanced security and aggregation. Furthermore, we provide formal security proof of our new scheme. Compared with other four schemes, our enhanced protocol is more suitable for realistic applications. Copyright © 2015 John Wiley & Sons, Ltd.

Zhou Xuhua,Lai Junzuo,Liu Shengli,Chen Kefei

DOI: https://doi.org/10.1049/cje.2015.04.019

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:At Eurocrypt'06, Lu et al. presented the first Sequential aggregate signature (SAS) provably secure without random oracles. The drawback of their scheme is that users need long public keys and the security model makes the Knowledge of secure key (KOSK) assumption. We present the first SAS scheme, which the user needs short public keys and the security is proven without random oracles, in the plain public key model. We also present the first Multisignature (MS) scheme in the plain public key model, which the security is proven without random oracles.

Andrew C. Yao,Yunlei Zhao

2012-01-01

Abstract:Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known as the Fiat-Shamir (FS) paradigm, is to collapse any Σ-protocol (which is 3-round public-coin honest-verifier zero-knowledge) into a non-interactive scheme with hash functions that are modeled to be random oracles (RO). The Digital Signature Standard (DSS) and Schnorr’s signature schemes are two salient examples following the FS-paradigm. In this work, we present a modified Fiat-Shamir paradigm, named challenge-divided Fiat-Shamir paradigm, which is applicable to a variant of Σ-protocol with divided random challenges. This new paradigm yields a new family of (online/offline efficient) digital signatures from challenge-divided Σ-protocols, including in particular a variant of Schnorr’s signature scheme called challenge-divided Schnorr signature. We then present a formal analysis of the challenge-divided Schnorr signature in the random oracle model. Finally, we give comparisons between the challenge-divided Schnorr signature and DSS and Schnorr’s signature, showing that the newly developed challenge-divided Schnorr signature can enjoy better (online/offline) efficiency (besides provable security in the random oracle model). Of independent interest is a new forking lemma, referred to as divided forking lemma, for dealing with multiple ordered rewinding points in the RO model, which is of independent interest and can be applied to analyzing other cryptographic schemes in the RO model.

Yan XU,Liu-sheng HUANG,Miao-miao TIAN,Hong ZHONG,Jie CUI

DOI: https://doi.org/10.3969/j.issn.0372-2112.2016.08.011

2016-01-01

Abstract:Aggregate signature schemes are particularly useful for authentication in resource-constrained wireless net-works for realizing batch verification.Certificateless cryptosystems can resolve the certificate management problem or key es-crow problem in aggregate signature schemes.This paper firstly analyzed a certificatelss aggregate signature(CLAS)scheme. Then,a more efficient CLAS scheme that requires less bilinear paring operations was provided.The security analysis showed that this scheme can resist the forgery attack under the random oracle model,the security was equal to resolve CDH problem.

Masayuki Tezuka,Keisuke Tanaka

DOI: https://doi.org/10.1007/978-3-031-29371-9_16

2023-04-01

Abstract:Synchronized aggregate signature is a special type of signature that all signers have a synchronized time period and allows aggregating signatures which are generated in the same period. This signature has a wide range of applications for systems that have a natural reporting period such as log and sensor data, or blockchain protocol. In CT-RSA 2016, Pointcheval and Sanders proposed the new randomizable signature scheme. Since this signature scheme is based on type-3 pairing, this signature achieves a short signature size and efficient signature verification. In this paper, we design the Pointchcval-Sanders signature-based synchronized aggregate signature scheme and prove its security under the generalized Pointcheval-Sanders assumption in the random oracle model. Our scheme offers the most efficient aggregate signature verification among synchronized aggregate signature schemes based on bilinear groups.

Cryptography and Security

Zheng Gong,Yu Long,Xuan Hong,Kefei Chen

2008-01-01

Abstract:Aggregate signature is a digital signature with a striking property that anyone can aggregate n individual signatures on n different messages which are signed by n distinct signers, into a single compact signature to reduce computational and storage costs. In this work, two practical certificateless aggregate signature schemes are proposed from bilinear maps. The first scheme CAS-1 reduces the costs of communication and signer-side computation but trades off the storage, while CAS-2 minimizes the storage but sacrifices the communication costs. One can choose either of the schemes by consideration of the application requirement. Compare with ID-based schemes, our schemes do not entail public key certificates as well and achieve the trust Level 3, which imply the frauds of the authority are detectable. Both of the schemes are proven secure in the random oracle model by assuming the intractability of the computational Diffie-Hellman problem over the groups with bilinear maps, where the forking lemma technique is avoided.

Kwangsu Lee,Dong Hoon Lee

DOI: https://doi.org/10.1371/journal.pone.0128081

2014-11-18

Abstract:Aggregate signatures allow anyone to combine different signatures signed by different signers on different messages into a single short signature. An ideal aggregate signature scheme is an identity-based aggregate signature (IBAS) scheme that supports full aggregation since it can reduce the total transmitted data by using an identity string as a public key and anyone can freely aggregate different signatures. Constructing a secure IBAS scheme that supports full aggregation in bilinear maps is an important open problem. Recently, Yuan {\it et al.} proposed an IBAS scheme with full aggregation in bilinear maps and claimed its security in the random oracle model under the computational Diffie-Hellman assumption. In this paper, we show that there exists an efficient forgery attacker on their IBAS scheme and their security proof has a serious flaw.

Cryptography and Security

Chanhyeok Park,Sangrae Cho,Young-Seob Cho,Soohyung Kim,Hyung Tae Lee

DOI: https://doi.org/10.1109/access.2024.3358849

IF: 3.9

2024-02-07

IEEE Access

Abstract:Recently, Chait et al. proposed a new aggregate signature scheme under the RSA setting (IEEE Access, 2023). In this paper, we show that Chait et al.'s aggregate signature scheme is insecure when two signers collude with their own secret keys, by presenting an attack algorithm that forges aggregate signatures of aggregator or individual signatures of all other (non-colluding) users. More concretely, our attack algorithm consists of three sub-algorithms: The first sub-algorithm computes a multiple of from secret keys of two users where is the RSA modulus that is included in the public parameter of the system and is the Euler totient function. The second sub-algorithm recovers an equivalent secret key of a target user that is congruent to his/her original secret key modulo from his/her public key and the multiple of which is the output of the first sub-algorithm. Finally, with the equivalent secret key obtained by the second sub-algorithm, the last sub-algorithm generates valid aggregate/individual signatures of the target user. Our attack algorithm always succeeds in forging aggregate/individual signatures. Furthermore, it is lightweight in the sense that it requires several integer operations, gcd computations, and an execution of aggregate/individual signing algorithm only. For example, when the pubic parameter and secret keys of all users, except the target user, are provided, our experimental results demonstrate that the proposed attack algorithm takes less than 1 second only in total to forge an aggregate signature of 29 individual signatures including that of the target user, where is 3,072 bits for 128-bit security.

computer science, information systems,telecommunications,engineering, electrical & electronic

Huai Wu,Chunxiang Xu,Jiang Deng

DOI: https://doi.org/10.1109/INCoS.2013.95

2013-01-01

Abstract:Fast signature verification is desirable in many applications, especially for numerous low computation scenarios such as RFID, wireless network. Up to now, many techniques have been suggested to reduce the computational load. For example, server-aided verification aims at saving computational overhead and aggregated signatures have been used for saving the bandwidth by compressing a list of signatures into a single signature. Therefore, it is interesting to study how to combine these two tricks together, namely server-aided aggregate verification signature, to achieve both short signature length and secure server-aided verification. The contribution of this paper is three folds. Firstly, we formalize a new security model of server-aided aggregate verification signature scheme (SAAV-?). Secondly, we propose a concrete server-aided aggregate verification signature scheme based BGLS signature scheme. Finally, we show that our construction is secure in our model.

Peng Zhang,Fa Ge,Yuhong Liu

DOI: https://doi.org/10.48550/arXiv.2305.13699

2023-05-23

Abstract:Multi-signature aggregates signatures from multiple users on the same message into a joint signature, which is widely applied in blockchain to reduce the percentage of signatures in blocks and improve the throughput of transactions. The $k$-sum attacks are one of the major challenges to design secure multi-signature schemes. In this work, we address $k$-sum attacks from a novel angle by defining a Public Third Party (PTP), which is an automatic process that can be verifiable by the public and restricts the signing phase from continuing until receiving commitments from all signers. Further, a two-round multi-signature scheme MEMS with PTP is proposed, which is secure based on discrete logarithm assumption in the random oracle model. As each signer communicates directly with the PTP instead of other co-signers, the total amount of communications is significantly reduced. In addition, as PTP participates in the computation of the aggregation and signing algorithms, the computation cost left for each signer and verifier remains the same as the basis Schnorr signature. To the best of our knowledge, this is the maximum efficiency that a Schnorr-based multi-signature scheme can achieve. Further, MEMS is applied in blockchain platform, e.g., Fabric, to improve the transaction efficiency.

Cryptography and Security

Hu Xiong,Qianhong Wu,Zhong Chen

2012-01-01

Abstract:An aggregate signature scheme allows a public algorithm to aggregate n signatures on n distinct messages from n signers into a single signature. By validating the single resulting signature, one can be convinced that the messages have been endorsed by all the signers. Certificateless aggregate signatures allow the signers to authenticate messages without suffering from the complex certificate management in the traditional public key cryptography or the key escrow problem in identity-based cryptography. In this paper, we present a new efficient certificateless aggregate signature scheme. Compared with up-to-date certificateless aggregate signatures, our scheme is equipped with a number of attracting features: (1) it is shown to be secure under the standard computational Diffie-Hellman assumption in the random oracle model; (2) the security is proven in the strongest security model so far; (3) the signers do not need to be synchronized; and (4) its performance is comparable to the most efficient up-to-date schemes. These features are desirable in a mobile networking and computing environment where the storage/computation capacity of the end devices are limited, and due to the wireless connection and distributed feature, the computing devices are easy to be attacked and hard to be synchronized.

Han Shen,Jianhua Chen,Hao Hu,Jian Shen

DOI: https://doi.org/10.1587/transfun.E99.A.660

2016-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Recently, H. Liu et al. [H. Liu, M. Liang, and H. Sun, A secure and efficient certificateless aggregate signature scheme, IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, vol.E97-A, no.4, pp.991-915, 2014] proposed a new certificateless aggregate signature (CLAS) scheme and demonstrated that it was provably secure in the random oracle model. However, in this letter, we show that their scheme cannot provide unforgeability, i.e., an adversary having neither the user's secret value nor his/her partial private key can forge a legal signature of any message.

Hu Xiong,Qianhong Wu,Zhong Chen

DOI: https://doi.org/10.1109/INCoS.2011.151

2011-01-01

Abstract:An aggregate signature scheme allows a public algorithm to aggregate n signatures of n distinct messages from n signers into a single signature. By validating the single resulting signature, one can be convinced that the messages have been endorsed by all the signers. Certificateless aggregate signatures allow the signers to authenticate messages without suffering from the complex certificate management in the traditional public key cryptography or the key escrow problem in identity-based cryptography. In this paper, we present a new efficient certificate less aggregate signature scheme. Compared with up-to-date certificate less aggregate signatures, our scheme is equipped with a number of attracting features: (1) it is shown to be secure under the standard computational Diffie-Hellman assumption in the random oracle model, (2) the security is proven in the strongest security model so far, (3) the signers do not need to be synchronized, and (4) its performance is comparable to the most efficient up-to-date schemes. These features are desirable in a mobile networking and computing environment where the storage/computation capacity of the end devices are limited, and due to the wireless connection and distributed feature, the computing devices are easy to be attacked and hard to be synchronized.

Debiao He,Miaomiao Tian,Jianhua Chen

DOI: https://doi.org/10.1016/j.ins.2013.09.032

IF: 8.1

2014-01-01

Information Sciences

Abstract:Recently, Xiong et al. [H. Xiong, Z. Guan, Z. Chen, F. Li, An efficient certificateless aggregate signature with constant pairing computations, Information Science 219 (2013) 225–235] proposed a certificateless signature (CLS) scheme and used it to construct a certificateless aggregate signature (CLAS) scheme with constant pairing computations. They demonstrated that both of their schemes are provably secure in the random oracle model under the computational Diffie–Hellman assumption. Unfortunately, by giving concrete attack, we demonstrate that their schemes are not secure against the Type II adversary, i.e. a Type II adversary could forge a legal signature of any message.

Yanyan Gu,Limin Shen,Futai Zhang,Jinbo Xiong

DOI: https://doi.org/10.3390/math10152588

IF: 2.4

2022-07-26

Mathematics

Abstract:In recent years, deploying Internet of Things (IoT) in electronic healthcare systems (EHS) has made great progress in healthcare detection. It is extremely important to reduce the cost of communication and ensure the authenticity and integrity of data. A linearly homomorphic signature scheme can solve the above problems. However, when the scale of EHS is too large, the transmission, storage and verification of signatures need a high cost. An aggregate signature can combine many signatures generated by many different users into a short one. Therefore, only one aggregate signature needs to be processed during verification, transmission and storage. Combining the advantages of aggregate signature and linearly homomorphic signature, this paper proposes an aggregate signature scheme based on a linearly homomorphic signature for EHS, which has both linear homomorphism and aggregation, and realizes double data compression. Moreover, our scheme can resist a potential real attack, named a coalition attack. The security of this scheme is rigorously demonstrated based on the computational Diffie–Hellman assumption in the random oracle model.

mathematics

Yamin Wen,Zheng Gong,Zhengan Huang,Weidong Qiu

DOI: https://doi.org/10.1007/s10586-017-0940-2

2017-01-01

Cluster Computing

Abstract:Private set intersection (PSI) has been proposed to achieve sharing sensitive information with privacy, which allows two participators to compute the intersection of their private sets without revealing any other information. Authorized private set intersection (APSI) is a variant of PSI such that APSI requires client sets for intersection must be authorized. Although many schemes have been proposed for linear optimization in the existing APSI publications, how to linearly optimize the APSI protocol based on the Schnorr signature has not been proposed yet. In this paper, we propose a new efficient APSI protocol with linear complexity (denoted by LC-APSI) from the Schnorr signature. LC-APSI is proven secure in the random oracle model by assuming the intractability of the gap Diffie–Hellman problem. Apart from the existed efficient APSI protocols based on RSA and IBE, the new proposal fills up the technical extensions and applications of APSI. In particular, our proposal on sharing sensitive information is also instantiated which can be used to the practical applications in cloud computing or outsourced data sharing.

Liangliang Wang,Kefei Chen,Yu Long,Huige Wang

DOI: https://doi.org/10.1002/sec.1421

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:An aggregate signature refers to a signature, by which n signatures sigma(1),...,sigma(n) corresponding to n messages m(1),...,m(n) and n users u(1),...,u(n) can be transformed into a single short signature (sigma) over bar. Besides, anyone can be convinced by the single short signature that the n messages m(1),...,m(n) were definitely signed by the n users u(1),...,u(n) correspondingly. The concept of certificateless cryptography is proposed, so as to settle the key escrow problem in ID-based cryptography and eliminate the demand for certificates in certified cryptography. A certificateless signature scheme was proposed by Chen et al. in 2014, which was extended into a certificateless aggregate signature scheme. In this paper, two attacks are firstly provided, so as to indicate that the certificateless signature scheme is insecure against a Type I adversary and a Type II adversary. And then, it is demonstrated that the certificateless aggregate signature scheme is not able to achieve the security levels they claimed due to the weaknesses of the certificateless signature scheme. Copyright (c) 2016 John Wiley & Sons, Ltd.