Synchronized Aggregate Signatures from the RSA Assumption

  • Susan Hohenberger
  • Brent Waters
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)

Abstract

In this work we construct efficient aggregate signatures from the RSA assumption in the synchronized setting. In this setting, the signing algorithm takes as input a (time) period t as well as the secret key and message. A signer should sign at most once for each t. A set of signatures can be aggregated so long as they were all created for the same period t. Synchronized aggregate signatures are useful in systems where there is a natural reporting period such as log and sensor data, or for signatures embedded in a blockchain protocol.

We design a synchronized aggregate signature scheme that works for a bounded number of periods T that is given as a parameter to a global system setup. The big technical question is whether we can create solutions that will perform well with the large T values that we might use in practice. For instance, if one wanted signing keys to last up to ten years and be able to issue signatures every second, then we would need to support a period bound of upwards of \(2^{28}\).

We build our solution in stages where we start with an initial solution that establishes feasibility, but has an impractically large signing time where the number of exponentiations and prime searches grows linearly with T. We prove this scheme secure in the standard model under the RSA assumption with respect to honestly-generated keys. We then provide a tradeoff method where one can trade off the time to create signatures against the space required to store private keys. One point in the tradeoff is where each scales with \(\sqrt{T}\).

Finally, we reach our main innovation which is a scheme where both the signing time and storage scale with \(\lg {T}\) which allows for us to keep both computation and storage costs modest even for large values of T. Conveniently, our final scheme uses the same verification algorithm, and has the same distribution of public keys and signatures as the first scheme. Thus we are able to recycle the existing security proof for the new scheme.

We also extend our results to the identity-based setting in the random oracle model, which can further reduce the overall cryptographic overhead. We conclude with a detailed evaluation of the signing time and storage requirements for various settings of the system parameters.
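The rules of the synchronized setting described above (a period bound T fixed at setup, one signature per signer per period, aggregation only within a single period) as an added example that is not code from the paper; the per-signer RSA algorithm is not given on this page, so `base_sign` is an assumed injected callable and only the period bookkeeping is shown.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def required_period_bound(years, granularity_seconds):
    """Smallest power-of-two T covering `years` of signing with one period
    every `granularity_seconds` (the abstract's example: ten years of
    per-second signing needs a bound above 2^28)."""
    periods = math.ceil(years * SECONDS_PER_YEAR / granularity_seconds)
    return 1 << (periods - 1).bit_length()


def period_index(now, epoch, granularity_seconds, period_bound):
    """Map a timestamp to the period t that is fed to the signing algorithm,
    refusing to produce a period outside the bound fixed at global setup."""
    if now < epoch:
        raise ValueError("timestamp precedes the system epoch")
    t = int((now - epoch) // granularity_seconds)
    if t >= period_bound:
        raise ValueError("period bound T exhausted; keys must be rolled")
    return t


class SynchronizedSigner:
    """Enforces 'sign at most once per period' on top of a base signer.

    base_sign(period, msg) -> bytes is an assumption standing in for the
    page's RSA-based per-signer algorithm; a monotone counter is kept rather
    than a set of used periods, which also forbids backdating a signature."""

    def __init__(self, signer_id, base_sign, period_bound):
        self.signer_id = signer_id
        self._base_sign = base_sign
        self.period_bound = period_bound
        self._last_period = -1  # highest period already signed for

    def sign(self, period, msg):
        if not 0 <= period < self.period_bound:
            raise ValueError("period outside [0, T)")
        if period <= self._last_period:
            raise ValueError("period already used: at most one signature per t")
        self._last_period = period
        return (self.signer_id, period, msg, self._base_sign(period, msg))


def aggregatable(sigs):
    """Aggregation precondition: every signature was created for one period t."""
    return len(sigs) > 0 and len({s[1] for s in sigs}) == 1
```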

Acknowledgments

We thank the anonymous reviewers for their helpful comments and Joseph Ayo Akinyele for implementation discussions.


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Johns Hopkins University, Baltimore, USA
  2. University of Texas at Austin, Austin, USA
