The aggregate signature scheme proposed by Boneh, Gentry, Lynn, and Shacham allows

An aggregate signature scheme as introduced by Boneh et al. [

Since Boneh et al.’s aggregate signature scheme, many aggregate signature schemes have been proposed [

Recently, Rückert et al. [

The rest of the paper is organized as follows. In Section

Let

Bilinearity: for any

In particular, for any

Nondegeneracy: there exists

Computability: there is an efficient algorithm to compute

The typical way of obtaining such pairings is by deriving them from the Weil-pairing or the Tate-pairing on an elliptic curve over a finite field.

Let

The decisional Diffie-Hellman (DDH) problem is to decide whether

The computational Diffie-Hellman (CDH) problem is to compute

The advantage of an algorithm F is at least

A group

We take identity-based aggregate signature (IBAS) for example to give the definition of aggregate signature and its security model. An identity-based aggregate signature is composed of five algorithms [

Take a security parameter

Take params, msk, and a user identity

Take private key

Given

Given an aggregate signature

An IBAS scheme should be secure against existential forgery under an adaptive chosen-message and adaptive chosen-identity attack. We formalize the security model as follows. The adversary’s goal is the existential forgery of an aggregate signature. We give the adversary the power to choose the identities on which it wishes to forge a signature, and the power to request the identity-based private key of all but one of these identities. The adversary’s advantage is defined as its probability of success in the following game.

The adversary is given the needed parameters and an identity

Given an identity

Proceeding adaptively, the adversary may request signatures with respect to identity

Finally, the adversary outputs

The adversary wins if the aggregate signature

We define a new security notion for aggregate signatures, which we call the inside attack. It means the included signers to generate an aggregate signature

The concept of the inside attack is closely related to the basic property of an aggregate signature: it should convince any verifier that every user indeed signed the message which should be signed by him.

In Rückert et al.’s scheme [

The key generation algorithm takes as input the security parameter. It randomly selects

It accepts as input a message

It returns 1 iff

It builds an aggregate signature

It takes as input a set of public keys

In Rückert et al.’s scheme, let

Let

However, when

In this situation, the aggregate signature cannot convince the verifier that signer

Shim’s scheme [

Given security parameter

Generate a prime

Pick a random

Choose cryptographic hash functions

The system parameters are

For a given string

Compute

Set the private key

Given a private

Choose

Compute

For the aggregating set of users

Each user

Compute

Given an aggregate signature

Compute

Verify whether

Let

respectively.

They generate aggregate signature

But, if the aggregate signature satisfies the verification equation, can the verifier be convinced that

respectively. They have not signed

They claim that they generate aggregate signature

Since

The weakness of Shim’s scheme against this inside forgery attack is due to the separation of the message signed and the private key in the signing equation

We can investigate the security of Boneh et al.’s aggregate signature scheme [

In Boneh et al.’s aggregate signature, two cyclic multiplicative groups

Boneh et al.’s aggregate signature scheme comprises five algorithms.

For a user, pick random

Given the secret key

Given user’s public key

For the aggregating set of users

Given an aggregate signature

In Boneh et al.’s scheme, given an aggregate signature of two different messages

The improved scheme comprises five algorithms.

Given security parameter

Generate a prime

Pick a random

Choose cryptographic hash functions

The system parameters are

For a given string

Compute

Set the private key

Given a private

Choose

Compute

For the aggregating set of users

Each user

Compute

Given an aggregate signature

Compute

Verify whether

Following the method in [

Taking two signers as an example, let

respectively. Note that they have not signed

They claim that they generate aggregate signature

But, when

This is impossible. So the inside attack does not succeed against the improved scheme in the two-signer setting.

In

In this paper, we analyse the security of some aggregate signature schemes. We show that Rückert et al.’s scheme cannot convince the verifier that every signer indeed signed the message which should be signed by him. Shim’s scheme suffers from the same flaw. As a comparison, we investigate Boneh et al.’s scheme and show that, under the assumption that each signer signs one message correctly, Boneh et al.’s aggregate scheme can convince the verifier that every signer indeed signed the message which should be signed by him in the two-user setting. Furthermore, we propose the concept of the inside attack on aggregate signatures and give an improved scheme based on Shim’s scheme. We also prove that the improved scheme is secure against the inside attack.