Paper 2011/222

Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations

Kyle Brogle, Sharon Goldberg, and Leonid Reyzin

Abstract

Sequential aggregate signature schemes allow n signers, in order, to sign a message each, at a lower total cost than the cost of n individual signatures. We present a sequential aggregate signature scheme based on trapdoor permutations (e.g., RSA). Unlike prior such proposals, our scheme does not require a signer to retrieve the keys of other signers and verify the aggregate-so-far before adding its own signature. Indeed, we do not even require a signer to know the public keys of other signers! Moreover, for applications that require signers to verify the aggregate anyway, our schemes support lazy verification: a signer can add its own signature to an unverified aggregate and forward it along immediately, postponing verification until load permits or the necessary public keys are obtained. This is especially important for applications where signers must access a large, secure, and current cache of public keys in order to verify messages. The price we pay is that our signature grows slightly with the number of signers. We report a technical analysis of our scheme (which is provably secure in the random oracle model), a detailed implementation-level specification, and implementation results based on RSA and OpenSSL. To evaluate the performance of our scheme, we focus on the target application of BGPsec (formerly known as Secure BGP), a protocol designed for securing the global Internet routing system. There is a particular need for lazy verification with BGPsec, since it is run on routers that must process signatures extremely quickly, while being able to access tens of thousands of public keys. We compare our scheme to the algorithms currently proposed for use in BGPsec, and find that our signatures are considerably shorter nonaggregate RSA (with the same sign and verify times) and have an order of magnitude faster verification than nonaggregate ECDSA, although ECDSA has shorter signatures when the number of signers is small.

Note: Project website with code: http://www.cs.bu.edu/~goldbe/papers/bgpsec-sigs.html

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Minor revision. This is the full version of the Asiacrypt 2012 paper.
Keywords
aggregate signaturesRSAlazy verificationBGP
Contact author(s)
goldbe @ cs bu edu
History
2014-06-09: last of 4 revisions
2011-05-08: received
See all versions
Short URL
https://ia.cr/2011/222
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/222,
      author = {Kyle Brogle and Sharon Goldberg and Leonid Reyzin},
      title = {Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2011/222},
      year = {2011},
      url = {https://eprint.iacr.org/2011/222}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.