Paper 2012/562

Aggregating CL-Signatures Revisited: Extended Functionality and Better Efficiency

Kwangsu Lee and Dong Hoon Lee and Moti Yung

Abstract

Aggregate signature is public-key signature that allows anyone to aggregate different signatures generated by different signers on different messages into a short aggregate signature. Although aggregate signatures have many applications like secure routing protocols and software module authentications, it is not easy to devise a suitable aggregate signature scheme that satisfies the conditions of real applications such that the size of public keys should be short, the size of aggregate signatures should be short, and the aggregate signing and aggregate verification should be efficient. In this paper, we propose two aggregate signature schemes based on the Camenisch-Lysyanskaya signature scheme that sufficiently satisfy the conditions of real applications. At first, we construct an efficient sequential aggregate signature scheme and prove its security under the LRSW assumption without random oracles. The proposed scheme has the shortest size of public keys among the sequential aggregate signature schemes and very short size of aggregate signatures. Additionally, the aggregate verification of this scheme is very efficient since it only requires constant number of pairing operations and $l$ number of exponentiations where $l$ is the number of signers in an aggregate signature. Next, we construct an efficient synchronized aggregate signature scheme and prove its security under the LRSW assumption in the random oracle model. The proposed scheme has very short size of public keys and the shortest size of aggregate signatures among the synchronized aggregate signature schemes. The signing and aggregate verification is also very efficient since these requires constant number of pairing operations and $l$ number of exponentiations. Furthermore, a signer of our aggregate signature schemes can use two mode of aggregation ``sequential'' and ``synchronized'' at the same time just using the same private key and the public key since the private keys and the public keys of two schemes are the same.