**Synchronized Aggregate Signatures from the RSA Assumption**

*Susan Hohenberger and Brent Waters*

**Abstract: **In this work we construct efficient aggregate signatures from the RSA assumption in the synchronized setting.
In this setting, the signing algorithm takes
as input a (time) period $t$ as well the secret key and message. A signer should sign at most once
for each $t$. A set of signatures can be aggregated so long as they were all created for the same
period $t$. Synchronized aggregate signatures are useful in systems where there is a natural
reporting period such as log and sensor data, or for signatures embedded
in a blockchain protocol where the creation of an additional block is a natural synchronization event.

We design a synchronized aggregate signature scheme that works for a bounded number of periods $T$ that is given as a parameter to a global system setup. The big technical question is whether we can create solutions that will perform well with the large $T$ values that we might use in practice. For instance, if one wanted signing keys to last up to ten years and be able to issue signatures every second, then we would need to support a period bound of upwards of $2^{28}$.

We build our solution in stages where we start with an initial solution that establishes feasibility, but has an impractically large signing time where the number of exponentiations and prime searches grows linearly with $T$. We prove this scheme secure in the standard model under the RSA assumption with respect to honestly-generated keys. We then provide a tradeoff method where one can tradeoff the time to create signatures with the space required to store private keys. One point in the tradeoff is where each scales with $\sqrt{T}$.

Finally, we reach our main innovation which is a scheme where both the signing time and storage scale with $\lg{T}$ which allows for us to keep both computation and storage costs modest even for large values of $T$. Conveniently, our final scheme uses the same verification algorithm, and has the same distribution of public keys and signatures as the first scheme. Thus we are able to recycle the existing security proof for the new scheme.

We also show how to extend our results to the identity-based setting in the random oracle model, which can further reduce the overall cryptographic overhead. We conclude with a detailed evaluation of the signing time and storage requirements for various practical settings of the system parameters.

**Category / Keywords: **public-key cryptography / signatures, aggregate, RSA, synchronized, identity-based

**Original Publication**** (with minor differences): **IACR-EUROCRYPT-2018

**Date: **received 18 Jan 2018, last revised 24 Jan 2018

**Contact author: **susan at cs jhu edu, bwaters@cs utexas edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20180124:220732 (All versions of this report)

**Short URL: **ia.cr/2018/082

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]