Paper 2022/867

The State of the Union: Union-Only Signatures for Data Aggregation

Diego F. Aranha, Aarhus University
Felix Engelmann, IT University of Copenhagen
Sebastian Kolby, Aarhus University
Sophia Yakoubov, Aarhus University

A union-only signature (UOS) scheme (informally introduced by Johnson et al. at CT-RSA 2002) allows signers to sign sets of messages in such a way that (1) any third party can merge two signatures to derive a signature on the union of the message sets, and (2) no adversary, given a signature on some set, can derive a valid signature on any strict subset of that set (unless it has seen such a signature already). Johnson et al. originally posed building a UOS as an open problem. In this paper, we make two contributions: we give the first formal definition of a UOS scheme, and we give the first UOS constructions. Our main construction uses hashing, regular digital signatures, Pedersen commitments and signatures of knowledge. We provide an implementation that demonstrates its practicality. Our main construction also relies on the hardness of the short integer solution (SIS) problem; we show how that this assumption can be replaced with the use of groups of unknown order. Finally, we sketch a UOS construction using SNARKs; this additionally gives the property that the size of the signature does not grow with the number of merges.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. SCN 2022
homomorphic signaturesunion-only signature schemes anonymity software implementation
Contact author(s)
dfaranha @ cs au dk
fe-research @ nlogn org
sk @ cs au dk
sophia yakoubov @ cs au dk
2022-07-04: approved
2022-07-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Diego F. Aranha and Felix Engelmann and Sebastian Kolby and Sophia Yakoubov},
      title = {The State of the Union: Union-Only Signatures for Data Aggregation},
      howpublished = {Cryptology ePrint Archive, Paper 2022/867},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.