#### Abstract

The aggregate signature scheme proposed by Boneh, Gentry, Lynn, and Shacham allows *n* signatures on *n* distinct messages from *n* distinct users to be aggregated into a single signature that convinces any verifier that the *n* users did indeed sign the *n* messages, respectively. The main benefit of such schemes is that they save bandwidth and computation. In this paper, we ask whether the existing aggregate signature schemes satisfy the basic property that they can convince any verifier that every user indeed signed the message which should be signed by him. We show that Rückert et al.’s scheme and Shim’s scheme do not satisfy this property. As a comparison, we investigate Boneh et al.’s scheme and show that, under the assumption that each signer correctly signs one message, Boneh et al.’s scheme satisfies this property in the two-user setting. Furthermore, we propose the concept of an inside attack on aggregate signatures and give an improved aggregate signature scheme based on Shim’s scheme. We also prove that the improved scheme is secure against the inside attack.

#### 1. Introduction

An aggregate signature scheme as introduced by Boneh et al. [1] is a method for combining signatures from different signers on different messages into a single signature. This single signature (and the original messages) will convince the verifier that the signers did indeed sign the original messages (i.e., signer signed message for ). Typical applications for aggregate signatures are, for example, secure routing [2] or certificate chain compression [1]. The main benefit of aggregate signature is that it saves bandwidth, which makes it an optimal solution for networks of small, battery-powered devices that communicate over energy-consuming wireless channels [3].

Since Boneh et al.’s aggregate signature scheme, many aggregate signature schemes have been proposed [4–10]. There are even aggregate proxy signature [11] and aggregate signcryption schemes [12]. However, regarding the security of aggregate signature schemes, all existing schemes discuss only traditional unforgeability. We ask whether every existing aggregate signature satisfies the basic property proposed by Boneh et al., namely that it convinces any verifier that, for all , signer indeed signed message which should be signed by him, and did not sign message . In some situations an aggregate signature may pass verification even though signer signed message . We call this attack an inside attack on aggregate signatures. We think this is an important issue for aggregate signatures. Shao [13] also discussed the security of aggregate signatures, but from a different angle. He pointed out that every signer can forge a signature on message ; here is the true signature of message , when and also satisfies the aggregate signature verification.

Recently, Rückert et al. [6] proposed the first aggregate signature in the standard model. The scheme is based on the Boneh-Silverberg signature [14]. They proved its traditional unforgeability in the standard model while maintaining an optimal signature size and reasonable efficiency. However, in this paper we show that Rückert et al.’s scheme does not satisfy the basic property that a verifier, given the aggregate signature along with the identities of the parties involved and their respective messages, can be convinced that signer indeed signed message which should be signed by him. In 2010, Shim proposed an efficient ID-based aggregate signature scheme with constant pairing computations [8]. It is the first scheme whose number of pairing computations in verification is independent of the number of users. But in this paper we point out that Shim’s scheme also does not satisfy the basic property. As a comparison, we investigate Boneh et al.’s scheme [1] and show that, under the assumption that each signer signs one message correctly, Boneh et al.’s scheme satisfies this property in the two-user setting. Furthermore, we propose an improved scheme based on Shim’s scheme and prove that the improved scheme is secure against the inside attack.

The rest of the paper is organized as follows. In Section 2 we introduce preliminaries and the computational assumption. Section 3 investigates the security of Rückert et al.’s aggregate signature. Section 4 investigates the security of Shim’s aggregate signature. As a comparison, we study Boneh et al.’s aggregate signature scheme in Section 5. The improved scheme is presented in Section 6. Section 7 concludes the paper.

#### 2. Preliminary

##### 2.1. The Bilinear Pairing

Let be a cyclic additive group generated by , whose order is a prime , and let be a cyclic multiplicative group of the same order. Let be a pairing map which satisfies the following conditions.

(1) Bilinearity: for any , we have and . In particular, for any , .
(2) Nondegeneracy: there exists such that .
(3) Computability: there is an efficient algorithm to compute for all .

The typical way of obtaining such pairings is by deriving them from the Weil-pairing or the Tate-pairing on an elliptic curve over a finite field.

##### 2.2. Gap Diffie-Hellman (GDH) Groups

Let be a cyclic additive group of prime order , and let be a generator of .

(1) The decisional Diffie-Hellman (DDH) problem is to decide whether in for given . If so, is called a valid Diffie-Hellman tuple.
(2) The computational Diffie-Hellman (CDH) problem is to compute for given .

*Definition 2.1.* The advantage of an algorithm in solving the computational Diffie-Hellman problem on group is
The probability is taken over the choice of and ’s coin tosses. An algorithm is said to -break the computational Diffie-Hellman problem on group if runs in time at most and AdvCDH_{F} is at least .

*Definition 2.2.* A group is said to be a -gap Diffie-Hellman (GDH) group if the decisional Diffie-Hellman problem in can be solved efficiently and no algorithm -breaks the computational Diffie-Hellman problem on group .

##### 2.3. Security Model of Aggregate Signature

We take identity-based aggregate signature (IBAS) as an example to give the definition of aggregate signature and its security model. An identity-based aggregate signature is composed of five algorithms [5]: key generation by the private key generation center (PKG), private key extraction by the PKG for individual users, signing by an individual user, aggregation of multiple individual signatures, and verification of an identity-based aggregate signature.

*KeyGen*

Take a security parameter as input and output system parameters params and master key msk.

*KeyExt*

Take params, msk, and a user identity as input and output a user private key .

*Sign*

Take private key and a message as input and output an individual identity-based signature .

*Agg*

Given signatures along with users’ identities and messages , output an aggregate signature .

*Verify*

Given an aggregate signature and the list of message and identity pairs , verify whether the aggregate signature is valid.

###### 2.3.1. Security Model against Traditional Existential Forgery Attack

An IBAS scheme should be secure against traditional existential forgery under an adaptive chosen-message and adaptive chosen-identity attack. We formalize the security model as follows. The adversary’s goal is the existential forgery of an aggregate signature. We give the adversary the power to choose the identities on which it wishes to forge a signature, and the power to request the identity-based private key for all but one of these identities. The adversary’s advantage is defined as its probability of success in the following game.

*Setup.* The adversary is given the needed parameters and a random identity .

*Extraction Queries*

Given an identity (), the challenger returns the private key corresponding to .

*Signature Queries*

Proceeding adaptively, the adversary may request signatures with respect to identity on messages of his choice.

*Response*

Finally, the adversary outputs additional identities , messages , and an aggregate signature with respect to these identities and messages .

The adversary wins if the aggregate signature is a valid signature on under and the adversary did not request the private key for and did not request a signature on under .

###### 2.3.2. Security Model against Inside Existential Forgery Attack

We define a new security notion for aggregate signatures, the inside attack. It means that the participating signers generate an aggregate signature on messages for identities , but claim that they generated an aggregate signature on messages for identities , where (1) , and (2) really satisfies the aggregate signature verification equation on messages for identities .

The concept of inside attack is closely related to the basic property of aggregate signature that it should convince any verifier that every user indeed signed the message which should be signed by him.

#### 3. The Security of Rückert et al.’s Aggregate Signature Scheme

##### 3.1. Brief Review of Rückert et al.’s Scheme

In Rückert et al.’s scheme [6], two groups and of prime order and a multilinear map are used; is a generator of . If , and , then . Rückert et al.’s scheme comprises five algorithms.

*Key Generation*

The key generation algorithm takes as input the security parameter. It randomly selects elements . The algorithm computes
and returns the private key and the public key pair:

*Signature Issue*

It accepts as input a message as well as signing key and computes the signature .

*Signature Verification*

It returns 1 iff .

*Signature Aggregation*

It builds an aggregate signature on messages , under public keys , respectively. It outputs the triple . Here , , , and is the signature on message produced by the user with public key .

*Aggregate Verification*

It takes as input a set of public keys , a set of messages , and an aggregate signature . It returns 1 iff

##### 3.2. The Security of Rückert et al.’s Scheme

In Rückert et al.’s scheme, let ; two users , have private key and public key pairs , respectively.

Let , be two messages. Then is the signature on by , and is the signature on by . So the aggregate signature produced by users , is . The aggregate verification equation holds.

However, when , , , , and , the equation holds. So when the user with public key signs and the user with public key signs , they generate the aggregate signature , which also satisfies the aggregate verification equation

In this situation, the aggregate signature cannot convince the verifier that signer signed message . So Rückert et al.’s aggregate signature is not secure; it does not satisfy the property that a verifier, given the aggregate signature along with the identities of the parties involved and their respective messages, can be convinced that signer indeed signed message which should be signed by him. It is not secure against the inside forgery attack.

#### 4. The Security of Shim’s Aggregate Signature Scheme

##### 4.1. Brief Review of Shim’s Scheme

Shim’s scheme [8] comprises five algorithms.

*Setup.* Given security parameter , the algorithm works as follows.

(1) Generate a prime , a cyclic additive group and a cyclic multiplicative group of prime order , a generator in , and an admissible pairing .
(2) Pick a random and set .
(3) Choose cryptographic hash functions and .

The system parameters are .

*Extract*

For a given string :

(1) Compute .
(2) Set the private key to be , where is the master secret.

*Sign*

Given a private key and a message :

(1) Choose and compute .
(2) Compute and .

The signature on is .

*Agg*

For the aggregating set of users , assign to each user an index ranging from 1 to .

(1) Each user computes a signature on a message .
(2) Compute and output as the aggregate signature on .

*AVerify*

Given an aggregate signature as above:

(1) Compute and for .
(2) Verify whether holds. If it holds, accept the aggregate signature .

##### 4.2. Attack on Shim’s Scheme

Let be the identity of signer and let be the identity of signer . They claim that they generate an aggregate signature on messages for identities . Then should sign and should sign . That is to say, they should proceed as follows:

(1) and choose and compute and , respectively.
(2) and compute , respectively.
(3) They generate the aggregate signature on messages for identities . Here .

But if the aggregate signature satisfies the verification equation, can the verifier be convinced that indeed signed and indeed signed ? They may deliberately cooperate as follows:

(1) and choose and compute and .
(2) and compute , respectively. They have not signed and , respectively.
(3) They claim that they generate the aggregate signature on messages for identities . Here .

Since , the verification equation holds. Thus and succeed in forging an aggregate signature for on .

The weakness of Shim’s scheme against this inside forgery attack is due to the separation of the signed message and the private key in the signing equation .

#### 5. The Security of Boneh et al.’s Aggregate Schemes

We investigate the security of Boneh et al.’s aggregate signature scheme [1] to further illustrate the flaw of the above two schemes.

##### 5.1. Brief Review of Boneh et al.’s Scheme

In Boneh et al.’s aggregate signature, two cyclic multiplicative groups and of prime order and a bilinear map are used; is a generator of . The scheme employs a hash function .

Boneh et al.’s aggregate signature scheme comprises five algorithms.

*Key Generation*

For a user, pick a random and compute . The user’s public key is , and the secret key is .

*Signing*

Given the secret key and a message , compute , and the signature .

*Verification*

Given a user’s public key , a message , and a signature , compute ; accept if holds.

*Aggregation*

For the aggregating set of users , assign to each user an index ranging from 1 to . Each user provides a signature on a message of his choice. Compute the aggregate signature .

*Aggregate Verification*

Given an aggregate signature for an aggregating set of users , indexed as before, and the original messages and public keys for all users , compute for and accept if holds.

##### 5.2. The Security of Boneh et al.’s Scheme

In Boneh et al.’s scheme, given an aggregate signature on two different messages and under two users with public keys and , respectively, if , then it is impossible to know whether signer signed message , and Boneh et al.’s scheme has the same flaw as Rückert et al.’s scheme. But if , then . So if the hash function is secure, , and then, under the assumption that each signer signs one message correctly, Boneh et al.’s scheme does not suffer the flaw of the above two schemes in the two-user setting.
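The following is an added worked example, not code from the paper: a toy model of Boneh et al.'s scheme (Section 5) that checks the two-user message-swap case of the inside attack (Section 2.3.2). The model is an assumption for illustration only: group elements are represented by their discrete logarithms modulo a toy prime `Q`, so the pairing becomes integer multiplication; this keeps the bilinear algebra of the scheme but has no cryptographic hardness. It also goes slightly beyond the text by noting that the honest and swapped aggregates differ by a product of two factors, so the swap verifies exactly when the message hashes collide (for distinct keys).

```python
"""Toy model (constructed, insecure) of Boneh et al.'s aggregate signature
and the two-signer message-swap inside attack.  Group elements are stored
as discrete logs mod Q: g^a is the integer a, a product of group elements
is a sum, and e(g^a, g^b) = g_T^(ab) is the product a*b mod Q."""
import hashlib
from typing import Callable, Sequence

Q = 2**127 - 1   # toy prime group order (constructed)
G = 1            # the generator g, i.e. exponent 1

def pairing(a: int, b: int) -> int:
    """e(g^a, g^b) as an exponent of g_T; bilinear by construction."""
    return (a * b) % Q

def hash_to_group(msg: bytes) -> int:
    """H: {0,1}* -> G1, modelled as a full-width hash reduced mod Q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def weak_hash(msg: bytes) -> int:
    """Deliberately collision-prone H (first byte only), to exercise the
    'if the hash function is secure' condition of Section 5.2."""
    return hash_to_group(msg[:1])

def keygen(seed: bytes) -> tuple:
    """Secret key x in Z_Q and public key v = g^x (exponent x*G)."""
    x = int.from_bytes(hashlib.sha256(b"sk:" + seed).digest(), "big") % Q
    return x, (x * G) % Q

def sign(x: int, msg: bytes, H: Callable = hash_to_group) -> int:
    """Individual signature sigma = H(m)^x."""
    return (H(msg) * x) % Q

def aggregate(sigs: Sequence[int]) -> int:
    """sigma = prod_i sigma_i, which is a sum of exponents in the toy model."""
    return sum(sigs) % Q

def aggregate_verify(sig: int, pubs: Sequence[int], msgs: Sequence[bytes],
                     H: Callable = hash_to_group) -> bool:
    """Accept iff e(sigma, g) == prod_i e(H(m_i), v_i)."""
    lhs = pairing(sig, G)
    rhs = sum(pairing(H(m), v) for m, v in zip(msgs, pubs)) % Q
    return lhs == rhs

def swap_attack_succeeds(m1: bytes, m2: bytes, H: Callable = hash_to_group) -> bool:
    """Signer 1 signs m2 and signer 2 signs m1, yet the pair claims the
    aggregate is on (m1 under v1, m2 under v2).  Returns True iff the
    verifier accepts the mis-attributed aggregate.  Honest and swapped
    aggregates differ by (H(m1)-H(m2))*(x1-x2), so with distinct keys
    the claim verifies exactly when H(m1) == H(m2)."""
    x1, v1 = keygen(b"signer-1")   # constructed sample keys
    x2, v2 = keygen(b"signer-2")
    swapped = aggregate([sign(x1, m2, H), sign(x2, m1, H)])
    return aggregate_verify(swapped, [v1, v2], [m1, m2], H)
```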

#### 6. An Improvement of Shim’s Identity-Based Aggregate Signature Scheme

##### 6.1. The Improved Scheme

The improved scheme comprises five algorithms.

*Setup.* Given security parameter , the algorithm works as follows.

(1) Generate a prime , a cyclic additive group and a cyclic multiplicative group of prime order , two random generators and in , and an admissible pairing .
(2) Pick a random and set .
(3) Choose cryptographic hash functions and .

The system parameters are .

*Extract*

For a given string :

(1) Compute .
(2) Set the private key to be , where is the master secret.

*Sign*

Given a private key and a message :

(1) Choose and compute .
(2) Compute and .

The signature on is .

*Agg*

For the aggregating set of users , assign to each user an index ranging from 1 to .

(1) Each user computes a signature on a message .
(2) Compute and output as the aggregate signature on .

*AVerify*

Given an aggregate signature as above:

(1) Compute and for .
(2) Verify whether holds. If it holds, accept the aggregate signature .

##### 6.2. Security of the Improved Scheme

Following the method in [10], it is easy to prove that the improved scheme is secure against traditional existential forgery under an adaptive chosen-message and adaptive chosen-identity attack. Here we only show that our improvement is secure against the inside attack proposed above.

Take two signers as an example: let be the identity of signer and the identity of signer . Suppose they cooperate as follows:

(1) and choose and compute and .
(2) and compute , respectively. Note that they have not signed and , respectively.
(3) They claim that they generate the aggregate signature on messages for identities . Here .

But when is a valid aggregate signature on messages for identities , the following equation holds: In fact, if then so

This is impossible. So the inside attack does not succeed against the improved scheme in the two-signer setting.

In the -signer setting, suppose they generate an aggregate signature on messages for identities but claim that they generated an aggregate signature on messages for identities , where . Then the probability that satisfies the aggregate signature verification equation on messages for identities equals the probability that the following equation holds: Here O denotes the identity element of the cyclic additive group . So the improved aggregate signature scheme is secure against the inside attack.

#### 7. Conclusion

In this paper, we analyse the security of some aggregate signature schemes. We show that Rückert et al.’s scheme cannot convince the verifier that every signer indeed signed the message which should be signed by him. Shim’s scheme suffers from the same flaw. As a comparison, we investigate Boneh et al.’s scheme and show that, under the assumption that each signer signs one message correctly, Boneh et al.’s aggregate scheme can convince the verifier that every signer indeed signed the message which should be signed by him in the two-user setting. Furthermore, we propose the concept of an inside attack on aggregate signatures and give an improved scheme based on Shim’s scheme. We also prove that the improved scheme is secure against the inside attack.