Security and Communication Networks

Volume 2019, Article ID 3424890, 14 pages

https://doi.org/10.1155/2019/3424890

## A Short Server-Aided Certificateless Aggregate Multisignature Scheme in the Standard Model

Hong Duc University, Thanh Hoa, Vietnam

Correspondence should be addressed to Viet Cuong Trinh; trinhvietcuong@hdu.edu.vn

Received 5 November 2018; Accepted 20 February 2019; Published 18 March 2019

Academic Editor: Bela Genge

Copyright © 2019 Viet Cuong Trinh. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

An aggregate signature scheme allows each signer to sign a different message and then aggregates all those signatures into a single short signature. In contrast, a multisignature scheme allows multiple signers to jointly sign only one message. An aggregate multisignature scheme combines both, so that signers can choose to generate either a multisignature or an aggregate signature. Such a combined scheme has many concrete application scenarios, such as the Bitcoin blockchain, healthcare, multicast acknowledgment aggregation, and so on. On the other hand, to deal with the problems of expensive certificates in certified public key cryptography and key escrow in identity-based cryptography, the notion of *certificateless* public key cryptography was introduced by Al-Riyami and Paterson at Asiacrypt’03. In this paper, we propose the first certificateless aggregate multisignature scheme that achieves constant-size signatures and is secure in the standard model under a generalization of the Diffie-Hellman exponent assumption. In our scheme, however, the signature is generated with the help of the authority.

#### 1. Introduction

*Certificateless Cryptography.* In public key cryptography, a public key is just a random number; to certify that a public key belongs to a specific user, we need to provide a certificate for that public key. Public Key Infrastructure (PKI) was introduced for this purpose; however, implementing such an infrastructure in the real world requires a lot of resources, since a large number of certificates must be issued, maintained, and revoked. Shamir [1] came up with the idea that if a public key is an identity of a specific user (an official email address, for example), there is no need to certify this public key; this led to the notion of identity-based cryptography. However, since each identity is mapped to an arbitrary given fixed number, the public key is an arbitrary given fixed number, and in traditional public key cryptosystems such as RSA or ElGamal a user cannot generate the corresponding secret key from such a public key. In all identity-based cryptosystems, the user’s secret key is in fact generated by a private key generator (PKG) who knows the master key of the system; hence the PKG knows all secret keys of the users in the system. This is the so-called key escrow problem. To deal with the problems of issuing, maintaining, and revoking a large number of certificates in traditional PKI and of key escrow in identity-based cryptography, the notion of *certificateless* public key cryptography was introduced by Al-Riyami and Paterson at Asiacrypt’03 [2]. In a certificateless cryptosystem, the user’s full secret key consists of two parts: the first part is a partial secret key generated by the PKG from the master key and the user’s identity; the second part is a secret value chosen by the user himself/herself. Because the user’s public key is still associated with the user’s identity and the full secret key includes a secret value chosen by the user, there is no need for a certificate to certify the user’s public key, and the PKG does not know the user’s full secret key.

Certificateless signature schemes were first introduced in [2] and have since been studied in depth, for example in [6–15]. Regarding certificateless signature schemes secure in the standard model, there are currently two construction approaches. The first uses Waters’ hash function [8, 9] or the Yum-Lee generic transformations [6, 7]; its advantage is that the resulting schemes can be secure under standard assumptions. However, because of Waters’ hash function or the Yum-Lee transformations, these schemes suffer from relatively large public parameters and heavy computation. The second is a direct approach [14, 15], which leads to quite efficient schemes (constant-size public parameters and signatures, as well as efficient computation); however, these schemes are only secure under strong assumptions (a generalization of the Diffie-Hellman exponent assumption), although this assumption, introduced by Boneh and Boyen at Eurocrypt’05 [16], is now widely accepted by researchers [17–22].

*Aggregate Signature.* Aggregate signatures were first introduced by Boneh *et al.* at Eurocrypt’03 [23]. In such a scheme, each signer in an aggregating set signs a different message, and all those signatures are then aggregated into a single short signature, called the aggregate signature. As shown in [5, 23–25], aggregate signatures apply well to several practical settings such as the Bitcoin blockchain, the Secure BGP protocol (SBGP) [26], healthcare, and so on. Certificateless aggregate signatures were first proposed in [27] and have since been studied in numerous papers such as [5, 28–35]. However, all of these schemes are either insecure [29, 30, 35] or suffer the drawback that the signature size is linear in the number of signers in the aggregating set [5, 28, 31–34]. Moreover, all of them rely on the random oracle model for their security proofs. Very recently, the authors of [5] proposed a new certificateless aggregate signature scheme with short public parameters that achieves the highest level of security in the classification of Huang *et al.* [13] under a standard assumption. Their scheme still suffers two drawbacks, however: the signature size is linear in the number of signers in the aggregating set, and the security proof needs the random oracle model. To our knowledge, designing a certificateless aggregate signature scheme with short signatures that is secure in the standard model remains an open problem.

*Multisignature.* In contrast to an aggregate signature, a multisignature scheme allows multiple signers to jointly sign only one message. Such schemes were first introduced in [36] and have since been the topic of many other works, such as [25, 37–43]. At ACM CCS’01, Micali *et al.* [37] first formalized the security model for multisignature schemes; they also proposed a Schnorr-based multisignature scheme secure in this model. In [25], the authors defined a multisignature scheme with public key aggregation, in which all public keys of the signers in the aggregating set are aggregated into a short aggregate public key by an additional Key Aggregation algorithm. The advantage of this approach is that the verifier needs only a constant-size input (the multisignature and the aggregate public key) to verify the multisignature; it was shown in [25, 43] that this type of scheme applies well to the Bitcoin blockchain. The downside is that each aggregating set of signers needs to publish its aggregate public key in advance. Very recently, Boneh *et al.* [43] proposed a new compact multisignature scheme with public key aggregation; their scheme, however, is secure only in the random oracle model. Regarding multisignature schemes in the certificateless setting, several schemes have been proposed [3, 4, 44, 45]. The authors of [3] addressed the problem of fast verification but did not give a formal security proof for their schemes. The authors of [4] proposed a certificateless multisignature scheme without pairings and gave a formal security proof under a standard assumption. All of these schemes achieve constant-size signatures; however, they do not address public key aggregation and still rely on the random oracle model for their security proofs.
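To make the public key aggregation idea of [25] concrete, the following is an added example (it is not code from the paper and not the paper's own server-aided, certificateless, pairing-based scheme): a simplified Schnorr-style multisignature in the spirit of [25, 37] in which the signers' public keys are folded into one aggregate key by a Key Aggregation step, so that the verifier takes only the constant-size pair (aggregate public key, signature). The group (a prime-order subgroup of Z_p^* found at import time), the SHA-256 domain tags, the function names, and the simulation of all signers inside one process with the nonce-commitment round of the real protocol left out are all assumptions of this example.

```python
"""Simplified Schnorr multisignature with public key aggregation (added example).

Not the paper's scheme: a MuSig-style construction in the spirit of [25],
over a prime-order subgroup of Z_p^*.  The nonce-commitment round of the real
protocol is omitted and every signer is simulated in one process.
"""
import hashlib
import secrets


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: fine for a demo, not a prime certifier."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int) -> tuple[int, int]:
    """Deterministically find a safe prime p = 2q + 1 with q of `bits` bits."""
    q = (1 << (bits - 1)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime(256)  # assumed demo parameters, not the paper's group
G = 4                    # 4 = 2^2 is a quadratic residue mod P, so ord(G) = Q
_NBYTES = (P.bit_length() + 7) // 8


def _enc(x: int) -> bytes:
    return x.to_bytes(_NBYTES, "big")


def _hash_to_scalar(tag: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 into Z_Q; parts are length-prefixed."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def keygen() -> tuple[int, int]:
    """Secret key x in [1, Q), public key X = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _key_list(pubkeys: list[int]) -> bytes:
    return b"".join(_enc(pk) for pk in sorted(pubkeys))


def aggregate_key(pubkeys: list[int]) -> int:
    """Key Aggregation: X = prod X_i^{a_i}, a_i = H(L, X_i), L = sorted key list."""
    L = _key_list(pubkeys)
    X = 1
    for pk in pubkeys:
        X = X * pow(pk, _hash_to_scalar(b"agg", L, _enc(pk)), P) % P
    return X


def multisign(seckeys: list[int], pubkeys: list[int], msg: bytes) -> tuple[int, int]:
    """All signers jointly sign one message; returns the constant-size (R, s).

    Each signer contributes a nonce share R_i = G^r_i and a partial s_i;
    the shares are combined by multiplication / addition."""
    L = _key_list(pubkeys)
    X = aggregate_key(pubkeys)
    nonces = [secrets.randbelow(Q - 1) + 1 for _ in seckeys]
    R = 1
    for r in nonces:
        R = R * pow(G, r, P) % P
    c = _hash_to_scalar(b"sig", _enc(X), _enc(R), msg)
    s = 0
    for x, pk, r in zip(seckeys, pubkeys, nonces):
        a = _hash_to_scalar(b"agg", L, _enc(pk))
        s = (s + r + c * a * x) % Q
    return R, s


def verify(agg_pubkey: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """The verifier needs only the aggregate public key and (R, s)."""
    R, s = sig
    if not (1 <= R < P and 0 <= s < Q):
        return False
    c = _hash_to_scalar(b"sig", _enc(agg_pubkey), _enc(R), msg)
    return pow(G, s, P) == R * pow(agg_pubkey, c, P) % P


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]
    sks, pks = [k[0] for k in keys], [k[1] for k in keys]
    X = aggregate_key(pks)
    sig = multisign(sks, pks, b"constructed sample message")
    print("valid:", verify(X, b"constructed sample message", sig))
    print("tampered:", verify(X, b"other message", sig))
```

Verification works because G^s = G^(sum r_i) * G^(c * sum a_i x_i) = R * (prod X_i^{a_i})^c = R * X^c. The per-key coefficients a_i = H(L, X_i) are what make the aggregate key depend on the whole signer set; with a plain product of keys, one signer could publish a key that cancels the others out, which is exactly the case the extra Key Aggregation step in [25] guards against. Note that the aggregate key must be known to the verifier before checking, which is the "publish in advance" cost mentioned above.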

##### 1.1. Our Contribution and Organization of the Paper

In this paper, we extend the work in [14] to the combination of an aggregate signature scheme and a multisignature scheme in the certificateless setting. More precisely, in our server-aided certificateless aggregate multisignature scheme (- for short), an aggregating set of signers can choose to generate either an aggregate signature or a multisignature with the help of the private key generator (PKG); for simplicity, such a signature is called an aggregate multisignature. If the aggregating set contains only one signer, the resulting signature is an ordinary signature and the signer does not need help from the PKG.

More precisely, our scheme has the following properties:

- (i) it is the first certificateless aggregate multisignature scheme;
- (ii) the signature contains four elements in all cases;
- (iii) it is secure against strong Type I and strong Type II adversaries (according to the classification of Huang *et al.* [13]) in the standard model under the generalization of the Diffie-Hellman exponent assumption;
- (iv) it is server-aided;
- (v) it supports public key aggregation;
- (vi) public key size, signing time, and verification time depend on the maximum number of signers in one aggregating set, which is fixed at setup.

More details can be found in Tables 1 and 2.