In future, hundreds of years of mathematical problems that the security of public key cryptography algorithms rely on may be defeated by quantum algorithms. How can a digital signature scheme gracefully balance security and efficiency? This study uses the conjugate search problem and the left self-distributive system to combine and uses the RSA-like algorithm as the underlying structure to propose a new aggregated signature scheme. We, through the EUF game, under the random metaphor model, prove that the security of the scheme satisfies the adaptation unforgeability under selective message attack, the scheme can be finally reduced to the discrete logarithm problem or large prime number decomposition problem. In addition, we can achieve antiquantum attack and exhaustive attack by performing matrix calculations on the message, defining and changing the structure of the matrix by encoding, and setting thresholds for the matrix dimension and the length of the private key. In terms of efficiency, the message signature implementation is linear compared with the expansion rate in terms of storage and computing overhead, and the generation and verification of the final signature pair have nothing to do with the number of users. In addition, the length of the signature is fixed and the size is only the length of a single group, which effectively reduces the generation of public and private key pairs and saves a lot of storage space. The storage space and computational complexity are also effectively improved compared with other solutions.

1. Introduction

Throughout the ages, information security has played an important role in both ordinary life and military strategy. Cryptography provides the theory and technical support of information security and meets the four requirements of information security from the two aspects of data encryption and digital signature: confidentiality means information content cannot be accessed by unauthorized persons. Integrity means no information modification during transmission and storage. Authentication means identification and authentication service technology applied to both the entity and the information itself. Nonrepudiation means users cannot deny their existing actions and commitments [13]. Among them, data encryption can realize the confidentiality of data, and a digital signature can realize the integrity, authentication, and nonrepudiation of information. The digital signature is a digital simulation of a handwritten signature. With the advent of the information age, most standard protocols, and software support digital signatures, at present, many countries have legislation that stipulates that digital signatures and handwritten signatures have the same legal effect. In 1978, Rivest et al. realized the first public-key encryption scheme [4] for the large integer factorization problem, and at the same time, using this public-key encryption scheme, we realized the first digital signature scheme, namely, the famous RSA scheme. Since the proposal of this scheme, the research on digital signatures has always been one of the main research topics and hotspots in the field of cryptography. Digital signatures often involve multiuser scenarios: on the one hand, the signature itself needs to be signed by multiple users; on the other hand, although the signature is generated by a single user, security in a multiuser environment needs to be considered. Boneh et al. first proposed the concept of aggregated signatures in 2003 [5] and constructed the first aggregated signature scheme using pairings on elliptic curves. Roughly speaking, the aggregated signature is the synthesis of different signatures by users to different pairs of documents into a single signature , which reduces not only the storage space requirements for signatures but also the requirements for transmission network bandwidth. At the same time, the verification of multiple signatures is simplified into one verification, which reduces the workload of the verifier. Especially, in some computing resources and a large number of fast authentication situations at the same time, such as online ticket purchases, virtual currency, safety routing protocol, and vehicle ad hoc networks, whether it is the Spring Festival transport of 1.4 billion people in China or the routing topology in a certain area, it has a greater application demand for short-signed fast algorithms. In the direction of protecting user data privacy and communication security, even 6 G networks with endogenous security face many problems, such as AI-induced concerns about security and privacy issues, including data security, AI model and algorithm security, and malicious use of AI technology. Traditional computational complexity-based cryptographic mechanisms (such as encryption, authentication, authorization, signature, and privacy protection) will remain the primary method for maintaining network security and data privacy. However, due to the characteristics of 6 G networks, lightweight and efficient encryption and signature mechanisms are very popular. The combination of 6 G and blockchain, through the application of encryption algorithms such as aggregate signature and ring signature in the data structure, makes the data highly anonymous and improves the efficiency of authentication, which is also a promising solution. The achievement of these goals requires an efficient and secure signature algorithm as the underlying technical support. In the near future, quantum computers are expected to break the modern public key cryptosystem. Postquantum cryptography must be an important means to protect future information security. The past cryptosystems cannot be abandoned. How to migrate from public key cryptosystems to postquantum cryptosystems has become a hot topic.

1.1. Contributions

Given the problems of existing schemes such as excessive storage signature overhead, low signature verification efficiency, insufficient security, and inability to achieve antiquantum computing in the future, we propose a new scheme; the main contributions of this study are summarized as follows:(1)This study uses the combination of RSA, CSP (conjugate search problem), and LD (left self-distributive system) to construct a new aggregated signature scheme, and we utilize the RSA-like as the underlying structure of the scheme, which can eventually be reduced to the DLP problem or the large prime number decomposition problem because the RSA algorithm is based on the large prime number decomposition problem.(2)In terms of security, the proposed scheme satisfies that EUF-CMA can resist existential forgery attacks under adaptive selection messages. Through the EUF game, adversary A uses his scheme to attack the challenger as a subroutine, designs computational targets for adversary B, and then defines the advantage that B can solve for a given RSA-like scheme to achieve the proof.(3)In terms of efficiency, since all messages are encoded as low-dimensional matrices with a certain regularity, and with the help of the characteristics of the CSP-LD system, the signatures of all signers will be synthesized into the final unique signature through calculation.As a result, the signature storage and verification become more efficient. The overhead is greatly reduced, the expansion rate of message signature implementation is linear compared with the storage and computing overhead, and the length of the final aggregated signature is fixed, which saves the maximum amount of signed storage space without losing accuracy.(4)What is more prominent is that the scheme we propose can customize the format of the encoded message matrix. By setting the system parameters to reach a certain threshold, it can achieve antiquantum attacks. Other problems using RSA or DLP include digital signature schemes based on pairing problems, neither can resist the quantum computer attack under Shor’s algorithm.

How to construct efficient and secure aggregated signatures has always been highly concerning for cryptographers. Hashimoto and Ogata [6] proposed the first unrestricted and compact aggregated signature scheme, in which the signature size is constant, and the generated pair signatures can have different information states and can aggregate any combination of signatures. Iwasaki et al. [7] extended from the two perspectives of structured signature and identity-based signature and constructed an identity-based structured aggregated signature scheme, and the security of the scheme will not be reduced due to the ability of the adversary. It can successfully defend against switching attacks (CCS 2007, Boldyreva et al. [8]) and reordering attacks (ISPEC 2007, Shao [9]). In recent years, the combination of signature scheme and blockchain technology [1012], federated learning technology [13], 6G network [14], homomorphic learning [15], network routing protocol [16], edge computing [17], vehicular ad hoc networks [18], and software-defined vehicular network [1921] by applying signature algorithms and encryption algorithms to the experimental scheme to further strengthen the security of the scheme and improve the privacy protection capability of the scheme is also a hot topic. In the blockchain, the digital signature is one of the three basic technologies, and its importance is self-evident. The blockchain mainly uses digital signatures to control permissions, identify the legal identity of transaction initiators, and prevent malicious nodes from impersonating. Coincidentally, the distributed and decentralized edge nodes inherent in the 6 G network allow blockchain technology to be used to improve the endogenous security performance of 6 G, based on blockchain technology to achieve what is considered a promising solution in the field of data security and privacy in 6 G networks. Data have a high level of anonymity by applying encryption algorithms such as aggregate signature signatures and ring signatures in the data structure. In edge computing, federated learning, and homomorphic learning, edge computing processes and applies data to the nearest computing facility to protect its privacy or federated learning uses other remote data and protects the privacy of remote data, and at the same time collaborative modeling, or the cloud computing model based on homomorphic encryption, solves the problem of users trusting cloud service providers not to steal or even user data and to achieve data confidentiality and computability. Verifying the identity legitimacy of a user or terminal based on a digital signature is both basic and necessary work. SDVN (software-defined virtual network) is a new type of VANET (vehicle ad hoc network), a promising networking paradigm, that can provide intelligent information exchange by separating network management and data transfer. For such applications that combine vehicles with networks, frequently changing topology networks, real-time routing calculations, and efficient service requests all play a crucial role in vehicle networks. Before designing a routing strategy for vehicles in these operations, it is undoubtedly a wise move to use an aggregated signature scheme that is fast and can protect its identity privacy to verify the legitimacy of vehicle units. Domestic Li et al. [22] constructed an efficient aggregated signature scheme under the certificateless public-key cryptosystem based on bilinear pairing, and the signature length of the scheme is only two group elements. Only 4 pair operations (of constant magnitude) and scalar multiplication operations are required in signature verification, which has a fast signature verification algorithm and fast transmission efficiency. Zhou et al. [23] proposed two certificateless aggregated signature schemes that do not use bilinear mapping for different network environments. However, due to the long aggregate signature length of Scheme I, it can only be used in a network environment with high bandwidth and the final signature length is positively correlated with the number of users, Scheme II has a shorter signature length, and the length has nothing to do with the number of users and will be used in a network environment with low bandwidth. Whether the security proofs of these two schemes have existential unforgeability under adaptive chosen message attack remains to be further analyzed. At present, most aggregated signature schemes are constructed according to the pairings on elliptic curves. For example, Yang et al. [24], aiming at the problems of privacy leakage and low signature verification efficiency in VANET (vehicular ad hoc network), combined with identity-based cryptography and aggregated signature technology, designed a message authentication scheme for VANET to improve the security of the system and the efficiency of road traffic.

However, there are still many deficiencies in the pairing-based scheme: one is that the hardware devices currently implemented are all oriented towards RSA and DLP (discrete logarithm problem), and the pairing-based cryptography scheme still has a long way to go before it can be applied in reality. Another is that the pairing problem was not introduced into cryptography for research until 2000. Unlike RSA and DLP problems, hundreds of years of research have made them well-understood in the cryptography community. Therefore, most of the current digital signature schemes are based on the discrete logarithm problem and the RSA problem. For example, many people learn from the ideas of Bellare and Neven [25] and propose RSA-based identity-based sequential signature schemes, which need to be further strengthened and improved in terms of the storage efficiency of signatures and whether they can achieve EUF-CMA (existential unforgeability under adaptive chosen message attack) security. What makes us more motivated is that almost no one aggregates signatures based on RSA.

More importantly, with the development of quantum computers, the abovementioned mathematical problems that the security of public key cryptographic algorithms depends on can be solved by efficient quantum algorithms [26, 27]. As the underlying mathematical problems are solved, including discrete logarithms (elliptic curve versions) and large integer factorization, all these public key cryptographic algorithms will no longer be secure, which directly affects Diffie-Hellman, Elliptic Curve, RSA, and those currently used algorithms. In 2016–2017, NIST focused on the solicitation of the following three categories of postquantum cryptographic algorithms: encryption, key exchange, and digital signatures. Among the 69 “complete and suitable” candidate drafts, postquantum cryptographic algorithms constructed by the following 4 mathematical methods are mainly included lattice-based, code-based, multivariate-based, and hash-based. The scheme discussed in this study does not have a self-made wheel, but through the fusion of CSP and matrix, using the encoding of the message to achieve antiquantum attacks, the specific form is in the follow-up content.

3. Preliminaries

Before introducing definitions, let us review the concept of groups.

When an algebraic system has a certain operation , is a binary operation. When satisfies the following properties, we call the algebraic system a group, in which is simply denoted as :(1)Closedness: it means for satisfying .(2)Unitary: it means, for , there are existing . At the same time, we call the identity element of .(3)Inverse element exists: it means, for , there are existing . Then, is called the inverse of , denoted as .(4)Associativity: it means satisfying .

An algebraic system is called a semigroup if it only satisfies closure and associativity. For example, multiplication and addition of real numbers. If the operation in an algebraic system also satisfies the commutative law, that is, has , then is called a commutative group, also called an Able group.

Note that not all elements in have inverses. At the same time, , times, and , times, where .

Let be the set of all invertible elements belonging to , expressed as follows:

The so-called CSP problem can be roughly explained in the group: there is a group , where and ; there must be an element ; and are isomorphic so that ; we say that, for the element , , and are conjugated.

Definition 1. (conjugacy search problem, CSP). Suppose is a noncommutative group, and are two elements belonging to , denoted as , and the unknown is an element in , denoted as , satisfying . The so-called CSP (conjugate search problem) problem in the noncommutative group refers to finding another in , denoted as , so that , where does not need to be exactly the same as .

Lemma 1. The same applies to transforming and into matrix form in the above search problem. For example, write and as the simplest two-dimensional upper triangular matrix:

Satisfying ,

CSP (conjugate search problem) problem in the noncommutative group refers to finding another in , denoted as , so that , where does not need to be exactly the same as :

Theorem 1. If the matrix is invertible, then the inverse matrix of is unique, and the proof is omitted.

Definition 2. (left self-distributive system, LD [28]). is a nonempty subset and is a complete and closed function satisfying ; we denote as . If satisfies the following formula, then we call a left self-distributive system or LD system for short:If we consider as a binary operation , the above expression becomesThe operator is left self-distributive.

Definition 3. (CSP-LD system [29]). Assuming that is a noncommutative group, the binary function satisfies the following conjugation operations:Then, is a CSP-LD system.
The proof is as follows:The CSP-LD system also has some very simple but very useful properties in the field of cryptography. A few are listed below, and readers can prove it by themselves.Property 1: Property 2: Property 3: The power-law property of in the CSP-LD system will be described in detail below.

Lemma 2. Suppose and are given and fixed, . Then, for any three integers , as long as is satisfied, there must be the following formula:

The first proof of the formula is as follows:

The second proof of the formula is as follows:

The two formulas are of great help to our follow-up content. One satisfies the internal and external exchange of power, transforming the exponent of the variable into the exponent of the function, and the other satisfies the addition of the power law.

Definition 4. (security definition of EUF-CMA). Currently, there are two main types of attacks against digital signatures: key-only attacks and known-message attacks. A key-only attack means that the adversary only knows the signer's public key without any other message. Among the many known-message attacks, the attack method with the highest attack strength is called adaptively chosen message attacks. In this type of attack, the adversary uses the signer as a querier, which can query not only the challenger for messages that depend on the signer's public key but also the signed message that has already been queried. If a signature scheme still has signature unforgeability under this attack, in other words, the signature constructed by the adversary through this optional challenge is still illegal and cannot be verified, the scheme is said to have existential unforgeability under adaptive chosen message attack, which is referred to as EUF-CMA security [30, 31]. The advantage of the adversary in the following experiments is negligible:Let denote that accesses the message set of signature metaphor .
Returns 1 if , otherwise returns 0, where has access to the signed idiom machine polynomial bounded degree. The specific meaning is whether the challenger can judge whether the signature of the message comes from the message set of the signature metaphor visited by the adversary through . If it returns 1, it means that the challenger believes that the signature of the message is naturally generated by legal means. If it returns 0, it means that the challenger believes that the signature of the message is generated by accessing the metaphor .
The advantage of is defined as follows:When , which is a negligible function, then we say the scheme is EUF-CMA safe.

4. EUF-CMA Security Signature Scheme Based on CSP

We first review the basic process of the RSA algorithm and specifically prove why the classical RSA signature algorithm does not have the existence of unforgeability under the adaptive chosen message attack.

The basic description of the RSA-like signature algorithm is as follows.(1)Key generation is as follows:(2)Signature is as follows:(3)Verify is as follows:

Obviously, this signature algorithm is not antiforgery under the adaptive chosen message attack. When the attacker performs a -bounded query, can submit for the signature query. At this point, the challenger answers, computes , and returns it to . forges the signature of message and outputs because of

Therefore, is the legal signature of .

According to the previous Definition 4, EUF-CMA security definition, we can make the following analysis:

Let denote the message set of accessing signature metaphor , denoted as , where has access to the signed metaphor polynomial bounded times.

At this time, the adversary has the message and its corresponding signature after accessing the signature machine . At the same time, calculates , and the challenger calculates and returns it to . Then, has another pair of signatures . Verified by the challenger for legitimacy,

However, the adversary has not used to access the signature metaphor, so . That is to say, the challenger believes that the message signature is naturally generated through legal means. The advantage of at this time is defined as follows:

How to solve this problem? The previous method is to use the FDH (global hash function) that the output bit length of the hash function is the same as the modulus bit length to ensure the security of the scheme [32], but the hash function itself is a relatively complex algorithm, and the so-called randomness itself is controversial. Because no algorithm is truly random, such as , whose output is a pseudorandom process from to . In addition, using a hash function will reduce the efficiency of the scheme. Below, we will propose a new solution that satisfies EUF-CMA and prove that its security is improved based on the comparison above.

4.1. Definition of the RSA Problem (RSAP)

Given a positive integer ( is the product of two different odd prime numbers ), a positive integer , and an integer , we find an integer such that . That is to say, the RSA problem is to find the root of times in the case of modulo ( is a composite integer).

4.2. The Difficult Problem of CSP Based on DDH

is a noncommutative group. Suppose is a function that satisfies the above CSP-LD system while having an adversary . For any , we perform the following two experiments in parallel:

For adversary , the advantage of successful attacks in a CSP system based on the DDH assumption is defined as follows:

In other words, when are taken randomly from , we can consider that and are computationally indistinguishable when distributed. At present, there is no specific statement in the academic community to judge whether the CSP-DDH problem is hard, but we know that, in a general cyclic group, the DLP problem and the DDH problem are equivalent. From the above CSP-LD system reasoning, we know that, on a noncommutative semigroup, the CSP problem and the CSP-DDH problem can be directly replaced by the DLP problem and the DDH problem. Therefore, by logical reasoning, we can conclude that in a general noncommutative semigroup, the CSP problem and the CSP-DDH problem are equivalents [27].

4.3. Digital Signature Scheme Based on CSP-LD System

Assuming that and are random numbers, , which have been fixed for the system parameters. Assuming that is a general noncommutative semigroup, the binary function satisfies the following conjugate operations:

We mark as .(1)Key generation is as follows:(2)Signature is as follows:(3)Verify is as follows:

Under the CSP-LD system, the above scheme RSA-CSP-LD is EUF-CMA safe if the GenRSA-related RSA problem is difficult. Compared with the predecessors using the global hash function FDH to map to prevent signature forgery, our scheme has a more compact security reduction.

Theorem 2. Specifically, assuming that there is an adversary that breaks the RSA-CSP-LD scheme with the advantage of , then there must be an adversary that solves the RSA problem at least with the advantage of the following:

Proof. The EUF game is as follows.
In this proof process, all references to refer to a universal noncommutative group, is the CSP-LD system function defined on , and are two fixed elements.(1)The challenger runs to get and runs CSP-LD to get . Adversary gets the public key .(2)The adversary can ask the challenger and the signature of the message; when requests the signature of the message , the challenger returns to .(3) outputs a message-signature pair where has not previously requested a signature for a message . If , the adversary attack is successful.The following proves that the RSA-CSP-LD scheme can be reduced to the RSA problem.
The adversary knows where is uniformly random on . Using to attack RSA-CSP-LD as a subroutine, the goal is to calculate . Because if can get such that , then . Because of , if is the value of of a message in the CSP-LD system, then is the signature of the message. is generated by adversary , but is generated by , and can be set to . Since does not know which message generates a forged pair signature when generating , has to make a guess, where the jth query of corresponds to the final forged result of . Before the reduction, for the sake of generality, we assume that the adversary will not issue the same query to twice. If requests the signature of , we take that it has been asked before.
The reduction process is as follows:(1) gives the public key to .(2) inquiry (at most times): creates a list query, which is initially empty and the element type is a quadruple , indicating that has set , . When initiates a query (set to ), will answer as follows:(a)If there is already an item corresponding to in query, we reply with .(b)Otherwise, randomly chooses a and sets . If , we return .Otherwise, we select a random value , calculate , take as the answer to this query, and store in the table query.(3)Signature query (up to times): when requests message as a signature, looks up in the list query such that .If , we return .Otherwise, , interrupts.(4)Output: outputs (M, . looks for in the query list corresponding to the quadruple , if , interrupts.In the above reduction process, is the guess of . corresponding to the message that in the quadruple is the signature that will eventually forge and the role of in the quadruple is an identifier.
The success of is determined by the following three events: does not break in 's signature query produces a valid message-signature pair occurs and is equal to 0 in the quadruplet corresponding to ., , and . So, the success rate of is .
Considering as a function of , when can be obtained, reaches the maximum, and the maximum value is . The proof is complete.
Compared to previous pair schemes, our scheme has a larger pair advantage in terms of efficiency, since all messages are encoded as low-dimensional matrices, and the scaling rate in terms of storage and computational overhead is linear compared to plaintext implementations. Horan K. et al. [33] mentioned that the CSP problem is in a general linear group (where represents the real number field); if , CSP can be proved to be antiquantum secure, so when we encode the message as a matrix, it is necessary to keep its dimension greater than 4. Specifically, we assume that is a general noncommutative semigroup, , and the function can be regarded as a pair of preprocessing for the message . For any message originating from the real domain , we can encode as a 6-dimensional upper triangular matrix, denoted by .
We use three pairs of random numbers to represent the message , while satisfying certain properties: , where is a system random number. With these elements, we construct the matrix as follows:Combining the above three small matrices, the final encoding form of the message is as follows:0 here also represents an all-zero matrix of 2 × 2. represents a random matrix uniformly sampled from the real number domain .
Next, we perform the encoding operation on . We uniformly randomly sample a matrix from to represent , which can also be considered as 9 random matrices of 2 × 2, as expressed in the following form:The probability that message space communicates with elements in is negligible. It can be understood in this way that here is similar to a key for encrypting a message , so there are the following operations:where is the input parameter for the subsequent execution of the RSA algorithm, which can also be regarded as the encryption of the message , where can be understood as a symmetric key. In some specific cases, we can perform conflict tracking, use to solve , recover the message from , and recover the signer pair identity from (assuming the user identity information is placed in it).
The security (antiforgery) of proves the following.
First, we carry out the following operations:where are random matrices. The representation of is as follows:among them is randomly sampled from . The adversary is defined to launch a forgery attack according to the following algorithm, which is formally described as follows [34]:The adversary's advantage is defined as follows:We will try to expand the content of the if conditional statement :among themHowever, by borrowing the scheme of Li et al. [35], we can clarify . So, the part of always satisfies positive, and . Therefore, for an attacking adversary, to distinguish whether the signed message is or , he only needs to calculate according to the sign of the returned value. If a positive value is returned, 1 is output, representing the guessed signature message as . If a negative value is returned, 0 is output, which means the guessed signature message is . Therefore, the advantage of the adversary is 1, which means that the scheme is not anticounterfeiting.
The advantage of our proposed scheme is that we are a probabilistic encryption scheme. There can be multiple encoding forms for . First, a random even number is selected to encrypt , and the following form is obtained:According to the properties of the CSP-LD system, we mentioned earlier, and the upper triangular matrix encoding form of isWe can inferTherefore,Because is an even number, the adversary always has a positive value when calculating , and it is impossible to determine whether the signature comes from or .

5. RSA-like Aggregate Signature Scheme Based on CSP-LD System

Before formally introducing the aggregate signature scheme, we need to make a formal specification of the paired element in for a secure and valid pair.Specification 1: in a CSP-LD system, the representation of elements in is uniqueSpecification 2: it is possible to efficiently convert an element in to its regular formSpecification 3: the length of does not show any information about .

According to Definition 3, we suppose a and b are random numbers, , which are given and fixed for the system parameters, and we assume that is a general noncommutative semigroup, and the binary function satisfies the following conjugation operations:

We denote as .

Assuming that there are different users , in a multiuser environment, the message needs to be co-signed. Our RSA aggregate signature scheme based on the CSP-LD system consists of the following algorithms.

(1–1) message encoding: the message is composed of satisfying some certain property, , where is a system random number, and an even number is sampled from the random number in the real number domain. We construct the matrix as follows:

Combining the above three submatrices, the final encoding form of the message is as follows:

0 here also represents an all-zero matrix of 2 × 2. represents a random matrix uniformly sampled from the real number domain .

(1–2) coding form of : we uniformly randomly sample a matrix from for encoding, representing , which can also be considered as 9 random matrices of 2 × 2, expressed in the following form:(1)Key generation is as follows:(2)Signature is as follows:(3)Verify is as follows:

If , we return 1; otherwise, we return 0.

Proof of the correctness of the scheme: according to Lemma 2, the CSP-LD system satisfies the following properties:

Because of , we get . On the question of whether the security is satisfied, we can infer from the previous point that since is an upper triangular matrix, it satisfies

When the adversary tries to distinguish or by computing the determinant,

Because the value of is an even number (it can be set to ), the adversary cannot determine whether the signature comes from or based on the value calculated by , so satisfies the selection of plaintext antiforgery. According to the previous inference in Definition 4, the aggregated signature scheme proposed by us is still antiforgery under the adaptive chosen message attack.

According to the algorithm proposed by Shor, a quantum computer with qubits can perform operations at a time. In theory, the key is the 1024 bit long RSA algorithm, which can be cracked in 1 second with a 512 bit quantum computer. At present, as long as the proposed scheme is set to a 160 bit integer, it can resist the exhaustion-resistant attack [27].

6. Efficiency Analysis

Now, we compare the computational efficiency of the RSA aggregate signature scheme under the CSP-LD system with some other aggregate signature schemes. Still assume that there are users signing messages at the same time. For each signature, if the aggregation method is not used, the original RSA signature method without aggregation method needs to store a total of pairs of signatures. While the scheme in [36] improves the efficiency by 50%, the signature they store is . In our scheme, no matter how many users there are, we only need to store a pair of signatures, namely, , which benefits from the advantages of the CSP-LD system. Compared with [36], our improved efficiency has a linear relationship with the value of , and the larger the value, the greater the advantage of our scheme. Compared with the pairing-based scheme in [24], our advantage is even more obvious, since it is known that a pairing operation takes approximately 6–20 times the time of a modulo-exponential operation [25].

In addition, since all messages are encoded as low-dimensional matrices, the scaling rate in terms of storage and computation overhead is linear compared to message signature implementations and the length of aggregated signatures is fixed, maximizing signature storage savings space without losing accuracy. In terms of security, our scheme is also indestructible to a large extent, and the strongest attack method against the signature scheme, the adaptive chosen message attack, is still existentially unforgeable. Moreover, by setting the system parameter thresholds on the matrix dimension and the length of the private key, antiquantum attacks, and exhaustive attacks can be achieved.

Explanation of symbols in Table 1: represents a power of 1 operation, represents a hash operation, represents a bilinear pairing operation, and represents the number of users. Assuming that the following three schemes all select the group whose order is the same prime number , if the system parameter is 160 bits, the length of the group is calculated as . The details are shown in Table 1.

The details of the security comparison between our scheme and literature are shown in Table 2.

7. Conclusion

This study improves the RSA-like signature scheme by proposing new schemes that take advantage of CSP-LD systems to encode messages with the low-dimensional matrix. By flexibly changing the encoding structure, it can perfectly satisfy the antiforgery under the adaptive choice message attack (EUF-CMA) without using the global hash function. Setting the matrix dimension greater than the critical value can achieve the antiquantum attack, and controlling the length of the user's element longer than a certain bit can resist exhaustive attacks. In the environment where users sign a message, we implement the aggregated signature under the RSA structure according to the CSP-LD system, which greatly reduces the generation of public and private key pairs. Moreover, the final signature pair has nothing to do with the number of users, which saves a lot of storage space and improves computing efficiency. In the future, we look forward to combining the signature scheme with cutting-edge technologies such as blockchain technology, smart contracts [37], and machine learning [38] to improve the deployment of the scheme, learn from each other's strengths, and furthermore, improve efficiency and security.

7.1. The notations of this work

In this section, we explain all the specific characters in the study; the details are shown in Table 3.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work was supported by the “Chengdu-Chongqing Economic Circle Construction” Scientific and Technological Innovation Project of Chongqing Municipal Education Commission, under Grant KJCX2020033, the National Natural Science Foundation of P.R., China, under Grants 61903053 and 62273065, the Opening Project of Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, under Grant AGK2020006, and the Chongqing Municipal Education Commission Research Program, under Grants KJQN201900702 and KJZD-K201800701.