Security Analysis of the Unrestricted Identity-Based Aggregate Signature Scheme

Aggregate signatures allow anyone to combine signatures produced by different signers on different messages into a single short signature. The ideal form is an identity-based aggregate signature (IBAS) scheme that supports full aggregation: an identity string serves as the public key, so no certificates need to be transmitted, and anyone can aggregate arbitrary signatures without coordination among the signers, which minimizes the total data sent. Constructing a secure IBAS scheme with full aggregation from bilinear maps is an important open problem. Recently, Yuan et al. proposed such a scheme and claimed it secure in the random oracle model under the computational Diffie-Hellman (CDH) assumption. In this paper, we show that their IBAS scheme admits an efficient forgery and that their security proof has a serious flaw.

[1] Hovav Shacham et al. Sequential Aggregate Signatures from Trapdoor Permutations. EUROCRYPT, 2004.

[2] Hovav Shacham et al. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. EUROCRYPT, 2003.

[3] Dominique Schröder et al. How to Aggregate the CL Signature Scheme. ESORICS, 2011.

[4] Craig Gentry et al. Identity-Based Aggregate Signatures. Public Key Cryptography (PKC), 2006.

[5] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 2000.

[6] Rafail Ostrovsky et al. Sequential Aggregate Signatures and Multisignatures Without Random Oracles. EUROCRYPT, 2006.

[7] Dong Hoon Lee et al. Aggregating CL-Signatures Revisited: Extended Functionality and Better Efficiency. Financial Cryptography, 2013.

[8] Craig Gentry et al. Candidate Multilinear Maps from Ideal Lattices. EUROCRYPT, 2013.

[9] Yumin Yuan et al. Efficient Unrestricted Identity-Based Aggregate Signature Scheme. PLoS ONE, 2014.

[10] Craig Gentry et al. Ordered Multisignatures and Identity-Based Sequential Aggregate Signatures, with Applications to Secure Routing. CCS, 2007.

[11] David Pointcheval et al. Security Arguments for Digital Signatures and Blind Signatures. 2000.

[12] Brent Waters et al. Full Domain Hash from (Leveled) Multilinear Maps and Identity-Based Aggregate Signatures. CRYPTO, 2013.

[13] Allison Bishop et al. Dual Form Signatures: An Approach for Proving Security from Static Assumptions. IACR Cryptology ePrint Archive, 2012.

[14] Dong Hoon Lee et al. Sequential Aggregate Signatures with Short Public Keys: Design, Analysis and Implementation Studies. Public Key Cryptography (PKC), 2013.

[15] Matthew Green et al. Synchronized Aggregate Signatures: New Definitions, Constructions and Applications. CCS, 2010.

[16] Rafail Ostrovsky et al. Sequential Aggregate Signatures, Multisignatures, and Verifiably Encrypted Signatures Without Random Oracles. Journal of Cryptology, 2013.

[17] Mihir Bellare et al. Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma. CCS, 2006.

[18] Dong Hoon Lee et al. Sequential Aggregate Signatures Made Shorter. ACNS, 2013.

[19] Dong Hoon Lee et al. Universal Forgery of the Identity-Based Sequential Aggregate Signature Scheme. ASIACCS, 2009.