Aggregate and Verifiably Encrypted Signatures from Bilinear Maps

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


An aggregate signature scheme is a digital signature scheme that supports aggregation: given n signatures on n distinct messages from n distinct users, it is possible to aggregate all of these signatures into a single short signature. This single signature (together with the n original messages) convinces the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
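The abstract describes two constructions whose correctness rests on the same bilinearity identity: aggregation (the verifier checks e(sigma, g) = prod e(H(M_i), v_i)) and verifiable encryption of a signature under an adjudicator's key. The following Python is an added example, not code from the paper; it exercises exactly those verification equations over a toy bilinear map in which G1 = G2 = GT = (Z_q, +), g = 1 and e(a, b) = a*b mod q (so the paper's multiplicative notation becomes additive). The toy map is an assumption made for illustration: its "discrete logarithms" are the group elements themselves, so it has no security whatsoever and only demonstrates the algebra. The prime Q, the SHA-256 hash-to-group stand-in and the deterministic key derivation are likewise constructed for the example. The distinct-messages check in aggregate verification mirrors the abstract's requirement of n distinct messages.

```python
# Added example (not from the paper): BGLS aggregate and verifiably encrypted
# signature algebra over a TOY bilinear map.  Insecure by construction; it
# only exercises the verification equations stated in the abstract.
import hashlib

Q = (1 << 127) - 1   # constructed modulus for the toy group (Z_Q, +)
G = 1                # generator g of the toy group


def e(a: int, b: int) -> int:
    """Toy bilinear map e(a, b) = a*b mod Q; note e(k*a, b) = k*e(a, b)."""
    return (a * b) % Q


def hash_to_group(msg: bytes) -> int:
    """Random-oracle stand-in H: {0,1}* -> G1 (SHA-256 reduced mod Q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(seed: bytes) -> tuple[int, int]:
    """Secret x and public key v = g^x (written x*G here). Deterministic for the example."""
    x = int.from_bytes(hashlib.sha256(b"toy-sk|" + seed).digest(), "big") % Q
    return x, (x * G) % Q


def sign(x: int, msg: bytes) -> int:
    """sigma = H(M)^x  ->  x * H(M) in additive notation."""
    return (x * hash_to_group(msg)) % Q


def verify(v: int, msg: bytes, sigma: int) -> bool:
    """Single-signature check: e(sigma, g) == e(H(M), v)."""
    return e(sigma, G) == e(hash_to_group(msg), v)


def aggregate(sigs: list[int]) -> int:
    """Aggregate = product of signatures in the paper; a sum here."""
    return sum(sigs) % Q


def aggregate_verify(pubkeys: list[int], msgs: list[bytes], sigma: int) -> bool:
    """Check e(sigma, g) == prod e(H(M_i), v_i); messages must be distinct."""
    if len(set(msgs)) != len(msgs):
        return False
    rhs = sum(e(hash_to_group(m), v) for v, m in zip(pubkeys, msgs)) % Q
    return e(sigma, G) == rhs


def ves_create(x: int, msg: bytes, adj_pub: int, r: int) -> tuple[int, int]:
    """Verifiably encrypted signature under the adjudicator's key v' = g^x'.
    omega = sigma * v'^r, mu = g^r.  r must be fresh randomness in real use."""
    sigma = sign(x, msg)
    mu = (r * G) % Q
    omega = (sigma + r * adj_pub) % Q
    return omega, mu


def ves_verify(v: int, msg: bytes, adj_pub: int, omega: int, mu: int) -> bool:
    """Check e(omega, g) == e(H(M), v) * e(mu, v') without learning sigma."""
    return e(omega, G) == (e(hash_to_group(msg), v) + e(mu, adj_pub)) % Q


def ves_adjudicate(adj_x: int, omega: int, mu: int) -> int:
    """Adjudicator recovers sigma = omega / mu^{x'}."""
    return (omega - adj_x * mu) % Q


def demo() -> dict:
    """Run the constructed scenario and return the outcome of each check."""
    keys = [keygen(b"user-%d" % i) for i in range(3)]
    msgs = [b"route announcement %d" % i for i in range(3)]   # constructed inputs
    sigs = [sign(x, m) for (x, _), m in zip(keys, msgs)]
    pubs = [v for _, v in keys]
    agg = aggregate(sigs)

    swapped = [msgs[1], msgs[0], msgs[2]]         # wrong message/user binding
    duplicated = [msgs[0], msgs[0], msgs[2]]      # violates distinct-messages rule

    adj_x, adj_v = keygen(b"adjudicator")
    x0, v0 = keys[0]
    omega, mu = ves_create(x0, msgs[0], adj_v, r=123456789)  # fixed r for the example
    recovered = ves_adjudicate(adj_x, omega, mu)

    return {
        "singles_ok": all(verify(v, m, s) for v, m, s in zip(pubs, msgs, sigs)),
        "aggregate_ok": aggregate_verify(pubs, msgs, agg),
        "swapped_rejected": not aggregate_verify(pubs, swapped, agg),
        "duplicate_rejected": not aggregate_verify(pubs, duplicated, agg),
        "ves_ok": ves_verify(v0, msgs[0], adj_v, omega, mu),
        "ves_hides_sigma": omega != sigs[0],
        "adjudicated_ok": recovered == sigs[0] and verify(v0, msgs[0], recovered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Each function corresponds to one equation in the paper's constructions; reading the additive expressions back into the exponent notation (x*H(M) as H(M)^x, sums as products) gives the BLS aggregation and verifiable-encryption checks exactly. In a real deployment the map is a pairing on a pairing-friendly curve, r is fresh randomness per encryption, and the hash-to-group must map into the curve group.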




References

1. N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Comm., 18(4):593–610, April 2000.
2. F. Bao, R. Deng, and W. Mao. Efficient and practical fair exchange protocols with offline TTP. In Proceedings of IEEE Symposium on Security and Privacy, pages 77–85, 1998.
3. M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Proceedings of Eurocrypt '96, volume 1070 of LNCS, pages 399–416. Springer-Verlag, 1996.
4. A. Boldyreva. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 31–46. Springer-Verlag, 2003.
5. D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Proceedings of Crypto 2001, volume 2139 of LNCS, pages 213–29. Springer-Verlag, 2001.
6. D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. Cryptology ePrint Archive, Report 2002/175, 2002.
7. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 514–32. Springer-Verlag, 2001. Full paper:
8. Y. Dodis. Efficient construction of (distributed) verifiable random functions. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 1–17. Springer-Verlag, 2003.
9. A. Fiat. Batch RSA. In Proceedings of Crypto '89, pages 175–185, 1989.
10. J. Garay, M. Jakobsson, and P. MacKenzie. Abuse-free optimistic contract signing. In Proceedings of Crypto '99, volume 1666 of LNCS, pages 449–466. Springer-Verlag, 1999.
11. P. Gemmell. An introduction to threshold cryptography. RSA CryptoBytes, 2(3):7–12, 1997.
12. R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk. Robust and efficient sharing of RSA functions. J. Cryptology, 13(2):273–300, 2000.
13. C. Gentry and A. Silverberg. Hierarchical ID-based cryptography. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 548–66. Springer-Verlag, 2002.
14. S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, 1988.
15. J. Horwitz and B. Lynn. Toward hierarchical identity-based encryption. In Proceedings of Eurocrypt 2002, volume 2332 of LNCS, pages 466–81. Springer-Verlag, 2002.
16. A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proceedings of ANTS IV, volume 1838 of LNCS, pages 385–94. Springer-Verlag, 2000.
17. S. Kent, C. Lynn, and K. Seo. Secure border gateway protocol (Secure-BGP). IEEE J. Selected Areas in Comm., 18(4):582–92, April 2000.
18. A. Lysyanskaya. Unique signatures and verifiable random functions from the DH-DDH separation. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 597–612. Springer-Verlag, 2002.
19. S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisignatures (extended abstract). In Proceedings of CCS 2001, pages 245–54. ACM Press, 2001.
20. S. Micali and R. Rivest. Transitive signature schemes. In Proceedings of RSA 2002, volume 2271 of LNCS, pages 236–43. Springer-Verlag, 2002.
21. A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals, E84-A(5):1234–43, May 2001.
22. M. Naor. Deniable ring authentication. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 481–98. Springer-Verlag, 2002.
23. K. Ohta and T. Okamoto. Multisignature schemes secure against active insider attacks. IEICE Trans. Fundamentals, E82-A(1):21–31, 1999.
24. T. Okamoto. A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Computer Systems, 6(4):432–441, 1998.
25. T. Okamoto and D. Pointcheval. The gap problems: A new class of problems for the security of cryptographic primitives. In Proceedings of PKC 2001, volume 1992 of LNCS, pages 104–118. Springer-Verlag, 2001.
26. G. Poupard and J. Stern. Fair encryption of RSA keys. In Proceedings of Eurocrypt 2000, volume 1807 of LNCS, pages 172–89. Springer-Verlag, 2000.
27. R. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 552–65. Springer-Verlag, 2001.
28. F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 533–47. Springer-Verlag, 2002.

Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

1. Stanford University, USA
2. DoCoMo Labs, USA
