Identity-Based Aggregate Signatures

  • Craig Gentry
  • Zulfikar Ramzan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


An aggregate signature is a single short string that convinces any verifier that, for all 1 ≤ i ≤ n, signer S_i signed message M_i, where the n signers and n messages may all be distinct. The main motivation of aggregate signatures is compactness. However, while the aggregate signature itself may be compact, aggregate signature verification might require potentially lengthy additional information – namely, the (at most) n distinct signer public keys and the (at most) n distinct messages being signed. If the verifier must obtain and/or store this additional information, the primary benefit of aggregate signatures is largely negated.

This paper initiates a line of research whose ultimate objective is to find a signature scheme in which the total information needed to verify is minimized. In particular, the verification information should preferably be as close as possible to the theoretical minimum: the complexity of describing which signer(s) signed what message(s). We move toward this objective by developing identity-based aggregate signature schemes. In our schemes, the verifier does not need to obtain and/or store various signer public keys to verify; instead, the verifier only needs a description of who signed what, along with two constant-length “tags”: the short aggregate signature and the single public key of a Private Key Generator. Our scheme is secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups against an adversary that chooses its messages and its target identities adaptively.
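The following is an added worked example, not code from the paper or its authors. The abstract does not give the scheme's algebra, so the construction below is an assumed illustrative identity-based aggregate signature of the same shape: a Private Key Generator with master secret s, two private-key components per identity derived from hashes of the identity string, a shared string w (an assumption of this example, in addition to the two tags the abstract names) so that all signers' randomness folds into a single group element, and a verifier whose inputs are only who signed what, the aggregate, the PKG public key and w. The pairing-friendly group is replaced by the additive group Z_Q with e(a, b) = a·b mod Q, which is bilinear but has a trivial discrete logarithm, so the code demonstrates the verification-information point, not security. All identities, messages, hash tags and the group order are constructed for the example.

```python
"""Toy identity-based aggregate signature (added example; assumed construction, not the paper's).

The pairing-friendly group is modelled by Z_Q under addition with the map
e(a, b) = a*b mod Q.  It is bilinear, so the verification algebra is the same
as in a real pairing group, but discrete log is division, so nothing here is
secure.  Purpose: show that the verifier needs no per-signer public keys.
"""
import hashlib
import secrets

Q = 2**127 - 1  # constructed toy group order (a prime); "points" and scalars are ints mod Q
P = 1           # generator of the toy additive group


def _h(tag: str, *parts: str) -> int:
    """Domain-separated hash onto Z_Q, standing in for the scheme's hash functions."""
    data = tag.encode()
    for part in parts:
        data += len(part).to_bytes(2, "big") + part.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def e(a: int, b: int) -> int:
    """Toy bilinear map: e(x*a, y*b) = x*y*e(a, b); the target group is Z_Q written additively."""
    return (a * b) % Q


def setup():
    """PKG: master secret s and the single public key Ppub = s*P that every verifier stores."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q


def keygen(s: int, ident: str):
    """PKG: private key for an identity; no per-signer public key is ever published."""
    return tuple((s * _h(f"H1:{j}", ident)) % Q for j in (0, 1))


def sign(d, ident: str, msg: str, w: str):
    """Signer: S binds (msg, ident, w) through the hash c; T carries the randomness r."""
    d0, d1 = d
    c = _h("H3", msg, ident, w)
    r = secrets.randbelow(Q - 1) + 1
    S = (r * _h("H2", w) + d0 + c * d1) % Q
    T = (r * P) % Q
    return S, T


def aggregate(sigs):
    """Sum component-wise: the aggregate stays two group elements however many signers."""
    return sum(s for s, _ in sigs) % Q, sum(t for _, t in sigs) % Q


def verify(ppub: int, w: str, who_signed_what, agg) -> bool:
    """Verifier input: identities and messages, the aggregate, Ppub and w, and nothing else."""
    S, T = agg
    q = 0
    for ident, msg in who_signed_what:
        c = _h("H3", msg, ident, w)
        q = (q + _h("H1:0", ident) + c * _h("H1:1", ident)) % Q
    # Multiplicatively: e(S, P) == e(Q, Ppub) * e(T, Pw); the toy target group is additive.
    return e(S, P) == (e(q, ppub) + e(T, _h("H2", w))) % Q


def demo():
    """Three signers, three distinct messages.  Returns (valid aggregate accepted,
    tampered message rejected, swapped signer/message attribution rejected)."""
    s, ppub = setup()
    w = "round-42"  # constructed shared string
    batch = [("alice@example", "pay 10"), ("bob@example", "pay 20"), ("carol@example", "ack")]
    sigs = [sign(keygen(s, ident), ident, msg, w) for ident, msg in batch]
    agg = aggregate(sigs)
    ok = verify(ppub, w, batch, agg)
    tampered = verify(ppub, w, [batch[0], ("bob@example", "pay 2000"), batch[2]], agg)
    swapped = verify(ppub, w, [("bob@example", "pay 10"), ("alice@example", "pay 20"), batch[2]], agg)
    return ok, not tampered, not swapped


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two points are worth noticing in `verify`: the only per-signer data it touches is the identity string and the message (the "description of who signed what"), and the aggregate stays two elements regardless of n. The two-component private key is not decoration: with a single component d and S = r·Pw + c·d, a valid pair (S, T) on one message could be rescaled by c'/c into a valid pair on another, which is why the illustrative construction separates the constant part d0 from the message-dependent part c·d1.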





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Craig Gentry, Stanford University, USA
  • Zulfikar Ramzan, DoCoMo Communications Laboratories USA, Inc., USA
