Synchronized Aggregate Signatures from the RSA Assumption

Hohenberger, Susan; Waters, Brent

doi:10.1007/978-3-319-78375-8_7

Susan Hohenberger¹⁵ &
Brent Waters¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10821))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3600 Accesses
27 Citations

Abstract

In this work we construct efficient aggregate signatures from the RSA assumption in the synchronized setting. In this setting, the signing algorithm takes as input a (time) period t as well the secret key and message. A signer should sign at most once for each t. A set of signatures can be aggregated so long as they were all created for the same period t. Synchronized aggregate signatures are useful in systems where there is a natural reporting period such as log and sensor data, or for signatures embedded in a blockchain protocol.

We design a synchronized aggregate signature scheme that works for a bounded number of periods T that is given as a parameter to a global system setup. The big technical question is whether we can create solutions that will perform well with the large T values that we might use in practice. For instance, if one wanted signing keys to last up to ten years and be able to issue signatures every second, then we would need to support a period bound of upwards of $2^{28}$.

We build our solution in stages where we start with an initial solution that establishes feasibility, but has an impractically large signing time where the number of exponentiations and prime searches grows linearly with T. We prove this scheme secure in the standard model under the RSA assumption with respect to honestly-generated keys. We then provide a tradeoff method where one can tradeoff the time to create signatures with the space required to store private keys. One point in the tradeoff is where each scales with $\sqrt{T}$.

Finally, we reach our main innovation which is a scheme where both the signing time and storage scale with $\lg {T}$ which allows for us to keep both computation and storage costs modest even for large values of T. Conveniently, our final scheme uses the same verification algorithm, and has the same distribution of public keys and signatures as the first scheme. Thus we are able to recycle the existing security proof for the new scheme.

We also extend our results to the identity-based setting in the random oracle model, which can further reduce the overall cryptographic overhead. We conclude with a detailed evaluation of the signing time and storage requirements for various settings of the system parameters.

S. Hohenberger—Supported by the National Science Foundation CNS-1228443 and CNS-1414023, the Office of Naval Research N00014-15-1-2778, and a Microsoft Faculty Fellowship.

B. Waters—Supported by NSF CNS-1414082, DARPA SafeWare, Microsoft Faculty Fellowship, and Packard Foundation Fellowship. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Defense or the U.S. Government.

You have full access to this open access chapter, Download conference paper PDF

Pointcheval-Sanders Signature-Based Synchronized Aggregate Signature

Identity-Based Key-Insulated Aggregate Signatures, Revisited

Half-Aggregation of Schnorr Signatures with Tight Reductions

1 Introduction

Aggregate signatures, as introduced by Boneh, Gentry, Lynn and Shacham [13], allow a third party to compress an arbitrary group of signatures $(\sigma _1, \dots , \sigma _n)$ that verify with respect to a corresponding collection of public key and message pairs $(( pk _1,m_1), \ldots $, $( pk _n,m_n))$ and produce a short aggregated signature that verifies the same collection. There are many applications where reducing the cryptographic overhead is desirable including BGP routing [11, 13, 29], bundling software updates [1], sensor data [1] and block chain protocols [2].

When exploring a primitive such as aggregate signatures, it is desirable to have multiple realizations under different cryptographic assumptions or constructs. This provides redundancy in the case that one of the assumptions proves to be false. Also different approaches often yield a menu of performance tradeoffs that one can select from in an application-dependent manner.

To date, the design of aggregate signature schemes has mostly been dominated by bilinear (or multilinear) map-based proposals [1, 7, 10, 11, 13, 14, 18, 19, 22, 23, 29, 31, 36]. Most proposals to aggregate outside of the bilinear setting have required signers to interact either by signing in a sequential chain [4, 15, 17, 27, 28, 30, 33] or otherwise cooperate interactively on signature creation or verification [3, 8]. Here we seek a solution that does not require bilinear maps or signer interaction. We are aware of two prior attempts [20, 37] to aggregate RSA-based signatures (without interaction), but to the best of our understanding, both schemes appear to lack basic correctness (that is, each user creates and signs with his own unique modulus, but then the signatures are aggregated and verified with respect to the same modulus).

In this work we construct efficient aggregate signatures from the RSA assumption in the synchronized setting of Gentry and Ramzan [19]. In the synchronized setting the signing algorithm will take as input a (time) period t as well the secret key and message. A signer should sign at most once for each t. A set of signatures can be aggregated so long as they were all created for the same period t. Synchronized aggregate signatures are useful in systems where there is a natural reporting period such as log or sensor data. Another example is for use in signatures embedded in a blockchain protocol where the creation of an additional block is a natural synchronization event. For instance, consider a blockchain protocol that records several signed transactions in each new block creation. These signed transactions could use a synchronized aggregate signature scheme with the block iteration as the period number. This would reduce the signature overhead from one per transaction to only one synchronized signature per block iteration.

Ahn, Green and Hohenberger [1] gave a synchronized aggregate signature scheme in bilinear groups from the (standard model) computational Diffie-Hellman assumption by adapting the Hohenberger-Waters [24] short signature scheme. Since Hohenberger and Waters in the same work also provided a similar scheme from the RSA assumption it is natural to wonder why that one could not be adapted as well. Unfortunately, this approach will not work as the HW RSA-based signature scheme requires the signer to have knowledge of $\phi (N)$ and thus the factorization of N. This trapdoor information cannot be securely dispensed among all signers that might work in $\mathbb {Z}_N^*$.

In this work we design a synchronized aggregate signature scheme that works for a bounded number of periods T that is given as a parameter to a global system setup. We believe that such a bound is acceptable in the synchronized setting where a reasonable estimate of it can be derived by first determining a fixed lifetime of keys in the system (e.g., 10 years) and dividing it by the expected frequency that periods will occur (e.g., every minute). The big question is whether we can create solutions that will perform well with the larger T values that we might use in practice. For instance, suppose that we wanted signing keys to last up to ten years and wanted to have the capability of signing on periods as short as a second. In this case we would need to be able to support a period bound of upwards of $2^{28}$.

We will build our solution in stages where we start with an initial solution that establishes feasibility of synchronized aggregation in the RSA setting, but has an impractically large signing time where the number of exponentiations and prime searches grows linearly with T. We prove this scheme secure in the standard model under the RSA assumption. We then provide a basic tradeoff that allows one to tradeoff the time to create signatures with the space required to store private keys. One point in the tradeoff is where each scales with $\sqrt{T}$.

We reach our main innovation which is a scheme where both the signing time and storage scale with $\lg (T)$ which allows for us to keep both computation and storage costs modest even for large values of T. Conveniently, our final scheme uses the same verification algorithm, and has the same distribution of public keys and signatures as the first scheme. Thus we are able to recycle the existing security proof for the new scheme.

We continue our exploration of using RSA in the synchronized aggregate setting by demonstrating how to extend our results to be identity-based. Since identity strings are typically much shorter than public keys, this setting can help achieve better overall reduction of cryptographic overhead. Our solution is secure under the standard RSA assumption in the random oracle model.

Finally, we provide a detailed performance evaluation of the various schemes from both a signing time and private key storage perspective, concluding that the $\lg (T)$ construction is relatively practical for realistic settings of the system parameters and far exceeds the performance of the others for most settings.

Overview of the Schemes. In our schemes, messages will be of length L bits which will be broken up into k chunks of $\ell $ bits each. In our initial scheme a global system setup will first choose an RSA modulus $N=p \cdot q$ where we let g be a generator of the quadratic residues of $\mathbb {Z}_N^*$. Next it picks a key K that is used to define a hash function $H_K(t)=e_t$ that maps a period $t \in [1,T]$ to a prime value $e_t$. We will defer the details of how this function works to the main body. Finally, the setup computes $E = \prod _{j=1}^T e_j \mod \phi (N)$ and $Y= g^E \mod N$ and publishes the public parameters as $\mathsf {pp}=(T, N, g, Y, K)$.

Key generation is performed by choosing random $u_0,u_1,\dots ,u_k$ in [1, N] and setting the secret key as $ sk =(u_0,u_1,\dots ,u_k)$ and the public key $ pk =(U_0,U_1,\dots ,U_k)$ where $U_j = Y^{u_j} = g^{u_j \prod _{i \in T} e_i}$ , for $j=0$ to k. To sign a message first compute all the primes $e_i \leftarrow H_K(i)$ for $i \ne t$ and then output $\sigma = \big (g^{u_0} \prod _{j=1}^k g^{u_j \cdot m_j}\big )^{\prod _{i \in T\setminus \{t\}} e_i} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N$. Verification is performed by testing if $\sigma ^{e_t} {\mathop {=}\limits ^{?}} U_0 \prod _{i=1}^k U_{i}^{m_{i}}$. Aggregation is done by simply multiplying individual signatures together (mod N) and testing against the product of the individual verification tests. We remark that our group hash function falls into a more general group hash framework proposed by Hofheinz, Jager and Kiltz [21]. In Sect. 4, we discuss potential future improvements by incorporating their framework.

We give a proof of security under the RSA assumption. Our proof is standard model with respect to honestly-generated keys and uses techniques from [24] for embedding an RSA challenge into the function $H_K$. The choice of k provides a tradeoff between the secret key storage size which grows linearly with k to the tightness in the reduction which has a loss factor of $2^{\ell } = 2^{L / k}$.

Taking a step back, our signature scheme involves reconstructing $e_t$-th roots of a public key and then manipulating these according to the message. Here the secret key simply holds a group element that is root of all the $e_i$ values. The underlying structure is reminiscent of earlier RSA-based accumulator schemes (e.g., [6, 9]). The problem, however, is that building up this root from the secret key is quite costly and requires $T-1$ exponentiations and calls to $H_K(\cdot )$ which are roughly equivalent to prime searches. Returning to our example of $T=2^{28}$, our measured cost of signing one message was more than one day on a common processor. Clearly, we must do better.

We next show how to obtain a basic tradeoff between the time to sign and the size of the private key storage. Very roughly the time to sign will scale linearly with a parameter a and the storage with a parameter b with the constraint that $a \cdot b = T$. Thus we can explore tradeoffs such as setting $a=T, b=1$ which corresponds to the scheme above, go the opposite direction and set $a=1, b=T$ to achieve fast signing at the expense of large storage, or try to balance these by choosing $a = b = \sqrt{T}$.

The main technical idea is for the key generation algorithm to organize T into b “windows” each of size a. (We will assume a divides T evenly for ease of exposition.) Each window will be connected with a group element that has g raised to the exponents associated with every period except for a window of a of them. Thus to sign we need to do $a-1$ exponentiations and prime searches and our private keys roughly grow as b group elements.

While this simple tradeoff technique provides more flexibility, there is still a significant gap from the performance numbers we would like to achieve. Let’s return again to our $T=2^{28}$ example. In setting $a=1$, we would get very fast signing (a few tens of milliseconds), but with very huge keys of 64 GB. On the other hand, if we aimed for the $\sqrt{T}$ tradeoff we would end up with 4 MB private keys and roughly 9 s per signature. This achieves greater balance, but is still impractical.

This finally moves us to our last solution. Here we wish to find a more intricate way of handling the key storage that allows us to sign efficiently, but without a significant storage penalty. To do this we design a key storage mechanism that has about $2\lg (T)$ group elements and requires $\lg (T)$ exponentiations per signing. Returning to our example of $T=2^{28}$, we can now achieve the much more practical 16 KB private key storage with 58 ms per signature.

To achieve this, we leverage the fact that the synchronized signatures are performed in sequence over the total number of periods. The goal is to maintain a data structure which (1) is small, (2) is ready to quickly produce a signature for the next period and (3) can perform a small amount of work to update it for future periods. To this end we organize a data structure according to a $\mathtt {levels}$ parameter where $T=2^{\mathtt {levels}+1}-2$. In addition, a current $\mathtt {index}$ value is associated with the structure that indicates how many periods have passed so far. At level i at any time there will be one or two tuples which include a group element which is g raised to all exponents corresponding to periods except those with indices anywhere from $2^i$ to $2^{i-1}$. During each signature the signing algorithm will grab an element from level 1 and use it to sign as well as perform a little bit of work on each level to close the window of exponents further. We defer the details of how this is achieved to Sect. 6. We remark that this approach is conceptually similar to the pebbling optimization used by Itkis and Reyzin [26] to realize efficient forward-secure signatures.

Organization and Summary of the Results. In Sect. 2, we provide the specifications and security definitions. Section 3 covers the algebraic setting, assumptions and related lemmas. Section 4 gives the base construction as well as its proof of security in the standard model under the RSA assumption. Section 5 describes changes to the key generation and signing algorithms that can achieve a tradeoff in private key size versus signing time; one point achieves a balance of $\sqrt{T}$ for both. Section 6 provides a deeper innovation on how change key generation and signing to scale with $\lg (T)$. Recall that the distribution of the public keys and signatures in all of these schemes are the same as are the verification algorithms and thus the security proof in Sect. 4 suffices for all. We then show how to extend these results to the identity-based setting in Sect. 7. Finally, we conclude with a detailed time and space performance analysis of these constructions in Sect. 8 showing that the $\lg (T)$ constructions can be practical even for very large bounds on T.

2 Scheme Specifications and Definitions of Security

In a basic aggregate signature scheme [13], anyone given n signatures on n messages from n users can aggregate all these signatures into a single short signature. This aggregate signature (together with the n public keys and n messages) can be publicly verified to convince anyone that user i authenticated message i for $i=1$ to n. This is also true for synchronized aggregate signatures except that we assume all signers have a synchronized period identifier (such as a clock) and the following restrictions apply:

1.
A signer can issue at most one signature per period and keeps state to ensure this.
2.
Only signatures created during the same period can be aggregated.

Gentry and Ramzan [19] were the first to consider this “synchronized” setting in the context of aggregate signatures. In their model, they assumed that signatures were issued using a special tag (which could not be re-used) and only signatures with the same tag could be aggregated. Ahn, Green and Hohenberger [1] formalized this synchronization as a time period, assuming all signers have access to the same clock.^{Footnote 1} Here, we include a bound T on the periods.

Definition 1

(Synchronized Aggregate Signatures [1, 19]). A synchronized aggregate signature scheme for a bounded number of periods and message space $\mathcal {M}(\cdot )$ is a tuple of algorithms $(\mathsf {Setup}, \mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify},\mathsf {Aggregate}$, $\mathsf {AggVerify})$ such that

Setup($1^\lambda , 1^T$):: : On input the security parameter $\lambda $ and the period bound T, the setup algorithm outputs public parameters $\mathsf {pp}$.
KeyGen($\mathsf {pp}$):: : On input the public parameters $\mathsf {pp}$, the key generation algorithm outputs a keypair $( pk , sk )$.
Sign($\mathsf {pp}, sk , M, t$):: : On input the public parameters $\mathsf {pp}$, the signing algorithm takes in a secret key $ sk $, a message $M \in \mathcal {M}(\lambda )$, the current period $t \le T$, and produces a signature $\sigma $.
Verify($\mathsf {pp}, pk , M, t, \sigma $):: : On input the public parameters $\mathsf {pp}$, the verification algorithm takes in a public key $ pk $, a message M, a period t and a purported signature $\sigma $, and returns 1 if and only if the signature is valid and $t \le T$, and 0 otherwise.
Aggregate($\mathsf {pp}, t, ( pk _1,M_1,\sigma _1),\dots ,( pk _n,M_n,\sigma _n)$):: : On input the public parameters $\mathsf {pp}$, a period t, a sequence of public keys $( pk _1,\dots , pk _n)$, messages $(M_1$, $\dots ,M_n)$, and purported signatures $(\sigma _1,\dots ,\sigma _n)$ for period $t \le T$, it outputs an aggregate signature $\sigma _{agg}$ or error message $\perp $.
AggVerify($\mathsf {pp}, t, ( pk _1,\dots , pk _n), (M_1, \dots ,M_n),\sigma _{agg}$):: : On input the public parameters $\mathsf {pp}$, a period t, a sequence of public keys $( pk _1,\dots , pk _n)$ and messages $(M_1,\dots ,M_n)$, and a purported aggregate signature $\sigma _{agg}$, the aggregate-verification algorithm outputs 1 if and only if $\sigma _{agg}$ is a valid aggregate signature and $t \le T$, and 0 otherwise.

Efficiency. We require that the setup algorithm run in time polynomial in its inputs and all other algorithms run in time polynomial in $\lambda , T$.

Correctness. Let $\mathsf {poly}(x)$ denote the set of polynomials in x. In addition to the standard correctness properties of the basic signature scheme, for a synchronized aggregation scheme, the correctness requirements on $\mathsf {Aggregate}$ and $\mathsf {AggVerify}$ stipulate that for all $\lambda \in \mathbb {N}$, $T \in \mathsf {poly}(\lambda ), n \in \mathsf {poly}(\lambda )$, $\mathsf {pp}\in \mathsf {Setup}(1^\lambda , 1^T)$, $( pk _1, sk _1), \dots ,( pk _n, sk _n) \in \mathsf {KeyGen}(\mathsf {pp})$, $1 \le t \le T$, $M_i \in \mathcal {M}(\lambda )$, $\sigma _i \in \mathsf {Sign}(\mathsf {pp}$, $ sk _i,M_i,t)$ and $\sigma _{agg} \in \mathsf {Aggregate}(\mathsf {pp},t,( pk _1,M_1,\sigma _1),\dots ,( pk _n,M_n,\sigma _n))$, it holds that

$$\mathsf {AggVerify}(\mathsf {pp}, t, ( pk _1,\dots , pk _n), (M_1, \dots ,M_n),\sigma _{agg}) = 1.$$

Unforgeability. The definition uses the following game between a challenger and an adversary $\mathcal{A}$ for a given scheme $\varPi =(\mathsf {Setup},\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify},\mathsf {Aggregate}$, $\mathsf {AggVerify})$, security parameter $\lambda $, and message space $\mathcal {M}(\lambda )$:

Setup::: The adversary sends $1^T, 1^n$ to the challenger, who runs $\mathsf {Setup}(1^\lambda ,1^T)$ to obtain the public parameters $\mathsf {pp}$.^{Footnote 2} Then the challenger runs $\mathsf {KeyGen}(\mathsf {pp})$ a total of n times to obtain the key pairs $( pk _1, sk _1), \dots , ( pk _{n}, sk _{n})$. The adversary is sent $(\mathsf {pp}, pk _1, ( pk _2, sk _2)$, $\dots , ( pk _{n}, sk _{n}))$.
Queries::: For each period t starting with 1 and incrementing up to T, the adversary can request one signature on a message of its choice in $\mathcal {M}$ under $ sk _1$, or it can choose to skip that period. The challenger responds to a query for $M_i$ during period $t_i \in [1,T]$ as $\mathsf {Sign}(\mathsf {pp}, sk _1, M_i, t_i)$.
Output::: Let $\gamma $ be a function mapping integers to [1, n]. Eventually, the adversary outputs a tuple $(t, ( pk _{\gamma (1)}, \dots , pk _{\gamma (k)}), (M_1', \dots , M_k'), \sigma _{agg})$ and wins the game if:

1.
$1 \le t \le T$; and
2.
there exists an $z^* \in [1,k]$ such that $\gamma (z^*)=1$; and
3.
all $M_i' \in \mathcal {M}$; and
4.
$M_{z^*}'$ is not in the set of messages $\mathcal{A}$ queried during the Queries phase^{Footnote 3}; and
5.
$\mathsf {AggVerify}(\mathsf {pp}, t,( pk _{\gamma (1)}, \dots , pk _{\gamma (k)}), (M_1', \dots , M_k'), \sigma _{agg}) = 1$, where $1 \le k \le n$.

We define $\mathsf {SigAdv}_{\mathcal{A},\varPi ,\mathcal {M}}(\lambda )$ to be the probability that the adversary $\mathcal{A}$ wins in the above game with scheme $\varPi $ for message space $\mathcal {M}$ and security parameter $\lambda $ taken over the coin tosses made by $\mathcal{A}$ and the challenger.

Definition 2

(Unforgeability). A synchronized aggregate signature scheme $\varPi $ for message space $\mathcal {M}$ is existentially unforgeable under an adaptive chosen message attack if for all sufficiently large $\lambda \in \mathbb {N}$ and all probabilistic polynomial-time in $\lambda $ adversaries $\mathcal{A}$, there exists a negligible function $\mathsf {negl}$, such that

$$\mathsf {SigAdv}_{\mathcal{A},\varPi ,\mathcal {M}}(\lambda ) \le \mathsf {negl}(\lambda ).$$

Discussion. Above, we require that the $\mathsf {Setup}$ algorithm is honestly executed, so in practice this could be run by a trusted party or realized via a specialized multiparty protocol (see Sect. 4 for more). We also require that the non-challenge public keys be chosen honestly instead of adversarially. Our later proof requires that the challenger has knowledge of the secret keys corresponding to the non-challenge public keys. This can be realized by working in the Registered Key Model [5] or adding an appropriate NIZK to the user’s public key.

3 Number Theoretic Assumptions and Related Lemmas

There are many variants of the RSA assumption [35]. Here we use a variant involving safe primes. A safe prime is a prime number of the form $2p+1$, where p is also a prime.

Assumption 1

(RSA). Let $\lambda $ be the security parameter. Let integer N be the product of two $\lambda $-bit, distinct safe primes primes p, q where $p = 2p'+1$ and $q= 2q'+1$. Let e be a randomly chosen prime between $2^{\lambda }$ and $2^{\lambda +1}-1$. Let $\mathrm {QR}_N$ be the group of quadratic residues in $\mathbb {Z}_N^*$ of order $p'q'$. Given (N, e) and a random $h \in \mathrm {QR}_N$, it is hard to compute x such that $x^e \equiv h \mod N$.

We note that a randomly chosen element in $\mathbb {Z}_N^*$ would be a quadratic residue 1/4-th of the time, so the restriction to $h \in \mathrm {QR}_N$ is for convenience and could be relaxed.

In our schemes, we will refer to and require a primality test. For our purposes, it will be sufficient to use the efficient Miller-Rabin test [32, 34]. We will also make use of the following lemmas:

Lemma 1

(Cramer-Shoup [16]). Given $x,y \in \mathbb {Z}_n$ together with $a,b \in \mathbb {Z}$ such that $x^a = y^b$ and $\gcd (a,b)=1$, there is an efficient algorithm for computing $z \in \mathbb {Z}_n$ such that $z^a = y$.

Theorem 2

(Prime Number Theorem). Define $\pi (x)$ as the number of primes $\le x$. For $x >1$,

$$\frac{7}{8} \cdot \frac{x}{\mathrm {ln~}x}< \pi (x) < \frac{9}{8} \cdot \frac{x}{\mathrm {ln~}x}.$$

4 A Base Scheme for Aggregation from RSA

We begin with a base scheme that assumes a trusted global setup and works in the registered key model, where every signer needs to show their key pair to an authority that certifies their public key. The global setup of our scheme will take as input a security parameter $\lambda $ and the maximum number of periods T. The message space $\mathcal {M}$ will be $\{0,1\}^L$ where L is some polynomial function of $\lambda $. (One can handle messages of arbitrary length by first applying a collision-resistant hash.)

In addition, associated with the scheme will be a “message chunking alphabet” where we break each L-bit message into k chunks each of $\ell $ bits where $k \cdot \ell = L$ with the restriction that $\ell \le \lambda $ and thus $2^{\ell } \le 2^\lambda $. As we will see the choice of $\ell $ will effect both the tightness of the security reduction as well as the size of the signatures.^{Footnote 4} We make use of a variant of the hash function in [24] to map integers to primes of an appropriate size.

Setup($1^\lambda , 1^T$) The setup algorithm chooses an integer $N=pq$ as the product of two safe primes where $p-1 = 2p'$ and $q-1=2q'$, such that $2^{\lambda }< \phi (N) < 2^{\lambda + 1}$. Let $\mathrm {QR}_N$ denote the group of quadratic residues of order $p'q'$ with generator g.

Next, it sets up a hash function $H: [1,T] \rightarrow \{0,1\}^{\lambda +1}$ where H will take as input a period $t \in [1,T]$ and output a prime between $2^\lambda $ and $2^{\lambda +1}-1$. It begins by randomly choosing a $K'$ for the PRF function $F: [1,T] \times [1,\lambda ^2] \rightarrow \{0,1\}^{\lambda }$, a random $c \in \{0,1\}^{\lambda }$ as well as an arbitrary prime $e_{\mathrm {default}}$ between $2^\lambda $ and $2^{\lambda +1}-1$. We let $K= (K', c, e_{\mathrm {default}})$.

We define how to compute $H_K(t)$. For each $i=1$ to $\lambda \cdot (\lambda ^2+\lambda )$, let $y_i= c \oplus F_K(t,i)$. If $2^\lambda +y_i$ is prime return it. Else increment i and repeat. If no such $i \le \lambda \cdot (\lambda ^2 + \lambda )$ exists, return $e_{\mathrm {default}}$.^{Footnote 5} We note that this computation returns the smallest i such that $2^\lambda +y_i$ is a prime. Notationally, for $t \in [1,T]$ we will let $e_t = H_K(t)$.

The algorithm concludes by computing $E = \prod _{j=1}^T e_j \mod \phi (N)$ and $Y= g^E \mod N$.

It publishes the public parameters as $\mathsf {pp}=(T, N, g, Y, K)$.

$KeyGen(\mathsf {pp})$ The algorithm retrieves Y from the $\mathsf {pp}$. It chooses random integers $u_0,u_1,\dots ,u_k$ in [1, N]. It sets the secret key as $ sk =(u_0,u_1,\dots ,u_k)$ and the public key $ pk =(U_0,U_1,\dots ,U_k)$ where

$$ U_j = Y^{u_j} = g^{u_j \prod _{i \in T} e_i} \text {, for }\, j=0\, \text { to } k.$$

$Sign(\mathsf {pp}, sk , M, t)$ The signing algorithm takes as input a time period $1 \le t \le T$ and an $L=(\ell k)$-bit message $M=m_1 | m_2 | \dots | m_k$, where each $m_i$ contains $\ell $-bits and these are concatenated together to form M. It computes the primes $(e_1,\dots ,e_{t-1},e_{t+1},\dots ,e_T)$ from $\mathsf {pp}$ and then outputs

$$ \sigma = \big (g^{u_0} \prod _{j=1}^k g^{u_j \cdot m_j}\big )^{\prod _{i \in T\setminus \{t\}} e_i} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N. $$

$Verify(\mathsf {pp}, pk , M, t, \sigma )$ Let $M=m_1 | m_2 | \dots | m_k$. The algorithm computes the prime $e_t$ from $\mathsf {pp}$. Output 1 if $1 \le t \le T$ and

$$ \sigma ^{e_t} {\mathop {=}\limits ^{?}} U_0 \prod _{i=1}^k U_{i}^{m_{i}} \pmod N $$

or 0 otherwise.

$Aggregate(\mathsf {pp}, t, ( pk _1,M_1,\sigma _1),\dots ,( pk _n,M_n,\sigma _n))$ An aggregate signature on signatures from the same time period $ 1\le t \le T$ is computed as $\sigma _{agg} = \prod _{ j=1}^n \sigma _j \pmod N.$

$AggVerify(\mathsf {pp}, t, ( pk _1,\dots , pk _n), (M_1, \dots ,M_n),\sigma _{agg})$ Let $ pk _j = (U_{j,0}, U_{j,1}, \dots $, $U_{j,k})$ and $M_j = m_{j,1} | m_{j,2} | \dots | m_{j,k}$. The algorithm computes the prime $e_t$ from $\mathsf {pp}$. Output 1 if $1 \le t \le T$, each public key is unique (i.e., $\forall i \ne j \in [1,n]$, $ pk _i \ne pk _j$) and

$$ \sigma _{agg}^{e_t} {\mathop {=}\limits ^{?}} \prod _{j=1}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}}) \pmod N $$

or 0 otherwise.

Discussion. Observe that the above group hash function we employ falls into a more general group hash framework proposed by Hofheinz, Jager and Kiltz [21] that uses programmable hash functions. One might use their general framework to explore further concrete efficiency tradeoffs, such as letting the group hash function be more complex and letting the hash function output the product of multiple smaller primes. Our concrete analysis, however, will focus on the core scheme above along with tradeoffs in key storage and signing time that we explore later. We leave open the interesting question of what other tradeoffs can be realized via [21], keeping in mind that some of those instantiations add per signer randomness, which makes aggregation challenging.

Recall from Sect. 2 that Setup must be executed honestly. It seems possible that, for this scheme, this might be realized efficiently using a specialized multiparty computation protocol, such as an adaptation of one due to Boneh and Franklin [12] for efficiently allowing a group of parties to generate an RSA modulus, where each party learns N, but no party learns the factorization of N.

4.1 Proof of Security

Theorem 3

If the RSA assumption (Assumption 1) holds and F is a secure pseudorandom function, then the above synchronized aggregate signature construction is existentially unforgeable under an adaptive chosen message attack.

Proof

The reduction algorithm receives an RSA challenge $(N,e^*,h)$ and needs to use the attacker to compute $h^{1/e^*} \mod N$. Define a “conforming” attacker as one that will always make a signing query on the period $t^*$ that it forges on. We can assume our attacker is conforming without loss of generality because if there exists an attacker that breaks the scheme, there exits one that breaks it and queries for a signature on period $t^*$ by simply adding a signature query on a random message at that period. Our proof will assume a conforming attacker.

Next, we define a sequence of games.

Game 1::: (Security Game) This game is defined to be the same as the security game of the scheme.
Game 2::: (Guessing the forgery period and part of its queried message) The same as Game 1, except the game guesses the period the attacker will forge on and a part of the message queried for a signature during the period that will be different from the forgery message, and the adversary only wins if these guesses were correct. Formally, the game chooses random $t' \in [1,T]$, $\alpha \in [1,k]$ and $\beta \in \{0,1\}^{\ell }$. An adversary wins this game iff: (1) it would have won in Game 1 with a forgery on period $t^*$ for some message $M^* = m_1^* | m_2^* | \dots | m_k^*$ with some message $M=m_1| m_2 | \dots | m_k$ queried to the signing oracle on period $t^*$, (2) $t' = t^*$, (3) $\beta = m_{\alpha }$ and (4) $m_{\alpha } \ne m_{\alpha }^*$.
Game 3::: ($H_K$ does not default) The attacker wins only if it meets all the conditions to win in Game 2 and $H_K(t^*) \ne e_{\mathrm {default}}$ (that is, the default condition of the hash is not triggered on the forgery message or otherwise equal to the default prime.)
Game 4::: ($H_K$ does not collide) The attacker wins only if it meets all the conditions to win in Game 3 and $H_K(t^*) \ne H_K(t)$ for all $t \in [1,T]$ where $t \ne t^*$.
Game 5::: (Guess resolving $i^*$ for $H_K$) The game chooses a random $i^* \in [1,\lambda ^3 + \lambda ^2]$. Attacker wins only if it meets all the conditions of Game 4 and $i^*$ was the “resolving” index in $H_K(t^*)$; that is, $i^*$ was the smallest i such that $y_i = F_{K'}(t^*,i) \oplus c$ and $(2^{\lambda } + y_i)$ was a prime.
Game 6::: (Programming $H_K$ with random value) The same as Game 5, except that it chooses a random $y' \in \{0,1\}^{\lambda }$ and set $c = y' \oplus F_{K'}(t^*,i^*)$.
Game 7::: (Programming $H_K$ with $e^*$) The same as Game 6, except choose $e^*$ as a random prime in the range $[2^{\lambda },2^{\lambda +1}-1]$ and let $y'$ be the $\lambda $ least significant bits of $e^*$; that is, drop the leading 1. As before, set $c = y' \oplus F_{K'}(t^*,i^*)$.

We now establish a series of claims that show that if an adversary is successful against the real security game (Game 1) then it will be successful against in Game 7 as well. We will then shortly describe a simulator that can use any adversary successful in Game 7 to solve the RSA challenge.

Define $\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}x]$ as the advantage of an adversary $\mathcal{A}$ in Game x.

Claim 4

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}2] \ge \frac{\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}1]}{T \cdot k \cdot 2^{\ell }}.$$

Proof

Since there is no change to the adversary’s view of the game, the probability of the adversary winning in Game 2 is the same as Game 1 times the probability of the game’s guesses being correct. There is a 1 / T probability of guessing the forging period, at least a 1 / k probability of guessing a message chunk in the signing query that will be different in the forgery (there may be more than one), and a $2^{\ell }$ probability of guessing that chunk’s value in the queried message. We note that this gives a polynomial-time reduction for whenever $\ell $ is polylogarithmic in $\lambda $. Recall that any adversary that is polynomial time in $\lambda $ must give out a $1^T$ that is polynomially bounded in $\lambda $.

Claim 5

If F is a secure pseudorandom function and $\lambda \ge 4$, then

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}3] = \mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}2] - \mathsf {negl}(\lambda ).$$

Proof

We here need to understand the probability that $H_K(t^*) = e_{\mathrm {default}}$. Using the Prime Number Theorem, we can bound the number of primes in the range $[2^{\lambda },2^{\lambda +1}-1]$ as follows. Plugging into the formula in Lemma 2, we have that the number of primes less than $2^{\lambda +1}-1$ is at least $\frac{7}{8} \cdot \frac{2^{\lambda +1}}{(\lambda +1)}$ (the value $2^{\lambda +1}$ is not prime, since it is a power of two, for any $\lambda \ge 1$) and the number of primes less than $2^{\lambda }$ is at most $\frac{9}{8} \cdot \frac{2^{\lambda }}{\lambda }$. Thus, the total number of primes in our range of interest is at least

$$\begin{aligned} \frac{7}{8} \cdot \frac{2^{\lambda +1}}{(\lambda +1)} - \frac{9}{8} \cdot \frac{2^{\lambda }}{\lambda }&= \frac{7 \cdot \lambda \cdot 2^{\lambda +1} - 9 \cdot (\lambda + 1)\cdot 2^{\lambda }}{8 (\lambda + 1) \lambda } \end{aligned}$$

(1)

$$\begin{aligned} = \frac{14 \cdot \lambda \cdot 2^{\lambda } - 9 \cdot (\lambda + 1)\cdot 2^{\lambda }}{8 (\lambda + 1) \lambda }&= \frac{5 \cdot \lambda \cdot 2^{\lambda }- 9 \cdot 2^{\lambda }}{8 (\lambda + 1) \lambda } \end{aligned}$$

(2)

$$\begin{aligned} = \frac{(5 \lambda - 9) \cdot 2^{\lambda }}{8(\lambda ^2 + \lambda )}&> \frac{2^{\lambda }}{\lambda ^2 + \lambda }, ~\text {for all}~ \lambda \ge 4. \end{aligned}$$

(3)

Let R be a random function that outputs a value in the range $[2^{\lambda },2^{\lambda +1}]$. Then the probability that R outputs a prime is at least:

$$\begin{aligned} \frac{2^\lambda /(\lambda ^2 + \lambda )}{2^{\lambda +1}-2^{\lambda }} = \frac{2^\lambda }{2^{\lambda }(\lambda ^2 + 1)} = \frac{1}{\lambda ^2 + \lambda } \end{aligned}$$

(4)

The probability that R fails to output a prime after $\lambda (\lambda ^2 + \lambda )$ tries is as follows. We again use the fact that $2^{\lambda +1}$ is not a prime. Recall Chernoff’s bound for any $\epsilon \ge 0$, we have $\Pr [X \le (1-\epsilon )\mu ] \le e^{- \frac{\epsilon ^2 \mu }{2}}$. Here when X is the number of primes output by R in $\lambda (\lambda ^2+\lambda )$ trials, $\epsilon =1$ and $\mu = \sum ^{\lambda (\lambda ^2 + \lambda )} \Pr [R\,\, \text {fails to output a prime on one trial}]$, we have that

$$\begin{aligned} \Pr [R\,\, \text {fails to output a prime in}\, \lambda ^3+\lambda ^2\, \text {trials}]&= \Pr [X \le 0] \le e^{-\frac{\mu }{2}} \end{aligned}$$

(5)

$$\begin{aligned}&\le e^{-\frac{\lambda (\lambda ^2+\lambda ) \cdot \frac{1}{\lambda ^2 + \lambda }}{2}} = e^{-\lambda /2} \end{aligned}$$

(6)

The PRF we employ to sample from this range cannot non-negligibly differ from R in its probability of selecting primes or this provides for a distinguishing attack on the PRF. Thus, the probability that $H_K(t^*) = e_{\mathrm {default}}$ is the probability that the PRF chose the same prime as the setup algorithm, which is negligible at 1 in the number of primes in that range ($> 2^{\lambda }/(\lambda ^2 + \lambda )$), plus the probability that $H_K$ triggers the default condition by failing to output a prime, which we also argued was negligibly close to the negligible probability of R doing the same.

Claim 6

If F is a secure pseudorandom function and $T \in \mathsf {poly}(\lambda )$, then

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}4] = \mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}3] - \mathsf {negl}(\lambda ).$$

Proof

These games differ only in the event that $H_K(t^*) = H_K(t)$ for some $t \in [1,T]$ where $t \ne t^*$. Let R be a random function that outputs a value in the range $[2^{\lambda },2^{\lambda +1}]$. Suppose $H_K$ uses R instead of the PRF. Then the probability of a collision for a single t is one in the number of primes in $[2^{\lambda },2^{\lambda +1}]$ or at most $1/\frac{2^{\lambda }}{\lambda ^2 + \lambda } = \frac{\lambda ^2 + \lambda }{2^{\lambda }}$, which is negligible. So the probability of a collision for any $t\in [1,T]$ (recall that T is polynomial in $\lambda $) is $T \cdot \frac{\lambda ^2 + \lambda }{2^{\lambda }} = \frac{\mathsf {poly}(\lambda )(\lambda ^2 + \lambda )}{2^{\lambda }} = \frac{\mathsf {poly}(\lambda )}{2^\lambda } = \mathsf {negl}(\lambda )$. When we replace R with the PRF, the probability of a collision cannot non-negligibly differ or this provides a distinguishing attack on the PRF.

Claim 7

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}5] = \frac{\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}4]}{\lambda ^3 + \lambda ^2}.$$

Proof

The attacker’s view in these games is identical. The only difference is whether the game correctly guesses the resolving index $i^*$ for $H_K(t^*)$. Since $i^* \in [1,\lambda ^3 + \lambda ^2]$, the game has a $1/(\lambda ^3 + \lambda ^2)$ chance of guessing this correctly.

Claim 8

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}6] = \mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}5].$$

Proof

In Game 5, c is chosen randomly in $\{0,1\}^\lambda $. In Game 6, c is set by randomly selecting $y' \in \{0,1\}^\lambda $ and setting $c = y' \oplus F_{K'}(t^*,i^*)$, where $t^*$ is the period on which the attacker will attack and $i^*$ is the resolving index for this value. Since $y'$ is chosen randomly and independently of $F_{K'}(t^*,i^*)$, the resulting c will be from the same distribution as Game 5.

Claim 9

$$\mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}7] = \mathbf {Adv}_{\mathcal{A}}[\mathrm {Game~}6].$$

Proof

An adversary’s advantage in these games is the same. In Game 6, the attacker could only win if $2^{\lambda }+y'$ was a prime, and thus the distributions are the same.

Main Reduction. We now show that if there exists a polynomial-time (in $\lambda $) attacker that has advantage $\epsilon = \epsilon (\lambda )$ in Game 7, then there exists a polynomial-time (in $\lambda $) attacker for the RSA problem in Assumption 1 with advantage $\epsilon $.

On input an RSA challenge $(N,e^*,h)$, the reduction algorithm proceeds as follows:

Setup.

1.
Obtain $1^T,1^n$ from the aggregate signature adversary $\mathcal{A}$.
2.
Make random guesses of $t^* \in [1,T], \alpha \in [1,k], \beta \in \{0,1\}^{\ell }, i^* \in [1,\lambda ^3+\lambda ^2]$.
3.
Choose a random PRF key $K'$. Let $y'$ be the $\lambda $ least significant bits of the RSA input $e^*$ (note that this is a prime randomly chosen from the appropriate range by the RSA challenger) and set $c= y' \oplus F_{K'}(t^*,i^*)$. Choose a random prime $e_{\mathrm {default}} \in [2^{\lambda },2^{\lambda +1}-1]$. Set $K = (K',c,e_{\mathrm {default}})$. Thus, note that by construction when $i^*$ is the resolving index for $t^*$,
$$e_{t^*} = H_K(t^*) = 2^{\lambda } + (c \oplus F_{K'}(t^*,i^*)) = 2^{\lambda }+ y' = e^*.$$
4.
Choose a random $g \in \mathrm {QR}_N$. Compute Y as before.
5.
Set the $\mathsf {pp}= (T,N,g,Y,K)$.
6.
Set up the “target” user’s public key $ pk _1$ as:
1. (a)
  Choose random $u_0,u_1,\dots ,u_k \in [1,N]$.
2. (b)
  Set $U_0 = (h^{-\beta })^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_0}$. We note that the reduction algorithm can take the $e_t$ root of $U_0$ so long as $t \ne t^*$.
3. (c)
  For $j = 1$ to k such that $j \ne \alpha $, compute $U_j = Y^{u_j}$.
4. (d)
  Set $U_\alpha = h^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_\alpha }$.
7.
Set $ pk _1 = (U_0,U_1,\dots ,U_k)$. For $j=2$ to n, $( pk _j, sk _j) = \mathsf {KeyGen}(\mathsf {pp})$.
8.
Send to $\mathcal{A}$ the tuple $(\mathsf {pp},pk_1,( pk _2, sk _2),\dots ,( pk _n, sk _n))$.

Queries. For each period $t=1$ to T, the adversary can request one signature on a message of its choice in the message space under $ sk _1$ or skip that period. Recall that the adversary must be conforming and thus will request some signature on the forgery period $t^*$. In our construction, signing during period t requires taking the $e_t$-th root of each $U_j$ value. By construction, the reduction algorithm can do this so long as: (1) $t \ne t^*$ or (2) for $t^*$, when the $\alpha $-th $\ell $-bits of the message are the string $\beta $. If the reduction is ever asked a query it cannot answer, then it will abort. We note that this only occurs when the guesses of $t^*, \alpha ,\beta $ are incorrect, which is consistent with the attacker not winning in Game 7 anyway. Formally, when asked to sign $M = m_1 | m_2 | \dots | m_k$ for period $t \ne t^*$, the reduction outputs:

$$\begin{aligned} \sigma&= (h^{-\beta } \cdot h^{m_{\alpha }})^{\prod _{i \ne t^*, i \ne t}^T e_i} \cdot \big ( g^{u_0} \prod _{j=1}^{k} g^{u_j m_j} \big )^{\prod _{i \in T\setminus \{t\}}e_i} \end{aligned}$$

(7)

$$\begin{aligned}&= (h^{-\beta \prod _{i \ne t^*}^T e_i} \cdot Y^{u_0})^{1/e_t} \cdot (\prod _{j =1, j \ne \alpha }^{k} U_j^{m_j})^{1/e_t} \cdot (h^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_\alpha })^{m_\alpha /e_t}\end{aligned}$$

(8)

$$\begin{aligned}&= (U_0 \prod _{j=1}^k U_j^{m_j})^{1/e_t} \mod N. \end{aligned}$$

(9)

and when $t = t^*$ and $m_{\alpha } = \beta $, it outputs the signature:

$$\begin{aligned} \sigma&= \big ( g^{u_0} \prod _{j=1}^{k} g^{u_j m_j} \big )^{\prod _{i \in T\setminus \{t\}}e_i} \end{aligned}$$

(10)

$$\begin{aligned}&= (1)^{\prod _{i \ne t^*, i \ne t}^T e_i} \cdot \big ( g^{u_0} \prod _{j=1}^{k} g^{u_j m_j} \big )^{\prod _{i \in T\setminus \{t\}}e_i}\end{aligned}$$

(11)

$$\begin{aligned}&= (h^{-\beta } \cdot h^{m_\alpha })^{\prod _{i \ne t^*, i \ne t}^T e_i} \cdot \big ( g^{u_0} \prod _{j=1}^{k} g^{u_j m_j} \big )^{\prod _{i \in T\setminus \{t\}}e_i} \end{aligned}$$

(12)

$$\begin{aligned}&= (h^{-\beta \prod _{i \ne t^*}^T e_i} \cdot Y^{u_0})^{1/e_t} \cdot (\prod _{j =1, j \ne \alpha }^{k} U_j^{m_j})^{1/e_t} \cdot (h^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_\alpha })^{m_\alpha /e_t}\end{aligned}$$

(13)

$$\begin{aligned}&= (U_0 \prod _{j=1}^k U_j^{m_j})^{1/e_t} \mod N. \end{aligned}$$

(14)

Output. Eventually $\mathcal{A}$ outputs a tuple $(t_f,( pk _{\gamma (1)},\ldots , pk _{\gamma (z)}),(M_1,\dots ,M_z),$$\sigma _{agg})$. Since aggregation order does not matter here^{Footnote 6}, we can w.l.o.g. assume that $\gamma (1)=1$ (corresponding to the target key $ pk _1$); we also drop $\gamma $ from the subscript below. If the aggregate signature does not verify or if any of the reduction’s guesses of $t^*,i^*,\alpha ,\beta $ were incorrect, then abort. These abort conditions are all consistent with the adversary not winning Game 7. Let $E' = \prod _{i \in T \setminus \{t^*\}} e_i$. Otherwise we have that:

$$\begin{aligned} \sigma _{agg}^{e^*}&= \prod _{j=1}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}})\end{aligned}$$

(15)

$$\begin{aligned}&= (U_{1,0} \prod _{i=1}^k U_{1,i}^{m_{1,i}}) \cdot \prod _{j=2}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}})\end{aligned}$$

(16)

$$\begin{aligned}&= (h^{E'(\beta -m_\alpha )} \cdot Y^{u_0} \prod _{j=1}^k Y^{u_{j}m_j }) \cdot \prod _{j=2}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}}) \end{aligned}$$

(17)

Since the reduction can compute the $e^*$-th root of all values not in the h term, it can divide them out as:

$$\begin{aligned}&\left( \frac{\sigma _{agg}}{\prod _{j=1}^n (g^{u_{j,0}}\prod _{i=1}^k g^{u_{j,i} m_{j,i}})^{E'}}\right) ^{e^*} \end{aligned}$$

(18)

$$\begin{aligned}&= \frac{(h^{E'(\beta -m_\alpha )} \cdot Y^{u_0} \prod _{j=1}^k Y^{u_{j}m_j }) \cdot \prod _{j=2}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}})}{\prod _{j=1}^n (g^{u_{j,0}}\prod _{i=1}^k g^{u_{j,i} m_{j,i}})^{e^* \cdot E'}}\end{aligned}$$

(19)

$$\begin{aligned}&= h^{E'(\beta -m_{\alpha })}. \end{aligned}$$

(20)

Now, we have an equation of the form $x^a = y^b$, for $x = \frac{\sigma _{agg}}{\prod _{j=1}^n (g^{u_{j,0}}\prod _{i=1}^k g^{u_{j,i} m_{j,i}})^{E'}}$, $a = e^*$, $y= h$ and $b=E'(\beta - m_{\alpha })$. Recall that the game would have already aborted if $e^*$ was output for any period other than $t^*$ and thus, $\gcd (e^*,E')=1$. The game would also have aborted if $\beta = m_\alpha $. Finally since the $|\beta | = |m_{\alpha }| = \ell < \lambda $ and $e^* > 2^{\lambda }$, we can conclude that $\gcd (a,b)=1$. This allows the reduction to apply Lemma 1 to efficiently compute $\hat{h} \in \mathbb {Z}_N$ such that $\hat{h}^{e^*} = h \mod N$. The reduction outputs this value as the RSA solution.

Analysis. We argue that the above reduction will succeed in outputting the RSA solution whenever the adversary wins in Game 7. The adversary’s view in these scenarios differs only in the way that public key elements $U_0$ and $U_\alpha $ are chosen. We will first argue that the way they are chosen in Game 7 (and the actual scheme) is statistically close to choosing a random element in $\mathrm {QR}_N$. Next, we argue that the (different) way they are chosen in the reduction above is also statistically close to choosing a random element in $\mathrm {QR}_N$. It follows then that the public key in both Game 7 and the reduction are statistically close and thus cannot be distinguished by our polynomial-time adversary. Moreover, while the signatures are computed via a different method in Game 7 and the reduction, the signature the adversary sees is identical (and unique) given the public information known to the adversary, so there is no information the adversary can use to distinguish. For any given $U \in \mathrm {QR}_N$, prime $e \in [1,N]$, and $m < 2^\lambda $, the values $U^{em}$ and $U^{1/e}$ are unique since each $e_i$ is relatively prime to $\phi (N)$. It remains to support the arguments listed above.

First, recall how $U_0, U_\alpha $ are chosen in Game 7 (and the actual scheme). Here $u_0,u_\alpha $ are randomly chosen from [1, N] and the public key elements are set as:

$$U_0 = Y^{u_0} = g^{u_0 \prod _{i=1}^T e_i} \quad , \quad U_\alpha = Y^{u_\alpha } = g^{u_\alpha \prod _{i \in T} e_i}.$$

Observe that the group of $\mathrm {QR}_N$ has order $p'q'$. Thus $Y= g^{\prod _{i=1}^T e_i}$ is also a generator since all the $e_i$ values are relatively prime to $p'q'$. Since Y is a generator, if we take $Y^r$ for a random $r \in [1,\phi (N)]$ that has the same distribution as choosing a random element in $\mathrm {QR}_N$. Now, the process of raising $Y^r$ for a random $r \in [1,N]$ is statistically close to the process of raising it to a random $r \in [1, \phi (N)]$. The reason is that $N= \phi (N) + p +q -1$ where the difference $(p+q-1)$ is negligible. Thus, we achieve our first argument.

Second, recall how $U_0, U_\alpha $ are chosen in the reduction. Here $u_0,u_\alpha $ are randomly chosen from [1, N] and the public key elements are set as:

$$U_0' = (h^{-\beta })^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_0} = h^{-\beta \prod _{i \ne t^*}^T e_i} \cdot g^{u_0 \prod _{i=1}^{T} e_i} \quad , \quad U_\alpha ' = h^{\prod _{i \ne t^*}^T e_i} \cdot Y^{u_\alpha }.$$

We previously argued that the $Y^{u_0}$ and $Y^{u_\alpha }$ components are distributed statistically close to a random element in $\mathrm {QR}_N$. We assume that $h \in \mathrm {QR}_N$; this will be true for a random element in $\mathbb {Z}_N^*$ with 1/4 probability. Each value has an h term that is in $\mathrm {QR}_N$ but not necessarily distributed randomly. However, once we multiply this value in the group by a (statistically close to) random element of the group, we have a product that is distributed statistically close to a random element in $\mathrm {QR}_N$. Thus, we achieve our second argument.

Since the adversary cannot distinguish either distribution of public keys from a random distribution, then it cannot distinguish them from each other as well. Thus, whenever the adversary succeeds in Game 7, we can conclude it will also succeed in helping the reduction solve RSA.

5 Trading Off Signing Time with Storage

In this section we show a basic tradeoff between the time to sign and the size of the private key storage. Very roughly the time to sign will scale linearly with a parameter a and the storage with a parameter b with the constraint that $a \cdot b = T$. Thus we can explore tradeoffs such as setting $a=T, b=1$ as we saw in the last section or go the opposite direction and set $a=1, b=T$ to achieve fast signing at the expense of large storage, or try to balance these by choosing $a = b = \sqrt{T}$.

Our system will use the same setup, verification and aggregation algorithms as in Sect. 4 and just replace the KeyGen and Sign algorithms. Moreover, the public keys output by the KeyGen algorithm and corresponding signatures output by the Sign algorithm will have an identical distribution to the original Sect. 4 scheme and thus not require a new security proof.

Let the public parameters output from Setup be $\mathsf {pp}=(T, N, g, Y, K)$ as before. Our KeyGeneration algorithm will organize T into b “windows” each of size a. (We assume a divides T evenly for ease of exposition.) Then the private key will be setup to contain a sequence of values $R_w$ which is g raised to all $e_i$ except those in a sliding window of periods. To sign faster during time period t, select these partially computed values where t is in the window and complete its computation for signing by raising to all $e_i$ in that window except $e_t$.

The new key generation and signing algorithms follow.

$KeyGen'(\mathsf {pp},a)$ It obtains the primes $(e_1, \dots , e_T)$ and sets $b=T/a$ (we assume it divides evenly for ease of exposition). Next it chooses random integers $u_0,u_1,\dots ,u_k$ in [1, N] and computes $ pk = (U_0,U_1,\dots ,U_k)$. For $w=1$ to b, define $\varSigma _w$ as the set of integers in [1, T] other than those in the set $\{a(w-1)+1, a(w-1)+2, \dots , a(w-1)+a\}$.

For $w=1$ to b, it then computes:

$$ R_{w} = g^{ \prod _{i \in \varSigma _w} e_i} $$

where the $e_i$ values are computed using K from $\mathsf {pp}$. It sets the secret key as $ sk =(\{R_{w}\}_{ 1 \le w \le b}, \{u_{i}\}_{ 0 \le i \le k} )$. The public key $ pk =(U_0,U_1,\dots ,U_k)$ is computed as $U_j = Y^{u_j} = g^{u_j \prod _{i \in T} e_i} \text {, for}\, j=0\, \text {to }\, k$ as in Sect. 4.

$Sign'(\mathsf {pp}, sk , M, t)$ It computes the necessary subset of primes in $(e_1,\dots ,e_T)$ using K in $\mathsf {pp}$ and then for period t, selects the window $w =\lceil t/a \rceil $. Let $\varSigma _w'$ denote the set of periods in the window $\{a(w-1)+1, a(w-1)+2, \dots , a(w-1)+a\}_{1 \le w \le b}$. It outputs

$$ \sigma = \big (R_{w}^{u_0} \prod _{j=1}^k R_{w}^{u_j \cdot m_j}\big )^{\prod _{i \in \varSigma '_w \setminus \{t\}} e_i} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N. $$

Analysis. Observe that the public keys and signatures are of the same form and distribution as those of the base system in Sect. 4, as are the verification equations, and thus the security of this tradeoff system follows. We analyze the performance of this system in Sect. 8.

6 Obtaining $O(\lg (T))$ Signing Time and Private Key Size

The previous section showed a basic tradeoff between signing time and private key size. However, it was limited in that the most “balanced” version required both time and storage to grow with the square root of the number of periods.

In this section we show how a more intricate key storage technique can give us much better results with a scheme where the number of exponentiations and prime searches is $\approx \lg (T)$ per signing operation and where we store $\approx \lg (T)$ elements of $\mathbb {Z}_N^*$ in the private key. Unlike the previous schemes where the private key remained static, our method here will require us to update the private key on each signing period. As a consequence a signer will be required to sign using each period in sequence.^{Footnote 7} Again, our new scheme will produce public keys and signatures with exactly the same distribution as the base scheme of Sect. 4. Therefore we will only need to describe and analyze the new method of key generation and storage and are not required to produce a new security proof. As mentioned earlier, this approach has conceptual roots in the pebbling optimization used by Itkis and Reyzin [26] to realize efficient forward-secure signatures.

We present our method by introducing new two algorithms. The first algorithm $\mathtt {StorageInit}(\mathsf {pp}, v)$ takes in the public parameters and an element $v \in \mathbb {Z}_N^*$ and outputs the initial key storage state $\mathtt {store}$. The second algorithm $\mathtt {StorageUpdate}( \mathtt {store})$ takes in the storage $\mathtt {store}$ and outputs an updated storage value $\mathtt {store}$ as well as a group element $s \in \mathbb {Z}_N^*$.

6.1 Storage Algorithms

We assume that there exists an integer ‘$\mathtt {levels}$’ such that $T=2^{\mathtt {levels} +1}-2$. (One could always pad T out to match this.) The key storage will be structured as a sequence of sets $S_1, \ldots , S_{\mathtt {levels}}$ where elements of set $S_i$ are of the form

$$ w \in \mathbb {Z}_N^*, \mathtt {open} \in [1,T], \mathtt {closing} \in [1,T], \mathtt {count} \in [1,T]. $$

Let R be the set of integers $ [ \mathtt {open}, \mathtt {open}+2^{i-1}-1] \cup [ \mathtt {closing}+ \mathtt {count}, \mathtt {closing}+2^{i-1}-1]$. Then $w= v^{\prod _{j \in T\setminus R} e_j}$. Intuitively, w is v raised to all of the e exponents except the sequence of $2^{i-1}$ values starting at $\mathtt {open}$ and a second sequence of length $2^{i-1}-\mathtt {count}$ starting at $ \mathtt {closing}+ \mathtt {count}$. When the $\mathtt {StorageUpdate}$ algorithm runs for each i, it will find an element of the set $S_i$ and help “move it forward” by incrementing its counter $\mathtt {count}$ and updating w accordingly. When $\mathtt {count}$ reaches $2^i$ the update storage algorithm removes the tuple from the set $S_i$ at level i and then splits it into two parts and puts these in set $S_{i-1}$. We now describe the algorithms.

$StorageInit(\mathsf {pp}, v)$ Initially, sets $S_1, \ldots , S_{\mathtt {levels}}$ are empty. Then for $i=1$ to $\mathtt {levels}$ perform the following:

Let $R= [2^i -1, 2^{i+1}-2]$.
Compute $w= v^{\prod _{j \in T\setminus R} e_j}$.
Put in $S_i$ $(w, 2^i-1, (2^i-1) +2^{i-1}, 0)$.
Put in $S_i$ $(w, (2^i-1) +2^{i-1}, 2^i-1, 0)$.

The storage value $\mathtt {store} = \big ( (S_1, \ldots , S_{\mathtt {levels}}), \mathtt {index}=0 \big )$ is output.

$StorageUpdate(\mathsf {pp}, \mathtt {store})$ For $i=1$ to $\mathtt {levels}$ perform the following:

Find a tuple (if any exist) in $S_i$ of $(w, \mathtt {open}, \mathtt {closing}, \mathtt {count})$ with the smallest $\mathtt {open}$ value.^{Footnote 8}
Replace it with a new tuple $(w' = w^{e_{\mathtt {closing} + \mathtt {count}} }, \mathtt {open}' = \mathtt {open}, \mathtt {closing}'= \mathtt {closing}, \mathtt {count}' = \mathtt {count} +1)$ where $(w', \mathtt {open}', \mathtt {closing}', \mathtt {count}')$ is the newly added tuple.

Then for $i=\mathtt {levels}$ down to 2

Find a tuple (if any) of the form $(w, \mathtt {open}, \mathtt {closing}, \mathtt {count} =2^{i-1})$ in $S_i$.
Remove this tuple from the set $S_i$.
To the set $S_{i-1}$ add the tuple $(w'=w, \mathtt {open}'=\mathtt {open}, \mathtt {closing}'= \mathtt {open}+2^{i-2}, \mathtt {count}'=0 )$ where $(w', \mathtt {open}', \mathtt {closing}', \mathtt {count}')$ is the newly added tuple.
Also add to the set $S_{i-1}$ the tuple $(w'=w, \mathtt {open}'= \mathtt {open}+2^{i-2}, \mathtt {closing}' = \mathtt {open}, \mathtt {count}'=0)$.

Finally, from $S_1$ find the tuple $(w, \mathtt {open} = \mathtt {index} +1, \mathtt {closing}, 1)$. Remove this from $S_1$ and output $s=w$ which gives $s= v^{\prod _{j \in T\setminus \{(\mathtt {index}+1) \}} e_j}$ as needed. Finally, the storage value $\mathtt {store} = ((S_1, \ldots , S_{\mathtt {levels}}), \mathtt {index}= \mathtt {index}+1$) is output.

6.2 Analysis

We need to show that the storage primitives give the desired correctness and performance properties. To analyze correctness and storage size we consider what the key storage state will look like for each value of $\mathtt {index}$ between 0 and T. Recall that in a stored key, $\mathtt {index}$ represents the number of signatures generated so far. We describe what each $S_i$ set contains for a particular $\mathtt {index}$ value — breaking things into three cases. We will refer to this as our “state description” given below.

Case 1::

$T- \mathtt {index} \le 2^{i} -2$. In this case the set $S_i$ will be empty.

Case 2::

Not Case 1 and $\mathtt {index} = k \cdot 2^i + r$ for $0 \le r < 2^{i-1}$. $S_i$ will contain two elements. The first is a tuple

$$\begin{aligned} (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}=(k+1) \cdot 2^i-1, \mathtt {closing}= (k+1)\cdot 2^i-1 +2^{i-1},&\\ \mathtt {count}=r). \end{aligned}$$

Where we let $R= [\mathtt {open}, \mathtt {open}+2^{i-1}-1] \,\cup \, [\mathtt {closing} + \mathtt {count}, \mathtt {closing}+2^{i-1}-1]$. The second is a tuple

$$\begin{aligned} (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}= (k+1)\cdot 2^i-1 + 2^{i-1}, \mathtt {closing}= (k+1) \cdot 2^i-1,&\\ \mathtt {count}=0). \end{aligned}$$

Where $R= [\mathtt {open}, \mathtt {open}+2^{i-1}-1] \cup [\mathtt {closing} + \mathtt {count}, \mathtt {closing}+2^{i-1}-1]$. (Here $\mathtt {count}=0$.)

Case 3::

Not Case 1 and $\mathtt {index} = k \cdot 2^i + r$ for $2^{i-1} \le r < 2^{i}$. $S_i$ has a single element. A tuple

$$\begin{aligned} (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open} = (k+1)\cdot 2^i-1 + 2^{i-1}, \mathtt {closing}= (k+1) \cdot 2^i-1,&\\ \mathtt {count}=r - 2^{i-1}). \end{aligned}$$

Where $R= [\mathtt {open}, \mathtt {open}+2^{i-1}] \cup [\mathtt {closing} + \mathtt {count}, \mathtt {closing}+2^{i-1}]$.

Proof of State Description Accuracy.

Theorem 10

The above state description for variable $\mathtt {index}$ accurately describes the key storage state after an initial call to $\mathtt {StorageInit}(\mathsf {pp}, v)$ and $\mathtt {index}$ subsequent calls to $\mathtt {StorageUpdate}(\mathsf {pp}, \mathtt {store})$.

Proof

We begin by establishing two claims about when the “pass down” operation can and cannot happen which will be used later on in the proof.

Claim 11

Suppose that our state description is accurate for period $\mathtt {index}$. Consider an update operation where the period moves from $\mathtt {index}$ to $\mathtt {index}+1$. This will result in an tuple being “passed down” from $S_i$ to $S_{i-1}$ only if $\mathtt {index}+1$ is a multiple of $2^{i-1}$, if anything is passed down at all.

Proof

If ($\mathtt {index},i$) were in Case 1, then $S_i$ is empty and there is nothing that could be passed down. If in Case 2, then one tuple has a $\mathtt {count}=r$ which is the remainder of $\mathtt {index}$ mod $2^i$. It will trigger a pass down operation only when $\mathtt {count}$ increments to $\mathtt {count}=2^{i-1}$. Similarly, in Case 3 there is a tuple with $\mathtt {count}=r- 2^{i-1}$. A push down operation is only triggered when it increments to $2^{i}$ which means $\mathtt {index}+1$ is a multiple of $2^{i-1}$.

Claim 12

Suppose that our state description is accurate for period $\mathtt {index}$ and all smaller values. Further suppose that $\mathtt {index}+1 =0 \mod 2^i$ for some i and that set $S_{i+1}$ is in Case 1 at $\mathtt {index}$. (I.e. $T- \mathtt {index} \le 2^{i+1} -2$.) Then it will be that at period $\mathtt {index}+1$ we have $T- \mathtt {index} \le 2^{i} -2$ and set $S_i$ is designated as Case 1 by our description.

Proof

Let z be the value where $T- z = 2^{i+1} -2$ since $T= 2^{\mathtt {levels}+1} -2$ it follows that $z= y \cdot 2^{i+1}$ for some y. Also note that z must be the smallest value of $\mathtt {index}$ where $T- \mathtt {index} \le 2^{i+1} -2$. It then follows that $z+2^{i}-1$ is the smallest value of $\mathtt {index}$ where $T- \mathtt {index} \le 2^{i+1} -2$ AND $\mathtt {index} \mod 2^i$. Now let’s consider the next value of $\mathtt {index}+1$ which is equal to $z+2^{i}$ and use it to prove that at $\mathtt {index}+1$ the set $S_i$ is assigned to be in Case 1. Then

$$ T- (\mathtt {index}+1) = T -(z + 2^i)= (T-z) -2^i = 2^{i+1} - 2 -2^i = 2^i -2. $$

Then we have that at $\mathtt {index}+1$ the set $S_i$ is categorized at Case 1 (and empty) by our description.

We now show that for each $\mathtt {index}$ if the state description was valid at $\mathtt {index}$ then it is valid at $\mathtt {index}+1$. We break this into three separate claims showing that if a set $S_i$ is in Case 1, 2 and 3 respectively at $\mathtt {index}$ that in $\mathtt {index}+1$ it will match the state description.

Claim 13

Suppose at period $\mathtt {index}$ the state description is accurate and for a set $S_i$ we are in Case 1 where $T - \mathtt {index} \le 2^{i} -2$ and the set $S_i$ is empty. Then at period $\mathtt {index}+1$ the state description is accurate for set $S_i$.

Proof

For period $\mathtt {index}+1$ we have that $T - (\mathtt {index}+1)$ is also $\le 2^{i} -2$ and therefore it should also be Case 1 and $S_i$ should remain empty. The only way for it not to remain empty would be if the $\mathtt {StorageUpdate}$ algorithm “passed down” a new tuple from $S_{i+1}$. However, if $S_i$ was in Case 1 for period $\mathtt {index}$ then $S_{i+1}$ must also be and also be empty. Since $S_{i+1}$ is empty there is nothing to pass down.

Claim 14

Suppose at period $\mathtt {index}$ the state description is accurate and for a set $S_i$ we are in Case 2 where $\mathtt {index} = k \cdot 2^i + r$ for $0 \le r < 2^{i-1}$. Then at period $\mathtt {index}+1$ the state description is accurate for set $S_i$.

Proof

First consider the subcase where $r \ne 2^{i-1}-1$ which should keep $S_i$ in Case 2 on period $\mathtt {index}+1$. We will verify this. Since at period $\mathtt {index}$ we are in Case 2 there are two tuples in $S_i$ where the one with the smaller $\mathtt {open}$ value is of the form $ (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}=(k+1) \cdot 2^i-1, \mathtt {closing}= (k+1)\cdot 2^i-1 +2^{i-1}, \mathtt {count}=r)$. The update algorithm will increment $ \mathtt {count}$ to $r+1$ and update w to $w=w^{e_{\mathtt {closing} + \mathtt {count}}}$ which gives the needed form to remain in Case 2. The second tuple will is of the form $(w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}= (k+1)\cdot 2^i-1 + 2^{i-1}, \mathtt {closing}= (k+1) \cdot 2^i-1, \mathtt {count}=0)$. The update algorithm will not modify it as the other tuple had the smaller $\mathtt {open}$ value. Thus it remains the same which matches the behavior for $S_i$ remaining in Case 2. Finally, we need to check that no new tuples are passed down from $S_{i+1}$. This follows from the fact (Claim 11) that $\mathtt {index} \mod 2^i = r \ne 2^i-1$ and that a pushdown would only happen as $\mathtt {index}$ transfers to being a multiple of $2^i$.

We now consider the subcase where $r = 2^{i-1}-1$ at $\mathtt {index}$ and thus at $\mathtt {index}+1$ we should be moving into Case 3. In this subcase the set $S_i$ begins with two tuples with one of the form $ (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}=(k+1) \cdot 2^i-1, \mathtt {closing}= (k+1)\cdot 2^i-1 +2^{i-1}, \mathtt {count}=r=2^{i-1}-1)$. The update operation will first modify the tuple to a new $\mathtt {count}$ value of $\mathtt {count}=2^{i-1}$. This will trigger the pushdown operation to move the tuple out of $S_i$. It then leaves it with one tuple of the needed form which transitions $S_i$ to Case 3 as needed. Again no new elements are pushed onto $S_i$ from $S_{i+1}$ due to Claim 11.

Claim 15

Suppose at period $\mathtt {index}$ the state description is accurate and for a set $S_i$ we are in Case 3 where $\mathtt {index} = k \cdot 2^i + r$ for $2^{i-1} \le r < 2^{i}$ for some k. Then at period $\mathtt {index}+1$ the state description is accurate for set $S_i$.

Proof

We first focus on the subcase where $r \ne 2^i -1$ and thus at $\mathtt {index}+1$ we want to verify that we stay in Case 3. Initially there is one tuple of the form $(w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open} = (k+1)\cdot 2^i-1 + 2^{i-1}, \mathtt {closing}= (k+1) \cdot 2^i-1, \mathtt {count}=r - 2^{i-1})$. The update algorithm will increment $ \mathtt {count}$ to $r+1$ and update w to $w=w^{e_{\mathtt {closing} + \mathtt {count}}}$ which gives the needed form to remain in Case 3. As before no new tuples will be added since $\mathtt {index}+1 \mod 2^i \ne 0$.

We end by considering the subcase where $r = 2^i -1$. In this subcase there is initially a single tuple with a $\mathtt {count}$ value of $\mathtt {count}=2^{i-1} -1$. The update algorithm will increment this $\mathtt {count}$ which triggers its removal from the set. What remains to be seen is whether a new element is added or if it becomes empty.

We now consider two possibilities. If $T- (\mathtt {index}+1) \le 2^{i} -2$, then our description states that set $S_i$ should enter Case 1 on $\mathtt {index}+1$. It is easy to see that if this is true that the set $S_{i+1}$ was already Case 1 and empty on $\mathtt {index}$ and nothing new will be added so the set $S_i$ is empty as needed.

The somewhat trickier case is when $T- (\mathtt {index}+1) > 2^{i} -2$. Here we need to verify that the set $S_i$ ends up in Case 2 with the appropriate tuple at $\mathtt {index}+1$. First, since $\mathtt {index}+1 \mod 2^i = 0$ we can apply Claim 12. It states that if set $S_{i+1}$ were in Case 1 (empty) at $\mathtt {index}$ then set $S_i$ would be in Case 1 for $\mathtt {index}+1$. Since this is not the case, we have that $S_{i+1}$ must be non empty and in Case 2 or 3.

If $S_{i+1}$ started in Case 2 at $\mathtt {index}$, it initially has a tuple of the form:

$$\begin{aligned} (w= v^{\prod _{j \in T\setminus R} e_j}, \mathtt {open}=(\tilde{k}+1) \cdot 2^{i+1}-1, \mathtt {closing}= (\tilde{k}+1)\cdot 2^{i+1}-1 +2^{i},&\\ \mathtt {count}=2^i-1). \end{aligned}$$

Where we let $R= [\mathtt {open}, \mathtt {open}+2^{i} - 1] \cup [\mathtt {closing} + \mathtt {count}, \mathtt {closing}+2^{i} -1 ]$. Note by the description $\mathtt {index} = 2^{i+1} \tilde{k} +2^{i} -1$. After the update algorithm has its first pass, $\mathtt {count}$ is incremented to $2^i$ and an exponentiation is done that updates w where it is now for $R= [\mathtt {open}, \mathtt {open}+2^{i} - 1 ]$ as the second half of the range falls off with the new count value. The update algorithm then removes this tuple from $S_{i+1}$ and creates two new tuples from it. One with an $\mathtt {open}'= \mathtt {open}$ and $\mathtt {closing}'=\mathtt {open} + 2^i$; the second with $\mathtt {open}'= \mathtt {open} + 2^i $ and $\mathtt {closing}'= \mathtt {open}$.

To verify correctness recall that $\mathtt {index} = 2^{i} k +2^{i} -1$ and $\mathtt {index} = 2^{i+1} \tilde{k} +2^{i} -1$. It follows that $k=2\cdot \tilde{k}$. Second, $\mathtt {index+1} = 2^{i} \cdot k'$ where $k' = k+1$. To match the description for $\mathtt {index+1}$ we must have that the first tuple created has an $\mathtt {open}'$ value of $\mathtt {open}'=(k'+1) 2^i -1$. Plugging in terms:

$$ (k'+1) 2^i -1 = (k+1+1) 2^i -1 = (2\tilde{k} +2) 2^i -1 = (\tilde{k} + 1) 2^{i+1 }-1. $$

However, this is exactly the value it inherited from $\mathtt {open}$ as needed.

The argument that the right tuple is inherited when set $S_{i+1}$ is in Case 3 proceeds in almost the same way as above.

The proof of our theorem now comes via induction. The accuracy of the state description for $\mathtt {index}=0$ can be verified by inspection. We can prove the rest by induction on $\mathtt {index}$. For any $\mathtt {index}$ the accuracy of the description $\mathtt {index}+1$ follows from its accuracy on period $\mathtt {index}$. In particular, our previous three claims show that for any i if the state $S_i$ is accurate in period $\mathtt {index}$ then after the update algorithm executes, $S_i$ will be accurate in period $\mathtt {index}+1$ too.

Computational and Storage Efficiency. Analyzing the running time for these storage operations is straightforward. We have that $\mathtt {levels} = \lfloor \lg {T} \rfloor $. In each storage update operation there is at each level at most one prime search operation and at most one exponentiation. This comes from the fact that for each i the algorithm updates a single set element — the one with the smallest $\mathtt {open}$ value (if any). Therefore the number of prime searches and exponentiations is bounded by $\lg (T)$ as desired.

The above state description immediately gives us the storage efficiency we desire. There are at most $\lg (T)$ sets i which have at most two tuples. Each tuple has a single group element. As written, a tuple also has three (small) integers (of value at most T), although a program could drop these because they can be inferred from $\mathtt {index}$, so we will not count them in our Sect. 8 analysis.

Sample Snapshot of Storage. To help the reader better understand these storage algorithms, we provide an example of the storage states for $\mathtt {levels}=3$ and $T = 2^{\mathtt {levels}+1}-2 = 2^4-2=14$ in Appendix A.

6.3 Using the Storage Primitives and Optimizations

We can use the storage primitive above to modify our signing algorithm and key storage of Sect. 4. We describe two slightly different methods to do this.

Method 1. The Setup algorithm will run as before and output the core public parameters as $\mathsf {pp}=(T, N, g, Y, K)$. However, it will also run $\mathtt {StorageInit}(\mathsf {pp}, g)$ which outputs a value $\mathtt {store}$ which is appended to the public parameters.

The secret key algorithm will choose random integers $u_0,u_1,\dots ,u_k$ in [1, N]. It sets the secret key as $ sk =(u_0,u_1,\dots ,u_k)$ and the public key $ pk =(U_0,U_1,\dots $, $U_k)$ where $U_j = Y^{u_j} = g^{u_j \prod _{i \in T} e_i} \text {, for}\, j=0\, \text {to }\, k.$ Note all of this is identical to the Sect. 4 scheme. However, it additionally appends $\mathtt {store}$ from the public parameters to its secret key. The $\mathtt {store}$ is the part of the secret key that will be modified at each signing.

During each the t-th signing step, it will call $\mathtt {StorageUpdate}(\mathsf {pp}, \mathtt {store}_{t-1})$ and as output get a new storage value $\mathtt {store}_{t}$ that is uses to replace the previous one as well as $J=Y^{1/e_t}$. It uses this to sign by computing:

$$ \sigma = J^{u_0} \prod _{j=1}^k J^{u_j \cdot m_j} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N. $$

Method 2. This will be similar to Method 1 except that instead of raising to the $u_0, \ldots , u_k$ values at the end of signing the algorithm will keep $k+1$ parallel copies of storage that already have each respective $u_i$ exponent raised. The description below will need to slightly “break into” the abstraction that we gave earlier.

Setup will run as before and output the core public parameters as $\mathsf {pp}=(T, N, g, Y, K)$. However, it will also run $\mathtt {StorageInit}(\mathsf {pp}, g)$ which outputs a value $\mathtt {store}$ which is appended to the public parameters.

The secret key algorithm will choose random integers $u_0,u_1,\dots ,u_k$ in [1, N]. It sets the public key $ pk =(U_0,U_1,\dots ,U_k)$ where $U_j = Y^{u_j} = g^{u_j \prod _{i \in T} e_i}$, for $j=0$ to k (as in the Sect. 4 scheme). For $j =0$ to k it computes $\mathtt {store}^{(j)}$ by taking each of the group elements in $\mathtt {store}$ and raising it to $u_j$. This process effectively changes $\mathtt {store}$ from being a storage of $v=g$ to being a storage of $v_j=g^{u_j}$ for the respective $u_j$. Note that each conversion takes $2 \cdot \mathtt {levels}$ exponentiations since there are $2 \cdot \mathtt {levels}$ group elements per storage.

During each t-th signing step, for each $j \in [0,k]$ it will call $\mathtt {StorageUpdate}(\mathsf {pp}$, $\mathtt {store}_{t-1}^{(j)})$ and as output get a new storage value $\mathtt {store}^{(j)}_{t}$ that is uses to replace the previous one as well as $J_j=U_j^{1/e_t}$. It uses these to sign by computing:

$$ \sigma = J_0 \prod _{j=1}^k J_j^{ m_j} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N. $$

Efficiency note: in the scheme above, the update operation will perform $\mathtt {levels}$ prime searches for each of the $k+1$ stores. (By prime search we mean computing the relevant $e_i$ values needed in update.) This gives $(k+1) \cdot \mathtt {levels}$ total prime searches. However, each of these stores will be computing the same e values. Thus if we slightly break into the abstraction then one can do only $\mathtt {levels}$ total prime searches by sharing that part of the computation across all $k+1$ storage updates.

7 Identity-Based Aggregation from RSA

In the full version [25], we provide the definition for synchronized identity-based aggregate signatures. We now give a construction based on the RSA assumption.

$Setup(1^\lambda , 1^T)$ The setup algorithm chooses an integer $N=pq$ as the product of two safe primes where $p-1 = 2p'$ and $q-1=2q'$, such that $2^{\lambda }< \phi (N) < 2^{\lambda + 1}$. The scheme assumes a hash function (modeled as a random oracle) $G: \mathcal {I}\rightarrow \mathbb {Z}_N^{*(k+1)}$. It also uses the hash function $H: [1,T] \rightarrow \{0,1\}^{\lambda +1}$ with key K as specified in Sect. 4. It computes:

$$D = \prod _{i=1}^T H_K(i)^{-1} \mod \phi (N).$$

It publishes the public parameters as $\mathsf {pp}=(T, N, K)$ and we assume all parties have access to G. The master secret key includes the factorization of N and the value D.

$Extract( msk , ID )$ The algorithm computes $(U_0,\dots ,U_k) \leftarrow G( ID )$. For $i=1$ to k, it computes $d_i = U_i^D \mod N$. It returns the secret key as $ sk =(d_0,d_1,\dots ,d_k)$.

$Sign(\mathsf {pp}, sk _{ ID }, M, t)$ The signing algorithm takes as input a time period $1 \le t \le T$ and an $L=(\ell k)$-bit message $M=m_1 | m_2 | \dots | m_k$, where each $m_i$ contains $\ell $-bits and these are concatenated together to form M. It computes the primes $(e_1,\dots ,e_T)$ from $\mathsf {pp}$ and then outputs

$$ \sigma = \big (d_0 \prod _{j=1}^k d_j^{m_j}\big )^{\prod _{i \in T \setminus \{t\}} e_i} = \big ( U_0 \prod _{j=1}^k U_j^{m_j}\big )^{1/e_t} \pmod N. $$

$Verify(\mathsf {pp}, ID , M, t, \sigma )$ Let $M=m_1 | m_2 | \dots | m_k$ and $G( ID ) = (U_0,\dots ,U_k)$ The algorithm computes the prime $e_t$ from $\mathsf {pp}$. Output 1 if $1 \le t \le T$ and $\sigma ^{e_t} {\mathop {=}\limits ^{?}} U_0 \prod _{i=1}^k U_{i}^{m_{i}}$ or 0 otherwise.

$Aggregate(\mathsf {pp}, t, ( ID _1,M_1,\sigma _1),\dots ,( ID _n,M_n,\sigma _n))$ As before, $\sigma _{agg} = \prod _{ j=1}^n \sigma _j \pmod N.$

$AggVerify(\mathsf {pp}, t, ( ID _1,\dots , ID _n), (M_1, \dots ,M_n),\sigma _{agg})$ As before, output 1 if and only if all inputs are in the correct range, each identity is unique and $\sigma _{agg}^{e_t} {\mathop {=}\limits ^{?}} \prod _{j=1}^n (U_{j,0}\prod _{i=1}^k U_{j,i}^{m_{j,i}})$ where here $G( ID _i) = (U_{i,0},\dots ,U_{i,k})$.

Remarks. We remark that the same performance enhancements explored in Sects. 5 and 6 apply here. For simplicity, we present the identity-based version only for the scheme in Sect. 4.

Theorem 16

If the RSA assumption (as stated in Assumption 1) holds, F is a secure pseudorandom function and G is modeled as a random oracle, then the above identity-based synchronized aggregate signature construction is existentially unforgeable under an adaptive chosen message attack.

Proof of this theorem appears in the full version [25] of this work.

8 Performance Evaluation

We now analyze the performance of the various RSA-based aggregate signature schemes in this work. In particular we consider: our core signature scheme of Sect. 4, our scheme with $\approx \sqrt{(T)}$ storage and signing time of Sect. 5, our “big storage for fast signing” scheme also of Sect. 5 and our scheme of $\approx \lg (T)$ storage and signing of Sect. 6 via two different methods of implementing signing (which may out perform each other based on the selection of various implementation parameters). The scheme of Sect. 4 has similar performance to that of Sect. 5 when $a=T$ and therefore we do not separately analyze it.

For each scheme, we first evaluate its run-time performance with a signing algorithm operations count in Fig. 1. We then proceed to inspect its practical performance using a 2048-bit RSA modulus and a 256-bit message (the latter corresponding to an output of SHA-256). In Fig. 3, we evaluate each scheme with each of the following parameters: 1 message chunk size of 256 bits, 8 message chunks of 32 bits and 256 messages chunks of 1 bit. When message chunks are 256 bits, we use 257-bit prime e values and for chunks of size 32 bits or 1 bit we consider 80-bit e values. Here we make sure that the size of the RSA primes are at least as big as the message chunks, but let them fall no further than 80 bits to avoid collisions.^{Footnote 9} These evaluations will be considered for a maximum number of periods of $T \in \{2^{12}, 2^{16}, 2^{20}, 2^{24}, 2^{28}, 2^{32}\}$. Technically, for the log scheme the numbers of time periods is $T = 2^{\mathtt {levels}+1}-2$, however for the sake of these comparisons we will ignore the small constants.

To perform the timing evaluations in Fig. 3, we utilized the high-performance NTL number theory library in C++ v10.5.0 by Victor Shoup [38]. Averaged over 1000 iterations, we measured the cost of a prime search of the relevant size as well as the time to compute modular multiplications and modular exponentiations for the relevant exponent sizes using a 2048-bit RSA modulus. We took all time measurements on an early 2015 MacBook Air with a 1.6 GHz Intel Core i5 processor and 8 GB 1600 MHz DDR3 memory. These timing results are recorded in Fig. 2.

We next report on the signer’s storage space requirements in Fig. 4 for all of these combinations. And in Fig. 5, we show how to view T in practical terms for how often one can issue signatures according to the synchronized restrictions over the lifespan of a private key.

Some Conclusions. As expected the initial core scheme of Sect. 4 is much too costly for signing. Even for $T=2^{20}$ (where one signature is permitted every 5 min for 10 years), it takes roughly 10 min to sign a single message, so the processor we took these measurements on could not “break even” by keeping up with the modest pace of one signature every 5 min using the base scheme. At larger time periods, the signing time moves into days. One noticeable aspect is that the $k=1$ (where k is the number of message chunks) time measurements are about a factor of three greater than when $k \in \{8,256\}$ for this scheme and the square root one. This is due to the cost difference of searching for and raising to 257-bit primes versus 80-bit primes which dominate these schemes.

The square root tradeoff certainly does better, but cannot break even (on the processor measured) once we hit $T=2^{28}$. Additionally, the keys are somewhat large on the order of a few megabytes. This could be an issue if we would want to store several keys or a single key on a low memory device.

On the other end of the spectrum when setting $a=1$, we get relatively fast signatures. Here things flip where it is significantly more expensive to sign for $k=256$ than $k \in \{1,8\}$. The reason is that at this point the cost of raising to the $u_i$ values now dominates the computation — whereas in the earlier schemes it was dominated by raising to the $e_i$ values. The main downside of this setting is that the key sizes are huge — breaking into the terabyte range for $T=2^{32}$.

We finally move to our log scheme of Sect. 6 where we start with Method 1. It scales well with the number of time periods where even for $T=2^{32}$ it is only about 60 ms for $k \in \{1,8\}$. For $k=256$ the time is again dominated by the raising to the $u_i$ values at the end. Also, the private keys can be kept in the range of ten to twenty kilobytes for lower k values. (We note that for $k=256$ one possibility is that the $u_i$ values could be generated from a pseudo random function which could lower the key storage cost.) The second method of using the log storage is more costly in terms of key storage cost. Its performance in signing time is slightly better for smaller values of T, but for values higher than $2^{20}$ turns worse. For this reason the first method seems to perform better overall than the second.

Altogether, the log storage solution (of Sect. 6 using Method 1) offers practical time/space costs and appears to provide the best overall practical performance of all schemes analyzed.

Notes

1.
In this work, as in the case of [1], if the signers’ clocks become out of sync with each other, this will lead to inefficiencies in the system, as it will not be possible to aggregate some signatures, but this will not open up security issues. As in [1, 19], there is a security issue if a tag or period value is reused by the signer, so an adversary’s ability to move a user’s clock backward could lead to forgeries for that signer.
2.
For any adversary $\mathcal {A}$ that runs in time polynomial in $\lambda $ will be restricted (by its own running time) to giving T values out that are polynomial in $\lambda $.
3.
As observed by [1], one can relax this unforgeability condition to allow the forgery message, $M_{z^*}'$, to have been previously queried to the signing oracle provided that it was not done during the same period used in the forgery. This “stronger” notion can be achieved by any scheme satisfying the above unforgeability definition by having the signer incorporate the period into each message.
4.
In practice, one might use a collision-resistant hash function to map arbitrarily long messages into $L=256$ bits and then set $\ell =32$ and $k=8$. We discuss the efficiency implications of these choices in Sect. 8.
5.
We expect this default case to be exercised only with negligible probability, but define it so that the function $H_K(t)$ is guaranteed to terminate in a bounded amount of time.
6.
Our scheme has the property that any $\sigma _{agg}$ that verifies on period t for $ pk _1,\dots , pk _z$ and $M_1,\dots ,M_z$ also verifies on any permutation applied to both sequences.
7.
We expect this to be the normal mode of operation in a synchronized scheme, however, the previous schemes have the ability to sign for periods in an arbitrary order.
8.
In a particular $S_i$ there might be zero, one or two tuples. If there are two, the one with the larger $\mathtt {open}$ value is ignored. Ties will not occur, as we will see from the case analysis in Sect. 6.2.
9.
We remark that the parameters given for this evaluation do not have a total correspondence to the scheme description. For example, using 80-bit e values will technically require a variant of the RSA assumption with smaller exponents. And we do not attempt to set the modulus size to match the security loss of our reduction. (It is unknown whether this loss can actually be utilized by an attacker or not.) Our focus here is to give the reader a sense of the relative performance of the scheme variants for parameters that might be used in practice.

References

Ahn, J.H., Green, M., Hohenberger, S.: Synchronized aggregate signatures: new definitions, constructions and applications. In: ACM Conference on Computer and Communications Security, pp. 473–484 (2010)
Google Scholar
Anonymous. Increasing anonymity in bitcoin (2013). https://bitcointalk.org/index.php?topic=1377298.0
Bagherzandi, A., Jarecki, S.: Identity-based aggregate and multi-signature schemes based on RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 480–498. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_28
Chapter Google Scholar
El Bansarkhani, R., Mohamed, M.S.E., Petzoldt, A.: MQSAS - a multivariate sequential aggregate signature scheme. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 426–439. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45871-7_25
Chapter Google Scholar
Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: Symposium on Foundations of Computer Science, pp. 186–195. IEEE Computer Society (2004)
Google Scholar
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Chapter Google Scholar
Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73420-8_37
Chapter Google Scholar
Bellare, M., Neven, G.: Identity-based multi-signatures from RSA. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 145–162. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_10
Chapter Google Scholar
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Chapter Google Scholar
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-Group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3
Chapter Google Scholar
Boldyreva, A., Gentry, C., O’Neill, A., Yum, D.H.: Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing. In: ACM Conference on Computer and Communications Security (CCS), pp. 276–285 (2007), http://www.cc.gatech.edu/~amoneill/bgoy.html
Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)
Article MathSciNet MATH Google Scholar
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
Chapter Google Scholar
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: A survey of two signature aggregation techniques. RSA Cryptobytes 6(2), 1–9 (2003)
Google Scholar
Brogle, K., Goldberg, S., Reyzin, L.: Sequential aggregate signatures with lazy verification from trapdoor permutations. Inf. Comput. 239, 356–376 (2014)
Article MathSciNet MATH Google Scholar
Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000)
Article Google Scholar
Fischlin, M., Lehmann, A., Schröder, D.: History-free sequential aggregate signatures. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 113–130. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_7
Chapter Google Scholar
Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 513–530. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_28
Chapter Google Scholar
Gentry, C., Ramzan, Z.: Identity-based aggregate signatures. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 257–273. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_17
Chapter Google Scholar
Guo, X., Wang, Z.: An efficient synchronized aggregate signature scheme from standard RSA assumption. Int. J. Future Gener. Commun. Netw. 7(3), 229–240 (2014)
Article Google Scholar
Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 647–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_35
Chapter Google Scholar
Hohenberger, S., Koppula, V., Waters, B.: Universal signature aggregators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 3–34. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_1
Google Scholar
Hohenberger, S., Sahai, A., Waters, B.: Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 494–512. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_27
Chapter Google Scholar
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_38
Chapter Google Scholar
Hohenberger, S., Waters, B.: Synchronized aggregate signatures from the RSA assumption. In: Eurocrypt (This Issue) (2018). The full version appears, https://eprint.iacr.org/2018/082
Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_20
Chapter Google Scholar
Lee, K., Lee, D.H., Yung, M.: Sequential aggregate signatures made shorter. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 202–217. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_13
Chapter Google Scholar
Lee, K., Lee, D.H., Yung, M.: Sequential aggregate signatures with short public keys: design, analysis and implementation studies. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 423–442. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_26
Chapter Google Scholar
Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_28. http://cseweb.ucsd.edu/~hovav/dist/agg-sig.pdf
Chapter Google Scholar
Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_5
Chapter Google Scholar
Ma, D., Tsudik, G.: Extended abstract: forward-secure sequential aggregate authentication. In: IEEE Symposium on Security and Privacy, pp. 86–91 (2007)
Google Scholar
Miller, G.L.: Riemann’s hypothesis and tests for primality. J. Comput. Syst. Sci. 13, 300–317 (1976)
Article MathSciNet MATH Google Scholar
Neven, G.: Efficient sequential aggregate signed data. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 52–69. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_4
Chapter Google Scholar
Rabin, M.O.: Probabilistic algorithm for testing primality. J. Number Theory 12, 128–138 (1980)
Article MathSciNet MATH Google Scholar
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21(2), 120–126 (1978)
Article MathSciNet MATH Google Scholar
Rückert, M., Schröder, D.: Aggregate and verifiably encrypted signatures from multilinear maps without random oracles. In: Park, J.H., Chen, H.-H., Atiquzzaman, M., Lee, C., Kim, T., Yeo, S.-S. (eds.) ISA 2009. LNCS, vol. 5576, pp. 750–759. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02617-1_76
Chapter Google Scholar
Sharmila Deva Selvi, S., Sree Vivek, S., Pandu Rangan, C.: Deterministic identity based signature scheme and its application for aggregate signatures. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 280–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_21
Chapter Google Scholar
Shoup, V.: NTL: A Library for doing Number Theory, v10.5.0 (2017). http://www.shoup.net/ntl/

Download references

Acknowledgments

We thank the anonymous reviewers for their helpful comments and Joseph Ayo Akinyele for implementation discussions.

Author information

Authors and Affiliations

Johns Hopkins University, Baltimore, USA
Susan Hohenberger
University of Texas at Austin, Austin, USA
Brent Waters

Authors

Susan Hohenberger
View author publications
You can also search for this author in PubMed Google Scholar
Brent Waters
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Susan Hohenberger .

Editor information

Editors and Affiliations

Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen
University of Leuven, Leuven, Belgium
Vincent Rijmen

A Sample Snapshot of Storage for Sect. 6 Scheme

To aid the reader, we provide an example of the storage states for $\mathtt {levels}=3$ and $T = 2^{\mathtt {levels}+1}-2 = 2^4-2=14$ in Fig. 6. This example shows the states after updates; it does not show any intermediate states during an update operation. The example gives just the $\mathtt {open}$, $\mathtt {closing}$ and $\mathtt {count}$ values. The prior section describes how the corresponding group element w is computed based on these values (see the description of R as the range of indices of $e_i$ values excluded from the product in the exponent.) Initially, we have sets $S_1, \dots , S_{\mathtt {levels}=3}$ that are empty. The values at $\mathtt {index}=0$ show the states after running $\mathtt {StorageInit}$. The values at $\mathtt {index} >0$ show the state after a call to $\mathtt {StorageUpdate}$.

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hohenberger, S., Waters, B. (2018). Synchronized Aggregate Signatures from the RSA Assumption. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018 . EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10821. Springer, Cham. https://doi.org/10.1007/978-3-319-78375-8_7

Download citation

DOI: https://doi.org/10.1007/978-3-319-78375-8_7
Published: 31 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78374-1
Online ISBN: 978-3-319-78375-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Synchronized Aggregate Signatures from the RSA Assumption

Abstract

Similar content being viewed by others

Pointcheval-Sanders Signature-Based Synchronized Aggregate Signature

Identity-Based Key-Insulated Aggregate Signatures, Revisited

Half-Aggregation of Schnorr Signatures with Tight Reductions

1 Introduction

2 Scheme Specifications and Definitions of Security

Definition 1

Definition 2

3 Number Theoretic Assumptions and Related Lemmas

Assumption 1

Lemma 1

Theorem 2

4 A Base Scheme for Aggregation from RSA

4.1 Proof of Security

Theorem 3

Proof

Claim 4

Proof

Claim 5

Proof

Claim 6

Proof

Claim 7

Proof

Claim 8

Proof

Claim 9

Proof

5 Trading Off Signing Time with Storage

6 Obtaining \(O(\lg (T))\) Signing Time and Private Key Size

6.1 Storage Algorithms

6.2 Analysis

Theorem 10

Proof

Claim 11

Proof

Claim 12

Proof

Claim 13

Proof

Claim 14

Proof

Claim 15

Proof

6.3 Using the Storage Primitives and Optimizations

7 Identity-Based Aggregation from RSA

Theorem 16

8 Performance Evaluation

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

A Sample Snapshot of Storage for Sect. 6 Scheme

A Sample Snapshot of Storage for Sect. 6 Scheme

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation