Sequential Aggregate Signatures Made Shorter

Transcription

1 Sequentia ggregate Signatures Made Shorter Kwangsu Lee Dong Hoon Lee Moti Yung bstract Sequentia aggregate signature (SS) is a specia type of pubic-key signature that aows a signer to add his signature into a previous aggregate signature in sequentia order. In this case since many pubic keys are used and many signatures are empoyed and compressed it is important to reduce the sizes of signatures and pubic keys. Recenty Lee Lee and Yung (PKC 2013) proposed an efficient SS scheme with short pubic keys and proved its security without random oraces under static assumptions. In this paper we propose an improved SS scheme that has a shorter signature size compared with that of Lee et a. s SS scheme. Our SS scheme is aso secure without random oraces under static assumptions. To achieve the improvement we devise a new pubic-key signature scheme that supports muti-users and pubic re-randomization. Compared with the SS scheme of Lee et a. our SS scheme empoys new techniques which aow us to reduce the size of signatures by increasing the size of the pubic keys (obviousy since signature compression is at the heart of aggregate signature this is a further step in understanding the aggregation capabiity of such schemes). Keywords: Pubic-key signature ggregate signature Sequentia ggregation Muti-signature Biinear map. Korea University Korea. Emai: guspin@korea.ac.kr. This work was partiay done whie the author was at Coumbia University. Supported by the MKE (The Ministry of Knowedge Economy) Korea under the ITRC (Information Technoogy Research Center) support program (NIP-2012-H ) supervised by the NIP (Nationa IT Industry Promotion gency). Korea University Korea. Emai: donghee@korea.ac.kr. Supported by the Nationa Research Foundation of Korea (NRF) grant funded by the Korea government (MEST) (No ). Googe Inc. and Coumbia University US. Emai: moti@cs.coumbia.edu. 1

2 1 Introduction ggregate signature is a reativey new type of pubic-key signature (PKS) that aows a signer to aggregate different signatures generated by different signers on different messages into a short aggregate signature [6]. ggregate signature has many appications ike signing certificate chains proxy signing secure routing protocos and more. fter the introduction of aggregate signature by Boneh Gentry Lynn and Shacham [6] many aggregate signature schemes were proposed by using biinear groups [ ] and trapdoor permutations [ ]. However the security of many aggregate signature schemes was proven in the random orace mode. The random orace mode was very successfu to prove the security of practica schemes but the security proof in the random orace mode is not entirey sound [8] and schemes in the standard mode are needed. Standard mode soutions for the cases of sequentia aggregate signature (introduced in [19]) [ ] (where signatures are aggregated in a sequence as in appications ike certification chains) and synchronized aggregate signature (where a signers share a synchronized same vaue as introduced by [11]) [1] were given. sequentia aggregate signature (SS) scheme without random orace assumption is what we concentrate on here such a scheme was first proposed by Lu et a. [18] but the pubic-key size of this scheme is too arge since the scheme is based on the PKS scheme of Waters [25]. In pubic-key based aggregate signature reducing the size of pubic keys is very important since a verifier shoud retrieve a the pubic keys of signers to check the vaidity of the aggregate signature and needess to say the size of the aggregated signature is important as we. The importance of constructing a SS scheme with short pubic keys was addressed by Lu et a. [18] but they eft it as an interesting open probem. Schröder proposed the first SS scheme with short pubic keys based on the Camenisch-Lysyanskaya (CL) signature scheme [24] but it is ony secure under the interactive LRSW assumption. Recenty Lee et a. [16] proposed another SS scheme with short pubic keys based on the identity-based encryption (IBE) scheme of Lewko and Waters [17] and proved its security without random oraces under static assumptions. 1.1 Our Contributions In this paper we revisit the SS scheme of Lee et a. [16] and propose an improved SS scheme with shorter signature size. The proposed SS scheme trades off signature for pubic-key size since the signature size of our SS scheme is shorter than that of Lee et a. s SS scheme by two group eements but the pubic-key size of our SS scheme is onger by two group eements. To construct the SS scheme with shorter signature size that supports sequentia aggregation we first propose a new PKS scheme and prove its security without random oraces under static assumptions. dditionay we propose a muti-signature (MS) scheme with shorter signature size and shorter pubic parameters and prove its security without random oraces under static assumptions. We suggest new ideas and technicay speaking we construct a PKS scheme that supports muti-users and pubic re-randomization for a SS scheme with shorter signature size. We start the construction from the PKS scheme derived from the IBE scheme of Lewko and Waters [17] (as was done earier). However this directy converted PKS scheme does not support muti-users and pubic re-randomization as pointed out by Lee et a. [16] since the eements guh G cannot be pubished in the pubic key. Lee et a. soved this probem by modifying the verification agorithm of the PKS scheme but the size of signatures increased by two group eements. In this paper we sove this obstace in a different way and pubish gw c g 1 uwc u 1 hwc h 1 G in the pubic key instead of pubishing guh G to maintain the same size of signatures (oosey speaking we ift the verification parameters to the exponent). However note that this method increases the size of pubic keys by two group eements compared with that of Lee et a. s scheme since additiona group eements 2

3 shoud be pubished in the pubic key to make pubic gw c g 1 uwc u 1 hwc h Reated Work ggregate Signature. The concept of aggregate signatures was introduced by Boneh et a. [6] and they proposed the first aggregate signature scheme in biinear groups. Their aggregate signature scheme is the ony unique one that supports fu aggregation but the security is proven in the random orace mode and the verification agorithm requires number of pairing where is the number of signers in the aggregate signature. To remedy this situation other types of aggregate signatures were introduced. Lysyanskaya et a. [19] introduced the concept of sequentia aggregate signature (SS) and proposed a SS scheme in trapdoor permutations. Lu et a. [18] proposed the first SS scheme without random oraces but the size of pubic keys is very arge. To reduce the size of pubic keys SS schemes with short pubic key was proposed [ ]. Recenty SS schemes that do not require a verifier to check the vaidity of the previous signature were proposed [7 10]. Bodyreva et a. [4] proposed an identitybased sequentia aggregate signature scheme in biinear groups and proved its security under an interactive assumption. Recenty Gerbush et a. [12] proposed a modified identity-based sequentia aggregate signature scheme in composite order biinear groups and proved its security in the random orace mode under static assumptions. Gentry and Ramzan [11] introduced the concept of synchronized aggregate signature and proposed an identity-based synchronized aggregate signature scheme in the random orace mode. hn et a. [1] proposed an synchronized aggregate signature scheme and proved its security without random oraces. Recenty Lee et a. [15] proposed a synchronized aggregate signature scheme with shorter aggregate signatures based on the CL signature and proved its security in the random orace mode. Muti-Signature. The concept of muti-signature (MS) was introduced by Itakura and Nakamura [14]. MS is a specia type of aggregate signatures where a signers generate signatures for the same message. Micai et a. [20] defined the first forma security mode of MS and proposed a MS scheme based on the Schnorr signature. Bodyreva defined a genera security mode for muti-signatures and proposed a MS scheme in biinear groups that is secure in the random orace mode [3]. Lu et a. [18] proposed the first MS scheme that is secure without random oraces by modifying their SS scheme. Recenty Lee et a. [16] proposed a MS scheme with short pubic parameters and proved its security without random oraces. 2 Preiminaries In this section we define asymmetric biinear groups and introduce compexity assumptions in this biinear groups. 2.1 symmetric Biinear Groups Let GĜ and G T be mutipicative cycic groups of prime order p. Let gĝ be generators of GĜ. The biinear map e : G Ĝ G T has the foowing properties: 1. Biinearity: u G ˆv Ĝ and ab Z p e(u a ˆv b ) = e(u ˆv) ab. 2. Non-degeneracy: gĝ such that e(gĝ) has order p that is e(gĝ) is a generator of G T. 3

4 We say that GĜG T are biinear groups with no efficienty computabe isomorphisms if the group operations in GĜ and G T as we as the biinear map e are a efficienty computabe but there are no efficienty computabe isomorphisms between G and Ĝ. 2.2 Compexity ssumptions We empoy three static assumptions in prime order (asymmetric) biinear groups. ssumptions 1 and 2 were introduced by Lewko and Waters [17] whie ssumption 3 has been used extensivey. ssumption 1 (LW1) Let (pgĝg T e) be a description of the asymmetric biinear group of prime order p with the security parameter λ. Let gĝ be generators of GĜ respectivey. The assumption is that if the chaenge vaues D = ((pgĝg T e)gg b ĝĝ a ĝ b ĝ ab2 ĝ b2 ĝ b3 ĝ c ĝ ac ĝ bc ĝ b2c ĝ b3c ) and T are given no PPT agorithm B can distinguish T = T 0 = ĝ ab2c from T = T 1 = ĝ d with more than a negigibe advantage. The advantage of B is defined as dv 1 B (λ) = Pr[B(DT0 ) = 0] Pr[B(DT 1 ) = 0] where the probabiity is taken over the random choice of abcd Z p. ssumption 2 (LW2) Let (pgĝg T e) be a description of the asymmetric biinear group of prime order p. Let gĝ be generators of GĜ respectivey. The assumption is that if the chaenge vaues D = ((pgĝg T e)gg a g b g c ĝĝ a ĝ a2 ĝ bx ĝ abx ĝ a2x ) and T are given no PPT agorithm B can distinguish T = T 0 = g bc from T = T 1 = g d with more than a negigibe advantage. The advantage of B is defined as dv 2 B (λ) = Pr[B(DT 0 ) = 0] Pr[B(DT 1 ) = 0] where the probabiity is taken over the random choice of abcxd Z p. ssumption 3 (Decisiona Biinear Diffie-Heman) Let (pgĝg T e) be a description of the asymmetric biinear group of prime order p. Let gĝ be generators of GĜ respectivey. The assumption is that if the chaenge vaues D = ((pgĝg T e)gg a g b g c ĝĝ a ĝ b ĝ c ) and T are given no PPT agorithm B can distinguish T = T 0 = e(gĝ) abc from T = T 1 = e(gĝ) d with more than a negigibe advantage. The advantage of B is defined as dv 3 B (λ) = Pr[B(DT 0 ) = 0] Pr[B(DT 1 ) = 0] where the probabiity is taken over the random choice of abcd Z p. 3 Pubic-Key Signature In this section we propose an efficient pubic-key signature (PKS) scheme with short pubic keys that supports muti-users and pubic re-randomization and prove its security without random oraces under static assumption. 3.1 Definitions The concept of PKS was introduced by Diffie and Heman [9] and the first PKS scheme was proposed by Rivest et a. [23] based on trapdoor permutations. In PKS a signer first generates a pubic key and a private key and he keeps the private key himsef and pubishes the pubic key. The signer generates a signature on a message by using the private key. verifier can check the vaidity of the signature of the signer on the message by using the signer s pubic key. PKS scheme is formay defined as foows: 4

5 Definition 3.1 (Pubic-Key Signature). pubic key signature (PKS) scheme consists of three PPT agorithms KeyGen Sign and Verify which are defined as foows: KeyGen(1 λ ). The key generation agorithm takes as input the security parameters 1 λ and outputs a pubic key PK and a private key SK. Sign(MSK). The signing agorithm takes as input a message M and a private key SK and outputs a signature σ. Verify(σMPK). The verification agorithm takes as input a signature σ a message M and a pubic key PK and outputs either 1 or 0 depending on the vaidity of the signature. The correctness requirement is that for any (PKSK) output by KeyGen and any M M we have that Verify(Sign(M SK) M PK) = 1. We can reax this notion to require that the verification is correct with overwheming probabiity over a the randomness of the experiment. The security mode of PKS is defined as existentia unforgeabiity under a chosen message attack (EUF- CM) and this was formay defined by Godwasser et a. [13]. In this security mode an adversary adaptivey can request a poynomia number of signatures on messages through the signing orace and he finay outputs a forged signature on a message M. If the message M was not queried to the signing orace and the forged signature is vaid then the adversary wins this game. The security of PKS is formay defined as foows: Definition 3.2 (Security). The security notion of existentia unforgeabiity under a chosen message attack is defined in terms of the foowing experiment between a chaenger C and a PPT adversary : 1. Setup: C first generates a key pair (PKSK) by running KeyGen and gives PK to. 2. Signature Query: Then adaptivey and poynomiay many times requests a signature query on a message M under the chaenge pubic key PK and receives a signature σ generated by running Sign. 3. Output: Finay outputs a forged signature σ on a message M. C then outputs 1 if the forged signature satisfies the foowing two conditions or outputs 0 otherwise: 1) Verify(σ M PK) = 1 and 2) M was not queried by to the signing orace. The advantage of is defined as dv PKS = Pr[C = 1] where the probabiity is taken over a the randomness of the experiment. PKS scheme is existentiay unforgeabe under a chosen message attack if a PPT adversaries have at most a negigibe advantage in the above experiment (for arge enough security parameter). 3.2 Design Principe To construct a PKS scheme with short pubic keys that supports muti-users and pubic re-randomization we can derive a PKS scheme with short pubic keys from the IBE scheme in prime order groups of Lewko and Waters [17] by appying the transformation of Naor [5] and representing the signature in G to reduce the size of signatures. However this PKS scheme does not support muti-users and pubic re-randomization since the eements guh G cannot be pubished in the pubic key. Lee et a. [16] soved this probem by rerandomizing the verification eements of the signature verification agorithm but the number of signatures increased by two group eements and our main issue here is further compression of the signature size. 5

6 To this end we present another soution for the above probem that aows the eements guh to be safey pubished in the pubic key. In the PKS scheme of Lewko and Waters [17] if guh G are pubished in the pubic key then the simuator of the security proof can easiy distinguish norma verification components from semi-functiona verification components of the signature verification agorithm for a forged signature without the hep of an adversary. Thus the simuator of Lewko and Waters sets the CDH vaue into the eements guh to prevent the simuator from creating these eements. Our idea for soving this probem is to ift the pubished vaues into the exponent and pubish gw c g 1 uwc u 1 hwc h 1 that are additionay mutipied with random eements instead of directy pubishing g u h. In this case the simuator can create these eements since the random exponents c g c u c h can be used to cance out the CDH vaue embedded in the eements g u h. dditionay the simuator cannot distinguish the changes of verification components for the forged signature because of the added eements w c g 1 wc u 1 wc h 1. This soution does not increase the number of group eements in the signatures rather it increases the number of pubic keys since additiona eements w c g 2 wc g w c u 2 wc u w c h 2 wc h shoud be pubished. 3.3 Construction Our PKS scheme in prime order biinear groups is described as foows: PKS.KeyGen(1 λ ): This agorithm first generates the asymmetric biinear groups GĜ of prime order p of bit size Θ(λ). It chooses random eements g w G and ĝ Ĝ. Next it seects random exponents νφ 1 φ 2 Z p and sets τ = φ 1 +νφ 2. It aso seects random exponents αxy Z p and sets u = g x h = g y û = ĝ x ĥ = ĝ y w 1 = w φ 1w 2 = w φ 2. It outputs a private key SK = (αguh) and a pubic key by seecting random vaues c g c u c h Z p as PK = ( gw c g 1 wc g 2 wc g uw c u 1 wc u 2 wc u hw c h 1 wc h 2 wc h w 1 w 2 w ĝĝ ν ĝ τ ûû ν û τ ĥĥ ν ĥ τ Ω = e(gĝ) α ). PKS.Sign(MSK): This agorithm takes as input a message M Z p and a private key SK = (αguh) with PK. It seects random exponents rc 1 c 2 Z p and outputs a signature as σ = ( W 11 = g α (u M h) r w c 1 1 W 12 = w c 1 2 W 13 = w c 1 W 21 = g r w c 2 1 W 22 = w c 2 2 W 23 = w c ) 2. PKS.Rand(σ MPK): This agorithm takes as input a signature σ = (W 11...W 23 ) a message M Z p and a pubic key PK. It seects random exponents rc 1 c 2 Z p and outputs a randomized signature as σ = ( W 11 = W 11 ((uw c u 1 )M (hw c h 1 ))r w c 1 1 W 12 = W 12 ((w c u 2 )M w c h 2 )r w c 1 2 W 13 = W 13 ((w c u ) M w c h ) r w c 1 W 21 = W 21 (gw c g 1 )r w c 2 1 W 22 = W 22 (w c g 2 )r w c 2 2 W 23 = W 23 (w c g ) r w c ) 2. PKS.Verify(σMPK): This agorithm takes as input a signature σ on a message M Z p under a pubic key PK. It chooses a random exponent t Z p and computes verification components as V 11 = ĝ t V 12 = (ĝ ν ) t V 13 = (ĝ τ ) t V 21 = (û M ĥ) t V 22 = ((û ν ) M ĥ ν ) t V 23 = ((û τ ) M ĥ τ ) t. Next it verifies that 3 e(w 1iV 1i ) 3 e(w 2iV 2i ) 1? = Ω t. If this equation hods then it outputs 1. Otherwise it outputs 0. 6

7 If we impicity sets c 1 = c g α + (c u M + c h )r + c 1 c 2 = c g r + c 2 then the randomized signature is aso correcty distributed as 3.4 Security naysis W 11 = g α (u M h) r w c 1 1 W 12 = w c 1 2 W 13 = w c 1 W 21 = g r w c 2 1 W 22 = w c 2 2 W 23 = w c 2. We prove the security of our PKS scheme without random oraces under static assumptions. To prove the security we use the dua system encryption technique of Lewko and Waters [17]. The dua system encryption technique was originay deveoped to prove the fu-mode security of IBE and its extensions but it aso can be used to prove the security of PKS by using the transformation of Naor [5]. Recenty Lee et a. [16] proved the security of their PKS scheme by using the dua system encryption technique and Gerbush et a. [12] deveoped the dua form signature technique that is a variation of the dua system encryption technique to prove the security of theirs PKS schemes. Theorem 3.3. The above PKS scheme is existentiay unforgeabe under a chosen message attack if ssumptions 1 2 and 3 hod. That is for any PPT adversary there exist PPT agorithms B 1 B 2 B 3 such that dv PKS (λ) dv1 B 1 (λ)+qdv 2 B 2 (λ)+dv 3 B 3 (λ) where q is the maximum number of signature queries of. Proof. Before proving the security we first define two additiona agorithms for semi-functiona types. For the semi-functionaity we set f = g y f ˆf = ĝ y f where y f is a random exponent in Z p. PKS.SignSF. The semi-functiona signing agorithm first creates a norma signature using the private key. Let (W 11...W 23 ) be the norma signature of a message M with random exponents rc 1c 2 Z p. It seects random exponents s k z k Z p and outputs a semi-functiona signature as σ = ( W 11 = W 11 ( f ν ) s kz k W 12 = W 12 f s kz k W 13 = W 13 W 21 = W 21 ( f ν ) s k W 22 = W 22 f s k W 23 = W 23 ). PKS.VerifySF. The semi-functiona verification agorithm first creates a norma verification components using the pubic key. Let (V 11...V 23 ) be the norma verification components with a random exponent t Z p. It chooses random exponents s c z c Z p and computes semi-functiona verification components as V 11 = V 11 V 12 = V 12 ˆf s c V 13 = V 13 ( ˆf φ 2 ) s c V 21 = V 21 V 22 = V 22 ˆf s cz c V 23 = V 23 ( ˆf φ 2 ) s cz c. Next it verifies that 3 e(w 1iV 1i ) 3 e(w 2iV 2i ) 1? = Ω t. If this equation hods then it outputs 1. Otherwise it outputs 0. If the semi-functiona verification agorithm is used to verify a semi-functiona signature then an additiona random eement e( f ˆf ) s ks c (z k z c ) is eft in the eft part of the above verification equation. If z k = z c then the semi-functiona verification agorithm succeeds. In this case we say that the signature is nominay semi-functiona. The security proof uses a sequence of games G 0 G 1 G 2 G 3 : The first game G 0 wi be the origina security game and the ast game G 3 wi be a game such that an adversary has no advantage. Formay the hybrid games are defined as foows: 7

8 Game G 0. This game is the origina security game. In this game the signatures that are given to are norma and the chaenger use the norma verification agorithm PKS.Verify to check the vaidity of the forged signature of. Note that can forge a norma signature or a semi-functiona signature to win this game since norma or semi-functiona signatures are aways verified in the norma verification agorithm. Game G 1. This game is amost identica to G 0 except that the chaenger use the semi-functiona verification agorithm PKS.VerifySF to check the vaidity of the forged signature of. Note that shoud forge a norma signature to win this game since semi-functiona signatures cannot be verified in the semi-functiona verification agorithm. Game G 2. This game is the same as the G 1 except that the signatures that are given to wi be semifunctiona. t this moment the signatures are semi-functiona and the chaenger use the semifunctiona verification agorithm PKS.VerifySF to check the vaidity of the forged signature. Suppose that makes at most q signature queries. For the security proof we define a sequence of hybrid games G 10...G 1k...G 1q where G 10 = G 1. In G 1k a norma signature is given to for a j-th signature queries such that j > k and a semi-functiona signature is given to for a j-th signature queries such that j k. It is obvious that G 1q is equa to G 2. Game G 3. This fina game differs from G 2 in that the chaenger aways rejects the forged signature of by repacing the eement Ω in the verification equation to a random eement. Therefore the advantage of this game is zero since cannot win this game. To prove the security using the dua system encryption technique we shoud show that it is hard for to forge a norma signature and a semi-functiona signature. t first from the indistinguishabiity between G 0 and G 1 we obtain that can forge a norma signature with a non-negigibe probabiity whie he cannot forge a semi-functiona signature when ony norma signatures are given to. To finish the proof we additionay shoud show that it is hard for to forge a norma signature. From the indistinguishabiity between G 1 and G 2 we obtain that the probabiity of to forge a norma signature does not change when the signatures given to are changed from a norma type to a semi-functiona type. Finay from the indistinguishabiity between G 2 and G 3 we obtain that it is hard for to forge a norma signature when ony semi-functiona signatures are given to the adversary. Therefore we have the unforgeabiity of the adversary through the indistinguishabiity of hybrid games. Let dv G j be the advantage of in G j for j = Let dv G 1k be the advantage of in G 1k for k = 0...q. It is cear that dv G 0 = dvpks (λ) dvg 10 = dvg 1 dvg 1q = dvg 2 and dvg 3 = 0. From the foowing three emmas we prove that it is hard for to distinguish G i 1 from G i under the given assumptions. Therefore we have that This competes our proof. dv PKS 2 (λ) = dvg 0 + ( dv G i ) dvg i dv G 3 = dv 1 B 1 (λ) + q k=1 dv 2 B 2 (λ) + dv 3 B 3 (λ). 3 dv G i 1 dvg i Lemma 3.4. If ssumption 1 hods then no poynomia-time adversary can distinguish between G 0 and G 1 with non-negigibe advantage. That is for any adversary there exists a PPT agorithm B 1 such that dv G 0 dvg 1 = dv 1 B 1 (λ). 8

9 Proof. The proof of this emma is amost simiar to the proof of Lemma 1 in [17] except that the pubic key is generated differenty and the proof is empoyed in the PKS setting. Suppose there exists an adversary that distinguishes between G 0 and G 1 with non-negigibe advantage. simuator B 1 that soves ssumption 1 using is given: a chaenge tupe D = ((pgĝg T e)kk b ˆk ˆk a ˆk b ˆk ab2 ˆk b2 ˆk b3 ˆk c ˆk ac ˆk bc ˆk b2c ˆk b3c ) and T where T = T 0 = ˆk ab2c or T = T 1 = ˆk ab2 c+d. Then B 1 that interacts with is described as foows: B 1 first chooses random exponents φ 2 Bα Z p random vaues y g y u y h y w Z p. It computes w 1 = w φ 1 = (k b ) y w w 2 = w φ 2 = k y wφ 2 w = k y w by impicity setting φ 1 = b. It impicity sets c g = b/y w +c gc u = b/y w + c uc h = bb/y w + c h ν = aτ = b + aφ 2 and pubishes a pubic key by seecting random vaues c gc uc h Z p as gw c g 1 = ky g w c g 1 wc g 2 = (kb ) b 2 w c g 2 wc g = (k b ) 1 w c g uw c u 1 = ky u w c u 1 wc u 2 = (kb ) b 2 w c u 2 wc u = (k b ) w c u hw c h 1 = ky h w c h 1 wc h 2 = (kb ) b 2B w c h 2 wc h = (k b ) B w c h w1 w 2 w ĝ = ˆk b2 ˆk y g ĝ ν = ˆk ab2 (ˆk a ) y g ĝ τ = (ˆk b3 (ˆk b ) y g (ˆk ab2 ) b 2 (ˆk a ) y gb 2 ) 1 û = (ˆk b2 ) ˆk y u û ν = (ˆk ab2 ) (ˆk a ) y u û τ = ((ˆk b3 ) (ˆk b ) y u (ˆk ab2 ) b 2 (ˆk a ) y ub 2 ) 1 ĥ = (ˆk b2 ) Bˆk y h ĥ ν = (ˆk ab2 ) B (ˆk a ) y h ĥ τ = ((ˆk b3 ) B (ˆk b ) y h (ˆk ab2 ) Bb 2 (ˆk a ) y hb 2 ) 1 Ω = (e(k b3 ˆk b ) e(k b2 ˆk) 2yg e(k ˆk) y2 g) α. It impicity sets g = k b2 k y g u = (k b2 ) k y u h = (k b2 ) B k y h but it cannot create these eements since k b2 is not given. dditionay it sets f = k ˆf = ˆk for the semi-functiona signature and verification. adaptivey requests a signature for a message M. To response this sign query B 1 first seects random exponents rc 1 c 2 Z p. It impicity sets c 1 = b(α + (M + B)r)/y w + c 1 c 2 = br 1 /y w + c 2 and creates a norma signature as W 11 = k y gα+(y u M+y h )r (w 1 ) c 1 W12 = (W 13 ) φ 2 W 13 = (k b ) (α+(m+b)r) w c 1 W 21 = k y gr (w 1 ) c 2 W22 = (W 23 ) φ 2 W 23 = (k b ) r w c 2. Finay outputs a forged signature σ = (W 11...W 23 ) on a message M from. To verify the forged signature B 1 first chooses a random exponent t Z p and computes verification components by impicity setting t = c as V 11 = ˆk b2c (ˆk c ) y g V 12 = T (ˆk ac ) y g V 13 = ((ˆk b3c )(ˆk bc ) y g (T ) φ 2 (ˆk ac ) y gφ 2 ) 1 V 21 = (ˆk b2c ) M +B (ˆk c ) y um +y h V 22 = (T ) M +B (ˆk ac ) y um +y h V 23 = ( (ˆk b3c ) M +B (ˆk bc ) y um +y h (T ) φ 2(M +B) (ˆk ac ) φ 2(y u M +y h ) ) 1. Next it verifies that 3 e(w 1i V 1i) 3 e(w 2i V 2i) 1? = Ω t. If this equation hods then it outputs 0. Otherwise it outputs 1. To finish this proof we show that the distribution of the simuation is correct. We first show that the distribution using DT 0 = ˆk ab2c is the same as G 0. The pubic key is correcty distributed as gw c g 1 = (kb2 k y g )(k by w ) b/y w+c g = k y g w c g 1 uw c u 1 = (kb2 k y u )(k by w ) b/y w+c u = k y u w c u 1 hw c h 1 = (kb2b k y h )(k by w ) bb/y w+c h = k y h w c h 1. 9

10 The simuator cannot create guh since k b2 is not given in the assumption but it can create gw c g 1 uwc u 1 hwc h 1 since c g c u c h can be used to cance out k b2. The signature is correcty distributed as W 11 = g α (u M h) r w c 1 1 = (kb2 +y g ) α (k (b2 +y u )M k b2 B+y h ) r (k by w ) b(α+(m+b)r)/y w+c 1 = k y gα+(y u M+y h )r w c 1 1 W 21 = g r (w b 1 ) c 2 = (k b2 +y g ) r (k by w ) br/y w+c 2 = k y g r (w b 1 ) c 2. It can create a norma signature since c 1 c 2 enabe the canceation of k b2 but it cannot create a semifunctiona signature since k a is not given. The verification components are correcty distributed as V 11 = ĝ t = (ˆk b2 +y g ) c = ˆk b2c (ˆk c ) y g V 12 = (ĝ ν ) t = ˆk (b2 +y g )ac = T 0 (ˆk ac ) y g V 13 = (ĝ τ ) t = (ˆk (b2 +y g )(b+aφ 2 )c ) 1 = ((ˆk b3c )(ˆk bc ) y g (T 0 ) φ 2 (ˆk ac ) y gφ 2 ) 1 V 21 = (u M h) t = (k (b2 +y u )M k b2 B+y h ) c = (k b2c ) M +B (k c ) y um +y h V 22 = ((u ν ) M h ν ) t = (k (b2 +y u )am k (b2 B+y h )a ) c = (T 0 ) M +B (k ac ) y um +y h V 23 = ((u τ ) M h τ ) t = ((k (b2 +y u )(b+aφ 2 )M k (b2 B+y h )(b+aφ 2 ) ) c ) 1 = ((k b3c ) M +B (k bc ) y um +y h (T 0 ) φ 2(M +B) (k ac ) φ 2(y u M +y h ) ) 1. We next show that the distribution of the simuation using DT 1 = ˆk ab2c+d is the same as G 1. We ony consider the distribution of the verification components since T is ony used in the verification components. The difference between T 0 and T 1 is that T 1 additionay has ˆk d. Thus V 12 V 13 V 22 V 23 that have T in the simuation additionay have ˆk d (ˆk d ) φ 2(ˆk d ) M +B (ˆk d ) φ 2(M +B) respectivey. If we impicity set s c = dz c = M + B then the verification components of the forged signature are semi-functiona since and B are information-theoreticay hidden to the adversary. We obtain Pr[B 1 (DT 0 ) = 0] = dv G 0 and Pr[B 1 (DT 1 ) = 0] = dv G 1 from the above anaysis. Thus we can easiy derive the advantage of B 1 as dv 1 B 1 (λ) = Pr[B 1 (DT 0 ) = 0] Pr[B 1 (DT 1 ) = 0] = dv G 0 dvg 1. Note that if forge a semi-functiona signature then B 1 can distinguish T by using the forged semifunctiona signature. However if forge a norma signature then B 1 cannot distinguish T since a norma signature is aways verified in the norma or semi-functiona verification agorithms. This competes our proof. Lemma 3.5. If ssumption 2 hods then no poynomia-time adversary can distinguish between G 1 and G 2 with non-negigibe advantage. That is for any adversary there exists a PPT agorithm B 2 such that dv G 1k 1 dv G 1k = dv 2 B 2 (λ). Proof. The proof of this emma is amost same as the proof of Lemma 2 in [17] except that the proof is empoyed in the PKS setting. Suppose there exists an adversary that distinguishes between G 1k 1 and G 1k with non-negigibe advantage. simuator B 2 that soves ssumption 2 using is given: a chaenge tupe D = ((pgĝg T e)kk a k b k c ˆk a ˆk a2 ˆk bx ˆk abx ˆk a2x ) and T where T = T 0 = k bc or T = T 1 = k bc+d. Then B 2 that interacts with is described as foows: B 2 first seects random exponents νy τ Bαy u y h y w Z p. It computes w 1 = w φ 1 = ((k b ) ν k a k y τ ) y w w 2 = w φ 2 = (k b ) y w w = k y w by impicity setting φ 1 = νb + (a + y τ )φ 2 = b. It impicity sets τ = a + y τ and pubishes a pubic key by seecting 10

11 random vaues c g c u c h Z p as gw c g 1 = ka w c g 1 wc g 2 wc g uw c u 1 = (ka ) k y u w c u 1 wc u 2 wc u hw c h 1 = (ka ) B k y h w c h 1 wc h 2 wc h w 1 w 2 w ĝ = ˆk a ĝ ν ĝ τ = (ˆk a2 (ˆk a ) y τ ) 1 ) û = (ˆk a ) ˆk y u û ν û τ = ((ˆk a2 ) (ˆk a ) y u+y τ ˆk y uy τ ) 1 ĥ = (ˆk a ) Bˆk y h ĥ ν ĥ τ = ((ˆk a2 ) B (ˆk a ) y h+by τ ˆk y hy τ ) 1 Ω = e(k a ˆk a ) α. dditionay it sets f = k ˆf = ˆk for the semi-functiona signature and verification. adaptivey requests a signature for a message M. If this is a j-th signature query then B 2 handes this query as foows: Case j < k : It creates a semi-functiona signature by caing PKS.SignSF since it knows the tupe ( f ν f 1) for the semi-functiona signature. Case j = k : It seects random exponents r c 1 c 2 Z p and creates a signature by impicity setting r = c + r c 1 = c(m + B)/y w + c 1 c 2 = c/y w + c 2 as W 11 = g α (k c ) (y um+y h ) (u M h) r (T ) ν(m+b) (k c ) y τ(m+b) w c 1 1 W 12 = (T ) (M+B) w c 1 2 W 13 = (k c ) (M+B) w c 1 W 21 = g r (T ) ν (k c ) y τ w c 2 1 W 22 = Tw c 2 2 W 23 = k c w c 2. Case j > k : It creates a norma signature by caing PKS.Sign since it knows the private key. Finay outputs a forged signature σ = (W 11...W 23 ) on a message M. To verify the forged signature B 2 first chooses a random exponent t Z p and computes semi-functiona verification components by impicity setting t = bx +t s c = a 2 x z c = M + B as V 11 = ˆk abx (ˆk a ) t V 12 = (ˆk abx ) ν (ˆk a ) νt (ˆk a2x ) 1 V 13 = (ˆk abx ) y τ (ĝ y τ ) t V 21 = (ˆk abx ) M +B (ˆk bx ) y um +y h (û M ĥ) t V 22 = (ˆk abx ) (M +B)ν (ˆk bx ) (y um +y h )ν (û M ĥ) νt V 23 = (ˆk abx ) (M +B)y τ (ˆk abx ) (y um +y h ) (ˆk bx ) (y um +y h )y τ ((û τ ) M ĥ τ ) t. Next it verifies that 3 e(w 1i V 1i) 3 e(w 2i V 2i) 1? = e(k a ˆk abx ) α e(k a ˆk a ) αt. If this equation hods then it outputs 0. Otherwise it outputs 1. To finish the proof we shoud show that the distribution of the simuation is correct. We first show that the distribution of the simuation using DT 0 = k bc is the same as G 1k 1. The pubic key is correcty distributed since the random binding vaues y u y h y w y v are used. The k-th signature is correcty distributed as W 11 = g α (u M h) r w c 1 1 = gα (k (a+y u)m k ab+y h ) c+r (k y w( νb+a+y τ ) ) c(m+b)/y w+c 1 = g α (k c ) (y um+y h ) (u M h) r (T ) nu(m+b) (k c ) y τ(m+b) w c 1 1 W 12 = w c 1 2 = (ky wb ) c(m+b)/y w+c 1 = (T ) (M+B) w c 1 2 W 13 = w c 1 = (k y w ) c(m+b)/y w+c 1 = (k c ) (M+B) w c 1. 11

12 The semi-functiona verification components are correcty distributed as V 21 = (û M ĥ) t = (ˆk (a+y u)m ˆk ab+y h ) bx+t = (ˆk abx ) M +B (ˆk bx ) y um +y h (û M ĥ) t V 22 = ((û ν ) M ĥ ν ) t ˆf s cz c = (ˆk (a+y u)νm ˆk (ab+y h)ν ) bx+t ˆk a2 x(m +B) = (ˆk abx ) (M +B)ν (ˆk bx ) (y um +y h )ν ((û ν ) M ĥ ν ) t (ˆk a2x ) (M +B) V 23 = ((û τ ) M ĥ τ ) t ( ˆf φ 2 ) s cz c = (ˆk (a+y u)(a+y τ )M ˆk (ab+y h)(a+y τ ) ) bx+t ˆk b( a2 x)(m +B) = (ˆk abx ) (M +B)y τ (y u M +y h ) (ˆk bx ) (y um +y h )y τ ((û τ ) M ĥ τ ) t. The simuator can create the semi-functiona verification components with ony fixed z c = M + B since s c s c enabe the canceation of ˆk a2bx. Even though it uses the fixed z c the distribution of z c is correct since B are information theoreticay hidden to. We next show that the distribution of the simuation using DT 1 = k bc+d is the same as G 1k. We ony consider the distribution of the k-th signature since T is ony used in the k-th signature. The ony difference between T 0 and T 1 is that T 1 additionay has k d. The signature components W 11 W 12 W 21 W 22 that have T in the simuation additionay have (k d ) ν(m+b) (k d ) (M+B) (k d ) ν k d respectivey. If we impicity set s k = dz k = M + B then the distribution of the k-th signature is the same as G 1k except that the k-th signature is nominay semi-functiona. Finay we show that cannot distinguish the nominay semi-functiona signature from the semifunctiona signature. The main idea of this is that cannot request a signature for the forgery message M in the security mode. Suppose there exists an unbounded adversary then he can gather the vaues z k = M + B from the k-th signature and z c = M + B from the forged signature. It is easy to show that z k z c ook random to the unbounded adversary since f (M) = M + B is pair-wise independent function and B are information theoreticay hidden to the adversary. We obtain Pr[B 2 (DT 0 ) = 0] = dv G 1k 1 and Pr[B 2 (DT 1 ) = 0] = dv G 1k from the above anaysis. Thus we can easiy derive the advantage of B 2 as dv 2 B 2 (λ) = Pr[B 2 (DT 0 ) = 0] Pr[B 2 (DT 1 ) = 0] = dv G 1k 1 dv G 1k. This competes our proof. Lemma 3.6. If ssumption 3 hods then no poynomia-time adversary can distinguish between G 2 and G 3 with non-negigibe advantage. That is for any adversary there exists a PPT agorithm B 3 such that dv G 2 dvg 3 = dv 3 B 3 (λ). Proof. The proof of this emma is amost same as the proof of Lemma 3 in [17] except that the proof is empoyed in the PKS setting. Suppose there exists an adversary that distinguish G 2 from G 3 with non-negigibe advantage. simuator B 3 that soves ssumption 3 using is given: a chaenge tupe D = ((pgĝg T e)kk a k b k c ˆk ˆk a ˆk b ˆk c ) and T where T = T 0 = e(k ˆk) abc or T = T 1 = e(k ˆk) d. Then B 3 that interacts with is described as foows: B 3 first chooses random exponents φ 1 φ 2 y g xy Z p and random eements w G. It computes g = k y g u = g x h = g y ĝ = ˆk y g û = ĝ x ĥ = ĝ y w 1 = w φ 1w 2 = w φ 2. It impicity sets ν = aτ = φ 1 + aφ 2 α = ab and pubishes a pubic key by seecting random vaues c g c u c h Z p as gw c g 1 wc g 2 wc g uw c u 1 wc u 2 wc u hw c h 1 wc h 2 wc h w 1 w 2 w ĝĝ ν = (ˆk a ) y g ĝ τ = ˆk y gφ 1 (ˆk a ) y gφ 2 ûû ν = (ĝ ν ) x û τ = (ĝ τ ) x ĥĥ ν = (ĝ ν ) y ĥ τ = (ĝ τ ) y Ω = e(k a ˆk b ) y2 g. 12

13 dditionay it sets f = k ˆf = ˆk for the semi-functiona signature and semi-functiona verification. adaptivey requests a signature for a message M. To respond to this query B 3 seects random exponents rc 1 c 2 s k z k Z p and creates a semi-functiona signature by impicity setting z k = by g /s k + z k as W 11 = (u M h) r w c 1 1 (ka ) s kz k W12 = w c 1 2 (kb ) y g k s kz k W13 = w c 1 W 21 = g r w c 2 1 (ka ) s k W 22 = w c 2 2 ks k W 23 = w c 2. It can ony create a semi-functiona signature since s k z k enabes the canceation of k ab. Finay outputs a forged signature σ = (W 11...W 23 ) on a message M. To verify the forged signature B 3 first chooses random exponents s 1 s 2 s cz c Z p and computes semi-functiona verification components by impicity setting t = c s c = acy g + s c z c = acy g (xm + y)/s c + z c/s c as V 11 = (ˆk c ) y g V 12 = ˆk s c V 13 = (ˆk c ) y gφ 1 ˆk φ 2s c V 21 = (ˆk c ) y g(xm +y) V 22 = ˆk z c V 23 = (ˆk c ) y gφ 1 (xm +y)ˆk φ 2z c. Next it verifies that 3 e(w 1i V 1i) 3 e(w 2i V 2i) 1? = (T ) y2 g. If this equation hods then it outputs 0. Otherwise it outputs 1. To finish the proof we first show that the distribution of the simuation using DT = e(k ˆk) abc is the same as G 2. The pubic key is correcty distributed since the random vaues y g xyc g c u c h are used. The semi-functiona signature is correcty distributed as W 11 = g α (u M h) r w c 1 1 ( f ν ) s kz k = k y gab (u M h) r w c 1 1 (k a ) s k(by g /s k +z k ) = (u M h) r w c 1 1 (ka ) s kz k. The simuator can ony create a semi-functiona signature since z k = by g /s k + z k enabes the canceation of k ab. The semi-functiona verification components are correcty distributed as V 11 = ĝ t = (ˆk y g ) c = (ˆk c ) y g V 12 = (ĝ ν ) t ˆf s c = (ˆk y ga ) cˆk acy g+s c = ˆk s c V 14 = (ĝ τ ) t ( ˆf φ 2 ) s c = (ˆk y g(φ 1 +aφ 2 ) ) cˆk φ 2( acy g +s c) = (ˆk c ) y gφ 1 ˆk φ 2s c V 21 = (û M ĥ) t = (ˆk y g(xm +y) ) c = (ˆk c ) y g(xm +y) V 22 = (û νm ĥ ν ) t ˆf s cz c = (ˆk y ga(xm +y) ) cˆk acy g(xm +y)+z c = ˆk z c V 23 = (û τm ĥ τ ) t ( ˆf φ 2 ) s cz c = (ˆk y g(φ 1 +aφ 2 )(xm +y) ) c (ˆk φ 2 ) acy g(xm +y)+z c = (ˆk c ) y gφ 1 (xm +y)ˆk φ 2z c Ω t = e(gĝ) αt = e(k ˆk) y2 gabc = (T 0 ) y2 g. We next show that the distribution of the simuation using DT 1 = e(k ˆk) d is amost the same as G 3. It is obvious that the signature verification for the forged signature aways fais if T 1 = e(k ˆk) d is used except with 1/p probabiity since d is a random vaue in Z p. We obtain Pr[B 3 (DT 0 ) = 0] = dv G 2 and Pr[B 3(DT 1 ) = 0] = dv G 3 from the above anaysis. Thus we can easiy derive the advantage of B 3 as dv 3 B 3 (λ) = Pr[B 3 (DT 0 ) = 0] Pr[B 3 (DT 1 ) = 0] = dv G 2 dvg 3 Note that if forge a norma signature then B 3 can distinguish T by using the forged norma signature. However if forge a semi-functiona signature then B 3 cannot distinguish T since the verification of B 3 by using the semi-functiona verification components aways fais except negigibe probabiity. This competes our proof.. 13

14 4 Sequentia ggregate Signature In this section we propose an efficient sequentia aggregate signature (SS) scheme with short pubic keys and prove its security without random oraces. 4.1 Definitions The concept of SS was introduced by Lysyanskaya et a. [19]. In SS a signers first generate pubic keys and private keys and then pubishes their pubic keys. To generate a sequentia aggregate signature a signer may receive an aggregate-so-far from a previous signer and creates a new aggregate signature by adding his signature to the aggregate-so-far in sequentia order. fter that the signer may send the aggregate signature to a next signer. verifier can check the vaidity of the aggregate signature by using the pubic keys of a signers in the aggregate signature. SS scheme is formay defined as foows: Definition 4.1 (Sequentia ggregate Signature). sequentia aggregate signature (SS) scheme consists of four PPT agorithms Setup KeyGen ggsign and ggverify which are defined as foows: Setup(1 λ ). The setup agorithm takes as input a security parameter 1 λ and outputs pubic parameters PP. KeyGen(PP). The key generation agorithm takes as input the pubic parameters PP and outputs a pubic key PK and a private key SK. ggsign(s MPKMSK). The aggregate signing agorithm takes as input an aggregate-so-far S on messages M = (M 1...M ) under pubic keys PK = (PK 1...PK ) a message M and a private key SK and outputs a new aggregate signature S. ggverify(s M PK). The aggregate verification agorithm takes as input an aggregate signature S on messages M = (M 1...M ) under pubic keys PK = (PK 1...PK ) and outputs either 1 or 0 depending on the vaidity of the sequentia aggregate signature. The correctness requirement is that for each PP output by Setup for a (PKSK) output by KeyGen any M we have that ggverify(ggsign(s M PK MSK)M MPK PK) = 1 where S is a vaid aggregate-so-far signature on messages M under pubic keys PK. trivia SS scheme can be constructed from a PKS scheme by concatenating each signer s signature in sequentia order but the size of aggregate signature is proportiona to the size of signers. Therefore a non-trivia SS scheme shoud satisfy the signature compactness property that requires the size of aggregate signature to be independent of the size of signers. The security mode of SS was defined by Lysyanskaya et a. [19] but we use the security mode of Lu et a. [18] that requires for an adversary to register the key-pairs of other signers except the target signer namey the knowedge of secret key (KOSK) setting or the proof of knowedge (POK) setting. In this security mode an adversary first given the pubic key of a target signer. fter that the adversary adaptivey requests a certification for a pubic key by registering the key-pair of other signer and he adaptivey requests a sequentia aggregate signature by providing a previous aggregate signature to the signing orace. Finay the adversary outputs a forged sequentia aggregate signature on messages under pubic keys. If the forged sequentia signature satisfies the conditions of the security mode then the adversary wins the security game. The security mode of SS is formay defined as foows: Definition 4.2 (Security). The security notion of existentia unforgeabiity under a chosen message attack is defined in terms of the foowing experiment between a chaenger C and a PPT adversary : 14

15 1. Setup: C first initiaizes a certification ist CL as empty. Next it runs Setup to obtain pubic parameters PP and KeyGen to obtain a key pair (PKSK) and gives PK to. 2. Certification Query: adaptivey requests the certification of a pubic key by providing a key pair (PKSK). Then C adds the key pair (PKSK) to CL if the key pair is a vaid one. 3. Signature Query: adaptivey requests a sequentia aggregate signature (by providing an aggregateso-far S on messages M under pubic keys PK ) on a message M to sign under the chaenge pubic key PK and receives a sequentia aggregate signature S. 4. Output: Finay (after a sequence of the above queries) outputs a forged sequentia aggregate signature S on messages M under pubic keys PK. C outputs 1 if the forged signature satisfies the foowing three conditions or outputs 0 otherwise: 1) ggverify(s M PK ) = 1 2) The chaenge pubic key PK must exists in PK and each pubic key in PK except the chaenge pubic key must be in CL and 3) The corresponding message M in M of the chaenge pubic key PK must not have been queried by to the sequentia aggregate signing orace. The advantage of is defined as dv SS = Pr[C = 1] where the probabiity is taken over a the randomness of the experiment. SS scheme is existentiay unforgeabe under a chosen message attack if a PPT adversaries have at most a negigibe advantage in the above experiment. 4.2 Construction To construct a SS scheme from a PKS scheme the PKS scheme shoud support muti-users by sharing some eements among a signers and the randomness of signatures shoud be sequentiay aggregated to a singe vaue. We can empoy the randomness reuse method of Lu et a. [18] to aggregate the randomness of signatures. To appy the randomness reuse method we shoud re-randomize the aggregate signature to prevent a forgery attack. Thus we buid on the PKS scheme of the previous section that supports muti-users and pubic re-randomization to construct a SS scheme. The SS scheme in prime order biinear groups is described as foows: SS.Setup(1 λ ): This agorithm first generates the asymmetric biinear groups GĜ of prime order p of bit size Θ(λ). It chooses random eements g w G and ĝ Ĝ. Next it seects random exponents νφ 1 φ 2 Z p and sets τ = φ 1 + νφ 2 w 1 = w φ 1w 2 = w φ 2. It pubishes pubic parameters by seecting a random vaue c g Z p as PP = ( gw c g 1 wc g 2 wc g w 1 w 2 w ĝĝ ν ĝ τ Λ = e(gĝ) ). SS.KeyGen(PP): This agorithm takes as input the pubic parameters PP. It seects random exponents αxy Z p and sets û = ĝ x ĥ = ĝ y. It outputs a private key SK = (αxy) and a pubic key by seecting random vaues c uc h Z p as PK = ( uw c u 1 = (gwc g 1 )x w c u 1 wc u 2 = (wc g 2 )x w c u 2 wc u = (w c g ) x w c u 2 hw c h 1 = (gwc g 1 )y w c u 1 wc h 2 = (wc g 2 )y w c u 2 wc h = (w c g ) y w c u 2 ûû ν = (ĝ ν ) x û τ = (ĝ τ ) x ĥĥ ν = (ĝ ν ) y ĥ τ = (ĝ τ ) y Ω = Λ α ). 15

16 SS.ggSign(S M PK MSK): This agorithm takes as input an aggregate-so-far S = (S 11...S 23 ) on messages M = (M 1...M 1 ) under pubic keys PK = (PK 1...PK 1 ) where PK i = (u i w c ui 1...Ω i) a message M Z p a private key SK = (αxy) with PK = (uw c u 1...Ω) and PP. It first checks the vaidity of S by caing SS.ggVerify(S M PK ). If S is not vaid then it hats. If the pubic key PK of SK does aready exist in PK then it hats. Next it computes a tempora aggregate signature as T S = ( S 11 = S 11(gw c g 1 )α (S 21) xm+y S 12 = S 12(w c g 2 )α (S 22) xm+y S 13 = S 13(w c g ) α (S 23) xm+y S 21 = S 21 S 22 = S 22 S 23 = S 23 ). Finay it output a re-randomized aggregate signature S by running SS.ggRand(T SMPKPP) where M = M M and PK = PK PK. SS.ggRand(S M PK PP): This agorithm takes as input an aggregate signature S = (S 11...S 23 ) on messages M = (M 1...M ) under pubic keys PK = (PK 1...PK ) where PK i = (u i w c ui 1...Ω i) and PP. Next it seects random exponents rc 1 c 2 Z p and outputs a randomized aggregate signature as S = ( S 11 = S 11 S 13 = S 13 ((u i w c ui 1 )M i (h i w c hi 1 ))r w c 1 1 S 12 = S 12 ((w c ui ) M i (w c hi )) r w c 1 ((w c ui 2 )M i (w c hi 2 ))r w c 1 S 21 = S 21 (gw c g 1 )r w c 2 1 S 22 = S 22 (w c g 2 )r w c 2 2 S 23 = S 23 (w c g ) r w c 2 ). SS.ggVerify(S M PK): This agorithm takes as input a sequentia aggregate signature S on messages M = (M 1...M ) under pubic keys PK = (PK 1...PK ) where PK i = (u i w c ui 1...Ω i). It first checks that any pubic key does not appear twice in PK and that any pubic key in PK has been certified. If these checks fai then it outputs 0. If = 0 then it outputs 1 if S 11 = = S 23 = 1 0 otherwise. It chooses a random exponent t Z p and computes verification components as C 11 = ĝ t C 12 = (ĝ ν ) t C 13 = (ĝ τ ) t C 21 = (û M iĥ i ) t C 22 = i ((û ν i ) M i ĥ ν i ) t C 23 = ((û τ i ) M i ĥ τ i ) t. Next it verifies that 3 e(s 1iC 1i ) 3 e(s 2iC 2i ) 1 =? Ωt i. If this equation hods then it outputs 1. Otherwise it outputs 0. Let r c 1 c 2 be the randomness of an aggregate-so-far. If we impicity sets r = r + r c 1 = c 1 + c gα + (c uim i + c hi )r + c 1 c 2 = c 2 + c gr + c 2 then the aggregate signature is correcty distributed as S 11 = g α i (u M i i h ) r i w c 1 1 S 12 = w c 1 2 S 13 = w c 1 S 21 = g r w c 2 1 S 22 = w c 2 2 S 23 = w c

17 4.3 Security naysis Theorem 4.3. The above SS scheme is existentiay unforgeabe under a chosen message attack if the PKS scheme is existentiay unforgeabe under a chosen message attack. That is for any PPT adversary for the above SS scheme there exists a PPT agorithm B for the PKS scheme such that dv SS (λ) dvpks B (λ). Proof. The security proof of this theorem is simiar to that of Lu et a. [18]. That is a simuator can simuate the generation of aggregate signatures since the verification agorithm of aggregate signatures does not check the order of aggregation and the simuator knows the private keys of other signers except the target signer. To extract a forged PKS signature from the forged aggregate signature the simuator uses the knowedge of private keys of other signers. Suppose there exists an adversary that forges the above SS scheme with non-negigibe advantage ε. simuator B that forges the PKS scheme is first given: a chaenge pubic key PK PKS = (gw c g 1 wc g 2 wc g uw c u 1...w c hw 1 w 2 wĝĝ ν ĝ τ û...ĥ τ Ω). Then B that interacts with is described as foows: B first constructs PP = (gw c g 1 wc g 2 wc g w 1 w 2 wĝĝ ν ĝ τ Λ) by computing Λ = e(gw c g 1 ĝ) e(wc g 2 ĝν ) e(w c g ĝ τ ) = e(gĝ) and PK = (uw c u 1...wc hû...ĥ τ Ω) from PK PKS. Next it initiaizes a certification ist CL as an empty one and gives PP and PK to. may adaptivey requests certification queries or sequentia aggregate signature queries. If requests the certification of a pubic key by providing a pubic key PK i = (u i w c ui 1...Ω i) and its private key SK i = (α i x i y i ) then B checks the private key and adds the key pair (PK i SK i ) to CL. If requests a sequentia aggregate signature by providing an aggregate-so-far S on messages M = (M 1...M 1 ) under pubic keys PK = (PK 1...PK 1 ) and a message M to sign under the chaenge private key of PK then B proceeds the aggregate signature query as foows: 1. It first checks that the signature S is vaid and that each pubic key in PK exits in CL. 2. It queries its signing orace that simuates PKS.Sign on the message M for the chaenge pubic key PK and obtains a signature σ. 3. For each 1 i 1 it constructs an aggregate signature on message M i using SS.ggSign since it knows the private key that corresponds to PK i. The resut signature is an aggregate signature for messages M M under pubic keys PK PK since this scheme does not check the order of aggregation. It gives the resut signature S to. Finay outputs a forged aggregate signature S = (S 11...S 23 ) on messages M = (M 1...M ) under pubic keys PK = (PK 1...PK ) for some. Without oss of generaity we assume that PK 1 = PK. B proceeds as foows: 1. B first checks the vaidity of S by using SS.ggVerify. dditionay the forged signature shoud not be trivia: the chaenge pubic key PK must be in PK and the message M 1 must not be queried by to the signature query orace. 2. For each 2 i it parses PK i = (u i w c ui 1...Ω i) from PK and it retrieves the private key SK i = (α i x i y i ) of PK i from CL. It then computes W 11 = S 11 ( g α j (S 21) x im i +y i ) 1 W12 = S 12 W 21 = S 21 W 22 = S 22 W 23 = S 23. ( (S 22 ) x im i +y i ) 1 W13 = S 13 ( (S 23 ) x im i +y i ) 1 17