1

Sequential Aggregate Signatures

and MultisignaturesWithout Random Oracles

Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters

2

Secure BGP

BGP “Speakers” send path updates messages

S-BGP sequence of messages + sigs.

4096 byte size limit

(M1,1)

(M1,1), (M2,2)

(M1,1), (M2,2), (M3,3)

3

Aggregate Sigs [BGLS03]

Sign Aggregate

4

Aggregate Signatures [BGLS03]

A single short aggregate provides nonrepudiation for many different messages under many different keys

More general than multisignatures

Applications:

X.509 certificate chains

Secure BGP route attestations

PGP web of trust

Verisign

Versign Europe

NatWest

NatWest WWW

5

BGLS Aggregate Sigs

BLS Sigs:

PK = ga SK=a

Sign(SK,M): =H(M)a

Verify(PK,M,): e(,g)=e( H(M), PK)

Secure in R.O. Model --- Deterministic Signatures

6

BGLS Aggregate Sigs

PKi = gai SKi=ai

Sign(SKi,Mi): i=H(M)i

Aggregate(1,…n): *=i=1… i

Verify(PKi,M1,…,Mn ,*): e(*,g)= i=1,…n e( H(Mi), PKi)

Verification requires n pairings

7

Difficulty w/o Random Oracles

Known efficient signatures have a random component•Strong RSA sigs[GHR’ 99, CS’99]•B-Map [BB’04,CL’04.W’05]•Tree- sigs

Difficult to aggregate • Independent signatures => Independent

randomness

8

Sequential Aggregates [LMRS’04]

Signing and Aggregation are a single operation

Inherently sequenced; not appropriate for PGP

Sign and Aggregate

9

Our Approach

Build from W’05 signatures

Signer uses same randomess from previous sig

Then re-randomizes

10

Our Aggregate Sigs

W’05 Sigs:

PK = e(g,g)a ,h, u1,…,um SK=a

Sign(SK,M): =(’,’’)=ga (h i=1,…m uMi)r , g-r

Verify(PK,M,): e(’,g) e( ’’, h i=1,…m uMi)=e(g,g)a

Secure w/o R.O.s

11

Our Aggregate Sigs

PKi = e(g,g)ai ,hi=gyi’, ui,1=gyi,1…,um, =gyi,m

SK =ai ,yi’, yi,1,…,yi,m

Agg(SKi,Mi,*=1,2):

x=DL(h j=1,…m uMi,j )

=(’,’’)=ga 2

x 1, 2

Verify(PK,M1,…Mn,*=(’,’’)):

e(’,g) e( ’’, i1…n hj j=1,…m uMi,j)=i=1…n e(g,g)ai

Know DL PK

12

Comparisons

Scheme R.O. Sequential

Size Ver. Sign

BGLS YES NO 160 bits

n+1 parings

1 exp.

LMRS-2 YES YES 1024 bits

4 mult. Ver. +1 exp.

Ours NO YES 320 bits

2 pairings

Ver. +1 exp.

Shorter than LMRS Faster Ver. than BGLS

13

Summary and Open Problems

Sequential Aggregate Signatures w/o R.O.•Use same randomness sequentially•Arguably better Performance than R.O.

schemes

Multi-Sigs and Verifiable Enc. Sigs

Shorter Public Parameters•Certificate Chains

Full Aggregate Signatures

14

THE END

15

Sequential Aggregate Chosen-Key Model

Nontriviality:

σ* is a valid sequential aggregate

challenge key pk = pkj* for some j;

No oracle query at pk1*,…,pk

j*;M

1*,…,M

j*.

AdversaryAggSign() oracle