## Aggregate and Verifiably Encrypted Signatures from Bilinear Maps (2002)

Citations: 251 (14 self)

### BibTeX

@MISC{Boneh02aggregateand,
    author = {Dan Boneh and Craig Gentry and Ben Lynn and Hovav Shacham},
    title = {Aggregate and Verifiably Encrypted Signatures from Bilinear Maps},
    year = {2002}
}

### Abstract

An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user $i$ signed message $M_i$ for $i = 1, \ldots, n$). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.

### Citations

2746 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996 |

1959 | How to Share a Secret - Shamir - 1979 |
Citation context: ...alidated efficiently. We note that the resulting contract signing protocol is not abuse-free in the sense of [9]. As a third application of these ideas we construct in Sect. 5 a simple ring signature [27] using bilinear maps. As above, the construction using a bilinear map is simpler and more efficient than constructions that only make use of gap groups. 2 Signature Schemes Based on Co-Gap Diffie-Hell...

1266 | Identity-based encryption from the Weil pairing - Boneh, Franklin |
Citation context: ...a verifiably encrypted signature. – A message-signature pair in the co-GDH signature scheme is of the same form as an identity–private-key pair in the Boneh-Franklin Identity-Based Encryption Scheme [5]. Thus the verifiably encrypted signature scheme can potentially be modified to yield a verifiably encrypted encryption scheme for IBE private keys. Verifiably encrypted private keys have many applica...

876 | A digital signature scheme secure against adaptive chosen-message attacks - Goldwasser, Micali, et al. - 1988 |
Citation context: ...ves these signatures are very short: they are half the size of DSA signatures with similar security. Theorem 1 of [6] proves the existential unforgeability of the scheme under a chosen message attack [13] in the random oracle model assuming $(G_1, G_2)$ is a co-gap group pair for Diffie-Hellman. 3 Aggregate Signatures We define aggregate signatures and describe an aggregate signature scheme based on co-GD...

604 | Short signatures from the Weil pairing - Boneh, Lynn, et al. - 2001 |
Citation context: ...signature provides non-repudiation at once on many different messages by many users. We construct an aggregate signature scheme based on a recent short signature due to Boneh, Lynn, and Shacham (BLS) [6]. This signature scheme works in any group where the Decision Diffie-Hellman problem (DDH) is easy, but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6,...

357 | The exact security of digital signature – how to sign with RSA - Bellare, Rogaway - 1996 |
Citation context: ...ure scheme of [6], which can be based on any gap group. It comprises three algorithms, KeyGen, Sign, and Verify, and uses a full-domain hash function $H : \{0,1\}^* \to G_1$, viewed as a random oracle [3]. Key Generation. Pick random $x \xleftarrow{R} \mathbb{Z}_p$, and compute $v \leftarrow g_2^x$. The public key is $v \in G_2$. The secret key is $x \in \mathbb{Z}_p$. Signing. Given a secret key $x$ and a message $M \in \{0,1\}^*$, compute $h \leftarrow H(M)$, where $h \in$...

286 | A one round protocol for tripartite Diffie-Hellman. In: Algorithmic number theory symposium - Joux - 2000 |
Citation context: ...ps. Thus, our construction is an example where the bilinear map provides extra functionality beyond a simple algorithm for solving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message ...

252 | Optimistic fair exchange of digital signatures - Asokan, Shoup, et al. |
Citation context: ...re on a message M encrypted using a third party's public key and Bob to verify that the encrypted signature is valid. Verifiably encrypted signatures are used in optimistic contract signing protocols [1, 2] to enable fair exchange. Previous constructions [1, 26] require zero knowledge proofs to verify an encrypted signature. The verifiably encrypted signatures in Section 4 are short and can be validated...

203 | Hierarchical id-based cryptography - Gentry, Silverberg - 2002 |
Citation context: ...provides extra functionality beyond a simple algorithm for solving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [19] d...

171 | Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme, Public Key Cryptography 2003 - Boldyreva - 2003 |
Citation context: ...blem (DDH) is easy, but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6, 25]. Recently there have been a number of constructions using such gap groups [6, 18, 7, 4]. Surprisingly, general gap groups are insufficient for constructing efficient aggregate signatures. Instead, our construction uses a pair of groups $G_1, G_T$ and a bilinear map $e : G_1 \times G_1 \to G_T$ whe...

131 | The Gap-Problems: A new class of problems for the security of cryptographic schemes - Okamoto, Pointcheval - 1992 |
Citation context: ...[6]. This signature scheme works in any group where the Decision Diffie-Hellman problem (DDH) is easy, but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6, 25]. Recently there have been a number of constructions using such gap groups [6, 18, 7, 4]. Surprisingly, general gap groups are insufficient for constructing efficient aggregate signatures. Instead, ou...

118 | Toward hierarchical identity-based encryption - Horwitz, Lynn - 2002 |
Citation context: ...provides extra functionality beyond a simple algorithm for solving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [19] d...

105 | Efficient and practical fair exchange protocols with off-line TTP - Bao, Deng, et al. - 1998 |
Citation context: ...re on a message M encrypted using a third party's public key and Bob to verify that the encrypted signature is valid. Verifiably encrypted signatures are used in optimistic contract signing protocols [1, 2] to enable fair exchange. Previous constructions [1, 26] require zero knowledge proofs to verify an encrypted signature. The verifiably encrypted signatures in Section 4 are short and can be validated...

105 | New explicit conditions of elliptic curve traces for FR-reduction - Miyaji, Nakabayashi, et al. - 2001 |
Citation context: ...e could set $G_1 = G_2$. However, we allow for the more general case where $G_1 \neq G_2$ so that our constructions can make use of certain families of nonsupersingular elliptic curves defined by Miyaji et al. [21]. These curves give rise to very short signatures [6]. This will lead in turn to short aggregate signatures, ring signatures, etc. To handle the case $G_1 \neq G_2$ we define the co-CDH and co-DDH problems ...

104 | Secure Border Gateway Protocol (Secure-BGP) - Kent, Lynn, et al. - 2000 |
Citation context: ...) of depth n, each user is given a chain of n certificates. The chain contains n signatures by n Certificate Authorities (CAs) on n distinct certificates. Similarly, in the Secure BGP protocol (SBGP) [17] each router receives a list of n signatures attesting to a certain path of length n in the network. A router signs its own segment in the path and forwards the resulting list of n + 1 signatures to t...

84 | Robust and efficient sharing of RSA functions - Gennaro, Jarecki, et al. |
Citation context: ...signature to a verifiably encrypted signature. The same applies to unencrypted aggregate signatures. – An adjudicator’s private key can be shared amongst n parties using k-of-n threshold cryptography [12, 11], so that k parties are needed to adjudicate a verifiably encrypted signature. – A message-signature pair in the co-GDH signature scheme is of the same form as an identity–private-key pair in the Bone...

79 | ID-based blind signature and ring signature from pairings[A]. Proc ASIACRYPT’02[C - ZHANG, KIM |
Citation context: ...le to determine which one. This property is called signer-ambiguity [27]. Applications for ring signatures include authenticated (yet repudiable) communication and leaking secrets [27]. Zhang and Kim [28] devised a bilinear ring signature in an identity-based setting. Our scheme differs from theirs, as our goal is to extend co-GDH signatures to obtain efficient ring signatures; the system parameters a...

70 | Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups, Cryptology ePrint Archive, Report 2001/03, available at http://eprint.iacr.org/2001/03 - Joux, Nguyen |
Citation context: ... insufficient for constructing efficient aggregate signatures. Instead, our construction uses a pair of groups $G_1, G_T$ and a bilinear map $e : G_1 \times G_1 \to G_T$ where CDH is hard in $G_1$. Joux and Nguyen [16] showed that the map $e$ can be used to solve DDH in $G_1$, and so $G_1$ is a gap group. It is the extra structure provided by the bilinear map that enables us to construct an efficient aggregate signature sc...

64 | Abuse-free optimistic contract signing - Garay, Jakobsson, et al. |
Citation context: ...ncrypted signature. The verifiably encrypted signatures in Section 4 are short and can be validated efficiently. We note that the resulting contract signing protocol is not abuse-free in the sense of [10]. As a third application of these ideas we construct in Sect. 5 a simple ring signature [27] using bilinear maps. As above, the construction using a bilinear map is simpler and more efficient than con...

53 | Unique Signatures and Verifiable Random Functions from the DH-DDH Separation - Lysyanskaya - 2002 |
Citation context: ...blem (DDH) is easy, but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6, 25]. Recently there have been a number of constructions using such gap groups [6, 18, 7, 4]. Surprisingly, general gap groups are insufficient for constructing efficient aggregate signatures. Instead, our construction uses a pair of groups $G_1, G_T$ and a bilinear map $e : G_1 \times G_1 \to G_T$ whe...

53 | Transitive Signature Schemes - Micali, Rivest - 2002 |
Citation context: ...signatures, one needs the extra structure provided by bilinear maps. Our application of aggregate signatures to compressing certificate chains is related to an open problem posed by Micali and Rivest [20]: Given a certificate chain and some special additional signatures, can intermediate links in the chain be cut out? Aggregate signatures allow the compression of certificate chains without any additio...

49 | Accountable-subgroup multisignatures (extended abstract) - Micali, Ohta, et al. - 2001 |
Citation context: ...ving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [19] defined a security model for multisignatures and gave some constructio...

47 | Threshold ring signatures and applications to ad-hoc groups[A]. Proc CRYPTO’02[C - BRESSON, STERN, et al. |

42 | A one round protocol for tripartite Diffie-Hellman - Joux - 2000 |

34 | Batch RSA - Fiat - 1989 |
Citation context: ...te chains without any additional signatures, but a verifier must still be aware of all intermediate links in the chain. We note that batch RSA [9] also provides some signature compression, but only for signatures produced by a single signer. As a further application for aggregate signatures we show in Sect. 4 that certain aggregate signature sc...

32 | A digital multisignature scheme using bijective public-key cryptosystems - Okamoto - 1988 |
Citation context: ...ving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [19] defined a security model for multisignatures and gave some constructio...

31 | Efficient construction of (distributed) verifiable random functions - Dodis - 2003 |
Citation context: ...munication bandwidth in protocols such as SBGP. We also showed that our specific aggregate signature scheme gives verifiably encrypted signatures. Previous signature constructions using bilinear maps [6, 18, 7, 4] only required a gap Diffie-Hellman group (i.e., DDH easy, but CDH hard). The signature constructions in this paper require the extra structure provided by the bilinear map. These constructions are an ...

31 | Deniable ring authentication - Naor - 2002 |
Citation context: ... RSA and Rabin cryptosystems [27]. Naor defines the closely-related notion of deniable ring authentication and proposes such a scheme that relies only on the existence of a strong encryption function [22]. We shall see that co-GDH signatures give rise to natural ring signatures. 5.1 Ring Signatures Consider a set $U$ of users. Each user $u \in U$ has a signing keypair $(PK_u, SK_u)$. A ring signature on $U$ is a ...

23 | Multi-signature schemes secure against active insider attacks - Ohta, Okamoto - 1999 |
Citation context: ...ving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [15], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [14, 12]. Aggregate signatures are related to multisignatures [19, 24, 23, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [19] defined a security model for multisignatures and gave some constructio...

22 | An introduction to threshold cryptography - Gemmel - 1997 |
Citation context: ...gnature to a verifiably encrypted signature. The same applies to unencrypted aggregate signatures. – An adjudicator's private key can be shared amongst n parties using k-of-n threshold cryptography [11, 10], so that k parties are needed to adjudicate a verifiably encrypted signature. – A message-signature pair in the co-GDH signature scheme is of the same form as an identity–private-key pair in the Bon...

22 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups, J. Cryptology Online First, available from http://eprint.iacr.org/2001/003 - Joux, Nguyen |

21 | Fair encryption of RSA keys - Poupard, Stern - 2000 |
Citation context: ...c key and Bob to verify that the encrypted signature is valid. Verifiably encrypted signatures are used in optimistic contract signing protocols [1, 2] to enable fair exchange. Previous constructions [1, 26] require zero knowledge proofs to verify an encrypted signature. The verifiably encrypted signatures in Section 4 are short and can be validated efficiently. We note that the resulting contract signin...

12 | Robust and Efficient Sharing of RSA Functions - Gennaro, Jarecki, et al. |

6 | Unique signatures and verifiable random functions from the DH-DDH separation - Lysyanskaya - 2002 |

3 | Efficient construction of (distributed) verifiable random functions - Dodis - 2003 |

1 | Abuse-free optimistic contract signing - RSA - 1989 |
Citation context: ...? Aggregate signatures allow the compression of certificate chains without any additional signatures, but a verifier must still be aware of all intermediate links in the chain. We note that batch RSA [8] also provides some signature compression, but only for signatures produced by a single signer. As a further application for aggregate signatures we show in Sect. 4 that certain aggregate signature sc...