Efficient and Provably Secure Identity Based Aggregate Signature

Schemes With Partial and Full Aggregation

S. Sharmila Deva Selvi1 , S. Sree Vivek1,⌅⌅ , J.Shriram2 , C. Pandu Rangan1,⌅

1
Department of Computer Science and Engineering,
Indian Institute of Technology Madras.
[email protected],[email protected], [email protected].
2
National Institute of Technology Trichy, India

Abstract. An identity based signature allows users to sign their documents using their private keys
and the signature can be verified by any user by using the identity of the signer and public parameters of
the system. This allows secure communication between the users without any exchange of certificates.
An aggregate signature scheme is a digital signature scheme which allows aggregation of different
signatures by different users on different messages. An aggregate signature on n messages mi by n
users Ui convinces the verifier that each user Ui has signed the corresponding message mi . The primary
objective of the aggregate signature scheme is to achieve both computational and communication
e⇤ciency. Here we discuss two identity based aggregate signature schemes. The first aggregate scheme
IBAS-1 uses a variation of light weight Schnorr based signature. IBAS-1 does not involve any pairing
operations in signature verification. IBAS-1 is computationally e⇤cient since it avoids the costlier
operation in elliptic curve groups(pairings). Also because of the light weight property of IBAS-1, it
is much suitable for practice. The second aggregate signature scheme IBAS-2, which also has Schnorr
type key construct, achieves full aggregation of signatures without agreeing on common randomness
and without having any kind of interaction among all the signers. IBAS-2 achieves communication
e⇤ciency. But the computational complexity of IBAS-2 is higher than the IBAS-1 because it involves
bilinear pairing.

Keywords: Identity Based Signature, Aggregate Signature, Random Oracle Model, Provable Security.

1 Introduction

The idea of identity based cryptography is to derive the public key of the user using the identity, which
uniquely defines the user. This reduces the overhead of storage of certificates that are typical in public key
systems. Identity based cryptography was introduced by Shamir [15]. Since then, several identity based sig-
nature schemes have been proposed [16] [3] [20] [10]. Different variations such as proxy, group, ring signatures
etc. have been proposed in the identity based settings depending on various practical applications.

One such variation of identity-based signature is Aggregate Signature. The major requirements in the
recent scenario of technological development are computation and communication e⌅ciency. In any com-
munication network, the bandwidth is the limiting constraint. One must make sure that during the design
of aggregate signature scheme the communication e⌅ciency is improved by reducing the amount of data
to be communicated. Another limiting constraint is the cost involved in verifying the aggregate signature.
Decreasing either the computation or the communication cost or both makes the aggregate signature scheme
highly e⌅cient.

Using aggregate signature schemes, signatures from different users on different messages can be aggre-
gated into a single compact signature. The desired property of aggregate signature is that an adversary
should not be able to extract a single signature from the aggregated signature. Aggregate signatures are of
two kinds. In the first type the signatures can be aggregated in any order and aggregation can be done by
any user(signer or a third party) in the system. The second type is called sequential aggregation, where each
Work supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for Secure Communication and Com-
putation sponsored by Department of Information Technology, Government of India
user aggregates his signature to the previous aggregated signature. Sequential aggregation is a weaker model
compared to the former model.

Application of aggregate signature include tra⌅c control, military applications, banking transactions and
also for ordinary business use. Certificate chains in hierarchical PKI systems consists of various signatures
at different levels in the hierarchy. By using aggregate signature one can combine all these signatures and
thus reduce the certificate length. Sequential aggregation is used in communication between the routers in
a network where each router receives the data and signature of the previous router. It aggregates its own
signature to the previous aggregate signature and routes it to the next router. This aggregated signature
can be used to find the path travelled by the data from source to destination by using a single aggregate
signature. Aggregate signatures can also be used in wireless network scenarios. Since the major constraint
in wireless networks is communication complexity, the use of e⌅cient aggregate signature helps in reducing
the amount of data to be communicated.

A number of aggregate signature schemes have been proposed in literature. Some of them achieve partial
aggregation and some achieve full aggregation. An aggregate signature scheme is claimed to achieve partial
aggregation if a part of the signature is aggregated, namely the part with the secret key component of
signers is fully aggregated and the randomness part is propagated without aggregation. If both the parts in
the signature are fully aggregated then the scheme is said to achieve full aggregation. We provide a brief
survey about the e⌅ciency and weakness various identity based aggregate signature schemes.
Survey of Existing Schemes : Currently, in literature we have number of identity based aggregate signa-
ture schemes and batch verification schemes. Though batch verification schemes do not exactly morph the
aggregation technique, it has a similar goal of reducing the computational complexity. So we have included
batch verification schemes in our discussion.

Shi et al. proposed an e⌅cient identity based signature scheme [5] with batch verification. Though the
scheme in [5] achieves e⌅ciency in computation with just two pairing operations and linear exponentiation
operations, it is required to pass all the signatures separately and hence increases the communication com-
plexity. Also a universal forgery of the signature of any singer is possible in this scheme as shown in [14].

Wang et al. designed an identity based aggregate signature [16] and it is claimed to be the most e⌅cient
scheme. It uses constant pairing operation for signature verification. But the aggregate signature in this
scheme [16] is not secure since universal forgery of signature of any user is possible in this scheme. Also, the
scheme achieves only partial aggregation. The attack in Wang et al. scheme [16] is shown in [14].

Xiangguo et al. gave a aggregate signature scheme [4] which uses the BLSR scheme [2] as the base sig-
nature scheme. In this scheme all the signers have to broadcast their own random values used for singing
to all the cosigners so that everyone agrees upon a common randomness before the generation of aggregate
signature. This result in quadratic communication complexity which is a big overhead. Mutual interaction
between all the signers is not a desirable step in aggregate signatures.

Hyo et al. gave a number of batch verification techniques [19]. In their paper, the type 3 batch verification
is the scheme whose properties have close resemblance to that of aggregate signatures. Only partial aggrega-
tion is achieved in the scheme [19]. Also, during verification it requires linear number of pairings which also
increases the computation complexity considerably.

Yiling et al. proposed an e⌅cient aggregate signature scheme with full aggregation and constant pairing
operations in [17]. But the scheme in [17] is not secure since universal forgery of the base signature scheme
used in [17] is possible as shown in [14].

Javier Herranz came up with an identity based signature scheme [9] with partial aggregation. But his
scheme produces deterministic signature where the signature component on a message will always be the
same. This is a major draw back in real world scenarios. It also uses linear number of pairing operations
leading to ine⌅ciency in computation.

Xu et al. in [18] proposed an identity based aggregate signature scheme. This scheme uses Sakai et al.’s
signature construct as the base signature scheme. This achieves only partial aggregation and also requires
linear number of pairings during signature verification.

Gentry and Ramzan proposed an e⌅cient identity based aggregate signature scheme [8]. This scheme
achieves both full aggregation and also constant number of pairing operations during signature verification.
But the scheme in [8] has certain weaknesses which makes it unsuitable for real life scenarios. The weaknesses
of the scheme are briefly reported in the appendix.

Boldyreva et al. proposed an identity based sequential signature scheme [1]. Hwang et al. in [11] proposed
an attack on [1] and claimed that the only existing e⌅cient aggregate signature scheme is of Gentry and
Ramzan [8] which involves interaction between all the signers whose signatures are to be aggregated. The
design of an e⌅cient identity based aggregate signature scheme without any interaction between the signers
was left open by Hwang et al. [11]

Our contribution : In this paper, we propose two aggregate signature schemes. Our first scheme addresses
the open problem posed by Hwang et al. [11]. We develop a scheme which does not require any pairing
operation during aggregate signature verification. Also, we eliminate the interaction among the signers before
signature generation which reduces the communication complexity to a large extent. We also achieve e⌅ciency
in computation (i.e we eliminate the costly operation, pairing). However in this scheme we are able to achieve
only partial aggregation and not full aggregation. We use the identity based signature construct of Galindo
et al. [7]. It is a light weight schnorr based signature construct which can be used in practice. We formally
prove the security of our first scheme in the random oracle model. Our second scheme achieves e⌅ciency
in communication. This scheme achieves full aggregation with no interaction among the signers before the
generation of aggregate signature, but the scheme requires linear number of pairing operations for aggregate
signature verification. In the literature, there is no aggregate signature scheme that achieves full aggregation
without any interaction among the users. Thus, this scheme is the first in literature to achieve this property.
We formally prove the security of the scheme in the random oracle model.

2 Preliminary
2.1 Bilinear Pairing
Let G be an additive cyclic group generated by P , with prime order q, and GT be a multiplicative cyclic
group of the same order q. Let ê be a pairing defined as ê : G ⇥ G ⌃ GT . It satisfies the following properties.
For any P, Q, R G and a, b Z⇥q

– Bilinearity : ê(aP, bQ) = ê(P, Q)ab .

– Non Degenerate : ê(P, P ) = 1.
– Easily Computable : ê(P, Q) must be easily and e⌅ciently computable.

2.2 Computational Assumptions

In this section, we review the computational assumptions related to bilinear maps that are relevant to the
protocol we discuss.
Bilinear Diffie-Hellman Problem (BDHP): Given (P, aP, bP, cP ) G4 for unknown a, b, c Z⇥q , the
BDH problem in G is to compute ê(P, P )abc . The advantage of any probabilistic polynomial time algorithm
A in solving the BDH problem in G is defined as
BDH
AdvA = P r[A(P, aP, bP, cP ) = ê(P, P )abc |a, b, c Z⇥q ]
The BDH Assumption is that, for any probabilistic polynomial time algorithm A, the advantage AdvA
BDH

is negligibly small.
 Computation Diffie-Hellman Problem (CDHP): Given (P, aP, bP ) G3 for unknown a, b Z⇥q , the
CDHP problem in G is to compute abP . The advantage of any probabilistic polynomial time algorithm A
in solving the CDH problem in G is defined as
CDH
AdvA = P r[A(P, aP, bP ) = abP |a, b Z⇥q ]
The CDH Assumption is that, for any probabilistic polynomial time algorithm A, the advantage AdvA CDH

is negligibly small.
Discrete Logarithm Problem (DLP): Let (G, ⇤) be a multiplicative group of order p, g ⌥ G be a
generator of G and h = g x ⌥ G, where x ⌥ Zp be unknown. Given g and h, the discrete logarithm problem
is to find x.
An algorithm A has an advantage in solving DLPG1 if

P r[A(g, h) = x] ⇧ .

3 Generic Model
An identity based aggregate signature scheme (IBAS) consists of following six algorithms.
– Setup : The private key generator (PKG) provides the security parameter ⇥ as the input to this al-
gorithm, generates the system parameters params and the master private key M sk. PKG publishes
params and keeps M sk secret.
– KeyGen : The user Ui provides his identity IDi to PKG. The PKG runs this algorithm with identity
IDi , params and M sk as the input and obtains the private key Di . The private key Di is sent to user
Ui through a secure channel.
– Sign : For generating a signature on a message mi , the user Ui provides his identity IDi , his private
key Di , params and message mi as input. This algorithm generates a valid signature ⌅i on message mi
by user Ui .
– Verify : This algorithm on input of a signature ⌅ on message m by user U with identity ID checks
whether ⌅ is a valid signature on message m by ID. If true it outputs “V alid”, else it outputs “Invalid”.
– Aggregate : On receiving the various signatures (⌅i )i=1 to n from different users (Ui )i=1 to n , any third
party or one of the signers can run this algorithm and generate the aggregate signature ⌅agg for the set
of < message, identity > pairs (mi , IDi )i=1 to n .
– AggregateVerify : This algorithm on input of an aggregate signature ⌅agg , the list for (mi , IDi )i=1 to n
and the params checks whether ⌅agg is a valid aggregate signature on mi by IDi for all i = 1 to n. If
true, it outputs “V alid”, else outputs “Invalid”.
– Token Generation : In some models of identity based systems, the PKG may generate a random value
that corresponds to the registered user at the time of registration / key generation. This value will be
made public by the user. We refer this value as ’token’ and tokens are not used for any encryption
schemes. These tokens will always be send as a part of the signature. This extended version of identity
based signatures is not considered as violation because this toke is used only for signing purpose. More
on this have been discussed in section 5.
Important Remark: As encryption algorithms only use the publicly known identities of the user alone as
public key, tokens are never used in encryption schemes. Since ours is an identity based signature scheme,
introduction of token in our cryptosystem is not a violation of the definition of identity based system.

4 Security Model
4.1 Unforgeability
Gentry et al. in [8] proposed a formal model for aggregate signature scheme. Their scheme used a common
randomness. We follow the security model proposed by Gentry et al. with slight variations since we do
not have a common random value. An IBAS scheme is secure against existential forgery under adaptive-
chosen-identity and adaptive-chosen-message attack if no probabilistic polynomial time algorithm A has
non-negligible advantage in the following game.
 – Setup phase : The challenger C runs the setup algorithm and generates the params and M sk. Chal-
lenger C gives params to adversary A.
– Training phase : After the setup, A starts interacting with C by querying the various oracles provided
by C in the following way:
• KeyGen oracle : When A makes a query with IDi , C outputs Di , the private key of IDi to A,
provided C knows the private key for the queried identity. Else it aborts.
• Signing oracle : When A makes a signing query with IDi , message mi , C outputs a valid signature
⌅i on mi by IDi .
– Forgery phase : A outputs an aggregate signature ⌅Agg for signatures (⌅)i=1 to n from the users
(IDi )i=1 to n on messages (mi )i=1 to n where there exists at least one target identity IDT ⌥ {IDi }i=1 to n ,
for which private key has not been queried for. The adversary A wins the game if ⌅agg is a valid aggregate
signature and A has not queried for the signature from the signing oracle for (IDT , mT ) pair on which
it has generated the forgery.

AdvIBAS
A = {P r[A(V erif y(⌅agg ) = valid)}

5 Identity Based Aggregate Signature scheme Without Pairings-IBAS-1

Normally, the public key of a user in identity based cryptography is obtained by hashing the user’s identity,
which uniquely identifies him. In the identity based signature by Galindo et al. [7], we find an interesting and
subtle difference between all existing schemes and [7]. In [7], Galindo et al. have used a Schnorr signature
which in turn uses a purely random value chosen by the PKG to generate the private key of the user. This
random value can be interpreted as a ’token’ which we discussed in section 3 on generic model of identity
based aggregate signature scheme. This token along with the identity of the user is hashed together to obtain
the public key corresponding the user. It should be noted that this is not a violation of the property of identity
based cryptosystem with respect to digital signature schemes because in a digital signature scheme all the
components of a signature on an arbitrary message are generated by the signer who is in possession of the
private key. Hence, the signer has to send the random value obtained with his private key from the PKG
along with each signature he generates. The interesting part is that, if the signer or any potential forger tries
to alter the random value obtained from the PKG for the signer, both will fail miserably in generating a valid
signature because neither signer nor the forger will be able to generate a valid private key corresponding to
the altered random value. We emphasize again that tokens can never be used for encryption schemes and
can always be used in signature schemes. In Galindo et al.’s [7] paper, the component g r is send by the PKG
to the user. This component is called as ’token’ in our convention.
Similar kind of key constructs for identity based cryptosystem can be seen in [6] and [12]. In [6], an
identity based key agreement protocol was proposed by Dario et al. and in [12] an identity based online/o⇧ine
signature was proposed. In this section, we describe a new identity based aggregate signature scheme based
on the identity based signature scheme by Galindo et al. [7]. This scheme consists of six algorithms which
are described below.

– IBAS-1.Setup : Let ⇥ be the security parameter of the system. Let G be a multiplicative group of order
q. Choose a random generator g of G. Choose three cryptographic hash functions which are defined as
H1 : {0, 1}⇥ ⇥G ⌃ Z⇥q , H2 : {0, 1}⇥ ⇥{0, 1}⇥ ⇥G⇥G ⌃ Z⇥q and H3 : {0, 1}⇥ ⇥{0, 1}⇥ ⇥Z⇥q ⇥G⇥G ⌃ Z⇥q .
Let s ⌥R Z⇥q be the master private key and the master public key is set to be g s . The public parameters
are params=< g, g s , G, H1 , H2 , H3 > and the master private key s is kept secret.

– IBAS-1.KeyGen : The user Ui provides his identity IDi to the Private Key Generator(PKG). The
PKG runs this algorithm with IDi , params and master private key s as the input. The algorithm does
the following:
• Choose a random xi ⌥ Zq
• Computes Xi = g xi and qi = H1 (IDi , Xi )mod(q)
• Computes di = (xi + sqi )mod(q)
• Outputs < qi , Xi , di >
 The PKG sends < qi , Xi , di > securely to the user Ui . The user Ui keeps the di as secret and < qi , Xi >
as public. Here Xi is called the token.
Remark: It is to be noted that the private key di is a Schnorr signature on the identity IDi and thus a
user who is capable of producing another private key d⇤i for the same identity IDi or a private key d⇤⇤i for
an arbitrary identity IDi⇤⇤ can effectively forge the underlying Schnorr signature. As a consequence, the
private key generated by the PKG is secure and cannot be generated by any user by altering the token
value, unless he knows the master private key s. Therefore, we do not consider token as a separate entity
for the formal proof of unforgeability of our schemes.
– IBAS-1.Sign : The user Ui who wishes to sign a message mi gives his IDi , private key di and params
as input to this algorithm. The algorithm does the following to generate the signature:
• Chooses a random ri ⌥ Zq .
• Computes Wi = g ri
• Generates h1i = H2 (mi , IDi , Wi , Xi )
• Generates h2i = H3 (mi , IDi , h1i , Wi , Xi )
• Computes Vi = (ri h1i + h2i di )mod(q)
• Outputs Vi , Wi ✏ as the signature of IDi on message mi .
– IBAS-1.Verify : Any user can run this verification algorithm. The user provides < Vi , Wi >, IDi , mi
and params as input to this algorithm. The verification is done as follows:
?
• Check whether g Vi = (Wi )h1i (Xi )h2i (g s )qi h2i , where
h1i = H2 (mi , IDi , Wi , Xi ).
h2i = H3 (mi , IDi , h1i , Wi , Xi ).
• Outputs “V alid” if the signature passes the verification, else it outputs “Invalid”.
Correctness
g Vi = g ri h1i +h2i di
= g ri h1i .g h2i di
= (g ri )h1i .g h2i (xi +sqi )
= (Wi )h1i .(Xi )h2i .(g s )qi h2i
This shows that the above verification check is valid and consistent. Note that the verification can be
done by anyone as it involves only publicly known parameters such as Vi , Wi , h1i , h2i , g s , Xi , qi
– IBAS-1.Aggregate : This algorithm takes as input a set of n signatures {Vi , Wi }i=1 to n and the cor-
responding identity, message pairs < IDi , mi >, such that i = 1 to n < Vi , Wi > is the signature on
message mi by IDi . The aggregation is done as follows:
n
⇤
Vagg = Vi .
i=1

The algorithm outputs the final aggregate signature < Vagg , W1 , W2 , ...., Wn > and the corresponding
message identity pair {mi , < IDi , Xi >}i=1 to n .
– IBAS-1.AggregateVerify : This algorithm takes the aggregate signature < Vagg , W1 , W2 , ...., Wn >
and the corresponding message identity pair {mi , IDi , Xi }i=1 to n as does the following:
• For all i=1 to n
Compute h1i = H2 (mi , IDi , Wi , Xi )
Compute h2i = H3 (mi , IDi , h1i , Wi , Xi )
⇥
n ⇥
n Pn
• If (g Vagg = (Wi )h1i . (Xi )h2i .(g s ) i=1 qi h2i ) then outputs “V alid” else outputs “Invalid”.
i=1 i=1
Correctness
Pn Pn
g Vagg = g Pi=1 ri h1i + Pi=1 h2i di
n n
= g i=1 ri h1i .g i=1 h2i di
⇥ ri h1i
n P n
= (g ) .g i=1 h2i (xi +sqi )
i=1
⇥
n ⇥
n Pn
= (Wi )h1i . (Xi )h2i .(g s ) i=1 qi h2i
i=1 i=1
This shows that the aggregate verification test is correct and consistent.
6 Security Proof for IBAS-1

In this section, we prove the security of our identity based aggregate signature scheme(IBAS-1). We show
that if a polynomial time bounded adversary exists who can break our scheme with non-negligible probability
then we will be able to solve the discrete logarithm problem with non-negligible probability 0 . We prove
that our scheme is secure against existential forgery under adaptive chosen message and adaptive chosen
identity attack. We also use the oracle replay attack technique and forking lemma [13] to prove the security
of our scheme.
Theorem 1. Our aggregate signature scheme IBAS-1 is secure against existential forgery under adaptively
chosen identity and adaptively chosen message attack, if there exists a polynomially bounded (t, ) adversary
A making qH1 , qH2 , qH3 hash queries, qS signcryption queries and qE extraction queries, who can break our
scheme with a non-negligible advantage , then there exists a DL solver C with a non-negligible advantage,
qE
10(qS +1)(qS +qH3 +qH2 ).(1 qH ).n
0 = 19 . 2k+1
1
. qH1 and in polynomial time t0 .
1

The proof of this theorem will be added later.

7 Identity Based Aggregate Signature Scheme-IBAS-2

For any identity based signature the secret key and the signature belongs to the same group(mostly elliptic
curve groups) and the verification of the signature will be carried out in a different group(usually a mul-
tiplicative group). In IBAS-2 we use a different strategy compared to this traditional approach in identity
based signature schemes. IBAS-2 has the private key, signature and verification in three different groups
namely (Z⇥q , G1 , G2 ) In this section we propose another e⌅cient identity based aggregate signature scheme
which achieves full aggregation thus reducing the communication complexity considerably. Currently there
is no aggregate signature scheme which achieves full aggregation without any interaction among the users.
We achieve full aggregation without any kind of interaction among the signers. This scheme consists of six
algorithms which are defined as follows:

– IBAS-2.Setup : Let ⇥ be the security parameter of the system. The Private Key Generator(PKG)
runs this algorithm with ⇥ as input. This algorithm chooses an additive group G1 and a multiplicative
group G2 , both of order q. It randomly selects P which is generator of group G1 , randomly selects
s1 , s2 ⌥R Z⇥q and sets Ppub1 = s1 P and Ppub2 = s2 P . It chooses two cryptographic hash functions which
are defined as H1 : {0, 1}⇥ ⇥ G1 ⌃ Z⇥q and H2 : {0, 1}l ⇥ G1 ⇥ {0, 1}⇥ ⌃ G1 . It also chooses a bilinear
pairing ê which is defined as ê : G1 ⇥ G1 ⌃ G2 . Finally it outputs the public parameters params as
< P, Ppub1 , Ppub2 , ê, G1 , G2 , H1 , H2 > and the master private keys s1 , s2 is kept secret.

– IBAS-2.KeyGen : The user Ui submits his identity IDi to the PKG. The PKG runs this algorithm
with IDi , s1 and params as input. This algorithm does the following:
• Chooses a random xi ⌥ Zq⇥
• Computes Xi = xi P and qi = H1 (IDi , Xi )
• Computes di = xi + s1 qi mod(q)
• Outputs < Xi , qi , di >
The PKG returns < qi , Xi , di > securely to the user Ui . The user Ui keeps di as secret and makes
< qi , Xi > public.

– IBAS-2.Sign : The user Ui who wishes to sign the message mi gives his identity IDi , private key di ,
public parameters params and message mi as input to this algorithm. The computations performed are
the following:

• Chooses a random ri ⌥ Zq⇥

• Computes Wi = ri P
• Generates Hi = H2 (mi , Xi , IDi )
• Computes Vi = ri Ppub2 + di Hi
 • Outputs the signature ⌅i =< Wi , Vi > on message mi by user with identity IDi .

– IBAS-2.Verify : Any user can run the verification algorithm. This algorithm takes as inputs the sig-
nature ⌅i =< Wi , Vi > and the message, identity pair < mi , IDi >. The verification is done as follows:
?
• Check ê(Vi , P ) = ê(Wi , Ppub2 )ê(qi Ppub1 + Xi , Hi )
where Hi = H2 (mi , Xi , IDi )
• If the signature passes the verification test it outputs “V alid” else it outputs “Invalid”.

Correctness :
ê(Vi , P )= ê(ri Ppub2 + di Hi , P )
= ê(ri P, Ppub2 )ê((xi + s1 qi )Hi , P )
= ê(ri P, Ppub2 )ê(Hi , xi P )ê(Hi , qi s1 P )
= ê(ri P, Ppub2 )ê(Hi , Xi )ê(Hi , qi Ppub1 )
= ê(Wi , Ppub2 )ê(Hi , Xi + qi Ppub1 )
This shows that the above verification is valid and consistent. Note that the verification can be done by
anyone as it involves only publicly known parameters such as Vi , Wi , h1i , h2i , g s , Xi .

– IBAS-2.Aggregate : This algorithm takes in as input a set of n signatures {Vi , Wi }i=1 to n and the
corresponding identity message pair IDi , mi such that i = 1 to n < Vi , Wi > is the signature on
message mi by IDi . The aggregation is done as follows:
n
Vagg = i=1 Vi
n
Wagg = i=1 Wi

The algorithm outputs the aggregated signature < Vagg , Wagg > and the list of message, identity pairs
{mi , IDi }i=1 to n .

– IBAS-2.AggregateVerify : Any user can run this aggregate verify algorithm. This algorithm takes as
input the aggregate signature < Vagg , Wagg >, params and the list of message,identity pairs {mi , IDi }i=1 to n .
This checks whether the following relation holds.

• For all i = 1 to n Computes Hi = H2 (mi , Xi , IDi )

? ⇥
n
• Check if ê(Vagg , P ) = ê(Wagg , Ppub2 ) ê(qi Ppub1 + Xi , Hi )
i=1
• If the aggregate signature passes the verification it outputs “V alid” else the algorithm outputs
“Invalid”.

Correctness :
n
ê(Vagg , P )= ê( i=1 ri Ppub2 + di Hi , P )
n n
= ê( i=1 ri P, Ppub2 )ê( i=1 (xi + s1 qi )Hi , P )
n ⇥n ⇥
n
= ê( i=1 Wi , Ppub2 ) ê(Hi , xi P ) ê(Hi , qi s1 P )
i=1 i=1
⇥
n ⇥
n
= ê(Wagg , Ppub2 ) ê(Hi , Xi ) ê(Hi , qi Ppub1 )
i=1 i=1
⇥
n
= ê(Wagg , Ppub2 ) ê(Hi , Xi + qi Ppub1 )
i=1

This shows that the above verification is valid and consistent.

8 Security Proof for IBAS-2

In this section we formally prove the security of our scheme. We prove that if there is a polynomial time
adversary A exists with non-negligible advantage to break our scheme then we will be able to solve an
instance of CDH problem with non-negligible probability.
8.1 Unforgeability

Theorem 2. Our aggregate signature scheme IBAS-2 is secure against existential forgery under adaptively
chosen identity and adaptively chosen message attack, if there exists a polynomialy bounded (t, ) adversary
A making qH1 , qH2 hash queries, qS signcryption queries and qE extraction queries, who can break our
scheme with a non-negligible advantage , then there exists a CDH solver C with non-negligible advantage
0 = (1 µ)qE (1 µn ) and in polynomial time t0 .

The proof of this theorem will be added later.

9 Efficiency Comparison :

In this section we compare the e⌅ciency of our schemes with few existing schemes. We also give some remarks
on the e⌅ciency and merits of our schemes over others.

Table 1. Comparing various aggregate signature schemes

Scheme Signing for each signer Verification

Exp Pt.Mul Exp Pt.Mul Pairing
Gentry et al. [8] - 3 - n 3
Jung Cheon et al. [19] - 3 - n n+1
Jing Xu et al. [18] - 2 - - n+2
Javier Herranz [9] 1 - n - n
Cheng et al. [4] - 3 - n 2
Our scheme IBAS-1 1 - 2n+2 - -
Our scheme IBAS-2 - 3 - n n+2

Remarks :

– In Gentry Ramzan scheme [8] all the signers have to agree upon a common value ⇧ in order to produce a
valid aggregate signature. That will increase the communication complexity. Further weakness of Gentry
et al.’s scheme is explained in the appendix.
– Jung et al. [19],Jing Xu et al. [18] achieve only partial aggregation and also requires linear number of
pairings.
– Javier Herranz [9] also achieves only partial aggregation and also has the disadvantage that the underlying
signature scheme is deterministic. The signature on a message by a user always remains the same.
– In Cheng et al. [4] scheme achieves full aggregation and also seems e⌅cient. But in this scheme all the
signers have to broadcast their respective randomness to other signers so that all agree upon a common
randomness finally. This broadcast technique increases the communication complexity enormously and
also it is rather like threshold signature and not like a pure aggregate signature.
– It has to be taken into account that the signing part is for each signer. So if n signers are signing the
complexity in signing part will be multiplied by n.
– Our first scheme IBAS-1 achieves only partial aggregation but does verification without any pairing
operation making it the most e⌅cient scheme of all the above. We used a light weight schnorr based
signature as proposed by Galindo et al. [7] which is highly e⌅cient and practically implementable.
– Our second scheme IBAS-2, though it has linear number of pairings, achieves full aggregation without
any kind of interaction among the signers something which has not been achieved by any of the existing
schemes. Our scheme has a trivial weakness similar to that of Gentry et al.’s scheme which will be dis-
cussed as the fourth weakness in appendix. To achieve a full aggregation scheme without any interactions
and without the specified weakness seems to be a really interesting open problem.
10 Conclusion
In this paper, we have considered an identity based signature in which the private key for a user is a Schnorr
signature on his identity. This private key is generated by the PKG. Besides, the PKG sends a random ’token’
to every user along with his private key. This token cannot be altered by the user and the token can never
be used in any encryption scheme. Since, for encryption schemes, only identities are used as public keys. The
presence of tokens in the scheme is not a violation to the definition of identity based scheme. However, the
concept of ’token’ can be cleverly deployed to avoid all pairing based computations in aggregate signature
schemes. We have demonstrated that Galindo et al’s [7] signature scheme which uses the concept of ’tokens’
can be used to design an aggregate signature scheme without pairing.
We have proposed two identity based aggregate signature schemes IBAS-1 and IBAS-2. IBAS-1 and IBAS-
2 uses schnorr signature based private key construct. IBAS-1 employs a variant of schnorr signature, with
no pairing operation, which is the first aggregate scheme without pairing and achieves partial aggregation.
IBAS-2 is the only identity based aggregate signature scheme which achieves full aggregation. Both IBAS-1
and IBAS-2 eliminates the need for interaction among the signers which is a overhead in existing e⌅cient
aggregate signature schemes. We have formally proved the security of both the schemes in the random oracle
model. We have also addressed the open problem posed by Hwang et al. in [11]. Presently, there seems to
be no scheme which achieves e⌅ciency in both communication and computation front without any kind
of interaction among the signers. Achieving this, seems to be an important open problem considering its
practical significance.

References
1. Alexandra Boldyreva, Craig Gentry, Adam O’Neill, and Dae Hyun Yum. Ordered multisignatures and identity-
based sequential aggregate signatures, with applications to secure routing. In Peng Ning, Sabrina De Capitani
di Vimercati, and Paul F. Syverson, editors, ACM Conference on Computer and Communications Security, pages
276–285. ACM, 2007.
2. Dan Boneh. Bls short digital signatures. In Henk C. A. van Tilborg, editor, Encyclopedia of Cryptography and
Security. Springer, 2005.
3. Jae Choon Cha and Jung Hee Cheon. An identity-based signature from gap di⇤e-hellman groups. In Yvo
Desmedt, editor, Public Key Cryptography, volume 2567 of Lecture Notes in Computer Science, pages 18–30.
Springer, 2003.
4. Xiangguo Cheng, Jingmei Liu, and Xinmei Wang. Identity-based aggregate and verifiably encrypted signatures
from bilinear pairing. In Osvaldo Gervasi, Marina L. Gavrilova, Vipin Kumar, Antonio Laganà, Heow Pueh Lee,
Youngsong Mun, David Taniar, and Chih Jeng Kenneth Tan, editors, ICCSA (4), volume 3483 of Lecture Notes
in Computer Science, pages 1046–1054. Springer, 2005.
5. Shi Cui, Pu Duan, and Choong Wah Chan. An e⇤cient identity-based signature scheme with batch verifications.
In Xiaohua Jia, editor, Infoscale, volume 152 of ACM International Conference Proceeding Series, page 22. ACM,
2006.
6. Dario Fiore and Rosario Gennaro. Making the di⇤e-hellman protocol identity-based. Cryptology ePrint Archive,
Report 2009/174, 2009. http://eprint.iacr.org/ (An extended abstract of this paper appears in the proceedings
of CT-RSA 2010).
7. David Galindo and F. D. Garcia. A schnorr-like lightweight identity-based signature scheme. In In Proceedings
of 2nd African International Conference on Cryptology, AfricaCrypt 2009, Lecture Notes in Computer Science
5580, pages 135–148, 2009.
8. Craig Gentry and Zulfikar Ramzan. Identity-based aggregate signatures. In Moti Yung, Yevgeniy Dodis, Aggelos
Kiayias, and Tal Malkin, editors, Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science,
pages 257–273. Springer, 2006.
9. Javier Herranz. Deterministic identity-based signatures for partial aggregation. Comput. J., 49(3):322–330, 2006.
10. Florian Hess. E⇤cient identity based signature schemes based on pairings. In Kaisa Nyberg and Howard M.
Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 310–324.
Springer, 2002.
11. Jung Yeon Hwang, Dong Hoon Lee, and Moti Yung. Universal forgery of the identity-based sequential aggre-
gate signature scheme. In Wanqing Li, Willy Susilo, Udaya Kiran Tupakula, Reihaneh Safavi-Naini, and Vijay
Varadharajan, editors, ASIACCS, pages 157–160. ACM, 2009.
12. Joseph K. Liu, Joonsang Baek, Jianying Zhou, Yanjiang Yang, and Jun Wen Wong. E⇤cient online/o⌅ine
identity-based signature for wireless sensor network. Cryptology ePrint Archive, Report 2010/003, 2010.
http://eprint.iacr.org/.
13. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. J. Cryp-
tology, 13(3):361–396, 2000.
14. S.Sharmila Deva Selvi, S.Sree Vivek, J.Shriram, S.Kalaivani, and C.Pandu Rangan. Security analysis of aggre-
gate signature and batch verification signature schemes. Cryptology ePrint Archive, Report 2009/290, 2009.
http://eprint.iacr.org/.
15. Adi Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO, pages 47–53, 1984.
16. Zhu Wang, Huiyan Chen, Ding feng Ye, and Qian Wu. Practical identity-based aggregate signature scheme from
bilinear maps. volume 13(6), pages 684–687. Shangai Jiao Tong University Press, 2008.
17. Yiling Wen and Jianfeng Ma. An aggregate signature scheme with constant pairing operations. In CSSE (3),
pages 830–833. IEEE Computer Society, 2008.
18. Jing Xu, Zhenfeng Zhang, and Dengguo Feng. Id-based aggregate signatures from bilinear pairings. In Yvo
Desmedt, Huaxiong Wang, Yi Mu, and Yongqing Li, editors, CANS, volume 3810 of Lecture Notes in Computer
Science, pages 110–119. Springer, 2005.
19. HyoJin Yoon, Jung Hee Cheon, and Yongdae Kim. Batch verifications with id-based signatures. In Choonsik
Park and Seongtaek Chee, editors, ICISC, volume 3506 of Lecture Notes in Computer Science, pages 233–248.
Springer, 2004.
20. Fangguo Zhang, Reihaneh Safavi-Naini, and Willy Susilo. An e⇤cient signature scheme from bilinear pairings
and its applications. In Feng Bao, Robert H. Deng, and Jianying Zhou, editors, Public Key Cryptography, volume
2947 of Lecture Notes in Computer Science, pages 277–290. Springer, 2004.

11 APPENDIX :
In this section we show the various weakness in the Gentry et al.’s scheme [8]. Though it is claimed to be
currently the most e⌅cient scheme it has the following weakness.
1. According to the scheme in [8], the signers have to store all the ⇧ they have used previously in a database
in order to avoid the re-use of randomness. Every time the signer before signing needs to check whether
the current ⇧ was not previously used for any signature generation on any message. This leads to increase
in storage cost and checking cost, becoming a huge overhead.
2. Not only this, the common randomness ⇧ chosen by the first signer should satisfy the constraint that it
was not used previously for signing any message by any o the other signers participating in the aggregation
process. Even if n 1 signers agree and nth signer disagrees then they have to run the protocol again by
picking up a new ⇧ value. This accounts to a lot of wastage of time and network bandwidth.
3. Any signer, if he/she reuse a ⇧ value even once with or without his/her knowledge then universal forgery
of their signature is possible. The universal forgery of signature is as follows:
– Let < S1 , T1 > be a signature on m1 by ID using the value ⇧.
– Let < S2 , T2 > be a signature on m2 by ID using the same ⇧
– The signature components is of the form

S1 = r1 P + D1 + c1 D2 (1)
T 1 = r1 P (2)
S2 = r2 P + D1 + c2 D2 (3)
T 2 = r2 P (4)

where r1 , r2 is unknown random numbers, P = H2 (⇧), c1 = H3 (m1 , ID, ⇧), c2 = H3 (m2 , ID, ⇧).

– Subtracting 1 from 3 we get

S ⇥ = (r2 r1 )P + (c2 c1 )D2 (5)

Dividing by (c2 c1 ) we get, S ⇥⇥ = r 2 r1
c2 c1 P + D2

– Compute a new hash value c3 = H3 (m3 , ID, ⇧) where m3 is some random message.

– Multiply S ⇥⇥ by c3 and we get S = r2 r1

c2 c1 c3 P + c3 D2
 – Dividing 1 by c1 and dividing 3 by c2 we get the two equations

r1 1
S1 = P + D1 + D2 (6)
c1 c1
r2 1
S2 = P + D1 + D2 (7)
c2 c2
– Subtracting 7 from 6 we get
S3 = ( rc11 c2 )P + ( c1
r2 1
c2 )D1
1

– Dividing S3 ⇤ by ( c11 c2 )
1
we get
r r2
( c1 )
S3 = 1
( c1
c2
1
)
P + D1
1 c2

S3 = r1 c2 r2 c1
c2 c1 P + D1

– Adding S to S we get S3 = ( rc22 r1

c1 c3 + c2 c1 )P
r1 c2 r2 c1
+ D1 + c3 D2

– S3 = r⇥ P + D1 + c3 D2 where r⇥ = ( rc22 r1
c1 c3 + c2 c1 )
r1 c2 r2 c1

– We can derive T3 = r⇥ P also knowing the T1 and T2 values as follows:

Multiplying T1 by ( cc22 cc31 ) and multiplying T2 by ( cc23 c1 )

c1
and adding the two we get
T3 = ( cc22 cc13 r1 + cc32 cc11 r2 )P

= ( rc22 r1
c1 c3 + c2 c1 )P
r1 c2 r2 c1

T3 = r ⇥ P

– Thus S3 and T3 is a valid signature on message m3 since its of the standard signature format of
Gentry et al.’s scheme where c3 = H3 (m3 , ID, ⇧).

Thus universal forgery of signature is possible in case of Gentry et al.’s scheme. The the signer has to
be very careful that he/she does not reuse the ⇧ value. So the storage and checking of all used ⇧ values
becomes essential in their scheme. The extension which the authors have stated for using ⇧ repeatedly
is to get different private keys equal to number of times ⇧ is reused. That again is not a viable solution
since the user will have no idea as to how many times he will reuse ⇧ if he does.

4. Using a single signature on a message one can generate a different signature which is valid on the same
message by the same user. Though this is not a flaw in the scheme it is considered as a weakness in
certain scenarios (strong unforgeability is not satisfied).