

Achieving Pairing-Free Aggregate Signatures using Pre-Communication between Signers
Kaoru TAKEMURE, Yusuke SAKAI, Bagus SANTOSO, Goichiro HANAOKA, Kazuo OHTA
Publication: IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E104-A, No.9, pp.1188-1205
Publication Date: 2021/09/01
Publicized: 2021/06/10
Online ISSN: 1745-1337
DOI: 10.1587/transfun.2020DMP0023
Type of Manuscript: Special Section PAPER (Special Section on Discrete Mathematics and Its Applications)
Category: Cryptography and Information Security
Keyword: aggregate signatures, pre-communication, knowledge of secret key model, rogue-key attack
Summary:
Most aggregate signature schemes rely on pairings, but the high computational and storage costs of pairings limit the feasibility of those schemes in practice. Zhao proposed the first pairing-free aggregate signature scheme (AsiaCCS 2019). However, the security of Zhao's scheme is based on the hardness of a newly introduced non-standard computational problem. The recent impossibility results of Drijvers et al. (IEEE S&P 2019) on two-round pairing-free multi-signature schemes whose security is based on the standard discrete logarithm (DL) problem have strengthened the view that constructing a pairing-free aggregate signature scheme which is proven secure based on standard problems such as the DL problem is indeed a challenging open problem. In this paper, we offer a novel solution to this open problem. We introduce a new paradigm of aggregate signatures, i.e., aggregate signatures with an additional pre-communication stage. In the pre-communication stage, each signer interacts with the aggregator to agree on a specific random value before deciding the messages to be signed. We also discover that the impossibility results of Drijvers et al. take effect if the adversary can decide the whole randomness part of any individual signature. Based on the new paradigm and our discovery of the applicability of the impossibility result, we propose a pairing-free aggregate signature scheme in which any individual signature includes a random nonce that can be freely generated by the signer. We prove the security of our scheme based on the hardness of the standard DL problem. As a trade-off, in contrast to the plain public-key model, which Zhao's scheme uses, we employ a more restricted key setup model, i.e., the knowledge of secret-key model.


