ABSTRACT
At CCS'07, a novel identity-based sequential aggregate signature scheme was proposed, and its security was proven under the hardness assumption of a new computational problem called the modified LRSW problem. In this paper we show that, unfortunately, the scheme is universally forgeable: anyone can generate forged signatures on any messages of their choice. In addition, we show that the computational assumption does not hold, by concretely presenting a constant-time algorithm that solves the problem. The contribution of the new scheme and assumption is a natural step in cryptologic research that calls for further investigation, which is the step we perform in the current work.
Index Terms
- Universal forgery of the identity-based sequential aggregate signature scheme