Fast Authentication from Aggregate Signatures with Improved Security

Abstract

An attempt to derive signer-efficient digital signatures from aggregate signatures was made in a signature scheme referred to as Structure-free Compact Rapid Authentication (SCRA) (IEEE TIFS 2017). In this paper, we first mount a practical universal forgery attack against the NTRU instantiation of SCRA by observing only 8161 signatures. Second, we propose a new signature scheme (\(\texttt {FAAS}\)), which transforms any single-signer aggregate signature scheme into a signer-efficient scheme. We show two efficient instantiations of \(\texttt {FAAS}\), namely, \(\texttt {FAAS}\hbox {-}{} \texttt {NTRU}\) and \(\texttt {FAAS}\hbox {-}{} \texttt {RSA}\), both of which achieve high computational efficiency. Our experiments confirmed that \(\texttt {FAAS}\) schemes achieve up to 100\(\times \) faster signature generation compared to their underlying schemes. Moreover, \(\texttt {FAAS}\) schemes eliminate some of the costly operations such as Gaussian sampling, rejection sampling, and exponentiation at the signature generation that are shown to be susceptible to side-channel attacks. This enables \(\texttt {FAAS}\) schemes to enhance the security and efficiency of their underlying schemes. Finally, we prove that \(\texttt {FAAS}\) schemes are secure (in random oracle model), and open-source both our attack and \(\texttt {FAAS}\) implementations for public testing purposes.

Work done in part while Attila A. Yavuz was at Oregon State University.

Appendix A Security Definitions

Definition 6

Aggregate Existential Unforgeability under Chosen Message Attack \(( A\hbox {-}EU\hbox {-}CMA )\) for a single user aggregate signature is as follows.

\(Exp^{ A\hbox {-}EU\hbox {-}CMA }_{\texttt {Asig}, \mathcal {A}}(1^\kappa ):\)

We say \(\mathcal {A}\) wins in time t, and after \( q_S \) and \( q_h \) queries if \( ( (\texttt {Asig.Ver} (\overrightarrow{m}^{*}{}, \sigma ^*, PK {}) \wedge (\overrightarrow{m}^{*}{}\cap L_m =\emptyset ) )\) .The \( A\hbox {-}EU\hbox {-}CMA \) advantage of \( \mathcal {A}\) is defined as \( Adv ^{ A \hbox {-} EU \hbox {-} CMA }_{\texttt {Asig}, \mathcal {A}} (t, q_S,q_h) = \Pr [ Exp ^{ A \hbox {-} EU \hbox {-} CMA }_{\texttt {Asig}, \mathcal {A}}= 1]\).

\(\texttt {FAAS}\) requires that the underlying aggregate signature achieves k -element Aggregate Extraction (AE) property [10, 14], which is defined in the following.

Definition 7

For a given aggregate signature \(s \leftarrow {}\texttt {SigA}_ sk {}( \overrightarrow{m}{})\) computed on k individual data items \( \overrightarrow{m}{}=(m_1,\ldots ,m_k)\), it is difficult to extract the individual signatures \((\gamma _1,\ldots ,\gamma _k)\) of \((m_1,\ldots ,m_k)\) provided that only s is known to the extractor.

Initially, Boneh et al. [10] assumed that it is a hard problem to extract individual BLS signatures given an aggregate BLS signature, which was then proven to hold in [14] under the Computational Diffie-Hellmann assumption. We note that C-RSA [31] and pqNTRUsign [25], which are used in \(\texttt {FAAS}\) instantiations, achieve this property.