Group Testing Aggregate Signatures with Soundness

Abstract

In this paper, we comprehensively study group testing aggregate signatures that have functionality of both keyless aggregation of multiple signatures and identifying an invalid message from the aggregate signature, in order to reduce a total amount of signature-size for lots of messages. Our contribution is (i) to formalize strong security notions including soundness for group testing aggregate signatures by taking into account related work such as fault-tolerant aggregate signatures and non-interactive aggregate MACs with detecting functionality (i.e., symmetric case); (ii) to construct group testing aggregate signatures from aggregate signatures in a generic and comprehensive way; and (iii) to present an aggregate signature scheme which we can apply to our generic construction of group testing aggregate signatures with the formalized security.

Appendix A: Bilinear Groups for Co-Diffie-Hellman

We define bilinear groups for co-Diffie-Hellman, which are used in the aggregate signature scheme of [3]. The following notation is used: \(G_1\), \(G_2\), and \(G_T\) are multiplicative cyclic groups of prime order p. \(g_1\) and \(g_2\) are generators of \(G_1\) and \(G_2\), respectively. \(\phi : G_2 \rightarrow G_1\) is an isomorphism with \(\phi (g_2) = g_1\). \(e: G_1 \times G_2 \rightarrow G_T\) is a bilinear map. Then, Co-computational Diffie-Hellman (\(\mathsf {co- CDH}\)) problem, co-decision Diffie-Hellman (\(\mathsf {co- DDH}\)) problem, and co-Gap Diffie-Hellman (\(\mathsf {co- GDH}\)) group pairs are defined.

Definition 10

( \(\mathsf {co- CDH}\) and \(\mathsf {co- DDH}\) problems).

• \(\mathsf {co- CDH}\). Given \(g_2,g_2^a \in G_2\) and \(h \in G_1\), compute \(h^a \in G_1\)

• \(\mathsf {co- DDH}\). Given \(g_2, g_2^a \in G_2\) and \(h,h^b \in G_1\), determine if \(a = b\) or not.

In [4], it is known that in the case of \(G_1 = G_2\) and \(g_1 = g_2\), there are reductions from \(\mathsf {co- CDH}\) and \(\mathsf {co- DDH}\) to the standard CDH and DDH problems, respectively.

Next, co-Gap Diffie-Hellman (\(\mathsf {co- GDH}\)) group pairs are defined, as follows.

Definition 11 (Decision Group Pair)

The pair \((G_1,G_2)\) of two groups is a decision group pair for co-Diffie-Hellman if the group action on \(G_1\), the group action on \(G_2\), and the map \(\phi \) from \(G_2\) to \(G_1\) can be computed in one time unit, and co-decision Diffie-Hellman on \((G_1,G_2)\) can be solved in one time unit.

Definition 12 (Co-GDH Group Pair)

Suppose two groups \(G_1,G_2\) are selected by following a security parameter \(\lambda \). The advantage of a PPT algorithm \(\textsf{A}\) solving the \(\mathsf {co- CDH}\) problem in groups \(G_1,G_2\) is defined as \(\textsf{Adv}_{\textsf{A}}^{co-cdh }(\lambda ) := \Pr [\textsf{A}(g_2,g_2^a,h) \rightarrow h^a \mid a \overset{\tiny \$}{\leftarrow }\mathbb {Z}_p, h \overset{\tiny \$}{\leftarrow }G_1]\). The pair \((G_1,G_2)\) is a \(\mathsf {co- GDH}\) group pair if the pair is a decision group pair for co-Diffie-Hellman, and \(\textsf{Adv}_{\textsf{A}}^{co-cdh }(\lambda ) \le \textsf{negl}(\lambda )\) holds for any PPT algorithm \(\textsf{A}\).

We define bilinear group pairs for co-Diffie-Hellman, which are used in the aggregate signature scheme of [3].

Definition 13 (Bilinear Group Pair for co-Diffie-Hellman)

Suppose two groups \(G_1,G_2\) are selected by following a security parameter \(\lambda \). The pair \((G_1,G_2)\) is a bilinear group pair if the group action on either can be computed in one time unit, the map \(\phi \) from \(G_2\) to \(G_1\) can be computed in one time unit, a bilinear map e is computable in one time unit. Furthermore, the pair \((G_1,G_2)\) is a bilinear group pair for co-Diffie-Hellman if it is a bilinear group pair and \(\textsf{Adv}_{\textsf{A}}^{co-cdh }(\lambda ) \le \textsf{negl}(\lambda )\) holds for any PPT algorithm \(\textsf{A}\).