Abstract
In this paper, we comprehensively study group testing aggregate signatures, which provide both keyless aggregation of multiple signatures and identification of an invalid message from the aggregate signature, in order to reduce the total signature size for a large number of messages. Our contributions are (i) to formalize strong security notions, including soundness, for group testing aggregate signatures, taking into account related work such as fault-tolerant aggregate signatures and non-interactive aggregate MACs with detecting functionality (i.e., the symmetric-key case); (ii) to construct group testing aggregate signatures from aggregate signatures in a generic and comprehensive way; and (iii) to present an aggregate signature scheme that can be applied to our generic construction to obtain group testing aggregate signatures with the formalized security.
Notes
1. We should notice the difference between \(\mathsf{asig\text{-}soundness}\) and batch verification: in the \(\mathsf{asig\text{-}soundness}\) game, the adversary is allowed to generate key pairs except for the key pair generated by the challenger, whereas batch verification requires all key pairs to be generated by the key generation algorithm. See [5] for details of the definition of batch verification.
2. One may wonder whether the detecting functionality of GT-ASIGs can be achieved by cryptographic rather than combinatorial methods (i.e., group testing with \(d\)-disjunct matrices). However, to the best of our knowledge, the property of \(d\)-disjunct matrices is necessary to achieve the non-interactive detecting functionality in a practical way. As described in the Conclusion, constructing an aggregate signature scheme with this functionality in a practical way is important future work in this research.
3. \(J = \emptyset\) means that the given pairs of public keys and signed messages are all valid.
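As an added illustration of the combinatorial detecting functionality that Note 2 refers to (example code written for this page, not code from the paper or its authors), the following Python models the verifier's side of a GT-ASIG: pool verification outcomes are simulated under the assumption that a keyless aggregate over a pool verifies iff every signature in it is valid, and a \(d\)-disjunct matrix from the standard polynomial construction is used to recover the invalid positions from those outcomes alone.

```python
from itertools import combinations, product

# Model (an assumption of this added example, not code from the paper):
# row i of the binary matrix M selects a pool of signed messages; the verifier
# checks one keyless aggregate per pool, and the pool passes iff every
# signature in it is valid.  If M is d-disjunct and at most d signatures are
# invalid, the invalid positions follow from the t pool outcomes alone.

def rs_matrix(q, k):
    """Polynomial (Kautz-Singleton) construction: columns are the polynomials
    of degree < k over Z_q (q prime), rows are the points (x, y) in Z_q^2,
    and M[(x, y)][f] = 1 iff f(x) == y.  Each column has q ones and two
    columns share at most k-1, so M is d-disjunct whenever d*(k-1) < q.
    n = q**k items are covered by t = q**2 tests."""
    polys = list(product(range(q), repeat=k))  # coefficient tuples, low degree first
    def ev(f, x):
        return sum(c * pow(x, i, q) for i, c in enumerate(f)) % q
    return [[1 if ev(f, x) == y else 0 for f in polys]
            for x in range(q) for y in range(q)]

def is_d_disjunct(M, d):
    """Brute-force check: no column is covered by the union of d other columns."""
    n = len(M[0])
    cols = [frozenset(i for i in range(len(M)) if M[i][j]) for j in range(n)]
    for j in range(n):
        for others in combinations([k for k in range(n) if k != j], d):
            if cols[j] <= frozenset().union(*(cols[k] for k in others)):
                return False
    return True

def pool_outcomes(M, invalid):
    """Simulated aggregate verification: pool i passes iff no invalid item is in it."""
    return [not any(M[i][j] for j in invalid) for i in range(len(M))]

def decode(M, outcomes):
    """Non-adaptive decoding: every item in a passing pool is valid; the items
    that appear only in failing pools are reported as invalid.  With a
    d-disjunct M and at most d invalid items this set is exact."""
    n = len(M[0])
    cleared = set()
    for i, passed in enumerate(outcomes):
        if passed:
            cleared.update(j for j in range(n) if M[i][j])
    return sorted(set(range(n)) - cleared)

if __name__ == "__main__":
    M = rs_matrix(7, 3)                 # 343 signatures checked with 49 pool verifications
    bad = [5, 100, 300]                 # constructed sample: the invalid positions
    print(decode(M, pool_outcomes(M, bad)))   # -> [5, 100, 300]
```

The brute-force disjunctness check is only meant for small parameters; for the 343-column matrix the guarantee comes from the construction's bound \(d(k-1) < q\).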
References
Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: EUROCRYPT. LNCS, vol. 1403, pp. 236–250. Springer (1998)
Boneh, D., Drijvers, M., Neven, G.: Compact multi-signatures for smaller blockchains. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 435–464. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_15
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)
Camenisch, J., Hohenberger, S., Pedersen, M.Ø.: Batch verification of short signatures. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 246–263. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_14
Dorfman, R.: The detection of defective members of large populations. Ann. Math. Stat. 14(4), 436–440 (1943)
Du, D.Z., Hwang, F.K.: Combinatorial Group Testing and Its Applications. Series on Applied Mathematics, 2nd edn. vol. 12. World Scientific (2000)
Eppstein, D., Goodrich, M.T., Hirschberg, D.S.: Improved combinatorial group testing algorithms for real-world problem sizes. SIAM J. Comput. 36(5), 1360–1375 (2007)
Ferrara, A.L., Green, M., Hohenberger, S., Pedersen, M.Ø.: Practical short signature batch verification. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 309–324. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_21
Gentry, C., Ramzan, Z.: Identity-based aggregate signatures. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 257–273. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_17
Hartung, G., Kaidel, B., Koch, A., Koch, J., Rupp, A.: Fault-tolerant aggregate signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 331–356. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_13
Hirose, S., Shikata, J.: Aggregate message authentication code capable of non-adaptive group-testing. IEEE Access 8, 216116–216126 (2020)
Hohenberger, S., Sahai, A., Waters, B.: Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 494–512. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_27
Hwang, F.K.: A method for detecting all defective members in a population by group testing. J. Am. Stat. Assoc. 67(339), 605–608 (1972)
Katz, J., Lindell, A.Y.: Aggregate message authentication codes. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 155–169. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_10
Li, C.H.: A sequential method for screening experimental variables. J. Am. Stat. Assoc. 57(298), 455–477 (1962)
Minematsu, K.: Efficient message authentication codes with combinatorial group testing. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 185–202. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_10
Minematsu, K., Kamiya, N.: Symmetric-key corruption detection: when XOR-MACs meet combinatorial group testing. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 595–615. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_29
Ogawa, Y., Sato, S., Shikata, J., Imai, H.: Aggregate message authentication codes with detecting functionality from biorthogonal codes. In: 2020 IEEE International Symposium on Information Theory (ISIT 2020). IEEE (2020)
Porat, E., Rothschild, A.: Explicit non-adaptive combinatorial group testing schemes. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5125, pp. 748–759. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70575-8_61
Rückert, M., Schröder, D.: Aggregate and verifiably encrypted signatures from multilinear maps without random oracles. In: Park, J.H., Chen, H.-H., Atiquzzaman, M., Lee, C., Kim, T., Yeo, S.-S. (eds.) ISA 2009. LNCS, vol. 5576, pp. 750–759. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02617-1_76
Sato, S., Hirose, S., Shikata, J.: Sequential aggregate MACs with detecting functionality revisited. In: Liu, J.K., Huang, X. (eds.) NSS 2019. LNCS, vol. 11928, pp. 387–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36938-5_23
Sato, S., Shikata, J.: Interactive aggregate message authentication scheme with detecting functionality. In: Barolli, L., Takizawa, M., Xhafa, F., Enokido, T. (eds.) AINA 2019. AISC, vol. 926, pp. 1316–1328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-15032-7_110
Sato, S., Shikata, J.: Interactive aggregate message authentication equipped with detecting functionality from adaptive group testing. In: Cryptology ePrint Archive. IACR, October 2020
Thierry-Mieg, N.: A new pooling strategy for high-throughput screening: the shifted transversal design. BMC Bioinform. 7, 28 (2006)
Acknowledgements
This paper is in part based on results obtained from a project, JPNP16007, commissioned by the New Energy and Industrial Technology Development Organization (NEDO). In addition, this work was in part supported by JSPS KAKENHI Grant Numbers JP22K19773, JP21H03395. The authors would like to thank the anonymous referees for their helpful comments.
Appendix A: Bilinear Groups for Co-Diffie-Hellman
We define bilinear groups for co-Diffie-Hellman, which are used in the aggregate signature scheme of [3]. The following notation is used: \(G_1\), \(G_2\), and \(G_T\) are multiplicative cyclic groups of prime order \(p\); \(g_1\) and \(g_2\) are generators of \(G_1\) and \(G_2\), respectively; \(\phi : G_2 \rightarrow G_1\) is an isomorphism with \(\phi(g_2) = g_1\); and \(e: G_1 \times G_2 \rightarrow G_T\) is a bilinear map. We then define the co-computational Diffie-Hellman (\(\mathsf{co\text{-}CDH}\)) problem, the co-decision Diffie-Hellman (\(\mathsf{co\text{-}DDH}\)) problem, and co-Gap Diffie-Hellman (\(\mathsf{co\text{-}GDH}\)) group pairs.
Definition 10 (\(\mathsf{co\text{-}CDH}\) and \(\mathsf{co\text{-}DDH}\) problems)
- \(\mathsf{co\text{-}CDH}\). Given \(g_2, g_2^a \in G_2\) and \(h \in G_1\), compute \(h^a \in G_1\).
- \(\mathsf{co\text{-}DDH}\). Given \(g_2, g_2^a \in G_2\) and \(h, h^b \in G_1\), decide whether \(a = b\).
As shown in [4], in the case \(G_1 = G_2\) and \(g_1 = g_2\), there are reductions from \(\mathsf{co\text{-}CDH}\) and \(\mathsf{co\text{-}DDH}\) to the standard CDH and DDH problems, respectively.
Next, co-Gap Diffie-Hellman (\(\mathsf{co\text{-}GDH}\)) group pairs are defined as follows.
Definition 11 (Decision Group Pair)
The pair \((G_1, G_2)\) of two groups is a decision group pair for co-Diffie-Hellman if the group action on \(G_1\), the group action on \(G_2\), and the map \(\phi\) from \(G_2\) to \(G_1\) can each be computed in one time unit, and co-decision Diffie-Hellman on \((G_1, G_2)\) can be solved in one time unit.
Definition 12 (Co-GDH Group Pair)
Suppose two groups \(G_1, G_2\) are selected according to a security parameter \(\lambda\). The advantage of a PPT algorithm \(\textsf{A}\) in solving the \(\mathsf{co\text{-}CDH}\) problem in the groups \(G_1, G_2\) is defined as \(\textsf{Adv}_{\textsf{A}}^{\mathsf{co\text{-}cdh}}(\lambda) := \Pr[\textsf{A}(g_2, g_2^a, h) \rightarrow h^a \mid a \overset{\$}{\leftarrow} \mathbb{Z}_p,\ h \overset{\$}{\leftarrow} G_1]\). The pair \((G_1, G_2)\) is a \(\mathsf{co\text{-}GDH}\) group pair if it is a decision group pair for co-Diffie-Hellman and \(\textsf{Adv}_{\textsf{A}}^{\mathsf{co\text{-}cdh}}(\lambda) \le \textsf{negl}(\lambda)\) holds for every PPT algorithm \(\textsf{A}\).
We define bilinear group pairs for co-Diffie-Hellman, which are used in the aggregate signature scheme of [3].
Definition 13 (Bilinear Group Pair for co-Diffie-Hellman)
Suppose two groups \(G_1, G_2\) are selected according to a security parameter \(\lambda\). The pair \((G_1, G_2)\) is a bilinear group pair if the group action on either group, the map \(\phi\) from \(G_2\) to \(G_1\), and the bilinear map \(e\) can each be computed in one time unit. Furthermore, the pair \((G_1, G_2)\) is a bilinear group pair for co-Diffie-Hellman if it is a bilinear group pair and \(\textsf{Adv}_{\textsf{A}}^{\mathsf{co\text{-}cdh}}(\lambda) \le \textsf{negl}(\lambda)\) holds for every PPT algorithm \(\textsf{A}\).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Sato, S., Shikata, J., Matsumoto, T. (2023). Group Testing Aggregate Signatures with Soundness. In: Seo, SH., Seo, H. (eds) Information Security and Cryptology – ICISC 2022. ICISC 2022. Lecture Notes in Computer Science, vol 13849. Springer, Cham. https://doi.org/10.1007/978-3-031-29371-9_18
DOI: https://doi.org/10.1007/978-3-031-29371-9_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29370-2
Online ISBN: 978-3-031-29371-9