On the security of some aggregate signature schemes (Q1952845)

Summary: The aggregate signature scheme proposed by Boneh, Gentry, Lynn, and Shacham allows \(n\) signatures on \(n\) distinct messages from \(n\) distinct users to aggregate a single signature that convinces any verifier that \(n\) users did indeed sign the \(n\) messages, respectively. The main benefit of such schemes is that they allow for bandwidth and computational savings. In this paper, we ask whether the existing aggregate signature schemes satisfy the basic property that they can convince any verifier that every user indeed signed the message which should be signed by him. We show that Rückert et al.'s scheme, and Shim's scheme do not satisfy the property. As a comparison, we investigate Boneh et al.'s scheme and show that, under the assumption that each signer correctly signs one message, Boneh et al.'s scheme satisfies this property under two users' setting. Furthermore, we propose the concept of inside attack on aggregate signatures and give an improved aggregate signature scheme based on Shim's scheme. We also prove that the improved scheme is secure against inside attacks.