1. Introduction
Stanford University, Dan Boneh et al., 2003 paper "A Survey of Two Signature Aggregation Techniques".
The scenario it targets is:
Given signatures on distinct messages from distinct users, it is possible to aggregate all these signatures into a single signature.
This single signature (and all original messages) will convince any verifier that the users signed the original messages (i.e., for , user signed message number ).
Practical applications include:
- in a Public Key Infrastructure (PKI) of depth , user signatures are accompanied by a chain of certificates. The chain contains signatures by Certificate Authorities (CAs) on distinct certificates.
- in the Secure BGP protocol (SBGP) each router receives a list of signatures attesting to a certain path of length in the network. A router signs its own segment in the path and forwards the resulting list of signatures to the next router. The number of signatures in routing messages is linear in the length of the path.
Both application scenarios benefit from a method for compressing the list of signatures on distinct messages issued by distinct parties. An aggregate signature achieves exactly this compression.
1.1 Relationship between aggregate signatures and multisignatures
In a multisignature, multiple users sign the same message, and the result is a single signature.
An aggregate signature instead combines signatures on distinct messages into an aggregate.
The paper surveys two signature schemes:
- general aggregation: the short signature scheme of Boneh, Lynn, and Shacham.
- sequential aggregation: the multisignature scheme of Micali, Ohta, and Reyzin, built from any trapdoor permutation.
Suppose there are users whose public/private key pairs are , and user wishes to sign the message .
2. General aggregate signatures
In a general aggregate signature scheme, user produces a signature on its own message .
The distinct signatures are compressed into a single signature by a public aggregation algorithm. A companion aggregate verification algorithm takes and checks whether the aggregate signature is valid.
The aggregation algorithm and the aggregate verification algorithm:
- aggregation algorithm: takes as input signatures on respective messages under respective public keys . Outputs a single aggregate signature .
- aggregate verification algorithm: takes as input an aggregate signature , messages and public keys , and verifies that is a valid aggregate signature on the given messages under the given keys.
An aggregate signature provides non-repudiation at once on many different messages by many users.
General aggregate signatures are called general because the public aggregation algorithm can be run by anyone, without interacting with the signers.
Boneh, Lynn, and Shacham's 2003 paper "Aggregate and verifiably encrypted signatures from bilinear maps" realizes a general aggregate signature scheme using bilinear maps from algebraic geometry.
2.1 Bilinear Maps
The mathematical foundations of general aggregate signatures are:
- Gap Diffie-Hellman groups: arise from a separation between Computational Diffie-Hellman and Decision Diffie-Hellman;
- bilinear groups: arise from the presence of a bilinear map, a function with certain properties.
Consider a multiplicative cyclic group of prime order , with generator .
- Computational Diffie-Hellman (CDH): Given , compute . The CDH assumption states that computing is computationally infeasible.
- Decision Diffie-Hellman (DDH): Given , decide whether equals . Tuples of this form, , are termed Diffie-Hellman tuples. The DDH assumption states that, without knowing or , it is hard to decide whether equals . [However, see Section 2.1.2: with a bilinear group the DDH assumption no longer holds.] (See also Section 2.7, "Inequality of discrete logs", of the blog post "A collection of zero-knowledge proof protocols built from Sigma protocols": if the witness or is known, one can decide whether holds.)
2.1.1 GDH Groups (Gap Diffie-Hellman groups)
For most cyclic groups , such as subgroups of , both the CDH and the DDH assumption hold.
However, on certain elliptic-curve groups [those with a bilinear map], the DDH problem is easy to solve, whereas CDH is believed hard [6,22]. Groups in which the CDH assumption holds but the DDH assumption fails are called Gap Diffie-Hellman (GDH) groups.
2.1.2 Bilinear groups
At present, the only known examples of GDH groups have additional structure, namely, a bilinear map.
A bilinear map is a map , where is another multiplicative cyclic group of prime order . It has the following properties:
- Computable: there is an efficient algorithm to compute for all .
- Bilinear: for all , holds.
- Non-degenerate: .
These properties imply the following (see the 2003 paper by Boneh, Lynn, and Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps"):
- for any , holds.
- for any , holds.
Any group that has such a map (satisfying the properties above) and in which the CDH assumption holds is called a bilinear group.
The bilinear map can be used to solve the DDH problem: given , one has
so the DDH assumption fails.
Conclusion:
If a group is a bilinear group, then it is also a GDH group.
Let be an elliptic curve and let be a subgroup (of prime order ) of the curve's group of points .
On certain curves, the Weil pairing and the modified Tate pairing yield a bilinear map , where the group is a subgroup of , and is a security multiplier that depends on the curve and on the group .
The choice of the multiplier trades off efficiency against security. The smaller , the faster the bilinear map can be computed; the larger , the higher the security level, i.e. the more difficult the CDH problem on .
Current CDH algorithms on require solving the discrete logarithm problem either in the generic group (of order ) or in the finite field .
The MNT family of curves has large subgroups with security multiplier , which satisfy the requirements.
2.2 BLS Signature Scheme
(See also Section 3 of the blog post "ECDSA VS Schnorr signature VS BLS signature".)
The BLS short signature scheme works in any Gap Diffie-Hellman group , and additionally needs a hash function from the message space onto the group .
Let be a GDH group of prime order , with a hash function (modeled as a random oracle).
Any string can be signed, and a BLS signature is a single element of . The BLS signature scheme runs as follows:
- Key Generation: choose a random , compute . The public key is , the private key is .
- Signing: given the private key and a message , compute . The BLS signature is .
- Verification: given the public key , a message and a signature , compute and verify that is a valid Diffie-Hellman tuple. (That is, check whether holds.)
Its security against existential forgery under a chosen message attack can be shown based on the CDH assumption in [6].
A BLS signature can be represented by its x-coordinate alone (BLS remains valid and secure even if only the x-coordinate of every signature point is transmitted).
For an MNT curve (with ) over a 170-bit field, a BLS signature is 170 bits long and provides security comparable to that of 1024-bit RSA or 320-bit DSA.
BLS signatures are half the size of DSA signatures with comparable security.
BLS signatures can be extended to threshold signatures, multisignatures and blind signatures.
2.3 Bilinear Aggregate Signatures
Bilinear aggregate signatures require the group to be a bilinear group; a general GDH group is not enough.
Bilinear aggregate signatures introduce a random-oracle hash function that takes as input a string and an element of : .
Bilinear aggregate signatures support general aggregation: anyone can combine pre-existing signatures into an aggregate, and no ordering of the aggregated elements is required; if an order is really needed, index numbers can be appended to the messages before signing.
Bilinear aggregate signatures add Aggregation and Aggregate Verification algorithms on top of the BLS signature scheme:
- Key Generation: choose a random , compute . The public key is , the private key is .
- Signing: given the private key , a message and the public key , compute . The BLS signature is .
- Verification: given the public key , a message and a signature , compute and verify that is a valid Diffie-Hellman tuple. (That is, check whether holds.)
- Aggregation: Arbitrarily assign to each user whose signature will be aggregated an index , ranging from to . Each user provides a signature on a message of her choice. Compute . The aggregate signature is .
- Aggregation Verification: given an aggregate signature for a set of users indexed as before, the original messages and public keys . Compute for , and verify whether holds. (By the derived properties in Section 2.1.2 it should hold.)
Security of bilinear aggregate signatures: knowing only the messages , the public keys and the aggregate signature , recovering the individual signatures is hard. This is equivalent to the CDH assumption; see Coron et al.'s 2003 paper "k-element aggregate extraction assumption is equivalent to the Diffie-Hellman assumption" for details.
Bilinear aggregate signatures support incremental aggregation:
Given an aggregate signature on messages under public keys :
- adding a signature (on a message M_{n+1} under public key ) yields the aggregate .
- if one of the signatures in is known, it can be removed from the aggregate: .
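As an added worked derivation (not part of the original post or the survey), using assumed names for the symbols: $G$ is the bilinear group with generator $g$, $e: G \times G \to G_T$ the bilinear map, user $i$ has private key $x_i$ and public key $v_i = g^{x_i}$, and $h_i = H(v_i, M_i)$ is the key-bound hash of Section 2.3. It shows why aggregate verification follows from bilinearity alone, and how the same identity yields the DDH test of Section 2.1.2 and the incremental aggregation rules above.

$$
\begin{aligned}
&\text{Bilinearity: } e(u^a, w^b) = e(u, w)^{ab} \quad \text{for all } u, w \in G,\ a, b \in \mathbb{Z}. \\
&\text{DDH test: } (g, g^a, g^b, g^c) \text{ is a DH tuple} \iff e(g^a, g^b) = e(g, g)^{ab} = e(g, g^c). \\
&\text{Signatures: } \sigma_i = h_i^{x_i}, \qquad \sigma = \prod_{i=1}^{n} \sigma_i. \\
&\text{Aggregate verification: } e(\sigma, g) = e\Big(\prod_{i=1}^{n} h_i^{x_i}, g\Big) = \prod_{i=1}^{n} e(h_i, g)^{x_i} = \prod_{i=1}^{n} e(h_i, g^{x_i}) = \prod_{i=1}^{n} e(h_i, v_i). \\
&\text{Incremental aggregation: } e(\sigma \cdot \sigma_{n+1}, g) = e(\sigma, g)\, e(h_{n+1}, v_{n+1}), \qquad e(\sigma / \sigma_j, g) = e(\sigma, g) / e(h_j, v_j).
\end{aligned}
$$

The verifier must recompute every $h_i$ with that signer's own $v_i$ inside $H$; a product built from any other key does not match the left-hand side, which is what makes the aggregate bind each message to its signer.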
3. Sequential aggregate signatures
In a sequential aggregate signature scheme, signature aggregation can only happen during the signing process. Each signer in turn adds its own signature on top of the current aggregate. The aggregate imposes an explicit order, and the signers must communicate with each other during aggregation.
A sequential aggregate signature is built in layers, like an onion: the first signature aggregated ends up in the innermost layer. The basic flow is:
- User 1 signs to obtain ;
- User 2 then combines and to obtain ; (aggregation and signing are done in one step.)
- The final signature binds user to for all .
The final length of a sequential aggregate signature equals the length of an ordinary signature.
A sequential aggregate signature can be built from a homomorphic trapdoor permutation such as RSA.
The multisignature scheme in the 1999 manuscript (unpublished) "Provable subgroup signatures" by Micali, Ohta, and Reyzin realizes sequential aggregate signatures, and Shacham analyzed it in his 2003 paper "Sequential aggregate signatures from trapdoor homomorphic permutations".
Although general aggregation is more powerful than sequential aggregation, sequential aggregation can be built from standard primitives such as RSA.
Both general aggregation and sequential aggregation can be used for compressing signatures in a certificate chain.
3.1 Trapdoor Homomorphic Permutations
Sequential aggregate signatures are built from trapdoor homomorphic permutations.
Definition of a permutation family :
a collection of permutations of some domain . Each permutation in has a description . Anyone given a description can evaluate the corresponding permutation.
A permutation family is one-way if, given a permutation description , it is infeasible to invert the corresponding permutation.
A permutation family has the trapdoor property if each description has a corresponding trapdoor such that it is easy to invert the permutation corresponding to with , and infeasible without .
A trapdoor permutation family is necessarily one-way.
A permutation family consists of the algorithms Generate, Evaluate and Invert:
- Generate: outputs the description of a permutation along with the corresponding trapdoor .
- Evaluate: takes a description and a value , and outputs , the image of under the permutation.
- Invert: takes a description , a trapdoor and a value , and outputs the preimage of under the permutation.
These algorithms must satisfy: is a permutation of for all , and holds for all and for all .
A trapdoor permutation is homomorphic if, within the group, it satisfies: if , then .
The output of Generate can be viewed as a probability distribution on permutations, written , where corresponds to the permutation and to the inverse permutation .
Each permutation in the family may have a different domain .
3.2 Full-domain signatures
The full-domain signature scheme introduces a random-oracle hash function . This hash maps bit strings into the entire domain (rather than some subset of ).
The full-domain signature scheme runs as follows:
- Key Generation: for a given user, choose a random . The user's public key is , the private key is .
- Signing: for a given user, given the private key and a message , compute , where , and compute . The signature is .
- Verification: given the user's public key , a message and a signature , compute and verify whether holds.
That is, the user signs via and verifies by checking .
If is a trapdoor permutation family, the scheme is secure against existential forgery under a chosen message attack; if it is also homomorphic, the security reduction is tighter.
3.3 Sequential Aggregate Signatures
Sequential aggregate signatures are built from a full-domain hash signature scheme over a homomorphic trapdoor permutation.
The following sequential aggregate signature scheme is based on the multisignature scheme in Micali, Ohta, and Reyzin's 1999 manuscript (unpublished) "Provable subgroup signatures".
The vector notation used in the paper is defined as follows:
The sequential aggregate signature scheme runs as follows:
- Key Generation: for a given user, choose a random . The user's public key is , the private key is .
- Aggregate Signing: given the private key , a message to sign and a sequential aggregate signature on a vector of messages under a vector of public keys . No key may appear twice in , and the vectors and must have the same length. When , must be 1 (i.e. the unit of ).
Compute , where , and compute . The sequential aggregate signature is .
- Aggregate Verification: given a sequential aggregate signature on messages under public keys , where . To verify, first set , then for , compute in turn and check whether equals .
Conceptually, the sequential aggregate signature can be written as:
where .
If is a homomorphic trapdoor permutation family, the trapdoor sequential aggregate signature scheme is secure. Moreover, as long as the forger does not obtain all private keys (e.g. one private key remains secure), the forger cannot frame the remaining honest user.
3.4 Aggregating with RSA
(For RSA, see the blog post "Cryptographic algorithms: RSA".)
Concretely:
- , where are two large primes.
- , where is the private key and the public key.
- is a permutation on , and is its inverse.
The difficulty is that two users cannot share the same modulus ; there are two ways to handle this:
(Suppose the users' moduli are ; these moduli are required to be of roughly the same size, i.e. ; let be the smallest of all . The hash function maps into the set ; values that do not land in it are handled by iterating the hash (see Section 4 of Bellare and Rogaway's 1993 paper "A paradigm for designing efficient protocols").)
- Method 1: constrain .
- Method 2: no constraint on the moduli.
Method 1 restricts the choice of signing keys more. Method 2 produces aggregate signatures that grow by one bit per signature. Neither method is a full-domain hash signature scheme any more, but since all moduli are of almost the same size, Coron's partial-domain hash analysis [9] applies.
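As an added example (not the survey's or this blog's own code), here is a toy Python instance of the RSA sequential aggregate signature of Sections 3.3 and 3.4: RSA is the homomorphic trapdoor permutation, SHA-256 iterated with a counter is the full-domain hash into Z_{n_min}, and verification peels the chain from the last signer inward. It assumes Method 1 in the form of moduli that increase along the signing chain (so the previous aggregate is always an element of the next signer's domain); the primes, key sizes and messages are constructed and far too small for real use.

```python
import hashlib
from math import gcd
# Constructed toy RSA keys from well-known primes (far too small to be secure).
def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
PK1, SK1 = rsa_keypair(10**9 + 7, 10**9 + 9)   # n1 ~ 2^60
PK2, SK2 = rsa_keypair(998244353, 2**31 - 1)   # n2 ~ 2^61, so n1 < n2

def full_domain_hash(pks, msgs, n_min):
    """H(pk_1..pk_i, M_1..M_i) -> Z_{n_min}: iterate SHA-256 with a counter until in range."""
    data = b"\x00".join(f"{n}:{e}:{m}".encode() for (n, e), m in zip(pks, msgs))
    bits, ctr = n_min.bit_length(), 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + data).digest()
        h = int.from_bytes(digest, "big") >> (256 - bits)
        if 0 < h < n_min:
            return h
        ctr += 1

def aggregate_sign(sk, pk, msg, pks, msgs, agg, n_min):
    """Signer i computes x_i = f_i^{-1}(h_i * x_{i-1}) = (h_i * x_{i-1})^d mod n_i."""
    n, d = sk
    if pk in pks or len(pks) != len(msgs) or (not pks and agg != 1):
        raise ValueError("keys must be distinct, vectors equal length, empty aggregate = 1")
    if agg >= n:   # assumption (Method 1): moduli increase along the chain
        raise ValueError("previous aggregate is not an element of this signer's Z_n")
    pks, msgs = pks + [pk], msgs + [msg]
    return pow(full_domain_hash(pks, msgs, n_min) * agg % n, d, n), pks, msgs

def aggregate_verify(agg, pks, msgs, n_min):
    """Peel the onion from the last signer inward; valid iff we end at x_0 = 1."""
    if len(pks) != len(msgs) or len(set(pks)) != len(pks):
        return False
    x = agg
    for i in range(len(pks), 0, -1):
        n, e = pks[i - 1]
        h = full_domain_hash(pks[:i], msgs[:i], n_min)
        if x >= n or gcd(h, n) != 1:
            return False
        x = pow(x, e, n) * pow(h, -1, n) % n   # x_{i-1} = f_i(x_i) * h_i^{-1}
    return x == 1

def demo():
    """Two-signer chain over constructed certificate-like messages."""
    n_min = min(PK1[0], PK2[0])
    agg, pks, msgs = aggregate_sign(SK1, PK1, "root CA -> intermediate", [], [], 1, n_min)
    agg, pks, msgs = aggregate_sign(SK2, PK2, "intermediate -> leaf", pks, msgs, agg, n_min)
    tampered = msgs[:1] + ["intermediate -> other leaf"]
    return aggregate_verify(agg, pks, msgs, n_min), aggregate_verify(agg, pks, tampered, n_min)
```

The verifier recomputes each h_i over the prefix of keys and messages up to signer i, exactly as that signer did; a single hash over the full vectors would not let the chain be peeled.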