Compact Sequential Aggregate Signatures Yi Mu
Willy Susilo
Huafei Zhu
School of Information Technology and Computer Science University of Wollongong Wollongong, NSW 2522, Australia
School of Information Technology and Computer Science University of Wollongong Wollongong, NSW 2522, Australia
Department of System and Information Security Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singpaore
[email protected]
[email protected]
[email protected]
ABSTRACT In this paper, a new notion which we call compact sequential aggregate signatures is introduced and formalized. Informally, a compact sequential aggregate signature states the following thing: for a given message vector m=(m1 , · · · , mι ), a public key vector PK=(PK1 , · · · , PKι ) and a path p=(v1 , · · · , vι ), where vi =(idi , PKi ), the size of third component σ in a sequential aggregate signature (m, p, σ) is independent of the path length ι. We propose a novel implementation of RSA-based regular signature scheme that works in an extended domain, and then transform it into a compact sequential aggregate signature scheme that works in a common domain such that the size of overflow bits is independent of the path length ι. Finally, we show that our implementation is provably secure in the random oracle model assuming that the RSA problem is hard.
Categories and Subject Descriptors C.2.0 [Computer Security]: Security
General Terms Communication, computer, security
Keywords Compact sequential aggregate signatures, Routing discovery protocol, RSA problem
1.
INTRODUCTION
At Eurocrypt’03, Boneh, Gentry, Lynn and Shacham first introduced and formalized a new notion called aggregate signatures [1]. An aggregate signature provides non-repudiation on many messages by many keys. The order of messages and keys in an aggregate signature can be non-sequenced (hereafter the notion of non-sequential aggregate signatures which
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC’07 March 11-15, 2007, Seoul, Korea Copyright 2007 ACM 1-59593-480-4 /07/0003 ...$5.00.
is referred to as aggregate signatures at [1]) or sequenced (hereafter the notion of sequential aggregate signatures first introduced and formalized by [8]). An aggregate signature scheme allows a user with a public/private key pair (PKi , SKi ) to sign a message mi and obtain a signature σi individually. The obtained n signatures σi (1 ≤ i ≤ n) can be combined by an unrelated party into an aggregate signature σ. The notion of sequential aggregate signatures was first introduced and formalized by Lysyanskaya, Micali, Reyzin and Shacham at Eurocrypt’04 [8]. A sequential aggregate signature differs from an aggregate signature (non-sequential aggregate signature) in that the signing and aggregation are a single operation. Sequential aggregate signatures are also useful for many network applications. For example, sequential aggregate signatures have been applied to implement routing protocols and broadcasting protocols with lower communication complexity [13, 14].
1.1
Motivation problem
At ICICS’05, Zhu, Bao and Deng [12] (including applications of their schemes [13, 14]) proposed a generic construction of sequential aggregate signatures from families of certificated trapdoor one-way permutations and showed that their implementation is provably secure in the random oracle model assuming that the underlying homomorphic permutations are trapdoor one-way. This is an interesting implementation of sequential aggregate signature scheme from the RSA problem that works for any modulus. Unfortunately, the size of overflow bits still grows by one bit per signature in their scheme and thus grows linearly with the number of hops in the underlying path. Very recently, Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW) proposed the first sequential aggregate signatures without random oracles [9] from a novel application of Waters’ signature[11]. The authors further presented their observations on reducing the size of overflow bits by applying Hayashi, Okamoto and Tanaka’ technique [7] if the underlying aggregate signatures are constructed from the RSA problem. As noted by [9], with this RSA permutation family, the improved Lysyanskaya, Micali, Reyzin and Shacham (LMRS) signature does not grow by 1 bit with each signature but evaluating the permutation requires two applications of the underlying RSA function, i.e., the cost is doubled. Since there appears no satisfactory solution to sequential aggregate signatures from the RSA problem such that the
size of overflow bits is independent of the underlying path length, and at the same time the proposed scheme is as efficiency as that of original LMRS scheme, we thus provide an interesting problem below: how to construct a secure yet practical sequential aggregate signature from the RSA problems such that the size of overflow bits is independent of the length of a path while the computation complexity of the proposed scheme should be approximate to that of the original LMRS schemes assuming that all moduli are bounded by a fixed size c?
1.2
This work
In this paper, a new notion which we call compact sequential aggregate signatures is introduced and formalized. The security definition of sequential aggregate signatures in this paper is classified into two cases: security of weak sequential aggregate signatures and security of strong aggregate signatures. We will show that a sequential aggregate signature scheme is secure if and only if the underlying individual signature is secure against adaptive chosen message attack and then prove the equivalence of two security notions. Finally, we propose a secure yet efficient implementation of compact sequential aggregate signatures which is provably secure in the random oracle mode assuming that the RSA problem is hard.
2.
SIGNATURES WORKING OVER LARGE DOMAINS
Since the security of our signature scheme is based on the difficulty of inverting RSA functions[10], we would like to sketch the related notions below: Definition 1: A collection of permutation F ={fi : Di → Di |i ∈ I} over some index set I ⊂ {0, 1}∗ is said to be a family of trapdoor one-way permutations if: 1) there is an efficient sampling algorithm S(1k ) which outputs a random string index i ∈ {0, 1}k ∩ I, and a trapdoor information ski ; there is an efficient sampling algorithm which, on input i, outputs a random x ∈ Di . Notice that there must be a mathematical structure associated with Di . For simplicity, we assume that Gi is a group (not necessary a cyclic group, e.g., Di = Zn∗i , if fi is the RSA function); 2) each fi is efficiently computable given i and input x ∈ Di ; 3) each fi is efficiently invertible given the trapdoor information ski and output y ∈ Di . For any probabilistic algorithm A, A is said (t(k), ε(k))F break F , if A runs in time at most t(k) and AdvA (k) ≥ (k), F where the advantage of A is defined as AdvA (k) =Pr[x0 = x|(i, ski ) ← S(1k ), x ← Gi , y = fi (x), x0 ← A(i, y)]. F is said to be (t(k), ε(k))-secure if no adversary A can (t(k), ε(k))-break it. RSA problem: If Di ← Zn∗i , fi is the RSA function, i.e., fi (x) =xei mod ni , and ski ← di such that ei di =1 mod φ(ni ), where φ() is Euler function, then a family of RSA trap-door one-way permutation can be defined. The F RSA problem is hard if AdvA (k) is at most an negligible amount (in the sense above).
2.1
The definition of security
We review the well-known security definition for ordinary digital signatures [6]. Existential unforgeability under a chosen message attack in the random oracle [3] for a signature scheme (KG, Sig, V f ) with a random oracle is defined using the following game between a challenger and an adv:
The challenger runs KG to obtain a public key pk and private key sk. The adversary adv is given pk; Proceeding adaptively, adv requests signatures with pk on at most qsig messages of his choice m1 , · · · , mqsig . The challenge responds to each query with a signature σi . Algorithm adv also adaptively asks for at most qH queries of the random oracle H; adv outputs a pair (m, σ) and wins the game if m ∈ / {m1 , · · · , mqsig }, and V f (pk, m, σ)=1 (a valid signature of the message m). By AdvSigA , we denote the probability of success of an adversary. Definition 2: we say a signature scheme is secure against adaptive chosen-message attack if for every polynomial time Turing machine A, the probability AdvSigA that it wins the game is at most a negligible amount, where the probability is taken over coin tosses of KG and Sig and A.
2.2
Encoding and decoding algorithms
Let f be an RSA trapdoor one-way permutation defined ∗ over ZN , where N =P Q, P and Q are two large prime numbers and |N |=k. Let H: {0, 1}∗ → {0, 1}l be a cryptographic hash function. Let f (x) = xe mod N and f −1 (x) = xd mod N , where ed ≡ 1 mod φ(N ), e is a public key, and d is the correspondent secret key. Throughout this section, we assume that l ≥ k + 1. On input a message m ∈ {0, 1}∗ , we obtain a string H(m) ∈ {0, 1}l which in turn can be rewritten as the form qN +r (= H(m)), where 0 ≤ r < N . Let g1 (m) =f −1 (r) and g2 (m) =Enc(q), where Enc is an encoding algorithm and Dec is the correspondent decoding algorithm, which are defined details below. • Encoding algorithm (Enc): on input a random string q ∈ {0, 1}τ , Enc outputs a (l−k)-bit codeword 0l−k−τ ||q of q which is denoted by Enc(q); • Decoding algorithm (Dec): on input a valid (l − k)-bit codeword Enc(q), Dec outputs a τ -bit string q.
2.3
The construction and proof of security
By (N, e, H, k, l, (Enc, Dec)), we denote the public key of a signature scheme. The secret key is (d, N ). Our signature scheme working in an extended domain is defined as follows: • Signing algorithm: on input a message m, the signer computes H(m), and then writes H(m) as the form qN + r (0 ≤ r < N , |N | =k); Finally it computes g1 (m) ← f −1 (r) and g2 (m) ← Enc(q), where Enc(q) is a padding of q; The signature σ of message m is (g1 (m), g2 (m)); • Verification algorithm: given a putative signature σ(m), a verifier computes r ← f (g1 (m)), and q ← Dec ?
(g2 (m)); Finally, the verifier checks H(m) = qN + r. Theorem 1: assuming that the RSA function is a trap∗ door one-way permutation defined over ZN , our signature scheme defined above is provably secure against existential forgery under an adaptive chosen-message attack in the random oracle model. Proof: applying the argument presented in [12], we have the above statement immediately.
3.
SYNTAX AND SECURITY DEFINITIONS
3.1
Syntax
A sequential aggregate signature scheme [(SKG, IKG), SASig, SAVf] in the public key infrastructure setting consists of the following algorithms: • System key generation algorithm (SKG): on input l, SKG outputs an initial value IV=0l and a cryptographic hash function H with output length l; • Individual key generation algorithm (IKG): on input ki , IKG outputs a public key and secret key pair (PKi , SKi ) of a trapdoor one-way permutation fi for a user i defined over Di , where the length of |Di | is ki , and l > ki . Let p={v1 , · · · , vι } be a path, where each node vi in the path p is of the form vi =(idi , PKi ), where idi is identity of node vi which cannot be forged, and PKi is a certified public key of vertex vi in the PKI setting. • Sequential aggregate signing algorithm (SASig): given a message mi , and a sequential aggregate σi−1 on messages {m1 , · · · , mi−1 } under respective public keys PK1 , · · · , PKi−1 , where m1 is the inmost message. All of m1 , · · · , mi−1 and PK1 , · · · , PKi−1 must be provided as inputs. SASig first verifies that σi−1 is a valid aggregate for messages {m1 , · · · , mi−1 } using the verification algorithm defined below (if i=1, the aggregate σ0 is taken to be zero strings 0l ). If not, it outputs ⊥, otherwise, it then adds a signature on mi under SKi to the aggregate and outputs a sequential aggregate σi on all i messages m1 , · · · , mi .
the distinct public keys PK1 , · · · , PKi−1 , and an additional message mi to be signed by the signing oracle under public key PK. Finally, A outputs a valid signature σi of a message mi which is associated with the aggregate σi−1 . The forger wins if A did not request (mi , σi−1 ) in the previous signing oracle queries. By SASigA , we denote the probability of success of an adversary. Definition 4: A sequential aggregate signature is called weakly secure if for every polynomial time Turing machine A, the probability SASigA that it wins the game is at most a negligible amount, where the probability is taken over coin tosses of (SKG, IKG) and SASig and A. A necessary and sufficient condition can be derived immediately from security definition of weakly secure sequential aggregate signatures which is stated below. Theorem 2: A sequential aggregate signature is weakly secure if and only if the underlying individual signatures is secure against adaptive chosen message attack. Security of strong sequential aggregate signatures: The security of strong sequential aggregate signatures is due to Lysyanskaya et al [8]. In this model, an adversary is given a single public key and generates other public/private key pairs himself. The adversary’s goal is the existential forgery of a sequential aggregate signature. To define the security of strong sequential aggregate signatures, the aggregate forger A is allowed to run the following game (By SASigA , we denote the probability of success in the game): • The aggregate forger A is provided with a pubic key PK, generated at random; • A generates other (n−1) public/private key pairs himself say PK1 , · · · , PKn−1 (for convenience, we here simply assume that an initial vector of a sequential aggregate signature is 0l since it does not affect the security of underlying sequential aggregate signature at all, see [8] for more details).
• Sequential aggregate verifying algorithm (SAVf): given a putative sequential aggregate signature σi on the messages {m1 , · · · , mi } under the respective public keys {PK1 , · · · , PKi }. If any key appears twice, if any element PKi does not describe a permutation or if the size of the messages is different from the size of the respective public keys reject. Otherwise, for j = i, · · · , 1, set σj−1 = fj (PK1 , · · · , PKj , σj ). The verification of σi−1 is processed recursively. The base case for recursion is i = 0, in which case simply check that σ0 . Accepts if σ0 equals the zero strings. Let p={v1 , · · · , vι } be a path and {m1 , · · · , mι } be a message set such that each message mi is associated with the node vi (1 ≤ i ≤ ι). Definition 3: a sequential aggregate signature is called compact if the sizes of third component σ for a signature {(m1 , · · · , mι ), p, σ} is independent of the path length ι.
3.2
The definition of security
The security definition of sequential aggregate signatures in this paper is classified into two cases: security of weak sequential aggregate signatures and security of strong aggregate signatures. Security of weak sequential aggregate signatures: The security of weak aggregate signatures allows an aggregate forger A is provided with a initial value IV, a set of public keys PK1 , · · · , PKi−1 and P K, generated at random. The adversary is then provided with SK1 , · · · , SKi−1 ; PK is called target public key. A requests sequential aggregate signatures with PK on messages of his choice. For each oracle query, the adversary supplies a sequential aggregate signature σi−1 on some messages m1 , · · · , mi−1 under
• for each query A, supplies a sequential aggregate signature σj on messages m1 , · · · , mj−1 under the distinct public keys PK1 , · · · , PKj , and additional message mj under PK; • A then outputs i distinguish public keys PK1 , · · · , PKi and PKj =PK (for some j ≤ i ≤ n); • Finally, A outputs messages m1 , · · · , mi and a sequential aggregate signature σ by the i users, each on his corresponding message with PK1 inmost. The forger A wins game if the sequential aggregate signature σ is a valid sequential aggregate signature on messages m1 , · · · , mi , under PK1 , · · · , PKi , and σ is non-trivia in the sense that A did not request a sequential aggregate signature on messages m1 , · · · , mi∗ under keys PK1 , · · · , PKi∗ , where i∗ is the index f the challenge key PK in the forgery. Definition 5: a sequential aggregate signature is called strongly secure if for every polynomial time Turing machine A, the probability SASigA that it wins the game is at most a negligible amount, where the probability is taken over coin tosses of (SKG, IKG) and SASig and A.
4.
EQUIVALENCE BETWEEN NOTIONS
By definitions above, we know that any strongly secure sequential aggregate signature is a weakly secure sequential aggregate signature. However, it is unclear whether
any weakly secure sequential aggregate signature is also a strongly secure sequential aggregate signature. This leaves the following interesting research problem: is any weakly secure sequential aggregate signature also a strongly secure sequential aggregate signature? Universally composable (UC) model: The universally composable (UC) model is first introduced and formalized by Canetti at FOCS 2001 [4]. In this approach, two models are constructed for a protocol under investigation: a real-world model, which describes the operation of the protocol with all its details in a particular computational model, and an ideal-world model, which describes the protocol in an abstract way mainly focusing on the services that the protocol should provide. The real-world adversary is an arbitrary process, while the abilities of the ideal-world adversary are usually constrained. The ideal-world adversary models the tolerable imperfections of the system; these are attacks that are unavoidable or very costly to defend against, and hence, they should be tolerated instead of being completely eliminated. The protocol is said to be secure if the real-world and the ideal-world models are equivalent, where the equivalence is defined as computational indistinguishability from the point of view of the honest protocol participants. More precisely, let n ∈ N . Let F be an ideal functionality and let ρ be an n-party protocol. Definition 6: we say a protocol ρ securely realizes F if for any adversary A there exists an ideal-process adversary S such that for any environment Z, we have IDEALF ,S,Z ≈ REALπ,A,Z . Universal composable theorem [4]: Let F be an ideal functionality. Let π be an n-party protocol in the F -hybrid model, and let ρ be an n-party protocol that securely realizes F . Then for any real-life adversary A there exists a hybridmodel adversary H such that for any environment machine Z we have REALπρ ,A,Z ≈ HYBF π,H,Z . In particular if π securely realizes some ideal functionality G in the F -hybrid model, then the protocol securely realizes G from scratch. Security of signatures in the UC model: the notion of ideal signature functionality Fsig has been formalized by Canetti in [5]. The basic idea is to have Fsig provide a registry service where a distinguished party S can register (message, signature) pairs. Any party that provides the right verification key can check whether a given pair is registered. More precisely, the basic functionality Fsig in [5] is defined as follows: • Key Generation: Upon receiving a value (KeyGen, sid) from some party S, verify that sid = (S, sid’) for some sid’. If not, then ignore the request. Else, hand (KeyGen, sid) to the adversary. Upon receiving (Verification Key, sid, v) from the adversary, output (Verification Key, sid, v) to S, and record the pair (S, v). • Signature Generation: Upon receiving a value (Sign, sid, m) from S, verify that sid = (S, sid’ ) for some sid’. If not, then ignore the request. Else, send (Sign, sid, m) to the adversary. Upon receiving (Sign, sid, m, σ) from the adversary, verify that no entry (m, σ, v, 0) is recorded. If it is, then output an error message to S and halt. Else, output (Signature, sid, m, σ) to S, and record the entry (m, σ, v, 1). • Signature Verification: Upon receiving a value (Verify,
sid, m, σ, v 0 ) from some party P, hand (Verify, sid, m, σ, v 0 ) to the adversary. Upon receiving (Verified, sid, m, φ) from the adversary do: – If v 0 = v and the entry (m, σ, 1) is recorded, then set f = 1. – Else, if v 0 = v, the signer is not corrupted, and no entry (m, σ 0 , 1) for any σ 0 is recorded, then set f = 0. – Else, if there is an entry (m, σ, f 0 ) recorded, then let f = f 0 . – Else, let f = φ and record the entry (m, σ 0 , φ). Output (Verified, id, m, f ) to P. Canetti ([5]): πΣ securely realizes Fsig if and only if Σ is existentially unforgeable against adaptive chosen-message attack (EU-CMA). Equivalence between two notions: we provide alternative view of sequential aggregate signatures by sequentially composable of the underlying signatures and show that the security of weak sequential aggregate signatures is equivalent to the security of strong sequential aggregate signatures with the help of Canett’s universally composable theorem. Since, the security of strong sequential aggregate signatures implies the security of weak sequential aggregate signature, it is sufficient to show that any weakly secure sequential aggregate signature is also a strongly secure sequential aggregate signature. Theorem 3: the security of weak sequential aggregate signatures implies the security of strong sequential aggregate signatures. Proof: For a given weakly secure sequential aggregate signature (say n-party), we know that the underlying individual signature schemes are existentially unforgeable against adaptive chosen-message attack. By πi , we denote the ith underlying signature scheme. Since πi securely realizes Fsig if and only if πi is existentially unforgeable against adaptive chosen-message attack (EU-CMA). For i = 1, we assume that π1 securely realizes Fsig , and ρ be the second signature scheme that securely realizes the functionality of a signature scheme Fsig . Now, we define the composed protocol π1 ρ by modifying the code of each interactive Turing machine in π1 so that the first message sent to each copy of Fsig is replaced with an invocation of a new copy of π1 with fresh random input, and with the contents of the message as input. Each subsequent message to that copy of Fsig is replaced with an activation of the corresponding copy of ρ, with the contents of that message given to ρ as new input. Each output value generated by a copy of ρ is treated as a message received from the corresponding copy of Fsig . By application of universally composable theorem, we know that the second order weak sequential aggregate signature π1 ρ is secure in the universal composable model. Recursively, we can make use of sequentially composable theorem for constructing the nth order of sequential aggregate signature from the underlying n signatures. By A, we denote a strong forger in the sense of Definition 5. Now, for a given challenge public key PK, A is allowed to corrupt all participants except the simulator who holds the challenge public key. Since the given sequential aggregate signature is secure in the UC model, it follows that it is there exists an interface (or simulator) such that it can simulate
the case that A corrupts up to the (n−1) participants except for the participant who holds the target public key PK. [2]
5.
COMPACT SEQUENTIAL AGGREGATE SIGNATURES
Let H: {0, 1}∗ → {0, 1}l be a cryptographic hash function and IV = 0l . Our sequential aggregate signature scheme is described as follows: Key generation algorithm (KG): Each user i generates an RSA public key (Ni , ei ) and secret key (Ni , di ), ensuring that |Ni | = ki . By fi (x) we define the RSA permutation xei mod Ni and by f −1 (x) we define the RSA permutation xdi mod Ni . By (Enc, Dec), we define a pair of encoding and decoding algorithms. Signing algorithm (SASig): User i is given an aggregate signature σi−1 , a sequence of messages m1 , · · · , mi−1 , and a path p = (v1 , · · · , vi−1 ). User i first verifies σi−1 , using the verification procedure below, where σ0 = 0l . If this succeeds, user i performs the following computations: -computing Hi = H(m1 , v1 , · · · , mi , vi ), where vj =(idj , PKj ); -computing gH (mi , vi ) = Hi ⊕ σi−1 ; -computing (qi , ri ) from the equation gH (mi ) =qi Ni + ri ; -computing gi,1 (mi ) ← fi−1 (ri ) and gi,2 (mi ) ← Enc(qi ); -σi ← (gi,1 (mi ), gi,2 (mi )). Verification algorithm (SAVf ): The verification is given as input an aggregate signature σi , a collection of messages (m1 , · · · , mi ), and a path (v1 , · · · , vk ), a verifier performs the following computations: -checking that no idi appears twice; -computing Hi = H(m1 , v1 , · · · , mi , vi ); -computing ri ← fi (gi,1 (mi )) and qi ← Dec(gi,2 (mi )); -recovering σi−1 from the equation Hi ⊕ σi−1 =qi Ni + ri (the right side of equation should be viewed as l-bit representation of qi Ni + ri ); The verification of σi is processed recursively. The base case for recursion is i = 0, in which case simply check that σ0 =0l . Theorem 4: Let ∪i∈I fi be a certificated RSA permutation family. Then the sequential aggregate signature scheme described above is strongly secure in the random oracle model. Proof: By Theorem 1, we know that the underlying signatures is EU-CMA. By Theorem 2, we know that the proposed sequential aggregate signature scheme described above is is weakly secure in the random oracle model. Since the security of weak sequential aggregate signatures implies the security of strong sequential aggregate signatures (by Theorem 3), it follows that the sequential aggregate signature scheme described above is strongly secure in the random oracle model assuming that the RSA problem is hard.
6.
CONCLUSION
We have proposed an efficient signature scheme working in an extended domain based on the RSA problem and then transformed it to compact sequential aggregate signature scheme working in a common domain. We have shown that our implementation is provably secure in the random oracle model assuming that the RSA problem is hard.
7.
REFERENCES [1] D.Boneh, C.Gentry, B.Lynn and H.Shacham: Aggregate and Verifiably Encrypted Signatures
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
from Bilinear Maps. EUROCRYPT 2003: 416 -432. D.Boneh, B.Lynn, H.Shacham: Short Signatures from the Weil Pairing. ASIACRYPT 2001: 514 -532. M.Bellare and P.Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In D. Denning, R.Pyle, R.Ganesan, R.Sandhu, and V.Ashby, editors, Proceedings of CCS 1993, pages 62-73. ACM Press, 1993. R. Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. FOCS 2001: 136-145 R. Canetti. Universally Composable Signatures, Certification, and Authentication. Proceedings of the 17th Computer Security Foundations Workshop (CSFW), June 2004. S.Goldwasser, S.Micali, R.Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 17(2): 281-308 (1988). R.Hayashi, T.Okamoto, K.Tanaka: An RSA Family of Trap-Door Permutations with a Common Domain and Its Applications. Public Key Cryptography 2004: 291 -304. A.Lysyanskaya, S.Micali, L.Reyzin and H.Shacham: Sequential Aggregate Signatures from trapdoor one-way permutations. EUROCRYPT 2004: 74-90. S.Lu, R.Ostrovsky, A.Sahai, H.Shacham, and B.Waters: Sequential Aggregate Signatures and Multisignatures without Random Oracles. Eurocrypt 2006, page 465-485. R.Rivest, A.Shamir, and L.M.Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2): 120-126 (1978). B.Waters: Efficient Identity-Based Encryption Without Random Oracles. EUROCRYPT 2005: 114 -127. H.Zhu, F.Bao, R.Deng: Sequential Aggregate Signatures Working over Independent Homomorphic Trapdoor One-Way Permutation Domains. ICICS 2005: 207 -219. H.Zhu, F.Bao, T.Chigan. Compact Routing Discovery Protocol with Lower Communication Complexity, IEEE Wireless Communications and Networking Conference 2006. H.Zhu, J.Zhou: Finding Compact Reliable Broadcast Communications in Unknown Fixed-identity Networks. ICICS 2006, December 4 -7, 2006, Raleigh, North Carolina, USA.