Efficient Unrestricted Identity-Based Aggregate Signature Scheme

An aggregate signature scheme allows anyone to compress multiple individual signatures from various users into a single compact signature. The main objective of such a scheme is to reduce the costs of storage, communication and computation. However, among the existing aggregate signature schemes in the identity-based setting, some fail to achieve constant-length aggregate signatures or require a number of pairing operations that grows linearly with the number of signers, while others place restrictions on the signatures that can be aggregated. The main challenge in building an efficient aggregate signature scheme is to compress signatures into a compact, constant-length signature without any restriction. To address the above drawbacks, we propose an efficient unrestricted identity-based aggregate signature scheme based on bilinear pairings. Our scheme achieves both full aggregation and a constant number of pairing computations. We prove that our scheme is existentially unforgeable under the computational Diffie-Hellman assumption.


Introduction
An aggregate signature [1] is a useful primitive that allows anyone to compress $n$ individual signatures, say $\sigma_1, \ldots, \sigma_n$, where $\sigma_i$ is a signature from the user with identity $ID_i$ on message $m_i$ for $1 \le i \le n$, into a single (shorter) signature, even if these signatures are on the same message or are produced by the same signer. The main goal in the design of such protocols is to reduce the costs of storage, communication and computation. Informally, the length of the aggregate signature should be constant, independent of the number of messages and signers. The resulting signature can convince a verifier that the user $ID_i$ indeed signed the corresponding message $m_i$ for all $i$, $1 \le i \le n$. This primitive is useful in many real-world applications (which involve multiple signatures on multiple messages generated by multiple users), especially in environments with low-bandwidth communication, low storage and low computing power. Typical applications for such schemes are wireless sensor networks (WSNs), since WSNs are resource constrained: limited power supply, communication bandwidth and memory space [2]. For example, in an environment monitoring network, the sensors record measurements from the environment, sign their data and send them to a monitoring center. The center aggregates these data and the signatures to save storage [3]. Aggregate signature schemes can also be applied to vehicular communications [4], many-to-one authentication [5], electronic transactions [6] and cloud computing [7] to improve the efficiency of verification and reduce the communication overhead.
Boneh, Gentry, Lynn and Shacham [1] first defined aggregate signatures and presented a concrete aggregate signature scheme constructed under traditional public key cryptography (PKC). In traditional PKC, a digital signature provides the authenticity of a signed message with respect to a public key, while the authenticity of the public key with respect to a signer is contained in a certificate issued by a certificate authority (CA). Whenever a verifier wants to verify a signature, he first has to verify the corresponding certificate. Therefore, an aggregate signature scheme working under traditional PKC requires heavy management, communication and computation cost to establish the authenticity of all signers' public keys, making the scheme both space and time inefficient, especially when the number of signers is large. To reduce this burden, Shamir [8] proposed the concept of identity-based public key cryptography (IB-PKC). IB-PKC requires a trusted third party, typically called a "Private Key Generator" (PKG), which serves a role similar to the CA in a PKC system, to generate the system parameters and users' private keys. In an identity-based cryptosystem, only the PKG has a traditional public key, and the public key of each user is derived directly from his identity information, such as his email address. The direct derivation of users' public keys eliminates the need for certificates and some of the problems associated with them. In an identity-based signature (IBS) scheme, to generate valid signatures of a signer with identity ID, one needs to know the private key of ID, while a verifier can directly use the signer's identity ID and the PKG's public key to verify signatures. This advantage of identity-based aggregate signature (IBAS) schemes becomes more compelling when we consider multiple signers.
In this setting, when all signers have their secret keys issued by the same PKG, the verifier needs only one traditional public key (that of the PKG) to verify multiple identity-based signatures on multiple messages.
To shorten the length of signatures and to avoid the authentication of public keys, Cheon et al. [9] presented the first identity-based aggregate signature (IBAS) scheme. To date, several IBAS schemes have been proposed [9-20]. However, some of them impose additional restrictions on the aggregation step. The schemes in [10,11] do not support simultaneous aggregation: they only allow each signer in turn to add his signature to a previously aggregated signature. The scheme in [12] requires that all signers participating in an aggregation agree upon a common random string that was never used before by any of the signers, and its secure use is restricted to the aggregation of signatures from distinct signers. The scheme in [13] requires interactive communication between signers to generate an aggregate signature, and hence increases the communication complexity.
Among the existing unrestricted aggregate signature schemes (which enable any user to freely aggregate multiple signatures) in the identity-based setting [9,14-20], all but one [9,14-19] achieve only partial aggregation rather than full aggregation, i.e., the length of the resulting aggregate signature grows with the number of aggregated individual signatures, which departs from the main goal of aggregate signatures. Obviously, such schemes are impractical for some wireless network scenarios.
Only the scheme in [20] achieves constant-length aggregate signatures, but it requires a large number of pairing operations: the number of pairings in its aggregate verification algorithm is proportional to the number of aggregated individual signatures.
In this paper, we construct an efficient IBAS scheme without any restriction. The proposed protocol is based on bilinear pairings. The new scheme simultaneously achieves constant-length aggregate signature and constant pairing operations during signature verification, and is shown to be existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the random oracle model.

Preliminaries
In this section, we review the basic concept of bilinear pairings and the complexity assumption on which our scheme relies.

Bilinear pairings
Let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ be a cyclic multiplicative group of the same order. A map $e : G_1 \times G_1 \to G_2$ is called a bilinear pairing if it satisfies the following properties:
1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in Z_q$.
2. Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \ne 1$.
3. Computable: there is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.
Otherwise, we call it non-negligible.
Definition 2. Let $G$ be a group of prime order $q \ge 2^k$ where $k$ is a security parameter. The Computational Diffie-Hellman (CDH) problem is: given three elements $P, aP, bP \in G$ for unknown randomly chosen $a, b \in Z_q$, compute $abP$.

Related complexity assumption
Let $A$ be a probabilistic polynomial-time algorithm. The advantage of $A$ in solving the CDH problem in group $G$ is defined to be

$$\mathrm{Adv}^{\mathrm{CDH}}_{A} = \Pr[\,A(P, aP, bP) = abP\,],$$

where the probability is taken over the uniformly and independently chosen instance with a given security parameter $k$ and over the random choices of $A$.
The CDH assumption states that for every probabilistic polynomial-time algorithm $A$, $\mathrm{Adv}^{\mathrm{CDH}}_{A}$ is negligible.

Definitions and Security Models
We first review the definition and the formal security model for IBS schemes. Then we describe the definition and the formal security model for IBAS schemes.
Setup. This algorithm is run by a private key generator (PKG). It takes a security parameter $k$ as input and outputs a master key $msk$ and a list of system parameters $params$. The system parameters are publicly known, while the master key is known to the PKG only.
Extract. This algorithm takes a user's identity $ID_i$, the system parameters $params$ and the master key $msk$ as input, and outputs the user's private key $D_i$. Usually, this algorithm is run by the PKG. The PKG sends $D_i$ to the user $ID_i$ through a secure channel.
Sign. This algorithm takes the system parameters $params$, a message $m_i$, an identity $ID_i$ and the corresponding private key $D_i$ as input, and outputs an individual signature $\sigma_i$ on the message $m_i$ for the user with identity $ID_i$. This algorithm is executed by the user $ID_i$.
Verify. This algorithm takes the system parameters $params$, an identity $ID_i$, a message $m_i$ and an individual signature $\sigma_i$ as input, and outputs 1 or 0 for valid or invalid, respectively.
3.1.2 Security requirements for identity-based signature schemes. We review the usual security model of IBS [17,21], which is an extension of the usual notion of existential unforgeability under chosen-message attacks [22]. The security model mainly captures the following two attacks:
1. Adaptive chosen message attack: it allows an adversary to ask the signer to sign any message of its choice in an adaptive way, i.e., it can adapt its queries according to previous answers;
2. Adaptive chosen identity attack: it allows the adversary to forge a signature with respect to an identity chosen by the adversary.
Finally, the adversary should not be able to produce a new message-signature pair with non-negligible advantage. The security of an IBS scheme is defined via the following game.
Game I (Unforgeability of IBS). This game is performed between a challenger $C$ and an adversary $A$ with respect to the scheme (Setup, Extract, Sign, Verify). It captures the attack scenario in which a dishonest user, who is allowed access to the signing oracle for any desired messages and identities but cannot obtain the victim's private key, wants to create a new valid signature.
Setup. Taking a security parameter k as input, the challenger C runs the Setup algorithm to obtain a master secret key msk and system parameters params. Then C sends params to the adversary A, but keeps msk secret.
Queries. $A$ makes a polynomially bounded number of the following queries in an adaptive manner.
Extraction queries. Given an identity $ID_i$, the challenger returns the private key $D_i$ corresponding to $ID_i$.
Signature queries. Given an identity $ID_i$ and a message $m_i$, $C$ returns an individual signature $\sigma_i$ on $m_i$ with respect to $ID_i$.
Forgery. Eventually, $A$ outputs an identity-based signature $\sigma^*$ on a message $m^*$ for an identity $ID^*$. We say that $A$ wins Game I if and only if:
(1) $\sigma^*$ is a valid signature on message $m^*$ under identity $ID^*$;
(2) $ID^*$ has never been queried during the Extraction queries, and $(ID^*, m^*)$ has never been queried during the Signature queries.
The advantage of A is defined as the probability that it wins in Game I.
Definition 3. An IBS scheme is said to satisfy the property of existential unforgeability against adaptive chosen-message attack and adaptive chosen-identity attack (EUF-IBS-CMA) if there is no probabilistic polynomial-time adversary A with non-negligible advantage in Game I.

Formal model of identity-based aggregate signature schemes
3.2.1 Definition of identity-based aggregate signature schemes. An IBAS scheme involves a PKG, an aggregating multiset of $n$ users and an aggregate signature generator. It allows the generator to compress any $n$ individual signatures, together with a multiset of $n$ message-identity pairs that may contain several signatures on the same message from the same signer, into a single signature. An IBAS scheme is a tuple (Setup, Extract, Sign, Verify, Agg, AggVerify) of six polynomial-time algorithms, built on the IBS scheme (Setup, Extract, Sign, Verify), with the following functionality:
Setup, Extract, Sign, Verify. These algorithms are the same as those in the IBS scheme in Section 3.1.1.
Agg. This algorithm is run by an aggregate signature generator and allows the generator to compress multiple individual signatures into an aggregate signature. It takes the system parameters $params$ and $n$ signatures $(\sigma_1, \ldots, \sigma_n)$, each signature $\sigma_i$ being under an identity $ID_i$ on a message $m_i$, as input, and outputs an aggregate signature $\sigma_{Agg}$ for the multiset of message-identity pairs $\{(m_1, ID_1), \ldots, (m_n, ID_n)\}$.
AggVerify. This algorithm takes an aggregate signature $\sigma_{Agg}$ and a multiset of $n$ message-identity pairs $\{(m_1, ID_1), \ldots, (m_n, ID_n)\}$ as input, and outputs 1 if the aggregate signature is valid, or 0 otherwise.

Security requirements for identity-based aggregate signature schemes. An IBAS scheme should be secure against existential forgery under adaptive chosen-message attack and adaptive chosen-identity attack. Unforgeability of IBAS is defined via the following game, performed between a challenger and an adversary. The adversary's goal is the existential forgery of an aggregate signature. Informally, it should be computationally infeasible for any adversary to produce a forgery. We formalize the security model as follows.
Game II (Unforgeability of IBAS). This game is performed between a challenger $C$ and an adversary $A$ with respect to the scheme (Setup, Extract, Sign, Verify, Agg, AggVerify). It captures the attack scenario in which a dishonest user, who is allowed access to the signing oracle for any desired messages and identities, wants to create a forgery without knowing the private keys of all the signers.
Setup. Taking a security parameter k as input, the challenger C runs the Setup algorithm to obtain a master secret key msk and system parameters params. Then C sends params to the adversary A, but keeps msk secret.
Queries. $A$ makes a polynomially bounded number of the following queries in an adaptive manner.
Forgery. Eventually, $A$ outputs a multiset of $n$ message-identity pairs $\{(m^*_1, ID^*_1), \ldots, (m^*_n, ID^*_n)\}$ and an aggregate signature $\sigma^*_{Agg}$. We say that $A$ wins the game if and only if:
(1) $\sigma^*_{Agg}$ is a valid aggregate signature on the message-identity pairs $\{(m^*_1, ID^*_1), \ldots, (m^*_n, ID^*_n)\}$;
(2) at least one of the identities, without loss of generality say $ID^*$, has never been queried during the Extraction queries, and $(ID^*, m^*)$ has never been queried during the Signature queries.
The advantage of A is defined as the probability that it wins in Game II.
Definition 4. An IBAS scheme is said to satisfy the property of existential unforgeability against adaptive chosen-message attack and adaptive chosen-identity attack (EUF-IBAS-CMA) if there is no probabilistic polynomial-time adversary $A$ with non-negligible advantage in Game II.

A New Identity-Based Signature Scheme
In this section, we propose a provably secure identity-based signature scheme which can be used to construct an unrestricted IBAS scheme.

Proposed basic identity-based signature scheme
The proposed IBS scheme consists of the following four concrete algorithms:
Setup. Given a security parameter $k$, the private key generator (PKG) chooses a prime $q$, a cyclic additive group $G_1$ and a cyclic multiplicative group $G_2$ of prime order $q$, a random generator $P$ of $G_1$, an admissible pairing $e : G_1 \times G_1 \to G_2$, and two cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \to Z_q^*$. It also randomly chooses $s_1, s_2 \in Z_q^*$, sets the master key $msk = (s_1, s_2)$, and computes $P_1 = s_1 P$ and $P_2 = s_2 P$. Finally, it broadcasts the system parameters $params = (q, G_1, G_2, e, P, P_1, P_2, H_1, H_2)$.
Extract. For a given identity $ID_i$, the PKG computes $Q_i = H_1(ID_i)$ and sets this user's private key $D_i$ to be $(s_1 Q_i, s_2 Q_i) = (D_{i,1}, D_{i,2})$.
Sign. To sign a message $m_i$ with private key $D_i$, the signer chooses a random $r_i \in Z_q^*$ and computes $U_i = r_i P$, $h_i = H_2(m_i, ID_i)$, $V_i = h_i D_{i,1} + r_i P_1$ and $W_i = D_{i,2} + r_i P_2$. The signature on $m_i$ is $\sigma_i = (U_i, V_i, W_i)$.
Verify. Upon receipt of an individual signature $\sigma_i = (U_i, V_i, W_i)$, the verifier computes $Q_i = H_1(ID_i)$ and $h_i = H_2(m_i, ID_i)$, and checks $e(V_i, P) = e(h_i Q_i + U_i, P_1)$ and $e(W_i, P) = e(Q_i + U_i, P_2)$ (the first equation pairs with $P_1$ because $V_i = h_i D_{i,1} + r_i P_1 = s_1(h_i Q_i + U_i)$). If both equations hold, then the individual signature $\sigma_i = (U_i, V_i, W_i)$ is valid.

Security proof of the IBS scheme
The following theorem shows that in the random oracle model, our IBS scheme is existentially unforgeable against adaptive chosen-message attack and adaptive chosen-identity attack under the assumption that the CDH problem in $G_1$ is intractable. Concretely, we show that if a probabilistic polynomial-time bounded adversary exists who can break our IBS scheme with non-negligible probability, we will be able to solve the computational Diffie-Hellman problem with non-negligible probability, which contradicts the CDH assumption.
Theorem 1. In the random oracle model, if there exists a polynomial-time adversary $A$ who has an advantage in forging a signature of our IBS scheme in an attack modeled by Game I of Section 3.1.2 within time at most $t$, after asking at most $q_{H_i}$ $H_i$ queries ($i = 1, 2$), $q_E$ Extraction queries and $q_S$ Signature queries, then the CDH problem in $G_1$ can be solved within time
where $e$ is the base of the natural logarithm, $t_M$ is the time of computing a scalar multiplication in $G_1$, and $t_I$ is the time of computing an inversion in $Z_q^*$.
Proof. Using a proof technique similar to [17,23,24], we construct a probabilistic polynomial-time algorithm $C$ that solves the CDH problem by using the adversary $A$ who can break our IBS scheme. Suppose that $C$ is given a random instance $(P, aP, bP) \in G_1^3$ of the CDH problem for some unknown $a, b \in Z_q^*$. The task of $C$ is to compute $abP$. $C$ plays the role of $A$'s challenger in Game I and interacts with $A$ as follows:
Setup. $C$ simulates the Setup algorithm as follows:
1. Choose a random value $s \in Z_q^*$ and set $P_1 = aP$, $P_2 = sP$, where $a \in Z_q$ is unknown to $C$.
2. Choose a cyclic group $G_2$ of prime order $q$ and a bilinear map $e : G_1 \times G_1 \to G_2$.
3. Choose two hash functions $H_1$ and $H_2$ as random oracles.
4. Send the system parameters $params = (q, G_1, G_2, e, P, P_1, P_2, H_1, H_2)$ to $A$.
Query. Proceeding adaptively, $A$ is allowed to query the random oracles $H_1$, $H_2$, the Extraction oracle and the Signature oracle a polynomial number of times. $C$ simulates these oracles for $A$ as follows:
$H_1$ queries. At any time, $A$ can issue an $H_1$ query on an identity. To avoid collisions and respond consistently to $H_1$ queries, $C$ maintains a list $L_{H_1}$ of tuples $(ID, t, c, Q)$ which stores its responses to such queries. This list is initially empty. When the oracle $H_1$ is queried on $ID$, $C$ responds as follows:
1. If the query $ID$ already appears on $L_{H_1}$ in a tuple $(ID, t, c, Q)$, $C$ responds to $A$ with $H_1(ID) = Q$.
Extraction queries. When $A$ queries the private key corresponding to $ID$, $C$ first finds the corresponding tuple $(ID, t, c, Q)$ on $L_{H_1}$.
1. If $c = 0$, $C$ fails and aborts the simulation.
2. Otherwise, $C$ computes $D_1 = tP_1$ and $D_2 = tP_2$, and responds to $A$ with $D = (D_1, D_2)$.
Signature queries. When $A$ makes a Signature query on $m$ for $ID$, $C$ randomly chooses $r \in Z_q^*$ and computes $U = rP - hQ$ and $V = rP_1$, where $h = H_2(m, ID)$. Then $C$ computes $W = s(Q + U)$ and responds to $A$ with the signature $\sigma = (U, V, W)$.
Forgery. Eventually, $A$ outputs a forged signature $\sigma^* = (U^*, V^*, W^*)$ on a message $m^*$ for an identity $ID^*$. $C$ finds the corresponding tuple $(ID^*, t^*, c^*, Q^*)$ on $L_{H_1}$. If $c^* \ne 0$, $C$ fails and aborts. Otherwise, by applying the forking lemma [25], after replaying $A$ with the same random tape but different choices of the oracle $H_2$, $C$ obtains two valid signatures. Combining the two corresponding verification equations, and noting that $P_1 = aP$ and $H_1(ID^*) = Q^* = t^*(bP)$ since $c^* = 0$, $C$ can solve the CDH instance by computing $abP$ from them.
Probability analysis. It remains to evaluate the probability that $C$ solves the given instance of CDH. First, we analyze the events needed for $C$ to succeed before the rewinding.
$E_1$: $C$ does not abort as a result of any of $A$'s Extraction queries.
$E_2$: $A$ generates a valid and nontrivial aggregate signature ... where $c_i$ is the $c$-component of the tuple containing $ID_i$ on $L_{H_1}$.
$C$ succeeds before the rewinding if all of these events occur. The probability $\Pr[E_1 \wedge E_2 \wedge E_3]$ is decomposed as
$$\Pr[E_1 \wedge E_2 \wedge E_3] = \Pr[E_1] \cdot \Pr[E_2 \mid E_1] \cdot \Pr[E_3 \mid E_1 \wedge E_2].$$
The following claims give a lower bound for each of these terms.
Claim 1. The probability that algorithm $C$ does not abort as a result of $A$'s Extraction queries is at least $(1-\delta)^{q_E}$. Hence we have $\Pr[E_1] \ge (1-\delta)^{q_E}$.
Proof. Since $A$ makes at most $q_E$ queries to the Extraction oracle and $\Pr[c = 1] = 1 - \delta$, the probability that algorithm $C$ does not abort as a result of $A$'s Extraction queries is at least $(1-\delta)^{q_E}$.
Claim 2. If $C$ does not abort as a result of $A$'s Extraction queries, then $A$'s view is identical to its view in the real attack. Hence, $\Pr[E_2 \mid E_1]$ is at least $A$'s advantage minus $1/q$.
Proof. Since the probability that $A$ generates a valid and nontrivial signature for $(m^*, ID^*)$ without asking the $H_2$ oracle in advance is less than $1/q$, the probability that $A$ outputs a valid forgery $\sigma^*$ after querying $H_2(m^*, ID^*)$ is at least $A$'s advantage minus $1/q$.
Claim 3. The probability that $C$ does not abort after $A$ outputs a valid and nontrivial forgery is at least $\delta$. Hence, $\Pr[E_3 \mid E_1 \wedge E_2] \ge \delta$.
Proof. After $A$ outputs a valid and nontrivial forgery, algorithm $C$ does not abort if and only if $c^* = 0$. Since $\Pr[c^* = 0] = \delta$, the probability that $C$ does not abort is at least $\delta$.
Combining all of the above results gives a lower bound on $\Pr[E_1 \wedge E_2 \wedge E_3]$, the probability that $C$ does not abort in the first run of $A$.
According to the general forking lemma [25], $C$ obtains two successful forgeries of $A$ without aborting with a related probability, and hence solves the CDH problem with a probability that is non-negligible whenever $A$'s advantage is non-negligible. Algorithm $C$'s running time is roughly the same as $A$'s running time plus the time it takes to respond to hash queries, Extraction queries and Signature queries, plus the time to transform $A$'s final forgery into the CDH solution. An $H_1$ query requires one scalar multiplication, an Extraction query two scalar multiplications, a Signature query four scalar multiplications, and the output phase one scalar multiplication and two inversions. Hence, the total running time is at most
$$2\bigl(t + t_M (q_{H_1} + 2 q_E + 4 q_S)\bigr) + t_M + 2 t_I.$$
A New Identity-Based Aggregate Signature Scheme

Proposed identity-based aggregate signature scheme
Now, we construct an IBAS scheme using the basic IBS scheme of the previous section. If both equations hold, then the aggregate signature $\sigma_{Agg}$ is valid.
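As an added worked example (not code from the paper), the following Python models the algebra of the four IBS algorithms of the previous section and of the aggregate scheme, and also checks the forking step of the proof of Theorem 1 and the four-pairing verification cost claimed in the Performance analysis. Everything about its group is an assumption made for readability: the pairing is an insecure mock in which $G_1$ is the additive group $Z_q$ (so $aP$ is just the integer $a$) and $e(A, B) = A \cdot B \bmod q$, bilinear and non-degenerate but with trivial discrete logarithms, so it can check that the verification equations hold, never that the scheme is secure; $H_1$ and $H_2$ are SHA-256 digests reduced into $Z_q^*$. Since the page does not spell out Agg and AggVerify, the code assumes the natural component-wise sum $(\sum U_i, \sum V_i, \sum W_i)$, verified by the two IBS equations with $\sum h_i Q_i$ and $\sum Q_i$ in place of $h_i Q_i$ and $Q_i$, which is consistent with the three-element forgery $(U^*, V^*, W^*)$ of Theorem 2 and with the four-pairing count; the first IBS verification equation is taken against $P_1$, as $V_i = h_i D_{i,1} + r_i P_1$ requires. The CDH-extraction formula in demo_forking is likewise derived from the Sign equations rather than copied from the page, and the sensor readings are constructed sample data.

```python
# Added toy model of the paper's IBS/IBAS algebra; not the paper's own code.
# INSECURE MOCK PAIRING: G1 is the additive group Z_q (the point aP is the
# integer a mod q and the generator P is 1) and the target group is written
# additively too, e(A, B) = A*B mod q, so e(aA, bB) = ab*e(A, B) and e is
# non-degenerate.  The verification equations therefore behave exactly as in
# the paper, but discrete logs in this G1 are trivial: the model checks the
# correctness of the equations only, never their security.
import hashlib
import secrets

Q = (1 << 61) - 1        # prime group order (Mersenne prime 2^61 - 1)
P = 1                    # generator of the mock G1
PAIRINGS = [0]           # counts pairing evaluations, for the cost check

def e(A, B):
    """Mock bilinear map: e(aP, bP) = ab * e(P, P), with e(P, P) = 1."""
    PAIRINGS[0] += 1
    return A * B % Q

def _hash_to_zq_star(tag, *parts):
    digest = hashlib.sha256(tag + "|".join(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1   # value in Z_q^*

def H1(ID):               # H1: {0,1}* -> G1 (mock: a nonzero scalar)
    return _hash_to_zq_star(b"H1", ID)

def H2(m, ID):            # H2: {0,1}* -> Z_q^*
    return _hash_to_zq_star(b"H2", m, ID)

def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1

def setup():
    s1, s2 = rand_zq_star(), rand_zq_star()
    return (s1, s2), (s1 * P % Q, s2 * P % Q)            # msk, params = (P1, P2)

def extract(msk, ID):
    s1, s2 = msk
    Qi = H1(ID)
    return (s1 * Qi % Q, s2 * Qi % Q)                    # D_i = (s1 Q_i, s2 Q_i)

def sign(params, D, m, ID, r=None, h=None):
    """r is random and h = H2(m, ID) unless fixed for the forking demo."""
    P1, P2 = params
    D1, D2 = D
    r = rand_zq_star() if r is None else r
    h = H2(m, ID) if h is None else h
    U = r * P % Q
    return (U, (h * D1 + r * P1) % Q, (D2 + r * P2) % Q)  # (U_i, V_i, W_i)

def verify(params, sig, m, ID):
    P1, P2 = params
    U, V, W = sig
    Qi, h = H1(ID), H2(m, ID)
    return (e(V, P) == e((h * Qi + U) % Q, P1)
            and e(W, P) == e((Qi + U) % Q, P2))

def aggregate(sigs):
    """ASSUMED Agg: component-wise sum; three elements whatever n is."""
    return tuple(sum(c) % Q for c in zip(*sigs))

def agg_verify(params, agg_sig, pairs):
    """ASSUMED AggVerify: the two IBS equations with h_i Q_i and Q_i summed."""
    P1, P2 = params
    U, V, W = agg_sig
    hq = sum(H2(m, ID) * H1(ID) for m, ID in pairs) % Q
    qs = sum(H1(ID) for _, ID in pairs) % Q
    return (e(V, P) == e((hq + U) % Q, P1)
            and e(W, P) == e((qs + U) % Q, P2))

def demo_aggregate():
    """Constructed sensor readings; the same signer and message appear twice."""
    msk, params = setup()
    pairs = [("temp=21C", "sensor-A"), ("temp=22C", "sensor-B"),
             ("temp=21C", "sensor-A")]
    sigs = [sign(params, extract(msk, ID), m, ID) for m, ID in pairs]
    each_ok = all(verify(params, s, m, ID) for s, (m, ID) in zip(sigs, pairs))
    agg = aggregate(sigs)
    PAIRINGS[0] = 0
    agg_ok = agg_verify(params, agg, pairs)
    n_pairings = PAIRINGS[0]                             # 4, independent of n
    tampered = agg_verify(params, agg, [("temp=99C", "sensor-A")] + pairs[1:])
    return each_ok, agg_ok, n_pairings, tampered         # (True, True, 4, False)

def demo_forking():
    """Extraction step of Theorem 1 in the mock: P1 = aP, Q* = t*(bP); two valid
    signatures that share U* but use different H2 answers h, h' give
    (V - V') / ((h - h') t*) = abP.  Honest signatures with a fixed r stand in
    for the replayed adversary's two forgeries."""
    a, b, t, s2 = rand_zq_star(), rand_zq_star(), rand_zq_star(), rand_zq_star()
    params = (a * P % Q, s2 * P % Q)                     # P1 = aP, P2 = s2 P
    Qstar = t * b % Q                                    # Q* = t (bP)
    D = (a * Qstar % Q, s2 * Qstar % Q)                  # (s1 Q*, s2 Q*) with s1 = a
    r, h1, h2 = rand_zq_star(), 12345, 67890             # same r, forked H2 answers
    _, V1, _ = sign(params, D, "m*", "ID*", r=r, h=h1)
    _, V2, _ = sign(params, D, "m*", "ID*", r=r, h=h2)
    abP = (V1 - V2) * pow((h1 - h2) * t % Q, -1, Q) % Q
    return abP == a * b % Q                              # True
```

Calling demo_aggregate() shows that the assumed aggregate stays three elements, that agg_verify evaluates exactly four pairings however many signatures were aggregated, and that a multiset with one altered message fails; demo_forking() checks the extraction algebra of the reduction. Because the pairing is a stand-in, nothing about timings, element sizes or security in a real pairing group can be read off this model.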

Security proof of the IBAS scheme
In this subsection, we are going to prove the security of our identity based aggregate signature scheme. The proof outline is as follows.
We assume to the contrary that our IBAS scheme is not EUF-IBAS-CMA secure, that is, that there exists a polynomial-time bounded adversary $A$ who can forge a signature in the IBAS scheme under the adaptive chosen-message and chosen-identity attacks. The goal of the proof is to show that under this assumption, our IBS scheme is not EUF-IBS-CMA secure.
Theorem 2. If there exists an adversary $A$ who has an advantage in forging an aggregate signature of our IBAS scheme in an attack modeled by Game II within time at most $t$, after asking at most $q_{H_i}$ $H_i$ queries ($i = 1, 2$), $q_E$ Extraction queries and $q_S$ Signature queries, with at most $N$ signers, then there exists an algorithm that forges a signature of our IBS scheme in an attack modeled by Game I, winning Game I within time
and with advantage
where $e$ and $t_M$ denote the same quantities as in Theorem 1.
Proof. Here we follow the idea from [17,26,27]. Suppose that A is a forger who breaks the IBAS scheme. By using A, we will construct an algorithm C which outputs a forgery of our IBS scheme. Algorithm C performs the following simulation by interacting with the adversary A.
Setup. It is the same as that described in the proof of Theorem 1.
$H_1$ queries. To respond to $H_1$ queries, $C$ maintains a list $L_{H_1}$ of tuples $(ID, t, c, Q)$, which is initially empty. When $A$ queries the oracle $H_1$ on $ID$, $C$ responds as follows:
1. If the query $ID$ already appears on $L_{H_1}$ in a tuple $(ID, t, c, Q)$, $C$ responds with $H_1(ID) = Q$.
$H_2$ queries, Extraction queries, Signature queries. When $A$ makes $H_2$ queries, Extraction queries or Signature queries, $C$ responds as defined in the proof of Theorem 1.
Forgery. Eventually, $A$ outputs an aggregate signature $\sigma^*_{Agg} = (U^*, V^*, W^*)$ on a multiset of message-identity pairs. It is required that there exists $k \in \{1, \ldots, n\}$ such that $c^*_j = 1$ for $j = 1, \ldots, n$, $j \ne k$, and $c^*_k = 0$ (without loss of generality, we let $k = 1$), and that $A$ has not made a Signature query on $(ID^*_1, m^*_1)$. Therefore, the aggregate signature $\sigma^*_{Agg} = (U^*, V^*, W^*)$ satisfies the aggregate verification equations.
Using the private keys of $ID^*_2, \ldots, ID^*_n$, which $C$ can compute since $c^*_j = 1$ for $j \ge 2$, $C$ transforms $\sigma^*_{Agg}$ into an individual signature $\sigma'^*$ on $(m^*_1, ID^*_1)$ that satisfies the IBS verification equations. Finally, $C$ outputs $\sigma'^*$ as a forgery of the IBS scheme.
Probability analysis. Similar to the analysis in Theorem 1, we analyze three events needed for $C$ to succeed.
$E_1$: $C$ does not abort as a result of any of $A$'s Extraction queries.
$E_2$: $A$ generates a valid and nontrivial aggregate signature ... where $c_i$ is the $c$-component of the tuple containing $ID_i$ on $L_{H_1}$.
$C$ succeeds if all of these events happen. The probability $\Pr[E_1 \wedge E_2 \wedge E_3]$ is decomposed as in Theorem 1.
Claim 1. The probability that $C$ does not abort as a result of $A$'s Extraction queries is at least $(1-\delta)^{q_E}$. Hence, $\Pr[E_1] \ge (1-\delta)^{q_E}$.
Claim 2. If $C$ does not abort as a result of $A$'s Extraction queries and Signature queries, then $A$'s view is identical to its view in the real attack. Hence, $\Pr[E_2 \mid E_1]$ is bounded below by $A$'s advantage, as in Claim 2 of Theorem 1.
Claim 3. The probability that $C$ does not abort after $A$ outputs a valid and nontrivial forgery is at least $(1-\delta)^{N-1} \cdot \delta$.
Proof. Algorithm $C$ aborts unless $A$ generates a forgery such that $c^*_1 = 0$ and $c^*_j = 1$ for $2 \le j \le n$. Now $c^*_1 = 0$ occurs with probability $\delta$, and the probability that $c^*_j = 1$ for all $2 \le j \le n$ is at least $(1-\delta)^{N-1}$. Therefore, $\Pr[E_3 \mid E_1 \wedge E_2] \ge (1-\delta)^{N-1} \cdot \delta$.
Combining all of the above results, the advantage of $C$ in producing the correct answer is at least $A$'s advantage times $\delta(1-\delta)^{q_E}(1-\delta)^{N-1} = \delta(1-\delta)^{q_E+N-1}$, which is maximized at $\delta = 1/(q_E + N)$. Therefore, the advantage of $C$ is greater than $A$'s advantage divided by $(q_E + N)e$.
With Theorems 1 and 2, we conclude that the proposed IBAS scheme is secure against adaptive chosen-message and chosen-identity attacks under the hardness assumption of the CDH problem in the random oracle model.

Performance analysis
Computation cost and aggregate signature size are two important parameters affecting the efficiency of an IBAS scheme. In this section, we compare our scheme with the existing unrestricted identity-based aggregate signature schemes [9,14-17,19,20] in terms of aggregate signature size and of computation cost in the signing phase and the aggregate verification phase, respectively. Detailed comparisons are summarized in Table 1. Here we only consider the costly operations (i.e., the pairing operation, the MapToPoint hash operation and multiplication in $G_1$) and omit the computations that can be pre-computed. We use the following notations:
From Table 1, we can see that the aggregate signature length of both the scheme in [20] and our scheme is the same as that of a single individual signature, regardless of the number $n$ of signatures, while that of the other schemes is directly proportional to either the number $n$ of signatures or the number $t$ of signers.
We can also observe that although the aggregate signature size of Hohenberger et al.'s scheme [20], the shortest among the protocols under comparison, is smaller than ours, their scheme is less efficient in signing and aggregate verification: it requires $O(|m|)$ pairing operations to generate a signature and $O(n(|m| + |ID|))$ pairing operations to verify an aggregate signature. Our IBAS scheme requires no pairing operations for the signer and only four pairing operations for the verifier. As the pairing computation is the most time-consuming operation in pairing-based cryptosystems [28], the computation in our scheme is much faster than in the scheme of [20]. Therefore, the proposed scheme is more practical.

Conclusions
In this paper, we proposed a new identity-based signature scheme that is provably secure in the random oracle model under the CDH assumption. We constructed an identity-based aggregate signature scheme using our IBS as the base signature scheme. The proposed IBAS enjoys significant advantages: aggregation is very general, in that it allows any number of signatures from various users on various messages to be aggregated into a single compact signature; the aggregation operation imposes no restriction; and the scheme inherits the merit of signatures in ID-PKC of being free from the public key certificate management burden. Most importantly, compared with previous unrestricted IBAS schemes, our proposed scheme is the first IBAS scheme that achieves both constant-length aggregate signatures and a constant number of pairing operations. The security analysis shows that the proposed schemes are secure against adaptive chosen-message attack and chosen-identity attack in the random oracle model. These features make our IBAS scheme an efficient solution for reducing bandwidth and storage, and are especially attractive for mobile devices like sensors, cell phones and PDAs, where communication is more power-expensive than computation and contributes significantly to shortening battery life. Moreover, our scheme can work as a multi-signature scheme, a proxy signature scheme or a sequential aggregate signature scheme without any modification.