Security Analysis of the Unrestricted Identity-Based Aggregate Signature Scheme

Aggregate signatures allow anyone to combine different signatures signed by different signers on different messages into a short signature. An ideal aggregate signature scheme is an identity-based aggregate signature (IBAS) scheme that supports full aggregation since it can reduce the total transmitted data by using an identity string as a public key and anyone can freely aggregate different signatures. Constructing a secure IBAS scheme that supports full aggregation in bilinear maps is an important open problem. Recently, Yuan et al. proposed such a scheme and claimed its security in the random oracle model under the computational Diffie-Hellman assumption. In this paper, we show that there is an efficient forgery on their IBAS scheme and that their security proof has a serious flaw.


Introduction
Aggregate signature schemes allow anyone to combine n signatures on n different messages signed by n different signers into a short aggregate signature. The main advantage of aggregate signature schemes is the reduction of signature communication and storage requirements by compressing multiple signatures into a single one. The applications of aggregate signature schemes include secure routing protocols, public-key infrastructure systems, and sensor networks. Boneh et al. [1] proposed the first aggregate signature scheme allowing anyone to combine different signatures in bilinear groups and proved its security in the random oracle model. Subsequently, Lysyanskaya et al. [2] constructed a sequential aggregate signature scheme in which signatures can only be combined sequentially, and Gentry and Ramzan [3] proposed a synchronized aggregate signature scheme in which all signers must share synchronized information. There are many additional aggregate signature schemes with different properties [4-13].
Although aggregate signature schemes reduce the size of signatures by aggregating them, they usually cannot reduce the total amount of transmitted data significantly, since a verifier must additionally retrieve the public keys of all signers. Therefore, an important issue in aggregate signature schemes is reducing the size of public keys [7,10,11,12]. An ideal solution to this problem is the use of an identity-based aggregate signature (IBAS) scheme, since it uses an already known identity string as a user's public key [3]. However, there is only one IBAS scheme with full aggregation, proposed by Hohenberger et al. [9] in multilinear maps.
Multilinear maps are attractive tools for cryptographic constructions, but they are currently impractical since they are based on leveled homomorphic encryption schemes [14]. There are some IBAS schemes in bilinear maps, but those schemes only support sequential or synchronized aggregation [3,6,8]. Therefore, constructing an IBAS scheme featuring full aggregation in bilinear maps is an important open problem.
The main challenge when devising an IBAS scheme with full aggregation is aggregating the random values of all signers, since each random value hides a private key in the signature [3]. For this reason, current IBAS schemes can only aggregate the randomness of all signers through synchronized or sequential aggregation [3,6]. Additionally, designing a secure IBAS scheme is not an easy task. In fact, even the original IBAS scheme of Boldyreva et al. [6] was broken by Hwang et al. [15] and had to be corrected later. Recently, Yuan et al. [16] proposed an IBAS scheme featuring full aggregation in bilinear maps and claimed its security in the random oracle model. The authors first proposed an IBS scheme in bilinear maps and from that constructed an IBAS scheme. To demonstrate the security of their IBS scheme, the authors claimed that its security could be proven under the computational Diffie-Hellman (CDH) assumption by using Forking Lemma in the random oracle model.
In this paper, we show that the IBS and IBAS schemes of Yuan et al. [16] are not secure at all. First, we show that there is a universal forgery algorithm against their IBS scheme which outputs a forged signature by using two valid signatures. This forgery algorithm also applies to their IBAS scheme. One may wonder whether our forgery algorithm contradicts the security claims of their schemes or not. To explain this, we then show that the security proof of Yuan et al.'s IBS scheme has a serious flaw. The proof essentially relies on the condition that two forged signatures obtained using Forking Lemma have the same randomness. However, we reveal that the forged signatures of an adversary cannot satisfy this condition since the signatures of Yuan et al.'s IBS scheme can be publicly re-randomized. This paper is organized as follows: In Section 2, we review bilinear groups and the IBS and IBAS schemes of Yuan et al. In Section 3, we present a universal forgery against the IBS scheme. In Section 4, we analyze the security proof of Yuan et al.'s IBS scheme and show that it has a serious flaw.

The IBAS Scheme of Yuan et al.
In this section, we review bilinear groups, complexity assumptions, and the IBS and IBAS schemes of Yuan et al. [16]. For more details, refer to [16].

Bilinear Groups and Complexity Assumptions
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G$. A bilinear map is a map $e: G \times G \to G_T$ with the following properties:
1. Bilinearity: for all $u, v \in G$ and all $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
We say that G is a bilinear group if the group operations in G and G T as well as the bilinear map e are all efficiently computable.
Assumption 2.1 (Computational Diffie-Hellman, CDH). Let $G$ be a cyclic group of prime order $p$ and $g$ be a generator of $G$. The CDH assumption is that if the challenge tuple $D = (p, G, g, g^a, g^b)$ is given, no probabilistic polynomial-time (PPT) algorithm $A$ can compute $g^{ab} \in G$ with more than a negligible advantage. The advantage of $A$ is defined as $\mathrm{Adv}^{CDH}_{A}(\lambda) = \Pr[A(D) = g^{ab}]$, where the probability is taken over the random choices of $a, b \in \mathbb{Z}_p$.

The Identity-Based Signature Scheme
The IBS scheme of Yuan et al. [16] consists of the algorithms Setup, GenKey, Sign, and Verify, which are described as follows:
• Setup($1^\lambda$): This algorithm takes as input a security parameter $1^\lambda$. It generates bilinear groups $G, G_T$ of prime order $p$. Let $g$ be a random generator of $G$. It chooses random exponents $s_1, s_2 \in \mathbb{Z}_p^*$ and two cryptographic hash functions $H_1: \{0,1\}^* \to G$ and $H_2: \{0,1\}^* \to \mathbb{Z}_p^*$. It outputs a master key $MK = (s_1, s_2)$ and public parameters $PP = ((p, G, G_T, e), g,$
• GenKey($ID, MK, PP$): This algorithm takes as input an identity $ID \in \{0,1\}^*$, the master key $MK = (s_1, s_2)$, and the public parameters $PP$. It outputs a private key
• Sign($M, SK_{ID}, PP$): This algorithm takes as input a message $M \in \{0,1\}^*$, a private key $SK_{ID} = (D_1, D_2)$, and the public parameters $PP$. It selects a random exponent $r \in \mathbb{Z}_p^*$ and computes $h = H_2(ID \| M)$. It outputs a signature $\sigma =$

Forgery Attacks on the IBAS Scheme
In this section, we show that the IBS and IBAS schemes of Yuan et al. are not secure at all by presenting an efficient forgery algorithm. In fact, our forgery algorithm is universal, since anyone who has two valid signatures on the same identity and different messages can generate a forged signature on the same identity and any message of its choice.
Proof. The basic idea of our forgery attack is that if a forger obtains two valid signatures on an identity, then he can derive another valid signature by computing a linear combination of those signatures with carefully chosen scalar values. A forgery algorithm $F$ is described as follows:
1. $F$ randomly selects a target identity $ID^*$ and two different messages $M_1$ and $M_2$. It obtains a signature $\sigma_1 = (U_1, V_1, W_1)$ on the pair $(ID^*, M_1)$ and a signature $\sigma_2 = (U_2, V_2, W_2)$ on the pair $(ID^*, M_2)$ from the signing oracle.
2. It randomly selects a target message $M^*$ for the forged signature. Next, it computes $h_1 = H_2(ID^* \| M_1)$, $h_2 = H_2(ID^* \| M_2)$, and $h^* = H_2(ID^* \| M^*)$. It computes two exponents $\delta_1, \delta_2$ that satisfy the following equation. Note that $\delta_1$ and $\delta_2$ can be computed using linear algebra, since the determinant $h_1 - h_2$ of the left matrix is not zero if $h_1 \neq h_2$.
3. Finally, $F$ outputs a forged signature $\sigma^*$ on the identity and message pair $(ID^*, M^*)$ as
To finish the proof, we should show that the forger $F$ outputs a (forged) signature with non-negligible probability and that the forged signature passes the verification algorithm. We know that $F$ always outputs a signature if $h_1 \neq h_2$. Because $H_2$ is a collision-resistant hash function and $M_1 \neq M_2$, $h_1 \neq h_2$ holds with non-negligible probability. Now we should show that the forged signature is correct according to the verification algorithm. Let $r_1$ and $r_2$ be the randomness of $\sigma_1$ and $\sigma_2$, respectively. The correctness of the forged signature is easily verified as follows, where the randomness of the forged signature is defined as $r^* = r_1 \delta_1 + r_2 \delta_2 \bmod p$. This completes the proof.

Corollary 3.2 There is a PPT algorithm F that can forge the IBAS scheme of Yuan et al. with non-negligible probability if F makes just two signature queries.
The proof of this corollary is trivial from the proof of the previous Lemma since the IBAS scheme uses the IBS scheme as its underlying signature scheme. We omit the proof.

Our Analysis of the Security Proof
From the forgery algorithm presented in the previous section, it is evident that the IBS and IBAS schemes of Yuan et al. are not secure. However, Yuan et al. [16] claimed that their IBS scheme is secure in the random oracle model under the CDH assumption. In this section, we analyze the security proof of Yuan et al. and show that it has a critical flaw.

The Original Proof
In this subsection, we briefly review the security proof of Yuan et al.'s IBS scheme [16] that solves the CDH problem by using Forking Lemma [17,18].
Suppose there is an adversary $A$ that outputs a forged signature of the IBS scheme with a non-negligible advantage. A simulator ℬ that solves the CDH problem using $A$ when it is given a challenge tuple $D = ((p, G, G_T, e), g, g^a, g^b)$ is described as follows:
• Setup: ℬ chooses a random exponent $s_2 \in \mathbb{Z}_p^*$ and maintains an $H_1$-list and an $H_2$-list for the random oracles. It implicitly sets $s_1 = a$ and publishes the public parameters $PP = ((p, G, G_T, e), g, g_1 = g^a, g_2 = g^{s_2}, H_1, H_2)$.
• Private-Key Query: ℬ handles a private key query for an identity $ID_i$ as follows: It first retrieves $(ID_i, t_i, c, Q_i)$ from the $H_1$-list. If $c = 0$, then it aborts the simulation since it cannot create a private key. Otherwise, it creates the private key and responds to $A$ with $SK_{ID_i}$.
• Signature Query: ℬ handles a signature query on an identity $ID_i$ and a message $M_i$ as follows: It randomly chooses $r' \in \mathbb{Z}_p^*$ and computes $h = H_2(ID_i \| M_i)$. Next, it responds to $A$ with a signature
• Output: $A$ finally outputs a forged signature $\sigma^* = (U^*, V^*, W^*)$ on an identity $ID^*$ and a message $M^*$.
To solve the CDH problem, ℬ retrieves the tuple $(ID^*, t^*, c^*, Q^*)$ from the $H_1$-list. If $c^* \neq 0$, then it aborts since it cannot extract the CDH value. Otherwise, it obtains two valid signatures on the same identity and message tuple $(ID^*, M^*)$ such that $U_1^* = U_2^*$ and $h_1^* \neq h_2^*$ by applying Forking Lemma. That is, it replays $A$ with the same random tape but with a different choice of the random oracle $H_2$. If $U_1^* = U_2^*$, then we have the following equation. Thus, ℬ can compute the CDH value as

A Non-Extractable Forgery
To extract the CDH value from forged signatures by applying Forking Lemma, it is essential for the simulator to obtain two valid signatures $\sigma_1^*$ and $\sigma_2^*$ such that
By replaying the forgery with the same random tape, but with a different choice of the random oracle $H_2$, it is possible for the simulator to obtain two valid signatures $\sigma^*$
Proof. The basic idea of this proof is that anyone can re-randomize a signature of Yuan et al.'s IBS scheme by using only the public parameters. In this case, even though the simulator uses the same random tape for Forking Lemma, a forger outputs a forged signature $\sigma^*$ on an identity $ID^*$ and a message $M^*$ after re-randomizing it by using the information $h^* = H_2(ID^* \| M^*)$. Let $H': \{0,1\}^* \to \mathbb{Z}_p$ be a collision-resistant hash function that is not modeled as a random oracle. A new forger $F$ that uses $A$ as a sub-routine is described as follows:
1. $F$ is first given $PP$ and runs $A$ on input $PP$. $F$ also handles the private key and signature queries of $A$ by using its own private key and signature oracles.
2. $A$ outputs a forged signature $\sigma' = (U', V', W')$ on an identity $ID^*$ and a message $M^*$.
To finish the proof, we should show that the forged signature of $F$ is correct and that the simulator of Yuan et al. cannot extract the CDH value from the forged signatures by using Forking Lemma. Let $r'$ be the randomness of $\sigma'$. The correctness of the forged signature is easily checked as follows, where $h^* = H_2(ID^* \| M^*)$ and $r^* = r' + h'$. respectively. Therefore, the event of obtaining two valid signatures only occurs with negligible probability. This completes our proof.

Discussions
From the above analysis, we know that the security of the original IBS scheme of Yuan et al. cannot be proven under the CDH assumption by applying Forking Lemma, since a forger can easily re-randomize the signatures. To fix this problem, we may modify the IBS scheme to compute $h = H_2(U \| ID \| M)$ instead of $h = H_2(ID \| M)$, where $U$ is the first element of a signature. In this case, the forger cannot re-randomize a signature of the modified IBS scheme since $U$ is an input of $H_2$. Unfortunately, this modified IBS scheme cannot be used to construct an IBAS scheme, since the $U$ values of the individual signatures cannot be aggregated. Note that if each $U$ is aggregated, then a verifier cannot check the validity of an aggregate signature since each individual $U$ is not included in the aggregate signature. Therefore, there is no easy solution to the problem.
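The linear-combination forgery of Section 3, the public re-randomization of Section 4 and the $H_2(U \| ID \| M)$ fix above, worked through in an added Python example that is not from this paper or from Yuan et al.'s scheme. Because the page does not reproduce the signature equations, the block assumes a toy scheme in the exponent (discrete-log) view, with signature $(U, V) = (r, d_1 + h d_2 + r x)$ and the pairing check written as exponent arithmetic, and assumes the $2 \times 2$ system is $\delta_1 + \delta_2 = 1$, $\delta_1 h_1 + \delta_2 h_2 = h^*$, which has the determinant $h_1 - h_2$ stated in Section 3.

```python
import hashlib
import random
P = 2**127 - 1  # toy prime standing in for the group order p (assumed value)
def H(*parts):
    """Hash to Z_P; models H1 and H2 by the exponent of their output."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P
class ToyIBS:
    """Exponent view of an assumed toy IBS, linear in the key, in h and in r:
    sigma = (U, V) = (r, d1 + h*d2 + r*x); h = H2(ID||M), or H2(U||ID||M) if bind_u."""
    def __init__(self, bind_u=False):
        self.s1, self.s2, self.x = (random.randrange(1, P) for _ in range(3))
        self.bind_u = bind_u
    def keygen(self, ident):
        t = H("H1", ident)                         # exponent of H1(ID)
        return (self.s1 * t % P, self.s2 * t % P)  # exponents of H1(ID)^s1, H1(ID)^s2
    def h2(self, U, ident, msg):
        return H("H2", U, ident, msg) if self.bind_u else H("H2", ident, msg)
    def sign(self, sk, ident, msg):
        d1, d2 = sk
        r = random.randrange(1, P)
        return (r, (d1 + self.h2(r, ident, msg) * d2 + r * self.x) % P)
    def verify(self, ident, msg, sig):
        U, V = sig
        t, h = H("H1", ident), self.h2(U, ident, msg)
        # pairing check e(V,g) == e(H1(ID),g1) e(H1(ID),g2)^h e(U,g^x), in exponents
        return V == (t * self.s1 + h * t * self.s2 + U * self.x) % P
def rerandomize(scheme, sig, shift):
    """Section 4 flaw: from public data alone, (U + shift, V + shift*x) is also valid."""
    return ((sig[0] + shift) % P, (sig[1] + shift * scheme.x) % P)
def forge(scheme, ident, sig1, m1, sig2, m2, m_star):
    """Section 3 attack: delta1*sigma1 + delta2*sigma2 with delta1 + delta2 = 1 and
    delta1*h1 + delta2*h2 = h* (assumed 2x2 system; its determinant is h1 - h2)."""
    h1, h2 = scheme.h2(sig1[0], ident, m1), scheme.h2(sig2[0], ident, m2)
    h_star = H("H2", ident, m_star)  # the forger has to fix h* before U* exists
    det = (h1 - h2) % P
    if det == 0:                     # singular system: F outputs nothing
        return None
    k1 = (h_star - h2) * pow(det, -1, P) % P
    k2 = (1 - k1) % P
    return ((k1 * sig1[0] + k2 * sig2[0]) % P, (k1 * sig1[1] + k2 * sig2[1]) % P)
def demo(bind_u=False):
    """Returns (honest signature verifies, re-randomized copy verifies, forgery verifies)."""
    s, uid = ToyIBS(bind_u), "alice@example.com"
    sk = s.keygen(uid)
    s1, s2 = s.sign(sk, uid, "m1"), s.sign(sk, uid, "m2")
    return (s.verify(uid, "m1", s1), s.verify(uid, "m1", rerandomize(s, s1, 7)),
            s.verify(uid, "m*", forge(s, uid, s1, "m1", s2, "m2", "m*")))
```

With `bind_u=False` both the re-randomized copy and the forgery verify; with `U` bound into the hash, neither does, because the combined `U*` changes the value of `h` the verifier recomputes.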

Conclusion
In this paper, we showed that the IBAS scheme of Yuan et al., which achieves both full aggregation and constant pairing computation, is not secure at all. We presented an efficient forgery algorithm against the IBS scheme and showed that the security proof of the scheme has a serious flaw. To invalidate the security of their IBS scheme, we showed that a linear combination of two valid signatures is also a new valid signature. Since the security of their IBAS scheme is based on the security of their IBS scheme, their IBAS scheme is also insecure. Therefore, constructing an IBAS scheme with full aggregation in bilinear maps still remains an important open problem.