2.1 Bilinear Groups and Complexity Assumptions

Let 𝔾 and 𝔾_T be two multiplicative cyclic groups of prime order p. Let g be a generator of 𝔾. A bilinear map is a map e:𝔾 × 𝔾 → 𝔾_T with the following properties:

1. Bilinearity: for all u, v ∈ 𝔾 and all a, b ∈ ℤ_p, we have e(u^a, v^b) = e(u, v)^ab.
2. Non-degeneracy: e(g, g) ≠ 1.

We say that 𝔾 is a bilinear group if the group operations in 𝔾 and 𝔾_T as well as the bilinear map e are all efficiently computable.

Assumption 2.1 (Computational Diffie-Hellman, CDH). Let 𝔾 be a cyclic group of prime order p and g be a generator of 𝔾. The CDH assumption is that if the challenge tuple $D=(p,𝔾,g,g^a,g^b)$ is given, no probabilistic polynomial-time (PPT) algorithm 𝓐 can compute g^ab ∈ 𝔾 with more than a negligible advantage. The advantage of 𝓐 is defined as ${\mathit{\text{Adv}}}_{𝓐}^{CDH}(\lambda )=\text{Pr}[𝓐(D)=g^{ab}]$ where the probability is taken over random choices of a,b ∈ ℤ_p.

2.2 The Identity-Based Signature Scheme

The IBS scheme of Yuan et al. [16] consists of the algorithms, Setup, GenKey, Sign, and Verify, which are described as follows:

• Setup(1^λ): This algorithm takes as input a security parameter 1^λ. It generates bilinear groups 𝔾, 𝔾_T of prime order p. Let g be a random generator of 𝔾. It chooses random exponents $s_1,s_2\in {\mathbb{Z}}_p^{*}$ and two cryptographic hash functions H₁:{0,1}* → 𝔾 and $H_2:{\{0,1\}}^{*}\to {\mathbb{Z}}_p^{*}$. It outputs a master key MK = (s₁, s₂) and public parameters $PP=((p,𝔾,{𝔾}_T,e),g,g_1=g^{s_1},g_2=g^{s_2},H_1,H_2)$.
• GenKey(ID, MK, PP): This algorithm takes as input an identity ID ∈ {0,1}*, the master key MK = (s₁, s₂), and the public parameters PP. It outputs a private key $S{K}_{ID}=(D_1=H_1{(ID)}^{s_1},D_2=H_1{(ID)}^{s_2})$.
• Sign(M, SK_ID, PP): This algorithm takes as input a message M ∈ {0,1}*, a private key SK_ID = (D₁, D₂), and the public parameters PP. It selects a random exponent $r\in {\mathbb{Z}}_p^{*}$ and computes h = H₂(ID‖M). It outputs a signature $\sigma =(U=g^r,V=D_1^h\cdot g_1^r,W=D_2\cdot g_2^r)$.
• Verify(σ, ID, M, PP): This algorithm takes as input a signature σ = (U, V, W), an identity ID ∈ {0,1}*, a message M{0,1}*, and the public parameters PP. It computes h = H(ID‖M) and checks whether $e(V,g)\stackrel{?}{=}e(H_1{(ID)}^h\cdot U,g_1)$ and $e(W,g)\stackrel{?}{=}e(H_1(ID)\cdot U,g_2)$. If both equations hold, then it outputs 1. Otherwise, it outputs 0.

Claim 2.2 ([16]) The above IBS scheme is existentially unforgeable under chosen message attacks in the random oracle model if the CDH assumption holds.

Remark 2.3 The original IBS and IBAS schemes of Yuan et al. are described in the additive notation in bilinear groups. However, in this paper, we use the multiplicative notation for notational simplicity.

Remark 2.4 The signatures of Yuan et al.’s IBS scheme are publicly re-randomized. If σ = (U, V, W) is a valid signature, then a re-randomized signature ${\sigma }^{\prime }=(U\cdot g^{r^{\prime }},V\cdot g_1^{r^{\prime }},W\cdot g_2^{r^{\prime }})$ is also valid where r′ is a random exponent in ${\mathbb{Z}}_p^{*}$ .

2.3 The Identity-Based Aggregate Signature Scheme

The IBAS scheme consists of the algorithms, Setup, GenKey, Sign, Verify, Aggregate, and AggVerify. The Setup, GenKey, Sign, and Verify algorithms of Yuan et al.’s IBAS scheme are the same as their IBS scheme counterparts. The additional algorithms of the IBAS scheme of Yuan et al. [16] are described as follows:

• Aggregate(σ₁, σ₂, S₁, S₂, PP): This algorithm takes as input a signature σ₁ = (U₁, V₁, W₁) on a multiset S₁ = {(ID_1,1, M_1,1), …, (ID_{1, n1}, M_{1, n1})} of identity and message pairs, a signature σ₂ = (U₂, V₂, W₂) on a multiset S₂ = {(ID_2,1, M_2,1), …, (ID_{2, n2}, M_{2, n2})} of identity and message pairs, and the public parameters PP. It outputs an aggregate signature $\sigma =(U=U_1\cdot U_2,V=V_1\cdot V_2,W=W_1\cdot W_2)$ on the multiset S = S₁∪S₂.
• AggVerify(σ, S, PP): This algorithm takes as input an aggregate signature σ = (U, V, W), a multiset S = {(ID₁, M₁), …, (ID_n, M_n)} of identity and message pairs, and the public parameters PP. It computes h_i = H(ID_i‖M_i) for i = 1, …, n and checks whether $e(V,g)\stackrel{?}{=}e({\prod }_{i=1}^n{H}_1{(I{D}_i)}^{h_i}\cdot U,g_1)$ and $e(W,g)\stackrel{?}{=}e({\prod }_{i=1}^n{H}_1(I{D}_i)\cdot U,g_2)$. If both equations hold, then it outputs 1. Otherwise, it outputs 0.

Claim 2.5 ([16]) The above IBAS scheme is existentially unforgeable under chosen message attacks in the random oracle model if the underlying IBS scheme is unforgeable under chosen message attacks.

4.1 The Original Proof

In this subsection, we briefly review the security proof of Yuan et al.’s IBS scheme [16] that solves the CDH problem by using Forking Lemma [17, 18].

Suppose there is an adversary 𝓐 that outputs a forged signature of the IBS scheme with a non-negligible advantage. A simulator ℬ that solves the CDH problem using 𝓐 when it is given a challenge tuple D = ((p, 𝔾, 𝔾_T, e), g, g^a, g^b) is described as follows:

• Setup: ℬ chooses a random exponent $s_2\in {\mathbb{Z}}_p^{*}$ and maintains an H₁-list and an H₂-list for random oracles. It implicitly sets s₁ = a and publishes the public parameters $PP=((p,𝔾,{𝔾}_T,e),g,g_1=g^a,g_2=g^{s_2},H_1,H_2)$.
• Hash Query: If this is an H₁ hash query on an identity ID_i, then ℬ handles this query as follows: If the identity ID_i already appears in the H₁-list, then it responds with the value in the list. Otherwise, it picks a random coin c ∈ {0,1} with Pr[c = 0] = δ for some δ and proceeds as follows: If c = 0, then it chooses $t_i\in {\mathbb{Z}}_p^{*}$ and sets $Q_i={(g^b)}^{t_i}$. If c = 1, then it chooses $t_i\in {\mathbb{Z}}_p^{*}$ and sets $Q_i=g^{t_i}$. Next, it adds (ID_i, t_i, c, Q_i) to the H₁-list and responds to 𝓐 with H₁(ID_i) = Q_i.
  If this is an H₂ hash query on an identity ID_i and a message M_i, then ℬ handles this query as follows: If the tuple (ID_i, M_i) already appears in the H₂-list, then it responds with the value in the list. Otherwise, it randomly chooses $h_i\in {\mathbb{Z}}_p^{*}$, adds (ID_i, M_i, h_i) to the H₂-list, and responds with H₂(ID_i‖M_i) = h_i.
• Private-Key Query: ℬ handles a private key query for an identity ID_i as follows: It first retrieves (ID_i, t_i, c, Q_i) from the H₁-list. If c = 0, then it aborts the simulation since it cannot create a private key. Otherwise, it creates the private key $S{K}_{I{D}_i}=(D_1=g_1^{t_i},D_2=g_2^{t_i})$ and responds to 𝓐 with SK_IDi.
• Signature Query: ℬ handles a signature query on an identity ID_i and a message M_i as follows: It randomly chooses $r^{\prime }\in {\mathbb{Z}}_p^{*}$ and computes h = H₂(ID_i‖M_i). Next, it responds to 𝓐 with a signature $\sigma =(U=g^{r^{\prime }}\cdot H_1{(I{D}_i)}^{-h},V=g_1^{r^{\prime }},W=H_1{(I{D}_i)}^{s_2}\cdot U^{s_2})$.
• Output: 𝓐 finally outputs a forged signature σ* = (U*, V*, W*) on an identity ID* and a message M*.

To solve the CDH problem, ℬ retrieves the tuple (ID*, t*, c*, Q*) from the H₁-list. If c* ≠ 0, then it aborts since it cannot extract the CDH value. Otherwise, it obtains two valid signatures ${\sigma }_1^{*}=(U_1^{*},V_1^{*},W_1^{*})$ and ${\sigma }_2^{*}=(U_2^{*},V_2^{*},W_2^{*})$ on the same identity and message tuple (ID*, M*) such that $U_1^{*}=U_2^{*}$ and $h_1^{*}\ne h_2^{*}$ by applying Forking Lemma. That is, it replays ℱ with the same random tape but with a different choice of the random oracle H₂. If $U_1^{*}=U_2^{*}$, then we have the following equation Thus, ℬ can compute the CDH value as ${(V_1^{*}\cdot {(V_2^{*})}^{-1})}^{1/(t^{*}(h_1^{*}-h_2^{*}))}$ if $h_1^{*}\ne h_2^{*}modp$.

4.2 A Non-Extractable Forgery

To extract the CDH value from forged signatures by applying Forking Lemma, it is essential for the simulator to obtain two valid signatures ${\sigma }_1^{*}$ and ${\sigma }_2^{*}$ such that $U_1^{*}=U_2^{*}$ and $h_1^{*}\ne h_2^{*}$. By replaying the forgery with the same random tape, but with a different choice of random oracle H₂, it is possible for the simulator to obtain two valid signatures ${\sigma }_1^{*}=(U_1^{*},V_1^{*},W_1^{*})$ and ${\sigma }_2^{*}=(U_2^{*},V_2^{*},W_2^{*})$ with $h_1^{*}\ne h_2^{*}$ because of Forking Lemma. However, we show that the probability of $U_1^{*}=U_2^{*}$ can be negligible if the forgery is clever.

Lemma 4.1 If there is a PPT algorithm 𝓐 that can forge the IBS scheme of Yuan et al., then there is another PPT algorithm ℱ that can forge the IBS scheme with almost identical probability, but the simulator of Yuan et al. cannot extract the CDH value from the forged signatures of ℱ.

Proof. The basic idea of this proof is that anyone can re-randomize the signature of Yuan et al.’s IBS scheme by using the public parameters. In this case, even though a simulator uses the same random tape for Forking Lemma, a forgery outputs a forged signature σ* on an identity ID* and a message M* after re-randomizing it by using the information h* = H₂(ID*‖M*). Let H′:{0,1}* → ℤ_p be a collision resistant hash function that is not modeled as the random oracle. A new forgery ℱ that uses 𝓐 as a sub-routine is described as follows:

1. ℱ is first given PP and runs 𝓐 by giving PP. ℱ also handles the private key and signature queries of 𝓐 by using his own private key and signature oracles.
2. 𝓐 outputs a forged signature σ′ = (U′, V′, W′) on an identity ID* and a message M*.
3. ℱ computes h* = H₂(ID*‖M*) and h′ = H′(U′‖h*), and then re-randomizes the forged signature of 𝓐 as
4. Finally, ℱ outputs a forged signature σ* = (U*, V*, W*) on an identity ID* and M*.

To finish the proof, we should show that the forged signature of ℱ is correct and the simulator of Yuan et al. cannot extract the CDH value from the forged signatures by using Forking Lemma. Let r′ be the randomness of σ′. The correctness of the forged signature is easily checked as follows where h* = H₂(ID*‖M*) and r* = r′+h′. To extract the CDH value from the forged signature of ℱ by using Forking Lemma, the simulator of Yuan et al. should obtain two valid signatures ${\sigma }_1^{*}=(U_1^{*},V_1^{*},W_1^{*})$ and ${\sigma }_2^{*}=(U_2^{*},V_2^{*},W_2^{*})$ on the same identity and message pair (ID*, M*) such that $U_1^{*}=U_2^{*}$ and $h_1^{*}\ne h_2^{*}$ after replaying ℱ with the same random tape but with a different choice of the hash oracle H₂. Let ${\sigma }_1^{*}=(U_1^{*},V_1^{*},W_1^{*})$ and ${\sigma }_2^{*}=(U_2^{*},V_2^{*},W_2^{*})$ be the two valid signatures obtained from ℱ by using Forking Lemma. Let ${\sigma }_{{}^{{}_1}}^{\prime }=(U_{{}^{{}_1}}^{\prime },V_{{}^{{}_1}}^{\prime },W_{{}_1}^{{}^{\prime }})$ and ${\sigma }_{{}^{{}_2}}^{\prime }=(U_{{}^{{}_2}}^{\prime },V_{{}^{{}_2}}^{\prime },W_{{}^{{}_2}}^{\prime })$ be the original signatures before the re-randomization of ℱ. If $h_1^{*}\ne h_2^{*}$, then we have $h_{{}^{{}_1}}^{\prime }\ne h_{{}^{{}_1}}^{\prime }$ with non-negligible probability since H′ is a collision-resistance hash function and the inputs of the hash function are different. From $h_{{}^{{}_1}}^{\prime }\ne h_{{}^2}^{\prime }$, we have $U_1^{*}\ne U_2^{*}$ with non-negligible probability since $U_{{}^{{}_1}}^{\prime }$ and $U_{{}^{{}_2}}^{\prime }$ are re-randomized with difference values $g^{h_{{}^{{}_1}}^{\prime }}$ and $g^{h_2^{\prime }}$ respectively. Therefore, the event of obtaining two valid signatures only occurs with negligible probability. This completes our proof.

4.3 Discussions

From the above analysis, we know that the security of the original IBS scheme of Yuan et al. cannot be proven under the CDH assumption by applying Forking Lemma since the forger can easily re-randomize the signatures. To fix this problem, we may modify the IBS scheme to compute h = H₂(U‖ID‖M) instead of computing h = H₂(ID‖M) where U is the first element of a signature. In this case, the forger cannot re-randomize the signature of the modified IBS scheme since U is an input of H₂. Unfortunately, this modified IBS scheme cannot be used to construct an IBAS scheme since the U from the individual signatures cannot be aggregated. Note that if each U is aggregated, then a verifier cannot check the validity of an aggregate signature since each U is not included in the aggregate signature. Therefore, there is no easy solution to the problem.