Lattice-based sequential aggregate signatures with lazy verification  被引量：4

作　　者：Zhang Yanhua Hu Yupu Jiang Mingming Xue Lili 

机构地区：[1]State Key Laboratory of Integrated Service Networks, Xidian University [2]School of Computer Science and Technology, Huaibei Normal University

出　　处：《The Journal of China Universities of Posts and Telecommunications》2015年第6期36-44,共9页中国邮电高校学报（英文版）

基　　金：supported by the National Natural Science Foundations of China (61173151, 61472309)

摘　　要：This paper proposes the first lattice-based sequential aggregate signature （SAS） scheme with lazy verification that is provably secure in the random oracle model. As opposed to large integer factoring and discrete logarithm based systems, the security of the construction relies on worst-case lattice problem, namely, under the small integer solution （SIS） assumption. Generally speaking, SAS schemes enable any group of signers ordered in a chain to sequentially combine their signatures such that the size of the aggregate signature is much smaller than the total size of all individual signatures. Unlike prior such proposals, the new scheme does not require a signer to retrieve the keys of other signers and verify the aggregate-so-far before adding its own signature, and the signer can add its own signature to an unverified aggregate and forward it along immediately, postponing verification until load permits or the necessary public keys are obtained. Indeed, the new scheme does not even require a signer to know the public keys of other signers.This paper proposes the first lattice-based sequential aggregate signature （SAS） scheme with lazy verification that is provably secure in the random oracle model. As opposed to large integer factoring and discrete logarithm based systems, the security of the construction relies on worst-case lattice problem, namely, under the small integer solution （SIS） assumption. Generally speaking, SAS schemes enable any group of signers ordered in a chain to sequentially combine their signatures such that the size of the aggregate signature is much smaller than the total size of all individual signatures. Unlike prior such proposals, the new scheme does not require a signer to retrieve the keys of other signers and verify the aggregate-so-far before adding its own signature, and the signer can add its own signature to an unverified aggregate and forward it along immediately, postponing verification until load permits or the necessary public keys are obtained. Indeed, the new scheme does not even require a signer to know the public keys of other signers.

关 键 词：sequential aggregate signatures lattice-based cryptography lazy verification small integer solution 

分 类 号：TN918.4[电子电信—通信与信息系统]