Identity-Based Aggregate Signatures

Craig Gentry (1,⋆) and Zulfikar Ramzan (2)

1 Stanford University, cgentry@cs.stanford.edu
2 DoCoMo Communications Laboratories USA, Inc., ramzan@docomolabs-usa.com

⋆ This research was conducted while the author was at DoCoMo Labs, USA.

M. Yung et al. (Eds.): PKC 2006, LNCS 3958, pp. 257–273, 2006. © International Association for Cryptologic Research 2006

Abstract. An aggregate signature is a single short string that convinces any verifier that, for all 1 ≤ i ≤ n, signer S_i signed message M_i, where the n signers and n messages may all be distinct. The main motivation of aggregate signatures is compactness. However, while the aggregate signature itself may be compact, aggregate signature verification might require potentially lengthy additional information – namely, the (at most) n distinct signer public keys and the (at most) n distinct messages being signed. If the verifier must obtain and/or store this additional information, the primary benefit of aggregate signatures is largely negated.

This paper initiates a line of research whose ultimate objective is to find a signature scheme in which the total information needed to verify is minimized. In particular, the verification information should preferably be as close as possible to the theoretical minimum: the complexity of describing which signer(s) signed what message(s). We move toward this objective by developing identity-based aggregate signature schemes. In our schemes, the verifier does not need to obtain and/or store various signer public keys to verify; instead, the verifier only needs a description of who signed what, along with two constant-length “tags”: the short aggregate signature and the single public key of a Private Key Generator. Our scheme is secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups against an adversary that chooses its messages and its target identities adaptively.

1 Introduction

Authentication is crucial for many cryptographic applications. Improving the performance of building blocks, like digital signatures, that provide a means for authentication is therefore an essential goal. While time complexity is a well-known traditional measure for evaluating performance, communication complexity is becoming increasingly important for two reasons. First, consider wireless devices (e.g., PDAs, cell phones, RFID chips, and sensors). Here battery life is often more of a limiting bottleneck than processor speed. Communicating a single bit of data consumes several orders of magnitude more power than executing a basic 32-bit arithmetic instruction [BA05]. Second, consider wireless network scenarios (e.g., MANETs, cellular networks, tactical networks, and sensor nets).