How to Aggregate the CL Signature Scheme Dominique Schr¨ oder ∗ University of Maryland, USA schroeder @ me.com www.dominique-schroeder.de Abstract. We present an aggregate signature scheme whose public key consists of only two group elements. It is therefore the first sequential aggregate signature scheme with short keys in the standard model. Our construction relies on the Camenisch- Lysyanskaya signature scheme (Crypto 2004) and is provably secure under the LRSW assumption. Moreover, we develop a novel aggregation technique that we call aggregate- extension technique. The basic idea is to extend the aggregate by a single element and to use this additional space to “store” some information that would be lost due to the compression of the signatures. We believe that this technique might be of independent interest. 1 Introduction Aggregate signature schemes allow the combination of several signatures into a single el- ement, the aggregate, that has roughly the same size as an ordinary signature. Here, we consider the sequential case where a signer receives an aggregate-so-far, adds its own sig- nature to the aggregate and forwards the aggregate (containing the new signature) to the next signer. The size of the aggregate is independent of the number of signers, i.e., it has the roughly the same size as an ordinary signature scheme. Typical applications for such schemes are sensor networks where communication is prohibitively expensive [BNN07]. Since the transmission range of each sensor is limited, the sensor forwards its data to the next sensor node towards the base station. Moreover, each sensor signs its measurement to prevent attackers from raising a false alarm. One example of such a monitoring network is the Tsunami early warning system that is already in operation in the Indian Ocean [IOC09]. Further applications are the compression of certificate chains [BGLS03] and secure routing protocols, such as the Secure Border Gateway Protocol (S-BGP) [BGOY07]. Public-key size. Efficiency refers to three kinds of costs: computational, storing data, and the cost of communication. In practice, however, computational costs play a minor role * Supported in part by a DAAD postdoctoral fellowship.