Sequential aggregate signatures with lazy verification from trapdoor permutations

Bibliographic Details
Published in: Information and computation Vol. 239; pp. 356-376
Main Authors: Brogle, Kyle; Goldberg, Sharon; Reyzin, Leonid
Format: Journal Article
Language: English
Published: Elsevier Inc 01.12.2014
ISSN: 0890-5401, 1090-2651
Abstract: Sequential aggregate signature schemes allow n signers, in order, to sign a message each, at a lower total cost than the cost of n individual signatures. We present a sequential aggregate signature scheme based on trapdoor permutations (e.g., RSA). Unlike prior such proposals, our scheme does not require a signer to retrieve the keys of other signers and verify the aggregate-so-far before adding its own signature. Indeed, we do not even require a signer to know the public keys of other signers! Moreover, for applications that require signers to verify the aggregate anyway, our schemes support lazy verification: a signer can add its own signature to an unverified aggregate and forward it along immediately, postponing verification until load permits or the necessary public keys are obtained. This is especially important for applications where signers must access a large, secure, and current cache of public keys in order to verify messages. The price we pay is that our signature grows slightly with the number of signers. We report a technical analysis of our scheme (which is provably secure in the random oracle model), a detailed implementation-level specification, and implementation results based on RSA and OpenSSL. To evaluate the performance of our scheme, we focus on the target application of BGPsec (formerly known as Secure BGP), a protocol designed for securing the global Internet routing system. There is a particular need for lazy verification with BGPsec, since it is run on routers that must process signatures extremely quickly, while being able to access tens of thousands of public keys. We compare our scheme to the algorithms currently proposed for use in BGPsec, and find that our signatures are considerably shorter than nonaggregate RSA (with the same sign and verify times) and have an order of magnitude faster verification than nonaggregate ECDSA, although ECDSA has shorter signatures when the number of signers is small.
Copyright: 2014 Elsevier Inc.
DOI: 10.1016/j.ic.2014.07.001
Open Access: yes
Peer Reviewed: yes
Scholarly: yes
Keywords: RSA; Lazy verification; BGP; Aggregate signatures
License: http://www.elsevier.com/open-access/userlicense/1.0