Notes on the security of certificateless aggregate signature schemes


Bibliographic details
Published in: Information sciences 2014-12, Vol.287, p.32-37
Main authors: Zhang, Futai; Shen, Limin; Wu, Ge
Format: Article
Language: eng
Description
Abstract: Secure aggregate signature schemes are very useful tools in special areas where the signatures on many different messages generated by many different users need to be compressed. Quite recently, an efficient certificateless aggregate signature scheme was presented by Xiong et al. (2013). Although they proved its security in the random oracle model under the standard computational Diffie–Hellman assumption, we find that their conclusion is wrong. In this paper, we give security analysis to their scheme by showing four kinds of concrete attacks. The first two kinds of attacks come from an honest-but-curious KGC and a malicious-but-passive KGC respectively, while the last two are from the collusion of inside signers or the collusion of an insider signer with a malicious-but-passive KGC. Our analysis indicates coalition attacks, especially those from the collusion of an inside signer with a malicious KGC, are practical and destructive, and hence should be prevented in the design of CLAS schemes. We also put forward a secure certificateless aggregate signature scheme. Our new aggregate signature scheme results in a short aggregate signature that is valid if and only if every individual signature involved in the aggregation is valid.
ISSN: 0020-0255, 1872-6291
DOI: 10.1016/j.ins.2014.07.019