研究成果

Sequential aggregate signature (SAS) schemes provide a single, compact signature, which is generated from a number of signatures, that simultaneously ensures that each signature is legally generated from the corresponding message with a defined order. Although SAS schemes have various applications such as a secure border gateway protocol, all existing schemes are computationally secure (i.e., assuming computationally bounded adversaries). In this paper, we first propose sequential aggregate authentication codes (SAA-codes), which has similar functionality of SAS in the information theoretic security setting. Specifically, we give a model and security formalization of SAA-codes, derive lower bounds on sizes of secret keys and authenticators required in secure SAA-codes, and present two kinds of optimal constructions in the sense that each construction meets the lower bounds with equalities.