Efficient Batch Signature Generation Using Tree Structures

Christopher J. Pavlovski� and Colin BoydInformation Security Research Centre

School of Data CommunicationsQueensland University of Technology

Brisbane, Australia

E-mail:fpavlovsk, boydg@fit.qut.edu.auAbstract

We propose an efficient batch signature generationscheme for signing multiple messages simultaneously. Thescheme can be based on any signature scheme with ap-pendix and resultant signatures preserve the property of in-dependent verification by different recipients. The schemeisshown to be of almost constant complexity for both gener-ation and verification as the number of messages increaseswhile the size of the signature increases only logarithmi-cally with the number of messages in the batch. It is demon-strated that the security of the batch signature is equivalentto the security of the underlying signature mechanisms.

Keywords: Batch Cryptography, Digital Signature, Effi-ciency, Binary Tree.

1 Introduction

Electronic commerce is already presenting many newmarketing opportunities for commercial organizations.Whilst the notion of electronic commerce pre-existed its us-age over the Internet, today electronic commerce and theInternet are often considered as natural allies. A key re-quirement for the practical acceptance and wide usage ofall forms of electronic commerce is the efficiency of anyproposed security mechanism employed.

A major factor contributing to high computational loadis the expense of digital signature schemes, which typi-cally require modular exponentiation. Digital signaturesarenormally considered an essential mechanism for electroniccommerce applications due to the need for non-repudiationand because they can provide authorisation in a distributedenvironment. We specifically address this inefficiency by�Conference attendance sponsored by IBM Global Services Australia

introducing a new signature generation scheme that is ableto sign many messages for almost the cost of one signa-ture operation at the server, or signing, entity. We usebatchcryptography, demonstrating an efficient means to generatesignatures simultaneously on a number of messages. Thescheme produces signed messages that may then be for-warded to unrelated recipients for independent verification.

Our approach for signing can be used together with anyexisting signature schemewith appendix. (Signatures inschemes employing an appendix must be accompanied bythe message from which they are generated, rather than al-lowing the message to be extracted from the signature itself[13].) A batch signature consists of an ordinary signaturewhich depends on every message in the batch, and abatchresiduewhich varies with every message (the batch residueis a component of the batch signature on the message). Sig-nature verification consists of recalculating the input to theordinary signature using the message and batch residue, andthen verifying the ordinary signature. Because calculationof the batch residue, and its verification, only use hash cal-culations, the generation of the batch signature is almost asefficient as generation of a single ordinary signature. How-ever, batch signatures are longer than ordinary signaturesbecause of the need to accommodate a batch residue.

We use a binary tree construction to limit the size ofthe batch residue in a similar fashion to its use by Merkle[15, 13] for tree authentication. (It is interesting that a treestructure is also used in Fiat’s batch RSA signature scheme[6].) However, to the best of our knowledge tree authentica-tion has not been proposed for use in quite this way before.

Employing such a tree structure, with messages repre-senting the leaves of the tree, we are able to marshall an ar-bitrary number of messages into one batch for signing. Thesubsequently signed batch, and a unique batch residue, arethen forwarded as independent signatures to different recip-ients for individual verification of their particular message.

There have been several previous batch signature

schemes which detail procedures to either verify or sign anumber of messages [7, 8, 9, 10, 11, 22, 24, 1]. Whilstthese techniques produce certain distinct efficiencies, eachspecific scheme possesses some restriction, by way of batchsize limitations, verification only, or no support for hetero-geneous signature generation for different recipients . Thescheme we propose addresses some unresolved issues ofthese batch signature techniques. This includes, an im-proved signature size, the ability to sign in batch for inde-pendent recipients, and no batch size limitations.

The objectives of this paper include:

1. to propose a new batch signature scheme that is capa-ble of generating multiple signed messages simultane-ously for individual verification by different recipients.

2. to analyse the security and efficiency of the new tech-niques.

3. to illustrate the applicability of the scheme.

The following section discusses previous batch signaturegeneration schemes and provides background to the basicconcepts. This is followed by a detailed description of ournew batch technique. We then analyse the security of thenew scheme and compare its efficiency to existing signa-ture protocols. Some potential applications of the new batchsignature scheme are also described.

2 Previous Work

As well as work on batch verification, there have beentwo main previous approaches to batch signature genera-tion. These are Fiat’s batch RSA approach [6, 7] and var-ious work on general batch exponentiation, particularly byM’Raı̈hi and Naccache [16]. We will look at these in turnin sufficient detail to compare their performance and prop-erties with our proposed technique.

2.1 Fiat’s Batch RSA

Fiat’s paper [6] appears to be the first to introduce thenotion of batched operations, and he applied the idea to thegeneration of RSA signatures [19]. The fundamental phi-losophy is to spread the computational complexity of one‘full-strength’ operation over many individual operations.

Fiat’s scheme requires that the signer has several privateexponents which are prime with respect to each other andrelies on multiplication to form a batch of messages forsigning. The batch signing process produces a number ofindividually signed messages that may then be forwardedto individual recipients in the usual manner. There are threestages in the batch signature procedure (which can also beused for batch RSA decryption).

Stage 1 The messages to be signed are combined using aseries of small exponentiations, defined by a tree struc-ture formed from the public exponents.

Stage 2 The combined message set is ‘signed’ with a fulllength exponentiation.

Stage 3 The message set is split up, again using the treestructure, to form the individual signatures.

The reader may gain the general idea of Fiat’s schemeby examining the signing process for two messagesm1 andm2, using respective exponentse1 ande2.Stage 1 Compute the product of the public keysE =e1e2, then combine the messages to formM =mE=e11 mE=e22 mod n.

Stage 2 Sign the batch of messages using one modular ex-ponentiation,S = M1=E mod n. Note thatS =m1=e11 m1=e22 mod n.

Stage 3 Split the signed batch into individual signatures.First find the unique valueX moduloE with X =1 mod e1 andX = 0 mod e2. Then one signature isme22 mod n = SX=(mX=e11 m(X�1)=e22 ) mod n, andthe other signature can be found asme11 mod n =S=me22 mod n. Note that the valueX is found usingthe Chinese remainder theorem, made possible as ex-ponents are relatively prime.

After the final step, the signed (distinct) messages may thenbe forwarded to recipients for individual verification undernormal RSA verification procedures. This basic approachmay be applied to any number of messages using a binarytree construction.

It is shown by Fiat that as the number of bitsjnj in theRSA modulus increases, the number of multiplications re-quired per message increases asO(log2 jnj). However, inpractice the modulus size is likely to be fixed, and we willbe more interested in how the performance varies with dif-ferent size batches. We now calculate a theoretical lowerbound on the computation required with Fiat’s scheme asthe batch size varies. This bound is sufficient to demon-strate the computational advantage of our scheme.

Before continuing, we provide a little more detail on thefirst step of the scheme. A binary tree is constructed whereeach messagemi and corresponding exponentei are as-signed to a leaf node (see the appendix for basic definitionsand terminology of binary trees). Each arcai connecting theleaf node to its parent node is assigned the exponent valueof its opposite leaf node (i.e. interchange exponents). In asimilar fashion, each arcai associated with internal nodesis assigned the exponentEi, whereEi is the product of allexponents assigned to arcs on the opposite branch.

Number of Total Length of Effective ModulusMessages Exponents in Stage 1 Per Message

5 31 21110 118 11420 400 7150 1734 5575 3194 56100 4872 59200 13035 70500 45243 92

Table 1. Lower bounds on computation forFiat’s scheme with modulus size of 1024 bits

Performance is best when the public exponents are takento be the firstb primes, whereb is the batch size, so we as-sume this case from now on. As is stated by Fiat, the num-ber of multiplications required in the first stage is minimisedby choosing the tree to minimiseW = Pbi=1 di log eiwheredi is the depth of the leaf node ofei. If we letT = Pbi=1 log ei then the setf(log ei)=T j1 � i � bgis a probability distribution and the tree defines a prefixfree code on any memoryless source withb symbols hav-ing this probability disttribution. Then by Shannon’s Noise-less Coding Theorem [4] the entropy,H , of that source is abound on the average codeword length (which is the averagevalue ofdi), and henceTH is a lower bound onW .

Table 1 shows how this estimate of the effective modu-lus size varies when the size of the RSA modulus used is1024 bits. The middle column shows that total length of allexponents used in stage 1, while the final column shows theeffective size modulus per message signed. It is interestingto note that the scheme is most efficient when the numberof messages is around 75, and in this case the total effortis roughly equivalent to 4 full signature calculations. Notethat in table 1 we have only included the first and secondstages (i.e. excluding the split-up phase) of Fiat’s scheme,so the effort shown is a conservative estimate. The effortin the third stage will usually be less than that of the firststage, and is shown by Fiat to be asymptotically (withjnj)the same as the first stage1.

The main points to note in comparison with Fiat’smethod and the proposed method are the following.� Our scheme is considerably more efficient for fixed pa-

rameter sizes in the signature, and the efficiency con-tinues to grow as the batch size increases.� Our scheme is applicable to all signature schemes with

1It seems more difficult to give a useful lower bound on the effort forthe third stage, and since it is not necessary for our comparison we ignoreit.

appendix, while Fiat’s is applicable only to RSA.� Our scheme has a small expansion (logarithmic in thenumber of messages) over the original signature size,while Fiat’s has no expansion. Fiat’s scheme, however,requires that verifiers know which verification expo-nent to use.� Both schemes allow signatures to be verified indepen-dently.� Both schemes are provably as secure as the originalsignature scheme with reasonable assumptions.

2.2 Batch Exponentiation Techniques

Because exponentiation is a fundamental computationalprocess for most public key cryptosystems, there has beenintense research in optimising exponentiation algorithms.M’Raı̈hi and Naccache [16], and also Naccacheet al. [17],have proposed methods to produce batch random exponen-tiations. (Similar algorithms are also due to Tsuruoka [21].)These can be used in ElGamal type signatures, such as theDigital Signature Standard (DSS) [5], and are particularlyuseful for low powered devices.

A major gain can be obtained from a straightforwardparallel square and multiply algorithm [16] which allowsall squarings (the main computational effort) to be sharedamongst any number of exponentiations. A number of moresophisticated techniques allow further substantial savings tobe made. Some tables showing typical performance [16]show that for batches of Schnorr signatures of size around100 savings of over 80% of computations can be made.

The main points to note, in comparison with batch expo-nentiation and the proposed method, are the following.� Our scheme is considerably more efficient for fixed pa-

rameter sizes in the signature, and the efficiency con-tinues to grow as the batch size increases.� Our scheme is applicable to all signature schemeswith appendix, while batch exponentiation is applica-ble only those requiring random exponentiations to thesame base, particularly ElGamal type signatures.� Our scheme has a small expansion (logarithmic in thenumber of messages) over the original scheme, whilebatch exponentiation can be used without changing theexisting signatures at all.� Both schemes allow signatures to be verified indepen-dently.� Both schemes are provably as secure as the originalsignature scheme (with reasonable assumptions in ourcase).

3 Proposed Batch Signature GenerationScheme

The method we propose may be used with trees that ac-commodate an arbitrary number of child nodes. It is notcleara priori that binary trees are always the best choice.However, we demonstrate below that if we wish to min-imise the length of the residue then binary trees are indeedthe optimal choice. Following on, we shall only considerthe binary tree approach.

As stated before, the method can be used with any sig-nature scheme with appendix. This includes all the mostpopular signatures schemes such as RSA and ElGamal typesignatures including the DSS (either in its original form oran elliptic curve variant). Any signature scheme with ap-pendix can be defined by two functions.Sign :M� Pri! SigThe functionSign takes any message from a message spaceM and any private key from the key spacePri and out-puts a signature in the spaceSig. If KA is the privatekey of entityA andm is any message, then we will denoteSign(m;KA) by SigA(m).V er : Sig �M� Pub! f0; 1gThe verification functionV er takes a claimed signature ona specific message and a public key, and outputs a booleanvalue which indicates whether the verification is satisfied(output 1) or unsatisfied (output 0).

For our scheme we require two collision resistant hashfunctionsh0 andh1. In fact, to minimise assumptions, wecan defineh0(x) = h(0jjx) andh1(x) = h(1jjx) for anycollision resistant functionh, where the symboljj denotesconcatenation of bit strings. This means that finding anyxandy with h0(x) = h1(y) gives a collision forh.

In order to generate the batch signature of a set of mes-sages, the hash of each message is placed at a leaf nodeof the tree. Each parent node is formed by concatenatingeach of its child nodes and hashing the result. Finally theroot node of the tree is signed using the ordinary signaturescheme on which the batch signature is based. In orderto prevent messages representing the internal nodes fromhaving valid signature (even though they would be randommessages) we use the functionh0 to hash the leaves and thedifferent functionh1 to hash the internal nodes.

Now, to form the batch signature of any individual mes-sage, consider the unique path from the node representingthe message to the root of the tree, found by taking the par-ent node of each node traversed. The batch residue for thatmessage consists of the sibling nodes of all nodes in thispath, together with their direction, which is a single bit de-notedL or R. An example with three messages is shown

in 1. In this example the residue ofm1 consists of the twonodes(h0(m2); R) and(h0(m3); R) while the residue form3 consists of the single node(h1(h0(m1)jjh0(m2)); L).

We now give a more formal treatment of the signaturegeneration and verification processes.

Suppose that the number of messages to be signed is2k+r for somer < 2k. Then the tree to be used will have2k � r nodes of depthk and2r nodes of depthk + 1. (Wewill justify below that this is the best choice of tree withreasonable assumptions.) The Kraft inequality [4] can beused to show that such a tree exists, and in fact this is thetree that will be built by the Huffman code [4] with2k + rsymbols if all symbols are equally likely.

The signer must assign the hash of each message (arbi-trarily) to a leaf node. Then all the internal nodes are as-signed their values so that a node with left and right childnodesN1 andN2 respectively, has valueh1(N1jjN2). Allthe required hashes can be calculated in a single tree build-up phase. Once the value of the rootM has been foundit can be signed to form the batch signature by userA asS = SigA(M).

If the node for messagemi has depthdi then its residueconsists of the valuesr1; r2; : : : ; rdi which can be found asfollows. The direction of a nodeN is denoted bydir(N)and the sibling node ofN is denotedsib(N). := h0(mi)

for j := 1 to didor := sib( )if dir( ) = L then := h1( jjrj)else := h1(rj jj )od

(Note that the formation of a specific batch residue is merelya selection process after the tree build-up phase.) The batchsignature for messagemi is then the following sequence.S; r1; dir(r1); r2; dir(r2); : : : ; rdi ; dir(di)

We will consider the overhead caused by the use of thebatch signature below. Verification of a claimed signatureT; s1; t1; s2; t2; : : : ; sd; td of userA with public keyKAconsists of the following procedure. := h0(m)

for j := 1 to ddoif tj = R then := h1( jjsj)else := h1(sj jj )od

h0(m1) h0(m2) h0(m3)h1(h0(m1)jjh0(m2)) h1(h1(h0(m1)jjh0(m2))jjh0(m3))Figure 1. Batch tree

Then, using the verification procedure for the ordinary sig-nature,V er(T; ;KA) is evaluated, to give the result of theverification of the batch signature.

4 Analysis of Batch Signature Scheme

In this section we consider the security and efficiencyissues surrounding our new proposed scheme.

4.1 Security Analysis

As long as we assume that the hash functionh used in theconstruction of the signature scheme is collision resistantthen the following result can be easily proved.

Lemma 1 If the ordinary signature scheme used as thebasis for the batch signature is secure against existentialforgery with an adaptive chosen signature attack then so isthe batch signature scheme.

Lemma 1 can be proven by observing that a forgery of anew tree root implies an existential forgery for the ordinarysignature. So the only possible forgeries must leave the rootunchanged. However it can be seen that the tree values can-not be changed because any new value away from the rootleads to a collision at the parent node. Finally we note thatthe tree cannot be truncated to change an internal node intoa leaf because, for this to be a valid forgery, there must be avaluesx andy with h0(x) = h1(y) which is again a colli-sion forh. This is essentially the same argument as for thesecurity of Merkle’s authentication trees [15].

There are variants of both RSA [3] and ElGamal [18] sig-nature which are known to be secure against adaptive cho-sen signature attacks in the widely accepted random oraclemodel. It follows that there are practical implementationsof the batch signature that are provably secure in this sense.

4.2 Efficiency of Batch Signature

To quantify the efficiencies of the batch signature tech-nique we now consider the computational costs, and the

communications and storage requirements of the generatedbatch signature. We first show that binary trees are the bestchoice, based on the assumption that the most importantissue is to minimise the average size of the batch residue.Note that adding more child nodes to every node results ina longer average batch residue but reduces the number ofhashes required for both signer and receiver. We expect thatin most applications a few extra hash values will be less im-portant than an increased signature size, but if this is not thecase then non-binary trees could be considered.

Lemma 2 Use of a binary tree minimises the average sizeof the batch residue.

Proof sketch We can show that reducing the number ofbranches from any node reduces the average residue size.Consider, for example, a node which is the parent of threeleaf nodes. Each leaf node must include the other two in itsresidue so for this subtree each node carries a residue of twohash values. By replacing this subtree with a binary subtree(see figure 2) the single node only requires one hash in itsresidue while the other two nodes still require only two, andthus the average size of the residue is reduced.

Given that a binary tree will be used there are still manydifferent trees possible. It seems likely that in most applica-tions it will be desirable to minimise the average size of thebatch residue. This is the same as minimising the averagedepth of the leaves of the tree, and is achieved by using theHuffman construction mentioned in section 3 which makesthe tree as balanced as possible. Recall that the residue con-sists of hash values, whose length we denotejhj, and thedirection which is a single bit denoting right or left. Thenas stated before, there are2k � r leaf nodes of depthk and2r leaf nodes of depthk + 1. Since the depth of the leafnode determines exactly the number of nodes in the residuethe following result can be easily derived. Note in particularthat the size of the residue increases only asO(log b) for bsigned messages.

h0(m1)h0(m1) h0(m2)h0(m2) h0(m3)h0(m3) h1(h0(m1)jjh0(m2))h1(h1(h0(m1)jjh0(m2))jjh0(m3))h1(h0(m1)jjh0(m2)jjh0(m3))Figure 2. Reduction of hash residue with binary tree

Lemma 3 The average size of the batch residue is�k + 2r2k + r� (jhj+ 1)It is interesting to note that there may be applications in

which it is desirable to minimise the batch residue size forcertain signatures at the cost of increasing it for others. Inthis event batch signatures may still be used but an alterna-tive tree can be built. A simple way to do this would be touse the Huffman algorithm again, but instead of assigningall messages the same probability as before, one or moremessages may be assigned a high probability, and the oth-ers smaller probabilities. Of course this will increase theaverage residue size, but will have little effect on computa-tion.

With regard to computational efficiency the main obser-vation is that for the signer only one ordinary signature gen-eration is required no matter how large the batch is. Theonly additional computation required is dictated by the hashtransformations for tree building. It can be seen that to signup to2k messages no more than2k+1 hashes are required,or 2 hashes per signed message. For all known signatureschemes a hash computation can be regarded as trivial incomparison to the modular exponentiation of signature gen-eration. Therefore, we claim that for the signer the compu-tational cost can be regarded as almost constant in the num-ber of messages signed for any reasonable batch size.

For the signature verifier the extra computation requiredis one hash for every node in the batch residue. As remarkedabove, this number is not more than the base 2 logarithmof the size of the batch. Even for quite large batch sizesthis is a minor additional cost compared with the effort ofsignature verification. Even for RSA verification with smallexponents, batch sizes up to a thousand will not cause amajor increase in verification time.

5 Discussion

In the previous sections we have presented a new batchsignature generation scheme that uses efficient tree con-struction to minimise the batch signature size. The schemeis able to produce multiple signatures simultaneously onmultiple messages, in a manner that allows each messageto be independently verified by unrelated recipients. Wehave demonstrated that the signing effort required is signifi-cantly improved, with batches of hundreds, or even thou-sands of messages, being quite practical. We have alsoshown that security is equivalent to the ordinary digital sig-nature scheme employed.

An important feature of the proposed new scheme is thatthe signature scheme allows for independent verification ofeach signed message while there is no restriction for batchverification of multiple messages. This provides many op-portunities for applications in electronic commerce wheresigned authorisations are currently viewed as a necessarycomputational burden. Two example applications are forsignatures of servers in payment schemes and batch pro-cessing of coins.

Many electronic commerce payment schemes, such asSET [20], include a payment authorisation server (thepay-ment gatewayin SET) in their architecture, whose job is toauthorise payments for multiple merchants. These serversare likely to receive large numbers of requests almost simul-taneously. Use of batch signature generation would have asignificant effect in reducing delay and minimising the du-plication of server machines.

Anonymous cash schemes [2] are computationally ex-pensive for all parties involved. However, the worst com-putational burden is carried by the bank which needs tosign each coin withdrawn for every customer. (It shouldbe remembered that all practical off-line anonymous cashschemes use ‘single term’ coins which can be spent onlyonce). Batch signature generation allows for multiple coinsto be signed together. This will allow for linking of thebatch of coins (thereby weakening the anonymity) in return

for a major saving in computational costs at the bank.

A Binary Trees

A binary tree(see figure 3) has a unique root node. Allother nodes have a uniqueparentnode, while all nodes havezero or twochild nodes. A node with zero child nodes iscalled aleafnode. Pairs of nodes which share the same par-ent are calledsibling nodes. Note that each non-root nodehas a unique sibling node. We need to distinguish any twosiblings and so we assign each node the directionleft orright. Each node, except the root node, is connected to itsparent node via anarc. The number of edges traversed inthe shortest path from a node to the root is called thedepthof the node.

Root Node

Right Child of Root Node

Pair of Sibling Nodes

Figure 3. Binary tree

References

[1] M. Bellare, J. A. Garay, T. Rabin, Fast Batch Verifi-cation for Modular Exponentiation and Digital Signa-tures, Proceedings of Eurocrypt’98, LNCS, Vol. 1403,Springer-Verlag, 1998.

[2] Stefan Brands, Untraceable Off-line Cash in Walletswith Observers. In Advances in Cryptology - Proceed-ings of Crypto ’93, LNCS, Springer-Verlag, volume773, pp 302-318, 1993.

[3] M. Bellare, P. Rogaway, The exact security of dig-ital signatures: How to sign with RSA and Rabin,Advances in Cryptology - Eurocrypt 96 Proceedings,Lecture Notes in Computer Science, Vol. 1070, U.Maurer ed., Springer-Verlag, 1996.

[4] T.M.Cover and J.A.Thomas, Elements of InformationTheory, Wiley, 1991.

[5] NIST, Digital Signature Standard (DSS), FIPS FederalRegister, Vol. 56, No. 169, 1991.

[6] Amos Fiat, Batch RSA, Crypto 89, Lecture Notes inComputer Science, Vol. 435, Springer-Verlag, 1990,pp. 175-185.

[7] Amos Fiat, Batch RSA, Journal of Cryptology, Vol-ume 10, Number 2, pp75-88, Spring 1997.

[8] L.Harn, New digital signature scheme based on dis-crete logarithm, Electronic Letters, Vol. 30, 5, pp.396-398, 3 March 1994.

[9] L. Harn, DSA type secure interactive batch verifica-tion protocols, Electronic Letters, Vol. 31, 4, pp.257-258, 16th Feb 1995.

[10] L. Harn, Batch verifying multiple DSA-type digitalsignatures, Electronic Letters, Vol. 34, 9, pp.870-871,30th April 1998.

[11] L. Harn, Batch verifying multiple RSA digital signa-tures, Electronic Letters, Vol. 34, 12, pp.1219-1220,11th June 1998.

[12] C. H. Lim, P. J. Lee, Security of interactive DSAbatch verification, Electronic Letters, Vol. 30, Issue19, pp.1592-1593, 16 February 1994.

[13] Alfred J. Menezes, Paul C. Van Oorschot, Scott A.Vanstone, Handbook of Applied Cryptography, CRCPress, (1996).

[14] R.C. Merkle, Method of Providing Digital Signatures,U.S. Patent No. 4,309,569, 5 Jan 1982.

[15] R.C. Merkle, A Certified Digital Signature, Advancesin Cryptology - Crypto’89, pp.218-238, Springer-Verlag.

[16] D. M’Raı̈hi, D. Naccache, Batch Exponentiation -A fast DLP based signature generation strategy, 3rdACM Conference on Computer and CommunicationsSecurity, ACM, 1996.

[17] D. Naccache, D. M’Raı̈hi, D. Raphaeli, S. Vaudenay,Can DSA be improved?: complexity trade-offs withthe digital signature standard, Proceedings of Euro-crypt’94, pp.85-94, 1994.

[18] D. Pointcheval and J. Stern, Security Proofs for Sig-nature Schemes, Advances in Cryptology - Euro-crypt’96, pp.387-396.

[19] R. L. Rivest, A. Shamir, L. Adleman, A method forobtaining digital signatures and public key cryptosys-tems, ACM, Vol. 21, No. 2, pp.120-126, 1978.

[20] SET Protocol Specifications (1997): Book 1: Busi-ness Description, Book 2: Programmer’s Guide. Ver-sion 1.0, Mastercard & Visa, 1997.

[21] Y.Tsuruoka, A Fast Algorithm on Addition Sequence,JWISC’93, 1993. (Cited in [16].)

[22] Yacov Yacobi, Michael J. Beller, Batch Diffie-Hellman Key Agreement Systems and their Applica-tion to Portable Communications, Proceedings of Eu-rocrypt’92, Vol. 658, pp.208-217, 1992.

[23] Yacov Yacobi, Michael J. Beller, Batch Diffie-Hellman Key Agreement Systems, Journal of Cryp-tology, Volume 10, Number 2, pp.89-96, Spring 1997.

[24] S. Yen, C. Laih, Improved Digital Signature Suitablefor Batch Verification, IEEE Transactions on Comput-ers, Vol. 44, No. 7, pp.957-959, July 1995.