Proceedings of the IASTED International Conference
Parallel and distributed Computing and Systems
November 3-6, 1999 MIT, Boston, USA
A BATCH-VERIFYING ALGORITHM FOR
MULTIPLE DIGITAL SIGNATURES
XIAOJUN SHEN
ZHIJUN LIU
LEIN HARN
Computer Science Telecommunications Program
University of Missouri-Kansas City
5100 Rockhill Road
Kansas City, MO 64110
harn@cstp.umkc.edu
xshen@cstp.umkc.edu
YONGMIN LOU
500E 8th, Rm 350
Kansas city, MO 64106
ylou@cstp.umkc.edu
scheme can also be found in the Elliptic Curve signature
scheme.
ABSTRACT- Instead of linearly verifying each
individual signature one by one, the batch-verifying
algorithm allows verifier to verify multiple signatures at
once. In this paper, we develop a batch-verifying
algorithm for identifying all invalid signatures in a batch
with length n. Our analytical analysis shows that this
algorithm needs only Min(2n-1, 2k(log n - logk) + 2k –
1) operations, where k is the number of invalid signatures
among the n signatures. Thus, it is more efficient than
the linear-verifying algorithm when k < 0.5n/logn, and it
needs at most 2n-1 operations even under the worst
scenario.
Digital signatures are used to authenticate messages
and to provide certificates for public keys. For example,
the RSA signatures have been adopted by VISA and
MasterCard in the secure electronic transactions (SET)
standard [4] for providing security of electronic transfer
of credit and payment information over the Internet.
Since public-key cryptography requires intensive
computation, it is desirable to speed up signature
signing/verification by using either a cryptographic
hardware accelerator or using an efficient software
algorithm. Very recently, algorithms for batch-verifying
were proposed for RSA signature [5] and DSA-type
signature [6]. Instead of verifying each individual
signature separately, these algorithms allow verifier to
verify multiple signatures simultaneously. Since this
approach maintains the same computational load as for
verification of a single signature, a significant reduction
in time for signature verification can be achieved. The
application of these algorithms can be found in the
security gateways that require verifying of X.509 publickey certificates signed by a limited number of certificate
authorities (CAs).
KEY WORDS- batch verification, binary trees,
digital signatures.
1. INTRODUCTION
At present, there are two popular public-key
algorithms which provide digital signatures: the RSA
scheme [1] and the ElGamal signature scheme [2]. The
RSA scheme makes use of the difficulty of factoring a
large integer into a product of two large prime numbers,
and the ElGamal signature scheme makes use of the
difficulty of solving the discrete logarithm problem over
GF(p), where p is a large prime integer. Recently, the
Elliptic Curve digital signature scheme, in which the
difficulty of breaking the scheme is based on solving the
discrete logarithm problem over an Elliptic Curve, has
been included in the IEEE p1363 working project [3].
General speaking, the Elliptic Curve signature scheme is
designed based on the ElGamal signature scheme. In
other words, major properties of the ElGamal signature
302-277
Assuming there are n individual signatures, s1, s2,
…, sn, in a batch, an important question in implementing
these batch-verifying algorithms is how to identify
invalid signatures efficiently? (They may occur due to
transmission/storage error.) In the next section, we will
propose a binary tree-searching algorithm for this
question. Its performance depends on the number k of
invalid signatures and their distribution among the n
-1-
signatures. Compared with the linear-verifying algorithm
that needs n operations, our algorithm needs only
Min(2n-1, 2k(log n - logk) + 2k – 1) operations. Thus,
it is more efficient than the linear-verifying algorithm
when k < 0.5n/logn. For a large k, this algorithm may
need slightly more operations. However, it never needs
more than 2n-1 operations even under the worst scenario.
if(signatureVerify(s[first], issuer.publickey.value))
{/* Function SignatureVerify() deploys general
* signature verification procedure. It returns 0 while
* the signature is valid, 1 while the signature is
* invalid.
*/
status[first] = 1;
return 1;
}
else return 0;
This paper is organized as follows. Section 2
presents the algorithm; Section 3 presents a detailed
analysis of this algorithm; and Section 4 concludes this
paper.
}
/* Step 1: calculate the product of all the signatures */
Product = Productof Signatures(s[], first, last);
/* Step 2: verify the product through single signature
* verification procedure.
*/
If(SignatureVerify(product, issuer.publickey.value))
{/*At least one of the s[] is wrong. */
return (BatchSignatureVerify(s, first, (first+last)/2,
status)+BatchSignatureVerify(s,
((first+last)/2+1), last, status));
}
else return 0;
}
2. THE BINARY TREE-SEARCHING
ALGORITHM
Assume that s1, s2, …, sn, are n signatures signed by
the same entity, for instance, a CA who issues public
key certificates to its clients. By using the batch
verification criterion as proposed in [5, 6], these n
signatures can be verified at once. Only one operation is
needed if all signatures are valid signatures. If there are
more invalid signatures in the batch, one operation is not
enough. Based on the classical binary-search approach,
an efficient algorithm to identify these invalid signatures
is given below. This algorithm divides the signature
batch into two subarrays, s1, s2, …, sn/2 and sn/2 +1,…,
sn, and applies a batch verification criterion on each
subarray again. It uses the divide-and-conquer procedure
recursively until all invalid signatures have been
identified. We will analyze its performance in the next
section.
3. COMPLEXITY ANALYSIS
Theorem 1.
Let n be the number of elements in the
array s, and k  n be the number of faulty elements in the
array. The number of SignatureVerify operations in the
Binary Tree-Searching Algorithm is upper bounded by
2k (log n - log k) +2k - 1.
Proof. Any execution of the algorithm can be modeled
by a binary tree, in which each node represents a
SignatureVerify operation. (Let us simply call it
operation.)
Binary Tree-Searching Algorithm
int BatchSignatureVerify(const signature s[], int first,
int last, const Issuer & issuer, int status[])
{/* This function is used to verify multipl signatures
* generated by the same entity who is identified by
* the issuer.
* s[]: signatures needed to be verified in a batch;
* first: index of the starting s[];
* last: index of the ending s[];
* issuer: stores issuer’s information, who generates s[];
* status[]: store verification status of s[]; 0; valid,
* 1: invalid;
* return value:
* 0: all s[] are valid; >0: number of failed certificates.
* All status[] are initialized as 0 before passed into the
* function;
*/
Signature
* product;
if (first = = last)
{
If a node is an internal vertex, then its two subtrees
represent recursive executions on the two subarrays
divided at this node. From the algorithm, we can assume
that m/2 elements are there in the left subtree, and
m/2 elements in the right subtree under an internal
node of m elements. If a node is a leaf, we color the leaf
based on the following two cases:
(1) A leaf is marked black if the result of the operation
identifies a single fault at this leaf. Obviously, there
are exactly k black leaves.
(2) A leaf is marked white if the result of the operation
finds no faults. Obviously, there is no need to do
further search from this node, no matter how many
elements are involved in this operation.
Now, we prove the theorem by induction on k.
-2-
2ilogn/2 + 2(k - i) logn/2 - 2(ilogi + (k - i)log(k - i)) + 2k - 1
Basis, k = 1.
In the worst case, the single fault is always contained in
the larger subarray when an array is splitted into two
subarrays at a node. Fig. 1 illustrates this situation.
 2k log n/2  - 2(ilog i + (k - i)log(k - i)) + 2k – 1.
From Calculus, it is easy to show that
(ilog i + (k - i)log(k - i))  klog(k/2).
n elements
n/2 elements
Therefore, the total number of operations is
 2k log n/2  - 2klog(k/2)+ 2k – 1
n/4 elements
= 2k log n/2  - 2klog k + 4k – 1.
If we can show  log n/2  = log n -1,
then the total number of operations will be
 2k( log n - 1) - 2klog k + 4k – 1
n/2p elements
Fig. 1. AN ILLUSTRATION OF BINARY SEARCH TREE WITH K
= 1.
= 2k( log n - log k) + 2k – 1,
Because n/2p = 1, p = log n .
Therefore, the total number of operations is
2p + 1 = 2log n + 1.
The theorem is true for k =1.
and the induction will be done.
Thus, let us prove
 log n/2  = log n -1.
Let n = 2p + m, 0  m  2p .
Induction step.
Suppose that for any k-1 or less faulty elements, the
theorem is true, we will show that it will be true for k
faulty (k 2) elements also. After the first operation, we
have two cases:
If m = 0,  log n/2  = log 2p-1 = p – 1 = log n - 1.
If m > 0,  log n/2  = log(2p+m)/2
= log 2p-1+m/2  = p
=(p +1)–1
= log n - 1.
Case 1. Both left and right subtrees have faulty elements.
Therefore, the claim is true.
We assume there are i faulty elements in the left
subtree and (k-i) elements in the right subtree. Fig. 2
illustrates this case.
Case 2. The left subtree of the root has no faulty
elements.
In this case, we need only search the right subtree.
Soon or later, we will arrive to a node whose both
subtrees have faulty elements. We can assume that after
p operations, we arrive to this node x. Fig. 3 illustrates
this situation.
i faults
(k - i) faults
n elements
Fig. 2. AN ILLUSTRATION OF CASE 1.
w
p operations
w
By induction, the number of operations to search all
faulty elements in the left tree is
2i( log n/2  - log i) + 2i – 1;
in the right tree is
2(k – i)( log n/2  - log(k - i)) + 2(k – i) – 1;
and at the root is 1.
x
w
i faults
Thus the total number of operations is
n/2p elements
(k - i) faults
Fig. 3. AN ILLUSTRATION OF CASE 2.
-3-
The node x has n/2p elements. From case 1, the
total number of operations on the tree rooted at x is upper
bounded by
has n leaves, all of which are black. From Graph Theory,
this tree has (n-1) internal vertices [7]. Therefore, the
number of operations is bounded by 2n-1.
2k( log  n/2p   - log k) + 2k – 1.
4. CONCLUSIONS
Since there are p operations at internal nodes before node
x, plus the p operations for the p white leaves outside the
tree of x, the total number of operations is upper bounded
by
2k( log  n/2p   - log k) + 2k – 1 + 2p
This paper presents a binary tree-searching
algorithm for batch-verifying n signatures, and a detailed
analysis of this algorithm. Compared with the linearverifying algorithm that needs n operations, this
algorithm needs only Min(2n-1, 2k(log n - logk) + 2k –
1) operations. It is more efficient than the linearverifying algorithm when k < 0.5n/logn. For a large k,
this algorithm may need slightly more operations, but
never needs more than 2n-1 operations even under the
worst scenario.
= 2k( log n - p – log k) + 2k – 1 + 2p
< 2k( log n - log k) + 2k – 1.
From theorem 1, we conclude that when k is a
small number, the number of operations is in the order of
O(logn). Thus batch verification is much faster than the
linear verification. When k is not small, but k < 0.5n/log
n, from Theorem 1, the number of operations is still less
than n, meaning that this algorithm is still better than the
linear search.
REFERENCES
[1] R. L Rivest, A. Shamir, and L. Adelman, A method
for obtaining digital signatures and public-key
cryptosystem, Commun. ACM, 1978, 21, (2), 120126.
[2] T. ElGamal, A public-key cryptosystem and
signature scheme based on discrete logarithms,
IEEE Trans. Inform. Theory, 1985, IT-31, 469-472.
[3] IEEE P1363: Standard Specifications For Public
Key
Cryptography,
http://grouper.ieee.org/groups/1363/.
[4] SET
specification,
http://www.setco.org/set_specifications.html..
[5] L. Harn, Batch verifying multiple RSA digital
signatures, Electronics Letters, Vol. 34, No. 12, June
1998, 1219-1220.
[6] L. Harn, Batch verifying multiple DSA-type digital
signatures, Electronics Letters, Vol. 34, No. 9, April
1998, 870-871.
[7] R. Johnsonbaugh, Discrete Mathematics, (Prentice
Hall, fourth edition, 1997) 408.
For a large k, the bound given by Theorem 1 may
not be in favor of the batch verification. However, even
for a large k, we claim that the performance of this
algorithm is not bad. Theorem 2 shows that the number
of operations used by the batch verification will never
needs more than 2n-1 operations.
Theorem 2.
Let n be the number of elements in the
array s, and k  n be the number of faulty elements in the
array. The number of SignatureVerify operations is upper
bounded by Min(2n –1, 2k (log n - log k) + 2k – 1).
Proof. From Theorem 1, we need only to show that in
any case, the number of operations will be bounded by
2n-1. It is obvious that the worst case occurs when all
elements are faulty, because the binary tree for this case
contains maximum number of nodes. The binary tree of
any other case is a subtree of this tree. This binary tree
-4-