For the protocol BGP (Border Gateway Protocol) used for exchanging routing information on the Internet, several attacks with forged routing information have been threats to real-world systems. This is caused by the lack of functionality in plain BGP to verify the routing information. For the protocol BGPsec, an extension of BGP, functionality has been implemented to verify the origin of routing information as well as the actual transmission path. Here, for the latter functionality of verifying the transmission path (AS path validation), there is an issue of heavily increasing memory consumption caused by a large number of signatures. It is expected that the technology of aggregate signatures, which can gather individual signatures into a single signature to be verified, could be applied to efficiently detect forged routing information by gathering signatures generated by all the routers on an actual path. However, the existing specification of functionality for aggregate signatures is in fact not sufficient for either functionality or security in the application to BGP.

For this problem, the present paper proposes a notion of bimodal aggregate signatures as a new variant of aggregate signatures suitable for use in BGP, and provides for concrete construction. The paper also proposes a protocol named APVAS (AS path validation based on aggregate signature) for efficient AS path validation based on the aforementioned scheme. Furthermore, the authors of the paper implemented their proposed protocol and report in the paper that their efficiency evaluation experiment focused on real-world conditions has shown that memory consumption has been decreased to about 20% compared to the previous solution.

For aggregate signatures, the notion itself was already proposed in the early 2000s, and in addition to theoretical study, practical applications such as the use in autonomous vehicles have been investigated. The principal advantages of the present paper include the novel viewpoint of focusing on the urgently important topic of protection against forgery attacks on the Internet and, more remarkably, that the result has both theoretical and practical values in high quality by specifying the requirements for aggregate signatures, constructing an aggregate signature scheme with the requirements, performing prototypical implementation of the proposed scheme (which is publicly available), and executing experimental efficiency evaluation. In the area of so-called advanced cryptosystems including aggregate signatures, the effective deployment of theoretical work to society has been a central subject. It is expected that the present paper will be a successful example of this subject in the future.