The computation complexity and communication complexity are two prime factors related to energy consumptions of an RFID system. Since the larger bits of communication and computation need higher energy consumption, it is certainly welcome if the computation complexity and communication complexity of an RFID system are low while security and privacy of the system are achieved in a desired level. This leaves an interesting research problem when an RFID is used for identifying tags: given sigmai=(mi, idi, f(ki, mi, idi)), where f is a cryptographic primitive (say, a message authentication code, or a digital signature scheme), and ki is a secret key shared between tag Ti and a processor P (i = 1,... ,1), we ask whether there exists an efficient polynomial time algorithm g such that on input f(ki, mi), it outputs an aggregate of message authentication codes (or signatures) T (T =Delta g(f(k1, m1),..., f(kl, ml))) such that the size of T is independent of I while the computation complexity of g is as lower as possible; furthermore, the validity of individual attestation can be checked efficiently given T? Since an attestation can be produced by a message authentication scheme or a digital signature scheme, we consider the following two cases separately: - Aggregating symmetric attestations (or message authentication codes): we define g(f(k1, m1), , f(kl, ml))= f(k1, m1) otimes ... otimes f(kl, ml), where f is any secure message authentication algorithm and otimes is a simple operator suitable for software implementation (e.g., XORing, modulo addition and multiplication). - Aggregating asymmetric attestations (or digital signatures): we define a function g for aggregating asymmetric attestations that is admissible to the algebraic structure of underlying one-way functions and otimes is a simple operator suitable for software implementation (e.g., XORing, modulo addition and multiplication). We show that 1) assuming the existence of a cryptographically secure message authentication code, there exists efficient implementation of aggregate symmetric-attestation protocols; and 2) assuming the RSA problem is hard, there exists efficient yet secure implementation of aggregate asymmetric-attestation protocols.