文献翻译原文

原文：(ItcomesfromCarltonR.Davis.IPSEC:SecuringVPNS.北京：清华大学出版社，2002)CryptanalysisandImprovementofDigitalMultisignatureSchemeBasedonRSASULi(粟栗)CUIGuohua(崔国华)CHENJing(陈晶)YUANJun(袁隽)SchoolofComputerScienceandTechnology,HuazhongUniversityofScienceandTechnology,Wuhan430074,ChinaAbstractZhangeta.lproposedasequentialmultisignatureschemebasedonRSA.Theschemehasadvantagesoflowcomputationandcommunicationcosts,andsoon.However,wefindaproblemintheirschemethattheverifiercannotdistinguishwhetherthemulti-signatureissignedbyallthesignersofthegrouporonlybythelastsigner.Thus,anysinglesignaturecreatedbythelastsignercanbeusedasamultisignaturecreatedbythewholegroupmembers.Thispaperproposesanimprovedschemethatcanovercomethedefect.Inthenewscheme,theidentitymessagesofallthesignersareaddedinthemultisignatureandusedinverificationphase,sothattheverifiercanknowthesignatureisgeneratedbywhichsigners.Performanceanalysisshowsthattheproposedschemecostslesscomputationthantheoriginalschemeinbothsignatureandverificationphases.Furthermore,eachpartialsignatureisbasedonthesigner’sidentitycertificate,whichmakestheschememoresecure.Keywords:Digitalmultisignature;Sequentialmultisignature;RSAcryptosystem;CryptanalysisIntroductionMultisignatureisajointsignaturegeneratedbyagroupofsigners.Thegrouphasasecuritypolicythatrequiresamultisignaturetobesignedbyallgroupmemberswiththeknowledgeofmultipleprivatekeys.Digitalmultisignaturesshouldhaveseveralbasicproperties[1]:(1)Multisignaturesaregeneratedbymultiplegroupmemberswiththeknowledgeofmultipleprivatekeys.(2)Multisignaturescanbeverifiedeasilybyusingthegrouppublickeywithoutknowingeachsignerspublickey.(3)Itiscomputationallyinfeasibletogeneratethegroupsignaturewithoutthecooperationofallgroupmembers.In2003,Zhangeta.l[2]proposedasequentialmultisignatureschemebasedonRSA,inwhichallthesignersuseacommonmodulus.Theschemehastheadvantagesoflowcomputationandcommunicationcosts,andcanresistforgeryandcoalitionattacks.Thedifficultyofbreakingthesystemisequivalenttothatoffactoringalargeintegerintoitstwolargeprimefactors.However,ourcryptanalysisofZhangeta.l’sschemefindsaseriousproblem;thatisaultisignatureisverifiedbyusingthelastsigner’spublickeyinsteadofthegrouppublickey.Asaresulttheverifiercannotdistinguishwhetherasignatureissignedbyagroupofsignersoronlybythelastsigner,whichviolatesthebasicpropertiesofsequentialmultisignature[1,3,4].Therefore,weproposeanimprovementschemetoovercomethisdefectinthispaper,sothattheverifierknowswhohavecreatedthemultisignature.Performanceandsecurityanalysesshowthatthenewschemenotonlykeepstheadvantagesoforiginalcheme,butalsosatisfiesthedefinitionofmltisignatureandismoresecure.1ReviewofZhangeta.lsSequentialMultisignatureScheme1.1SysteminitializationFirsttheTrustCenter(TC)selectstwolargeprimpandq,andcomputestheRSAmodulusn=pq.Then,TCselectsarandomnumberasthepublickeywhichmakesgcd(e,)=1,wheregcd(·)isthegreatestcommondivisorfunction,=(p-1)(q-1),and1<e<.Finally,TCcomputestheprivatekeydwhichmakesed≡1mod((n)).Inthemeanwhile,TCpublishesthepublickey(n,e)andkeeps(d,p,q)secretly.Define(i=1,2,…,k)tobethesignerwhohasaexclusivecertificate(i=1,2,…,k),whereispublic,andMthemessagetobesigned.TCcomputesandforeverysigner,andsendsthecertificatetoeachsignerthroughasafechannelwhereH(·)issecurehashfunction,whichgeneratesafixedlengthidentityinformationfromthecertificate,andistheprivatekeyofthesigner.Then,thecorrespondingsignerverifiesthevalidityofthecertificatethroughtheformula,andkeepsasasecretkeyiftheformulaholds.1.2GeneratingpartialsignatureofsequentialmultisignatureAsapreparationforgenerationofpartialsignatures,TCpublishestheorderofsignersthroughtheiridentity().Step1ThesignerU1selectsarandomnumberandcomputes,,,,WhereisthecommitmentofU1;m1bindsthecommitmentandplaintextbyhashfunction;(D1,f1)isthesignatureof.ThenthesignerU1sendsthepartialsignaturetothesigner.Step2Byanalogy,ifthe(i-1)thpartialsignatureisright,(2≤i<k)createstheithsignature.Heselectsarandomnumberandcomputes,,,.Thensendsthepartialsignaturetothesigner.computes=H(),,.verifiesthevalidityoftheithpartialsignaturebycomparingthevalueofwith.Thepartialsignatureisrightifequalsmi;otherwiseitiswrong.Step3createsthenextpartialsignature.Theaboveprocessisrepeateduntillthesignercreatesthesignatureandsendsittomultisignaturereceiver.Thereceivercomputes,,.verifiesthethesignaturevaliditybycomparingwith.Thefinalmultisignatureis.2CryptanalysisofZhangeta.l’sSequentialMultisignatureSchemeWhenthereceiverusesthesignature,heshouldconvincethethirdpartythatitwascorrectlysignedbytheksigners.Thethirdpartycomputesand,andverifiesthevalidityofthemultisignaturebyjudgingwhetherequation〕holdsornot.Thesignatureisverifiedbyusingonlythe’spublickeyinsteadofthepublickeyofksigners.Hence,thethirdpartycannotdistinguishwhetherthesignatureissignedbyksignersoronlybythekthsigner.Ifthesignerwantstoconvincethethirdparty,hemustuseallsigners’publickeytoverifythemultisignature.Althoughcanbecalculatedinpublictoshowthatthemultisignatureissignedbytheksigners,buttheverifierhastoknowallthekpartialsignatures,whichviolatesthedefinitionofsequentialmultisignature.Thecomputationamountofverificationincreaseslinearlywiththenumberofsigners.Therefore,weproposeanimprovedschemehereinaftertosolvethisproblembasedontheschemesinRefs.[2,5,6,7].3ImprovedSequentialMultisignatureSchemeBasedonRSA3.1InitializationphaseSignerselectsarandomnumber,computes,andsendstothe.Similarly,everysignerselectsarandomnumber,computesandsendstosigner.Atlast,computes,andsendstoreceiver.Then,computesm=H(M,)andpublishesm.3.2GeneratingpartialsignatureofsequentialmultisignatureStep1Signerusestherandomnumberandcomputes.Becausehassenttothesignerininitializationphase,heonlysendstonow.computesand,andverifies(,)bycomparingwithT1.Thepartialsignatureofisrightifequals.Otherwise,itiswrong,andrequirestoresignuntilthepartialsignaturesatisfiestheverificationequation.Step2Assumingthatthe(i-1)thsignatureisright(1<i<k),createstheithsignatureas.Thensendsthepartialsignaturetothesigner.computes,,and.verifiesthevalidityofbycomparingwith.Step3Signercreatesthenextpartialsignature.Theaboveprocessisrepeateduntilsignercreatesthelastpartialsignatureandsendsittothemultisignaturereceiver.computes,,and.verifiesthevalidityof(,)bycomparingwith.Thefinalmultisignaturesignedbyksignersis(,,m).3.3TestifyingvalidityAnyonecanverifythevalidityofthemultisignaturebycomputingandcomparingwith.Ifequals,themultisignaturesignedbytheksignersisright.ProofFromthesequentialsignatureprocess,itisknownthatWhenthereceiverorthethirdpartyverifiesthemultisignature,hecomputesBecause,wehave。ThenThemultisignatureisrightifandonlyifequals.4SecurityAnalysisZhangeta.l[2]analyzedthesecurityoftheiroriginalschemeindetailHere,weonlyanalyzethesecurityrelatedtothemodifiedpart.(1)Theverifierknowsthesignerofthemultisignature.Intheimprovedscheme,thecertificateofeachsignerhasbeenpublished,andtheverifiermustuse,,…,tocomputeforverification,sohecandistinguishwhetherthesignatureissignedbyksignersoronlybythekthsigner.(2)Thepublicationofininitializationphaseissecure.InZhangeta.l’soriginalscheme,istranslatedsequentiallybetweensigners.Here,iscomputedininitializationphase.Evenanattackerknowsandcancomputethevalueof,buthecannotgetfrom.(3)Themultisignaturecanresistforgeryattack.Iftheattackerwantstoforgethepartialsignatureof,hemustforgeavalidsatisfyingtheverificationformula.However,ispublishedininitializationphaseandcannotbeforged,sohemustmakeathatsatisfiestheformula.Thatisadifficultproblembasedonfactorizationofabiginteger.(4)Allsignersmustfollowthespecifiedorder.AnextsignerUi(i=2,…,k)verifiesthepartialsignaturethroughthevalueof,whichisgeneratedininitializationphase.AnysignaturedisorderofindividualsignerswillresultsintheprocessinterruptionofCreatingmultisignature.Forexample,ifthesignercreatedthepartialsignatureTibeforehereceivesthesignature,then≠willoccurtothesubsequentverificationphaseandtheprocessofcreatingthemultisignaturestops.5PerformanceAnalysisDefinesymbols,andasthetimecostsofmodularmultiplication,modularexponentiationandhashoperation,respectively.Inourscheme,theaveragecomputationtimeforverifyingthepreviouspartialsignatureis,butthecomputationoftillandtheirproductwhichcosts,canbedonebypre-calculation;thecomputationtimeforpartialsignatureis.ThecomputationcostsforbothsignatureandverificationarelessthanthoseinZhangeta.l’sscheme;thereforeourschemeismoreefficient.6ConclusionWepointedoutadefectofZhangeta.l’ssequentialmultisignatureschemebasedonRSA;thatis,averifiercannotdistinguishwhetherthesignatureissignedbyagroupofsignersoronlybythelastsignerofthegroup.Toovercomethedefectweproposedanimprovedscheme,inwhichtheverifiercanknowthesignatureisgeneratedbywhichsigners.Theproposedschemedoesnotincreasetheamountofcomputationandcommunication;itssecurityisbasedonthedifficultyoffactoringalargeinteger.Performanceanalysisandsecurityanalysisshowthattheproposedschemeismoresecureandefficientthantheoriginalscheme.ECCellipticcurvenumeralencryptionECCisbasedonthegaloisfieldin,ellipticcurvesetofpointsEconstatutesonthegroupdefinesseparatelogarithmsystemIngaloisfieldellipticcurvechoice,Shouldavoidusingtheultrastrangecurve,guaranteestheenoughsecurityTheellipticcurveoperationforassignsonellipticcurveEbasicpointGandTheinteger(11)nkappakappa,asksthenumbertoride,QalsoisonE,computation..(kappaGAddstogether)isrelativelyeasy;ButifassignsintheellipticcurvetwoGandQ,asksanintegerkappa,causes(mod)GQpkappa=,speciallywhenGiscomparesWhenGaoJiebasicpoint,thenisextremelydifficultThisistheellipticcurveseparatelogarithmquestion.Basedontheellipticcurveseparatelogarithmquestiondifficultsolution,tohaveformedtheECCsystem.1.ellipticcurvespasswordTheellipticcurvecryptographicsystemhasthemanykindsofforms,typicallikeEpigamicsystemDiffie-Hellmankeyswapagreement:SupposesEisanelementnumberfield()ontheellipticcurve,Gisinthecurvethepublicspot,itsstepisn.Asecretdesignationstochasticinteger,thecomputationselects,thetransmissionforB;Similarly,Bsecretdesignationstochasticinteger,thecomputationselects,thetransmissionforA.Themalekeyis,AwhilebythecomputationwhichreceivesfromBobtainsQwithownprivatekey;BwithownprivatekeyBdwhilebytheAdGcomputationwhichreceivesfromAobtainsQ.Theinterceptionmustresultindetermines,onlyknowsG,,with,butisunabletopromoteorTheEIGamalsystem:SupposedtheinformationsequencealreadytoinsertthroughthecodetotheellipticcurveEpsilonon,andA,BbothsidesalreadypassedTheDiffie-HellmanagreementhasmutuallyexchangedAdGandBdG.AmusttoBtransmissioninformationmEpsilon∈,AtransmissionforBseveralpairs:withitsprivatekeywhilebythefirstitem,usestheseconditemtosubtractitagain,solvesinformationm.2.severalkindstypicalbasedonECCdigitalsignatureplanBasedonthemalekeypassworddigitalsignaturesystembasicprincipleis:Whentheusersignswiththeprivatekey,signswithuseritselfrelatesintogether,alsoHasthelegalefficiency,thereceivingendconfirmswiththemalekeysigns.Generally,regardingthesamescaleparameter,theellipticcurvepasswordeachkeyintensitymustbebiggermuch,,173ellipticcurvepassworddepartmentTheseriesisequalto1,024EIGmalortheDSAsystemThereallegationspeedcomparedtoDSA,RSAandsoonothermalekeysystems,theefficiencyismorequicklyhigh.2.1basedonECCEIGamalsignatureplanThisplanistransplantsfromthetraditionalEIGamalsignaturesystemtotheellipticcurveinproduces1)initialization:Thestructureelementnumberfieldonthenon-ultrastrangeellipticcurveEpsilon,choosespublicbasicpoint,itsstepisn;InformationsequenceminsertsthroughthecodetoEpsilonon,namely2)keyproduction:TheuserAstochasticselection,willpublicizeselectstotakethemalekey3)signature:TheAstochasticchoice,thecomputation,calculates1again，thenlosesLeavessigns.4)confirms:AfterBreceivesthesignatureinformation,confirmsand,ifconfirmsforreallysigns;Otherwiseisthevacation.2.2ECDSAsignatureplanSupposestheelementnumberfieldonthenon-ultrastrangeellipticcurveEpsilon,choosespublicbasicpoint,itsstepisn;PassesinformationsequencemThecodeinsertstoEpsilonon,namely.SupposesAwithownprivatekeyAdtotheinformationmsignature,BusesAmalekeytotheabovebambooslipThenamecarriesontheconfirmation2.2.1signsAtohaveastochasticinteger,causes,,isanunidirectionalHashfunctionThen,AwillsigntheinformationandinformationmtransmissionforB.2.2.2confirmsBtoreceive,,,calculates.,and,if,pass,because2.3AbovebasedonECCsignatureplanalgorithmicanalysisIntheEIGamalplanonly(nisellipticcurveEpsilonstep)operatesthetraditionalmoldpoperationsubstitutionformoldnTheECDSAplancharacteristiciscalculatesinformationmthroughtheHashfunctionmixedtocollectthevalue,makesthenonlineartransformationtotheinformation,furtherenhancedthebambooslipFamoussecurityBut,directlyregardingthistheHashvaluecarriesonthesignature,becausetheHashvalue(MD5is128,SHAis160binarysequences)itValueverybig,makesthesignatureoperationtobemoretime-consumingInaddition,initsalgorithminformationdefiniteordersmbutdirectlyhasnottransmittedaftertheencryption,theinformationmsecuritycannotObtainsthesafeguardInviewofthis,thisarticleproposedonekindofproperattentiontobothsecurityandtheoperationefficiencyonekindhastheinformationretrievalthedigitalsignatureplan.3.OnekindbasedonECCsignatureimprovementprogramThisarticleproposedweightmakesthesignaturebynewsHashthevalueHamming,alsopassesthroughafterinformationmtheencryptionwithtosigntransmitstogether,causesthereceiveTheinformationhasmayrestore.3.1ParameterchoiceDesignatedHashfunctionMD5,easyhighspeedtorealizeMD5theinputnewslengthwith32bitsoftwarefree,theoutputcompressionvalueis128bit.IfdirectlyregardingthistheHashvaluecarriesonthesignature,becauseHashis128binarysequences,itsvalueverybig,calculatesthesignaturewithit,therunningtimeisverylongBecauseHashfunctionHammingweighttonewschangeverysensitive,ifthenewschange,theHammingweightchangestheprobabilityisabove90%,thisarticleconclusioncarriesonthemassiveexperimentalconfirmationregardingthiswithMATLAB,theresultisconsistentThereforethisarticleproposedweightmakesthesignaturebyHashthevalueHamming,doesnotsurpass128,regarding128binarysequencesitsvaluetobepossibletocausetheoperationgreatlyforthesimplification.Establishesaellipticcurveterritoryparameter,among,pexpressedagaloisfield,theelement,,thenon-ultrastrangeellipticcurveEpsilononspotsatisfiesequation,andEpsilononthebasicpointintegerfor#,iscalledellipticcurveEpsilonstepGexpressionellipticcurveEpsilononabasicpoint,nisselectsGthestepalsoforisbiggerthan1,602bigprimenumbers,itslengthhaddecidedtheECCkeylengthhisthesmallintegeriscalled-oddfactoralso.RelatedellipticcurvespotCanada,thesubtractionandthenumberwhileandsoontheoperationalrule,thestepcomputation,descriptionandsoonbasicpointselectionseealsotheliteratureispublic.Insertsinformationsequencemthroughthecodetotheelementnumberfield,namely.3.3ThisarticleplanalgorithmicanalysisFirstusedsecurehigherHashforinformationmfunctionMD5toentertherow,namelymadethenonlineartransformationaftermtodosignsAsaresultofHashThefunctionhasunidirectional,non-collisioncharacteristic,thereforecannotfindtwoseveral12,mm,causes,theaggressornottobeimpossibletocarryonthegenerationTradestheattack,hasthesamesecurityrankwithECDSA;TodispersesarowvaluetheHammingweighttocarryonsignsbutnon-todispersestherowvaluedirectsignature,comparesEnhancedtheoperationefficiencyAndalsopassesthroughafterinformationmtheencryptionwithtosigntransmitstogether,enablethereceivetheinformationtohavemayrestore.4.PerformanceanalysissignswhichbasedonECCBasedontheellipticcurvepassworddigitalsignature(ECDSA),itbreaksacodethedifficultytobeequaltotheellipticcurveseparatelogarithmquestiondifficultsolution,uptonowUptohadnotfoundtheeffectivemethodofattack,therelatedECDSAsecureanalysis,theliteraturehasamoredetailedanalysisThisarticlealgorithmintheECDSAfoundation,furtherenhancesthesecurityWhensignature,considerstheinformationdefiniteorderstheprotection,inordertoisextensivetothedefiniteordersDuplicate;HasnotusedittotheinformationdefiniteordersdirectsignaturetodispersearowvaluetheChinesebrightweighttomakethesignatureoperation.ThisarticleplanhasemphaticallyconsideredtheoperationefficiencyenhancementThealgorithminhadsomeplansinthefoundationtomakethefurtheroptimization,toHashletterThenumberHammingweightmakesthesignature,andtakesthemoldoperationbesidestheellipticcurveinnumberwhiletheoperation,otherarethealgebraicoperation,operationcomplexcomparesLow,greatlyenhancedtheoperatingspeed.Underspecificallyanalyzeseachperformance:(1)ThesignaturemayconfirmWhenBwithAmalekeyAQconfirmationnews,BmayconfirmistheAsignature;(2)BambooslipThenamecannotfabricateOnlysomeAknewitsprivatekeyAd,theothersareunabletoanalyzeobtainEvenifinellipticcurvebasicpointGandAA()QdG=ispublicButpromotesAdistheellipticcurveseparatelogarithmquestion,atpresentthesituationisunsolvable;(3)ThesignaturedidnotacknowledgeBorotherpeopleonlymustuseAMalekeyAQcanconfirmAthesignature,onceisconfirmed,Aafterwardsdidnotacknowledge;(4)SignscannotduplicateusesBecauseusedhasunidirectionaldispersedarrangesinorderHashThefunctionenterstherowtotheinformationoriginaltext,formsthehash,againsignsinthisabstractfoundationtoitsChinesebrightweightProducesoriginallyusingtheHashfunctionBeginninginformationhashtoprimaryinformationslightchangeextremelysensitive,theChinesebrightweightveryisalsosensitivetotheprimaryinformationchangeThesignatureistheinformationoriginaltextThefunction,differentinformationoriginaltextitdispersesarowvaluetobedifferent,signsalsodifferently;(5)TheinformationwhichsignsismayrestoreAmakesinformationmwithBQTheencryptionkey,carriedontheECCencryptiontotheinformationdefiniteorders,BhasmadetheinformationdecipherkeywithBdveryeasilytorestoretoit.Thisarticleplanmaygoastepfurtherthepracticalapplication,liketoinformationtheandsoonpictureortextdigitalsignatureistheworkwhichnextstepmustdoHowinvolvestoFirmlyinsertstheinformationoriginaltextintheellipticcurve,aswellasquestionandsoonrelatedellipticcurvefastalgorithmseparatearticlediscussion.5.AnellipticcurvedigitalsignatureschemeEllipticCurveCryptosystemisapublic-keycryptosystem,inadditiontodataencryption,itisanotherapplicationfordigitalsignatures.Withdistributedcomputertechnologytoenhanceandextensiveapplicationofcomputingpowerincreasedgreatly.Toachievegreatersecurity,RSAneedsofthekeybitlonger,tieuphugeresources,Thisaffectedmoreencryptionandsignaturespeed,inappropriateforsmartcardsandotherresourceslimitedhardwaredesign,EllipticCurveandhasthesamesecurityadvantagesofthesmalloverhead,EllipticCurveDigitalSignatureresearchandproductdesigngraduallybecomethehotspot.EllipticCurveDigitalSignatureandElGamaldigitalsignatureisverysimilar,onlyellipticcurvedigitalsignatureisbasedontheellipticcurvediscretelogarithmproblem(Eclipse),ElGamaldigitalsignatureandisbasedongenerallylimiteddomainofdiscretelogarithmproblem(DLP).Therefore,wecanusethissimilarity,rightabovethesixdifferenttypesofsignaturesequationappropriatetransform,thusbemoreconvenientEllipticCurvesignatureequation.Ourlastarticleisa(5)SignedanequationderivedEllipticCurveDigitalSignatureprogram.InEquationWeusedtoreplacem,thentheequationinto,Withbothsidesmultipliedbym,;Becausemisknownthenews,Itcanbehash,Signedwaslaunchedandtheacceptancesideknow,Wecanmake,canusesubstituteAsnewsmsignatures,Thus,theaboveequationcanbesignedintoasfollows:Signedinordertousethisequationtoconstructasignatureprogram,thestepsareasfollows:Selectingasecurityellipticcurve,ellipsecurveparametersandParaapartofthesame.(1)SignedAliceonEchoiceprivateKeyx,gforEBp,calculation,yasapublickeyissued,Aliceexplicitcalculationofm;(2)Alicechoiceintegerrandomk(ksecrets),(s,r,e)willbesenttotheverifierBob;Theseareoursignaturesderivedprogram,whichavoidstheinverseprocess,solvetheECDSAalgorithminadequate.TheprogramthanECDSAsimplealgorithm,theexperimentalresultsshowthatthealgorithmthanElGamal,Schnorrprogramabout28%faster.译文1：密码分析和基于RSA多重数字签名方案的改良(粟栗,崔国华,陈晶,袁隽)中国华中科技大学,计算机科学与技术学院,武汉430074摘要张等人提出了基于RSA序贯多重签名方案.该方案具有低运算、低通信费用优点等等。然而，我们发现一个问题,在他们的方案中核查不能区分多重签名签署是由签名组中所有的签名者所签署还是由最后一位签名者签署.因此,由最后一位签名者所做的单一签署可以作为整组签署成员所做的多重签署。本文提出一个改良方案，可以克服这个缺陷。在新的方案中，所有签名者的身份信息被添加在这个多重签署中，并且会在核查阶段显示，以确保核查时能知道签署是由哪些签名者产生的。性能分析说明，这个新的方案在签署和核查阶段需要的计算都比原来的方案少。此外，每一局部的签名是基于签名者的身份证书，这使得该方案更平安。引言多重签名是由一组签名者所产生的联合签名。该集团的平安政策，需要多重要签署的所有组成员的知识的多重私人钥匙。数字多重签署应该有几个根本属性：〔1〕多重签署是由多组成员用多个私钥的知识产生的；〔2〕多重签署在不知道每个签署者的公钥的情况下可以很容易的通过该组的公钥进行核查。〔3〕在没有所有组成员的合作下，计算产生该组签署的可行性。2003年，张等人提出了一种基于RSA的序列多重签名方案。其中所有的签名使用一个共同的模量。该方案的优点是低的计算和通信费用，并能抵抗伪造和联军攻击。攻破这个系统的困难性相当于将一个大整数分解为两个大素数因子。然而，我们对张等人加密方案进行分析，发现一个严重的问题。这个问题就是：一个多重签署可以由最后的签名者的公钥来进行核查，而不是多重签署组的公钥。结果使核查者不能区分签署是由一组签署者签署还是仅由最后一个签署者签署，这就违背了连续多重签署的根本属性【1，3】。因此，在这章中，我们提出一种改良的方案来克服这个缺陷，以使核查者能够确认签名是由谁产生的。性能和平安性分析说明，新的方案不仅保存了原来方案的优点，同时也符合了多重的定义，并且更加平安。1.张等人的连续多重签名方案的回忆1.1系统初始化首先，信托中心选择两个大素数p和q，并且计算RSA算法的模n=pq。然后，信托中心选择一个随机数e作为公钥，它满足gcd(e,)=1,这儿的gcd(·)是最大公约数函数，=(p-1)(q-1)，and1<e<.最后信托中心根据ed≡1mod((n))计算出私钥d。与此同时，信托中心发布公钥(n,e)和秘密保存(dp,q)。定义(i=1,2,…,k)是签名者，他有一个独家证书(i=1,2,…,k),这儿的是公开的，且将要被签名的信息是M。对每个签名者，信托中心计算和，并且通过一个平安渠道发送那个证书给每个签名者，这儿的H(·)是保密散列函数，这会产生一个固定长度的身份信息的凭证，是私钥签字。然后，相应的签字确认证书的有效性，在持有公式的情况下，通过公式，并保持作为密钥。1.2生成局部连续多重签名作为新一代的准备局部签名，信托中心通过签名者的身份信息()发布签名的顺序。步骤1：签名者U1选择一个随机数并且计算,,,,这儿的是U1的委托事项；绑定那些委托事项，并且明文通过散列函数；(D1,f1)就是的签名。然后，签名者U1发送局部的签名给签名者.步骤2：通过类推，如果(i-1)次局部签字是正确的，(2≤i<k)就创立i次签字。他选择一个随机数，并计算,,,.然后发送局部的签名给签名者.计算=H(),,.通过比拟和的值来验证第i局部签名的有效性，如果等于，那么那局部签名是正确的，否那么是错误的。步骤3：创立下一局部签名。以上过程重复执行直到签名者创立签名并且将其发送给多重签名接收者，这个接收者计算：,,.通过比拟和的值验证签名的有效性，最终的多重签名是.2.张等人的连续多重签名方案的加密分析当接收者在使用签名时，他应该说服第三方，这是k个签名者的正确签署。第三方计算and,并且通过判断等式〕是否存在来验证这个多重签名的有效性。这个签名只有用的公钥而不是所有k个签名者共有的公钥来验证。因此，第三方不能区分这个签名是由k个签名者共同签署还是由第k个签名者一个人签署。如果签名者想说服第三方，他必须用所有签名者的公钥来验证这个多重签名。尽管能够被公众的计算以显示这个多重签名是由k个签名者所签署，但验证者必须知道所有k局部的签名，这违反了连续多重签名的定义。验证的计算量随着签名者的数目呈线性增加。因此，我们在这儿提出一种改良的方案，后面解决这个问题是基于参考文献【2，5，6，7】中的方案。3基于RSA改良的连续多重签名方案3.1初始化阶段签名者选择一个随机数,计算,并且发送给.相似地,每个签名者选择一个随机数,计算且发送给签名者.最后，计算,且发送给接收者.然后，计算m=H(M,)且公布m.3.2产生连续多重签名的局部签名步骤1：签名者使用随机数且计算.因为在初始化阶段已经发送给签名者了,所以现在他只需发送给。计算和,且通过比拟和T1验证(,).如果等于，那么那局部签名是正确的.否那么,它是错误的，且需要让位直到那局部签名满足验证方程。步骤2：假定第(i-1)局部签名是正确的(1<i<k)，创立第i局部签名如.然后发送那局部签名给签名者.计算,,及.通过比拟和验证的有效性。步骤3：签名者创立下一局部签名。以上过程重复执行直到签名者创立最后局部的签名并且将其发送给多重签名接收者.计算,,及.通过比拟和来验证(,)的有效性，最终多重签名是由k签名者共同签署的，即(,,m).3.3作证有效性任何人都可以通过计算且比拟和来验证多重签名的有效性.多重签名由k个签名者签署是正确的。证明：从连续多重签名的过程中可以知道当接收者或者第三方验证这个多重签名时，他计算因为,我们得到。那么当且仅当等于时，签名正确。4平安性分析张等人细节性的分析了他们的原始方案的平安性。在这儿，我们只分析了平安性相关的修改局部。〔1〕验证者知道这个多重签名的签署者。在改良方案中，每个签名者的凭证被公开，并且验证者为了验证，必须用,,…,来计算，所以，他能够区分开那个签名是由k个签名者签署还是由第k个签名者签署。〔2〕在初始化阶段，的发布是平安的。在张等人的原始方案中，在签名者之间被连续传递。而在这儿，在初始化阶段被计算出。即使一个破坏者知道且能够计算出的值，但他也不能由得到。〔3〕多重签名能抵抗伪造攻击。如果攻击者想伪造局部的签名，他必须要伪造一个有效的满足那个验证公式。然而，是在初始化阶段被公开的，并且不能被伪造，所以，他必须取得一个使其满足公式.这是一个基于大整数分解的难题。〔4〕所有的签名者必须按照特定的次序。一个接一个签名者Ui(i=2,…,k)通过的值验证那局部签名，这个过程是在初始化阶段产生的。任何个体签名者的障碍将导致创立多重签名过程的终止。例如，如果签名者在接到签名局部之前创立局部签名，那么≠将导致随后的验证阶段和创立多重签名过程的终止5性能分析定义符号,和作为建立多重签名所消耗的时间，分别进行模幂和散列运算。在我们的方案中，来验证前面局部的签名所消耗的平均时间是,但是，直到及它们的产生将消耗的时间是,这可以预先计算。局部签名的计算时间是.签名和验证的耗时都少于张等人的方案。因此，我们的方案是更加有效地。6结论我们指出张等人基于RSA的连续多重签名方案的缺陷，那就是：验证者不能区分签名是由一组签名者共同签署还是仅由这组签名者中的最后一位单独签署。为了克服这个缺陷，我们提出一个改良方案，在这个方案中，验证者能够知道签名是由哪些人产生的。这个改良方案没有增加计算量和通信费用；它的平安性是基于一个大整数分解的困难性。性能分析和平安性分析显示，提出的这个方案比原来的方案更加平安和有效。译文2：基于椭圆曲线的一种改良的数字签名方案侯爱琴，张洁，高宝建，曹正文〔西北大学信息科学与技术学院，陕西西安710069〕ECC是基于有限域上，椭圆曲线点集所构成的群上定义的离散对数系统.有限域上椭圆曲线的选择，应防止使用超奇异曲线,以保证足够的平安性.椭圆曲线的运算为给定椭圆曲线上的一个基点和一个整数，求数乘，也是上的一点，计算(个相加)相对容易；但假设给定椭圆曲线上两点和，求一整数，使，特别是当G是较高阶的基点时，那么非常困难。这就是椭圆曲线离散对数问题。基于椭圆曲线离散对数问题的难解性，形成了ECC体制。1.椭圆曲线密码椭圆曲线密码系统有多种形式，典型的如EIGamal系统。Diffie-Hellman密钥交换协议：设E是一个素数域上的椭圆曲线，是曲线上公开的点,其阶为。A秘密的选定一个随机整数，计算点,发送给B；同样，B秘密的选定一个随机整数，计算点，发送给A。公钥为，A用自己的私钥乘以从B收到的计算得到；B用自己的私钥乘以从A收到的计