An ID-based multisignature scheme without reblocking and predetermined signing order
Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam
Computer Standards and Interfaces, Vol. 27, No. 4, pp. 407-413, 2005.
Presented by 廖冠捷 (2005/04/08)
Introduction
• RSA-based multisignature
  • e_i · d_i = 1 mod φ(n_i)
  • s_i = s_{i-1}^{d_i} mod n_i (message must be reblocked)
• ID-based multisignature scheme
  • No reblocking
  • No predetermined order of signing
ID-based multisignature scheme
• Initial phase
  • Key Authentication Center (KAC)
    p, q: two distinct large primes (kept secret)
    N = p · q: public value
    E (1 < E < φ(N), gcd(φ(N), E) = 1): public key of KAC
    D = E^{-1} mod φ(N): private key of KAC
ID-based multisignature scheme
• Key generation phase
  • ID_i (1 < ID_i < N): user U_i's identity
  • KAC computes U_i's private key as follows: d_i = ID_i · D^{ID_i} mod φ(N)
  • KAC publishes ID_i and returns d_i to U_i in a secret manner.
ID-based multisignature scheme
• Signing phase
  • Assume that authorized users U_1, U_2, …, U_m will collectively sign document M
  • U_i generates the signature S_i such that S_i = S_{i-1}^{d_i} mod N, where S_0 = M
  • Then multisignature
ID-based multisignature scheme
• Verification phase
  • Compute so that
  • Check whether
Security analysis
• Secrecy
  • The security of the KAC's private key D
• Resistance against collaboration attacks
  • Several users may reveal their private keys in an attempt to derive the private keys of other users.
Conclusions
• Public key certification can be simplified
• It does not require reblocking of the signed message
• It is not necessary to enforce a predetermined order of signing
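The two properties claimed in the introduction and conclusions, shown as an added Python example that is not code from the paper or the slides: signing under the shared modulus N gives the same result in every order, while a conventional RSA chain with per-signer moduli can produce an intermediate signature too large for the next signer's block. The primes, identities, message and the second signer's textbook RSA key are constructed toy values, and the key formula follows the key generation slide.

```python
from itertools import permutations

# Constructed toy parameters; real deployments need primes of 1024+ bits.
P, Q = 1009, 1013                      # KAC's secret primes
N, PHI = P * Q, (P - 1) * (Q - 1)      # public modulus, phi(N)
E = 17                                 # KAC public key, gcd(E, phi(N)) = 1
D = pow(E, -1, PHI)                    # KAC private key

def user_key(identity):
    """d_i = ID_i * D^ID_i mod phi(N), as read from the key generation slide."""
    return identity * pow(D, identity, PHI) % PHI

def multisign(message, keys):
    """S_i = S_{i-1}^{d_i} mod N with S_0 = M; returns the last S_i."""
    s = message
    for d in keys:
        s = pow(s, d, N)
    return s

def signatures_over_all_orders(message, ids):
    """Final signatures produced by every possible signing order."""
    keys = [user_key(i) for i in ids]
    return {multisign(message, order) for order in permutations(keys)}

def rsa_chain_overflows(message, signers):
    """Conventional RSA chain, one (n_i, d_i) per signer: True when some
    s_{i-1} >= n_i, so it cannot be signed as one block (reblocking needed)."""
    s = message
    for n, d in signers:
        if s >= n:
            return True
        s = pow(s, d, n)
    return False

if __name__ == "__main__":
    ids = [3, 5, 7, 11]                # constructed identities, 1 < ID_i < N
    print("distinct signatures over 24 orders:",
          len(signatures_over_all_orders(424242, ids)))
    # Signer 1 reuses (N, D); signer 2 has the smaller textbook modulus 3233.
    m = pow(5000, E, N)                # message whose first signature is 5000
    print("RSA chain needs reblocking:",
          rsa_chain_overflows(m, [(N, D), (3233, 2753)]))
```

Order independence holds because every signer exponentiates modulo the same N, so the final value is M raised to the product of all d_i regardless of sequence.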