1. 1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards and Interfaces, Vol. 27, No. 4, pp. 407- 413, 2005. Presented by 廖冠捷 (2005/04/08)

2. 2 Introduction RSA based multisignature  e i *d i =1 mod  (n i )  s i = s i-1 d i mod n i (message must be reblocked) ID-based multisignature scheme  No reblocking  No predetermined order of signing

3. 3 ID-based multisignature scheme Initial phase  Key Authentication Center (KAC) p, q: two distinct large primes (keeping secret) N = p · q: public value E (1<E<  (N), gcd(  (N), E)=1): public key of KAC D = E -1 mod N: private key of KAC

4. 4 ID-based multisignature scheme Key generation phase  ID i (1<ID i <N): User U i ’s identity  KAC compute U i ’s private key as follows d i =ID i ·D ID i mod  (N)  KAC publishes ID i and returns d i to U i in a secret manner.

5. 5 ID-based multisignature scheme Signing phase  Assume that authorized user U 1, U 2, …, U m will collectively sign on document M  U i generate the signature S i such that S i =S i-1 di mod N, where S 0 =M  Then multisignature

6. 6 ID-based multisignature scheme Verification phase  Compute so that  Check whether

7. 7 Security analysis Secrecy  The security of the KAC’s private key D Resistance against collaboration attacks  Several users may reveal their private key in order to attempt deriving the private keys of other users.

8. 8 Conclusions The public key certification can be simplified It does not require reblocking of signed message It is not necessary to enforce predetermined order of signing