Three types of forgery attacks are constructed against Liu Li et al.'s RSA-based certificateless multi-signature scheme. The attacks show that the scheme suffers from a public key replacement weakness, and that it also cannot resist collusion attacks by dishonest users, or by dishonest users colluding with a malicious key generation center (KGC). Analysis finds that the main reason the original scheme is insecure is that it directly equates an adversary's inability to forge a valid individual signature with an adversary's inability to forge a valid multi-signature. Since the current security models for certificateless multi-signatures are not sufficiently rigorous, a security-enhanced security model for certificateless multi-signatures is given; this model guarantees that a multi-signature is valid if and only if all individual signatures are valid. By signing some of the parameters of the user's public key in the partial private key generation phase, and by binding the individual signature to the user's public key in the multi-signature phase and feeding them into the hash function, an improved scheme resistant to collusion attacks is given. The improved scheme does not rely on a secure channel; its signing phase requires L fewer exponentiations and L-3 fewer multiplications than the original scheme, its verification phase requires 3 fewer exponentiations, and the signature length is |N| bits shorter, where L denotes the number of signers and |N| the bit length of the system parameter N, so it is more efficient. In the random oracle model, the individual signatures of the improved scheme are provably secure under the RSA and discrete logarithm hardness assumptions, while the unforgeability of the multi-signature is guaranteed by the collision resistance of the hash function.
Three forgery attacks on Liu Li et al.'s RSA-based certificateless multi-signature scheme were first presented. It could be found that their scheme was vulnerable to key replacement attacks. The scheme also could not resist conspiracy attacks by dishonest signers or by a dishonest signer with a malicious key generation center (KGC). Analysis revealed that the main reason for the insecurity of the original scheme was that the forgery of a valid individual signature was equivalent to the forgery of a valid multi-signature generated by an adversary. Since the existing security models of certificateless multi-signature were not so rigorous, an improved security model was developed in this paper. It guaranteed that the multi-signature was valid if and only if every individual signature was valid. By signing part of the user's public key in the stage of partial private key generation, and binding the individual signature and the user's public key into the hash function in the stage of multi-signature generation, an improved scheme resistant to conspiracy attacks was proposed. The improved scheme did not rely on secure channels and had better efficiency. The costs were reduced by L exponentiations and L-3 multiplications in the stage of multi-signature generation and by three exponentiations in the stage of multi-signature verification, where L was the number of signers. The size of the signature was decreased by |N| bits, where |N| was the binary length of the system parameter N. The individual signature was provably secure under the assumptions of the intractability of RSA and discrete logarithm. The unforgeability of the multi-signature was achieved through the collision resistance property of the hash function.