
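An Attack on Multisignature Schemes Based on Discrete Logarithms
Cite this article: HAN Xiao-Xi, WANG Gui-Lin, BAO Feng, REN Kui. An Attack on Multisignature Schemes Based on Discrete Logarithms[J]. Chinese Journal of Computers, 2004, 27(8): 1147-1152.
Authors: HAN Xiao-Xi, WANG Gui-Lin, BAO Feng, REN Kui
Affiliations: 1. Information Security Laboratory, Institute for Infocomm Research, Singapore 119613; Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100080
2. Information Security Laboratory, Institute for Infocomm Research, Singapore 119613
Funding: Supported by the National Natural Science Foundation of China (60073021)
Abstract: A multisignature is a special kind of digital signature in which all members of a signing group cooperate in processing a given message to form the signature of the whole group, while a verifier needs only the group's unique public key to check the signature's validity. Harn and Ji et al. proposed two multisignature schemes based on discrete logarithms. However, Lu Langru et al. pointed out a weakness common to both schemes: if some members collude to cheat, a multisignature produced by the group can also be interpreted as a multisignature produced by the other, honest members. Thus, when necessary, the cheating members can deny any connection with certain multisignatures. To overcome this weakness, Lu et al. proposed two improvements to the key generation part of the two multisignature schemes. This paper presents an attack showing that Lu et al.'s improved multisignature schemes are still insecure. In this attack, a single member can control the group private key and can therefore forge, in the name of the group, a multisignature on any message. Meanwhile, the other members can still generate signatures normally, so they do not notice the fraud. In addition, the attack presented in this paper is also effective against the schemes before the improvement.

Keywords: digital signature; multisignature; cryptography; information security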

An Attack to Multisignature Schemes Based on Discrete Logarithm
HAN Xiao-Xi, WANG Gui-Lin, BAO Feng, REN Kui. An Attack to Multisignature Schemes Based on Discrete Logarithm[J]. Chinese Journal of Computers, 2004, 27(8): 1147-1152.
Authors: HAN Xiao-Xi, WANG Gui-Lin, BAO Feng, REN Kui
Affiliation:HAN Xiao-Xi 1),2) WANG Gui-Lin 1) BAO Feng 1) REN Kui 1) 1)
Abstract: A multisignature is a special kind of digital signature. In these schemes, every member of the signing group generates a partial signature for the same message using his own secret, and the multisignature is formed by combining all of these partial signatures. To verify a multisignature, however, a verifier only needs to know the unique group public key. Harn and Ji et al. proposed two multisignature schemes based on the discrete logarithm problem. However, Lu et al. found a weakness in these two schemes: if several members collude, a multisignature of the group can also be viewed as a multisignature generated by the honest members. Therefore, if necessary, malicious members could deny having signed certain multisignatures. To avoid this weakness, Lu et al. proposed two kinds of improvements to the key generation protocols of the two existing multisignature schemes. This paper presents an attack to show that Lu et al.'s improved schemes are still insecure. In our attack, a single malicious group member can control the group secret key, and hence he can generate a valid multisignature for any message on behalf of the whole group without the help of other members. At the same time, honest members cannot detect this security flaw in the system, since the group can still generate multisignatures according to the prescribed protocols. Furthermore, our attack can also be applied to the original two schemes.
Keywords: digital signature; multisignature; cryptography; information security
This article is indexed in databases including CNKI, VIP, and Wanfang Data.