【正文】 致謝首先感謝我的指導(dǎo)張文麗老師的細(xì)心指導(dǎo)和各論壇程序員朋友的支持與建議。其次感謝陜西理工學(xué)院電信工程系的領(lǐng)導(dǎo)和老師，是他們的鼓勵和教導(dǎo)使我逐漸成長為一名合格的大學(xué)畢業(yè)生。在學(xué)分攻讀期間，王少華，尹繼武，陳莉，王戰(zhàn)備，龍光利，侯寶生，張文麗，陳正濤等各位老師無私的將自己所掌握的知識傳授于我；在畢設(shè)程序調(diào)試階段他們給予許多熱情的指導(dǎo)，在這里我對他們深表感謝。真誠的感謝在畢設(shè)過城中給予我?guī)椭母魑焕蠋熀屯瑢W(xué)，謝謝你們！參考文獻(xiàn)[1] 馮登國，計算機通信網(wǎng)絡(luò)安全，[M]北京:清華大學(xué)出版社，2001.[2] 黃元飛，陳麟，唐三平信息安全與加密解密核心技術(shù)[M]上海:浦東電子出版 社，2001[3] 吳世忠，2003國內(nèi)外網(wǎng)絡(luò)與信息安全年度報告(上)，信息安全與通信保密，: P12}14[4] 吳世忠，2003國內(nèi)外網(wǎng)絡(luò)與信息安全年度報告(心，信息安全與通信保密，: P9} 12[5] [J]. 科技情報開發(fā)與經(jīng)濟(jì)： 2006年01期[6] 蘭海兵,程勝利. RSA算法及其實現(xiàn)技術(shù)的改進(jìn)研究 [J]. 交通與計算機： 2006年01期[7] 程庭,張明慧,石國營. 一種基于DES和RSA算法的數(shù)據(jù)加密方案及實現(xiàn) [J].河南教育學(xué)院學(xué)報(自然科學(xué)版)：2003年02期： 7476[8] 王國兵,楊建沾,謝貴. 基于RSA算法的網(wǎng)絡(luò)安全體系構(gòu)造 [J].武漢大學(xué)學(xué)報(自然科學(xué)版)： 2000年01期： 3336[9] 呂皖麗，鐘城．?dāng)?shù)字簽名方案分析[J]．廣東科學(xué)院學(xué)報，2002，18(14)：161165．[10] 李繼紅．ElGamal型數(shù)字簽名方案及其應(yīng)用的研究[D]．西安：西安電子科技大學(xué)，1999．[11] 張先紅編著．?dāng)?shù)字簽名原理及技術(shù)[M]．北京：機械工業(yè)出版社．2004．1．[12] 鄭子偉,李翠華. 用類的RSA體制實現(xiàn)方案 [J].華僑大學(xué)學(xué)報(自然科學(xué)版)： 2003年03期： 102105[13] 楊維忠,李彤, [J].云南大學(xué)學(xué)報(自然科學(xué)版)： 2004年03期： 3538 [14] Rivet R L, Shamir A，Ad leman L. A method for obtaining digital signatures and public key cryptosystems. Comm., ACM. [M] 1977[15] Peter L Montgomery. Modular Multiplication Without Trial Division. [J] Mathematics of Computation, 1985, 44(170): S 19521[16] , Curves and Primality Proving[J].Mathematics of Computation，1993,61(2):2968．[17] iptic Curves over Finite Field and the Computation of Square Roots Mod P[J].Mathematics of Computation,1985,53(4):483494．附錄A：英文資料及翻譯英文資料：(It es from Carlton :Securing ：清華大學(xué)出版社，2002)Cryptanalysis and Improvement of Digital Multisignature Scheme Based on RSASU Li (粟　栗) CUI Guohua (崔國華)CHEN Jing (陳　晶)　YUAN Jun (袁　雋)School of Computer Science and Technology, Hua zhong University of Science and Technology, Wuhan 430074, ChinaAbstractZhang et proposed a sequential multisignature scheme based on RSA. The scheme has advantages of low putation and munication costs, and so on. However, we find a problem in their scheme that the verifier can not distinguish whether the multisignature is signed by all the signers of the group or only by the last signer. Thus, any single signature created by the last signer can be used as a multisignature created by the whole group members. This paper proposes an improved scheme that can overe the defect. In the new scheme, the identity messages of all the signers are added in the multisignature and used in verification phase, so that the verifier can know the signature is generated by which signers. Performance analysis shows that the proposed scheme costs less putation than the original scheme in both signature and verification phases. Furthermore, each partial signature is based on the signer’s identity certificate, which makes the scheme more secure.Key words:　Digital multisignature。 Sequential multisignature。 RSA cryptosystem。 CryptanalysisIntroductionMultisignature is a joint signature generated by a group of signers. The group has a security policy that requires a multisignature to be signed by all group members with the knowledge of multiple private keys. Digital multisignatures should have several basic properties [1]: (1)Multisignatures are generated by multiple group members with the knowledge of multiple private keys. (2) Multisignatures can be verified easily by using the group public key without knowing each signer s public key. (3) It is putationallyin feasible to generate the group signature without the cooperation of all group members.In 2003, Zhang et [2]proposed a sequential multisignature scheme based on RSA, in which all the signers use a mon modulus. The scheme has the advantages of low putation and munication costs, and can resist forgery and coalition attacks. The difficulty of breaking the system is equivalent to that of factoring a large integer into its twolarge prime factors. However, our cryptanalysis of Zhang et ’s scheme finds a serious problem。 that is a ultisignature is verified by using the last signer’s public key instead of the group public key. As a result the verifier can not distinguish whether a signature is signed by a group of signers or only by the last signer, which violates the basic properties of sequential multisignature[1, 3, 4]. Therefore, we propose an improvement scheme to overe this defect in this paper, so that the verifier knows who have created the multisignature. Performance and security analyses show that the new scheme not only keeps the advantages of original cheme, but also satisfies the definition of mltisignature and is more secure.1　Review of Zhang et s Sequential Multisignature Scheme1. 1　System initializationFirst the Trust Center (TC) selects two large prim p and q ,and putes the RSA modulusn=pq. Then, TC selects a random number as the public key which makes gcd (e,)=1, wheregcd() is the greatest mon divisor function, =(p1)(q1),and 1e. Finally,TC putes the private key d which makes ed≡1mod((n)). In the mean while, TC publishes the public key (n, e) and keeps (d, p, q) secretly. Define (i=1,2,…,k)to be the signer who has a exclusive certificate (i=1,2,…,k),where is public, and M the message to be signed.TC putes and for every signer, and sends the certificate to each signer through a safe channel where H() is secure hash function, which generates a fixed length identity information from the certificate , and is the private key of the signer. Then, the corresponding signer verifies the validity of the certificate through the formula , and keeps as a secret key if the formula holds.1. 2　Generating partial signature of sequential multisignature　　As a preparation for generation of partial signatures, TC publishes the order of signers through their identity () .Step 1　The signerU1selects a random number and putes ,　 , , , Where is the mitmentofU1。m1binds the mitment and plaintext by hash function。(D1, f1)is the signature of .Then the signerU1sends the partial signature to the signer . Step 2