Algorithm 1: The MSign Algorithm in IBMS CR−1.

Input: the master public key $mpk$, the private key $sk$, the identity set $IDSet$, the message to be signed m;  Output: a multi-signature $m\sigma$.   1. Each $M{S}_i$ randomly selects $r_i\in {\mathbb{Z}}_N^{*}$ and computes $R_i\equiv r_i^{3^{\ell }}(modN)$ and $t_i=h_2\left(R_i\right)$.   2. $M{S}_i$ only broadcasts $t_i$ to other signers $M{S}_j$ ($j\ne i$) in $IDSet$ and keeps $R_i$ temporarily.   3. After receiving $t_i$ from $M{S}_i$ ($2\le i\le n$), $M{S}_1$ then broadcasts $R_1$ to other $M{S}_i$.   4. After receiving $R_i$ from $M{R}_i$, $M{S}_1$ checks whether $t_i=h_2\left(R_i\right)$ for $2\le i\le n$ is satisfied.   5. If one of these fails, the algorithm stops, which means the attackers have mixed invalid partial signatures. Otherwise, $M{S}_1$ sets $R\equiv {\prod }_{i=1}^n{R}_i(modN)$, $w=h_3(R\parallel IDSet\parallel m)$, and $u_1\equiv r_1·s{k}_1^w(modN)$.   6. $M{S}_1$ broadcasts $u_1$ to other $M{S}_i$.   7. After receiving $u_i$ from $M{S}_i$, $M{S}_1$ aggregates these by $u\equiv {\prod }_{i=1}^n{u}_i(modN)$.   8. Each $M{S}_i$ locally generates a multi-signature $m\sigma =(w,u)$.  Return $m\sigma$;