| 摘要: | 在本論文中,研究主題在於具隱私性之簽章及簽密系統研究。傳統上所使用的數位簽章方法,並沒有辦法保護簽章簽署者或簽章接收者的隱私,原因在於一般數位簽章是可公開驗證的。為了保護簽章使用者的隱私,在密碼學研究上,學者也曾提出多種方法:1. 在保護簽章簽署者隱私方面,過去有指定驗證者簽章系統 (DVS)的提出;另一方面,為了保護簽章接收者的隱私,過去也有提名簽章系統 (Nominative Signature)的提出。 在指定驗證者簽章系統的研究中,目標在於設計出一個新的、可提供簽章不可否認性的指定驗證者簽章方法。方法是將Diffie-Hellman 金鑰加入變色龍簽章 (Chameleon Signature)中,以此概念設計出來的指定驗證者簽章系統不僅滿足了所有必須性質,更重要的,我們的方法提供了簽章不可否認性,並且簽章簽署權不會有轉移之疑慮。 在提名簽章系統的研究中,主要的研究在於對一個被提出的簽章方法及其攻擊,進行安全性分析。嚴謹地考量此簽章方法所提供的安全性保護,以及攻擊方法實際可達到的效果後,我們認為:1. 被提出的攻擊方法是不完全正確的;2. 被提出的簽章方法之安全度並不如作者所宣稱完整。此外,針對被提出方法及其攻擊不完整之處,採用Screening 之概念,為被提出簽章方法可應用之範圍,提供取捨準則。 除了簽章使用者隱私的研究,為保護明文之機密性,加密演算法是一般所採用之技術。然而,在某些情況必須同時對明文做簽署與加密動作時,為了效率考量,簽密(Signcryption)方法提供了一個有效率的選擇。在這部分研究中,我們發現過去大多數基於離散對數的簽密方法都不滿足Semantic Security,原因在於所使用簽章之雜湊函式洩漏了明文的相關資訊。針對這個弱點,我們在明文 之後串接一個隨機亂數,如此攻擊者在無法得知隨機亂數的情況下,明文機密性得以確保。 In this thesis, our researches focus on some digital signature schemes and signcryption schemes with privacy. Ordinary digital signature schemes do not protect the privacy of signature signers or recipients since they are public-verifiable. To enhance privacy of signature, several signature schemes are introduced. For the privacy of signer, designated verifier signature is a well-known primitive which provides rigorous definitions and properties. For the privacy of signature recipient, nominative signature provides a solution. On the observation that most existing designated verifier signature schemes can not provide non-repudiation, our objective is to design a new strong DVS construction. With the help of chameleon signature and Diffie-Hellman key, the new DVS construction is proposed. This generic construction satisfies all required properties of designated verifier signature, including a secure disavowal protocol. Moreover, the proposed construction is simple and does not suffer from the weakness of signing right delegatability. In the research of nominative signature, the major work is on the security analysis of one introduced scheme and its cryptanalysis. After reconsidering the security of the introduced scheme and the claim of its cryptanalysis, we conclude that the cryptanalysis is incompletely correct; meanwhile, the previous schemes are not as strong as being claimed. Moreover, we adopt the concept of signature screening for the introduced scheme to precisely defines what scenario it can be applied for. Except for the privacy of signature, a intuitive approach to protect messages is through encryption. In many cases, messages may need to be signed and encrypted simultaneously. For the consideration of efficiency, signcryption was introduced. In this vein of research, our goal is to provide a countermeasure for the weakness of previous signcryption schemes. That is most existing signcryption schemes based on discrete-logarithm are not semantic secure. The reason is that the hash computing of signature scheme leaks information about the encrypted message. As response to this weakness, we propose our countermeasure by concatenating a message with a random value. By the method the output of hash computing is indistinguishable to a third party, hence the confidentiality of message can be preserved. |
