隨著通訊技術與行動設備的不斷發展，通訊業者提供隨選視訊(Video on Demand，簡稱VOD)的服務更不受時間或空間的限制，使訂閱戶可以隨時隨地按自己喜愛存取影片服務，並可依消費習慣選擇月租制或計次制(Pay Per View，簡稱PPV)付費方式。然而，目前PPV計費系統，只能針對非即時性的視訊服務，在現今重視即時性與強調多元化服務的VOD系統中，提供一個適用於即時性與可計時的計費系統亦是重要研究課題之一。本研究利用基於橢圓曲線(elliptic curve)之自我驗證公開金鑰密碼系統(self-certified public key system)與變色龍雜湊函數鏈(chameleon hash chain)，設計一個適用於隨選視訊之安全且公平(fairness)的計費系統，並同時適用於即時與非即時之計次制付費的視訊服務系統中，內容提供者可由訂閱戶存取內容時間的長短提供其內容範圍並計算費用。本論文所提出的方法可達到不可否認性(undeniable)、不可偽冒性(non-forgeable)、匿名鑑別(anonymous authentication)、公平計費(fair billing)、預防重複計費(double-billing)、預防他人竊取服務、前推安全(forward secrecy)及後推安全(backward secrecy)。當發生計費糾紛時，本論文提出的方法亦可以證明費用的正確性，以確保計費的公平性。

Video on demand (VOD) service is more unlimited by time and place than before as the continuously development of communication technology and mobile devices. It makes subscribers to access video service in any time and any where. And they can choose payment method from pay per month or pay per view (PPV) according to consumption habit. However, PPV billing system only support for non-real-time video services. VOD system emphasis on immediacy and diversified services nowadays, therefore, to provide a billing system suitable for real-time and time countable is also one of the important research topic. This study use self-certified public key system based on elliptic curve and chameleon hash function chain to design a billing system suitable for security and fair, and applies to both the real-time and non-real-time PPV payment video services system. Content providers can provide subscribers the scope of its content by the length of accessing time and calculate the costs. The method proposed in this study can achieve undeniable, non-forgeable, anonymous authentication, fair billing, double-billing prevention, theft of service, forward secrecy and backward secrecy. When billing dispute occurs, the method in this study can also prove the charging accuracy to ensure fairness of billing.

[ASW97] N. Asokan, M. Schunter and M. Waidner, "Optimistic protocols for fair exchange," Proceeding of the 4th ACM conference on Computer and communications security－CCS '97, pp. 7-17, Zurich, Switzerland, 1997.
[AFI06] N. Attrapadung, J. Furukawa and H. Imai, "Forward-secure and searchable broadcast encryption with short ciphertexts and private keys," Proceeding of the 12th International Conference on the Theory and Application of Cryptology and Information Security–ASIACRYPT 2006, Vol. 4284, pp. 161-177, 2006.
[AI05] N. Attrapadung and H. Imai, "Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations," Proceeding of the 11th international conference on Theory and Application of Cryptology and Information Security－ASIACRYPT'05, Vol. 3788, pp. 100-120, Chennai, India, 2005.
[Ber91] S. Berkovits, "How to broadcast a secret," Proceeding of the Workshop on the Theory and Application of of Cryptographic Techniques－EUROCRYPT ’91, Vol. 547, pp. 535-541, Brighton, UK, 1991.
[BP90] H. Burk and A. Pfitzmann, "Value exchange systems enabling security and unobservability," Computers & Security, Vol. 9, No. 8, pp. 715-721, 1990.
[CWH00] Y.S. Chang, T.C. Wu, and S.C. Huang, “ElGamal-like digital signature and multisignature schemes using self-certified public keys,” The Journal of System and Software, pp. 99-105, 2000.
[CZTW08] X. Chen, F. Zhang, H. Tian, B. Wei, W. Susilo, Y. Mu, H. Lee, K. Kim, “Efficient generic on-line/off-line (threshold) signatures without key exposure,” Information Sciences, Vol. 178, No. 21, pp. 4192-4203, 2008.
[Dor12] J.Doran, "Telco TV goes far beyond IP," Retrieved May 14, 2012, from the World Wide Web:
http://ovum.com/2012/01/17/telco-tv-goes-far-beyond-ip/, 2012.
[FN94] A. Fiat and M. Naor, "Broadcast encryption," Proceeding of the 13th Annual International Cryptology Conference－CRYPTO '93, Vol. 773, pp. 480-491, Santa Barbara, California, USA, 1994.
[FR97] M. K. Franklin and M. K. Reiter, "Fair exchange with a semi-trusted third party," Proceeding of the 4th ACM conference on Computer and communications security－CCS '97, pp. 1-5, Zurich, Switzerland, 1997.
[GW09] C. Gentry and B. Waters, "Adaptive security in broadcast encryption systems," Proceeding of the 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques－EUROCRYPT 2009, Vol. 5479, pp. 171-188, Cologne, German, 2009.
[Gir91] M. Girault, "Self-certified public keys," Proceeding of the Workshop on the Theory and Application of of Cryptographic Techniques－EUROCRYPT ’91, Vol. 547, pp. 490-497, Brighton, UK, 1991.
[HL04] S. J. Hwang, and Y. H. Lee, “Repairing ElGamal-like multi-signature schemes using self-certified public keys,” Applied Mathematics and Computation, Vol. 156, No. 1, pp. 73-83, 2004.
[Joo03] H. Joo, "Private and fair pay-per-view scheme for Web-based video-on-demand systems," IEEE Transactions on Consumer Electronics, Vol. 49, No. 2, pp. 403-407, 2003.
[Kob87] N. Koblitz, "Elliptic curve cryptosystems," Mathematics of computation, Vol. 48, No. 177, pp. 203-209, 1987.
[KR00] H. Krawczyk and T. Rabin, “Chameleon signatures”, Proceeding of the Symposium on Network and Distributed Systems Security－NDSS2000, pp.143-154, 2000.
[Lam81] L. Lamport, "Password authentication with insecure communication," Advanced computing news from Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981.
[Lee00] N. Y. Lee, "Fairness and privacy on pay-per view system for Web-based video service," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 980-985, 2000.
[Mil86] V. Miller, "Use of elliptic curves in cryptography," Proceeding of the 5nd Annual International Cryptology Conference－CRYPTO '85, Vol. 218, pp. 417-426, Santa Barbara, California, USA, 1986.
[PMDP06] R. D. Pietro, L. V. Mancini, A. Durante and V. Patil, "Addressing the shortcomings of one-way chains," Proceeding of the 13th ACM conference on Computer and communications security－CCS 2006, pp. 289-296, Alexandria, VA, USA, 2006.
[Sha84] A. Shamir, "Identity-Based Cryptosystems and Signature Schemes", Proceeding of the 4th Annual International Cryptology Conference－CRYPTO '84, pp.47-53, 1984.
[SL95] T. W. Sandholm and V. R. Lesser, "Equilibrium analysis of the possibilities of unenforced exchange in multiagent systems," Proceeding of the Fourteenth International Joint Conference on Artificial Intelligence－IJCAI '95, Vol. 14, pp. 694-703, Montreal, Quebec, Canada, 1995.
[ST01] A. Shamir and Y. Tauman, “Improved online / offline signature schemes”, Proceeding of the 21th Annual International Cryptology Conference－CRYPTO2001, Vol. 2139, pp. 355-367, 2001.
[Tsa05] W.J. Tsaur, “Several security schemes constructed using ECC-based self-certified public key cryptosystems,” Applied Mathematics and Computation, Vol. 168, Issue 1, pp. 447-464, 2005.
[Wu01] T.C. Wu, “Digital signature/multisignature schemes giving public key verification and message recovery simultaneously,” Computer Systems Science and Engineering, 2001.
[WC98] T.C. Wu, Y.S. Chang and T.Y. Lin, “Improvement of saeednia’s self-certified key exchange protocols,” IEE Electronic Letters,Vol 34, No 11, pp. 1094-1095, 1998.
[WWLL09] X. Wang, X. Wen, C. Liang, Y. Liu and X. Lin, "Fair Security Protocols with off-line TTP," Proceeding of the 2009 International Symposium on Intelligent Ubiquitous Computing and Education－IUCE 2009, pp. 109-112, 2009.
[ZG96] J. Zhou and D. Gollman, "A fair non-repudiation protocol," Proceeding of the IEEE CS Symposium on Security and Privacy－S&P '96, pp. 55-61, Oakland, California, USA, 1996..
[ZL99] J. Zhou and K. Lam, "A secure pay-per-view scheme for web-based video service," Proceeding of the Second International Workshop on Practice and Theory in Public Key Cryptography－PKC '99, Vol. 1560, pp. 66-67, Kamakura, Japan, 1999.