隨著資訊科技的發展，行動裝置(如手機、PDA)的可攜性、效能性及頻寬限制皆有所提升，而且行動商務提供多元化之加值服務，有鑑於行動裝置的普及，勢必使得行動付費成為人們消費付款的主要方式之一。然而，綜觀現今行動付費系統中，極少探討交易公平性問題，而且若有發生交易糾紛，需經由實體仲裁中心解決交易糾紛，不能立即處理交易。另外，在交易期間為了避免洩漏買方消費行為或習慣，故需將買方之身分隱藏。此外，在行動裝置運算能力與無線網路頻寬限制下，如何設計輕量化付費系統，並達到相同的安全等級為重要之議題。有鑑於此，本論文利用橢圓曲線密碼系統與自我驗證公開金鑰系統設計行動付費協定，以降低計算複雜度與通訊成本，並且藉由一個離線的可信賴第三方維持交易公平性。本論文提出的方法具有以下特點：(1)是樂觀式；(2)達到強公平性；(3)達到線上自動解決糾紛；(4)達到買方匿名性；(5)達到不可假冒性；(6)達到不可否認性；(7)達到前推安全；(8)TTP無金鑰管理問題(9)防止授權之付費被重覆使用。

Along with the development of Information Technology, the portability and efficiency of mobile devices and the bandwidth of mobile networks have been improved. Also, the mobile services have been diversely provided. Due to the convenience, mobile payment will become the main payment method for on-line transaction. Current researches rarely focus on the issue of the fair mobile payment systems. When the electronic transaction disputes, participants must manually resolve disputes through the trust party (i.e. the court), and cannot automatically resolve disputes immediately. Besides, in order to avoid revealing the buyer’s shopping behavior and habits during the transaction, the buyer’s identity must be hided. Hence, because of the above situations and the limitation of mobile device's computing power and wireless network bandwidth, how to design a lightweight fair mobile payment system to accomplish the same security level is becoming more and more important. In our proposed scheme, we propose a fair mobile payment protocol based on the ellipse curve cryptosystem and the self-certified public key system to reduce computing complexity and communication cost and maintain transaction fairness by off-line trusted third party. Our proposed scheme can achieve (1) Optimistic protocol；(2) Strong fairness；(3) On-line automated dispute resolution；(4) Anonymity of the buyer；(5) Non-impersonation；(6) Non-repudiation；(7) Forward security；(8) Elimination of key management issues for TTP；(9) Preventing the reuse of the authorized payment.

[1] X. Zheng, D. Chen, “Study of Mobile Payment Systems”, IEEE International Conference on E-Commerce (CEC 2003), 2003.
[2] I.C. LIN, C.C. CHANG, “A Practical Electronic Payment System for Message Delivery Service in the Mobile Environment”, Wireless Personal Communications, vol. 42, 2007, pp. 247–261.
[3] J. Doggest, “Electronic check project”, Financial Services Technology Consortium, see http://macke.wiwi.hu-berlin/IMI/micropayments.html, 1995.
[4] M. Sirbu and J.D. Tygar, “Netbill: An internet commerce system optimized for network delivered services”, IEEE Personal Communications, Vol. 2, No. 4, 1995 (Aug.), pp.34–39.
[5] M. Hassinen, K. Hypponen, E. Trchina, “Utilizing national public-key infrastructure in mobile payment systems”, Electronic Commerce Research and Applications, In Press, Corrected Proof, Available online 20 April 2007.
[6] Mobile Electronic Transactions Ltd., MeT Core Specification Version 1.2, Helsinki, Finland. <http://www.mobiletransaction.org/>, 2002.
[7] Finextra.com, Nordea Leads Dual-chip Mobile Payment Trials. <http://www.finextra.com/fullstory.asp?id=3220>, 24 September 2001.
[8] N. Asokan, M. Schunter, M. Waidner, “Optimistic protocols for fair exchange”, Proceedings of the 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, Association for Computing Machinery, New York, 1997 (April), pp.7–17.
[9] N. Asokan, V. Shoup, M. Waidner, “Asynchronous Protocols for Optimistic Fair Exchange”, Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1998 (May), pp.86–99.
[10] S. Even, O. Goldreich, A. Lempel, “A randomized protocol for signing contracts”, Communications of the ACM 28, 1985 (June), pp. 637–647.
[11] T.W. Sandholm, V.R. Lesser, “Advantages of a leveled commitment contracting protocol”, Proceedings of the 13th National Conference on Artificial Intelligence, 1996, pp.126–133.
[12] M. Ben-Or, O. Goldrich, S. Micali, R. Rivest, “A fair protocol for signing contracts”, IEEE Transactions on Information Theory , Vol. 36, No. 1, 1990, pp.40–46.
[13] T. Okamoto, K. Ohta, “How to Simultaneously Exchange Secrets by General Assumptions”, Proceedings of the 2nd ACM Conference on Computer and Communications Security, 1994, pp.184–192.
[14] B. Cox, J. D. Tygar, M. Sirbu, “NetBill security and transaction protocol”, in Proceedings of the 1st USENIX Workshop in Electronic Commerce, New York, NY, USENIX Association, California, 1995 (July), pp.77–88.
[15] S. Ketchpel, “Transaction protection for information buyers and sellers”, Proceedings of the Dartmouth Institute for Advanced Graduate Studies: Electronic Publishing and the Information Superhighway, Dartmouth College, New Hampshire, 1995.
[16] M. K. Franklin, M. K. Reiter, “Fair exchange with a semi-trusted third party”, Proceedings of the 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, Association for Computing Machinery, New York, 1997 (April), pp.1–6.
[17] I. Ray, I. Ray, N. Narasimhamurthi. “A Fair-exchange E-commerce Protocol with Automated Dispute Resolution”, Proceedings of the IFIP TC11/ WG11.3 Fourteenth Annual Working Conference on Database Security: Data and Application Security, Development and Directions , 2000, pp.27–38.
[18] I. Ray, I. Ray, “An optimistic fair exchange e-commerce protocol with automated dispute resolution”, Proceedings of the First International Conference on Electronic Commerce and Web Technologies, Greenwich, UK, Lecture Notes in Computer Science, vol. 1875, Springer-Verlag, Berlin, 2000 (September), pp.84–93.
[19] I. Ray and I. Ray, “An Anonymous Fair-exchange E-commerce Protocol”, Proceedings 15th International in Parallel and Distributed Processing Symposium, 2001(April), pp.1790–1797.
[20] I. Ray, I. Ray, N. Natarajan, “An anonymous and failure resilient fair-exchange e-commerce protocol”, Decision Support Systems , 2005, pp.267–292.
[21] Q. Zhang, K. Markantonakis, K. Mayes, “A Mutual Authentication Enable Fair-Exchange and Anonymous E-Payment Protocol”, Proceeding of the 8th IEEE International Conference on E-Commerce Technology and the 3rd IEEE international Conference on Enterprise Computing, E-Commerce, and E-Services (CEC/EEE’06), pp.20–27.
[22] A. Nenadic, N. Zhang, B. Cheetham, C. Goble, “RSA-based Certified Delivery of E-Goods Using Verifiable and Recoverable Signature Encryption”, Journal of Universal Computer Secience, vol. 11, no. 1, 2005, pp.175–192.
[23] C.C. Oniz, E. Savas, A. Levi, “An Optimistic Fair E-Commerce Protocol for Large E-goods”, Proceedings of the Seventh IEEE International Symposium on Computer Networks (ISCN’06), pp. 214–219.
[24] A. Alaraj, M. Munro, “An e-commerce Fair Exchange Protocol for Exchange Digital Products and Payments”, Proceedings of the 2nd International Conference on Digital Information Management (ICDIM’07), pp.248–253.
[25] M. Girault, “Self-certified public keys”, Advances in Cryptology EUROCRYPT’91, Springer-Verlag, 1991, pp.491–497.
[26] A. Shamir, “Identity-based cryptosystems and signature schemes”, Advance in Cryptology-CRYPTO’84, Springer-Verlag, 1985, pp.47–53.
[27] H. Petersen, P. Horster, “Self-certified keys concepts and applications”, Proceeding of Communications and Multimedia Security’97, pp.102–116.
[28] IEEE 1363 Working Group, “IEEE P1363 standard specifications for public key cryptography”.
[29] S. Miyaguchi, K. Ohta, M. Iwata, “128-bit hash function (n-hash)”, Proceedings of SECURICOM’90, 1990.
[30] National Institute of Standards and Technology, NIST FIPS PUB 180, “Secure hash standard”, U. S. Department of Commerence, 1993.
[31] A. Perrig, R. Szewczyk, V. Wen, D. Culler, J. Tygar, “SPINS:Security protocols for sensor networks”, in Proceedings of Mobile Networking and Computing, 2001.
[32] W. Stallings, “Cryptography and Network Security Principles and Practices”, Third Edition, Prentice Hall, 2003
[33] B. Schneier, “Applied Cryptography”, 1996.
[34] N. Koblitz, “Elliptic curve cryptosystems”, Mathematics of Computation, Vol. 48, No. 17, 1985, pp.203–209.
[35] V.S. Miller, “Use of elliptic curves in cryptography”, Advances in Cryptology- CRYPTO’85, Springer- Verlag, 1985, pp.417–426.
[36] ANSI X9.62(1998), Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm(ECDSA).
[37] W.J. Tsaur, “Several security schemes constructed using ECC-based self-certified public key cryptosystems”, Applied Mathematics and Computation 168 , 2005, pp.447–464.
[38] NIST(2001), FIPS 186-2, Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.
[39] NIST(2003), DRAFT Special Publication 800-57, Recommendation on Key Management, http://csrc.nist.gov/CryptoToolkit/kms/guideline-1-
Jan03.pdf.
[40] W. Diffie, M. Hellman, “New directions in cryptography”, IEEE Transactions on Information Theory, Vol. IT-22, No.6, 1976, pp.644– 654.
[41] R.L. Rivest, A. Shamir, and L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystem”, Communications of the ACM, Vol. 21, No. 2, 1978, pp. 120–126.
[42] Certicom Corporation, “ECC whitepaper: current public-key cryptographic syatems”,http://www.certicom.com/ecc/index.htm.
[43] A. Jurisic, A. Menezes, “Elliptic Curves and Cryptography”, 1997.
[44] J.B. Lacy, D.P. Mitchel, W.M. Schell, “CryptoLib:Cryptography in Software”, UNIX Security Symposium IV Proceedings, USENIX Association, 1993, pp.1–17.