Student: 顏志達 (Chih-Ta Yen)
Title: 基於自我驗證公開金鑰密碼系統之鑑別加密演算法設計 / Authenticated Encryption Schemes based on Self-Certified Public Key Cryptosystems
Advisor: 羅乃維 (Nai-Wei Lo)
Committee: 羅乃維 (Nai-Wei Lo), 吳宗成 (Tzong-Chen Wu), 楊傳凱 (Chuan-Kai Yang), 許建隆 (Chien-Lung Hsu), 何煒華 (Wei-Hua He)
Degree: Doctor (博士)
Department: College of Management - Department of Information Management (管理學院 - 資訊管理系)
Year of publication: 2017
Graduation academic year: 105 (ROC calendar)
Language: Chinese
Pages: 80
Chinese keywords: 公開金鑰密碼學, 多簽章, 秘密分享, 鑑別加密機制, 門檻鑑別加密機制
English keywords: Public key cryptography, Multisignature, Secret sharing, Authenticated encryption scheme, Threshold authenticated encryption scheme
Abstract (translated from Chinese): Public key cryptosystems are now a common cryptographic technology. Transactions such as e-commerce, stock trading and online tax filing, as well as online voting, all rely on public key cryptosystems to ensure that a message can be read only by its intended receiver, that the message the receiver obtains is the one the sender transmitted, and that it has not been tampered with; that is, to ensure confidentiality, integrity and non-repudiation. Researchers have pointed out that current public key encryption schemes need better efficiency and smaller storage requirements to suit devices with limited computing power or battery, and have therefore proposed authenticated encryption schemes based on self-certified public key cryptosystems. However, traditional authenticated encryption schemes usually check integrity with a message redundancy code, which increases the amount of data transmitted; signature-based authenticated encryption schemes were not designed with group applications in mind; and multisignature-based authenticated encryption schemes were not designed with message recovery in mind. Traditional authenticated encryption schemes are therefore functionally limited: they do not account for the new forms of message exchange and human-machine communication in modern society, and they are not suited to the variety of devices in a smart city. This dissertation therefore exploits the low parameter storage and low computation cost of self-certified public key cryptosystems and proposes three new multisignature protocol designs based on such cryptosystems, intended for the devices of a smart city. The first design replaces the traditional redundancy check code so that the new protocol supports message recovery. The second design uses Shamir's secret sharing to build group communication: the sender uses the receivers' public keys to send authenticated encrypted content to the group members, the members cooperatively recover the message and verify the signature, and any member can check the correctness of the authenticated encrypted message and thus expose a member who transmits an incorrect one. The third design builds on the second and adds message chaining, a mechanism for handling long messages so that they can be transmitted easily over the network.
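As an added illustration of why a self-certified public key needs no stored or transmitted certificate (this is Girault's original 1991 construction, written out here as an assumed reference point; the dissertation's own parameters and variants are not on this page): the CA holds an RSA modulus $N = pq$ with public exponent $e$ and private exponent $d$, and a base $g$ of maximal order in $\mathbb{Z}_N^{*}$. User $A$ with identity $I_A$ chooses a secret $s_A$, computes $v_A = g^{-s_A} \bmod N$, and hands $v_A$ to the CA together with a proof that it knows $s_A$. The CA returns the witness

$$w_A = (v_A - I_A)^{d} \bmod N .$$

Anyone who holds only the pair $(I_A, w_A)$ recomputes the public key as

$$v_A = w_A^{\,e} + I_A \bmod N ,$$

which is correct because $w_A^{\,e} \equiv (v_A - I_A)^{de} \equiv v_A - I_A \pmod N$. The pair $(I_A, w_A)$ replaces a certificate, and a witness the CA did not issue yields some $v' = w'^{\,e} + I_A$ whose discrete logarithm nobody knows, so a forged key is useless rather than something that must be rejected by a separate certificate check; this is the storage and computation advantage the abstract refers to. Two caveats a practitioner wants: the CA never learns $s_A$ (it sees only $v_A$), and a CA that issues a second witness for $I_A$ under a key pair it generated itself can be exposed, because two distinct valid witnesses for the same identity are evidence of CA misbehaviour.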


Public key cryptosystems are a popular and mature technology that has been applied to domains such as e-commerce, stock trading, online payment and electronic voting. In general, a public key cryptosystem provides the following security properties for an information system: (1) only the genuine receiver can read the content of a message; (2) the genuine receiver can verify that the message was sent by the claimed sender; (3) the content of a sent message cannot be tampered with undetected. In other words, it provides confidentiality, integrity and non-repudiation. To bring public key cryptosystems to devices with limited computing resources and storage, researchers have proposed authenticated encryption schemes based on self-certified public key cryptosystems. Traditional authenticated encryption schemes, however, have the following issues: (1) the total size of a transmitted message grows in proportion to the message content because a redundancy check code is appended for integrity; (2) signature-based authenticated encryption schemes do not consider the needs of group-based applications; (3) multisignature-based authenticated encryption schemes do not provide message recovery. Consequently, traditional authenticated encryption schemes are not suitable for securing the group-based collaborative applications and social networking applications of modern societies, nor for the various devices of a smart city. This dissertation therefore exploits the small storage footprint and low computation cost of self-certified public key cryptosystems and introduces three multisignature protocol designs based on them, to strengthen the security features of traditional authenticated encryption and to suit the devices of a smart city.
The first proposed multisignature protocol design abandons the redundancy check code and adds message recovery. The second design uses Shamir's secret sharing for group communication: the signature on a message is built by the group members, the original message content is recovered through signature verification with the cooperation of the members, and every group member can individually validate the authenticated message. The third design builds on the second and adds a message chaining scheme for messages with large contents.
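The (t, n) shared recovery that the second protocol builds on Shamir's secret sharing (described in both abstracts above), as an added example that is not code from the dissertation: the sender protects a message under a fresh key, splits the key into n shares over a prime field, and any t shares (but no fewer) recover the key and with it the message; a tag checked after recovery rejects both a tampered ciphertext and an undersized share set. The dissertation ties the shares to the members' self-certified public keys and to a multisignature; here the shared value is a symmetric key, and the hash-based stream cipher, the field prime P and all function names are assumptions chosen for illustration, not the thesis's construction.

```python
import hashlib
import hmac
import secrets

# Prime field for the shares. Constructed for illustration: any prime larger
# than the secret works; this one is the Mersenne prime 2^127 - 1.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... over GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, t, n):
    """Shamir (t, n) sharing: f is a random degree t-1 polynomial with f(0) = secret;
    share i is (i, f(i)) for i = 1..n."""
    if not (0 < t <= n) or not (0 <= secret < P):
        raise ValueError("need 0 < t <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P). With fewer than t shares the
    result is a field element unrelated to the secret (except with probability 1/P)."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P  # Fermat inverse of den
    return total


def _keystream_xor(key_bytes, data):
    """Toy stream cipher for illustration only: SHA-256 in counter mode, keyed by
    key_bytes. A real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key_bytes + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_for_group(message, t, n):
    """Sender side: fresh key K, ciphertext and tag under K, and n shares of K.
    Returns ((ciphertext, tag), shares); share i goes to group member i."""
    key = secrets.randbelow(P)
    key_bytes = key.to_bytes(16, "big")  # P < 2^128, so 16 bytes always suffice
    ct = _keystream_xor(key_bytes, message)
    tag = hmac.new(key_bytes, ct, hashlib.sha256).digest()
    return (ct, tag), split_secret(key, t, n)


def open_with_group(sealed, shares):
    """Receiver side: t cooperating members pool their shares, recover K and check the
    tag before decrypting. Returns the message, or None when the share set is too
    small (wrong K, so the tag fails) or the ciphertext was tampered with."""
    ct, tag = sealed
    key_bytes = recover_secret(shares).to_bytes(16, "big")
    expected = hmac.new(key_bytes, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(key_bytes, ct)


if __name__ == "__main__":
    # Constructed sample: 5 members, any 3 of them can recover.
    sealed, shares = seal_for_group(b"constructed group message", 3, 5)
    print(open_with_group(sealed, shares[:3]))  # members 1, 2, 3 recover the message
    print(open_with_group(sealed, shares[:2]))  # only 2 shares: None
```

The tag check is what makes the threshold meaningful in practice: without it, t-1 colluding members would still get a well-formed but wrong key and a decryption that looks like noise, and an attacker could flip ciphertext bits undetected. The counter in the keystream is the byte offset, so each 32-byte block gets a distinct hash input under the same key.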

Table of contents (page numbers refer to the dissertation):
中文摘要 (Chinese abstract)  I
ABSTRACT  III
誌謝 (Acknowledgements)  V
目錄 (Table of contents)  VI
圖目錄 (List of figures)  VIII
表目錄 (List of tables)  IX
Chapter 1 Introduction  1
  1.1 Research background and motivation  1
  1.2 Research objectives  6
  1.3 Organization of the dissertation  7
Chapter 2 Cryptographic theory and techniques  9
  2.1 Asymmetric key cryptosystems  10
  2.2 Symmetric key cryptosystems  11
  2.3 ElGamal digital signature  12
  2.4 Identity-based cryptosystems  13
  2.5 Self-certified public key cryptosystems  14
  2.6 Secret sharing  17
Chapter 3 Literature review  19
  3.1 Message recovery signatures based on self-certified public key cryptosystems  19
  3.2 Message recovery multisignatures based on self-certified public key cryptosystems  25
Chapter 4 Message recovery multisignature protocol based on self-certified public key cryptosystems  30
  4.1 Design of the message recovery multisignature protocol  31
  4.2 Security analysis  35
Chapter 5 Self-certified threshold authenticated encryption protocol  42
  5.1 Design of the threshold authenticated encryption protocol  42
  5.2 Security analysis  50
Chapter 6 Self-certified threshold authenticated encryption protocol with message chaining  57
  6.1 Design of the threshold authenticated encryption protocol with message chaining  57
  6.2 Security analysis  63
Chapter 7 Conclusion  70
References  73
List of publications  80


Full text release date: 2022/06/06 (campus network).
Full text not authorized for public release (off-campus network).
Full text not authorized for public release (National Central Library: Taiwan theses and dissertations system).