隨著科技的進步，電子病歷已經逐漸取代紙本病歷，而為了使電子病歷具有與紙本病歷相同的法律效力，並確保其完整性，使用數位簽章技術對電子病歷加以簽署是很重要的。然而，一份病歷是由不同的醫療人員對一位病患所進行的診斷、檢查或相關記錄所組成，依照現行的做法，每位醫療人員都必須使用自己的私密金鑰對自己所撰寫之部分進行簽署，並在該份電子病歷中嵌入其相對應的憑證。但此種作法會造成一份電子病歷的長度隨著簽署者的人數上升而增加，且當私密金鑰遺失時，之前所簽署的簽章將會失去信賴，這些均會帶給需要長期保存的電子病歷潛在的威脅。
在本篇論文中，我們提出一個適合電子病歷的群組憑證簽章機制，此機制將同科的醫療人員視為一個群組，讓群組內的成員均擁有自己的私密金鑰，但經由同群組內私密金鑰所簽署之簽章，可利用所屬的群組憑證進行驗證。依照此概念，我們可以有效的降低所需的憑證數量，且在驗證時，除了驗證簽署訊息的完整性外，同時也可得知簽署者的身份。我們針對幾個常見的攻擊作安全性分析，證明我們的機制足夠安全，且能確保在使用者私密金鑰遺失後，以往簽署過的簽章仍是可信任的。因此，我們認為此機制能改善現有對電子病歷簽章的做法。

Electronic medical records (EMR) gradually replace paper-based medical records with the advance of information technology. For having the same legal effect with paper-based medical records and ensuring the integrity, it is important for EMR to be signed by digital signature technology. However, an EMR consists of the diagnoses, examinations and related records of a patient from different medical personnel. According to existing practice, medical personnel need to sign on the written parts by their own secret keys and embed their corresponding certificates into this EMR. This approach would make the length of the EMR increase with the increasing of the number of signers. Otherwise, the previous signatures would not be trusted when the corresponding secret key is exposed. These will pose potential threats to the EMR that need to be kept for a long time.
In this thesis, we propose a group certificate signature scheme for EMR. Medical personnel from the same division are considered to a group. The members of the group have their own secret keys. The signatures signed by the secret keys from the same group can be verified by corresponding group certificate. With this concept, we can effectively reduce the number of required certificates in an EMR. In addition to verify the integrity of the signed message, a verifier can determine the actual signer of it at the same time. We have executed the security analysis for some specific common attacks, we prove that the proposed scheme is secure enough and can ensure that previous signatures are still credible after the exposure of key. Thus, we believe that the proposed scheme can improve the existing approach of digital signature for EMR.

中文摘要 I
Abstract II
誌謝 III
Contents V
List of Figures VI
List of Tables VI
Chapter 1 Introduction 1
Chapter 2 Related Work 6
2.1 Forward Security 6
2.2 Group Signature Scheme 9
2.3 Group Certificate Signature Scheme11
2.3.1 The scheme of Chang 11
2.3.2 The scheme of Yu and Hou 12
2.4 Preliminaries 15
2.4.1 Adversary Model 15
2.4.2 Discrete Logarithm Problem 15
2.4.3 Lagrange Interpolation Polynomial 16
Chapter 3 The Proposed Scheme 17
3.1 Assumption and Scheme Description 17
3.2 Notations 20
3.3 Algorithms 21
Chapter 4 Scheme Analysis 23
4.1 Security Analysis 23
4.2 Performance Analysis 29
4.3 Discussion32
Chapter 5 Conclusion 35
References 36

[1] D.I. Thompson, J. Osheroff, D. Classen and D.F. Sittig, “A review of methods to estimate the benefits of electronic medical records in hospitals and the need for a national benefits database,” Journal of Healthcare Information Management, vol. 21, no. 1, pp. 62-68, 2007.
[2] K. Chen, Y.C. Chang and D.W. Wang, “Aspect-oriented design and implementation of adaptable access control for Electronic Medical Records,” International Journal of Medical Informatics, vol. 79, no.3, pp. 181-203, 2010.
[3] K. Sartipi, K.A. Kuriakose and W. Ma, “An infrastructure for secure sharing of medical images between PACS and EHR systems,” International Conference on Computer Science and Software Engineering (CASCON), pp. 245-259, 2013.
[4] X.H. Le, S. Lee and Y.K. Lee, H. Lee, M. Khalid and R. Sankar, “Activity-oriented access control to ubiquitous hospital information and services,” Information Sciences, vol. 180, no. 16, pp. 2979-2990, 2010.
[5] M.F.F. Khan and K. Sakamura, “Security in Healthcare Informatics: Design and Implementation of a Robust Authentication and a Hybrid Access Control Mechanism,” Mosharaka International Conference on Communications, Computers and Applications (MIC-CCA), pp. 159-164, 2012.
[6] D. Weerasinghe, Y. Rahulamathavann and M. Rajarajan, “Secure trust delegation for sharing patient medical records in a mobile environment,” Health Policy and Technology, vol. 2, no. 1, pp. 36-44, 2013.
[7] Y. Wu and H. Yang, “An electronic medical records review system for mobile healthcare based on web services,” International Conference on Biomedical Engineering and Informatics (BMEI), pp. 1040-1044, 2012.
[8] L. Guo, C. Zhang, J. Sun and Y. Fang, “A Privacy-Preserving Attribute-Based Authentication System for Mobile Health Networks,” IEEE Transactions on Mobile Computing, vol. 18, no. 9, pp. 1927-1941, 2014.
[9] T.F. Lee, “Verifier-based three-party authentication schemes using extended chaotic maps for data exchange in telecare medicine information systems,” Computer Methods and Programs in Biomedicine, vol. 117, no. 3, pp. 464-472, 2014.
[10] A. Ferreira, R. Correia, L. Antunes, E. Palhares, P. Marques, P. Costa and A. da Costa Pereira, “Integrity for electronic patient record reports,” IEEE Symposium on Computer-Based Medical Systems (CBMS), pp. 4-9, 2004.
[11] Health Level Seven International, “HL7 Implementation Guide for CDA® Release 2: Digital Signatures and Delegation of Rights, Release 1”, 2014.
[12] RSA Data Security, Inc. “Understanding Public Key Infrastructure (PKI) An RSA Data Security White Paper,” 1999. Retrieved from RSA Data Security: ftp://ftp.rsa.com/pub/pdfs/understanding_pki.pdf
[13] W. Diffie and M.E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976.
[14] R. Anderson, “Two Remarks on Public Key Cryptology,” Technical Report UCAM-CL-TR-549, University of Cambridge, Computer Laboratory, 2002. Retrieved from: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-549.pdf
[15] M. Bellare and S.K. Miner, “A Forward-Secure Digital Signature Scheme,” Advances in Cryptology — CRYPTO ’99, vol. 1666, pp. 431-448, 1999.
[16] D. Chaum and E. Heyst, “Group signatures,” Advances in Cryptology — EUROCRYPT ’91, vol. 547, pp. 257-265, 1991.
[17] L. Chen and T.P. Pedersen, “New group signature schemes,” Advances in Cryptology — EUROCRYPT ’94. vol. 950, pp. 171-181, 1995.
[18] J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups,” Advances in Cryptology —CRYPTO ’97, vol. 1294, pp. 410-424, 1997.
[19] J. Camenisch, “Efficient and generalized group signatures,” Advances in Cryptoloty —EUROCRYPT ’97, vol. 1233, pp. 465-479, 1997.
[20] M. Bellare, H. Shi and C. Zhang, “Foundations of group signatures: the case of dynamic groups,” Topics in Cryptology – CT-RSA ’05, vol. 3376, pp. 136-153, 2005.
[21] X. Ding, G. Tsudik and S. Xu, “Leak-free group signatures with immediate revocation,” International Conference on Distributed Computing Systems (ICDCS), pp. 608-615, 2004.
[22] H. Park, H. Kim, K. Chun, J. Lee, S. Lim and I. Yie, “Untraceability of Group Signature Schemes based on Bilinear Mapping and Their Improvement,” International Conference on Information Technology (ITNG ‘07), pp. 747-753, 2007.
[23] H. Zheng, Z. Zhao and X. Zhang, “Access control based on group signatures in cloud service,” IEEE International Conference on Computer Science and Automation Engineering (CSAE), vol. 2, pp. 316-320, 2012.
[24] X. Chen, G. Lenzini, S. Mauw and J. Pang, “A Group Signature Based Electronic Toll Pricing System,” International Conference on Availability, Reliability and Security (ARES), pp85-93, 2012.
[25] S. Kuzhalvaimozhi and G.R. Rao, “Privacy protection in cloud using identity based group signature,” International Conference on the Applications of Digital Information and Web Technologies (ICADIWT), pp. 75-80, 2014.
[26] A. Fujii, G. Ohtake, G. Hanaoka and K. Ogawa, “Anonymous Authentication Scheme for Subscription Services,” Knowledge-Based Intelligent Information and Engineering Systems, vol. 4694, pp. 975-983, 2007.
[27] M.S.I. Mamun, A. Miyaji and H. Takada, “A Multi-purpose Group Signature for Vehicular Network Security,” International Conference on Network-Based Information Systems (NBiS), pp. 511-516, 2014.
[28] J.Y. Hwang, L. Chen, H.S. Cho and D. Nyang, “Short Dynamic Group Signature Scheme Supporting Controllable Linkability,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1109-1124, 2015.
[29] J.K. Liu, V.K. Wei and D.S. Wong, “Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups,” Information Security and Privacy, vol. 3108, 2004, pp. 325-335, 2004.
[30] Tin-Wei Chang, “Efficient authentication schemes based on group certificate and their application on mobile communication systems,” Master’s thesis, Nation Cheng Kung University, Department of Electronic Engineering, 2003.
[31] L.C. Guillou, J.J. Quisquater, “A “Paradoxical” Indentity-Based Signature Scheme Resulting from Zero-Knowledge,” Advances in Cryptology — CRYPTO ’88, vol. 403, pp. 216-231, 1990.
[32] G. Itkis, L. Reyzin, “Forward-secure signatures with optimal signing and verifying,” Advances in Cryptology — CRYPTO ’01, vol. 2139, pp. 332-354, 2001.
[33] Y.C. Yu and T.W. Hou, “An efficient forward-secure group certificate digital signature scheme to enhance EMR authentication process,” Medical & Biological Engineering & Computing, vol. 52, no. 5, pp. 449-457, 2014.
[34] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979.
[35] C.P. Schnorr, “Efficient identification and signatures for smart cards,” Advances in Cryptology — EUROCRYPT ’89, vol. 434, pp. 688-689, 1990.
[36] H. Krawczyk, “Simple forward-secure signatures from any signature scheme,” ACM conference on Computer and Communications Security (ACM CCS ’00), pp. 108-115, 2000.
[37] E. Barker and J. Kelsey, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” NIST Special Publication 800-90A, 2012.