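Graduate student: 賴瓊瑤
Chuang-yao Lai
Thesis title: 基於變色龍雜湊函數之群簽密機制
A Group Signcryption Scheme Based on Chameleon Hash Functions
Advisors: 楊維寧
Wei-Ning Yang
吳宗成
Tzong-Chen Wu
Oral examination committee: 羅乃維
Nai-Wei Lo
Degree: 碩士
Master
Department: College of Management - 資訊管理系
Department of Information Management
Year of publication: 2013
Academic year of graduation: 101
Language: Chinese
Number of pages: 74
Chinese keywords: 群體簽章 (group signature), 簽密法 (signcryption), 變色龍雜湊函數 (chameleon hash functions)
Foreign-language keywords: Group signature, Signcryption, Chameleon hash functions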
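  • In corporate settings, when a company offers many services to its users, we do not want to go through the company's cumbersome procedures before receiving the documents or data we need. To improve working efficiency, the company as a group can therefore send representatives to serve users. This is the spirit of group signatures: any member of the company can sign a document or message on behalf of the company.

    When a company member handles business for us, we always hope to get some discount or reward, but the member does not want us to tell others about these offers and cause a loss to the company. The "non-transferability" property of chameleon hash functions meets this need.

    However, when users receive services, transactions, or messages from the company, the privacy of the document or message must still be preserved, so signature and encryption mechanisms need to be combined. To reduce the cost of the traditional two stages of signing and encrypting, this study combines group signatures with signcryption and builds on the properties of chameleon hash functions. After the signcrypted text is sent to the recipient, the recipient can verify that it is a valid group signcryption but cannot transfer it to anyone else, and the recipient is allowed to convert the signcrypted text into an ordinary signature, which reduces the cost of arbitrating disputes.

    The method proposed in this study, which combines the properties of group signatures and signcryption and is based on chameleon hash functions, has the following advantages:
    1. Group members can sign on behalf of the group, which improves the efficiency of the signing procedure.
    2. The signcryption mechanism reduces the computation time and transmission cost of traditional two-stage signature and encryption.
    3. It achieves anonymity of group members, non-repudiation of the group signature, and confidentiality, integrity, and authenticity of the transmitted content.
    4. After receiving the group signcryption, the recipient cannot transfer it to others, which protects the group's interests and achieves non-transferability.
    5. When a dispute arises:
    (1) The group cannot deny a group signcryption that it signed.
    (2) The group can deny a group signcryption forged by the recipient.
    (3) The system certification authority can trace the group member who originally signed.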


    In corporate applications, where a company provides many services to its users, we often do not want to go through complicated company procedures before receiving the documents or information we need. To improve efficiency, the company as a group may have representatives provide services to users. This is the spirit of a group signature: any member of the company may sign a document or message on behalf of the company.
    When a company member provides a business service to us, we always expect some discount or reward. However, company representatives often do not want us to share the discount information with others, which may cause a loss to the company. The "non-transferability" property of chameleon hash functions meets this requirement.
    However, when the company provides services, conducts transactions, or sends messages to users, the privacy of the document or message must still be preserved, so signature and encryption mechanisms must be combined. To reduce the cost of traditional two-stage signature and encryption, we combine group signatures and signcryption based on chameleon hash functions. When the sender sends the signcryption text to the receiver, the recipient can verify that it is a valid group signcryption text but cannot transfer it to others. To reduce the cost of arbitrating disputes, the recipient is allowed to convert the signcryption text into an ordinary signature.
    The method proposed in this study, which combines the characteristics of group signatures and signcryption based on chameleon hash functions, has the following advantages:
    1. Members of the group can produce the signcryption on behalf of the group, which improves the efficiency of the signcryption procedure.
    2. The signcryption mechanism reduces the computation time and transmission cost of traditional two-stage signature and encryption.
    3. It achieves group member anonymity, non-repudiation of the group signcryption text, confidentiality, integrity, and authenticity.
    4. To protect the group's interests, the recipient who receives the group signcryption cannot transfer the signcryption text to other people, which achieves non-transferability.
    5. In the event of a dispute:
    (1) The group cannot deny a signcryption text that it produced.
    (2) The group can deny a group signcryption forged by the recipient.
    (3) The System Authority can trace the actual signer in the group.

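    Thesis abstract
    ABSTRACT
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    1.1 Research Background
    1.2 Research Motivation and Objectives
    1.3 Thesis Organization
    Chapter 2 Related Work
    2.1 Group Signatures
    2.1.1 The Group Signature of Chaum and Heyst
    2.1.2 The Group Signature of Lee and Chang
    2.1.3 The Group Signature of Shi
    2.2 Signcryption
    2.2.1 The Signcryption Scheme of Zheng
    2.2.2 The Signcryption Scheme of Bao and Deng
    2.2.3 The Signcryption Scheme of He
    2.3 Chameleon Hash Functions
    2.3.1 The Chameleon of Krawczyk and Rabin (see Figure 2.3-1)
    Chapter 3 The Proposed Method
    3.1 System Roles
    3.2 System Architecture and Flow
    3.3 Description of the Phases
    Chapter 4 Security and Efficiency Analysis
    4.1 Security Analysis
    4.1.1 Security Requirements
    4.2 Efficiency Analysis
    Chapter 5 Conclusions and Future Research Directions
    5.1 Conclusions
    5.2 Future Research Directions
    References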
