Digital Signatures with Privacy Enhancement (original title: 具隱私權強化之數位簽章)

Advisor: 顏嵩銘

Abstract (translated from the Chinese)


After more than thirty years of research and development, digital signatures are widely regarded as a viable replacement for traditional handwritten signatures in the digital world. Compared with a handwritten signature, however, an ordinary digital signature provides stronger security guarantees but does not necessarily offer richer or more practical functionality. To broaden the range of applications, much recent research has tried to give digital signatures novel functions that handwritten signatures cannot achieve, and a considerable share of that work focuses on privacy enhancement. Because the environments in which digital signatures are applied are diverse and changeable, privacy and its related issues in digital signature systems must not be overlooked. This dissertation discusses privacy and related issues in digital signature systems extensively and analyzes them in depth from the viewpoints of the different participants in such a system.

Regarding the privacy of the signer, several signature systems with signer ambiguity are discussed. First, this dissertation proposes a designated verifier signature scheme with a reasonable and secure mechanism for revoking ambiguity; the scheme keeps the signer's identity ambiguous from an observer's point of view while still preserving the non-repudiation that a digital signature must provide. In addition, this dissertation uses a concurrent signature scheme to build a highly fair and practical online transaction model. It also uses a ring signature scheme to construct an online price-survey protocol for mobile agents that simultaneously achieves publicly verifiable forward integrity and forward privacy.

Regarding the privacy of the verifier, this dissertation re-analyzes the security of a highly representative nominative signature scheme. The analysis shows that this nominative signature scheme resists the attack on the designated verifier's privacy claimed in the recent literature; in fact, that attack is not entirely correct, and its flaw stems from overlooking and misunderstanding a subtle difference between security definitions. This dissertation also extends this subtle difference between security definitions, and the issues related to it, to identity-based signature schemes and their batch verification algorithms. The results show that some batch verification studies of such signature schemes likewise fail to apply the security definitions correctly and precisely.

In some digital signature systems with special functions, a third participant may be involved in addition to the signer and the verifier. The privacy of this possible third participant is analyzed and discussed using proxy signature schemes as an example. This dissertation proposes a proxy signature scheme that provides good privacy protection for proxy signers: it guarantees not only the anonymity of the proxy signer but also the unlinkability of proxy signatures. In some application environments, these two properties also strengthen the privacy of the original signer.

Abstract (English)


As a digital alternative to a handwritten signature, an ordinary digital signature provides better protection in security aspects but unfortunately achieves no significant improvement in functional aspects. Much recent research tries to enrich digital signatures by introducing a diversity of novel and practical functionalities over the ordinary ones. Due to the variety of application scenarios digital signatures can be applied to, privacy-related issues of digital signatures should never be overlooked; hence a large part of those new signature developments involves privacy enhancement. In this dissertation, privacy-related issues of digital signatures are extensively discussed from the viewpoints of the different participants of a digital signature scheme. For the privacy of the signer, some signature schemes with signer ambiguity are discussed. First of all, a designated verifier signature scheme with secure disavowability is suggested; the suggested scheme keeps the identity of the signer ambiguous to third-party observers while maintaining the non-repudiation property of the signature. Secondly, by using concurrent signatures, a fair and practical transaction model for online shopping applications is introduced; and thirdly, by using ring signatures, a mobile agent price survey protocol which simultaneously achieves publicly verifiable forward integrity and forward privacy is proposed. For the privacy of the verifier, the security of a previous nominative signature scheme is reconsidered. It is shown that the previous scheme survives a recent cryptanalysis against the designated verifier's privacy, since the recent cryptanalysis neglects a subtle difference between two related security notions, namely verification and screening. This dissertation also points out that this subtle difference is neglected in some research on signature batch verification as well.
In some signature schemes with sophisticated functionalities, a third participant might be involved. For the privacy of the possible third participant in a digital signature scheme, proxy signatures are taken as an example and a new proxy signature scheme with privacy enhancement to proxy signers is proposed. More precisely, the proposed scheme provides anonymity and unlinkability to proxy signers; in some applications, these two properties also enhance the privacy of the original signer.
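The gap between verification and screening that the abstract raises for batch verification, illustrated with a constructed Schnorr-style toy scheme (an added example, not the dissertation's own scheme or code; the tiny group parameters, the naive and weighted batch tests, and the tamper step are all assumptions made for illustration):

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 with
# q prime, and g of prime order q in Z_p^*. Everything below is illustrative.
P, Q, G = 167, 83, 4

def _challenge(r: int, msg: bytes) -> int:
    """Hash-to-scalar e = H(r || msg) mod q."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key x in [1, q-1]
    return x, pow(G, x, P)                    # (x, y = g^x)

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * x) % Q   # (r, s) with g^s = r * y^e

def verify(y: int, msg: bytes, sig) -> bool:
    """Ordinary per-signature verification."""
    r, s = sig
    return pow(G, s, P) == r * pow(y, _challenge(r, msg), P) % P

def naive_batch(y: int, items) -> bool:
    """Adds up all verification equations. Accepts any batch whose per-signature
    errors cancel, so it screens (the signer signed these messages) but does not verify."""
    lhs = pow(G, sum(s for _, (_, s) in items) % Q, P)
    rhs = pow(y, sum(_challenge(r, m) for m, (r, _) in items) % Q, P)
    for _, (r, _) in items:
        rhs = rhs * r % P
    return lhs == rhs

def weighted_batch(y: int, items, weights=None) -> bool:
    """Small-exponent test: random weights w_i make cancellation unlikely."""
    if weights is None:
        weights = [secrets.randbelow(Q - 1) + 1 for _ in items]
    lhs = pow(G, sum(w * s for w, (_, (_, s)) in zip(weights, items)) % Q, P)
    rhs = pow(y, sum(w * _challenge(r, m) for w, (m, (r, _)) in zip(weights, items)) % Q, P)
    for w, (_, (r, _)) in zip(weights, items):
        rhs = rhs * pow(r, w, P) % P
    return lhs == rhs

def tamper(items, d: int = 1):
    """Shift s of the first signature up and the second down by d: both become
    individually invalid, yet their sum (and so the naive batch) is unchanged."""
    (m1, (r1, s1)), (m2, (r2, s2)) = items[:2]
    return [(m1, (r1, (s1 + d) % Q)), (m2, (r2, (s2 - d) % Q))] + items[2:]
```

Two tampered signatures that each fail verify() still pass naive_batch(), which is why a screening test must not be cited as if it were a verification result; weighted_batch() rejects them for any pair of distinct weights.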
