Thesis/dissertation etd-0204113-220957: detailed information
Title page for etd-0204113-220957
Title
Privacy Enhancement Mechanisms for Electronic Payment Protocols
Department
Year, semester
Language
Degree
Number of pages
88
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2012-12-21
Date of Submission
2013-02-04
Keywords
Micropayment, Fair Transaction, Fairness, Security, Privacy, Electronic Commerce
Statistics
The thesis/dissertation has been browsed 5659 times and downloaded 121 times.
Abstract
  With the development of electronic commerce, an increasing number of users are willing to adopt electronic payment in order to experience fast and convenient online transactions. Now that the confidentiality of online payment is widely accepted, users expect greater protection for their transactions, such as protection of transaction privacy (anonymity) and protection of the rights of both user and vendor (fairness).
  In general, electronic payment fairness is achieved by adopting fair exchange mechanisms, which involve a trusted third party. User anonymity, on the other hand, requires different mechanisms depending on the payment amount. For micropayments, efficient hash functions are commonly adopted and public key operations are avoided so that fast and efficient transactions are achieved. Originally, micropayments were designed to be efficient for payments that occur frequently. Most of them adopt an offline broker (bank) and a postpaid method. The advantages of such schemes are that the user can make payments to different vendors with a single withdrawal and enjoy the benefit of delayed payment. However, many subsequent studies sacrifice these advantages in order to add anonymity to micropayment. In some schemes, users have to communicate with the broker again each time they make a payment to a different vendor. In other schemes, the postpaid method, which is favorable for the user, is changed to a prepaid one. In order to avoid possible losses to the bank, macropayments usually adopt online electronic cash (e-cash) for user anonymity and double-spending checking. However, the anonymity of a user is not completely protected in current schemes. The shopping behavior of a user (such as what products the user has purchased) could still be revealed during transactions. Moreover, a complete definition and formal security proof of transaction security have not been proposed.
  In this dissertation, we propose privacy enhancement mechanisms for current electronic payment protocols. We design an efficient one-time anonymous certificate scheme for micropayment to achieve user anonymity and to ensure that the advantages of original micropayment mechanisms are not sacrificed. That is, we propose an anonymous fair offline postpaid micropayment scheme. For macropayments, we design an anonymous fair transaction scheme based on e-cash that achieves complete user anonymity, addressing the user privacy leakage that arises in current schemes from their incomplete protection of product privacy. Although security in this research field is usually supported by security analyses rather than complete theoretical proofs, this dissertation provides complete security definitions and formal theoretical proofs for the anonymous fair electronic payment protocols to make the security of the proposed schemes more convincing.
Table of Contents
Acknowledgments
Abstract (Chinese)
Abstract
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Motivation
  1.2 Research Contributions
  1.3 Dissertation Organization
Chapter 2 Preliminary
  2.1 A Generic Blind Signature Scheme
  2.2 A Generic Electronic Cash Scheme
  2.3 A Generic Fair Transaction Scheme
    2.3.1 Withdrawal Protocol
    2.3.2 Payment Protocol
    2.3.3 Dispute Resolution Protocol
    2.3.4 Discussions
  2.4 PayWord Micropayment Scheme
  2.5 Random Oracle Model
Chapter 3 Privacy Enhancement for Micropayment
  3.1 Anonymous One-Time Certificate Protocol
    3.1.1 System Parameters Generation
    3.1.2 Registration Phase
    3.1.3 Certificate Generation/Verification Phase
    3.1.4 User Identity Tracing Phase
  3.2 The Proposed Scheme
    3.2.1 Registration Protocol
    3.2.2 Payment Protocol
    3.2.3 Redemption Protocol
    3.2.4 Dispute Resolution Protocol
  3.3 Security
    3.3.1 Certificate Correctness
    3.3.2 Certificate Unforgeability
    3.3.3 Certificate Traceability
    3.3.4 User Anonymity
    3.3.5 Fairness
  3.4 Comparisons
Chapter 4 Privacy Enhancement for Macropayment
  4.1 The Proposed Scheme
    4.1.1 Withdrawal Protocol
    4.1.2 Payment Protocol
    4.1.3 Dispute Resolution Protocol
    4.1.4 Discussions
  4.2 Security
    4.2.1 E-cash Unforgeability
    4.2.2 E-cash Unlinkability
    4.2.3 Customer Anonymity
    4.2.4 Product Privacy
    4.2.5 Fairness
    4.2.6 Timeliness
  4.3 Comparisons
Chapter 5 Conclusions
Bibliography
Appendix A A Practical Fair Transaction Scheme
  A.1 Initialization
  A.2 Withdrawal Protocol
  A.3 Payment Protocol
  A.4 Dispute Resolution Protocol
  A.5 Discussions
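Fulltext
This electronic full text is licensed to users solely for personal, non-profit searching, reading, and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China, and do not reproduce, distribute, adapt, repost, or broadcast it without authorization, so as to avoid violating the law.
Thesis access permission: user-defined availability date
Available:
Campus: available
Off-campus: available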


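Printed copies
Public information on printed copies is relatively complete for academic year 102 and later. To inquire about public information on printed copies from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available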
