數位簽章的批次驗證機制是為了節省檢驗簽章所需要的時間，到目前為止已經有非常多的應用。但幾乎所有已知批次驗證演算法，都是假設批次驗證可以發現所有錯誤的簽章。我們找到了一種方式可以創造多個錯誤簽章，使得這幾個簽章在批次驗證中不會被驗出來。因此，偵測錯誤簽章的工作會變得極為重要。我們提出兩個方式來在多個簽章中做錯誤簽章的偵測。當有錯誤簽章被偵測出來，我們可以使用一些已知的方法來抓出錯誤的簽章，例如二分法。

Batch verification is a technique for saving time on verifying signatures. It has many applications in the world. Almost all batch verification algorithm assume that batch verification is able to detect invalid signatures if it exists. We propose a method to create many invalid signatures which can not be detected in batch verification. Therefore, detecting invalid signatures is an important work. We also propose two method to detect invalid signatures even if the problem the above problem exists. After detecting the invalid signatures, some simple methods can be applied, such as bisection method.

Acknowledgments iii
摘要 iv
Abstract v
Chapter 1 緒論 1
1.1 研究背景與研究動機 1
1.2 相關研究 3
Chapter 2 基礎知識 4
2.1 基礎代數 4
2.2 難題 5
2.3 簽章系統 6
2.4 批次驗證 7
2.5 基礎圖論 8
Chapter 3 偽簽章集 10
3.1 偽簽章集之定義 10
3.2 以之簽章系統之表現 11
Chapter 4 偵測錯誤簽章之方法 12
4.1 二進制編碼法 13
4.1.1 檢測演算法 13
4.1.2 特殊例子與限制 14
4.2 d-Cover Free Family 14
4.2.1 d-CFF 之建構 16
4.2.2 檢測演算法 17
4.2.3 特殊例子與限制 18
4.3 比較與分析 19
Chapter 5 結論與未來展望 20
Bibliography 21

[1] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of applied cryptography. CRC press, 1996.
[2] A. Fiat, “Batch RSA,” in Conference on the Theory and Application of Cryptology, pp. 175–185, Springer, 1989.
[3] M. Geng and F. Zhang, “Batch verification for certificateless signature schemes,” in Computational Intelligence and Security, 2009. CIS’09. International Conference on, vol. 2, pp. 288–292, IEEE, 2009.
[4] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Workshop on the Theory and Application of Cryptographic Techniques, pp. 47–53, Springer, 1984.
[5] L. Harn, “Batch verifying multiple DSA-type digital signatures,” Electronics Letters, vol. 34, no. 9, pp. 870–871, 1998.
[6] H. Min-Shiang, L. Cheng-Chi, and T. Yuan-Liang, “Two simple batch verifying multiple digital signatures,” in International Conference on Information and Communications Security, pp. 233–237, Springer, 2001.
[7] D. Naccache, D. M’RaÏhi, S. Vaudenay, and D. Raphaeli, “Can DSA be improved?—Complexity trade-offs with the digital signature standard,” in Workshop on the Theory and Application of of Cryptographic Techniques, pp. 77–85, Springer, 1994.
[8] S. Karati, A. Das, D. Roychowdhury, B. Bellur, D. Bhattacharya, and A. Iyer, “Batch verification of ECDSA signatures,” in International Conference on Cryptology in Africa, pp. 1–18, Springer, 2012.
[9] S. Karati and A. Das, “Faster batch verification of standard ECDSA signatures using summation polynomials,” in International Conference on Applied Cryptography and Network Security, pp. 438–456, Springer, 2014.
[10] L. Harn, “Batch verifying multiple RSA digital signatures,” Electronics Letters, vol. 34, no. 12, pp. 1219–1220, 1998.
[11] C.-I. Fan, P.-H. Ho, and Y.-F. Tseng, “Strongly secure certificateless signature scheme supporting batch verification,” Mathematical Problems in Engineering, vol. 2014, 2014.
[12] M.-S. Hwang, I.-C. Lin, and K.-F. Hwang, “Cryptanalysis of the batch verifying multiple RSA digital signatures,” Informatica, vol. 11, no. 1, pp. 15–18, 2000.
[13] M.-S. Hwang, C.-C. Lee, and E. J.-L. Lu, “Cryptanalysis of the batch verifying multiple DSA-type digital signatures,” Pakistan Journal of Applied Sciences, vol. 1, no. 3, pp. 287–288, 2001.
[14] F. Bao, C.-C. Lee, and M.-S. Hwang, “Cryptanalysis and improvement on batch verifying multiple RSA digital signatures,” Applied Mathematics and Computation, vol. 172, no. 2, pp. 1195–1200, 2006.
[15] C. Boyd and C. Pavlovski, “Attacking and repairing batch verification schemes,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 58–71, Springer, 2000.
[16] L. Seungwon, C. Seongje, and C. Yookun, “Efficient identification of bad signatures in RSA-type batch signature,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 89, no. 1, pp. 74–80, 2006.
[17] M. Stanek, “Attacking LCCC batch verification of RSA signatures.,” IACR Cryptology ePrint Archive, vol. 2006, p. 111, 2006.
[18] M. S. Hwang, C. C. Lee, and Y. L. Tang, “Two simple batch verifying multiple digital signatures,” in Information and Communications Security, pp. 233–237, Springer, 2001.
[19] A. Atanasiu, “A new batch verifying scheme for identifying illegal signatures,” Journal of Computer Science and Technology, vol. 28, no. 1, pp. 144–151, 2013.
[20] M. Bellare, J. A. Garay, and T. Rabin, “Fast batch verification for modular exponentiation and digital signatures,” in International Conference on the Theory and Applications of Cryptographic Techniques, pp. 236–250, Springer, 1998.
[21] R. L. Burden and J. D. Faires, Solutions of Equations in One Variable, The Bisection Method. Brooks/Cole, Cengage Learning, 2011.
[22] C. H. Papadimitriou, Computational complexity. John Wiley and Sons Ltd., 2003.
[23] R. Bellman, “Dynamic programming treatment of the travelling salesman problem,” Journal of the ACM (JACM), vol. 9, no. 1, pp. 61–63, 1962.
[24] C. Pomerance, “A tale of two sieves,” Biscuits of Number Theory, vol. 85, p. 175, 2008.
[25] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978.
[26] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 514–532, Springer, 2001.
[27] C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, IEEE, 2008.
[28] W. Luo, L. Liu, S. Yuan, and X. Zhang, “Batch verification of the data integrity in cloud computing.,” International Journal of Digital Content Technology & its Applications, vol. 6, no. 15, 2012.
[29] W. Kautz and R. Singleton, “Nonrandom binary superimposed codes,” IEEE Transactions on Information Theory, vol. 10, no. 4, pp. 363–377, 1964.
[30] G. M. Zaverucha and D. R. Stinson, “Group testing and batch verification,” in International Conference on Information Theoretic Security, pp. 140–157, Springer, 2009.
[31] A. D yachkov, V. Lebedev, P. Vilenkin, and S. Yekhanin, “Cover-free families and superimposed codes: Constructions, bounds, and applications to cryptography and group testing,” in IEEE International Symposium on Information Theory, pp. 117–117, 2001.
[32] D. R. Stinson and R. Wei, “Generalized CoverFree Families,” Discrete Mathematics, vol. 279, no. 1, pp. 463–477, 2004.
[33] E. Porat and A. Rothschild, “Explicit non-adaptive combinatorial group testing schemes,” in International Colloquium on Automata, Languages, and Programming, pp. 748–759, Springer, 2008.