數位簽章技術, 隨著應用環境的不同, 衍生出多樣化的數位簽章機制。一般而言, 數位簽章內包含兩種必要因子, 分別為: 隨機參數與雜湊函數; 其中, 隨機參數是用來提供數位簽章的隨機化不規則分佈, 而雜湊函數是為了讓簽章訊息可以成為一個固定長度的訊息摘要以方便簽署。

隱藏在數位簽章內的隨機參數, 是一個可以利用的因子, 若能充分運用, 則數位簽章不但可以證明所簽署的訊息之訊息來源, 更可夾帶著其他秘密訊息在簽章內; 從Simmon 所提出的潛隱通道後, 我們提出多重潛隱通道, 可以隱藏更多的潛隱訊息, 給不同的潛隱訊息接收者; 此外, 藉由潛隱通道的應用, 讓隨機參數成為另一個安全因子, 使得前饋安全的簽章機制在嵌入潛隱道後, 具有後饋安全的特性, 我們提出前饋後饋安全安全簽章機制。

雜湊函數是一個產生訊息摘要的重要工具, 然而雜湊函數的特性, 具有單向性與不可碰撞性。一個簽章訊息經過雜湊函數的運算後, 只能對應到一個訊息摘要。近年來, 有學者衍生出變色龍雜湊函數, 是一個單向碰撞抵抗的後門雜湊函數, 隨機值輸入後, 除了擁有後門金鑰的人才可以計算出碰撞, 可以讓多個訊息, 經過變色龍雜湊函數, 可以只對映到同一個訊息摘要。因此, 有一系列的研究將此變色龍雜湊函數應用於online/offline 簽章機制或應用於消毒簽章機制, 我們利用此函數的特性於網路安全閘道-防火牆, 符合閘道所需要的快速盲目驗證之特性。此外, 我們還提出三相後門變色龍雜湊函數, 並將其應用於車輛擁有者識別機制, 具有快速鑑定且不需要即時連接資料庫的特性, 最後, 我們提出門檻式變色龍雜湊函數, 使得變色龍雜湊函數的碰撞達到門檻值後, 將洩漏出後門資訊。

A digital signature technique has evolved into varies digital signature schemes in different application environments. In general, a digital signature consists of a random number and a hash function in addition to signing function. The random number can be used to provide the randomization of digital signatures. The hash function can be used for generating a message digest that has a fix length and is convenient for signing.

The random number that hides in the digital signature is a useful factor. If we can use this factor well, then the digital signature can carry the other secret messages. On the basis of the concept of a subliminal channel proposed by Simmon, we have proposed multiple subliminal channels that can carry more than one subliminal message to different subliminal receivers. Furthermore, by using the concept of a subliminal channel, we can use the random number as another secure parameter of the digital signature. This concept leads to a forward-secure digital signature with backward-secure detection when the subliminal channel is embedded in the signature. We have proposed a forward-backward secure digital signature.

A hash function is an important tool for generating a message digest. The hash function used in a signature must be one-way and collision resistant. A signing message will map to a message digest via a hash function. In recent years, several chameleon hash functions have been proposed. A chameleon hash function is a trapdoor one-way hash function that prevents everyone except the holder of the trapdoor key from computing the collisions for a randomly given input. There are various studies that apply the chameleon hash function to online/offline digital
signatures and sterilization signatures. In this thesis, we apply this concept to a network secure gateway. We have achieved fast blind verification for an application gateway, such as a firewall. Further, we propose triple-trapdoor chameleon hash function and apply to vehicle owenship identification scheme. We have achieved the fast identification for vehicle ownership without connect to online database. We also have proposed threshold chameleon hash function and achieved that the collision will control under the threshold value. The trapdoor information will be exposed after the number of collision has accomplished.

1 Introduction 1
1.1 Subliminal Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Choice of Random Number in Digital Signatures . . . . . . . . 4
1.1.2 Lu-Shieh’s Forward-secure Digital Signature . . . . . . . . . . 5
1.1.3 Subliminal Channels in the Lu-Shieh’s GQ Signature Scheme . 7
1.2 Chameleon Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.1 Single-trapdoor Hash Functions . . . . . . . . . . . . . . . . . 11
1.2.2 Double-trapdoor Hash Functions . . . . . . . . . . . . . . . . 12
1.2.3 Triple-trapdoor Hash Function . . . . . . . . . . . . . . . . . . 14
1.3 Our Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . 16
2 Multiple Subliminal Channels 18
2.1 Review of Lamport’s One-Time Signature Schemes . . . . . . . . . . 18
2.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.3 Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4 OTSSs with Multiple Bits-a subliminal Channels Scheme . . . . . . . 21
2.4.1 Extension of the Proposed Scheme . . . . . . . . . . . . . . . 23
2.5 OTSSs with Multiple Blocks-a subliminal Channels Scheme . . . . . . 24
2.5.1 Extension of the Proposed Scheme . . . . . . . . . . . . . . . 26
2.6 An Application of the Proposed Schemes . . . . . . . . . . . . . . . . 28
2.7 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.7.1 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.7.2 Indistinguishability and Inextricability of Subliminal Messages 32
3 A Forward-Backward Secure Signature Scheme 35
3.1 Forward-secure Signature Scheme . . . . . . . . . . . . . . . . . . . . 35
3.1.1 Review of Abdalla-Reyzin’s Forward-secure GQ Signature Scheme 37
3.2 Forward-secure Signature with Backward-secure Detection . . . . . . 38
3.2.1 The One-way Hash Chain . . . . . . . . . . . . . . . . . . . . 38
3.2.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.2.3 The Proposed Scheme . . . . . . . . . . . . . . . . . . . . . . 41
3.3 Security Analysis and Discussions . . . . . . . . . . . . . . . . . . . . 43
3.3.1 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.3.2 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.3.3 Forward-seucre Protection . . . . . . . . . . . . . . . . . . . . 47
3.3.4 Backward-secure Protection and Detection . . . . . . . . . . . 48
4 An Efficient Blind Verifying for Firewall using Chameleon Hash
Function 50
4.1 The Research Motive . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.2 Definitions and Constructions . . . . . . . . . . . . . . . . . . . . . . 52
4.2.1 Signcryption for Third-Party Verification . . . . . . . . . . . . 52
4.2.2 From Hash-Sign-Switch to Hash-Signcrypt-Switch Paradigm . 52
4.2.3 A Double-Trapdoor Chameleon Hash Family . . . . . . . . . . 53
4.2.4 The Security Requirements . . . . . . . . . . . . . . . . . . . . 54
4.2.5 Online/offline Signcryption for Firewall Verification . . . . . . 55
4.3 An Efficient Blind Verifying for Firewall using Online/Offline Sign-
cryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.4 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.4.1 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.4.2 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.5 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5 Efficient Vehicle Ownership Identification Scheme Based on Triple-
trapdoor Chameleon Hash Function 66
5.1 The Research Motive . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5.2 Preliminary and Definitions . . . . . . . . . . . . . . . . . . . . . . . 69
5.2.1 Entities and the Flow of Vehicle Ownership Identification Scheme 69
5.2.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.2.3 The Triple-trapdoor Chameleon Hash Family . . . . . . . . . 71
5.3 Vehicle Ownership Identification Scheme . . . . . . . . . . . . . . . . 73
5.3.1 Overview of the Scheme . . . . . . . . . . . . . . . . . . . . . 73
5.3.2 The Proposed Scheme . . . . . . . . . . . . . . . . . . . . . . 75
5.4 Security analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.4.1 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.4.2 License Unforgeability . . . . . . . . . . . . . . . . . . . . . . 79
5.4.3 Vehicle Owner Linkability and Traceability . . . . . . . . . . . 82
5.4.4 Swindling Free . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.5 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6 (t, n) Threshold Chameleon Hash Scheme 87
6.1 Definition of TCHS . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6.2 Definitions of Security . . . . . . . . . . . . . . . . . . . . . . . . . . 88
6.3 Bilinear Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.4 Elliptic Curve Discrete Logarithm Problem . . . . . . . . . . . . . . . 90
6.5 The Proposed Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.5.1 Threshold Chameleon Hash Scheme with Secret ID Expose . . 91
6.6 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.6.1 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.6.2 Collision Resistance . . . . . . . . . . . . . . . . . . . . . . . . 94
7 Conclusions and Future Work 98

[1] http://www.ltsa.govt.nz/.
[2] M. Abdalla and M. Bellare. Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques. In Proceeding ASIACRYPT ’00, LNCS 1976, pages 431–448, 1999.
[3] M. Abdalla and L. Reyzin. A new forward-secure digital signature scheme. In Proceeding ASIACRYPT ’00, LNCS 2139, pages 116–129, 2001.
[4] B. Alomair, K. Sampigethaya, and R. Poovendran. Efficient generic forward-secure signatures and proxy signatures. In Proceeding EuroPKI ’08, LNCS 5057, pages 166–181, 2008.
[5] G. Ateniese and B. de Medeiros. Identity-based chameleon hash and applications. In Proceeding FC 2004, LNCS 3110, pages 164–180, 2004.
[6] G. Ateniese and B. de Medeiros. On the key exposure problem in chameleon hashes. In Proceeding SCN 2004, LNCS 3352, pages 165–179, 2005.
[7] J. Baek, R. Steinfeld, and Y. Zheng. Formal proofs for the security of signcryption. In In Proceeding PKC ’02, LNCS 2274, pages 286–301, 2002.
[8] M. Bellare and S. K. Miner. A forward-secure digital signature scheme. In Proceeding CRYPTO ’99, LNCS 1666, pages 431–448, 1999.
[9] M. Bellare and T. Ristov. Hash functions from sigma protocols and improvements to vsh. In Proceeding ASIACRYPT ’08, LNCS 5350, pages 125–142, 2008.
[10] E. Bresson, D. Catalano, and R. Gennaro. Improved on-line/off-line threshold signatures. In In Proceeding PKC ’07, LNCS 4450.
[11] M. H. Liu C. L. Chen. A traceable e-cash transfer system against blackmail via subliminal channel. Electronic Commerce Research and Applications, In Press, Corrected Proof, 2009.
[12] D. Catalano, M. Raimondo, D. Fiore, and R. Gennaro. Off-line/on-line signa tures: Theoretical aspects and experimental results. In Proceeding PKC ’08, LNCS 4939, pages 101–120, 2008.
[13] D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash. In Crypto ’88, LNCS 403, pages 319–327, 1990.
[14] X. Chen, F. Zhang, W. Susilo, and Y. Mu. Efficient generic on-line/off-line signatures without key exposure. In In Proceeding ACNS ’07, LNCS 4521,
pages 18–30, 2007.
[15] X. Chen, F. Zhang, H. Tian, B. Wei, W. Susilo, Y. Mu, and K. Kim H. Lee. Efficient generic on-line/off-line (threshold) signatures without key exposure.
Information Sciences, 178(21):4192–4203, 2008.
[16] C. Crutchfield, D. Molnar, D. Turner, and D. Wagner. Generic on-line/off-line threshold signatures. In In Proceeding PKC ’06, LNCS 3958, pages 58–74,
2006.
[17] Y. Desmedt. Subliminal-free authentication and signature. In Proceeding EUROCRYPT ’88, LNCS 330, pages 23–33, 1988.
[18] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. JOURNAL of Cryptology, 9(1):35–67, 1996.
[19] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. Journal of Cryptology, 9(1):35–67, 1996.
[20] C. I. Fan. Ownership-attached unblinding of blind signatures for untraceable electronic cash. Computer Communications, 176:263–284, 2006.
[21] C. I. Fan and C. L. Lei. A user efficient fair blind signature scheme for untraceable electronic cash. Journal of Information Science and Engineering,
18(1):47–58, 2002.
[22] C. Gamage, J. Leiwo, and Y. Zheng. Encrypted message authentication by firewalls. In In Proceeding PKC ’99, LNCS 1560, pages 69–81, 1999.
[23] L. Harn and G. Gong. Digital signature with a subliminal channel. In IEE Proceeding Comput. Digit. Tech, volume 144, pages 387–389, 1997.
[24] L. Harn, W. J. Hsin, and C. Lin. Efficient on-line/off-line signature schemes based on multiple-collision trapdoor hash families. The Computer Journal Ad-
vance Access originally published on May 11, 2009.
[25] P. Horster, M. Michels, and H. Petersen. Subliminal channels in digital logarithm based signature schemes and how to avoid them. In Theoretical Computer Science and Information Security, Technical Report TR-94-13, 1994.
[26] C. S. Hsu and Y. C. Hou. An image size unconstrained ownership identification scheme for gray-level and color ownership statements based on sampling methods. Computer Communications, 79:1130–1140, 2006.
[27] R. J. Hwang, C. H. Lai, and F. F. Su. An efficient signcryption scheme with forward secrecy based on elliptic curve. Applied Mathematics and Computation,
167:870–881, 2005.
[28] G. Itkis and L. Reyzin. Forward-secure signatures with optimal signing and verifying. In Proceeding CRYPTO ’01, LNCS 2139, pages 332–354, 2001.
[29] J. K. Jan and Y. M. Tseng. New digital signature with subliminal channels based on the discrete logarithm problem. In Proceeding International Work-
shops on Parallel Processing, pages 198–203, 1999.
[30] K. Kobara and H. Imai. Self-synchronized message randomization methods for subliminal channels. In Proceeding ICICS ’97, LNCS 1334, pages 325–334, 1997.
[31] K. Kobara and H. Imai. On the channel capacity of narrow-band subliminal channels. LNCS 1726:309–323, 1999.
[32] N. Koblitz, A. Menezes, and S. Vanstone. The state of elliptic curve cryptography. Designs, Codes and Cryptography ’00, 19(2-3):173–193, 2000.
[33] A. Kozlov and L. Reyzin. Forward-secure signatures with fast key update. In Proceeding SCN ’02, LNCS 2576, pages 247–262, 2002.
[34] H. Krawczyk. Simple forward-secure signatures from any signature scheme.
In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 108–115, 2000.
[35] H. Krawczyk, M. Bellare, and R. Canetti. Hmac: Keyed-hashing for message authentication. Internet Engineering Task Force, Request for Comments (RFC) 2104, 1997.
[36] H. Krawczyk and T. Rabin. Chameleon signatures. In In Symposium on Network and Distributed Systems Security, pages 143–154, 2000.
[37] K. Kurosawa and S. Samoa. New online/offline signature schemes without random oracles. In Proceeding PKC 2006, LNCS 3958, pages 330–346, 2006.
[38] H. Kuwakado and H. Tanaka. New subliminal channel embedded in the esign. IEICE Trans. Fundamentals, E82-A(10):2167–2171, 1999.
[39] L. Lamport. Constructing digital signatures from a one way function. Technical Report CSL-98, SRI International, 1979.
[40] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24(11):770–772, 1981.
[41] John M. Lee. and W. Mao. Two birds one stone: Signcryption using rsa. Cryptology -Cryptographers’ Track RSA Conference 2003, pages 210–224, 2003.
[42] N. Y. Lee and P. H. Ho. Convertible undeniable signature with subliminal channels. Applied Mathematics and Computation, 158(1):169–175, 2004.
[43] N. Y. Lee and P. S. Ho. Digital signature with threshold subliminal channel. IEEE Transactions on Consumer Electronics, 49(4):1240–1242, 2003.
[44] N. Y. Lee and D. R. Lin. Robust digital signature scheme with subliminal channels. IEICE Trans. Fundamentals, E86-A(1):187–188, 2003.
[45] N. Y. Lee and S. Y. Yang. The design of integrating subliminal channel with access control. Applied Mathematics and Computation, 171:573–580, 2005.
[46] D. R. Lin, C. I. Fan C. I. Wang, and D. J. Guan. One-time signatures with subliminal channels. In Information Security Conference, pages 269–276, 2005.
[47] D. R. Lin, C. I. Wang, C. I. Fan, and D. J. Guan. Forward-secure subliminal channels based on GQ signature. International Computer Symposium, pages
231–243, 2006.
[48] D. R. Lin, C. I. Wang, and D. J. Guan. An efficient blind verifying for firewall using online/offline signcryption. Journal of Internet Technology, Accepted
paper, 2009.
[49] C. F. Lu and S. Shieh. Secure key-evolving protocols for discrete logarithm schemes. In In Proceeding CT-RSA ’02, LNCS 2271, pages 300–309, 2002.
[50] C. F. Lu and S. Shieh. Efficient key-evolving protocol for the gq signature. Journal of information science and engineering, 20:763–769, 2004.
[51] T. Malkin, D. Micciancio, and S. K. Miner. Efficient generic forward-secure signatures with an unbounded number of time periods. In In Proceeding EUROCRYPT ’02, LNCS 2332, pages 400–417, 2002.
[52] M. Mehta and L. Harn. Efficient one-time proxy signatures. IEE Proceeding Commun, pages 553–560, 2005.
[53] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. 1997.
[54] Y. Park and Y. Cho. Efficient one-time signature schemes for stream authentication. Journal of Information Science and Engineering, 22:611–624, 2006.
[55] P. L. Pedro, C. Juli, T. Juan, L. Tieyan, and L. Yingjiu. Vulnerability analysis of RFID protocols for tag ownership transfer. Computer Networks, 54:1502–
1508, 2010.
[56] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptography, 3(13):361–396, 2000.
[57] M. O. Rabin. Digitalize signatures. In Foundations of Secure Communication, Academic Press, pages 155–168, 1978.
[58] P. Rohatgi. A compact and fast hybrid signature scheme for multicast packet. In 6th ACM Conference on Computer and Communications Security, pages
93–100, 1999.
[59] R. S. Safavi-Naini and J. R. Seberry. Error-correcting codes for authentication and subliminal channels. IEEE Trans. Inform. Theory, 37(1):13–17, 1991.
[60] K. Sakurai and T. Itoh. Subliminal channels for signature transfer and their application to signature distribution schemes. 718:231–243, 1993.
[61] J. Seberry. A subliminal channel in codes for authentication without secrecy. In ARS COMBINATORIA, volume 19A, pages 37–41, 1985.
[62] A. Shamir and Y. Tauman. Improved on-line/off-line signature schemes. In Proceeding CRYPTO ’01, LNCS 2139, pages 355–367, 2001.
[63] G. J. Simmons. The prisoner’s problem and the subliminal channel. In Proceeding CRYPTO ’83, pages 51–67, 1984.
[64] G. J. Simmons. The subliminal channel and digital signatures. In Proceeding EUROCRYPT ’84, pages 364–378, 1984.
[65] G. J. Simmons. Subliminal communication is easy using the dsa. In Proceeding EUROCRYPT ’93, LNCS 765, pages 218–232, 1994.
[66] G. J. Simmons. The history of subliminal channels. IEEE Journal on Selected Areas in Communications, 16(4):452–462, 1998.
[67] B. Song and C. J. Mitchell. Scalable RFID security protocols supporting tag ownership transfer. Computer Communications, Accepted paper, 2010.
[68] L. Su, G. Cul, M. Yang, and J. Chen. Threshold subliminal channel based on designated verifier signature. Wuhan University Journal of Natural Sciences, 11(6):1485–1488, 2006.
[69] W. G. Tzeng and Z. J. Tzeng. Robust forward-secure signature schemes with proactive security. In Proceeding PKC ’00, LNCS 1992, pages 264–276, 2001.
[70] Z. Wang and W. Gao. Perfect subliminal channel in a paring-based digital signature. Asian Journal of Information Technology, 5(4):392–395, 2006.
[71] X. Xin and Q. Li. Construction of subliminal channel in ID-based signatures.
In International Conference on Information Engineering, volume 2, pages 159–162, 2009.
[72] Z. Xu, G. Dai, and D. Yang. An efficient on-line/off-line signcryption scheme for manet. 21st International Conference on Advanced Information Networking
and Applications Workshops, 2:171–176, May 2007.
[73] C. L. Yang, C. M. Li, and T. Hwang. Subliminal channels in the identity-based threshold ring signature. International Journal of Computer Mathematics, 00(0):1–18, 2008.
[74] C. C. Yanga, T. Y. Changa, and M. S. Hwang. A new anonymous conference key distribution system based on the elliptic curve discrete logarithm problem.
Computer Standards and Interfaces, 25:141–145, 2003.
[75] A. Young and M. Yung. A subliminal channel in secret block ciphers. Selected Areas in Cryptography, 3357:198–211, 2004.
[76] F. Zhang, B. Lee, and K. Kim. Exploring signature schemes with subliminal channel. In Symposium on Cryptography and Information Security ’03, pages
245–250, 2003.
[77] Z. K. Zhang, D. R. Lin, C. I. Fan, and D. J. Guan. A subliminal channel without sharing signer’s secret key. In Information Security Conference, pages
277–280, 2005.
[78] Y. Zheng. Digital signcryption or how to achieve cost(signature and encryption) << cost(signature)+cost(encryption). In In Proceeding CRYPTO ’97, LNCS 1294, pages 165–179, 1997.
[79] Y. Zheng and H. Imai. How to construct efficient signcryption schemes on elliptic curves. Information Processing Letters, 68:227–233, 1998.
[80] Y. Zheng and H. Imai. Using signcryption to build compact and efficient protocols for unforgeable session key establishment. http://wwwpsict.fcit.monash.edu.au/ yuliang/, 1999.