Graduate student: 林季玄 (Chi-Hsuan Lin)
Thesis title: 可重覆使用之模糊傳送協定 (Reusable Oblivious Transfer Protocol)
Advisor: 李南逸 (Narn-Yih Lee)
Degree: Master's
Institution: 南台科技大學
Department: Department of Information Management
Discipline: Computer science
Sub-discipline: General computer science
Thesis type: Academic thesis
Year of publication: 2006
Academic year of graduation: 94
Language: Chinese
Number of pages: 62
Keywords: Oblivious transfer; Cryptography; Un-chosen message replay attack; Man-in-the-middle attack; User authentication
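Abstract (translated from the Chinese):
Oblivious transfer is an important basic technique in cryptography. An oblivious transfer protocol involves a sender and a receiver: the sender wants to transmit secret values it holds to the receiver, and the receiver can choose which secret values it wants. However, the sender must not learn which secret value the receiver chose, and the receiver must obtain nothing other than the secret values it chose. Oblivious transfer protocols have a wide range of applications, such as private information retrieval, exchange of secret information, fair electronic contracts, and online auctions.

In many applications an oblivious transfer protocol is used repeatedly. If the initial phase of the protocol can be executed once and its initial parameters reused afterwards, the computation cost and transmission cost of generating initial parameters later are reduced. Reuse of a protocol, however, may hide security problems. Huang and Chang proposed an efficient t-out-of-n oblivious transfer protocol, but under reuse that protocol is subject to the un-chosen message attack. This thesis therefore proposes a reusable t-out-of-n oblivious transfer protocol that resists the un-chosen message attack under reuse.

In addition, in 2003 Wu, Zhang, Wang et al. also proposed a t-out-of-n oblivious transfer protocol, noting that the protocol is insecure without an authenticated channel and may well suffer a man-in-the-middle attack that breaks the privacy of the sender and the receiver. This thesis therefore proposes two oblivious transfer protocols with user authentication, namely an oblivious transfer protocol with explicit user authentication and an oblivious transfer protocol with implicit (embedded) user authentication. They add an identity authentication mechanism to the oblivious transfer protocol efficiently, achieving user authentication and preventing the man-in-the-middle attack.
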
Abstract (English):
Oblivious transfer is an important and basic technique in the field of cryptography. Basically, an oblivious transfer protocol involves two parties, Sender and Receiver. Sender has many secrets, and Receiver can freely choose one of those secrets. However, Receiver’s choice is kept secret from Sender, and Receiver learns nothing about the other secrets. Oblivious transfer protocols can be applied to private information retrieval, exchange of secrets, fair electronic contract signing, and Internet auctions.

Oblivious transfer protocols often need to be reused in many applications. If the initial phase of an oblivious transfer protocol is completed once and the initial parameters can then be used repeatedly, the computation cost and transmission cost are reduced. However, some security problems may appear because of reuse. In 2005, Huang and Chang proposed an efficient t-out-of-n oblivious transfer protocol, but this protocol suffers from the un-chosen message replay attack. This thesis proposes a reusable oblivious transfer protocol that can resist the un-chosen message replay attack.

Besides, Wu, Zhang, and Wang in 2003 proposed another t-out-of-n oblivious transfer protocol and mentioned that it cannot efficiently prevent the man-in-the-middle attack over an insecure channel. Hence, this study proposes two authenticated oblivious transfer protocols. One is an oblivious transfer protocol with explicit user authentication, and the other is an oblivious transfer protocol with implicit user authentication. Both protocols can efficiently avoid the man-in-the-middle attack.

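Table of contents:
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation and Objectives
1.3 Chapter Overview
Chapter 2 Review of Oblivious Transfer Protocols
2.1 Related Cryptographic Foundations
2.1.1 RSA Cryptosystem
2.1.2 Public Key Infrastructure
2.1.3 Message Authentication Code
2.2 Two-Lock Cryptosystem
2.2.1 Huang and Chang's t-out-of-n Oblivious Transfer Protocol
2.2.2 Wu, Zhang and Wang's t-out-of-n Oblivious Transfer Protocol
2.3 Kurosawa and Duong's Reusable 1-out-of-n Oblivious Transfer Protocol
Chapter 3 Problems of Oblivious Transfer Protocols under Reuse
3.1 Issues to Consider under Reuse
3.2 Possible Attacks
3.2.1 Un-chosen Message Replay Attack
3.2.2 Man-in-the-Middle Attack
3.2.3 Same Message Attack
3.3 Un-chosen Message Replay Attack on Huang and Chang's t-out-of-n Oblivious Transfer Protocol
3.3.1 Reusing Huang and Chang's t-out-of-n Oblivious Transfer Protocol
3.3.2 Un-chosen Message Replay Attack on the Reused Huang and Chang t-out-of-n Oblivious Transfer Protocol
3.4 Man-in-the-Middle Attack on Wu, Zhang and Chang's t-out-of-n Oblivious Transfer Protocol
Chapter 4 Reusable t-out-of-n Oblivious Transfer Protocol
4.1 Reusable t-out-of-n Oblivious Transfer Protocol
4.2 Security Analysis of the Reusable t-out-of-n Oblivious Transfer Protocol
4.3 Performance Analysis of the Reusable t-out-of-n Oblivious Transfer Protocol
Chapter 5 Oblivious Transfer Protocols with User Authentication
5.1 Oblivious Transfer Protocol with Explicit User Authentication
5.2 Security Analysis of the Oblivious Transfer Protocol with Explicit User Authentication
5.3 Oblivious Transfer Protocol with Implicit User Authentication
5.4 Security Analysis of the Oblivious Transfer Protocol with Implicit User Authentication
5.5 Comparison of the Oblivious Transfer Protocols with User Authentication
Chapter 6 Conclusion and Future Work
6.1 Conclusion
6.2 Future Work
References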
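[1]王建智, “A Study of Verifiable Oblivious Transfer” (可驗證模糊傳送之研究), Master's thesis, Graduate Institute of Information Management, 南台科技大學, ROC year 94.
[2]陳彥學, Information Security: Theory and Practice (資訊安全理論與實務), 文魁出版社, ROC year 89.
[3]賴溪松, 韓亮, 張真誠, Modern Cryptography and Its Applications (近代密碼學及其應用), 旗標出版社, ROC year 92.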
[4]B. Aiello, Y. Ishai, O. Reingold, “Priced Oblivious Transfer: How to Sell Digital Goods,” Proceedings Advances in Cryptology (Eurocrypt’01), LNCS 2045, pp. 119-135, 2001.
[5]N. Asokan, V. Niemi, and K. Nyberg, “Man-in-the-middle in tunnelled authentication protocols,” In 11th Security Protocols Workshop, 2003.
[6]F. Bao, R. Deng, P. Feng, “An Efficient and Practical Scheme for Privacy Protection in E-commerce of Digital Goods,” LNCS 2015, pp. 162-170, 2000.
[7]D. Beaver, “How to Break a ‘Secure’ Oblivious Transfer Protocol,” Advances in Cryptology – Crypto’92, LNCS 658, pp. 258-296, 1992.
[8]M. Bellare, and S. Micali, “Non-Interactive Oblivious Transfer,” In Proceedings of Advances in Cryptology – Crypto’89, LNCS 435, pp. 547-557, 1990.
[9]P. Berger, R. Peralta and T. Tedrick, “A Provably Secure Oblivious Transfer Protocol,” Advances in Cryptology – Eurocrypt’84, LNCS 209, pp. 408-416, 1985.
[10]M. Blum, “Three Applications of Oblivious Transfer: Part I: Coin flipping by telephone; Part II: How to exchange secrets; Part III: How to send certified electronic mail,” Dept. EECS, University of California, Berkeley, Calif., 1981.
[11]M. Blum, M. Rabin, “How to send certified electronic mail,” Dept. EECS, University of California, Berkeley, Calif., 1981.
[12]G. Brassard and C. Crépeau, “Oblivious Transfer and Privacy Amplification,” Proceedings Advances in Cryptology (Eurocrypt’97), pp. 334-346, 1997.
[13]Y. H. Chen, and T. Hwang, “ID-based non-interactive zero-knowledge Proof System Based on one-out-of-two Noninteractive Oblivious Transfer,” Computer Communications Vol.18, No.12, pp.993-996, 1995.
[14]B. Chor, O. Goldreich, E. Kushilevitz, M. Sudan, “Private Information Retrieval,” Journal of the ACM 45(6), pp. 965-982, 1998.
[15]C.K. Chu, W.G. Tzeng, “Efficient k-Out-of-n Oblivious Transfer Schemes with Adaptive and Non-adaptive Queries,” Proc. of 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), pp. 23-26, 2005.
[16]C. Crépeau and J. Kilian, “Achieving Oblivious Transfer Using Weakened Security Assumptions,” Proceedings of the 28th Symposium on Foundations of Computer Science (FOCS ’88), pp. 42-52, IEEE, 1988.
[17]W. Diffie, and M. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, No.6, pp. 644-654, 1976.
[18]J. Domingo-Ferrer, “Anonymous fingerprinting based on committed oblivious transfer,” PKC’99, LNCS 1560, pp.43–52, 1999.
[19]T. ElGamal, “A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. on Information Theory, Vol. IT-31, No.4, pp. 469-472, 1985.
[20]S. Even, O. Goldreich, and A. Lempel, “Randomized Protocol for Signing Contracts,” Communications of the ACM, vol.28, pp.637-647, 1985.
[21]J. Choi, G. Hanaoka, K. Rhee, and H. Imai, “How to Break COT-based Fingerprinting Schemes and Design New One,” IEICE Trans. Fundamentals, Vol.E88–A, No.10, pp.2800-2807, 2005.
[22]L. Harn, and H. Y. Lin, “Noninteractive Oblivious Transfer,” Electronics Letters, Vol.26, No.10, pp.635-636, 1990.
[23]Q. Huang, J. Cukier, H. Kobayashi, B. Liu, J. Zhang, “Fast Authenticated Key Establishment Protocols for Self-Organizing Sensor Networks,” International Conference on Wireless Sensor Networks and Applications (WSNA’03), pp. 141-150, 2003.
[24]H. Huang and C. Chang, “A New Design for Efficient t-out-of-n Oblivious Transfer Scheme,” In Proc. of the 19th International Conference on Advanced Information Networking and Applications (AINA’05), Vol. 2, pp. 499-502, 2005.
[25]K. Kurosawa and Q. Duong, “How to Design Efficient Multiple-Use 1-out-n Oblivious Transfer,” IEICE Trans. Fundamentals, Vol.E87–A, No.1, pp.141-146, 2004.
[26]N.Y. Lee and C.C. Wang, “Verifiable Oblivious Transfer Protocol,” IEICE Trans. Information and Systems, Vol.E88–D, No.12, pp.2890-2892, 2005.
[27]S. Matsuo, W. Ogata, “Matching Oblivious Transfer: How to Exchange Valuable Data,” IEICE Trans. Fundamentals, Vol.E86–A, No.1, pp.189-193, 2003.
[28]Y. Mu, J. Zhang, and V. Varadharajan, “m out of n Oblivious Transfer,” ACISP’02, LNCS 2384, pp. 395-405, 2002.
[29]M. Naor and B. Pinkas, “Computationally Secure Oblivious Transfer,” Crypto’99, 1999.
[30]M. Naor and B. Pinkas, “Oblivious Transfer and Polynomial Evaluation,” Proc. 31st ACM Symp. Theory of Computing, pp. 145-254, 1999.
[31]National Institute of Standards and Technology (NIST), “The Digital Signature Standard Proposed by NIST,” Commun. ACM, Vol. 35, No. 7, pp. 36-40, 1992.
[32]T. Pedersen, “Non-Interactive and Information-Theoretical Secure Verifiable Secret Sharing,” Proc. Advances in Cryptology (Crypto ‘91), pp. 129-140, 1991.
[33]M. Blum, M. Rabin, “How to send certified electronic mail,” Dept. EECS, University of California, Berkeley, Calif., 1981.
[34]M. Rabin, “Exchange of secrets,” Dept. of Applied Physics, Harvard University, Cambridge, Mass, 1981.
[35]R. Rivest, A. Shamir and L. Adleman. “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Vol. 21, pp. 120-126, 1978.
[36]R.L. Rivest and A. Shamir, “How to Expose an Eavesdropper,” Communications of the ACM, Vol. 27, No. 4, pp. 392-395, 1984.
[37]R. L. Rivest, “Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer,” unpublished manuscript, 1999.
[38]A. Sadeghi, “How to break a semi-anonymous fingerprinting scheme,” Information Hiding 2001, LNCS 2137, pp.384–394, 2001.
[39]W. Stallings, Cryptography and Network Security, Third Edition, Prentice Hall, pp. 324-327, 2003.
[40]P. Syverson, “A taxonomy of replay attacks,” Computer Security Foundations Workshop VII, Proceedings, pp. 187-191, 1994.
[41]W.G. Tzeng, “Efficient Oblivious Transfer Scheme,” Proceedings of 2001 International Workshop on Practice and Theory in Public-Key Cryptography (PKC’02), LNCS 2274, 2002.
[42]W.G. Tzeng, “Efficient 1-out-of-n oblivious transfer schemes with universally reusable parameters,” IEEE Trans. on Computers Vol. 53, No.2, pp.232-240, 2004.
[43]Q. Wu, J. Zhang and Y. Wang, “Practical m-out-of-n Oblivious Transfer and Its Applications,” Information and Communications Security, ICICS’03, LNCS 2836, pp. 226-237, 2003.