在網際網路上，網路廣告的收入乃是網站的主要收入之一。一般而言，廣告商支付給網站的費用乃依據此網站的流量或瀏覽人數來計算。因此，網站可能會為了要賺取更高的廣告費用，而誇大其流量或參觀瀏覽的人數。為了達到付費的公平性，如何正確地測量網站的流量乃是非常重要的。網站計量機制就是可用來測量網站的參觀瀏覽人數並驗證測量結果正確性的一種方法。運用網站計量機制，網站伺服端可以產生其瀏覽人數或流量的證明，並且以此證明來向廣告商收取網路廣告服務的合理費用。近年來，已有許多學者利用密碼學的技術來發展網站計量機制。本論文首先介紹網站計量機制的觀念並回顧其發展，接著針對一些現有之網站計量機制做討論與安全度分析。此外，吾人更發展出兩個網站計量機制：植基於bilinear pairing之門檻式計算安全計量機制，與植基於單向雜湊函數與位元XOR運算之高效能計量機制。植基於bilinear pairing之門檻式計算安全計量機制可以建立在GDH group中。植基於單向雜湊函數與位元XOR運算之高效能計量機制則具有高效能並能夠保護客戶端的隱私性。本論文所提出的網站計量機制除了可防止網站伺服端誇大瀏覽人數的行為，同時亦能夠防止惡意的攻擊者或客戶端意圖擾亂網站伺服端的計量結果。

In the Internet, network advertisement payment is one of the major incomes of Websites. In general, the amount of advertisement fee paid from advertisers to websites depends on the number of visits. Thus, Web servers may inflate the number of visits for gaining more money. In order to achieve the billing fairness, how to correctly measure the number of visits is very important. A Web metering scheme is used to measure the number of visits for websites and verify the correctness of metering result. It allows a Web server to create a proof for the number of visits to convince an advertiser and collect reasonable advertisement fees. Recently, some metering schemes based on cryptographic techniques have been proposed. This paper will first introduce the concept of Web metering schemes and then review some existed metering schemes. Moreover, this paper will propose two Web metering schemes: a threshold computationally secure metering scheme based on the bilinear pairings, and an efficient metering scheme based on a one-way hash function and bit-XOR operation. The threshold computationally secure metering scheme can be built on any GDH Group. The efficient metering scheme based on the one-way hash function and bit-XOR operation is pretty efficient and can protect the privacy of clients. Both of the proposed Web metering schemes can against fraud attempts by dishonest Web servers to inflate the number of visits, and against fraud attempts by attackers or malicious clients to disturb the metering results.

中文摘要…………………………………………………………………1
ABSTRACT…………………………………………………………………2
目次………………………………………………………………………3
圖目錄……………………………………………………………………5
表目錄……………………………………………………………………6
第一章 緒論………………………………………………………7
1.1 研究背景…………………………………………………………7
1.2 研究動機與目的…………………………………………………8
1.3 章節概要……………………………………………v……………9
第二章 網站計量機制之簡介……………………………………10
2.1 網站計量機制與其應用…………………………………………10
2.2 網站計量機制之回顧……………………………………………11
2.2.1 秘密分享機制………………………………………………12
2.2.2 Naor-Pinkas門檻式計量機制………………………………14
2.2.3 Ogata-Kurosawa門檻式計量機制……………………………24
2.2.4 Kim-Shin-Kim計量機制………………………………………31
2.2.5 Harn-Lin計量機制……………………………………………34
第三章 網站計量機制之研究與探討……………………………38
3.1 門檻式無條件安全計量機制之安全度分析…………………38
3.1.1 Ogata-Kurosawa門檻式無條件安全計量機制之安全探討…………………………………………………………38
3.1.2 討論………………………………………………………40
3.2 植基於bilinear pairing之門檻式計算安全計量機制………41
3.2.1 bilinear pairing之基本概念…………………………42
3.2.2 系統架構…………………………………………………43
3.2.3 安全度分析………………………………………………47
3.2.4 討論………………………………………………………49
3.3 Kim-Shin-Kim計量機制之安全分析與探討…………………49
3.3.1 Kim-Shin-Kim計量機制之安全分析……………………49
3.3.2 討論………………………………………………………51
3.4 植基於單向雜湊函數及位元XOR運算之高效能計量機制…52
3.3.1 系統架構…………………………………………………52
3.3.2 安全度分析………………………………………………56
3.3.3 討論………………………………………………………58
第四章 結論及未來研究方向………………………………………59
4.1 結論………………………………………………………………59
4.2 未來研究方向…………………………………………………59
參考文獻………………………………………………………………61

[1] http://www.forrester.com/home/0,6092,1-0,FF.html.
[2] J. C. Benaloh, “Secret Sharing Homonorphisms: Keeping Shares of a Secret”, Crypto’86, pp. 251-260, 1986.
[3] S. Berkley, “How to Broadcast a Secret”, Eurocrypt’91, pp. 535-541, 1991.
[4] G.R. Blakley, “Safeguarding Cryptographic Keys”, proc. NCC, Vol. 48, pp. 313-317, 1979.
[5] C. Blundo, A. De Boins and B. Masucci, “Metering Schemes with Pricing”, Proc. of 4th Int. Symp. DIStributed Computing (DISC 2000), Vol. 1914, pp. 194-208, 2000.
[6] C. Blundo, A. De Boins, B. Masucci and D.R. Stinson, “Dynamic Multi-Threshold Metering Schemes”, Proc. of SAC 2000, Vol. 2012, pp. 130-143, 2001.
[7] C. Blundo, A. De Boins and B. Masucci, “Bounds and Constructions for Metering Schemes” Comm. Inform System, Vol. 2, No. 1, pp.1-28, 2002.
[8] C. Blundo, S. Cimato and B. Masucci, “A Note of Optimal Metering Schemes” Information Processing Letters Vol. 84, No. 6, pp.319-326, 2002.
[9] C. Blundo, S. Martin, B. Masucci and C. Padro, “New Bounds on the Communication Complexity of Metering Schemes”, Proc. of IEEE Int. Symp. Information Theory (ISIT 2002), pp. 438, 2002.
[10] C. Blundo, A De Santis, “Graph Decompositions and Secret Sharing Scheme”, Eurocrypt’92, pp. 1-20, 1992.
[11] D. Boneh and M. Franklin, “Short Signature from the Weil Pairing”, Asiacrypt’01, pp. 515-532, 2001.
[12] D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing”, Crypto’01, pp. 231-229, 2001.
[13] A. De Boins and B. Masucci, “An Information Theoretic approach to Metering Schemes”, Proc. of IEEE Int. Symp. Information Theory (ISIT 2000), pp. 49, 2000.
[14] J.C. Cha and J.H. Cheon, “An Identity-Based Signature from Gap Diffie-Hellman Groups”, PKC’03, pp.18-30, 2003.
[15] Y. Desmedt, “Society and Group Oriented Cryptography: A New Concept”, Crypto’87, pp. 120-127, 9788.
[16] Y. Desmedt and Y. Frankel, “Threshold Cryptosystem”, Crypto’89, pp. 307-315, 1990.
[17] T. ElGmal, “A Public Key Cryptosystem and Signature Scheme based on Discrete Logarithms”, IEEE Trans., Vol. IT-31, No. 4, pp. 469-472, 1985.
[18] Y. Frankel, “A Practical Protocol For Large Group Oriented Networks”, Eurocrypt’89, pp. 56-61. 1990.
[19] M.K. Franklin and D. Malkhi, “Auditable Metering with Lightweight Security”, Financial Cryptography’97, pp. 151-160, 1997.
[20] L. Harn, “Efficient Sharing (Broadcasting) of Multiple Secrets”, IEE Proceeding Computers and Digital Techniques, Vol. 142, No.3, pp. 237-240, 1995.
[21] L. Harn and H.Y. Lin, “A Non-Repudiation Metering Scheme”, IEEE Communications Letters, Vol. 5, No. 12, pp. 486-487, 2001.
[22] F. Hess, “Exponent Group Signature Schemes and Efficient Identity Based Signature Schemes Based on Pairings”, Cryptology ePrint Archive, Report 2002/012, available at http://eprint.iacr.org/2002/012.
[23] P. Horster, M. Michels and H. Petersen, “Meta-ElGamal Signature Schemes”, Proc. of 2nd ACM conference on Computer and communication security, pp. 96-107, 1994.
[24] S.S. Kim, J.Y. Shin and S.K. Kim, “Efficient Metering Scheme in the WWW”, Proc. of 2001 International Conferences on Info-tech and Info-net (ICII 2001), Vol. 5, pp. 117-121, 2001.
[25] L. Lamport, “Password Authentication with Insecure Communication”, Commun. ACM, Vol. 24, No. 11, pp. 770-772, 1981.
[26] B. Masucci and D.R. Stinson, “Metering Schemes for General Access Structures”, ESORICS 2000, LNCS, Vol. 1895, pp.612-613, 2000.
[27] B. Masucci and D.R. Stinson, “Efficient Metering Schemes with Pricing”, IEEE Trans. Inform. Theory, Vol. 47, No. 7, pp. 2835-2844, 2001.
[28] R.J. McEliece and D.V. Sarwate, “On Sharing Secrets and Reed-Solomon Codes”, Commmun. ACM, Vol. 24, No. 9, pp. 583-584, 1981.
[29] M. Naor and B. Pinkas, “Secure and Efficient Metering”, Eurocrypt’98, pp. 576-590, 1998.
[30] M. Naor and B. Pinkas, “Secure Accounting and Auditing on the Web”, Computer Networks and ISDN Systems Vol. 30, No. 1-7, pp. 541-550, 1998.
[31] J. Nechvatal, “Public Key Cryptography”, The Science of Information Integrity, Piscataway, NJ: IEEE Press, 1992.
[32] W. Ogata and K. Kurosawa, “Provably Secure Metering Scheme”, Asiacrypt’2000, pp. 388-398, 2000.
[33] K.G. Paterson, “ID-Based Signatures from Pairings on Ellitpic Curves”, Cryptology ePrint Archive, Report 2002/004, available at http://eprint.iacr.org/2002/004/.
[34] T.P. Pedersen, “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing”, Crypto’91, pp. 129-140, 1991.
[35] T. Rabin and M. Ben-Or, “Verifiable Secret Sharing and Multiparty Protocols with Bonest Majority”, Proc. of 21st ACM Symposium on Theory and Computing, pp. 73-85, 1989.
[36] R. Rivest, “The MD5 Message Digest Algorithm”, RFC1321, 1992.
[37] R. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signature and Public Key Cryptosystem”, Commun. ACM, Vol.21, No. 2, pp. 120-126, 1978.
[38] R. Sakai, K. Ohgishi and M. Kasahara. “Cryptosystems Based on Pairing”, SCIS 2000, 2000.
[39] A. Shamir, “How to Share a Secret”, Comm. ACM, Vol. 22, No. 11, pp. 612-613, 1979.
[40] A. Shamir, “Identity-Based Cryptosystem and Signature Schemes”, Crypto’84, pp. 47-53, 1984.
[41] K. Shim, “Efficient One Round Tripartite Authentication from the Weil Pairing”'', Electronics Letters, Vol. 39, No. 2, pp. 208-209, 2003.
[42] N.P. Smart, “An ID-Based Authenticated Key Agreement Protocol Based on the Weil pairing”, Electronics Letter, Vol. 39, No. 14, pp. 630-632, 2002.
[43] W. Stallings, Cryptography and Network Security-PRINCIPLES AND PRINACTICES, third edition, Prentice Hall, pp. 29, 2003.
[44] D.R. Stinson, “An Explication of Secret Sharing Scheme”, Designs, Codes, and Cryptography, Vol. 2, pp. 357-390, 1992.
[45] M. Tompa and H. Woll, “How to Share a Secret with Cheaters”, Journal of Cryptography, Vol.1, pp. 133-138, 1988.
[46] E.R. Verheul, “Self-Blindable Credential Certificates from the Weil Pairing”, Asiacrypt’2001, pp. 533-551, 2001.
[47] D. Vo, F. Zhang and K. Kim, “A New Threshold Blind Signature from Pairings”, SCIS 2003, pp. 233-238, 2003.
[48] X. Yi, “An Identity-Based Signature Scheme from the Weil Pairing”, IEEE COMMUNICATIONS LETTERS, Vol. 7, No. 2, pp. 76-78, 2003.
[49] F. Zhang, B. Lee and K. Kim, “Exploring Signatures Schemes with Subliminal Channel”, SCIS 2003, pp. 245-250, 2003.
[50] “Proposed Federal Information Processing Standard for Digital Signature Standard (DSS)”, Federal Register, Vol. 56, No. 169, pp. 42980-42982, 1991.
[51] “The Digital Signature Standard Proposed by NIST”, Commun. ACM, Vol. 35, No. 7, pp. 36-40, 1992.
[52] NIST, FIPS PUB 180-1, 1995.
[53] VISA/Master Card, “The Secure Electronic Transaction (SET) Specification,” http://www.visa.com/cgi-bin/vee/sf/set, 1996.