不可否認簽章的特性，在於簽章的驗證必須透過原簽署者的合作，才能驗證簽章的正確性，提供對簽署者的保護機制。以往學者們所提出之不可否認簽章方法為產生簽章後再將訊息與簽章傳送給驗證者，訊息並無加密功能，缺乏機密性，若採簽章後再加密的兩階段作法較不經濟，為了降低計算及通訊的成本，本論文將結合簽密法(signcryption)，此方法的特性是同時達到簽署及加密的功能，成本上較為經濟，並利用金鑰協議協定(key agreement protocol)達到完美正向安全性(perfect forward secrecy)。

The characteristic of undeniable signature is the signature that can only be verified by cooperation the signer. It can provide the signer protection mechanism. In the past, many scholars proposed the undeniable signature scheme that generates signature and then send the message and signature to the verifier. The message has imperfection because of no encryption. The traditional signature-then-encryption approach has less efficient. To reduce computational and communication cost, in this thesis, we propose an undeniable signcryption scheme that combines the ideas of the signcryption scheme. The characteristic of signcryption scheme which is combines both sign and encryption in a logical single step. It has more efficient and less computational cost. We employ the key agreement protocol to achieve “perfect forward secrecy”.

誌謝 i
中文摘要 ii
英文摘要 iii
目錄 iv
1. 緒論 1
1.1 研究背景 1
1.2 研究動機與目的 2
1.3 論文架構 3
2. 相關研究 5
2.1 不可否認簽章法 5
2.1.1 Chaum不可否認簽章法 5
2.1.2 Yun-Kim可轉換不可否認簽章法 7
2.2 簽密法 8
2.2.1 Zheng簽密法 9
2.2.2 Bao-Deng簽密法 10
2.3 金鑰協議協定 11
3. 具完美正向安全之不可否認簽密法 13
4. 安全性與效率分析 17
4.1 安全性分析 17
4.2 效率評估 20
5. 結論與未來研究方向 22
參考文獻 23

[1]Bao, F. and Deng, R.H., “A signcryption scheme with signature directly verifiable by public key,” Public Key Cryptography, PKC’98, LNCS 1431, pp. 55-59, 1998.
[2]Boyar, J., Chaum, D., Damgard, I. and Pedersen, T., “Convertible undeniable signatures”, Advances in Cryptology-CRYPTO’90 LNCS, Vol.537, pp.189-205, 1991.
[3]Chaum, D., Antwerpen, H.V., “Undeniable signature”, Advances in Cryptology - CRYPTO’89, LNCS 435, pp. 212-217, 1989.
[4]Chaum, D., “Zero-knowledge undeniable signature”, Advances in Cryptology - CRYPTO’90, LNCS 473, pp. 458-464, 1990.
[5]Chaum, D., “Designated confirmer signatures”, Advances in Cryptology - Eurocrypt’94, LNCS 750, pp. 86-91, 1994.
[6]Diffie, W., Hellman, M.E., “New directions in cryptography”, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654, 1976.
[7]Gunther, C.H., “An identity-based key-exchange protocol,” Advances in Cryptology - EUROCRYPT’89, LNCS 434, pp. 29-37, 1990.
[8]Harn, L., Yang, S., “Group oriented undeniable signature schemes without the assistance of a mutually trusted party”, Advances in Cryptology - Asiacrypt’92, LNCS 718, pp. 133-0142, 1992.
[9]Hirose, S., Yoshida S., “An authenticated Diffie-Hellman key agreement protocol”, Available at http://grouper.ieee.org/groups/1363/P1363a/contributions/adh.pdf, 1998.
[10]Jean, M. and Serge, V., “Undeniable signatures based on characters：How to sign with one bit”, Advances in Cryptology – PKC, LNCS 2947, pp. 69-85, 2004.
[11]Jung, H.Y., Lee, D.H., Lim, J.I. and Chang, K.S. “Signcryption schemes with forward secrecy”, Proceedings of the 2nd International Workshop on Information Security Applications, Vol. 2, pp.403-475, 2001.
[12]Lee, C.H., Lim, J.I. and Kim, J.S., “An efficient and secure key agreement”, Available at http://grouper.ieee.org/groups/1363/P1363a/contributions/llk.pdf, 1999.
[13]Nguyen, K., Mu, Y. and Varadharajan, V., “Undeniable confirmer signature”, Information Security-Proceedings of Second International Workshop, ISW’99, LNCS 1729, pp.235–246, 1999.
[14]Shin, J.B., Lee, K., and Shim, K., “New DSA-verifiable signcryption schemes”, Conferences of the 5th International Conference on Information Security and Cryptology, ISCS’02, ,LNCS 2587, pp. 35-47, 2002.
[15]Steven, D. and Wenbo, Mao, "Anonymity and denial of undeniable and confirmer signatures”, Available at http://www.hpl.hp.com/techreports/2001/HPL-2001-303.pdf, 2001.
[16]Taher, E., “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Transactions on Information Theory, IT-30(4):pp.469-472, 1985.
[17]Yun, S.H., and Kim, T.Y., “Convertible undeniable signature scheme”, High-Performance Computing on the Information Superhighway, HPC-Asia, pp.700-703, 1997.
[18]Zheng, Y., “Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption)”, Advances in Cryptology–CRYPTO’97 LNCS, Vol.1294 pp.165–179, 1997.