隨著小額商品與服務的交易的興起，小額付款法因而被提出來。因為商品與服務其價值相當地微薄，因此小額付款法的主要考量是低計算量與低通訊量。在過去提出的小額付款方法中，因成本因素而沒有提供消費者匿名功能。然而匿名功能是保護消費者的個人交易資訊隱私的必要功能。Lin與Tsou分別在2004與2005提出他們的匿名小額付款方法；然而他們的方法所提供的匿名功能各有其缺失。Lin的方法不提供匿名撤銷的功能，無法得知(惡意)消費者的真實身份，因此無法解決交易糾紛。Tsou的方法採用假名來保護消費者的真實身份，然而其假名固定不變，消費者的身份可能經由其消費習慣而被推測出。此外，Tsou的方法一旦撤銷消費者的匿名，消費者必須重新向銀行註冊，此點對消費者甚為不便。另外，Lin與Tsou的方法皆採用先付款方式。先付款方式比後付款方式較容易建立匿名功能。然而，後付款的方式對消費者較為便利，消費者可先購買商品，日後再付出貨款。
本論文提出兩個匿名小額付款方法。第一個方法為先付款，第二個方法為後付款。兩個方法所使用的匿名方式，皆基於隨機地更換智慧卡的公開金鑰觀念，因此攻擊者無法經由追蹤交易行為而推測出消費者的真實身份。我們的方法皆提供匿名撤銷的功能，一旦發生交易糾紛，存在一公正第三者來撤銷消費者的匿名。我們的匿名撤銷皆不會嚴重影響消費者的匿名性，消費者只需更換智慧卡的公開金鑰，即可再次獲得匿名功能。此外，第二個小額付款方法為後付款方式，相信可吸引更多消費者。

Micropayment schemes are proposed for purchasing goods/services with small value.  For the small value of goods/services, the low computation and communication cost is the major consideration of micropayment schemes.  For the low computational and communicational cost, the earlier proposed micropayment schemes do not take the customer’s anonymity into the consideration.  However, the anonymity is an essential function for the privacy of customers’ payment.  Lin and Tsou proposed their anonymous micropayment schemes in 2004 and 2005, respectively.  However, there are some problems in their schemes.  Lin’s scheme does not provide the revoking function of customers’ anonymity.  Without revoking (malicious) customers’ anonymity, the disputes among customers, merchants, and banks cannot be settled down.  Tsou’s scheme uses the pseudonyms to protect customers’ identities.  Using the fixed customer’s pseudonym in Tsou’s scheme, the adversaries can infer customers’ identities by tracing customers’ payments.  Besides, after revoking customer’s anonymity in Tsou’s scheme, the customer has to register a new bank account.  This is inconvenient for customers.  Both Lin’s and Tsou’s schemes are prepaid schemes that are easier to provide anonymity than the postpaid schemes.  For customers, postpaid schemes are more convenient than prepaid schemes, since customers can obtain goods/services first and pay the money later.
In this thesis, two anonymous micropayment schemes are proposed.  One is prepaid and the other is postpaid.  Both schemes are based on the concept of randomly changing the smart card’s public keys.  Therefore, the adversaries cannot trace the customer’s payments to find the customer’s identity.  Both our schemes provide the function of revoking the customer’s anonymity, the disputes are sure to be resolved.  Besides, the anonymity revocations in both schemes do not affect the customer’s anonymity.  Customers can obtain their anonymity again by only updating their smart cards’ public keys.  The second scheme is the postpaid scheme which will be more popular than the prepaid schemes.

Table of Content
Chapter 1 Introduction.................................P. 1
Chapter 2	 Related Works................................P. 4
  2.1 PayWord Scheme..................................P. 4
  2.2 Blind Signature Schemes.........................P. 5
Chapter 3	 Our Prepaid Micropayment Scheme..............P. 8
  3.1 Model of Our Prepaid Micropayment Scheme........P. 8
  3.2 Cryptographic Primitives and Notations..........P. 12
  3.3 Our Basic Scheme................................P. 13
    3.3.1 The Setup Phase.............................P. 14
    3.3.2 The Registration Phase......................P. 14
    3.3.3 The Key Updating and Commitment Phase.......P. 14
    3.3.4 The Payment Phase...........................P. 17
    3.3.5 The Deposit Phase...........................P. 18
    3.3.6 The Anonymity Revoking Phase................P. 19
  3.4 Our Advanced Scheme.............................P. 20
    3.4.1 The Key Updating and Commitment Phase.......P. 20
    3.4.2 The Payment Phase...........................P. 21
    3.4.3 The Deposit Phase...........................P. 21
  3.5 Security Analyses...............................P. 23
    3.5.1 Double Spending Prevention..................P. 23
    3.5.2 Unforgeability..............................P. 23
    3.5.3 Anonymity...................................P. 24
  3.6 Comparisons and Discussions.....................P. 25
    3.6.1 Comparisons of Security Requirements........P. 25
    3.6.2 Comparisons of Computational Performance....P. 27
Chapter 4 Our Postpaid Micropayment Scheme............P. 30
  4.1 Model of Our Postpaid Micropayment Scheme.......P. 30
  4.2 Cryptographic Primitives and Notations..........P. 33
  4.3 Our Postpaid Micropayment Scheme................P. 35
    4.3.1 The Setup Phase.............................P. 35
    4.3.2 The Registration Phase......................P. 35
    4.3.3 The Key Updating Phase......................P. 36
    4.3.4 The Commitment Phase........................P. 37
    4.3.5 The Payment Phase...........................P. 39
    4.3.6 The Deposit Phase...........................P. 40
    4.3.7 The Anonymity Revoking Phase................P. 42
  4.4 Security Analyses...............................P. 43
    4.4.1 Double Spending Prevention..................P. 43
    4.4.2 Unforgeability..............................P. 43
    4.4.3 Anonymity...................................P. 44
  4.5 Comparisons and Discussions.....................P. 45
    4.5.1 Comparisons of Security Requirements........P. 45
    4.5.2 Comparisons of Computational Performance....P. 46
Chapter 5 Conclusions.................................P. 50
References............................................P. 51

List of Tables
Table 1 Comparisons of security requirements among various anonymous
micropayment schemes. ...………….....…………………………… P. 26
Table 2 Computational Performance of Anonymous Micropayment
Schemes....…………....………….....…………………...………….. P. 28
Table 3 Security requirements comparisons among various anonymous
micropayment schemes....………….....………….....…………..….. P. 46
Table 4 Computational Performance of anonymous micropayment
schemes....…………....………….....…………………....………….. P. 49

List of Figures
Fig 1 Okamoto-Schnorr Blind Signature Scheme ...……………………. P. 5
Fig 2 Model of Our Prepaid Micropayment Scheme…………………… P. 9
Fig 3 Model of Our Postpaid Micropayment Scheme………………….. P. 31

[1]	Anand, R. Sai and Madhavan, C. E. Veni, “An Online, Transferable E-Cash Payment System,” Advance in Cryptology – INDOCRYPT 2000, LNCS, Vol. 1977, Springer-Verlag, 2000, pp. 93-103.
[2]	Bellare, M., Garay, J., Hauser, R., Herzberg, A., Krawczyk, H., Steiner, M., Tsudik, G. and Waidner, M., “iKP – A Family of Secure Electronic Payment Protocols,” Proceeding of 1st USENIX workshop on Electronic Commerce, 1995, pp. 89-106.
[3]	Brands, Stefan, “Untraceable Off-line Cash in Wallet with Observers,” Advances in Cryptology – CRYPTO ’93, LNCS, Vol. 773, Springer-Verlag, 1993, pp. 428-432.
[4]	Chan, Agnes, Frankel, Yair, and Tsiounis, Yiannis, “Easy Come – Easy Go Divisible Cash,” Advances in Cryptology – EUROCRYPT ’98, LNCS, Vol. 1403, Springer-Verlag, 1998, pp. 561-575.
[5]	Chaum, D., “Blind signatures for untraceable payments,” Advances in Cryptography - Crypto ’82, LNCS, Plenum, 1983, pp. 199-203.
[6]	Chaum, D., Fiat, A., and Naor, M. “Untraceable Electronic Cash,” Advances in Crytology – CRYPTO’88, LNCS, Vol. 403, Springer-Verlag, 1988, pp. 21-25.
[7]	Frankel, Yair, Tsiounis, Yiannis, and Yung, Moti, “Indirect Discourse Proofs: “Achieving Efficient Fair Off-Line E-Cash System,” Advances in Cryptology – ASIACRYPT ’96, LNCS, Vol. 1163, Springer-Verlag, 1996, pp. 286-300.
[8]	Glassman, S., Manasse, M. S., Abadi, M., Gauthier, P., and Sobalvarro, P., “The Millicent Protocol for Inexpensive Electronic Commerce,” World Wide Web Journal, Proceeding of 4th International World Wide Web Conference, O’Reilly, 1995, pp. 603-618.
[9]	Herberg, Amir, “Micropayment,” in Payment Technologies for E-Commerce, Kou, Weidong Ed., New York: Springer-Verlag, 1998, pp. 245-282.
[10]	Jakobossn, Markus and Yung, Moti, “Revokable and Versatile Electronic Money,” Proceeding of the 3rd ACM Conference on Computer and Communications Security, India: ACM press, 1996, pp.79-87.
[11]	Lin, S.-Y., “Design and Cryptanalysis of Micropayment Schemes,” Master Thesis, National Central University, Taiwan, R.O.C, 2004.
[12]	Manasee, M. S., “The Millicent Protocols for Electronic Commerce,” Proceeding of 1st USENIX workshop on Electronic Commerce, 1995, pp. 117-123.
[13]	MasterCard and VISA “Secure Electronic Transactions,” [Online] Available: http://www.setco.org/set.html
[14]	Mu, Yi, Nguyen, Khanh Quoc, and Varadharajan, Vijay, “A Fair Electronic Cash Scheme,” Topics in Electronic Commerce: Second International Symposium – ISEC 2001, LNCS, Vol. 2040, Springer-Verlag, 2001, pp.20-32.
[15]	Neuman, B. C. and Medvinsky, G., “NetCheque, NetCash and the Characteristic of Internet Payment Services,” presented at MIT Workshop on Internet Economics, 1995.
[16]	Pointcheval, David and Stern, Jacques, “Provably Secure Blind Signature Schemes,” Advances in Cryptology – ASIACRYPT '96, LNCS Vol. 1163, Springer-Verlag, pp. 252-265.
[17]	Rivest, R. L. and Shamir, A., “PayWord and MicroMint: Two simple micropayment schemes,” Proceeding of Security Protocols Workshop, LNCS 1189, Springer-Verlag, 1997, pp. 69-87.
[18]	Sirbu, M. and Tyger, T. J., “NetBill: An Electronic Commerce System Optimized for Network Delivered Information and Services,” Proceeding of IEEE CompCon ’95, 1995, pp. 20-25.
[19]	Stern, J. and Vaudenay, S., “SVP: a Flexible Micropayment Scheme,” Proceeding of Financial Cryptography, LNCS, Vol. 1318, Springer-Verlag, 1997, pp. 161-172.
[20]	Tsiakis, T. and Sthephanides, G. “The concept of security and trust in electronic payments,” Computers & Security, Vol. 24, Issue 1, pp. 10-15, February 2005.
[21]	Tsou, J.-H., “The Study of Electronic Payment Scheme,” Master Thesis, Tamkang University, Taiwan, R.O.C, 2005.
[22]	Yen, S.-M., “PayFair: a prepaid internet micropayment scheme ensuring customer fairness,” Computers and Digital Techniques, IEE Proceedings, Vol. 148, Issue 6, pp. 207-213, November 2001.