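§ Browse thesis bibliographic record

System ID U0002-1608201016102200
DOI 10.6846/TKU.2010.00425
Thesis title (Chinese) 公平交換數位文件技術之研究
Thesis title (English) The Study of Fair Document Exchange
Thesis title (third language)
University 淡江大學 (Tamkang University)
Department (Chinese) 資訊工程學系博士班
Department (English) Department of Computer Science and Information Engineering
Foreign degree: university
Foreign degree: college
Foreign degree: graduate institute
Academic year 98
Semester 2
Year of publication 99
Author (Chinese) 賴峙樺
Author (English) Chih-Hua Lai
Student ID 892190140
Degree Doctoral
Language English
Second language
Oral defense date 2010-06-21
Number of pages 90
Oral defense committee Advisor - 黃仁俊
Member - 顏嵩銘
Member - 王旭正
Member - 賴義鵬
Member - 黃心嘉
Member - 黃仁俊
Keywords (Chinese) Fair certified e-mail delivery protocol
Electronic commerce
Fair document exchange protocol
Transaction privacy
Keywords (English) Certified E-Mail Delivery Protocol
Electronic Commerce
Fair Document Exchange Protocol
Transaction Privacy
Keywords (third language)
Subject classification
Abstract (Chinese)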
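Because the Internet is so widely used, secure electronic transactions have become an increasingly important research issue, especially in the electronic commerce environment. Communication by e-mail has replaced traditional handwritten letters as a convenient service. To achieve non-repudiation of origin, people can attach their own digital signature, such as the well-known RSA digital signature, to a message. In traditional e-mail service, however, non-repudiation of receipt still depends on the willingness of the recipient. The recipient therefore bears no responsibility for the e-mail received. This dissertation proposes an efficient fair certified e-mail delivery protocol based on the RSA signature. If the recipient has indeed received the e-mail message, the proposed fair certified e-mail delivery protocol allows the sender to obtain an irrefutable receipt. When other mails are delivered to the same recipient, the proposed protocol supports a pre-computation function to improve the performance of subsequent communication. According to the evaluations of computational cost and communication overhead, the proposed fair certified e-mail delivery protocol is more efficient and more cost-effective than other related protocols.
Transaction privacy has attracted wide attention in electronic commerce. This dissertation proposes an efficient and provably secure fair document exchange protocol with transaction privacy. With the proposed protocol, any two mutually distrusting parties can fairly exchange their valuable documents without the on-line assistance of any trusted third party. In addition, a notary needs to notarize each document only once; the authorized owner can then repeatedly exchange the notarized document with different participants without disclosing the confidentiality of the document or the identities of the participants. Security and performance analyses indicate that the proposed protocol not only provides strong fairness, non-repudiation of origin, non-repudiation of receipt and message confidentiality, but also strengthens forward and backward key secrecy, transaction privacy and authorized exchange. Furthermore, the proposed fair document exchange protocol is more efficient than earlier work.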
Abstract (English)
With the widespread use of the public Internet, secure electronic transactions have become an increasingly important issue, especially in the electronic commerce (e-commerce) environment. Communication via electronic mail (e-mail) has become a convenient service that replaces the traditional handwritten letter in e-commerce. For non-repudiation of origin, people append a digital signature, such as the well-known RSA signature, to the e-mail. However, in the traditional e-mail service the evidence of receipt still relies on the willingness of the recipient. Hence, the recipient bears no responsibility for the received e-mail. This dissertation proposes an efficient RSA-based fair certified e-mail delivery protocol. The proposed fair certified e-mail delivery protocol allows the e-mail sender to obtain an irrefutable receipt if the recipient has indeed received the e-mail message. The proposed protocol supports a pre-computation function when sending other mails to the same recipient, which improves the performance of subsequent communication. According to the evaluations of computational cost and communication overhead, the proposed fair certified e-mail delivery protocol is more efficient and cost-effective than other relevant protocols.
Transaction privacy has attracted a lot of attention in e-commerce. This dissertation proposes an efficient and provably secure fair document exchange protocol with transaction privacy. With the proposed protocol, any mutually untrusting parties can fairly exchange their valuable documents without any assistance from on-line trusted third parties. Moreover, a notary notarizes each document only once. The authorized owner can then exchange the notarized document with different participants repeatedly without disclosing the confidentiality of the document or the identities of the participants. Security and performance analyses indicate that the proposed protocol not only provides strong fairness, non-repudiation of origin, non-repudiation of receipt, and message confidentiality, but also enhances forward/backward secrecy, transaction privacy and authorized exchange. In addition, the proposed fair document exchange protocol is more efficient than the other works.
Abstract (third language)
Table of contents
Chapter 1 Introduction 1
1.1 Research motivation 1
1.2 Objectives of the research 3
1.3 Organization 7
Chapter 2 Related works 8
2.1 The TTP models of fair exchange protocols 8
2.2 The classifications of fair exchange protocols 10
2.3 Cryptanalysis on Ma et al.'s CEMD protocol 15
2.3.1 Review of Ma et al.'s CEMD protocol 15
2.3.2 Weakness in Ma et al.'s CEMD protocol 20
Chapter 3 Efficient and secure protocol in certified e-mail delivery 24
3.1 Preliminaries 24
3.2 The main fair exchange phase 24
3.3 The receipt recovery phase 27
3.4 Security analysis 27
3.4.1 Replay attack 28
3.4.2 Existential forgery attack 28
3.4.3 Strong fairness 29
3.5 Discussions 30
Chapter 4 Fair document exchange protocol with transaction privacy 33
4.1 Preliminaries 33
4.2 The proposed fair document exchange protocol 34
4.2.1 The notarization phase 35
4.2.2 The fair exchange phase 37
4.2.3 The arbitration phase 41
4.3 Security analysis 43
4.3.1 Message confidentiality 43
4.3.2 Backward and forward secrecy 55
4.3.3 Transaction privacy 55
4.3.4 Non-repudiation of origin and receipt 56
4.3.5 Authorized exchanging 67
4.3.6 Strong fairness 68
4.3.7 Replay attack 69
4.4 Discussions 70
4.4.1 Functionalities comparisons 70
4.4.2 Performance evaluations 72
Chapter 5 Conclusions and future works 76
5.1 Conclusions 76
5.2 Future works 77
References 80

List of Figures
Figure 1. The main exchange phase of Ma et al.'s CEMD protocol 18
Figure 2. The receipt recovery phase of Ma et al.'s CEMD protocol 20
Figure 3. The forgery attack on Ma et al.'s CEMD protocol 23
Figure 4. The main exchange phase of the proposed CEMD protocol 26
Figure 5. The notarization phase of the proposed FDX protocol 37
Figure 6. The fair exchange phase of the proposed FDX protocol 41

List of Tables
Table 1. Performance comparisons of CEMD protocols 32
Table 2. List of notations used in FDX protocol description 34
Table 3. Functionalities comparisons of FDX protocols 72
Table 4. Computational cost of public key operations 75
Table 5. Computation cost comparisons for FDX protocols 75
Table 6. Communication cost comparisons for FDX protocols 75
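Full-text usage rights
On campus
Print thesis to be made public 5 years after submission of the authorization form
Consent granted for on-campus public access to the electronic full text
On-campus electronic thesis to be made public 5 years after submission of the authorization form
Off campus
Authorization granted
Off-campus electronic thesis to be made public 5 years after submission of the authorization form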
