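§ Browse Thesis Bibliographic Record

System ID U0002-2101201416044400
DOI 10.6846/TKU.2014.00805
Thesis title (Chinese) 可保護守法簽名者的不可鏈結同時簽密法
Thesis title (English) Unlinkable Concurrent Signcryption Scheme with Innocent Signer Protection
Thesis title (third language)
University Tamkang University
Department (Chinese) 資訊工程學系資訊網路與通訊碩士班
Department (English) Master's Program in Networking and Communications, Department of Computer Science and Information En
Foreign degree: university name
Foreign degree: college name
Foreign degree: graduate institute name
Academic year 102
Semester 1
Year of publication 103
Graduate student (Chinese) 李彥賜
Graduate student (English) Yen-Shih Lee
Student ID 600420276
Degree Master's
Language English
Second language
Oral defense date 2014-01-16
Number of pages 53
Oral defense committee Advisor - 黃心嘉
Member - 顏嵩銘
Member - 黃仁俊
Member - 黃心嘉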
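Keywords (Chinese) Concurrent signatures
unlinkability
commitment
signcryption
privacy protection
confidentiality
Keywords (English) Concurrent signatures
unlinkability
commitment
signcryption
privacy protection
confidentiality
Keywords (third language)
Subject classification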
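Abstract (Chinese)
Concurrent signature schemes fall into two classes: linkable concurrent signature schemes and unlinkable concurrent signature schemes. For protecting personal privacy, unlinkable concurrent signature schemes are better than linkable ones. However, in a linkable concurrent signature scheme the link between the exchanged messages and the signature pairs is evident, so an honest signer can use it to prove his or her innocence when a signature is involved in a dispute over illegal use. By contrast, an unlinkable concurrent signature scheme has no link at all, so when a dispute arises an honest signer cannot provide link evidence to prove that his or her signature was used legally. To avoid this flaw, an unlinkable concurrent signature scheme should have designated verifier link evidence that can be used to resolve disputes afterwards, while retaining the privacy-protecting unlinkability when that evidence is provided. In addition, message confidentiality is necessary for complete privacy protection. This thesis first proposes the concept of designated verifier commitment and, based on this concept, proposes an unlinkable concurrent signcryption scheme that protects law-abiding signers. Furthermore, this thesis presents a cheating attack showing that the improved concurrent signature scheme of Zhang and Xu does not satisfy fairness: through this attack the initial signer can obtain a concurrent signature that was not agreed to, while the matching signer cannot obtain the agreed concurrent signature.
Abstract (English)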
Concurrent signature schemes can be classified into two classes: linkable concurrent signatures and unlinkable concurrent signatures. To protect transaction privacy, unlinkable concurrent signatures are better than linkable ones. However, unlinkable concurrent signatures cannot be used for innocence clarification, since there is no link between the exchanged messages and the concurrent signature pairs that can be used to prove that the concurrent signatures have legal and valid usages. To prevent this flaw, the concept of designated verifier commitment is proposed first. By adopting our designated verifier commitment, an unlinkable concurrent signcryption scheme with innocent signer protection is proposed to provide privacy protection and innocence clarification at the same time. Moreover, our scheme efficiently provides message confidentiality for complete privacy protection. In addition, a cheating attack is proposed to show that Zhang and Xu’s scheme is unfair, since the initial signer can obtain a concurrent signature on messages without the matching signer’s agreement while the matching signer cannot obtain his/her desired concurrent signature.
Abstract (third language)
Thesis table of contents
Table of Contents
Chapter 1 Introduction
1.1 Our Contribution
Chapter 2 Preliminaries
2.1 Hwang and Sung Confidential Deniable Authentication Protocol
2.2 Underlying Hard Problems
Chapter 3 Our Designated Verifier Commitment Scheme
3.1 Our Concrete Designated Verifier Commitment (DVC) Scheme
3.2 Security Proofs of Our DVC Scheme
Chapter 4 Our Unlinkable Concurrent Signcryption Scheme with Innocent Signer Protection (UCSS-ISP)
4.1 The Concrete UCSS-ISP
4.2 Security Analysis of Our UCSS-ISP
4.3 Identification and Further Research
Chapter 5 Security Flaws in Zhang and Xu Improved Concurrent Signature Scheme
5.1 Review of Zhang and Xu Scheme
5.2 Cryptanalysis of Zhang and Xu Scheme
Chapter 6 Conclusion
References
Appendix
References
[1]	L. Chen, C. Kudla, K.G. Paterson, “Concurrent Signatures,” Advances in Cryptology- EUROCRYPT 2004, LNCS 3207, Berlin Heidelberg: Springer-Verlag, 2004, pp. 287-305.
[2]	W. Susilo, Y. Mu, F. Zhang, “Perfect Concurrent Signature Schemes,” Information and Communications Security, LNCS 3269, Berlin Heidelberg: Springer-Verlag, 2004, pp. 14-26.
[3]	K. Nguyen, “Asymmetric Concurrent Signatures,” Information and Communications Security, LNCS 3783, Berlin Heidelberg: Springer-Verlag, 2005, pp. 181-193.
[4]	G. Wang, F. Bao and J. Zhou, “The Fairness of Perfect Concurrent Signatures,” The 8th International Conference on Information and Communications Security (ICICS 2006), LNCS 4307, New York: Springer-Verlag, pp. 435-451, 2006.
[5]	Y.C. Chen, “On the Research of Fair Exchange Protocols and Micropayment Schemes,” Master Thesis, National Central University, Taiwan, ROC, 2006.
[6]	Y. Mu, D. Wong, L. Chen, W. Susilo, and Q. Wu, “Concurrent Signature without a Conventional Keystone,” in Proceedings of the First International Workshop on Coding and Cryptology, 2007, pp. 196-213.
[7]	Z. Huang, R. Huang and X. Lin, “Perfect Concurrent Signature Protocol,” in Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007, pp. 467–472.
[8]	H. Z. Hwang, Concurrent Signatures: Security Notions, Analysis, and Construction Issues, Master Thesis, National Central University, Taiwan, ROC, 2008.
[9]	Y. Zhang and X. Wang, “Message Substitute Attack on Concurrent Signatures Protocol and its Improvement,” in Electronic Commerce and Security (ISECS 2008), IEEE press, 2008, pp. 497-501.
[10]	Y. Li, D. He, and X. Lu, “Accountability of Perfect Concurrent Signature,” in Computer and Electrical Engineering (ICCEE 2008), Dec. 2008, pp. 773-777.
[11]	X. Huang and L. Wang, "A Fair Concurrent Signature Scheme Based on Identity," in High Performance Computing and Applications (HPCA 2009), LNCS 5938, Berlin Heidelberg: Springer-Verlag, 2010, pp. 198-205.
[12]	Z. Huang, J. Chen, “Certificate-Based Perfect Concurrent Signatures,” in International Conference on Multimedia Information Networking and Security, 2010, pp. 526–530.
[13]	H. Jiang, Q. Xu and C. Zhang, “Convertible Perfect Concurrent Signature Protocol,” in 2010 International Conference on Computational Intelligence and Security, 2010, pp. 352–356.
[14]	W. Qin and N. R. Zhou, “New Concurrent Digital Signature Scheme Based on The Computational Diffie-Hellman Problem,” in The Journal of China Universities of Post and Telecommunications, Vol. 17, Issue 6, pp. 89-94, Dec. 2010.
[15]	S. J. Hwang and T. Y. Hsu, “A Concurrent Signature Scheme with Anonymity and Identification,” Journal of Computers, Vol. 21, No.1, April 2010.
[16]	Z. Zhang, S. Xu, “Cryptanalysis and Improvement of a Concurrent Signature Scheme Based on Identity,” in IEEE 2nd International Conference on Software Engineering and Service Science, 2011, pp. 453–456.
[17]	M. Luo, C. H. Zou, J. Hu and Y. Y. Wen, “Concurrent Signcryption Using Bilinear Pairings for E-commerce,” China Communications, Vol. 8, No. 2, pp. 1-11, 2011, [On-line] Available: http://www.chinacommunications.cn/fileup/PDF/2011-8-2-001.pdf
[18]	Y. Zhang and X. Wang, “Identity-Based Concurrent Signature Scheme With Improved Accountability,” in 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 2011, pp.514-519.
[19]	C. H. Wang and C. C. Chen, “An Efficient Model of Enhancing Fairness Level in Concurrent Signatures by Using an Off-line TTP,” in 6th Joint Workshop on Information Security (JWIS2011).
[20]	T. H. Yuen, D. S. Wong, W. Susilo and Q. Huang, “Concurrent Signature with Fully Negotiate Binding Control,” ProvSec2011, LNCS 6980, Berlin Heidelberg: Springer-Verlag, 2011, pp. 170-187.
[21]	X. Tan, Q. Huang and D. S. Wong, “Concurrent Signature without Random Oracles,” Cryptology ePrint Archive: version-20121024:052542. (http://eprint.iacr.org/2012/576)
[22]	Y. Zheng, “Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(encryption),” Advances in Cryptology — CRYPTO'97, LNCS 1294, New York: Springer-Verlag, 1997, pp. 165-179.
[23]	T.P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” Advances in Cryptology-CRYPTO' 91, LNCS576, New York; Springer-Verlag, 1992, pp. 129-140.
[24]	S. J. Hwang and Y. H. Sung, “Confidential Deniable Authentication Using Promised Signcryption,” Journal of Systems and Software, Vol. 84, pp. 1652-1659, 2011.
[25]	C. P. Schnorr, “Efficient Identification and Signatures for Smart Cards,” Advances in Cryptology—CRYPTO’ 89, LNCS 435, Berlin Heidelberg: Springer-Verlag, 1990, pp. 239-252.
[26]	D. Pointcheval and J. Stern, “Security Arguments for Digital Signatures and Blind Signatures,” Journal of Cryptography, No. 3, Vol.13, pp. 361-396, 2000.
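Full-text access rights
On campus
Printed thesis available on campus immediately
Consent to authorize on-campus access to the electronic full text
Electronic thesis available on campus immediately
Off campus
Authorization granted
Electronic thesis available off campus immediately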
