
Research on Design and Security of the Fair Exchange Protocol
(Original title: 公平交换协议的设计与安全性研究)

【Author】 Sun Yanbin (孙艳宾)

【Supervisor】 Qing Sihan (卿斯汉)

【Author Information】 Beijing University of Posts and Telecommunications, Cryptography, 2011, PhD

【Abstract (Chinese)】 In the era of electronic commerce, the rapid development of the Internet has greatly improved the convenience of transactions, but it has also brought risk to online trading. Because digital products are easy to copy and the network environment is extremely complex, conducting business online has a particular feature: as soon as a transaction ends, both parties can vanish without a trace, which creates great difficulty for the accountability of the transaction and for the proper resolution of any disputes that arise afterwards. How to guarantee the security of online transactions has therefore become a practical problem in urgent need of a solution. Security here covers not only the traditional security goals required for communication over open networks, such as effectiveness, confidentiality, authentication and integrity, but also properties such as timeliness, non-repudiation and abuse-freeness; fair exchange protocols are the key to achieving these properties and have attracted growing attention from researchers at home and abroad. In recent years many researchers have proposed a number of efficient fair exchange protocols and basic building blocks for constructing two-party fair exchange protocols. These results have opened up ideas and laid the foundation for research on fair exchange protocols, but some defects remain. For example, most fair exchange protocols cannot adequately guarantee abuse-freeness for the trading parties; the building blocks for two-party fair exchange protocols cannot be used directly to design multi-party exchange protocols, whose interaction patterns are relatively complex; and most multi-party contract signing protocols are suitable only for asynchronous networks, place no upper bound on message delay, require many rounds, and are comparatively inefficient. Much work therefore remains to be done on the design of secure and efficient fair exchange protocols. The purpose of this dissertation is to study the design and security analysis of fair exchange protocols. The main content covers four aspects: building blocks for constructing fair exchange protocols, two-party fair exchange protocols, multi-party fair exchange protocols, and fair exchange protocols without TTP participation. The main innovations are as follows:

1. Regarding the building blocks of fair exchange protocols, a provably secure verifiably encrypted signature scheme is designed from an identity-based digital signature scheme. The new scheme does not use a zero-knowledge proof system to provide verifiability, and thus effectively avoids the efficiency loss caused by interactive authentication.

2. Regarding the building blocks of multi-party contract signing protocols, the verifiably encrypted signature scheme is combined with the idea of aggregate signatures to propose a provably secure aggregate verifiably encrypted signature scheme. Multiple signers can thus use an aggregate verifiably encrypted signature to combine their commitments into a single message and authenticate it with the verifier once, avoiding the need in previous schemes for the verifier to interact with each signer one by one.

3. Regarding two-party fair exchange protocols: first, a provably secure verifiably encrypted signature scheme is designed from the Cha-Cheon identity-based signature scheme and combined with an identity-based proxy verifiably encrypted signature scheme to design a novel multiplex contract signing protocol. The two exchanging parties can be any combination of original signers and proxy signers, i.e. original signer with original signer, original signer with proxy signer, and proxy signer with proxy signer. Second, a new fair exchange protocol with timeliness is designed from a key-exposure-free hash function scheme. The exchange phase of the new protocol does not use a zero-knowledge proof system, which effectively reduces communication cost and improves protocol efficiency. Finally, a security vulnerability is pointed out in the abuse-free fair exchange protocol proposed by Gao et al. in 2008; a timeliness condition is then introduced to improve that protocol, and a new abuse-free fair exchange protocol is proposed.

4. Regarding multi-party exchange protocols, a new multi-party contract signing protocol is designed that uses an unrestricted aggregate signature scheme to sign the contract and a public-key-cryptosystem-based broadcast protocol to distribute messages. The protocol does not prescribe the order in which signers send messages, sets a validity period for the certificate, and does not need to fix the number of dishonest signers in advance.

5. Regarding fair exchange protocols without TTP participation, security analysis first shows that the concurrent-signature-based fair exchange protocol proposed by Chen Guanghui et al. in 2008 does not satisfy abuse-freeness even when both participants are honest, and an improved fair exchange protocol satisfying abuse-freeness is proposed. Second, it is shown that the signcryption-based concurrent signature scheme proposed by Luo Ming et al. in 2010 is forgeable: without the signer's keystone and secret key, a receiver holding a valid ambiguous signature of the signer can recover the signcrypted message and can forge an ambiguous signature on any message in the signer's name. Consequently, the fair exchange protocol built on that signcryption concurrent signature scheme is also insecure. The concurrent signature scheme is then improved to remedy the security defect of the original scheme, so that the security of the fair exchange protocol can be effectively guaranteed.

【Abstract】 In the era of electronic commerce, the rapid development of Internet transactions has greatly improved convenience and speed, but it also brings the risk of online transactions. Online transactions and business have some special features in an extremely complex network environment: a participant can disappear without a trace at the end of the transaction, and the traceability of the transaction and the disputes that may arise after it bring further trouble. Therefore, the problem of fair exchange becomes particularly important, and how to ensure the security of online transactions has become an urgent problem that needs to be solved. Besides the requirements of effectiveness, confidentiality, authentication and integrity, e-commerce also needs to satisfy timeliness, non-repudiation, abuse-freeness etc., and the fair exchange protocol is the key to achieving these security properties. In recent years, many researchers have proposed a number of efficient fair exchange protocols and primitives for fair exchange protocols. These results laid the foundation for research on fair exchange protocols, but still have some defects. For example, most fair exchange protocols cannot guarantee abuse-freeness for an honest party; the primitives of two-party fair exchange protocols cannot be used directly to design multi-party exchange protocols; most multi-party contract signing protocols are only suitable for asynchronous networks, place no upper bound on message delay, need many rounds, and are relatively inefficient. Therefore, the design of secure and efficient fair exchange protocols still needs much further study. This dissertation mainly focuses on the design and security analysis of the fair exchange protocol. Its content includes four aspects: the design of the paradigm (building blocks) of the fair exchange protocol, the design of the two-party fair exchange protocol, the design of the multi-party fair exchange protocol and the design of the fair exchange protocol without an involved TTP. The main innovations of this dissertation are briefly summarized as follows:

1. Verifiably encrypted signature: Utilizing Shim's identity-based signature scheme, a new identity-based verifiably encrypted signature scheme is proposed. As a building block of the fair exchange protocol, this approach does not use any zero-knowledge proofs to provide verifiability, so it avoids most of the costly computation.

2. To construct the multi-party fair exchange protocol (multi-party contract signing protocol), a new concept, the aggregate verifiably encrypted signature (AVES) scheme, is proposed by combining aggregate signatures with the new verifiably encrypted signature scheme. As a building block of the multi-party fair exchange protocol, it lets many signers aggregate their verifiably encrypted signatures into one commitment message. Thus the verifier need not interact with each signer separately for certification; a single interaction suffices.

3. Two-party fair exchange protocol: Firstly, utilizing the Cha-Cheon identity-based signature scheme, a new provably secure identity-based verifiably encrypted signature scheme is proposed. Then, combining the proposed scheme with an identity-based proxy verifiably encrypted signature scheme, a novel multiplex contract signing protocol is proposed. The original signer or proxy signer uses a verifiably encrypted signature or a proxy verifiably encrypted signature to realize the interaction and certification of the commitment message during the information exchange. The users can be any combination of original signer and proxy signer: original signer with original signer, original signer with proxy signer, and proxy signer with proxy signer. Secondly, based on a key-exposure-free chameleon hashing scheme, a new optimistic fair exchange protocol with timeliness is proposed. The new scheme does not require interactive zero-knowledge proofs in the exchange phase, and both parties can contact the trusted third party and settle the dispute before the deadline. Finally, security analysis shows that an existing abuse-free optimistic fair exchange protocol cannot satisfy the requirement of fairness; such weaknesses may lead to an unfair situation for the honest party. To overcome these weaknesses, a new secure abuse-free optimistic fair exchange protocol is proposed, in which both parties can contact the trusted third party and settle the dispute before the deadline.

4. Multi-party fair exchange protocol: Utilizing an unrestricted aggregate signature scheme and a public-key-cryptosystem-based broadcast protocol, a new multi-party contract signing protocol (MCSP) is proposed. The MCSP employs the public-key-cryptosystem-based broadcast protocol (PCBP) to distribute the signers' messages and the unrestricted aggregate signature scheme to sign the contract among the signers. The scheme does not require an order for sending messages or determining the number of dishonest signers in advance, and it sets a validity period for the certificate.

5. Fair exchange protocol without an involved TTP: Analysis shows that the perfect concurrent signature (CS)-based fair exchange protocol does not satisfy abuse-freeness even if both parties are honest: before the secret information (keystone) is released, anyone can identify the real signer once the two parties have exchanged their two ambiguous signatures and the related data items. An improved perfect concurrent signature-based fair exchange protocol is then presented, which overcomes the flaw of the previous scheme and realizes abuse-freeness. Further security analysis breaks an existing signcryption-based concurrent signature: if the receiver has a valid ambiguous signature of the signer, then without the signer's keystone and secret key he can obtain the signer's message and easily forge an ambiguous signature on an arbitrary message on behalf of the signer, so the fair exchange protocol built on it is insecure. An improved signcryption-based concurrent signature is then presented which overcomes the flaw of the previous scheme and ensures the security of the fair exchange protocol.
