同時簽章法可以分成兩類: 可鏈結的同時簽章法與不可鏈結的同時簽章法。保護個人隱私而言,不可鏈結的同時簽章法優於可鏈結的同時簽章法。然而,在可鏈結的同時簽章法下,被交換的訊息與簽章對之間的鏈結關係是明顯的,所以誠實簽名者可以在簽章有違法爭議時,用來證明其清白;相對的,不可鏈結的同時簽章法沒有任何鏈結,所以一個誠實的簽名者無法在爭議出現時,提供鏈結證據以證明他的簽章用途是合法的。為了避免這樣的缺陷,不可鏈結的同時簽章法應該有可供事後解決爭議的指定驗證者鏈結證據,在提供指定驗證者鏈結證據時,同時保有能保護隱私的不可鏈結性。此外,為了完善的隱私保護,訊息的機密性是必須具有的。本論文首先提出一個指定驗證者擔保的概念,在指定驗證者擔保的概念下,提出一個可保護守法簽名者的不可鏈結同時簽密機制。此外,本論文提出一個欺騙攻擊,指出Zhang跟Xu兩位學者的改進同時簽章法不滿足公平性,初始簽名者可透過此攻擊讓自己拿到未經同意的同時簽章,但是對應簽名者卻拿不到約定好的同時簽章。 Concurrent signature schemes can be classified into two classes: linkable concurrent signatures and unlinkable concurrent signatures. To protect the transaction privacy, the unlinkable concurrent signatures are better than the linkable ones. However, the unlinkable concurrent signatures cannot used as innocence clarification since no link between the exchanged message and concurrent signature pairs can be used to prove their concurrent signatures have legal and valid usages. To prevent this flaw, the concept of designated verifier commitment is proposed first. By adopting our designated verifier commitment, an unlinkable concurrent signcryption scheme with innocent signer protection is proposed to provide privacy protection and innocence classification at the same time. Moreover, our scheme efficiently provides the message confidentiality for complete privacy protection. Besides, a cheating attack is proposed to show that Zhang and Xu’s scheme is unfair, since the initial signer can obtain a concurrent signature on messages without the matching signer’s agreement while the matching signer cannot obtain his/her desired concurrent signature.
