| Graduate student: | 鍾瑞婷 Chung, Jui-Ting |
|---|---|
| Thesis title: | 植基於雙線性配對之群體導向加密系統 Group-Oriented Cryptosystem Based on Bilinear Pairing |
| Advisor: | 黃宗立 Hwang, Tzonelih |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering |
| Year of publication: | 2006 |
| Academic year of graduation: | 94 |
| Language: | Chinese |
| Pages: | 66 |
| Chinese keywords: | 門檻式加密系統 (threshold cryptosystem), 一般化門檻式加密系統 (generalized threshold cryptosystem), 群體導向加密系統 (group-oriented cryptosystem) |
| Keywords: | threshold cryptosystem, generalized threshold cryptosystem, group-oriented cryptosystem |
| Usage: | Views: 69, Downloads: 1 |
Abstract (translated from the Chinese):

Encryption ensures the confidentiality and integrity of electronic documents and is an important, basic technique in the field of cryptography. Among such systems, person-to-person encryption is commonly applied in environments centred on individuals. Modern society, however, is a society of groups, and the person-to-group encryption systems that arise in this setting are called group-oriented cryptosystems. Such a system lets a sender encrypt a document for a group so that only an authorized subset of that group can cooperate to recover the plaintext, while unauthorized subsets cannot decrypt it.
The group studied in this thesis is a hybrid group that contains both homogeneous and heterogeneous members. In a group setting, the sender decides flexibly, according to the importance of the document, whether the decryptor is a single member, all members, a particular authorized subset, or every authorized subset. Previous group-oriented cryptosystems, however, mostly address only one of these cases and cannot meet the multiple requirements of a hybrid group. This thesis therefore proposes a group-oriented cryptosystem based on bilinear pairing. The proposed system not only realizes the requirements above but also requires each group member to hold only one private key, which reduces the difficulty of key management.
The thesis presents the evolution of the system in order: the initial generalized threshold cryptosystem based on bilinear pairing, the extended hybrid group-oriented cryptosystem, and finally the group-oriented cryptosystem based on bilinear pairing. The security of the proposed cryptosystems is proved in the Random Oracle Model.
Abstract (English):

Because encryption gives electronic documents the properties of privacy and integrity, it is an important and basic technique in the field of cryptography. Cryptosystems for a single user are usually applied in individual-oriented environments. A modern society, however, is a society of groups, in which cryptosystems for a group are studied and named group-oriented cryptosystems. In such a system the sender can send a document to a group, and only the authorized subsets of the group can cooperatively decrypt the ciphertext, while unauthorized subsets cannot decrypt it.
The group discussed in this thesis is a hybrid group consisting of homogeneous members and heterogeneous members at the same time. According to the importance of the document, the sender can dynamically choose the receiver to be a specific user, all users, a specific authorized subset, or all authorized subsets of the group. However, most existing group-oriented cryptosystems address only one of these situations and cannot satisfy the multiple requirements of the hybrid group. This thesis therefore proposes a group-oriented cryptosystem based on bilinear pairing. The proposed scheme not only realizes the above scenario but also lets each user keep only one private key, which eases key management.
Three schemes are introduced in this thesis: a generalized threshold cryptosystem based on bilinear pairing, a hybrid group-oriented cryptosystem, and a group-oriented cryptosystem based on bilinear pairing. The proposed cryptosystem is also proved secure in the random oracle model.