
Graduate student: 張廷瑋 (Chang, Tin-Wei)
Thesis title: Efficient Authentication Schemes Based on Group Certificate and Their Applications on Mobile Communication System
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Year of publication: 2003
Academic year of graduation: 91
Language: English
Number of pages: 54
Keywords (Chinese): digital signature, user authentication
Keywords (English): digital signature, forward security
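  • User authentication is arguably the most important application of
    cryptography in daily life. From access control for physical
    buildings to services offered over virtual networks, identifying
    legitimate users effectively and securely and limiting them to
    reasonable privileges are all applications of user authentication.
    The one that affects our lives most is user authentication in
    wireless communication. In the early years, when wireless
    communication was just starting, the security protocols for user
    authentication in the systems then in use were not rigorously
    designed, which caused considerable losses to telecommunication
    companies and users. Only in recent years, with the introduction of
    cryptographic techniques into user authentication for wireless
    communication, have users and telecommunication companies both been
    given better protection. However, as technology advances rapidly and
    wireless networks are combined with electronic commerce and various
    services, both security and practicality requirements have greatly
    increased; consequently, many researchers have proposed secure
    authentication protocols based on digital signatures for the new
    generation of wireless communication systems. Because digital
    signatures based on public-key techniques require more computation
    than symmetric cryptographic techniques, achieving higher efficiency
    is an important issue.

    In this thesis, we propose a digital signature system based on group
    certificates and apply it to the user authentication protocol of the
    new generation of wireless communication. Unlike an ordinary
    certificate, a group certificate can be used to authenticate
    documents signed with many different private keys; during
    verification, only one group certificate is needed for users of the
    same group, which greatly reduces certificate exchange and
    certificate verification. However, unlike ordinary group-oriented
    cryptosystems or identification systems, verification through a
    group certificate not only confirms whether the user belongs to the
    group but also identifies the specific user. This is a novel
    technique and is very well suited to individual and group
    identification systems.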

    User authentication is one of the most important applications of
    cryptography. For example, access management for a building and
    virtual network services both need secure and efficient user
    authentication. The most common user authentication process in our
    daily life is the authentication protocol in mobile communication
    systems. With the popularization of cellular phones, the security of
    mobile systems becomes more and more critical. In the early days,
    when the first-generation mobile system was started, the user
    authentication protocol was not carefully designed. Misappropriation
    was a very serious problem, and users and telecommunication
    companies suffered a large amount of damage. After cryptographic
    technology was applied to the authentication protocol in the
    second-generation mobile communication system, the situation
    improved. Mobile systems have now moved from the second generation
    to the third generation, and the security requirements of the
    next-generation system are very different. With the growth of the
    computing power of mobile devices, many new authentication protocols
    based on public key cryptography have been proposed recently. Since
    public key computation is expensive compared with symmetric key
    encryption, efficiency is a very important consideration.

    In this thesis, we propose a new digital signature scheme in which a
    single public key corresponds to multiple private keys. With this
    novel property, we can construct a group certificate for a group of
    users. The users in the same group hold the same certificate even
    though different users hold different secret keys; the public key is
    the same for all users in the same group. The group certificate has
    many benefits in authentication protocols, such as saving storage
    space and reducing the need to exchange certificates. Because only
    one certificate is needed for a group of users, efficiency is
    improved. However, the group certificate is unlike group-oriented
    cryptography: with our group certificate, not only the group but
    also the specific user in the group can be authenticated. We first
    propose the method and show that it is very suitable for both group
    and user authentication.

    Chapter 1 Introduction
      1.1 Introduction
      1.2 Research Motives
      1.3 Our Results
      1.4 The Overview of This Thesis
    Chapter 2 Related Work
      2.1 Asymmetric Cryptography
        2.1.1 Asymmetric Cryptosystem
        2.1.2 Digital Signatures
      2.2 Authentication Protocols on Mobile Communication Systems
        2.2.1 The Security Requirements for Mobile Communication Systems
        2.2.2 Authentication on Symmetric Cryptography
        2.2.3 Authentication on Asymmetric Cryptography
        2.2.4 Some Weakness of The Protocols
      2.3 Forward Secure Digital Signatures
    Chapter 3 Our Proposed Scheme
      3.1 Definitions
      3.2 Our Scheme Model
      3.3 Algorithms
      3.4 The Enhanced Scheme With Forward Secure Property
      3.5 The Application Example
    Chapter 4 System Analysis
      4.1 Security
      4.2 Efficiency
      4.3 Satisfying the Requirements
    Chapter 5 Conclusion and Future Work
    References


    On campus: available immediately
    Off campus: available from 2003-07-14