Graduate student: | 洪啟富 Chi-Fu Hung |
---|---|
Thesis title: | 基於身份與以隱私為主體的數位版權管理系統之研究 The Research of Identity-based and Privacy-oriented Digital Rights Management Systems |
Advisor: | 孫宏民 Hung-Min Sun |
Oral defense committee: | |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Computer Science |
Year of publication: | 2005 |
Academic year of graduation: | 93 |
Language: | English |
Number of pages: | 59 |
Keywords (Chinese): | 數位版權管理 、基於身分之數位版權管理系統 、隱私權 |
Keywords (English): | DRM, Identity-based DRM system, Privacy |
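Digital Rights Management (DRM) systems protect and manage digital content and ensure that authenticated users can correctly use the media they have purchased. DRM systems fall into two classes: device-based DRM systems and identity-based DRM systems. In a device-based DRM system, digital content may be used only on the device for which the media was purchased; therefore, even if a legitimate user owns several devices of his own, the content may not be shared among them. If the user wants to use the media on another device, he must purchase it again for that device. This does not match consumers' habits and expectations, so the concept of the identity-based DRM system was proposed. In such a system, users can use the digital content they have purchased anytime and anywhere. The first identity-based DRM system was proposed by Conrado et al., but their system has some weaknesses. In this research, the new system we propose corrects those weaknesses while retaining the good properties of the original system (for example, anonymity and mobility).
The other topic of this research is the protection of privacy. Although many DRM systems are already in wide commercial use, most of them pay no particular attention to protecting users' privacy, meaning that users' purchase information can be learned. Most current research in this area protects users' purchase information by providing anonymity, but anonymous trade makes it less convenient for merchants to manage consumer information. In addition, the effect of anonymity may be lost through other means (for example, an attacker tracing the user's IP address). In this research we therefore use Oblivious Transfer (OT) in place of anonymous trade, so that the merchant does not know which digital content the consumer requested, yet the transaction still completes correctly and the user's privacy is protected. We discuss and compare the scheme in terms of security, practicality, and performance, and propose a Privacity value to measure the weight of privacy protection.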
A Digital Rights Management (DRM) system protects and manages digital content so that only authorized users can access the media correctly. DRM systems can be divided into device-based and identity-based systems. In a device-based DRM system, digital content may be played only on a particular device, according to the license purchased. Therefore, a user who owns two or more devices and wants to play the same content on each of them must purchase two or more licenses. This runs against consumers' habits in the real world. In contrast, an identity-based DRM system meets more of consumers' expectations: a user may play digital content anywhere and anytime once he has purchased a license for the media. An identity-based DRM system was recently proposed by Conrado et al.; however, their system has some drawbacks. In this research, we improve their system to correct these drawbacks. Our proposed DRM system not only retains useful properties of their system, e.g., privacy and mobility, but also provides stronger properties, including stealing proof, secrecy, and practicability.
The other issue discussed in this research is privacy. Several DRM systems have been proposed and implemented that let users purchase digital content online without illegal spreading of the content. However, those implementations expose users' privacy by revealing what content they have purchased. Some proposals address the problem by providing anonymity to the user, but anonymous trade does not allow shopkeepers to manage users efficiently. The identities of users can also still be profiled via side channels such as routing paths or IP addresses. In this research, we propose a scheme that preserves users' privacy without relying on anonymity. Instead, we hide users' choices of content from the shopkeepers using oblivious transfer (OT). We evaluate our scheme in terms of security, performance, comparison, and implementation. We also define, for the first time, a privacy measurement called “Privacity”.
[1] R. Akalu, D. Kundur. (2004 March) "Technological protection measures in the courts." Signal Processing Magazine, IEEE, Vol. 21, Issue:2, pp. 109-117.
[2] M. Bellare and S. Micali, “Non-interactive oblivious transfer and applications,” in Proceedings of Advances in Cryptology – CRYPTO’89, Vol. 435, pp. 547–557, 1989.
[3] S.C. C. Chan, "An Overview of Smart Card Security," 1997, August. Available: http://home.hkstar.com/~alanchan/papers/smartCardSecurity/
[4] C.K. Chu and W.C. Tzeng, “Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries,” in Proceedings of International Workshop on Practice and Theory in Public-Key Cryptography (PKC’05), Lecture Notes in Computer Science 3386, pp. 172-183, 2005.
[5] J.E. Cohen, "DRM and Privacy," Communications of the ACM, Vol. 46, No. 4, April 2003, pp. 46–49.
[6] C. Conrado, F. Kamperman, C.J. Schrijen, and W. Jonker, "Privacy in an Identity-based DRM System," IEEE Proceedings of the 14th International Workshop on Database and Expert Systems Applications (DEXA’03), Prague, September 2003, pp. 389-395.
[7] C. Conrado, M. Petkovic, W. Jonker, "Privacy-Preserving Digital Rights Management," Secure Data Management, 2004, pp. 83-99.
[8] J.S. Erickson, "Fair use, DRM, and Trusted Computing," Communications of the ACM, Vol. 46, No. 4, April 2003, pp. 34-39.
[9] J.S. Erickson, D.K. Mulligan, "The technical and legal dangers of code-based fair use enforcement," Proceedings of the IEEE, Vol. 92, Issue:6, Jun. 2004, pp. 985-996.
[10] R. Grimm, P. Aichroth, “Privacy protection for signed media files: a separation-of-duty approach to the lightweight DRM (LWDRM) system,” in Proceedings of the 2004 multimedia and security workshop on Multimedia and security (MM&Sec’04), Magdeburg, Germany, pp. 93-99, September 2004.
[11] M. Hendry, Smart Card Security and Applications, 2nd edition, Boston: Artech House, 2001
[12] K. Hill, "A perspective: the role of identifiers in managing and protecting intellectual property in the digital age," Proceedings of the IEEE, Vol. 87, Issue:7, Jul. 1994, pp. 1228-1238.
[13] R. Iannella. (2001 June), "Digital Rights Management (DRM) Architectures," D-Lib Magazine, Vol.7 No.6, Available: http://www.dlib.org/dlib/june01/iannella/06iannella.html
[14] D. Kundur, C.Y. Lin, B. Macq, H. Yu, "Special Issue on Enabling Security Technologies for Digital Rights Management," Proceedings of the IEEE, Vol. 92, Issue:6, Jun. 2004, pp. 879-882.
[15] D.G. Lee, H.G. Oh, and I.Y. Lee, “A Study on Contents Distribution Using Electronic Cash System,” in Proceedings of the 2004 IEEE international Conference on e-Technology, e-Commerce and e-Service (EEE’04), pp. 333-340, March 2004.
[16] M. Lesk. (2003 May) "The good, the bad, and the ugly: what might change if we had good DRM." Security & Privacy Magazine, IEEE, Vol. 1, Issue:3, pp. 63-66.
[17] A. Mana, E. Pimentel, "An Efficient Software Protection Scheme," Proceedings of IFIP SEC, Deventer, the Netherlands, June 11, 2001.
[18] T.S. Messerges, E.A. Dabbish, "Digital Rights Management in a 3G Mobile Phone and Beyond," ACM DRM’03, Washington, DC, USA, October 27, 2003, pp. 27-38.
[19] Y. Mu, J. Zhang, and V. Varadharajan, “m out of n oblivious transfer,” in Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP’02), Vol. 2384, pp. 395–405, 2002.
[20] D.K. Mulligan, J. Han, A.J. Burstein, "How DRM-Based Content Delivery Systems Disrupt Expectations of Personal Use," ACM DRM’03, Washington, DC, USA, October 27, 2003, pp. 77-89.
[21] M. Naor and B. Pinkas, “Oblivious transfer with adaptive queries,” in Proceedings of Advances in Cryptology – CRYPTO’99, Vol. 1666, pp. 573–590, 1999.
[22] W. Ogata and K. Kurosawa, “Oblivious keyword search,” Journal of Complexity, Vol. 20, pp. 356–371, 2004.
[23] R. Oppliger, R. Rytz. (2005 March). "Does Trusted Computing Remedy Computer Security Problems?" Security & Privacy Magazine, IEEE, Vol. 3, Issue:2, pp. 16-19.
[24] R. Owens, R. Akalu, "Legal Policy and Digital Rights Management," PROCEEDINGS OF THE IEEE, vol. 92, No. 6, June 2004, pp. 997-1003.
[25] B.N. Park, J.W. Kim, and W. Lee, “PrecePt: a privacy-enhancing license management protocol for digital rights management,” in Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04), pp. 574-579, August 2004.
[26] M.O. Rabin, “How to exchange secrets by oblivious transfer,” Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981.
[27] H.M. Sun, C.F. Hung, and B.H. Ku, “An Improved Identity-Based DRM System,” to appear in Proceeding of Information Security Conference (ISC) 2005.
[28] M. Ter Maat, "The economics of e-cash," Spectrum, IEEE, Vol.34, Issue:2, Feb. 1997, pp. 68-73.
[29] M. Trimeche, F. Chebil, "Digital rights management for visual content in mobile application," First International Symposium of IEEE on Control, Communications and Signal Processing, March 21-24, 2004, pp. 95-98.
[30] J. Williams. (2001 Sept.) "IT architecture meets the real (legal) world." IT Professional, IEEE, Vol. 3, Issue:5, pp. 65-68.
[31] S.Y. Yan, Number Theory for Computing, 2nd Edition, Berlin: Springer, 2002, pp. 399-403.
[32] Apple iTunes, http://www.apple.com.tw/itunes/
[33] Electronic Media Management System (EMMS), Available: http://www.ibm.com/software/emms
[34] Electronic privacy information center (2004, March 29), "Digital Rights Management and Privacy," Available: http://www.epic.org/privacy/drm/
[35] InterTrust, Available: http://www.intertrust.com/
[36] Microsoft DRM, Available: http://www.microsoft.com/windows/windowsmedia/drm/default.aspx
[37] Microsoft Windows media, "Windows Media Player for Windows XP privacy statement," Available: http://www.microsoft.com/windows/windowsmedia/software/v8/privacy.aspx
[38] OMA DRM, http://www.openmobilealliance.org/