Research on Identity-Based and Certificateless Two-Party Authenticated Key Agreement Protocols
Abstract
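Network security is a key issue for the widespread adoption of computer network technology, and cryptographic theory and techniques provide strong assurance for secure transmission. The purpose of an authenticated key agreement (AKA) protocol is for two or more participating entities in a public network environment to authenticate each other through message exchange and to establish a secret session key shared among them for subsequent secure communication. The design and security analysis of AKA protocols is one of the core topics of cryptography and network security research and is of significant theoretical importance. Combined with specific network communication technologies, such protocols can provide security assurance for two-party or multi-party network applications and have a broad range of applications. A large body of protocol design and security analysis work over many years shows that designing a secure AKA protocol is extremely difficult. This thesis studies two-party AKA protocols based on identity-based and certificateless cryptosystems, covering security model design, attacks on existing schemes, and the design and security proofs of new schemes.
     Establishing a suitable security model based on computational complexity theory gives strong assurance of the security and efficiency of AKA protocols, and a security proof under a suitable model shows that a protocol's security is convincing. Provable security means explicitly defining the adversary's attack capabilities and building a formal security model, setting the protocol's security goals, and proving within the model that those goals are met under appropriate computational complexity assumptions. How a security model is specified directly determines the adversarial capabilities it covers and reflects how expressive the model is. With the emergence of certificateless public key cryptography and its use in AKA protocol design, security models for this setting have gradually become a research focus. This thesis analyzes and compares in detail the security models proposed in recent years with respect to adversarial capabilities, the attacks covered, matching relations, and session freshness. In particular, it studies security models for certificateless AKA protocols and proposes a security model for certificateless AKA protocols.
     AKA protocols should satisfy a number of necessary security attributes, such as known-key security, unknown key-share resilience, key-compromise impersonation resilience, forward secrecy, and resistance to leakage of session-specific secret information. Attacks of various kinds place higher demands on the security of AKA protocols. Identity-based public key cryptography and bilinear pairings have become core techniques for designing AKA schemes. The design ideas of identity-based public key encryption schemes can be borrowed to build efficient AKA protocols. Identity-based encryption schemes generally use a plaintext-blinding technique that incorporates random information, so that a legitimate decryptor can decrypt correctly after computing the random information. Constructing AKA schemes with this idea of hiding a random secret, rather than using encryption or digital signatures directly, effectively reduces the protocol's computational cost and improves its efficiency. This thesis carries out key-replication attacks, key-compromise impersonation attacks, and session-specific ephemeral secret leakage attacks against several representative identity-based AKA schemes. By analyzing these representative schemes and applying the idea above, it proposes several new schemes with markedly improved security, in both the key-escrow and the escrowless settings.
     Certificateless public key cryptography sits between traditional public key cryptography and identity-based public key cryptography, effectively combining the design ideas of the two. Designing AKA protocols on certificateless public key cryptography has additional advantages. At present very few AKA protocols are built on certificateless public key cryptography; none of the few existing schemes has a formal security proof, and analysis shows that essentially all of them have security flaws. This thesis first mounts various attacks on several existing certificateless schemes, and then constructs a series of secure and efficient two-party AKA protocols based on representative secure certificateless encryption schemes.
     The main contributions of this thesis are:
     1. By adding to the adversary the ability to query the intermediate ephemeral secret information formed from computation involving all local keys, an improved security model built on Lippold's strong security model is proposed, with further strengthened security requirements. Several representative protocol security models are also analyzed and compared in detail.
     2. New identity-based schemes with higher security are designed for the escrowless and key-escrow settings. A security proof in the standard model is given for one of the new schemes, which has key escrow and perfect forward secrecy, resolving an open scheme-design problem posed by Wang et al.
     3. Attacks are carried out against a series of certificateless schemes, and a series of new schemes is constructed from different certificateless encryption schemes. Security attribute analysis shows that they all satisfy the known security attribute requirements well. One of the schemes meets the security goals of the strongest current security model, with improved computational efficiency.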
Security is a key problem for the popularization and application of network technology, and cryptographic theory and techniques provide assurance for data transmission. An authenticated key agreement (AKA) protocol is a process whereby two or more parties exchange messages, authenticate each other and establish shared session keys for later secure communication in a public network environment. The design and security analysis of AKA protocols is one of the core elements of cryptography and network security; it is of great academic significance and, integrated with communication technologies, has broad practical application in secure network applications. However, the related research of past years shows that, because of its complexity, this is not trivial work. In this thesis, we focus on two-party identity-based and certificateless AKA protocols, ranging from the establishment of security models and attacks on some published protocols to the design of new schemes and their proofs.
     Security models based on computational complexity provide strong support for assuring the security and efficiency of AKA protocols. A security proof under a proper security model gives convincing evidence for trusting a protocol. Provable security means the following process: first, the security model is specified and the adversary's powers are described within it; then the formal security definition of the protocol's goals is stated; finally, a proof shows that the protocol meets its goals within the model under proper computational complexity assumptions. The specification of the security model has a direct bearing on the attack types it covers, so it reflects the strength of the security model. With the emergence of certificateless cryptography and certificateless AKA protocols, research on security models in the certificateless setting is becoming an important issue. In this thesis, we investigate the notions of various security models with respect to adversarial powers. In particular, a modified security model for certificateless AKA protocols is presented.
     AKA protocols should satisfy some necessary security attributes, such as known session-key secrecy, unknown key-sharing secrecy, key-compromise impersonation secrecy, forward secrecy and known session-specific information secrecy. The variety of attacks requires proposed protocols to satisfy more rigorous security requirements. Identity-based cryptography and bilinear mappings (pairings) are key techniques for designing AKA protocols. Some design ideas can be borrowed from identity-based encryption schemes to construct efficient identity-based AKA protocols. Generally, identity-based encryption schemes adopt a plaintext-blinding technique that embeds randomness; the legitimate decrypter can recover the plaintext from the ciphertext after acquiring the random elements. Constructing identity-based AKA protocols with this idea greatly reduces computational cost and improves efficiency compared with using encryption and signature schemes directly. In this thesis, several recently published identity-based AKA protocols are critically examined. They are found to exhibit vulnerabilities of varying severity, such as to the key-replicating attack, the key-compromise impersonation attack and the known session-specific information attack. Several secure and efficient AKA schemes based on encryption schemes are proposed, which can be used in key-escrow mode and in escrowless mode.
     Certificateless public key cryptography is a paradigm that lies between identity-based public key cryptography and traditional public key cryptography, and is regarded as a combination of the two. So far, few certificateless AKA protocols have been published in the literature; almost all of them lack a formal security proof and are vulnerable to some types of attack. In this thesis, several published certificateless AKA protocols are shown to be vulnerable to several types of attack; then a series of certificateless AKA protocols is proposed based on certificateless encryption schemes.
     The main contributions are summarized below:
     1. An improved security model for certificateless AKA protocols is proposed by strengthening the adversary's power to query intermediate secrets formed from all the local secret keys. In addition, the classical security models in the literature are analyzed and compared in detail.
     2. New identity-based schemes with stronger security are proposed for escrowless and key-escrow modes. A security proof in the standard model is given for one scheme with key escrow and perfect forward secrecy. This solves an open question posed by Wang et al.
     3. Different attacks are demonstrated against some published certificateless two-party AKA schemes, and a series of new schemes inspired by certificateless encryption schemes is proposed. Analysis shows that they all meet the necessary security attributes. One of them captures the security requirements of the strongest security model at present, while achieving better computational efficiency.
