详细信息    本馆镜像全文|  推荐本文 |  |   获取CNKI官网全文
     XTR是由Lenstra和Verheul在Crypto 2000提出的一种新型公钥密码体制。它使用了GF(p~2)上的迹来表示GF(p~6)~*中阶为p~2-p+1的子群的元素,从而使得数据量降低到原来的1/3,而且相应的运算速度也比传统表示方法快。从安全角度来看,XTR是一种传统的基于子群离散对数问题的密码体系,即其安全性依赖于求有限域乘法群中离散对数的困难性。XTR体制已经成为近年来研究的热点,并被逐渐推广到密码体制的各种应用环境中。
With the rapid development and extensive applications of computer and communication technologies,our society goes into an information time.The establishment of information system has gradually become an essential foundation for nearly all fields of our society.As there exists confidential information in any organizations,the security problem about this information has become the common focus of both academia and enterprises.
     Since the invention of the concept of public key cryptography(PKC),PKC has been developed for about thirty years.Many excellent public key cryptosystems have been proposed and improved.But,the most popular public key cryptosystems are still RSA scheme and EIGamal scheme.Moreover,elliptic public key scheme has always been focused just because of its high efficiency.However,the present public key cryptosystems have some defects in computation,storing,convenient practicability and so on,which results in more restrictive applications.
     In recent years people is concerned about the study of systems that have the algebraic structures which use the extension finite fields.These systems can provide high compression data transmission,compact implementation process and performance improvement.
     XTR stands for "ECSTR",which is an abbreviation for Efficient and Compact Subgroup Trace Representation.The XTR public key system is a new cryptosystem proposed by Lenstra and Verheul in Crypto 2000.It uses the trace over GF(p~2) to represent elements of the order p~2-p+1 subgroup of GF(p~6)~*,thereby achieving a factor 3 size reduction.Also,the resulting calculations are appreciably faster than using the standard representation.
     Under the same application systems and similar secure conditions,it can be known from theoretical analysis that XTR can greatly increase the speed,and reduce the key sizes,data storage,computation and communication overhead compared with EIGamal and RSA public key cryptosystems.The method which uses trace function to represent elements of multiplicative group can completely take the place of the traditional representation of elements of subgroup.It can be applied to any cryptosystems based on discrete logarithm problem and raise to more excellent qualities without compromising security.
     From a security point of view,XTR is a traditional discrete logarithm system:for its security it relies on the difficulty of solving discrete logarithm related problems in the multiplicative group of a finite field.Thus,XTR is not based on any new primitive or new allegedly hard problem,on the contrary,it is based on the primitive underlying the very first public key cryptosystem,the Diffie-Hellman key agreement protocol.
     By using the analysis of theoretical foundation and protocol,we can deduce that the advantages of XTR compared with the popular public key cryptosystems nowadays are:
     ⅰ.Its very fast parameters and keys selection.
     Key selection for XTR is very fast compared to RSA,and orders of magnitude easier and faster than for ECC.This performance makes it easily feasible for all users of XTR to have public keys that are not shared with others,unlike ECC where a large part of the public key is often shared between all users of the system.
     ⅱ.Small key sizes.
     XTR keys are much smaller than RSA keys of comparable security.ECC keys allow a smaller representation than XTR keys,but in many circumstances(e.g. storage) ECC and XTR key sizes are comparable.
     ⅲ.Fast calculation speed.
     Full exponentiation in XTR is faster than full scalar multiplication in ECC over a 170-bit prime field,and thus substantially faster than full exponentiation in either RSA or traditional subgroup discrete logarithm systems of equivalent security.
     ⅳ.Its very easy programmability.
     ⅴ.Also,compared to ECC,the mathematics underlying XTR is straightforward, thus avoiding two common ECC-pitfalls:ascertaining that unfortunate parameter choices are avoided that happen to render the system less secure,and keeping abreast of,and incorporating additional checks published in,newly obtained results.
     As a result,XTR may be regarded as the best of three worlds,RSA,EIGamal,and ECC.It is an excellent alternative to either RSA,EIGamal,or ECC in applications such as SSL/TLS(Secure Sockets Layer/Transport Layer Security),public key smart cards,WAP/WTLS(Wireless Application Protocol/Wireless Transport Layer Security), IPSEC/IKE(Internet Protocol Security/Internet Key Exchange),and SET(Secure Electronic Transaction).
     In 2000,Lenstra and Verheul further proposed XTR key recovery algorithm,which leads to a factor 3 data transmission.However,this key recovery algorithm is restricted by some conditions.The most important condition among them is the "smallest" restriction. These conditions are very critical in practice,but they are neglected in almost all application protocols.If there are not rigorous assumptions and fully consideration about the details of the implementation of algorithm,the parameter corresponding problem may arise in future.This problem may lead to difficulties in the XTR compliant protocols, such as blind signature schemes and message recovery signature schemes.XTR system can be used into many cryptoschemes and digital signatures,but so far it is still not considered in provable security cryptosystems.
     For these problems,this paper mainly studies:
     ◆We introduce additional two-bit strings to resolve the "smallest" question in XTR key recovery algorithm,fully consider the other restrictive conditions in this algorithm and use the accelerate XTR algorithms to give the improved XTR-Blind-Nyberg-Rueppel and XTR-Blind-Schnorr signature schemes which are presented by Chen Xiao-feng,Gao Hu-ming and Wang Yu-ming,the full version of the XTR-Nyberg-Rueppel message recovery signature scheme proposed by Lenstra and Verheul.The improved schemes are more efficient than the original signature schemes both in communication and computation without compromising security.
     ◆Nowadays the most efficient adaptive chosen-ciphertext secure cryptosystem in the standard model is the one due to Kurosawa and Desmedt.We proposes an XTR version of the Kurosawa-Desmedt scheme.Our scheme is secure against adaptive chosen-ciphertext attack under the XTR version of the Decisional Diffie-Hellman assumption in the standard model.Comparing the efficiency between the proposed XTR-Kurosawa-Desmedt cryptoscheme and the Kurosawa-Desmedt scheme,we find that the proposed scheme is more efficient than the Kurosawa-Desmedt scheme both in communication and computation without compromising security.
     In order to resolve the parameter corresponding problem in XTR system,as well as to improve the computation efficiency,Wang Zehui et al.proposed a new public key cryptosystem so called XTR~+ based on the effective and compact subgroup trace representation in 2007.The XTR~+ public key system achieves GF(p~8) security using GF(p~4) arithmetic,so that the data storage is a half reduced.It was based on 4-th order LFSR sequence.But the fast pivotal algorithms were done by a 2nd order iteration based on the fast computation of the nth power of a 2×2 matrix.In addition,XTR+ is constructed as a cryptosystem of provable IND-CCA2 security and can be used for the strongly provable secure digital signature schemes,blind signature protocols and zeroknowledge proof protocols.Due to its optimization over the parameters,the expansion rate of these complicated protocols in XTR~+ is largely decreased.
     For the XTR~+ public key system,this paper studies:
     ◆Motivated by the work in XTR studied by Lenstra and Verheul et al.,we describe matrix-free pivotal algorithms in XTR~+ public key system.These new algorithms obviously improve the computation efficiency.
     The algorithm for selected term of the extended Euclidean sequence which is still used nowadays has played a very important role in the study of early algorithms and procedural process.It is of great significance for the research fields in computer algebra, number theory and cryptology.Therefore,the study of the algorithm for selected term of the extended Euclidean sequence is of great importance in research and development of these fields.
     For the algorithm for selected term of the extended Euclidean sequence,this paper respectively studies:
     ◆The reduced sum of two divisors is one of the fundamental operations in many problems and applications related to hyperelliptic curves.M.J.Jacobson,Jr et al presented a new algorithm for this operation in terms of continued fraction expansions on the three different possible models of a hyperelliptic curve:imaginary, real,and unusual.This algorithm relies on the Algorithm for Selected Term of the Polynomial Extended Euclidean Sequence(ASTPEES),and requires O(g~2) field operations,where g denotes the genus of the curve.We accelerate the ASTPEES algorithm by applying Half-GCD algorithm.Consequently, the algorithm for computing the reduced sum of two divisors of an arbitrary hyperelliptic curve is accelerated from quadratic to nearly linear time.
     ◆The common approach to the solution of the problems of modular and numerical rational number reconstruction which are two customary approach in computer algebra is by applying the Algorithm for Selected Term of the Integer Extended Euclidean Sequence(ASTIEES).Wang and Pan proposed an ASTIEES algorithm. The algorithm only spent nearly linear time,matching the known complexity bound for the integer gcd.We analyze the ASTIEES algorithm,then point out the bugs which are not considered comprehensively,and finally modify the ASTIEES algorithm.
[1]ADLEMAN L M.A subexponential algorithm for the discrete logarithm problem with applications to cryptography[C].Proceedings of the IEEE 20th Annual Symposium on Foundations of Computer Science,1979:55-60.
    [2]ABE M,GENNARO R,KUROSAWA K,et al.Tag-KEM/DEM:a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM[C].R.Cramer,Ed.Proceedings of Advances in Cryptology-EUROCRYPT 2005:24th International Conference on the Theory and Application of Cryptographic Techniques,LNCS 1976.Aarhus,Denmark:May 2005:128-146.
    [3]ADLEMAN L M,HUANG M A.Function field sieve method for discrete logarithms over finite fields[J].Information and Computation,1999,151(1-2):5-16.
    [4]AHO A V,HOPCROFT J E,ULLMAN J D.The design and analysis of computer algorithms [M].Massachussetts,USA:Addison-Wesley,Reading,1974.
    [5]ASOKAN N,SHOUP V,WAIDNER M.Optimistic Fair Exchange of Digital Signatures[J].IEEE Journal on Selected Areas in Communications,2000,18(4):593-610.
    [6]ATENIESE G,TSUDIK G.Some open issues and directions in group signature[C].In Financial Crypto'99,LNCS 1648.London,UK:Springer-Verlag,1999:196-211.
    [7]BELLARE M,CANETTI R,KRAWCZYK H.A modular approach to the design and analysis of authentication and key exchange protocols[C].The 30th Annual ACM Symposium on Theory of Computing.New York:ACM,1998:419-428.
    [8]BELLARE M,DESAI A,POINTCHEVAL D,et al.Relations Among Notions of Security for Public Key Encryption Schemes[C].Advances in Cryptology CRYPTO'98.Berlin:Springer-Verlag,1998:26-45.
    [9]BIEHL I,MEYER B,M(U|¨)LLER V.Differential fault attacks on elliptic curve cryptosystems [C].Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology,LNCS 1880.London,UK:Springer-Verlag,2000:131-146.
    [10]BELLARE M,POINTCHEVAL D,ROGAWAY P.Authenticated key exchange secure against dictionary attacks[C].B.Preneel,ed.Advances in Cryptology-Eurocrypt'00,LNCS 1807.Berlin:Springer-Verlag,2000:139-155.
    [11]BROUWER A E,PELLIKAAN R,VERHEUL E R.Doing more with fewer bits[C].Proceedings of Asiacrypt'99,LNCS 1716.Berlin:Springer-Verlag,1999:321-332.
    [12]BELLARE M,ROGAWAY P.Entity authentication and key distribution[C].Advances in Cryptology CRYPTO'93.Berlin:Springer-Verlag,1994:232-249.
    [13]BELLARE M,ROGAWAY P.Optimal asymmetric encryption[C].In Advances in Cryptology-Eurocrypt'94.Berlin:Springer-Verlag,1994:92-111.
    [14]BACH E,SHALLIT J.Algorithmic number theory[M].Cambridge,MA,USA:The MIT Press,1996.
    [15]BLAKE I F,SEROUSSI G,SMART N P.Elliptic curves in cryptography[M].Cambridge:University Press,1999.
    [16]CHAUM D.Blind signature for untraceable payments[C].Proc.Crypto'82.New York:Plenum Press,1983:199-203.
    [17]CHAUM D.Blind signatures systemiC].CRYPTO'83.New York:Plenum Press,1983:153-158.
    [18]COHEN H.A course in computational algebraic number theory[M].GTM 138,New York:Springer-Verlag,1993.
    [20]CANETTI R.Universally Composable security:a new paradigm for cryptographic protocols [C].the 42nd IEEE Symposium on Foundations of Computer Science.Washington:IEEE,2001:136-145.
    [22]CHAUM D,HEYST E V.Group signatures[C].Advances in Cryptology-Eurocrypto'91,LNCS 547.Berlin:Springer-Verlag,1991:257-265.
    [23]CHIEN H Y,JAN J K,TSENG Y M.RSA-based partially blind signature with low computation[C].IEEE 8th International Conference on Parallel and Distributed Systems.Kyongju:Institute of Electrical and Electronics Engineers Computer Society,2001:385-389.
    [24]CANETTI R,KRAWCZYK H.Analysis of key-exchange protocols and their use for building secure channels[C].Advances in Cryptology EUROCRYPT 2001.Berlin:Springer-Verlag,2001:453-474.
    [25]COHEN H,LENSTRA A K.Implementation of a new primality test[J].Math.Comp.,1987,48:103-121.
    [26]COHEN H,MIYAJI A,ONO T.Efficient elliptic curve exponentiation using mixed coordinates [C].Proceedings Asiacrypt'98,LNCS 1514.Berlin:Springer-Verlag,1998:51-65.
    [27]CAMENISCH J L,PIVETEAU J M,STADLER M A.Blind signature based on discrete logarithm problem[C].Eurocrypt'94,LNCS 950.Perugia,Italy:Springer-Verlag,1994:428-432.
    [28]CAMENISH J,STADLER M.Efficient group signature schemes for large groups[C].Advances in Cryptology-CRPTO'97,LNCS 1294.Berlin:Springer-Verlag,1997:410-424.
    [29]CRAMMER R,SHOUP V.A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack[C].H.Krawczyk ed.Advances in Cryptology-Proceedings of CRYPTO'98,LNCS 1462.Santa Barbara:Springer-Verlag,1998:13-25.
    [30]CRAMMER R,SHOUP V.Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack[J].SIAM Journal of Computing,2003,33(1):167-226.
    [33]DIXON J D.Exact solution of linear equations using p-adic expansions[J].Numer.Math.,1982,40:137-141.
    [34]DOLEV D,DWORK C,NAOR M.Non-malleable cryptography[C].In Proceedings of the 23rd Annual ACM Symposium on Theory of Computing.New York,USA:ACM,May 1991:542-552.
    [35]DIFFIE W,HELLMAN M E.New directions in cryptography[J].IEEE Transactions on Information Theory,1976,IT-22(6):644-654.
    [37]EIGAMAL T.A Public Key cryptosystem and a signature scheme based on discrete logarithms[J].IEEE Transactions on Information Theory,1985,31:469-472.
    [38]FAN C I,CHEN W K,YEH Y S.Randomization enhanced Chaum's blind signature scheme[J].Computer Communications,2000,23(13):1677-1680.
    [39]FAN C I,LEI C L.Efficient blind signature scheme based on quadratic residues[J].IEEE Electronic Letters,1996,32(9):811-813.
    [40]FAN C I,LEI C L.User efficient blind signatures[J].IEEE Electronics Letters,1998,34(6):544-546.
    [41]FAN C I,LEI C L.Low-computation Partially blind signatures for electronic cash[J].IEICE Transactions on Fundamentals,1998,81(5):818-824.
    [42]FUJISAKI E,OKAMOTO T.How to enhance the security of public-key encryption at minimum cost[J].IEICE Transaction of Fundamentals of Electronic Communications and Computer Science,2000,E83-A:24-32.
    [44]Girault M.Self-certified public keys[C].Proc.Advances in Cryptology-EUROCRYPT'91,LNCS 547.Berlin:Springer-Verlag,1991:491-497.
    [45]GORDON D M.Discrete logarithms in GF(p) using the number field sieve[J].In SIAM J.of Disc.Math.,1993,6:124-138.
    [47]VON ZUR GATHEN J,GERHARD J.Modern computer algebra[M].Cambridge,UK:Cambridge University Press,1999.
    [48]GONG G,HARN L.Public key cryptosystems based on cubic finite field extensions[J].IEEE Trans.Inf.Theory,1999,45(7):2601-2605.
    [49]GAUDRY P,HESS F,SMART N P.Constructive and destructive facets of weft descent on elliptic curves[J].In J.of Cryptology,2002,15(1):19-46.
    [50]GALLANT R P,LAMBERT R J,VANSTONE S A.Faster point multiplication on elliptic curves with efficient endomorphisms[C].Proceedings Crypto 2001,LNCS 2139.London,UK:Springer-Verlag,2001:190-200.
    [51]GOLAWASSER S,MICALI S.Probabilistic encryption[J].Journal of Computer and System Sciences,1984,28:270-299.
    [52]HUA L K.Introduction to Number Theory[M].Berlin:Springer-Verlag,1982.
    [53]HWANG S J,CHANG C C,YANG W P.Authenticated encryption schemes With message linkages[J].Information Processing Letters,1996,58:189-194.
    [54]HARN L,KIELSER T.New scheme for digital multi-signature[J].Electronic Letters,1989,25(15):1002-1003.
    [55]HORSTER P,MICHELS M,PETERSEN H.Authenticated encryption schemes with low communication costs[J].Electronics Letters,1994,30(15):1230-1231.
    [56]HARDY G H,WRIGHT E M.An introduction to the theory of numbers[M].Oxford,UK:Clarendon Press,1960.
    [57]JUNGNICKEL D.Finite fields:structure and arithmetics[M].Mannheim:Bibliographisches Institute Wissenschaftsverlag,1993
    [58]JOUX A,LERCIER R.The function field sieve is quite special[C].In Algorithmic Number Theory Symposium-ANTS-V,LNCS 2369.London,UK:Springer-Verlag,2002:431-445.
    [59]JACOBSON JR M J,MENEZES A J,STEIN A.Hyperelliptic curves and cryptography [C].In High Primes and Misdemeanors:lectures in honor of the 60th birthday of Hugh Cowie Williams,Fields Institute Communications Series,41.American Mathematical Society,2004:255-282.
    [60]JACOBSON JR M J,SCHEIDLER R,STEIN A.Fast arithmetic on hyperelliptic curves via continued fraction expansions[C].T.Shaska,W.C.Huffman,D.Joyner,and V.Ustimenko,eds.Advances in Coding Theory and Cryptography,Series on Coding Theory and Cryptology,3.World Scientific Publishing,2007:201-244.
    [61]KOBLITZ N.Elliptic curve cryptosystems[J].Mathematics of Computation,1987,48:203-209.
    [62]KOBLITZ N.Hyperelliptic cryptosystems[J].In J.of Cryptology,1989,1:139-150.
    [63]KRAVITZ D W.Digital signature algorithm:U.S.,5231668[P].27 Jul 1993.
    [64]KOBLITZ N.An elliptic curve implementation of the finite field digital signature algorithm [C].Proceedings of Crypto'98,LNCS 1462.Berlin:Springer-Verlag,1998:327-337.
    [65]KNUTH D E.The art of computer programming,Volume 2,Seminumerical Algorithms [M].third edition.Addison-Wesley,1998.
    [66]KUROSAWA K,DESMEDT Y.A new paradigm of hybrid encryption scheme[C].M.Franklin ed.Proceedings of Advances in Cryptolog-y-CRYPTO 2004:24th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2004 LNCS 3152.Berlin:Springer-Verlag,2004:426-442.
    [67]KIM S,PARK S,WON D.Proxy signatures:revisited[C].Proceedings of the First International Conference on Information and Communication Security,LNCS 1334.Berlin:Springer-Verlag,1997:223-232.
    [68]LEHMER D H.An extended theory of Lucas's functions[J].Ann.of Math.,1930,31:419-448.
    [69]LENSTRA A K.Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields[C].Proceedings of ACISP'97,LNCS 1270.London,UK:Springer-Verlag,1997:127-138.
    [70]LEE W B,CHANG C Y.Efficient proxy-protected proxy signature scheme based on discrete logarithm[C].Proceedings of 1Oth Conference on information security.Hualien,Taiwan,ROC,2000:4-7.
    [72]LEE W B,CHANG C C.Authenticated encryption schemes with linkage between message blocks[J].Information Processing Letters,1997,63:247-250.
    [73]LIN W D,JAN J K.A security Personal learning tools using a proxy blind signature scheme[C].Proceedings of International Conference on Chinese Language Computing.USA:Chinese Language Computer Society Knowledge Systems Institute,2000:273-277.
    [75]LIDL R,MULLER W B.Permutation polynomials in RSA-cryptosystems[C].Proceedings of Crypto'83.New York:Plenum Press,1984:293-301.
    [76]LENSTRA A K,VERHEUL E R.The XTR public key systemiC].M.Bellare ed.Proceedings of Advances in Cryptology-CRYPTO 2000:20th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2000,LNCS 1880.Berlin:Springer-Verlag,2000:1-19.
    [77]LENSTRA A K,VERHEUL E R.Key improvements to XTR[C].T.Okamoto ed.Proceedings of Advances in Cryptology-ASIACRYPT 2000:6th International Conference on the Theory and Application of Cryptology and Information Security,Kyoto,Japan,December 2000,LNCS 1976.Berlin:Springer-Verlag,2000:220-233.
    [78]LENSTRA A K,VERHEUL E R.An overview of the XTR public key systemiC].Proceedings of the Conference on Public Key Cryptography and Computational Number Theory,Warsaw,2000.Berlin:Walter de Gruyter,2001:151-180.
    [79]LENSTRA A K,VERHEUL E R.Fast irreducibility and subgroup membership testing in XTR[C].K.Kim ed.Proceedings of Public Key Cryptography:4th International Workshop on Practice and Theory in Public Key Cryptosystems,Cheju Island,Korea,February 2001,PKC 2001,LNCS 1992.Berlin:Springer-Verlag,2001:73-86.
    [81]MOENCK R T.Fast computation of GCDs[C].In STOC'73:Proceedings of the Fifth Annual ACM Symposium on Theory of Computing.New York:ACM Press,1973:142-151.
    [82]MONTGOMERY P L.Modular multiplication without trial division[J].Mathematics of Computation,1985,44(170):519-521.
    [83]MILLER V S.Use of elliptic curves in cryptography[C].H.C.Williams,ed.Advances in Cryptology-CRYPTO'85,LNCS 218.Berlin:Springer-Verlag,1986:417-426.
    [84]MCCURLEY K S.The discrete logarithm problem[C].C.Pomerance,ed.Cryptology and Computational Number Theory,volume 42 of Proceedings of Symposia in Applied Mathematics.American Mathematical Society,1990:49-74.
    [85]MONTGOMERY P L.Evaluating recurrences of form X_(m+n)=f(X_m,X_n,X_(m-n)) via lucas chains[OL].January 1992.ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz.
    [86]MENEZES A.Elliptic curve public key cryptosystems[M].Boston,MA:Kluwer,1993.
    [87]MAO W.王继林,伍前红等译.现代密码学理论与实践[M].北京:电子工业出版社,2004.
    [88]MOENCK R T,CARTER J H.Approximate algorithms to derive exact solutions to systems of linear equations[C].In Proceedings of EUROSAM,LNCS 72.Berlin:Springer-Verlag,1979:63-73.
    [89]MENEZES A,OKAMOTO T,VANSTONE S A.Reducing elhptic curve logarithms to a finite field[J].IEEE Trans.Inform.Theory,1993,39:1639-1646.
    [90]MENEZES A,VANSTONE S A.ECSTR(XTR):elliptic curve singular trace representation [C].Rump Session of Crypto 2000.California,USA,2000.
    [91]NICHOLSON W K.Introduction to abstract algebra[M].Boston:PWS-Kent Publishing Company,1993.
    [92]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithmiC].Advances in Cryptology-Eurocrypt'94,LNCS 950.Berlin:Springer-Verlag,1995:182-193.
    [93]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithm[J].Designs,Codes and Cryptography.1996,7:61-81.
    [94]NAOR M,YUNG M.Public-key cryptosystems provably secure against chosen ciphertext attacks[C].In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing,Baltimore,Maryland,United States,May 1990.New York,USA:ACM,1990:427-437.
    [95]OKAMOTO T.Provably secure and practical identification schemes and corresponding signature schemes[C].Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology,LNCS 740.London,UK:Springer-Verlag,1992:31-53.
    [96]VAN OORSCHOT P C,WIENER M J.On Diffie-Hellman key agreement with short exponents[C].Proceedings of Eurocrypt'96,LNCS 1070.Berlin:Springer-Verlag,1996:332-343.
    [97]POLLARD J M.A Monte Carlo method for factorization[J].BIT,1975,15:331-334.
    [98]POLLARD J M.Factoring with cubic integers[C].A.K.Lenstra,H.W.Lenstra Jr.,eds.The Development of the Number Field Sieve,volume 1554 of Lecture Notes in Mathematics.New York:Springer-Verlag,1993:4-10.
    [99]PAN V Y.Can we optimize Toeplitz/Hankel computations?[C].V.G.Ganzha,E.W.Mayr,E.V.Vorozhzov,eds.In Proceedings of the Fifth International Workshop on Computer Algebra in Scientific Computing(CASC 2002,Yalta,Ukraine).Muenchen,Germany:Technische Univ.,2002:253-264.
    [100]POHLIG S C,HELLMAN M E.An improved algorithm for computing logarithms over GF(p) and its cryptographic significance[J].IEEE Trans.on IT,1978,24:106-110.
    [101]PETERSEN H,HORSTER P.Self-certified keys-concepts and applications[C].In Proc.3rd Int.Conference on Communications and Multimedia Security'97.Chapman & Hall,September,1997:102-116.
    [102]POINTCHEVAL D,STERN J.Provably Secure Blind Signature Schemes[C].Advance Cryptology-Asiacrypt'96,LNCS 1163.Kyongju,Korea:Springer-Verlag,1996.252-265.
    [103]RACKOFF C,SIMON D.Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack[C].J.Feigenbaum ed.In Proceedings of Advances in Cryptology-CRYPTO '91,Santa Barbara,California,USA,August 1991 LNCS 576.Springer-Verlag,1991:433-444.
    [104]REVIST R L,SHAMIR A,ADLEMAN L.A method for obtaining digital signatures and public-key cryptosystems[J].Communications of the ACM,1978,21(2):120-126.
    [105]SCHRIJVER A.Theory of linear and integer programming[M].New York:Wiley,1986.
    [106]SCHNORR C P.Efficient signature generation by smart cards[J].Journal of Cryptology,1991,4:161-174.
    [107]SCHNEIER B.Applied cryptography-protocols,algorithms,and source code in C[M].Second Ed.New York:John Wiley & Sons,1996.
    [108]SHOUP V.Lower bounds for discrete logarithms and related problems[C].In Advances in Cryptology(EUROCRYPT),LNCS 1233.Berlin:Springer-Verlag,1997:256-266.
    [109]STALLINGS W.杨明,胥光辉,齐望东等译.密码编码学与网络安全:原理与实践[M].北京:电子工业出版社,2001.
    [110]STINSON D R.冯登国译.密码学原理与实践[M].北京:电子工业出版社,2003.
    [111]STAM M,LENSTRA A K.Speeding up XTR[C].C.Boyd ed.Proceedings of Advances in Cryptology-ASIACRYPT 2001:7th International Conference on the Theory and Application of Cryptology and Information Security,Gold Coast,Australia,December 2001,LNCS 2248.Berlin:Springer-Verlag,2001:125-143.
    [112]STADLER M A,PIVETEAU J M,CAMENISCH J L.A blind signatures scheme based on EIGamal signature[C].EUROCRYPT'95.Heidelberg:Springer-Verlag,1995:209-219.
    [113]STADLER M A,PIVETEAU J M,CAMENISCH J L.Fair blind signatures[C].In Proc.EUROCRYPT '95,LNCS 921.St.Malo,France:Springer-Verlag,1995:209-219.
    [114]SCH(O|¨)NHAGE A,STRASSEN V.Schnelle Multiplikation grosse Zahlen[J].Computing,1971,7:281-292.
    [115]SMITH P,SKINNER C.A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms[C].Proceedings of Asiacrypt'94,LNCS 917.Berlin:Springer-Verlag,1995:357-364.
    [116]TESKE E.Speeding up Pollard's Rho method for computing discrete logarithms[C].In Alg.Numb.Th.Symp.(ANTS-Ⅲ),LNCS 1423.Berlin:Springer-Verlag,1998:541-554.
    [117]THERIAULT N.Index calculus attack for hyperelliptic curves of small genus[C].C.Laih ed.In Advances in Cryptology-ASIACRYPT 2003,LNCS 2894.Berlin:Springer,2003:75-92.
    [118]TSENG Y M,JAN J K.An efficient authenticated encryption schemes with message linkages and low communication costs[J].Journal of information and engineering,2002,18:41-46.
    [119]TSENG Y M,JAN J K,CHIEN H Y.Digital signature with message recovery using selfcertified Public keys and its variants[J].Applied Mathematics and Computation,2003,136(2-3):203-214.
    [120]TAN Z,LIU Z,TANG C.Digital proxy blind signature schemes based on DLP and ECDLP[J].MM Research Preprints,2002,21(7):212-217.
    [121]THULL K,YAP C.A unified approach to hgcd algorithms for polynomials and integers[OL].1998.http://citeseer.ist.psu.edu/235845.html.
    [122]URSIC S,PATARRA C.Exact solution of systems of linear equations with iterative methods[J].SIAM J.Algebraic Discrete Methods,1983,4:111-115.
    [123]VALLEE B.Dynamics of the binary Euclidean algorithm:functional analysis and operators [J].Algorithmica,1998,22:660-685.
    [124]VERHEUL E.Certificates of recoverability with scalable recovery agent security[C].Proceedings of PKC 2000,LNCS 1751.Berlin:Springer-Verlag,2000:258-275.
    [125]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [C].Proceedings of Eurocrypt 2001,LNCS 2045.Berlin:Springer-Verlag,2001:195-210.
    [126]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [J].Journal of Cryptology,2004,17(4):277-296.
    [127]WILLIAMS H C.A p+1 Method of Factoring[J].Math.Comp.,1982,39:225-234.
    [129]Working Group 2 of ISO/IEC JTC 1/SC27.An emerging standard for public-key encryption [EB/OL].2004-1-5.http://shoup.net.
    [131]WANG X,PAN V Y.Acceleration of Euclidean algorithm and rational number reconstruction [J].SIAM J.Comput.,2003,32:548-556.
    [133]WANG Z H,ZHANG Z G.XTR~+:a provable security public key cryptosystem[C].Y.Wang,Y.Cheung,H.Liu,eds.CIA 2006,LNAI 4456.Berlin Heidelberg:Springer-Verlag,2007:534-544.
    [135]Yan S Y.Number Theory for Computing[M].2nd Edition.New York:Springer-Verlag,2002.
    [140]ZIPPEL R E.Effective Polynomial Computation[M].Norwell,MA:Kluwer Academic Publishers,1993.

© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号

地址:北京市海淀区学院路29号 邮编:100083

电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700