Research on Authenticated Key Exchange
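Abstract
Given the importance of information technology and the communications industry today, and in the face of increasingly diverse attack techniques, ensuring the confidentiality, integrity, authenticity, authorization and non-repudiation of communication data is becoming an ever more important research topic in computer and information security. Authenticated Key Exchange (AKE), one of the current core technologies, provides two services to the communicating parties. First, AKE establishes a session key for the two parties, that is, a symmetric key known only to them, which is used to provide data confidentiality and data integrity in the subsequent transmission. Second, AKE lets the two parties confirm each other's identity. According to the authentication factor used, AKE can be classified as password-based, symmetric-key-based, public-key-based, or based on hybrid factors. This dissertation studies the security and complexity of password-based authenticated key exchange (PAKE) systems and of AKE systems in wireless networks. The main contributions are as follows:
     (1) A password-only two-server authenticated key exchange system
     This dissertation designs a new Password-only Two-server AKE (PTAKE) system. It overcomes both the single point of failure of traditional single-server systems and the high system overhead of multi-server systems. The new system not only satisfies the strongest security requirement for this class of systems, namely that it still resists offline dictionary attacks when an active adversary compromises either one of the two servers, but also needs only 6 message transmissions in total. Compared with the only existing system at the same security level, the new system reduces communication complexity by 40% without increasing computational complexity. Using homomorphic one-way functions and homomorphic encryption, the dissertation also proposes, for the first time, a generically designed PTAKE (Generic PTAKE), and proves that the system still resists offline dictionary attacks even when an active adversary controls the front-end server of the two servers or a passive adversary controls the back-end server.
     (2) Complexity study of fast algorithms for modular duplex-exponentiation
     Modular duplex-exponentiation is widely used in many number-theoretic cryptosystems, including the PTAKE above, and is the most expensive operation in these systems; its efficiency directly affects the performance of the whole system. This dissertation compares and analyzes the current mainstream fast algorithms for this operation, and in particular uses a Markov probabilistic model to analyze the complexity of the WLLC algorithm, which was previously believed to be the fastest. Theoretical analysis and experimental data show that the average number of modular multiplications required by the WLLC algorithm is 1.556k (where k denotes the length of the exponent), correcting the original analysis result of 1.306k. This shows that the complexity of current modular duplex-exponentiation algorithms based on canonical signed-digit codes still cannot be reduced below 1.5k modular multiplications.
     (3) An anonymous secure wireless roaming protocol
     An anonymous Secure Wireless Roaming (SWR) protocol helps a roaming user and a foreign server establish a secure channel while protecting the user's privacy; its core is that the user performs authenticated key exchange with the foreign server anonymously. Building on existing work, this dissertation proposes a more complete set of security requirements for anonymous SWR, including user authentication, server authentication, establishment of a secure session key, forward secrecy, user anonymity and untraceability. Using the modular construction approach under the CK model, we design an anonymous SWR protocol based entirely on symmetric keys. The protocol needs only 4 message transmissions, the lowest communication cost among comparable protocols to date. Because the protocol needs only symmetric-key encryption and message authentication codes and does not involve a Public Key Infrastructure (PKI), its computational complexity is also the lowest among known protocols.
     (4) A revocable group signature scheme with forward security
     As an important cryptographic building block, a revocable group signature scheme can be used to construct a new kind of AKE that achieves Localized Anonymous Roaming. Although this reduces the communication load between servers, the use of a group signature scheme greatly increases computational complexity and makes the user revocation mechanism overly complex. To reduce the complexity of this class of protocols, this dissertation designs an efficient forward-secure revocable group signature scheme. Its signing, verification and user-revocation computational complexity, as well as the lengths of the group public key, the user private key and the signature, are all constant and do not depend on the number of users in the group or the number of revoked users; it is the first constant-cost revocable group signature scheme.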
Nowadays information technologies and the communication industry play important roles in human society. With the rapid development of various network attacks, providing confidentiality, integrity, authentication, authorization and non-repudiation of data has become a critical topic in computer science and information security. As a key technology, an Authenticated Key Exchange (AKE) protocol provides two kinds of services for two communicating parties. First, it allows the two parties to establish a session key, a purely symmetric key known only to the two of them. The established key is used to provide data confidentiality and data integrity in the subsequent data transmission. Second, it provides a mechanism for each party to be convinced that it is communicating with the intended party. According to the authentication factor used, there are several kinds of AKE, such as Password-only AKE (PAKE), symmetric key based AKE, public key based AKE and hybrid AKE. This dissertation focuses on the security and complexity issues of PAKE and of AKE for wireless networks. The main work and contributions are as follows:
     (1) Password-only Two-server Authenticated Key Exchange (PTAKE)
     In this dissertation, we propose a novel PTAKE. It overcomes both the single point of failure of the conventional single-server scheme and the expensive system costs of the multi-server scheme. It not only satisfies the strongest security requirement for PTAKE, namely that the system is secure against offline dictionary attacks even if any one of the two servers is corrupted by an active adversary, but also requires only six communication rounds. That is, our scheme reduces the number of communication rounds by 40% compared with the other most efficient scheme while maintaining about the same degree of computational complexity. Furthermore, we propose a generic PTAKE that satisfies a lower security level for PTAKE: the system is secure against offline dictionary attacks even if the front one of the two servers is corrupted by an active adversary or the backend server is corrupted by a passive adversary.
     (2) Complexity Analysis of a Fast Modular Duplex-exponentiation Algorithm
     The PTAKE schemes mentioned above and many other existing cryptosystems need efficient modular duplex-exponentiation to be fast in practice, since it is their most expensive operation. In this dissertation, we examine the computational complexity of the well-known fast algorithms. In particular, we provide a formal complexity analysis, under a Markov probabilistic model, of the WLLC algorithm, which was claimed to be the fastest algorithm. The complexity analysis and the experimental results show that the actual computational complexity of the WLLC algorithm should be 1.556k rather than 1.306k, where k is the larger bit length of the two exponents. This implies that the best modular duplex-exponentiation algorithm based on the canonical-signed-digit technique is still not able to overcome the 1.5k barrier.
     (3) Anonymous Secure Wireless Roaming (Anonymous SWR)
     The Anonymous Secure Wireless Roaming protocol has been proposed to build a secure channel between the roaming user and the service provider while providing user privacy (i.e., user anonymity and user untraceability); its core function is to provide AKE between the two parties. In this dissertation, we propose all-round security requirements for Anonymous SWR, which capture the following security properties: mutual authentication between roaming user and foreign server, key establishment and key privacy against the backend server, forward secrecy, user anonymity and user untraceability. We also propose a pure symmetric key based Anonymous SWR protocol using the CK modular approach. To the best of our knowledge, it seems to be the first pure symmetric key based Anonymous SWR. Compared with other existing Anonymous SWR protocols, both the computation complexity and the communication complexity of our protocol are the lowest, since it involves only 4 message flows and no PKI (Public Key Infrastructure), and needs only highly efficient cryptographic operations, namely Message Authentication Code (MAC) and symmetric key encryption.
     (4) Group Signature with Forward Secure Revocation
     As an important cryptographic tool, group signature has been widely employed by various cryptosystems; in particular, it is employed as a core building block to construct a localized anonymous roaming protocol. Although this roaming protocol greatly alleviates the communication burden of the servers, the computational complexity and the user revocation complexity increase quickly due to the use of group signature. To overcome this disadvantage, we propose an efficient group signature with forward secure revocation that achieves constant signing and verifying complexity as well as constant size of the signature, public key and signing key.
