Research and Design of Several Identity-Based Signature Schemes
Abstract
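In traditional public key cryptosystems, a user's public key is generated at random by the user and is unrelated to the user's identity. To guarantee the binding between a public key and its owner, a certificate authority (CA) must issue a certificate for the user's public key in the form of its own digital signature. As a result, every user must obtain and verify the certificate before verifying a signature. Because a certificate-based PKI system has to provide certificate lookup, certificate application, certificate revocation and many other services, its structure becomes overly complex and its construction and maintenance costs too high. This certificate management regime often limits the use of public key cryptosystems. To alleviate the problems caused by certificate management, Shamir proposed the concept of the identity-based cryptosystem at the 1984 annual cryptology conference. In an identity-based scheme, a user's public key can be computed directly from the user's identity information (such as real name or e-mail address), and the private key is generated by a private key generator (PKG) and sent secretly to the corresponding user. Since certificates are no longer needed to bind public keys to identities, the overhead of certificate management is avoided. Identity-based cryptography mainly comprises two parts: identity-based encryption (IBE) and identity-based signatures (IBS). In recent years many researchers in China and abroad have studied identity-based cryptography in depth. However, research on identity-based cryptography is still not complete. The focus of this thesis is therefore to solve several problems in the study of identity-based signature schemes using formal methods. The main results of this thesis are as follows:
     1. We design an identity-based signature scheme that is provably secure in the standard model and has short public parameters. Compared with the only IBS scheme constructed directly in the standard model to date, the public parameters of this scheme are roughly half as long, which reduces storage overhead. The security of the scheme is based on the computational Diffie-Hellman problem.
     2. Signcryption is an efficient method for performing encryption and signing simultaneously. In 2007, Yu et al. proposed the first identity-based signcryption scheme in the standard model. This thesis analyzes the security of that scheme, shows that it does not satisfy semantic security, proposes a secure identity-based signcryption scheme, and gives a security proof in the standard model. Building on this, the thesis designs an identity-based broadcast signcryption scheme.
     3. Directed signatures are suited to settings such as tax bills and court summonses. However, identity-based directed signature schemes have not yet been studied systematically. This thesis therefore gives a formal definition of identity-based directed signature schemes and proposes an identity-based directed signature scheme that is provably secure in the random oracle model.
     4. In the currently widely accepted model of identity-based threshold signatures there are two trusted authorities (one is the private key generator PKG, the other is the private key distributor), so concrete schemes in this model also have two single points of failure. To obtain greater robustness, this thesis proposes a formal definition and security model for identity-based threshold signatures without a trusted authority, and proposes a concrete scheme that is provably secure in the standard model. The signing phase of the scheme is non-interactive, so it outperforms other identity-based threshold signature schemes in communication efficiency.
     5. Certificateless public key cryptography is a successor concept to identity-based cryptography. This thesis proposes a new certificateless threshold signature scheme and proves its security in terms of both robustness and unforgeability. The new scheme outperforms existing schemes in both computation and communication efficiency.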
In traditional public key cryptosystems, the public key is usually a "random" string picked by the user that is unrelated to the user's identity. To bind the public key to its legitimate owner, a certificate authority (CA) needs to digitally sign a certificate asserting this relationship between the public key and the user. As a result, any verifier must obtain and verify the corresponding certificate before performing signature verification. Certificate management (including revocation, storage and distribution) and the computational cost of certificate verification are now the main complaints against traditional public key cryptosystems. To eliminate the burden of certificate management, Shamir introduced the notion of identity-based cryptography in 1984. In an identity-based cryptosystem, a user's public key is just his publicly available identity (e.g. real name, email address, or IP address), so no extra effort is needed to ensure the authenticity of a public key and the complexity of certificate management is removed. Recently, many researchers have studied identity-based cryptosystems in depth, including signature schemes and encryption schemes. However, as far as we know, the research on identity-based signature schemes is not yet satisfactory. The aim of this thesis is therefore to study and design a series of identity-based signature schemes systematically by formal means. Our main achievements are as follows:
     1. Up to now, the only known direct construction of an identity-based signature (IBS) scheme that is secure in the standard model is the one proposed by Paterson and Schuldt in 2006. The main problem of their scheme is that the public parameters include about n_u+n_m group elements, where n_u is the binary length of the identities and n_m is the binary length of the messages. In this thesis, we propose an IBS scheme with reduced public parameters which is also proven secure in the standard model. The public parameters of our scheme consist of max(n_u,n_m) group elements. Security of our scheme is reduced to the CDH problem in the underlying group.
     2. The notion of digital signcryption was proposed to perform the functionality of signature and encryption simultaneously and efficiently. Recently, Yu and Yang presented the first identity-based signcryption scheme without random oracles. In this thesis, however, we show that the scheme is actually not semantically secure. We then devise an identity-based signcryption scheme without random oracles, improving on Yu and Yang's scheme. We also propose an identity-based broadcast signcryption scheme based on our identity-based signcryption scheme.
     3. Directed signature schemes are suitable for applications such as tax bills and bills of health. As far as we know, directed signatures in the identity-based setting have not been formally studied yet. In this thesis, we fill this gap. We propose a reasonable formal model for identity-based directed signatures, and present a concrete scheme provably secure in this model.
     4. In the widely accepted model of identity-based threshold signature schemes, there are two trusted authorities (one is the private key generator PKG, the other is the private key distributor). Therefore all schemes proposed in this model have two single points of failure. To provide better robustness in practice, we propose the notion and security model of identity-based threshold signature schemes without a trusted authority, and propose a concrete construction. The signing phase of our scheme is non-interactive, so it is better than other identity-based threshold signature schemes in terms of communication efficiency.
     5. Certificateless cryptography is a sibling notion of identity-based cryptography. We propose a new certificateless threshold signature scheme, and prove it secure in terms of robustness and existential unforgeability. Our scheme improves on existing schemes in terms of both computation and communication efficiency.
