Research on the Universally Composable Digital Signature Model and Its Key Problems
Abstract
With the development of computer and network communication technology, digital signatures have come into wide use, and researchers at home and abroad have studied their theory, techniques and applications in depth. The Universal Composability (UC) framework is attracting growing attention because it simplifies protocol analysis and gives a stronger security guarantee: a protocol proven UC-secure remains secure when it runs alongside, or inside, arbitrary other protocols. To our knowledge, however, digital signatures have received little study under the UC framework. The assumptions used in some ideal functionality definitions for signature schemes are not well justified, and for some signature primitives no UC security model exists at all. This dissertation systematically studies and designs threshold signature, proxy re-signature and proxy signature schemes under the UC framework. The contributions are as follows:
     1. Existing work on threshold signatures under the UC framework is immature and its ideal functionality is incomplete, so UC-secure threshold signature protocols deserve study. We define a more precise ideal functionality for the threshold signature primitive and construct a series of UC-secure protocols, including two threshold signature protocols and two proactive threshold signature protocols. The proposed protocols are not only provably secure in the usual sense but also UC-secure; they remedy shortcomings of earlier work and complete the study of the UC security model for threshold signatures.
     2. Proxy re-signature is an emerging area of modern cryptography, and no UC-secure proxy re-signature scheme exists yet. We bring the UC framework to proxy re-signature and propose two simple and efficient UC-secure proxy re-signature schemes. Besides refining the game-based security model for proxy re-signature, we give the first UC-based security model for it, paving the way for future work on UC-secure proxy re-signature protocols.
     3. Proxy signature protocols under the UC framework are an unexplored area, so we further extend the UC framework to proxy signatures and construct two UC-secure proxy threshold signature protocols. For resource-constrained environments we also study how to design a multi-times proxy signature scheme and a key-insulated proxy signature scheme suited to mobile agent systems. These schemes are provably secure in the random oracle model and mitigate, to a certain extent, the problems of mobile agent abuse and key exposure. The work on the security model of proxy signatures is the basis for formal analysis of proxy signature schemes.
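The threshold signature primitive named in contribution 1 can be seen concretely in Shoup's practical threshold RSA (Eurocrypt 2000): the dealer Shamir-shares the RSA exponent d over Z_m with m = p'q' for safe primes p = 2p'+1 and q = 2q'+1, any t of the n signers emit partial signatures, and a combiner that knows no secret turns them into an ordinary RSA-FDH signature. The following is an added example written for this page, not a protocol from the dissertation; the safe primes, e = 65537, the 3-of-5 parameters, the message and the `demo` helper are all constructed here, and the share-correctness proofs that give the real scheme its robustness are omitted. The second run shows what that omission costs: one signer returning a bogus partial signature makes the combined signature fail verification, which is precisely the adversarial behaviour a UC ideal functionality for threshold signing has to account for. Python 3.8 or later is required for `pow` with a negative exponent.

```python
"""Shoup-style (t, n) threshold RSA signatures with toy parameters.

Added example, not code from the dissertation. The dealer shares the RSA
secret exponent d with a Shamir polynomial over Z_m (m = p'q'), any t of the
n signers produce partial signatures, and a combiner turns them into an
ordinary RSA signature that verifies under the public key (N, e). Share
correctness proofs (needed for robustness) are omitted.
"""
import hashlib
import math
import secrets


def is_prime(v: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if v < 2:
        return False
    return all(v % k for k in range(2, math.isqrt(v) + 1))


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def full_domain_hash(msg: bytes, N: int) -> int:
    """Hash the message into Z_N^*. The re-hash loop only matters because the
    toy modulus is tiny; with a real 2048-bit N a common factor never occurs."""
    ctr = 0
    while True:
        digest = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % N
        if x > 1 and math.gcd(x, N) == 1:
            return x
        ctr += 1


def keygen(p: int, q: int, e: int, n: int, t: int):
    """Dealer: RSA key from safe primes p = 2p'+1, q = 2q'+1, then Shamir-share
    d over Z_m, m = p'q'. Returns the public key and the n secret shares."""
    pp, qq = (p - 1) // 2, (q - 1) // 2
    assert all(map(is_prime, (p, q, pp, qq, e))), "need safe primes and prime e"
    assert e > n and 1 <= t <= n          # guarantees gcd(e, 4*(n!)^2) == 1
    N, m = p * q, pp * qq
    d = pow(e, -1, m)
    coeffs = [d] + [secrets.randbelow(m) for _ in range(t - 1)]   # f(0) = d
    shares = {i: sum(c * pow(i, k, m) for k, c in enumerate(coeffs)) % m
              for i in range(1, n + 1)}
    pk = {"N": N, "e": e, "n": n, "t": t, "delta": math.factorial(n)}
    return pk, shares


def partial_sign(pk, i: int, share: int, msg: bytes) -> int:
    """Signer i outputs x_i = x^(2*delta*d_i) mod N; the factor 2 moves x into
    the quadratic residues, whose group order divides the secret m."""
    x = full_domain_hash(msg, pk["N"])
    return pow(x, 2 * pk["delta"] * share, pk["N"])


def lagrange_at_zero(i: int, subset, delta: int) -> int:
    """delta * prod_{j != i} (0 - j)/(i - j); an integer because delta = n!."""
    num, den = delta, 1
    for j in subset:
        if j != i:
            num *= -j
            den *= i - j
    assert num % den == 0
    return num // den


def combine(pk, partials: dict, msg: bytes) -> int:
    """Combiner: needs exactly t partial signatures and no secret material."""
    N, e, delta = pk["N"], pk["e"], pk["delta"]
    assert len(partials) == pk["t"], "need exactly t partial signatures"
    subset = sorted(partials)
    w = 1
    for i in subset:
        lam = lagrange_at_zero(i, subset, delta)
        w = w * pow(partials[i], 2 * lam, N) % N   # negative lam -> modular inverse
    # Now w^e == x^e' with e' = 4*delta^2, and gcd(e, e') == 1, so Bezout
    # coefficients a, b with e'*a + e*b == 1 give y = w^a * x^b with y^e == x.
    e_prime = 4 * delta * delta
    g, a, b = egcd(e_prime, e)
    assert g == 1
    x = full_domain_hash(msg, N)
    return pow(w, a, N) * pow(x, b, N) % N


def verify(pk, msg: bytes, sig: int) -> bool:
    """Plain RSA-FDH verification: the combined signature is an ordinary one."""
    return pow(sig, pk["e"], pk["N"]) == full_domain_hash(msg, pk["N"])


def demo(corrupt_signer=None) -> bool:
    """3-of-5 signing; optionally one signer returns a bogus partial signature."""
    pk, shares = keygen(p=1019, q=1187, e=65537, n=5, t=3)   # constructed toy key
    msg = b"constructed sample message"
    partials = {i: partial_sign(pk, i, shares[i], msg) for i in (1, 2, 3)}
    if corrupt_signer is not None:
        # No proof of correctness is checked, so the combiner cannot tell.
        partials[corrupt_signer] = partials[corrupt_signer] * 2 % pk["N"]
    return verify(pk, msg, combine(pk, partials, msg))


if __name__ == "__main__":
    print("honest signers :", demo())                   # True
    print("corrupt signer :", demo(corrupt_signer=2))   # False
```

The combiner never learns d or m, and any t-subset works because the integer Lagrange coefficients multiplied by delta = n! sum to delta. What the toy leaves out is exactly the robustness layer: in Shoup's scheme each signer attaches a non-interactive proof that its partial signature was computed with its share, so a corrupt signer is identified and replaced rather than silently spoiling the output.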