Research on Public Key Cryptosystems Secure Against Chosen Ciphertext Attack
Abstract
Security is one of the core problems in communication and information systems, and cryptography is the foundation of information security.
     In a public key cryptosystem (PKC), the attacker holds the public encryption key and can freely use it to encrypt plaintexts of his choice, i.e., mount a chosen plaintext attack. In an open network environment, however, the attacker can also inject messages into the network, and these messages may be ciphertexts. The attacker can then obtain the plaintext of such a ciphertext through interaction with a participant. To address this, Rackoff and Simon proposed in 1991 the notion of security against chosen ciphertext attack (CCA security). Roughly, under this definition the attacker may obtain the decryptions of ciphertexts of his choice; he is then given a challenge ciphertext; afterwards he may continue to obtain the decryptions of ciphertexts of his choice, the only restriction being that he may not directly obtain the decryption of the challenge ciphertext; security requires that in the end the attacker learns no partial information about the plaintext of the challenge ciphertext.
     A cryptosystem secure against chosen ciphertext attack is a very strong cryptographic primitive. It plays an important role in the design of cryptographic protocols that resist active attacks; for example, it can be used to design protocols for authenticated key exchange, key escrow and fair exchange.
     Chapters 2 to 5 of this thesis study two aspects: one is the design of new PKC schemes together with rigorous proofs; the other is proving the security of existing PKC schemes. The specific contributions are as follows:
     In Chapter 2, taking two special identity-based encryption schemes as the basis, namely the Selective-ID secure identity-based encryption scheme of Boneh and Boyen and the Adaptive-ID secure identity-based encryption scheme of Waters, we construct new (non-threshold) public key encryption schemes that are secure against chosen ciphertext attack in the standard model. In addition, based on the BB scheme, we construct a new CCA-secure key encapsulation mechanism that is more efficient than the mechanism obtained directly from the new BB-based encryption scheme. All of these schemes are far more efficient than those obtained by directly applying the Canetti-Halevi-Katz method, and close in efficiency to those obtained by the Boneh-Katz method (for decryption, the new schemes are somewhat more efficient).
     In Chapter 3, we construct threshold public key encryption schemes secure against chosen ciphertext attack; they are obtained by transforming, respectively, the CHK scheme (for simplicity, we use "CHK scheme" to denote the scheme obtained by applying the CHK method to the BB scheme, and "BK scheme" in the same sense) and the non-threshold schemes constructed in Chapter 2
Security is one of the most important problems in communication and information systems, and cryptography is the basis of security.

In a public key cryptosystem (PKC), the attacker holds the public encryption key, so he can freely encrypt adaptively chosen plaintexts, i.e., mount a chosen plaintext attack. In an open network, however, the attacker can also inject messages, and these may be adaptively chosen ciphertexts. The attacker can then interact with a participant and get back the plaintext of such a ciphertext. To deal with this active attack, Rackoff and Simon introduced the notion of security against adaptive chosen ciphertext attack (CCA security) in 1991. Informally, under this definition the attacker can obtain decryptions of ciphertexts of its choice. The attacker is then given the challenge ciphertext. Next, the attacker may continue to obtain decryptions of adaptively chosen ciphertexts, with the only restriction that the challenge ciphertext itself may not be submitted for decryption. Security then requires that the attacker cannot obtain any partial information about the plaintext of the challenge ciphertext.

A cryptosystem secure against adaptive chosen ciphertext attack is a very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries; for example, this primitive is used in protocols for authenticated key exchange, key escrow and fair exchange.

In this thesis, Chapters 2 to 5 focus on two points: one is to design new provably secure PKC schemes; the other is to give formal proofs for some existing PKC schemes. The contributions are summarized as follows.

In Chapter 2, two new (non-threshold) CCA-secure public key encryption (PKE) schemes in the standard model are constructed from two special identity-based encryption (IBE) schemes: one from the Selective-ID secure IBE of Boneh and Boyen, the other from the Adaptive-ID secure IBE of Waters. In addition, a new CCA-secure key encapsulation mechanism (KEM) is proposed from the BB IBE scheme; it is more efficient than the KEM obtained directly from the PKE based on the BB scheme. All the new proposals in this chapter are much more efficient than those obtained from the general Canetti-Halevi-Katz transform, and are comparable to those from the Boneh-Katz method (for decryption, the new schemes are even more efficient).

In Chapter 3, CCA-secure threshold public key encryption systems are constructed from the non-threshold schemes, namely from the CHK scheme (for brevity, "CHK scheme" denotes the scheme obtained by applying the CHK method to the BB scheme, and "BK scheme" is used in the same sense) and from the new proposals of Chapter 2. Previously, most CCA-secure threshold public key encryption systems could only be proved secure in the random oracle model; only the Canetti-Goldwasser scheme could be proved CCA-secure in the standard model, but since it is interactive it cannot be used in an asynchronous public network. All the new threshold schemes, by contrast, are both provably secure in the standard model and non-interactive. Next, CCA-secure threshold identity-based encryption systems in the standard model are constructed. Previously, the first and only CCA-secure threshold identity-based encryption system could only be proved secure in the random oracle model. The results of this chapter also show that our schemes of Chapter 2 not only enjoy the efficiency of the BK scheme but can also be used in threshold CCA-secure systems like CHK, whereas the BK scheme, not being publicly verifiable, is unsuited to constructing threshold CCA-secure systems.

In Chapter 4, a security analysis is given for an existing scheme. It is rigorously proved secure against chosen ciphertext attack under the Gap Diffie-Hellman assumption in the random oracle model. Previously it could only be proved secure in the generic group and random oracle model. In the generic group model the attacker cannot exploit any special encoding or algebraic structure of the group; in other words, the group is assumed to be ideal. The new proof needs only the random oracle, that is, only the hash function is assumed to be ideal. Since the generic group and random oracle model idealizes both the group and the hash function, the new proof gives more confidence in the scheme's security than the previous related work.

In Chapter 5, two new publicly verifiable encryption schemes in the random oracle model are proposed. They are more efficient than the scheme proposed by Baek and Zheng in 2003. The CCA security of the first is relative to the Strong Diffie-Hellman problem, and that of the second to the Linear Diffie-Hellman problem.
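The Rackoff-Simon experiment described in the abstract, as an added example that is not part of the thesis: a Python challenger that enforces the game's one restriction (the challenge ciphertext itself is never decrypted), driven against a toy textbook ElGamal instance with constructed group parameters. It shows why a scheme whose oracle must answer related ciphertexts fails the definition, and how such a harness checks a candidate scheme's resistance (a CCA-secure scheme keeps every efficient adversary near 1/2).

```python
import random

# Toy group for the example (constructed, not from the thesis): P is a safe
# prime and G generates the subgroup of prime order Q = (P - 1) / 2.
P, Q, G = 467, 233, 4
M0, M1 = pow(G, 7, P), pow(G, 11, P)  # two distinct subgroup elements

def keygen(rng):
    """Textbook ElGamal key pair: sk = x, pk = G^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(pk, m, rng):
    """Ciphertext (G^r, m * pk^r); messages are elements of the subgroup."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def decrypt(sk, c):
    """Recover m = c2 / c1^sk, inverting with Fermat's little theorem."""
    c1, c2 = c
    return c2 * pow(pow(c1, sk, P), P - 2, P) % P

class IndCca2Game:
    """Challenger for the adaptive chosen ciphertext experiment: the oracle
    answers any ciphertext before and after the challenge, except c* itself."""

    def __init__(self, rng):
        self.rng = rng
        self.sk, self.pk = keygen(rng)
        self.challenge_ct = None
        self.b = None

    def decrypt_oracle(self, c):
        # The definition's single restriction: c* itself is never decrypted.
        if c == self.challenge_ct:
            raise PermissionError("challenge ciphertext may not be queried")
        return decrypt(self.sk, c)

    def challenge(self, m0, m1):
        """Return c* = Enc(m_b) for a hidden random bit b; one per game."""
        if self.challenge_ct is not None:
            raise RuntimeError("only one challenge per experiment")
        self.b = self.rng.randrange(2)
        self.challenge_ct = encrypt(self.pk, (m0, m1)[self.b], self.rng)
        return self.challenge_ct

def malleability_adversary(game):
    """Wins against textbook ElGamal without ever submitting c*: c2 * G is a
    valid encryption of m_b * G that differs from c*, so the oracle answers
    it, and dividing G back out yields m_b. CCA security rules this out."""
    c1, c2 = game.challenge(M0, M1)
    m_times_g = game.decrypt_oracle((c1, c2 * G % P))
    m_b = m_times_g * pow(G, P - 2, P) % P
    return 0 if m_b == M0 else 1

def random_guess_adversary(game):
    """Baseline that ignores the oracle; wins about half the time."""
    game.challenge(M0, M1)
    return game.rng.randrange(2)

def success_rate(adversary, trials=200, seed=1):
    """Fraction of independent experiments the adversary wins; a CCA-secure
    scheme keeps every efficient adversary close to 0.5."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        game = IndCca2Game(rng)
        wins += (adversary(game) == game.b)
    return wins / trials

def oracle_refuses_challenge(seed=7):
    """Check that the challenger enforces the game's one restriction."""
    game = IndCca2Game(random.Random(seed))
    c_star = game.challenge(M0, M1)
    try:
        game.decrypt_oracle(c_star)
    except PermissionError:
        return True
    return False
```

To evaluate a real candidate scheme, swap keygen, encrypt and decrypt for its own routines; the challenger and success_rate stay unchanged.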