Design and Analysis of Authentication and Key Agreement Protocols
Abstract
A cryptographic protocol is a sequence of interactions between two or more parties to accomplish a computational task. Cryptographic protocols are used for session key agreement/distribution, identity and message authentication, secure e-commerce/e-government and other purposes. They are one of the most effective means of ensuring network security and a key technology of information and network security.
Real network environments are completely open and host all kinds of attackers and attack methods. To protect the information security of protocol participants and prevent an attacker from obtaining additional information, secure and effective cryptographic protocols must be designed. The theory of provable security reduces the security of a cryptographic protocol/scheme to some cryptographic assumption (for example the intractability of a class of mathematical problems, or the existence of one-way functions); if the assumption holds, the protocol/scheme is secure under current computing conditions. Research on provably secure cryptographic protocols therefore has strong practical relevance.
This thesis studies the design of authentication and key agreement protocols and the supporting theory for constructing cryptographic protocols. It focuses on the security analysis of cryptographic protocols/schemes, the design of two-party deniable authentication protocols, traitor tracing in asymmetric group key agreement protocols, the realizability of secure function evaluation, the design of identity-based signcryption schemes in the multi-PKG setting, and key management, and obtains the following results.
1. Security analysis of cryptographic protocols/schemes
Early cryptographic protocols were designed and analyzed heuristically. Because the emergence of new cryptanalytic techniques is unpredictable, and any new technique may break a protocol, heuristic methods can hardly guarantee a protocol's security. Formal analysis of cryptographic protocols has therefore become a research focus. In a formal method, the analyst establishes a security model and analyzes the protocol's security by formal means based on computational complexity or on logical reasoning. This thesis summarizes the methods for security analysis of cryptographic protocols and the proof techniques of the computational-complexity approach, and analyzes a deniable authentication protocol, a two-party authenticated key agreement protocol and an identity-based signcryption scheme in the multi-PKG setting; all three are shown to have security flaws.
2. Two-party deniable authentication protocols
A deniable authentication protocol convinces the receiver that the authenticator intends to authenticate a message m, while the receiver R cannot prove the origin of the message to a third party; at the same time, the authenticator of m cannot prove to a third party that it ever provided the authenticated message m to the receiver. Deniability strengthens the privacy properties of cryptographic protocols and is applied in Internet key exchange, electronic voting, e-commerce and many other areas. The hash proof system proposed by Cramer and Shoup at Eurocrypt 2002 is an important cryptographic component that has been used successfully in the design of deniable authentication protocols. Based on extractable hash proof systems, this thesis proposes a new deniable authentication protocol that satisfies concurrent unforgeability and restricted deniability, and gives a security proof that reduces unforgeability to a hard search problem (such as integer factorization or CDH) rather than a decision problem (such as DDH or DCR).
3. Asymmetric group key agreement with traitor tracing
Group key agreement is a basic cryptographic task whose goal is to allow multiple users to establish a shared key over an open network; from an application standpoint, its ultimate purpose is to provide a private channel among the users. At Eurocrypt 2009, Wu et al. first proposed the notion of asymmetric group key agreement (ASGKA). In an ASGKA protocol the group members negotiate not a shared session key but a shared encryption key; this encryption key may be accessible to the adversary and corresponds to several different decryption keys, and each user can compute one decryption key matching it. ASGKA is a new concept that leaves many open problems and directions for further research, e.g. traitor-traceable ASGKA protocols and identity-based ASGKA protocols. This thesis proposes a traitor-traceable asymmetric group key agreement protocol, ASGKAwTT, which is provably secure in the standard model; when a malicious participant (a traitor) leaks its decryption key to an external adversary, every group member can recover the traitor's identity by verifying a multi-signature on the identities.
4. Realizability of multi-party secure function evaluation
At Crypto 2008, Prabhakaran and Rosulek introduced the notion of cryptographic complexity, which studies the realizability of secure multi-party function evaluation in a given security model, the complexity (hardness) of securely realizing various functionalities, and the relations between them. The most important task in this theory is to examine the realizability of secure multi-party computation tasks. In a concrete security model, the set of all tasks that can be securely realized uniquely determines a "cryptographic complexity class", called the realizable class; not every object of study can be securely realized. Characterizing what makes a function securely realizable in a given model helps to partition functions into complexity levels and gives an intuitive understanding of how functions compare and classify by complexity. This thesis analyzes necessary conditions for the realizability of multi-party function evaluation and shows by counterexamples that these necessary conditions are not sufficient. Based on this analysis it gives necessary and sufficient conditions for realizability and proves them through a new technical framework called splittability.
5. Identity-based signcryption in the multi-PKG setting
Signcryption performs digital signature and public-key encryption in one logical step at a cost far below the traditional sign-then-encrypt approach, which makes it an ideal method for confidential and authenticated transmission, and it has been widely studied as a supporting primitive for protocol design. Identity-based signcryption in the multi-PKG setting solves the problems of secure authentication and confidential communication between entities in different domains. This thesis proposes a new identity-based signcryption scheme for the multi-PKG setting. It uses Waters' identity-based encryption and the construction ideas of existing identity-based signcryption schemes, and uses the ⊕ operation together with a collision-resistant hash function to remove the correspondence between signcryption ciphertext and plaintext, thereby ensuring semantic security. The scheme achieves provable CCA security and existential unforgeability in the standard model, and when it degenerates to a single PKG it is still slightly more efficient than other schemes secure in the standard model.
6. Key management scheme for Ad Hoc networks
Keys are the most sensitive information in a cryptosystem, and the quality of key management directly determines how well cryptography can be applied. To improve the reliability of key management and avoid the risks of a single point of failure, effective key management schemes are usually designed with secret sharing/threshold techniques. The idea of threshold techniques is to distribute secret information (such as a key) or a sensitive computation (such as encryption) over many users so that only a sufficient number of cooperating users can reconstruct the secret or complete the computation, while fewer than the threshold cannot. This thesis proposes a new key management scheme for Ad Hoc networks based on threshold secret sharing. Its main feature is a fully non-interactive threshold secret sharing mechanism based on a symmetric bivariate polynomial, which securely and efficiently supports dynamic node joining, traceability of malicious nodes, key share updating and session key exchange, and suits the dynamic topology changes of large-scale Ad Hoc networks.
A cryptographic protocol is an interactive procedure between two or more players for carrying out a computing task. Cryptographic protocols have a wide range of applications, including session key agreement/distribution, identity and message authentication, and secure electronic business/government affairs. They are a key technology and one of the most effective measures for ensuring information and network security.
The real network is completely open, and it contains all kinds of attackers and attacks. To ensure the information security of protocol participants and to prevent an attacker from obtaining additional information, secure and effective cryptographic protocols must be designed. The theory of provable security reduces the security of a protocol/scheme to some cryptographic assumption (such as the intractability of a class of mathematical problems, or the existence of one-way functions), so that if the assumption holds, the underlying protocol/scheme is secure under current computing capabilities. Systematic research on provably secure cryptographic protocols is therefore of great practical value.
In this thesis we investigate the design of authentication and key agreement protocols as well as the supporting theory for constructing cryptographic protocols. We focus on the security analysis of cryptographic protocols/schemes, the construction of two-party deniable authentication protocols, traitor tracing in asymmetric group key agreement protocols, the realizability of secure function evaluation (SFE), and the design and key management problems of identity-based signcryption schemes in the multi-PKG setting, and obtain the following results.
1. Security analysis of cryptographic protocols/schemes
In the early literature, cryptographic protocols were designed and analyzed heuristically. However, the emergence of new cryptanalytic techniques is unpredictable, and any new technique may break a protocol, so the heuristic approach can hardly guarantee a protocol's security. In this context formal analysis was introduced and has become one of the most active research areas. In formal analysis, the analyst first establishes a security model and then applies methods based on computational complexity or on logical reasoning to analyze the protocol's security. This thesis summarizes the main analysis methods and the proof techniques of the computational-complexity approach. We then investigate a deniable authentication protocol, a two-party authenticated key agreement protocol and an identity-based signcryption scheme in the multi-PKG setting, and show that all three have security flaws.
2. Two-party deniable authentication protocols
Deniable authentication protocols allow a sender to authenticate a message to a receiver in such a way that the receiver cannot convince a third party of the message's origin; meanwhile, the sender cannot convince a third party that she has authenticated the message. Deniability strengthens the privacy of cryptographic protocols and has wide applications in Internet key exchange, electronic elections and electronic business. The hash proof system introduced by Cramer and Shoup at Eurocrypt 2002, a basic cryptographic component, has been incorporated into constructions of deniable authentication protocols. This thesis presents a new deniable authentication protocol based on extractable hash proof systems that satisfies concurrent unforgeability and restricted deniability. Furthermore, we give a formal security proof reducing unforgeability to the hardness of search problems (e.g. integer factorization, CDH) instead of decision problems (e.g. DDH, DCR).
3. Asymmetric group key agreement with traitor traceability
Group key agreement, another basic cryptographic task, enables multiple participants to agree on a shared secret key over an open network; from the application point of view, its goal is to establish a private communication channel among the participants. At Eurocrypt 2009, Wu et al. first introduced the notion of asymmetric group key agreement (ASGKA), in which the key finally obtained is not a secret session key but a public encryption key. This encryption key is available to the adversary and corresponds to many different decryption keys, such that every participant can compute one valid decryption key for the same encryption key. As ASGKA is a new research area, it leaves many open problems and directions for further research, such as traitor-tracing ASGKA protocols. This thesis constructs an asymmetric group key agreement protocol called ASGKAwTT, which is provably secure in the standard model and has the traitor-tracing property: for any malicious player (the traitor) who leaks her secret decryption key to an external adversary, the group members can recover her identity by verifying the multi-signature on identities.
4. The realizability of multi-party secure function evaluation
The theory of cryptographic complexity, introduced by Prabhakaran and Rosulek at Crypto 2008, studies the realizability of secure multi-party function evaluation in specific security models, the inherent complexity of securely computing multi-party functionalities, and the relations between them. The most important step in this area is to investigate the secure realizability of multi-party tasks. Each concrete security model naturally defines a "cryptographic complexity class" consisting of the tasks that have secure protocols in that model, called the realizable class; however, not all functionalities under consideration are realizable. Abstracting the combinatorial characteristics of functionalities that can be securely realized under a specific security model therefore helps to partition cryptographic tasks into complexity levels and leads to a better understanding and comparison of cryptographic complexity classes. This thesis analyzes the necessary conditions for a multi-party secure function evaluation (SFE) functionality to be realizable, and proves by counterexamples that these necessary conditions are not sufficient. Based on this result, we further give necessary and sufficient conditions for realizable SFE functionalities and prove realizability by introducing a new framework called splittability.
5. Identity-based signcryption scheme in the multi-PKG setting
Signcryption is a cryptographic primitive that performs the functions of both digital signature and public-key encryption in a single logical step, in a way that is more efficient than "encrypting-then-signing". Hence it is an effective method for private and authenticated message transmission and has been extensively studied as a supporting theory for protocol design. Identity-based signcryption in the multi-PKG setting provides a good solution for secure authentication and private communication between entities from different domains. This thesis presents a new identity-based signcryption scheme in the multi-PKG setting, which employs ideas from Waters' identity-based encryption scheme and existing identity-based signcryption schemes, and uses the ⊕ operation together with a collision-resistant hash function to eliminate the correspondence between ciphertext and plaintext, thereby ensuring semantic security. The scheme achieves provable security in the standard model and existential unforgeability. Moreover, when only a single PKG is involved, it is more efficient than other schemes secure in the standard model.
6. Key management scheme for Ad Hoc networks
Since the secret key is the core information in a cryptosystem, the level of key management directly determines the level at which a cryptosystem can be applied. To strengthen the reliability of key management and remove the security risks caused by single points of failure, secret sharing/threshold cryptography is usually applied to design effective key management schemes. The idea behind threshold cryptography is to share the secret information (e.g. the secret key) or the sensitive computation among many players such that only a sufficient number of cooperating players can reconstruct the secret or complete the computation, while fewer players cannot. This thesis designs a new Ad Hoc key management scheme based on threshold secret sharing. Its highlight is a non-interactive threshold secret sharing scheme based on a symmetric bivariate polynomial, which provides a secure and efficient implementation of dynamic node joining, malicious node tracing, key share updating and session key exchange, making it applicable to large-scale Ad Hoc networks with dynamically changing topology.
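As an added example that is not the thesis's own code, the following Python shows the core mechanism named in section 6 of both abstracts: pairwise keys, group-secret reconstruction and dealer-free admission of a new node from a symmetric bivariate polynomial f(x, y) = f(y, x) over GF(p), the Blundo et al. construction [87] the scheme builds on. The field prime, threshold, node identifiers and the dealer-based initial distribution are assumptions made for this example.

```python
import secrets

# Toy parameters constructed for this example: the field prime and the
# threshold are assumptions, not values taken from the thesis.
P = 2**61 - 1      # prime modulus of GF(p)
T = 2              # degree t in each variable; t+1 = 3 shares reconstruct/admit


def gen_symmetric_poly(t, p, rng=secrets.randbelow):
    """Dealer picks a[k][l] with a[k][l] == a[l][k], so f(x, y) == f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for k in range(t + 1):
        for l in range(k, t + 1):
            a[k][l] = a[l][k] = rng(p)
    return a


def share_for_node(a, i, p):
    """Node i's share is the univariate polynomial g_i(y) = f(i, y); its
    coefficient of y^l is sum_k a[k][l] * i^k (mod p)."""
    t = len(a) - 1
    return [sum(a[k][l] * pow(i, k, p) for k in range(t + 1)) % p
            for l in range(t + 1)]


def eval_poly(coeffs, y, p):
    """Horner evaluation; coeffs are ordered from y^0 upwards."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % p
    return acc


def pairwise_key(share, peer_id, p):
    """Key node i derives for peer j: g_i(j) = f(i, j). Symmetry of f gives
    g_j(i) the same value, so no message is exchanged (non-interactive)."""
    return eval_poly(share, peer_id, p)


def lagrange_at(points, x, p):
    """Evaluate at x the degree-<=t polynomial through t+1 points (x_k, y_k)."""
    total = 0
    for k, (xk, yk) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != k:
                num = num * (x - xm) % p
                den = den * (xk - xm) % p
        total = (total + yk * num * pow(den, -1, p)) % p
    return total


def reconstruct_group_secret(node_shares, p):
    """Any t+1 nodes contribute g_i(0) = f(i, 0); interpolating f(x, 0) at
    x = 0 yields the group secret f(0, 0). Fewer than t+1 points leave it
    information-theoretically undetermined (the threshold property)."""
    points = [(i, eval_poly(s, 0, p)) for i, s in node_shares]
    return lagrange_at(points, 0, p)


def admit_new_node(node_shares, new_id, p):
    """Dynamic join without a dealer: each of t+1 existing nodes i sends the
    newcomer g_i(new_id) = f(new_id, i), i.e. one point of g_new(y)."""
    return [(i, pairwise_key(s, new_id, p)) for i, s in node_shares]


def new_node_key(points, peer_id, p):
    """The newcomer keeps its share in point form and evaluates it by
    interpolation to obtain f(new_id, peer_id)."""
    return lagrange_at(points, peer_id, p)


def demo():
    """Returns (pairwise keys agree, secret reconstructed, newcomer's key agrees)."""
    a = gen_symmetric_poly(T, P)
    shares = {i: share_for_node(a, i, P) for i in (1, 2, 3, 4)}
    keys_agree = pairwise_key(shares[1], 2, P) == pairwise_key(shares[2], 1, P)
    secret_ok = reconstruct_group_secret([(i, shares[i]) for i in (1, 2, 3)], P) == a[0][0]
    pts = admit_new_node([(i, shares[i]) for i in (2, 3, 4)], 7, P)
    join_ok = new_node_key(pts, 1, P) == pairwise_key(shares[1], 7, P)
    return keys_agree, secret_ok, join_ok
```

Node identifiers must be distinct non-zero field elements, since 0 is reserved for the group secret and repeated identifiers would break interpolation.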
References
[1] Diffie W, Hellman M. New directions in cryptography. IEEE Transactions on Information Theory, 1976, 22(6): 644-654.
[2] Wu Q, Mu Y, Susilo W, et al. Asymmetric group key agreement. Advances in Cryptology - EUROCRYPT 2009. LNCS 5479. Berlin: Springer-Verlag, 2009: 153-170.
[3] Damgård I. On the existence of bit commitment schemes and zero-knowledge proofs. Advances in Cryptology - CRYPTO 1989. New York: Springer-Verlag, 1989: 17-29.
[4] Blum M. Coin flipping by telephone. IEEE Spring COMPCON, 1982: 133-137.
[5] Rabin M O. How to exchange secrets by oblivious transfer. Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981.
[6] Goldwasser S, Micali S, Rackoff C. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 1989, 18(1): 186-208.
[7] Joux A. A one round protocol for tripartite Diffie-Hellman. Algorithmic Number Theory (ANTS) 2000. LNCS 1838. Berlin: Springer-Verlag, 2000: 385-394.
[8] Shamir A. How to share a secret. Communications of the ACM, 1979, 22(11): 612-613.
[9] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Advances in Cryptology - CRYPTO 2001. LNCS 2139. Berlin: Springer-Verlag, 2001: 213-229.
[10] Dolev D, Yao A C. On the security of public key protocols. IEEE Transactions on Information Theory, 1983, 29(2): 198-207.
[11] Canetti R, Herzog J. Universally composable symbolic analysis of mutual authentication and key-exchange protocols. Theory of Cryptography (TCC) 2006. LNCS 3876. Berlin: Springer-Verlag, 2006: 380-403.
[12] Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer and System Sciences, 1984, 28: 270-299.
[13] Bellare M, Rogaway P. Entity authentication and key distribution. Advances in Cryptology - CRYPTO 1993. LNCS 773. Berlin: Springer-Verlag, 1993: 232-249.
[14] Feng D G. Research on theory and approach of provable security. Journal of Software, 2005, 16(10): 1743-1756. (in Chinese)
[15] Katz J, Lindell Y. Introduction to Modern Cryptography: Principles and Protocols. CRC Press, 2010. ISBN 978-7-118-07065-1.
[16] Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://eprint.iacr.org/2004/332.pdf
[17] Goldreich O. Foundations of Cryptography, Volume 1: Basic Tools. Cambridge University Press, 2001. ISBN 0-521-79172-3.
[18] Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the 1st ACM Conference on Computer and Communications Security. New York: ACM, 1993: 62-73.
[19] Canetti R, Goldreich O, Halevi S. The random oracle methodology, revisited. Proceedings of STOC 1998, Texas, USA, 1998: 209-218 (preliminary version); Journal of the ACM, 2004, 51(4): 557-594 (full version).
[20] Dolev D, Dwork C, Naor M. Non-malleable cryptography. STOC 1991. New York: ACM, 1991: 542-552.
[21] Dwork C, Naor M, Sahai A. Concurrent zero-knowledge. Journal of the ACM, 2004, 51(6): 851-898.
[22] Canetti R. Universally composable security: a new paradigm for cryptographic protocols. Electronic Colloquium on Computational Complexity (ECCC) TR01-016, 2001. Extended abstract in FOCS 2001. New York: IEEE Computer Society, 2001: 136-145.
[23] Di Raimondo M, Gennaro R. New approaches for deniable authentication. Journal of Cryptology, 2009, 22: 572-615. Preliminary version in Proceedings of CCS 2005.
[24] Feng T, Ma J F. Universally composable secure concurrent deniable authentication based on witness indistinguishability. Journal of Software, 2007, 18(11): 2871-2888. (in Chinese)
[25] Feng T, Li F H, Ma J F, Moon S J. A new approach for UC-secure concurrent deniable authentication. Science in China Series E: Information Sciences, 2008, 38(8): 1220-1233. (in Chinese)
[26] Dodis Y, Katz J, Smith A, Walfish S. Composability and on-line deniability of authentication. Theory of Cryptography (TCC) 2009. LNCS 5444. Berlin: Springer-Verlag, 2009: 146-162.
[27] Bellare M, Canetti R, Krawczyk H. A modular approach to the design and analysis of authentication and key exchange protocols. STOC 1998. New York: ACM, 1998: 419-428.
[28] Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. Advances in Cryptology - EUROCRYPT 2001. LNCS 2045. Berlin: Springer-Verlag, 2001: 453-474.
[29] LaMacchia B, Lauter K, Mityagin A. Stronger security of authenticated key exchange. ProvSec 2007. LNCS 4784. Berlin: Springer-Verlag, 2007: 1-16.
[30] Okamoto T. Authenticated key exchange and key encapsulation in the standard model. Advances in Cryptology - ASIACRYPT 2007. LNCS 4833. Berlin: Springer-Verlag, 2007: 474-484.
[31] Zhao J J, Gu D W. A provably secure two-party authenticated key agreement protocol in the eCK model. Chinese Journal of Computers, 2011, 34(1): 49-54. (in Chinese)
[32] Krawczyk H. HMQV: a high-performance secure Diffie-Hellman protocol. Advances in Cryptology - CRYPTO 2005. LNCS 3621. Berlin: Springer-Verlag, 2005: 546-566.
[33] Gennaro R, Krawczyk H, Rabin T. Okamoto-Tanaka revisited: fully authenticated Diffie-Hellman with minimal overhead. ACNS 2010. LNCS 6123. Berlin: Springer-Verlag, 2010: 309-328.
[34] Huang H. Strongly secure one round authenticated key exchange protocol with perfect forward security. ProvSec 2011. LNCS 6980. Berlin: Springer-Verlag, 2011: 389-397.
[35] Wee H. Efficient chosen-ciphertext security via extractable hash proofs. Advances in Cryptology - CRYPTO 2010. LNCS 6223. Berlin: Springer-Verlag, 2010: 314-332.
[36] Cramer R, Shoup V. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. Advances in Cryptology - EUROCRYPT 2002. LNCS 2332. Berlin: Springer-Verlag, 2002: 45-64.
[37] Paillier P. Public-key cryptosystems based on composite degree residuosity classes. Advances in Cryptology - EUROCRYPT 1999. LNCS 1592. Berlin: Springer-Verlag, 1999: 223-238.
[38] Bresson E, Catalano D, Pointcheval D. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. Advances in Cryptology - ASIACRYPT 2003. LNCS 2894. Berlin: Springer-Verlag, 2003: 37-54.
[39] Yao A C, Yao F F, Zhao Y, et al. Deniable Internet key exchange. ACNS 2010. LNCS 6123. Berlin: Springer-Verlag, 2010: 329-348.
[40] Becker K, Wille U. Communication complexity of group key distribution. Proceedings of ACM CCS 1998. New York: ACM, 1998: 1-6.
[41] Boyd C, González Nieto J M. Round-optimal contributory conference key agreement. PKC 2003. LNCS 2567. Berlin: Springer-Verlag, 2002: 161-174.
[42] Choo K K R, Boyd C, Hitchcock Y. Errors in computational complexity proofs for protocols. Advances in Cryptology - ASIACRYPT 2005. LNCS 3788. Berlin: Springer-Verlag, 2005: 624-643.
[43] Gorantla M C, Boyd C, González Nieto J M. Modeling key compromise impersonation attacks on group key exchange protocols. PKC 2009. LNCS 5443. Berlin: Springer-Verlag, 2009: 105-123.
[44] Gorantla M C, Boyd C, González Nieto J M, Manulis M. Generic one round group key exchange in the standard model. Cryptology ePrint Archive, Report 2009/514, 2009. http://eprint.iacr.org/2009/514
[45] Wu Q, Zhang Y, Tang M, Yin P, et al. Extended asymmetric group key agreement for dynamic groups and its applications. China Communications, 2011, 8(4): 32-40.
[46] Wu Q, Qin B, Zhang L, et al. Bridging broadcast encryption and group key agreement. Advances in Cryptology - ASIACRYPT 2011. LNCS 7073. Berlin: Springer-Verlag, 2011: 143-160.
[47] Zhang L, Wu Q, Qin B, et al. Identity-based authenticated asymmetric group key agreement protocol. Cryptology ePrint Archive, Report 2010/209, 2010. http://eprint.iacr.org/2010/209.pdf
[48] Lu S, Ostrovsky R, Sahai A, et al. Sequential aggregate signatures and multisignatures without random oracles. Advances in Cryptology - EUROCRYPT 2006. LNCS 4004. Berlin: Springer-Verlag, 2006: 465-485.
[49] Waters B. Efficient identity-based encryption without random oracles. Advances in Cryptology - EUROCRYPT 2005. LNCS 3494. Berlin: Springer-Verlag, 2005: 114-127.
[50] Yao A C. Protocols for secure computations. FOCS 1982. Washington: IEEE Computer Society, 1982: 160-164.
[51] Goldreich O, Micali S, Wigderson A. How to play any mental game or a completeness theorem for protocols with honest majority. STOC 1987. New York: ACM, 1987: 218-229.
[52] Cai J Y, Ge Q, Zhu H. A brief survey of advances in computational complexity theory. www.ccf.org.cn/web/resource/newspic/.../9/.../jisuanfuzaxinglilun.pdf (in Chinese)
[53] Prabhakaran M, Rosulek M. Cryptographic complexity of multi-party computation problems: classifications and separations. Advances in Cryptology - CRYPTO 2008. LNCS 5157. Berlin: Springer-Verlag, 2008: 262-279.
[54] Rosulek M. The structure of secure multi-party computation [D]. University of Illinois at Urbana-Champaign, 2009.
[55] Canetti R, Fischlin M. Universally composable commitments. Advances in Cryptology - CRYPTO 2001. LNCS 2139. Berlin: Springer-Verlag, 2001: 19-40.
[56] Canetti R, Kushilevitz E, Lindell Y. On the limitations of universally composable two-party computation without set-up assumptions. Advances in Cryptology - EUROCRYPT 2003. LNCS 2656. Berlin: Springer-Verlag, 2003: 68-86. Available at http://eprint.iacr.org/2004/116
[57] Canetti R, Kushilevitz E, Lindell Y. On the limitations of universally composable two-party computation without set-up assumptions. Journal of Cryptology, 2006, 19(2): 135-167.
[58] Kidron D, Lindell Y. Impossibility results for universal composability in public-key models and with fixed inputs. Cryptology ePrint Archive, Report 2007/478, 2007. http://eprint.iacr.org/2007/478
[59] Maji H K, Prabhakaran M, Rosulek M. Complexity of multi-party computation problems: the case of 2-party symmetric secure function evaluation. Theory of Cryptography (TCC) 2009. LNCS 5444. Berlin: Springer-Verlag, 2009: 256-273.
[60] Maji H K, Prabhakaran M, Rosulek M. A zero-one law for cryptographic complexity with respect to computational UC security. Advances in Cryptology - CRYPTO 2010. LNCS 6223. Berlin: Springer-Verlag, 2010: 595-612.
[61] Zheng Y. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption).
[62] Malone-Lee J. Identity-based signcryption. Cryptology ePrint Archive, Report 2002/098, July 2002. Available at http://eprint.iacr.org/2002/098
[63] Boyen X. Multipurpose identity-based signcryption: a Swiss army knife for identity-based cryptography. Advances in Cryptology - CRYPTO 2003. LNCS 2729. Berlin: Springer-Verlag, 2003: 383-399.
[64] Chen L, Malone-Lee J. Improved identity-based signcryption. PKC 2005. LNCS 3386. Berlin: Springer-Verlag, 2005: 362-379.
[65] Barreto P, Libert B, McCullagh N, et al. Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. Advances in Cryptology - ASIACRYPT 2005. LNCS 3788. Berlin: Springer-Verlag, 2005: 515-532.
[66] Li F G, Hu Y P, Li G. An efficient identity-based signcryption scheme. Chinese Journal of Computers, 2006, 29(9): 1641-1647. (in Chinese)
[67] Yu Y, Yang B, Sun Y, et al. Identity based signcryption scheme without random oracles. Computer Standards & Interfaces, 2009, 31(1): 56-62.
[68] Zhang B. Cryptanalysis of an identity based signcryption scheme without random oracles. Journal of Computational Information Systems, 2010, 6(6): 1923-1931.
[69] Jin Z, Wen Q, Du H. An improved semantically-secure identity-based signcryption scheme in the standard model. Computers & Electrical Engineering, 2010, 36(3): 545-552.
[70] Li F, Muhaya F, Zhang M, et al. Efficient identity-based signcryption in the standard model. ProvSec 2011. LNCS 6980. Berlin: Springer-Verlag, 2011: 120-137.
[71] Kiltz E, Vahlis Y. CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption. CT-RSA 2008. LNCS 4964. Berlin: Springer-Verlag, 2008: 221-238.
[72] Paterson K G, Schuldt J C N. Efficient identity-based signatures secure in the standard model. ACISP 2006. LNCS 4058. Berlin: Springer-Verlag, 2006: 207-222.
[73] Zhang B, Xu Q L. Identity-based multi-signcryption scheme without random oracles. Chinese Journal of Computers, 2010, 33(1): 103-110. (in Chinese)
[74] Li F, Khan M K. A survey of identity-based signcryption. IETE Technical Review, 2011, 28(3): 265-272.
[75] Li F, Hu Y, Zhang C. An identity-based signcryption scheme for multi-domain ad hoc networks. ACNS 2007. LNCS 4521. Berlin: Springer-Verlag, 2007: 373-384.
[76] Li F, Shirase M, Takagi T. Efficient multi-PKG ID-based signcryption for ad hoc networks. Inscrypt 2008. LNCS 5487. Berlin: Springer-Verlag, 2008: 289-304.
[77] Zhang J, Zou J. On the security of some multi-PKG/multi-recipient signcryption schemes. Proceedings of the 3rd International Conference on Anti-counterfeiting, Security, and Identification in Communication (ASID 2009), Hong Kong, China. NJ: IEEE Press, 2009: 497-500.
[78] Wen Y Y, Luo M, Zhao H. Research and implementation of a signcryption-based security mechanism for VoIP networks. Journal on Communications, 2010, 31(4): 8-15. (in Chinese)
[79] Ji H F, Han W B, Liu L D. Identity-based multi-PKG signcryption scheme in the standard model. Computer Engineering, 2011, 37(18): 22-24. (in Chinese)
[80] Yan L, Peng D. A new key management scheme based on threshold secret sharing. Advances in Cryptology - CHINACRYPT 2008, Wuhan, 2008: 519-523.
[81] Li J, Wei D, Kou H. Identity-based and threshold key management in mobile ad hoc networks. Proceedings of the 2nd International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM 2006), vol. 2, Wuhan, 2006: 1-4.
[82] Deng H, Mukherjee A, Agrawal D P. Threshold and identity-based key management and authentication for wireless ad hoc networks. Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04), vol. 1. Los Alamitos, CA, USA: IEEE Computer Society, 2004: 107-111.
[83] Kong J, Zerfos P, Lu H, Zhang L. Providing robust and ubiquitous security support for mobile ad-hoc networks. Proceedings of the 9th IEEE International Conference on Network Protocols (ICNP'01). Washington, DC, USA: IEEE Computer Society, 2001: 251-260.
[84] Li J, Cui G, Zhang M. Secure distributed group key management scheme for MANET. Journal of Chinese Computer Systems, 2007, 28(6): 991-997.
[85] Blom R. Non-public key distribution. Advances in Cryptology - CRYPTO 1982. 1982: 231-236.
[86] Blom R. An optimal class of symmetric key generation systems. Advances in Cryptology - EUROCRYPT 1984. LNCS 209. Berlin: Springer-Verlag, 1985: 335-338.
[87] Blundo C, De Santis A, Herzberg A, Kutten S, et al. Perfectly-secure key distribution for dynamic conferences. Advances in Cryptology - CRYPTO 1992. LNCS 740. Berlin: Springer-Verlag, 1993: 471-486.
[88] Saxena N, Tsudik G, Yi J H. Efficient node admission for short-lived mobile ad hoc networks. Proceedings of the 13th IEEE International Conference on Network Protocols (ICNP 2005). Los Alamitos, CA, USA: IEEE Computer Society, 2005: 269-278.
[89] Gennaro R, Halevi S, Krawczyk H, Rabin T. Threshold RSA for dynamic and ad-hoc groups. Advances in Cryptology - EUROCRYPT 2008. LNCS 4965. Berlin: Springer-Verlag, 2008: 88-107.
[90] Herzberg A, Jarecki S, Krawczyk H, Yung M. Proactive secret sharing or: how to cope with perpetual leakage. Advances in Cryptology - CRYPTO 1995. LNCS 963. Berlin: Springer-Verlag, 1995: 339-352.