Analysis and Design of Password-Authenticated Key Exchange Protocols in the Standard Model
Abstract
Password-authenticated key exchange (PAKE) protocols let communicating users achieve entity authentication with nothing more than a low-entropy password, and securely generate a shared high-entropy session key over an insecure channel. They avoid the preconditions of ordinary authenticated key exchange protocols, such as the existence of a public-key infrastructure or users owning secure hardware that stores a long symmetric key, and are therefore highly practical and have received wide attention. To make PAKE protocols resist offline dictionary attacks and reach their stated security goals, proving security within the theory of provable security is now the generally adopted method of protocol analysis and design. Among the models for protocol security analysis, the standard model is a more natural and more reasonable class of model than the ideal models, and it offers stronger security guarantees than they do. However, research on PAKE protocols in the standard model is still relatively scarce, and the efficiency of the existing protocols lags considerably behind that of protocols in the ideal models.
     This thesis studies the analysis and design of PAKE protocols in the standard model, focusing on the design of two-party and three-party PAKE protocols. New secure PAKE protocols are constructed for different security analysis models and under different computational hardness assumptions, so that they compete favourably with existing protocols of the same kind in both security and efficiency. The main work is as follows:
     1. Security analysis of several existing PAKE protocols designed in the standard model. The two-party PAKE protocol proposed in "Provable Secure Encrypted Key Exchange Protocol under Standard Model" is analysed and a server-impersonation attack by an outside adversary is given; the two-party PAKE protocol proposed in "Efficient Password-Based Authenticated Key Agreement Protocol under Standard Model" is analysed and an offline dictionary attack by an active outside adversary is given; the three-party PAKE protocol proposed in "Verifier-Based Password Authenticated Key Exchange for Three-party" is analysed and an offline dictionary attack by a passively eavesdropping outside adversary is given. The oversights in the design or security proofs of these protocols are also pointed out, which serves as a reference for the analysis and design of similar protocols.
     2. Design of two-party PAKE protocols in the standard model. First, using generic building blocks such as a non-interactive, perfectly binding and non-malleable commitment scheme and a smooth projective hash function family, a two-party PAKE protocol secure in the standard model is designed. It is the first two-round PAKE protocol in the standard model, and it can be instantiated into concrete protocols under different hardness assumptions such as the DDH, quadratic residuosity and N-residuosity assumptions. Second, building on the lattice-based password-authenticated key transport protocol recently proposed by Katz et al., the first lattice-based password-authenticated key exchange protocol is designed from a CCA2-secure public-key encryption scheme based on the LWE assumption, an approximate smooth projective hash function family, and error-correcting codes.
     3. Design of two-party PAKE protocols in the UC framework based on the standard model. First, the protocol proposed by Canetti et al. is improved into a new PAKE protocol that is likewise provably UC-secure in the standard model but has higher communication and computation efficiency. Second, by constructing a non-malleable, extractable and weakly simulation-sound trapdoor commitment scheme together with a corresponding smooth projective hash function family, an efficient UC-secure two-party PAKE protocol is designed. Its design approach is entirely different from that of Canetti et al.: it avoids zero-knowledge proof protocols and, at comparable computational complexity, substantially improves communication efficiency, making it the first PAKE protocol to reach the optimal two rounds in the UC framework.
     4. Design of three-party PAKE protocols in the standard model. A PAKE protocol secure in the standard model is designed for the three-party setting and its security is proven in the Real-or-Random model. The protocol provides semantic security of the session key, key privacy against an honest-but-curious server, and mutual authentication between client and server. Compared with the generic construction of three-party PAKE protocols, it reduces both the number of communication rounds and the computational complexity.
Password-authenticated key exchange (PAKE) protocols allow parties sharing only a low-entropy, human-memorable password to authenticate each other and establish a common session key over an insecure channel. Since PAKE protocols require neither a public-key infrastructure nor trusted hardware for storing high-entropy secrets, they have attracted much attention since their introduction. To guarantee that PAKE protocols resist off-line dictionary attacks and securely realize their design goals, the usual approach is to base protocol design and analysis on the theory of provable security. Among security models, the standard model is more natural and, as its name suggests, more standard than ideal models such as the random oracle model and the ideal cipher model. However, for various reasons, far fewer protocols carry a security proof in the standard model than in the ideal models, and the computational and communication efficiency of those protocols is also lower.
     In this thesis we address the problem of analyzing and designing PAKE protocols that are provably secure in the standard model, in particular two-party and three-party PAKE protocols. We have designed several new secure PAKE protocols under different security models and different computational hardness assumptions, such that they are more efficient in terms of computational complexity or communication cost. Starting from this point, we carried out in-depth research on the analysis and design of PAKE protocols and obtained the following results.
     1. Several existing PAKE protocols designed in the standard model are analyzed. Firstly, a cryptanalysis of the protocol proposed by Yin et al. in "Provable Secure Encrypted Key Exchange Protocol under Standard Model" is presented, with a concrete attack in which an outside adversary impersonates a valid server. Secondly, the protocol proposed by Shu et al. in "Efficient Password-Based Authenticated Key Agreement Protocol under Standard Model" is analyzed, and an off-line dictionary attack conducted by an active outside adversary is introduced. Thirdly, the protocol proposed by Li et al. in "Verifier-Based Password Authenticated Key Exchange for Three-party" is shown to be vulnerable to an off-line dictionary attack by any passive outside adversary. Further, the errors in the original protocol designs and security proofs are analyzed, which may be instructive for future PAKE protocol design.
     2. Two-party PAKE protocols provably secure in the well-known Real-or-Random model are studied. Firstly, using a non-interactive, perfectly binding and non-malleable commitment scheme and a smooth projective hash function family, we propose a two-party PAKE protocol in the standard model, which is the first such protocol achieving the optimal two rounds. Since generic building blocks are used, the protocol can be efficiently instantiated with primitives based on the DDH, Quadratic Residuosity or N-Residuosity assumptions. Secondly, using a CCA2-secure public-key encryption scheme based on the LWE assumption, an approximate smooth projective hash function family, and error-correcting codes, we construct a lattice-based two-party PAKE protocol and prove its security rigorously. Note that the protocol introduced by Katz and Vaikuntanathan is in fact a key transport protocol; ours is the first true key exchange protocol in this setting.
     3. Two-party PAKE protocols designed in the UC framework under standard assumptions are presented. Firstly, based on Canetti et al.'s protocol we propose a new protocol that is also proven secure in the UC framework but with improved communication and computation performance. Secondly, we adopt a design approach entirely different from that of Canetti et al.'s protocol and design an efficient protocol provably secure in the UC framework. To this end, we first give a new definition for commitments, called weak simulation-sound trapdoor commitment. We then present a concrete construction of a non-malleable, extractable and weakly simulation-sound commitment scheme, together with the corresponding smooth projective hash function family. By means of these new building blocks, our protocol avoids zero-knowledge protocols and achieves high communication efficiency; it is the first two-round PAKE protocol in the UC framework.
     4. We introduce a new PAKE protocol optimized for the three-party setting; the resulting protocol is more efficient than the generic construction in terms of both the number of rounds and the computational complexity. The protocol is also provably secure in the Real-or-Random model for three-party PAKE, providing semantic security of the session keys, key privacy against an honest-but-curious server, and resistance to undetectable on-line dictionary attacks.
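The security goal stated in the abstract, a transcript from which a passive eavesdropper cannot verify password guesses off-line, is illustrated by the following added example. It is not part of the thesis and implements none of the protocols the thesis describes. It contrasts a constructed, deliberately weak challenge-response scheme, whose recorded transcript confirms dictionary guesses with no further interaction, with a minimal SPEKE-style (Jablon) password-authenticated Diffie-Hellman exchange, whose transcript is consistent with every guess. Hashing the password to a group generator is a random-oracle-style step, not one of the standard-model SPHF constructions the thesis studies; the group is a toy 64-bit safe prime generated at run time, and the dictionary, passwords and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Miller-Rabin with these fixed bases is exact for all n < 3.3e24, which covers
# the toy 64-bit parameters generated below.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(q_bits: int = 64):
    """(p, q) with p = 2q + 1 both prime. Toy size and a deterministic search;
    a real deployment uses a standardised group of 2048 bits or more."""
    q = (1 << (q_bits - 1)) | 1              # smallest odd q_bits-bit integer
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

def naive_response(password: str, nonce: bytes) -> bytes:
    """Constructed weak scheme: the client 'proves' the password with HMAC(pw, nonce)."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()

def offline_check_naive(nonce: bytes, tag: bytes, dictionary) -> list:
    """Guesses the recorded (nonce, tag) confirms with no further interaction:
    exactly the off-line dictionary attack that PAKE is meant to rule out."""
    return [pw for pw in dictionary
            if hmac.compare_digest(naive_response(pw, nonce), tag)]

def password_generator(password: str, p: int) -> int:
    """SPEKE-style mapping of the password into the order-q subgroup: H(pw)^2 mod p."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = 1
    while g == 1:                            # skip the degenerate base p - 1
        g = pow(h % (p - 2) + 2, 2, p)       # base in [2, p-1], squared -> residue
        h += 1
    return g

def enc(v: int, p: int) -> bytes:
    """Fixed-width encoding of a group element for hashing."""
    return v.to_bytes((p.bit_length() + 7) // 8, "big")

def pake_message(password: str, p: int, q: int):
    """One party's flow: a random exponent x in [1, q-1] and the value g^x it sends."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(password_generator(password, p), x, p)

def pake_key(x: int, peer_value: int, p: int, q: int, transcript: bytes) -> bytes:
    """Session key from the peer's value; small-order inputs are rejected first."""
    if peer_value in (0, 1, p - 1) or pow(peer_value, q, p) != 1:
        raise ValueError("peer value is not in the order-q subgroup")
    return hashlib.sha256(transcript + enc(pow(peer_value, x, p), p)).digest()

def consistent_with_guess(value: int, guess: str, p: int, q: int) -> bool:
    """All a passive eavesdropper can test on a recorded g^x: is it in the subgroup
    generated by the guessed base g'? g' has prime order q, so <g'> is the whole
    quadratic-residue subgroup and every guess passes: the transcript leaks nothing."""
    g_guess = password_generator(guess, p)
    return pow(g_guess, q, p) == 1 and pow(value, q, p) == 1

def demo():
    """Run both schemes on a constructed dictionary. Returns what an eavesdropper
    confirms in each case, whether the PAKE parties agree, and whether a wrong
    password gives a different key (a key-confirmation step, not shown, detects it)."""
    p, q = find_safe_prime(64)
    dictionary = ["letmein", "hunter2", "correct horse", "Passw0rd!"]  # constructed
    real_pw = "hunter2"
    nonce = secrets.token_bytes(16)
    naive_hits = offline_check_naive(nonce, naive_response(real_pw, nonce), dictionary)
    x, X = pake_message(real_pw, p, q)
    y, Y = pake_message(real_pw, p, q)
    transcript = enc(X, p) + enc(Y, p)
    key_a = pake_key(x, Y, p, q, transcript)
    key_b = pake_key(y, X, p, q, transcript)
    pake_hits = [pw for pw in dictionary if consistent_with_guess(X, pw, p, q)]
    z, Z = pake_message("letmein", p, q)     # one side holds the wrong password
    key_wrong = pake_key(z, X, p, q, enc(X, p) + enc(Z, p))
    return naive_hits, pake_hits, key_a == key_b, key_wrong != key_a
```

Calling `demo()` returns the single confirmed password for the weak scheme, the full dictionary (no guess eliminated) for the PAKE exchange, and two booleans showing that matching passwords agree on a key while a mismatched one does not. With the toy 64-bit group the discrete logarithm is of course computable, so the parameters only illustrate the structure; the property being shown is that the PAKE transcript carries no password-dependent information an off-line check could use, which is what the standard-model constructions in the thesis achieve with commitments and smooth projective hashing instead of a hash-to-group step.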
References
[1] A. J. Menezes, P. C. Oorschot, S. A. Vanstone. Handbook of Applied Cryptography [M]. New York: CRC Press, 1997: 489-534.
[2] L. Gong, M. Lomas, R. Needham, J. Saltzer. Protecting poorly chosen secrets from guessing attacks [J]. IEEE Journal on Selected Areas in Communications, 1993, 11(5): 648-656.
[3] S. Halevi, H. Krawczyk. Public-key cryptography and password protocols [J]. ACM Trans. on Information and Systems Security, 1999, 2(3): 230-268.
[4] Y. Cliff, Y. S. T. Tin, C. Boyd. Password based server aided key exchange [A]. In: Proc. ACNS 2006 [C], LNCS 3989, Springer-Verlag, 2006: 146-161.
[5] M. Burmester. Cryptanalysis of the Chang-Wu-Chen Key Distribution System [A]. In: Proc. EUROCRYPT 1993 [C], LNCS 2656, Springer-Verlag, 1993: 440-442.
[6] K. K. R. Choo. Key establishment: proofs and refutations [D]. Australia: Queensland University of Technology, 2006.
[7] D. G. Feng. Research on theory and approach of provable security [J]. Journal of Software, 2005, 16(10): 1743-1755. (in Chinese)
[8] S. Goldwasser, S. Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information [A]. In: Proc. the 14th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1982: 365-377.
[9] M. Bellare, P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols [A]. In: Proc. the 1st ACM Conference on Computer and Communications Security [C], ACM Press, 1993: 62-73.
[10] M. Bellare, A. Boldyreva, A. Palacio. An uninstantiable random-oracle model scheme for a hybrid-encryption problem [A]. In: Proc. EUROCRYPT 2004 [C], LNCS 3027, Springer-Verlag, 2004: 171-188.
[11] R. Canetti, O. Goldreich, S. Halevi. The random oracle methodology, revisited [A]. In: Proc. the 30th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1998: 209-218.
[12] R. Canetti, O. Goldreich, S. Halevi. On the random-oracle methodology as applied to length-restricted signature schemes [A]. In: Proc. TCC 2004 [C], LNCS 2951, Springer-Verlag, 2004: 40-57.
[13] C. Shannon. Communication theory of secrecy systems [J]. Bell Systems Technical Journal, 1949, 28(4): 656-715.
[14] J. Black. The Ideal-Cipher Model, revisited: An uninstantiable blockcipher-based hash function [A]. In: Proc. FSE 2006 [C], LNCS 4047, Springer-Verlag, 2005: 328-340.
[15] J. Coron, J. Patarin, Y. Seurin. The random oracle model and the ideal cipher model are equivalent [A]. In: Proc. CRYPTO 2008 [C], LNCS 5157, Springer-Verlag, 2008: 1-20.
[16] M. Bellare, P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical [A]. In: Proc. CRYPTO 1997 [C], Springer-Verlag, 1997: 320-335.
[17] O. Goldreich. Foundations of Cryptography: Basic Applications [M]. England: Cambridge University Press, 2004.
[18] Y. Yin, B. Li. Provable secure encrypted key exchange protocol under standard model [J]. Journal of Software, 2007, 18(2): 422-429. (in Chinese) Also available from http://www.jos.org.cn/1000-9825/18/422.htm
[19] J. Shu, C. X. Xu. Efficient password-based authenticated key agreement protocol under standard model [J]. Journal of Electronics & Information Technology, 2009, 31(11): 2716-2719. (in Chinese)
[20] W. M. Li, Q. Y. Wen, H. Zhang. Verifier-based password authenticated key exchange for three-party [J]. Journal on Communications, 2008, 29(10): 149-152. (in Chinese)
[21] J. Katz, V. Vaikuntanathan. Smooth projective hashing and password-based authenticated key exchange from lattices [A]. In: Proc. ASIACRYPT 2009 [C], LNCS 5912, Springer-Verlag, 2009: 636-652.
[22] R. Canetti, S. Halevi, J. Katz, Y. Lindell, P. MacKenzie. Universally composable password-based key exchange [A]. In: Proc. EUROCRYPT 2005 [C], LNCS 3494, Springer-Verlag, 2005: 404-421.
[23] C. Boyd, A. Mathuria. Protocols for Authentication and Key Establishment [M]. Berlin: Springer-Verlag, 2003.
[24] M. Manulis. Survey on security requirements and models for group key exchange [EB/OL]. Available from http://eprint.iacr.org/2006/388.pdf, 2006.
[25] A. J. Menezes, M. Qu, S. A. Vanstone. Some new key agreement protocols providing implicit authentication [A]. In: Proc. SAC 1995 [C], Ottawa, Canada, 1995: 22-32.
[26] H. Krawczyk. HMQV: A high-performance secure Diffie-Hellman protocol [A]. In: Proc. CRYPTO 2005 [C], LNCS 3621, Springer-Verlag, 2005: 546-566.
[27] S. M. Bellovin, M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks [A]. In: Proc. IEEE Symposium on Research in Security and Privacy [C], IEEE Computer Society, 1992: 72-84.
[28] S. M. Bellovin, M. Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise [A]. In: Proc. the 1st ACM Conference on Computer and Communications Security [C], ACM Press, 1993: 244-250.
[29] M. Steiner, G. Tsudik, M. Waidner. Refinement and extension of encrypted key exchange [J]. ACM SIGOPS Operating Systems Review, 1995, 29(3): 22-30.
[30] T. Wu. The secure remote password protocol [A]. In: Proc. 1998 Internet Society Symposium on Network and Distributed System Security [C], 1998: 97-111.
[31] M. Bellare, P. Rogaway. Entity authentication and key distribution [A]. In: Proc. CRYPTO 1993 [C], LNCS 773, Springer-Verlag, 1993: 232-249.
[32] M. Bellare, P. Rogaway. Provably secure session key distribution: the three party case [A]. In: Proc. the 27th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1995: 57-66.
[33] M. Bellare, R. Canetti, H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols [A]. In: Proc. the 30th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1998: 419-428.
[34] R. Canetti, H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels [A]. In: Proc. EUROCRYPT 2001 [C], LNCS 2045, Springer-Verlag, 2005: 453-474.
[35] B. LaMacchia, K. Lauter, A. Mityagin. Stronger security of authenticated key exchange [A]. In: Proc. ProvSec 2007 [C], LNCS 4784, Springer-Verlag, 2007: 1-16.
[36] M. Bellare, D. Pointcheval, P. Rogaway. Authenticated key exchange secure against dictionary attack [A]. In: Proc. EUROCRYPT 2000 [C], LNCS 1807, Springer-Verlag, 2000: 139-155.
[37] V. Boyko, P. MacKenzie, S. Patel. Provably secure password-authenticated key exchange using Diffie-Hellman [A]. In: Proc. EUROCRYPT 2000 [C], LNCS 1807, Springer-Verlag, 2000: 156-171.
[38] M. Abdalla, P. Fouque, D. Pointcheval. Password-based authenticated key exchange in the three-party setting [A]. In: Proc. PKC 2005 [C], LNCS 3386, Springer-Verlag, 2005: 65-84.
[39] O. Goldreich. Foundations of Cryptography: Basic Tools [M]. England: Cambridge University Press, 2001.
[40] C. Rackoff, D. R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack [A]. In: Proc. CRYPTO 1991 [C], LNCS 576, Springer-Verlag, 1992: 433-444.
[41] M. Naor, M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks [A]. In: Proc. the 22nd Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1990: 427-437.
[42] S. Goldwasser, S. Micali. Probabilistic encryption [J]. Journal of Computer and System Sciences, 1984, 28: 270-299.
[43] V. Shoup. A proposal for an ISO standard for public key encryption [EB/OL]. Available from http://eprint.iacr.org/2001/112, 2001.
[44] R. Gennaro, Y. Lindell. A framework for password-based authenticated key exchange [A]. In: Proc. EUROCRYPT 2003 [C], LNCS 2656, Springer-Verlag, 2003: 524-543.
[45] R. Gennaro. Faster and shorter password-authenticated key exchange [A]. In: Proc. TCC 2008 [C], LNCS 4948, Springer-Verlag, 2008: 586-606.
[46] D. Dolev, C. Dwork, M. Naor. Non-malleable cryptography [J]. SIAM Journal on Computing, 2000, 30(2): 391-437.
[47] M. Bellare, A. Desai, D. Pointcheval, P. Rogaway. Relations among notions of security for public-key encryption schemes [A]. In: Proc. CRYPTO 1998 [C], LNCS 1462, Springer-Verlag, 1998: 26-45.
[48] R. Cramer, V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption [A]. In: Proc. EUROCRYPT 2002 [C], LNCS 2332, Springer-Verlag, 2002: 45-64.
[49] S. Goldwasser, S. Micali, R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks [J]. SIAM Journal on Computing, 1988, 17(2): 281-308.
[50] P. MacKenzie. The PAK suite: Protocols for password authenticated key exchange [EB/OL]. Technical Report 2002-46, DIMACS, http://dimacs.rutgers.edu/TechnicalReports/abstract/2002/2002-46.html, October 2002.
[51] S. H. Wu. Design and analysis of password-authenticated key establishment protocols [D]. Zhengzhou: Institute of Information Engineering, Information Engineering University, 2008. (in Chinese)
[52] O. Goldreich, Y. Lindell. Session key generation using human passwords only [A]. In: Proc. CRYPTO 2001 [C], LNCS 2139, Springer-Verlag, 2001: 408-432.
[53] J. Katz, R. Ostrovsky, M. Yung. Practical password-authenticated key exchange provably secure under standard assumptions [A]. In: Proc. EUROCRYPT 2001 [C], LNCS 2045, Springer-Verlag, 2001: 475-494.
[54] R. Cramer, V. Shoup. A practical public key cryptosystem provably secure against chosen ciphertext attack [A]. In: Proc. CRYPTO 1998 [C], LNCS 1462, Springer-Verlag, 1998: 13-25.
[55] S. Q. Jiang, G. Gong. Password based key exchange with mutual authentication [A]. In: Proc. SAC 2004 [C], LNCS 3357, Springer-Verlag, 2004: 267-279.
[56] S. W. Lee, H. S. Kim, K. Y. Yoo. Efficient verifier-based key agreement protocol for three parties without server's public key [J]. Applied Mathematics and Computation, 2005, 167(2): 996-1003.
[57] J. O. Kwon, I. R. Jeong, K. Sakurai. Efficient verifier-based password authentication key exchange in the three party setting [J]. Computer Standards and Interfaces, 2008, 29(2): 513-520.
[58] D. Micciancio, O. Regev. Lattice-based cryptography [A]. In: Proc. Post Quantum Cryptography [C], Springer-Verlag, 2009: 147-191.
[59] P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring [A]. In: Proc. the 35th Annual IEEE Symposium on the Foundations of Computer Science (FOCS) [C], IEEE Computer Society, 1994: 124-134.
[60] C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem [A]. In: Proc. the 41st Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 2009: 333-342.
[61] O. Regev. On lattices, learning with errors, random linear codes, and cryptography [A]. In: Proc. the 37th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 2005: 84-93.
[62] M. Ajtai. Generating hard instances of lattice problems (extended abstract) [A]. In: Proc. the 28th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1996: 99-108.
[63] C. Peikert, B. Waters. Lossy trapdoor functions and their applications [A]. In: Proc. the 40th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 2008: 187-196.
[64] C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem [A]. In: Proc. the 41st Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 2009: 333-342.
[65] A. Rosen, G. Segev. Chosen-ciphertext security via correlated products [A]. In: Proc. TCC 2009 [C], LNCS 5444, Springer-Verlag, 2009: 419-436.
[66] M. Naor, M. Yung. Universal one-way hash functions and their cryptographic applications [A]. In: Proc. the 21st Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1989: 33-43.
[67] J. Hastad, R. Impagliazzo, L. A. Levin, M. Luby. A pseudorandom generator from any one-way function [J]. SIAM Journal on Computing, 1999, 28(4): 1364-1396.
[68] M. Abdalla, O. Chevassut, D. Pointcheval. One-time verifier-based encrypted key exchange [A]. In: Proc. PKC 2005 [C], LNCS 3386, Springer-Verlag, 2005: 47-64.
[69] M. Abdalla, D. Pointcheval. Simple password-based authenticated key protocols [A]. In: Proc. CT-RSA 2005 [C], LNCS 3376, Springer-Verlag, 2005: 191-208.
[70] S. Park, J. Nam, S. Kim, D. Won. Efficient password-authenticated key exchange based on RSA [A]. In: Proc. CT-RSA 2007 [C], LNCS 4377, Springer-Verlag, 2006: 309-323.
[71] M. Bellare, P. Rogaway. The AuthA protocol for password-based authenticated key exchange [EB/OL]. Contributions to IEEE P1363, available from http://grouper.ieee.org/groups/1363/passwdPK/contributions.html, March 2000.
[72] E. Bresson, O. Chevassut, D. Pointcheval. Security proofs for an efficient password-based key exchange [A]. In: Proc. the 10th ACM Conference on Computer and Communications Security [C], ACM Press, 2003: 241-250.
[73] R. Canetti. Universally composable security: a new paradigm for cryptographic protocols [A]. In: Proc. the 42nd IEEE Symposium on Foundations of Computer Science (FOCS) [C], IEEE Computer Society, 2001: 136-145.
[74] R. Canetti, T. Rabin. Universal composition with joint state [A]. In: Proc. CRYPTO 2003 [C], LNCS 2729, Springer-Verlag, 2003: 265-281.
[75] R. Canetti, H. Krawczyk. Universally composable notions of key exchange and secure channels [A]. In: Proc. EUROCRYPT 2002 [C], LNCS 2332, Springer-Verlag, 2002: 337-351.
[76] A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security [A]. In: Proc. the 40th IEEE Symposium on Foundations of Computer Science (FOCS) [C], IEEE Computer Society, 1999: 543-553.
[77] A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai. Robust non-interactive zero-knowledge [A]. In: Proc. CRYPTO 2001 [C], LNCS 2139, Springer-Verlag, 2001: 566-598.
[78] J. Garay, P. MacKenzie, K. Yang. Strengthening zero-knowledge protocols using signatures [A]. In: Proc. EUROCRYPT 2003 [C], LNCS 2656, Springer-Verlag, 2003: 177-194.
[79] M. Abdalla, D. Catalano, C. Chevalier, D. Pointcheval. Efficient two-party password-based key exchange protocols in the UC framework [A]. In: Proc. CT-RSA 2008 [C], LNCS 4964, Springer-Verlag, 2008: 335-351.
[80] M. Abdalla, C. Chevalier, D. Pointcheval. Smooth projective hashing for conditionally extractable commitments [A]. In: Proc. CRYPTO 2009 [C], LNCS 5677, Springer-Verlag, 2009: 671-689.
[81] R. Canetti, M. Fischlin. Universally composable commitments [A]. In: Proc. CRYPTO 2001 [C], LNCS 2139, Springer-Verlag, 2001: 19-40.
[82] D. Beaver. Adaptive zero-knowledge and computational equivocation [A]. In: Proc. the 28th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 1996: 187-196.
[83] P. MacKenzie, K. Yang. On simulation-sound trapdoor commitments [A]. In: Proc. EUROCRYPT 2004 [C], LNCS 3027, Springer-Verlag, 2004: 382-400.
[84] P. Paillier. Public-key cryptosystems based on composite degree residue classes [A]. In: Proc. EUROCRYPT 1999 [C], LNCS 1592, Springer-Verlag, 1999: 223-228.
[85] I. Damgård, M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system [A]. In: Proc. the 4th International Workshop on Practice and Theory in Public Key Cryptography [C], 2001: 119-136.
[86] J. Camenisch, V. Shoup. Practical verifiable encryption and decryption of discrete logarithms [A]. In: Proc. CRYPTO 2003 [C], LNCS 2729, Springer-Verlag, 2003: 126-144.
[87] J. Camenisch, V. Shoup, E. Bresson, D. Catalano, D. Pointcheval. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications [A]. In: Proc. ASIACRYPT 2003 [C], LNCS 2894, Springer-Verlag, 2003: 37-54.
[88] R. Nishimaki, E. Fujisaki, K. Tanaka. Efficient non-interactive universally composable string-commitment schemes [A]. In: Proc. ProvSec 2009 [C], LNCS 5848, Springer-Verlag, 2009: 3-18.
[89] C. Peikert, B. Waters. Lossy trapdoor functions and their applications [A]. In: Proc. the 40th Annual ACM Symposium on Theory of Computing (STOC) [C], ACM Press, 2008: 187-196.
[90] S. Even, O. Goldreich, S. Micali. On-line/off-line digital signature [J]. Journal of Cryptology, 1996, 12(9): 35-67.
[91] J. Hastad, R. Impagliazzo, L. A. Levin, M. Luby. A pseudorandom generator from any one-way function [J]. SIAM Journal on Computing, 1999, 28(4): 1364-1396.
[92] W. Wang, L. Hu. Efficient and provably secure generic construction of three-party password-based authenticated key exchange protocols [A]. In: Proc. INDOCRYPT 2006 [C], LNCS 4329, Springer-Verlag, 2006: 118-132.
[93] M. Abdalla, D. Pointcheval. Interactive Diffie-Hellman assumptions with applications to password-based authentication [A]. In: Proc. FC 2005 [C], LNCS 3570, Springer-Verlag, 2005: 341-356.
[94] D. N. E, Q. F. Cheng, C. G. Ma. Password authenticated key exchange based on RSA in the three party setting [A]. In: Proc. ProvSec 2009 [C], LNCS 5848, Springer-Verlag, 2009: 168-182.
[95] R. X. Lu, Z. F. Cao. Simple three-party key exchange protocol [J]. Computers and Security, 2007, 26(1): 94-97.
[96] S. H. Wu, Y. F. Zhu. Three-party password-based authenticated key exchange with forward security [J]. Chinese Journal of Computers, 2007, 30(10): 1833-1841.