Research on UC Security Theory and Its Applications
Abstract
With the development of the Internet and e-commerce technology, people depend increasingly on the network for activities such as electronic cash transactions, electronic auctions, electronic bidding and the signing of electronic contracts. At the same time, security has become a problem that cannot be ignored. In complex networked and distributed environments, a single protocol clearly no longer meets users' needs; more and more often, several protocols must be combined, and whether protocols that are individually secure remain secure once composed has become an important problem in the security field. UC security (Universally Composable Security), proposed by Canetti, has become an important tool for solving the protocol composition problem.
As a provable-security method, the UC framework defines a complete set of security models for proving the security of composed protocols in complex environments. UC security follows a modular approach: a protocol proven UC secure can be used as a module in a complex network environment and composed with other protocols without breaking the security of the composed protocol. That is, several protocols each proven UC secure in the UC framework remain secure after composition.
This thesis studies the theory and applications of UC security. It analyzes in depth the existing basic UC framework and its extensions, and proposes analyzing UC security from the perspective of the participants; it studies the application of the UC framework to security protocols, and designs and proves a UC secure signcryption protocol.
First, the thesis surveys in detail the theoretical development of the UC framework, the existing trust models and their applications. It analyzes the basic UC theory in detail, derives the UC theorem, and then analyzes JUC and GUC. Because many cryptographic protocols still cannot be UC securely realized in the plain model, many idealized trust models have been proposed to address this; the thesis studies some typical existing trust models in depth.
Second, since the UC framework is one kind of security model, the thesis compares it with the two typical models of provable security, the random oracle model and the standard model, identifying their intrinsic connections and differences from both theoretical and applied perspectives, to gain a deeper understanding of the provable security of protocols. In addition, it is the first to discuss UC theory from the perspective of the participants. It first studies weighted participants: by giving each participant a weight attribute, it addresses the problem of adversarial corruption of participants when participants carry different weights. It then takes a game-theoretic viewpoint and explores rational participants, who decide their behavior according to the benefit they obtain.
Third, the importance of UC security urgently requires that basic cryptographic protocols be securely realized in the UC framework, so that they can be used directly as basic modules when composing protocols. Some cryptographic protocols, such as encryption, digital signatures and zero-knowledge proofs, have already been designed and proven secure in the UC framework. This thesis studies signcryption protocols in the UC framework under the KR model. Based on the security requirements of signcryption, it proposes an ideal functionality for signcryption and designs a generalized form of the protocol accordingly; it then uses simulation techniques, following the definition of UC security, to prove that the designed generalized protocol securely realizes the ideal functionality, i.e. that the generalized protocol is UC secure. It also discusses the existential unforgeability of the designed protocol in the UC framework, proving its security by contradiction. Finally, it designs a concrete signcryption protocol that satisfies UC security.
With the development of the Internet and e-business, society's reliance on the network is growing, for example in e-cash transactions, e-auctions, e-bidding and the signing of e-contracts. At the same time, security issues have become a problem that cannot be ignored. In complex, distributed network environments a single protocol is clearly unable to meet users' needs, and many protocols must be combined. Whether security can be guaranteed when a secure protocol is composed with an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system, has become an important issue in the security field. Canetti proposed UC security (Universally Composable Security) as an important means of solving the protocol composition problem. In this thesis, we focus on UC framework theory and its applications.
As a method of provable security, the UC framework defines a set of security models for establishing the security of composed protocols in complex network environments. UC security adopts a modular approach: in the UC framework, a protocol proved to be UC secure acts as a module in a complex network environment, and composing it with other protocols does not destroy the security of the composed protocol. That is, a protocol composed of several separately UC secure protocols is still secure.
In this thesis, we mainly study two aspects of UC security analysis: UC theory and the applications of the UC framework to secure protocols. We study the basic UC framework theory and its extensions in depth, propose analyzing it from the perspective of the participants, and design and prove a UC secure signcryption protocol.
First of all, we summarize in detail the development of UC framework theory, the trust assumptions and the applications. A detailed analysis of UC theory is conducted, yielding the central result, the UC theorem. The JUC and GUC theories are also covered. In the plain model, many cryptographic protocols still cannot be UC securely realized. To address this problem, many idealized models have been proposed, each introducing some trust assumption; these assumptions are studied in depth in this thesis.
As a security model, the UC framework is compared with the random oracle model and the standard model. To gain a deeper understanding, we analyze them and try to identify their intrinsic connections and differences. In addition, the UC theory is discussed for the first time from the perspective of the participants. First, weighted parties are studied: we give each party a weight attribute to handle the case where parties have different weights, especially when the adversary corrupts parties. Second, from a game-theoretic point of view, we propose considering the behavior of rational participants according to the benefits they obtain.
Because of the importance of UC security, it is urgently required that cryptographic primitives be UC securely realized in the UC framework, so that they can be used as basic modules in protocol compositions. Some cryptographic protocols, such as encryption, digital signatures and zero-knowledge proofs, have already been designed in the UC framework and proved secure. In the UC framework, based on the KR model, a signcryption protocol is discussed. According to the security requirements of signcryption protocols, an ideal functionality is presented and a generalized protocol is designed. The UC security proof follows, showing that the protocol securely realizes the ideal functionality. At the same time, existential unforgeability against chosen message attacks is discussed in the UC setting and proved. Finally, a concrete signcryption protocol is given, which is likewise UC secure.