Research on Authenticated Key Exchange Protocols and Their Security Models
Abstract
Key exchange protocols allow two communicating parties to establish a common session key over a public channel. The session key is then used as the key of a symmetric cipher to protect the confidentiality and integrity of the subsequent communication. Research on key exchange has accompanied the development of public-key cryptography from the start, and, like encryption and signatures, it has become one of the basic problems of cryptographic research. Since the basic Diffie-Hellman protocol cannot resist man-in-the-middle attacks, researchers have studied extensively and in depth how to provide it with authentication. However, because the security goals of authenticated key exchange protocols are diverse and complex, modelling them properly and proving their security is not a simple task.
This thesis further studies authenticated key exchange protocols and their security models. The main results are as follows:
1. We study in depth the well-known work of Blake-Wilson, Johnson and Menezes (BJM97). We find that the BJM97 model does not adequately capture the adversary's capabilities in the public-key setting. We modify the BJM97 model by introducing a new EstablishParty query and using a revised Corrupt query, and thereby obtain the BJM97+ model. Notably, when the original BJM97 Protocol 1 and Protocol 2 are re-examined in the new BJM97+ model, their security proofs no longer hold: specifically, the proofs of security under the computational Diffie-Hellman (CDH) assumption break down. We therefore modify BJM97 Protocol 1 and Protocol 2 and prove that the modified protocols are secure in the BJM97+ model under the Gap Diffie-Hellman (GDH) assumption.
2. We systematically study authenticated key exchange protocols that are secure in the recently proposed enhanced Canetti-Krawczyk (eCK) model. We are the first to propose a family of identity-based authenticated key exchange protocols provably secure in the eCK model, comprising one-pass, two-pass and three-pass protocols. Our protocols apply the trapdoor test technique proposed by Cash, Kiltz and Shoup at Eurocrypt 2008. The specific results are as follows:
● First, we adapt the eCK model to the identity-based setting, and give a new freshness definition for one-pass authenticated key exchange protocols in the eCK model.
● Second, we propose a new two-pass authenticated key exchange protocol, HC09, and give the corresponding one-pass protocol as well as a three-pass protocol with explicit authentication.
● Finally, we prove that these protocols are secure in the eCK model under the standard Bilinear Diffie-Hellman (BDH) assumption. To the best of our knowledge, they are the first identity-based authenticated key exchange protocols secure in the eCK model.
3. We further study security models for authenticated key exchange protocols. We find that although the freshness definition for two-pass protocols in the eCK model is already quite strong, the freshness definition for three-pass protocols with key confirmation leaves room for improvement. We obtain the following results:
● First, we further strengthen the eCK freshness definition for three-pass protocols with key confirmation by introducing what we call strong key compromise impersonation resilience, and thereby propose a new model, eCK+. We point out that protocols previously proven secure in other models are no longer secure in our eCK+ model.
● Then, we propose a new three-pass authenticated key exchange protocol, SIG-DH+, and prove that it is secure in the eCK+ model.
4. We study group authenticated key exchange protocols that resist insider attacks. To date, every insider-resistant group authenticated key exchange protocol has used signatures, so each participant must verify at least n-1 signatures, where n is the number of participants. We propose a new insider-resistant group authenticated key exchange protocol that uses no signatures. The main idea is to use a signature-free two-party authenticated key exchange protocol; this two-party protocol can replace signatures for authenticating the other participants' session identifiers. We prove that if the underlying two-party authenticated key exchange protocol is secure, then our group protocol resists insider attacks. Compared with the earlier signature-based group protocols, ours is clearly more efficient.
English abstract
Key exchange (KE) protocols allow parties to establish a common session key over an unsecured channel; the session key is then used as the key of a symmetric cryptographic algorithm to guarantee the confidentiality and integrity of the subsequent communication. Key exchange has become one of the basic cryptographic primitives, alongside encryption and signatures. Since the Diffie-Hellman protocol is susceptible to man-in-the-middle (MITM) attacks, a lot of work has focused on adding authentication to it, i.e. on authenticated key exchange (AKE) protocols. However, identifying and modelling the exact security requirements of authenticated key exchange protocols has proven to be a non-trivial task. This thesis does further research on key exchange protocols and their security models. The main results are as follows:
1. We study the well-known Blake-Wilson, Johnson and Menezes (BJM97) protocols. We find that the BJM97 model fails to model the adversary's capabilities in the public-key setting well. We propose the BJM97+ model by introducing a new EstablishParty query and using a modified Corrupt query. Notably, the security proofs of BJM97 Protocol 1 and Protocol 2 are no longer correct when the protocols are examined in the BJM97+ model; specifically, neither remains provably secure under the computational Diffie-Hellman (CDH) assumption. We then introduce modified versions of BJM97 Protocol 1 and Protocol 2 and prove that they are secure in the BJM97+ model under the Gap Diffie-Hellman (GDH) assumption.
2. We study key exchange protocols in the newly proposed enhanced Canetti-Krawczyk (eCK) model. Using a new technique proposed by Cash, Kiltz and Shoup at Eurocrypt 2008, we are the first to propose a family of ID-based key exchange protocols in the eCK model, including one-pass, two-pass and three-pass protocols. The main results are as follows:
First, we adapt the eCK model to the ID-based setting and give a new freshness definition for the one-pass protocol.
Second, we propose a new two-pass authenticated key exchange protocol, HC09, and derive the corresponding one-pass and three-pass authenticated key exchange protocols.
Finally, we prove that the protocols are secure in the eCK model under the Bilinear Diffie-Hellman (BDH) assumption. To the best of our knowledge, these are the first ID-based authenticated key exchange protocols secure in the eCK model.
3. We further study the security model for authenticated key exchange protocols. While the eCK freshness definition for two-pass authenticated key exchange protocols is very strong, we find that the definition for three-pass protocols leaves room for improvement. The main results are as follows:
First, we further strengthen the eCK freshness definition for three-pass authenticated key exchange protocols and propose a new model, eCK+, by introducing a new notion called strong key compromise impersonation resilience. We point out that authenticated key exchange protocols proven secure in prior models are no longer secure in the eCK+ model.
Second, we introduce a new authenticated key exchange protocol, SIG-DH+, which is shown to be secure in the eCK+ model.
4. We study insider-resistant group key exchange protocols. So far, all proposed group key exchange protocols that resist insider attacks make use of signatures. As a result, each participant must verify the n-1 signatures of all other participants, which makes the protocols considerably inefficient. In this thesis we propose a new insider-resistant group key exchange protocol without signatures. The main idea is to use a signature-free two-party authenticated key exchange (2-AKE) protocol to authenticate the messages instead of signatures. We prove that if the underlying 2-AKE protocol is secure, the group key exchange protocol is insider-resistant. Compared with all previous signature-based group key exchange protocols, ours is clearly more efficient.
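The opening paragraph of the abstract states the problem the whole thesis builds on: plain Diffie-Hellman does not resist a man-in-the-middle, so authentication has to be added. The following Python is an added example, not code from the thesis. It runs both cases over one toy group: an attacker Mallory who replaces every ephemeral value on the wire with her own g^m, first against unauthenticated DH (she ends up sharing a key with each side while A and B disagree) and then against a sign-the-transcript variant in the spirit of the ISO/SIGMA family the thesis cites (not the thesis's own SIG-DH+ or HC09), where both sides reject. The party names, the 2039-element toy group, the Schnorr signature over that group, the key derivation, and the fixed secrets used for reproducibility are all assumptions of the example; the group is far too small to be secure, and a real deployment would use an RFC 3526 group or an elliptic curve.

```python
"""Plain vs. signed Diffie-Hellman against an active man-in-the-middle.

Added example; not code from the thesis.  Mallory sits between A and B and
substitutes her own g^m for every ephemeral value.  Against unauthenticated DH
she ends up holding both parties' keys; against a sign-the-transcript variant
both sides reject.  Group parameters are toy sized (NOT secure).  Stdlib only."""
import hashlib
import secrets

P = 2039          # safe prime p = 2q+1 (assumption: toy size, demo only)
Q = (P - 1) // 2  # 1019, prime order of the subgroup used below
G = 4             # 2^2 is a quadratic residue mod p, hence of order Q


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def digest(*parts: bytes) -> bytes:
    # length-prefixed concatenation so field boundaries are unambiguous
    return hashlib.sha256(b"".join(len(x).to_bytes(2, "big") + x for x in parts)).digest()


def keygen(secret=None):
    x = secret if secret is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x: int, msg: bytes):
    """Toy Schnorr signature in the same group (the scheme of reference [85])."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = digest(enc(r), msg)          # full digest; reduced mod Q only inside the exponent
    s = (k - int.from_bytes(e, "big") * x) % Q
    return e, s


def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, int.from_bytes(e, "big") % Q, P) % P
    return digest(enc(r), msg) == e


def transcript(a_id: bytes, b_id: bytes, X: int, Y: int) -> bytes:
    return digest(b"transcript", a_id, b_id, enc(X), enc(Y))


def kdf(shared: int, a_id: bytes, b_id: bytes, X: int, Y: int) -> bytes:
    return digest(b"session-key", enc(shared), a_id, b_id, enc(X), enc(Y))


class Party:
    def __init__(self, ident: bytes, sk=None):
        self.ident = ident
        self.sk, self.pk = keygen(sk)   # long-term key; pk assumed known to the peer


class Mallory:
    """Active attacker: records what she sees and substitutes g^m on the wire."""
    def __init__(self, m=None):
        self.m, self.M = keygen(m)
        self.seen = {}

    def relay(self, label: str, value: int) -> int:
        self.seen[label] = value
        return self.M


def run(A: Party, B: Party, authenticated: bool, mallory=None, a=None, b=None) -> dict:
    """One protocol run; a, b and Mallory's m may be fixed for reproducible output."""
    a, X = keygen(a)
    b, Y = keygen(b)
    X_at_B = mallory.relay("X", X) if mallory else X   # msg 1: A -> B : A, X
    Y_at_A = mallory.relay("Y", Y) if mallory else Y   # msg 2: B -> A : B, Y [, sig_B]
    out = {"accept_A": True, "accept_B": True}
    if authenticated:
        # each side signs the transcript *as it saw it*; Mallory can relay but not forge
        sig_B = schnorr_sign(B.sk, transcript(A.ident, B.ident, X_at_B, Y))
        sig_A = schnorr_sign(A.sk, transcript(A.ident, B.ident, X, Y_at_A))   # msg 3
        out["accept_A"] = schnorr_verify(B.pk, transcript(A.ident, B.ident, X, Y_at_A), sig_B)
        out["accept_B"] = schnorr_verify(A.pk, transcript(A.ident, B.ident, X_at_B, Y), sig_A)
    out["key_A"] = kdf(pow(Y_at_A, a, P), A.ident, B.ident, X, Y_at_A) if out["accept_A"] else None
    out["key_B"] = kdf(pow(X_at_B, b, P), A.ident, B.ident, X_at_B, Y) if out["accept_B"] else None
    if mallory:
        # M^a = X^m and M^b = Y^m, so Mallory needs only m and the values she intercepted
        m, M, Xs, Ys = mallory.m, mallory.M, mallory.seen["X"], mallory.seen["Y"]
        out["mallory_key_with_A"] = kdf(pow(Xs, m, P), A.ident, B.ident, Xs, M)
        out["mallory_key_with_B"] = kdf(pow(Ys, m, P), A.ident, B.ident, M, Ys)
    return out


if __name__ == "__main__":
    alice, bob = Party(b"Alice"), Party(b"Bob")
    for auth in (False, True):
        r = run(alice, bob, auth, Mallory())
        print("signed" if auth else "plain ", "A accepts:", r["accept_A"],
              "B accepts:", r["accept_B"],
              "Mallory shares A's key:", r["mallory_key_with_A"] == r["key_A"])
```

The run returns what each side accepted and derived together with what Mallory can compute from her own m and the intercepted values. What the example does not exercise is the stronger adversary of the eCK-style models the thesis works in (leakage of ephemeral secrets, key compromise impersonation); it only shows the baseline that any authenticated key exchange protocol has to clear.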
References
[1] C. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656-715, 1949.
[2] Data Encryption Standard. Federal Information Processing Standards Publication 46. National Bureau of Standards, US Department of Commerce, 1977.
[3] FIPS PUB 197: Advanced Encryption Standard. National Institute of Standards and Technology, 2001.
[4] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644-654, 1976.
[5] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.
[6] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469-472, 1985.
[7] Adi Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO, volume 196 of Lecture Notes in Computer Science, pages 47-53. Springer, 1984.
[8] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213-229. Springer, 2001.
[9] S.M. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. In IEEE Symposium on Research in Security and Privacy, pages 72-84. IEEE, 1992.
[10] Steven M. Bellovin and Michael Merritt. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In ACM Conference on Computer and Communications Security, pages 244-250, 1993.
[11] V. Boyko, P. MacKenzie, and S. Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, pages 156-171. Springer, 2000.
[12] E. Bresson, O. Chevassut, and D. Pointcheval. Security proofs for an efficient password-based key exchange. In Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 241-250. ACM, 2003.
[13] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. New security results on encrypted key exchange. In Feng Bao, Robert H. Deng, and Jianying Zhou, editors, Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 145-158. Springer, 2004.
[14] Philip D. MacKenzie. More efficient password-authenticated key exchange. In David Naccache, editor, CT-RSA, volume 2020 of Lecture Notes in Computer Science, pages 361-377. Springer, 2001.
[15] Michel Abdalla and David Pointcheval. Simple password-based encrypted key exchange protocols. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 191-208. Springer, 2005.
[16] Rosario Gennaro. Faster and shorter password-authenticated key exchange. In Ran Canetti, editor, TCC, volume 4948 of Lecture Notes in Computer Science, pages 589-606. Springer, 2008.
[17] J. Katz, R. Ostrovsky, and M. Yung. Practical password-authenticated key exchange provably secure under standard assumptions. In EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 475-494. Springer, 2001.
[18] Oded Goldreich and Yehuda Lindell. Session-key generation using human passwords only. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 408-432. Springer, 2001.
[19] Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages 524-543. Springer, 2003.
[20] B. Ustaoglu. Key establishment: security models, protocols and usage. Ph.D. thesis, University of Waterloo, 2008.
[21] W. Mao. Modern Cryptography: Theory and Practice. Prentice Hall Professional Technical Reference, 2003.
[22] Hugo Krawczyk. HMQV: a high-performance secure Diffie-Hellman protocol. In Victor Shoup, editor, CRYPTO, volume 3621 of Lecture Notes in Computer Science, pages 546-566. Springer, 2005.
[23] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232-249. Springer, 1993.
[24] Mihir Bellare and Phillip Rogaway. Provably secure session key distribution: the three party case. In STOC, pages 57-66. ACM, 1995.
[25] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, pages 139-155. Springer, 2000.
[26] S. Blake-Wilson and A. Menezes. Entity authentication and authenticated key transport protocols employing asymmetric techniques. In Proceedings of the 5th International Workshop on Security Protocols, pages 137-158. Springer, 1997.
[27] Simon Blake-Wilson, Don Johnson, and Alfred Menezes. Key agreement protocols and their security analysis. In Michael Darnell, editor, IMA Int. Conf., volume 1355 of Lecture Notes in Computer Science, pages 30-45. Springer, 1997. The full version is available at http://www.math.uwaterloo.ca/ajmeneze/publications/agreement.ps.
[28] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In STOC, pages 419-428. ACM, 1998.
[29] Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Birgit Pfitzmann, editor, EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 453-474. Springer, 2001.
[30] Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock. Examining indistinguishability-based proof models for key establishment protocols. In Bimal K. Roy, editor, ASIACRYPT, volume 3788 of Lecture Notes in Computer Science, pages 585-604. Springer, 2005.
[31] Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock. Errors in computational complexity proofs for protocols. In Bimal K. Roy, editor, ASIACRYPT, volume 3788 of Lecture Notes in Computer Science, pages 624-643. Springer, 2005.
[32] Brian LaMacchia, Kristin Lauter, and Anton Mityagin. Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073, 2006. http://eprint.iacr.org/2006/073.
[33] Brian A. LaMacchia, Kristin Lauter, and Anton Mityagin. Stronger security of authenticated key exchange. In Willy Susilo, Joseph K. Liu, and Yi Mu, editors, ProvSec, volume 4784 of Lecture Notes in Computer Science, pages 1-16. Springer, 2007.
[34] T. Matsumoto, Y. Takashima, and H. Imai. On seeking smart public-key-distribution systems. The Transactions of the IECE of Japan, E69(2):99-106, February 1986.
[35] Laurie Law, Alfred Menezes, Minghua Qu, Jerome A. Solinas, and Scott A. Vanstone. An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography, 28(2):119-134, 2003.
[36] Tatsuaki Okamoto and David Pointcheval. The gap-problems: a new class of problems for the security of cryptographic schemes. In Kwangjo Kim, editor, Public Key Cryptography, volume 1992 of Lecture Notes in Computer Science, pages 104-118. Springer, 2001.
[37] Mihir Bellare and Adriana Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 273-289. Springer, 2004.
[38] A. Menezes. Another look at HMQV. Journal of Mathematical Cryptology, 1(1):47-64, 2007.
[39] Kristin Lauter and Anton Mityagin. Security analysis of KEA authenticated key exchange protocol. In Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science, pages 378-394. Springer, 2006.
[40] Sébastien Kunz-Jacques and David Pointcheval. A new key exchange protocol based on MQV assuming public computations. In Roberto De Prisco and Moti Yung, editors, SCN, volume 4116 of Lecture Notes in Computer Science, pages 186-200. Springer, 2006.
[41] Berkant Ustaoglu. Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography, 46(3):329-342, 2008.
[42] E. Okamoto. Key distribution systems based on identification information. In Advances in Cryptology - CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 194-202. Springer, 1988.
[43] E. Okamoto and K. Tanaka. Key distribution system based on identification information. IEEE Journal on Selected Areas in Communications, 7(4):481-485, 1989.
[44] S. Kim, M. Mambo, T. Okamoto, H. Shizuya, M. Tada, and D. Won. On the security of the Okamoto-Tanaka ID-based key exchange scheme against active attacks. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E84-A(1):231-238, 2001.
[45] N.P. Smart. An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters, 38:630-632, 2002.
[46] L. Chen and C. Kudla. Identity based authenticated key agreement from pairings. In IEEE Computer Security Foundations Workshop, pages 219-233, 2003. A modified version is available as Cryptology ePrint Archive, Report 2002/184.
[47] Noel McCullagh and Paulo S. L. M. Barreto. A new two-party identity-based authenticated key agreement. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 262-274. Springer, 2005.
[48] Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock. On session key construction in provably-secure key establishment protocols. In Ed Dawson and Serge Vaudenay, editors, Mycrypt, volume 3715 of Lecture Notes in Computer Science, pages 116-131. Springer, 2005.
[49] Caroline Kudla and Kenneth G. Paterson. Modular security proofs for key agreement protocols. In Bimal K. Roy, editor, ASIACRYPT, volume 3788 of Lecture Notes in Computer Science, pages 549-565. Springer, 2005.
[50] Y. Wang. Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108, 2005.
[51] L. Chen, Z. Cheng, and Nigel P. Smart. Identity-based key agreement protocols from pairings. International Journal of Information Security, 6(4):213-241, 2007.
[52] Sherman S. M. Chow and Kim-Kwang Raymond Choo. Strongly-secure identity-based key agreement and anonymous extension. In Juan A. Garay, Arjen K. Lenstra, Masahiro Mambo, and René Peralta, editors, ISC, volume 4779 of Lecture Notes in Computer Science, pages 203-220. Springer, 2007.
[53] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Hugo Krawczyk, editor, CRYPTO, volume 1462 of Lecture Notes in Computer Science, pages 13-25. Springer, 1998.
[54] Brent Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 114-127. Springer, 2005.
[55] Craig Gentry. Practical identity-based encryption without random oracles. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 445-464. Springer, 2006.
[56] Tatsuaki Okamoto. Authenticated key exchange and key encapsulation in the standard model. In ASIACRYPT, volume 4833 of Lecture Notes in Computer Science, pages 474-484. Springer, 2007.
[57] Colin Boyd, Yvonne Cliff, Juan González Nieto, and Kenneth G. Paterson. Efficient one-round key exchange in the standard model. In Yi Mu, Willy Susilo, and Jennifer Seberry, editors, ACISP, volume 5107 of Lecture Notes in Computer Science, pages 69-83. Springer, 2008.
[58] Masayuki Abe, Rosario Gennaro, Kaoru Kurosawa, and Victor Shoup. Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 128-146. Springer, 2005.
[59] David Cash, Eike Kiltz, and Victor Shoup. The twin Diffie-Hellman problem and applications. In Nigel P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 127-145. Springer, 2008.
[60] A.J. Menezes, T. Okamoto, and S.A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39(5):1639-1646, 1993.
[61] E.R. Verheul. Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. Journal of Cryptology, 17(4):277-296, 2004.
[62] Antoine Joux. The Weil and Tate pairings as building blocks for public key cryptosystems. In Claus Fieker and David R. Kohel, editors, ANTS, volume 2369 of Lecture Notes in Computer Science, pages 20-32. Springer, 2002.
[63] Steven D. Galbraith, Keith Harrison, and David Soldera. Implementing the Tate pairing. In Claus Fieker and David R. Kohel, editors, ANTS, volume 2369 of Lecture Notes in Computer Science, pages 324-337. Springer, 2002.
[64] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott. Efficient algorithms for pairing-based cryptosystems. In Advances in Cryptology - CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 354-368. Springer, 2002.
[65] Steven D. Galbraith. Supersingular curves in cryptography. In Colin Boyd, editor, ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pages 495-513. Springer, 2001.
[66] C.H. Papadimitriou. Computational Complexity. Addison-Wesley, Reading, Mass., 1994.
[67] T.H. Cormen, C.E. Leiserson, R.L. Rivest, and C. Stein. Introduction to Algorithms. MIT Press, 1990.
[68] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[69] S. Goldwasser and M. Bellare. Lecture notes on cryptography. Summer course "Cryptography and Computer Security" at MIT, 1996-1999.
[70] O. Goldreich. Foundations of Cryptography. Cambridge University Press, 2001.
[71] D.R. Stinson. Cryptography: Theory and Practice. CRC Press, 2006.
[72] J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC, 2008.
[73] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, 1988.
[74] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. Journal of the ACM, 33(4):792-807, 1986.
[75] R. Rivest. RFC 1321: The MD5 message-digest algorithm. RFC Editor, 1992.
[76] FIPS PUB 180-1: Secure Hash Standard. National Institute of Standards and Technology, US Department of Commerce, 1995.
[77] Amos Fiat and Adi Shamir. How to prove yourself: practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer, 1986.
[78] Mihir Bellare and Phillip Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62-73, 1993.
[79] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557-594, 2004.
[80] Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols (extended abstract). In FOCS, pages 350-357. IEEE, 1981.
[81] A. Menezes and B. Ustaoglu. Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard. In Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, pages 261-270. ACM, 2008.
[82] M.C. Gorantla, C. Boyd, and J.M. González Nieto. ID-based one-pass authenticated key establishment. In Proceedings of the Sixth Australasian Conference on Information Security, volume 81, pages 39-46. Australian Computer Society, 2008.
[83] Ran Canetti and Hugo Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 143-161. Springer, 2002.
[84] Hugo Krawczyk. SIGMA: the 'SIGn-and-MAc' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 400-425. Springer, 2003.
[85] C.P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
[86] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pages 514-532. Springer, 2001.
[87] V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004.
[88] Antoine Joux. A one round protocol for tripartite Diffie-Hellman. In Wieb Bosma, editor, ANTS, volume 1838 of Lecture Notes in Computer Science, pages 385-394. Springer, 2000.
[89] Ingemar Ingemarsson, Donald T. Tang, and C. K. Wong. A conference key distribution system. IEEE Transactions on Information Theory, 28(5):714-719, 1982.
[90] D. G. Steer, L. Strawczynski, Whitfield Diffie, and Michael J. Wiener. A secure audio teleconference system. In Shafi Goldwasser, editor, CRYPTO, volume 403 of Lecture Notes in Computer Science, pages 520-528. Springer, 1988.
[91] Klaus Becker and Uta Wille. Communication complexity of group key distribution. In ACM Conference on Computer and Communications Security, pages 1-6, 1998.
[92] Mike Burmester and Yvo Desmedt. A secure and efficient conference key distribution system (extended abstract). In EUROCRYPT, volume 950 of Lecture Notes in Computer Science, pages 275-286. Springer, 1994.
[93] Michael Steiner, Gene Tsudik, and Michael Waidner. Diffie-Hellman key distribution extended to group communication. In ACM Conference on Computer and Communications Security, pages 31-37, 1996.
[94] Emmanuel Bresson, Olivier Chevassut, David Pointcheval, and Jean-Jacques Quisquater. Provably authenticated group Diffie-Hellman key exchange. In ACM Conference on Computer and Communications Security, pages 255-264, 2001.
[95] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Provably authenticated group Diffie-Hellman key exchange: the dynamic case. In Colin Boyd, editor, ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pages 290-309. Springer, 2001.
[96] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Dynamic group Diffie-Hellman key exchange under standard assumptions. In Lars R. Knudsen, editor, EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 321-336. Springer, 2002.
[97] Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Group Diffie-Hellman key exchange secure against dictionary attacks. In Yuliang Zheng, editor, ASIACRYPT, volume 2501 of Lecture Notes in Computer Science, pages 497-514. Springer, 2002.
[98] Jonathan Katz and Moti Yung. Scalable protocols for authenticated group key exchange. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 110-125. Springer, 2003.
[99] Hyun-Jeong Kim, Su-Mi Lee, and Dong Hoon Lee. Constant-round authenticated group key exchange for dynamic groups. In Pil Joong Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 245-259. Springer, 2004.
[100] Ratna Dutta, Rana Barua, and Palash Sarkar. Provably secure authenticated tree based group key agreement. In Javier Lopez, Sihan Qing, and Eiji Okamoto, editors, ICICS, volume 3269 of Lecture Notes in Computer Science, pages 92-104. Springer, 2004.
[101] Jonathan Katz and Ji Sun Shin. Modeling insider attacks on group key-exchange protocols. In Vijay Atluri, Catherine Meadows, and Ari Juels, editors, ACM Conference on Computer and Communications Security, pages 180-189. ACM, 2005.
[102] Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt. Secure group key establishment revisited. International Journal of Information Security, 6(4):243-254, 2007.
[103] R. Canetti. Universally composable security: a new paradigm for cryptographic protocols. In 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001), pages 136-145. IEEE, 2001.
[104] Emmanuel Bresson, Mark Manulis, and Jörg Schwenk. On security models and compilers for group key exchange protocols. In Atsuko Miyaji, Hiroaki Kikuchi, and Kai Rannenberg, editors, IWSEC, volume 4752 of Lecture Notes in Computer Science, pages 292-307. Springer, 2007.
[105] Emmanuel Bresson and Mark Manulis. Securing group key exchange against strong corruptions and key registration attacks. International Journal of Applied Cryptography, 1(2):91-107, 2008.
[106] Michel Abdalla, Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt. (Password) authenticated key establishment: from 2-party to group. In Salil P. Vadhan, editor, TCC, volume 4392 of Lecture Notes in Computer Science, pages 499-514. Springer, 2007.
[107] Yevgeniy Dodis, Rosario Gennaro, Johan Håstad, Hugo Krawczyk, and Tal Rabin. Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 494-510. Springer, 2004.
[108] O. Chevassut, P.-A. Fouque, P. Gaudry, and D. Pointcheval. The twist-augmented technique for key exchange. In Public Key Cryptography - PKC 2006, volume 3958 of Lecture Notes in Computer Science, pages 410-426. Springer, 2006.
[109] M. Manulis. Group key exchange enabling on-demand derivation of peer-to-peer keys. In Applied Cryptography and Network Security - ACNS 2009, volume 5536 of Lecture Notes in Computer Science, pages 1-19. Springer, 2009.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号