基于XTR公钥体制的密码算法的分析与设计
|
摘要
计算机和互联网技术的飞速发展,将我们的社会带入了信息化时代,使得信息系统的建立逐渐成为社会各个领域不可或缺的基础设施.任何机构都有需要保密的信息,使得信息的安全成为各界所共同关注的热点。
XTR是由Lenstra和Verheul在Crypto 2000提出的一种新型公钥密码体制。它使用了GF(p~2)上的迹来表示GF(p~6)~*中阶为p~2-p+1的子群的元素,从而使得数据量降低到原来的1/3,而且相应的运算速度也比传统表示方法快。从安全角度来看,XTR是一种传统的基于子群离散对数问题的密码体系,即其安全性依赖于求有限域乘法群中离散对数的困难性。XTR体制已经成为近年来研究的热点,并被逐渐推广到密码体制的各种应用环境中。
本文采用增加附加的2位串的方法来解决XTR密钥恢复算法中的“最小者”问题,充分考虑此算法中的其他限制条件,并利用加速的XTR算法来具体给出XTR-Blind-Nyberg-Rueppel和XTR-Blind-Schnorr改进签名方案,XTR-Nyberg-Rueppel完整消息恢复签名方案,XTR-Kurosawa-Desmedt自适应选择密文安全的密码方案。使得在同等安全程度下,各应用协议的效率,包括数据的存储量和各阶段的计算量,都大大提高。
本文还借鉴Lenstra和Verheul等人在XTR方面的工作,在XTR~+公钥体制中提出无矩阵的核心算法,使得核心算法的运算效率显著提高。
由于研究和改进扩展欧几里得序列的选择项算法对于计算机代数、数论和密码学的研究和发展有着非常重要的理论意义,所以本文最后分别对多项式和整数的扩展欧几里得序列的选择项算法进行了研究,其中包括了对多项式扩展欧几里得序列的选择项算法的加速和对整数扩展欧几里得序列的选择项算法的修正。
With the rapid development and extensive applications of computer and communication technologies,our society goes into an information time.The establishment of information system has gradually become an essential foundation for nearly all fields of our society.As there exists confidential information in any organizations,the security problem about this information has become the common focus of both academia and enterprises.
Since the invention of the concept of public key cryptography(PKC),PKC has been developed for about thirty years.Many excellent public key cryptosystems have been proposed and improved.But,the most popular public key cryptosystems are still RSA scheme and EIGamal scheme.Moreover,elliptic public key scheme has always been focused just because of its high efficiency.However,the present public key cryptosystems have some defects in computation,storing,convenient practicability and so on,which results in more restrictive applications.
In recent years people is concerned about the study of systems that have the algebraic structures which use the extension finite fields.These systems can provide high compression data transmission,compact implementation process and performance improvement.
XTR stands for "ECSTR",which is an abbreviation for Efficient and Compact Subgroup Trace Representation.The XTR public key system is a new cryptosystem proposed by Lenstra and Verheul in Crypto 2000.It uses the trace over GF(p~2) to represent elements of the order p~2-p+1 subgroup of GF(p~6)~*,thereby achieving a factor 3 size reduction.Also,the resulting calculations are appreciably faster than using the standard representation.
Under the same application systems and similar secure conditions,it can be known from theoretical analysis that XTR can greatly increase the speed,and reduce the key sizes,data storage,computation and communication overhead compared with EIGamal and RSA public key cryptosystems.The method which uses trace function to represent elements of multiplicative group can completely take the place of the traditional representation of elements of subgroup.It can be applied to any cryptosystems based on discrete logarithm problem and raise to more excellent qualities without compromising security.
From a security point of view,XTR is a traditional discrete logarithm system:for its security it relies on the difficulty of solving discrete logarithm related problems in the multiplicative group of a finite field.Thus,XTR is not based on any new primitive or new allegedly hard problem,on the contrary,it is based on the primitive underlying the very first public key cryptosystem,the Diffie-Hellman key agreement protocol.
By using the analysis of theoretical foundation and protocol,we can deduce that the advantages of XTR compared with the popular public key cryptosystems nowadays are:
ⅰ.Its very fast parameters and keys selection.
Key selection for XTR is very fast compared to RSA,and orders of magnitude easier and faster than for ECC.This performance makes it easily feasible for all users of XTR to have public keys that are not shared with others,unlike ECC where a large part of the public key is often shared between all users of the system.
ⅱ.Small key sizes.
XTR keys are much smaller than RSA keys of comparable security.ECC keys allow a smaller representation than XTR keys,but in many circumstances(e.g. storage) ECC and XTR key sizes are comparable.
ⅲ.Fast calculation speed.
Full exponentiation in XTR is faster than full scalar multiplication in ECC over a 170-bit prime field,and thus substantially faster than full exponentiation in either RSA or traditional subgroup discrete logarithm systems of equivalent security.
ⅳ.Its very easy programmability.
ⅴ.Also,compared to ECC,the mathematics underlying XTR is straightforward, thus avoiding two common ECC-pitfalls:ascertaining that unfortunate parameter choices are avoided that happen to render the system less secure,and keeping abreast of,and incorporating additional checks published in,newly obtained results.
As a result,XTR may be regarded as the best of three worlds,RSA,EIGamal,and ECC.It is an excellent alternative to either RSA,EIGamal,or ECC in applications such as SSL/TLS(Secure Sockets Layer/Transport Layer Security),public key smart cards,WAP/WTLS(Wireless Application Protocol/Wireless Transport Layer Security), IPSEC/IKE(Internet Protocol Security/Internet Key Exchange),and SET(Secure Electronic Transaction).
In 2000,Lenstra and Verheul further proposed XTR key recovery algorithm,which leads to a factor 3 data transmission.However,this key recovery algorithm is restricted by some conditions.The most important condition among them is the "smallest" restriction. These conditions are very critical in practice,but they are neglected in almost all application protocols.If there are not rigorous assumptions and fully consideration about the details of the implementation of algorithm,the parameter corresponding problem may arise in future.This problem may lead to difficulties in the XTR compliant protocols, such as blind signature schemes and message recovery signature schemes.XTR system can be used into many cryptoschemes and digital signatures,but so far it is still not considered in provable security cryptosystems.
For these problems,this paper mainly studies:
◆We introduce additional two-bit strings to resolve the "smallest" question in XTR key recovery algorithm,fully consider the other restrictive conditions in this algorithm and use the accelerate XTR algorithms to give the improved XTR-Blind-Nyberg-Rueppel and XTR-Blind-Schnorr signature schemes which are presented by Chen Xiao-feng,Gao Hu-ming and Wang Yu-ming,the full version of the XTR-Nyberg-Rueppel message recovery signature scheme proposed by Lenstra and Verheul.The improved schemes are more efficient than the original signature schemes both in communication and computation without compromising security.
◆Nowadays the most efficient adaptive chosen-ciphertext secure cryptosystem in the standard model is the one due to Kurosawa and Desmedt.We proposes an XTR version of the Kurosawa-Desmedt scheme.Our scheme is secure against adaptive chosen-ciphertext attack under the XTR version of the Decisional Diffie-Hellman assumption in the standard model.Comparing the efficiency between the proposed XTR-Kurosawa-Desmedt cryptoscheme and the Kurosawa-Desmedt scheme,we find that the proposed scheme is more efficient than the Kurosawa-Desmedt scheme both in communication and computation without compromising security.
In order to resolve the parameter corresponding problem in XTR system,as well as to improve the computation efficiency,Wang Zehui et al.proposed a new public key cryptosystem so called XTR~+ based on the effective and compact subgroup trace representation in 2007.The XTR~+ public key system achieves GF(p~8) security using GF(p~4) arithmetic,so that the data storage is a half reduced.It was based on 4-th order LFSR sequence.But the fast pivotal algorithms were done by a 2nd order iteration based on the fast computation of the nth power of a 2×2 matrix.In addition,XTR+ is constructed as a cryptosystem of provable IND-CCA2 security and can be used for the strongly provable secure digital signature schemes,blind signature protocols and zeroknowledge proof protocols.Due to its optimization over the parameters,the expansion rate of these complicated protocols in XTR~+ is largely decreased.
For the XTR~+ public key system,this paper studies:
◆Motivated by the work in XTR studied by Lenstra and Verheul et al.,we describe matrix-free pivotal algorithms in XTR~+ public key system.These new algorithms obviously improve the computation efficiency.
The algorithm for selected term of the extended Euclidean sequence which is still used nowadays has played a very important role in the study of early algorithms and procedural process.It is of great significance for the research fields in computer algebra, number theory and cryptology.Therefore,the study of the algorithm for selected term of the extended Euclidean sequence is of great importance in research and development of these fields.
For the algorithm for selected term of the extended Euclidean sequence,this paper respectively studies:
◆The reduced sum of two divisors is one of the fundamental operations in many problems and applications related to hyperelliptic curves.M.J.Jacobson,Jr et al presented a new algorithm for this operation in terms of continued fraction expansions on the three different possible models of a hyperelliptic curve:imaginary, real,and unusual.This algorithm relies on the Algorithm for Selected Term of the Polynomial Extended Euclidean Sequence(ASTPEES),and requires O(g~2) field operations,where g denotes the genus of the curve.We accelerate the ASTPEES algorithm by applying Half-GCD algorithm.Consequently, the algorithm for computing the reduced sum of two divisors of an arbitrary hyperelliptic curve is accelerated from quadratic to nearly linear time.
◆The common approach to the solution of the problems of modular and numerical rational number reconstruction which are two customary approach in computer algebra is by applying the Algorithm for Selected Term of the Integer Extended Euclidean Sequence(ASTIEES).Wang and Pan proposed an ASTIEES algorithm. The algorithm only spent nearly linear time,matching the known complexity bound for the integer gcd.We analyze the ASTIEES algorithm,then point out the bugs which are not considered comprehensively,and finally modify the ASTIEES algorithm.
XTR是由Lenstra和Verheul在Crypto 2000提出的一种新型公钥密码体制。它使用了GF(p~2)上的迹来表示GF(p~6)~*中阶为p~2-p+1的子群的元素,从而使得数据量降低到原来的1/3,而且相应的运算速度也比传统表示方法快。从安全角度来看,XTR是一种传统的基于子群离散对数问题的密码体系,即其安全性依赖于求有限域乘法群中离散对数的困难性。XTR体制已经成为近年来研究的热点,并被逐渐推广到密码体制的各种应用环境中。
本文采用增加附加的2位串的方法来解决XTR密钥恢复算法中的“最小者”问题,充分考虑此算法中的其他限制条件,并利用加速的XTR算法来具体给出XTR-Blind-Nyberg-Rueppel和XTR-Blind-Schnorr改进签名方案,XTR-Nyberg-Rueppel完整消息恢复签名方案,XTR-Kurosawa-Desmedt自适应选择密文安全的密码方案。使得在同等安全程度下,各应用协议的效率,包括数据的存储量和各阶段的计算量,都大大提高。
本文还借鉴Lenstra和Verheul等人在XTR方面的工作,在XTR~+公钥体制中提出无矩阵的核心算法,使得核心算法的运算效率显著提高。
由于研究和改进扩展欧几里得序列的选择项算法对于计算机代数、数论和密码学的研究和发展有着非常重要的理论意义,所以本文最后分别对多项式和整数的扩展欧几里得序列的选择项算法进行了研究,其中包括了对多项式扩展欧几里得序列的选择项算法的加速和对整数扩展欧几里得序列的选择项算法的修正。
With the rapid development and extensive applications of computer and communication technologies,our society goes into an information time.The establishment of information system has gradually become an essential foundation for nearly all fields of our society.As there exists confidential information in any organizations,the security problem about this information has become the common focus of both academia and enterprises.
Since the invention of the concept of public key cryptography(PKC),PKC has been developed for about thirty years.Many excellent public key cryptosystems have been proposed and improved.But,the most popular public key cryptosystems are still RSA scheme and EIGamal scheme.Moreover,elliptic public key scheme has always been focused just because of its high efficiency.However,the present public key cryptosystems have some defects in computation,storing,convenient practicability and so on,which results in more restrictive applications.
In recent years people is concerned about the study of systems that have the algebraic structures which use the extension finite fields.These systems can provide high compression data transmission,compact implementation process and performance improvement.
XTR stands for "ECSTR",which is an abbreviation for Efficient and Compact Subgroup Trace Representation.The XTR public key system is a new cryptosystem proposed by Lenstra and Verheul in Crypto 2000.It uses the trace over GF(p~2) to represent elements of the order p~2-p+1 subgroup of GF(p~6)~*,thereby achieving a factor 3 size reduction.Also,the resulting calculations are appreciably faster than using the standard representation.
Under the same application systems and similar secure conditions,it can be known from theoretical analysis that XTR can greatly increase the speed,and reduce the key sizes,data storage,computation and communication overhead compared with EIGamal and RSA public key cryptosystems.The method which uses trace function to represent elements of multiplicative group can completely take the place of the traditional representation of elements of subgroup.It can be applied to any cryptosystems based on discrete logarithm problem and raise to more excellent qualities without compromising security.
From a security point of view,XTR is a traditional discrete logarithm system:for its security it relies on the difficulty of solving discrete logarithm related problems in the multiplicative group of a finite field.Thus,XTR is not based on any new primitive or new allegedly hard problem,on the contrary,it is based on the primitive underlying the very first public key cryptosystem,the Diffie-Hellman key agreement protocol.
By using the analysis of theoretical foundation and protocol,we can deduce that the advantages of XTR compared with the popular public key cryptosystems nowadays are:
ⅰ.Its very fast parameters and keys selection.
Key selection for XTR is very fast compared to RSA,and orders of magnitude easier and faster than for ECC.This performance makes it easily feasible for all users of XTR to have public keys that are not shared with others,unlike ECC where a large part of the public key is often shared between all users of the system.
ⅱ.Small key sizes.
XTR keys are much smaller than RSA keys of comparable security.ECC keys allow a smaller representation than XTR keys,but in many circumstances(e.g. storage) ECC and XTR key sizes are comparable.
ⅲ.Fast calculation speed.
Full exponentiation in XTR is faster than full scalar multiplication in ECC over a 170-bit prime field,and thus substantially faster than full exponentiation in either RSA or traditional subgroup discrete logarithm systems of equivalent security.
ⅳ.Its very easy programmability.
ⅴ.Also,compared to ECC,the mathematics underlying XTR is straightforward, thus avoiding two common ECC-pitfalls:ascertaining that unfortunate parameter choices are avoided that happen to render the system less secure,and keeping abreast of,and incorporating additional checks published in,newly obtained results.
As a result,XTR may be regarded as the best of three worlds,RSA,EIGamal,and ECC.It is an excellent alternative to either RSA,EIGamal,or ECC in applications such as SSL/TLS(Secure Sockets Layer/Transport Layer Security),public key smart cards,WAP/WTLS(Wireless Application Protocol/Wireless Transport Layer Security), IPSEC/IKE(Internet Protocol Security/Internet Key Exchange),and SET(Secure Electronic Transaction).
In 2000,Lenstra and Verheul further proposed XTR key recovery algorithm,which leads to a factor 3 data transmission.However,this key recovery algorithm is restricted by some conditions.The most important condition among them is the "smallest" restriction. These conditions are very critical in practice,but they are neglected in almost all application protocols.If there are not rigorous assumptions and fully consideration about the details of the implementation of algorithm,the parameter corresponding problem may arise in future.This problem may lead to difficulties in the XTR compliant protocols, such as blind signature schemes and message recovery signature schemes.XTR system can be used into many cryptoschemes and digital signatures,but so far it is still not considered in provable security cryptosystems.
For these problems,this paper mainly studies:
◆We introduce additional two-bit strings to resolve the "smallest" question in XTR key recovery algorithm,fully consider the other restrictive conditions in this algorithm and use the accelerate XTR algorithms to give the improved XTR-Blind-Nyberg-Rueppel and XTR-Blind-Schnorr signature schemes which are presented by Chen Xiao-feng,Gao Hu-ming and Wang Yu-ming,the full version of the XTR-Nyberg-Rueppel message recovery signature scheme proposed by Lenstra and Verheul.The improved schemes are more efficient than the original signature schemes both in communication and computation without compromising security.
◆Nowadays the most efficient adaptive chosen-ciphertext secure cryptosystem in the standard model is the one due to Kurosawa and Desmedt.We proposes an XTR version of the Kurosawa-Desmedt scheme.Our scheme is secure against adaptive chosen-ciphertext attack under the XTR version of the Decisional Diffie-Hellman assumption in the standard model.Comparing the efficiency between the proposed XTR-Kurosawa-Desmedt cryptoscheme and the Kurosawa-Desmedt scheme,we find that the proposed scheme is more efficient than the Kurosawa-Desmedt scheme both in communication and computation without compromising security.
In order to resolve the parameter corresponding problem in XTR system,as well as to improve the computation efficiency,Wang Zehui et al.proposed a new public key cryptosystem so called XTR~+ based on the effective and compact subgroup trace representation in 2007.The XTR~+ public key system achieves GF(p~8) security using GF(p~4) arithmetic,so that the data storage is a half reduced.It was based on 4-th order LFSR sequence.But the fast pivotal algorithms were done by a 2nd order iteration based on the fast computation of the nth power of a 2×2 matrix.In addition,XTR+ is constructed as a cryptosystem of provable IND-CCA2 security and can be used for the strongly provable secure digital signature schemes,blind signature protocols and zeroknowledge proof protocols.Due to its optimization over the parameters,the expansion rate of these complicated protocols in XTR~+ is largely decreased.
For the XTR~+ public key system,this paper studies:
◆Motivated by the work in XTR studied by Lenstra and Verheul et al.,we describe matrix-free pivotal algorithms in XTR~+ public key system.These new algorithms obviously improve the computation efficiency.
The algorithm for selected term of the extended Euclidean sequence which is still used nowadays has played a very important role in the study of early algorithms and procedural process.It is of great significance for the research fields in computer algebra, number theory and cryptology.Therefore,the study of the algorithm for selected term of the extended Euclidean sequence is of great importance in research and development of these fields.
For the algorithm for selected term of the extended Euclidean sequence,this paper respectively studies:
◆The reduced sum of two divisors is one of the fundamental operations in many problems and applications related to hyperelliptic curves.M.J.Jacobson,Jr et al presented a new algorithm for this operation in terms of continued fraction expansions on the three different possible models of a hyperelliptic curve:imaginary, real,and unusual.This algorithm relies on the Algorithm for Selected Term of the Polynomial Extended Euclidean Sequence(ASTPEES),and requires O(g~2) field operations,where g denotes the genus of the curve.We accelerate the ASTPEES algorithm by applying Half-GCD algorithm.Consequently, the algorithm for computing the reduced sum of two divisors of an arbitrary hyperelliptic curve is accelerated from quadratic to nearly linear time.
◆The common approach to the solution of the problems of modular and numerical rational number reconstruction which are two customary approach in computer algebra is by applying the Algorithm for Selected Term of the Integer Extended Euclidean Sequence(ASTIEES).Wang and Pan proposed an ASTIEES algorithm. The algorithm only spent nearly linear time,matching the known complexity bound for the integer gcd.We analyze the ASTIEES algorithm,then point out the bugs which are not considered comprehensively,and finally modify the ASTIEES algorithm.
引文
[1]ADLEMAN L M.A subexponential algorithm for the discrete logarithm problem with applications to cryptography[C].Proceedings of the IEEE 20th Annual Symposium on Foundations of Computer Science,1979:55-60.
[2]ABE M,GENNARO R,KUROSAWA K,et al.Tag-KEM/DEM:a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM[C].R.Cramer,Ed.Proceedings of Advances in Cryptology-EUROCRYPT 2005:24th International Conference on the Theory and Application of Cryptographic Techniques,LNCS 1976.Aarhus,Denmark:May 2005:128-146.
[3]ADLEMAN L M,HUANG M A.Function field sieve method for discrete logarithms over finite fields[J].Information and Computation,1999,151(1-2):5-16.
[4]AHO A V,HOPCROFT J E,ULLMAN J D.The design and analysis of computer algorithms [M].Massachussetts,USA:Addison-Wesley,Reading,1974.
[5]ASOKAN N,SHOUP V,WAIDNER M.Optimistic Fair Exchange of Digital Signatures[J].IEEE Journal on Selected Areas in Communications,2000,18(4):593-610.
[6]ATENIESE G,TSUDIK G.Some open issues and directions in group signature[C].In Financial Crypto'99,LNCS 1648.London,UK:Springer-Verlag,1999:196-211.
[7]BELLARE M,CANETTI R,KRAWCZYK H.A modular approach to the design and analysis of authentication and key exchange protocols[C].The 30th Annual ACM Symposium on Theory of Computing.New York:ACM,1998:419-428.
[8]BELLARE M,DESAI A,POINTCHEVAL D,et al.Relations Among Notions of Security for Public Key Encryption Schemes[C].Advances in Cryptology CRYPTO'98.Berlin:Springer-Verlag,1998:26-45.
[9]BIEHL I,MEYER B,M(U|¨)LLER V.Differential fault attacks on elliptic curve cryptosystems [C].Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology,LNCS 1880.London,UK:Springer-Verlag,2000:131-146.
[10]BELLARE M,POINTCHEVAL D,ROGAWAY P.Authenticated key exchange secure against dictionary attacks[C].B.Preneel,ed.Advances in Cryptology-Eurocrypt'00,LNCS 1807.Berlin:Springer-Verlag,2000:139-155.
[11]BROUWER A E,PELLIKAAN R,VERHEUL E R.Doing more with fewer bits[C].Proceedings of Asiacrypt'99,LNCS 1716.Berlin:Springer-Verlag,1999:321-332.
[12]BELLARE M,ROGAWAY P.Entity authentication and key distribution[C].Advances in Cryptology CRYPTO'93.Berlin:Springer-Verlag,1994:232-249.
[13]BELLARE M,ROGAWAY P.Optimal asymmetric encryption[C].In Advances in Cryptology-Eurocrypt'94.Berlin:Springer-Verlag,1994:92-111.
[14]BACH E,SHALLIT J.Algorithmic number theory[M].Cambridge,MA,USA:The MIT Press,1996.
[15]BLAKE I F,SEROUSSI G,SMART N P.Elliptic curves in cryptography[M].Cambridge:University Press,1999.
[16]CHAUM D.Blind signature for untraceable payments[C].Proc.Crypto'82.New York:Plenum Press,1983:199-203.
[17]CHAUM D.Blind signatures systemiC].CRYPTO'83.New York:Plenum Press,1983:153-158.
[18]COHEN H.A course in computational algebraic number theory[M].GTM 138,New York:Springer-Verlag,1993.
[19]陈景润.初等数论Ⅲ[M].北京:科学出版社,1998.
[20]CANETTI R.Universally Composable security:a new paradigm for cryptographic protocols [C].the 42nd IEEE Symposium on Foundations of Computer Science.Washington:IEEE,2001:136-145.
[21]陈晓峰,高虎明,王育民.基于XTR体制的盲签名方案[J].电子与信息学报,2003,25(6):851-854.
[22]CHAUM D,HEYST E V.Group signatures[C].Advances in Cryptology-Eurocrypto'91,LNCS 547.Berlin:Springer-Verlag,1991:257-265.
[23]CHIEN H Y,JAN J K,TSENG Y M.RSA-based partially blind signature with low computation[C].IEEE 8th International Conference on Parallel and Distributed Systems.Kyongju:Institute of Electrical and Electronics Engineers Computer Society,2001:385-389.
[24]CANETTI R,KRAWCZYK H.Analysis of key-exchange protocols and their use for building secure channels[C].Advances in Cryptology EUROCRYPT 2001.Berlin:Springer-Verlag,2001:453-474.
[25]COHEN H,LENSTRA A K.Implementation of a new primality test[J].Math.Comp.,1987,48:103-121.
[26]COHEN H,MIYAJI A,ONO T.Efficient elliptic curve exponentiation using mixed coordinates [C].Proceedings Asiacrypt'98,LNCS 1514.Berlin:Springer-Verlag,1998:51-65.
[27]CAMENISCH J L,PIVETEAU J M,STADLER M A.Blind signature based on discrete logarithm problem[C].Eurocrypt'94,LNCS 950.Perugia,Italy:Springer-Verlag,1994:428-432.
[28]CAMENISH J,STADLER M.Efficient group signature schemes for large groups[C].Advances in Cryptology-CRPTO'97,LNCS 1294.Berlin:Springer-Verlag,1997:410-424.
[29]CRAMMER R,SHOUP V.A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack[C].H.Krawczyk ed.Advances in Cryptology-Proceedings of CRYPTO'98,LNCS 1462.Santa Barbara:Springer-Verlag,1998:13-25.
[30]CRAMMER R,SHOUP V.Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack[J].SIAM Journal of Computing,2003,33(1):167-226.
[31]陈晓峰,王继林,王育民.无强迫的最优合同签署方案[J].电子学报,2004,32(3):404-407.
[32]陈晓峰,王继林,王育民.基于广义体制的签名方案[J].电子与信息学报,2004,26(4):562-567.
[33]DIXON J D.Exact solution of linear equations using p-adic expansions[J].Numer.Math.,1982,40:137-141.
[34]DOLEV D,DWORK C,NAOR M.Non-malleable cryptography[C].In Proceedings of the 23rd Annual ACM Symposium on Theory of Computing.New York,USA:ACM,May 1991:542-552.
[35]DIFFIE W,HELLMAN M E.New directions in cryptography[J].IEEE Transactions on Information Theory,1976,IT-22(6):644-654.
[36]代锦秀,唐小虎,郑宇,等.XTR公钥密码体制概述[J].计算机工程与应用,2005,29:63-65.
[37]EIGAMAL T.A Public Key cryptosystem and a signature scheme based on discrete logarithms[J].IEEE Transactions on Information Theory,1985,31:469-472.
[38]FAN C I,CHEN W K,YEH Y S.Randomization enhanced Chaum's blind signature scheme[J].Computer Communications,2000,23(13):1677-1680.
[39]FAN C I,LEI C L.Efficient blind signature scheme based on quadratic residues[J].IEEE Electronic Letters,1996,32(9):811-813.
[40]FAN C I,LEI C L.User efficient blind signatures[J].IEEE Electronics Letters,1998,34(6):544-546.
[41]FAN C I,LEI C L.Low-computation Partially blind signatures for electronic cash[J].IEICE Transactions on Fundamentals,1998,81(5):818-824.
[42]FUJISAKI E,OKAMOTO T.How to enhance the security of public-key encryption at minimum cost[J].IEICE Transaction of Fundamentals of Electronic Communications and Computer Science,2000,E83-A:24-32.
[43]冯登国,卿斯汉.信息安全-核心理论与实践[M].北京:国防工业出版社,2000
[44]Girault M.Self-certified public keys[C].Proc.Advances in Cryptology-EUROCRYPT'91,LNCS 547.Berlin:Springer-Verlag,1991:491-497.
[45]GORDON D M.Discrete logarithms in GF(p) using the number field sieve[J].In SIAM J.of Disc.Math.,1993,6:124-138.
[46]谷超豪著.别有洞天-非线性科学[M].湖南:湖南科学技术出版社,2001.
[47]VON ZUR GATHEN J,GERHARD J.Modern computer algebra[M].Cambridge,UK:Cambridge University Press,1999.
[48]GONG G,HARN L.Public key cryptosystems based on cubic finite field extensions[J].IEEE Trans.Inf.Theory,1999,45(7):2601-2605.
[49]GAUDRY P,HESS F,SMART N P.Constructive and destructive facets of weft descent on elliptic curves[J].In J.of Cryptology,2002,15(1):19-46.
[50]GALLANT R P,LAMBERT R J,VANSTONE S A.Faster point multiplication on elliptic curves with efficient endomorphisms[C].Proceedings Crypto 2001,LNCS 2139.London,UK:Springer-Verlag,2001:190-200.
[51]GOLAWASSER S,MICALI S.Probabilistic encryption[J].Journal of Computer and System Sciences,1984,28:270-299.
[52]HUA L K.Introduction to Number Theory[M].Berlin:Springer-Verlag,1982.
[53]HWANG S J,CHANG C C,YANG W P.Authenticated encryption schemes With message linkages[J].Information Processing Letters,1996,58:189-194.
[54]HARN L,KIELSER T.New scheme for digital multi-signature[J].Electronic Letters,1989,25(15):1002-1003.
[55]HORSTER P,MICHELS M,PETERSEN H.Authenticated encryption schemes with low communication costs[J].Electronics Letters,1994,30(15):1230-1231.
[56]HARDY G H,WRIGHT E M.An introduction to the theory of numbers[M].Oxford,UK:Clarendon Press,1960.
[57]JUNGNICKEL D.Finite fields:structure and arithmetics[M].Mannheim:Bibliographisches Institute Wissenschaftsverlag,1993
[58]JOUX A,LERCIER R.The function field sieve is quite special[C].In Algorithmic Number Theory Symposium-ANTS-V,LNCS 2369.London,UK:Springer-Verlag,2002:431-445.
[59]JACOBSON JR M J,MENEZES A J,STEIN A.Hyperelliptic curves and cryptography [C].In High Primes and Misdemeanors:lectures in honor of the 60th birthday of Hugh Cowie Williams,Fields Institute Communications Series,41.American Mathematical Society,2004:255-282.
[60]JACOBSON JR M J,SCHEIDLER R,STEIN A.Fast arithmetic on hyperelliptic curves via continued fraction expansions[C].T.Shaska,W.C.Huffman,D.Joyner,and V.Ustimenko,eds.Advances in Coding Theory and Cryptography,Series on Coding Theory and Cryptology,3.World Scientific Publishing,2007:201-244.
[61]KOBLITZ N.Elliptic curve cryptosystems[J].Mathematics of Computation,1987,48:203-209.
[62]KOBLITZ N.Hyperelliptic cryptosystems[J].In J.of Cryptology,1989,1:139-150.
[63]KRAVITZ D W.Digital signature algorithm:U.S.,5231668[P].27 Jul 1993.
[64]KOBLITZ N.An elliptic curve implementation of the finite field digital signature algorithm [C].Proceedings of Crypto'98,LNCS 1462.Berlin:Springer-Verlag,1998:327-337.
[65]KNUTH D E.The art of computer programming,Volume 2,Seminumerical Algorithms [M].third edition.Addison-Wesley,1998.
[66]KUROSAWA K,DESMEDT Y.A new paradigm of hybrid encryption scheme[C].M.Franklin ed.Proceedings of Advances in Cryptolog-y-CRYPTO 2004:24th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2004 LNCS 3152.Berlin:Springer-Verlag,2004:426-442.
[67]KIM S,PARK S,WON D.Proxy signatures:revisited[C].Proceedings of the First International Conference on Information and Communication Security,LNCS 1334.Berlin:Springer-Verlag,1997:223-232.
[68]LEHMER D H.An extended theory of Lucas's functions[J].Ann.of Math.,1930,31:419-448.
[69]LENSTRA A K.Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields[C].Proceedings of ACISP'97,LNCS 1270.London,UK:Springer-Verlag,1997:127-138.
[70]LEE W B,CHANG C Y.Efficient proxy-protected proxy signature scheme based on discrete logarithm[C].Proceedings of 1Oth Conference on information security.Hualien,Taiwan,ROC,2000:4-7.
[71]卢建株,陈火炎.具有消息恢复的数字签名方案及其安全性[J].小型微型计算机系统,2003,24(4):695-697.
[72]LEE W B,CHANG C C.Authenticated encryption schemes with linkage between message blocks[J].Information Processing Letters,1997,63:247-250.
[73]LIN W D,JAN J K.A security Personal learning tools using a proxy blind signature scheme[C].Proceedings of International Conference on Chinese Language Computing.USA:Chinese Language Computer Society Knowledge Systems Institute,2000:273-277.
[74]李子臣,李中献.具有消息恢复签名方案的伪造攻击[J].通信学报,2000,21(5):84-87.
[75]LIDL R,MULLER W B.Permutation polynomials in RSA-cryptosystems[C].Proceedings of Crypto'83.New York:Plenum Press,1984:293-301.
[76]LENSTRA A K,VERHEUL E R.The XTR public key systemiC].M.Bellare ed.Proceedings of Advances in Cryptology-CRYPTO 2000:20th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2000,LNCS 1880.Berlin:Springer-Verlag,2000:1-19.
[77]LENSTRA A K,VERHEUL E R.Key improvements to XTR[C].T.Okamoto ed.Proceedings of Advances in Cryptology-ASIACRYPT 2000:6th International Conference on the Theory and Application of Cryptology and Information Security,Kyoto,Japan,December 2000,LNCS 1976.Berlin:Springer-Verlag,2000:220-233.
[78]LENSTRA A K,VERHEUL E R.An overview of the XTR public key systemiC].Proceedings of the Conference on Public Key Cryptography and Computational Number Theory,Warsaw,2000.Berlin:Walter de Gruyter,2001:151-180.
[79]LENSTRA A K,VERHEUL E R.Fast irreducibility and subgroup membership testing in XTR[C].K.Kim ed.Proceedings of Public Key Cryptography:4th International Workshop on Practice and Theory in Public Key Cryptosystems,Cheju Island,Korea,February 2001,PKC 2001,LNCS 1992.Berlin:Springer-Verlag,2001:73-86.
[80]李子臣,杨义先.具有消息恢复的数字签名方案明[J].电子学报,2000,28(1):125-126.
[81]MOENCK R T.Fast computation of GCDs[C].In STOC'73:Proceedings of the Fifth Annual ACM Symposium on Theory of Computing.New York:ACM Press,1973:142-151.
[82]MONTGOMERY P L.Modular multiplication without trial division[J].Mathematics of Computation,1985,44(170):519-521.
[83]MILLER V S.Use of elliptic curves in cryptography[C].H.C.Williams,ed.Advances in Cryptology-CRYPTO'85,LNCS 218.Berlin:Springer-Verlag,1986:417-426.
[84]MCCURLEY K S.The discrete logarithm problem[C].C.Pomerance,ed.Cryptology and Computational Number Theory,volume 42 of Proceedings of Symposia in Applied Mathematics.American Mathematical Society,1990:49-74.
[85]MONTGOMERY P L.Evaluating recurrences of form X_(m+n)=f(X_m,X_n,X_(m-n)) via lucas chains[OL].January 1992.ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz.
[86]MENEZES A.Elliptic curve public key cryptosystems[M].Boston,MA:Kluwer,1993.
[87]MAO W.王继林,伍前红等译.现代密码学理论与实践[M].北京:电子工业出版社,2004.
[88]MOENCK R T,CARTER J H.Approximate algorithms to derive exact solutions to systems of linear equations[C].In Proceedings of EUROSAM,LNCS 72.Berlin:Springer-Verlag,1979:63-73.
[89]MENEZES A,OKAMOTO T,VANSTONE S A.Reducing elhptic curve logarithms to a finite field[J].IEEE Trans.Inform.Theory,1993,39:1639-1646.
[90]MENEZES A,VANSTONE S A.ECSTR(XTR):elliptic curve singular trace representation [C].Rump Session of Crypto 2000.California,USA,2000.
[91]NICHOLSON W K.Introduction to abstract algebra[M].Boston:PWS-Kent Publishing Company,1993.
[92]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithmiC].Advances in Cryptology-Eurocrypt'94,LNCS 950.Berlin:Springer-Verlag,1995:182-193.
[93]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithm[J].Designs,Codes and Cryptography.1996,7:61-81.
[94]NAOR M,YUNG M.Public-key cryptosystems provably secure against chosen ciphertext attacks[C].In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing,Baltimore,Maryland,United States,May 1990.New York,USA:ACM,1990:427-437.
[95]OKAMOTO T.Provably secure and practical identification schemes and corresponding signature schemes[C].Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology,LNCS 740.London,UK:Springer-Verlag,1992:31-53.
[96]VAN OORSCHOT P C,WIENER M J.On Diffie-Hellman key agreement with short exponents[C].Proceedings of Eurocrypt'96,LNCS 1070.Berlin:Springer-Verlag,1996:332-343.
[97]POLLARD J M.A Monte Carlo method for factorization[J].BIT,1975,15:331-334.
[98]POLLARD J M.Factoring with cubic integers[C].A.K.Lenstra,H.W.Lenstra Jr.,eds.The Development of the Number Field Sieve,volume 1554 of Lecture Notes in Mathematics.New York:Springer-Verlag,1993:4-10.
[99]PAN V Y.Can we optimize Toeplitz/Hankel computations?[C].V.G.Ganzha,E.W.Mayr,E.V.Vorozhzov,eds.In Proceedings of the Fifth International Workshop on Computer Algebra in Scientific Computing(CASC 2002,Yalta,Ukraine).Muenchen,Germany:Technische Univ.,2002:253-264.
[100]POHLIG S C,HELLMAN M E.An improved algorithm for computing logarithms over GF(p) and its cryptographic significance[J].IEEE Trans.on IT,1978,24:106-110.
[101]PETERSEN H,HORSTER P.Self-certified keys-concepts and applications[C].In Proc.3rd Int.Conference on Communications and Multimedia Security'97.Chapman & Hall,September,1997:102-116.
[102]POINTCHEVAL D,STERN J.Provably Secure Blind Signature Schemes[C].Advance Cryptology-Asiacrypt'96,LNCS 1163.Kyongju,Korea:Springer-Verlag,1996.252-265.
[103]RACKOFF C,SIMON D.Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack[C].J.Feigenbaum ed.In Proceedings of Advances in Cryptology-CRYPTO '91,Santa Barbara,California,USA,August 1991 LNCS 576.Springer-Verlag,1991:433-444.
[104]REVIST R L,SHAMIR A,ADLEMAN L.A method for obtaining digital signatures and public-key cryptosystems[J].Communications of the ACM,1978,21(2):120-126.
[105]SCHRIJVER A.Theory of linear and integer programming[M].New York:Wiley,1986.
[106]SCHNORR C P.Efficient signature generation by smart cards[J].Journal of Cryptology,1991,4:161-174.
[107]SCHNEIER B.Applied cryptography-protocols,algorithms,and source code in C[M].Second Ed.New York:John Wiley & Sons,1996.
[108]SHOUP V.Lower bounds for discrete logarithms and related problems[C].In Advances in Cryptology(EUROCRYPT),LNCS 1233.Berlin:Springer-Verlag,1997:256-266.
[109]STALLINGS W.杨明,胥光辉,齐望东等译.密码编码学与网络安全:原理与实践[M].北京:电子工业出版社,2001.
[110]STINSON D R.冯登国译.密码学原理与实践[M].北京:电子工业出版社,2003.
[111]STAM M,LENSTRA A K.Speeding up XTR[C].C.Boyd ed.Proceedings of Advances in Cryptology-ASIACRYPT 2001:7th International Conference on the Theory and Application of Cryptology and Information Security,Gold Coast,Australia,December 2001,LNCS 2248.Berlin:Springer-Verlag,2001:125-143.
[112]STADLER M A,PIVETEAU J M,CAMENISCH J L.A blind signatures scheme based on EIGamal signature[C].EUROCRYPT'95.Heidelberg:Springer-Verlag,1995:209-219.
[113]STADLER M A,PIVETEAU J M,CAMENISCH J L.Fair blind signatures[C].In Proc.EUROCRYPT '95,LNCS 921.St.Malo,France:Springer-Verlag,1995:209-219.
[114]SCH(O|¨)NHAGE A,STRASSEN V.Schnelle Multiplikation grosse Zahlen[J].Computing,1971,7:281-292.
[115]SMITH P,SKINNER C.A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms[C].Proceedings of Asiacrypt'94,LNCS 917.Berlin:Springer-Verlag,1995:357-364.
[116]TESKE E.Speeding up Pollard's Rho method for computing discrete logarithms[C].In Alg.Numb.Th.Symp.(ANTS-Ⅲ),LNCS 1423.Berlin:Springer-Verlag,1998:541-554.
[117]THERIAULT N.Index calculus attack for hyperelliptic curves of small genus[C].C.Laih ed.In Advances in Cryptology-ASIACRYPT 2003,LNCS 2894.Berlin:Springer,2003:75-92.
[118]TSENG Y M,JAN J K.An efficient authenticated encryption schemes with message linkages and low communication costs[J].Journal of information and engineering,2002,18:41-46.
[119]TSENG Y M,JAN J K,CHIEN H Y.Digital signature with message recovery using selfcertified Public keys and its variants[J].Applied Mathematics and Computation,2003,136(2-3):203-214.
[120]TAN Z,LIU Z,TANG C.Digital proxy blind signature schemes based on DLP and ECDLP[J].MM Research Preprints,2002,21(7):212-217.
[121]THULL K,YAP C.A unified approach to hgcd algorithms for polynomials and integers[OL].1998.http://citeseer.ist.psu.edu/235845.html.
[122]URSIC S,PATARRA C.Exact solution of systems of linear equations with iterative methods[J].SIAM J.Algebraic Discrete Methods,1983,4:111-115.
[123]VALLEE B.Dynamics of the binary Euclidean algorithm:functional analysis and operators [J].Algorithmica,1998,22:660-685.
[124]VERHEUL E.Certificates of recoverability with scalable recovery agent security[C].Proceedings of PKC 2000,LNCS 1751.Berlin:Springer-Verlag,2000:258-275.
[125]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [C].Proceedings of Eurocrypt 2001,LNCS 2045.Berlin:Springer-Verlag,2001:195-210.
[126]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [J].Journal of Cryptology,2004,17(4):277-296.
[127]WILLIAMS H C.A p+1 Method of Factoring[J].Math.Comp.,1982,39:225-234.
[128]吴克力.数字签名理论与算法研究[D].南京:南京理工大学,2004.
[129]Working Group 2 of ISO/IEC JTC 1/SC27.An emerging standard for public-key encryption [EB/OL].2004-1-5.http://shoup.net.
[130]王育民,刘建伟.通信网的安全—理论与技术[M].西安:西安电子科技大学出版,1999.
[131]WANG X,PAN V Y.Acceleration of Euclidean algorithm and rational number reconstruction [J].SIAM J.Comput.,2003,32:548-556.
[132]王继林,伍前红,高虎明,等.基于XTR的Schnorr签字与环签字算法[J].西安电子科技大学学报,2004,31(3):454-458.
[133]WANG Z H,ZHANG Z G.XTR~+:a provable security public key cryptosystem[C].Y.Wang,Y.Cheung,H.Liu,eds.CIA 2006,LNAI 4456.Berlin Heidelberg:Springer-Verlag,2007:534-544.
[134]吴克力,朱保平,刘凤玉.公平的群盲签名方案[J].南京理工大学学报(自然科学版),2004,28(1):90-94.
[135]Yan S Y.Number Theory for Computing[M].2nd Edition.New York:Springer-Verlag,2002.
[136]杨波.网络安全理论与应用[M].北京:电子工业出版社,2002.
[137]杨义先,钮心忻,任金强.信息安全新技术[M].北京:北京邮电大学出版社,2002.
[138]杨义先,孙伟,钮心忻.现代密码新理论[M]_北京:科学出版社,2002.
[139]姚亦峰,朱华飞,陈抗生.基于二元仿射变换的广义EIGamal型盲签名方案[J].电子学报,2000,28(7):128-129.
[140]ZIPPEL R E.Effective Polynomial Computation[M].Norwell,MA:Kluwer Academic Publishers,1993.
[141]赵泽茂.数字签名理论及应用研究[D].南京:南京理工大学计算机系,2005.
[2]ABE M,GENNARO R,KUROSAWA K,et al.Tag-KEM/DEM:a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM[C].R.Cramer,Ed.Proceedings of Advances in Cryptology-EUROCRYPT 2005:24th International Conference on the Theory and Application of Cryptographic Techniques,LNCS 1976.Aarhus,Denmark:May 2005:128-146.
[3]ADLEMAN L M,HUANG M A.Function field sieve method for discrete logarithms over finite fields[J].Information and Computation,1999,151(1-2):5-16.
[4]AHO A V,HOPCROFT J E,ULLMAN J D.The design and analysis of computer algorithms [M].Massachussetts,USA:Addison-Wesley,Reading,1974.
[5]ASOKAN N,SHOUP V,WAIDNER M.Optimistic Fair Exchange of Digital Signatures[J].IEEE Journal on Selected Areas in Communications,2000,18(4):593-610.
[6]ATENIESE G,TSUDIK G.Some open issues and directions in group signature[C].In Financial Crypto'99,LNCS 1648.London,UK:Springer-Verlag,1999:196-211.
[7]BELLARE M,CANETTI R,KRAWCZYK H.A modular approach to the design and analysis of authentication and key exchange protocols[C].The 30th Annual ACM Symposium on Theory of Computing.New York:ACM,1998:419-428.
[8]BELLARE M,DESAI A,POINTCHEVAL D,et al.Relations Among Notions of Security for Public Key Encryption Schemes[C].Advances in Cryptology CRYPTO'98.Berlin:Springer-Verlag,1998:26-45.
[9]BIEHL I,MEYER B,M(U|¨)LLER V.Differential fault attacks on elliptic curve cryptosystems [C].Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology,LNCS 1880.London,UK:Springer-Verlag,2000:131-146.
[10]BELLARE M,POINTCHEVAL D,ROGAWAY P.Authenticated key exchange secure against dictionary attacks[C].B.Preneel,ed.Advances in Cryptology-Eurocrypt'00,LNCS 1807.Berlin:Springer-Verlag,2000:139-155.
[11]BROUWER A E,PELLIKAAN R,VERHEUL E R.Doing more with fewer bits[C].Proceedings of Asiacrypt'99,LNCS 1716.Berlin:Springer-Verlag,1999:321-332.
[12]BELLARE M,ROGAWAY P.Entity authentication and key distribution[C].Advances in Cryptology CRYPTO'93.Berlin:Springer-Verlag,1994:232-249.
[13]BELLARE M,ROGAWAY P.Optimal asymmetric encryption[C].In Advances in Cryptology-Eurocrypt'94.Berlin:Springer-Verlag,1994:92-111.
[14]BACH E,SHALLIT J.Algorithmic number theory[M].Cambridge,MA,USA:The MIT Press,1996.
[15]BLAKE I F,SEROUSSI G,SMART N P.Elliptic curves in cryptography[M].Cambridge:University Press,1999.
[16]CHAUM D.Blind signature for untraceable payments[C].Proc.Crypto'82.New York:Plenum Press,1983:199-203.
[17]CHAUM D.Blind signatures systemiC].CRYPTO'83.New York:Plenum Press,1983:153-158.
[18]COHEN H.A course in computational algebraic number theory[M].GTM 138,New York:Springer-Verlag,1993.
[19]陈景润.初等数论Ⅲ[M].北京:科学出版社,1998.
[20]CANETTI R.Universally Composable security:a new paradigm for cryptographic protocols [C].the 42nd IEEE Symposium on Foundations of Computer Science.Washington:IEEE,2001:136-145.
[21]陈晓峰,高虎明,王育民.基于XTR体制的盲签名方案[J].电子与信息学报,2003,25(6):851-854.
[22]CHAUM D,HEYST E V.Group signatures[C].Advances in Cryptology-Eurocrypto'91,LNCS 547.Berlin:Springer-Verlag,1991:257-265.
[23]CHIEN H Y,JAN J K,TSENG Y M.RSA-based partially blind signature with low computation[C].IEEE 8th International Conference on Parallel and Distributed Systems.Kyongju:Institute of Electrical and Electronics Engineers Computer Society,2001:385-389.
[24]CANETTI R,KRAWCZYK H.Analysis of key-exchange protocols and their use for building secure channels[C].Advances in Cryptology EUROCRYPT 2001.Berlin:Springer-Verlag,2001:453-474.
[25]COHEN H,LENSTRA A K.Implementation of a new primality test[J].Math.Comp.,1987,48:103-121.
[26]COHEN H,MIYAJI A,ONO T.Efficient elliptic curve exponentiation using mixed coordinates [C].Proceedings Asiacrypt'98,LNCS 1514.Berlin:Springer-Verlag,1998:51-65.
[27]CAMENISCH J L,PIVETEAU J M,STADLER M A.Blind signature based on discrete logarithm problem[C].Eurocrypt'94,LNCS 950.Perugia,Italy:Springer-Verlag,1994:428-432.
[28]CAMENISH J,STADLER M.Efficient group signature schemes for large groups[C].Advances in Cryptology-CRPTO'97,LNCS 1294.Berlin:Springer-Verlag,1997:410-424.
[29]CRAMMER R,SHOUP V.A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack[C].H.Krawczyk ed.Advances in Cryptology-Proceedings of CRYPTO'98,LNCS 1462.Santa Barbara:Springer-Verlag,1998:13-25.
[30]CRAMMER R,SHOUP V.Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack[J].SIAM Journal of Computing,2003,33(1):167-226.
[31]陈晓峰,王继林,王育民.无强迫的最优合同签署方案[J].电子学报,2004,32(3):404-407.
[32]陈晓峰,王继林,王育民.基于广义体制的签名方案[J].电子与信息学报,2004,26(4):562-567.
[33]DIXON J D.Exact solution of linear equations using p-adic expansions[J].Numer.Math.,1982,40:137-141.
[34]DOLEV D,DWORK C,NAOR M.Non-malleable cryptography[C].In Proceedings of the 23rd Annual ACM Symposium on Theory of Computing.New York,USA:ACM,May 1991:542-552.
[35]DIFFIE W,HELLMAN M E.New directions in cryptography[J].IEEE Transactions on Information Theory,1976,IT-22(6):644-654.
[36]代锦秀,唐小虎,郑宇,等.XTR公钥密码体制概述[J].计算机工程与应用,2005,29:63-65.
[37]EIGAMAL T.A Public Key cryptosystem and a signature scheme based on discrete logarithms[J].IEEE Transactions on Information Theory,1985,31:469-472.
[38]FAN C I,CHEN W K,YEH Y S.Randomization enhanced Chaum's blind signature scheme[J].Computer Communications,2000,23(13):1677-1680.
[39]FAN C I,LEI C L.Efficient blind signature scheme based on quadratic residues[J].IEEE Electronic Letters,1996,32(9):811-813.
[40]FAN C I,LEI C L.User efficient blind signatures[J].IEEE Electronics Letters,1998,34(6):544-546.
[41]FAN C I,LEI C L.Low-computation Partially blind signatures for electronic cash[J].IEICE Transactions on Fundamentals,1998,81(5):818-824.
[42]FUJISAKI E,OKAMOTO T.How to enhance the security of public-key encryption at minimum cost[J].IEICE Transaction of Fundamentals of Electronic Communications and Computer Science,2000,E83-A:24-32.
[43]冯登国,卿斯汉.信息安全-核心理论与实践[M].北京:国防工业出版社,2000
[44]Girault M.Self-certified public keys[C].Proc.Advances in Cryptology-EUROCRYPT'91,LNCS 547.Berlin:Springer-Verlag,1991:491-497.
[45]GORDON D M.Discrete logarithms in GF(p) using the number field sieve[J].In SIAM J.of Disc.Math.,1993,6:124-138.
[46]谷超豪著.别有洞天-非线性科学[M].湖南:湖南科学技术出版社,2001.
[47]VON ZUR GATHEN J,GERHARD J.Modern computer algebra[M].Cambridge,UK:Cambridge University Press,1999.
[48]GONG G,HARN L.Public key cryptosystems based on cubic finite field extensions[J].IEEE Trans.Inf.Theory,1999,45(7):2601-2605.
[49]GAUDRY P,HESS F,SMART N P.Constructive and destructive facets of weft descent on elliptic curves[J].In J.of Cryptology,2002,15(1):19-46.
[50]GALLANT R P,LAMBERT R J,VANSTONE S A.Faster point multiplication on elliptic curves with efficient endomorphisms[C].Proceedings Crypto 2001,LNCS 2139.London,UK:Springer-Verlag,2001:190-200.
[51]GOLAWASSER S,MICALI S.Probabilistic encryption[J].Journal of Computer and System Sciences,1984,28:270-299.
[52]HUA L K.Introduction to Number Theory[M].Berlin:Springer-Verlag,1982.
[53]HWANG S J,CHANG C C,YANG W P.Authenticated encryption schemes With message linkages[J].Information Processing Letters,1996,58:189-194.
[54]HARN L,KIELSER T.New scheme for digital multi-signature[J].Electronic Letters,1989,25(15):1002-1003.
[55]HORSTER P,MICHELS M,PETERSEN H.Authenticated encryption schemes with low communication costs[J].Electronics Letters,1994,30(15):1230-1231.
[56]HARDY G H,WRIGHT E M.An introduction to the theory of numbers[M].Oxford,UK:Clarendon Press,1960.
[57]JUNGNICKEL D.Finite fields:structure and arithmetics[M].Mannheim:Bibliographisches Institute Wissenschaftsverlag,1993
[58]JOUX A,LERCIER R.The function field sieve is quite special[C].In Algorithmic Number Theory Symposium-ANTS-V,LNCS 2369.London,UK:Springer-Verlag,2002:431-445.
[59]JACOBSON JR M J,MENEZES A J,STEIN A.Hyperelliptic curves and cryptography [C].In High Primes and Misdemeanors:lectures in honor of the 60th birthday of Hugh Cowie Williams,Fields Institute Communications Series,41.American Mathematical Society,2004:255-282.
[60]JACOBSON JR M J,SCHEIDLER R,STEIN A.Fast arithmetic on hyperelliptic curves via continued fraction expansions[C].T.Shaska,W.C.Huffman,D.Joyner,and V.Ustimenko,eds.Advances in Coding Theory and Cryptography,Series on Coding Theory and Cryptology,3.World Scientific Publishing,2007:201-244.
[61]KOBLITZ N.Elliptic curve cryptosystems[J].Mathematics of Computation,1987,48:203-209.
[62]KOBLITZ N.Hyperelliptic cryptosystems[J].In J.of Cryptology,1989,1:139-150.
[63]KRAVITZ D W.Digital signature algorithm:U.S.,5231668[P].27 Jul 1993.
[64]KOBLITZ N.An elliptic curve implementation of the finite field digital signature algorithm [C].Proceedings of Crypto'98,LNCS 1462.Berlin:Springer-Verlag,1998:327-337.
[65]KNUTH D E.The art of computer programming,Volume 2,Seminumerical Algorithms [M].third edition.Addison-Wesley,1998.
[66]KUROSAWA K,DESMEDT Y.A new paradigm of hybrid encryption scheme[C].M.Franklin ed.Proceedings of Advances in Cryptolog-y-CRYPTO 2004:24th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2004 LNCS 3152.Berlin:Springer-Verlag,2004:426-442.
[67]KIM S,PARK S,WON D.Proxy signatures:revisited[C].Proceedings of the First International Conference on Information and Communication Security,LNCS 1334.Berlin:Springer-Verlag,1997:223-232.
[68]LEHMER D H.An extended theory of Lucas's functions[J].Ann.of Math.,1930,31:419-448.
[69]LENSTRA A K.Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields[C].Proceedings of ACISP'97,LNCS 1270.London,UK:Springer-Verlag,1997:127-138.
[70]LEE W B,CHANG C Y.Efficient proxy-protected proxy signature scheme based on discrete logarithm[C].Proceedings of 1Oth Conference on information security.Hualien,Taiwan,ROC,2000:4-7.
[71]卢建株,陈火炎.具有消息恢复的数字签名方案及其安全性[J].小型微型计算机系统,2003,24(4):695-697.
[72]LEE W B,CHANG C C.Authenticated encryption schemes with linkage between message blocks[J].Information Processing Letters,1997,63:247-250.
[73]LIN W D,JAN J K.A security Personal learning tools using a proxy blind signature scheme[C].Proceedings of International Conference on Chinese Language Computing.USA:Chinese Language Computer Society Knowledge Systems Institute,2000:273-277.
[74]李子臣,李中献.具有消息恢复签名方案的伪造攻击[J].通信学报,2000,21(5):84-87.
[75]LIDL R,MULLER W B.Permutation polynomials in RSA-cryptosystems[C].Proceedings of Crypto'83.New York:Plenum Press,1984:293-301.
[76]LENSTRA A K,VERHEUL E R.The XTR public key systemiC].M.Bellare ed.Proceedings of Advances in Cryptology-CRYPTO 2000:20th Annual International Cryptology Conference,Santa Barbara,California,USA,August 2000,LNCS 1880.Berlin:Springer-Verlag,2000:1-19.
[77]LENSTRA A K,VERHEUL E R.Key improvements to XTR[C].T.Okamoto ed.Proceedings of Advances in Cryptology-ASIACRYPT 2000:6th International Conference on the Theory and Application of Cryptology and Information Security,Kyoto,Japan,December 2000,LNCS 1976.Berlin:Springer-Verlag,2000:220-233.
[78]LENSTRA A K,VERHEUL E R.An overview of the XTR public key systemiC].Proceedings of the Conference on Public Key Cryptography and Computational Number Theory,Warsaw,2000.Berlin:Walter de Gruyter,2001:151-180.
[79]LENSTRA A K,VERHEUL E R.Fast irreducibility and subgroup membership testing in XTR[C].K.Kim ed.Proceedings of Public Key Cryptography:4th International Workshop on Practice and Theory in Public Key Cryptosystems,Cheju Island,Korea,February 2001,PKC 2001,LNCS 1992.Berlin:Springer-Verlag,2001:73-86.
[80]李子臣,杨义先.具有消息恢复的数字签名方案明[J].电子学报,2000,28(1):125-126.
[81]MOENCK R T.Fast computation of GCDs[C].In STOC'73:Proceedings of the Fifth Annual ACM Symposium on Theory of Computing.New York:ACM Press,1973:142-151.
[82]MONTGOMERY P L.Modular multiplication without trial division[J].Mathematics of Computation,1985,44(170):519-521.
[83]MILLER V S.Use of elliptic curves in cryptography[C].H.C.Williams,ed.Advances in Cryptology-CRYPTO'85,LNCS 218.Berlin:Springer-Verlag,1986:417-426.
[84]MCCURLEY K S.The discrete logarithm problem[C].C.Pomerance,ed.Cryptology and Computational Number Theory,volume 42 of Proceedings of Symposia in Applied Mathematics.American Mathematical Society,1990:49-74.
[85]MONTGOMERY P L.Evaluating recurrences of form X_(m+n)=f(X_m,X_n,X_(m-n)) via lucas chains[OL].January 1992.ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz.
[86]MENEZES A.Elliptic curve public key cryptosystems[M].Boston,MA:Kluwer,1993.
[87]MAO W.王继林,伍前红等译.现代密码学理论与实践[M].北京:电子工业出版社,2004.
[88]MOENCK R T,CARTER J H.Approximate algorithms to derive exact solutions to systems of linear equations[C].In Proceedings of EUROSAM,LNCS 72.Berlin:Springer-Verlag,1979:63-73.
[89]MENEZES A,OKAMOTO T,VANSTONE S A.Reducing elhptic curve logarithms to a finite field[J].IEEE Trans.Inform.Theory,1993,39:1639-1646.
[90]MENEZES A,VANSTONE S A.ECSTR(XTR):elliptic curve singular trace representation [C].Rump Session of Crypto 2000.California,USA,2000.
[91]NICHOLSON W K.Introduction to abstract algebra[M].Boston:PWS-Kent Publishing Company,1993.
[92]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithmiC].Advances in Cryptology-Eurocrypt'94,LNCS 950.Berlin:Springer-Verlag,1995:182-193.
[93]NYBERG K,RUEPPEL R A.Message recovery for signature schemes based on the discrete logarithm[J].Designs,Codes and Cryptography.1996,7:61-81.
[94]NAOR M,YUNG M.Public-key cryptosystems provably secure against chosen ciphertext attacks[C].In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing,Baltimore,Maryland,United States,May 1990.New York,USA:ACM,1990:427-437.
[95]OKAMOTO T.Provably secure and practical identification schemes and corresponding signature schemes[C].Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology,LNCS 740.London,UK:Springer-Verlag,1992:31-53.
[96]VAN OORSCHOT P C,WIENER M J.On Diffie-Hellman key agreement with short exponents[C].Proceedings of Eurocrypt'96,LNCS 1070.Berlin:Springer-Verlag,1996:332-343.
[97]POLLARD J M.A Monte Carlo method for factorization[J].BIT,1975,15:331-334.
[98]POLLARD J M.Factoring with cubic integers[C].A.K.Lenstra,H.W.Lenstra Jr.,eds.The Development of the Number Field Sieve,volume 1554 of Lecture Notes in Mathematics.New York:Springer-Verlag,1993:4-10.
[99]PAN V Y.Can we optimize Toeplitz/Hankel computations?[C].V.G.Ganzha,E.W.Mayr,E.V.Vorozhzov,eds.In Proceedings of the Fifth International Workshop on Computer Algebra in Scientific Computing(CASC 2002,Yalta,Ukraine).Muenchen,Germany:Technische Univ.,2002:253-264.
[100]POHLIG S C,HELLMAN M E.An improved algorithm for computing logarithms over GF(p) and its cryptographic significance[J].IEEE Trans.on IT,1978,24:106-110.
[101]PETERSEN H,HORSTER P.Self-certified keys-concepts and applications[C].In Proc.3rd Int.Conference on Communications and Multimedia Security'97.Chapman & Hall,September,1997:102-116.
[102]POINTCHEVAL D,STERN J.Provably Secure Blind Signature Schemes[C].Advance Cryptology-Asiacrypt'96,LNCS 1163.Kyongju,Korea:Springer-Verlag,1996.252-265.
[103]RACKOFF C,SIMON D.Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack[C].J.Feigenbaum ed.In Proceedings of Advances in Cryptology-CRYPTO '91,Santa Barbara,California,USA,August 1991 LNCS 576.Springer-Verlag,1991:433-444.
[104]REVIST R L,SHAMIR A,ADLEMAN L.A method for obtaining digital signatures and public-key cryptosystems[J].Communications of the ACM,1978,21(2):120-126.
[105]SCHRIJVER A.Theory of linear and integer programming[M].New York:Wiley,1986.
[106]SCHNORR C P.Efficient signature generation by smart cards[J].Journal of Cryptology,1991,4:161-174.
[107]SCHNEIER B.Applied cryptography-protocols,algorithms,and source code in C[M].Second Ed.New York:John Wiley & Sons,1996.
[108]SHOUP V.Lower bounds for discrete logarithms and related problems[C].In Advances in Cryptology(EUROCRYPT),LNCS 1233.Berlin:Springer-Verlag,1997:256-266.
[109]STALLINGS W.杨明,胥光辉,齐望东等译.密码编码学与网络安全:原理与实践[M].北京:电子工业出版社,2001.
[110]STINSON D R.冯登国译.密码学原理与实践[M].北京:电子工业出版社,2003.
[111]STAM M,LENSTRA A K.Speeding up XTR[C].C.Boyd ed.Proceedings of Advances in Cryptology-ASIACRYPT 2001:7th International Conference on the Theory and Application of Cryptology and Information Security,Gold Coast,Australia,December 2001,LNCS 2248.Berlin:Springer-Verlag,2001:125-143.
[112]STADLER M A,PIVETEAU J M,CAMENISCH J L.A blind signatures scheme based on EIGamal signature[C].EUROCRYPT'95.Heidelberg:Springer-Verlag,1995:209-219.
[113]STADLER M A,PIVETEAU J M,CAMENISCH J L.Fair blind signatures[C].In Proc.EUROCRYPT '95,LNCS 921.St.Malo,France:Springer-Verlag,1995:209-219.
[114]SCH(O|¨)NHAGE A,STRASSEN V.Schnelle Multiplikation grosse Zahlen[J].Computing,1971,7:281-292.
[115]SMITH P,SKINNER C.A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms[C].Proceedings of Asiacrypt'94,LNCS 917.Berlin:Springer-Verlag,1995:357-364.
[116]TESKE E.Speeding up Pollard's Rho method for computing discrete logarithms[C].In Alg.Numb.Th.Symp.(ANTS-Ⅲ),LNCS 1423.Berlin:Springer-Verlag,1998:541-554.
[117]THERIAULT N.Index calculus attack for hyperelliptic curves of small genus[C].C.Laih ed.In Advances in Cryptology-ASIACRYPT 2003,LNCS 2894.Berlin:Springer,2003:75-92.
[118]TSENG Y M,JAN J K.An efficient authenticated encryption schemes with message linkages and low communication costs[J].Journal of information and engineering,2002,18:41-46.
[119]TSENG Y M,JAN J K,CHIEN H Y.Digital signature with message recovery using selfcertified Public keys and its variants[J].Applied Mathematics and Computation,2003,136(2-3):203-214.
[120]TAN Z,LIU Z,TANG C.Digital proxy blind signature schemes based on DLP and ECDLP[J].MM Research Preprints,2002,21(7):212-217.
[121]THULL K,YAP C.A unified approach to hgcd algorithms for polynomials and integers[OL].1998.http://citeseer.ist.psu.edu/235845.html.
[122]URSIC S,PATARRA C.Exact solution of systems of linear equations with iterative methods[J].SIAM J.Algebraic Discrete Methods,1983,4:111-115.
[123]VALLEE B.Dynamics of the binary Euclidean algorithm:functional analysis and operators [J].Algorithmica,1998,22:660-685.
[124]VERHEUL E.Certificates of recoverability with scalable recovery agent security[C].Proceedings of PKC 2000,LNCS 1751.Berlin:Springer-Verlag,2000:258-275.
[125]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [C].Proceedings of Eurocrypt 2001,LNCS 2045.Berlin:Springer-Verlag,2001:195-210.
[126]VERHEUL E.Evidence that XTR is more secure than supersingular elliptic curve cryptosystems [J].Journal of Cryptology,2004,17(4):277-296.
[127]WILLIAMS H C.A p+1 Method of Factoring[J].Math.Comp.,1982,39:225-234.
[128]吴克力.数字签名理论与算法研究[D].南京:南京理工大学,2004.
[129]Working Group 2 of ISO/IEC JTC 1/SC27.An emerging standard for public-key encryption [EB/OL].2004-1-5.http://shoup.net.
[130]王育民,刘建伟.通信网的安全—理论与技术[M].西安:西安电子科技大学出版,1999.
[131]WANG X,PAN V Y.Acceleration of Euclidean algorithm and rational number reconstruction [J].SIAM J.Comput.,2003,32:548-556.
[132]王继林,伍前红,高虎明,等.基于XTR的Schnorr签字与环签字算法[J].西安电子科技大学学报,2004,31(3):454-458.
[133]WANG Z H,ZHANG Z G.XTR~+:a provable security public key cryptosystem[C].Y.Wang,Y.Cheung,H.Liu,eds.CIA 2006,LNAI 4456.Berlin Heidelberg:Springer-Verlag,2007:534-544.
[134]吴克力,朱保平,刘凤玉.公平的群盲签名方案[J].南京理工大学学报(自然科学版),2004,28(1):90-94.
[135]Yan S Y.Number Theory for Computing[M].2nd Edition.New York:Springer-Verlag,2002.
[136]杨波.网络安全理论与应用[M].北京:电子工业出版社,2002.
[137]杨义先,钮心忻,任金强.信息安全新技术[M].北京:北京邮电大学出版社,2002.
[138]杨义先,孙伟,钮心忻.现代密码新理论[M]_北京:科学出版社,2002.
[139]姚亦峰,朱华飞,陈抗生.基于二元仿射变换的广义EIGamal型盲签名方案[J].电子学报,2000,28(7):128-129.
[140]ZIPPEL R E.Effective Polynomial Computation[M].Norwell,MA:Kluwer Academic Publishers,1993.
[141]赵泽茂.数字签名理论及应用研究[D].南京:南京理工大学计算机系,2005.
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |