Research and Design of Identity-Based Cryptosystems
Abstract
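In traditional public-key cryptosystems, public keys are usually managed through digital certificates: every user holds a digital certificate issued by a certificate authority. This approach has the following drawbacks: the validity of a public-key certificate must be verified before any public key is used, which increases the user's computation; and the authority needs substantial computation and storage to manage users' certificates, including their revocation, storage and issuance. Identity-based cryptosystems solve these problems. In such a system, the user's identity information serves directly as the public key, with no digital certificate needed to bind the two, which avoids the drawbacks that managing large numbers of user certificates brings to traditional public-key cryptosystems.
In 2001, Boneh and Franklin proposed the first identity-based encryption scheme with a rigorous security proof. Since then, researchers in China and abroad have constructed many valuable identity-based cryptographic schemes and obtained rich results. This thesis studies and designs identity-based cryptographic schemes in the standard model. The main results are as follows:
1. Alongside identity-based encryption (IBE) schemes, the study of identity-based signature (IBS) schemes is equally meaningful. This thesis proposes a new IBS scheme that is EU-ID-CMA secure in the standard model, with short public parameters, high computational efficiency and a tight security reduction. We also propose the first IBSC scheme that is provably secure in the adaptive-ID model in the standard model, again with short public parameters and a tight security reduction.
2. From the standpoint of improving the efficiency of cryptographic schemes, the study of hierarchical identity-based cryptosystems is important. This thesis proposes a hierarchical identity-based encryption (HIBE) scheme with constant-size ciphertext that is IND-ID-CCA2 secure in the standard model and has a tight security reduction. We also construct a hierarchical identity-based signature (HIBS) scheme with constant-size signatures that is EU-ID-CMA secure in the standard model.
3. Fuzzy IBE schemes give identity-based cryptosystems an error-tolerance capability and allow a message to be sent simultaneously to several people who share the same attributes. We construct a new fuzzy IBE scheme that is IND-FID-CCA2 secure in the standard model. The new scheme also has short public parameters and a tight security reduction.
4. A broadcast encryption scheme can send a message simultaneously to a set chosen in advance, and only the members of that set can decrypt the ciphertext. This thesis constructs a new identity-based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure in the standard model. The public key and the ciphertext are both of constant size, and each user's private key size is proportional to the total number of users. Moreover, the new scheme is collusion resistant against arbitrarily many adversaries.
5. A proxy re-encryption scheme allows a proxy to transform a ciphertext addressed to one party into a ciphertext addressed to another party without revealing the plaintext. This thesis defines the framework and security model of hierarchical identity-based proxy re-encryption (HIBPRE) schemes and then constructs a concrete scheme that is IND-PrID-CCA2 secure in the standard model. The ciphertext size does not grow with the level of the user in the hierarchy; it is a constant. To the best of our knowledge, this is the first HIBPRE scheme, and it achieves unidirectionality, non-interactivity and multiple re-encryption.
6. In a parallel key-insulated encryption scheme, two long-term keys are used in turn to update the user's short-term key, and the user encrypts and decrypts with the short-term key. This thesis proposes a new identity-based parallel key-insulated encryption (IBPKIE) scheme whose public key, private key and ciphertext are all of constant size. The new scheme is IND-ID-KI-CCA2 secure in the standard model, and encryption and decryption require only four bilinear pairing operations. Compared with the scheme of J. Weng, we not only improve the security but also reduce the size of the public parameters. Combining hierarchical identity-based cryptography with parallel key-insulated encryption, we also define the framework and the IND-ID-KI-CCA2 security model of hierarchical parallel key-insulated encryption (HIBPKIE) schemes, then propose the first HIBPKIE scheme and prove its security in the standard model. The public parameters and the ciphertext of the scheme are both of constant size, and the computational cost is small.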
In traditional public key cryptosystems, a public key is managed by a digital certificate, and each user has a certificate signed by a certificate authority. A user has to verify the correctness of a certificate before using a public key, and the certificate authority incurs a large cost in computation and storage space to manage the certificates, including their issuance, storage and revocation. These problems are solved by an identity-based cryptosystem, in which the user's identity is exactly his public key and no certificate is required. As a result, this system can be used to greatly simplify the management of cryptographic keys in public key cryptography.
In 2001, Boneh and Franklin put forward the first identity-based encryption scheme with a strict security proof. Since then, many identity-based cryptographic schemes have been proposed and much progress has been made in this field. In this thesis, we investigate identity-based cryptographic schemes in the standard model and obtain the following results:
1. As with identity-based encryption (IBE) schemes, the study of identity-based signature (IBS) schemes is of great value for practical applications. We propose a new IBS scheme which is EU-ID-CMA secure in the standard model, and it has short public parameters, high efficiency and a tight reduction. In addition, we construct the first identity-based signcryption (IBSC) scheme which is fully secure in the standard model, and it has short public parameters and a tight reduction.
2. From the point of view of improving the efficiency of cryptographic schemes, the study of hierarchical identity-based cryptosystems is significant. We present a hierarchical identity-based encryption (HIBE) scheme with constant-size ciphertext, and it is IND-ID-CCA2 secure in the standard model with a tight reduction. We also propose a hierarchical identity-based signature (HIBS) scheme with constant-size signatures, and it is EU-ID-CMA secure in the standard model.
3. The concept of fuzzy identity-based encryption (fuzzy IBE) was introduced to provide an error-tolerance property for identity-based systems, and it allows a sender to encrypt a document to all users that have a certain set of attributes. We construct a new fuzzy IBE scheme which is IND-FID-CCA2 secure in the standard model. Moreover, our scheme has both short parameters and a tight reduction.
4. In a broadcast encryption scheme, a broadcaster encrypts a message for a subset of users who are listening to a broadcast channel. Any user in this subset can use his private key to decrypt the broadcast. We design an identity-based broadcast encryption (IBBE) scheme which is IND-ID-CCA2 secure in the standard model, with constant-size public key and ciphertexts. In this scheme, the private key size is linearly proportional to the total number of users. Further, our IBBE scheme is collusion resistant for arbitrarily large collusions of users.
5. In a proxy re-encryption scheme, a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We define the framework and security model for hierarchical identity-based proxy re-encryption (HIBPRE) schemes, and propose an HIBPRE scheme which is IND-PrID-CCA2 secure in the standard model. In this scheme, the ciphertext size is independent of the level of the hierarchy. In addition, our scheme satisfies unidirectionality and non-interactivity, and permits multiple re-encryptions.
6. Parallel key-insulated encryption allows distinct independent helpers to be used alternately in key update operations for each user. We construct a new identity-based parallel key-insulated encryption (IBPKIE) scheme with constant-size public key, private key and ciphertext. The scheme achieves IND-ID-KI-CCA2 security in the standard model, and encryption and decryption need only four bilinear pairing computations. Compared to the IBPKIE scheme of J. Weng, this work not only improves the security but also decreases the size of the public key. Combining HIBE with the PKIE scheme, we also define the framework and security model for hierarchical identity-based parallel key-insulated encryption (HIBPKIE) schemes, and propose the first HIBPKIE scheme which is IND-ID-KI-CCA2 secure in the standard model. Moreover, the size of the public key and ciphertext is constant, and the cost of its computation is very low.
