Special Signature Schemes and Key Agreement Protocols

Caroline J. Kudla

(2006)

Caroline J. Kudla (2006) Special Signature Schemes and Key Agreement Protocols.

Abstract

This thesis is divided into two distinct parts. The first part of the thesis explores various deniable signature schemes and their applications. Such schemes do not bind a unique public key to a message, but rather specify a set of entities that could have created the signature, so each entity involved in the signature can deny having generated it. The main deniable signature schemes we examine are ring signature schemes. Ring signatures can be used to construct designated verifier signature schemes, which are closely related to designated verifier proof systems. We provide previously lacking formal definitions and security models for designated verifier proofs and signatures and examine their relationship to undeniable signature schemes. Ring signature schemes also have applications in the context of fair exchange of signatures. We introduce the notion of concurrent signatures, which can be constructed using ring signatures, and which provide a "near solution" to the problem of fair exchange. Concurrent signatures are more efficient than traditional solutions for fair exchange at the cost of some of the security guaranteed by traditional solutions.

The second part of the thesis is concerned with the security of two-party key agreement protocols. It has traditionally been difficult to prove that a key agreement protocol satisfies a formal definition of security. A modular approach to constructing provably secure key agreement protocols was proposed, but the approach generally results in less efficient protocols. We examine the relationships between various well-known models of security and introduce a modular approach to the construction of proofs of security for key agreement protocols in such security models. Our approach simplifies the proof process, enabling us to provide proofs of security for several efficient key agreement protocols in the literature that were previously unproven.

Information about this Version

This is a Published version
This version's date is: 06/10/2006
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/009f5754-8571-4ce4-2dd7-c48af03a41d3/1/

Item Type: Monograph (Technical Report)
Title: Special Signature Schemes and Key Agreement Protocols
Authors: Kudla, Caroline
Departments: Faculty of Science\Mathematics

Deposited on 12-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.
