Cryptographic Schemes based on Elliptic Curve Pairings

Sattam S. Al-Riyami

(2005)

Abstract

This thesis introduces the concept of certificateless public key cryptography (CL-PKC). Elliptic curve pairings are then used to build concrete CL-PKC schemes, and also to build other efficient key agreement protocols. CL-PKC can be viewed as a model for the use of public key cryptography that is intermediate between traditional certificated PKC and identity-based public key cryptography (ID-PKC). In contrast to traditional public key cryptographic systems, CL-PKC does not require certificates to guarantee the authenticity of public keys. It does rely on a trusted authority (TA) who is in possession of a master key, and in this respect CL-PKC is similar to ID-PKC. On the other hand, CL-PKC does not suffer from the key escrow property that is inherent in ID-PKC. Applications for the new infrastructure are discussed. We exemplify how CL-PKC schemes can be constructed by constructing several certificateless public key encryption schemes and by modifying other existing ID-based schemes. The lack of certificates, together with the desire to prove the schemes secure in the presence of an adversary who has access to the master key or has the ability to replace public keys, requires the careful development of new security models. We prove that some of our schemes are secure provided that the Bilinear Diffie-Hellman Problem is hard. We then examine Joux's protocol, a one-round tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. Joux's protocol is, however, insecure: it suffers from a simple man-in-the-middle attack. We show how to make Joux's protocol secure, presenting several tripartite authenticated key agreement protocols that still require only one round of communication. The security properties of the new protocols are studied, and applications for the protocols are also discussed.

Information about this Version

This is a Published version
This version's date is: 02/02/2005
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/b3e8c8f9-6158-b7c0-e2f2-35fc7ef73d3b/1/

Item Type: Monograph (Technical Report)
Title: Cryptographic Schemes based on Elliptic Curve Pairings
Authors: Al-Riyami, Sattam S.
Departments: Faculty of Science\Mathematics

Deposited by () on 13-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.

References

[1] C. Adams and S. Lloyd. Understanding Public-Key Infrastructure – Concepts, Standards, and Deployment Considerations. Macmillan Technical Publishing, Indianapolis, USA, 1999.

[2] L.M. Adleman. The function field sieve. In L.M. Adleman and M.A. Huang, editors, Proceedings of Algorithmic Number Theory Symposium – ANTS I, volume 877 of Lecture Notes in Computer Science, pages 108–121. Springer-Verlag, 1994.

[3] S.S. Al-Riyami and C.J. Mitchell. Renewing cryptographic timestamps. In B. Jerman-Blazic and T. Klobucar, editors, Communications and Multimedia Security, volume 228 of IFIP Conference Proceedings, pages 9–16. Kluwer, 2002.

[4] S.S. Al-Riyami and K.G. Paterson. Authenticated three party key agreement protocols from pairings. Cryptology ePrint Archive, Report 2002/035, 2002. http://eprint.iacr.org/.

[5] S.S. Al-Riyami and K.G. Paterson. Authenticated three party key agreement protocols from pairings. In K.G. Paterson, editor, Proceedings of 9th IMA International Conference on Cryptography and Coding, volume 2898 of Lecture Notes in Computer Science, pages 332–359. Springer-Verlag, 2003.

[6] S.S. Al-Riyami and K.G. Paterson. Certificateless public key cryptography. Cryptology ePrint Archive, Report 2003/126, 2003. http://eprint.iacr.org/, full version of [7].

[7] S.S. Al-Riyami and K.G. Paterson. Certificateless public key cryptography (extended abstract). In C.S. Laih, editor, Advances in Cryptology – ASIACRYPT 2003, volume 2894 of Lecture Notes in Computer Science, pages 452–473. Springer-Verlag, 2003.

[8] American National Standards Institute – ANSI X9.42. Public key cryptography for the financial services industry: Agreement of symmetric keys using discrete logarithm cryptography, 2001.

[9] American National Standards Institute – ANSI X9.63. Public key cryptography for the financial services industry: Key agreement and key transport using elliptic curve cryptography, 2001.

[10] R. Ankney, D. Johnson, and M. Matyas. The Unified Model – contribution to X9F1, October 1995.

[11] J. Baek and Y. Zheng. Identity-based threshold decryption. Cryptology ePrint Archive, Report 2003/164, 2003. http://eprint.iacr.org/.

[12] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, and M. Scott. Efficient algorithms for pairing-based cryptosystems. In M. Yung, editor, Advances in Cryptology – CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 354–368. Springer-Verlag, 2002.

[13] P.S.L.M. Barreto, B. Lynn, and M. Scott. Constructing elliptic curves with prescribed embedding degrees. In S. Cimato, C. Galdi, and G. Persiano, editors, Security in Communication Networks – SCN 2002, volume 2576 of Lecture Notes in Computer Science, pages 263–273. Springer-Verlag, 2002.

[14] R. Barua, R. Dutta, and P. Sarkar. An n-party key agreement scheme using bilinear map. Cryptology ePrint Archive, Report 2003/062, 2003. http://eprint.iacr.org/.

[15] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In 38th Annual Symposium on Foundations of Computer Science – FOCS 1997, pages 394–403. IEEE Computer Society Press, 1997.

[16] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO 1998, volume 1462 of Lecture Notes in Computer Science. Springer-Verlag, 1998.

[17] M. Bellare and S. Goldwasser. Lecture notes on cryptography. Summer course on "Cryptography and Information Security" at MIT, 2001. http://www.cs.ucsd.edu/users/mihir/papers/gb.html.

[18] M. Bellare, C. Namprempre, and G. Neven. Security proofs for identity-based identification and signature schemes. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 268–286. Springer-Verlag, 2004.

[19] M. Bellare and A. Palacio. Protecting against key exposure: Strongly key-insulated encryption with optimal threshold. Cryptology ePrint Archive, Report 2002/064, 2002. http://eprint.iacr.org/.

[20] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. In B. Preneel, editor, Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 139–155. Springer-Verlag, 2000.

[21] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73. ACM, 1993.

[22] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D.R. Stinson, editor, Advances in Cryptology – CRYPTO 1993, volume 773 of Lecture Notes in Computer Science, pages 232–249. Springer-Verlag, 1994.

[23] M. Bellare and P. Rogaway. Optimal asymmetric encryption – how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT 1994, volume 950 of Lecture Notes in Computer Science, pages 92–111. Springer-Verlag, 1994.

[24] M. Bellare and P. Rogaway. Provably secure session key distribution: The three party case. In Proceedings of the 27th Annual ACM Symposium on Theory of Computing – STOC, pages 57–66. ACM, 1995.

[25] I.F. Blake, G. Seroussi, and N.P. Smart. Elliptic Curves in Cryptography. Cambridge University Press, Cambridge, 1999.

[26] S. Blake-Wilson, D. Johnson, and A. Menezes. Key agreement protocols and their security analysis. In Proceedings of the 6th IMA International Conference on Cryptography and Coding, volume 1355 of Lecture Notes in Computer Science, pages 30–45. Springer-Verlag, 1997.

[27] S. Blake-Wilson and A. Menezes. Authenticated Diffie-Hellman key agreement protocols. In S. Tavares and H. Meijer, editors, 5th Annual Workshop on Selected Areas in Cryptography (SAC 1998), volume 1556 of Lecture Notes in Computer Science, pages 339–361. Springer-Verlag, 1998.

[28] A. Boldyreva. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme. In Y. Desmedt, editor, International Workshop on Practice and Theory in Public Key Cryptography – PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 31–46. Springer-Verlag, 2003.

[29] D. Boneh and X. Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 223–238. Springer-Verlag, 2004.

[30] D. Boneh and X. Boyen. Short signatures without random oracles. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer-Verlag, 2004.

[31] D. Boneh, X. Ding, G. Tsudik, and M. Wong. A method for fast revocation of public key certificates and security capabilities. In Proceedings of the 10th USENIX Security Symposium, pages 297–308. USENIX, 2001.

[32] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In J. Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer-Verlag, 2001.

[33] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3):586–615, 2003. http://www.crypto.stanford.edu/~dabo/abstracts/ibe.html, full version of [32].

[34] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In E. Biham, editor, Advances in Cryptology – EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 416–432. Springer-Verlag, 2003.

[35] D. Boneh, I. Mironov, and V. Shoup. A secure signature scheme from bilinear maps. In M. Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 98–110. Springer-Verlag, 2003.

[36] D. Boneh, H. Shacham, and B. Lynn. Short signatures from the Weil pairing. In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 514–532. Springer-Verlag, 2001.

[37] C. Boyd. Towards extensional goals in authentication protocols. In Proceedings of the 1997 DIMACS Workshop on Design and Formal Verification of Security Protocols, 1997. http://www.citeseer.nj.nec.com/boyd97towards.html/.

[38] X. Boyen. Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. In D. Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 383–399. Springer-Verlag, 2003. For the full version of this paper see http://eprint.iacr.org/2003/163.

[39] E. Bresson, O. Chevassut, and D. Pointcheval. Dynamic group Diffie-Hellman key exchange under standard assumptions. In L.R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 321–336. Springer-Verlag, 2002.

[40] A. Buldas, H. Lipmaa, and B. Schoenmakers. Optimally efficient accountable time-stamping. In Y. Zheng and H. Imai, editors, International Workshop on Practice and Theory in Public Key Cryptography – PKC 2000, volume 1751 of Lecture Notes in Computer Science, pages 293–305. Springer-Verlag, 2000.

[41] M. Burmester. On the risk of opening distributed keys. In Y. Desmedt, editor, Advances in Cryptology – CRYPTO 1994, volume 839 of Lecture Notes in Computer Science, pages 308–317. Springer-Verlag, 1994.

[42] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. In Proceedings of the 13th Annual ACM Symposium on the Theory of Computing, pages 209–218. ACM, 1993.

[43] R. Canetti, S. Halevi, and J. Katz. A forward-secure public-key encryption scheme. In E. Biham, editor, Advances in Cryptology – EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 255–271. Springer-Verlag, 2003.

[44] R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 207–222. Springer-Verlag, 2004. http://eprint.iacr.org/2003/182.

[45] R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In B. Pfitzmann, editor, Advances in Cryptology – EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 453–474. Springer-Verlag, 2001.

[46] R. Canetti and H. Krawczyk. Universally composable notions of key exchange and secure channels. In L.R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 337–351. Springer-Verlag, 2002.

[47] J.C. Cha and J.H. Cheon. An identity-based signature from gap Diffie-Hellman groups. In Y. Desmedt, editor, Public Key Cryptography – PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 18–30. Springer-Verlag, 2002.

[48] L. Chen, K. Harrison, A. Moss, D. Soldera, and N.P. Smart. Certification of public keys within an identity based system. In A.H. Chan and V.D. Gligor, editors, Information Security, 5th International Conference, ISC, volume 2433 of Lecture Notes in Computer Science, pages 322–333. Springer-Verlag, 2002.

[49] L. Chen, K. Harrison, D. Soldera, and N.P. Smart. Applications of multiple trust authorities in pairing based cryptosystems. In G.I. Davida, Y. Frankel, and O. Rees, editors, Infrastructure Security, International Conference, InfraSec, volume 2437 of Lecture Notes in Computer Science, pages 260–275. Springer-Verlag, 2002.

[50] L. Chen and C. Kudla. Identity based authenticated key agreement from pairings. In IEEE Computer Security Foundations Workshop – CSFW-16 2003, pages 219–233. IEEE Computer Society Press, 2003.

[51] X. Chen, F. Zhang, and K. Kim. A new ID-based group signature scheme from bilinear pairings. Cryptology ePrint Archive, Report 2003/116, 2003. http://eprint.iacr.org/.

[52] Z. Chen. Security analysis on Nalla-Reddy's ID-based tripartite authenticated key agreement protocols. Cryptology ePrint Archive, Report 2003/103, 2003. http://eprint.iacr.org/.

[53] J.H. Cheon. A universal forgery of Hess's second ID-based signature against the known-message attack. Cryptology ePrint Archive, Report 2002/028, 2002. http://eprint.iacr.org/.

[54] C. Cocks. An identity based encryption scheme based on quadratic residues. In B. Honary, editor, Proceedings of 8th IMA International Conference on Cryptography and Coding, volume 2260 of Lecture Notes in Computer Science, pages 360–363. Springer-Verlag, 2001.

[55] D. Coppersmith. Evaluating logarithms in GF(2^n). In Proceedings of the 16th Annual ACM Symposium on Theory of Computing – STOC, pages 201–207. ACM, 1984.

[56] J. Dankers, T. Garefalakis, R. Schaffelhofer, and T. Wright. Public key infrastructure in mobile systems. IEE Electronics and Communication Engineering Journal, 14(5):180–190, 2002.

[57] Y. Desmedt and J. Quisquater. Public-key systems based on the difficulty of tampering. In A.M. Odlyzko, editor, Advances in Cryptology – CRYPTO 1986, volume 263 of Lecture Notes in Computer Science, pages 111–117. Springer-Verlag, 1986.

[58] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.

[59] W. Diffie, P.C. van Oorschot, and M. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2:107–125, 1992.

[60] X. Ding and G. Tsudik. Simple identity-based cryptography with mediated RSA. In M. Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 193–210. Springer-Verlag, 2003.

[61] Y. Dodis, M. Franklin, J. Katz, A. Miyaji, and M. Yung. Intrusion-resilient public-key encryption. In M. Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 19–32. Springer-Verlag, 2003.

[62] Y. Dodis, J. Katz, S. Xu, and M. Yung. Key-insulated public key cryptosystems. In L.R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 65–82. Springer-Verlag, 2002.

[63] Y. Dodis and M. Yung. Exposure-resilience for free: The hierarchical ID-based encryption case. In Proceedings of the First International IEEE Security in Storage Workshop, pages 45–52. IEEE Computer Society Press, 2002.

[64] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. SIAM Journal on Computing, 30(2):391–437, 2000.

[65] R. Dupont and A. Enge. Provably secure non-interactive key distribution based on pairings. In Proceedings of the International Workshop on Coding and Cryptography – WCC 2003, pages 165–174, 2003. To appear in Discrete Applied Mathematics.

[66] R. Dupont, A. Enge, and F. Morain. Building curves with arbitrary small MOV degree over finite prime fields. Cryptology ePrint Archive, Report 2002/094, 2002. http://eprint.iacr.org/.

[67] I. Duursma and H. Lee. Tate-pairing implementations for tripartite key agreement. Cryptology ePrint Archive, Report 2003/053, 2003. http://eprint.iacr.org/.

[68] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithm. In G.R. Blakley and D. Chaum, editors, Advances in Cryptology – CRYPTO 1984, volume 196 of Lecture Notes in Computer Science, pages 10–18. Springer-Verlag, 1985.

[69] G. Frey, M. Müller, and H. Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 45(5):1717–1719, 1999.

[70] E. Fujisaki and T. Okamoto. How to enhance the security of public-key encryption at minimum cost. In H. Imai and Y. Zheng, editors, International Workshop on Practice and Theory in Public Key Cryptography – PKC 1999, volume 1560 of Lecture Notes in Computer Science, pages 53–68. Springer-Verlag, 1999.

[71] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In M.J. Wiener, editor, Advances in Cryptology – CRYPTO 1999, volume 1666 of Lecture Notes in Computer Science, pages 537–554. Springer-Verlag, 1999. http://citeseer.nj.nec.com/fujisaki99secure.html.

[72] M. Gagné. Identity-based encryption: A survey. RSA Laboratories Cryptobytes, 6(1):10–19, 2003.

[73] S.D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 495–513. Springer-Verlag, 2001.

[74] S.D. Galbraith, K. Harrison, and D. Soldera. Implementing the Tate pairing. In C. Fieker and D.R. Kohel, editors, Algorithmic Number Theory, 5th International Symposium, ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 324–337. Springer-Verlag, 2002.

[75] S.D. Galbraith, H.J. Hopkins, and I.E. Shparlinski. Secure Bilinear Diffie-Hellman bits. Cryptology ePrint Archive, Report 2002/155, 2002. http://eprint.iacr.org/.

[76] C. Gentry. Certificate-based encryption and the certificate revocation problem. In E. Biham, editor, Advances in Cryptology – EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 272–293. Springer-Verlag, 2003.

[77] C. Gentry and A. Silverberg. Hierarchical ID-based cryptography. In Y. Zheng, editor, Advances in Cryptology – ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 548–566. Springer-Verlag, 2002.

[78] M. Girault. Self-certified public keys. In D.W. Davies, editor, Advances in Cryptology – EUROCRYPT 1991, volume 547 of Lecture Notes in Computer Science, pages 490–497. Springer-Verlag, 1992.

[79] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.

[80] R. Granger, A.J. Holt, D. Page, N.P. Smart, and F. Vercauteren. Function field sieve in characteristic three. In D.A. Buell, editor, Proceedings of Algorithmic Number Theory Symposium – ANTS VI, volume 3076 of Lecture Notes in Computer Science, pages 223–234. Springer-Verlag, 2004.

[81] P. Gutmann. PKI: It's not dead, just resting. IEEE Computer, 35(8):41–49, 2002.

[82] S. Han, K.Y. Yueng, and J. Wang. Undeniable signatures from pairings over elliptic curves. In ACM Conference on Electronic Commerce – EC 2003, pages 262–263. ACM, 2003.

[83] F. Hess. Efficient identity based signature schemes based on pairings. In K. Nyberg and H. Heys, editors, Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, volume 2595 of Lecture Notes in Computer Science, pages 310–324. Springer-Verlag, 2003.

[84] P. Hoffman. Features of proposed successors to IKE. Internet Draft, ftp://ftp.ietf.org/internet-drafts/draft-ietf-ipsec-soi-features-01.txt, 2002.

[85] J. Horwitz and B. Lynn. Towards hierarchical identity-based encryption. In L.R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 466–481. Springer-Verlag, 2002.

[86] D. Hühnlein, M. Jacobson, and D. Weber. Towards practical non-interactive public key cryptosystems using non-maximal imaginary quadratic orders. In D.R. Stinson and S.E. Tavares, editors, Selected Areas in Cryptography – SAC 2000, volume 2012 of Lecture Notes in Computer Science, pages 275–287. Springer-Verlag, 2000.

[87] IEEE P1363. Standard specifications for public key cryptography, 2000. http://grouper.ieee.org/groups/1363/index.html.

[88] International Organization for Standardization. ISO/IEC FCD 18014-1, Information technology – Security techniques – Time-stamping services – Part 1: Framework, September 2001.

[89] ISO/IEC 15946-3. Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 3: Key establishment, awaiting publication.

[90] A. Joux. A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium – ANTS IV, volume 1838 of Lecture Notes in Computer Science, pages 385–394. Springer-Verlag, 2000.

[91] A. Joux and R. Lercier. The function field sieve is quite special. In Algorithmic Number Theory, 5th International Symposium, ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 431–445. Springer-Verlag, 2002.

[92] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. Cryptology ePrint Archive, Report 2001/003, 2001. http://eprint.iacr.org/.

[93] B. Kaliski, Jr. An unknown key-share attack on the MQV key agreement protocol. ACM Transactions on Information and Systems Security, 4(3):275–288, 2001.

[94] J. Katz. A forward secure public-key encryption scheme. Cryptology ePrint Archive, Report 2002/060, 2002. http://eprint.iacr.org/.

[95] M. Kim and K. Kim. A new identification scheme based on the bilinear Diffie-Hellman problem. In L. Batten and J. Seberry, editors, Information Security and Privacy, Seventh Australasian Conference – ACISP, volume 2384 of Lecture Notes in Computer Science, pages 362–378. Springer-Verlag, 2002.

[96] M. Kim and K. Kim. A new identification scheme based on the gap Diffie-Hellman problem. SCIS 2002: The 2002 Symposium on Cryptography and Information Security, Shirahama, Japan, 2002.

[97] N. Koblitz. Algebraic Aspects of Cryptography. Algorithms and Computation in Mathematics. Springer-Verlag, 1999.

[98] C. Kudla. Identity-based cryptography and related applications. Master's thesis, Royal Holloway University of London, 2002.

[99] L. Law, A. Menezes, M. Qu, J. Solinas, and S.A. Vanstone. An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography, 28(2):119–134, 2003. http://www.cacr.math.uwaterloo.ca/techreports/1998/tech_reports98.html.

[100] B. Lee and K. Kim. Self-certificate: PKI using self-certified key. Conference on Information Security and Cryptology 2000 – CISC 2000, 10(1):65–73, 2000. http://citeseer.nj.nec.com/483476.html.

[101] B. Lee and K. Kim. Self-certified signatures. In A. Menezes and P. Sarkar, editors, Progress in Cryptology – INDOCRYPT 2002, volume 2551 of Lecture Notes in Computer Science, pages 199–214. Springer-Verlag, 2002.

[102] B. Libert and J.-J. Quisquater. Efficient revocation and threshold pairing based cryptosystems. In Symposium on Principles of Distributed Computing – PODC 2003, pages 163–171, 2003.

[103] B. Libert and J.-J. Quisquater. Efficient signcryption with key privacy from gap Diffie-Hellman groups. In F. Bao, R.H. Deng, and J. Zhou, editors, International Workshop on Practice and Theory in Public Key Cryptography – PKC 2004, volume 2947 of Lecture Notes in Computer Science, pages 187–200. Springer-Verlag, 2004. See http://eprint.iacr.org/2003/023 for the full version.

[104] C.H. Lim and P.J. Lee. A key recovery attack on discrete log-based schemes using a prime order subgroup. In B.S. Kaliski Jr., editor, Advances in Cryptology – CRYPTO 1997, volume 1294 of Lecture Notes in Computer Science, pages 249–263. Springer-Verlag, 1997.

[105] C.-Y. Lin and T.-C. Wu. An identity-based ring signature scheme from bilinear pairings. Cryptology ePrint Archive, Report 2003/117, 2003. http://eprint.iacr.org/.

[106] C.-Y. Lin, T.-C. Wu, and F. Zhang. A structured multisignature scheme from the gap Diffie-Hellman group. Cryptology ePrint Archive, Report 2003/090, 2003. http://eprint.iacr.org/.

[107] G. Lowe. Some new attacks upon security protocols. In PCSFW: Proceedings of The 9th Computer Security Foundations Workshop, pages 162–169. IEEE Computer Society Press, 1996.

[108] B. Lynn. Authenticated identity-based encryption. Cryptology ePrint Archive, Report 2002/072, 2002. http://eprint.iacr.org/.

[109] J. Malone-Lee. Identity-based signcryption. Cryptology ePrint Archive, Report 2002/098, 2002. http://eprint.iacr.org/.

[110] T. Matsumoto, Y. Takashima, and H. Imai. On seeking smart public-key distribution systems. Transactions on IECE of Japan, E69:99–106, 1986.

[111] U. Maurer and Y. Yacobi. Non-interactive public-key cryptography. In D.W. Davies, editor, Advances in Cryptology – EUROCRYPT 1991, volume 547 of Lecture Notes in Computer Science, pages 498–507. Springer-Verlag, 1991.

[112] A. Menezes, T. Okamoto, and S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39(5):1639–1646, 1993.

[113] A. Menezes, M. Qu, and S. Vanstone. Some new key agreement protocols providing mutual implicit authentications. 2nd Workshop on Selected Areas in Cryptography (SAC 1995), pages 22–32, May 1995.

[114] A. Menezes, P.C. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997.

[115] C. Mitchell, M. Ward, and P. Wilson. Key control in key agreement protocols. Electronics Letters, 34:980–981, 1998.

[116] S. Mitsunari, R. Sakai, and M. Kasahara. A new traitor tracing. IEICE Transactions on Fundamentals, E85-A(2):481–484, 2002.

[117] A. Muzereau, N.P. Smart, and F. Vercauteren. The equivalence between the DHP and DLP for elliptic curves used in practical applications. LMS Journal of Computation and Mathematics, 7:50–72, 2004. http://www.lms.ac.uk/jcm/7/lms2003-034/.

[118] D. Nalla and K.C. Reddy. ID-based tripartite authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2003/004, 2003. http://eprint.iacr.org/.

[119] D. Nalla and K.C. Reddy. Signcryption scheme for identity-based cryptosystems. Cryptology ePrint Archive, Report 2003/066, 2003. http://eprint.iacr.org/.

[120] M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing – STOC, pages 427–437. ACM, 1990.

[121] E. Okamoto. Key distribution systems based on identification information. In C. Pomerance, editor, Advances in Cryptology – CRYPTO 1987, volume 293 of Lecture Notes in Computer Science, pages 194–202. Springer-Verlag, 1987.

[122] K.G. Paterson. Cryptography from pairings: a snapshot of current research. Information Security Technical Report, 7(3):41–54, 2002.

[123] K.G. Paterson. ID-based signatures from pairings on elliptic curves. Electronics Letters, 38(18):1025–1026, 2002.

[124] H. Petersen and P. Horster. Self-certified keys – concepts and applications. In Third International Conference on Communications and Multimedia Security, pages 102–116. Chapman and Hall, 1997. http://citeseer.nj.nec.com/petersen97selfcertified.html.

[125] B. Preneel, B. Van Rompay, J.-J. Quisquater, H. Massias, and J. Serret Avila. Design of a timestamping system. Technical report, TIMESEC, Katholieke Universiteit Leuven and Université Catholique de Louvain, 1998.

[126] C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attacks. In J. Feigenbaum, editor, Advances in Cryptology – CRYPTO 1991, volume 576 of Lecture Notes in Computer Science, pages 433–444. Springer-Verlag, 1991.

[127] K.C. Reddy and D. Nalla. Identity based authenticated group key agreement protocol. In A. Menezes and P. Sarkar, editors, Progress in Cryptology – INDOCRYPT 2002, volume 2551 of Lecture Notes in Computer Science, pages 215–233. Springer-Verlag, 2003.

[128] P. Rogaway and T. Shrimpton. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision-resistance, 2004. http://www.cs.ucdavis.edu/~rogaway/papers/index.html. To appear in Fast Software Encryption (FSE) 2004.

[129] A. Roscoe. Intensional specifications of security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop, pages 28–38. IEEE Computer Society Press, 1996.

[130] S. Saeednia. Identity-based and self-certified key-exchange protocols. In V. Varadharajan, J. Pieprzyk, and Y. Mu, editors, Information Security and Privacy, Second Australasian Conference – ACISP, volume 1270 of Lecture Notes in Computer Science, pages 303–313. Springer-Verlag, 1997.

[131] S. Saeednia. A note on Girault's self-certified model. Information Processing Letters, 86:323–327, 2003.

[132] R. Sakai and M. Kasahara. ID based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054, 2003. http://eprint.iacr.org/.

[133] R. Sakai, K. Ohgishi, and M. Kasahara. Cryptosystems based on pairing. In The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 2000.

[134] M. Scott. Authenticated ID-based key exchange and remote log-in with insecure token and PIN number. Cryptology ePrint Archive, Report 2002/164, 2002. http://eprint.iacr.org/.

[135] A. Shamir. Identity-based cryptosystems and signature schemes. In G.R. Blakley and D. Chaum, editors, Advances in Cryptology – CRYPTO 1984, volume 196 of Lecture Notes in Computer Science, pages 47–53. Springer-Verlag, 1984.

[136] K. Shim. Cryptanalysis of Al-Riyami-Paterson's authenticated three party key agreement protocols. Cryptology ePrint Archive, Report 2003/122, 2003. http://eprint.iacr.org/.

[137] K. Shim. Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electronics Letters, 39(8):653–654, 2003.

[138] K. Shim. Efficient one round tripartite authenticated key agreement protocol from Weil pairing. Electronics Letters, 39(2):208–209, 2003.

[139] K. Shim. A man-in-the-middle attack on Nalla-Reddy's ID-based tripartite authenticated key agreement protocol. Cryptology ePrint Archive, Report 2003/115, 2003. http://eprint.iacr.org/.

[140] V. Shoup. On formal models for secure key exchange. IBM Technical Report RZ 3120, 1999. http://shoup.net/papers.

[141] J. Silverman. The Arithmetic of Elliptic Curves. Number 106 in Graduate Texts in Mathematics. Springer-Verlag, 1986.

[142] N.P. Smart. An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters, 38(13):630–632, 2002.

[143] N.P. Smart. Access control using pairing based cryptography. In M. Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 111–121. Springer-Verlag, 2003.

[144] H.-M. Sun and B.-T. Hsieh. Security analysis of Shim's authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2003/113, 2003. http://eprint.iacr.org/.

[145] H. Tanaka. A realization scheme for the identity-based cryptosystem. In C. Pomerance, editor, Advances in Cryptology – CRYPTO 1987, volume 293 of Lecture Notes in Computer Science, pages 341–349. Springer-Verlag, 1987.

[146] S. Tsuji and T. Itoh. An ID-based cryptosystem based on the discrete logarithm problem. IEEE Journal on Selected Areas in Communication, 7(4):467–473, 1989.

[147] E.R. Verheul. Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. In B. Pfitzmann, editor, Advances in Cryptology – EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 195–210. Springer-Verlag, 2001.

[148] E.R. Verheul. Self-blindable credential certificates from the Weil pairing. In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 533–551. Springer-Verlag, 2001.

[149] ITU-T Recommendation X.509. Information technology – Open systems interconnection – The directory: Public-key and attribute certificate frameworks, 2000.

[150] F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. In Y. Zheng, editor, Advances in Cryptology – ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 533–547. Springer-Verlag, 2002.

[151] F. Zhang, S. Liu, and K. Kim. ID-based one round authenticated tripartite key agreement protocol with pairings. Cryptology ePrint Archive, Report 2002/122, 2002. http://eprint.iacr.org/.

[152] F. Zhang, R. Safavi-Naini, and C.-Y. Lin. New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairing. Cryptology ePrint Archive, Report 2003/104, 2003. http://eprint.iacr.org/.

[153] F. Zhang, R. Safavi-Naini, and W. Susilo. Attack on Han et al.'s ID-based confirmer (undeniable) signature at ACM-EC'03. Cryptology ePrint Archive, Report 2003/129, 2003. http://eprint.iacr.org/.

[154] Z.-F. Zhang, J. Xu, and D.-G. Feng. Attack on an identification scheme based on gap Diffie-Hellman problem. Cryptology ePrint Archive, Report 2003/153, 2003. http://eprint.iacr.org/.

[155] Y. Zheng. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption). In B.S. Kaliski Jr., editor, Advances in Cryptology – CRYPTO 1997, volume 1294 of Lecture Notes in Computer Science, pages 165–179. Springer-Verlag, 1997.
