Qiang Tang (2007) Key Establishment Protocols and Timed-Release Encryption Schemes.
Full text access: Open
This thesis is divided into two distinct parts. The first part of the thesis explores security issues in key establishment protocols, including both key distribution protocols and key agreement protocols, and in both the general and the password-based setting. The second part of the thesis explores security issues of Timed-Release Encryption schemes, especially those with a Pre-Open capability.

In the first part, we initially present a formal description of key establishment protocols, and summarise the security properties that may be required of such a protocol. Secondly, we examine existing security models for key establishment protocols. We show that none of these security models fully capture the desired security properties. Thirdly, we examine some existing protocols and demonstrate certain vulnerabilities. Some of these vulnerabilities have not previously been detected because of the lack of a formal security analysis, while others have been missed because the adopted security models fail to address such security vulnerabilities. Fourthly, we describe a novel security model for general key establishment protocols, and we further adapt it for the password setting. Finally, we propose key establishment protocols which are proved secure in our novel security model.

In the second part we start by examining an existing security model for Timed-Release Encryption schemes with a Pre-Open Capability (TRE-PC), and we demonstrate several limitations of this model. We then propose a new security model for such public-key encryption schemes, and establish relationships between the proposed security notions. We also propose a general construction for TRE-PC schemes and an instantiation of certain primitives.
This is a published version. This version's date is: 30/10/2007. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/605ee4f4-4adb-f265-dfc1-d15e12f6919e/1/
Deposited by () on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 14-Dec-2010.
[155] H. Krawczyk. HMQV: A high-performance secure diffie-hellman protocol. InVictor Shoup, editor, Advances in Cryptology — CRYPTO 2005, volume 3621of Lecture Notes in Computer Science, pages 546–566. Springer, 2005.
[156] H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for MessageAuthentication. IETF RFC 2104, 1997.
[157] C. Kudla and K. G. Paterson. Modular security proofs for key agreementprotocols. In B. K. Roy, editor, Advances in Cryptology — ASIACRYPT 2005,volume 3788 of Lecture Notes in Computer Science, pages 549–565. Springer,2005.
[158] T. Kwon. Practical authenticated key agreement using passwords. In K. Zhangand Y. Zheng, editors, Proceedings of the 7th Information Security Conference,volume 3225 of Lecture Notes in Computer Science, pages 1–12. Springer, 2004.
[159] T. Kwon and J. Song. Efficient and secure password-based authenticationprotocols against guessing attacks. Computer Communications, 21(9):853–861, 1998.
[160] T. Kwon and J. Song. Efficient key exchange and authentication protocolsprotecting weak secrets. IEICE Transactions Fundamentals, E81-A(1):156–163, 1998.
[161] T. Kwon and J. Song. Secure agreement scheme for gxy via password authentication.Electronics Letters, 35(11):892–893, 1999.
[162] C. S. Laih, L. Ding, and Y. M. Huang. Password-only authenticated keyestablishment protocol without public key cryptography. Electronics Letters,41(4):185–186, 2005.
[163] P. Laud. Handling encryption in an analysis for secure information flow. InP. Degano, editor, Proceedings of the 12th European Symposium on Program-ming, volume 2618 of Lecture Notes in Computer Science, pages 159–173.Springer, 2003.
[164] P. Laud. Symmetric encryption in automatic analyses for confidentialityagainst active adversaries. In 2004 IEEE Symposium on Security and Pri-vacy, pages 71–85. IEEE Computer Society, 2004.
[165] K. Lauter and A. Mityagin. Security analysis of KEA authenticated key exchangeprotocol. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors,Proceedings of the 9th International Conference on Theory and Practice ofPublic-Key Cryptography, volume 3958 of Lecture Notes in Computer Science,pages 378–394. Springer, 2006.
[166] H. Lee, K. Ha, and K. Ku. ID-based multi-party authenticated key agreementprotocols from multilinear forms. In J. Zhou, J. Lopez, R. H. Deng,and F. Bao, editors, Information Security, 8th International Conference Pro-ceedings, volume 3650 of Lecture Notes in Computer Science, pages 104–117.Springer, 2005.
[167] H. Lee, D. Won, K. Sohn, and H. Yang. Efficient 3-pass password-based keyexchange protocol with low computational cost for client. In J. Song, editor,Information Security and Cryptology — ICISC 1999, volume 1787 of LectureNotes in Computer Science, pages 147–155. Springer, 1999.
[168] W. B. Lee and K. C. Liao. Constructing identity-based cryptosystems fordiscrete logarithm based cryptosystems. Journal of Network and ComputerApplications, 27:191–199, 2004.
[169] X. Li, S. Moon, and J. Ma. On the security of the authentication moduleof chinese WLAN standard implementation plan. In J. Zhou, M. Yung, andF. Bao, editors, Applied Cryptography and Network Security, 4th InternationalConference, Proceedings, volume 3989 of Lecture Notes in Computer Science,pages 340–348, 2006.
[170] C. Lim and P. Lee. Several practical protocols for authentication and keyexchange. Inf. Process. Lett., 53(2):91–96, 1995.
[171] C. Lin, H. Sun, and T. Hwang. Three-party encrypted key exchange: Attacksand a solution. Operating Systems Review, 34(4):12–20, 2000.
[172] T. Lomas, L. Gong, J. Saltzer, and R. Needham. Reducing risks from poorlychosen keys. ACM SIGOPS Operating Systems Review, 23(5):14–18, 1989.
[173] T. Lomas, L. Gong, J. Saltzer, and R. Needham. Reducing risks from poorlychosen keys. In Proceedings of the Twelfth ACM Symposium on OperatingSystem Principles, pages 14–18, 1989.
[174] G. Lowe. An attack on the needham-schroeder public-key authentication protocol.Inf. Process. Lett., 56(3):131–133, 1995.
[175] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocolusing FDR. In T. Margaria and B. Steffen, editors, Tools and Algorithmsfor Construction and Analysis of Systems, Second International Workshop,volume 1055 of Lecture Notes in Computer Science, pages 147–166. Springer,1996.
[176] G. Lowe. Some new attacks upon security protocols. In Ninth IEEE Com-puter Security Foundations Workshop, pages 162–169. IEEE Computer Society,1996.
[177] S. Lu and S. A. Smolka. Model checking the secure electronic transaction(SET) protocol. In Proceedings of the 7th International Symposium on Mod-eling, Analysis and Simulation of Computer and Telecommunication Systems,pages 358–365. IEEE Computer Society, 1999.
[178] S. Lucks. Open key exchange: How to defeat dictionary attacks without encryptingpublic keys. In B. Christianson, B. Crispo, T. Lomas, and M. Roe,editors, Proceedings of the 5th International Workshop on Security Protocols,pages 79–90. Springer, 1997.
[179] P. MacKenzie. More efficient password-authenticated key exchange. In D. Naccache,editor, Topics in Cryptology — CT-RSA 2001, volume 2020 of LectureNotes in Computer Science, pages 361–377. Springer, 2001.
[180] P. MacKenzie. On the security of the SPEKE password-authenticated keyexchange protocol. http://eprint.iacr.org/2001/057, 2001.
[181] P. MacKenzie, S. Patel, and R. Swaminathan. Password-authenticated keyexchange based on RSA. In T. Okamoto, editor, Advances in Cryptology —ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages599–613. Springer, 2000.
[182] P. D. MacKenzie, T. Shrimpton, and M. Jakobsson. Threshold passwordauthenticatedkey exchange. Journal of Cryptology, 19(1):27–66, 2006.
[183] M. Mambo and H. Shizuya. A note on the complexity of breaking okamototanakaID-based key exchange scheme. In Proceedings of the First Interna-tional Workshop on Practice and Theory in Public Key Cryptography, pages258–262. Springer, 1998.
[184] M. Mambo and H. Shizuya. A note on the complexity of breaking okamototanakaID-based key exchange scheme. IEICE Trans. Commun., E82-A(61):77–80, 2000.
[185] K. Matsuura and H. Imai. Modification of internet key exchange resistantagainst denial-of-service. In Pre-Proc. of Internet Workshop 2000, pages 167–174, 2000.
[186] T. May. Time-release crypto, 1993.
[187] A. Mayer and M. Yung. Secure protocol transformation via “expansion”: fromtwo-party to groups. In Proceedings of the 6th ACM conference on Computerand communications security, pages 83–92. ACM Press, 1999.
[188] C. Meadows and P. F. Syverson. A formal specification of requirements forpayment transactions in the SET protocol. In R. Hirschfeld, editor, FinancialCryptography, Second International Conference, Proceedings, volume 1465 ofLecture Notes in Computer Science, pages 122–140. Springer, 1998.
[189] A. J. Menezes, M. Qu, and S. A. Vanstone. Some new key agreement protocolsproviding mutual implicit authentication. In Workshop on selected areas incryptography (SAC 1995), pages 22–32, 1995.
[190] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of AppliedCryptography. CRC Press, 1997.
[191] R. C. Merkle. Secure communications over insecure channels. Commun. ACM,21(4):294–299, 1978.
[192] R. C. Merkle. One way hash functions and DES. In G. Brassard, editor,Advances in Cryptology — CRYPTO 1989, volume 435 of Lecture Notes inComputer Science, pages 428–446. Springer, 1990.
[193] D. Micciancio and B. Warinschi. Soundness of formal encryption in the presenceof active adversaries. In M. Naor, editor, Proceedings of the First Theoryof Cryptography Conference, volume 2951 of Lecture Notes in Computer Sci-ence, pages 133–151. Springer, 2004.
[194] V. S.Miller. Use of elliptic curves in cryptography. In Advances in cryptology—CRYPTO 1985, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, 1986.
[195] C. J. Mitchell, M. Ward, and P. Wilson. On key control in key agreementprotocols. Electronics Letters, 34:980–981, 1998.
[196] M.Tatebayashi, N. Matsuzaki, and D. Newman Jr. Key distribution protocolfor digital mobile communication systems. In G. Brassard, editor, Advancesin Cryptology — CRYPTO 1989, volume 435 of Lecture Notes in ComputerScience, pages 324–334. Springer, 1989.
[197] R. Needham and M. Schroeder. Using encryption for authentication in largenetworks of computers. Commun. ACM, 21(12):993–999, 1978.
[198] M. H. Nguyen and S. P. Vadhan. Simpler session-key generation from shortrandom passwords. In M. Noar, editor, Proceedings of the First Theory ofCryptography Conference, volume 2951 of Lecture Notes in Computer Science,pages 428–445. Springer, 2004.
[199] J. B. Nielsen. Separating random oracle proofs from complexity theoreticproofs: The non-committing encryption case. In M. Yung, editor, Advancesin Cryptology — CRYPTO 2002, volume 2442 of Lecture Notes in ComputerScience, pages 111–126. Springer, 2002.
[200] E. Okamoto. Key distribution systems based on identification information. InC. Pomerance, editor, Advances in Cryptology — CRYPTO 1987, volume 283of Lecture Notes in Computer Science, pages 194–202. Springer, 1988.
[201] E. Okamoto and K. Tanaka. Key distribution system based on identificationinformation. IEEE Journal on Selected Areas in Communications, 8(1):4–11,1990.
[202] H. Orman. The Oakley key determination protocol. IETF RFC 2412, 1998.
[203] B. Klein M. Otten and T. Beth. Conference key distribution protocols indistributed systems. In P. G. Farrell, editor, Cryptography and Coding, 4thIMA International Conference, Proceedings, pages 225–241. Springer, 1995.
[204] D. Otway and O. Rees. Efficient and timely mutual authentication. OperatingSystems Review, 21(1):8–10, 1987.
[205] C. Park. On certificate-based security protocols for the wireless mobile communicationsystems. IEEE Networks, 11(9):50–55, 1997.
[206] S. Pasini and S. Vaudenay. SAS-Based authenticated key agreement. InM. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Proceedings of the9th International Conference on Theory and Practice of Public-Key Cryptog-raphy, volume 3958 of Lecture Notes in Computer Science, pages 395–409.Springer, 2006.
[207] S. Patel. Number theoretic attacks on secure password schemes. In Proceedingsof the 1997 IEEE Symposium on Security and Privacy, pages 236–247. IEEEComputer Society, 1997.
[208] O. Pereira and J. J. Quisquater. A security analysis of the cliques protocolssuites. In Proceedings of the 14th IEEE Computer Security FoundationsWorkshop, pages 73–81. IEEE Computer Society, 2001.
[209] J. Pieprzyk and C.-H. Li. Multiparty key agreement protocols. IEE Proceedings- Computers and Digital Techniques, 147(4):229–236, 2000.
[210] G. Price. A general attack model on hash-based client puzzles. In K. G.Paterson, editor, Cryptography and Coding, 9th IMA International Confer-ence, Proceedings, volume 2898 of Lecture Notes in Computer Science, pages319–331. Springer, 2003.
[211] M. Raimondo and R. Gennaro. Provably secure threshold passwordauthenticatedkey exchange. In E. Biham, editor, Advances in Cryptology— EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science,pages 507–523. Springer, 2003.
[212] R. L. Rivest, A. Shamir, and D. A. Wagner. Time-lock puzzles and timedreleasecrypto. Technical Report MIT/LCS/TR-684, MIT LCS, 1996.
[213] S. Saeednia. Identity-based and self-certified key-exchange protocols. In Pro-ceedings of the Second Australasian Conference on Information Security andPrivacy, pages 303–313. Springer, 1997.
[214] S. Saeednia. Improvement of G¨unther’s identity-based key exchange protocol.Electronics Letters, 36(18):1535–1536, 2000.
[215] M. Satyanarayanan. Integrating security in a large distributed system. ACMTrans. Comput. Syst., 7(3):247–280, 1989.
[216] S. Shin, K. Kobara, and H. Imai. Efficient and leakage-resilient authenticatedkey transport protocol based on RSA. In J. Ioannidis, A. D. Keromytis, andM. Yung, editors, Applied Cryptography and Network Security, Third Inter-national Conference, ACNS 2005, volume 3531 of Lecture Notes in ComputerScience, pages 269–284. Springer, 2005.
[217] V. Shoup. On formal models for secure key exchange. Technical report, IBMResearch Report RZ 3120, 1998.
[218] V. Shoup. Sequences of games: a tool for taming complexity in security proofs.http://shoup.net/papers/, 2006.
[219] The SET standard Specification. SET Secure Electronic Transaction LLC.http://www.setco.org, 1997.
[220] D. Steer, L. Strawczynski, W. Diffie, and M. Wiener. A secure audio teleconferencesystem. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO1998, volume 403 of Lecture Notes in Computer Science, pages 520–528.Springer, 1998.
[221] M. Steiner, G. Tsudik, and M. Waidner. Refinement and extension of encryptedkey exchange. Operating Systems Review, 29(3):22–30, 1995.
[222] M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extendedto group communication. In Proceedings of the 3rd ACM conferenceon Computer and communications security, pages 31–37. ACM Press, 1996.
[223] D. Stinson. Cryptography Theory and Practice. CRC Press, Inc., second edition,2002.
[224] M. Strangio. Efficient diffie-hellmann two-party key agreement protocols basedon elliptic curves. In H. Haddad, L. Liebrock, A. Omicini, and R. Wainwright,editors, Proceedings of the 2005 ACM Symposium on Applied Com-puting, pages 324–331. ACM, 2005.
[225] M. Strangio. On the resilience of key agreement protocols to key compromiseimpersonation. In A. Atzeni and A. Lioy, editors, Public Key Infrastructure,Third European PKI Workshop: Theory and Practice, Proceedings, volume4043 of Lecture Notes in Computer Science, pages 233–247. Springer, 2006.
[226] M. Strangio. An optimal round two-party password-authenticated key agreementprotocol. In Proceedings of the the First International Conference onAvailability, Reliability and Security, pages 216–223. IEEE Computer Society,2006.
[227] Q. Tang. On the security of three versions of the WAI protocol in ChineseWLAN implementation plan. Cryptology ePrint Archive: Report 2007/122,2007.
[228] Q. Tang and L. Chen. Weaknesses in two group Diffie-Hellman key exchangeprotocols. Cryptology ePrint Archive: Report 2005/197, 2005.
[229] Q. Tang and K. R. Choo. Secure password-based authenticated group keyagreement for data-sharing peer-to-peer networks. In J. Zhou, M. Yung, andF. Bao, editors, Applied Cryptography and Network Security, 4th InternationalConference, volume 3989 of Lecture Notes in Computer Science, pages 162–177, 2006.
[230] Q. Tang and C. J. Mitchell. Rethinking the security of some authenticatedgroup key agreement schemes. Cryptology ePrint Archive: Report 2004/363,2004.
[231] Q. Tang and C. J. Mitchell. Efficient compilers for authenticated group keyexchange. In Y. Hao, J. Liu, Y. Wang, Y. Cheung, H. Yin, L. Jiao, J. Ma,and Y. Jiao, editors, Computational Intelligence and Security, InternationalConference, volume 3802 of Lecture Notes in Computer Science, pages 192–197. Springer, 2005.
[232] Q. Tang and C. J. Mitchell. Enhanced password-based key establishmentprotocol. Cryptology ePrint Archive: Report 2005/141, 2005.
[233] Q. Tang and C. J. Mitchell. On the security of some password-based keyagreement schemes. Cryptology ePrint Archive: Report 2005/156, 2005.
[234] Q. Tang and C. J. Mitchell. On the security of some password-based keyagreement schemes. In Y. Hao, J. Liu, Y. Wang, Y. Cheung, H. Yin, L. Jiao,J. Ma, and Y. Jiao, editors, Computational Intelligence and Security, Interna-tional Conference, volume 3802 of Lecture Notes in Computer Science, pages149–154. Springer, 2005.
[235] Q. Tang and C. J. Mitchell. Security properties of two authenticated conferencekey agreement protocols. In S. Qing, W. Mao, J. Lopez, and G. Wang,editors, Information and Communications Security, 7th International Con-ference, volume 3783 of Lecture Notes in Computer Science, pages 304–314.Springer, 2005.
[236] Q. Tang and C. J. Mitchell. Weaknesses in a leakage-resilient authenticatedkey transport protocol. Cryptology ePrint Archive: Report 2005/173, 2005.
[237] Q. Tang and C. J. Mitchell. Cryptanalysis of a hybrid authentication protocolfor large mobile networks. Journal of Systems and Software, 79(4):496–501,2006.
[238] Y. Tseng. A secure authenticated group key agreement protocol for resourcelimitedmobile devices. Comput. J., 50(1):41–52, 2007.
[239] G. Tsudik and E. Herreweghen. Some remarks on protecting weak keys andpoorly-chosen secrets from guessing attacks. In Symposium on Reliable Dis-tributed Systems, pages 136–142, 1993.
[240] W. Tzeng. A practical and secure-fault-tolerant conferenc-key agreement protocol.In H. Imai and Y. Zheng, editors, Proceedings of the third InternationalWorkshop on Practice and Theory in Public Key Cryptosystems, pages 1–13.Springer, 2000.
[241] W. Tzeng. A secure fault-tolerant conference-key agreement protocol. IEEETransactions on Computers, 51(4):373–379, 2002.
[242] W. Tzeng and Z. Tzeng. Round-efficient conference key agreement protocolswith provable security. In Advances in Cryptology — ASIACRYPT 2000, pages614–628. Springer, 2000.
[243] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu. Cryptanalysis of the hashfunctions MD4 and RIPEMD. In R. Cramer, editor, Advances in Cryptology— EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science,pages 1–18. Springer, 2005.
[244] X. Wang, Y. L. Yin, and H. Yu. Finding collisions in the full SHA-1. InV. Shoup, editor, Advances in Cryptology — CRYPTO 2005, volume 3621 ofLecture Notes in Computer Science, pages 17–36. Springer, 2005.
[245] X. Wang and H. Yu. How to break MD5 and other hash functions. InR. Cramer, editor, Advances in Cryptology — EUROCRYPT 2005, volume3494 of Lecture Notes in Computer Science, pages 19–35. Springer, 2005.
[246] X. Wang, H. Yu, and Y. L. Yin. Efficient collision search attacks on SHA-0.In V. Shoup, editor, Advances in Cryptology — CRYPTO 2005, volume 3621of Lecture Notes in Computer Science, pages 1–16. Springer, 2005.
[247] R. Winternitz. A secure one-way hash function built from DES. In Proceedingsof the IEEE Symposium on Information Security and Privacy, pages 88–90.IEEE Press, 1984.
[248] D. S. Wong and A. H. Chan. Efficient and mutually authenticated key exchangefor low power computing devices. In C. Boyd, editor, Advances inCryptology — ASIACRYPT 2001, pages 272–289. Springer, 2001.
[249] T. Wu. The secure remote password protocol. In Proceedings of the Networkand Distributed System Security Symposium, NDSS 1998, pages 97–111, 1998.
[250] Y. Yacobi. A key distribution “paradox”. In A. Menezes and S. Vanstone,editors, Advances in Cryptology — CRYPTO 1990, volume 537 of LectureNotes in Computer Science, pages 268–273. Springer, 1990.
[251] Y. Yacobi and M. Beller. Batch Diffie-Hellman key agreement systems. Journalof Cryptology, 10(2):89–96, 1997.
[252] S. Yen and M. Liu. High performance nounce-based authentication and keydistribution protocols against password guessing attacks. IEICE TransactionsFundamentals, E80-A(11):2209–2217, 1997.
[253] F. G. Zhang and X. F. Chen. Attacks on two ID-based authenticated groupkey agreement schemes. Cryptology ePrint Archive, Report 2003/259, 2003.
[254] H. Zhou, L. Fan, and J. Li. Remarks on unknown key-share attack on authenticatedmultiple-key agreement protocol. Electronics Letters, 39(17):1248–1249,2003.