Composable Security of Cryptographic Protocols
Abstract
In recent years, to secure communication networks and computers, cryptographic protocols have been deployed ever more widely and their construction has become ever more complex. One would like to build large protocols from small protocols whose security can be verified, so as to meet practical needs. At the same time, because protocols run with high concurrency on the network, each individual protocol run must both keep its own security guarantees and not endanger the security of the other protocols. Research on the composable security of cryptographic protocols has therefore necessarily become a focus of attention.
     Among the many methods for analyzing cryptographic protocols, the Universally Composable (UC) framework, based on computational complexity, and the DDMP model, based on symbolic methods (consisting of the Protocol Derivation System and the Protocol Composition Logic), are the two representative approaches to the composable security of cryptographic protocols. Starting from the composable security of cryptographic protocols, this dissertation studies the theory and key techniques of the UC framework and the DDMP model. The main results are as follows:
     1. A security model for identity-based key exchange is proposed in the UC framework. Ideal functionalities for identity-based key exchange are designed, with emphasis on the functionality that captures forward secrecy with respect to the Key Generation Center (KGC). In addition, the Chen-Kudla protocol with key confirmation securely realizes the identity-based key exchange ideal functionality with KGC forward secrecy.
     2. The provable security of broadcast authentication based on one-time signatures is studied in the UC framework. First, a security model for one-time-signature-based broadcast authentication is designed in the UC framework. Second, a UC-secure broadcast authentication protocol is constructed in the hybrid model. Then, the one-time signature protocol HORS+ is designed from one-way functions, one-way hash functions and collision-free hash functions. Finally, the protocol OWC, which realizes multi-value registration, is constructed from one-way chains. The broadcast authentication protocol obtained by composing HORS+ and OWC is UC-secure and suitable for energy-constrained devices.
     3. The security of Trusted Network Connect (TNC) protocols is studied in the UC framework. First, the TNC ideal functionality, the EAP authentication ideal functionality and the EAP-TNC ideal functionality are designed, giving a universally composable security model for Trusted Network Connect. Second, a UC-secure Trusted Network Connect protocol, TK-TNC, is constructed in the hybrid model. The security analysis shows that the D-H PN protocol of the TCG standard does not realize the EAP-TNC ideal functionality and is vulnerable to attack. Finally, the UC-secure protocol TD-H PN is designed using the Twin Diffie-Hellman exchange technique.
     4. The Protocol Derivation System (PDS) is extended for the Needham-Schroeder protocol family. With the extended PDS, a derivation system for the Needham-Schroeder family is obtained, and the Protocol Composition Logic (PCL) provides logical proofs for the derived protocols. Taking Kerberos as the example, the protocol derivation and the logical proof are described in detail.
In recent years, we have witnessed a gradually increasing adoption of cryptographic protocols to secure various applications in communications, computer networks and computer security. However, designing and verifying the security of a complex cryptographic protocol often proves to be difficult. Hence, it is always desirable to be able to use secure and simple protocols as components to compose a secure, but larger and more complicated, protocol. On the other hand, a ubiquitous computing environment often results in multiple concurrent executions of cryptographic protocols. Such a condition requires a protocol to be secure and not to compromise the overall security when it is run concurrently with other protocols. Therefore, the development of techniques to ensure the secure composition of protocols becomes inevitable.
     Among all existing formal methods for cryptographic protocol analysis, the Universally Composable (UC) framework, based on computational complexity, and the DDMP framework, based on symbolic analysis (consisting of the Protocol Derivation System and the Protocol Composition Logic), are two state-of-the-art proposals for the security analysis of cryptographic protocol composition. In this dissertation, we take the secure composition of cryptographic protocols as the starting point and carry out research on the theories and key technologies of the UC and DDMP frameworks. The main results are as follows:
     (1) A provably secure model of identity-based key exchange is proposed in the UC framework. Ideal functionalities for ID-based key exchange are proposed, with emphasis on ID-based key exchange with Key Generation Center Forward Secrecy (KGC-FS). In addition, it is proven that our ID-based KE with KGC-FS functionality can be securely realized by the protocol (with key confirmation) proposed by Chen and Kudla.
     (2) The provable security of broadcast authentication using one-time signatures is investigated in the UC framework. Firstly, a broadcast authentication model is formulated. Secondly, a UC-secure broadcast authentication scheme is proposed in the hybrid model. Thirdly, the one-time signature protocol HORS+ is proposed. Lastly, the protocol OWC is constructed to realize the multi-value registration functionality. Our broadcast authentication scheme, constructed by the combined use of HORS+ and OWC, is UC-secure and suitable for low-power devices.
     (3) The Trusted Network Connect (TNC) protocols are analyzed within the UC framework. The TNC model in the UC framework is proposed by first designing the TNC ideal functionality, the EAP ideal functionality and the EAP-TNC ideal functionality. Then, a UC-secure Trusted Network Connect protocol named TK-TNC is constructed. Subsequently, a security analysis shows that the D-H PN protocol given in the TCG specification does not satisfy UC security and is vulnerable to an attack. Using the Twin Diffie-Hellman exchange technique, a UC-secure protocol, TD-H PN, is proposed.
     (4) The PDS is extended to support the Needham-Schroeder family. Then, the derivation graph of the Needham-Schroeder family is developed using the extended PDS. In addition, the PCL is applied to prove the correctness of the derived protocols. As an example, the detailed derivation and proof of Kerberos Version 5 are shown.
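Result 2 above composes a one-time signature from one-way functions with a one-way chain that registers many values from a single authenticated anchor. The abstract does not give the construction of HORS+ or OWC, so the following added example (not the dissertation's code) implements the plain HORS one-time signature of Reyzin and Reyzin over SHA-256 and a constructed hash-chain registration of successive one-time public keys. The parameters t = 256 and k = 16, the `Receiver` class, the chain layout and the sample broadcast messages are assumptions made for the demonstration. The example also shows the failure mode that forces the "one-time" restriction: reusing a HORS key leaks preimages until an adversary can sign any message it likes.

```python
import hashlib
import secrets

T = 256   # secrets per HORS key; with t = 256 every index is one digest byte (assumed parameter)
K = 16    # preimages revealed per signature (assumed parameter)
SEC = 32  # secret length in bytes

def f(x: bytes) -> bytes:
    """One-way function mapping each secret to its public value."""
    return hashlib.sha256(x).digest()

def H(*parts: bytes) -> bytes:
    """Hash used for message digests, key digests and the commitment chain."""
    return hashlib.sha256(b"".join(parts)).digest()

def hors_keygen():
    sk = [secrets.token_bytes(SEC) for _ in range(T)]
    return sk, [f(s) for s in sk]

def hors_indices(msg: bytes) -> list:
    """Message -> k indices in [0, t): the first k bytes of H(msg)."""
    return list(H(msg)[:K])

def hors_sign(sk, msg: bytes) -> list:
    return [sk[i] for i in hors_indices(msg)]

def hors_verify(pk, msg: bytes, sig) -> bool:
    idx = hors_indices(msg)
    return len(sig) == K and all(f(s) == pk[i] for s, i in zip(sig, idx))

def forge(revealed: dict, msg: bytes):
    """Adversary: build a signature purely from preimages already seen on the wire.
    Succeeds exactly when every index of msg has already been revealed."""
    idx = hors_indices(msg)
    return [revealed[i] for i in idx] if all(i in revealed for i in idx) else None

def reveal_until_exhausted(sk, max_msgs=20000):
    """Misuse: sign distinct messages under ONE key until all t preimages are public.
    Returns the revealed index->preimage map and how many signatures it took."""
    revealed, n = {}, 0
    for n in range(1, max_msgs + 1):
        msg = b"reused-key-message-%d" % n      # constructed messages
        revealed.update(zip(hors_indices(msg), hors_sign(sk, msg)))
        if len(revealed) == T:
            break
    return revealed, n

def pk_digest(pk) -> bytes:
    return H(*pk)

def build_chain(digests: list) -> list:
    """Constructed one-way commitment chain: c[n] is random and c[i] = H(c[i+1] || d[i]).
    The sender registers the anchor c[0] once, authentically; later revealing
    (d[i], c[i+1]) authenticates d[i] to a receiver holding c[i], which advances to c[i+1]."""
    n = len(digests)
    c = [b""] * (n + 1)
    c[n] = secrets.token_bytes(32)
    for i in range(n - 1, -1, -1):
        c[i] = H(c[i + 1], digests[i])
    return c

class Receiver:
    def __init__(self, anchor: bytes):
        self.state, self.registered = anchor, set()

    def register(self, d: bytes, c_next: bytes) -> bool:
        if H(c_next, d) != self.state:      # forging d here needs a second preimage of H
            return False
        self.state = c_next
        self.registered.add(d)
        return True

    def accept(self, pk, msg: bytes, sig) -> bool:
        """Accept a broadcast only under a registered key with a valid signature, then
        retire the key: a second message under the same one-time key is refused."""
        d = pk_digest(pk)
        if d not in self.registered or not hors_verify(pk, msg, sig):
            return False
        self.registered.discard(d)
        return True

def demo(n_keys: int = 3) -> dict:
    """Sender registers n keys through the chain, then broadcasts one message per key."""
    keys = [hors_keygen() for _ in range(n_keys)]
    digests = [pk_digest(pk) for _, pk in keys]
    chain = build_chain(digests)
    rx, out = Receiver(anchor=chain[0]), {}
    for i, (sk, pk) in enumerate(keys):
        msg = b"sensor reading %d" % i        # constructed sample broadcast
        sig = hors_sign(sk, msg)
        out["register_%d" % i] = rx.register(digests[i], chain[i + 1])
        out["accept_%d" % i] = rx.accept(pk, msg, sig)
        out["replay_%d" % i] = rx.accept(pk, msg, sig)          # same key twice: refused
        out["tamper_%d" % i] = hors_verify(pk, msg + b"!", sig) # altered message: fails
    _, rogue_pk = hors_keygen()              # key never committed to by the anchor
    out["rogue_register"] = rx.register(pk_digest(rogue_pk), secrets.token_bytes(32))
    return out
```

Two points carry over to any one-time-signature broadcast scheme. The receiver must be stateful in both directions: it holds the current chain value so registrations are only accepted in order, and it retires a public key after one accepted message; drop either and the one-time guarantee disappears. And the exhaustion run shows why the restriction is not pedantry: with t = 256 and k = 16, a key that signs on the order of a hundred messages has revealed essentially every preimage, after which `forge` succeeds for any message without touching the secret key.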
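Result 3 above repairs D-H PN with the Twin Diffie-Hellman technique of Cash, Kiltz and Shoup. The abstract does not describe TD-H PN itself, so the following added example (not the dissertation's protocol) shows only the underlying primitive: the twin exchange in which a static party holds two secrets (x, x') and both sides derive the pair (Y^x, Y^x'), and the trapdoor test that lets a simulator who knows only (x, r, s) decide whether a candidate pair is the correct twin value without ever computing x'. The group P = 2039, Q = 1019, G = 4 is a toy safe-prime group chosen so the code runs instantly; a deployment would use a standard group (RFC 3526 MODP or an elliptic curve) and the algebra is unchanged. The `session_key` derivation is an assumption made for the demonstration.

```python
import hashlib
import secrets

# Toy prime-order group for illustration only: p = 2q + 1 with p, q prime, and g = 4
# generates the order-q subgroup of squares. Replace with a standard group in practice.
P, Q, G = 2039, 1019, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1

def twin_keygen():
    """Static twin key: secrets (x, x') and public pair (X, X') = (g^x, g^x')."""
    x, xp = rand_exp(), rand_exp()
    return (x, xp), (pow(G, x, P), pow(G, xp, P))

def twin_dh_static(sk, Y: int) -> tuple:
    """Owner of (x, x'), given the peer's Y = g^y, computes the twin value (Y^x, Y^x')."""
    x, xp = sk
    return pow(Y, x, P), pow(Y, xp, P)

def twin_dh_ephemeral(pk, y: int) -> tuple:
    """Peer holding y computes the same twin value as (X^y, X'^y)."""
    X, Xp = pk
    return pow(X, y, P), pow(Xp, y, P)

def session_key(Y: int, pk, twin: tuple) -> bytes:
    """Assumed key derivation: hash the transcript and both twin components."""
    X, Xp = pk
    Z, Zp = twin
    return hashlib.sha256(b"%d|%d|%d|%d|%d" % (X, Xp, Y, Z, Zp)).digest()

def trapdoor_keygen():
    """Simulator's static key: choose x, r, s and set X' = g^s * X^(-r), so that
    x' = s - r*x mod q is implied but never materialised. Returns (x, r, s), (X, X')."""
    x, r, s = rand_exp(), rand_exp(), rand_exp()
    X = pow(G, x, P)
    Xp = pow(G, s, P) * pow(X, (-r) % Q, P) % P
    return (x, r, s), (X, Xp)

def trapdoor_test(td, Y: int, Z: int, Zp: int) -> bool:
    """Decide whether (Z, Z') == (Y^x, Y^x') knowing only r and s, via
    Y^s = Y^(r*x + x') = Z^r * Z'. A correct pair always passes; a wrong pair
    passes with probability 1/q. This is what lets a reduction to plain CDH answer
    decision queries about twin DH values without knowing x'."""
    _, r, s = td
    return pow(Z, r, P) * Zp % P == pow(Y, s, P)

def demo() -> dict:
    # Honest exchange: static twin key on one side, ephemeral y on the other.
    sk, pk = twin_keygen()
    y = rand_exp()
    Y = pow(G, y, P)
    k_static = session_key(Y, pk, twin_dh_static(sk, Y))
    k_ephemeral = session_key(Y, pk, twin_dh_ephemeral(pk, y))
    # Simulator: publishes a trapdoor pair and checks candidate twin values.
    td, tpk = trapdoor_keygen()
    y2 = rand_exp()
    Y2 = pow(G, y2, P)
    Z, Zp = twin_dh_ephemeral(tpk, y2)
    return {
        "keys_agree": k_static == k_ephemeral,
        "correct_pair_passes": trapdoor_test(td, Y2, Z, Zp),
        # Multiplying a correct Z' by g != 1 makes the test fail with certainty.
        "tampered_pair_fails": not trapdoor_test(td, Y2, Z, Zp * G % P),
    }
```

The point of the twin construction is the test, not the doubled exponentiation: a protocol built on it can be proven secure under the ordinary CDH assumption even when the adversary gets to ask whether arbitrary (Y, Z, Z') triples are correct, because the simulator answers from (r, s) alone. The trapdoor pair is a perfectly ordinary twin public key, as the check in the test below confirms, so the adversary cannot tell the simulation from a real run.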

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号