
Critical perspectives on provable security: Fifteen years of "another look" papers

  • We give an overview of our critiques of "proofs" of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata.

    Mathematics Subject Classification: Primary: 94A60.

  • Table 1.  Major provable security claims found to have fallacies in the proofs

    | Type of protocol | Paper with purported proof | Paper explaining fallacy |
    |---|---|---|
    | 1) Public key encryption padding (OAEP) | Bellare-Rogaway Eurocrypt 1994 [46] | Shoup 2002 [273] |
    | 2) Signature schemes | Coron Eurocrypt 2002 [116] | Kakvi-Kiltz 2012 [199] |
    | 3) Identity-based encryption | Boneh-Franklin SIAM J. Comp. 2003 [69] | Galindo 2005 [151] |
    | 4) Authenticated encryption (GCM) | McGrew-Viega Indocrypt 2004 [235] | Iwata-Ohashi-Minematsu 2012 [193] |
    | 5) Key agreement (HMQV) | Krawczyk Crypto 2005 [220] | Menezes 2007 [236] |
    | 6) Message authentication codes (CBC-MAC and EMAC) | Bellare-Pietrzak-Rogaway Crypto 2005 [44] and Pietrzak ICALP 2006 [254] | Jha-Nandi 2016 [195] |
    | 7) Triple encryption | Bellare-Rogaway Eurocrypt 2006 [47] | Gaži-Maurer 2009 [155] |
    | 8) Symmetric encryption (XLS) | Ristenpart-Rogaway FSE 2007 [260] | Nandi 2014 [245] |
    | 9) Tweakable encryption | McGrew-Fluhrer SAC 2007 [234] | Chakraborty–Hernández-Jiménez–Sarkar 2015 [90] |
    | 10) Random oracles and Ideal ciphers | Coron-Patarin-Seurin Crypto 2008 [125] | Holenstein-Künzler-Tessaro 2011 [181] |
  • [1] M. Abdalla, et al., Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions, J. Cryptology, 21 (2008), 350-391. doi: 10.1007/s00145-007-9006-6.
    [2] M. Abdalla, M. Bellare and G. Neven, Robust encryption, Theory of Cryptography, 480–497, Lecture Notes in Comput. Sci., 5978, Springer, Berlin, 2010. doi: 10.1007/978-3-642-11799-2_28.
    [3] M. Abdalla, F. Benhamouda, A. Passelègue and K. Paterson, Related-key security for pseudorandom functions beyond the linear barrier, Advances in Cryptology–CRYPTO 2014. Part I, 77–94, Lecture Notes in Comput. Sci., 8616, Springer, Heidelberg, 2014. doi: 10.1007/978-3-662-44371-2_5.
    [4] M. Abe, A three-move blind signature scheme for polynomially many signatures, Advances in Cryptology - Eurocrypt 2001, 136–151, Lecture Notes in Comput. Sci., 2045, Springer, Berlin, 2001. doi: 10.1007/3-540-44987-6_9.
    [5] M. Abe and M. Ohkubo, Provably secure fair blind signatures with tight revocation, Advances in Cryptology - Asiacrypt 2001, 583–601, Lecture Notes in Comput. Sci., 2248, Springer, Berlin, 2001. doi: 10.1007/3-540-45682-1_34.
    [6] M. Albrecht, P. Farshim, J. Faugère and L. Perret, Polly cracker, revisited, Advances in Cryptology - Asiacrypt 2011, 179–196, Lecture Notes in Comput. Sci., 7073, Springer, Heidelberg, 2011. doi: 10.1007/978-3-642-25385-0_10.
    [7] M. Albrecht, J. Faugère, R. Fitzpatrick, L. Perret, Y. Todo and K. Xagawa, Practical cryptanalysis of a public-key encryption scheme based on new multivariate quadratic assumptions, Public Key Cryptography - PKC 2014, 446–464, Lecture Notes in Comput. Sci., 8383, Springer, Heidelberg, 2014. doi: 10.1007/978-3-642-54631-0_26.
    [8] M. Albrecht and K. Paterson, Breaking an identity-based encryption scheme based on DHIES, Cryptography and Coding, 344–355, Lecture Notes in Comput. Sci., 7089, Springer, Heidelberg, 2011. doi: 10.1007/978-3-642-25516-8_21.
    [9] W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: Certain parts are as hard as the whole, SIAM J. Computing, 17 (1988), 194-209. doi: 10.1137/0217013.
    [10] N. AlFardan and K. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, Proc. 2013 IEEE Symposium on Security and Privacy, 526–540.
    [11] E. Alkim, N. Bindel, J. Buchmann and Ö. Dagdelen, TESLA: Tightly-secure efficient signatures from standard lattices, version 20150730: 095248, available at http://eprint.iacr.org/2015/755.
    [12] E. Alkim, N. Bindel, J. Buchmann, Ö. Dagdelen, E. Eaton, G. Gutoski, J. Krämer and F. Pawlega, Revisiting TESLA in the quantum random oracle model, Post-Quantum Cryptography, 143–162, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
    [13] M. Ambrona, G. Barthe, R. Gay and H. Wee, Attribute-based encryption in the generic group model: Automated proofs and new constructions, Proc. 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17, 2017, 647–664. doi: 10.1145/3133956.3134088.
    [14] M. Ambrona, G. Barthe and B. Schmidt, Automated unbounded analysis of cryptographic constructions in the generic group model, Advances in Cryptology–EUROCRYPT 2016. Part II, 822–851, Lecture Notes in Comput. Sci., 9666, Springer, Berlin, 2016. doi: 10.1007/978-3-662-49896-5_29.
    [15] J. An, Y. Dodis and T. Rabin, On the security of joint signature and encryption, Advances in Cryptology - Eurocrypt 2002, 83–107, Lecture Notes in Comput. Sci., 2332, Springer, Berlin, 2002. doi: 10.1007/3-540-46035-7_6.
    [16] E. Andreeva, A. Luykx, B. Mennink and K. Yasuda, COBRA: A parallelizable authenticated online cipher without block cipher inverse, Fast Software Encryption - FSE 2014, 8540 (2014), 187-204. doi: 10.1007/978-3-662-46706-0_10.
    [17] M. Backes and D. Hofheinz, How to break and repair a universally composable signature functionality, Information Security - ISC 2004, LNCS, 3225 (2004), 61–72. doi: 10.1007/978-3-540-30144-8_6.
    [18] C. Bader, D. Hofheinz, T. Jager, E. Kiltz and Y. Li, Tightly-secure authenticated key exchange, Theory of Cryptography, 629–658, Lecture Notes in Comput. Sci., 9014, Springer, Heidelberg, 2015. doi: 10.1007/978-3-662-46494-6_26.
    [19] J. Baek and Y. Zheng, Zheng and Seberry's public key encryption scheme revisited, International Journal of Information Security, 2 (2003), 37-44.  doi: 10.1007/s10207-003-0023-7.
    [20] A. Bagherzandi, J. Cheon and S. Jarecki, Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma, Proc. Fifteenth ACM Conference on Computer and Communications Security - CCS '08, 449–458.
    [21] S. Bai and S. Galbraith, An improved compression technique for signatures based on learning with errors, Topics in Cryptology - CT-RSA 2014, 28–47, Lecture Notes in Comput. Sci., 8366, Springer, Cham, 2014. doi: 10.1007/978-3-319-04852-9_2.
    [22] E. Bangerter, J. Camenisch and U. Maurer, Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order, Public Key Cryptography - PKC 2005, LNCS, 3386 (2005), 154–171. doi: 10.1007/978-3-540-30580-4_11.
    [23] G. Barthe, J. Crespo, B. Grégoire, C. Kunz, Y. Lakhnech, B. Schmidt and S. Zanella-Béguelin, Fully automated analysis of padding-based encryption in the computational model, Proc. 2013 ACM SIGSAC Conference on Computer and Communications Security - CCS '13, 2013, 1247–1260. doi: 10.1145/2508859.2516663.
    [24] G. Barthe, X. Fan, J. Gancher, B. Grégoire, C. Jacomme and E. Shi, Symbolic proofs for lattice-based cryptography, Proc. 2018 ACM SIGSAC Conference on Computer and Communications Security - CCS '18, 2018, 538–555. doi: 10.1145/3243734.3243825.
    [25] M. Bellare, Practice-oriented provable-security, Proc. First International Workshop on Information Security - ISW 1997, LNCS, 1396 (1997), 221–231.
    [26] M. Bellare, New proofs for NMAC and HMAC: Security without collision-resistance, Advances in Cryptology - Crypto 2006, LNCS, 4117 (2006), 602–619. doi: 10.1007/11818175_36.
    [27] M. Bellare, Email to N. Koblitz, 24 February 2012.
    [28] M. Bellare, New proofs for NMAC and HMAC: Security without collision-resistance, J. Cryptology, 28 (2015), 844-878.  doi: 10.1007/s00145-014-9185-x.
    [29] M. Bellare, D. Bernstein and S. Tessaro, Hash-function based PRFs: AMAC and its multi-user security, Advances in Cryptology - Eurocrypt 2016, LNCS, 9665 (2016), 566–595. doi: 10.1007/978-3-662-49890-3_22.
    [30] M. Bellare, A. Boldyreva and A. O'Neill, Deterministic and efficiently searchable encryption, Advances in Cryptology - Crypto 2007, LNCS, 4622 (2007), 535–552. doi: 10.1007/978-3-540-74143-5_30.
    [31] M. Bellare, A. Boldyreva and J. Staddon, Randomness re-use in multi-recipient encryption schemes, Public Key Cryptography - PKC 2003, LNCS, 2567 (2002), 85–99. doi: 10.1007/3-540-36288-6_7.
    [32] M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, Advances in Cryptology - Crypto 1996, LNCS, 1109 (1996), 1–15. doi: 10.1007/3-540-68697-5_1.
    [33] M. Bellare, R. Canetti and H. Krawczyk, HMAC: Keyed-hashing for message authentication, Internet RFC 2104, 1997.
    [34] M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, Proc. 30th Annual ACM Symposium on Theory of Computing - STOC 1998, 1998, 419–428.
    [35] M. Bellare and D. Cash, Pseudorandom functions and permutations provably secure against related-key attacks, Advances in Cryptology - Crypto 2010, LNCS, 6223 (2010), 666–684. doi: 10.1007/978-3-642-14623-7_36.
    [36] M. Bellare, J. Garay and T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Advances in Cryptology - Eurocrypt 1998, LNCS, 1403 (1998), 236–250. doi: 10.1007/BFb0054130.
    [37] M. Bellare, J. Garay and T. Rabin, Fast batch verification for modular exponentiation and digital signatures, available at http://eprint.iacr.org/1998/007.
    [38] M. Bellare, O. Goldreich and A. Mityagin, The power of verification queries in message authentication and authenticated encryption, http://eprint.iacr.org/2004/309.
    [39] M. Bellare, D. Hofheinz and E. Kiltz, Subtleties in the definition of IND-CCA: When and how should challenge decryption be disallowed?, J. Cryptology, 28 (2015), 29-48. doi: 10.1007/s00145-013-9167-4.
    [40] M. Bellare, C. Namprempre and G. Neven, Unrestricted aggregate signatures, Automata, Languages, and Programming - ICALP 2007, LNCS, 4596 (2007), 411–422. doi: 10.1007/978-3-540-73420-8_37.
    [41] M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko, The one-more-RSA inversion problems and the security of Chaum's blind signature scheme, J. Cryptology, 16 (2003), 185-215. doi: 10.1007/s00145-002-0120-1.
    [42] M. Bellare and A. Palacio, GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks, Advances in Cryptology - Crypto 2002, LNCS, 2442 (2002), 162–177. doi: 10.1007/3-540-45708-9_11.
    [43] M. Bellare, K. Paterson and P. Rogaway, Security of symmetric encryption against mass surveillance, Advances in Cryptology - Crypto 2014, LNCS, 8616 (2014), 1–19. doi: 10.1007/978-3-662-44371-2_1.
    [44] M. Bellare, K. Pietrzak and P. Rogaway, Improved security analyses for CBC MACs, Advances in Cryptology - Crypto 2005, LNCS, 3621 (2005), 527–545. doi: 10.1007/11535218_32.
    [45] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, Proc. First ACM Conference on Computer and Communications Security - CCS '93, 1993, 62–73. doi: 10.1145/168588.168596.
    [46] M. Bellare and P. Rogaway, Optimal asymmetric encryption, Advances in Cryptology - Eurocrypt 1994, LNCS, 950 (1995), 92–111. doi: 10.1007/BFb0053428.
    [47] M. Bellare and P. Rogaway, The security of triple encryption and a framework for code-based gameplaying proofs, Advances in Cryptology - Eurocrypt 2006, LNCS, 4004 (2006), 409–426. doi: 10.1007/11761679_25.
    [48] C. Berbain, H. Gilbert and J. Patarin, QUAD: A practical stream cipher with provable security, Advances in Cryptology - Eurocrypt 2006, LNCS, 4004 (2004), 109–128. doi: 10.1007/11761679_8.
    [49] C. Berbain, H. Gilbert and J. Patarin, QUAD: A multivariate stream cipher with provable security, Journal of Symbolic Computation, 44 (2009), 1703-1723. doi: 10.1016/j.jsc.2008.10.004.
    [50] D. Bernhard, G. Fuchsbauer, E. Ghadafi, N. Smart and B. Warinschi, Anonymous attestation with user-controlled linkability, International Journal of Information Security, 12 (2013), 219-249. doi: 10.1007/s10207-013-0191-z.
    [51] D. Bernstein, email to hash-forum@nist.gov, 2 March 2007.
    [52] D. Bernstein, Proving tight security for Rabin-Williams signatures, Advances in Cryptology - Eurocrypt 2008, LNCS, 4965 (2008), 70–87. doi: 10.1007/978-3-540-78967-3_5.
    [53] D. Bernstein, Multi-user Schnorr, revisited, available at http://eprint.iacr.org/2015/996.
    [54] D. Bernstein et al., SPHINCS+: Submission to the NIST post-quantum project, 30 November 2017, available at http://sphincs.org/data/sphincs+-specification.pdf.
    [55] D. Bernstein and T. Lange, Never trust a bunny, Radio Frequency Identification: Security and Privacy Issues - RFIDSec 2012, LNCS, 7739 (2012), 137–148. doi: 10.1007/978-3-642-36140-1_10.
    [56] D. Bernstein and E. Persichetti, Towards KEM unification, available at http://eprint.iacr.org/2018/526.
    [57] K. Bhargavan, B. Blanchet and N. Kobeissi, Verified models and reference implementations for the TLS 1.3 standard candidate, Proc. 2017 IEEE Symposium on Security and Privacy, 2017, 483–502. doi: 10.1109/SP.2017.26.
    [58] K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti and P. Strub, Implementing TLS with verified cryptographic security, Proc. 2013 IEEE Symposium on Security and Privacy, 2013, 445–459. doi: 10.1109/SP.2013.37.
    [59] S. Blake-Wilson and A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, Public Key Cryptography - PKC 1999, LNCS, 1560 (1999), 156–170. doi: 10.1007/3-540-49162-7_12.
    [60] B. Blanchet and D. Pointcheval, Automated security proofs with sequences of games, Advances in Cryptology - Crypto 2006, LNCS, 4117 (2006), 537–554. doi: 10.1007/11818175_32.
    [61] L. Blum, M. Blum and M. Shub, A simple unpredictable pseudo-random number generator, SIAM J. Computing, 15 (1986), 364-383. doi: 10.1137/0215025.
    [62] J. Bohli, M. Vasco and R. Steinwandt, Secure group key establishment revisited, International Journal of Information Security, 6 (2007), 243-254. doi: 10.1007/s10207-007-0018-x.
    [63] A. Boldyreva, Efficient threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme, Public Key Cryptography - PKC 2003, LNCS, 2567 (2002), 31–46. doi: 10.1007/3-540-36288-6_3.
    [64] A. Boldyreva, N. Chenette, Y. Lee and A. O'Neill, Order-preserving symmetric encryption, Advances in Cryptology - Eurocrypt 2009, LNCS, 5479 (2009), 224–241. doi: 10.1007/978-3-642-01001-9_13.
    [65] A. Boldyreva, C. Gentry, A. O'Neill and D. H. Yum, Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing, Proc. 14th ACM Conference on Computer and Communications Security - CCS '07, 2007, 276–285; full version available at http://eprint.iacr.org/2007/438. doi: 10.1145/1315245.1315280.
    [66] A. Boldyreva, V. Goyal and V. Kumar, Identity-based encryption with efficient revocation, Proc. Fifteenth ACM Conference on Computer and Communications Security - CCS '08, 2008, 417–426. doi: 10.1145/1455770.1455823.
    [67] D. Boneh and X. Boyen, Short signatures without random oracles, Advances in Cryptology - Eurocrypt 2004, LNCS, 3027 (2004), 56–73. doi: 10.1007/978-3-540-24676-3_4.
    [68] D. Boneh, G. Di Crescenzo, R. Ostrovsky and G. Persiano, Public key encryption with keyword search, Advances in Cryptology - Eurocrypt 2004, LNCS, 3027 (2004), 506–522. doi: 10.1007/978-3-540-24676-3_30.
    [69] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, SIAM J. Computing, 32 (2003), 586-615.  doi: 10.1137/S0097539701398521.
    [70] R. Bost and O. Sanders, Trick or tweak: On the (in)security of OTR's tweaks, Advances in Cryptology - Asiacrypt 2016, LNCS, 10031 (2016), 333–353. doi: 10.1007/978-3-662-53887-6_12.
    [71] M. Boyarsky, Public-key cryptography and password protocols: The multi-user case, Proc. 6th ACM Conference on Computer and Communications Security - CCS '99, 1999, 63–72. doi: 10.1145/319709.319719.
    [72] C. Boyd and J. Nieto, Round-optimal contributory conference key agreement, Public Key Cryptography - PKC 2003, LNCS, 2567 (2003), 161–174. doi: 10.1007/3-540-36288-6_12.
    [73] C. Boyd and C. Pavlovski, Attacking and repairing batch verification schemes, Advances in Cryptology - Asiacrypt 2000, LNCS, 1976 (2000), 58–71. doi: 10.1007/3-540-44448-3_5.
    [74] E. Bresson, O. Chevassut and D. Pointcheval, Provably authenticated group Diffie-Hellman key exchange - the dynamic case, Advances in Cryptology - Asiacrypt 2001, LNCS, 2248 (2001), 290–309. doi: 10.1007/3-540-45682-1_18.
    [75] E. Bresson, O. Chevassut, D. Pointcheval and J. Quisquater, Provably authenticated group Diffie-Hellman key exchange, Proc. 8th ACM Conference on Computer and Communications Security - CCS '01, 2001, 255–264. doi: 10.1145/501983.502018.
    [76] E. Brickell, J. Camenisch and L. Chen, Direct anonymous attestation, Proc. 11th ACM Conference on Computer and Communications Security - CCS '04, 2004, 132–145. doi: 10.1145/1030083.1030103.
    [77] E. Brickell, L. Chen and J. Li, Simplified security notions for direct anonymous attestation and a concrete scheme from pairings, International Journal of Information Security, 8 (2009), 315-330. doi: 10.1007/s10207-009-0076-3.
    [78] E. Brickell and J. Li, A pairing-based DAA scheme further reducing TPM resources, Trust and Trustworthy Computing - Trust 2010, LNCS, 6101 (2010), 181–195. doi: 10.1007/978-3-642-13869-0_12.
    [79] J. Bringer and H. Chabanne, Trusted-HB: A low-cost version of HB+ secure against man-in-the-middle attacks, IEEE Transactions on Information Theory, 54 (2008), 4339-4342.  doi: 10.1109/TIT.2008.928290.
    [80] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing and M. Rückert, On the security of the Winternitz one-time signature scheme, International Journal of Applied Cryptography, 3 (2013), 84-96. doi: 10.1504/IJACT.2013.053435.
    [81] J. Camenisch, M. Drijvers and A. Lehmann, Anonymous attestation using the strong Diffie-Hellman assumption revisited, Trust and Trustworthy Computing - Trust 2016, LNCS, 9824 (2016), 1–20. doi: 10.1007/978-3-319-45572-3_1.
    [82] J. Camenisch, M. Drijvers and A. Lehmann, Universally composable direct anonymous attestation, Public Key Cryptography - PKC 2016, LNCS, 9615 (2016), 234–264. doi: 10.1007/978-3-662-49387-8_10.
    [83] J. Camenisch and M. Michels, Confirmer signature schemes secure against adaptive adversaries, Advances in Cryptology - Eurocrypt 2000, LNCS, 1807 (2000), 243–258. doi: 10.1007/3-540-45539-6_17.
    [84] R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, Journal of the ACM, 51 (2004), 557-594. doi: 10.1145/1008731.1008734.
    [85] R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, Advances in Cryptology - Eurocrypt 2001, LNCS, 2045 (2001), 453–474. doi: 10.1007/3-540-44987-6_28.
    [86] R. Canetti and H. Krawczyk, Universally composable notions of key exchange and secure channels, Advances in Cryptology - Eurocrypt 2002, LNCS, 2332 (2002), 337–351. doi: 10.1007/3-540-46035-7_22.
    [87] R. Canetti and H. Krawczyk, Security analysis of IKE's signature-based key-exchange protocol, Advances in Cryptology - Crypto 2002, LNCS, 2442 (2002), 143–161. doi: 10.1007/3-540-45708-9_10.
    [88] R. Canetti and T. Rabin, Universal composition with joint state, Advances in Cryptology - Crypto 2003, LNCS, 2729 (2003), 265–281; extended version 20020419: 032235 available at http://eprint.iacr.org/2002/047. doi: 10.1007/978-3-540-45146-4_16.
    [89] B. Canvel, A. Hiltgen, S. Vaudenay and M. Vuagnoux, Password interception in a SSL/TLS channel, Advances in Cryptology - Crypto 2003, LNCS, 2729 (2003), 583–599. doi: 10.1007/978-3-540-45146-4_34.
    [90] D. Chakraborty, V. Hernández-Jiménez and P. Sarkar, Another look at XCB, Cryptography and Communications, 7 (2015), 439-468. doi: 10.1007/s12095-015-0127-8.
    [91] D. Chakraborty and M. Nandi, Attacks on the authenticated encryption mode of operation PAE, IEEE Transactions on Information Theory, 61 (2015), 5636-5624. doi: 10.1109/TIT.2015.2461532.
    [92] D. Chakraborty and P. Sarkar, On modes of operations of a block cipher for authentication and authenticated encryption, Cryptography and Communications, 8 (2016), 455-511.  doi: 10.1007/s12095-015-0153-6.
    [93] H. Chan, A. Perrig and D. Song, Secure hierarchical in-network aggregation in sensor networks, Proc. 13th ACM Conference on Computer and Communications Security - CCS '06, 2006, 278–287. doi: 10.1145/1180405.1180440.
    [94] D. Chang, M. Nandi and M. Yung, On the security of hash functions employing blockcipher postprocessing, Fast Software Encryption - FSE 2011, LNCS, 6733 (2011), 146–166. doi: 10.1007/978-3-642-21702-9_9.
    [95] S. Chatterjee and M. Das, Property preserving symmetric encryption revisited, Advances in Cryptology - Asiacrypt 2015, LNCS, 9453 (2015), 658–682. doi: 10.1007/978-3-662-48800-3_27.
    [96] S. Chatterjee, C. Kamath and V. Kumar, Galindo-Garcia identity-based signature revisited, Information Security and Cryptology - ISC 2012, LNCS, 7839 (2012), 456–471. doi: 10.1007/978-3-642-37682-5_32.
    [97] S. Chatterjee, K. Karabina and A. Menezes, Fault attacks on pairing-based protocols revisited, IEEE Transactions on Computers, 64 (2015), 1707-1714.
    [98] S. Chatterjee, N. Koblitz, A. Menezes and P. Sarkar, Another look at tightness Ⅱ: Practical issues in cryptography, Paradigms in Cryptology - Mycrypt 2016, LNCS, 10311 (2016), 21–55. doi: 10.1007/978-3-319-61273-7_3.
    [99] S. Chatterjee, A. Menezes and P. Sarkar, Another look at tightness, Selected Areas in Cryptography - SAC 2011, LNCS, 7118 (2012), 293–319. doi: 10.1007/978-3-642-28496-0_18.
    [100] L. Chen, A DAA scheme requiring less TPM resources, Information Security and Cryptology - Inscrypt 2009, LNCS, 6151 (2009), 350–365. doi: 10.1007/978-3-642-16342-5_26.
    [101] Y. Chen, M. Charlemagne, Z. Guan, J. Hu and Z. Chen, Identity-based encryption based on DHIES, Proc. 5th ACM Symposium on Information, Computer and Communications Security - ASIA CCS 2010, 2010, 82–88. doi: 10.1145/1755688.1755699.
    [102] L. Chen, Z. Cheng and N. Smart, Identity-based key agreement protocols from pairings, International Journal of Information Security, 6 (2007), 213-241. doi: 10.1007/s10207-006-0011-9.
    [103] L. Chen and C. Kudla, Identity based authenticated key agreement protocols from pairings, Proc. 16th IEEE Computer Security Foundations Workshop, 2003, 219–233. doi: 10.1109/CSFW.2003.1212715.
    [104] L. Chen and J. Li, A note on the Chen-Morrissey-Smart DAA scheme, Information Processing Letters, 110 (2010), 485-488.  doi: 10.1016/j.ipl.2010.04.017.
    [105] L. Chen and J. Li, Flexible and scalable digital signatures in TPM 2.0, Proc. 2013 ACM SIGSAC Conference on Computer and Communications Security - CCS '13, 2013, 37–48. doi: 10.1145/2508859.2516729.
    [106] L. Chen, P. Morrissey and N. Smart, Pairings in trusted computing, Pairing-Based Cryptography - Pairing 2008, LNCS, 5209 (2008), 1–17. doi: 10.1007/978-3-540-85538-5_1.
    [107] L. Chen, P. Morrissey and N. Smart, On proofs of security for DAA schemes, International Conference on Provable Security - ProvSec 2008, LNCS, 5324 (2008), 156–175. doi: 10.1007/978-3-540-88733-1_11.
    [108] L. Chen, D. Page and N. Smart, On the design and implementation of an efficient DAA scheme, Smart Card Research and Advanced Applications - CARDIS 2010, LNCS, 6035 (2010), 223–237. doi: 10.1007/978-3-642-12510-2_16.
    [109] J. Cheon, P. Fouque, C. Lee, B. Minaud and H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers, Advances in Cryptology - Eurocrypt 2016, LNCS, 9665 (2016), 509–536. doi: 10.1007/978-3-662-49890-3_20.
    [110] J. Cheon, K. Han, C. Lee, H. Ryu and D. Stehlé, Cryptanalysis of the multilinear map over the integers, Advances in Cryptology - Eurocrypt 2015, LNCS, 9056 (2015), 3–12. doi: 10.1007/978-3-662-46800-5_1.
    [111] J. Cheon, H. Lee and J. Seo, A new additive homomorphic encryption based on the co-ACD problem, Proc. 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS '14, (2014), 287–298. doi: 10.1145/2660267.2660335.
    [112] K. Choo, C. Boyd and Y. Hitchcock, Errors in computational complexity proofs for protocols, Advances in Cryptology - Asiacrypt 2005, LNCS, 3788 (2005), 624–643. doi: 10.1007/11593447_34.
    [113] S. Chow, J. Weng, Y. Yang and R. Deng, Efficient unidirectional proxy re-encryption, Progress in Cryptology - Africacrypt 2010, LNCS, 6055 (2010), 316–332. doi: 10.1007/978-3-642-12678-9_19.
    [114] S. Coretti, Y. Dodis, S. Guo and J. Steinberger, Random oracles and non-uniformity, Advances in Cryptology - Eurocrypt 2018, LNCS, 10820 (2018), 227–258.
    [115] J.-S. Coron, On the exact security of full domain hash, Advances in Cryptology - Crypto 2000, LNCS, 1880 (2000), 229–235. doi: 10.1007/3-540-44598-6_14.
    [116] J.-S. Coron, Optimal security proofs for PSS and other signature schemes, Advances in Cryptology - Eurocrypt 2002, LNCS, 2332 (2002), 272–287. doi: 10.1007/3-540-46035-7_18.
    [117] J.-S. Coron, Y. Dodis, C. Malinaud and P. Puniya, Merkle-Damgård revisited: How to construct a hash function, Advances in Cryptology - Crypto 2005, LNCS, 3621 (2005), 430–448. doi: 10.1007/11535218_26.
    [118] J.-S. Coron, H. Handschuh, M. Joye, P. Paillier, D. Pointcheval and C. Tymen, GEM: A generic chosen-ciphertext secure encryption method, Topics in Cryptology - CT-RSA 2002, LNCS, 2271 (2002), 263–276. doi: 10.1007/3-540-45760-7_18.
    [119] J.-S. Coron, T. Holenstein, R. Künzler, J. Patarin, Y. Seurin and S. Tessaro, How to build an ideal cipher: The indifferentiability of the Feistel construction, J. Cryptology, 29 (2016), 61-114. doi: 10.1007/s00145-014-9189-6.
    [120] J.-S. Coron, A. Joux, A. Mandal, D. Naccache and M. Tibouchi, Cryptanalysis of the RSA subgroup assumption from TCC 2005, Public Key Cryptography - PKC 2011, LNCS, 6571 (2011), 147–155. doi: 10.1007/978-3-642-19379-8_9.
    [121] J.-S. Coron, M. Lee, T. Lepoint and M. Tibouchi, Cryptanalysis of GGH15 multilinear maps, Advances in Cryptology - Crypto 2016, LNCS, 9815 (2016), 607–628. doi: 10.1007/978-3-662-53008-5_21.
    [122] J.-S. Coron, T. Lepoint and M. Tibouchi, Practical multilinear maps over the integers, Advances in Cryptology - Crypto 2013, LNCS, 8042 (2013), 476–493. doi: 10.1007/978-3-642-40041-4_26.
    [123] J.-S. Coron, T. Lepoint and M. Tibouchi, New multilinear maps over the integers, Advances in Cryptology - Crypto 2015, LNCS, 9215 (2015), 267–286. doi: 10.1007/978-3-662-47989-6_13.
    [124] J.-S. Coron and D. Naccache, On the security of RSA screening, Public Key Cryptography - PKC 1999, LNCS, 1560 (1999), 197–203. doi: 10.1007/3-540-49162-7_15.
    [125] J.-S. Coron, J. Patarin and Y. Seurin, The random oracle model and the ideal cipher model are equivalent, Advances in Cryptology - Crypto 2008, LNCS, 5157 (2008), 1–20. doi: 10.1007/978-3-540-85174-5_1.
    [126] C. Cremers, M. Horvat, J. Hoyland, S. Scott and T. van der Merwe, A comprehensive symbolic analysis of TLS 1.3, Proc. 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17, 2017, 1773–1788.
    [127] R. De Millo, R. Lipton and A. Perlis, Social processes and proofs of theorems and programs, Program Verification, 14 (1993), 297-319. doi: 10.1007/978-94-011-1793-7_14.
    [128] J. Degabriele, P. Farshim and B. Poettering, A more cautious approach to security against mass surveillance, Fast Software Encryption - FSE 2015, LNCS, 9054 (2015), 579–598. doi: 10.1007/978-3-662-48116-5_28.
    [129] J. Degabriele, K. Paterson and G. Watson, Provable security in the real world, IEEE Security & Privacy, 9 (2011), 33-41. doi: 10.1109/MSP.2010.200.
    [130] Y. Dodis, T. Ristenpart and T. Shrimpton, Salvaging Merkle-Damgård for practical applications, Advances in Cryptology - Eurocrypt 2009, LNCS, 5479 (2009), 371–388. doi: 10.1007/978-3-642-01001-9_22.
    [131] D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography, SIAM J. Computing, 30 (2000), 391-437. doi: 10.1137/S0097539795291562.
    [132] M. Drijvers, K. Edalatnejad, B. Ford, E. Kiltz, J. Loss, G. Neven and I. Stepanovs, On the security of two-round multi-signatures, available at http://eprint.iacr.org/2018/417.
    [133] N. Drucker and S. Gueron, Selfie: Reflections on TLS 1.3 with PSK, available at http://eprint.iacr.org/2019/347.
    [134] T. Duong and J. Rizzo, BEAST: A surprising crypto attack against https, 2012, available at http://antoanthongtin.vn/Portals/0/TempUpload/pProceedings/2014/9/26/tetcon2012_juliano_beast.pdf.
    [135] D. Eastlake, S. Crocker and J. Schiller, RFC 1750 - Randomness Recommendations for Security, available at http://www.ietf.org/rfc/rfc1750.txt.
    [136] O. Eikemeier et al., History-free aggregate message authentication codes, Security and Cryptography for Networks - SCN 2010, LNCS, 6280 (2010), 309–328.
    [137] J. Fan, X. Guo, E. De Mulder, P. Schaumont, B. Preneel and I. Verbauwhede, State-of-the-art of secure ECC implementations: A survey of known side-channel attacks and countermeasures, IEEE International Symposium on Hardware-Oriented Security and Trust - HOST 2010, 2010, 76–87. doi: 10.1109/HST.2010.5513110.
    [138] P. Farshim, B. Libert, K. Paterson and E. Quaglia, Robust encryption, revisited, Public Key Cryptography - PKC 2013, LNCS, 7788 (2013), 352–368. doi: 10.1007/978-3-642-36362-7_22.
    [139] S. Fehr, D. Hofheinz, E. Kiltz and H. Wee, Encryption schemes secure against chosen-ciphertext selective opening attacks, Advances in Cryptology - Eurocrypt 2010, LNCS, 6110 (2010), 381–402. doi: 10.1007/978-3-642-13190-5_20.
    [140] M. Fischlin and F. Günther, Replay attacks on zero round-trip time: The case of TLS 1.3 handshake candidates, Proc. 2017 IEEE European Symposium on Security and Privacy, 2017, 60–75. doi: 10.1109/EuroSP.2017.18.
    [141] C. Forler, E. List, S. Lucks and J. Wenzel, POEx: A beyond-birthday-bound-secure on-line cipher, Cryptogr. Commun., 10 (2018), 177–193, available at http://www.researchgate.net/publication/299565944. doi: 10.1007/s12095-017-0250-9.
    [142] P. Fouque, M. Lee, T. Lepoint and M. Tibouchi, Cryptanalysis of the co-ACD assumption, Advances in Cryptology - Crypto 2015, LNCS, 9215 (2015), 561–580. doi: 10.1007/978-3-662-47989-6_27.
    [143] D. Freedman, Lies, damned lies, and medical science, The Atlantic, 306 (2010), 76-84. 
    [144] D. Frumkin and A. Shamir, Un-trusted-HB: Security vulnerabilities of trusted-HB, available at http://eprint.iacr.org/2009/044.
    [145] G. Fuchsbauer, Breaking existential unforgeability of a signature scheme from Asiacrypt 2014, available at http://eprint.iacr.org/2014/892.
    [146] G. Fuchsbauer, C. Hanser, C. Kamath and D. Slamanig, Practical round-optimal blind signatures in the standard model from weaker assumptions, Security and Cryptography for Networks - SCN 2016, LNCS, 9841 (2016), 391–408. doi: 10.1007/978-3-319-44618-9_21.
    [147] G. Fuchsbauer, C. Hanser and D. Slamanig, Practical round-optimal blind signatures in the standard model, Advances in Cryptology - Crypto 2015, LNCS, 9216 (2015), 233–253. doi: 10.1007/978-3-662-48000-7_12.
    [148] G. Fuchsbauer, C. Hanser and D. Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials, J. Cryptology, 32 (2019), 498-546. doi: 10.1007/s00145-018-9281-4.
    [149] J. Furukawa and H. Imai, An efficient group signature scheme from bilinear maps, Australasian Conference on Information Security and Privacy, 3574 (2005), 455-467.  doi: 10.1007/11506157_38.
    [150] S. Galbraith, J. Malone-Lee and N. Smart, Public key signatures in the multi-user setting, Information Processing Letters, 83 (2002), 263-266.  doi: 10.1016/S0020-0190(01)00338-6.
    [151] D. Galindo, Boneh-Franklin identity-based encryption revisited, Automata, Languages and Programming - ICALP 2005, LNCS, 3580 (2005), 791–802. doi: 10.1007/11523468_64.
    [152] D. Galindo and F. García, A Schnorr-like lightweight identity-based signature scheme, Progress in Cryptology - Africacrypt 2009, LNCS, 5580 (2009), 135–148. doi: 10.1007/978-3-642-02384-2_9.
    [153] S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, Advances in Cryptology - Eurocrypt 2013, LNCS, 7881 (2013), 1–17. doi: 10.1007/978-3-642-38348-9_1.
    [154] S. Garg and D. Gupta, Efficient round optimal blind signatures, Advances in Cryptology - Eurocrypt 2014, LNCS, 8441 (2014), 477–495. doi: 10.1007/978-3-642-55220-5_27.
    [155] P. Gaži and U. Maurer, Cascade encryption revisited, Advances in Cryptology - Asiacrypt 2009, LNCS, 5912 (2009), 37–51. doi: 10.1007/978-3-642-10366-7_3.
    [156] R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign signatures without the random oracle, Advances in Cryptology - Eurocrypt 1999, LNCS, 1592 (1999), 123–139. doi: 10.1007/3-540-48910-X_9.
    [157] C. Gentry, S. Gorbunov and S. Halevi, Graph-induced multilinear maps from lattices, Theory of Cryptography Conference - TCC 2015, LNCS, 9015 (2015), 498–527. doi: 10.1007/978-3-662-46497-7_20.
    [158] C. Gentry, D. Molnar and Z. Ramzan, Efficient designated confirmer signatures without random oracles or general zero-knowledge proofs, Advances in Cryptology - Asiacrypt 2005, LNCS, 3788 (2005), 662–681. doi: 10.1007/11593447_36.
    [159] F. Giacon, E. Kiltz and B. Poettering, Hybrid encryption in a multi-user setting, revisited, Public Key Cryptography - PKC 2018, LNCS, 10769 (2018), 159–189.
    [160] H. Gilbert, M. Robshaw and H. Sibert, Active attack against HB+: A provably secure lightweight authentication protocol, Electronics Letters, 41 (2005), 1169-1170.  doi: 10.1049/el:20052622.
    [161] O. Goldreich, On post-modern cryptography, available at http://eprint.iacr.org/2006/461.
    [162] S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, July 2008, available at http://cseweb.ucsd.edu/mihir/papers/gb.pdf.
    [163] S. Goldwasser and Y. Kalai, Cryptographic assumptions: A position paper, Theory of Cryptography Conference, 9562 (2016), 505–522, available at http://eprint.iacr.org/2015/907. doi: 10.1007/978-3-662-49096-9_21.
    [164] S. Goldwasser, S. Micali and R. Rivest, A "paradoxical" solution to the signature problem, Proc. 25th Annual IEEE Symposium on the Foundations of Computer Science - FOCS 1984, 1984, 441–448. doi: 10.1109/SFCS.1984.715946.
    [165] S. Goldwasser and E. Waisbard, Transformation of digital signature schemes into designated confirmer signature schemes, Theory of Cryptography Conference - TCC 2004, LNCS, 2951 (2004), 77–100. doi: 10.1007/978-3-540-24638-1_5.
    [166] B. Gong and Y. Zhao, Cryptanalysis of RLWE-based one-pass authenticated key exchange, Post-Quantum Cryptography - PQCrypto 2017, LNCS, 10346 (2017), 163–183.
    [167] R. Granger, On the static Diffie-Hellman problem on elliptic curves over extension fields, Advances in Cryptology - Asiacrypt 2010, LNCS, 6477 (2010), 283–302. doi: 10.1007/978-3-642-17373-8_17.
    [168] J. Groth, Cryptography in subgroups of $Z_n^*$, Theory of Cryptography Conference - TCC 2005, LNCS, 3378 (2006), 50–65. doi: 10.1007/978-3-540-30576-7_4.
    [169] P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart and V. Shmatikov, Breaking web applications built on top of encrypted data, Proc. 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS '16, 2016, 1353–1364. doi: 10.1145/2976749.2978351.
    [170] P. Grubbs, T. Ristenpart and V. Shmatikov, Why your encrypted database is not secure, Proc. 16th Workshop on Hot Topics in Operating Systems - HotOS 2017, ACM, 2017, 162–168. doi: 10.1145/3102980.3103007.
    [171] S. Halevi, An observation regarding Jutla's modes of operation, available at http://eprint.iacr.org/2001/015.
    [172] S. Halevi, A plausible approach to computer-aided cryptographic proofs, available at http://eprint.iacr.org/2005/181.
    [173] S. Halevi and H. Krawczyk, Public-key cryptography and password protocols, Proc. 5th ACM Conference on Computer and Communications Security - CCS '98, 1998, 122–131. doi: 10.1145/288090.288118.
    [174] S. Halevi and P. Rogaway, A parallelizable enciphering mode, Topics in Cryptology - CT-RSA 2004, LNCS, 2964 (2004), 292–304. doi: 10.1007/978-3-540-24660-2_23.
    [175] C. Hanser and D. Slamanig, Structure-preserving signatures on equivalence classes and their application to anonymous credentials, Advances in Cryptology - Asiacrypt 2014, LNCS, 8873 (2014), 491–511. doi: 10.1007/978-3-662-45611-8_26.
    [176] C. Herley and P. van Oorschot, SoK: Science, security and the elusive goal of security as a scientific pursuit, Proc. 2017 IEEE Symposium on Security and Privacy, 2017, 99–120. doi: 10.1109/SP.2017.38.
    [177] G. Herold, Polly cracker, revisited, revisited, Public Key Cryptography - PKC 2012, LNCS, 7293 (2012), 17–33. doi: 10.1007/978-3-642-30057-8_2.
    [178] S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar and K. Pietrzak, Lapin: An efficient authentication protocol based on ring-LPN, Fast Software Encryption - FSE 2012, LNCS, 7549 (2012), 346–365. doi: 10.1007/978-3-642-34047-5_20.
    [179] D. Hofheinz, K. Hövelmanns and E. Kiltz, A modular analysis of the Fujisaki-Okamoto transformation, Theory of Cryptography Conference - TCC 2017, LNCS, 10677 (2017), 341–371.
    [180] D. Hofheinz, K. Hövelmanns and E. Kiltz, A modular analysis of the Fujisaki-Okamoto transformation, Theory of Cryptography Conference, 10677 (2017), 341–371, available at http://eprint.iacr.org/2017/604. doi: 10.1007/978-3-319-70500-2_12.
    [181] T. Holenstein, R. Künzler and S. Tessaro, The equivalence of the random oracle model and the ideal cipher model, revisited, Proc. 43rd Annual ACM Symposium on Theory of Computing - STOC 2011, 2011, 89–98. doi: 10.1145/1993636.1993650.
    [182] Y. Hu and H. Jia, Cryptanalysis of GGH map, Advances in Cryptology - Eurocrypt 2016, LNCS, 9665 (2016), 537–565. doi: 10.1007/978-3-662-49890-3_21.
    [183] Y. Huang, F. Liu and B. Yang, Public-key cryptography from new multivariate quadratic assumptions, Public Key Cryptography - PKC 2012, LNCS, 7293 (2012), 190–205. doi: 10.1007/978-3-642-30057-8_12.
    [184] Z. Huang, S. Liu and B. Qin, Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited, Public Key Cryptography - PKC 2013, LNCS, 7778 (2013), 369–385. doi: 10.1007/978-3-642-36362-7_23.
    [185] D. Huff, How to Lie with Statistics, W. W. Norton, 1954.
    [186] E. Hufschmitt and J. Traoré, Fair blind signatures revisited, Pairing-Based Cryptography - Pairing 2007, LNCS, 4575 (2007), 268–292. doi: 10.1007/978-3-540-73489-5_14.
    [187] A. Hülsing, J. Rijnveld and F. Song, Mitigating multi-target attacks in hash-based signatures, Public Key Cryptography - PKC 2016, LNCS, 9614 (2016), 387–416. doi: 10.1007/978-3-662-49384-7_15.
    [188] J. Hwang, D. Lee and M. Yung, Universal forgery of the identity-based sequential aggregate signature scheme, Proc. 4th International Symposium on Information, Computer and Communications Security - ASIA CCS 2009, ACM, 2009, 157–160.
    [189] Y. Hwang and P. Lee, Public key encryption with conjunctive keyword search and its extension to a multi-user system, Pairing-Based Cryptography - Pairing 2007, LNCS, 4575 (2007), 2–22. doi: 10.1007/978-3-540-73489-5_2.
    [190] A. Inoue, T. Iwata, K. Minematsu and B. Poettering, Cryptanalysis of OCB2: Attacks on authenticity and confidentiality, available at http://eprint.iacr.org/2017/604.
    [191] A. Ishida, Y. Sakai, K. Emura, G. Hanaoka and K. Tanaka, Proper usage of the group signature scheme in ISO/IEC 20008-2, available at http://eprint.iacr.org/2019/284.
    [192] ISO/IEC 19772: 2009, Information Technology - Security Techniques - Authenticated Encryption, 2009.
    [193] T. Iwata, K. Ohashi and K. Minematsu, Breaking and repairing GCM security proofs, Advances in Cryptology - Crypto 2012, LNCS, 7417 (2012), 31–49. doi: 10.1007/978-3-642-32009-5_3.
    [194] M. Jakobsson and D. Pointcheval, Mutual authentication for low-power mobile devices, Financial Cryptography - FC 2001, LNCS, 2339 (2001), 178–195. doi: 10.1007/3-540-46088-8_17.
    [195] A. Jha and M. Nandi, Revisiting structure graphs: Applications to CBC-MAC and EMAC, J. Math. Cryptology, 10 (2016), 157-180.  doi: 10.1515/jmc-2016-0030.
    [196] A. Jha and M. Nandi, On rate-1 and beyond-the-birthday bound secure online ciphers using tweakable block ciphers, Cryptography and Communications, 10 (2018), 731-753.  doi: 10.1007/s12095-017-0275-0.
    [197] A. Joux, G. Martinet and F. Valette, Block-adaptive attackers: Revisiting the (in)security of some provably secure encryption modes: CBC, GEM, 1ACBC, Advances in Cryptology - Crypto 2002, LNCS, 2442 (2002), 17–30. doi: 10.1007/3-540-45708-9_2.
    [198] A. Juels and S. Weis, Authenticating pervasive devices with human protocols, Advances in Cryptology - Crypto 2005, LNCS, 3621 (2005), 293–308. doi: 10.1007/11535218_18.
    [199] S. Kakvi and E. Kiltz, Optimal security proofs for full domain hash, revisited, Advances in Cryptology - Eurocrypt 2012, LNCS, 7237 (2012), 537–553. doi: 10.1007/978-3-642-29011-4_22.
    [200] J. Katz, Letter to the editor, Notices of the Amer. Math. Soc., 54 (2007), 1454-1455. 
    [201] J. Katz and Y. Lindell, Introduction to Modern Cryptography, 2nd edition, Chapman and Hall/CRC, 2015.
    [202] J. Katz and Y. Lindell, Aggregate message authentication codes, Topics in Cryptology - CT-RSA 2008, LNCS, 4964 (2008), 155–169. doi: 10.1007/978-3-540-79263-5_10.
    [203] E. Kiltz, D. Masny and J. Pan, Optimal security proofs for signatures from identification schemes, Advances in Cryptology - Crypto 2016, LNCS, 9815 (2016), 33–61. doi: 10.1007/978-3-662-53008-5_2.
    [204] A. H. Koblitz, N. Koblitz and A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm shift, J. Number Theory, 131 (2011), 781-814.  doi: 10.1016/j.jnt.2009.01.006.
    [205] N. Koblitz, The uneasy relationship between mathematics and cryptography, Notices of the Amer. Math. Soc., 54 (2007), 972-979. 
    [206] N. Koblitz, Another look at automated theorem-proving, J. Math. Cryptology, 1 (2007), 385-403.  doi: 10.1515/jmc.2007.020.
    [207] N. Koblitz, Another look at automated theorem-proving. Ⅱ, J. Math. Cryptology, 5 (2012), 205-224.  doi: 10.1515/jmc-2011-0014.
    [208] N. Koblitz and A. Menezes, Another look at "provable security". Ⅱ, Progress in Cryptology - Indocrypt 2006, LNCS, 4329 (2006), 148–175. doi: 10.1007/11941378_12.
    [209] N. Koblitz and A. Menezes, Another look at "provable security", J. Cryptology, 20 (2007), 3-37.  doi: 10.1007/s00145-005-0432-z.
    [210] N. Koblitz and A. Menezes, Another look at generic groups, Advances in Math. Communications, 1 (2007), 13-28.  doi: 10.3934/amc.2007.1.13.
    [211] N. Koblitz and A. Menezes, Another look at non-standard discrete log and Diffie-Hellman problems, J. Math. Cryptology, 2 (2008), 311-326.  doi: 10.1515/JMC.2008.014.
    [212] N. Koblitz and A. Menezes, The brave new world of bodacious assumptions in cryptography, Notices of the Amer. Math. Soc., 57 (2010), 357-365. 
    [213] N. Koblitz and A. Menezes, Intractable problems in cryptography, Finite Fields: Theory and Applications, Contemporary Mathematics, 518 (2010), 279-300.  doi: 10.1090/conm/518/10212.
    [214] N. Koblitz and A. Menezes, Another look at HMAC, J. Math. Cryptology, 7 (2013), 225-251.  doi: 10.1515/jmc-2013-5004.
    [215] N. Koblitz and A. Menezes, Another look at non-uniformity, Groups Complexity Cryptology, 5 (2013), 117-139.  doi: 10.1515/gcc-2013-0008.
    [216] N. Koblitz and A. Menezes, Another look at security definitions, Advances in Math. Communications, 7 (2013), 1-38.  doi: 10.3934/amc.2013.7.1.
    [217] N. Koblitz and A. Menezes, Another look at security theorems for 1-key nested MACs, in Ç. Koç, ed., Open Problems in Mathematics and Computational Science, Springer-Verlag, 2014, 69–89.
    [218] N. Koblitz and A. Menezes, The random oracle model: A twenty-year retrospective, Designs, Codes and Cryptography, 77 (2015), 587-610.  doi: 10.1007/s10623-015-0094-2.
    [219] H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), Advances in Cryptology - Crypto 2001, LNCS, 2139 (2001), 310–331. doi: 10.1007/3-540-44647-8_19.
    [220] H. Krawczyk, HMQV: A high-performance secure Diffie-Hellman protocol, Advances in Cryptology - Crypto 2005, LNCS, 3621 (2005), 546–566. doi: 10.1007/11535218_33.
    [221] S. Kunz-Jacques, G. Martinet, G. Poupard and J. Stern, Cryptanalysis of an efficient proof of knowledge of discrete logarithm, Public Key Cryptography - PKC 2006, LNCS, 3958 (2006), 27–43. doi: 10.1007/11745853_3.
    [222] K. Kurosawa and W. Ogata, Efficient Rabin-type digital signature scheme, Designs, Codes and Cryptography, 16 (1999), 53-64.  doi: 10.1023/A:1008374325369.
    [223] M. Lacharité, Security of BLS and BGLS signatures in a multi-user setting, Cryptography and Communications, 10 (2018), 41-58.  doi: 10.1007/s12095-017-0253-6.
    [224] P. Lafrance and A. Menezes, On the security of the WOTS-PRF signature scheme, Advances in Math. Communications, 13 (2019), 185-193.  doi: 10.3934/amc.2019012.
    [225] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, An efficient protocol for authenticated key agreement, Designs, Codes and Cryptography, 28 (2003), 119-134.  doi: 10.1023/A:1022595222606.
    [226] G. Leurent, M. Nandi and F. Sibleyras, Generic attacks against beyond-birthday-bound MACs, Advances in Cryptology - Crypto 2018, LNCS, 10991 (2018), 306–336.
    [227] B. Libert and J. Quisquater, Efficient signcryption with key privacy from gap Diffie-Hellman groups, Public Key Cryptography - PKC 2004, LNCS, 2947 (2004), 187–200. doi: 10.1007/978-3-540-24632-9_14.
    [228] B. Libert and J. Quisquater, Improved signcryption from $q$-Diffie-Hellman problems, Security in Communication Networks - SCN 2004, LNCS, 3352 (2004), 220–234. doi: 10.1007/978-3-540-30598-9_16.
    [229] E. List and M. Nandi, Revisiting full-prf-secure PMAC and using it for beyond-birthday authenticated encryption, Topics in Cryptology - CT-RSA 2017, LNCS, 10159 (2017), 258–274.
    [230] A. Luykx, B. Mennink and K. Paterson, Analyzing multi-key security degradation, Advances in Cryptology - Asiacrypt 2017, LNCS, 10625 (2017), 575–605.
    [231] C. Ma, Efficient short signcryption scheme with public verifiability, Information Security and Cryptology - Inscrypt 2006, LNCS, 4318 (2006), 118–129. doi: 10.1007/11937807_10.
    [232] C. Ma, J. Weng, Y. Li and R. Deng, Efficient discrete logarithm based multi-signature scheme in the plain public key model, Designs, Codes and Cryptography, 54 (2010), 121-133.  doi: 10.1007/s10623-009-9313-z.
    [233] J. Manger, A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1 v2.0, Advances in Cryptology - Crypto 2001, LNCS, 2139 (2001), 230–238. doi: 10.1007/3-540-44647-8_14.
    [234] D. McGrew and S. Fluhrer, The security of the extended codebook (XCB) mode of operation, Selected Areas in Cryptography - SAC 2007, LNCS, 4876 (2007), 311–327. doi: 10.1007/978-3-540-77360-3_20.
    [235] D. McGrew and J. Viega, The security and performance of the Galois/Counter Mode (GCM) of operation, Progress in Cryptology - Indocrypt 2004, LNCS, 3348 (2004), 343–355. doi: 10.1007/978-3-540-30556-9_27.
    [236] A. Menezes, Another look at HMQV, J. Math. Cryptology, 1 (2007), 47-64.  doi: 10.1515/JMC.2007.004.
    [237] A. Menezes, Another look at provable security, Invited talk at Eurocrypt 2012, available at http://www.cs.bris.ac.uk/eurocrypt2012/Program/Weds/Menezes.pdf.
    [238] A. Menezes and N. Smart, Security of signature schemes in a multi-user setting, Designs, Codes and Cryptography, 33 (2004), 261-274.  doi: 10.1023/B:DESI.0000036250.18062.3f.
    [239] A. Menezes and B. Ustaoglu, On the importance of public-key validation in the MQV and HMQV key agreement protocols, Progress in Cryptology - Indocrypt 2006, LNCS, 4329 (2006), 133–147. doi: 10.1007/11941378_11.
    [240] K. Minematsu, Parallelizable rate-1 authenticated encryption from pseudorandom functions, Advances in Cryptology - Eurocrypt 2014, LNCS, 8441 (2014), 275–292. doi: 10.1007/978-3-642-55220-5_16.
    [241] B. Möller, T. Duong and K. Kotowicz, The POODLE bites: Exploiting the SSL 3.0 fallback, 2014, available at http://www.openssl.org/~bodo/ssl-poodle.pdf.
    [242] Y. Naito, Full prf-secure message authentication code based on tweakable block cipher, International Conference on Provable Security - ProvSec 2015, LNCS, 9451 (2015), 167–182. doi: 10.1007/978-3-319-26059-4_9.
    [243] Y. Naito, Improved security bound of LightMAC_Plus and its single-key variant, Topics in Cryptology - CT-RSA 2018, LNCS, 10808 (2018), 300–318.
    [244] M. Nandi, Forging attacks on two authenticated encryption schemes COBRA and POET, Advances in Cryptology - Asiacrypt 2014, LNCS, 8873 (2014), 126–140. doi: 10.1007/978-3-662-45611-8_7.
    [245] M. Nandi, XLS is not a strong pseudorandom permutation, Advances in Cryptology - Asiacrypt 2014, LNCS, 8873 (2014), 478–490. doi: 10.1007/978-3-662-45611-8_25.
    [246] M. Nandi and T. Pandit, On the security of joint signature and encryption revisited, J. Math. Cryptology, 10 (2016), 181-221.  doi: 10.1515/jmc-2015-0060.
    [247] T. Okamoto, E. Fujisaki and H. Morita, TSH-ESIGN: Efficient digital signature scheme using trisection hash, submission to IEEE P1363a, 1998.
    [248] C. O'Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy, Crown, 2016.
    [249] O. Pandey and Y. Rouselakis, Property preserving symmetric encryption, Advances in Cryptology - Eurocrypt 2012, LNCS, 7237 (2012), 375–391.
    [250] D. Park, K. Kim and P. Lee, Public-key encryption with conjunctive keyword search, WISA 2004, LNCS, 3325 (2004), 73–86. doi: 10.1007/978-3-540-31815-6_7.
    [251] K. Paterson, T. Ristenpart and T. Shrimpton, Tag size does matter: Attacks and proofs for the TLS record protocol, Advances in Cryptology - Asiacrypt 2011, LNCS, 7073 (2011), 372–389. doi: 10.1007/978-3-642-25385-0_20.
    [252] C. Peikert, 19 February 2015 blog posting, http://web.eecs.umich.edu/~cpeikert/soliloquy.html.
    [253] C. Peikert, 24 May 2018 pqc-forum, http://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/7H6wv-Xrp18.
    [254] K. Pietrzak, A tight bound for EMAC, Automata, Languages and Programming. Part II - ICALP 2006, LNCS, 4052 (2006), 168–179. doi: 10.1007/11787006_15.
    [255] A. Pinto, B. Poettering and J. Schuldt, Multi-recipient encryption, revisited, Proc. 9th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '14, 2014, 229–238. doi: 10.1145/2590296.2590329.
    [256] R. Poddar, T. Boelter and R. Popa, Arx: A strongly encrypted database system, available at http://eprint.iacr.org/2016/591.
    [257] D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptology, 13 (2000), 361-396.  doi: 10.1007/s001450010003.
    [258] R. Popa and N. Zeldovich, Multi-key searchable encryption, available at http://eprint.iacr.org/2013/508.
    [259] O. Regev, On lattices, Learning with errors, random linear codes, and cryptography, Journal of the ACM, 56 (2009), Art. 34, 40 pp. doi: 10.1145/1568318.1568324.
    [260] T. Ristenpart and P. Rogaway, How to enrich the message space of a cipher, Fast Software Encryption - FSE 2007, LNCS, 4593 (2007), 101–118. doi: 10.1007/978-3-540-74619-5_7.
    [261] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, Advances in Cryptology - Asiacrypt 2004, LNCS, 3329 (2004), 16–31. doi: 10.1007/978-3-540-30539-2_2.
    [262] P. Rogaway, M. Bellare and J. Black, OCB: A block-cipher mode of operation for efficient authenticated encryption, ACM Transactions on Information and System Security, 6 (2003), 365-403.
    [263] P. Rogaway and T. Shrimpton, A provable-security treatment of the key-wrap problem, Advances in Cryptology - Eurocrypt 2006, LNCS, 4004 (2006), 373–390. doi: 10.1007/11761679_23.
    [264] F. Salmon, Recipe for disaster: The formula that killed Wall Street, Wired Magazine, 17 (2009).
    [265] P. Sarkar, Pseudo-random functions and parallelizable modes of operations of a block cipher, IEEE Transactions on Information Theory, 56 (2010), 4025-4037.  doi: 10.1109/TIT.2010.2050921.
    [266] C.-P. Schnorr, Efficient identification and signatures for smart cards, Advances in Cryptology - Crypto 1989, LNCS, 435 (1990), 239–252. doi: 10.1007/0-387-34805-0_22.
    [267] D. Schröder and D. Unruh, Security of blind signatures revisited, J. Cryptology, 30 (2017), 470-494.  doi: 10.1007/s00145-015-9225-1.
    [268] W. Schroé, B. Mennink, E. Andreeva and B. Preneel, Forgery and subkey recovery on CAESAR candidate iFeed, Selected Areas in Cryptography - SAC 2015, LNCS, 9566 (2015), 197–204. doi: 10.1007/978-3-319-31301-6_11.
    [269] J. Seo and K. Emura, Revocable identity-based encryption revisited: Security model and construction, Public Key Cryptography - PKC 2013, LNCS, 7778 (2013), 216–234. doi: 10.1007/978-3-642-36362-7_14.
    [270] J. Shao and Z. Cao, CCA-secure proxy re-encryption without pairings, Public Key Cryptography - PKC 2009, LNCS, 5443 (2009), 357–376. doi: 10.1007/978-3-642-00468-1_20.
    [271] V. Shoup, Lower bounds for discrete logarithms and related problems, Advances in Cryptology - Eurocrypt 1997, LNCS, 1233 (1997), 256–266. doi: 10.1007/3-540-69053-0_18.
    [272] V. Shoup, Why chosen ciphertext security matters, IBM Research Report RZ 3076 (#93122), 23 November 1998.
    [273] V. Shoup, OAEP reconsidered, J. Cryptology, 15 (2002), 223-249.  doi: 10.1007/s00145-002-0133-9.
    [274] V. Shoup, ISO/IEC 18033-2: 2006, Information Technology - Security Techniques - Encryption Algorithms - Part 2: Asymmetric Ciphers, 2006; final draft available at http://www.shoup.net/iso/std6.pdf.
    [275] A. Sidorenko and B. Schoenmakers, Concrete security of the Blum-Blum-Shub pseudorandom generator, Cryptography and Coding 2005, LNCS, 3796 (2005), 355–375. doi: 10.1007/11586821_24.
    [276] B. Snow, Telephone conversation with N. Koblitz, 7 May 2009.
    [277] A. Sokal, Transgressing the boundaries: Toward a transformative hermeneutics of quantum gravity, Social Text, 1996, 217–252. doi: 10.2307/466856.
    [278] D. Soldera, J. Seberry and C. Qu, The analysis of Zheng-Seberry scheme, ACISP 2002, LNCS, 2384 (2002), 159–168. doi: 10.1007/3-540-45450-0_13.
    [279] P. Soundararajan, Non-Constructivity in Security Proofs, Master's thesis, University of Waterloo, 2018.
    [280] J. Stern, D. Pointcheval, J. Malone-Lee and N. Smart, Flaws in applying proof methodologies to signature schemes, Advances in Cryptology - Crypto 2002, LNCS, 2442 (2002), 93–110. doi: 10.1007/3-540-45708-9_7.
    [281] J. Stillwell, Mathematics and Its History, 2nd ed., Springer-Verlag, 2002. doi: 10.1007/978-1-4684-9281-1.
    [282] C. Tan, On the security of signcryption scheme with key privacy, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E88-A (2005), 1093-1095. doi: 10.1016/j.ipl.2006.01.015.
    [283] C. Tan, Analysis of improved signcryption scheme with key privacy, Information Processing Letters, 99 (2006), 135-138.  doi: 10.1016/j.ipl.2006.01.015.
    [284] C. Tan, Security analysis of signcryption scheme from $q$-Diffie-Hellman problems, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E89-A (2006), 206-208.  doi: 10.1093/ietfec/e89-a.1.206.
    [285] C. Tan, Forgery of provable secure short signcryption scheme, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E90-A (2007), 1879-1880.  doi: 10.1093/ietfec/e90-a.9.1879.
    [286] M. Tibouchi, Cryptographic multilinear maps: A status report, CRYPTREC-EX-2603-2016, January 2017, available at http://www.cryptrec.go.jp/estimation/cryptrec-ex-2603-2016.pdf.
    [287] S. Vaudenay, Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS, Advances in Cryptology - Eurocrypt 2002, LNCS, 2332 (2002), 534–545. doi: 10.1007/3-540-46035-7_35.
    [288] U. V. Vazirani and V. V. Vazirani, Efficient and secure pseudo-random number generation, Proc. 25th Annual IEEE Symposium on the Foundations of Computer Science - FOCS 1984, 1984, 458–463. doi: 10.1109/SFCS.1984.715948.
    [289] D. Wikström, Designated confirmer signatures revisited, Theory of Cryptography Conference - TCC 2007, LNCS, 4392 (2007), 342–361. doi: 10.1007/978-3-540-70936-7_19.
    [290] D. Wong and A. Chan, Efficient and mutually authenticated key exchange for low power computing devices, Advances in Cryptology - Asiacrypt 2001, LNCS, 2248 (2001), 272–289. doi: 10.1007/3-540-45682-1_17.
    [291] Xbox 360 timing attack, http://beta.ivc.no/wiki/index.php/Xbox_360_Timing_Attack.
    [292] L. Xi, K. Yang, Z. Zhang and D. Feng, DAA-related APIs in TPM 2.0 revisited, Trust and Trustworthy Computing - Trust 2014, LNCS, 8564 (2014), 1–18. doi: 10.1007/978-3-319-08593-7_1.
    [293] B. Yang, C. Chen, D. Bernstein and J. Chen, Analysis of QUAD, Fast Software Encryption - FSE 2007, LNCS, 4593 (2007), 290–308. doi: 10.1007/978-3-540-74619-5_19.
    [294] G. Yang, D. Wong and X. Deng, Analysis and improvement of a signcryption scheme with key privacy, Information Security - ISC 2005, LNCS, 3650 (2005), 218–232. doi: 10.1007/11556992_16.
    [295] A. Young and M. Yung, Malicious Cryptography: Exposing Cryptovirology, Wiley, 2004.
    [296] G. M. Zaverucha, Hybrid encryption in the multi-user setting, available at http://eprint.iacr.org/2012/159.
    [297] L. Zhang, W. Hu, H. Sui and P. Wang, iFeed[AES] v1, submission to CAESAR competition, available at https://competitions.cr.yp.to/round1/ifeedaesv1.pdf.
    [298] J. Zhang, Z. Zhang, J. Ding, M. Snook and Ö. Dagdelen, Authenticated key exchange from ideal lattices, Advances in Cryptology - Eurocrypt 2015, LNCS, 9057 (2015), 719–751. doi: 10.1007/978-3-662-46803-6_24.