1.

R. Anderson and S. Vaudenay, Minding your *p*'s and *q*'s, *'96*, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 26–35.

2.

ANSI X9.42, *Agreement of Symmetric Algorithm Keys Using Diffie-Hellman* (2001).

3.

ANSI X9.62, *The Elliptic Curve Digital Signature Algorithm (ECDSA)* (1999).

4.

ANSI X9.63, *Elliptic Curve Key Agreement and Key Transport Protocols* (2001).

5.

M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, *'96*, Lecture Notes in Computer Science, Vol. 1109, Springer-Verlag (1996) pp. 1–15.

6.

M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, In *Proceedings of the 30th Annual ACM Symposium on the Theory of Computing* (1998) pp. 419–428.

7.

M. Bellare and P. Rogaway, Entity authentication and key distribution, *'93*, Lecture Notes in Computer Science, Vol. 773, Springer-Verlag (1994) pp. 232–249.

8.

S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, In *Proceedings of the sixth IMA International Conference on Cryptography and Coding*, Lecture Notes in Computer Science, Vol. 1355, Springer-Verlag (1997) pp. 30–45.

9.

M. Burmester, On the risk of opening distributed keys, *'94*, Lecture Notes in Computer Science, Vol. 839, Springer-Verlag (1994) pp. 308–317.

10.

R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, *Advances in Cryptology- Eurocrypt 2001*, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag (2001) pp. 453–474.

11.

D. Chaum, J.-H. Evertse and J. van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations, *'87*, Lecture Notes in Computer Science, Vol. 304, Springer-Verlag (1988) pp. 127–141.

12.

Y. Desmedt and M. Burmester, Towards practical 'proven secure' authenticated key distribution, *1st ACM Conference on Computer and Communications Security* (1993) pp. 228–231.

13.

W. Diffie and M. Hellman, New Directions in Cryptography,

*IEEE Transactions on Information Theory*, Vol. 22 (1976) pp. 644–654.

Google Scholar14.

W. Diffie, P. van Oorschot and M.Wiener, Authentication and authenticated key exchanges,

*Designs, Codes and Cryptography*, Vol. 2 (1992) pp. 107–125.

Google Scholar15.

G. Frey and H. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves,

*Mathematics of Computation*, Vol. 62 (1994) pp. 865–874.

Google Scholar16.

K. C. Goss, Cryptographic method and apparatus for public key exchange with authentication, U.S. patent 4,956,865, September 11 (1990).

17.

IEEE P1363-2000, *Standard Specifications for Public-Key Cryptography* (2000).

18.

ISO/IEC 15946-3, *Information Technology- Security Techniques- Cryptographic Techniques Based on Elliptic Curves, Part 3*; Key Establishment (2002).

19.

D. Johnson, Contribution to ANSI X9F1 working group (1997).

20.

M. Just and S. Vaudenay, Authenticated multi-party key agreement, *'96*, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 36–49.

21.

B. Kaliski, Contribution to ANSI X9F1 and IEEE P1363 working groups, June (1998).

22.

B. Kaliski, An unknown key-share attack on the MQV key agreement protocol,

*ACM Transactions on Information and System Security*, Vol. 4 (2001) pp. 275–288.

Google Scholar23.

C. Lim and P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, *'97*, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag (1997) pp. 249–263.

24.

T. Matsumoto,Y. Takashima and H. Imai, Onseeking smart public-key distribution systems,

*The Transactions of the IECE of Japan*, Vol. E69 (1986) pp. 99–106.

Google Scholar25.

A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field,

*IEEE Transactions on Information Theory*, Vol. 39 (1993) pp. 1639–1646.

Google Scholar26.

A. Menezes, M. Qu and S. Vanstone, Key agreement and the need for authentication, Presentation at PKS '95, Toronto, Canada, November (1995).

27.

C. Mitchell, M. Ward and P. Wilson, Key control in key agreement protocols.

*Electronics Letters*, Vol. 34 (1998) pp. 980–981.

Google Scholar28.

National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS Publication 180-1, April (1995).

29.

National Institute of Standards and Technology, Digital signature standard, FIPS Publication 186-2, (1999).

30.

National Institute of Standards and Technology, Second key management workshop, November (2001).

31.

National Security Agency, SKIPJACK and KEA algorithm specification, Version 2.0, May 29 (1998).

32.

S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(

*p*) and its cryptographic significance,

*IEEE Transactions on Information Theory*, Vol. 24 (1978) pp. 106–110.

Google Scholar33.

J. Pollard, Monte Carlo methods for index computation mod

*p*,

*Mathematics of Computation*, Vol. 32 (1978) pp. 918–924.

Google Scholar34.

T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves,

*Commentarii Mathematici Universitatis Sancti Pauli*, Vol. 47 (1998) pp. 81–92.

Google Scholar35.

I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic

*p*,

*Mathematics of Computation*, Vol. 67 (1998) pp. 353–356.

Google Scholar36.

V. Shoup, On formal models for secure key exchange, available from Theory of Cryptography Library, http://philby.ucsd.edu/cryptolib, April 1999. Revised November (1999).

37.

N. Smart, The discrete logarithm problem on elliptic curves of trace one,

*Journal of Cryptology*, Vol. 12 (1999) pp. 193–196.

Google Scholar38.

J. Solinas, Low-weight binary representations for pairs of integers, Technical Report CORR 2001-48, Department of C&O, University of Waterloo (2001).

39.

P. van Oorschot and M. Wiener, On Diffie-Hellman key agreement with short exponents, *'96*, Lecture Notes in Computer Science, Vol. 1070, Springer-Verlag (1996) pp. 332–343.

40.

Y. Yacobi, A key distribution paradox,

*'90*, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag (1991) pp. 268–273.

Google Scholar