Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

References

[1] M. Abadi and R. Needham, "Prudent engineering practice for cryptographic protocols", DEC SRC report #125, Digital Equipment Corporation, Palo Alto, CA, 1994.
[2] M. Abadi and M.R. Tuttle, "A semantics for a logic of authentication", Proceedings of the Tenth Annual ACM Symposium on Principles of Distributed Computing, 201–216, 1991.
[3] C. Adams, "Symmetric cryptographic system for data encryption", U.S. Patent # 5,511,123, 23 Apr 1996.
[4] C. Adams, "IDUP and SPKM: Developing public-key-based APIs and mechanisms for communication security services", Proceedings of the Internet Society Symposium on Network and Distributed System Security, 128–135, IEEE Computer Society Press, 1996.
[5] C. Adams and H. Meijer, "Security-related comments regarding McEliece's public-key cryptosystem", Advances in Cryptology–CRYPTO '87 (LNCS 293), 224–228, 1988.
[6] C. Adams and H. Meijer, "Security-related comments regarding McEliece's public-key cryptosystem", IEEE Transactions on Information Theory, 35 (1989), 454–455. An earlier version appeared in [5].
[7] C. Adams and S.E. Tavares, "Designing S-boxes for ciphers resistant to differential cryptanalysis", W. Wolfowicz, editor, Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, 181–190, 1993.
[8] L.M. Adleman, "A subexponential algorithm for the discrete logarithm problem with applications to cryptography", Proceedings of the IEEE 20th Annual Symposium on Foundations of Computer Science, 55–60, 1979.
[9] L.M. Adleman, "The function field sieve", Algorithmic Number Theory (LNCS 877), 108–121, 1994.
[10] L.M. Adleman, "Molecular computation of solutions to combinatorial problems", Science, 266 (1994), 1021–1024.
[11] L.M. Adleman and J. DeMarrais, "A subexponential algorithm for discrete logarithms over all finite fields", Mathematics of Computation, 61 (1993), 1–15.
[12] L.M. Adleman, J. DeMarrais, and M.-D. Huang, "A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields", Algorithmic Number Theory (LNCS 877), 28–40, 1994.
[13] L.M. Adleman and M.-D. A. Huang, Primality Testing and Abelian Varieties Over Finite Fields, Springer-Verlag, Berlin, 1992.
[14] L.M. Adleman and H.W. Lenstra Jr., "Finding irreducible polynomials over finite fields", Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 350–
[15] L.M. Adleman and K.S. McCurley, "Open problems in number theoretic complexity, II", Algorithmic Number Theory (LNCS 877), 291–322, 1994.
[16] L.M. Adleman, C. Pomerance, and R.S. Rumely, "On distinguishing prime numbers from composite numbers", Annals of Mathematics, 117 (1983), 173–206.
[17] G.B. Agnew, "Random sources for cryptographic systems", Advances in Cryptology–EUROCRYPT '87 (LNCS 304), 77–81, 1988.
[18] G.B. Agnew, R.C. Mullin, I.M. Onyszchuk, and S.A. Vanstone, "An implementation for a fast public-key cryptosystem", Journal of Cryptology, 3 (1991), 63–79.
[19] G.B. Agnew, R.C. Mullin, and S.A. Vanstone, "Improved digital signature scheme based on discrete exponentiation", Electronics Letters, 26 (July 5, 1990), 1024–1025.
[20] S.G. Akl, "On the security of compressed encodings", Advances in Cryptology–Proceedings of Crypto 83, 209–230, 1984.
[21] N. Alexandris, M. Burmester, V. Chrissikopoulos, and Y. Desmedt, "A secure key distribution system", W. Wolfowicz, editor, Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, 30–34, Feb. 1993.
[22] W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr, "RSA/Rabin bits are 1/2 + 1/poly(log n) secure", Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science, 449–457, 1984.
[23] W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr, "RSA and Rabin functions: Certain parts are as hard as the whole", SIAM Journal on Computing, 17 (1988), 194–209. An earlier version appeared in [22].
[24] W.R. Alford, A. Granville, and C. Pomerance, "There are infinitely many Carmichael numbers", Annals of Mathematics, 140 (1994), 703–722.
[25] H. Amirazizi and M. Hellman, "Time-memory-processor trade-offs", IEEE Transactions on Information Theory, 34 (1988), 505–512.
[26] R. Anderson, "Practical RSA trapdoor", Electronics Letters, 29 (May 27, 1993), 995.
[27] R. Anderson, "The classification of hash functions", P.G. Farrell, editor, Codes and Cyphers: Cryptography and Coding IV, 83–93, Institute of Mathematics & Its Applications (IMA), 1995.
[28] R. Anderson, "On Fibonacci keystream generators", B. Preneel, editor, Fast Software Encryption, Second International Workshop (LNCS 1008), 346–352, Springer-Verlag, 1995.
[29] R. Anderson, "Searching for the optimum correlation attack", B. Preneel, editor, Fast Software Encryption, Second International Workshop (LNCS 1008), 137–143, Springer-Verlag, 1995.
[30] R. Anderson and E. Biham, "Two practical and provably secure block ciphers: BEAR and LION", D. Gollmann, editor, Fast Software Encryption, Third International Workshop (LNCS 1039), 113–120, Springer-Verlag, 1996.
[31] R. Anderson and R. Needham, "Robustness principles for public key protocols", Advances in Cryptology–CRYPTO '95 (LNCS 963), 236–247, 1995.
[32] N.C. Ankeny, "The least quadratic non residue", Annals of Mathematics, 55 (1952), 65–72.
[33] ANSI X3.92, "American National Standard – Data Encryption Algorithm", American National Standards Institute, 1981.
[34] ANSI X3.106, "American National Standard for Information Systems – Data Encryption Algorithm – Modes of Operation", American National Standards Institute, 1983.
[35] ANSI X9.8, "American National Standard for Financial Services – Banking – Personal Identification Number management and security. Part 1: PIN protection principles and techniques; Part 2: Approved algorithms for PIN encipherment", ASC X9 Secretariat – American Bankers Association, 1995.
[36] ANSI X9.9 (revised), "American National Standard – Financial institution message authentication (wholesale)", ASC X9 Secretariat – American Bankers Association, 1986 (replaces X9.9–1982).
[37] ANSI X9.17, "American National Standard – Financial institution key management (wholesale)", ASC X9 Secretariat – American Bankers Association, 1985.
[38] ANSI X9.19, "American National Standard – Financial institution retail message authentication", ASC X9 Secretariat – American Bankers Association, 1986.
[39] ANSI X9.23, "American National Standard – Financial institution encryption of wholesale financial messages", ASC X9 Secretariat – American Bankers Association, 1988.
[40] ANSI X9.24, "American National Standard for Financial Services – Financial services retail key management", ASC X9 Secretariat – American Bankers Association, 1992.
[41] ANSI X9.26, "American National Standard – Financial institution sign-on authentication for wholesale financial transactions", ASC X9 Secretariat – American Bankers Association.
[42] ANSI X9.28, "American National Standard for Financial Services – Financial institution multiple center key management (wholesale)", ASC X9 Secretariat – American Bankers Association, 1991.
[43] ANSI X9.30 (Part 1), "American National Standard for Financial Services – Public key cryptography using irreversible algorithms for the financial services industry – Part 1: The digital signature algorithm (DSA)", ASC X9 Secretariat – American Bankers Association.
[44] ANSI X9.30 (Part 2), "American National Standard for Financial Services – Public key cryptography using irreversible algorithms for the financial services industry – Part 2: The secure hash algorithm (SHA)", ASC X9 Secretariat – American Bankers Association, 1993.
[45] ANSI X9.31 (Part 1), "American National Standard for Financial Services – Public key cryptography using RSA for the financial services industry – Part 1: The RSA signature algorithm", draft, 1995.
[46] ANSI X9.31 (Part 2), "American National Standard for Financial Services – Public key cryptography using RSA for the financial services industry – Part 2: Hash algorithms for RSA", draft, 1995.
[47] ANSI X9.42, "Public key cryptography for the financial services industry: Management of symmetric algorithm keys using Diffie-Hellman", draft, 1995.
[48] ANSI X9.44, "Public key cryptography using reversible algorithms for the financial services industry: Transport of symmetric algorithm keys using RSA", draft, 1994.
[49] ANSI X9.45, "Public key cryptography for the financial services industry – Enhanced management controls using digital signatures and attribute certificates", draft, 1996.
[50] ANSI X9.52, "Triple data encryption algorithm modes of operation", draft, 1996.
[51] ANSI X9.55, "Public key cryptography for the financial services industry – Extensions to public key certificates and certificate revocation lists", draft, 1995.
[52] ANSI X9.57, "Public key cryptography for the financial services industry – Certificate management", draft, 1995.
[53] K. Aoki and K. Ohta, "Differential-linear cryptanalysis of FEAL-8", IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science, E79-A (1996), 20–27.
[54] B. Arazi, "Integrating a key distribution procedure into the digital signature standard", Electronics Letters, 29 (May 27, 1993), 966–967.
[55] B. Arazi, "On primality testing using purely divisionless operations", The Computer Journal, 37 (1994), 219–222.
[56] F. Arnault, "Rabin-Miller primality test: composite numbers which pass it", Mathematics of Computation, 64 (1995), 355–361.
[57] A.O.L. Atkin and R.G. Larson, "On a primality test of Solovay and Strassen", SIAM Journal on Computing, 11 (1982), 789–791.
[58] A.O.L. Atkin and F. Morain, "Elliptic curves and primality proving", Mathematics of Computation, 61 (1993), 29–68.
[59] D. Atkins, M. Graff, A.K. Lenstra, and P.C. Leyland, "The magic words are SQUEAMISH OSSIFRAGE", Advances in Cryptology–ASIACRYPT '94 (LNCS 917).
[60] L. Babai, "Trading group theory for randomness", Proceedings of the 17th Annual ACM Symposium on Theory of Computing, 421–
[61] L. Babai and S. Moran, "Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes", Journal of Computer and System Sciences, 36 (1988).
[62] E. Bach, "Discrete logarithms and factoring", Report No. UCB/CSD 84/186, Computer Science Division (EECS), University of California, Berkeley, California, 1984.
[63] E. Bach, Analytic Methods in the Analysis and Design of Number-Theoretic Algorithms, MIT Press, Cambridge, Massachusetts, 1985. An ACM Distinguished Dissertation.
[64] E. Bach, "Explicit bounds for primality testing and related problems", Mathematics of Computation, 55 (1990), 355–380.
[65] E. Bach, "Number-theoretic algorithms", Annual Review of Computer Science, 4 (1990).
[66] E. Bach, "Realistic analysis of some randomized algorithms", Journal of Computer and System Sciences, 42 (1991), 30–53.
[67] E. Bach, "Toward a theory of Pollard's rho method", Information and Computation, 90.
[68] E. Bach and J. Shallit, "Factoring with cyclotomic polynomials", Proceedings of the IEEE 26th Annual Symposium on Foundations of Computer Science, 443–450, 1985.
[69] E. Bach and J. Shallit, "Factoring with cyclotomic polynomials", Mathematics of Computation, 52 (1989), 201–219. An earlier version appeared in [68].
[70] E. Bach and J. Shallit, Algorithmic Number Theory, Volume I: Efficient Algorithms, MIT Press, Cambridge, Massachusetts, 1996.
[71] E. Bach and J. Sorenson, "Sieve algorithms for perfect power testing", Algorithmica, 9 (1993), 313–328.
[72] A. Bahreman, "PEMToolKit: Building a top-down certification hierarchy", Proceedings of the Internet Society Symposium on Network and Distributed System Security, 161–171, IEEE Computer Society Press, 1995.
[73] T. Baritaud, M. Campana, P. Chauvaud, and H. Gilbert, "On the security of the permuted kernel identification scheme", Advances in Cryptology–CRYPTO '92 (LNCS 740), 305–311, 1993.
[74] W. Barker, Cryptanalysis of the Hagelin Cryptograph, Aegean Park Press, Laguna Hills, California, 1977.
[75] P. Barrett, "Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor", Advances in Cryptology–CRYPTO '86 (LNCS 263), 311–323, 1987.
[76] R.K. Bauer, T.A. Berson, and R.J. Feiertag, "A key distribution protocol using event markers", ACM Transactions on Computer Systems, 1 (1983), 249–255.
[77] U. Baum and S. Blackburn, "Clock-controlled pseudorandom generators on finite groups", B. Preneel, editor, Fast Software Encryption, Second International Workshop (LNCS 1008), 6–21, Springer-Verlag, 1995.
[78] F. Bauspiess and H.-J. Knobloch, "How to keep authenticity alive in a computer network", Advances in Cryptology–EUROCRYPT '89 (LNCS 434), 38–46, 1990.
[79] D. Bayer, S. Haber, and W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping", R. Capocelli, A. De Santis, and U. Vaccaro, editors, Sequences II: Methods in Communication, Security, and Computer Science, 329–334, Springer-Verlag, 1993.
[80] P. Beauchemin and G. Brassard, "A generalization of Hellman's extension to Shannon's approach to cryptography", Journal of Cryptology, 1 (1988), 129–131.
[81] P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, "The generation of random numbers that are probably prime", Journal of Cryptology, 1 (1988), 53–64.
[82] P. Béguin and J.-J. Quisquater, "Secure acceleration of DSS signatures using insecure server", Advances in Cryptology–ASIACRYPT '94 (LNCS 917), 249–259, 1995.
[83] A. Beimel and B. Chor, "Interaction in key distribution schemes", Advances in Cryptology–CRYPTO '93 (LNCS 773), 444–
[84] H. Beker and F. Piper, Cipher Systems: The Protection of Communications, John Wiley & Sons, New York, 1982.
[85] H. Beker and M. Walker, "Key management for secure electronic funds transfer in a retail environment", Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196).
[86] M. Bellare, R. Canetti, and H. Krawczyk, "Keying hash functions for message authentication", Advances in Cryptology–CRYPTO '96 (LNCS 1109), 1–15, 1996.
[87] M. Bellare and O. Goldreich, "On defining proofs of knowledge", Advances in Cryptology–CRYPTO '92 (LNCS 740), 390–
[88] M. Bellare, O. Goldreich, and S. Goldwasser, "Incremental cryptography: The case of hashing and signing", Advances in Cryptology–CRYPTO '94 (LNCS 839), 216–233, 1994.
[89] M. Bellare, O. Goldreich, and S. Goldwasser, "Incremental cryptography and application to virus protection", Proceedings of the 27th Annual ACM Symposium on Theory of Computing, 45–56, 1995.
[90] M. Bellare, R. Guérin, and P. Rogaway, "XOR MACs: New methods for message authentication using finite pseudorandom functions", Advances in Cryptology–CRYPTO '95 (LNCS 963), 15–28, 1995.
[91] M. Bellare, J. Kilian, and P. Rogaway, "The security of cipher block chaining", Advances in Cryptology–CRYPTO '94 (LNCS 839), 341–358, 1994.
[92] M. Bellare and S. Micali, "How to sign given any trapdoor function", Advances in Cryptology–CRYPTO '88 (LNCS 403), 200–
[93] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols", 1st ACM Conference on Computer and Communications Security, 62–73, ACM Press, 1993.
[94] M. Bellare and P. Rogaway, "Entity authentication and key distribution", Advances in Cryptology–CRYPTO '93 (LNCS 773), 232–249, 1994.
[95] M. Bellare and P. Rogaway, "Optimal asymmetric encryption", Advances in Cryptology–EUROCRYPT '94 (LNCS 950), 92–111, 1995.
[96] M. Bellare and P. Rogaway, "Provably secure session key distribution – the three party case", Proceedings of the 27th Annual ACM Symposium on Theory of Computing, 57–66, 1995.
[97] M.J. Beller, L.-F. Chang, and Y. Yacobi, "Privacy and authentication on a portable communications system", IEEE Global Telecommunications Conference, 1922–1927, 1991.
[98] M.J. Beller, L.-F. Chang, and Y. Yacobi, "Security for personal communications services: public-key vs. private key approaches", The Third IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'92), 26–31.
[99] M.J. Beller, L.-F. Chang, and Y. Yacobi, "Privacy and authentication on a portable communications system", IEEE Journal on Selected Areas in Communications, 11 (1993), 821–829.
[100] M.J. Beller and Y. Yacobi, "Minimal asymmetric authentication and key agreement schemes", October 1994 unpublished manuscript.
[101] M.J. Beller and Y. Yacobi, "Fully-fledged two-way public key authentication and key agreement for low-cost terminals", Electronics Letters, 29 (May 27, 1993), 999–1001.
[102] S.M. Bellovin and M. Merritt, "Cryptographic protocol for secure communications", U.S. Patent # 5,241,599, 31 Aug 1993.
[103] S.M. Bellovin and M. Merritt, "Limitations of the Kerberos authentication system", Computer Communication Review, 20 (1990), 119–132.
[104] S.M. Bellovin and M. Merritt, "Encrypted key exchange: password-based protocols secure against dictionary attacks", Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 72–84, 1992.
[105] S.M. Bellovin and M. Merritt, "Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise", 1st ACM Conference on Computer and Communications Security, 244–250, ACM Press, 1993.
[106] S.M. Bellovin and M. Merritt, "An attack on the Interlock Protocol when used for authentication", IEEE Transactions on Information Theory, 40 (1994), 273–
[107] I. Ben-Aroya and E. Biham, "Differential cryptanalysis of Lucifer", Advances in Cryptology–CRYPTO '93 (LNCS 773), 187–
[108] I. Ben-Aroya and E. Biham, "Differential cryptanalysis of Lucifer", Journal of Cryptology, 9 (1996), 21–34. An earlier version appeared in [107].
[109] M. Ben-Or, "Probabilistic algorithms in finite fields", Proceedings of the IEEE 22nd Annual Symposium on Foundations of Computer Science, 394–398, 1981.
[110] J. Benaloh, "Secret sharing homomorphisms: Keeping shares of a secret secret", Advances in Cryptology–CRYPTO '86 (LNCS 263).
[111] J. Benaloh and M. de Mare, "One-way accumulators: A decentralized alternative to digital signatures", Advances in Cryptology–EUROCRYPT '93 (LNCS 765).
[112] J. Benaloh and J. Leichter, "Generalized secret sharing and monotone functions", Advances in Cryptology–CRYPTO '88 (LNCS 403), 27–35, 1990.
[113] S. Bengio, G. Brassard, Y.G. Desmedt, C. Goutier, and J.-J. Quisquater, "Secure implementation of identification systems", Journal of Cryptology, 4 (1991), 175–
[114] C. Bennett, G. Brassard, S. Breidbart, and S. Wiesner, "Quantum cryptography, or unforgeable subway tokens", Advances in Cryptology–Proceedings of Crypto 82, 267–275, 1983.
[115] C. Bennett, G. Brassard, and A. Ekert, "Quantum cryptography", Scientific American, special issue (1997), 164–171.
[116] S. Berkovits, "How to broadcast a secret", Advances in Cryptology–EUROCRYPT '91 (LNCS 547), 535–541, 1991.
[117] E.R. Berlekamp, "Factoring polynomials over finite fields", Bell System Technical Journal, 46 (1967), 1853–1859.
[118] E.R. Berlekamp, Algebraic Coding Theory, McGraw Hill, New York, 1968.
[119] E.R. Berlekamp, "Factoring polynomials over large finite fields", Mathematics of Computation, 24 (1970), 713–735.
[120] E.R. Berlekamp, R.J. McEliece, and H.C.A. van Tilborg, "On the inherent intractability of certain coding problems", IEEE Transactions on Information Theory, 24 (1978), 384–386.
[121] D.J. Bernstein, "Detecting perfect powers in essentially linear time", preprint, 1995.
[122] D.J. Bernstein and A.K. Lenstra, "A general number field sieve implementation", A.K. Lenstra and H.W. Lenstra Jr., editors, The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics, 103–126, Springer-Verlag, 1993.
[123] T. Beth, "Efficient zero-knowledge identification scheme for smart cards", Advances in Cryptology–EUROCRYPT '88 (LNCS 330), 77–84, 1988.
[124] T. Beth and Z.-D. Dai, "On the complexity of pseudo-random sequences – or: If you can describe a sequence it can't be random", Advances in Cryptology–EUROCRYPT '89 (LNCS 434), 533–543, 1990.
[125] T. Beth, H.-J. Knobloch, M. Otten, G.J. Simmons, and P. Wichmann, "Towards acceptable key escrow systems", 2nd ACM Conference on Computer and Communications Security, 51–58, ACM Press, 1994.
[126] T. Beth and F.C. Piper, "The stop-and-go generator", Advances in Cryptology–Proceedings of EUROCRYPT 84 (LNCS 209), 88–92, 1985.
[127] J. Bierbrauer, T. Johansson, G. Kabatianskii, and B. Smeets, "On families of hash functions via geometric codes and concatenation", Advances in Cryptology–CRYPTO '93 (LNCS 773), 331–342, 1994.
[128] E. Biham, "New types of cryptanalytic attacks using related keys", Advances in Cryptology–EUROCRYPT '93 (LNCS 765), 398–409, 1994.
[129] E. Biham, "New types of cryptanalytic attacks using related keys", Journal of Cryptology, 7 (1994), 229–246. An earlier version appeared in [128].
[130] E. Biham, "On modes of operation", R. Anderson, editor, Fast Software Encryption, Cambridge Security Workshop (LNCS 809), 116–120, Springer-Verlag, 1994.
[131] E. Biham, "Cryptanalysis of multiple modes of operation", Advances in Cryptology–ASIACRYPT '94 (LNCS 917), 278–292, 1995.
[132] E. Biham, "On Matsui's linear cryptanalysis", Advances in Cryptology–EUROCRYPT '94 (LNCS 950), 341–355, 1995.
[133] E. Biham and A. Biryukov, "How to strengthen DES using existing hardware", Advances in Cryptology–ASIACRYPT '94 (LNCS 917), 398–412, 1995.
[134] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems", Journal of Cryptology, 4 (1991), 3–72. An earlier version appeared in [135].
[135] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems", Advances in Cryptology–CRYPTO '90 (LNCS 537), 2–21, 1991.
[136] E. Biham and A. Shamir, "Differential cryptanalysis of Feal and N-Hash", Advances in Cryptology–EUROCRYPT '91 (LNCS 547), 1–16, 1991.
[137] E. Biham and A. Shamir, "Differential cryptanalysis of Snefru, Khafre, REDOC-II, LOKI, and Lucifer", Advances in Cryptology–CRYPTO '91 (LNCS 576), 156–171, 1992.
[138] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, New York, 1993.
[139] E. Biham and A. Shamir, "Differential cryptanalysis of the full 16-round DES", Advances in Cryptology–CRYPTO '92 (LNCS 740), 487–496, 1993.
[140] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, "Systematic design of two-party authentication protocols", Advances in Cryptology–CRYPTO '91 (LNCS 576), 44–
[141] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, "Systematic design of a family of attack-resistant authentication protocols", IEEE Journal on Selected Areas in Communications, 11 (1993), 679–693.
[142] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, "The KryptoKnight family of light-weight protocols for authentication and key distribution", IEEE/ACM Transactions on Networking, 3 (1995), 31–41.
[143] S. Blackburn, S. Murphy, and J. Stern, "The cryptanalysis of a public-key implementation of finite group mappings", Journal of Cryptology, 8 (1995), 157–166.
[144] R.E. Blahut, Principles and Practice of Information Theory, Addison-Wesley, Reading, Massachusetts, 1987.
[145] I.F. Blake, R. Fuji-Hara, R.C. Mullin, and S.A. Vanstone, "Computing logarithms in finite fields of characteristic two", SIAM Journal on Algebraic and Discrete Methods, 5 (1984), 276–285.
[146] I.F. Blake, S. Gao, and R. Lambert, "Constructive problems for irreducible polynomials over finite fields", T.A. Gulliver and N.P. Secord, editors, Information Theory and Applications (LNCS 793), 1–23, Springer-Verlag, 1994.
[147] B. Blakley, G.R. Blakley, A.H. Chan, and J.L. Massey, "Threshold schemes with disenrollment", Advances in Cryptology–CRYPTO '92 (LNCS 740), 540–548, 1993.
[148] G. Blakley, "Safeguarding cryptographic keys", Proceedings of AFIPS National Computer Conference, 313–317, 1979.
[149] G. Blakley, "A computer algorithm for calculating the product AB modulo M", IEEE Transactions on Computers, 32 (1983), 497–500.
[150] G. Blakley and I. Borosh, "Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages", Computers and Mathematics with Applications, 5:3 (1979), 169–178.
[151] G. Blakley and C. Meadows, "Security of ramp schemes", Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 242–268, 1985.
[152] M. Blaze, "Protocol failure in the escrowed encryption standard", 2nd ACM Conference on Computer and Communications Security, 59–67, ACM Press, 1994.
[153] D. Bleichenbacher, "Generating ElGamal signatures without knowing the secret key", Advances in Cryptology–EUROCRYPT '96 (LNCS 1070), 10–18, 1996.
[154] D. Bleichenbacher, W. Bosma, and A.K. Lenstra, "Some remarks on Lucas-based cryptosystems", Advances in Cryptology–CRYPTO '95 (LNCS 963), 386–396, 1995.
[155] D. Bleichenbacher and U. Maurer, "Directed acyclic graphs, one-way functions and digital signatures", Advances in Cryptology–CRYPTO '94 (LNCS 839), 75–
[156] U. Blöcher and M. Dichtl, "Fish: A fast software stream cipher", R. Anderson, editor, Fast Software Encryption, Cambridge Security Workshop (LNCS 809), 41–44, Springer-Verlag, 1994.
[157] R. Blom, "Non-public key distribution", Advances in Cryptology–Proceedings of Crypto 82, 231–236, 1983.
[158] R. Blom, "An optimal class of symmetric key generation systems", Advances in Cryptology–Proceedings of EUROCRYPT 84 (LNCS 209), 335–338, 1985.
[159] L. Blum, M. Blum, and M. Shub, "Comparison of two pseudo-random number generators", Advances in Cryptology–Proceedings of Crypto 82, 61–78, 1983.
[160] L. Blum, M. Blum, and M. Shub, "A simple unpredictable pseudo-random number generator", SIAM Journal on Computing, 15 (1986), 364–383. An earlier version appeared in [159].
[161] M. Blum, "Independent unbiased coin flips from a correlated biased source: a finite state Markov chain", Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science, 425–433, 1984.
[162] M. Blum, A. De Santis, S. Micali, and G. Persiano, "Noninteractive zero-knowledge", SIAM Journal on Computing, 20 (1991), 1084–1118.
[163] M. Blum, P. Feldman, and S. Micali, "Non-interactive zero-knowledge and its applications", Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 103–112, 1988.
[164] M. Blum and S. Goldwasser, "An efficient probabilistic public-key encryption scheme which hides all partial information", Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 289–299, 1985.
[165] M. Blum and S. Micali, "How to generate cryptographically strong sequences of pseudo random bits", Proceedings of the IEEE 23rd Annual Symposium on Foundations of Computer Science, 112–117, 1982.
[166] M. Blum and S. Micali, "How to generate cryptographically strong sequences of pseudo-random bits", SIAM Journal on Computing, 13 (1984), 850–864. An earlier version appeared in [165].
[167] C. Blundo and A. Cresti, "Space requirements for broadcast encryption", Advances in Cryptology–EUROCRYPT '94 (LNCS 950), 287–298, 1995.
[168] C. Blundo, A. Cresti, A. De Santis, and U. Vaccaro, "Fully dynamic secret sharing schemes", Advances in Cryptology–CRYPTO '93 (LNCS 773), 110–125, 1994.
[169] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, "Perfectly-secure key distribution for dynamic conferences", Advances in Cryptology–CRYPTO '92 (LNCS 740), 471–486, 1993.
[170] R.V. Book and F. Otto, "The verifiability of two-party protocols", Advances in Cryptology–EUROCRYPT '85 (LNCS 219), 254–260, 1986.
[171] A. Booth, "A signed binary multiplication technique", The Quarterly Journal of Mechanics and Applied Mathematics, 4 (1951), 236–240.
[172] J. Bos and D. Chaum, "Provably unforgeable signatures", Advances in Cryptology–CRYPTO '92 (LNCS 740), 1–14, 1993.
[173] J. Bos and M. Coster, "Addition chain heuristics", Advances in Cryptology–CRYPTO '89 (LNCS 435), 400–407, 1990.
[174] W. Bosma and M.-P. van der Hulst, "Faster primality testing", Advances in Cryptology–EUROCRYPT '89 (LNCS 434), 652–656, 1990.
[175] A. Bosselaers, R. Govaerts, and J. Vandewalle, "Cryptography within phase I of the EEC-RACE programme", B. Preneel, R. Govaerts, and J. Vandewalle, editors, Computer Security and Industrial Cryptography: State of the Art and Evolution (LNCS 741), 227–234, Springer-Verlag, 1993.
[176] A. Bosselaers, R. Govaerts, and J. Vandewalle, "Comparison of three modular reduction functions", Advances in Cryptology–CRYPTO '93 (LNCS 773), 175–186, 1994.
[177] A. Bosselaers, R. Govaerts, and J. Vandewalle, "Fast hashing on the Pentium", Advances in Cryptology–CRYPTO '96 (LNCS 1109), 298–312, 1996.
[178] A. Bosselaers and B. Preneel, editors, Integrity Primitives for Secure Information Systems: Final Report of RACE Integrity Primitives Evaluation RIPE-RACE 1040, LNCS 1007, Springer-Verlag, New York, 1995.
[179] J. Boyar, "Inferring sequences produced by a linear congruential generator missing low-order bits", Journal of Cryptology, 1 (1989).
[180] J. Boyar, "Inferring sequences produced by pseudo-random number generators", Journal of the Association for Computing Machinery, 36 (1989), 129–141.
[181] J. Boyar, D. Chaum, I.B. Damgård, and T. Pedersen, "Convertible undeniable signatures", Advances in Cryptology–CRYPTO '90 (LNCS 537), 189–205, 1991.
[182] C. Boyd, "Digital multisignatures", H. Beker and F. Piper, editors, Cryptography and Coding, Institute of Mathematics & Its Applications (IMA), 241–246, Clarendon Press, 1989.
[183] C. Boyd and W. Mao, "On a limitation of BAN logic", Advances in Cryptology–EUROCRYPT '93 (LNCS 765), 240–247, 1994.
[184] B.O. Brachtl, D. Coppersmith, M.M. Hyden, S.M. Matyas Jr., C.H.W. Meyer, J. Oseas, S. Pilpel, and M. Schilling, "Data authentication using modification detection codes based on a public one-way encryption function", U.S. Patent # 4,908,861, 13 Mar 1990.
[185] S. Brands, "Restrictive blinding of secret-key certificates", Advances in Cryptology–EUROCRYPT '95 (LNCS 921), 231–247.
[186] J. Brandt and I. Damgård, "On generation of probable primes by incremental search", Advances in Cryptology–CRYPTO '92 (LNCS 740), 358–370, 1993.
[187] J. Brandt, I. Damgård, and P. Landrock, "Speeding up prime number generation", Advances in Cryptology–ASIACRYPT '91 (LNCS 739), 440–449, 1993.
[188] J. Brandt, I. Damgård, P. Landrock, and T. Pedersen, "Zero-knowledge authentication scheme with secret key exchange", Advances in Cryptology–CRYPTO '88 (LNCS 403), 583–588, 1990.
[189] D.K. Branstad, "Encryption protection in computer data communications", Proceedings of the 4th Data Communications Symposium (Quebec), 8.1–8.7, IEEE, 1975.
[190] G. Brassard, "A note on the complexity of cryptography", IEEE Transactions on Information Theory, 25 (1979), 232–233.
[191] G. Brassard, "On computationally secure authentication tags requiring short secret shared keys", Advances in Cryptology–Proceedings of Crypto 82, 79–86, 1983.
[192] G. Brassard, Modern Cryptology: A Tutorial, LNCS 325, Springer-Verlag, New York, 1988.
[193] G. Brassard, D. Chaum, and C. Crépeau, "Minimum disclosure proofs of knowledge", Journal of Computer and System Sciences, 37 (1988), 156–189.
[194] G. Brassard and C. Crépeau, "Zero-knowledge simulation of Boolean circuits", Advances in Cryptology–CRYPTO '86 (LNCS 263), 223–233, 1987.
[195] G. Brassard and C. Crépeau, "Sorting out zero-knowledge", Advances in Cryptology–EUROCRYPT '89 (LNCS 434), 181–191, 1990.
[196] R.P. Brent, "An improved Monte Carlo factorization algorithm", BIT, 20 (1980), 176–184.
[197] R.P. Brent and J.M. Pollard, "Factorization of the eighth Fermat number", Mathematics of Computation, 36 (1981), 627–630.
[198] D.M. Bressoud, Factorization and Primality Testing, Springer-Verlag, New York, 1989.
[199] E.F. Brickell, "A fast modular multiplication algorithm with applications to two key cryptography", Advances in Cryptology–Proceedings of Crypto 82, 51–60, 1983.
[200] E.F. Brickell, "Breaking iterated knapsacks", Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 342–358, 1985.
[201] E.F. Brickell, "The cryptanalysis of knapsack cryptosystems", R.D. Ringeisen and F.S. Roberts,
[204] E.F. Brickell, D.M. Gordon, K.S. McCurley, and D.B. Wilson, "Fast exponentiation with precomputation", Advances in Cryptology–EUROCRYPT '92 (LNCS 658), 200–207, 1993.
[205] E.F. Brickell, P.J. Lee, and Y. Yacobi, "Secure audio teleconference", Advances in Cryptology–CRYPTO '87 (LNCS 293), 418–
[206] E.F. Brickell and K.S. McCurley, "An interactive identification scheme based on discrete logarithms and factoring", Advances in Cryptology–EUROCRYPT '90 (LNCS 473).
[207] E.F. Brickell and K.S. McCurley, "An interactive identification scheme based on discrete logarithms and factoring", Journal of Cryptology, 5 (1992), 29–39. An earlier version appeared in [206].
[208] E.F. Brickell and A.M. Odlyzko, "Cryptanalysis: A survey of recent results", Proceedings of the IEEE, 76 (1988), 578–593.
[209] E.F. Brickell and A.M. Odlyzko, "Cryptanalysis: A survey of recent results", G.J. Simmons, editor, Contemporary Cryptology: The Science of Information Integrity, 501–540, IEEE Press, 1992. An earlier version appeared in [208].
[210] J. Brillhart, D. Lehmer, and J. Selfridge, "New primality criteria and factorizations of 2^m ± 1", Mathematics of Computation, 29 (1975), 620–647.
[211] J. Brillhart, D. Lehmer, J. Selfridge, B. Tuckerman, and S. Wagstaff Jr., Factorizations of b^n ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 up to High Powers, volume 22 of Contemporary Mathematics, American Mathematical Society, Providence, Rhode Island, 2nd edition, 1988.
[212] J. Brillhart and J. Selfridge, "Some factorizations of 2^n ± 1 and related results", Mathematics of Computation, 21 (1967), 87–
editors, Applications of Discrete Mathemat- ics , 3–23, SIAM, 1988.
[213] D. B RILLINGER , Time Series: Data Analy- sis and Theory , Holden-Day, San Francisco,
[202] E.F. B RICKELL AND J.M. D E L AURENTIS ,
“An attack on a signature scheme proposed [214] L. B ROWN , M. K WAN , J. P IEPRZYK , by Okamoto and Shiraishi”, Advances in
AND J. S EBERRY , “Improving resistance Cryptology–CRYPTO ’85 (LNCS 218) , 28–
to differential cryptanalysis and the re-
32, 1986. design of LOKI”, Advances in Cryptology– [203] E.F. B RICKELL , D.M. G ORDON , AND K.S.
ASIACRYPT ’91 (LNCS 739) , 36–50, 1993. M C C URLEY , “Method for exponentiating
[215] L. B ROWN , J. P IEPRZYK , AND J. S EBERRY , in cryptographic systems”, U.S. Patent #
“LOKI – a cryptographic primitive for authen- 5,299,262, 29 Mar 1994.
tication and secrecy applications”, Advances Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
712 References
in Cryptology–AUSCRYPT ’90 (LNCS 453) , [228] J.L. C AMENISCH , J.-M. P IVETEAU , AND 229–236, 1990.
M.A. S TADLER , “Blind signatures based on [216] J. B UCHMANN AND S. D ¨ ULLMANN , “On the
the discrete logarithm problem”, Advances in computation of discrete logarithms in class
Cryptology–EUROCRYPT ’94 (LNCS 950) , groups”, Advances in Cryptology–CRYPTO
’90 (LNCS 537) , 134–139, 1991. [229] K.W. C AMPBELL AND M.J. W IENER , “DES [217] J. B UCHMANN , J. L OHO , AND J. Z AYER ,
is not a group”, Advances in Cryptology– “An implementation of the general num-
CRYPTO ’92 (LNCS 740) , 512–520, 1993. ber field sieve”, Advances in Cryptology–
[230] C.M. C AMPBELL J R ., “Design and speci- CRYPTO ’93 (LNCS 773) , 159–165, 1994.
fication of cryptographic capabilities”, D.K. [218] J. B UCHMANN AND
Branstad, editor, Computer security and the key-exchange system based on imaginary
ILLIAMS H.C. W , “A
Data Encryption Standard , 54–66, NBS Spe- quadratic fields”, Journal of Cryptology, 1
cial Publication 500-27, U.S. Department of (1988), 107–118.
Commerce, National Bureau of Standards, Washington, D.C., 1977.
[219] J.P. B UHLER , H.W. L ENSTRA J R ., AND
¨ OMERANCE C. P , “Factoring integers with the
[231] E.R. C
ANFIELD , P. E RD OS , AND OM C. P - , “On a problem of Oppenheim con-
number field sieve”, A.K. Lenstra and H.W.
ERANCE cerning ‘Factorisatio Numerorum’”, Journal
Lenstra Jr., editors, The Development of the , 17 (1983), 1–28. Number Field Sieve , volume 1554 of Lec-
of Number Theory ture Notes in Mathematics , 50–94, Springer-
[232] D.G. C ANTOR AND ASSENHAUS H. Z , “A Verlag, 1993.
new algorithm for factoring polynomials over finite fields”, Mathematics of Computation, 36
[220] M. B URMESTER , “On the risk of opening
distributed keys”, Advances in Cryptology– CRYPTO ’94 (LNCS 839) , 308–317, 1994.
[233] J.L. C ARTER AND M.N. W EGMAN , “Uni- versal classes of hash functions”, Proceedings
[221] M. B URMESTER AND Y. D ESMEDT , “Re- of the 9th Annual ACM Symposium on Theory marks on soundness of proofs”, Electronics of Computing , 106–112, 1977. Letters , 25 (October 26, 1989), 1509–1511.
, “Universal classes of hash functions”, [222]
, “A secure and efficient confer- Journal of Computer and System Sciences , 18 ence key distribution system”, Advances in
(1979), 143–154. An earlier version appeared Cryptology–EUROCRYPT ’94 (LNCS 950) ,
in [233].
275–286, 1995. [235] F. C HABAUD , “On the security of some cryp-
[223] M. B URMESTER , Y. D ESMEDT , F. P IPER , tosystems based on error-correcting codes”, AND M. W ALKER , “A general zero-
Advances in Cryptology–EUROCRYPT ’94 knowledge scheme”, Advances in Cryptology–
(LNCS 950) , 131–139, 1995. EUROCRYPT ’89 (LNCS 434) , 122–133,
[236] G.J. C HAITIN , “On the length of programs for 1990. computing finite binary sequences”, Journal
[224] M. B URROWS , M. A BADI , AND R. N EED - of the Association for Computing Machinery , HAM , “A logic of authentication”, Proceed-
13 (1966), 547–569. ings of the Royal Society of London Series
[237] W.G. C HAMBERS , “Clock-controlled shift
A: Mathematical and Physical Sciences , 246 registers in binary sequence generators”, IEE (1989), 233–271. Preliminary version ap- Proceedings E – Computers and Digital Tech- peared as 1989 version of [227]. niques , 135 (1988), 17–24.
[225] , “A logic of authentication”, Proceed-
, “Two stream ciphers”, R. Ander- ings of the 12th Annual ACM Symposium on
son, editor, Fast Software Encryption, Cam- Operating Systems Principles , 1–13, 1989.
bridge Security Workshop (LNCS 809) , 51– [226]
55, Springer-Verlag, 1994. Transactions on Computer Systems , 8 (1990),
, “A logic of authentication”, ACM
[239] W.G. C HAMBERS AND OLLMANN D. G , 18–36.
“Lock-in effect in cascades of clock- [227]
, “A logic of authentication”, DEC SRC controlled shift-registers”, Advances in report #39, Digital Equipment Corporation,
Cryptology–EUROCRYPT ’88 (LNCS 330) , Palo Alto, CA, Feb. 1989. Revised Feb. 1990.
References 713
[240] B. C HAR , K. G EDDES ,
[253] D. C HAUM AND E. VAN H EIJST , “Group sig- EONG B. L , M. M ONAGAN , AND S. W ATT ,
ONNET G. G ,
natures”, Advances in Cryptology–EUROCR- Maple V Library Reference Manual , Springer-
YPT ’91 (LNCS 547) , 257–265, 1991. Verlag, New York, 1991.
[241] C. C , L. O’C
, J. P
[254] D. C HAUM , E. VAN H EIJST , AND FITZ B. P -
R. S AFAVI -N AINI , AND Y. Z HENG , “Com- MANN , “Cryptographically strong undeni- ments on Soviet encryption algorithm”, Ad-
able signatures, unconditionally secure for the vances in Cryptology–EUROCRYPT ’94
signer”, Advances in Cryptology–CRYPTO (LNCS 950) , 433–438, 1995.
’91 (LNCS 576) , 470–484, 1992. [242] D. C HAUM , “Blind signatures for untrace-
[255] L. C HEN AND T.P. P EDERSEN , “New group able payments”, Advances in Cryptology–
signature schemes”, Advances in Cryptology– Proceedings of Crypto 82 , 199–203, 1983.
EUROCRYPT ’94 (LNCS 950) , 171–181, [243]
, “Security without identification:
transaction systems to make big brother obso- lete”, Communications of the ACM, 28 (1985),
[256] V. C HEPYZHOV AND MEETS B. S , “On a fast 1030–1044.
correlation attack on certain stream ciphers”, Advances in Cryptology–EUROCRYPT ’91
[244] , “Demonstrating that a public predicate (LNCS 547) , 176–185, 1991. can be satisfied without revealing any infor-
mation about how”, Advances in Cryptology– [257] B. C HOR AND O. G OLDREICH , “Unbiased CRYPTO ’86 (LNCS 263) , 195–199, 1987.
bits from sources of weak randomness and [245]
, “Blinding for unanticipated signa- probabilistic communication complexity”, tures”, Advances in Cryptology–EUROCRYPT
Proceedings of the IEEE 26th Annual Sym- ’87 (LNCS 304) , 227–233, 1988.
posium on Foundations of Computer Science , [246]
, “Zero-knowledge undeniable signa-
tures”, Advances in Cryptology–EUROCRYPT [258] , “Unbiased bits from sources of weak ’90 (LNCS 473) , 458–464, 1991.
randomness and probabilistic communication [247]
, “Designated confirmer signatures”, complexity”, SIAM Journal on Computing, 17 Advances in Cryptology–EUROCRYPT ’94
(1988), 230–261. An earlier version appeared (LNCS 950) , 86–91, 1995.
in [257].
[248] D. C HAUM , J.-H. E VERTSE , AND J. VAN DE
G RAAF , “An improved protocol for demon- [259] B. C HOR , S. G OLDWASSER , S. M ICALI , strating possession of discrete logarithms
WERBUCH B. A , “Verifiable secret shar- and some generalizations”, Advances in
AND
ing and achieving simultaneity in the presence Cryptology–EUROCRYPT ’87 (LNCS 304) ,
of faults”, Proceedings of the IEEE 26th An- 127–141, 1988.
nual Symposium on Foundations of Computer Science , 383–395, 1985.
[249] D. C HAUM , J.-H. E VERTSE , J. VAN DE
G RAAF , AND R. P ERALTA , “Demonstrating [260] B. C HOR AND R.L. R IVEST , “A knap- possession of a discrete logarithm without re-
sack type public key cryptosystem based vealing it”, Advances in Cryptology–CRYPTO
on arithmetic in finite fields”, Advances ’86 (LNCS 263) , 200–212, 1987.
in Cryptology–Proceedings of CRYPTO 84 [250] D. C HAUM , A. F IAT , AND M. N AOR ,
(LNCS 196) , 54–65, 1985. “Untraceable electronic cash”, Advances in Cryptology–CRYPTO ’88 (LNCS 403) , 319–
, “A knapsack-type public key cryp- 327, 1990.
tosystem based on arithmetic in finite fields”, IEEE Transactions on Information Theory , 34
[251] D. C HAUM AND T.P. P EDERSEN , “Wal- let databases with observers”, Advances in
(1988), 901–909. An earlier version appeared in [260].
Cryptology–CRYPTO ’92 (LNCS 740) , 89– 105, 1993.
[262] A. C LARK , J. G OLI C ´ , AND AWSON E. D ,
“A comparison of fast correlation attacks”, PEN , “Undeniable signatures”, Advances in
[252] D. C HAUM AND H. VAN A NTWER -
D. Gollmann, editor, Fast Software Encryp- Cryptology–CRYPTO ’89 (LNCS 435) , 212–
tion, Third International Workshop (LNCS 216, 1990.
1039) , 145–157, Springer-Verlag, 1996. Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
714 References
[263] H. C OHEN , A Course in Computational Al- [277] D. C OPPERSMITH , M. F RANKLIN , J. P ATA - gebraic Number Theory , Springer-Verlag,
RIN , AND M. R EITER , “Low-exponent Berlin, 1993.
RSA with related messages”, Advances in [264] H. C OHEN AND A.K. L ENSTRA , “Imple-
Cryptology–EUROCRYPT ’96 (LNCS 1070) , mentation of a new primality test”, Mathemat-
ics of Computation , 48 (1987), 103–121. [278] D. C OPPERSMITH , D.B. J OHNSON , AND [265] H. C OHEN AND H.W. L ENSTRA J R ., “Pri-
S.M. M ATYAS , “A proposed mode for triple- mality testing and Jacobi sums”, Mathematics
DES encryption”, IBM Journal of Research of Computation , 42 (1984), 297–330.
and Development , 40 (1996), 253–261. [266] D. C OPPERSMITH , “Fast evaluation of loga-
[279] D. C OPPERSMITH , H. K RAWCZYK , AND rithms in fields of characteristic two”, IEEE
Y. M ANSOUR , “The shrinking generator”, Transactions on Information Theory , 30
Advances in Cryptology–CRYPTO ’93 (LNCS (1984), 587–594.
, “Another birthday attack”, Advances [280] D. C OPPERSMITH , A.M. O DLZYKO , AND in Cryptology–CRYPTO ’85 (LNCS 218) , 14–
R. S CHROEPPEL , “Discrete logarithms in
17, 1986. GF (p)”, Algorithmica, 1 (1986), 1–15. [268]
, “The real reason for Rivest’s [281] D. C OPPERSMITH AND P. R OGAWAY , phenomenon”, Advances in Cryptology–
“Software-efficient pseudorandom function CRYPTO ’85 (LNCS 218) , 535–536, 1986.
and the use thereof for encryption”, U.S. [269]
, “Modifications to the number field Patent # 5,454,039, 26 Sep 1995. sieve”, Journal of Cryptology, 6 (1993), 169–
[282] T.H. C ORMEN , C.E. L EISERSON , AND R.L. 180.
R IVEST , Introduction to Algorithms, MIT [270]
, “Solving linear equations over Press, Cambridge, Massachusetts, 1990. GF (2): Block Lanczos algorithm”, Linear
[283] M.J. C OSTER , A. J OUX , B.A. L A M AC - Algebra and its Applications , 192 (1993), 33–
CHIA , A.M. O DLYZKO , C.P. S CHNORR ,
60. AND J. S TERN , “Improved low-density subset [271]
, “The Data Encryption Standard (DES) sum algorithms”, Computational Complexity, and its strength against attacks”, IBM Jour-
2 (1992), 111–128. nal of Research and Development , 38 (1994),
[284] J.-M. C OUVEIGNES , “Computing a square 243–250.
root for the number field sieve”, A.K. Lenstra [272]
, “Solving homogeneous linear equa- and H.W. Lenstra Jr., editors, The Develop- tions over GF(2) via block Wiedemann al-
ment of the Number Field Sieve , volume 1554 gorithm”, Mathematics of Computation, 62
of Lecture Notes in Mathematics, 95–102, (1994), 333–350.
Springer-Verlag, 1993. [273]
, “Finding a small root of a bivari- [285] T. C OVER AND R. K ING , “A convergent ate integer equation; factoring with high
gambling estimate of the entropy of English”, bits known”, Advances in Cryptology–
IEEE Transactions on Information Theory , 24 EUROCRYPT ’96 (LNCS 1070) , 178–189,
1996. [286] R.E. C RANDALL , “Method and apparatus for [274]
, “Finding a small root of a univariate public key exchange in a cryptographic sys- modular equation”, Advances in Cryptology–
tem”, U.S. Patent # 5,159,632, 27 Oct 1992. EUROCRYPT ’96 (LNCS 1070) , 155–165,
, “Method and apparatus for pub- 1996.
lic key exchange in a cryptographic sys- [275]
, “Analysis of ISO/CCITT Document tem”, U.S. Patent # 5,271,061, 14 Dec 1993 X.509 Annex D”, memorandum, IBM T.J.
(continuation-in-part of 5,159,632). Watson Research Center, Yorktown Heights,
[288] R.A. C ROFT AND S.P. H ARRIS , “Public-key N.Y., 10598, U.S.A., June 11 1989.
cryptography and re-usable shared secrets”, [276]
H. Beker and F. Piper, editors, Cryptogra- Research Report RC 18397, IBM T.J. Wat-
, “Two broken hash functions”, IBM
phy and Coding , Institute of Mathematics & son Research Center, Yorktown Heights, N.Y.,
Its Applications (IMA), 189–201, Clarendon 10598, U.S.A., Oct. 6 1992.
Press, 1989.
References 715
[289] J. D AEMEN , Cipher and hash function de- [301] H. D AVENPORT , “Bases for finite fields”, The sign , PhD thesis, Katholieke Universiteit Leu-
Journal of the London Mathematical Society , ven (Belgium), 1995.
43 (1968), 21–39. [290] J. D AEMEN , R. G OVAERTS , AND J. V AN -
[302] G.I. D AVIDA , “Chosen signature cryptanaly- DEWALLE , “A new approach to block ci-
sis of the RSA (MIT) public key cryptosys- pher design”, R. Anderson, editor, Fast Soft-
tem”, Technical Report TR-CS-82-2, Depart- ware Encryption, Cambridge Security Work-
ment of Electrical Engineering and Computer shop (LNCS 809) , 18–32, Springer-Verlag,
Science, University of Wisconsin, Milwau- 1994.
kee, WI, 1982.
[291] , “Resynchronization weaknesses in [303] D.W. D AVIES , “Some regular properties synchronous stream ciphers”, Advances in
of the ‘Data Encryption Standard’ algo- Cryptology–EUROCRYPT ’93 (LNCS 765) ,
rithm”, Advances in Cryptology–Proceedings 159–167, 1994.
of Crypto 82 , 89–96, 1983. [292]
, “A message authenticator algo- Cryptology–CRYPTO ’93 (LNCS 773) , 224–
, “Weak keys for IDEA”, Advances in
rithm suitable for a mainframe computer”, 231, 1994.
Advances in Cryptology–Proceedings of [293] Z.-D D AI , “Proof of Rueppel’s linear com-
CRYPTO 84 (LNCS 196) , 393–400, 1985. plexity conjecture”, IEEE Transactions on In-
, “Schemes for electronic funds trans- formation Theory , 32 (1986), 440–443.
fer at the point of sale”, K.M. Jackson and [294] Z.-D. D AI AND J.-H. Y ANG , “Linear
J. Hruska, editors, Computer Security Refer- complexity of periodically repeated ran-
ence Book , 667–689, CRC Press, 1992. dom sequences”, Advances in Cryptology–
[306] D.W. D AVIES AND D.O. C LAYDEN , “The EUROCRYPT ’91 (LNCS 547) , 168–175,
message authenticator algorithm (MAA) and 1991.
its implementation”, Report DITC 109/88, [295] I.B. D AMG ARD ˚ , “Collision free hash func-
National Physical Laboratory, U.K., February tions and public key signature schemes”,
Advances in Cryptology–EUROCRYPT ’87 [307] D.W. D AVIES AND G.I.P. P ARKIN , “The (LNCS 304) , 203–216, 1988.
average cycle size of the key stream in out- [296]
, “A design principle for hash func- put feedback encipherment”, Advances in tions”, Advances in Cryptology–CRYPTO ’89
Cryptology–Proceedings of Crypto 82 , 97–98, (LNCS 435) , 416–427, 1990.
[297] , “Towards practical public key systems [308] D.W. D AVIES AND W.L. P RICE , Security for secure against chosen ciphertext attacks”, Ad-
Computer Networks , John Wiley & Sons, New York, 2nd edition, 1989.
vances in Cryptology–CRYPTO ’91 (LNCS 576) , 445–456, 1992.
[309] D. D AVIS , R. I HAKA , AND P. F ENSTER - [298]
, “Practical and provably secure re- MACHER , “Cryptographic randomness from lease of a secret and exchange of signatures”,