Handbook of Applied Cryptography

References

[1] M. A BADI AND R. N EEDHAM , “Prudent en- [11] L.M. A DLEMAN AND J. D E M ARRAIS , “A gineering practice for cryptographic proto-

subexponential algorithm for discrete loga- cols”, DEC SRC report #125, Digital Equip-

rithms over all finite fields”, Mathematics of ment Corporation, Palo Alto, CA, 1994.

Computation , 61 (1993), 1–15. [2] M. A BADI AND M.R. T UTTLE , “A seman-

[12] L.M. A DLEMAN , J. D E M ARRAIS , AND M.- tics for a logic of authentication”, Proceed-

UANG D. H , “A subexponential algorithm for ings of the Tenth Annual ACM Symposium

discrete logarithms over the rational subgroup on Principles of Distributed Computing , 201–

of the Jacobians of large genus hyperelliptic 216, 1991.

curves over finite fields”, Algorithmic Number [3] C. A DAMS , “Symmetric cryptographic sys-

Theory (LNCS 877) , 28–40, 1994. tem for data encryption”, U.S. Patent #

[13] L.M. A DLEMAN AND M.-D. A. H UANG , 5,511,123, 23 Apr 1996.

Primality Testing and Abelian Varieties Over [4]

, “IDUP and SPKM: Developing Finite Fields , Springer-Verlag, Berlin, 1992. public-key-based APIs and mechanisms for communication security services”, Proceed-

[14] L.M. A DLEMAN AND H.W. L ENSTRA J R ., ings of the Internet Society Symposium on Net-

“Finding irreducible polynomials over finite work and Distributed System Security , 128–

fields”, Proceedings of the 18th Annual ACM Symposium on Theory of Computing 135, IEEE Computer Society Press, 1996. , 350–

[5] C. A DAMS AND

EIJER H. M , “Security-

related comments regarding McEliece’s [15] L.M. A DLEMAN AND K.S. M C C URLEY , public-key cryptosystem”, Advances in

“Open problems in number theoretic com- Cryptology–CRYPTO ’87 (LNCS 293) , 224–

plexity, II”, Algorithmic Number Theory 228, 1988.

(LNCS 877) , 291–322, 1994. [6]

, “Security-related comments regard- [16] L.M. A DLEMAN , C. P OMERANCE , AND ing McEliece’s public-key cryptosystem”,

R.S. R UMELY , “On distinguishing prime IEEE Transactions on Information Theory , 35

numbers from composite numbers”, Annals of (1989), 454–455. An earlier version appeared

Mathematics , 117 (1983), 173–206. in [5].

[17] G.B. A GNEW , “Random sources for crypto- [7] C. A DAMS AND S.E. T AVARES , “Design-

graphic systems”, Advances in Cryptology– ing S-boxes for ciphers resistant to differen-

EUROCRYPT ’87 (LNCS 304) , 77–81, 1988. tial cryptanalysis”, W. Wolfowicz, editor, Pro-

[18] G.B. A GNEW , R.C. M ULLIN , I.M. O NYSZ - ceedings of the 3rd Symposium on State and CHUK , AND S.A. V ANSTONE , “An imple- Progress of Research in Cryptography, Rome, mentation for a fast public-key cryptosystem”, Italy , 181–190, 1993. Journal of Cryptology , 3 (1991), 63–79.

[8] L.M. A DLEMAN , “A subexponential algo- rithm for the discrete logarithm problem with

[19] G.B. A GNEW , R.C. M ULLIN , AND S.A. applications to cryptography”, Proceedings of

V ANSTONE , “Improved digital signature sch- the IEEE 20th Annual Symposium on Founda-

eme based on discrete exponentiation”, Elec- tions of Computer Science , 55–60, 1979.

tronics Letters , 26 (July 5, 1990), 1024–1025. [9]

, “The function field sieve”, Algorith- [20] S.G. A KL , “On the security of com- mic Number Theory (LNCS 877) , 108–121,

pressed encodings”, Advances in Cryptology– 1994.

Proceedings of Crypto 83 , 209–230, 1984. [10]

, “Molecular computation of solutions [21] N. A LEXANDRIS , M. B URMESTER , V. C HR - to combinatorial problems”, Science, 266

ISSIKOPOULOS , AND Y. D ESMEDT , “A se- (1994), 1021–1024.

cure key distribution system”, W. Wolfowicz,

704 References

editor, Proceedings of the 3rd Symposium on [34] ANSI X3.106, “American National Standard State and Progress of Research in Cryptogra-

for Information Systems – Data Encryption phy, Rome, Italy , 30–34, Feb. 1993.

Algorithm – Modes of Operation”, American [22] W. A LEXI , B. C HOR , O. G OLDREICH , AND

National Standards Institute, 1983.

C.P. S CHNORR , “RSA/Rabin bits are 1 2 +

[35] ANSI X9.8, “American National Standard 1/poly(log n) secure”, Proceedings of the

for Financial Services – Banking – Personal IEEE 25th Annual Symposium on Founda- Identification Number management and se- tions of Computer Science , 449–457, 1984. curity. Part 1: PIN protection principles and

[23] , “RSA and Rabin functions: Certain techniques; Part 2: Approved algorithms for parts are as hard as the whole”, SIAM Journal

PIN encipherment”, ASC X9 Secretariat – on Computing , 17 (1988), 194–209. An ear-

American Bankers Association, 1995. lier version appeared in [22].

[24] W.R. A LFORD ,

[36] ANSI X9.9 ( REVISED ), “American National OMERANCE C. P , “There are infinitely many

RANVILLE A. G , AND

Standard – Financial institution message au- Carmichael numbers”, Annals of Mathemat-

thentication (wholesale)”, ASC X9 Secretariat ics , 140 (1994), 703–722.

– American Bankers Association, 1986 (re- places X9.9–1982).

[25] H. A MIRAZIZI AND M. H ELLMAN , “Time- memory-processor trade-offs”, IEEE Trans-

[37] ANSI X9.17, “American National Stan- actions on Information Theory , 34 (1988),

dard – Financial institution key management 505–512.

(wholesale)”, ASC X9 Secretariat – American [26] R. A NDERSON , “Practical RSA trapdoor”,

Bankers Association, 1985. Electronics Letters , 29 (May 27, 1993), 995.

[38] ANSI X9.19, “American National Standard [27]

, “The classification of hash functions”, – Financial institution retail message authen- P.G. Farrell, editor, Codes and Cyphers:

tication”, ASC X9 Secretariat – American Cryptography and Coding IV , 83–93, Institute

Bankers Association, 1986. of Mathematics & Its Applications (IMA),

1995. [39] ANSI X9.23, “American National Standard [28]

, “On Fibonacci keystream generators”, – Financial institution encryption of whole-

B. Preneel, editor, Fast Software Encryption, sale financial messages”, ASC X9 Secretariat Second International Workshop (LNCS 1008) ,

– American Bankers Association, 1988. 346–352, Springer-Verlag, 1995.

[40] ANSI X9.24, “American National Standard [29]

, “Searching for the optimum correla- for Financial Services – Financial services re- tion attack”, B. Preneel, editor, Fast Software

tail key management”, ASC X9 Secretariat – Encryption, Second International Workshop

American Bankers Association, 1992. (LNCS 1008) , 137–143, Springer-Verlag, 1995.

[41] ANSI X9.26, “American National Standard – Financial institution sign-on authentication

[30] R. A NDERSON AND

for wholesale financial transactions”, ASC X9 tical and provably secure block ciphers:

IHAM E. B , “Two prac-

Secretariat – American Bankers Association, BEAR and LION”, D. Gollmann, editor,

Fast Software Encryption, Third International Workshop (LNCS 1039) , 113–120, Springer-

[42] ANSI X9.28, “American National Stan- Verlag, 1996.

dard for Financial Services – Financial in- [31] R. A NDERSON AND R. N EEDHAM , “Robust-

stitution multiple center key management ness principles for public key protocols”, Ad-

(wholesale)”, ASC X9 Secretariat – American vances in Cryptology–CRYPTO ’95 (LNCS

Bankers Association, 1991. 963) , 236–247, 1995.

[43] ANSI X9.30 (P ART 1), “American National [32] N.C. A NKENY , “The least quadratic non

Standard for Financial Services – Public key residue”, Annals of Mathematics, 55 (1952),

cryptography using irreversible algorithms for 65–72.

the financial services industry – Part 1: The [33] ANSI X3.92, “American National Standard

digital signature algorithm (DSA)”, ASC X9 – Data Encryption Algorithm”, American Na-

Secretariat – American Bankers Association, tional Standards Institute, 1981.

References 705

[44] ANSI X9.30 (P ART 2), “American National [56] F. A RNAULT , “Rabin-Miller primality test: Standard for Financial Services – Public key

composite numbers which pass it”, Mathemat- cryptography using irreversible algorithms

ics of Computation , 64 (1995), 355–361. for the financial services industry – Part 2:

[57] A.O.L. A TKIN AND R.G. L ARSON , “On a The secure hash algorithm (SHA)”, ASC X9

primality test of Solovay and Strassen”, SIAM Secretariat – American Bankers Association,

Journal on Computing , 11 (1982), 789–791. 1993. [58] A.O.L. A TKIN AND

ORAIN F. M , “Elliptic [45] ANSI X9.31 (P ART 1), “American National

curves and primality proving”, Mathematics Standard for Financial Services – Public key

of Computation , 61 (1993), 29–68. cryptography using RSA for the financial ser-

vices industry – Part 1: The RSA signature al- [59] D. A TKINS , M. G RAFF , A.K. L ENSTRA , gorithm”, draft, 1995.

AND P.C. L EYLAND , “The magic words are SQUEAMISH OSSIFRAGE”, Advances in

[46] ANSI X9.31 (P ART 2), “American National Cryptology–ASIACRYPT ’94 (LNCS 917) , Standard for Financial Services – Public key

cryptography using RSA for the financial ser- vices industry – Part 2: Hash algorithms for

[60] L. B ABAI , “Trading group theory for random- RSA”, draft, 1995.

ness”, Proceedings of the 17th Annual ACM Symposium on Theory of Computing , 421–

[47] ANSI X9.42, “Public key cryptography for

the financial services industry: Management of symmetric algorithm keys using Diffie-

[61] L. B ABAI AND S. M ORAN , “Arthur-Merlin Hellman”, draft, 1995.

games: a randomized proof system, and a hierarchy of complexity classes”, Journal of

[48] ANSI X9.44, “Public key cryptography us- Computer and System Sciences , 36 (1988), ing reversible algorithms for the financial ser-

vices industry: Transport of symmetric algo- [62] E. B ACH , “Discrete logarithms and factor- rithm keys using RSA”, draft, 1994. ing”, Report No. UCB/CSD 84/186, Com-

[49] ANSI X9.45, “Public key cryptography for puter Science Division (EECS), University of the financial services industry – Enhanced

California, Berkeley, California, 1984. management controls using digital signatures

, Analytic Methods in the Analysis and and attribute certificates”, draft, 1996. Design of Number-Theoretic Algorithms , MIT

[50] ANSI X9.52, “Triple data encryption algo- Press, Cambridge, Massachusetts, 1985. An rithm modes of operation”, draft, 1996.

ACM Distinguished Dissertation. [51] ANSI X9.55, “Public key cryptography for

, “Explicit bounds for primality testing the financial services industry – Extensions to

and related problems”, Mathematics of Com- public key certificates and certificate revoca-

putation , 55 (1990), 355–380. tion lists”, draft, 1995.

, “Number-theoretic algorithms”, An- [52] ANSI X9.57, “Public key cryptography for

nual Review of Computer Science , 4 (1990), the financial services industry – Certificate

, “Realistic analysis of some random- [53] K. A OKI AND K. O HTA , “Differential-linear

management”, draft, 1995.

ized algorithms”, Journal of Computer and cryptanalysis of FEAL-8”, IEICE Transac-

System Sciences , 42 (1991), 30–53. tions on Fundamentals of Electronics, Com-

, “Toward a theory of Pollard’s rho munications and Computer Science , E79-A

method”, Information and Computation, 90 (1996), 20–27.

[54] B. A RAZI , “Integrating a key distribution pro- [68] E. B ACH AND J. S HALLIT , “Factoring with cedure into the digital signature standard”,

cyclotomic polynomials”, Proceedings of the Electronics Letters , 29 (May 27, 1993), 966–

IEEE 26th Annual Symposium on Founda- 967.

tions of Computer Science , 443–450, 1985. [55]

, “Factoring with cyclotomic polynomi- visionless operations”, The Computer Jour-

, “On primality testing using purely di-

als”, Mathematics of Computation, 52 (1989), nal , 37 (1994), 219–222.

201–219. An earlier version appeared in [68]. Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

706 References

[70] , Algorithmic Number Theory, Volume that are probably prime”, Journal of Cryptol-

I: Efficient Algorithms , MIT Press, Cam- ogy , 1 (1988), 53–64. bridge, Massachusetts, 1996.

[82] P. B ´ EGUIN AND J.-J. Q UISQUATER , “Se- [71] E. B ACH AND J. S ORENSON , “Sieve algo-

cure acceleration of DSS signatures using rithms for perfect power testing”, Algorith-

insecure server”, Advances in Cryptology– mica , 9 (1993), 313–328.

ASIACRYPT ’94 (LNCS 917) , 249–259, 1995. [72] A. B AHREMAN , “PEMToolKit: Building a top-down certification hierarchy”, Proceed-

[83] A. B EIMEL AND HOR B. C , “Interaction ings of the Internet Society Symposium on Net-

in key distribution schemes”, Advances in work and Distributed System Security , 161–

Cryptology–CRYPTO ’93 (LNCS 773) , 444– 171, IEEE Computer Society Press, 1995.

[73] T. B ARITAUD , M. C AMPANA , P. C HAU -

IPER F. P , Cipher Systems: VAUD , AND

[84] H. B EKER AND

ILBERT H. G , “On the security The Protection of Communications , John Wi- of the permuted kernel identification scheme”,

ley & Sons, New York, 1982. Advances in Cryptology–CRYPTO ’92 (LNCS

[85] H. B EKER AND M. W ALKER , “Key manage- 740) , 305–311, 1993.

ment for secure electronic funds transfer in a [74] W. B ARKER , Cryptanalysis of the Hagelin

retail environment”, Advances in Cryptology– Cryptograph , Aegean Park Press, Laguna

Proceedings of CRYPTO 84 (LNCS 196) , Hills, California, 1977.

[75] P. B ARRETT , “Implementing the Rivest [86] M. B ELLARE , R. C ANETTI , AND RAW H. K - Shamir and Adleman public key encryption

CZYK , “Keying hash functions for message algorithm on a standard digital signal proces-

authenticaion”, Advances in Cryptology– sor”, Advances in Cryptology–CRYPTO ’86

CRYPTO ’96 (LNCS 1109) , 1–15, 1996. (LNCS 263) , 311–323, 1987.

[76] R.K. B AUER , T.A. B ERSON , AND R.J. [87] M. B ELLARE AND O. G OLDREICH , “On

F EIERTAG , “A key distribution protocol using defining proofs of knowledge”, Advances in event markers”, ACM Transactions on Com-

Cryptology–CRYPTO ’92 (LNCS 740) , 390– puter Systems , 1 (1983), 249–255.

[77] U. B AUM AND S. B LACKBURN , “Clock- [88] M. B ELLARE , O. G OLDREICH , AND controlled pseudorandom generators on finite

S. G OLDWASSER , “Incremental cryptogra- groups”, B. Preneel, editor, Fast Software

phy: The case of hashing and signing”, Ad- Encryption, Second International Workshop

vances in Cryptology–CRYPTO ’94 (LNCS (LNCS 1008) , 6–21, Springer-Verlag, 1995.

839) , 216–233, 1994. [78] F. B AUSPIESS AND H.-J. K NOBLOCH ,

, “Incremental cryptography and appli- “How to keep authenticity alive in a com-

cation to virus protection”, Proceedings of the puter network”, Advances in Cryptology–

27th Annual ACM Symposium on Theory of EUROCRYPT ’89 (LNCS 434) , 38–46, 1990.

Computing , 45–56, 1995. [79] D. B AYER , S. H ABER , AND W.S. S TOR -

[90] M. B ELLARE , R. G U ERIN ´ , AND P. R O - NETTA , “Improving the efficiency and reli- GAWAY , “XOR MACs: New methods for ability of digital time-stamping”, R. Capoc- message authentication using finite pseudo- elli, A. De Santis, and U. Vaccaro, editors, random functions”, Advances in Cryptology– Sequences II: Methods in Communication, CRYPTO ’95 (LNCS 963) , 15–28, 1995. Security, and Computer Science , 329–334,

Springer-Verlag, 1993. [91] M. B ELLARE , J. K ILIAN , AND P. R OG - [80] P. B EAUCHEMIN AND

AWAY , “The security of cipher block chain- generalization of Hellman’s extension to

RASSARD G. B , “A

ing”, Advances in Cryptology–CRYPTO ’94 Shannon’s approach to cryptography”, Jour-

(LNCS 839) , 341–358, 1994. nal of Cryptology , 1 (1988), 129–131.

[92] M. B ELLARE AND S. M ICALI , “How to sign [81] P. B EAUCHEMIN , G. B RASSARD , C. given any trapdoor function”, Advances in

Cryptology–CRYPTO ’88 (LNCS 403) , 200– ANCE , “The generation of random numbers

C R EPEAU ´ , C. G OUTIER , AND

OMER C. P -

References 707

[93] M. B ELLARE AND P. R OGAWAY , “Random

, “Augmented encrypted key exchange: oracles are practical: a paradigm for designing

a password-based protocol secure against dic- efficient protocols”, 1st ACM Conference on

tionary attacks and password file compro- Computer and Communications Security , 62–

mise”, 1st ACM Conference on Computer and

73, ACM Press, 1993. Communications Security , 244–250, ACM [94]

, “Entity authentication and key dis-

Press, 1993.

tribution”, Advances in Cryptology–CRYPTO

, “An attack on the Interlock Protocol ’93 (LNCS 773) , 232–249, 1994.

when used for authentication”, IEEE Transac- tions on Information Theory , 40 (1994), 273–

[95] , “Optimal asymmetric encryption”,

Advances in Cryptology–EUROCRYPT ’94 (LNCS 950) , 92–111, 1995.

[107] I. B EN -A ROYA AND IHAM E. B , “Differ- ential cyptanalysis of Lucifer”, Advances in

[96] , “Provably secure session key distribu- Cryptology–CRYPTO ’93 (LNCS 773) , 187– tion – the three party case”, Proceedings of the

27th Annual ACM Symposium on Theory of Computing , 57–66, 1995.

, “Differential cryptanalysis of Lu- cifer”, Journal of Cryptology, 9 (1996), 21–

34. An earlier version appeared in [107]. COBI , “Privacy and authentication on a

[97] M.J. B ELLER , L.-F. C HANG , AND Y. Y A -

portable communications system”, IEEE [109] M. B EN -O R , “Probabilistic algorithms in fi- Global Telecommunications Conference ,

nite fields”, Proceedings of the IEEE 22nd An- 1922–1927, 1991.

nual Symposium on Foundations of Computer Science , 394–398, 1981.

[98] , “Security for personal communica- tions services: public-key vs. private key

[110] J. B ENALOH , “Secret sharing homomor- approaches”, The Third IEEE International

phisms: Keeping shares of a secret secret”, Symposium on Personal, Indoor and Mobile

Advances in Cryptology–CRYPTO ’86 (LNCS Radio Communications (PIMRC’92) , 26–31,

[111] J. B ENALOH AND M. DE M ARE , “One- way accumulators:

A decentralized alter- [99]

, “Privacy and authentication on a native to digital signatures”, Advances in portable communications system”, IEEE Cryptology–EUROCRYPT ’93 (LNCS 765) , Journal on Selected Areas in Communica-

tions , 11 (1993), 821–829. [112] J. B ENALOH AND J. L EICHTER , “General-

[100] M.J. B ELLER AND Y. Y ACOBI , “Minimal ized secret sharing and monotone functions”, asymmetric authentication and key agree-

Advances in Cryptology–CRYPTO ’88 (LNCS ment schemes”, October 1994 unpublished

403) , 27–35, 1990. manuscript. [113] S. B ENGIO , G. B RASSARD , Y.G. D ESMEDT , [101]

, “Fully-fledged two-way public key au- OUTIER C. G , AND J.-J. Q UISQUATER , “Se- thentication and key agreement for low-cost

cure implementation of identification sys- terminals”, Electronics Letters, 29 (May 27,

tems”, Journal of Cryptology, 4 (1991), 175– 1993), 999–1001.

[102] S.M. B ELLOVIN AND M. M ERRITT , “Cryp- [114] C. B ENNETT , G. B RASSARD , S. B REID - tographic protocol for secure communica-

BART , AND S. W IESNER , “Quantum cryp- tions”, U.S. Patent # 5,241,599, 31 Aug 1993.

tography, or unforgeable subway tokens”, Ad- [103]

, “Limitations of the Kerberos authen- vances in Cryptology–Proceedings of Crypto tication system”, Computer Communication

82 , 267–275, 1983. Review , 20 (1990), 119–132.

[115] C. B ENNETT , G. B RASSARD , AND K - A. E [104]

, “Encrypted key exchange: password- ERT , “Quantum cryptography”, Scientific based protocols secure against dictionary at-

American , special issue (1997), 164–171. tacks”, Proceedings of the 1992 IEEE Com-

[116] S. B ERKOVITS , “How to broadcast a secret”, puter Society Symposium on Research in Se-

Advances in Cryptology–EUROCRYPT ’91 curity and Privacy , 72–84, 1992.

(LNCS 547) , 535–541, 1991. Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

708 References

[117] E.R. B ERLEKAMP , “Factoring polynomials

, “On modes of operation”, R. Ander- over finite fields”, Bell System Technical Jour-

son, editor, Fast Software Encryption, Cam- nal , 46 (1967), 1853–1859.

bridge Security Workshop (LNCS 809) , 116– [118]

, Algebric Coding Theory, McGraw 120, Springer-Verlag, 1994. Hill, New York, 1968.

, “Cryptanalysis of multiple modes [119]

, “Factoring polynomials over large fi- of operation”, Advances in Cryptology– nite fields”, Mathematics of Computation, 24

ASIACRYPT ’94 (LNCS 917) , 278–292, 1995. (1970), 713–735.

, “On Matsui’s linear cryptanalysis”,

[120] E.R. B ERLEKAMP , R.J. M C E LIECE , AND

Advances in Cryptology–EUROCRYPT ’94

H.C.A. VAN T ILBORG , “On the inherent (LNCS 950) , 341–355, 1995. intractability of certain coding problems”,

IRYUKOV A. B , “How to (1978), 384–386.

IEEE Transactions on Information Theory , 24

[133] E. B IHAM AND

strengthen DES using existing hardware”, [121] D.J. B ERNSTEIN , “Detecting perfect powers

Advances in Cryptology–ASIACRYPT ’94 in essentially linear time”, preprint, 1995.

(LNCS 917) , 398–412, 1995. [122] D.J. B ERNSTEIN AND A.K. L ENSTRA , “A

HAMIR A. S , “Differential general number field sieve implementation”,

[134] E. B IHAM AND

cryptanalysis of DES-like cryptosystems”, A.K. Lenstra and H.W. Lenstra Jr., editors,

Journal of Cryptology , 4 (1991), 3–72. An The Development of the Number Field Sieve ,

earlier version appeared in [135]. volume 1554 of Lecture Notes in Mathemat- ics , 103–126, Springer-Verlag, 1993.

, “Differential cryptanalysis of DES- like cryptosystems”, Advances in Cryptology–

[123] T. B ETH , “Efficient zero-knowledge identifi- CRYPTO ’90 (LNCS 537) , 2–21, 1991. cation scheme for smart cards”, Advances in

Cryptology–EUROCRYPT ’88 (LNCS 330) ,

, “Differential cryptanalysis of Feal 77–84, 1988.

and N-Hash”, Advances in Cryptology–

EUROCRYPT ’91 (LNCS 547) , 1–16, 1991. ity of pseudo-random sequences – or: If you

[124] T. B ETH AND Z.-D. D AI , “On the complex-

, “Differential cryptanalysis of Snefru, can describe a sequence it can’t be random”,

Khafre, REDOC-II, LOKI, and Lucifer”, Ad- Advances in Cryptology–EUROCRYPT ’89

vances in Cryptology–CRYPTO ’91 (LNCS (LNCS 434) , 533–543, 1990.

576) , 156–171, 1992. [125] T. B ETH , H.-J. K NOBLOCH , M. O TTEN , G.J. S IMMONS , AND P. W ICHMANN , “To-

, Differential Cryptanalysis of the Data wards acceptable key escrow systems”, 2nd

Encryption Standard , Springer-Verlag, New ACM Conference on Computer and Commu-

York, 1993.

, “Differential cryptanalysis of the full [126] T. B ETH AND

nications Security , 51–58, ACM Press, 1994.

16-round DES”, Advances in Cryptology– go generator”, Advances in Cryptology–

IPER , “The stop-and- F.C. P

CRYPTO ’92 (LNCS 740) , 487–496, 1993. Proceedings of EUROCRYPT 84 (LNCS 209) , 88–92, 1985.

[140] R. B IRD ,

OPAL I. G , ERZBERG A. H , P. J ANSON , S. K UTTEN , R. M OLVA , AND

M. Y UNG , “Systematic design of two- BATIANSKII , AND

[127] J. B IERBRAUER , T. J OHANSSON , G. K A -

party authentication protocols”, Advances in lies of hash functions via geometric codes

MEETS B. S , “On fami-

Cryptology–CRYPTO ’91 (LNCS 576) , 44– and concatenation”, Advances in Cryptology–

CRYPTO ’93 (LNCS 773) , 331–342, 1994. [128] E. B IHAM , “New types of cryptanalytic

, “Systematic design of a family of attacks using related keys”, Advances in

attack-resistant authentication protocols”, Cryptology–EUROCRYPT ’93 (LNCS 765) ,

IEEE Journal on Selected Areas in Commu- 398–409, 1994.

nications , 11 (1993), 679–693. [129]

, “The KryptoKnight family of light- using related keys”, Journal of Cryptology, 7

, “New types of cryptanalytic attacks

weight protocols for authentication and key (1994), 229–246. An earlier version appeared

distribution”, IEEE/ACM Transactions on in [128].

Networking , 3 (1995), 31–41.

References 709

[143] S. B LACKBURN , S. M URPHY , AND J. S TE - [155] D. B LEICHENBACHER AND U. M AURER , RN , “The cryptanalysis of a public-key imple-

“Directed acyclic graphs, one-way func- mentation of finite group mappings”, Journal

tions and digital signatures”, Advances in of Cryptology , 8 (1995), 157–166.

Cryptology–CRYPTO ’94 (LNCS 839) , 75–

[144] R.E. B LAHUT , Principles and Practice of In- formation Theory , Addison-Wesley, Reading,

[156] U. B L OCHER AND ¨ M. D ICHTL , “Fish: A fast Massachusetts, 1987.

software stream cipher”, R. Anderson, editor, Fast Software Encryption, Cambridge Secu-

[145] I.F. B LAKE , R. F UJI -H ARA , R.C. M ULLIN , rity Workshop (LNCS 809) , 41–44, Springer- AND S.A. V ANSTONE , “Computing loga-

Verlag, 1994.

rithms in finite fields of characteristic two”, SIAM Journal on Algebraic and Discrete

[157] R. B LOM , “Non-public key distribution”, Ad- Methods , 5 (1984), 276–285.

vances in Cryptology–Proceedings of Crypto

82 , 231–236, 1983. [146] I.F. B LAKE , S. G AO , AND R. L AMBERT ,

, “An optimal class of symmet- “Constructive problems for irreducible poly-

ric key generation systems”, Advances in nomials over finite fields”, T.A. Gulliver and Cryptology–Proceedings of EUROCRYPT 84 N.P. Secord, editors, Information Theory and (LNCS 209) , 335–338, 1985. Applications (LNCS 793) , 1–23, Springer-

Verlag, 1994. [159] L. B LUM , M. B LUM , AND M. S HUB , “Com- parison of two pseudo-random number gener-

[147] B. B LAKLEY , G.R. B LAKLEY , A.H. C HAN , ators”, Advances in Cryptology–Proceedings AND J.L. M ASSEY , “Threshold schemes with

of Crypto 82 , 61–78, 1983. disenrollment”, Advances in Cryptology–

, “A simple unpredictable pseudo- random number generator”, SIAM Journal on [148] G. B LAKLEY , “Safeguarding cryptographic

CRYPTO ’92 (LNCS 740) , 540–548, 1993.

Computing , 15 (1986), 364–383. An earlier keys”, Proceedings of AFIPS National Com-

version appeared in [159]. puter Conference , 313–317, 1979.

[161] M. B LUM , “Independent unbiased coin flips [149]

, “A computer algorithm for calculating from a correlated biased source: a finite state the product AB modulo M ”, IEEE Transac-

Markov chain”, Proceedings of the IEEE 25th tions on Computers , 32 (1983), 497–500.

Annual Symposium on Foundations of Com- puter Science , 425–433, 1984.

[150] G. B LAKLEY AND

OROSH I. B , “Rivest-

Shamir-Adleman public key cryptosystems [162] M. B LUM , A. D E S ANTIS , S. M ICALI , do not always conceal messages”, Comput-

ERSIANO G. P , “Noninteractive zero- ers and Mathematics with Applications , 5:3

AND

knowledge”, SIAM Journal on Computing, 20 (1979), 169–178.

(1991), 1084–1118. [151] G. B LAKLEY AND

[163] M. B LUM , P. F ELDMAN , AND S. M ICALI , of ramp schemes”, Advances in Cryptology–

EADOWS C. M , “Security

“Non-interactive zero-knowledge and its ap- Proceedings of CRYPTO 84 (LNCS 196) ,

plications”, Proceedings of the 20th Annual 242–268, 1985.

ACM Symposium on Theory of Computing , 103–112, 1988.

[152] M. B LAZE , “Protocol failure in the escrowed [164] M. B LUM AND S. G OLDWASSER , “An ef- encryption standard”, 2nd ACM Conference

ficient probabilistic public-key encryption on Computer and Communications Security ,

scheme which hides all partial informa- 59–67, ACM Press, 1994.

tion”, Advances in Cryptology–Proceedings [153] D. B LEICHENBACHER , “Generating ElGa-

of CRYPTO 84 (LNCS 196) , 289–299, 1985. mal signatures without knowing the secret

[165] M. B LUM AND S. M ICALI , “How to generate key”, Advances in Cryptology–EUROCRYPT

cryptographically strong sequences of pseudo ’96 (LNCS 1070) , 10–18, 1996.

random bits”, Proceedings of the IEEE 23rd [154] D. B LEICHENBACHER , W. B OSMA , AND

Annual Symposium on Foundations of Com- A.K. L ENSTRA , “Some remarks on Lucas-

puter Science , 112–117, 1982. based cryptosystems”, Advances in Cryptolo-

, “How to generate cryptographically gy–CRYPTO ’95 (LNCS 963) , 386–396, 1995.

strong sequences of pseudo-random bits”, Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

710 References

SIAM Journal on Computing , 13 (1984), 850– [179] J. B OYAR , “Inferring sequences produced by 864. An earlier version appeared in [165].

a linear congruential generator missing low- [167] C. B LUNDO AND

order bits”, Journal of Cryptology, 1 (1989), ments for broadcast encryption”, Advances in

RESTI A. C , “Space require-

Cryptology–EUROCRYPT ’94 (LNCS 950) ,

, “Inferring sequences produced by 287–298, 1995. pseudo-random number generators”, Journal

of the Association for Computing Machinery , AND U. V ACCARO , “Fully dynamic secret

[168] C. B LUNDO , A. C RESTI , A. D E S ANTIS ,

36 (1989), 129–141. sharing schemes”, Advances in Cryptology–

CRYPTO ’93 (LNCS 773) , 110–125, 1994. [181] J. B OYAR , D. C HAUM , I.B. D AMG ARD ˚ ,

AND T. P EDERSEN , “Convertible undeni- S. K UTTEN , U. V ACCARO , AND M. Y UNG ,

[169] C. B LUNDO , A. D E S ANTIS , A. H ERZBERG ,

able signatures”, Advances in Cryptology– “Perfectly-secure key distribution for dy-

CRYPTO ’90 (LNCS 537) , 189–205, 1991. namic conferences”, Advances in Cryptology–

[182] C. B OYD , “Digital multisignatures”, H. Beker CRYPTO ’92 (LNCS 740) , 471–486, 1993.

and F. Piper, editors, Cryptography and Cod- [170] R.V. B OOK AND

ing , Institute of Mathematics & Its Applica- bility of two-party protocols”, Advances in

TTO F. O , “The verifia-

tions (IMA), 241–246, Clarendon Press, 1989. Cryptology–EUROCRYPT ’85 (LNCS 219) , 254–260, 1986.

[183] C. B OYD AND W. M AO , “On a limitation [171] A. B OOTH , “A signed binary multiplication

of BAN logic”, Advances in Cryptology– technique”, The Quarterly Journal of Me-

EUROCRYPT ’93 (LNCS 765) , 240–247, chanics and Applied Mathematics , 4 (1951),

236–240. [184] B.O. B RACHTL , D. C OPPERSMITH , M.M. [172] J. B OS AND

H YDEN , S.M. M ATYAS J R ., C.H.W. able signatures”, Advances in Cryptology–

HAUM D. C , “Provably unforge-

M EYER , J. O SEAS , S. P ILPEL , AND CRYPTO ’92 (LNCS 740) , 1–14, 1993.

M. S CHILLING , “Data authentication using

modification detection codes based on a pub- chain heuristics”, Advances in Cryptology–

[173] J. B OS AND M. C OSTER , “Addition

lic one-way encryption function”, U.S. Patent CRYPTO ’89 (LNCS 435) , 400–407, 1990.

# 4,908,861, 13 Mar 1990.

[185] S. B RANDS , “Restrictive blinding of secret- “Faster primality testing”, Advances in

[174] W. B OSMA AND M.-P VAN DER H ULST ,

key certificates”, Advances in Cryptology– Cryptology–EUROCRYPT ’89 (LNCS 434) ,

EUROCRYPT ’95 (LNCS 921) , 231–247, 652–656, 1990.

[175] A. B OSSELAERS , R. G OVAERTS , AND J. V ANDEWALLE , “Cryptography within

[186] J. B RANDT AND AMG I. D ARD ˚ , “On gen- phase I of the EEC-RACE programme”,

eration of probable primes by incremental

B. Preneel, R. Govaerts, and J. Vandewalle, search”, Advances in Cryptology–CRYPTO editors, Computer Security and Industrial

’92 (LNCS 740) , 358–370, 1993. Cryptography: State of the Art and Evolution

[187] J. B RANDT , I. D AMG ARD ˚ , AND P. L AN - (LNCS 741) , 227–234, Springer-Verlag, 1993.

DROCK , “Speeding up prime number gener- [176]

, “Comparison of three modular re- ation”, Advances in Cryptology–ASIACRYPT duction functions”, Advances in Cryptology–

’91 (LNCS 739) , 440–449, 1993. CRYPTO ’93 (LNCS 773) , 175–186, 1994. ˚

[177] , “Fast hashing on the Pentium”, Ad- [188] J. B RANDT , I. D AMG ARD , P. L ANDROCK , vances in Cryptology–CRYPTO ’96 (LNCS

AND T. P EDERSEN , “Zero-knowledge au- 1109) , 298–312, 1996.

thentication scheme with secret key ex- change”, Advances in Cryptology–CRYPTO

[178] A. B OSSELAERS AND

’88 (LNCS 403) , 583–588, 1990. tors, Integrity Primitives for Secure Informa-

RENEEL B. P , edi-

tion Systems: Final Report of RACE Integrity [189] D.K. B RANSTAD , “Encryption protection in Primitives Evaluation RIPE-RACE 1040 ,

computer data communications”, Proceed- LNCS 1007, Springer-Verlag, New York,

ings of the 4th Data Communications Sympo- 1995.

sium (Quebec), 8.1–8.7, IEEE, 1975.

References 711

[190] G. BRASSARD, “A note on the complexity of cryptography”, IEEE Transactions on Information Theory, 25 (1979), 232–233.

[191] ——, “On computationally secure authentication tags requiring short secret shared keys”, Advances in Cryptology–Proceedings of Crypto 82, 79–86, 1983.

[192] ——, Modern Cryptology: A Tutorial, LNCS 325, Springer-Verlag, New York, 1988.

[193] G. BRASSARD, D. CHAUM, AND C. CRÉPEAU, “Minimum disclosure proofs of knowledge”, Journal of Computer and System Sciences, 37 (1988), 156–189.

[194] G. BRASSARD AND C. CRÉPEAU, “Zero-knowledge simulation of Boolean circuits”, Advances in Cryptology–CRYPTO ’86 (LNCS 263), 223–233, 1987.

[195] ——, “Sorting out zero-knowledge”, Advances in Cryptology–EUROCRYPT ’89 (LNCS 434), 181–191, 1990.

[196] R.P. BRENT, “An improved Monte Carlo factorization algorithm”, BIT, 20 (1980), 176–184.

[197] R.P. BRENT AND J.M. POLLARD, “Factorization of the eighth Fermat number”, Mathematics of Computation, 36 (1981), 627–630.

[198] D.M. BRESSOUD, Factorization and Primality Testing, Springer-Verlag, New York, 1989.

[199] E.F. BRICKELL, “A fast modular multiplication algorithm with applications to two key cryptography”, Advances in Cryptology–Proceedings of Crypto 82, 51–60, 1983.

[200] ——, “Breaking iterated knapsacks”, Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 342–358, 1985.

[201] ——, “The cryptanalysis of knapsack cryptosystems”, R.D. Ringeisen and F.S. Roberts, editors, Applications of Discrete Mathematics, 3–23, SIAM, 1988.

[202] E.F. BRICKELL AND J.M. DELAURENTIS, “An attack on a signature scheme proposed by Okamoto and Shiraishi”, Advances in Cryptology–CRYPTO ’85 (LNCS 218), 28–32, 1986.

[203] E.F. BRICKELL, D.M. GORDON, AND K.S. MCCURLEY, “Method for exponentiating in cryptographic systems”, U.S. Patent # 5,299,262, 29 Mar 1994.

[204] E.F. BRICKELL, D.M. GORDON, K.S. MCCURLEY, AND D.B. WILSON, “Fast exponentiation with precomputation”, Advances in Cryptology–EUROCRYPT ’92 (LNCS 658), 200–207, 1993.

[205] E.F. BRICKELL, P.J. LEE, AND Y. YACOBI, “Secure audio teleconference”, Advances in Cryptology–CRYPTO ’87 (LNCS 293), 418–

[206] E.F. BRICKELL AND K.S. MCCURLEY, “An interactive identification scheme based on discrete logarithms and factoring”, Advances in Cryptology–EUROCRYPT ’90 (LNCS 473),

[207] ——, “An interactive identification scheme based on discrete logarithms and factoring”, Journal of Cryptology, 5 (1992), 29–39. An earlier version appeared in [206].

[208] E.F. BRICKELL AND A.M. ODLYZKO, “Cryptanalysis: A survey of recent results”, Proceedings of the IEEE, 76 (1988), 578–593.

[209] ——, “Cryptanalysis: A survey of recent results”, G.J. Simmons, editor, Contemporary Cryptology: The Science of Information Integrity, 501–540, IEEE Press, 1992. An earlier version appeared in [208].

[210] J. BRILLHART, D. LEHMER, AND J. SELFRIDGE, “New primality criteria and factorizations of 2^m ± 1”, Mathematics of Computation, 29 (1975), 620–647.

[211] J. BRILLHART, D. LEHMER, J. SELFRIDGE, B. TUCKERMAN, AND S. WAGSTAFF JR., Factorizations of b^n ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 up to High Powers, volume 22 of Contemporary Mathematics, American Mathematical Society, Providence, Rhode Island, 2nd edition, 1988.

[212] J. BRILLHART AND J. SELFRIDGE, “Some factorizations of 2^n ± 1 and related results”, Mathematics of Computation, 21 (1967), 87–

[213] D. BRILLINGER, Time Series: Data Analysis and Theory, Holden-Day, San Francisco,

[214] L. BROWN, M. KWAN, J. PIEPRZYK, AND J. SEBERRY, “Improving resistance to differential cryptanalysis and the redesign of LOKI”, Advances in Cryptology–ASIACRYPT ’91 (LNCS 739), 36–50, 1993.

[215] L. BROWN, J. PIEPRZYK, AND J. SEBERRY, “LOKI – a cryptographic primitive for authentication and secrecy applications”, Advances in Cryptology–AUSCRYPT ’90 (LNCS 453), 229–236, 1990.


[216] J. BUCHMANN AND S. DÜLLMANN, “On the computation of discrete logarithms in class groups”, Advances in Cryptology–CRYPTO ’90 (LNCS 537), 134–139, 1991.

[217] J. BUCHMANN, J. LOHO, AND J. ZAYER, “An implementation of the general number field sieve”, Advances in Cryptology–CRYPTO ’93 (LNCS 773), 159–165, 1994.

[218] J. BUCHMANN AND H.C. WILLIAMS, “A key-exchange system based on imaginary quadratic fields”, Journal of Cryptology, 1 (1988), 107–118.

[219] J.P. BUHLER, H.W. LENSTRA JR., AND C. POMERANCE, “Factoring integers with the number field sieve”, A.K. Lenstra and H.W. Lenstra Jr., editors, The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics, 50–94, Springer-Verlag, 1993.

[220] M. BURMESTER, “On the risk of opening distributed keys”, Advances in Cryptology–CRYPTO ’94 (LNCS 839), 308–317, 1994.

[221] M. BURMESTER AND Y. DESMEDT, “Remarks on soundness of proofs”, Electronics Letters, 25 (October 26, 1989), 1509–1511.

[222] ——, “A secure and efficient conference key distribution system”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950), 275–286, 1995.

[223] M. BURMESTER, Y. DESMEDT, F. PIPER, AND M. WALKER, “A general zero-knowledge scheme”, Advances in Cryptology–EUROCRYPT ’89 (LNCS 434), 122–133, 1990.

[224] M. BURROWS, M. ABADI, AND R. NEEDHAM, “A logic of authentication”, Proceedings of the Royal Society of London Series A: Mathematical and Physical Sciences, 246 (1989), 233–271. Preliminary version appeared as 1989 version of [227].

[225] ——, “A logic of authentication”, Proceedings of the 12th Annual ACM Symposium on Operating Systems Principles, 1–13, 1989.

[226] ——, “A logic of authentication”, ACM Transactions on Computer Systems, 8 (1990), 18–36.

[227] ——, “A logic of authentication”, DEC SRC report #39, Digital Equipment Corporation, Palo Alto, CA, Feb. 1989. Revised Feb. 1990.

[228] J.L. CAMENISCH, J.-M. PIVETEAU, AND M.A. STADLER, “Blind signatures based on the discrete logarithm problem”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950),

[229] K.W. CAMPBELL AND M.J. WIENER, “DES is not a group”, Advances in Cryptology–CRYPTO ’92 (LNCS 740), 512–520, 1993.

[230] C.M. CAMPBELL JR., “Design and specification of cryptographic capabilities”, D.K. Branstad, editor, Computer security and the Data Encryption Standard, 54–66, NBS Special Publication 500-27, U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., 1977.

[231] E.R. CANFIELD, P. ERDÖS, AND C. POMERANCE, “On a problem of Oppenheim concerning ‘Factorisatio Numerorum’”, Journal of Number Theory, 17 (1983), 1–28.

[232] D.G. CANTOR AND H. ZASSENHAUS, “A new algorithm for factoring polynomials over finite fields”, Mathematics of Computation, 36

[233] J.L. CARTER AND M.N. WEGMAN, “Universal classes of hash functions”, Proceedings of the 9th Annual ACM Symposium on Theory of Computing, 106–112, 1977.

[234] ——, “Universal classes of hash functions”, Journal of Computer and System Sciences, 18 (1979), 143–154. An earlier version appeared in [233].

[235] F. CHABAUD, “On the security of some cryptosystems based on error-correcting codes”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950), 131–139, 1995.

[236] G.J. CHAITIN, “On the length of programs for computing finite binary sequences”, Journal of the Association for Computing Machinery, 13 (1966), 547–569.

[237] W.G. CHAMBERS, “Clock-controlled shift registers in binary sequence generators”, IEE Proceedings E – Computers and Digital Techniques, 135 (1988), 17–24.

[238] ——, “Two stream ciphers”, R. Anderson, editor, Fast Software Encryption, Cambridge Security Workshop (LNCS 809), 51–55, Springer-Verlag, 1994.

[239] W.G. CHAMBERS AND D. GOLLMANN, “Lock-in effect in cascades of clock-controlled shift-registers”, Advances in Cryptology–EUROCRYPT ’88 (LNCS 330),


[240] B. CHAR, K. GEDDES, G. GONNET, B. LEONG, M. MONAGAN, AND S. WATT, Maple V Library Reference Manual, Springer-Verlag, New York, 1991.

[241] C. C, L. O’C, J. P, R. SAFAVI-NAINI, AND Y. ZHENG, “Comments on Soviet encryption algorithm”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950), 433–438, 1995.

[242] D. CHAUM, “Blind signatures for untraceable payments”, Advances in Cryptology–Proceedings of Crypto 82, 199–203, 1983.

[243] ——, “Security without identification: transaction systems to make big brother obsolete”, Communications of the ACM, 28 (1985), 1030–1044.

[244] ——, “Demonstrating that a public predicate can be satisfied without revealing any information about how”, Advances in Cryptology–CRYPTO ’86 (LNCS 263), 195–199, 1987.

[245] ——, “Blinding for unanticipated signatures”, Advances in Cryptology–EUROCRYPT ’87 (LNCS 304), 227–233, 1988.

[246] ——, “Zero-knowledge undeniable signatures”, Advances in Cryptology–EUROCRYPT ’90 (LNCS 473), 458–464, 1991.

[247] ——, “Designated confirmer signatures”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950), 86–91, 1995.

[248] D. CHAUM, J.-H. EVERTSE, AND J. VAN DE GRAAF, “An improved protocol for demonstrating possession of discrete logarithms and some generalizations”, Advances in Cryptology–EUROCRYPT ’87 (LNCS 304), 127–141, 1988.

[249] D. CHAUM, J.-H. EVERTSE, J. VAN DE GRAAF, AND R. PERALTA, “Demonstrating possession of a discrete logarithm without revealing it”, Advances in Cryptology–CRYPTO ’86 (LNCS 263), 200–212, 1987.

[250] D. CHAUM, A. FIAT, AND M. NAOR, “Untraceable electronic cash”, Advances in Cryptology–CRYPTO ’88 (LNCS 403), 319–327, 1990.

[251] D. CHAUM AND T.P. PEDERSEN, “Wallet databases with observers”, Advances in Cryptology–CRYPTO ’92 (LNCS 740), 89–105, 1993.

[252] D. CHAUM AND H. VAN ANTWERPEN, “Undeniable signatures”, Advances in Cryptology–CRYPTO ’89 (LNCS 435), 212–216, 1990.

[253] D. CHAUM AND E. VAN HEIJST, “Group signatures”, Advances in Cryptology–EUROCRYPT ’91 (LNCS 547), 257–265, 1991.

[254] D. CHAUM, E. VAN HEIJST, AND B. PFITZMANN, “Cryptographically strong undeniable signatures, unconditionally secure for the signer”, Advances in Cryptology–CRYPTO ’91 (LNCS 576), 470–484, 1992.

[255] L. CHEN AND T.P. PEDERSEN, “New group signature schemes”, Advances in Cryptology–EUROCRYPT ’94 (LNCS 950), 171–181,

[256] V. CHEPYZHOV AND B. SMEETS, “On a fast correlation attack on certain stream ciphers”, Advances in Cryptology–EUROCRYPT ’91 (LNCS 547), 176–185, 1991.

[257] B. CHOR AND O. GOLDREICH, “Unbiased bits from sources of weak randomness and probabilistic communication complexity”, Proceedings of the IEEE 26th Annual Symposium on Foundations of Computer Science,

[258] ——, “Unbiased bits from sources of weak randomness and probabilistic communication complexity”, SIAM Journal on Computing, 17 (1988), 230–261. An earlier version appeared in [257].

[259] B. CHOR, S. GOLDWASSER, S. MICALI, AND B. AWERBUCH, “Verifiable secret sharing and achieving simultaneity in the presence of faults”, Proceedings of the IEEE 26th Annual Symposium on Foundations of Computer Science, 383–395, 1985.

[260] B. CHOR AND R.L. RIVEST, “A knapsack type public key cryptosystem based on arithmetic in finite fields”, Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 54–65, 1985.

[261] ——, “A knapsack-type public key cryptosystem based on arithmetic in finite fields”, IEEE Transactions on Information Theory, 34 (1988), 901–909. An earlier version appeared in [260].

[262] A. CLARK, J. GOLIĆ, AND E. DAWSON, “A comparison of fast correlation attacks”, D. Gollmann, editor, Fast Software Encryption, Third International Workshop (LNCS 1039), 145–157, Springer-Verlag, 1996.


[263] H. COHEN, A Course in Computational Algebraic Number Theory, Springer-Verlag, Berlin, 1993.

[264] H. COHEN AND A.K. LENSTRA, “Implementation of a new primality test”, Mathematics of Computation, 48 (1987), 103–121.

[265] H. COHEN AND H.W. LENSTRA JR., “Primality testing and Jacobi sums”, Mathematics of Computation, 42 (1984), 297–330.

[266] D. COPPERSMITH, “Fast evaluation of logarithms in fields of characteristic two”, IEEE Transactions on Information Theory, 30 (1984), 587–594.

[267] ——, “Another birthday attack”, Advances in Cryptology–CRYPTO ’85 (LNCS 218), 14–17, 1986.

[268] ——, “The real reason for Rivest’s phenomenon”, Advances in Cryptology–CRYPTO ’85 (LNCS 218), 535–536, 1986.

[269] ——, “Modifications to the number field sieve”, Journal of Cryptology, 6 (1993), 169–180.

[270] ——, “Solving linear equations over GF(2): Block Lanczos algorithm”, Linear Algebra and its Applications, 192 (1993), 33–60.

[271] ——, “The Data Encryption Standard (DES) and its strength against attacks”, IBM Journal of Research and Development, 38 (1994), 243–250.

[272] ——, “Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm”, Mathematics of Computation, 62 (1994), 333–350.

[273] ——, “Finding a small root of a bivariate integer equation; factoring with high bits known”, Advances in Cryptology–EUROCRYPT ’96 (LNCS 1070), 178–189, 1996.

[274] ——, “Finding a small root of a univariate modular equation”, Advances in Cryptology–EUROCRYPT ’96 (LNCS 1070), 155–165, 1996.

[275] ——, “Analysis of ISO/CCITT Document X.509 Annex D”, memorandum, IBM T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, U.S.A., June 11 1989.

[276] ——, “Two broken hash functions”, IBM Research Report RC 18397, IBM T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, U.S.A., Oct. 6 1992.

[277] D. COPPERSMITH, M. FRANKLIN, J. PATARIN, AND M. REITER, “Low-exponent RSA with related messages”, Advances in Cryptology–EUROCRYPT ’96 (LNCS 1070),

[278] D. COPPERSMITH, D.B. JOHNSON, AND S.M. MATYAS, “A proposed mode for triple-DES encryption”, IBM Journal of Research and Development, 40 (1996), 253–261.

[279] D. COPPERSMITH, H. KRAWCZYK, AND Y. MANSOUR, “The shrinking generator”, Advances in Cryptology–CRYPTO ’93 (LNCS

[280] D. COPPERSMITH, A.M. ODLYZKO, AND R. SCHROEPPEL, “Discrete logarithms in GF(p)”, Algorithmica, 1 (1986), 1–15.

[281] D. COPPERSMITH AND P. ROGAWAY, “Software-efficient pseudorandom function and the use thereof for encryption”, U.S. Patent # 5,454,039, 26 Sep 1995.

[282] T.H. CORMEN, C.E. LEISERSON, AND R.L. RIVEST, Introduction to Algorithms, MIT Press, Cambridge, Massachusetts, 1990.

[283] M.J. COSTER, A. JOUX, B.A. LAMACCHIA, A.M. ODLYZKO, C.P. SCHNORR, AND J. STERN, “Improved low-density subset sum algorithms”, Computational Complexity, 2 (1992), 111–128.

[284] J.-M. COUVEIGNES, “Computing a square root for the number field sieve”, A.K. Lenstra and H.W. Lenstra Jr., editors, The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics, 95–102, Springer-Verlag, 1993.

[285] T. COVER AND R. KING, “A convergent gambling estimate of the entropy of English”, IEEE Transactions on Information Theory, 24

[286] R.E. CRANDALL, “Method and apparatus for public key exchange in a cryptographic system”, U.S. Patent # 5,159,632, 27 Oct 1992.

[287] ——, “Method and apparatus for public key exchange in a cryptographic system”, U.S. Patent # 5,271,061, 14 Dec 1993 (continuation-in-part of 5,159,632).

[288] R.A. CROFT AND S.P. HARRIS, “Public-key cryptography and re-usable shared secrets”, H. Beker and F. Piper, editors, Cryptography and Coding, Institute of Mathematics & Its Applications (IMA), 189–201, Clarendon Press, 1989.


[289] J. DAEMEN, Cipher and hash function design, PhD thesis, Katholieke Universiteit Leuven (Belgium), 1995.

[290] J. DAEMEN, R. GOVAERTS, AND J. VANDEWALLE, “A new approach to block cipher design”, R. Anderson, editor, Fast Software Encryption, Cambridge Security Workshop (LNCS 809), 18–32, Springer-Verlag, 1994.

[291] ——, “Resynchronization weaknesses in synchronous stream ciphers”, Advances in Cryptology–EUROCRYPT ’93 (LNCS 765), 159–167, 1994.

[292] ——, “Weak keys for IDEA”, Advances in Cryptology–CRYPTO ’93 (LNCS 773), 224–231, 1994.

[293] Z.-D. DAI, “Proof of Rueppel’s linear complexity conjecture”, IEEE Transactions on Information Theory, 32 (1986), 440–443.

[294] Z.-D. DAI AND J.-H. YANG, “Linear complexity of periodically repeated random sequences”, Advances in Cryptology–EUROCRYPT ’91 (LNCS 547), 168–175, 1991.

[295] I.B. DAMGÅRD, “Collision free hash functions and public key signature schemes”, Advances in Cryptology–EUROCRYPT ’87 (LNCS 304), 203–216, 1988.

[296] ——, “A design principle for hash functions”, Advances in Cryptology–CRYPTO ’89 (LNCS 435), 416–427, 1990.

[297] ——, “Towards practical public key systems secure against chosen ciphertext attacks”, Advances in Cryptology–CRYPTO ’91 (LNCS 576), 445–456, 1992.

[298] ——, “Practical and provably secure release of a secret and exchange of signatures”,

[301] H. DAVENPORT, “Bases for finite fields”, The Journal of the London Mathematical Society, 43 (1968), 21–39.

[302] G.I. DAVIDA, “Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem”, Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, WI, 1982.

[303] D.W. DAVIES, “Some regular properties of the ‘Data Encryption Standard’ algorithm”, Advances in Cryptology–Proceedings of Crypto 82, 89–96, 1983.

[304] ——, “A message authenticator algorithm suitable for a mainframe computer”, Advances in Cryptology–Proceedings of CRYPTO 84 (LNCS 196), 393–400, 1985.

[305] ——, “Schemes for electronic funds transfer at the point of sale”, K.M. Jackson and J. Hruska, editors, Computer Security Reference Book, 667–689, CRC Press, 1992.

[306] D.W. DAVIES AND D.O. CLAYDEN, “The message authenticator algorithm (MAA) and its implementation”, Report DITC 109/88, National Physical Laboratory, U.K., February

[307] D.W. DAVIES AND G.I.P. PARKIN, “The average cycle size of the key stream in output feedback encipherment”, Advances in Cryptology–Proceedings of Crypto 82, 97–98,

[308] D.W. DAVIES AND W.L. PRICE, Security for Computer Networks, John Wiley & Sons, New York, 2nd edition, 1989.

[309] D. DAVIS, R. IHAKA, AND P. FENSTERMACHER, “Cryptographic randomness from