References.Pdf

This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac

CRC Press has granted the following speciﬁc permissions for the electronic version of this book:

Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press.

Except where over-ridden by the speciﬁc permission above, the standard copyright notice from CRC Press applies to this electronic version:

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microﬁlming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Speciﬁc permission must be obtained in writing from CRC Press for such copying.

c 1997 by CRC Press, Inc. References

[1] M. ABADI AND R. NEEDHAM, ªPrudent en- [11] L.M. ADLEMAN AND J. DEMARRAIS,ªA gineering practice for cryptographic proto- subexponential algorithm for discrete loga- colsº, DEC SRC report #125, Digital Equip- rithms over all ®nite ®eldsº, Mathematics of ment Corporation, Palo Alto, CA, 1994. Computation, 61 (1993), 1±15.

[2] M. ABADI AND M.R. TUTTLE, ªA seman- [12] L.M. ADLEMAN,J.DEMARRAIS, AND M.- tics for a logic of authenticationº, Proceed- D. HUANG, ªA subexponential algorithm for ings of the Tenth Annual ACM Symposium discrete logarithms over the rational subgroup on Principles of Distributed Computing, 201± of the Jacobians of large genus hyperelliptic 216, 1991. curves over ®nite ®eldsº, Algorithmic Number [3] C. ADAMS, ªSymmetric cryptographic sys- Theory (LNCS 877), 28±40, 1994. tem for data encryptionº, U.S. Patent # [13] L.M. ADLEMAN AND M.-D. A. HUANG, 5,511,123, 23 Apr 1996. Primality Testing and Abelian Varieties Over [4] , ªIDUP and SPKM: Developing Finite Fields, Springer-Verlag, Berlin, 1992. public-key-based APIs and mechanisms for [14] L.M. ADLEMAN AND H.W. LENSTRA JR., communication security servicesº, Proceed- ªFinding irreducible polynomials over ®nite ings of the Internet Society Symposium on Net- ®eldsº, Proceedings of the 18th Annual ACM work and Distributed System Security, 128± Symposium on Theory of Computing, 350± 135, IEEE Computer Society Press, 1996. 355, 1986. [5] C. ADAMS AND H. MEIJER, ªSecurity- related comments regarding McEliece's [15] L.M. ADLEMAN AND K.S. MCCURLEY, public-key cryptosystemº, Advances in ªOpen problems in number theoretic com- Cryptology±CRYPTO '87 (LNCS 293), 224± plexity, IIº, Algorithmic Number Theory 228, 1988. (LNCS 877), 291±322, 1994. [6] , ªSecurity-related comments regard- [16] L.M. ADLEMAN,C.POMERANCE, AND ing McEliece's public-key cryptosystemº, R.S. RUMELY, ªOn distinguishing prime IEEE Transactions on Information Theory,35 numbers from composite numbersº, Annals of (1989), 454±455. An earlier version appeared Mathematics, 117 (1983), 173±206. in [5]. [17] G.B. AGNEW, ªRandom sources for crypto- [7] C. ADAMS AND S.E. TAVA R E S, ªDesign- graphic systemsº, Advances in Cryptology± ing S-boxes for ciphers resistant to differen- EUROCRYPT '87 (LNCS 304), 77±81, 1988. tial cryptanalysisº, W. Wolfowicz, editor, Pro- [18] G.B. AGNEW,R.C.MULLIN,I.M.ONYSZ- ceedings of the 3rd Symposium on State and CHUK, AND S.A. VANSTONE,ªAnimple- Progress of Research in Cryptography, Rome, mentation for a fast public-key cryptosystemº, Italy, 181±190, 1993. Journal of Cryptology, 3 (1991), 63±79. [8] L.M. ADLEMAN, ªA subexponential algorithm for the discrete logarithm problem with [19] G.B. AGNEW,R.C.MULLIN, AND S.A. applications to cryptographyº, Proceedings of VANSTONE, ªImproved digital signature sch- the IEEE 20th Annual Symposium on Founda- eme based on discrete exponentiationº, Elec- tions of Computer Science, 55±60, 1979. tronics Letters, 26 (July 5, 1990), 1024±1025. [9] , ªThe function ®eld sieveº, Algorith- [20] S.G. AKL, ªOn the security of com- mic Number Theory (LNCS 877), 108±121, pressed encodingsº, Advances in Cryptology± 1994. Proceedings of Crypto 83, 209±230, 1984. [10] , ªMolecular computation of solutions [21] N. ALEXANDRIS,M.BURMESTER,V.CHR- to combinatorial problemsº, Science, 266 ISSIKOPOULOS, AND Y. D ESMEDT,ªAse- (1994), 1021±1024. cure key distribution systemº, W. Wolfowicz,

703 704 References

editor, Proceedings of the 3rd Symposium on [34] ANSI X3.106, ªAmerican National Standard State and Progress of Research in Cryptogra- for Information Systems ± Data Encryption phy, Rome, Italy, 30±34, Feb. 1993. Algorithm ± Modes of Operationº, American [22] W. ALEXI,B.CHOR,O.GOLDREICH, AND National Standards Institute, 1983. 1 CHNORR + C.P. S , ªRSA/Rabin bits are 2 [35] ANSI X9.8, ªAmerican National Standard 1/poly(log n) secureº, Proceedings of the for Financial Services ± Banking ± Personal IEEE 25th Annual Symposium on Founda- Identi®cation Number management and se- tions of Computer Science, 449±457, 1984. curity. Part 1: PIN protection principles and [23] , ªRSA and Rabin functions: Certain techniques; Part 2: Approved algorithms for parts are as hard as the wholeº, SIAM Journal PIN enciphermentº, ASC X9 Secretariat ± on Computing, 17 (1988), 194±209. An ear- American Bankers Association, 1995. lier version appeared in [22]. [36] ANSI X9.9 (REVISED), ªAmerican National [24] W.R. ALFORD,A.GRANVILLE, AND Standard ± Financial institution message au- C. POMERANCE, ªThere are in®nitely many thentication (wholesale)º, ASC X9 Secretariat Carmichael numbersº, Annals of Mathemat- ics, 140 (1994), 703±722. ± American Bankers Association, 1986 (re- places X9.9±1982). [25] H. AMIRAZIZI AND M. HELLMAN,ªTime- memory-processor trade-offsº, IEEE Trans- [37] ANSI X9.17, ªAmerican National Stan- actions on Information Theory, 34 (1988), dard ± Financial institution key management 505±512. (wholesale)º, ASC X9 Secretariat ± American [26] R. ANDERSON, ªPractical RSA trapdoorº, Bankers Association, 1985. Electronics Letters, 29 (May 27, 1993), 995. [38] ANSI X9.19, ªAmerican National Standard [27] , ªThe classi®cation of hash functionsº, ± Financial institution retail message authen- P.G. Farrell, editor, Codes and Cyphers: ticationº, ASC X9 Secretariat ± American Cryptography and Coding IV, 83±93, Institute Bankers Association, 1986. of Mathematics & Its Applications (IMA), 1995. [39] ANSI X9.23, ªAmerican National Standard [28] , ªOn Fibonacci keystream generatorsº, ± Financial institution encryption of whole- B. Preneel, editor, Fast Software Encryption, sale ®nancial messagesº, ASC X9 Secretariat ± American Bankers Association, 1988. Second International Workshop (LNCS 1008), 346±352, Springer-Verlag, 1995. [40] ANSI X9.24, ªAmerican National Standard [29] , ªSearching for the optimum correla- for Financial Services ± Financial services re- tion attackº, B. Preneel, editor, Fast Software tail key managementº, ASC X9 Secretariat ± Encryption, Second International Workshop American Bankers Association, 1992. (LNCS 1008), 137±143, Springer-Verlag, 1995. [41] ANSI X9.26, ªAmerican National Standard ± Financial institution sign-on authentication [30] R. ANDERSON AND E. BIHAM, ªTwo prac- for wholesale ®nancial transactionsº, ASC X9 tical and provably secure block ciphers: Secretariat ± American Bankers Association, BEAR and LIONº, D. Gollmann, editor, 1990. Fast Software Encryption, Third International Workshop (LNCS 1039), 113±120, Springer- [42] ANSI X9.28, ªAmerican National Stan- Verlag, 1996. dard for Financial Services ± Financial in- [31] R. ANDERSON AND R. NEEDHAM, ªRobust- stitution multiple center key management ness principles for public key protocolsº, Ad- (wholesale)º, ASC X9 Secretariat ± American vances in Cryptology±CRYPTO '95 (LNCS Bankers Association, 1991. 963), 236±247, 1995. [43] ANSI X9.30 (PART 1), ªAmerican National [32] N.C. ANKENY, ªThe least quadratic non Standard for Financial Services ± Public key residueº, Annals of Mathematics, 55 (1952), cryptography using irreversible algorithms for 65±72. the ®nancial services industry ± Part 1: The [33] ANSI X3.92, ªAmerican National Standard digital signature algorithm (DSA)º, ASC X9 ± Data Encryption Algorithmº, American Na- Secretariat ± American Bankers Association, tional Standards Institute, 1981. 1995.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 705

[44] ANSI X9.30 (PART 2), ªAmerican National [56] F. ARNAULT, ªRabin-Miller primality test: Standard for Financial Services ± Public key composite numbers which pass itº, Mathemat- cryptography using irreversible algorithms ics of Computation, 64 (1995), 355±361. for the ®nancial services industry ± Part 2: [57] A.O.L. ATKIN AND R.G. LARSON,ªOna The secure hash algorithm (SHA)º, ASC X9 primality test of Solovay and Strassenº, SIAM Secretariat ± American Bankers Association, Journal on Computing, 11 (1982), 789±791. 1993. [58] A.O.L. ATKIN AND F. MORAIN, ªElliptic [45] ANSI X9.31 (PART 1), ªAmerican National curves and primality provingº, Mathematics Standard for Financial Services ± Public key of Computation, 61 (1993), 29±68. cryptography using RSA for the ®nancial services industry ± Part 1: The RSA signature al- [59] D. ATKINS,M.GRAFF,A.K.LENSTRA, gorithmº, draft, 1995. AND P.C. L EYLAND, ªThe magic words are SQUEAMISH OSSIFRAGEº, Advances in [46] ANSI X9.31 (PART 2), ªAmerican National Cryptology±ASIACRYPT '94 (LNCS 917), Standard for Financial Services ± Public key 263±277, 1995. cryptography using RSA for the ®nancial services industry ± Part 2: Hash algorithms for [60] L. BABAI, ªTrading group theory for random- RSAº, draft, 1995. nessº, Proceedings of the 17th Annual ACM Symposium on Theory of Computing, 421± [47] ANSI X9.42, ªPublic key cryptography for 429, 1985. the ®nancial services industry: Management [61] L. BABAI AND S. MORAN, ªArthur-Merlin of symmetric algorithm keys using Dif®e- games: a randomized proof system, and a Hellmanº, draft, 1995. hierarchy of complexity classesº, Journal of [48] ANSI X9.44, ªPublic key cryptography us- Computer and System Sciences, 36 (1988), ing reversible algorithms for the ®nancial ser- 254±276. vices industry: Transport of symmetric algo- [62] E. BACH, ªDiscrete logarithms and factor- rithm keys using RSAº, draft, 1994. ingº, Report No. UCB/CSD 84/186, Com- [49] ANSI X9.45, ªPublic key cryptography for puter Science Division (EECS), University of the ®nancial services industry ± Enhanced California, Berkeley, California, 1984. management controls using digital signatures [63] , Analytic Methods in the Analysis and and attribute certi®catesº, draft, 1996. Design of Number-Theoretic Algorithms,MIT [50] ANSI X9.52, ªTriple data encryption algo- Press, Cambridge, Massachusetts, 1985. An rithm modes of operationº, draft, 1996. ACM Distinguished Dissertation. [51] ANSI X9.55, ªPublic key cryptography for [64] , ªExplicit bounds for primality testing the ®nancial services industry ± Extensions to and related problemsº, Mathematics of Com- public key certi®cates and certi®cate revoca- putation, 55 (1990), 355±380. tion listsº, draft, 1995. [65] , ªNumber-theoretic algorithmsº, An- [52] ANSI X9.57, ªPublic key cryptography for nual Review of Computer Science, 4 (1990), the ®nancial services industry ± Certi®cate 119±172. managementº, draft, 1995. [66] , ªRealistic analysis of some random- [53] K. AOKI AND K. OHTA, ªDifferential-linear ized algorithmsº, Journal of Computer and cryptanalysis of FEAL-8º, IEICE Transac- System Sciences, 42 (1991), 30±53. tions on Fundamentals of Electronics, Com- [67] , ªToward a theory of Pollard's rho munications and Computer Science, E79-A methodº, Information and Computation,90 (1996), 20±27. (1991), 139±155. [54] B. ARAZI, ªIntegrating a key distribution pro- [68] E. BACH AND J. SHALLIT, ªFactoring with cedure into the digital signature standardº, cyclotomic polynomialsº, Proceedings of the Electronics Letters, 29 (May 27, 1993), 966± IEEE 26th Annual Symposium on Founda- 967. tions of Computer Science, 443±450, 1985. [55] , ªOn primality testing using purely di- [69] , ªFactoring with cyclotomic polynomi- visionless operationsº, The Computer Jour- alsº, Mathematics of Computation, 52 (1989), nal, 37 (1994), 219±222. 201±219. An earlier version appeared in [68].

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 706 References

[70] , Algorithmic Number Theory, Volume that are probably primeº, Journal of Cryptol- I: Ef®cient Algorithms, MIT Press, Cam- ogy, 1 (1988), 53±64. bridge, Massachusetts, 1996. [82] P. BEGUINÂ AND J.-J. QUISQUATER,ªSe- [71] E. BACH AND J. SORENSON, ªSieve algo- cure acceleration of DSS signatures using rithms for perfect power testingº, Algorith- insecure serverº, Advances in Cryptology± mica, 9 (1993), 313±328. ASIACRYPT '94 (LNCS 917), 249±259, 1995. [72] A. BAHREMAN, ªPEMToolKit: Building a [83] A. BEIMEL AND B. CHOR, ªInteraction top-down certi®cation hierarchyº, Proceed- in key distribution schemesº, Advances in ings of the Internet Society Symposium on Net- Cryptology±CRYPTO '93 (LNCS 773), 444± work and Distributed System Security, 161± 455, 1994. 171, IEEE Computer Society Press, 1995. [73] T. BARITAUD,M.CAMPANA,P.CHAU- [84] H. BEKER AND F. PIPER, Cipher Systems: VAUD, AND H. GILBERT, ªOn the security The Protection of Communications, John Wi- of the permuted kernel identi®cation schemeº, ley & Sons, New York, 1982. Advances in Cryptology±CRYPTO '92 (LNCS [85] H. BEKER AND M. WALKER, ªKey manage- 740), 305±311, 1993. ment for secure electronic funds transfer in a [74] W. BARKER, Cryptanalysis of the Hagelin retail environmentº, Advances in Cryptology± Cryptograph, Aegean Park Press, Laguna Proceedings of CRYPTO 84 (LNCS 196), Hills, California, 1977. 401±410, 1985. [75] P. BARRETT, ªImplementing the Rivest [86] M. BELLARE,R.CANETTI, AND H. KRAW- Shamir and Adleman public key encryption CZYK, ªKeying hash functions for message algorithm on a standard digital signal proces- authenticaionº, Advances in Cryptology± sorº, Advances in Cryptology±CRYPTO '86 CRYPTO '96 (LNCS 1109), 1±15, 1996. (LNCS 263), 311±323, 1987. [87] M. BELLARE AND O. GOLDREICH,ªOn [76] R.K. BAUER,T.A.BERSON, AND R.J. de®ning proofs of knowledgeº, Advances in FEIERTAG, ªA key distribution protocol using event markersº, ACM Transactions on Com- Cryptology±CRYPTO '92 (LNCS 740), 390± puter Systems, 1 (1983), 249±255. 420, 1993. [77] U. BAUM AND S. BLACKBURN, ªClock- [88] M. BELLARE,O.GOLDREICH, AND controlled pseudorandom generators on ®nite S. GOLDWASSER, ªIncremental cryptogra- groupsº, B. Preneel, editor, Fast Software phy: The case of hashing and signingº, Ad- Encryption, Second International Workshop vances in Cryptology±CRYPTO '94 (LNCS (LNCS 1008), 6±21, Springer-Verlag, 1995. 839), 216±233, 1994. [78] F. BAUSPIESS AND H.-J. KNOBLOCH, [89] , ªIncremental cryptography and appli- ªHow to keep authenticity alive in a com- cation to virus protectionº, Proceedings of the puter networkº, Advances in Cryptology± 27th Annual ACM Symposium on Theory of EUROCRYPT '89 (LNCS 434), 38±46, 1990. Computing, 45±56, 1995. [79] D. BAYER,S.HABER, AND W.S. STOR- [90] M. BELLARE,R.GUERINÂ , AND P. RO- NETTA, ªImproving the ef®ciency and reli- GAWAY, ªXOR MACs: New methods for ability of digital time-stampingº, R. Capoc- message authentication using ®nite pseudo- elli, A. De Santis, and U. Vaccaro, editors, random functionsº, Advances in Cryptology± Sequences II: Methods in Communication, CRYPTO '95 (LNCS 963), 15±28, 1995. Security, and Computer Science, 329±334, Springer-Verlag, 1993. [91] M. BELLARE,J.KILIAN, AND P. ROG- [80] P. BEAUCHEMIN AND G. BRASSARD,ªA AWAY, ªThe security of cipher block chain- generalization of Hellman's extension to ingº, Advances in Cryptology±CRYPTO '94 Shannon's approach to cryptographyº, Jour- (LNCS 839), 341±358, 1994. nal of Cryptology, 1 (1988), 129±131. [92] M. BELLARE AND S. MICALI,ªHowtosign [81] P. BEAUCHEMIN,G.BRASSARD,C. given any trapdoor functionº, Advances in CREPEAUÂ ,C.GOUTIER, AND C. POMER- Cryptology±CRYPTO '88 (LNCS 403), 200± ANCE, ªThe generation of random numbers 215, 1990.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 707

[93] M. BELLARE AND P. ROGAWAY, ªRandom [105] , ªAugmented encrypted key exchange: oracles are practical: a paradigm for designing a password-based protocol secure against dic- ef®cient protocolsº, 1st ACM Conference on tionary attacks and password ®le compro- Computer and Communications Security, 62± miseº, 1st ACM Conference on Computer and 73, ACM Press, 1993. Communications Security, 244±250, ACM Press, 1993. [94] , ªEntity authentication and key dis- tributionº, Advances in Cryptology±CRYPTO [106] , ªAn attack on the Interlock Protocol '93 (LNCS 773), 232±249, 1994. when used for authenticationº, IEEE Transac- tions on Information Theory, 40 (1994), 273± [95] , ªOptimal asymmetric encryptionº, 275. Advances in Cryptology±EUROCRYPT '94 (LNCS 950), 92±111, 1995. [107] I. BEN-AROYA AND E. BIHAM,ªDiffer- ential cyptanalysis of Luciferº, Advances in [96] , ªProvably secure session key distribu- Cryptology±CRYPTO '93 (LNCS 773), 187± tion ± the three party caseº, Proceedings of the 199, 1994. 27th Annual ACM Symposium on Theory of Computing, 57±66, 1995. [108] , ªDifferential cryptanalysis of Lu- ciferº, Journal of Cryptology, 9 (1996), 21± [97] M.J. BELLER,L.-F.CHANG, AND Y. YA- 34. An earlier version appeared in [107]. COBI, ªPrivacy and authentication on a portable communications systemº, IEEE [109] M. BEN-OR, ªProbabilistic algorithms in ®- Global Telecommunications Conference, nite ®eldsº, Proceedings of the IEEE 22nd An- 1922±1927, 1991. nual Symposium on Foundations of Computer Science, 394±398, 1981. [98] , ªSecurity for personal communica- [110] J. BENALOH, ªSecret sharing homomor- tions services: public-key vs. private key phisms: Keeping shares of a secret secretº, approachesº, The Third IEEE International Advances in Cryptology±CRYPTO '86 (LNCS Symposium on Personal, Indoor and Mobile 263), 251±260, 1987. Radio Communications (PIMRC'92), 26±31, 1992. [111] J. BENALOH AND M. DE MARE,ªOne- way accumulators: A decentralized alter- [99] , ªPrivacy and authentication on a native to digital signaturesº, Advances in portable communications systemº, IEEE Cryptology±EUROCRYPT '93 (LNCS 765), Journal on Selected Areas in Communica- 274±285, 1994. tions, 11 (1993), 821±829. [112] J. BENALOH AND J. LEICHTER,ªGeneral- [100] M.J. BELLER AND Y. YACOBI,ªMinimal ized secret sharing and monotone functionsº, asymmetric authentication and key agree- Advances in Cryptology±CRYPTO '88 (LNCS ment schemesº, October 1994 unpublished 403), 27±35, 1990. manuscript. [113] S. BENGIO,G.BRASSARD,Y.G.DESMEDT, [101] , ªFully-¯edged two-way public key au- C. GOUTIER, AND J.-J. QUISQUATER,ªSe- thentication and key agreement for low-cost cure implementation of identi®cation sys- terminalsº, Electronics Letters, 29 (May 27, temsº, Journal of Cryptology, 4 (1991), 175± 1993), 999±1001. 183.

[102] S.M. BELLOVIN AND M. MERRITT, ªCryp- [114] C. BENNETT,G.BRASSARD,S.BREID- tographic protocol for secure communica- BART, AND S. WIESNER, ªQuantum cryp- tionsº, U.S. Patent # 5,241,599, 31 Aug 1993. tography, or unforgeable subway tokensº, Ad- [103] , ªLimitations of the Kerberos authen- vances in Cryptology±Proceedings of Crypto tication systemº, Computer Communication 82, 267±275, 1983. Review, 20 (1990), 119±132. [115] C. BENNETT,G.BRASSARD, AND A. EK- ERT, ªQuantum cryptographyº, Scienti®c [104] , ªEncrypted key exchange: password- American, special issue (1997), 164±171. based protocols secure against dictionary at- tacksº, Proceedings of the 1992 IEEE Com- [116] S. BERKOVITS, ªHow to broadcast a secretº, puter Society Symposium on Research in Se- Advances in Cryptology±EUROCRYPT '91 curity and Privacy, 72±84, 1992. (LNCS 547), 535±541, 1991.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 708 References

[117] E.R. BERLEKAMP, ªFactoring polynomials [130] , ªOn modes of operationº, R. Ander- over ®nite ®eldsº, Bell System Technical Jour- son, editor, Fast Software Encryption, Cam- nal, 46 (1967), 1853±1859. bridge Security Workshop (LNCS 809), 116± [118] , Algebric Coding Theory,McGraw 120, Springer-Verlag, 1994. Hill, New York, 1968. [131] , ªCryptanalysis of multiple modes [119] , ªFactoring polynomials over large ®- of operationº, Advances in Cryptology± nite ®eldsº, Mathematics of Computation,24 ASIACRYPT '94 (LNCS 917), 278±292, 1995. (1970), 713±735. [132] , ªOn Matsui's linear cryptanalysisº, [120] E.R. BERLEKAMP,R.J.MCELIECE, AND Advances in Cryptology±EUROCRYPT '94 H.C.A. VA N TILBORG, ªOn the inherent (LNCS 950), 341±355, 1995. intractability of certain coding problemsº, IEEE Transactions on Information Theory,24 [133] E. BIHAM AND A. BIRYUKOV,ªHowto (1978), 384±386. strengthen DES using existing hardwareº, [121] D.J. BERNSTEIN, ªDetecting perfect powers Advances in Cryptology±ASIACRYPT '94 in essentially linear timeº, preprint, 1995. (LNCS 917), 398±412, 1995. [122] D.J. BERNSTEIN AND A.K. LENSTRA,ªA [134] E. BIHAM AND A. SHAMIR, ªDifferential general number ®eld sieve implementationº, cryptanalysis of DES-like cryptosystemsº, A.K. Lenstra and H.W. Lenstra Jr., editors, Journal of Cryptology, 4 (1991), 3±72. An The Development of the Number Field Sieve, earlier version appeared in [135]. volume 1554 of Lecture Notes in Mathemat- ics, 103±126, Springer-Verlag, 1993. [135] , ªDifferential cryptanalysis of DES- like cryptosystemsº, Advances in Cryptology± [123] T. BETH, ªEf®cient zero-knowledge identi®- CRYPTO '90 (LNCS 537), 2±21, 1991. cation scheme for smart cardsº, Advances in Cryptology±EUROCRYPT '88 (LNCS 330), [136] , ªDifferential cryptanalysis of Feal 77±84, 1988. and N-Hashº, Advances in Cryptology± [124] T. BETH AND Z.-D. DAI, ªOn the complex- EUROCRYPT '91 (LNCS 547), 1±16, 1991. ity of pseudo-random sequences ± or: If you [137] , ªDifferential cryptanalysis of Snefru, can describe a sequence it can't be randomº, Khafre, REDOC-II, LOKI, and Luciferº, Ad- Advances in Cryptology±EUROCRYPT '89 vances in Cryptology±CRYPTO '91 (LNCS (LNCS 434), 533±543, 1990. 576), 156±171, 1992. [125] T. BETH,H.-J.KNOBLOCH,M.OTTEN, G.J. SIMMONS, AND P. W ICHMANN,ªTo- [138] , Differential Cryptanalysis of the Data wards acceptable key escrow systemsº, 2nd Encryption Standard, Springer-Verlag, New ACM Conference on Computer and Commu- York, 1993. nications Security, 51±58, ACM Press, 1994. [139] , ªDifferential cryptanalysis of the full [126] T. BETH AND F.C. PIPER, ªThe stop-and- 16-round DESº, Advances in Cryptology± go generatorº, Advances in Cryptology± CRYPTO '92 (LNCS 740), 487±496, 1993. Proceedings of EUROCRYPT 84 (LNCS 209), [140] R. BIRD,I.GOPAL,A.HERZBERG, 88±92, 1985. P. JANSON,S.KUTTEN,R.MOLVA, AND IERBRAUER OHANSSON A [127] J. B ,T.J ,G.K - M. YUNG, ªSystematic design of two- BATIANSKII, AND B. SMEETS,ªOnfami- party authentication protocolsº, Advances in lies of hash functions via geometric codes Cryptology±CRYPTO '91 (LNCS 576), 44± and concatenationº, Advances in Cryptology± 61, 1992. CRYPTO '93 (LNCS 773), 331±342, 1994. [128] E. BIHAM, ªNew types of cryptanalytic [141] , ªSystematic design of a family of attacks using related keysº, Advances in attack-resistant authentication protocolsº, Cryptology±EUROCRYPT '93 (LNCS 765), IEEE Journal on Selected Areas in Commu- 398±409, 1994. nications, 11 (1993), 679±693. [129] , ªNew types of cryptanalytic attacks [142] , ªThe KryptoKnight family of light- using related keysº, Journal of Cryptology,7 weight protocols for authentication and key (1994), 229±246. An earlier version appeared distributionº, IEEE/ACM Transactions on in [128]. Networking, 3 (1995), 31±41.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 709

[143] S. BLACKBURN,S.MURPHY, AND J. STE- [155] D. BLEICHENBACHER AND U. MAURER, RN, ªThe cryptanalysis of a public-key imple- ªDirected acyclic graphs, one-way func- mentation of ®nite group mappingsº, Journal tions and digital signaturesº, Advances in of Cryptology, 8 (1995), 157±166. Cryptology±CRYPTO '94 (LNCS 839), 75± 82, 1994. [144] R.E. BLAHUT, Principles and Practice of In- formation Theory, Addison-Wesley, Reading, [156] U. BLOCHERÈ AND M. DICHTL, ªFish: A fast Massachusetts, 1987. software stream cipherº, R. Anderson, editor, Fast Software Encryption, Cambridge Secu- [145] I.F. BLAKE,R.FUJI-HARA,R.C.MULLIN, rity Workshop (LNCS 809), 41±44, Springer- AND S.A. VANSTONE, ªComputing loga- Verlag, 1994. rithms in ®nite ®elds of characteristic twoº, SIAM Journal on Algebraic and Discrete [157] R. BLOM, ªNon-public key distributionº, Ad- Methods, 5 (1984), 276±285. vances in Cryptology±Proceedings of Crypto 82, 231±236, 1983. [146] I.F. BLAKE,S.GAO, AND R. LAMBERT, [158] , ªAn optimal class of symmet- ªConstructive problems for irreducible poly- ric key generation systemsº, Advances in nomials over ®nite ®eldsº, T.A. Gulliver and Cryptology±Proceedings of EUROCRYPT 84 N.P. Secord, editors, Information Theory and (LNCS 209), 335±338, 1985. Applications (LNCS 793), 1±23, Springer- Verlag, 1994. [159] L. BLUM,M.BLUM, AND M. SHUB,ªCom- parison of two pseudo-random number gener- [147] B. BLAKLEY,G.R.BLAKLEY,A.H.CHAN, atorsº, Advances in Cryptology±Proceedings AND J.L. MASSEY, ªThreshold schemes with of Crypto 82, 61±78, 1983. disenrollmentº, Advances in Cryptology± CRYPTO '92 (LNCS 740), 540±548, 1993. [160] , ªA simple unpredictable pseudorandom number generatorº, SIAM Journal on [148] G. BLAKLEY, ªSafeguarding cryptographic Computing, 15 (1986), 364±383. An earlier keysº, Proceedings of AFIPS National Com- version appeared in [159]. puter Conference, 313±317, 1979. [161] M. BLUM, ªIndependent unbiased coin ¯ips [149] , ªA computer algorithm for calculating from a correlated biased source: a ®nite state the product AB modulo Mº, IEEE Transac- Markov chainº, Proceedings of the IEEE 25th tions on Computers, 32 (1983), 497±500. Annual Symposium on Foundations of Com- puter Science, 425±433, 1984. [150] G. BLAKLEY AND I. BOROSH,ªRivest- Shamir-Adleman public key cryptosystems [162] M. BLUM,A.DE SANTIS,S.MICALI, do not always conceal messagesº, Comput- AND G. PERSIANO, ªNoninteractive zero- ers and Mathematics with Applications,5:3 knowledgeº, SIAM Journal on Computing,20 (1979), 169±178. (1991), 1084±1118. [163] M. BLUM,P.FELDMAN, AND S. MICALI, [151] G. BLAKLEY AND C. MEADOWS, ªSecurity ªNon-interactive zero-knowledge and its ap- of ramp schemesº, Advances in Cryptology± plicationsº, Proceedings of the 20th Annual Proceedings of CRYPTO 84 (LNCS 196), ACM Symposium on Theory of Computing, 242±268, 1985. 103±112, 1988. [152] M. BLAZE, ªProtocol failure in the escrowed [164] M. BLUM AND S. GOLDWASSER,ªAnef- encryption standardº, 2nd ACM Conference ®cient probabilistic public-key encryption on Computer and Communications Security, scheme which hides all partial informa- 59±67, ACM Press, 1994. tionº, Advances in Cryptology±Proceedings [153] D. BLEICHENBACHER, ªGenerating ElGa- of CRYPTO 84 (LNCS 196), 289±299, 1985. mal signatures without knowing the secret [165] M. BLUM AND S. MICALI, ªHow to generate keyº, Advances in Cryptology±EUROCRYPT cryptographically strong sequences of pseudo '96 (LNCS 1070), 10±18, 1996. random bitsº, Proceedings of the IEEE 23rd [154] D. BLEICHENBACHER,W.BOSMA, AND Annual Symposium on Foundations of Com- A.K. LENSTRA, ªSome remarks on Lucas- puter Science, 112±117, 1982. based cryptosystemsº, Advances in Cryptolo- [166] , ªHow to generate cryptographically gy±CRYPTO '95 (LNCS 963), 386±396, 1995. strong sequences of pseudo-random bitsº,

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 710 References

SIAM Journal on Computing, 13 (1984), 850± [179] J. BOYAR, ªInferring sequences produced by 864. An earlier version appeared in [165]. a linear congruential generator missing low- [167] C. BLUNDO AND A. CRESTI, ªSpace require- order bitsº, Journal of Cryptology, 1 (1989), ments for broadcast encryptionº, Advances in 177±184. Cryptology±EUROCRYPT '94 (LNCS 950), [180] , ªInferring sequences produced by 287±298, 1995. pseudo-random number generatorsº, Journal [168] C. BLUNDO,A.CRESTI,A.DE SANTIS, of the Association for Computing Machinery, AND U. VACCARO, ªFully dynamic secret 36 (1989), 129±141. sharing schemesº, Advances in Cryptology± CRYPTO '93 (LNCS 773), 110±125, 1994. [181] J. BOYAR,D.CHAUM,I.B.DAMGARDÊ , [169] C. BLUNDO,A.DE SANTIS,A.HERZBERG, AND T. PEDERSEN, ªConvertible undeni- S. KUTTEN,U.VACCARO, AND M. YUNG, able signaturesº, Advances in Cryptology± ªPerfectly-secure key distribution for dy- CRYPTO '90 (LNCS 537), 189±205, 1991. namic conferencesº, Advances in Cryptology± [182] C. BOYD, ªDigital multisignaturesº, H. Beker CRYPTO '92 (LNCS 740), 471±486, 1993. and F. Piper, editors, Cryptography and Cod- [170] R.V. BOOK AND F. OTTO, ªThe veri®a- ing, Institute of Mathematics & Its Applica- bility of two-party protocolsº, Advances in tions (IMA), 241±246, Clarendon Press, 1989. Cryptology±EUROCRYPT '85 (LNCS 219), 254±260, 1986. [183] C. BOYD AND W. MAO, ªOn a limitation of BAN logicº, Advances in Cryptology± [171] A. BOOTH, ªA signed binary multiplication EUROCRYPT '93 (LNCS 765), 240±247, techniqueº, The Quarterly Journal of Me- 1994. chanics and Applied Mathematics, 4 (1951), 236±240. [184] B.O. BRACHTL,D.COPPERSMITH,M.M. [172] J. BOS AND D. CHAUM, ªProvably unforge- HYDEN,S.M.MATYAS JR., C.H.W. able signaturesº, Advances in Cryptology± MEYER,J.OSEAS,S.PILPEL, AND CRYPTO '92 (LNCS 740), 1±14, 1993. M. SCHILLING, ªData authentication using [173] J. BOS AND M. COSTER, ªAddition modi®cation detection codes based on a pub- chain heuristicsº, Advances in Cryptology± lic one-way encryption functionº, U.S. Patent CRYPTO '89 (LNCS 435), 400±407, 1990. # 4,908,861, 13 Mar 1990.

[174] W. BOSMA AND M.-P VA N D E R HULST, [185] S. BRANDS, ªRestrictive blinding of secret- ªFaster primality testingº, Advances in key certi®catesº, Advances in Cryptology± Cryptology±EUROCRYPT '89 (LNCS 434), EUROCRYPT '95 (LNCS 921), 231±247, 652±656, 1990. 1995. [175] A. BOSSELAERS,R.GOVAERTS, AND RANDT AND AMGARDÊ J. VANDEWALLE, ªCryptography within [186] J. B I. D , ªOn gen- phase I of the EEC-RACE programmeº, eration of probable primes by incremental B. Preneel, R. Govaerts, and J. Vandewalle, searchº, Advances in Cryptology±CRYPTO editors, Computer Security and Industrial '92 (LNCS 740), 358±370, 1993. Cryptography: State of the Art and Evolution [187] J. BRANDT,I.DAMGARDÊ , AND P. L AN- (LNCS 741), 227±234, Springer-Verlag, 1993. DROCK, ªSpeeding up prime number gener- [176] , ªComparison of three modular re- ationº, Advances in Cryptology±ASIACRYPT duction functionsº, Advances in Cryptology± '91 (LNCS 739), 440±449, 1993. CRYPTO '93 (LNCS 773), 175±186, 1994. [188] J. BRANDT,I.DAMGARDÊ ,P.LANDROCK, [177] , ªFast hashing on the Pentiumº, Ad- AND T. PEDERSEN, ªZero-knowledge au- vances in Cryptology±CRYPTO '96 (LNCS thentication scheme with secret key ex- 1109), 298±312, 1996. changeº, Advances in Cryptology±CRYPTO [178] A. BOSSELAERS AND B. PRENEEL,edi- '88 (LNCS 403), 583±588, 1990. tors, Integrity Primitives for Secure Informa- tion Systems: Final Report of RACE Integrity [189] D.K. BRANSTAD, ªEncryption protection in Primitives Evaluation RIPE-RACE 1040, computer data communicationsº, Proceed- LNCS 1007, Springer-Verlag, New York, ings of the 4th Data Communications Sympo- 1995. sium (Quebec), 8.1±8.7, IEEE, 1975.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 711

[190] G. BRASSARD, ªA note on the complexity of [204] E.F. BRICKELL,D.M.GORDON,K.S.MC- cryptographyº, IEEE Transactions on Infor- CURLEY, AND D.B. WILSON, ªFast expo- mation Theory, 25 (1979), 232±233. nentiation with precomputationº, Advances in Cryptology±EUROCRYPT '92 (LNCS 658), [191] , ªOn computationally secure authen- 200±207, 1993. tication tags requiring short secret shared keysº, Advances in Cryptology±Proceedings [205] E.F. BRICKELL,P.J.LEE, AND Y. YACOBI, of Crypto 82, 79±86, 1983. ªSecure audio teleconferenceº, Advances in Cryptology±CRYPTO '87 (LNCS 293), 418± [192] , Modern Cryptology: A Tutorial, 426, 1988. LNCS 325, Springer-Verlag, New York, 1988. [206] E.F. BRICKELL AND K.S. MCCURLEY,ªAn [193] G. BRASSARD,D.CHAUM, AND C. CREPEAUÂ - interactive identi®cation scheme based on dis- , ªMinimum disclosure proofs of knowledgeº, crete logarithms and factoringº, Advances in Journal of Computer and System Sciences,37 Cryptology±EUROCRYPT '90 (LNCS 473), (1988), 156±189. 63±71, 1991.

[194] G. BRASSARD AND C. CREPEAUÂ ,ªZero- [207] , ªAn interactive identi®cation scheme knowledge simulation of Boolean circuitsº, based on discrete logarithms and factoringº, Advances in Cryptology±CRYPTO '86 (LNCS Journal of Cryptology, 5 (1992), 29±39. An 263), 223±233, 1987. earlier version appeared in [206]. [208] E.F. BRICKELL AND A.M. ODLYZKO, [195] , ªSorting out zero-knowledgeº, Ad- ªCryptanalysis: A survey of recent resultsº, vances in Cryptology±EUROCRYPT '89 Proceedings of the IEEE, 76 (1988), 578±593. (LNCS 434), 181±191, 1990. [209] , ªCryptanalysis: A survey of recent re- [196] R.P. BRENT, ªAn improved Monte Carlo fac- sultsº, G.J. Simmons, editor, Contemporary torization algorithmº, BIT, 20 (1980), 176± Cryptology: The Science of Information In- 184. tegrity, 501±540, IEEE Press, 1992. An earlier version appeared in [208]. [197] R.P. BRENT AND J.M. POLLARD, ªFactor- ization of the eighth Fermat numberº, Math- [210] J. BRILLHART,D.LEHMER, AND J. SELF- ematics of Computation, 36 (1981), 627±630. RIDGE, ªNew primality criteria and factorizations of 2m 1º, Mathematics of Computa- [198] D.M. BRESSOUD, Factorization and Primal- tion, 29 (1975), 620±647. ity Testing, Springer-Verlag, New York, 1989. [211] J. BRILLHART,D.LEHMER,J.SELFRIDGE, [199] E.F. BRICKELL, ªA fast modular multipli- B. TUCKERMAN, AND S. WAGSTAFF n cation algorithm with applications to two JR., Factorizations of b 1, b = key cryptographyº, Advances in Cryptology± 2, 3, 5, 6, 7, 10, 11, 12 up to High Powers, Proceedings of Crypto 82, 51±60, 1983. volume 22 of Contemporary Mathematics, American Mathematical Society, Providence, [200] , ªBreaking iterated knapsacksº, Rhode Island, 2nd edition, 1988. Advances in Cryptology±Proceedings of CRYPTO 84 (LNCS 196), 342±358, 1985. [212] J. BRILLHART AND J. SELFRIDGE,ªSome factorizations of 2n 1 and related resultsº, [201] , ªThe cryptanalysis of knapsack cryp- Mathematics of Computation, 21 (1967), 87± tosystemsº, R.D. Ringeisen and F.S. Roberts, 96. editors, Applications of Discrete Mathemat- [213] D. BRILLINGER, Time Series: Data Analy- ics, 3±23, SIAM, 1988. sis and Theory, Holden-Day, San Francisco, [202] E.F. BRICKELL AND J.M. DELAURENTIS, 1981. ªAn attack on a signature scheme proposed [214] L. BROWN,M.KWAN,J.PIEPRZYK, by Okamoto and Shiraishiº, Advances in AND J. SEBERRY, ªImproving resistance Cryptology±CRYPTO '85 (LNCS 218), 28± to differential cryptanalysis and the re- 32, 1986. design of LOKIº, Advances in Cryptology± [203] E.F. BRICKELL,D.M.GORDON, AND K.S. ASIACRYPT '91 (LNCS 739), 36±50, 1993. MCCURLEY, ªMethod for exponentiating [215] L. BROWN,J.PIEPRZYK, AND J. SEBERRY, in cryptographic systemsº, U.S. Patent # ªLOKI ± a cryptographic primitive for authen- 5,299,262, 29 Mar 1994. tication and secrecy applicationsº, Advances

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 712 References

in Cryptology±AUSCRYPT '90 (LNCS 453), [228] J.L. CAMENISCH,J.-M.PIVETEAU, AND 229±236, 1990. M.A. STADLER, ªBlind signatures based on [216] J. BUCHMANN AND S. DULLMANNÈ ,ªOnthe the discrete logarithm problemº, Advances in computation of discrete logarithms in class Cryptology±EUROCRYPT '94 (LNCS 950), groupsº, Advances in Cryptology±CRYPTO 428±432, 1995. '90 (LNCS 537), 134±139, 1991. [229] K.W. CAMPBELL AND M.J. WIENER,ªDES is not a groupº, Advances in Cryptology± [217] J. BUCHMANN,J.LOHO, AND J. ZAYER, ªAn implementation of the general num- CRYPTO '92 (LNCS 740), 512±520, 1993. ber ®eld sieveº, Advances in Cryptology± [230] C.M. CAMPBELL JR., ªDesign and speci- CRYPTO '93 (LNCS 773), 159±165, 1994. ®cation of cryptographic capabilitiesº, D.K. Branstad, editor, Computer security and the [218] J. BUCHMANN AND H.C. WILLIAMS,ªA Data Encryption Standard, 54±66, NBS Spe- key-exchange system based on imaginary cial Publication 500-27, U.S. Department of quadratic ®eldsº, Journal of Cryptology,1 Commerce, National Bureau of Standards, (1988), 107±118. Washington, D.C., 1977. [219] J.P. BUHLER,H.W.LENSTRA JR., AND [231] E.R. CANFIELD,P.ERDOSÈ , AND C. POM- C. POMERANCE, ªFactoring integers with the ERANCE, ªOn a problem of Oppenheim con- number ®eld sieveº, A.K. Lenstra and H.W. cerning `Factorisatio Numerorum'º, Journal Lenstra Jr., editors, The Development of the of Number Theory, 17 (1983), 1±28. Number Field Sieve, volume 1554 of Lec- ture Notes in Mathematics, 50±94, Springer- [232] D.G. CANTOR AND H. ZASSENHAUS,ªA Verlag, 1993. new algorithm for factoring polynomials over ®nite ®eldsº, Mathematics of Computation,36 [220] M. BURMESTER, ªOn the risk of opening (1981), 587±592. distributed keysº, Advances in Cryptology± CRYPTO '94 (LNCS 839), 308±317, 1994. [233] J.L. CARTER AND M.N. WEGMAN,ªUni- versal classes of hash functionsº, Proceedings [221] M. BURMESTER AND Y. D ESMEDT,ªRe- of the 9th Annual ACM Symposium on Theory marks on soundness of proofsº, Electronics of Computing, 106±112, 1977. Letters, 25 (October 26, 1989), 1509±1511. [234] , ªUniversal classes of hash functionsº, [222] , ªA secure and ef®cient confer- Journal of Computer and System Sciences,18 ence key distribution systemº, Advances in (1979), 143±154. An earlier version appeared Cryptology±EUROCRYPT '94 (LNCS 950), in [233]. 275±286, 1995. [235] F. CHABAUD, ªOn the security of some cryp- [223] M. BURMESTER,Y.DESMEDT,F.PIPER, tosystems based on error-correcting codesº, AND M. WALKER, ªA general zero- Advances in Cryptology±EUROCRYPT '94 knowledge schemeº, Advances in Cryptology± (LNCS 950), 131±139, 1995. EUROCRYPT '89 (LNCS 434), 122±133, [236] G.J. CHAITIN, ªOn the length of programs for 1990. computing ®nite binary sequencesº, Journal [224] M. BURROWS,M.ABADI, AND R. NEED- of the Association for Computing Machinery, HAM, ªA logic of authenticationº, Proceed- 13 (1966), 547±569. ings of the Royal Society of London Series [237] W.G. CHAMBERS, ªClock-controlled shift A: Mathematical and Physical Sciences, 246 registers in binary sequence generatorsº, IEE (1989), 233±271. Preliminary version ap- Proceedings E ± Computers and Digital Tech- peared as 1989 version of [227]. niques, 135 (1988), 17±24. [225] , ªA logic of authenticationº, Proceed- [238] , ªTwo stream ciphersº, R. Ander- ings of the 12th Annual ACM Symposium on son, editor, Fast Software Encryption, Cam- Operating Systems Principles, 1±13, 1989. bridge Security Workshop (LNCS 809), 51± [226] , ªA logic of authenticationº, ACM 55, Springer-Verlag, 1994. Transactions on Computer Systems, 8 (1990), [239] W.G. CHAMBERS AND D. GOLLMANN, 18±36. ªLock-in effect in cascades of clock- [227] , ªA logic of authenticationº, DEC SRC controlled shift-registersº, Advances in report #39, Digital Equipment Corporation, Cryptology±EUROCRYPT '88 (LNCS 330), Palo Alto, CA, Feb. 1989. Revised Feb. 1990. 331±343, 1988.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 713

[240] B. CHAR,K.GEDDES,G.GONNET, [253] D. CHAUM AND E. VA N HEIJST, ªGroup sig- B. LEONG,M.MONAGAN, AND S. WATT, naturesº, Advances in Cryptology±EUROCR- Maple V Library Reference Manual, Springer- YPT '91 (LNCS 547), 257±265, 1991. Verlag, New York, 1991. [254] D. CHAUM,E.VA N HEIJST, AND B. PFITZ- [241] C. CHARNES,L.O'CONNOR,J.PIEPRZYK, MANN, ªCryptographically strong undeni- R. SAFAVI-NAINI, AND Y. Z HENG,ªCom- able signatures, unconditionally secure for the ments on Soviet encryption algorithmº, Ad- signerº, Advances in Cryptology±CRYPTO vances in Cryptology±EUROCRYPT '94 '91 (LNCS 576), 470±484, 1992. (LNCS 950), 433±438, 1995. [242] D. CHAUM, ªBlind signatures for untrace- [255] L. CHEN AND T.P. PEDERSEN, ªNew group able paymentsº, Advances in Cryptology± signature schemesº, Advances in Cryptology± Proceedings of Crypto 82, 199±203, 1983. EUROCRYPT '94 (LNCS 950), 171±181, [243] , ªSecurity without identi®cation: 1995. transaction systems to make big brother obso- [256] V. CHEPYZHOV AND B. SMEETS,ªOnafast leteº, Communications of the ACM, 28 (1985), correlation attack on certain stream ciphersº, 1030±1044. Advances in Cryptology±EUROCRYPT '91 [244] , ªDemonstrating that a public predicate (LNCS 547), 176±185, 1991. can be satis®ed without revealing any information about howº, Advances in Cryptology± [257] B. CHOR AND O. GOLDREICH, ªUnbiased CRYPTO '86 (LNCS 263), 195±199, 1987. bits from sources of weak randomness and [245] , ªBlinding for unanticipated signa- probabilistic communication complexityº, turesº, Advances in Cryptology±EUROCRYPT Proceedings of the IEEE 26th Annual Sym- '87 (LNCS 304), 227±233, 1988. posium on Foundations of Computer Science, [246] , ªZero-knowledge undeniable signa- 429±442, 1985. turesº, Advances in Cryptology±EUROCRYPT [258] , ªUnbiased bits from sources of weak '90 (LNCS 473), 458±464, 1991. randomness and probabilistic communication [247] , ªDesignated con®rmer signaturesº, complexityº, SIAM Journal on Computing,17 Advances in Cryptology±EUROCRYPT '94 (1988), 230±261. An earlier version appeared (LNCS 950), 86±91, 1995. in [257]. [248] D. CHAUM,J.-H.EVERTSE, AND J. VA N D E HOR OLDWASSER ICALI GRAAF, ªAn improved protocol for demon- [259] B. C ,S.G ,S.M , strating possession of discrete logarithms AND B. AWERBUCH, ªVeri®able secret shar- and some generalizationsº, Advances in ing and achieving simultaneity in the presence Cryptology±EUROCRYPT '87 (LNCS 304), of faultsº, Proceedings of the IEEE 26th An- 127±141, 1988. nual Symposium on Foundations of Computer Science, 383±395, 1985. [249] D. CHAUM,J.-H.EVERTSE,J.VA N D E GRAAF, AND R. PERALTA, ªDemonstrating [260] B. CHOR AND R.L. RIVEST, ªA knap- possession of a discrete logarithm without re- sack type public key cryptosystem based vealing itº, Advances in Cryptology±CRYPTO on arithmetic in ®nite ®eldsº, Advances '86 (LNCS 263), 200±212, 1987. in Cryptology±Proceedings of CRYPTO 84 [250] D. CHAUM,A.FIAT, AND M. NAOR, (LNCS 196), 54±65, 1985. ªUntraceable electronic cashº, Advances in Cryptology±CRYPTO '88 (LNCS 403), 319± [261] , ªA knapsack-type public key cryp- 327, 1990. tosystem based on arithmetic in ®nite ®eldsº, IEEE Transactions on Information Theory,34 [251] D. CHAUM AND T.P. PEDERSEN,ªWal- (1988), 901±909. An earlier version appeared let databases with observersº, Advances in in [260]. Cryptology±CRYPTO '92 (LNCS 740), 89± 105, 1993. [262] A. CLARK,J.GOLICÂ , AND E. DAWSON, [252] D. CHAUM AND H. VA N ANTWER- ªA comparison of fast correlation attacksº, PEN, ªUndeniable signaturesº, Advances in D. Gollmann, editor, Fast Software Encryp- Cryptology±CRYPTO '89 (LNCS 435), 212± tion, Third International Workshop (LNCS 216, 1990. 1039), 145±157, Springer-Verlag, 1996.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 714 References

[263] H. COHEN, A Course in Computational Al- [277] D. COPPERSMITH,M.FRANKLIN,J.PATA- gebraic Number Theory, Springer-Verlag, RIN, AND M. REITER, ªLow-exponent Berlin, 1993. RSA with related messagesº, Advances in [264] H. COHEN AND A.K. LENSTRA,ªImple- Cryptology±EUROCRYPT '96 (LNCS 1070), mentation of a new primality testº, Mathemat- 1±9, 1996. ics of Computation, 48 (1987), 103±121. [278] D. COPPERSMITH,D.B.JOHNSON, AND [265] H. COHEN AND H.W. LENSTRA JR., ªPri- S.M. MATYAS, ªA proposed mode for triple- mality testing and Jacobi sumsº, Mathematics DES encryptionº, IBM Journal of Research of Computation, 42 (1984), 297±330. and Development, 40 (1996), 253±261. [266] D. COPPERSMITH, ªFast evaluation of loga- [279] D. COPPERSMITH,H.KRAWCZYK, AND rithms in ®elds of characteristic twoº, IEEE Y. M ANSOUR, ªThe shrinking generatorº, Transactions on Information Theory,30 Advances in Cryptology±CRYPTO '93 (LNCS (1984), 587±594. 773), 22±39, 1994. [267] , ªAnother birthday attackº, Advances [280] D. COPPERSMITH,A.M.ODLZYKO, AND in Cryptology±CRYPTO '85 (LNCS 218), 14± R. SCHROEPPEL, ªDiscrete logarithms in 17, 1986. GF (p)º, Algorithmica, 1 (1986), 1±15. [268] , ªThe real reason for Rivest's [281] D. COPPERSMITH AND P. ROGAWAY, phenomenonº, Advances in Cryptology± ªSoftware-ef®cient pseudorandom function CRYPTO '85 (LNCS 218), 535±536, 1986. and the use thereof for encryptionº, U.S. [269] , ªModi®cations to the number ®eld Patent # 5,454,039, 26 Sep 1995. sieveº, Journal of Cryptology, 6 (1993), 169± [282] T.H. CORMEN,C.E.LEISERSON, AND R.L. 180. RIVEST, Introduction to Algorithms,MIT [270] , ªSolving linear equations over Press, Cambridge, Massachusetts, 1990. GF (2): Block Lanczos algorithmº, Linear [283] M.J. COSTER,A.JOUX,B.A.LAMAC- Algebra and its Applications, 192 (1993), 33± CHIA,A.M.ODLYZKO,C.P.SCHNORR, 60. AND J. STERN, ªImproved low-density subset [271] , ªThe Data Encryption Standard (DES) sum algorithmsº, Computational Complexity, and its strength against attacksº, IBM Jour- 2 (1992), 111±128. nal of Research and Development, 38 (1994), [284] J.-M. COUVEIGNES, ªComputing a square 243±250. root for the number ®eld sieveº, A.K. Lenstra [272] , ªSolving homogeneous linear equa- and H.W. Lenstra Jr., editors, The Develop- tions over GF(2) via block Wiedemann al- ment of the Number Field Sieve, volume 1554 gorithmº, Mathematics of Computation,62 of Lecture Notes in Mathematics, 95±102, (1994), 333±350. Springer-Verlag, 1993. [273] , ªFinding a small root of a bivari- [285] T. COVER AND R. KING, ªA convergent ate integer equation; factoring with high gambling estimate of the entropy of Englishº, bits knownº, Advances in Cryptology± IEEE Transactions on Information Theory,24 EUROCRYPT '96 (LNCS 1070), 178±189, (1978), 413±421. 1996. [286] R.E. CRANDALL, ªMethod and apparatus for [274] , ªFinding a small root of a univariate public key exchange in a cryptographic sys- modular equationº, Advances in Cryptology± temº, U.S. Patent # 5,159,632, 27 Oct 1992. EUROCRYPT '96 (LNCS 1070), 155±165, [287] , ªMethod and apparatus for pub- 1996. lic key exchange in a cryptographic sys- [275] , ªAnalysis of ISO/CCITT Document temº, U.S. Patent # 5,271,061, 14 Dec 1993 X.509 Annex Dº, memorandum, IBM T.J. (continuation-in-part of 5,159,632). Watson Research Center, Yorktown Heights, [288] R.A. CROFT AND S.P. HARRIS, ªPublic-key N.Y., 10598, U.S.A., June 11 1989. cryptography and re-usable shared secretsº, [276] , ªTwo broken hash functionsº, IBM H. Beker and F. Piper, editors, Cryptogra- Research Report RC 18397, IBM T.J. Wat- phy and Coding, Institute of Mathematics & son Research Center, Yorktown Heights, N.Y., Its Applications (IMA), 189±201, Clarendon 10598, U.S.A., Oct. 6 1992. Press, 1989.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 715

[289] J. DAEMEN, Cipher and hash function de- [301] H. DAV E N P O RT, ªBases for ®nite ®eldsº, The sign, PhD thesis, Katholieke Universiteit Leu- Journal of the London Mathematical Society, ven (Belgium), 1995. 43 (1968), 21±39.

[290] J. DAEMEN,R.GOVAERTS, AND J. VAN- [302] G.I. DAV I D A, ªChosen signature cryptanaly- DEWALLE, ªA new approach to block ci- sis of the RSA (MIT) public key cryptosys- pher designº, R. Anderson, editor, Fast Soft- temº, Technical Report TR-CS-82-2, Depart- ware Encryption, Cambridge Security Work- ment of Electrical Engineering and Computer shop (LNCS 809), 18±32, Springer-Verlag, Science, University of Wisconsin, Milwau- 1994. kee, WI, 1982.

[291] , ªResynchronization weaknesses in [303] D.W. DAV I E S, ªSome regular properties synchronous stream ciphersº, Advances in of the `Data Encryption Standard' algo- Cryptology±EUROCRYPT '93 (LNCS 765), rithmº, Advances in Cryptology±Proceedings 159±167, 1994. of Crypto 82, 89±96, 1983. [292] , ªWeak keys for IDEAº, Advances in [304] , ªA message authenticator algo- Cryptology±CRYPTO '93 (LNCS 773), 224± rithm suitable for a mainframe computerº, 231, 1994. Advances in Cryptology±Proceedings of CRYPTO 84 (LNCS 196), 393±400, 1985. [293] Z.-D DAI, ªProof of Rueppel's linear complexity conjectureº, IEEE Transactions on In- [305] , ªSchemes for electronic funds trans- formation Theory, 32 (1986), 440±443. fer at the point of saleº, K.M. Jackson and J. Hruska, editors, Computer Security Refer- [294] Z.-D. DAI AND J.-H. YANG, ªLinear ence Book, 667±689, CRC Press, 1992. complexity of periodically repeated random sequencesº, Advances in Cryptology± [306] D.W. DAVIES AND D.O. CLAYDEN,ªThe EUROCRYPT '91 (LNCS 547), 168±175, message authenticator algorithm (MAA) and 1991. its implementationº, Report DITC 109/88, National Physical Laboratory, U.K., February [295] I.B. DAMGARDÊ , ªCollision free hash func- 1988. tions and public key signature schemesº, Advances in Cryptology±EUROCRYPT '87 [307] D.W. DAVIES AND G.I.P. PARKIN,ªThe (LNCS 304), 203±216, 1988. average cycle size of the key stream in output feedback enciphermentº, Advances in [296] , ªA design principle for hash func- Cryptology±Proceedings of Crypto 82, 97±98, tionsº, Advances in Cryptology±CRYPTO '89 1983. (LNCS 435), 416±427, 1990. [308] D.W. DAVIES AND W.L. PRICE, Security for [297] , ªTowards practical public key systems Computer Networks, John Wiley & Sons, New secure against chosen ciphertext attacksº, Ad- York, 2nd edition, 1989. vances in Cryptology±CRYPTO '91 (LNCS 576), 445±456, 1992. [309] D. DAV I S ,R.IHAKA, AND P. F ENSTER- MACHER, ªCryptographic randomness from [298] , ªPractical and provably secure re- air turbulence in disk drivesº, Advances in lease of a secret and exchange of signaturesº, Cryptology±CRYPTO '94 (LNCS 839), 114± Advances in Cryptology±EUROCRYPT '93 120, 1994. (LNCS 765), 200±217, 1994. [310] D. DAVIS AND R. SWICK, ªNetwork security [299] I.B. DAMGARDÊ AND P. L ANDROCK,ªIm- via private-key certi®catesº, Operating Sys- proved bounds for the Rabin primality testº, tems Review, 24 (1990), 64±67. M.J. Ganley, editor, Cryptography and Cod- ing III, volume 45 of Institute of Mathematics [311] J.A. DAV I S ,D.B.HOLDRIDGE, AND G.J. & Its Applications (IMA), 117±128, Claren- SIMMONS, ªStatus report on factoring (at don Press, 1993. the Sandia National Labs)º, Advances in Cryptology±Proceedings of EUROCRYPT 84 [300] I.B. DAMGARDÊ ,P.LANDROCK, AND (LNCS 209), 183±215, 1985. C. POMERANCE, ªAverage case error esti- mates for the strong probable prime testº, [312] E. DAWSON, ªCryptanalysis of summa- Mathematics of Computation, 61 (1993), 177± tion generatorº, Advances in Cryptology± 194. AUSCRYPT '92 (LNCS 718), 209±215, 1993.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 716 References

[313] W. DE JONGE AND D. CHAUM, ªAttacks [325] , ªCollisions for the compression func- on some RSA signaturesº, Advances in tion of MD5º, Advances in Cryptology± Cryptology±CRYPTO '85 (LNCS 218), 18± EUROCRYPT '93 (LNCS 765), 293±304, 27, 1986. 1994.

[314] P. DE ROOIJ, ªOn the security of the Schnorr [326] D.E. DENNING, Cryptography and Data scheme using preprocessingº, Advances in Security, Addison-Wesley, Reading, Mas- Cryptology±EUROCRYPT '91 (LNCS 547), sachusetts, 1983. Reprinted with corrections. 71±80, 1991. [327] , ªDigital signatures with RSA and [315] , ªOn Schnorr's preprocessing for other public-key cryptosystemsº, Communi- digital signature schemesº, Advances in cations of the ACM, 27 (1984), 388±392. Cryptology±EUROCRYPT '93 (LNCS 765), [328] , ªTo tap or not to tapº, Communica- 435±439, 1994. tions of the ACM, 36 (1993), 24±44. [316] , ªEf®cient exponentiation using pre- [329] D.E. DENNING AND D.K. BRANSTAD,ªA computation and vector addition chainsº, taxonomy for key escrow encryption sys- Advances in Cryptology±EUROCRYPT '94 temsº, Communications of the ACM,39 (LNCS 950), 389±399, 1995. (1996), 34±40.

[317] A. DE SANTIS,S.MICALI, AND G. PER- [330] D.E. DENNING AND G.M. SACCO,ªTimes- SIANO, ªNon-interactive zero-knowledge tamps in key distribution protocolsº, Commu- proof systemsº, Advances in Cryptology± nications of the ACM, 24 (1981), 533±536. CRYPTO '87 (LNCS 293), 52±72, 1988. [331] D.E. DENNING AND M. SMID, ªKey escrow- ing todayº, IEEE Communications Magazine, [318] A. DE SANTIS AND M. YUNG,ªOnthe 32 (September 1994), 58±68. design of provably secure cryptographic hash functionsº, Advances in Cryptology± [332] J. B. DENNIS AND E. C. VA N HORN,ªPro- EUROCRYPT '90 (LNCS 473), 412±431, gramming semantics for multiprogrammed 1991. computationsº, Communications of the ACM, 9 (1966), 143±155. [319] D. DE WALEFFE AND J.-J. QUISQUATER, ªBetter login protocols for computer net- [333] T. DENNY,B.DODSON,A.K.LENSTRA, worksº, B. Preneel, R. Govaerts, and J. Vande- AND M.S. MANASSE, ªOn the factoriza- walle, editors, Computer Security and Indus- tion of RSA-120º, Advances in Cryptology± trial Cryptography: State of the Art and Evo- CRYPTO '93 (LNCS 773), 166±174, 1994. lution (LNCS 741), 50±70, Springer-Verlag, [334] DEPARTMENT OF DEFENSE (U.S.),ªDepart- 1993. ment of defense password management guide- lineº, CSC-STD-002-85, Department of De- [320] J.M. DELAURENTIS, ªA further weakness in fense Computer Security Center, Fort Meade, the common modulus protocol for the RSA Maryland, 1985. cryptoalgorithmº, Cryptologia, 8 (1984), 253±259. [335] Y. DESMEDT, ªUnconditionally secure authentication schemes and practical and [321] N. DEMYTKO, ªA new elliptic curve based theoretical consequencesº, Advances in analogue of RSAº, Advances in Cryptology± Cryptology±CRYPTO '85 (LNCS 218), 42± EUROCRYPT '93 (LNCS 765), 40±49, 1994. 55, 1986. [322] B. DEN BOER, ªCryptanalysis of F.E.A.L.º, [336] , ªSociety and group oriented cryp- Advances in Cryptology±EUROCRYPT '88 tography: A new conceptº, Advances in (LNCS 330), 293±299, 1988. Cryptology±CRYPTO '87 (LNCS 293), 120± [323] , ªDif®e-Hellman is as strong as dis- 127, 1988. crete log for certain primesº, Advances in [337] , ªThreshold cryptographyº, Euro- Cryptology±CRYPTO '88 (LNCS 403), 530± pean Transactions on Telecommunications,5 539, 1990. (1994), 449±457. [324] B. DEN BOER AND A. BOSSELAERS,ªAn [338] , ªSecuring traceability of ciphertexts ± attack on the last two rounds of MD4º, Ad- Towards a secure software key escrow sys- vances in Cryptology±CRYPTO '91 (LNCS temº, Advances in Cryptology±EUROCRYPT 576), 194±203, 1992. '95 (LNCS 921), 147±157, 1995.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 717

[339] Y. DESMEDT AND M. BURMESTER,ªTo- [352] H. DOBBERTIN, ªCryptanalysis of MD4º, wards practical `proven secure' authenti- Journal of Cryptology, to appear. cated key distributionº, 1st ACM Conference [353] , ªRIPEMD with two-round compress on Computer and Communications Security, function is not collision-freeº, Journal of 228±231, ACM Press, 1993. Cryptology, to appear; announced at rump [340] Y. DESMEDT,C.GOUTIER, AND S. BEN- session, Eurocrypt '95. GIO, ªSpecial uses and abuses of the Fiat- Shamir passport protocolº, Advances in [354] , ªCryptanalysis of MD4º, D. Goll- Cryptology±CRYPTO '87 (LNCS 293), 21± mann, editor, Fast Software Encryption, Third 39, 1988. International Workshop (LNCS 1039), 53±69, Springer-Verlag, 1996. [341] Y. DESMEDT AND A.M. ODLYZKO, ªA chosen text attack on the RSA cryptosystem [355] H. DOBBERTIN,A.BOSSELAERS, AND and some discrete logarithm schemesº, Ad- B. PRENEEL, ªRIPEMD-160: a strengthened vances in Cryptology±CRYPTO '85 (LNCS version of RIPEMDº, D. Gollmann, editor, 218), 516±522, 1986. Fast Software Encryption, Third International Workshop (LNCS 1039), 71±82, Springer- [342] W. DIFFIE, ªThe ®rst ten years of public-key cryptographyº, Proceedings of the IEEE,76 Verlag, 1996. (1988), 560±577. [356] B. DODSON AND A.K. LENSTRA, ªNFS with [343] , ªThe ®rst ten years of public key cryp- four large primes: An explosive experimentº, tologyº, G.J. Simmons, editor, Contemporary Advances in Cryptology±CRYPTO '95 (LNCS Cryptology: The Science of Information In- 963), 372±385, 1995. tegrity, 135±175, IEEE Press, 1992. An ear- [357] D. DOLEV,C.DWORK, AND M. NAOR, lier version appeared in [342]. ªNon-malleable cryptographyº, Proceedings [344] W. DIFFIE AND M.E. HELLMAN,ªMul- of the 23rd Annual ACM Symposium on The- tiuser cryptographic techniquesº, Proceed- ory of Computing, 542±552, 1991. ings of AFIPS National Computer Confer- [358] D. DOLEV AND A.C. YAO, ªOn the secu- ence, 109±112, 1976. rity of public key protocolsº, Proceedings of [345] , ªNew directions in cryptographyº, the IEEE 22nd Annual Symposium on Foun- IEEE Transactions on Information Theory,22 dations of Computer Science, 350±357, 1981. (1976), 644±654. [359] , ªOn the security of public key proto- [346] , ªExhaustive cryptanalysis of the NBS colsº, IEEE Transactions on Information The- Data Encryption Standardº, Computer,10 ory, 29 (1983), 198±208. An earlier version (1977), 74±84. appeared in [358]. [347] , ªPrivacy and authentication: An introduction to cryptographyº, Proceedings of the [360] P. DOWNEY,B.LEONG, AND R. SETHI, IEEE, 67 (1979), 397±427. ªComputing sequences with addition chainsº, SIAM Journal on Computing, 10 (1981), 638± [348] W. DIFFIE,P.C.VA N OORSCHOT, AND M.J. 646. WIENER, ªAuthentication and authenticated key exchangesº, Designs, Codes and Cryp- [361] S.R. DUSSEÂ AND B.S. KALISKI JR., tography, 2 (1992), 107±125. ªA cryptographic library for the Motorola DSP 56000º, Advances in Cryptology± [349] C. DING, ªThe differential cryptanalysis and design of natural stream ciphersº, R. Ander- EUROCRYPT '90 (LNCS 473), 230±244, son, editor, Fast Software Encryption, Cam- 1991. bridge Security Workshop (LNCS 809), 101± [362] H. EBERLE, ªA high-speed DES implemen- 115, Springer-Verlag, 1994. tation for network applicationsº, Advances in [350] B. DIXON AND A.K. LENSTRA, ªMassively Cryptology±CRYPTO '92 (LNCS 740), 521± parallel elliptic curve factoringº, Advances in 539, 1993. Cryptology±EUROCRYPT '92 (LNCS 658), [363] W. F. EHRSAM, C.H.W. MEYER,R.L. 183±193, 1993. POWERS,J.L.SMITH, AND W.L. TUCH- [351] J.D. DIXON, ªAsymptotically fast factoriza- MAN, ªProduct block cipher system for data tion of integersº, Mathematics of Computa- securityº, U.S. Patent # 3,962,539, 8 Jun tion, 36 (1981), 255±260. 1976.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 718 References

[364] W.F. EHRSAM,S.M.MATYAS,C.H. [376] S. EVEN AND O. GOLDREICH,ªOnthe MEYER, AND W.L. TUCHMAN, ªA crypto- power of cascade ciphersº, ACM Transactions graphic key management scheme for imple- on Computer Systems, 3 (1985), 108±116. menting the Data Encryption Standardº, IBM [377] S. EVEN,O.GOLDREICH, AND S. MI- Systems Journal, 17 (1978), 106±125. CALI, ªOn-line/off-line digital signaturesº, [365] ELECTRONIC INDUSTRIES ASSOCIATION Advances in Cryptology±CRYPTO '89 (LNCS (EIA), ªDual-mode mobile station ± base 435), 263±275, 1990. station compatibility standardº, EIA Interim [378] , ªOn-line/off-line digital signaturesº, Standard IS-54 Revision B (Rev. B), 1992. Journal of Cryptology, 9 (1996), 35±67. An earlier version appeared in [377]. [366] T. ELGAMAL, Cryptography and logarithms over ®nite ®elds, PhD thesis, Stanford Univer- [379] S. EVEN AND Y. YACOBI, ªCryptocomplex- sity, 1984. ity and NP-completenessº, J.W. de Bakker and J. van Leeuwen, editors, Automata, Lan- [367] , ªA public key cryptosystem and a sig- guages, and Programming, 7th Colloquium nature scheme based on discrete logarithmsº, (LNCS 85), 195±207, Springer-Verlag, 1980. Advances in Cryptology±Proceedings of [380] D. EVERETT, ªIdentity veri®cation and bio- CRYPTO 84 (LNCS 196), 10±18, 1985. metricsº, K.M. Jackson and J. Hruska, edi- [368] , ªA public key cryptosystem and a sig- tors, Computer Security Reference Book, 37± nature scheme based on discrete logarithmsº, 73, CRC Press, 1992. IEEE Transactions on Information Theory,31 [381] J.-H. EVERTSE AND E. VA N HEIJST,ªWhich (1985), 469±472. An earlier version appeared new RSA-signatures can be computed from in [367]. certain given RSA-signatures?º, Journal of [369] , ªA subexponential-time algorithm for Cryptology, 5 (1992), 41±52. 2 computing discrete logarithms over GF(p )º, [382] R.C. FAIRFIELD,R.L.MORTENSON, AND IEEE Transactions on Information Theory,31 K.B. COULTHART, ªAn LSI random number (1985), 473±481. generator (RNG)º, Advances in Cryptology± [370] P. ELIAS, ªThe ef®cient construction of an Proceedings of CRYPTO 84 (LNCS 196), unbiased random sequenceº, The Annals of 203±230, 1985. Mathematical Statistics, 43 (1972), 865±870. [383] U. FEIGE,A.FIAT, AND A. SHAMIR,ªZero- knowledge proofs of identityº, Journal of [371] , ªInterval and recency rank source en- Cryptology, 1 (1988), 77±94. coding: Two on-line adaptive variable-length schemesº, IEEE Transactions on Information [384] U. FEIGE AND A. SHAMIR, ªWitness indis- Theory, 33 (1987), 3±10. tinguishable and witness hiding protocolsº, Proceedings of the 22nd Annual ACM Sym- [372] E.D. ERDMANN, ªEmpirical tests of binary posium on Theory of Computing, 416±426, keystreamsº, Master's thesis, Department of 1990. Mathematics, Royal Holloway and Bedford [385] H. FEISTEL, ªBlock cipher cryptographic New College, University of London, 1992. systemº, U.S. Patent # 3,798,359, 19 Mar [373] P. ERDOSÈ AND C. POMERANCE,ªOnthe 1974. number of false witnesses for a composite [386] , ªStep code ciphering systemº, U.S. numberº, Mathematics of Computation,46 Patent # 3,798,360, 19 Mar 1974. (1986), 259±279. [387] , ªCryptography and computer pri- [374] D. ESTES,L.M.ADLEMAN,K.KOMPELLA, vacyº, Scienti®c American, 228 (May 1973), K.S. MCCURLEY, AND G.L. MILLER, 15±23. ªBreaking the Ong-Schnorr-Shamir signa- [388] H. FEISTEL,W.A.NOTZ, AND J.L. SMITH, ture scheme for quadratic number ®eldsº, Ad- ªSome cryptographic techniques for machine- vances in Cryptology±CRYPTO '85 (LNCS to-machine data communicationsº, Proceed- 218), 3±13, 1986. ings of the IEEE, 63 (1975), 1545±1554. [375] A. EVANS JR., W. KANTROWITZ, AND [389] F.A. FELDMAN, ªFast spectral tests for mea- E. WEISS, ªA user authentication scheme not suring nonrandomness and the DESº, Ad- requiring secrecy in the computerº, Commu- vances in Cryptology±CRYPTO '87 (LNCS nications of the ACM, 17 (1974), 437±442. 293), 243±254, 1988.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 719

[390] P. FELDMAN, ªA practical scheme for non- Publication 113, U.S. Department of Com- interactive veri®able secret sharingº, Pro- merce/National Bureau of Standards, National ceedings of the IEEE 28th Annual Symposium Technical Information Service, Spring®eld, on Foundations of Computer Science, 427± Virginia, 1985. 437, 1987. [401] FIPS 140-1, ªSecurity requirements for cryp- [391] D.C. FELDMEIER AND P.R. KARN, ªUNIX tographic modulesº, Federal Information Pro- password security ± ten years laterº, Advances cessing Standards Publication 140-1, U.S. in Cryptology±CRYPTO '89 (LNCS 435), 44± Department of Commerce/N.I.S.T., National 63, 1990. Technical Information Service, Spring®eld, [392] W. FELLER, An Introduction to Probability Virginia, 1994. Theory and its Applications, John Wiley & [402] FIPS 171, ªKey management using ANSI Sons, New York, 3rd edition, 1968. X9.17º, Federal Information Processing Stan- [393] A. FIAT AND M. NAOR, ªRigorous dards Publication 171, U.S. Department of time/space tradeoffs for inverting functionsº, Commerce/N.I.S.T., National Technical Infor- Proceedings of the 23rd Annual ACM Sym- mation Service, Spring®eld, Virginia, 1992. posium on Theory of Computing, 534±541, [403] FIPS 180, ªSecure hash standardº, Fed- 1991. eral Information Processing Standards Pub- [394] , ªBroadcast encryptionº, Advances in lication 180, U.S. Department of Com- Cryptology±CRYPTO '93 (LNCS 773), 480± merce/N.I.S.T., National Technical Informa- 491, 1994. tion Service, Spring®eld, Virginia, May 11 1993. [395] A. FIAT AND A. SHAMIR, ªHow to prove yourself: Practical solutions to identi®ca- [404] FIPS 180-1, ªSecure hash standardº, Fed- tion and signature problemsº, Advances in eral Information Processing Standards Pub- Cryptology±CRYPTO '86 (LNCS 263), 186± lication 180-1, U.S. Department of Com- 194, 1987. merce/N.I.S.T., National Technical Informa- [396] FIPS 46, ªData encryption standardº, Federal tion Service, Spring®eld, Virginia, April 17 Information Processing Standards Publication 1995 (supersedes FIPS PUB 180). 46, U.S. Department of Commerce/National [405] FIPS 185, ªEscrowed encryption standard Bureau of Standards, National Technical In- (EES)º, Federal Information Processing Stan- formation Service, Spring®eld, Virginia, 1977 dards Publication 185, U.S. Department of (revised as FIPS 46-1:1988; FIPS 46-2:1993). Commerce/N.I.S.T., National Technical Infor- [397] FIPS 74, ªGuidelines for implementing and mation Service, Spring®eld, Virginia, 1994. using the NBS data encryption standardº, [406] FIPS 186, ªDigital signature standardº, Federal Information Processing Standards Federal Information Processing Standards Publication 74, U.S. Department of Com- Publication 186, U.S. Department of Com- merce/National Bureau of Standards, National merce/N.I.S.T., National Technical Informa- Technical Information Service, Spring®eld, tion Service, Spring®eld, Virginia, 1994. Virginia, 1981. [407] FIPS 196, ªEntity authentication using public [398] FIPS 81, ªDES modes of operationº, Federal key cryptographyº, U.S. Department of Com- Information Processing Standards Publication merce/N.I.S.T., February 18 1997. 81, U.S. Department of Commerce/National Bureau of Standards, National Technical [408] A.M. FISCHER, ªPublic key/signature cryp- Information Service, Spring®eld, Virginia, tosystem with enhanced digital signature cer- 1980. ti®cationº, U.S. Patent # 4,868,877, 19 Sep 1989. [399] FIPS 112, ªPassword usageº, Federal Infor- mation Processing Standards Publication 112, [409] , ªPublic key/signature cryptosystem U.S. Department of Commerce/National Bu- with enhanced digital signature certi®ca- reau of Standards, National Technical Infor- tionº, U.S. Patent # 5,005,200, 2 Apr 1991 mation Service, Spring®eld, Virginia, 1985. (continuation-in-part of 4,868,877). [400] FIPS 113, ªComputer data authenticationº, [410] , ªElectronic document authorizationº, Federal Information Processing Standards Proceedings of the 13th National Computer

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 720 References

Security Conference, Washington D.C., spon- [423] W. FRIEDMAN, Military Cryptanalysis,U.S. sored by N.I.S.T. and the National Computer Government Printing Of®ce, Washington DC, Security Center, USA, 1990. 1944. Volume I ± Monoalphabetic substitu- [411] J.-B. FISCHER AND J. STERN,ªAnef®- tion systems. Volume II ± Simpler varieties cient pseudo-random generator provably as of polyalphabetic substitution systems. Vol- secure as syndrome decodingº, Advances in ume III ± Aperiodic substitutions. Volume IV Cryptology±EUROCRYPT '96 (LNCS 1070), ± Transposition systems. 245±255, 1996. [424] , ªCryptologyº, Encyclopedia Brittan- [412] M. FISCHER,S.MICALI, AND C. RACKOFF, ica, 6 (1967), 844±851. ªA secure protocol for oblivious transferº, unpublished (presented at Eurocrypt'84). [425] , Elements of Cryptanalysis, Aegean Park Press, Laguna Hills, California, 1976. [413] P. FLAJOLET AND A. ODLYZKO, ªRandom First published in 1923. mapping statisticsº, Advances in Cryptology± EUROCRYPT '89 (LNCS 434), 329±354, [426] , The Index of Coincidence and its 1990. Applications in Cryptography, Aegean Park [414] W. FORD, Computer Communications Se- Press, Laguna Hills, California, 1979. First curity: Principles, Standard Protocols and published in 1920. Techniques, Prentice Hall, Englewood Cliffs, [427] A.M. FRIEZE,J.HASTADÊ ,R.KANNAN, New Jersey, 1994. J.C. LAGARIAS, AND A. SHAMIR, ªRecon- [415] , ªStandardizing information technol- structing truncated integer variables satisfying ogy securityº, StandardView, 2 (1994), 64±71. linear congruencesº, SIAM Journal on Com- [416] , ªAdvances in public-key certi®cate puting, 17 (1988), 262±280. standardsº, Security, Audit and Control,13 [428] A. FUJIOKA,T.OKAMOTO, AND S. MIYA- (1995), ACM Press/SIGSAC, 9±15. GUCHI, ªESIGN: An ef®cient digital signa- [417] W. FORD AND M. WIENER,ªAkeydistri- ture implementation for smart cardsº, Ad- bution method for object-based protectionº, vances in Cryptology±EUROCRYPT '91 2nd ACM Conference on Computer and Com- (LNCS 547), 446±457, 1991. munications Security, 193±197, ACM Press, 1994. [429] W. FUMY AND P. L ANDROCK, ªPrinciples of key managementº, IEEE Journal on Selected [418] R. FORREÂ, ªA fast correlation attack Areas in Communications, 11 (1993), 785± on nonlinearly feedforward ®ltered shift- 793. register sequencesº, Advances in Cryptology± EUROCRYPT '89 (LNCS 434), 586±595, [430] W. FUMY AND M. LECLERC, ªPlacement of 1990. cryptographic key distribution within OSI: de- [419] Y. FRANKEL AND M. YUNG, ªCryptanaly- sign alternatives and assessmentº, Computer sis of the immunized LL public key systemsº, Networks and ISDN Systems, 26 (1993), 217± Advances in Cryptology±CRYPTO '95 (LNCS 225. 963), 287±296, 1995. [431] W. FUMY AND M. MUNZERT, ªA modular [420] , ªEscrow encryption systems visited: approach to key distributionº, Advances in Attacks, analysis and designsº, Advances in Cryptology±CRYPTO '90 (LNCS 537), 274± Cryptology±CRYPTO '95 (LNCS 963), 222± 283, 1991. 235, 1995. [432] W. FUMY AND M. RIETENSPIESS,ªOpen [421] M.K. FRANKLIN AND M.K. REITER, ªVeri®able signature sharingº, Advances in systems security standardsº, A. Kent and J.G. Cryptology±EUROCRYPT '95 (LNCS 921), Williams, editors, Encyclopedia of Computer 50±63, 1995. Science and Technology 34, 301±334, Marcel Dekker, 1996. [422] G. FREY AND H.-G. RUCKÈ , ªA remark concerning m-divisibility and the discrete loga- [433] K. GAARDER AND E. SNEKKENES, ªApply- rithm in the divisor class group of curvesº, ing a formal analysis technique to the CCITT Mathematics of Computation, 62 (1994), 865± X.509 strong two-way authentication proto- 874. colº, Journal of Cryptology, 3 (1991), 81±98.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 721

[434] E.M. GABIDULIN, ªOn public-key cryp- [447] J. GEORGIADES, ªSome remarks on the se- tosystems based on linear codes: Ef®ciency curity of the identi®cation scheme based on and weaknessº, P.G. Farrell, editor, Codes and permuted kernelsº, Journal of Cryptology,5 Cyphers: Cryptography and Coding IV, 17± (1992), 133±137. 31, Institute of Mathematics & Its Applica- [448] J. GERVER, ªFactoring large numbers with tions (IMA), 1995. a quadratic sieveº, Mathematics of Computa- [435] E.M. GABIDULIN,A.V.PARAMONOV, tion, 41 (1983), 287±294. AND O.V. TRETJAKOV, ªIdeals over a [449] P.J. GIBLIN, Primes and Programming: An non-commutative ring and their application Introduction to Number Theory with Comput- in cryptologyº, Advances in Cryptology± ing, Cambridge University Press, Cambrige, EUROCRYPT '91 (LNCS 547), 482±489, 1993. 1991. [450] J.K. GIBSON, ªSome comments on Damg- [436] H. GAINES, Cryptanalysis: A Study of Ci- ard'sÊ hashing principleº, Electronics Letters, phers and their Solutions, Dover Publications, 26 (July 19, 1990), 1178±1179. New York, 1956. [451] , ªEquivalent Goppa codes and trap- [437] J. GAIT, ªA new nonlinear pseudorandom doors to McEliece's public key cryptosys- number generatorº, IEEE Transactions on temº, Advances in Cryptology±EUROCRYPT Software Engineering, 3 (1977), 359±363. '91 (LNCS 547), 517±521, 1991. [438] J.M. GALVIN,K.MCCLOGHRIE, AND J.R. [452] , ªSeverely denting the Gabidulin ver- DAV I N, ªSecure management of SNMP net- sion of the McEliece public key cryptosys- worksº, Integrated Network Management, II, temº, Designs, Codes and Cryptography,6 703±714, 1991. (1995), 37±45.

[439] R.A. GAMES AND A.H. CHAN, ªA fast algo- [453] , ªThe security of the Gabidulin public rithm for determining the complexity of a bi- key cryptosystemº, Advances in Cryptology± nary sequence with period 2nº, IEEE Trans- EUROCRYPT '96 (LNCS 1070), 212±223, actions on Information Theory, 29 (1983), 1996. 144±146. [454] E.N. GILBERT,F.J.MACWILLIAMS, AND [440] M. GARDNER, ªA new kind of cipher that N.J.A. SLOANE, ªCodes which detect de- would take millions of years to breakº, Scien- ceptionº, Bell System Technical Journal,53 ti®c American, 237 (Aug 1977), 120±124. (1974), 405±424.

[441] M.R. GAREY AND D.S. JOHNSON, Comput- [455] H. GILBERT AND G. CHASSEÂ, ªA statistical ers and Intractability: A Guide to the The- attack of the Feal-8 cryptosystemº, Advances ory of NP-completeness, W.H. Freeman, San in Cryptology±CRYPTO '90 (LNCS 537), 22± Francisco, 1979. 33, 1991.

[442] S. GARFINKEL, PGP: Pretty Good Privacy, [456] H. GILBERT AND P. CHAUVAUD, ªA chosen O'Reilly and Associates, Inc., Sebastopol, plaintext attack of the 16-round Khufu cryp- California, 1995. tosystemº, Advances in Cryptology±CRYPTO '94 (LNCS 839), 359±368, 1994. [443] H. GARNER, ªThe residue number systemº, IRE Transactions on Electronic Computers, [457] M. GIRAULT, ªHash-functions using modulo- EC-8 (1959), 140±147. n operationsº, Advances in Cryptology± EUROCRYPT '87 (LNCS 304), 217±226, [444] C.F. GAUSS, Disquisitiones Arithmeticae, 1988. 1801. English translation by Arthur A. Clarke, [458] , ªAn identity-based identi®cation sch- Springer-Verlag, New York, 1986. eme based on discrete logarithms modulo a [445] K. GEDDES,S.CZAPOR, AND G. LABAHN, composite numberº, Advances in Cryptology± Algorithms for Computer Algebra,Kluwer EUROCRYPT '90 (LNCS 473), 481±486, Academic Publishers, Boston, 1992. 1991.

[446] P. GEFFE, ªHow to protect data with ciphers [459] , ªSelf-certi®ed public keysº, Advances that are really hard to breakº, Electronics,46 in Cryptology±EUROCRYPT '91 (LNCS (1973), 99±101. 547), 490±497, 1991.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 722 References

[460] M. GIRAULT,R.COHEN, AND M. CAM- [471] O. GOLDREICH AND L.A. LEVIN,ªAhard- PANA, ªA generalized birthday attackº, Ad- core predicate for all one-way functionsº, vances in Cryptology±EUROCRYPT '88 Proceedings of the 21st Annual ACM Sympo- (LNCS 330), 129±156, 1988. sium on Theory of Computing, 25±32, 1989. [461] M. GIRAULT AND J.C. PAILLESÁ ,ªAn [472] O. GOLDREICH,S.MICALI, AND A. WIG- identity-based scheme providing zero- DERSON, ªProofs that yield nothing but their knowledge authentication and authenticated validity and a methodology of cryptographic key-exchangeº, First European Symposium protocol designº, Proceedings of the IEEE on Research in Computer Security ± ES- 27th Annual Symposium on Foundations of ORICS'90, 173±184, 1990. Computer Science, 174±187, 1986. [462] M. GIRAULT AND J. STERN, ªOn the length [473] , ªHow to prove all NP statements of cryptographic hash-values used in identi- in zero-knowledge, and a methodology of ®cation schemesº, Advances in Cryptology± cryptographic protocol designº, Advances in CRYPTO '94 (LNCS 839), 202±215, 1994. Cryptology±CRYPTO '86 (LNCS 263), 171± 185, 1987. [463] V.D. GLIGOR,R.KAILAR,S.STUB- BLEBINE, AND L. GONG, ªLogics for crypto- [474] , ªProofs that yield nothing but their graphic protocols Ð virtues and limitationsº, validity or all languages in NP have zero- The Computer Security Foundations Work- knowledge proof systemsº, Journal of the shop IV, 219±226, IEEE Computer Security Association for Computing Machinery,38 Press, 1991. (1991), 691±729. An earlier version appeared in [472]. [464] C.M. GOLDIE AND R.G.E. PINCH, Commu- nication Theory, Cambridge University Press, [475] O. GOLDREICH AND Y. O REN, ªDe®nitions Cambridge, 1991. and properties of zero-knowledge proof sys- temsº, Journal of Cryptology, 7 (1994), 1±32. [465] O. GOLDREICH, ªTwo remarks concerning [476] S. GOLDWASSER, ªThe search for provably the Goldwasser-Micali-Rivest signature sch- secure cryptosystemsº, C. Pomerance, editor, emeº, Advances in Cryptology±CRYPTO '86 Cryptology and Computational Number The- (LNCS 263), 104±110, 1987. ory, volume 42 of Proceedings of Symposia [466] O. GOLDREICH,S.GOLDWASSER, AND in Applied Mathematics, 89±113, American S. MICALI, ªHow to construct random func- Mathematical Society, 1990. tionsº, Proceedings of the IEEE 25th Annual [477] S. GOLDWASSER AND J. KILIAN,ªAlmost Symposium on Foundations of Computer Sci- all primes can be quickly certi®edº, Proceed- ence, 464±479, 1984. ings of the 18th Annual ACM Symposium on [467] , ªOn the cryptographic applications of Theory of Computing, 316±329, 1986. random functionsº, Advances in Cryptology± [478] S. GOLDWASSER AND S. MICALI, ªProba- Proceedings of CRYPTO 84 (LNCS 196), bilistic encryption & how to play mental poker 276±288, 1985. keeping secret all partial informationº, Pro- [468] , ªHow to construct random functionsº, ceedings of the 14th Annual ACM Symposium Journal of the Association for Computing Ma- on Theory of Computing, 365±377, 1982. chinery, 33 (1986), 792±807. An earlier ver- [479] , ªProbabilistic encryptionº, Journal of sion appeared in [466]. Computer and System Sciences, 28 (1984), [469] O. GOLDREICH AND H. KRAWCZYK,ªOn 270±299. An earlier version appeared in the composition of zero-knowledge proof sys- [478]. temsº, M.S. Paterson, editor, Automata, Lan- [480] S. GOLDWASSER,S.MICALI, AND C. RAC- guages and Programming, 17th International KOFF, ªThe knowledge complexity of interac- Colloquium (LNCS 443), 268±282, Springer- tive proof-systemsº, Proceedings of the 17th Verlag, 1990. Annual ACM Symposium on Theory of Com- [470] O. GOLDREICH,H.KRAWCZYK, AND puting, 291±304, 1985. M. LUBY, ªOn the existence of pseudoran- [481] , ªThe knowledge complexity of inter- dom generatorsº, Proceedings of the IEEE active proof systemsº, SIAM Journal on Com- 29th Annual Symposium on Foundations of puting, 18 (1989), 186±208. An earlier ver- Computer Science, 12±24, 1988. sion appeared in [480].

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 723

[482] S. GOLDWASSER,S.MICALI, AND R.L. [493] R.A. GOLLIVER,A.K.LENSTRA, AND K.S. RIVEST, ªA ªparadoxicalº solution to the sig- MCCURLEY, ªLattice sieving and trial di- nature problemº, Proceedings of the IEEE visionº, Algorithmic Number Theory (LNCS 25th Annual Symposium on Foundations of 877), 18±27, 1994. Computer Science, 441±448, 1984. [494] D. GOLLMANN, ªPseudo random properties [483] , ªA ªparadoxicalº solution to the sig- of cascade connections of clock controlled nature problemº, Advances in Cryptology± shift registersº, Advances in Cryptology± Proceedings of CRYPTO 84 (LNCS 196), 467, Proceedings of EUROCRYPT 84 (LNCS 209), 1985. 93±98, 1985. [484] , ªA digital signature scheme secure [495] , ªCryptanalysis of clock controlled against adaptive chosen-message attacksº, shift registersº, R. Anderson, editor, Fast Soft- SIAM Journal on Computing, 17 (1988), 281± ware Encryption, Cambridge Security Work- 308. Earlier versions appeared in [482] and shop (LNCS 809), 121±126, Springer-Verlag, [483]. 1994.

[485] J. GOLICÂ , ªCorrelation via linear sequen- [496] D. GOLLMANN AND W.G. CHAMBERS, tial circuit approximation of combiners ªClock-controlled shift registers: a reviewº, with memoryº, Advances in Cryptology± IEEE Journal on Selected Areas in Communi- EUROCRYPT '92 (LNCS 658), 113±123, cations, 7 (1989), 525±533. 1993. [497] D. GOLLMANN,Y.HAN, AND C. MITCHE- [486] , ªOn the security of shift register based LL, ªRedundant integer representations and keystream generatorsº, R. Anderson, editor, fast exponentiationº, Designs, Codes and Fast Software Encryption, Cambridge Secu- Cryptography, 7 (1996), 135±151. rity Workshop (LNCS 809), 90±100, Springer- Verlag, 1994. [498] S.W. GOLOMB, Shift Register Sequences, Holden-Day, San Francisco, 1967. Reprinted [487] , ªIntrinsic statistical weakness of key- by Aegean Park Press, 1982. stream generatorsº, Advances in Cryptology± ASIACRYPT '94 (LNCS 917), 91±103, 1995. [499] L. GONG, ªUsing one-way functions for au- thenticationº, Computer Communication Re- [488] , ªLinear cryptanalysis of stream ci- view, 19 (1989), 8±11. phersº, B. Preneel, editor, Fast Software Encryption, Second International Workshop [500] , ªA security risk of depending on syn- (LNCS 1008), 154±169, Springer-Verlag, chronized clocksº, Operating Systems Re- 1995. view, 26 (1992), 49±53. [489] , ªTowards fast correlation attacks on ir- [501] , ªVariations on the themes of message regularly clocked shift registersº, Advances in freshness and replayº, The Computer Security Cryptology±EUROCRYPT '95 (LNCS 921), Foundations Workshop VI, 131±136, IEEE 248±262, 1995. Computer Society Press, 1993. [490] , ªOn the security of nonlinear ®l- [502] , ªNew protocols for third-party-based ter generatorsº, D. Gollmann, editor, Fast authentication and secure broadcastº, 2nd Software Encryption, Third International ACM Conference on Computer and Com- Workshop (LNCS 1039), 173±188, Springer- munications Security, 176±183, ACM Press, Verlag, 1996. 1994.

[491] J. GOLICÂ AND M. MIHALJEVICÂ , ªA gener- [503] , ªEf®cient network authentication pro- alized correlation attack on a class of stream tocols: lower bounds and optimal implemen- ciphers based on the Levenshtein distanceº, tationsº, Distributed Computing, 9 (1995), Journal of Cryptology, 3 (1991), 201±212. 131±145.

[492] J. GOLICÂ AND L. O'CONNOR, ªEmbed- [504] L. GONG, T.M.A. LOMAS,R.M.NEED- ding and probabilistic correlation attacks on HAM, AND J.H. SALTZER,ªProtecting poorly clock-controlled shift registersº, Advances in chosen secrets from guessing attacksº, IEEE Cryptology±EUROCRYPT '94 (LNCS 950), Journal on Selected Areas in Communica- 230±243, 1995. tions, 11 (1993), 648±656.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 724 References

[505] L. GONG,R.NEEDHAM, AND R. YA- 2-adic numbersº, Advances in Cryptology± HALOM, ªReasoning about belief in crypto- EUROCRYPT '94 (LNCS 950), 215±222, graphic protocolsº, Proceedings of the IEEE 1995. Computer Society Symposium on Research in [519] K.C. GOSS, ªCryptographic method and ap- Security and Privacy, 234±248, 1990. paratus for public key exchange with authenti- [506] L. GONG AND D.J. WHEELER,ªAmatrix cationº, U.S. Patent # 4,956,863, 11 Sep 1990. key-distribution schemeº, Journal of Cryptol- [520] R. GRAHAM,D.KNUTH, AND O. PATASH- ogy, 2 (1990), 51±59. NIK, Concrete Mathematics, Addison- [507] I.J. GOOD, ªThe serial test for sampling num- Wesley, Reading, Massachusetts, 2nd edition, bers and other tests for randomnessº, Pro- 1994. ceedings of the Cambridge Philosophical So- [521] A. GRANVILLE, ªPrimality testing and ciety, 49 (1953), 276±284. Carmichael numbersº, Notices of the Amer- [508] , ªOn the serial test for random se- ican Mathematical Society, 39 (1992), 696± quencesº, The Annals of Mathematical Statis- 700. tics, 28 (1957), 262±264. [522] E. GROSSMAN, ªGroup theoretic remarks on cryptographic systems based on two types of [509] D.M. GORDON, ªDesigning and detecting trapdoors for discrete log cryptosystemsº, Ad- additionº, IBM Research Report RC 4742, vances in Cryptology±CRYPTO '92 (LNCS IBM T.J. Watson Research Center, Yorktown 740), 66±75, 1993. Heights, N.Y., 10598, U.S.A., Feb. 26 1974. [523] L.C. GUILLOU AND J.-J. QUISQUATER, [510] , ªDiscrete logarithms in GF(p) using ªMethod and apparatus for authenticating ac- the number ®eld sieveº, SIAM Journal on Dis- creditations and for authenticating and signing crete Mathematics, 6 (1993), 124±138. messagesº, U.S. Patent # 5,140,634, 18 Aug [511] D.M. GORDON AND K.S. MCCURLEY, 1992. ªMassively parallel computations of dis- [524] , ªA practical zero-knowledge protocol crete logarithmsº, Advances in Cryptology± ®tted to security microprocessor minimizing CRYPTO '92 (LNCS 740), 312±323, 1993. both transmission and memoryº, Advances in [512] J. GORDON, ªVery simple method to ®nd the Cryptology±EUROCRYPT '88 (LNCS 330), minimum polynomial of an arbitrary nonzero 123±128, 1988. element of a ®nite ®eldº, Electronics Letters, [525] L.C. GUILLOU,J.-J.QUISQUATER,M.WA- 12 (December 9, 1976), 663±664. LKER,P.LANDROCK, AND C. SHAER,ªPre- [513] , ªStrong RSA keysº, Electronics Let- cautions taken against various potential at- ters, 20 (June 7, 1984), 514±516. tacks in ISO/IEC DIS 9796º, Advances in Cryptology±EUROCRYPT '90 (LNCS 473), [514] , ªStrong primes are easy to ®ndº, Ad- 465±473, 1991. vances in Cryptology±Proceedings of EURO- CRYPT 84 (LNCS 209), 216±223, 1985. [526] L.C. GUILLOU AND M. UGON, ªSmart card ± a highly reliable and portable security de- [515] , ªHow to forge RSA key certi®catesº, viceº, Advances in Cryptology±CRYPTO '86 Electronics Letters, 21 (April 25, 1985), 377± (LNCS 263), 464±479, 1987. 379. [527] L.C. GUILLOU,M.UGON, AND J.-J. [516] , ªFast multiplicative inverse in modu- QUISQUATER, ªThe smart card: A standard- lar arithmeticº, H. Beker and F. Piper, editors, ized security device dedicated to public cryp- Cryptography and Coding, Institute of Math- tologyº, G.J. Simmons, editor, Contemporary ematics & Its Applications (IMA), 269±279, Cryptology: The Science of Information In- Clarendon Press, 1989. tegrity, 561±613, IEEE Press, 1992. [517] J. GORDON AND H. RETKIN,ªArebigS- [528] C.G. GUNTHERÈ , ªAlternating step gener- boxes best?º, Cryptography±Proceedings of ators controlled by de Bruijn sequencesº, the Workshop on Cryptography, Burg Feuer- Advances in Cryptology±EUROCRYPT '87 stein (LNCS 149), 257±262, 1983. (LNCS 304), 5±14, 1988. [518] M. GORESKY AND A. KLAPPER, ªFeedback [529] , ªA universal algorithm for homo- registers based on rami®ed extensions of the phonic codingº, Advances in Cryptology±

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 725

EUROCRYPT '88 (LNCS 330), 405±414, [542] V. HARRIS, ªAn algorithm for ®nding the 1988. greatest common divisorº, Fibonacci Quar- terly, 8 (1970), 102±103. [530] , ªAn identity-based key-exchange pro- tocolº, Advances in Cryptology±EUROCRY- [543] J. HASTADÊ ,A.W.SCHRIFT, AND A. SHAM- PT '89 (LNCS 434), 29±37, 1990. IR, ªThe discrete logarithm modulo a composite hides O(n) bitsº, Journal of Computer and [531] H. GUSTAFSON, Statistical Analysis of Sym- System Sciences, 47 (1993), 376±404. metric Ciphers, PhD thesis, Queensland Uni- versity of Technology, 1996. [544] J. HASTADÊ , ªSolving simultaneous modular equations of low degreeº, SIAM Journal on [532] H. GUSTAFSON,E.DAWSON, AND J. GOL- Computing, 17 (1988), 336±341. ICÂ , ªRandomness measures related to subset [545] , ªPseudo-random generators under occurrenceº, E. Dawson and J. GoliÂc, editors, uniform assumptionsº, Proceedings of the Cryptography: Policy and Algorithms, Inter- 22nd Annual ACM Symposium on Theory of national Conference, Brisbane, Queensland, Computing, 395±404, 1990. Australia, July 1995 (LNCS 1029), 132±143, 1996. [546] R. HEIMAN, ªA note on discrete logarithms with special structureº, Advances in [533] H. GUSTAFSON,E.DAWSON,L.NIELSEN, Cryptology±EUROCRYPT '92 (LNCS 658), AND W. CAELLI, ªA computer package for 454±457, 1993. measuring the strength of encryption algo- rithmsº, Computers & Security, 13 (1994), [547] , ªSecure audio teleconferencing: A 687±697. practical solutionº, Advances in Cryptology± EUROCRYPT '92 (LNCS 658), 437±448, [534] A. GUYOT, ªOCAPI: Architecture of a VLSI 1993. coprocessor for the gcd and extended gcd of [548] M.E. HELLMAN, ªAn extension of the Shan- large numbersº, Proceedings of the 10th IEEE non theory approach to cryptographyº, IEEE Symposium on Computer Arithmetic, 226± Transactions on Information Theory,23 231, IEEE Press, 1991. (1977), 289±294. [535] S. HABER AND W.S. STORNETTA,ªHowto [549] , ªA cryptanalytic time-memory trade- time-stamp a digital documentº, Journal of offº, IEEE Transactions on Information The- Cryptology, 3 (1991), 99±111. ory, 26 (1980), 401±406. [536] J.L. HAFNER AND K.S. MCCURLEY,ªOn [550] M.E. HELLMAN AND C.E. BACH, ªMethod the distribution of running times of certain in- and apparatus for use in public-key data en- teger factoring algorithmsº, Journal of Algo- cryption systemº, U.S. Patent # 4,633,036, 30 rithms, 10 (1989), 531±556. Dec 1986. [537] , ªA rigorous subexponential algorithm [551] M.E. HELLMAN,B.W.DIFFIE, AND R.C. for computation of class groupsº, Journal of MERKLE, ªCryptographic apparatus and the American Mathematical Society, 2 (1989), methodº, U.S. Patent # 4,200,770, 29 Apr 837±850. 1980.

[538] T. HANSEN AND G.L. MULLEN, ªPrimitive [552] M.E. HELLMAN,R.MERKLE,R.SCHROE- polynomials over ®nite ®eldsº, Mathematics PPEL,L.WASHINGTON,W.DIFFIE, of Computation, 59 (1992), 639±643. S. POHLIG, AND P. S CHWEITZER, ªResults of an initial attempt to cryptanalyze the NBS [539] G.H. HARDY, A Mathematician's Apology, Data Encryption Standardº, Technical Report Cambridge University Press, London, 1967. SEL 76-042, Information Systems Labora- [540] G.H. HARDY AND E.M. WRIGHT, An Intro- tory, Stanford University, Palo Alto, Califor- duction to the Theory of Numbers, Clarendon nia, Sept. 9 1976 (revised Nov 10 1976). Press, Oxford, 5th edition, 1979. [553] M.E. HELLMAN AND R.C. MERKLE, ªPub- [541] C. HARPES,G.G.KRAMER, AND J.L. lic key cryptographic apparatus and methodº, MASSEY, ªA generalization of linear crypt- U.S. Patent # 4,218,582, 19 Aug 1980. analysis and the applicability of Matsui's [554] M.E. HELLMAN AND S.C. POHLIG,ªEx- piling-up lemmaº, Advances in Cryptology± ponentiation cryptographic apparatus and EUROCRYPT '95 (LNCS 921), 24±38, 1995. methodº, U.S. Patent # 4,424,414, 3 Jan 1984.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 726 References

[555] M.E. HELLMAN AND J.M. REYNERI, [568] R. IMPAGLIAZZO,L.LEVIN, AND M. LUBY, ªFast computation of discrete logarithms ªPseudo-random generation from one-way in GF(q)º, Advances in Cryptology± functionsº, Proceedings of the 21st Annual Proceedings of Crypto 82, 3±13, 1983. ACM Symposium on Theory of Computing, [556] I.N. HERSTEIN, Topics in Algebra,Xerox 12±24, 1989. College Pub., Lexington, Massachusetts, 2nd [569] R. IMPAGLIAZZO AND M. NAOR,ªEf®cient edition, 1975. cryptographic schemes provably as secure as subset sumº, Proceedings of the IEEE 30th [557] L.S. HILL, ªCryptography in an algebraic al- phabetº, American Mathematical Monthly,36 Annual Symposium on Foundations of Com- (1929), 306±312. puter Science, 236±241, 1989. [570] I. INGEMARSSON AND G.J. SIMMONS,ªA [558] L.J. HOFFMAN, Modern Methods for Com- puter Security and Privacy, Prentice Hall, En- protocol to set up shared secret schemes with- glewood Cliffs, New Jersey, 1977. out the assistance of a mutually trusted partyº, Advances in Cryptology±EUROCRYPT '90 [559] R.V. HOGG AND E.A. TANIS, Probability (LNCS 473), 266±282, 1991. and statistical inference, Macmillan Publish- [571] I. INGEMARSSON,D.T.TANG, AND C.K. ing Company, New York, 3rd edition, 1988. WONG, ªA conference key distribution sys- [560] W. HOHL,X.LAI,T.MEIER, AND temº, IEEE Transactions on Information The- C. WALDVOGEL, ªSecurity of iterated hash ory, 28 (1982), 714±720. functions based on block ciphersº, Advances [572] K. IRELAND AND M. ROSEN, A Classi- in Cryptology±CRYPTO '93 (LNCS 773), cal Introduction to Modern Number The- 379±390, 1994. ory, Springer-Verlag, New York, 2nd edition, [561] S.-M. HONG,S.-Y.OH, AND H. YOON, 1990. ªNew modular multiplication algorithms for [573] ISO 7498-2, ªInformation processing sys- fast modular exponentiationº, Advances in tems ± Open Systems Interconnection ± Ba- Cryptology±EUROCRYPT '96 (LNCS 1070), sic reference model ± Part 2: Security archi- 166±177, 1996. tectureº, International Organization for Stan- [562] P. HORSTER AND H.-J. KNOBLOCH,ªDis- dardization, Geneva, Switzerland, 1989 (®rst crete logarithm based protocolsº, Advances in edition) (equivalent to ITU-T Rec. X.800). Cryptology±EUROCRYPT '91 (LNCS 547), [574] ISO 8372, ªInformation processing ± Modes 399±408, 1991. of operation for a 64-bit block cipher algo- [563] P. HORSTER,M.MICHELS, AND H. PE- rithmº, International Organization for Stan- TERSEN, ªMeta-message recovery and meta- dardization, Geneva, Switzerland, 1987 (®rst blind signature schemes based on the dis- edition; con®rmed 1992). crete logarithm problem and their applica- [575] ISO 8730, ªBanking ± Requirements for tionsº, Advances in Cryptology±ASIACRYPT message authentication (wholesale)º, Inter- '94 (LNCS 917), 224±237, 1995. national Organization for Standardization, [564] P. HORSTER AND H. PETERSEN,ªGen- Geneva, Switzerland, 1990 (second edition). eralized ElGamal signatures (in German)º, [576] ISO 8731-1, ªBanking ± Approved algo- Sicherheit in Informationssystemen, Proceed- rithms for message authentication ± Part 1: ings der Fachtagung SIS'94, 89±106, Verlag DEAº, International Organization for Stan- der Fachvereine ZÈurich, 1994. dardization, Geneva, Switzerland, 1987 (®rst [565] T.W. HUNGERFORD, Algebra, Holt, Rinehart edition; con®rmed 1992). and Winston, New York, 1974. [577] ISO 8731-2, ªBanking ± Approved algo- [566] K. HWANG, Computer Arithmetic, Princi- rithms for message authentication ± Part ples, Architecture and Design, John Wiley & 2: Message authenticator algorithmº, Inter- Sons, New York, 1979. national Organization for Standardization, [567] C. I'ANSON AND C. MITCHELL, ªSecurity Geneva, Switzerland, 1992 (second edition). defects in CCITT Recommendation X.509 [578] ISO 8732, ªBanking ± Key management ± The directory authentication frameworkº, (wholesale)º, International Organization for Computer Communication Review, 20 (1990), Standardization, Geneva, Switzerland, 1988 30±34. (®rst edition).

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 727

[579] ISO 9564-1, ªBanking ± Personal Identi®- [590] ISO 11568-3, ªBanking ± Key management cation Number management and security ± (retail) ± Part 3: Key life cycle for symmetric Part 1: PIN protection principles and tech- ciphersº, International Organization for Stan- niquesº, International Organization for Stan- dardization, Geneva, Switzerland, 1994. dardization, Geneva, Switzerland, 1990. [591] ISO 11568-4, ªBanking ± Key management [580] ISO 9564-2, ªBanking ± Personal Identi®ca- (retail) ± Part 4: Key management techniques tion Number management and security ± Part using public key cryptographyº, draft (DIS), 2: Approved algorithm(s) for PIN encipher- 1996. mentº, International Organization for Stan- [592] ISO 11568-5, ªBanking ± Key management dardization, Geneva, Switzerland, 1991. (retail) ± Part 5: Key life cycle for public key [581] ISO 9807, ªBanking and related ®nancial ser- cryptosystemsº, draft (DIS), 1996. vices ± Requirements for message authenti- [593] ISO 11568-6, ªBanking ± Key management cation (retail)º, International Organization for (retail) ± Part 6: Key management schemesº, Standardization, Geneva, Switzerland, 1991. draft (CD), 1996. [582] ISO 10126-1, ªBanking ± Procedures for [594] ISO/IEC 9594-1, ªInformation technol- message encipherment (wholesale) ± Part 1: ogy ± Open Systems Interconnection ± The General principlesº, International Organiza- Directory: Overview of concepts, models, tion for Standardization, Geneva, Switzer- and servicesº, International Organization for land, 1991. Standardization, Geneva, Switzerland, 1995 [583] ISO 10126-2, ªBanking ± Procedures for (equivalent to ITU-T Rec. X.500, 1993). message encipherment (wholesale) ± Part 2: [595] ISO/IEC 9594-8, ªInformation technology Algorithmsº, International Organization for ± Open Systems Interconnection ± The Di- Standardization, Geneva, Switzerland, 1991. rectory: Authentication frameworkº, Inter- national Organization for Standardization, [584] ISO 10202-7, ªFinancial transaction cards ± Geneva, Switzerland, 1995 (equivalent to Security architecture of ®nancial transaction ITU-T Rec. X.509, 1993). systems using integrated circuit cards ± Part 7: Key managementº, draft (DIS), 1994. [596] ISO/IEC 9796, ªInformation technology ± Security techniques ± Digital signature sch- [585] ISO 11131, ªBanking ± Financial institution eme giving message recoveryº, International sign-on authenticationº, International Organi- Organization for Standardization, Geneva, zation for Standardization, Geneva, Switzer- Switzerland, 1991 (®rst edition). land, 1992. [597] ISO/IEC 9797, ªInformation technology ± [586] ISO 11166-1, ªBanking ± Key management Security techniques ± Data integrity mech- by means of asymmetric algorithms ± Part anism using a cryptographic check function 1: Principles, procedures and formatsº, In- employing a block cipher algorithmº, In- ternational Organization for Standardization, ternational Organization for Standardization, Geneva, Switzerland, 1994. Geneva, Switzerland, 1994 (second edition). [587] ISO 11166-2, ªBanking ± Key manage- [598] ISO/IEC 9798-1, ªInformation technology ment by means of asymmetric algorithms ± ± Security techniques ± Entity authentication Part 2: Approved algorithms using the RSA mechanisms ± Part 1: General modelº, In- cryptosystemº, International Organization for ternational Organization for Standardization, Standardization, Geneva, Switzerland, 1995. Geneva, Switzerland, 1991 (®rst edition). [588] ISO 11568-1, ªBanking ± Key management [599] ISO/IEC 9798-2, ªInformation technology (retail) ± Part 1: Introduction to key manage- ± Security techniques ± Entity authentication mentº, International Organization for Stan- ± Part 2: Mechanisms using symmetric en- dardization, Geneva, Switzerland, 1994. cipherment algorithmsº, International Organi- [589] ISO 11568-2, ªBanking ± Key management zation for Standardization, Geneva, Switzer- (retail) ± Part 2: Key management techniques land, 1994 (®rst edition). for symmetric ciphersº, International Organi- [600] ISO/IEC 9798-3, ªInformation technology zation for Standardization, Geneva, Switzer- ± Security techniques ± Entity authentica- land, 1994. tion mechanisms ± Part 3: Entity authen-

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 728 References

tication using a public-key algorithmº, In- Switzerland, 1996 (equivalent to ITU-T Rec. ternational Organization for Standardization, X.811, 1995). Geneva, Switzerland, 1993 (®rst edition). [611] ISO/IEC 10181-3, ªInformation technology [601] ISO/IEC 9798-4, ªInformation technology ± Open Systems Interconnection ± Security ± Security techniques ± Entity authentication frameworks for open systems ± Part 3: Access ± Part 4: Mechanisms using a cryptographic control frameworkº, 1996. check functionº, International Organization [612] ISO/IEC 10181-4, ªInformation technology for Standardization, Geneva, Switzerland, ± Open Systems Interconnection ± Security 1995 (®rst edition). frameworks for open systems ± Part 4: Non- [602] ISO/IEC 9798-5, ªInformation technology repudiation frameworkº, 1996. ± Security techniques ± Entity authentication ± Part 5: Mechanisms using zero knowledge [613] ISO/IEC 10181-5, ªInformation technology techniquesº, draft (CD), 1996. ± Open Systems Interconnection ± Security frameworks for open systems ± Part 5: Con- [603] ISO/IEC 9979, ªData cryptographic tech- ®dentiality frameworkº, 1996. niques ± Procedures for the registration of cryptographic algorithmsº, International [614] ISO/IEC 10181-6, ªInformation technology Organization for Standardization, Geneva, ± Open Systems Interconnection ± Security Switzerland, 1991 (®rst edition). frameworks for open systems ± Part 6: In- tegrity frameworkº, 1996. [604] ISO/IEC 10116, ªInformation processing ± Modes of operation for an n-bit block cipher [615] ISO/IEC 10181-7, ªInformation technology algorithmº, International Organization for ± Open Systems Interconnection ± Security Standardization, Geneva, Switzerland, 1991 frameworks for open systems ± Part 7: Secu- (®rst edition). rity audit and alarms frameworkº, 1996. [605] ISO/IEC 10118-1, ªInformation technology [616] ISO/IEC 11770-1, ªInformation technology ± Security techniques ± Hash-functions ± Part ± Security techniques ± Key management ± 1: Generalº, International Organization for Part 1: Frameworkº, draft (DIS), 1996. Standardization, Geneva, Switzerland, 1994. [617] ISO/IEC 11770-2, ªInformation technology [606] ISO/IEC 10118-2, ªInformation technology ± Security techniques ± Key management ± ± Security techniques ± Hash-functions ± Part Part 2: Mechanisms using symmetric tech- 2: Hash-functions using an n-bit block cipher niquesº, International Organization for Stan- algorithmº, International Organization for dardization, Geneva, Switzerland, 1996 (®rst Standardization, Geneva, Switzerland, 1994. edition). [607] ISO/IEC 10118-3, ªInformation technology [618] ISO/IEC 11770-3, ªInformation technology ± Security techniques ± Hash-functions ± Part ± Security techniques ± Key management ± 3: Dedicated hash-functionsº, draft (CD), Part 3: Mechanisms using asymmetric tech- 1996. niquesº, draft (DIS), 1996. [608] ISO/IEC 10118-4, ªInformation technology [619] ISO/IEC 13888-1, ªInformation technology ± Security techniques ± Hash-functions ± Part ± Security techniques ± Non-repudiation ± 4: Hash-functions using modular arithmeticº, Part 1: General modelº, draft (CD), 1996. draft (CD), 1996. [620] ISO/IEC 13888-2, ªInformation technology [609] ISO/IEC 10181-1, ªInformation technol- ± Security techniques ± Non-repudiation ± ogy ± Open Systems Interconnection ± Se- Part 2: Using symmetric encipherment algo- curity frameworks for open systems ± Part rithmsº, draft (CD), 1996. 1: Overviewº, International Organization for Standardization, Geneva, Switzerland, 1996 [621] ISO/IEC 13888-3, ªInformation technology (equivalent to ITU-T Rec. X.810, 1995). ± Security techniques ± Non-repudiation ± Part 3: Using asymmetric techniquesº, draft [610] ISO/IEC 10181-2, ªInformation technol- (CD), 1996. ogy ± Open Systems Interconnection ± Se- curity frameworks for open systems ± Part [622] ISO/IEC 14888-1, ªInformation technology 2: Authentication frameworkº, International ± Security techniques ± Digital signatures with Organization for Standardization, Geneva, appendix ± Part 1: Generalº, draft (CD), 1996.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 729

[623] ISO/IEC 14888-2, ªInformation technology and fast exponentiationº, Electronics Letters, ± Security techniques ± Digital signatures with 25 (August 17, 1989), 1171±1172. appendix ± Part 2: Identity-based mecha- [635] N. JEFFERIES,C.MITCHELL, AND M. nismsº, draft (CD), 1996. WALKER, ªA proposed architecture for [624] ISO/IEC 14888-3, ªInformation technology trusted third party servicesº, E. Dawson ± Security techniques ± Digital signatures with and J. GoliÂc, editors, Cryptography: Policy appendix ± Part 3: Certi®cate-based mecha- and Algorithms, International Conference, nismsº, draft (CD), 1996. Brisbane, Queensland, Australia, July 1995 [625] M. ITO,A.SAITO, AND T. NISHIZEKI,ªSe- (LNCS 1029), 98±104, 1996. cret sharing scheme realizing general access [636] H.N. JENDAL, Y.J.B. KUHN, AND J.L. structureº, IEEE Global Telecommunications MASSEY, ªAn information-theoretic treat- Conference, 99±102, 1987. ment of homophonic substitutionº, Advances [626] ITU-T REC. X.509 (REVISED), ªThe Di- in Cryptology±EUROCRYPT '89 (LNCS rectory ± Authentication frameworkº, Inter- 434), 382±394, 1990. national Telecommunication Union, Geneva, [637] S.M. JENNINGS, ªMultiplexed sequences: Switzerland, 1993 (equivalent to ISO/IEC Some properties of the minimum polyno- 9594-8:1994). mialº, Cryptography±Proceedings of the [627] ITU-T REC. X.509 (1993) TECHNICAL Workshop on Cryptography, Burg Feuerstein CORRIGENDUM 1, ªThe Directory ± Authen- (LNCS 149), 189±206, 1983. tication frameworkº, International Telecom- [638] T. JOHANSSON,G.KABATIANSKII, AND munication Union, Geneva, Switzerland, July B. SMEETS, ªOn the relation between A- 1995 (equivalent to Technical Corrigendum 1 codes and codes correcting independent er- to ISO/IEC 9594-8:1994). rorsº, Advances in Cryptology±EUROCRYPT [628] ITU-T REC. X.509 (1993) AMENDMENT 1: '93 (LNCS 765), 1±11, 1994. CERTIFICATE EXTENSIONS, ªThe Directory [639] D.B. JOHNSON,A.LE,W.MARTIN, ± Authentication frameworkº, International S. MATYAS, AND J. WILKINS, ªHybrid key Telecommunication Union, Geneva, Switzer- distribution scheme giving key record recov- land, July 1995 draft for JCT1 letter ballot eryº, IBM Technical Disclosure Bulletin,37 (equivalent to Ammendment 1 to ISO/IEC (1994), 5±16. 9594-8:1994). [640] D.B. JOHNSON AND S.M. MATYAS,ªAsym- [629] W.-A. JACKSON,K.M.MARTIN, AND C.M. metric encryption: Evolution and enhance- O'KEEFE, ªMultisecret threshold schemesº, mentsº, CryptoBytes, 2 (Spring 1996), 1±6. Advances in Cryptology±CRYPTO '93 (LNCS 773), 126±135, 1994. [641] D.S. JOHNSON, ªThe NP-completeness col- umn: an ongoing guideº, Journal of Algo- [630] G. JAESCHKE, ªOn strong pseudoprimes to several basesº, Mathematics of Computation, rithms, 9 (1988), 426±444. 61 (1993), 915±926. [642] R.W. JONES, ªSome techniques for handling [631] C.J.A. JANSEN AND D.E. BOEKEE,ªOnthe encipherment keysº, ICL Technical Journal,3 signi®cance of the directed acyclic word graph (1982), 175±188. in cryptologyº, Advances in Cryptology± [643] R.R. JUENEMAN, ªAnalysis of certain as- AUSCRYPT '90 (LNCS 453), 318±326, 1990. pects of output feedback modeº, Advances [632] , ªThe shortest feedback shift register in Cryptology±Proceedings of Crypto 82, 99± that can generate a given sequenceº, Advances 127, 1983. in Cryptology±CRYPTO '89 (LNCS 435), 90± [644] , ªA high speed manipulation detection 99, 1990. codeº, Advances in Cryptology±CRYPTO '86 [633] T. JEBELEAN, ªComparing several gcd al- (LNCS 263), 327±346, 1987. gorithmsº, Proceedings of the 11th Sympo- [645] R.R. JUENEMAN,S.M.MATYAS, AND C.H. sium on Computer Arithmetic, 180±185, IEEE MEYER, ªMessage authentication with ma- Press, 1993. nipulation detection codesº, Proceedings of [634] J. JEDWAB AND C. MITCHELL,ªMinimum the 1983 IEEE Symposium on Security and weight modi®ed signed-digit representations Privacy, 33±54, 1984.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 730 References

[646] D. JUNGNICKEL, Finite Fields: Structure networksº, IEEE Transactions on Computers, and Arithmetics, Bibliographisches Institut ± 28 (1979), 747±753. Wissenschaftsverlag, Mannheim, 1993. [660] N. KAPIDZIC AND A. DAV I D S O N, ªA cer- [647] M. JUST,E.KRANAKIS,D.KRIZANC, AND ti®cate management system: structure, func- P. VA N OORSCHOT, ªOn key distribution via tions and protocolsº, Proceedings of the In- true broadcastingº, 2nd ACM Conference on ternet Society Symposium on Network and Computer and Communications Security, 81± Distributed System Security, 153±160, IEEE 88, ACM Press, 1994. Computer Society Press, 1995.

[648] D. KAHN, The Codebreakers, Macmillan [661] A. KARATSUBA AND YU.OFMAN, ªMulti- Publishing Company, New York, 1967. plication of multidigit numbers on automataº, [649] B.S. KALISKI JR., ªA chosen message at- Soviet Physics ± Doklady, 7 (1963), 595±596. tack on Demytko's elliptic curve cryptosys- [662] E.D. KARNIN,J.W.GREENE, AND M.E. temº, Journal of Cryptology, to appear. HELLMAN, ªOn secret sharing systemsº, [650] , ªA pseudo-random bit generator IEEE Transactions on Information Theory,29 based on elliptic logarithmsº, Advances in (1983), 35±41. Cryptology±CRYPTO '86 (LNCS 263), 84± [663] A. KEHNE,J.SCHOWÈ ALDERÈ , AND H. LAN- 103, 1987. GENDORFERÈ , ªA nonce-based protocol for [651] , Elliptic curves and cryptography: a multiple authenticationsº, Operating Systems pseudorandom bit generator and other tools, Review, 26 (1992), 84±89. PhD thesis, MIT Department of Electrical En- [664] R. KEMMERER,C.MEADOWS, AND gineering and Computer Science, 1988. J. MILLEN, ªThree systems for cryptographic [652] , ªAnderson's RSA trapdoor can be bro- protocol analysisº, Journal of Cryptology,7 kenº, Electronics Letters, 29 (July 22, 1993), (1994), 79±130. 1387±1388. [665] S. KENT, ªEncryption-based protection pro- [653] , ªThe Montgomery inverse and its ap- tocols for interactive user-computer commu- plicationsº, IEEE Transactions on Comput- nicationº, MIT/LCS/TR-162 (M.Sc. thesis), ers, 44 (1995), 1064±1065. MIT Laboratory for Computer Science, 1976. [654] B.S. KALISKI JR., R.L. RIVEST, AND A.T. [666] , ªInternet privacy enhanced mailº, SHERMAN, ªIs the Data Encryption Standard Communications of the ACM, 36 (1993), 48± a group? (Results of cycling experiments on 60. DES)º, Journal of Cryptology, 1 (1988), 3± [667] , ªInternet security standards: past, 36. present and futureº, StandardView, 2 (1994), [655] B.S. KALISKI JR. AND M. ROBSHAW,ªThe 78±85. secure use of RSAº, CryptoBytes, 1 (Autumn [668] A. KERCKHOFFS, ªLa cryptographie mili- 1995), 7±13. taireº, Journal des Sciences Militaires,9thSe- [656] B.S. KALISKI JR. AND Y. L . Y IN,ªOndiffer- ries (February 1883), 161±191. ential and linear cryptanalysis of the RC5 en- [669] I. KESSLER AND H. KRAWCZYK,ªMini- cryption algorithmº, Advances in Cryptology± mum buffer length and clock rate for the CRYPTO '95 (LNCS 963), 171±184, 1995. shrinking generator cryptosystemº, IBM Re- [657] E. KALTOFEN, ªAnalysis of Coppersmith's search Report RC 19938, IBM T.J. Watson block Wiedemann algorithm for the parallel Research Center, Yorktown Heights, N.Y., solution of sparse linear systemsº, Mathemat- 10598, U.S.A., 1995. ics of Computation, 64 (1995), 777±806. [670] E. KEY, ªAn analysis of the structure and [658] E. KALTOFEN AND V. S HOUP, ªSubquadra- complexity of nonlinear binary sequence gen- tic-time factoring of polynomials over ®nite eratorsº, IEEE Transactions on Information ®eldsº, Proceedings of the 27th Annual ACM Theory, 22 (1976), 732±736. Symposium on Theory of Computing, 398± [671] J. KILIAN AND T. LEIGHTON, ªFair cryp- 406, 1995. tosystems, revisited: A rigorous approach [659] J. KAM AND G. DAV I D A, ªStructured de- to key-escrowº, Advances in Cryptology± sign of substitution-permutation encryption CRYPTO '95 (LNCS 963), 208±221, 1995.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 731

[672] J. KILIAN AND P. ROGAWAY,ªHowtopro- [686] , ªTruncated and higher order differ- tect DES against exhaustive key searchº, Ad- entialsº, B. Preneel, editor, Fast Software vances in Cryptology±CRYPTO '96 (LNCS Encryption, Second International Workshop 1109), 252±267, 1996. (LNCS 1008), 196±211, Springer-Verlag, 1995. [673] S.-H. KIM AND C. POMERANCE, ªThe probability that a random probable prime is com- [687] L.R. KNUDSEN AND T. BERSON, ªTrun- positeº, Mathematics of Computation,53 cated differentials of SAFERº, D. Gollmann, (1989), 721±741. editor, Fast Software Encryption, Third In- ternational Workshop (LNCS 1039), 15±26, [674] M. KIMBERLEY, ªComparison of two statis- Springer-Verlag, 1996. tical tests for keystream sequencesº, Electron- ics Letters, 23 (April 9, 1987), 365±366. [688] L.R. KNUDSEN AND X. LAI, ªNew attacks on all double block length hash functions [675] A. KLAPPER, ªThe vulnerability of geometric of hash rate 1, including the parallel-DMº, sequences based on ®elds of odd characteris- Advances in Cryptology±EUROCRYPT '94 ticº, Journal of Cryptology, 7 (1994), 33±51. (LNCS 950), 410±418, 1995. [676] A. KLAPPER AND M. GORESKY, ªFeedback [689] L.R. KNUDSEN AND W. MEIER, ªImproved shift registers, combiners with memory, and 2- differential attacks on RC5º, Advances in adic spanº, Journal of Cryptology, to appear. Cryptology±CRYPTO '96 (LNCS 1109), 216± [677] , ª2-Adic shift registersº, R. Ander- 228, 1996. son, editor, Fast Software Encryption, Cam- [690] L.R. KNUDSEN AND T. PEDERSEN,ªOnthe bridge Security Workshop (LNCS 809), 174± dif®culty of software key escrowº, Advances 178, Springer-Verlag, 1994. in Cryptology±EUROCRYPT '96 (LNCS 1070), 237±244, 1996. [678] , ªCryptanalysis based on 2-adic rational approximationº, Advances in Cryptology± [691] D.E. KNUTH, The Art of Computer Program- CRYPTO '95 (LNCS 963), 262±273, 1995. ming ± Fundamental Algorithms, volume 1, Addison-Wesley, Reading, Massachusetts, [679] , ªLarge period nearly de Bruijn 2nd edition, 1973. FCSR sequencesº, Advances in Cryptology± EUROCRYPT '95 (LNCS 921), 263±273, [692] , The Art of Computer Programming 1995. ± Seminumerical Algorithms, volume 2, Addison-Wesley, Reading, Massachusetts, [680] D.V. KLEIN, ªFoiling the cracker: a survey 2nd edition, 1981. of, and improvements to, password securityº, [693] , The Art of Computer Programming ± Proceedings of the 2nd USENIX UNIX Secu- Sorting and Searching, volume 3, Addison- rity Workshop, 5±14, 1990. Wesley, Reading, Massachusetts, 1973. [681] H.-J. KNOBLOCH, ªA smart card implemen- [694] D.E. KNUTH AND L. TRABB PARDO,ªAnal- tation of the Fiat-Shamir identi®cation sch- ysis of a simple factorization algorithmº, The- emeº, Advances in Cryptology±EUROCRYPT oretical Computer Science, 3 (1976), 321± '88 (LNCS 330), 87±95, 1988. 348. [682] L.R. KNUDSEN, ªCryptanalysis of LOKIº, [695] N. KOBLITZ, ªElliptic curve cryptosystemsº, Advances in Cryptology±ASIACRYPT '91 Mathematics of Computation, 48 (1987), 203± (LNCS 739), 22±35, 1993. 209. [683] , ªCryptanalysis of LOKI91º, Advances [696] , ªHyperelliptic cryptosystemsº, Jour- in Cryptology±AUSCRYPT '92 (LNCS 718), nal of Cryptology, 1 (1989), 139±150. 196±208, 1993. [697] , A Course in Number Theory and Cryp- [684] , Block Ciphers ± Analysis, Design and tography, Springer-Verlag, New York, 2nd Applications, PhD thesis, Computer Science edition, 1994. Department, Aarhus University (Denmark), [698] C. KOCË, ªHigh-speed RSA implementationº, 1994. Technical Report, RSA Laboratories, 1994. [685] , ªA key-schedule weakness in SAFER [699] , ªRSA hardware implementationº, K-64º, Advances in Cryptology±CRYPTO '95 Technical Report TR-801, RSA Laboratories, (LNCS 963), 274±286, 1995. 1996.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 732 References

[700] C. KOCË, T. ACAR, AND B.S. KALISKI [714] , ªLFSR-based hashing and authentica- JR., ªAnalyzing and comparing Montgomery tionº, Advances in Cryptology±CRYPTO '94 multiplication algorithmsº, IEEE Micro,16 (LNCS 839), 129±139, 1994. (1996), 26±33. [715] , ªSecret sharing made shortº, Ad- [701] J.T. KOHL, ªThe use of encryption in Ker- vances in Cryptology±CRYPTO '93 (LNCS beros for network authenticationº, Advances 773), 136±146, 1994. in Cryptology±CRYPTO '89 (LNCS 435), 35± [716] , ªThe shrinking generator: Some prac- 43, 1990. tical considerationsº, R. Anderson, editor, [702] L.M. KOHNFELDER, ªA method for certi®ca- Fast Software Encryption, Cambridge Secu- tionº, MIT Laboratory for Computer Science, rity Workshop (LNCS 809), 45±46, Springer- unpublished (essentially pp.39-43 of [703]), Verlag, 1994. 1978. [717] , ªNew hash functions for message [703] , Toward a practical public-key cryp- authenticationº, Advances in Cryptology± tosystem, B.Sc. thesis, MIT Department of EUROCRYPT '95 (LNCS 921), 301±310, Electrical Engineering, 1978. 1995. [704] A. KOLMOGOROV, ªThree approaches to the [718] , ªSKEME: A versatile secure key ex- de®nition of the concept `quantity of infor- change mechanism for Internetº, Proceedings mationº', Problemy Peredachi Informatsii,1 of the Internet Society Symposium on Net- (1965), 3±11. work and Distributed System Security, 114± [705] A.G. KONHEIM, Cryptography, A Primer, 127, IEEE Computer Society Press, 1996. John Wiley & Sons, New York, 1981. [719] Y. KURITA AND M. MATSUMOTO, ªPrimi- t t [706] I. KOREN, Computer Arithmetic Algorithms, tive -nomials ( =3,5) over GF(2) whose ≤ Prentice Hall, Englewood Cliffs, New Jersey, degree is a Mersenne exponent 44497º, 1993. Mathematics of Computation, 56 (1991), 817± 821. [707] V.I. KORZHIK AND A.I. TURKIN, ªCrypt- analysis of McEliece's public-key cryptosys- [720] K. KUROSAWA,T.ITO, AND M. TAKEUCHI, temº, Advances in Cryptology±EUROCRYPT ªPublic key cryptosystem using a reciprocal '91 (LNCS 547), 68±70, 1991. number with the same intractability as factoring a large numberº, Cryptologia, 12 (1988), [708] K. KOYAMA,U.MAURER,T.OKAMOTO, 225±233. AND S.A. VANSTONE, ªNew public-key schemes based on elliptic curves over the ring [721] K. KUROSAWA,K.OKADA, AND S. TSUJII, Znº, Advances in Cryptology±CRYPTO '91 ªLow exponent attack against elliptic curve (LNCS 576), 252±266, 1992. RSAº, Advances in Cryptology±ASIACRYPT '94 (LNCS 917), 376±383, 1995. [709] K. KOYAMA AND R. TERADA,ªHowto strengthen DES-like cryptosystems against [722] K. KUSUDA AND T. MATSUMOTO, ªOpti- differential cryptanalysisº, IEICE Transac- mization of time-memory trade-off cryptanal- tions on Fundamentals of Electronics, Com- ysis and its application to DES, FEAL-32, munications and Computer Science, E76-A and Skipjackº, IEICE Transactions on Funda- (1993), 63±69. mentals of Electronics, Communications and Computer Science, E79-A (1996), 35±48. [710] E. KRANAKIS, Primality and Cryptography, John Wiley & Sons, Stuttgart, 1986. [723] J.C. LAGARIAS, ªKnapsack public key cryptosystems and diophantine approxima- [711] D.W. KRAVITZ, ªDigital signature algo- tionº, Advances in Cryptology±Proceedings rithmº, U.S. Patent # 5,231,668, 27 Jul 1993. of Crypto 83, 3±23, 1984. [712] H. KRAWCZYK, ªHow to predict congru- [724] , ªPseudorandom number generators in ential generatorsº, Advances in Cryptology± cryptography and number theoryº, C. Pomer- CRYPTO '89 (LNCS 435), 138±153, 1990. ance, editor, Cryptology and Computational [713] , ªHow to predict congruential genera- Number Theory, volume 42 of Proceedings of torsº, Journal of Algorithms, 13 (1992), 527± Symposia in Applied Mathematics, 115±143, 545. An earlier version appeared in [712]. American Mathematical Society, 1990.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 733

[725] X. LAI, ªCondition for the nonsingularity of ®eldsº, Designs, Codes and Cryptography,1 a feedback shift-register over a general ®- (1991), 47±62. nite ®eldº, IEEE Transactions on Information [737] , ªSolving large sparse linear systems Theory, 33 (1987), 747±749. over ®nite ®eldsº, Advances in Cryptology± [726] , ªOn the design and security of CRYPTO '90 (LNCS 537), 109±133, 1991. block ciphersº, ETH Series in Information [738] L. LAMPORT, ªConstructing digital signa- Processing, J.L. Massey (editor), vol. 1, tures from a one-way functionº, Technical re- Hartung-Gorre Verlag Konstanz, Technische port CSL-98, SRI International, Palo Alto, Hochschule (Zurich), 1992. 1979. [727] X. LAI AND L.R. KNUDSEN, ªAttacks on [739] , ªPassword authentication with inse- double block length hash functionsº, R. An- cure communicationº, Communications of the derson, editor, Fast Software Encryption, ACM, 24 (1981), 770±772. Cambridge Security Workshop (LNCS 809), 157±165, Springer-Verlag, 1994. [740] B. LAMPSON,M.ABADI,M.BURROWS, AND E. WOBBER, ªAuthentication in dis- [728] X. LAI AND J.L. MASSEY, ªA proposal for a tributed systems: Theory and practiceº, new block encryption standardº, Advances in ACM Transactions on Computer Systems,10 Cryptology±EUROCRYPT '90 (LNCS 473), (1992), 265±310. 389±404, 1991. [741] S.K. LANGFORD AND M.E. HELLMAN, [729] , ªHash functions based on block ci- ªDifferential-linear cryptanalysisº, Advances phersº, Advances in Cryptology±EUROCRY- in Cryptology±CRYPTO '94 (LNCS 839), 17± PT '92 (LNCS 658), 55±70, 1993. 25, 1994. [730] X. LAI,J.L.MASSEY, AND S. MURPHY, [742] P.J. LEE AND E.F. BRICKELL, ªAn obser- ªMarkov ciphers and differential cryptanaly- vation on the security of McEliece's public- sisº, Advances in Cryptology±EUROCRYPT key cryptosystemº, Advances in Cryptology± '91 (LNCS 547), 17±38, 1991. EUROCRYPT '88 (LNCS 330), 275±280, [731] X. LAI,R.A.RUEPPEL, AND J. WOOL- 1988. LVEN, ªA fast cryptographic checksum al- [743] D.H. LEHMER, ªEuclid's algorithm for large gorithm based on stream ciphersº, Advances numbersº, American Mathematical Monthly, in Cryptology±AUSCRYPT '92 (LNCS 718), 45 (1938), 227±233. 339±348, 1993. [744] D.H. LEHMER AND R.E. POWERS, ªOn fac- [732] C.-S. LAIH,L.HARN,J.-Y.LEE, AND toring large numbersº, Bulletin of the AMS,37 T. HWANG, ªDynamic threshold scheme (1931), 770±776. based on the de®nition of cross-product in an n-dimensional linear spaceº, Advances in [745] T. LEIGHTON AND S. MICALI, ªSecret-key Cryptology±CRYPTO '89 (LNCS 435), 286± agreement without public-key cryptographyº, 298, 1990. Advances in Cryptology±CRYPTO '93 (LNCS 773), 456±479, 1994. [733] C.-S. LAIH,F.-K.TU, AND W.-C TAI,ªOn the security of the Lucas functionº, Informa- [746] A.K. LENSTRA,ªPostingtosci.cryptº,April tion Processing Letters, 53 (1995), 243±247. 11 1996. [734] K.-Y. LAM AND T. BETH, ªTimely authen- [747] , ªPrimality testingº, C. Pomerance, ed- tication in distributed systemsº, Y. Deswarte, itor, Cryptology and Computational Number G. Eizenberg, and J.-J. Quisquater, editors, Theory, volume 42 of Proceedings of Sym- Second European Symposium on Research posia in Applied Mathematics, 13±25, Amer- in Computer Security ± ESORICS'92 (LNCS ican Mathematical Society, 1990. 648), 293±303, Springer-Verlag, 1992. [748] A.K. LENSTRA AND H.W. LENSTRA JR., [735] K.-Y. LAM AND L.C.K. HUI,ªEf®ciency ªAlgorithms in number theoryº, J. van of SS(I) square-and-multiply exponentiation Leeuwen, editor, Handbook of Theoretical algorithmsº, Electronics Letters, 30 (Decem- Computer Science, 674±715, Elsevier Science ber 8, 1994), 2115±2116. Publishers, 1990. [736] B.A. LAMACCHIA AND A.M. ODLYZKO, [749] , The Development of the Number Field ªComputation of discrete logarithms in prime Sieve, Springer-Verlag, Berlin, 1993.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 734 References

[750] A.K. LENSTRA,H.W.LENSTRA JR., AND [764] R. LIDL AND H. NIEDERREITER, Finite L. LOVASZÂ , ªFactoring polynomials with ra- Fields, Cambridge University Press, Cam- tional coef®cientsº, Mathematische Annalen, bridge, 1984. 261 (1982), 515±534. [765] A. LIEBL, ªAuthentication in distributed sys- [751] A.K. LENSTRA,H.W.LENSTRA JR., M.S. tems: A bibliographyº, Operating Systems MANASSE, AND J.M. POLLARD, ªThe fac- Review, 27 (1993), 31±41. torization of the ninth Fermat numberº, Math- ematics of Computation, 61 (1993), 319±349. [766] C.H. LIM AND P.J. L EE, ªAnother method [752] , ªThe number ®eld sieveº, A.K. for attaining security against adaptively Lenstra and H.W. Lenstra Jr., editors, The De- chosen ciphertext attacksº, Advances in velopment of the Number Field Sieve, volume Cryptology±CRYPTO '93 (LNCS 773), 420± 1554 of Lecture Notes in Mathematics, 11±42, 434, 1994. Springer-Verlag, 1993. [767] , ªMore ¯exible exponentiation with [753] A.K. LENSTRA AND M.S. MANASSE, ªFac- precomputationº, Advances in Cryptology± toring by electronic mailº, Advances in CRYPTO '94 (LNCS 839), 95±107, 1994. Cryptology±EUROCRYPT '89 (LNCS 434), 355±371, 1990. [768] , ªServer (prover/signer)-aided veri- [754] , ªFactoring with two large primesº, ®cation of identity proofs and signaturesº, Mathematics of Computation, 63 (1994), 785± Advances in Cryptology±EUROCRYPT '95 798. (LNCS 921), 64±78, 1995. [755] A.K. LENSTRA,P.WINKLER, AND Y. YA- [769] S. LIN AND D. COSTELLO, Error Con- COBI, ªA key escrow system with warrant trol Coding: Fundamentals and Applications, boundsº, Advances in Cryptology±CRYPTO Prentice Hall, Englewood Cliffs, New Jersey, '95 (LNCS 963), 197±207, 1995. 1983. [756] H.W. LENSTRA JR., ªFactoring integers with elliptic curvesº, Annals of Mathematics, 126 [770] J. LIPSON, Elements of Algebra and Alge- (1987), 649±673. braic Computing, Addison-Wesley, Reading, [757] , ªFinding isomorphisms between ®- Massachusetts, 1981. nite ®eldsº, Mathematics of Computation,56 [771] T.M.A. LOMAS,L.GONG,J.H.SALTZER, (1991), 329±347. AND R.M. NEEDHAM, ªReducing risks from [758] , ªOn the Chor-Rivest knapsack cryp- poorly chosen keysº, Operating Systems Re- tosystemº, Journal of Cryptology, 3 (1991), view, 23 (Special issue), 14±18. (Pre- 149±155. sented at: 12th ACM Symposium on Operat- [759] H.W. LENSTRA JR. AND C. POMERANCE, ing Systems Principles, Litch®eld Park, Ari- ªA rigorous time bound for factoring inte- zona, Dec. 1989). gersº, Journal of the American Mathematical Society, 5 (1992), 483±516. [772] D.L. LONG AND A. WIGDERSON,ªThedis- crete logarithm hides O(log n) bitsº, SIAM [760] H.W. LENSTRA JR. AND R.J. SCHOOF, Journal on Computing, 17 (1988), 363±372. ªPrimitive normal bases for ®nite ®eldsº, Mathematics of Computation, 48 (1987), 217± [773] R. LOVORN, Rigorous, subexponential al- 231. gorithms for discrete logarithms over ®nite [761] L.A. LEVIN, ªOne-way functions and pseu- ®elds, PhD thesis, University of Georgia, dorandom generatorsº, Proceedings of the 1992. 17th Annual ACM Symposium on Theory of Computing, 363±365, 1985. [774] M. LUBY, Pseudorandomness and Crypto- graphic Applications, Princeton University [762] J. LEVINE, United States Cryptographic Press, Princeton, New Jersey, 1996. Patents 1861±1981, Cryptologia, Inc., Terre Haute, Indiana, 1983. [775] M. LUBY AND C. RACKOFF, ªPseudo- [763] R. LIDL AND W.B. MULLERÈ ,ªPermuta- random permutation generators and crypto- tion polynomials in RSA-cryptosystemsº, Ad- graphic compositionº, Proceedings of the vances in Cryptology±Proceedings of Crypto 18th Annual ACM Symposium on Theory of 83, 293±301, 1984. Computing, 356±363, 1986.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 735

[776] , ªHow to construct pseudorandom per- [788] , ªSAFER K-64: One year laterº, mutations from pseudorandom functionsº, B. Preneel, editor, Fast Software Encryption, SIAM Journal on Computing, 17 (1988), 373± Second International Workshop (LNCS 1008), 386. An earlier version appeared in [775]. 212±241, Springer-Verlag, 1995.

[777] S. LUCKS, ªFaster Luby-Rackoff ciphersº, [789] J.L. MASSEY AND I. INGEMARSSON,ªThe D. Gollmann, editor, Fast Software Encryp- Rip Van Winkle cipher ± A simple and prov- tion, Third International Workshop (LNCS ably computationally secure cipher with a ®- 1039), 189±203, Springer-Verlag, 1996. nite keyº, IEEE International Symposium on Information Theory (Abstracts), p.146, 1985. [778] F.J. MACWILLIAMS AND N.J.A. SLOANE, The Theory of Error-Correcting Codes, [790] J.L. MASSEY AND X. LAI, ªDevice for con- North-Holland, Amsterdam, 1977 (®fth print- verting a digital block and the use thereofº, ing: 1986). European Patent # 482,154, 29 Apr 1992.

[779] W. MADRYGA, ªA high performance encryp- [791] , ªDevice for the conversion of a dig- tion algorithmº, J. Finch and E. Dougall, edi- ital block and use of sameº, U.S. Patent # tors, Computer Security: A Global Challenge, 5,214,703, 25 May 1993. Proceedings of the Second IFIP International [792] J.L. MASSEY AND J.K. OMURA, ªMethod Conference on Computer Security, 557±570, and apparatus for maintaining the privacy of North-Holland, 1984. digital messages conveyed by public transmis- [780] D.P. MAHER, ªCrypto backup and key es- sionº, U.S. Patent # 4,567,600, 28 Jan 1986. crowº, Communications of the ACM,39 [793] J.L. MASSEY AND R.A. RUEPPEL, ªLinear (1996), 48±53. ciphers and random sequence generators with [781] W. MAO AND C. BOYD,ªOntheuseof multiple clocksº, Advances in Cryptology± encryption in cryptographic protocolsº, P.G. Proceedings of EUROCRYPT 84 (LNCS 209), Farrell, editor, Codes and Cyphers: Cryptog- 74±87, 1985. raphy and Coding IV, 251±262, Institute of [794] J.L. MASSEY AND S. SERCONEK,ªA Mathematics & Its Applications (IMA), 1995. Fourier transform approach to the linear com- [782] G. MARSAGLIA, ªA current view of random plexity of nonlinearly ®ltered sequencesº, Ad- number generationº, L. Billard, editor, Com- vances in Cryptology±CRYPTO '94 (LNCS puter Science and Statistics: Proceedings of 839), 332±340, 1994. the Sixteenth Symposium on the Interface,3± [795] M. MATSUI, ªThe ®rst experimental crypt- 10, North-Holland, 1985. analysis of the Data Encryption Standardº, [783] P. MARTIN-LOFÈ , ªThe de®nition of ran- Advances in Cryptology±CRYPTO '94 (LNCS dom sequencesº, Information and Control,9 839), 1±11, 1994. (1966), 602±619. [796] , ªLinear cryptanalysis method for [784] J.L. MASSEY, ªShift-register synthesis and DES cipherº, Advances in Cryptology± BCH decodingº, IEEE Transactions on Infor- EUROCRYPT '93 (LNCS 765), 386±397, mation Theory, 15 (1969), 122±127. 1994. [785] , ªAn introduction to contemporary [797] , ªOn correlation between the or- cryptologyº, Proceedings of the IEEE,76 der of S-boxes and the strength of DESº, (1988), 533±549. Advances in Cryptology±EUROCRYPT '94 (LNCS 950), 366±375, 1995. [786] , ªContemporary cryptology: An intro- ductionº, G.J. Simmons, editor, Contempo- [798] M. MATSUI AND A. YAMAGISHI,ªA rary Cryptology: The Science of Information new method for known plaintext attack of Integrity, 1±39, IEEE Press, 1992. An earlier FEAL cipherº, Advances in Cryptology± version appeared in [785]. EUROCRYPT '92 (LNCS 658), 81±91, 1993.

[787] , ªSAFER K-64: A byte-oriented [799] T. MATSUMOTO AND H. IMAI,ªOnthekey block-ciphering algorithmº, R. Anderson, predistribution system: A practical solution editor, Fast Software Encryption, Cam- to the key distribution problemº, Advances in bridge Security Workshop (LNCS 809), 1±17, Cryptology±CRYPTO '87 (LNCS 293), 185± Springer-Verlag, 1994. 193, 1988.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 736 References

[800] T. MATSUMOTO,Y.TAKASHIMA, AND [813] , ªA universal statistical test for ran- H. IMAI, ªOn seeking smart public-key- dom bit generatorsº, Journal of Cryptology,5 distribution systemsº, The Transactions of the (1992), 89±105. An earlier version appeared IECE of Japan, E69 (1986), 99±106. in [810].

[801] S.M. MATYAS, ªDigital signatures ± an [814] , ªFactoring with an oracleº, Advances overviewº, Computer Networks, 3 (1979), in Cryptology±EUROCRYPT '92 (LNCS 87±94. 658), 429±436, 1993. [815] , ªSecret key agreement by public dis- [802] , ªKey handling with control vectorsº, cussion from common informationº, IEEE IBM Systems Journal, 30 (1991), 151±174. Transactions on Information Theory,39 [803] , ªKey processing with control vec- (1993), 733±742. torsº, Journal of Cryptology, 3 (1991), 113± [816] , ªA simpli®ed and generalized treat- 136. ment of Luby-Rackoff pseudorandom permu- [804] S.M. MATYAS AND C.H. MEYER,ªGener- tation generatorsº, Advances in Cryptology± ation, distribution, and installation of cryp- EUROCRYPT '92 (LNCS 658), 239±255, tographic keysº, IBM Systems Journal,17 1993. (1978), 126±137. [817] , ªTowards the equivalence of breaking the Dif®e-Hellman protocol and com- [805] S.M. MATYAS,C.H.MEYER, AND J. OS- puting discrete logarithmsº, Advances in EAS, ªGenerating strong one-way functions Cryptology±CRYPTO '94 (LNCS 839), 271± with cryptographic algorithmº, IBM Techni- 281, 1994. cal Disclosure Bulletin, 27 (1985), 5658± 5659. [818] , ªFast generation of prime numbers and secure public-key cryptographic parametersº, [806] S.M. MATYAS, C.H.W. MEYER, AND B.O. Journal of Cryptology, 8 (1995), 123±155. An BRACHTL, ªControlled use of cryptographic earlier version appeared in [807]. keys via generating station established control [819] , ªThe role of information theory in valuesº, U.S. Patent # 4,850,017, 18 Jul 1989. cryptographyº, P.G. Farrell, editor, Codes and [807] U. MAURER, ªFast generation of secure Cyphers: Cryptography and Coding IV, 49± RSA-moduli with almost maximal diversityº, 71, Institute of Mathematics & Its Applica- Advances in Cryptology±EUROCRYPT '89 tions (IMA), 1995. (LNCS 434), 636±647, 1990. [820] U. MAURER AND J.L. MASSEY,ªPer- [808] , ªNew approaches to the design of self- fect local randomness in pseudo-random se- synchronizing stream ciphersº, Advances in quencesº, Advances in Cryptology±CRYPTO Cryptology±EUROCRYPT '91 (LNCS 547), '89 (LNCS 435), 100±112, 1990. 458±471, 1991. [821] , ªLocal randomness in pseudorandom sequencesº, Journal of Cryptology, 4 (1991), [809] , ªA provably-secure strongly-random- 135±149. An earlier version appeared in ized cipherº, Advances in Cryptology±EURO- [820]. CRYPT '90 (LNCS 473), 361±373, 1991. [822] , ªCascade ciphers: The importance of [810] , ªA universal statistical test for ran- being ®rstº, Journal of Cryptology, 6 (1993), dom bit generatorsº, Advances in Cryptology± 55±61. CRYPTO '90 (LNCS 537), 409±420, 1991. [823] U. MAURER AND Y. YACOBI, ªNon- [811] , ªConditionally-perfect secrecy and a interactive public-key cryptographyº, Ad- provably-secure randomized cipherº, Journal vances in Cryptology±EUROCRYPT '91 of Cryptology, 5 (1992), 53±66. An earlier (LNCS 547), 498±507, 1991. version appeared in [809]. [824] , ªA remark on a non-interactive [812] , ªSome number-theoretic conjectures public-key distribution systemº, Advances in and their relation to the generation of crypto- Cryptology±EUROCRYPT '92 (LNCS 658), graphic primesº, C. Mitchell, editor, Cryptog- 458±460, 1993. raphy and Coding II, volume 33 of Institute of [825] K.S. MCCURLEY, ªA key distribution sys- Mathematics & Its Applications (IMA), 173± tem equivalent to factoringº, Journal of Cryp- 191, Clarendon Press, 1992. tology, 1 (1988), 95±105.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 737

[826] , ªCryptographic key distribution and [839] S. MENDES AND C. HUITEMA, ªA new ap- computation in class groupsº, R.A. Mollin, proach to the X.509 framework: allowing a editor, Number Theory and Applications, global authentication infrastructure without a 459±479, Kluwer Academic Publishers, 1989. global trust modelº, Proceedings of the In- [827] , ªThe discrete logarithm problemº, ternet Society Symposium on Network and C. Pomerance, editor, Cryptology and Com- Distributed System Security, 172±189, IEEE putational Number Theory, volume 42 of Pro- Computer Society Press, 1995. ceedings of Symposia in Applied Mathemat- [840] A. MENEZES, Elliptic Curve Public Key ics, 49±74, American Mathematical Society, Cryptosystems, Kluwer Academic Publishers, 1990. Boston, 1993. [828] R.J. MCELIECE, ªA public-key cryptosys- [841] A. MENEZES,I.BLAKE,X.GAO,R.MUL- tem based on algebraic coding theoryº, DSN LIN,S.VANSTONE, AND T. YAGHOOBIAN, progress report #42-44, Jet Propulsion Labo- Applications of Finite Fields, Kluwer Aca- ratory, Pasadena, California, 1978. demic Publishers, Boston, 1993. [829] , The Theory of Information and Cod- ing: A Mathematical Framework for Commu- [842] A. MENEZES,T.OKAMOTO, AND S. VAN- nication, Cambridge University Press, Cam- STONE, ªReducing elliptic curve logarithms bridge, 1984. to logarithms in a ®nite ®eldº, Proceedings of the 23rd Annual ACM Symposium on Theory [830] , Finite Fields for Computer Scientists of Computing, 80±89, 1991. and Engineeers, Kluwer Academic Publish- ers, Boston, 1987. [843] , ªReducing elliptic curve logarithms to logarithms in a ®nite ®eldº, IEEE Trans- [831] C.A. MEADOWS, ªFormal veri®cation of actions on Information Theory, 39 (1993), cryptographic protocols: a surveyº, Advances 1639±1646. An earlier version appeared in in Cryptology±ASIACRYPT '94 (LNCS 917), [842]. 133±150, 1995. [832] W. MEIER, ªOn the security of the IDEA [844] A. MENEZES,M.QU, AND S. VANSTONE, block cipherº, Advances in Cryptology± ªSome new key agreement protocols provid- EUROCRYPT '93 (LNCS 765), 371±385, ing implicit authenticationº, workshop record, 1994. 2nd Workshop on Selected Areas in Cryptog- raphy (SAC'95), Ottawa, Canada, May 18±19 [833] W. MEIER AND O. STAFFELBACH,ªFast 1995. correlation attacks on stream ciphersº, Ad- vances in Cryptology±EUROCRYPT '88 [845] R. MENICOCCI, ªCryptanalysis of a two- (LNCS 330), 301±314, 1988. stage Gollmann cascade generatorº, W. Wol- [834] , ªFast correlation attacks on certain fowicz, editor, Proceedings of the 3rd Sym- stream ciphersº, Journal of Cryptology,1 posium on State and Progress of Research in (1989), 159±176. An earlier version appeared Cryptography, Rome, Italy, 62±69, 1993. in [833]. [846] R.C. MERKLE, ªDigital signature system and [835] , ªAnalysis of pseudo random se- method based on a conventional encryption quences generated by cellular automataº, functionº, U.S. Patent # 4,881,264, 14 Nov Advances in Cryptology±EUROCRYPT '91 1989. (LNCS 547), 186±199, 1991. [847] , ªMethod and apparatus for data en- [836] , ªCorrelation properties of combiners cryptionº, U.S. Patent # 5,003,597, 26 Mar with memory in stream ciphersº, Advances in 1991. Cryptology±EUROCRYPT '90 (LNCS 473), 204±213, 1991. [848] , ªMethod of providing digital signa- turesº, U.S. Patent # 4,309,569, 5 Jan 1982. [837] , ªCorrelation properties of combiners with memory in stream ciphersº, Journal of [849] , ªSecure communications over inse- Cryptology, 5 (1992), 67±86. An earlier ver- cure channelsº, Communications of the ACM, sion appeared in [836]. 21 (1978), 294±299. [838] , ªThe self-shrinking generatorº, Ad- [850] , Secrecy, Authentication, and Public vances in Cryptology±EUROCRYPT '94 Key Systems, UMI Research Press, Ann Ar- (LNCS 950), 205±214, 1995. bor, Michigan, 1979.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 738 References

[851] , ªSecrecy, authentication, and pub- [866] S. MICALI AND C.P. SCHNORR,ªEf®cient, lic key systemsº, Technical Report No.1979- perfect random number generatorsº, Ad- 1, Information Systems Laboratory, Stanford vances in Cryptology±CRYPTO '88 (LNCS University, Palo Alto, California, 1979. Also 403), 173±198, 1990. available as [850]. [867] , ªEf®cient, perfect polynomial random [852] , ªProtocols for public key cryptosys- number generatorsº, Journal of Cryptology,3 temsº, Proceedings of the 1980 IEEE Sympo- (1991), 157±172. An earlier version appeared sium on Security and Privacy, 122±134, 1980. in [866]. [853] , ªA certi®ed digital signatureº, Ad- vances in Cryptology±CRYPTO '89 (LNCS [868] S. MICALI AND A. SHAMIR, ªAn improve- 435), 218±238, 1990. ment of the Fiat-Shamir identi®cation and signature schemeº, Advances in Cryptology± [854] , ªA fast software one-way hash func- CRYPTO '88 (LNCS 403), 244±247, 1990. tionº, Journal of Cryptology, 3 (1990), 43±58. [855] , ªOne way hash functions and DESº, [869] S. MICALI AND R. SIDNEY,ªAsimple Advances in Cryptology±CRYPTO '89 (LNCS method for generating and sharing pseudo- 435), 428±446, 1990. random functions, with applications to [856] , ªFast software encryption functionsº, Clipper-like key escrow systemsº, Advances Advances in Cryptology±CRYPTO '90 (LNCS in Cryptology±CRYPTO '95 (LNCS 963), 537), 476±501, 1991. 185±196, 1995. [857] R.C. MERKLE AND M.E. HELLMAN,ªHid- [870] P. MIHAILESCU, ªFast generation of provable ing information and signatures in trapdoor primes using search in arithmetic progres- knapsacksº, IEEE Transactions on Informa- sionsº, Advances in Cryptology±CRYPTO '94 tion Theory, 24 (1978), 525±530. (LNCS 839), 282±293, 1994. [858] , ªOn the security of multiple en- [871] M.J. MIHALJEVICÂ , ªA security examination cryptionº, Communications of the ACM,24 of the self-shrinking generatorº, presentation (1981), 465±467. at 5th IMA Conference on Cryptography and [859] C.H. MEYER AND S.M. MATYAS, Cryptog- Coding, Cirencester, U.K., December 1995. raphy: A New Dimension in Computer Data Security, John Wiley & Sons, New York, 1982 [872] , ªAn approach to the initial state re- (third printing). construction of a clock-controlled shift register based on a novel distance measureº, Ad- [860] C.H. MEYER AND M. SCHILLING,ªSe- cure program load with manipulation detec- vances in Cryptology±AUSCRYPT '92 (LNCS tion codeº, Proceedings of the 6th Worldwide 718), 349±356, 1993. Congress on Computer and Communications [873] , ªA correlation attack on the bi- Security and Protection (SECURICOM'88), nary sequence generators with time-varying 111±130, 1988. output functionº, Advances in Cryptology± [861] S. MICALI, ªFair cryptosystems and methods ASIACRYPT '94 (LNCS 917), 67±79, 1995. of useº, U.S. Patent # 5,276,737, 4 Jan 1994. [874] M.J. MIHALJEVICÂ AND J.D. GOLICÂ ,ªA [862] , ªFair cryptosystems and methods of fast iterative algorithm for a shift register useº, U.S. Patent # 5,315,658, 24 May 1994 initial state reconstruction given the noisy (continuation-in-part of 5,276,737). output sequenceº, Advances in Cryptology± [863] , ªFair public-key cryptosystemsº, Ad- AUSCRYPT '90 (LNCS 453), 165±175, 1990. vances in Cryptology±CRYPTO '92 (LNCS 740), 113±138, 1993. [875] , ªConvergence of a Bayesian iterative error-correction procedure on a noisy shift [864] S. MICALI,O.GOLDREICH, AND S. EVEN, ªOn-line/off-line digital signingº, U.S. Patent register sequenceº, Advances in Cryptology± # 5,016,274, 14 May 1991. EUROCRYPT '92 (LNCS 658), 124±137, 1993. [865] S. MICALI,C.RACKOFF, AND B. SLOAN, ªThe notion of security for probabilistic cryp- [876] G.L. MILLER, ªRiemann's hypothesis and tosystemsº, SIAM Journal on Computing,17 tests for primalityº, Journal of Computer and (1988), 412±426. System Sciences, 13 (1976), 300±317.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 739

[877] S.P. MILLER,B.C.NEUMAN,J.I.SCHILL- [890] S.B. MOHAN AND B.S. ADIGA,ªFastal- ER, AND J.H. SALTZER, ªKerberos authen- gorithms for implementing RSA public key tication and authorization systemº, Section cryptosystemº, Electronics Letters,21(Au- E.2.1 of Project Athena Technical Plan, MIT, gust 15, 1985), 761. Cambridge, Massachusetts, 1987. [891] R. MOLVA,G.TSUDIK,E.VAN HER- [878] V.S. MILLER, ªUse of elliptic curves in cryp- REWEGHEN, AND S. ZATTI, ªKryptoKnight tographyº, Advances in Cryptology±CRYPTO authentication and key distribution sys- '85 (LNCS 218), 417±426, 1986. temº, Y. Deswarte, G. Eizenberg, and J.-J. Quisquater, editors, Second European Sympo- [879] C. MITCHELL, ªA storage complexity based sium on Research in Computer Security ± ES- analogue of Maurer key establishment using ORICS'92 (LNCS 648), 155±174, Springer- public channelsº, C. Boyd, editor, Cryptog- Verlag, 1992. raphy and Coding, 5th IMA Conference, Pro- ceedings, 84±93, Institute of Mathematics & [892] L. MONIER, ªEvaluation and comparison of Its Applications (IMA), 1995. two ef®cient probabilistic primality testing al- gorithmsº, Theoretical Computer Science,12 [880] , ªLimitations of challenge-response (1980), 97±108. entity authenticationº, Electronics Letters,25 (August 17, 1989), 1195±1196. [893] P. MONTGOMERY, ªModular multiplication without trial divisionº, Mathematics of Com- [881] C. MITCHELL AND F. PIPER,ªKeystorage putation, 44 (1985), 519±521. in secure networksº, Discrete Applied Math- ematics, 21 (1988), 215±228. [894] , ªSpeeding the Pollard and elliptic curve methods of factorizationº, Mathematics [882] C. MITCHELL,F.PIPER, AND P. W ILD, of Computation, 48 (1987), 243±264. ªDigital signaturesº, G.J. Simmons, editor, Contemporary Cryptology: The Science of [895] P. MONTGOMERY AND R. SILVERMAN,ªAn P − Information Integrity, 325±378, IEEE Press, FFT extension to the 1 factoring al- 1992. gorithmº, Mathematics of Computation,54 (1990), 839±854. [883] A. MITROPOULOS AND H. MEIJER,ªZero knowledge proofs ± a surveyº, Technical Re- [896] P.L. MONTGOMERY, ªA block Lanczos algo- GF port No. 90-IR-05, Queen's University at rithm for ®nding dependencies over (2)º, Kingston, Kingston, Ontario, Canada, 1990. Advances in Cryptology±EUROCRYPT '95 (LNCS 921), 106±120, 1995. [884] S. MIYAGUCHI, ªThe FEAL cipher familyº, Advances in Cryptology±CRYPTO '90 (LNCS [897] A.M. MOOD, ªThe distribution theory of 537), 627±638, 1991. runsº, The Annals of Mathematical Statistics, 11 (1940), 367±392. [885] S. MIYAGUCHI,S.KURIHARA,K.OHTA, [898] J.H. MOORE, ªProtocol failures in cryptosys- AND H. MORITA, ªExpansion of FEAL ci- temsº, Proceedings of the IEEE, 76 (1988), pherº, NTT Review, 2 (1990), 117±127. 594±602. [886] S. MIYAGUCHI,K.OHTA, AND M. IWATA, [899] , ªProtocol failures in cryptosystemsº, ª128-bit hash function (N-hash)º, NTT Re- G.J. Simmons, editor, Contemporary Cryp- view, 2 (1990), 128±132. tology: The Science of Information Integrity, [887] S. MIYAGUCHI,A.SHIRAISHI, AND 541±558, IEEE Press, 1992. Appeared earlier A. SHIMIZU, ªFast data encipherment al- as [898]. gorithm FEAL-8º, Review of the Electrical [900] J.H. MOORE AND G.J. SIMMONS,ªCy- Communications Laboratories, 36 (1988), cle structure of the DES for keys having 433±437. palindromic (or antipalindromic) sequences of [888] A. MIYAJI AND M. TATEBAYASHI, ªPublic round keysº, IEEE Transactions on Software key cryptosystem with an elliptic curveº, U.S. Engineering, 13 (1987), 262±273. An earlier Patent # 5,272,755, 21 Dec 1993. version appeared in [901]. [889] , ªMethod of privacy communica- [901] , ªCycle structure of the DES with tion using elliptic curvesº, U.S. Patent # weak and semi-weak keysº, Advances in 5,351,297, 27 Sep 1994 (continuation-in-part Cryptology±CRYPTO '86 (LNCS 263), 9±32, of 5,272,755). 1987.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 740 References

[902] F. MORAIN, ªDistributed primality prov- [915] D. NACCACHE,D.M'RAÈIHI, AND D. RAP- 3539 ing and the primality of (2 +1)/3º, HAELI, ªCan Montgomery parasites be Advances in Cryptology±EUROCRYPT '90 avoided? A design methodology based on key (LNCS 473), 110±123, 1991. and cryptosystem modi®cationsº, Designs, [903] , ªPrime values of partition numbers Codes and Cryptography, 5 (1995), 73±80. and the primality of p1840926 º, LIX Re- [916] D. NACCACHE,D.M'RAÈIHI,S.VAU- search Report LIX/RR/92/11, Laboratoire DENAY, AND D. RAPHAELI, ªCan D.S.A. d'Informatique de l'Ecole Polytechnique, be improved? Complexity trade-offs with France, June 1992. the digital signature standardº, Advances in [904] F. MORAIN AND J. OLIVOS, ªSpeeding up Cryptology±EUROCRYPT '94 (LNCS 950), the computations on an elliptic curve using 77±85, 1995. addition-subtraction chainsº, Theoretical In- [917] D. NACCACHE AND H. M'SILTI,ªAnew formatics and Applications, 24 (1990), 531± modulo computation algorithmº, Recherche 543. OpÂerationnelle ± Operations Research [905] I.H. MORGAN AND G.L. MULLEN,ªPrim- (RAIRO-OR), 24 (1990), 307±313. itive normal polynomials over ®nite ®eldsº, [918] K. NAGASAKA,J.-S.SHIUE, AND C.-W. Mathematics of Computation, 63 (1994), 759± HO, ªA fast algorithm of the Chinese remain- 765. der theorem and its application to Fibonacci [906] R. MORRIS, ªThe Hagelin cipher machine numberº, G.E. Bergum, A.N. Philippou, and (M-209), Reconstruction of the internal set- A.F. Horadam, editors, Applications of Fi- tingsº, Cryptologia, 2 (1978), 267±278. bonacci Numbers, Proceedings of the Fourth [907] R. MORRIS AND K. THOMPSON, ªPassword International Conference on Fibonacci Num- security: a case historyº, Communications of bers and their Applications, 241±246, Kluwer the ACM, 22 (1979), 594±597. Academic Publishers, 1991. [908] M.A. MORRISON AND J. BRILLHART,ªA [919] M. NAOR AND A. SHAMIR,ªVisual method of factoring and the factorization of cryptographyº, Advances in Cryptology± F7º, Mathematics of Computation, 29 (1975), EUROCRYPT '94 (LNCS 950), 1±12, 1995. 183±205. [920] M. NAOR AND M. YUNG, ªUniversal one- [909] W.B. MULLERÈ AND R. NOBAUERÈ , ªCrypt- way hash functions and their cryptographic analysis of the Dickson-schemeº, Advances in applicationsº, Proceedings of the 21st Annual Cryptology±EUROCRYPT '85 (LNCS 219), ACM Symposium on Theory of Computing, 50±61, 1986. 33±43, 1989. È È [910] W.B. MULLER AND W. NOBAUER,ªSome [921] , ªPublic-key cryptosystems provably remarks on public-key cryptosystemsº, Studia secure against chosen ciphertext attacksº, Scientiarum Mathematicarum Hungarica,16 Proceedings of the 22nd Annual ACM Sym- (1981), 71±76. posium on Theory of Computing, 427±437, [911] R. MULLIN,I.ONYSZCHUK,S.VANSTONE, 1990. AND R. WILSON, ªOptimal normal bases in n [922] J. NECHVATAL, ªPublic key cryptographyº, GF (p )º, Discrete Applied Mathematics,22 G.J. Simmons, editor, Contemporary Cryp- (1988/89), 149±161. tology: The Science of Information Integrity, [912] S. MUND, ªZiv-Lempel complexity for peri- 177±288, IEEE Press, 1992. odic sequences and its cryptographic applica- tionº, Advances in Cryptology±EUROCRYPT [923] R.M. NEEDHAM AND M.D. SCHROEDER, '91 (LNCS 547), 114±126, 1991. ªUsing encryption for authentication in large networks of computersº, Communications of [913] S. MURPHY, ªThe cryptanalysis of FEAL-4 the ACM, 21 (1978), 993±999. with 20 chosen plaintextsº, Journal of Cryp- tology, 2 (1990), 145±154. [924] , ªAuthentication revisitedº, Operating Systems Review, 21 (1987), 7. [914] D. NACCACHE, ªCan O.S.S. be repaired? ± proposal for a new practical signature sch- [925] B.C. NEUMAN AND S.G. STUBBLEBINE,ªA emeº, Advances in Cryptology±EUROCRYPT note on the use of timestamps as noncesº, Op- '93 (LNCS 765), 233±239, 1994. erating Systems Review, 27 (1993), 10±14.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 741

[926] B.C. NEUMAN AND T. TS'O,ªKerberos: [938] , ªMessage recovery for signature sch- an authentication service for computer net- emes based on the discrete logarithm prob- worksº, IEEE Communications Magazine,32 lemº, Designs, Codes and Cryptography,7 (September 1994), 33±38. (1996), 61±81.

[927] H. NIEDERREITER, ªThe probabilistic the- [939] A.M. ODLYZKO, ªCryptanalytic attacks on ory of linear complexityº, Advances in the multiplicative knapsack cryptosystem Cryptology±EUROCRYPT '88 (LNCS 330), and on Shamir's fast signature schemeº, 191±209, 1988. IEEE Transactions on Information Theory,30 (1984), 594±601. [928] , ªA combinatorial approach to probabilistic results on the linear-complexity pro®le [940] , ªDiscrete logarithms in ®nite ®elds of random sequencesº, Journal of Cryptology, and their cryptographic signi®canceº, Ad- 2 (1990), 105±112. vances in Cryptology±Proceedings of EURO- CRYPT 84 (LNCS 209), 224±314, 1985. [929] , ªKeystream sequences with a [941] , ªThe rise and fall of knapsack cryp- good linear complexity pro®le for every tosystemsº, C. Pomerance, editor, Cryptol- starting pointº, Advances in Cryptology± ogy and Computational Number Theory, vol- EUROCRYPT '89 (LNCS 434), 523±532, ume 42 of Proceedings of Symposia in Applied 1990. Mathematics, 75±88, American Mathematical [930] , ªThe linear complexity pro®le and the Society, 1990. jump complexity of keystream sequencesº, [942] , ªDiscrete logarithms and smooth poly- Advances in Cryptology±EUROCRYPT '90 nomialsº, G.L. Mullen and P.J-S. Shiue, ed- (LNCS 473), 174±188, 1991. itors, Finite Fields: Theory, Applications, [931] K. NISHIMURA AND M. SIBUYA, ªProbabil- and Algorithms, volume 168 of Contemporary ity to meet in the middleº, Journal of Cryptol- Mathematics, 269±278, American Mathemat- ogy, 2 (1990), 13±22. ical Society, 1994. [943] K. OHTA AND K. AOKI, ªLinear cryptanaly- [932] I.M. NIVEN AND H.S. ZUCKERMAN, An In- sis of the Fast Data Encipherment Algorithmº, troduction to the Theory of Numbers, John Wi- Advances in Cryptology±CRYPTO '94 (LNCS ley & Sons, New York, 4th edition, 1980. 839), 12±16, 1994. [933] M.J. NORRIS AND G.J. SIMMONS, ªAlgo- [944] K. OHTA AND T. OKAMOTO, ªPractical ex- rithms for high-speed modular arithmeticº, tension of Fiat-Shamir schemeº, Electronics Congressus Numerantium, 31 (1981), 153± Letters, 24 (July 21, 1988), 955±956. 163. [945] , ªA modi®cation of the Fiat-Shamir [934] G. NORTON, ªExtending the binary gcd al- schemeº, Advances in Cryptology±CRYPTO gorithmº, J. Calmet, editor, Algebraic Algo- '88 (LNCS 403), 232±243, 1990. rithms and Error-Correcting Codes, 3rd Inter- [946] E. OKAMOTO AND K. TANAKA,ªKeydis- national Conference, AAECC-3 (LNCS 229), tribution system based on identi®cation infor- 363±372, Springer-Verlag, 1986. mationº, IEEE Journal on Selected Areas in [935] K. NYBERG, ªOn one-pass authenticated key Communications, 7 (1989), 481±485. establishment schemesº, workshop record, [947] T. OKAMOTO, ªA single public-key authen- 2nd Workshop on Selected Areas in Cryptog- tication scheme for multiple usersº, Systems raphy (SAC'95), Ottawa, Canada, May 18±19 and Computers in Japan, 18 (1987), 14±24. 1995. Translated from Denshi Tsushin Gakkai Ron- [936] K. NYBERG AND R. RUEPPEL,ªAnewsig- bunshi vol. 69-D no.10, October 1986, 1481± nature scheme based on the DSA giving mes- 1489. sage recoveryº, 1st ACM Conference on Com- [948] , ªA fast signature scheme based on puter and Communications Security, 58±61, congruential polynomial operationsº, IEEE ACM Press, 1993. Transactions on Information Theory,36 [937] , ªWeaknesses in some recent key (1990), 47±53. agreement protocolsº, Electronics Letters,30 [949] , ªProvably secure and practical identi- (January 6, 1994), 26±27. ®cation schemes and corresponding signature

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 742 References

schemesº, Advances in Cryptology±CRYPTO wide Congress on Computer and Commu- '92 (LNCS 740), 31±53, 1993. nications Security and Protection (SECURI- [950] , ªDesignated con®rmer signatures and COM'89), 171±185, 1989. public-key encryption are equivalentº, Ad- [963] C.H. PAPADIMITRIOU, Computational Com- vances in Cryptology±CRYPTO '94 (LNCS plexity, Addison-Wesley, Reading, Mas- 839), 61±74, 1994. sachusetts, 1994. [951] , ªAn ef®cient divisible electronic cash [964] S.-J. PARK,S.-J.LEE, AND S.-C. GOH, schemeº, Advances in Cryptology±CRYPTO ªOn the security of the Gollmann cascadesº, '95 (LNCS 963), 438±451, 1995. Advances in Cryptology±CRYPTO '95 (LNCS 963), 148±156, 1995. [952] T. OKAMOTO,S.MIYAGUCHI,A.SHI- RAISHI, AND T. KAWAOKA, ªSigned doc- [965] J. PATARIN, ªHidden ®elds equations (HFE) ument transmission systemº, U.S. Patent # and isomorphisms of polynomials (IP): Two 4,625,076, 25 Nov 1986. new families of asymmetric algorithmsº, Advances in Cryptology±EUROCRYPT '96 [953] T. OKAMOTO AND A. SHIRAISHI,ªAfast (LNCS 1070), 33±48, 1996. signature scheme based on quadratic inequal- itiesº, Proceedings of the 1985 IEEE Sympo- [966] J. PATARIN AND P. CHAUVAUD, ªImproved sium on Security and Privacy, 123±132, 1985. algorithms for the permuted kernel problemº, Advances in Cryptology±CRYPTO '93 (LNCS [954] T. OKAMOTO,A.SHIRAISHI, AND T. KAW- 773), 391±402, 1994. AOKA, ªSecure user authentication without password ®lesº, Technical Report NI83-92, [967] W. PENZHORN AND G. KUHNÈ , ªComputa- I.E.C.E., Japan, January 1984. In Japanese. tion of low-weight parity checks for correlation attacks on stream ciphersº, C. Boyd, [955] J. OLIVOS, ªOn vectorial addition chainsº, editor, Cryptography and Coding, 5th IMA Journal of Algorithms, 2 (1981), 13±21. Conference, Proceedings, 74±83, Institute of [956] J.K. OMURA AND J.L. MASSEY, ªCompu- Mathematics & Its Applications (IMA), 1995. tational method and apparatus for ®nite ®eld [968] R. PERALTA, ªSimultaneous security of bits arithmeticº, U.S. Patent # 4,587,627, 6 May in the discrete logº, Advances in Cryptology± 1986. EUROCRYPT '85 (LNCS 219), 62±72, 1986. [957] H. ONG AND C.P. SCHNORR, ªFast signa- [969] R. PERALTA AND V. S HOUP, ªPrimality test- ture generation with a Fiat Shamir-like sch- ing with fewer random bitsº, Computational emeº, Advances in Cryptology±EUROCRYPT Complexity, 3 (1993), 355±367. '90 (LNCS 473), 432±440, 1991. [970] A. PFITZMANN AND R. ASSMANN,ªMore [958] H. ONG,C.P.SCHNORR, AND A. SHAMIR, ef®cient software implementations of (gen- ªAn ef®cient signature scheme based on eralized) DESº, Computers & Security,12 quadratic equationsº, Proceedings of the 16th (1993), 477±500. Annual ACM Symposium on Theory of Com- puting, 208±216, 1984. [971] B. PFITZMANN AND M. WAIDNER, ªFail- stop signatures and their applicationsº, Pro- [959] I.M. ONYSZCHUK,R.C.MULLIN, AND ceedings of the 9th Worldwide Congress S.A. VANSTONE, ªComputational method on Computer and Communications Security and apparatus for ®nite ®eld multiplicationº, and Protection (SECURICOM'91), 145±160, U.S. Patent # 4,745,568, 17 May 1988. 1991. [960] G. ORTON, ªA multiple-iterated trapdoor [972] , ªFormal aspects of fail-stop signa- for dense compact knapsacksº, Advances in turesº, Interner Bericht 22/90, UniversitÈat Cryptology±EUROCRYPT '94 (LNCS 950), Karlsruhe, Germany, December 1990. 112±130, 1995. [973] S.J.D. PHOENIX AND P.D. TOWNSEND, [961] D. OTWAY AND O. REES,ªEf®cientand ªQuantum cryptography: protecting our fu- timely mutual authenticationº, Operating Sys- ture networks with quantum mechanicsº, tems Review, 21 (1987), 8±10. C. Boyd, editor, Cryptography and Coding, [962] J.C. PAILLESÁ AND M. GIRAULT, ªCRIPT: A 5th IMA Conference, Proceedings, 112±131, public-key based solution for secure data com- Institute of Mathematics & Its Applications municationsº, Proceedings of the 7th World- (IMA), 1995.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 743

[974] R. PINCH, ªThe Carmichael numbers up [988] J.M. POLLARD AND C. SCHNORR,ªAnef®- to 1015º, Mathematics of Computation,61 cient solution of the congruence x2 + ky2 = (1993), 381±391. m (mod n)º, IEEE Transactions on Infor- [975] , ªSome primality testing algorithmsº, mation Theory, 33 (1987), 702±709. Notices of the American Mathematical Soci- [989] C. POMERANCE, ªAnalysis and comparison ety, 40 (1993), 1203±1210. of some integer factoring algorithmsº, H.W. [976] , ªExtending the HÊastad attack to Lenstra Jr. and R. Tijdeman, editors, Compu- LUCº, Electronics Letters, 31 (October 12, tational Methods in Number Theory, Part 1, 1995), 1827±1828. 89±139, Mathematisch Centrum, 1982. [977] , ªExtending the Wiener attack to RSA- [990] , ªThe quadratic sieve factoring algo- type cryptosystemsº, Electronics Letters,31 rithmº, Advances in Cryptology±Proceedings (September 28, 1995), 1736±1738. of EUROCRYPT 84 (LNCS 209), 169±182, 1985. [978] V. PLESS, ªEncryption schemes for computer con®dentialityº, IEEE Transactions on Com- [991] , ªFast, rigorous factorization and dis- puters, 26 (1977), 1133±1136. crete logarithm algorithmsº, Discrete Algo- rithms and Complexity, 119±143, Academic [979] J.B. PLUMSTEAD, ªInferring a sequence gen- Press, 1987. erated by a linear congruenceº, Proceedings of the IEEE 23rd Annual Symposium on Foun- [992] , ªVery short primality proofsº, Mathe- dations of Computer Science, 153±159, 1982. matics of Computation, 48 (1987), 315±322. [980] , ªInferring a sequence produced by a [993] , editor, Cryptology and Computational linear congruenceº, Advances in Cryptology± Number Theory, American Mathematical So- Proceedings of Crypto 82, 317±319, 1983. ciety, Providence, Rhode Island, 1990. [981] H.C. POCKLINGTON, ªThe determination of [994] , ªFactoringº, C. Pomerance, editor, the prime or composite nature of large num- Cryptology and Computational Number The- bers by Fermat's theoremº, Proceedings of the ory, volume 42 of Proceedings of Symposia Cambridge Philosophical Society, 18 (1914), in Applied Mathematics, 27±47, American 29±30. Mathematical Society, 1990. [982] S.C. POHLIG AND M.E. HELLMAN,ªAnim- [995] , ªThe number ®eld sieveº, W. Gautsc- proved algorithm for computing logarithms hi, editor, Mathematics of Computation, 1943- over GF (p) and its cryptographic signi®- 1993: A Half-Century of Computation Math- canceº, IEEE Transactions on Information ematics, volume 48 of Proceedings of Sym- Theory, 24 (1978), 106±110. posia in Applied Mathematics, 465±480, American Mathematical Society, 1994. [983] D. POINTCHEVAL, ªA new identi®cation scheme based on the perceptrons problemº, [996] C. POMERANCE,J.L.SELFRIDGE, AND Advances in Cryptology±EUROCRYPT '95 S.S. WAGSTAFF JR., ªThe pseudoprimes to 9 (LNCS 921), 319±328, 1995. 25 · 10 º, Mathematics of Computation,35 (1980), 1003±1026. [984] J.M. POLLARD, ªTheorems on factorization and primality testingº, Proceedings of the [997] C. POMERANCE AND J. SORENSON, ªCount- Cambridge Philosophical Society, 76 (1974), ing the integers factorable via cyclotomic 521±528. methodsº, Journal of Algorithms, 19 (1995), 250±265. [985] , ªA Monte Carlo method for factoriza- tionº, BIT, 15 (1975), 331±334. [998] G.J. POPEK AND C.S. KLINE, ªEncryption and secure computer networksº, ACM Com- [986] , ªMonte Carlo methods for index computing Surveys, 11 (1979), 331±356. putation (mod p)º, Mathematics of Compu- n tation, 32 (1978), 918±924. [999] E. PRANGE, ªAn algorism for factoring x − [987] , ªFactoring with cubic integersº, A.K. 1 over a ®nite ®eldº, AFCRC-TN-59-775, Air Lenstra and H.W. Lenstra Jr., editors, The De- Force Cambridge Research Center, 1959. velopment of the Number Field Sieve, volume [1000] V.R. PRATT, ªEvery prime has a succinct 1554 of Lecture Notes in Mathematics, 4±10, certi®cateº, SIAM Journal on Computing,4 Springer-Verlag, 1993. (1975), 214±220.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 744 References

[1001] B. PRENEEL, ªStandardization of crypto- [1013] M. QU AND S.A. VANSTONE, ªThe knap- graphic techniquesº, B. Preneel, R. Govaerts, sack problem in cryptographyº, Contempo- and J. Vandewalle, editors, Computer Secu- rary Mathematics, 168 (1994), 291±308. rity and Industrial Cryptography: State of [1014] K. QUINN, ªSome constructions for key dis- the Art and Evolution (LNCS 741), 162±173, tribution patternsº, Designs, Codes and Cryp- Springer-Verlag, 1993. tography, 4 (1994), 177±191. [1002] , ªCryptographic hash functionsº, Eu- [1015] J.-J. QUISQUATER, ªA digital signature sch- ropean Transactions on Telecommunications, eme with extended recoveryº, preprint, 1995. 5 (1994), 431±448. [1016] J.-J. QUISQUATER AND C. COUVREUR, [1003] , Analysis and design of cryptographic ªFast decipherment algorithm for RSA public- hash functions, PhD thesis, Katholieke Uni- key cryptosystemº, Electronics Letters,18 versiteit Leuven (Belgium), Jan. 1993. (October 14, 1982), 905±907. [1004] , Cryptographic Hash Functions, [1017] J.-J. QUISQUATER AND J.-P.DELESCAILLE, Kluwer Academic Publishers, Boston, (to ap- ªHow easy is collision search? Applica- pear). Updated and expanded from [1003]. tion to DESº, Advances in Cryptology± EUROCRYPT '89 (LNCS 434), 429±434, [1005] B. PRENEEL,R.GOVAERTS, AND J. VAN- 1990. DEWALLE, ªDifferential cryptanalysis of hash functions based on block ciphersº, 1st ACM [1018] , ªHow easy is collision search. New re- Conference on Computer and Communica- sults and applications to DESº, Advances in tions Security, 183±188, ACM Press, 1993. Cryptology±CRYPTO '89 (LNCS 435), 408± 413, 1990. [1006] , ªInformation authentication: Hash [1019] J.-J. QUISQUATER AND M. GIRAULT, functions and digital signaturesº, B. Preneel, ª2n-bit hash-functions using n-bit symmet- R. Govaerts, and J. Vandewalle, editors, Com- ric block cipher algorithmsº, Advances in puter Security and Industrial Cryptography: Cryptology±EUROCRYPT '89 (LNCS 434), State of the Art and Evolution (LNCS 741), 102±109, 1990. 87±131, Springer-Verlag, 1993. [1020] J.-J. QUISQUATER,L.GUILLOU, AND [1007] , ªHash functions based on block ci- T. BERSON, ªHow to explain zero-knowledge phers: A synthetic approachº, Advances in protocols to your childrenº, Advances in Cryptology±CRYPTO '93 (LNCS 773), 368± Cryptology±CRYPTO '89 (LNCS 435), 628± 378, 1994. 631, 1990. [1008] B. PRENEEL,M.NUTTIN,V.RIJMEN, AND [1021] M.O. RABIN, ªProbabilistic algorithmsº, J.F. J. BUELENS, ªCryptanalysis of the CFB mode Traub, editor, Algorithms and Complexity, of the DES with a reduced number of roundsº, 21±40, Academic Press, 1976. Advances in Cryptology±CRYPTO '93 (LNCS [1022] , ªDigitalized signaturesº, R. DeMillo, 773), 212±223, 1994. D. Dobkin, A. Jones, and R. Lipton, editors, [1009] B. PRENEEL AND P. VA N OORSCHOT, Foundations of Secure Computation, 155± ªMDx-MAC and building fast MACs from 168, Academic Press, 1978. hash functionsº, Advances in Cryptology± [1023] , ªDigitalized signatures and public- CRYPTO '95 (LNCS 963), 1±14, 1995. key functions as intractable as factorizationº, [1010] , ªOn the security of two MAC MIT/LCS/TR-212, MIT Laboratory for Com- algorithmsº, Advances in Cryptology± puter Science, 1979. EUROCRYPT '96 (LNCS 1070), 19±32, 1996. [1024] , ªProbabilistic algorithm for testing [1011] N. PROCTOR, ªA self-synchronizing cas- primalityº, Journal of Number Theory,12 caded cipher system with dynamic control of (1980), 128±138. error propagationº, Advances in Cryptology± [1025] , ªProbabilistic algorithms in ®nite Proceedings of CRYPTO 84 (LNCS 196), ®eldsº, SIAM Journal on Computing,9 174±190, 1985. (1980), 273±280. [1012] G.B. PURDY, ªA high security log-in pro- [1026] , ªFingerprinting by random polynomi- cedureº, Communications of the ACM,17 alsº, TR-15-81, Center for Research in Com- (1974), 442±445. puting Technology, Harvard University, 1981.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 745

[1027] , ªEf®cient dispersal of information for modes, and identi®ersº, Internet Request for security, load balancing, and fault toleranceº, Comments 1423, D. Balenson, February 1993 Journal of the Association for Computing Ma- (obsoletes RFC 1115, September 1989, J. chinery, 36 (1989), 335±348. Linn). [1028] T. RABIN AND M. BEN-OR,ªVeri®ablese- [1039] RFC 1424, ªPrivacy enhancement for Inter- cret sharing and multiparty protocols with net electronic mail ± Part IV: Key certi®ca- honest majorityº, Proceedings of the 21st An- tion and related servicesº, Internet Request for nual ACM Symposium on Theory of Comput- Comments 1424, B. Kaliski, February 1993. ing, 73±85, 1989. [1040] RFC 1508, ªGeneric security service applica- [1029] C. RACKOFF AND D.R. SIMON, ªNon- tion program interfaceº, Internet Request for interactive zero-knowledge proof of knowl- Comments 1508, J. Linn, September 1993. edge and chosen ciphertext attackº, Advances [1041] RFC 1510, ªThe Kerberos network authen- in Cryptology±CRYPTO '91 (LNCS 576), tication service (V5)º, Internet Request for 433±444, 1992. Comments 1510, J. Kohl and C. Neuman, [1030] G. RAWLINS, Compared to What? An Intro- September 1993. duction to the Analysis of Algorithms,Com- [1042] RFC 1521, ªMIME (Multipurpose Internet puter Science Press, New York, 1992. Mail Extensions) Part One: Mechanisms for [1031] G. REITWIESNER, ªBinary arithmeticº, Ad- specifying and describing the format of In- vances in Computers, 1 (1960), 231±308. ternet message bodiesº, Internet Request for [1032] T. RENJI, ªOn ®nite automaton one-key cryp- Comments 1521, N. Borenstein and N. Freed, tosystemsº, R. Anderson, editor, Fast Soft- September 1993 (obsoletes RFC 1341). ware Encryption, Cambridge Security Work- [1043] RFC 1750, ªRandomness requirements for shop (LNCS 809), 135±148, Springer-Verlag, securityº, Internet Request for Comments 1994. 1750, D. Eastlake, S. Crocker and J. Schiller, [1033] RFC 1319, ªThe MD2 message-digest algo- December 1994. rithmº, Internet Request for Comments 1319, [1044] RFC 1828, ªIP authentication using keyed B. Kaliski, April 1992 (updates RFC 1115, MD5º, Internet Request for Comments 1828, August 1989, J. Linn). P. Metzger and W. Simpson, August 1995. [1034] RFC 1320, ªThe MD4 message-digest algo- [1045] RFC 1847, ªSecurity multiparts for MIME: rithmº, Internet Request for Comments 1320, Multipart/signed and multipart/encryptedº, R.L. Rivest, April 1992 (obsoletes RFC 1186, Internet Request for Comments 1847, J. October 1990, R. Rivest). Galvin, S. Murphy, S. Crocker and N. Freed, [1035] RFC 1321, ªThe MD5 message-digest algo- October 1995. rithmº, Internet Request for Comments 1321, [1046] RFC 1848, ªMIME object security servicesº, R.L. Rivest, April 1992 (presented at Rump Internet Request for Comments 1848, S. Session of Crypto'91). Crocker, N. Freed, J. Galvin and S. Murphy, [1036] RFC 1421, ªPrivacy enhancement for Inter- October 1995. net electronic mail ± Part I: Message encryp- [1047] RFC 1938, ªA one-time password systemº, tion and authentication proceduresº, Internet Internet Request for Comments 1938, N. Request for Comments 1421, J. Linn, Febru- Haller and C. Metz, May 1996. ary 1993 (obsoletes RFC 1113 ± September [1048] V. RIJMEN,J.DAEMEN,B.PRENEEL, 1989; RFC 1040 ± January 1988; and RFC A. BOSSELAERS, AND E. DE WIN,ªThe 989 ± February 1987, J. Linn). cipher SHARKº, D. Gollmann, editor, Fast [1037] RFC 1422, ªPrivacy enhancement for Inter- Software Encryption, Third International net electronic mail ± Part II: Certi®cate-based Workshop (LNCS 1039), 99±111, Springer- key managementº, Internet Request for Com- Verlag, 1996. ments 1422, S. Kent, February 1993 (obso- [1049] V. RIJMEN AND B. PRENEEL, ªOn weak- letes RFC 1114, August 1989, S. Kent and J. nesses of non-surjective round functionsº, Linn). presented at the 2nd Workshop on Selected [1038] RFC 1423, ªPrivacy enhancement for In- Areas in Cryptography (SAC'95), Ottawa, ternet electronic mail ± Part III: Algorithms, Canada, May 18±19 1995.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 746 References

[1050] , ªImproved characteristics for differ- Encryption, Second International Workshop ential cryptanalysis of hash functions based (LNCS 1008), 305±328, Springer-Verlag, on block ciphersº, B. Preneel, editor, Fast 1995. Software Encryption, Second International [1065] P. ROGAWAY, ªBucket hashing and its ap- Workshop (LNCS 1008), 242±248, Springer- plication to fast message authenticationº, Ad- Verlag, 1995. vances in Cryptology±CRYPTO '95 (LNCS [1051] R.L. RIVEST, ªAre `strong' primes needed 963), 29±42, 1995. for RSA?º, unpublished manuscript, 1991. [1066] P. ROGAWAY AND D. COPPERSMITH,ªA [1052] , ªRemarks on a proposed cryptana- software-optimized encryption algorithmº, lytic attack on the M.I.T. public-key cryp- R. Anderson, editor, Fast Software Encryp- tosystemº, Cryptologia, 2 (1978), 62±65. tion, Cambridge Security Workshop (LNCS [1053] , ªStatistical analysis of the Hagelin 809), 56±63, Springer-Verlag, 1994. cryptographº, Cryptologia, 5 (1981), 27±32. [1067] N. ROGIER AND P. CHAUVAUD,ªThecom- pression function of MD2 is not collision [1054] , ªCryptographyº, J. van Leeuwen, ed- freeº, workshop record, 2nd Workshop on Se- itor, Handbook of Theoretical Computer Sci- lected Areas in Cryptography (SAC'95), Ot- ence, 719±755, Elsevier Science Publishers, tawa, Canada, May 18±19 1995. 1990. [1068] J. ROMPEL, ªOne-way functions are neces- [1055] , ªThe MD4 message digest algorithmº, sary and suf®cient for secure signaturesº, Pro- Advances in Cryptology±CRYPTO '90 (LNCS ceedings of the 22nd Annual ACM Symposium 537), 303±311, 1991. on Theory of Computing, 387±394, 1990. [1056] , ªThe RC5 encryption algorithmº, [1069] K.H. ROSEN, Elementary Number Theory B. Preneel, editor, Fast Software Encryption, and its Applications, Addison-Wesley, Read- Second International Workshop (LNCS 1008), ing, Massachusetts, 3rd edition, 1992. 86±96, Springer-Verlag, 1995. [1070] J. ROSSER AND L. SCHOENFELD, ªApprox- [1057] R.L. RIVEST AND A. SHAMIR,ªHowtoex- imate formulas for some functions of prime pose an eavesdropperº, Communications of numbersº, Illinois Journal of Mathematics,6 the ACM, 27 (1984), 393±395. (1962), 64±94. [1058] , ªEf®cient factoring based on par- [1071] RSA LABORATORIES, ªThe Public-Key tial informationº, Advances in Cryptology± Cryptography Standards ± PKCS #11: Cryp- EUROCRYPT '85 (LNCS 219), 31±34, 1986. tographic token interface standardº, RSA [1059] R.L. RIVEST,A.SHAMIR, AND L.M. Data Security Inc., Redwood City, California, ADLEMAN, ªCryptographic communications April 28 1995. system and methodº, U.S. Patent # 4,405,829, [1072] , ªThe Public-Key Cryptography Stan- 20 Sep 1983. dards (PKCS)º, RSA Data Security Inc., Red- [1060] , ªA method for obtaining digital signa- wood City, California, November 1993 Re- tures and public-key cryptosystemsº, Commu- lease. nications of the ACM, 21 (1978), 120±126. [1073] A.D. RUBIN AND P. HONEYMAN,ªFormal [1061] R.L. RIVEST AND A.T. SHERMAN,ªRan- methods for the analysis of authentication pro- domized encryption techniquesº, Advances in tocolsº, CITI Technical Report 93-7, Infor- Cryptology±Proceedings of Crypto 82, 145± mation Technology Division, University of 163, 1983. Michigan, 1993. [1062] M.J.B. ROBSHAW, ªOn evaluating the linear [1074] F. RUBIN, ªDecrypting a stream cipher based n complexity of a sequence of least period 2 º, on J-K ¯ip-¯opsº, IEEE Transactions on Designs, Codes and Cryptography, 4 (1994), Computers, 28 (1979), 483±487. 263±269. [1075] R.A. RUEPPEL, Analysis and Design of [1063] , ªStream ciphersº, Technical Report Stream Ciphers, Springer-Verlag, Berlin, TR-701 (version 2.0), RSA Laboratories, 1986. 1995. [1076] , ªCorrelation immunity and the sum- [1064] M. ROE, ªHow to reverse engineer an EES mation generatorº, Advances in Cryptology± deviceº, B. Preneel, editor, Fast Software CRYPTO '85 (LNCS 218), 260±272, 1986.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 747

[1077] , ªLinear complexity and random se- [1090] M. SANTHA AND U.V. VAZIRANI,ªGener- quencesº, Advances in Cryptology±EURO- ating quasi-random sequences from slightly- CRYPT '85 (LNCS 219), 167±188, 1986. random sourcesº, Proceedings of the IEEE [1078] , ªKey agreements based on func- 25th Annual Symposium on Foundations of tion compositionº, Advances in Cryptology± Computer Science, 434±440, 1984. EUROCRYPT '88 (LNCS 330), 3±10, 1988. [1091] , ªGenerating quasi-random sequences [1079] , ªOn the security of Schnorr's pseudo from semi-random sourcesº, Journal of Com- random generatorº, Advances in Cryptology± puter and System Sciences, 33 (1986), 75±87. EUROCRYPT '89 (LNCS 434), 423±428, An earlier version appeared in [1090]. 1990. [1092] O. SCHIROKAUER, ªDiscrete logarithms and [1080] , ªA formal approach to security local unitsº, Philosophical Transactions of the architecturesº, Advances in Cryptology± Royal Society of London A, 345 (1993), 409± EUROCRYPT '91 (LNCS 547), 387±398, 423. 1991. [1093] B. SCHNEIER, ªDescription of a new [1081] , ªStream ciphersº, G.J. Simmons, ed- variable-length key, 64-bit block cipher itor, Contemporary Cryptology: The Science (Blow®sh)º, R. Anderson, editor, Fast Soft- of Information Integrity, 65±134, IEEE Press, ware Encryption, Cambridge Security Work- 1992. shop (LNCS 809), 191±204, Springer-Verlag, [1082] , ªCriticism of ISO CD 11166 banking 1994. Ð key management by means of asymmet- [1094] , Applied Cryptography: Protocols, Al- ric algorithmsº, W. Wolfowicz, editor, Pro- gorithms, and Source Code in C, John Wiley ceedings of the 3rd Symposium on State and & Sons, New York, 2nd edition, 1996. Progress of Research in Cryptography, Rome, Italy, 191±198, 1993. [1095] C.P. SCHNORR, ªMethod for identifying sub- scribers and for generating and verifying elec- [1083] R.A. RUEPPEL,A.LENSTRA,M.SMID, tronic signatures in a data exchange systemº, K. MCCURLEY,Y.DESMEDT,A.ODLYZKO, U.S. Patent # 4,995,082, 19 Feb 1991. AND P. L ANDROCK, ªThe Eurocrypt '92 con- troversial issue: trapdoor primes and mod- [1096] , ªOn the construction of random num- uliº, Advances in Cryptology±EUROCRYPT ber generators and random function genera- '92 (LNCS 658), 194±199, 1993. torsº, Advances in Cryptology±EUROCRYPT '88 (LNCS 330), 225±232, 1988. [1084] R.A. RUEPPEL AND J.L. MASSEY,ªThe knapsack as a non-linear functionº, IEEE In- [1097] , ªEf®cient identi®cation and signatures ternational Symposium on Information The- for smart cardsº, Advances in Cryptology± ory (Abstracts), p.46, 1985. CRYPTO '89 (LNCS 435), 239±252, 1990. [1085] R.A. RUEPPEL AND O.J. STAFFELBACH, [1098] , ªEf®cient signature generation by ªProducts of linear recurring sequences with smart cardsº, Journal of Cryptology, 4 (1991), maximum complexityº, IEEE Transactions 161±174. on Information Theory, 33 (1987), 124±131. [1099] C.P. SCHNORR AND M. EUCHNER,ªLat- [1086] R.A. RUEPPEL AND P.C. VA N OORSCHOT, tice basis reduction: Improved practical al- ªModern key agreement techniquesº, Com- gorithms and solving subset sum problemsº, puter Communications, 17 (1994), 458±465. L. Budach, editor, Fundamentals of Compu- [1087] A. RUSSELL, ªNecessary and suf®cient con- tation Theory (LNCS 529), 68±85, Springer- ditions for collision-free hashingº, Advances Verlag, 1991. in Cryptology±CRYPTO '92 (LNCS 740), [1100] C.P. SCHNORR AND H.H. HORNERÈ ,ªAt- 433±441, 1993. tacking the Chor-Rivest cryptosystem by [1088] , ªNecessary and suf®cient conditions improved lattice reductionº, Advances in for collision-free hashingº, Journal of Cryp- Cryptology±EUROCRYPT '95 (LNCS 921), tology, 8 (1995), 87±99. An earlier version 1±12, 1995. appeared in [1087]. [1101] A. SCHONHAGEÈ , ªA lower bound for the [1089] A. SALOMAA, Public-key Cryptography, length of addition chainsº, Theoretical Com- Springer-Verlag, Berlin, 1990. puter Science, 1 (1975), 1±12.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 748 References

[1102] A.W. SCHRIFT AND A. SHAMIR,ªOnthe [1115] , ªIdentity-based cryptosystems and universality of the next bit testº, Advances in signature schemesº, Advances in Cryptology± Cryptology±CRYPTO '90 (LNCS 537), 394± Proceedings of CRYPTO 84 (LNCS 196), 47± 408, 1991. 53, 1985. [1103] , ªUniversal tests for nonuniform dis- [1116] , ªAn ef®cient identi®cation scheme tributionsº, Journal of Cryptology, 6 (1993), based on permuted kernelsº, Advances in 119±133. An earlier version appeared in Cryptology±CRYPTO '89 (LNCS 435), 606± [1102]. 609, 1990. [1104] F. SCHWENK AND J. EISFELD, ªPublic [1117] , ªRSA for paranoidsº, CryptoBytes,1 key encryption and signature schemes based (Autumn 1995), 1±4. on polynomials over Znº, Advances in [1118] A. SHAMIR AND A. FIAT, ªMethod, appa- Cryptology±EUROCRYPT '96 (LNCS 1070), ratus and article for identi®cation and signa- 60±71, 1996. tureº, U.S. Patent # 4,748,668, 31 May 1988. [1105] R. SEDGEWICK, Algorithms, Addison- [1119] M. SHAND AND J. VUILLEMIN,ªFastimple- Wesley, Reading, Massachusetts, 2nd edition, mentations of RSA cryptographyº, Proceed- 1988. ings of the 11th IEEE Symposium on Com- [1106] R. SEDGEWICK,T.G.SZYMANSKI, AND puter Arithmetic, 252±259, 1993. A.C. YAO, ªThe complexity of ®nding cycles in periodic functionsº, SIAM Journal on Com- [1120] C.E. SHANNON, ªA mathematical theory of puting, 11 (1982), 376±390. communicationº, Bell System Technical Jour- nal, 27 (1948), 379±423, 623±656. [1107] E.S. SELMER, ªLinear recurrence relations over ®nite ®eldsº, Department of Mathemat- [1121] , ªCommunication theory of secrecy ics, University of Bergen, Norway, 1966. systemsº, Bell System Technical Journal,28 (1949), 656±715. [1108] J. SHALLIT, ªOn the worst case of three algorithms for computing the Jacobi symbolº, [1122] , ªPrediction and entropy of printed Journal of Symbolic Computation, 10 (1990), Englishº, Bell System Technical Journal,30 593±610. (1951), 50±64.

[1109] A. SHAMIR, ªA fast signature schemeº, [1123] J. SHAWE-TAYLOR, ªGenerating strong MIT/LCS/TM-107, MIT Laboratory for Com- primesº, Electronics Letters, 22 (July 31, puter Science, 1978. 1986), 875±877. [1110] , ªHow to share a secretº, Communica- [1124] S. SHEPHERD, ªA high speed software imple- tions of the ACM, 22 (1979), 612±613. mentation of the Data Encryption Standardº, Computers & Security, 14 (1995), 349±357. [1111] , ªOn the generation of cryptographically strong pseudo-random sequencesº, [1125] A. SHIMIZU AND S. MIYAGUCHI,ªData S. Even and O. Kariv, editors, Automata, Lan- randomization equipmentº, U.S. Patent # guages, and Programming, 8th Colloquium 4,850,019, 18 Jul 1989. (LNCS 115), 544±550, Springer-Verlag, 1981. [1126] , ªFast data encipherment algo- [1112] , ªOn the generation of cryptographi- rithm FEALº, Advances in Cryptology± cally strong pseudorandom sequencesº, ACM EUROCRYPT '87 (LNCS 304), 267±278, Transactions on Computer Systems, 1 (1983), 1988. 38±44. An earlier version appeared in [1111]. [1127] Z. SHMUELY, ªComposite Dif®e-Hellman [1113] , ªA polynomial time algorithm public-key generating systems are hard to for breaking the basic Merkle-Hellman breakº, Technical Report #356, TECHNION cryptosystemº, Advances in Cryptology± ± Israel Institute of Technology, Computer Proceedings of Crypto 82, 279±288, 1983. Science Department, 1985.

[1114] , ªA polynomial-time algorithm for [1128] P.W. SHOR, ªAlgorithms for quantum com- breaking the basic Merkle-Hellman cryp- putation: discrete logarithms and factoringº, tosystemº, IEEE Transactions on Information Proceedings of the IEEE 35th Annual Sym- Theory, 30 (1984), 699±704. An earlier ver- posium on Foundations of Computer Science, sion appeared in [1113]. 124±134, 1994.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 749

[1129] V. SHOUP, ªNew algorithms for ®nding irre- [1144] , ªA survey of information authentica- ducible polynomials over ®nite ®eldsº, Math- tionº, G.J. Simmons, editor, Contemporary ematics of Computation, 54 (1990), 435±447. Cryptology: The Science of Information In- [1130] , ªSearching for primitive roots in ®- tegrity, 379±419, IEEE Press, 1992. nite ®eldsº, Mathematics of Computation,58 [1145] , ªAn introduction to shared secret (1992), 369±380. and/or shared control schemes and their appli- [1131] , ªFast construction of irreducible poly- cationº, G.J. Simmons, editor, Contemporary nomials over ®nite ®eldsº, Journal of Sym- Cryptology: The Science of Information In- bolic Computation, 17 (1994), 371±391. tegrity, 441±497, IEEE Press, 1992. [1132] T. SIEGENTHALER, ªCorrelation-immunity [1146] , ªHow to insure that data acquired of nonlinear combining functions for crypto- to verify treaty compliance are trustworthyº, graphic applicationsº, IEEE Transactions on G.J. Simmons, editor, Contemporary Cryp- Information Theory, 30 (1984), 776±780. tology: The Science of Information Integrity, 615±630, IEEE Press, 1992. [1133] , ªDecrypting a class of stream ciphers using ciphertext onlyº, IEEE Transactions on [1147] , ªThe subliminal channels in the U.S. Computers, 34 (1985), 81±85. Digital Signature Algorithm (DSA)º, W. Wol- [1134] , ªCryptanalysts representation of non- fowicz, editor, Proceedings of the 3rd Sym- linearly ®ltered ML-sequencesº, Advances in posium on State and Progress of Research in Cryptology±EUROCRYPT '85 (LNCS 219), Cryptography, Rome, Italy, 35±54, 1993. 103±110, 1986. [1148] , ªProof of soundness (integrity) of cryptographic protocolsº, Journal of Cryptol- [1135] R.D. SILVERMAN, ªThe multiple polynomial quadratic sieveº, Mathematics of Computa- ogy, 7 (1994), 69±77. tion, 48 (1987), 329±339. [1149] , ªSubliminal communication is easy [1136] R.D. SILVERMAN AND S.S. WAGSTAFF JR., using the DSAº, Advances in Cryptology± ªA practical analysis of the elliptic curve fac- EUROCRYPT '93 (LNCS 765), 218±232, toring algorithmº, Mathematics of Computa- 1994. tion, 61 (1993), 445±462. [1150] , ªProtocols that ensure fairnessº, P.G. [1137] G.J. SIMMONS, ªA ªweakº privacy protocol Farrell, editor, Codes and Cyphers: Cryptog- using the RSA crypto algorithmº, Cryptolo- raphy and Coding IV, 383±394, Institute of gia, 7 (1983), 180±182. Mathematics & Its Applications (IMA), 1995. [1138] , ªAuthentication theory/coding the- [1151] G.J. SIMMONS AND M.J. NORRIS, ªPrelimi- oryº, Advances in Cryptology±Proceedings of nary comments on the M.I.T. public-key cryp- CRYPTO 84 (LNCS 196), 411±431, 1985. tosystemº, Cryptologia, 1 (1977), 406±414. [1139] , ªThe subliminal channel and dig- [1152] A. SINKOV, Elementary Cryptanalysis: A ital signaturesº, Advances in Cryptology± Mathematical Approach, Random House, Proceedings of EUROCRYPT 84 (LNCS 209), New York, 1968. 364±378, 1985. [1153] M.E. SMID, ªIntegrating the Data Encryp- [1140] , ªA secure subliminal channel (?)º, Ad- tion Standard into computer networksº, IEEE vances in Cryptology±CRYPTO '85 (LNCS Transactions on Communications, 29 (1981), 218), 33±41, 1986. 762±772. [1141] , ªHow to (really) share a secretº, Ad- [1154] M.E. SMID AND D.K. BRANSTAD, ªCrypto- vances in Cryptology±CRYPTO '88 (LNCS graphic key notarization methods and appara- 403), 390±448, 1990. tusº, U.S. Patent # 4,386,233, 31 May 1983. [1142] , ªPrepositioned shared secret and/or [1155] , ªThe Data Encryption Standard: Past shared control schemesº, Advances in and futureº, Proceedings of the IEEE,76 Cryptology±EUROCRYPT '89 (LNCS 434), (1988), 550±559. 436±467, 1990. [1156] , ªThe Data Encryption Standard: Past [1143] , ªContemporary cryptology: a fore- and futureº, G.J. Simmons, editor, Contempo- wordº, G.J. Simmons, editor, Contemporary rary Cryptology: The Science of Information Cryptology: The Science of Information In- Integrity, 43±64, IEEE Press, 1992. Appeared tegrity, vii±xv, IEEE Press, 1992. earlier as [1155].

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 750 References

[1157] , ªResponse to comments on the NIST [1170] J. STEIN, ªComputational problems associ- proposed digital signature standardº, Ad- ated with Racah algebraº, Journal of Compu- vances in Cryptology±CRYPTO '92 (LNCS tational Physics, 1 (1967), 397±405. 740), 76±88, 1993. [1171] J.G. STEINER,C.NEUMAN, AND J.I. [1158] D.R. SMITH AND J.T. PALMER,ªUniver- SCHILLER, ªKerberos: an authentication ser- sal ®xed messages and the Rivest-Shamir- vice for open network systemsº, Proceedings Adleman cryptosystemº, Mathematika,26 of the Winter 1988 Usenix Conference, 191± (1979), 44±52. 201, 1988. TEINER SUDIK AND AID [1159] J.L. SMITH, ªRecirculating block ci- [1172] M. S ,G.T , M. W - pher cryptographic systemº, U.S. Patent # NER, ªRe®nement and extension of encrypted 3,796,830, 12 Mar 1974. key exchangeº, Operating Systems Review, 29:3 (1995), 22±30. [1160] , ªThe design of Lucifer: A cryp- [1173] J. STERN, ªSecret linear congruential gener- tographic device for data communicationsº, ators are not cryptographically secureº, Pro- IBM Research Report RC 3326, IBM T.J. ceedings of the IEEE 28th Annual Symposium Watson Research Center, Yorktown Heights, on Foundations of Computer Science, 421± N.Y., 10598, U.S.A., Apr. 15 1971. 426, 1987. [1161] P. SMITH AND M. LENNON,ªLUC:Anew [1174] , ªAn alternative to the Fiat-Shamir pro- public key systemº, E. Dougall, editor, Pro- tocolº, Advances in Cryptology±EUROCRY- ceedings of the IFIP TC11 Ninth International PT '89 (LNCS 434), 173±180, 1990. Conference on Information Security, IFIP/Sec [1175] , ªDesigning identi®cation schemes 93, 103±117, North-Holland, 1993. with keys of short sizeº, Advances in [1162] P. SMITH AND C. SKINNER, ªA public-key Cryptology±CRYPTO '94 (LNCS 839), 164± cryptosystem and a digital signature system 173, 1994. based on the Lucas function analogue to dis- [1176] , ªA new identi®cation scheme based crete logarithmsº, Advances in Cryptology± on syndrome decodingº, Advances in ASIACRYPT '94 (LNCS 917), 357±364, 1995. Cryptology±CRYPTO '93 (LNCS 773), 13± [1163] R. SOLOVAY AND V. S TRASSEN,ªAfast 21, 1994. Monte-Carlo test for primalityº, SIAM Jour- [1177] D.R. STINSON, ªAn explication of secret nal on Computing, 6 (1977), 84±85. Erratum sharing schemesº, Designs, Codes and Cryp- in ibid, 7 (1978), 118. tography, 2 (1992), 357±390. [1164] J. SORENSON, ªTwo fast gcd algorithmsº, [1178] , Cryptography: Theory and Practice, Journal of Algorithms, 16 (1994), 110±144. CRC Press, Boca Raton, Florida, 1995. [1165] A. SORKIN, ªLucifer, a cryptographic algo- [1179] S.G. STUBBLEBINEAND V. D . G LIGOR,ªOn rithmº, Cryptologia, 8 (1984), 22±35. message integrity in cryptographic protocolsº, Proceedings of the 1992 IEEE Computer So- [1166] M. STADLER,J.-M.PIVETEAU, AND J. CA- ciety Symposium on Research in Security and MENISCH, ªFair blind signaturesº, Advances Privacy, 85±104, 1992. in Cryptology±EUROCRYPT '95 (LNCS 921), 209±219, 1995. [1180] D.J. SYKES, ªThe management of encryption keysº, D.K. Branstad, editor, Computer secu- [1167] O. STAFFELBACH AND W. MEIER, ªCryp- rity and the Data Encryption Standard, 46±53, tographic signi®cance of the carry for ci- NBS Special Publication 500-27, U.S. Depart- phers based on integer additionº, Advances in ment of Commerce, National Bureau of Stan- Cryptology±CRYPTO '90 (LNCS 537), 601± dards, Washington, D.C., 1977. 614, 1991. [1181] P. SYVERSON, ªKnowledge, belief and se- [1168] W. STAHNKE, ªPrimitive binary polynomi- mantics in the analysis of cryptographic proto- alsº, Mathematics of Computation, 27 (1973), colsº, Journal of Computer Security, 1 (1992), 977±980. 317±334. [1169] D.G. STEER,L.STRAWCZYNSKI,W.DIFF- [1182] , ªA taxonomy of replay attacksº, Pro- IE, AND M. WIENER, ªA secure audio tele- ceedings of the Computer Security Founda- conference systemº, Advances in Cryptology± tions Workshop VII (CSFW 1994), 187±191, CRYPTO '88 (LNCS 403), 520±528, 1990. IEEE Computer Society Press, 1994.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 751

[1183] P. SYVERSON AND P. VA N OORSCHOT,ªOn on Fundamentals of Electronics, Communica- unifying some cryptographic protocol logicsº, tions and Computer Science, E78-A (1995), Proceedings of the 1994 IEEE Computer So- 1148±1153. An earlier version appeared in ciety Symposium on Research in Security and [1192]. Privacy, 14±28, 1994. [1194] M. TOMPA AND H. WOLL, ªRandom self- [1184] K. TANAKA AND E. OKAMOTO,ªKeydis- reducibility and zero-knowledge interactive tribution using id-related information direc- proofs of possession of informationº, Pro- tory suitable for mail systemsº, Proceedings ceedings of the IEEE 28th Annual Symposium of the 8th Worldwide Congress on Computer on Foundations of Computer Science, 472± and Communications Security and Protection 482, 1987. (SECURICOM'90), 115±122, 1990. [1195] , ªHow to share a secret with cheatersº, [1185] A. TARAH AND C. HUITEMA, ªAssociating Journal of Cryptology, 1 (1988), 133±138. metrics to certi®cation pathsº, Y. Deswarte, [1196] G. TSUDIK, ªMessage authentication with G. Eizenberg, and J.-J. Quisquater, editors, one-way hash functionsº, Computer Commu- Second European Symposium on Research nication Review, 22 (1992), 29±38. in Computer Security ± ESORICS'92 (LNCS 648), 175±189, Springer-Verlag, 1992. [1197] S. TSUJII AND J. CHAO,ªAnewID- based key sharing systemº, Advances in [1186] J.J. TARDO AND K. ALAGAPPAN, ªSPX: Cryptology±CRYPTO '91 (LNCS 576), 288± Global authentication using public key certi®- 299, 1992. catesº, Proceedings of the IEEE Symposium [1198] W. TUCHMAN, ªIntegrated system designº, on Research in Security and Privacy, 232± D.K. Branstad, editor, Computer security and 244, 1991. the Data Encryption Standard, 94±96, NBS [1187] A. TARDY-CORFDIR AND H. GILBERT,ªA Special Publication 500-27, U.S. Department known plaintext attack of FEAL-4 and FEAL- of Commerce, National Bureau of Standards, 6º, Advances in Cryptology±CRYPTO '91 Washington, D.C., 1977. (LNCS 576), 172±182, 1992. [1199] , ªHellman presents no shortcut solu- [1188] M. TATEBAYASHI,N.MATSUZAKI, AND tions to the DESº, IEEE Spectrum, 16 (1979), D.B. NEWMAN JR., ªKey distribution pro- 40±41. tocol for digital mobile communication sys- [1200] J. VA N D E GRAAF AND R. PERALTA,ªAsim- temsº, Advances in Cryptology±CRYPTO '89 ple and secure way to show the validity of (LNCS 435), 324±334, 1990. your public keyº, Advances in Cryptology± [1189] R. TAYLOR, ªAn integrity check value al- CRYPTO '87 (LNCS 293), 128±134, 1988. gorithm for stream ciphersº, Advances in [1201] E. VA N HEIJST AND T.P. PEDERSEN,ªHow Cryptology±CRYPTO '93 (LNCS 773), 40± to make ef®cient fail-stop signaturesº, Ad- 48, 1994. vances in Cryptology±EUROCRYPT '92 [1190] J.A. THIONG LY, ªA serial version of the (LNCS 658), 366±377, 1993. Pohlig-Hellman algorithm for computing dis- [1202] E. VA N HEIJST,T.P.PEDERSEN, AND crete logarithmsº, Applicable Algebra in En- B. PFITZMANN, ªNew constructions of fail- gineering, Communication and Computing,4 stop signatures and lower boundsº, Advances (1993), 77±80. in Cryptology±CRYPTO '92 (LNCS 740), 15± [1191] J. THOMPSON, ªS/MIME message speci®ca- 30, 1993. tion ± PKCS security services for MIMEº, [1203] P. VA N OORSCHOT, ªA comparison of prac- RSA Data Security Inc., Aug. 29 1995, tical public key cryptosystems based on in- http://www.rsa.com/ . teger factorization and discrete logarithmsº, [1192] T. TOKITA,T.SORIMACHI, AND M. MAT- G.J. Simmons, editor, Contemporary Cryp- SUI, ªLinear cryptanalysis of LOKI and tology: The Science of Information Integrity, 2 s DESº, Advances in Cryptology±ASIACRY- 289±322, IEEE Press, 1992. PT '94 (LNCS 917), 293±303, 1995. [1204] , ªExtending cryptographic logics of [1193] , ªOn applicability of linear cryptanal- belief to key agreement protocolsº, 1st ACM ysis to DES-like cryptosystems ± LOKI89, Conference on Computer and Communica- LOKI91 and s2DESº, IEICE Transactions tions Security, 232±243, ACM Press, 1993.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 752 References

[1205] , ªAn alternate explanation of two quasi-random sequences from two communi- BAN-logic ªfailuresºº, Advances in Crypto- cating slightly-random sourcesº, Proceedings logy±EUROCRYPT '93 (LNCS 765), 443± of the 17th Annual ACM Symposium on The- 447, 1994. ory of Computing, 366±378, 1985. [1206] P. VA N OORSCHOT AND M. WIENER, [1218] U.V. VAZIRANI AND V. V. VAZIRANI,ªEf®- ªA known-plaintext attack on two-key cient and secure pseudo-random number gen- triple encryptionº, Advances in Cryptology± erationº, Proceedings of the IEEE 25th An- EUROCRYPT '90 (LNCS 473), 318±325, nual Symposium on Foundations of Computer 1991. Science, 458±463, 1984. This paper also ap- [1207] , ªParallel collision search with appli- peared in [1219]. cations to hash functions and discrete log- [1219] , ªEf®cient and secure pseudo- arithmsº, 2nd ACM Conference on Com- random number generationº, Advances in puter and Communications Security, 210± Cryptology±Proceedings of CRYPTO 84 218, ACM Press, 1994. (LNCS 196), 193±202, 1985. [1208] , ªImproving implementable meet-in- [1220] K. VEDDER, ªSecurity aspects of mobile the-middle attacks by orders of magnitudeº, communicationsº, B. Preneel, R. Govaerts, Advances in Cryptology±CRYPTO '96 (LNCS and J. Vandewalle, editors, Computer Secu- 1109), 229±236, 1996. rity and Industrial Cryptography: State of [1209] , ªOn Dif®e-Hellman key agree- the Art and Evolution (LNCS 741), 193±210, ment with short exponentsº, Advances in Springer-Verlag, 1993. Cryptology±EUROCRYPT '96 (LNCS 1070), [1221] G.S. VERNAM, ªSecret signaling systemº, 332±343, 1996. U.S. Patent # 1,310,719, 22 Jul 1919. [1210] H.C.A. VA N TILBORG, An Introduction to [1222] , ªCipher printing telegraph systems for Cryptology, Kluwer Academic Publishers, secret wire and radio telegraphic communica- Boston, 1988. tionsº, Journal of the American Institute for [1211] , ªAuthentication codes: an area where Electrical Engineers, 55 (1926), 109±115. coding and cryptology meetº, C. Boyd, edi- [1223] J. VON NEUMANN, ªVarious techniques used tor, Cryptography and Coding, 5th IMA Con- in connection with random digitsº, Applied ference, Proceedings, 169±183, Institute of Mathematics Series, U.S. National Bureau of Mathematics & Its Applications (IMA), 1995. Standards, 12 (1951), 36±38. [1212] J. VA N TILBURG, ªOn the McEliece public- [1224] J. VON ZUR GATHEN AND V. S HOUP,ªCom- key cryptosystemº, Advances in Cryptology± puting Frobenius maps and factoring polyno- CRYPTO '88 (LNCS 403), 119±131, 1990. mialsº, Computational Complexity, 2 (1992), [1213] S.A. VANSTONE AND R.J. ZUCCHERATO, 187±224. ªElliptic curve cryptosystems using curves of [1225] V.L. VOYDOCK AND S.T. KENT, ªSecurity smooth order over the ring Znº, IEEE Trans- mechanisms in high-level network protocolsº, actions on Information Theory, to appear. Computing Surveys, 15 (1983), 135±171. [1214] , ªShort RSA keys and their genera- [1226] D. WACKERLY,W.MENDENHALL III, AND tionº, Journal of Cryptology, 8 (1995), 101± R. SCHEAFFER, Mathematical Statistics with 114. Applications, Duxbury Press, Belmont, Cali- [1215] S. VAUDENAY, ªOn the need for multipermu- fornia, 5th edition, 1996. tations: Cryptanalysis of MD4 and SAFERº, [1227] M. WAIDNER AND B. PFITZMANN,ªThe B. Preneel, editor, Fast Software Encryption, dining cryptographers in the disco: Uncon- Second International Workshop (LNCS 1008), ditional sender and recipient untraceability 286±297, Springer-Verlag, 1995. with computationally secure serviceabilityº, [1216] , ªOn the weak keys of Blow®shº, Advances in Cryptology±EUROCRYPT '89 D. Gollmann, editor, Fast Software Encryp- (LNCS 434), 690, 1990. tion, Third International Workshop (LNCS [1228] C.P. WALDVOGEL AND J.L. MASSEY,ªThe 1039), 27±32, Springer-Verlag, 1996. probability distribution of the Dif®e-Hellman [1217] U.V. VAZIRANI, ªTowards a strong com- keyº, Advances in Cryptology±AUSCRYPT munication complexity theory, or generating '92 (LNCS 718), 492±504, 1993.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter. References 753

[1229] S.T. WALKER,S.B.LIPNER,C.M.ELLI- [1242] S. WIESNER, ªConjugate codingº, SIGACT SON, AND D.M. BALENSON, ªCommercial News, 15 (1983), 78±88. Original manuscript key recoveryº, Communications of the ACM, (circa 1970). 39 (1996), 41±47. [1243] H.S. WILF, ªBacktrack: An O(1) expected [1230] C.D. WALTER, ªFaster modular multipli- time algorithm for the graph coloring prob- cation by operand scalingº, Advances in lemº, Information Processing Letters,18 Cryptology±CRYPTO '91 (LNCS 576), 313± (1984), 119±121. 323, 1992. [1244] M.V. WILKES, Time-Sharing Computer Sys- [1231] P.C. WAYNER, ªContent-addressable search tems, American Elsevier Pub. Co., New York, engines and DES-like systemsº, Advances in 3rd edition, 1975. Cryptology±CRYPTO '92 (LNCS 740), 575± [1245] F. WILLEMS, ªUniversal data compression 586, 1993. and repetition timesº, IEEE Transactions on Information Theory, 35 (1989), 54±58. [1232] D. WEBER, ªAn implementation of the general number ®eld sieve to compute discrete [1246] H.C. WILLIAMS, ªA modi®cation of the logarithms mod pº, Advances in Cryptology± RSA public-key encryption procedureº, IEEE EUROCRYPT '95 (LNCS 921), 95±105, 1995. Transactions on Information Theory,26 (1980), 726±729. [1233] A.F. WEBSTER AND S.E. TAVA R E S,ªOnthe p design of S-boxesº, Advances in Cryptology± [1247] ,ªA +1method of factoringº, Math- CRYPTO '85 (LNCS 218), 523±534, 1986. ematics of Computation, 39 (1982), 225±234. [1248] , ªSome public-key crypto-functions as [1234] M.N. WEGMAN AND J.L. CARTER,ªNew intractable as factorizationº, Cryptologia,9 hash functions and their use in authentication (1985), 223±237. and set equalityº, Journal of Computer and System Sciences, 22 (1981), 265±279. [1249] H.C. WILLIAMS AND B. SCHMID,ªSomere- marks concerning the M.I.T. public-key cryp- [1235] D. WELSH, Codes and Cryptography, tosystemº, BIT, 19 (1979), 525±538. Clarendon Press, Oxford, 1988. [1250] R.S. WINTERNITZ, ªA secure one-way hash [1236] A.E. WESTERN AND J.C.P. MILLER, Ta- function built from DESº, Proceedings of the bles of Indices and Primitive Roots, volume 9, 1984 IEEE Symposium on Security and Pri- Royal Society Mathematical Tables, Cam- vacy, 88±90, 1984. bridge University Press, 1968. [1251] S. WOLFRAM, ªCryptography with cellular [1237] D.J. WHEELER, ªA bulk data encryption al- automataº, Advances in Cryptology±CRYPTO gorithmº, R. Anderson, editor, Fast Software '85 (LNCS 218), 429±432, 1986. Encryption, Cambridge Security Workshop [1252] , ªRandom sequence generation by cel- (LNCS 809), 127±134, Springer-Verlag, 1994. lular automataº, Advances in Applied Mathe- [1238] D.J. WHEELER AND R.M. NEEDHAM, matics, 7 (1986), 123±169. ªTEA, a tiny encryption algorithmº, B. Pre- [1253] H. WOLL, ªReductions among number the- neel, editor, Fast Software Encryption, Second oretic problemsº, Information and Computa- International Workshop (LNCS 1008), 363± tion, 72 (1987), 167±179. 366, Springer-Verlag, 1995. [1254] A.D. WYNER, ªThe wire-tap channelº, Bell [1239] D.H. WIEDEMANN, ªSolving sparse linear System Technical Journal, 54 (1975), 1355± equations over ®nite ®eldsº, IEEE Transac- 1387. tions on Information Theory, 32 (1986), 54± [1255] Y. YACOBI, ªA key distribution ªparadoxºº, 62. Advances in Cryptology±CRYPTO '90 (LNCS [1240] M.J. WIENER, ªCryptanalysis of short RSA 537), 268±273, 1991. secret exponentsº, IEEE Transactions on In- [1256] Y. YACOBI AND Z. SHMUELY,ªOnkeydis- formation Theory, 36 (1990), 553±558. tribution systemsº, Advances in Cryptology± [1241] , ªEf®cient DES key searchº, Technical CRYPTO '89 (LNCS 435), 344±355, 1990. Report TR-244, School of Computer Science, [1257] A.C. YAO, ªOn the evaluation of powersº, Carleton University, Ottawa, 1994. Presented SIAM Journal on Computing, 5 (1976), 100± at Crypto '93 rump session. 103.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone. 754 References

[1258] , ªTheory and applications of trapdoor [1268] Y. ZHENG,J.PIEPRZYK, AND J. SEBERRY, functionsº, Proceedings of the IEEE 23rd An- ªHAVAL ± a one-way hashing algorithm nual Symposium on Foundations of Computer with variable length of outputº, Advances in Science, 80±91, 1982. Cryptology±AUSCRYPT '92 (LNCS 718), 83± [1259] S.-M. YEN AND C.-S. LAIH, ªNew digi- 104, 1993. tal signature scheme based on discrete log- [1269] Y. ZHENG AND J. SEBERRY, ªImmunizing arithmº, Electronics Letters, 29 (June 10, public key cryptosystems against chosen ci- 1993), 1120±1121. phertext attacksº, IEEE Journal on Selected [1260] C. YUEN, ªTesting random number genera- Areas in Communications, 11 (1993), 715± tors by Walsh transformº, IEEE Transactions 724. on Computers, 26 (1977), 329±333. [1261] D. YUN, ªFast algorithm for rational function [1270] N. ZIERLER, ªPrimitive trinomials whose de- integrationº, Information Processing 77: Pro- gree is a Mersenne exponentº, Information ceedings of IFIP Congress 77, 493±498, 1977. and Control, 15 (1969), 67±69. [1262] G. YUVAL, ªHow to swindle Rabinº, Cryp- [1271] N. ZIERLER AND J. BRILLHART,ªOnprim- tologia, 3 (1979), 187±190. itive trinomials (mod 2)º, Information and [1263] K. ZENG AND M. HUANG, ªOn the lin- Control, 13 (1968), 541±554. ear syndrome method in cryptanalysisº, Ad- vances in Cryptology±CRYPTO '88 (LNCS [1272] P.R. ZIMMERMANN, The Of®cial PGP 403), 469±478, 1990. User's Guide, MIT Press, Cambridge, Mas- [1264] K. ZENG,C.-H.YANG, AND T.R.N. RAO, sachusetts, 1995 (second printing). ªOn the linear consistency test (LCT) in [1273] J. ZIV AND A. LEMPEL, ªOn the complexity cryptanalysis with applicationsº, Advances in of ®nite sequencesº, IEEE Transactions on In- Cryptology±CRYPTO '89 (LNCS 435), 164± formation Theory, 22 (1976), 75±81. 174, 1990. [1265] , ªAn improved linear syndrome algo- [1274] M. ZÏ IVKOVICÂ , ªAn algorithm for the initial rithm in cryptanalysis with applicationsº, Ad- state reconstruction of the clock-controlled vances in Cryptology±CRYPTO '90 (LNCS shift registerº, IEEE Transactions on Infor- 537), 34±47, 1991. mation Theory, 37 (1991), 1488±1490. [1266] K. ZENG,C.-H.YANG,D.-YWEI, AND [1275] , ªA table of primitive binary polynomi- T.R.N. RAO, ªPseudorandom bit generators alsº, Mathematics of Computation, 62 (1994), in stream-cipher cryptographyº, Computer, 385±386. 24 (1991), 8±17. [1267] C. ZHANG, ªAn improved binary algorithm [1276] , ªTable of primitive binary polyno- for RSAº, Computers and Mathematics with mials. IIº, Mathematics of Computation,63 Applications, 25:6 (1993), 15±24. (1994), 301±306.

c 1997 by CRC Press, Inc. Ð See accompanying notice at front of chapter.