References

This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P.
van
Oorschot, and S. Vanstone, CRC Press, 1996.
For further information, see www.cacr.math.uwaterloo.ca/hac
CRC Press has granted the following specific permissions for the electronic version of this
book:
Permission is granted to retrieve, print and store a single copy of this chapter for
personal use. This permission does not extend to binding multiple chapters of
the book, photocopying or producing copies for other than personal use of the
person creating the copy, or making electronic copies available for retrieval by
others without prior permission in writing from CRC Press.
Except where over-ridden by the specific permission above, the standard copyright notice
from CRC Press applies to this electronic version:
Neither this book nor any part may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying, microfilming,
and recording, or by any information storage or retrieval system, without prior
permission in writing from the publisher.
The consent of CRC Press does not extend to copying for general distribution,
for promotion, for creating new works, or for resale. Specific permission must be
obtained in writing from CRC Press for such copying.
1997
c by CRC Press, Inc.
References
[1] M. A BADI AND R. N EEDHAM, “Prudent en- [11] L.M. A DLEMAN AND J. D E M ARRAIS, “A
gineering practice for cryptographic proto- subexponential algorithm for discrete loga-
cols”, DEC SRC report #125, Digital Equip- rithms over all finite fields”, Mathematics of
ment Corporation, Palo Alto, CA, 1994. Computation, 61 (1993), 1–15.
[2] M. A BADI AND M.R. T UTTLE , “A seman- [12] L.M. A DLEMAN , J. D E M ARRAIS , AND M.-
tics for a logic of authentication”, Proceed- D. H UANG, “A subexponential algorithm for
ings of the Tenth Annual ACM Symposium discrete logarithms over the rational subgroup
on Principles of Distributed Computing, 201– of the Jacobians of large genus hyperelliptic
216, 1991. curves over finite fields”, Algorithmic Number
[3] C. A DAMS, “Symmetric cryptographic sys- Theory (LNCS 877), 28–40, 1994.
tem for data encryption”, U.S. Patent # [13] L.M. A DLEMAN AND M.-D. A. H UANG,
5,511,123, 23 Apr 1996. Primality Testing and Abelian Varieties Over
[4] , “IDUP and SPKM: Developing Finite Fields, Springer-Verlag, Berlin, 1992.
public-key-based APIs and mechanisms for
[14] L.M. A DLEMAN AND H.W. L ENSTRA J R .,
communication security services”, Proceed-
“Finding irreducible polynomials over finite
ings of the Internet Society Symposium on Net-
fields”, Proceedings of the 18th Annual ACM
work and Distributed System Security, 128–
Symposium on Theory of Computing, 350–
135, IEEE Computer Society Press, 1996.
355, 1986.
[5] C. A DAMS AND H. M EIJER, “Security-
related comments regarding McEliece’s [15] L.M. A DLEMAN AND K.S. M C C URLEY,
public-key cryptosystem”, Advances in “Open problems in number theoretic com-
Cryptology–CRYPTO ’87 (LNCS 293), 224– plexity, II”, Algorithmic Number Theory
228, 1988. (LNCS 877), 291–322, 1994.
[6] , “Security-related comments regard- [16] L.M. A DLEMAN , C. P OMERANCE , AND
ing McEliece’s public-key cryptosystem”, R.S. R UMELY, “On distinguishing prime
IEEE Transactions on Information Theory, 35 numbers from composite numbers”, Annals of
(1989), 454–455. An earlier version appeared Mathematics, 117 (1983), 173–206.
in [5]. [17] G.B. A GNEW, “Random sources for crypto-
[7] C. A DAMS AND S.E. TAVARES, “Design- graphic systems”, Advances in Cryptology–
ing S-boxes for ciphers resistant to differen- EUROCRYPT ’87 (LNCS 304), 77–81, 1988.
tial cryptanalysis”, W. Wolfowicz, editor, Pro-
[18] G.B. A GNEW, R.C. M ULLIN , I.M. O NYSZ -
ceedings of the 3rd Symposium on State and
CHUK , AND S.A. VANSTONE , “An imple-
Progress of Research in Cryptography, Rome,
mentation for a fast public-key cryptosystem”,
Italy, 181–190, 1993.
Journal of Cryptology, 3 (1991), 63–79.
[8] L.M. A DLEMAN, “A subexponential algo-
rithm for the discrete logarithm problem with [19] G.B. A GNEW, R.C. M ULLIN , AND S.A.
applications to cryptography”, Proceedings of VANSTONE , “Improved digital signature sch-
the IEEE 20th Annual Symposium on Founda- eme based on discrete exponentiation”, Elec-
tions of Computer Science, 55–60, 1979. tronics Letters, 26 (July 5, 1990), 1024–1025.
[9] , “The function field sieve”, Algorith- [20] S.G. A KL , “On the security of com-
mic Number Theory (LNCS 877), 108–121, pressed encodings”, Advances in Cryptology–
1994. Proceedings of Crypto 83, 209–230, 1984.
[10] , “Molecular computation of solutions [21] N. A LEXANDRIS , M. B URMESTER , V. C HR -
to combinatorial problems”, Science, 266 ISSIKOPOULOS , AND Y. D ESMEDT , “A se-
(1994), 1021–1024. cure key distribution system”, W. Wolfowicz,
703
704 References
editor, Proceedings of the 3rd Symposium on [34] ANSI X3.106, “American National Standard
State and Progress of Research in Cryptogra- for Information Systems – Data Encryption
phy, Rome, Italy, 30–34, Feb. 1993. Algorithm – Modes of Operation”, American
[22] W. A LEXI , B. C HOR , O. G OLDREICH , AND National Standards Institute, 1983.
C.P. S CHNORR, “RSA/Rabin bits are 12 + [35] ANSI X9.8, “American National Standard
1/poly(log n) secure”, Proceedings of the
for Financial Services – Banking – Personal
IEEE 25th Annual Symposium on Founda- Identification Number management and se-
tions of Computer Science, 449–457, 1984. curity. Part 1: PIN protection principles and
[23] , “RSA and Rabin functions: Certain techniques; Part 2: Approved algorithms for
parts are as hard as the whole”, SIAM Journal PIN encipherment”, ASC X9 Secretariat –
on Computing, 17 (1988), 194–209. An ear- American Bankers Association, 1995.
lier version appeared in [22].
[24] W.R. A LFORD , A. G RANVILLE , AND [36] ANSI X9.9 ( REVISED ), “American National
C. P OMERANCE , “There are infinitely many Standard – Financial institution message au-
thentication (wholesale)”, ASC X9 Secretariat
Carmichael numbers”, Annals of Mathemat-
ics, 140 (1994), 703–722. – American Bankers Association, 1986 (re-
places X9.9–1982).
[25] H. A MIRAZIZI AND M. H ELLMAN, “Time-
memory-processor trade-offs”, IEEE Trans- [37] ANSI X9.17, “American National Stan-
actions on Information Theory, 34 (1988), dard – Financial institution key management
505–512. (wholesale)”, ASC X9 Secretariat – American
[26] R. A NDERSON, “Practical RSA trapdoor”, Bankers Association, 1985.
Electronics Letters, 29 (May 27, 1993), 995. [38] ANSI X9.19, “American National Standard
[27] , “The classification of hash functions”, – Financial institution retail message authen-
P.G. Farrell, editor, Codes and Cyphers: tication”, ASC X9 Secretariat – American
Cryptography and Coding IV, 83–93, Institute Bankers Association, 1986.
of Mathematics & Its Applications (IMA),
1995. [39] ANSI X9.23, “American National Standard
[28] , “On Fibonacci keystream generators”, – Financial institution encryption of whole-
B. Preneel, editor, Fast Software Encryption, sale financial messages”, ASC X9 Secretariat
– American Bankers Association, 1988.
Second International Workshop (LNCS 1008),
346–352, Springer-Verlag, 1995. [40] ANSI X9.24, “American National Standard
[29] , “Searching for the optimum correla- for Financial Services – Financial services re-
tion attack”, B. Preneel, editor, Fast Software tail key management”, ASC X9 Secretariat –
Encryption, Second International Workshop American Bankers Association, 1992.
(LNCS 1008), 137–143, Springer-Verlag,
1995. [41] ANSI X9.26, “American National Standard
– Financial institution sign-on authentication
[30] R. A NDERSON AND E. B IHAM, “Two prac-
for wholesale financial transactions”, ASC X9
tical and provably secure block ciphers: Secretariat – American Bankers Association,
BEAR and LION”, D. Gollmann, editor, 1990.
Fast Software Encryption, Third International
Workshop (LNCS 1039), 113–120, Springer- [42] ANSI X9.28, “American National Stan-
Verlag, 1996. dard for Financial Services – Financial in-
[31] R. A NDERSON AND R. N EEDHAM, “Robust- stitution multiple center key management
ness principles for public key protocols”, Ad- (wholesale)”, ASC X9 Secretariat – American
vances in Cryptology–CRYPTO ’95 (LNCS Bankers Association, 1991.
963), 236–247, 1995.
[43] ANSI X9.30 (PART 1), “American National
[32] N.C. A NKENY, “The least quadratic non Standard for Financial Services – Public key
residue”, Annals of Mathematics, 55 (1952), cryptography using irreversible algorithms for
65–72. the financial services industry – Part 1: The
[33] ANSI X3.92, “American National Standard digital signature algorithm (DSA)”, ASC X9
– Data Encryption Algorithm”, American Na- Secretariat – American Bankers Association,
tional Standards Institute, 1981. 1995.
1997
c by CRC Press, Inc. — See accompanying notice at front of chapter.
References 705
[44] ANSI X9.30 (PART 2), “American National [56] F. A RNAULT , “Rabin-Miller primality test:
Standard for Financial Services – Public key composite numbers which pass it”, Mathemat-
cryptography using irreversible algorithms ics of Computation, 64 (1995), 355–361.
for the financial services industry – Part 2: [57] A.O.L. ATKIN AND R.G. L ARSON, “On a
The secure hash algorithm (SHA)”, ASC X9 primality test of Solovay and Strassen”, SIAM
Secretariat – American Bankers Association, Journal on Computing, 11 (1982), 789–791.
1993.
[58] A.O.L. ATKIN AND F. M ORAIN, “Elliptic
[45] ANSI X9.31 (PART 1), “American National curves and primality proving”, Mathematics
Standard for Financial Services – Public key of Computation, 61 (1993), 29–68.
cryptography using RSA for the financial ser-
vices industry – Part 1: The RSA signature al- [59] D. ATKINS , M. G RAFF , A.K. L ENSTRA ,
AND P.C. L EYLAND, “The magic words are
gorithm”, draft, 1995.
SQUEAMISH OSSIFRAGE”, Advances in
[46] ANSI X9.31 (PART 2), “American National Cryptology–ASIACRYPT ’94 (LNCS 917),
Standard for Financial Services – Public key 263–277, 1995.
cryptography using RSA for the financial ser-
vices industry – Part 2: Hash algorithms for [60] L. B ABAI, “Trading group theory for random-
RSA”, draft, 1995. ness”, Proceedings of the 17th Annual ACM
Symposium on Theory of Computing, 421–
[47] ANSI X9.42, “Public key cryptography for 429, 1985.
the financial services industry: Management
[61] L. B ABAI AND S. M ORAN, “Arthur-Merlin
of symmetric algorithm keys using Diffie-
games: a randomized proof system, and a
Hellman”, draft, 1995.
hierarchy of complexity classes”, Journal of
[48] ANSI X9.44, “Public key cryptography us- Computer and System Sciences, 36 (1988),
ing reversible algorithms for the financial ser- 254–276.
vices industry: Transport of symmetric algo-
[62] E. B ACH, “Discrete logarithms and factor-
rithm keys using RSA”, draft, 1994.
ing”, Report No. UCB/CSD 84/186, Com-
[49] ANSI X9.45, “Public key cryptography for puter Science Division (EECS), University of
the financial services industry – Enhanced California, Berkeley, California, 1984.
management controls using digital signatures [63] , Analytic Methods in the Analysis and
and attribute certificates”, draft, 1996. Design of Number-Theoretic Algorithms, MIT
[50] ANSI X9.52, “Triple data encryption algo- Press, Cambridge, Massachusetts, 1985. An
rithm modes of operation”, draft, 1996. ACM Distinguished Dissertation.
[51] ANSI X9.55, “Public key cryptography for [64] , “Explicit bounds for primality testing
the financial services industry – Extensions to and related problems”, Mathematics of Com-
public key certificates and certificate revoca- putation, 55 (1990), 355–380.
tion lists”, draft, 1995. [65] , “Number-theoretic algorithms”, An-
[52] ANSI X9.57, “Public key cryptography for nual Review of Computer Science, 4 (1990),
the financial services industry – Certificate 119–172.
management”, draft, 1995. [66] , “Realistic analysis of some random-
[53] K. A OKI AND K. O HTA, “Differential-linear ized algorithms”, Journal of Computer and
cryptanalysis of FEAL-8”, IEICE Transac- System Sciences, 42 (1991), 30–53.
tions on Fundamentals of Electronics, Com- [67] , “Toward a theory of Pollard’s rho
munications and Computer Science, E79-A method”, Information and Computation, 90
(1996), 20–27. (1991), 139–155.
[54] B. A RAZI, “Integrating a key distribution pro- [68] E. B ACH AND J. S HALLIT , “Factoring with
cedure into the digital signature standard”, cyclotomic polynomials”, Proceedings of the
Electronics Letters, 29 (May 27, 1993), 966– IEEE 26th Annual Symposium on Founda-
967. tions of Computer Science, 443–450, 1985.
[55] , “On primality testing using purely di- [69] , “Factoring with cyclotomic polynomi-
visionless operations”, The Computer Jour- als”, Mathematics of Computation, 52 (1989),
nal, 37 (1994), 219–222. 201–219. An earlier version appeared in [68].
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

706 References
[70] , Algorithmic Number Theory, Volume that are probably prime”, Journal of Cryptol-
I: Efficient Algorithms, MIT Press, Cam- ogy, 1 (1988), 53–64.
bridge, Massachusetts, 1996.
[82] P. B ÉGUIN AND J.-J. Q UISQUATER, “Se-
[71] E. B ACH AND J. S ORENSON, “Sieve algo- cure acceleration of DSS signatures using
rithms for perfect power testing”, Algorith- insecure server”, Advances in Cryptology–
mica, 9 (1993), 313–328. ASIACRYPT ’94 (LNCS 917), 249–259, 1995.
[72] A. B AHREMAN, “PEMToolKit: Building a
[83] A. B EIMEL AND B. C HOR, “Interaction
top-down certification hierarchy”, Proceed-
in key distribution schemes”, Advances in
ings of the Internet Society Symposium on Net-
Cryptology–CRYPTO ’93 (LNCS 773), 444–
work and Distributed System Security, 161–
455, 1994.
171, IEEE Computer Society Press, 1995.
[73] T. B ARITAUD , M. C AMPANA , P. C HAU - [84] H. B EKER AND F. P IPER, Cipher Systems:
VAUD , AND H. G ILBERT , “On the security The Protection of Communications, John Wi-
of the permuted kernel identification scheme”, ley & Sons, New York, 1982.
Advances in Cryptology–CRYPTO ’92 (LNCS
[85] H. B EKER AND M. WALKER, “Key manage-
740), 305–311, 1993.
ment for secure electronic funds transfer in a
[74] W. B ARKER, Cryptanalysis of the Hagelin retail environment”, Advances in Cryptology–
Cryptograph, Aegean Park Press, Laguna Proceedings of CRYPTO 84 (LNCS 196),
Hills, California, 1977. 401–410, 1985.
[75] P. B ARRETT , “Implementing the Rivest [86] M. B ELLARE , R. C ANETTI , AND H. K RAW -
Shamir and Adleman public key encryption CZYK, “Keying hash functions for message
algorithm on a standard digital signal proces- authenticaion”, Advances in Cryptology–
sor”, Advances in Cryptology–CRYPTO ’86 CRYPTO ’96 (LNCS 1109), 1–15, 1996.
(LNCS 263), 311–323, 1987.
[76] R.K. B AUER , T.A. B ERSON , AND R.J. [87] M. B ELLARE AND O. G OLDREICH, “On
F EIERTAG, “A key distribution protocol using defining proofs of knowledge”, Advances in
event markers”, ACM Transactions on Com- Cryptology–CRYPTO ’92 (LNCS 740), 390–
puter Systems, 1 (1983), 249–255. 420, 1993.
[77] U. B AUM AND S. B LACKBURN, “Clock- [88] M. B ELLARE , O. G OLDREICH , AND

controlled pseudorandom generators on finite S. G OLDWASSER, “Incremental cryptogra-
groups”, B. Preneel, editor, Fast Software phy: The case of hashing and signing”, Ad-
Encryption, Second International Workshop vances in Cryptology–CRYPTO ’94 (LNCS
(LNCS 1008), 6–21, Springer-Verlag, 1995. 839), 216–233, 1994.
[78] F. B AUSPIESS AND H.-J. K NOBLOCH, [89] , “Incremental cryptography and appli-
“How to keep authenticity alive in a com- cation to virus protection”, Proceedings of the
puter network”, Advances in Cryptology– 27th Annual ACM Symposium on Theory of
EUROCRYPT ’89 (LNCS 434), 38–46, 1990. Computing, 45–56, 1995.
[79] D. B AYER , S. H ABER , AND W.S. S TOR -
[90] M. B ELLARE , R. G U ÉRIN , AND P. R O -
NETTA, “Improving the efficiency and reli-
GAWAY, “XOR MACs: New methods for
ability of digital time-stamping”, R. Capoc-
message authentication using finite pseudo-
elli, A. De Santis, and U. Vaccaro, editors,
random functions”, Advances in Cryptology–
Sequences II: Methods in Communication,
CRYPTO ’95 (LNCS 963), 15–28, 1995.
Security, and Computer Science, 329–334,
Springer-Verlag, 1993. [91] M. B ELLARE , J. K ILIAN , AND P. R OG -
[80] P. B EAUCHEMIN AND G. B RASSARD, “A AWAY, “The security of cipher block chain-
generalization of Hellman’s extension to ing”, Advances in Cryptology–CRYPTO ’94
Shannon’s approach to cryptography”, Jour- (LNCS 839), 341–358, 1994.
nal of Cryptology, 1 (1988), 129–131. [92] M. B ELLARE AND S. M ICALI, “How to sign
[81] P. B EAUCHEMIN , G. B RASSARD , C. given any trapdoor function”, Advances in
C R ÉPEAU , C. G OUTIER , AND C. P OMER - Cryptology–CRYPTO ’88 (LNCS 403), 200–
ANCE , “The generation of random numbers 215, 1990.
1997
References 707
[93] M. B ELLARE AND P. R OGAWAY, “Random [105] , “Augmented encrypted key exchange:
oracles are practical: a paradigm for designing a password-based protocol secure against dic-
efficient protocols”, 1st ACM Conference on tionary attacks and password file compro-
Computer and Communications Security, 62– mise”, 1st ACM Conference on Computer and
73, ACM Press, 1993. Communications Security, 244–250, ACM
Press, 1993.
[94] , “Entity authentication and key dis-
tribution”, Advances in Cryptology–CRYPTO [106] , “An attack on the Interlock Protocol
’93 (LNCS 773), 232–249, 1994. when used for authentication”, IEEE Transac-
tions on Information Theory, 40 (1994), 273–
[95] , “Optimal asymmetric encryption”, 275.
Advances in Cryptology–EUROCRYPT ’94
(LNCS 950), 92–111, 1995. [107] I. B EN -A ROYA AND E. B IHAM, “Differ-
ential cyptanalysis of Lucifer”, Advances in
[96] , “Provably secure session key distribu- Cryptology–CRYPTO ’93 (LNCS 773), 187–
tion – the three party case”, Proceedings of the 199, 1994.
27th Annual ACM Symposium on Theory of
Computing, 57–66, 1995. [108] , “Differential cryptanalysis of Lu-
cifer”, Journal of Cryptology, 9 (1996), 21–
[97] M.J. B ELLER , L.-F. C HANG , AND Y. YA - 34. An earlier version appeared in [107].
COBI , “Privacy and authentication on a
portable communications system”, IEEE [109] M. B EN -O R, “Probabilistic algorithms in fi-
Global Telecommunications Conference, nite fields”, Proceedings of the IEEE 22nd An-
1922–1927, 1991. nual Symposium on Foundations of Computer
Science, 394–398, 1981.
[98] , “Security for personal communica-
[110] J. B ENALOH, “Secret sharing homomor-
tions services: public-key vs. private key
phisms: Keeping shares of a secret secret”,
approaches”, The Third IEEE International
Symposium on Personal, Indoor and Mobile
263), 251–260, 1987.
Radio Communications (PIMRC’92), 26–31,
1992. [111] J. B ENALOH AND M. DE M ARE , “One-
way accumulators: A decentralized alter-
[99] , “Privacy and authentication on a
native to digital signatures”, Advances in
portable communications system”, IEEE
Cryptology–EUROCRYPT ’93 (LNCS 765),
Journal on Selected Areas in Communica-
274–285, 1994.
tions, 11 (1993), 821–829.
[112] J. B ENALOH AND J. L EICHTER, “General-
[100] M.J. B ELLER AND Y. YACOBI, “Minimal ized secret sharing and monotone functions”,
asymmetric authentication and key agree- Advances in Cryptology–CRYPTO ’88 (LNCS
ment schemes”, October 1994 unpublished 403), 27–35, 1990.
manuscript.
[113] S. B ENGIO , G. B RASSARD , Y.G. D ESMEDT,
[101] , “Fully-fledged two-way public key au- C. G OUTIER , AND J.-J. Q UISQUATER, “Se-
thentication and key agreement for low-cost cure implementation of identification sys-
terminals”, Electronics Letters, 29 (May 27, tems”, Journal of Cryptology, 4 (1991), 175–
1993), 999–1001. 183.
[102] S.M. B ELLOVIN AND M. M ERRITT , “Cryp- [114] C. B ENNETT, G. B RASSARD , S. B REID -
tographic protocol for secure communica- BART, AND S. W IESNER , “Quantum cryp-
tions”, U.S. Patent # 5,241,599, 31 Aug 1993. tography, or unforgeable subway tokens”, Ad-
[103] , “Limitations of the Kerberos authen- vances in Cryptology–Proceedings of Crypto
tication system”, Computer Communication 82, 267–275, 1983.
Review, 20 (1990), 119–132. [115] C. B ENNETT, G. B RASSARD , AND A. E K -
ERT , “Quantum cryptography”, Scientific
[104] , “Encrypted key exchange: password-
American, special issue (1997), 164–171.
based protocols secure against dictionary at-
tacks”, Proceedings of the 1992 IEEE Com- [116] S. B ERKOVITS, “How to broadcast a secret”,
puter Society Symposium on Research in Se- Advances in Cryptology–EUROCRYPT ’91
curity and Privacy, 72–84, 1992. (LNCS 547), 535–541, 1991.

708 References
[117] E.R. B ERLEKAMP, “Factoring polynomials [130] , “On modes of operation”, R. Ander-
over finite fields”, Bell System Technical Jour- son, editor, Fast Software Encryption, Cam-
nal, 46 (1967), 1853–1859. bridge Security Workshop (LNCS 809), 116–
[118] , Algebric Coding Theory, McGraw 120, Springer-Verlag, 1994.
Hill, New York, 1968. [131] , “Cryptanalysis of multiple modes
[119] , “Factoring polynomials over large fi- of operation”, Advances in Cryptology–
nite fields”, Mathematics of Computation, 24 ASIACRYPT ’94 (LNCS 917), 278–292, 1995.
(1970), 713–735.
[132] , “On Matsui’s linear cryptanalysis”,
[120] E.R. B ERLEKAMP, R.J. M C E LIECE , AND
H.C.A. VAN T ILBORG, “On the inherent
(LNCS 950), 341–355, 1995.
intractability of certain coding problems”,
IEEE Transactions on Information Theory, 24 [133] E. B IHAM AND A. B IRYUKOV, “How to
(1978), 384–386. strengthen DES using existing hardware”,
[121] D.J. B ERNSTEIN, “Detecting perfect powers Advances in Cryptology–ASIACRYPT ’94
in essentially linear time”, preprint, 1995. (LNCS 917), 398–412, 1995.
[122] D.J. B ERNSTEIN AND A.K. L ENSTRA, “A [134] E. B IHAM AND A. S HAMIR, “Differential
general number field sieve implementation”, cryptanalysis of DES-like cryptosystems”,
A.K. Lenstra and H.W. Lenstra Jr., editors, Journal of Cryptology, 4 (1991), 3–72. An
The Development of the Number Field Sieve, earlier version appeared in [135].
volume 1554 of Lecture Notes in Mathemat-
ics, 103–126, Springer-Verlag, 1993. [135] , “Differential cryptanalysis of DES-
like cryptosystems”, Advances in Cryptology–
[123] T. B ETH, “Efficient zero-knowledge identifi-
CRYPTO ’90 (LNCS 537), 2–21, 1991.
cation scheme for smart cards”, Advances in
Cryptology–EUROCRYPT ’88 (LNCS 330), [136] , “Differential cryptanalysis of Feal
77–84, 1988. and N-Hash”, Advances in Cryptology–
[124] T. B ETH AND Z.-D. D AI, “On the complex- EUROCRYPT ’91 (LNCS 547), 1–16, 1991.
ity of pseudo-random sequences – or: If you [137] , “Differential cryptanalysis of Snefru,
can describe a sequence it can’t be random”, Khafre, REDOC-II, LOKI, and Lucifer”, Ad-
Advances in Cryptology–EUROCRYPT ’89 vances in Cryptology–CRYPTO ’91 (LNCS
(LNCS 434), 533–543, 1990. 576), 156–171, 1992.
[125] T. B ETH , H.-J. K NOBLOCH , M. O TTEN ,
G.J. S IMMONS , AND P. W ICHMANN, “To- [138] , Differential Cryptanalysis of the Data
wards acceptable key escrow systems”, 2nd Encryption Standard, Springer-Verlag, New
ACM Conference on Computer and Commu- York, 1993.
nications Security, 51–58, ACM Press, 1994. [139] , “Differential cryptanalysis of the full
[126] T. B ETH AND F.C. P IPER, “The stop-and- 16-round DES”, Advances in Cryptology–
go generator”, Advances in Cryptology– CRYPTO ’92 (LNCS 740), 487–496, 1993.
Proceedings of EUROCRYPT 84 (LNCS 209),
[140] R. B IRD , I. G OPAL , A. H ERZBERG ,
88–92, 1985.
P. J ANSON , S. K UTTEN , R. M OLVA , AND
[127] J. B IERBRAUER , T. J OHANSSON , G. K A - M. Y UNG, “Systematic design of two-
BATIANSKII , AND B. S MEETS, “On fami- party authentication protocols”, Advances in
lies of hash functions via geometric codes Cryptology–CRYPTO ’91 (LNCS 576), 44–
and concatenation”, Advances in Cryptology– 61, 1992.
CRYPTO ’93 (LNCS 773), 331–342, 1994.
[128] E. B IHAM, “New types of cryptanalytic [141] , “Systematic design of a family of
attacks using related keys”, Advances in attack-resistant authentication protocols”,
Cryptology–EUROCRYPT ’93 (LNCS 765), IEEE Journal on Selected Areas in Commu-
398–409, 1994. nications, 11 (1993), 679–693.
[129] , “New types of cryptanalytic attacks [142] , “The KryptoKnight family of light-
using related keys”, Journal of Cryptology, 7 weight protocols for authentication and key
(1994), 229–246. An earlier version appeared distribution”, IEEE/ACM Transactions on
in [128]. Networking, 3 (1995), 31–41.
1997
References 709
[143] S. B LACKBURN , S. M URPHY, AND J. S TE - [155] D. B LEICHENBACHER AND U. M AURER,

RN, “The cryptanalysis of a public-key imple- “Directed acyclic graphs, one-way func-
mentation of finite group mappings”, Journal tions and digital signatures”, Advances in
of Cryptology, 8 (1995), 157–166. Cryptology–CRYPTO ’94 (LNCS 839), 75–
82, 1994.
[144] R.E. B LAHUT , Principles and Practice of In-
formation Theory, Addison-Wesley, Reading, [156] U. B L ÖCHER AND M. D ICHTL , “Fish: A fast
Massachusetts, 1987. software stream cipher”, R. Anderson, editor,
Fast Software Encryption, Cambridge Secu-
[145] I.F. B LAKE , R. F UJI -H ARA , R.C. M ULLIN , rity Workshop (LNCS 809), 41–44, Springer-
AND S.A. VANSTONE , “Computing loga- Verlag, 1994.
rithms in finite fields of characteristic two”,
SIAM Journal on Algebraic and Discrete [157] R. B LOM, “Non-public key distribution”, Ad-
Methods, 5 (1984), 276–285. vances in Cryptology–Proceedings of Crypto
82, 231–236, 1983.
[146] I.F. B LAKE , S. G AO , AND R. L AMBERT,
[158] , “An optimal class of symmet-
“Constructive problems for irreducible poly-
ric key generation systems”, Advances in
nomials over finite fields”, T.A. Gulliver and
Cryptology–Proceedings of EUROCRYPT 84
N.P. Secord, editors, Information Theory and
(LNCS 209), 335–338, 1985.
Applications (LNCS 793), 1–23, Springer-
Verlag, 1994. [159] L. B LUM , M. B LUM , AND M. S HUB, “Com-
parison of two pseudo-random number gener-
[147] B. B LAKLEY, G.R. B LAKLEY, A.H. C HAN , ators”, Advances in Cryptology–Proceedings
AND J.L. M ASSEY, “Threshold schemes with of Crypto 82, 61–78, 1983.
disenrollment”, Advances in Cryptology–
CRYPTO ’92 (LNCS 740), 540–548, 1993. [160] , “A simple unpredictable pseudo-
random number generator”, SIAM Journal on
[148] G. B LAKLEY, “Safeguarding cryptographic Computing, 15 (1986), 364–383. An earlier
keys”, Proceedings of AFIPS National Com- version appeared in [159].
puter Conference, 313–317, 1979.
[161] M. B LUM, “Independent unbiased coin flips
[149] , “A computer algorithm for calculating from a correlated biased source: a finite state
the product AB modulo M ”, IEEE Transac- Markov chain”, Proceedings of the IEEE 25th
tions on Computers, 32 (1983), 497–500. Annual Symposium on Foundations of Com-
puter Science, 425–433, 1984.
[150] G. B LAKLEY AND I. B OROSH, “Rivest-
Shamir-Adleman public key cryptosystems [162] M. B LUM , A. D E S ANTIS , S. M ICALI ,
do not always conceal messages”, Comput- AND G. P ERSIANO, “Noninteractive zero-
ers and Mathematics with Applications, 5:3 knowledge”, SIAM Journal on Computing, 20
(1979), 169–178. (1991), 1084–1118.
[163] M. B LUM , P. F ELDMAN , AND S. M ICALI,
[151] G. B LAKLEY AND C. M EADOWS, “Security
“Non-interactive zero-knowledge and its ap-
of ramp schemes”, Advances in Cryptology–
plications”, Proceedings of the 20th Annual
Proceedings of CRYPTO 84 (LNCS 196),
ACM Symposium on Theory of Computing,
242–268, 1985.
103–112, 1988.
[152] M. B LAZE , “Protocol failure in the escrowed [164] M. B LUM AND S. G OLDWASSER, “An ef-
encryption standard”, 2nd ACM Conference ficient probabilistic public-key encryption
on Computer and Communications Security, scheme which hides all partial informa-
59–67, ACM Press, 1994. tion”, Advances in Cryptology–Proceedings
[153] D. B LEICHENBACHER, “Generating ElGa- of CRYPTO 84 (LNCS 196), 289–299, 1985.
mal signatures without knowing the secret [165] M. B LUM AND S. M ICALI, “How to generate
key”, Advances in Cryptology–EUROCRYPT cryptographically strong sequences of pseudo
’96 (LNCS 1070), 10–18, 1996. random bits”, Proceedings of the IEEE 23rd
[154] D. B LEICHENBACHER , W. B OSMA , AND Annual Symposium on Foundations of Com-
A.K. L ENSTRA, “Some remarks on Lucas- puter Science, 112–117, 1982.
based cryptosystems”, Advances in Cryptolo- [166] , “How to generate cryptographically
gy–CRYPTO ’95 (LNCS 963), 386–396, 1995. strong sequences of pseudo-random bits”,

710 References
SIAM Journal on Computing, 13 (1984), 850– [179] J. B OYAR, “Inferring sequences produced by
864. An earlier version appeared in [165]. a linear congruential generator missing low-
[167] C. B LUNDO AND A. C RESTI, “Space require- order bits”, Journal of Cryptology, 1 (1989),
ments for broadcast encryption”, Advances in 177–184.
[180] , “Inferring sequences produced by
287–298, 1995.
pseudo-random number generators”, Journal
[168] C. B LUNDO , A. C RESTI , A. D E S ANTIS , of the Association for Computing Machinery,
AND U. VACCARO, “Fully dynamic secret 36 (1989), 129–141.
sharing schemes”, Advances in Cryptology–
CRYPTO ’93 (LNCS 773), 110–125, 1994. [181] J. B OYAR , D. C HAUM , I.B. D AMG ÅRD ,
[169] C. B LUNDO , A. D E S ANTIS , A. H ERZBERG , AND T. P EDERSEN, “Convertible undeni-
S. K UTTEN , U. VACCARO , AND M. Y UNG, able signatures”, Advances in Cryptology–

“Perfectly-secure key distribution for dy- CRYPTO ’90 (LNCS 537), 189–205, 1991.
namic conferences”, Advances in Cryptology– [182] C. B OYD, “Digital multisignatures”, H. Beker
CRYPTO ’92 (LNCS 740), 471–486, 1993. and F. Piper, editors, Cryptography and Cod-
[170] R.V. B OOK AND F. O TTO, “The verifia- ing, Institute of Mathematics & Its Applica-
bility of two-party protocols”, Advances in tions (IMA), 241–246, Clarendon Press, 1989.
254–260, 1986. [183] C. B OYD AND W. M AO, “On a limitation
of BAN logic”, Advances in Cryptology–
[171] A. B OOTH, “A signed binary multiplication
EUROCRYPT ’93 (LNCS 765), 240–247,
technique”, The Quarterly Journal of Me-
1994.
chanics and Applied Mathematics, 4 (1951),
236–240. [184] B.O. B RACHTL , D. C OPPERSMITH , M.M.
[172] J. B OS AND D. C HAUM, “Provably unforge- H YDEN , S.M. M ATYAS J R ., C.H.W.
able signatures”, Advances in Cryptology– M EYER , J. O SEAS , S. P ILPEL , AND
CRYPTO ’92 (LNCS 740), 1–14, 1993. M. S CHILLING, “Data authentication using
[173] J. B OS AND M. C OSTER, “Addition modification detection codes based on a pub-
chain heuristics”, Advances in Cryptology– lic one-way encryption function”, U.S. Patent
CRYPTO ’89 (LNCS 435), 400–407, 1990. # 4,908,861, 13 Mar 1990.
[174] W. B OSMA AND M.-P VAN DER H ULST , [185] S. B RANDS, “Restrictive blinding of secret-
“Faster primality testing”, Advances in key certificates”, Advances in Cryptology–
Cryptology–EUROCRYPT ’89 (LNCS 434), EUROCRYPT ’95 (LNCS 921), 231–247,
652–656, 1990. 1995.
[175] A. B OSSELAERS , R. G OVAERTS , AND
J. VANDEWALLE , “Cryptography within [186] J. B RANDT AND I. D AMG ÅRD, “On gen-
phase I of the EEC-RACE programme”, eration of probable primes by incremental
B. Preneel, R. Govaerts, and J. Vandewalle, search”, Advances in Cryptology–CRYPTO
editors, Computer Security and Industrial ’92 (LNCS 740), 358–370, 1993.
Cryptography: State of the Art and Evolution [187] J. B RANDT, I. D AMG ÅRD , AND P. L AN -
(LNCS 741), 227–234, Springer-Verlag, 1993. DROCK, “Speeding up prime number gener-
[176] , “Comparison of three modular re- ation”, Advances in Cryptology–ASIACRYPT
duction functions”, Advances in Cryptology– ’91 (LNCS 739), 440–449, 1993.
CRYPTO ’93 (LNCS 773), 175–186, 1994.
[188] J. B RANDT, I. D AMG ÅRD , P. L ANDROCK ,
[177] , “Fast hashing on the Pentium”, Ad-
AND T. P EDERSEN, “Zero-knowledge au-
vances in Cryptology–CRYPTO ’96 (LNCS
thentication scheme with secret key ex-
1109), 298–312, 1996.
change”, Advances in Cryptology–CRYPTO
[178] A. B OSSELAERS AND B. P RENEEL , edi- ’88 (LNCS 403), 583–588, 1990.
tors, Integrity Primitives for Secure Informa-
tion Systems: Final Report of RACE Integrity [189] D.K. B RANSTAD, “Encryption protection in
Primitives Evaluation RIPE-RACE 1040, computer data communications”, Proceed-
LNCS 1007, Springer-Verlag, New York, ings of the 4th Data Communications Sympo-
1995. sium (Quebec), 8.1–8.7, IEEE, 1975.
1997
References 711
[190] G. B RASSARD, “A note on the complexity of [204] E.F. B RICKELL , D.M. G ORDON , K.S. M C -
cryptography”, IEEE Transactions on Infor- C URLEY, AND D.B. W ILSON, “Fast expo-
mation Theory, 25 (1979), 232–233. nentiation with precomputation”, Advances in
[191] , “On computationally secure authen-
200–207, 1993.
tication tags requiring short secret shared
keys”, Advances in Cryptology–Proceedings [205] E.F. B RICKELL , P.J. L EE , AND Y. YACOBI,
of Crypto 82, 79–86, 1983. “Secure audio teleconference”, Advances in
[192] , Modern Cryptology: A Tutorial, 426, 1988.
LNCS 325, Springer-Verlag, New York, 1988.
[206] E.F. B RICKELL AND K.S. M C C URLEY, “An
[193] G. B RASSARD , D. C HAUM , AND C. C R ÉPEAU- interactive identification scheme based on dis-
, “Minimum disclosure proofs of knowledge”, crete logarithms and factoring”, Advances in
Journal of Computer and System Sciences, 37 Cryptology–EUROCRYPT ’90 (LNCS 473),
(1988), 156–189. 63–71, 1991.
[194] G. B RASSARD AND C. C R ÉPEAU, “Zero- [207] , “An interactive identification scheme
knowledge simulation of Boolean circuits”, based on discrete logarithms and factoring”,
Advances in Cryptology–CRYPTO ’86 (LNCS Journal of Cryptology, 5 (1992), 29–39. An
263), 223–233, 1987. earlier version appeared in [206].
[208] E.F. B RICKELL AND A.M. O DLYZKO,
[195] , “Sorting out zero-knowledge”, Ad- “Cryptanalysis: A survey of recent results”,
vances in Cryptology–EUROCRYPT ’89 Proceedings of the IEEE, 76 (1988), 578–593.
(LNCS 434), 181–191, 1990.
[209] , “Cryptanalysis: A survey of recent re-
[196] R.P. B RENT , “An improved Monte Carlo fac- sults”, G.J. Simmons, editor, Contemporary
torization algorithm”, BIT, 20 (1980), 176– Cryptology: The Science of Information In-
184. tegrity, 501–540, IEEE Press, 1992. An ear-
[197] R.P. B RENT AND J.M. P OLLARD, “Factor- lier version appeared in [208].
ization of the eighth Fermat number”, Math- [210] J. B RILLHART, D. L EHMER , AND J. S ELF -
ematics of Computation, 36 (1981), 627–630. RIDGE , “New primality criteria and factoriza-
tions of 2m ± 1”, Mathematics of Computa-
[198] D.M. B RESSOUD, Factorization and Primal- tion, 29 (1975), 620–647.
ity Testing, Springer-Verlag, New York, 1989.
[211] J. B RILLHART, D. L EHMER , J. S ELFRIDGE ,
[199] E.F. B RICKELL , “A fast modular multipli- B. T UCKERMAN , AND S. WAGSTAFF
cation algorithm with applications to two J R ., Factorizations of bn ± 1, b =
key cryptography”, Advances in Cryptology– 2, 3, 5, 6, 7, 10, 11, 12 up to High Powers,
Proceedings of Crypto 82, 51–60, 1983. volume 22 of Contemporary Mathematics,
American Mathematical Society, Providence,
[200] , “Breaking iterated knapsacks”,
Rhode Island, 2nd edition, 1988.
Advances in Cryptology–Proceedings of
CRYPTO 84 (LNCS 196), 342–358, 1985. [212] J. B RILLHART AND J. S ELFRIDGE , “Some
factorizations of 2n ± 1 and related results”,
[201] , “The cryptanalysis of knapsack cryp- Mathematics of Computation, 21 (1967), 87–
tosystems”, R.D. Ringeisen and F.S. Roberts, 96.
editors, Applications of Discrete Mathemat-
[213] D. B RILLINGER, Time Series: Data Analy-
ics, 3–23, SIAM, 1988.
sis and Theory, Holden-Day, San Francisco,
[202] E.F. B RICKELL AND J.M. D E L AURENTIS, 1981.
“An attack on a signature scheme proposed [214] L. B ROWN , M. K WAN , J. P IEPRZYK ,
by Okamoto and Shiraishi”, Advances in AND J. S EBERRY, “Improving resistance
Cryptology–CRYPTO ’85 (LNCS 218), 28– to differential cryptanalysis and the re-
32, 1986. design of LOKI”, Advances in Cryptology–
[203] E.F. B RICKELL , D.M. G ORDON , AND K.S. ASIACRYPT ’91 (LNCS 739), 36–50, 1993.
M C C URLEY, “Method for exponentiating [215] L. B ROWN , J. P IEPRZYK , AND J. S EBERRY,
in cryptographic systems”, U.S. Patent # “LOKI – a cryptographic primitive for authen-
5,299,262, 29 Mar 1994. tication and secrecy applications”, Advances

712 References
in Cryptology–AUSCRYPT ’90 (LNCS 453), [228] J.L. C AMENISCH , J.-M. P IVETEAU , AND
229–236, 1990. M.A. S TADLER, “Blind signatures based on
[216] J. B UCHMANN AND S. D ÜLLMANN, “On the the discrete logarithm problem”, Advances in
computation of discrete logarithms in class Cryptology–EUROCRYPT ’94 (LNCS 950),
groups”, Advances in Cryptology–CRYPTO 428–432, 1995.
’90 (LNCS 537), 134–139, 1991. [229] K.W. C AMPBELL AND M.J. W IENER, “DES
[217] J. B UCHMANN , J. L OHO , AND J. Z AYER, is not a group”, Advances in Cryptology–
“An implementation of the general num- CRYPTO ’92 (LNCS 740), 512–520, 1993.
ber field sieve”, Advances in Cryptology– [230] C.M. C AMPBELL J R ., “Design and speci-
CRYPTO ’93 (LNCS 773), 159–165, 1994. fication of cryptographic capabilities”, D.K.
Branstad, editor, Computer security and the
[218] J. B UCHMANN AND H.C. W ILLIAMS, “A
Data Encryption Standard, 54–66, NBS Spe-
key-exchange system based on imaginary
cial Publication 500-27, U.S. Department of
quadratic fields”, Journal of Cryptology, 1
Commerce, National Bureau of Standards,
(1988), 107–118.
Washington, D.C., 1977.
[219] J.P. B UHLER , H.W. L ENSTRA J R ., AND
[231] E.R. C ANFIELD , P. E RD ÖS , AND C. P OM -
C. P OMERANCE , “Factoring integers with the
ERANCE , “On a problem of Oppenheim con-
number field sieve”, A.K. Lenstra and H.W.
cerning ‘Factorisatio Numerorum’”, Journal
Lenstra Jr., editors, The Development of the
of Number Theory, 17 (1983), 1–28.
Number Field Sieve, volume 1554 of Lec-
ture Notes in Mathematics, 50–94, Springer- [232] D.G. C ANTOR AND H. Z ASSENHAUS, “A
Verlag, 1993. new algorithm for factoring polynomials over
finite fields”, Mathematics of Computation, 36
[220] M. B URMESTER, “On the risk of opening
(1981), 587–592.
distributed keys”, Advances in Cryptology–
CRYPTO ’94 (LNCS 839), 308–317, 1994. [233] J.L. C ARTER AND M.N. W EGMAN, “Uni-
versal classes of hash functions”, Proceedings
[221] M. B URMESTER AND Y. D ESMEDT , “Re- of the 9th Annual ACM Symposium on Theory
marks on soundness of proofs”, Electronics of Computing, 106–112, 1977.
Letters, 25 (October 26, 1989), 1509–1511.
[234] , “Universal classes of hash functions”,
[222] , “A secure and efficient confer- Journal of Computer and System Sciences, 18
ence key distribution system”, Advances in (1979), 143–154. An earlier version appeared
Cryptology–EUROCRYPT ’94 (LNCS 950), in [233].
275–286, 1995.
[235] F. C HABAUD, “On the security of some cryp-
[223] M. B URMESTER , Y. D ESMEDT, F. P IPER , tosystems based on error-correcting codes”,
AND M. WALKER , “A general zero- Advances in Cryptology–EUROCRYPT ’94
knowledge scheme”, Advances in Cryptology– (LNCS 950), 131–139, 1995.
EUROCRYPT ’89 (LNCS 434), 122–133,
[236] G.J. C HAITIN, “On the length of programs for
1990.
computing finite binary sequences”, Journal
[224] M. B URROWS , M. A BADI , AND R. N EED - of the Association for Computing Machinery,
HAM, “A logic of authentication”, Proceed- 13 (1966), 547–569.
ings of the Royal Society of London Series
[237] W.G. C HAMBERS, “Clock-controlled shift
A: Mathematical and Physical Sciences, 246
registers in binary sequence generators”, IEE
(1989), 233–271. Preliminary version ap-
Proceedings E – Computers and Digital Tech-
peared as 1989 version of [227].
niques, 135 (1988), 17–24.
[225] , “A logic of authentication”, Proceed- [238] , “Two stream ciphers”, R. Ander-
ings of the 12th Annual ACM Symposium on son, editor, Fast Software Encryption, Cam-
Operating Systems Principles, 1–13, 1989. bridge Security Workshop (LNCS 809), 51–
[226] , “A logic of authentication”, ACM 55, Springer-Verlag, 1994.
Transactions on Computer Systems, 8 (1990), [239] W.G. C HAMBERS AND D. G OLLMANN,
18–36. “Lock-in effect in cascades of clock-
[227] , “A logic of authentication”, DEC SRC controlled shift-registers”, Advances in
report #39, Digital Equipment Corporation, Cryptology–EUROCRYPT ’88 (LNCS 330),
Palo Alto, CA, Feb. 1989. Revised Feb. 1990. 331–343, 1988.
1997
References 713
[240] B. C HAR , K. G EDDES , G. G ONNET, [253] D. C HAUM AND E. VAN H EIJST , “Group sig-
B. L EONG , M. M ONAGAN , AND S. WATT , natures”, Advances in Cryptology–EUROCR-
Maple V Library Reference Manual, Springer- YPT ’91 (LNCS 547), 257–265, 1991.
Verlag, New York, 1991.
[254] D. C HAUM , E. VAN H EIJST, AND B. P FITZ -
[241] C. C HARNES , L. O’C ONNOR , J. P IEPRZYK ,
MANN, “Cryptographically strong undeni-
R. S AFAVI -N AINI , AND Y. Z HENG, “Com-
able signatures, unconditionally secure for the
ments on Soviet encryption algorithm”, Ad-
signer”, Advances in Cryptology–CRYPTO
vances in Cryptology–EUROCRYPT ’94
’91 (LNCS 576), 470–484, 1992.
(LNCS 950), 433–438, 1995.
[242] D. C HAUM, “Blind signatures for untrace- [255] L. C HEN AND T.P. P EDERSEN, “New group
able payments”, Advances in Cryptology– signature schemes”, Advances in Cryptology–
Proceedings of Crypto 82, 199–203, 1983. EUROCRYPT ’94 (LNCS 950), 171–181,
[243] , “Security without identification: 1995.
transaction systems to make big brother obso-
[256] V. C HEPYZHOV AND B. S MEETS, “On a fast
lete”, Communications of the ACM, 28 (1985),
correlation attack on certain stream ciphers”,
1030–1044.
[244] , “Demonstrating that a public predicate (LNCS 547), 176–185, 1991.
can be satisfied without revealing any infor-
mation about how”, Advances in Cryptology– [257] B. C HOR AND O. G OLDREICH, “Unbiased
CRYPTO ’86 (LNCS 263), 195–199, 1987. bits from sources of weak randomness and
[245] , “Blinding for unanticipated signa- probabilistic communication complexity”,
tures”, Advances in Cryptology–EUROCRYPT Proceedings of the IEEE 26th Annual Sym-
’87 (LNCS 304), 227–233, 1988. posium on Foundations of Computer Science,
[246] , “Zero-knowledge undeniable signa- 429–442, 1985.
tures”, Advances in Cryptology–EUROCRYPT [258] , “Unbiased bits from sources of weak
’90 (LNCS 473), 458–464, 1991. randomness and probabilistic communication
[247] , “Designated confirmer signatures”, complexity”, SIAM Journal on Computing, 17
Advances in Cryptology–EUROCRYPT ’94 (1988), 230–261. An earlier version appeared
(LNCS 950), 86–91, 1995. in [257].
[248] D. C HAUM , J.-H. E VERTSE , AND J. VAN DE
G RAAF, “An improved protocol for demon- [259] B. C HOR , S. G OLDWASSER , S. M ICALI ,
strating possession of discrete logarithms AND B. AWERBUCH, “Verifiable secret shar-
and some generalizations”, Advances in ing and achieving simultaneity in the presence
Cryptology–EUROCRYPT ’87 (LNCS 304), of faults”, Proceedings of the IEEE 26th An-
127–141, 1988. nual Symposium on Foundations of Computer
Science, 383–395, 1985.
[249] D. C HAUM , J.-H. E VERTSE , J. VAN DE
G RAAF, AND R. P ERALTA, “Demonstrating [260] B. C HOR AND R.L. R IVEST , “A knap-
possession of a discrete logarithm without re- sack type public key cryptosystem based
vealing it”, Advances in Cryptology–CRYPTO on arithmetic in finite fields”, Advances
’86 (LNCS 263), 200–212, 1987. in Cryptology–Proceedings of CRYPTO 84
[250] D. C HAUM , A. F IAT, AND M. N AOR, (LNCS 196), 54–65, 1985.
“Untraceable electronic cash”, Advances in
Cryptology–CRYPTO ’88 (LNCS 403), 319– [261] , “A knapsack-type public key cryp-
327, 1990. tosystem based on arithmetic in finite fields”,
IEEE Transactions on Information Theory, 34
[251] D. C HAUM AND T.P. P EDERSEN, “Wal-
(1988), 901–909. An earlier version appeared
let databases with observers”, Advances in
in [260].
105, 1993. [262] A. C LARK , J. G OLI Ć , AND E. D AWSON,
[252] D. C HAUM AND H. VAN A NTWER - “A comparison of fast correlation attacks”,
PEN, “Undeniable signatures”, Advances in D. Gollmann, editor, Fast Software Encryp-
Cryptology–CRYPTO ’89 (LNCS 435), 212– tion, Third International Workshop (LNCS
216, 1990. 1039), 145–157, Springer-Verlag, 1996.

714 References
[263] H. C OHEN, A Course in Computational Al- [277] D. C OPPERSMITH , M. F RANKLIN , J. PATA -

gebraic Number Theory, Springer-Verlag, RIN , AND M. R EITER , “Low-exponent
Berlin, 1993. RSA with related messages”, Advances in
[264] H. C OHEN AND A.K. L ENSTRA, “Imple- Cryptology–EUROCRYPT ’96 (LNCS 1070),
mentation of a new primality test”, Mathemat- 1–9, 1996.
ics of Computation, 48 (1987), 103–121. [278] D. C OPPERSMITH , D.B. J OHNSON , AND
[265] H. C OHEN AND H.W. L ENSTRA J R ., “Pri- S.M. M ATYAS, “A proposed mode for triple-
mality testing and Jacobi sums”, Mathematics DES encryption”, IBM Journal of Research
of Computation, 42 (1984), 297–330. and Development, 40 (1996), 253–261.
[266] D. C OPPERSMITH, “Fast evaluation of loga- [279] D. C OPPERSMITH , H. K RAWCZYK , AND
rithms in fields of characteristic two”, IEEE Y. M ANSOUR, “The shrinking generator”,
Transactions on Information Theory, 30 Advances in Cryptology–CRYPTO ’93 (LNCS
(1984), 587–594. 773), 22–39, 1994.
[267] , “Another birthday attack”, Advances [280] D. C OPPERSMITH , A.M. O DLZYKO , AND
in Cryptology–CRYPTO ’85 (LNCS 218), 14– R. S CHROEPPEL , “Discrete logarithms in
17, 1986. GF (p)”, Algorithmica, 1 (1986), 1–15.
[268] , “The real reason for Rivest’s [281] D. C OPPERSMITH AND P. R OGAWAY,
phenomenon”, Advances in Cryptology– “Software-efficient pseudorandom function
CRYPTO ’85 (LNCS 218), 535–536, 1986. and the use thereof for encryption”, U.S.
[269] , “Modifications to the number field Patent # 5,454,039, 26 Sep 1995.
sieve”, Journal of Cryptology, 6 (1993), 169– [282] T.H. C ORMEN , C.E. L EISERSON , AND R.L.
180. R IVEST , Introduction to Algorithms, MIT
[270] , “Solving linear equations over Press, Cambridge, Massachusetts, 1990.
GF (2): Block Lanczos algorithm”, Linear [283] M.J. C OSTER , A. J OUX , B.A. L A M AC -
Algebra and its Applications, 192 (1993), 33– CHIA , A.M. O DLYZKO , C.P. S CHNORR ,
60. AND J. S TERN, “Improved low-density subset
[271] , “The Data Encryption Standard (DES) sum algorithms”, Computational Complexity,
and its strength against attacks”, IBM Jour- 2 (1992), 111–128.
nal of Research and Development, 38 (1994), [284] J.-M. C OUVEIGNES, “Computing a square
243–250. root for the number field sieve”, A.K. Lenstra
[272] , “Solving homogeneous linear equa- and H.W. Lenstra Jr., editors, The Develop-
tions over GF(2) via block Wiedemann al- ment of the Number Field Sieve, volume 1554
gorithm”, Mathematics of Computation, 62 of Lecture Notes in Mathematics, 95–102,
(1994), 333–350. Springer-Verlag, 1993.
[273] , “Finding a small root of a bivari- [285] T. C OVER AND R. K ING, “A convergent
ate integer equation; factoring with high gambling estimate of the entropy of English”,
bits known”, Advances in Cryptology– IEEE Transactions on Information Theory, 24
EUROCRYPT ’96 (LNCS 1070), 178–189, (1978), 413–421.
1996. [286] R.E. C RANDALL , “Method and apparatus for
[274] , “Finding a small root of a univariate public key exchange in a cryptographic sys-
modular equation”, Advances in Cryptology– tem”, U.S. Patent # 5,159,632, 27 Oct 1992.
EUROCRYPT ’96 (LNCS 1070), 155–165, [287] , “Method and apparatus for pub-
1996. lic key exchange in a cryptographic sys-
[275] , “Analysis of ISO/CCITT Document tem”, U.S. Patent # 5,271,061, 14 Dec 1993
X.509 Annex D”, memorandum, IBM T.J. (continuation-in-part of 5,159,632).
Watson Research Center, Yorktown Heights, [288] R.A. C ROFT AND S.P. H ARRIS, “Public-key
N.Y., 10598, U.S.A., June 11 1989. cryptography and re-usable shared secrets”,
[276] , “Two broken hash functions”, IBM H. Beker and F. Piper, editors, Cryptogra-
Research Report RC 18397, IBM T.J. Wat- phy and Coding, Institute of Mathematics &
son Research Center, Yorktown Heights, N.Y., Its Applications (IMA), 189–201, Clarendon
10598, U.S.A., Oct. 6 1992. Press, 1989.
1997
References 715
[289] J. D AEMEN, Cipher and hash function de- [301] H. D AVENPORT , “Bases for finite fields”, The
sign, PhD thesis, Katholieke Universiteit Leu- Journal of the London Mathematical Society,
ven (Belgium), 1995. 43 (1968), 21–39.
[290] J. D AEMEN , R. G OVAERTS , AND J. VAN - [302] G.I. D AVIDA, “Chosen signature cryptanaly-
DEWALLE , “A new approach to block ci- sis of the RSA (MIT) public key cryptosys-
pher design”, R. Anderson, editor, Fast Soft- tem”, Technical Report TR-CS-82-2, Depart-
ware Encryption, Cambridge Security Work- ment of Electrical Engineering and Computer
shop (LNCS 809), 18–32, Springer-Verlag, Science, University of Wisconsin, Milwau-
1994. kee, WI, 1982.
[291] , “Resynchronization weaknesses in [303] D.W. D AVIES, “Some regular properties
synchronous stream ciphers”, Advances in of the ‘Data Encryption Standard’ algo-
Cryptology–EUROCRYPT ’93 (LNCS 765), rithm”, Advances in Cryptology–Proceedings
159–167, 1994. of Crypto 82, 89–96, 1983.
[292] , “Weak keys for IDEA”, Advances in [304] , “A message authenticator algo-
Cryptology–CRYPTO ’93 (LNCS 773), 224– rithm suitable for a mainframe computer”,
231, 1994. Advances in Cryptology–Proceedings of
CRYPTO 84 (LNCS 196), 393–400, 1985.
[293] Z.-D D AI, “Proof of Rueppel’s linear com-
plexity conjecture”, IEEE Transactions on In- [305] , “Schemes for electronic funds trans-
formation Theory, 32 (1986), 440–443. fer at the point of sale”, K.M. Jackson and
J. Hruska, editors, Computer Security Refer-
[294] Z.-D. D AI AND J.-H. YANG, “Linear
ence Book, 667–689, CRC Press, 1992.
complexity of periodically repeated ran-
dom sequences”, Advances in Cryptology– [306] D.W. D AVIES AND D.O. C LAYDEN, “The
EUROCRYPT ’91 (LNCS 547), 168–175, message authenticator algorithm (MAA) and
1991. its implementation”, Report DITC 109/88,
National Physical Laboratory, U.K., February
[295] I.B. D AMG ÅRD, “Collision free hash func-
1988.
tions and public key signature schemes”,
Advances in Cryptology–EUROCRYPT ’87 [307] D.W. D AVIES AND G.I.P. PARKIN, “The
(LNCS 304), 203–216, 1988. average cycle size of the key stream in out-
put feedback encipherment”, Advances in
[296] , “A design principle for hash func-
Cryptology–Proceedings of Crypto 82, 97–98,
tions”, Advances in Cryptology–CRYPTO ’89
1983.
(LNCS 435), 416–427, 1990.
[308] D.W. D AVIES AND W.L. P RICE , Security for
[297] , “Towards practical public key systems
Computer Networks, John Wiley & Sons, New
secure against chosen ciphertext attacks”, Ad-
York, 2nd edition, 1989.
576), 445–456, 1992. [309] D. D AVIS , R. I HAKA , AND P. F ENSTER -
MACHER , “Cryptographic randomness from
[298] , “Practical and provably secure re-
air turbulence in disk drives”, Advances in
lease of a secret and exchange of signatures”,
120, 1994.
(LNCS 765), 200–217, 1994.
[310] D. D AVIS AND R. S WICK, “Network security
[299] I.B. D AMG ÅRD AND P. L ANDROCK, “Im-
via private-key certificates”, Operating Sys-
proved bounds for the Rabin primality test”,
tems Review, 24 (1990), 64–67.
M.J. Ganley, editor, Cryptography and Cod-
ing III, volume 45 of Institute of Mathematics [311] J.A. D AVIS , D.B. H OLDRIDGE , AND G.J.
& Its Applications (IMA), 117–128, Claren- S IMMONS, “Status report on factoring (at
don Press, 1993. the Sandia National Labs)”, Advances in
Cryptology–Proceedings of EUROCRYPT 84
[300] I.B. D AMG ÅRD , P. L ANDROCK , AND
(LNCS 209), 183–215, 1985.
C. P OMERANCE , “Average case error esti-
mates for the strong probable prime test”, [312] E. D AWSON, “Cryptanalysis of summa-
Mathematics of Computation, 61 (1993), 177– tion generator”, Advances in Cryptology–
194. AUSCRYPT ’92 (LNCS 718), 209–215, 1993.

716 References
[313] W. DE J ONGE AND D. C HAUM, “Attacks [325] , “Collisions for the compression func-
on some RSA signatures”, Advances in tion of MD5”, Advances in Cryptology–
Cryptology–CRYPTO ’85 (LNCS 218), 18– EUROCRYPT ’93 (LNCS 765), 293–304,
27, 1986. 1994.
[314] P. DE R OOIJ, “On the security of the Schnorr [326] D.E. D ENNING, Cryptography and Data
scheme using preprocessing”, Advances in Security, Addison-Wesley, Reading, Mas-
Cryptology–EUROCRYPT ’91 (LNCS 547), sachusetts, 1983. Reprinted with corrections.
71–80, 1991. [327] , “Digital signatures with RSA and
[315] , “On Schnorr’s preprocessing for other public-key cryptosystems”, Communi-
digital signature schemes”, Advances in cations of the ACM, 27 (1984), 388–392.
Cryptology–EUROCRYPT ’93 (LNCS 765), [328] , “To tap or not to tap”, Communica-
435–439, 1994. tions of the ACM, 36 (1993), 24–44.
[316] , “Efficient exponentiation using pre- [329] D.E. D ENNING AND D.K. B RANSTAD, “A
computation and vector addition chains”, taxonomy for key escrow encryption sys-
Advances in Cryptology–EUROCRYPT ’94 tems”, Communications of the ACM, 39
(LNCS 950), 389–399, 1995. (1996), 34–40.
[317] A. D E S ANTIS , S. M ICALI , AND G. P ER - [330] D.E. D ENNING AND G.M. S ACCO, “Times-
SIANO, “Non-interactive zero-knowledge tamps in key distribution protocols”, Commu-
proof systems”, Advances in Cryptology– nications of the ACM, 24 (1981), 533–536.
CRYPTO ’87 (LNCS 293), 52–72, 1988. [331] D.E. D ENNING AND M. S MID, “Key escrow-
ing today”, IEEE Communications Magazine,
[318] A. D E S ANTIS AND M. Y UNG, “On the
32 (September 1994), 58–68.
design of provably secure cryptographic
hash functions”, Advances in Cryptology– [332] J. B. D ENNIS AND E. C. VAN H ORN, “Pro-
EUROCRYPT ’90 (LNCS 473), 412–431, gramming semantics for multiprogrammed
1991. computations”, Communications of the ACM,
9 (1966), 143–155.
[319] D. DE WALEFFE AND J.-J. Q UISQUATER,
“Better login protocols for computer net- [333] T. D ENNY, B. D ODSON , A.K. L ENSTRA ,
works”, B. Preneel, R. Govaerts, and J. Vande- AND M.S. M ANASSE , “On the factoriza-
walle, editors, Computer Security and Indus- tion of RSA-120”, Advances in Cryptology–
trial Cryptography: State of the Art and Evo- CRYPTO ’93 (LNCS 773), 166–174, 1994.
lution (LNCS 741), 50–70, Springer-Verlag, [334] D EPARTMENT OF D EFENSE (U.S.), “Depart-
1993. ment of defense password management guide-
line”, CSC-STD-002-85, Department of De-
[320] J.M. D E L AURENTIS, “A further weakness in
fense Computer Security Center, Fort Meade,
the common modulus protocol for the RSA
Maryland, 1985.
cryptoalgorithm”, Cryptologia, 8 (1984),
253–259. [335] Y. D ESMEDT , “Unconditionally secure
authentication schemes and practical and
[321] N. D EMYTKO, “A new elliptic curve based
theoretical consequences”, Advances in
analogue of RSA”, Advances in Cryptology–
EUROCRYPT ’93 (LNCS 765), 40–49, 1994.
55, 1986.
[322] B. DEN B OER, “Cryptanalysis of F.E.A.L.”, [336] , “Society and group oriented cryp-
Advances in Cryptology–EUROCRYPT ’88 tography: A new concept”, Advances in
(LNCS 330), 293–299, 1988. Cryptology–CRYPTO ’87 (LNCS 293), 120–
[323] , “Diffie-Hellman is as strong as dis- 127, 1988.
crete log for certain primes”, Advances in [337] , “Threshold cryptography”, Euro-
Cryptology–CRYPTO ’88 (LNCS 403), 530– pean Transactions on Telecommunications, 5
539, 1990. (1994), 449–457.
[324] B. DEN B OER AND A. B OSSELAERS, “An [338] , “Securing traceability of ciphertexts –
attack on the last two rounds of MD4”, Ad- Towards a secure software key escrow sys-
vances in Cryptology–CRYPTO ’91 (LNCS tem”, Advances in Cryptology–EUROCRYPT
576), 194–203, 1992. ’95 (LNCS 921), 147–157, 1995.
1997
References 717
[339] Y. D ESMEDT AND M. B URMESTER, “To- [352] H. D OBBERTIN, “Cryptanalysis of MD4”,

wards practical ‘proven secure’ authenti- Journal of Cryptology, to appear.
cated key distribution”, 1st ACM Conference
[353] , “RIPEMD with two-round compress
on Computer and Communications Security,
function is not collision-free”, Journal of
228–231, ACM Press, 1993.
Cryptology, to appear; announced at rump
[340] Y. D ESMEDT, C. G OUTIER , AND S. B EN - session, Eurocrypt ’95.
GIO, “Special uses and abuses of the Fiat-
Shamir passport protocol”, Advances in [354] , “Cryptanalysis of MD4”, D. Goll-
Cryptology–CRYPTO ’87 (LNCS 293), 21– mann, editor, Fast Software Encryption, Third
39, 1988. International Workshop (LNCS 1039), 53–69,
Springer-Verlag, 1996.
[341] Y. D ESMEDT AND A.M. O DLYZKO, “A cho-
sen text attack on the RSA cryptosystem [355] H. D OBBERTIN , A. B OSSELAERS , AND
and some discrete logarithm schemes”, Ad- B. P RENEEL , “RIPEMD-160: a strengthened
vances in Cryptology–CRYPTO ’85 (LNCS version of RIPEMD”, D. Gollmann, editor,
218), 516–522, 1986. Fast Software Encryption, Third International
[342] W. D IFFIE , “The first ten years of public-key Workshop (LNCS 1039), 71–82, Springer-
cryptography”, Proceedings of the IEEE, 76 Verlag, 1996.
(1988), 560–577. [356] B. D ODSON AND A.K. L ENSTRA, “NFS with
[343] , “The first ten years of public key cryp- four large primes: An explosive experiment”,
tology”, G.J. Simmons, editor, Contemporary Advances in Cryptology–CRYPTO ’95 (LNCS
Cryptology: The Science of Information In- 963), 372–385, 1995.
tegrity, 135–175, IEEE Press, 1992. An ear- [357] D. D OLEV, C. D WORK , AND M. N AOR,
lier version appeared in [342]. “Non-malleable cryptography”, Proceedings
[344] W. D IFFIE AND M.E. H ELLMAN, “Mul- of the 23rd Annual ACM Symposium on The-
tiuser cryptographic techniques”, Proceed- ory of Computing, 542–552, 1991.
ings of AFIPS National Computer Confer-
[358] D. D OLEV AND A.C. YAO, “On the secu-
ence, 109–112, 1976.
rity of public key protocols”, Proceedings of
[345] , “New directions in cryptography”, the IEEE 22nd Annual Symposium on Foun-
IEEE Transactions on Information Theory, 22 dations of Computer Science, 350–357, 1981.
(1976), 644–654.
[359] , “On the security of public key proto-
[346] , “Exhaustive cryptanalysis of the NBS
cols”, IEEE Transactions on Information The-
Data Encryption Standard”, Computer, 10
ory, 29 (1983), 198–208. An earlier version
(1977), 74–84.
appeared in [358].
[347] , “Privacy and authentication: An intro-
duction to cryptography”, Proceedings of the [360] P. D OWNEY, B. L EONG , AND R. S ETHI,
IEEE, 67 (1979), 397–427. “Computing sequences with addition chains”,
SIAM Journal on Computing, 10 (1981), 638–
[348] W. D IFFIE , P.C. VAN O ORSCHOT, AND M.J. 646.
W IENER, “Authentication and authenticated
key exchanges”, Designs, Codes and Cryp- [361] S.R. D USS É AND B.S. K ALISKI J R .,
tography, 2 (1992), 107–125. “A cryptographic library for the Motorola
[349] C. D ING, “The differential cryptanalysis and DSP 56000”, Advances in Cryptology–
design of natural stream ciphers”, R. Ander- EUROCRYPT ’90 (LNCS 473), 230–244,
son, editor, Fast Software Encryption, Cam- 1991.
bridge Security Workshop (LNCS 809), 101– [362] H. E BERLE , “A high-speed DES implemen-
115, Springer-Verlag, 1994. tation for network applications”, Advances in
[350] B. D IXON AND A.K. L ENSTRA, “Massively Cryptology–CRYPTO ’92 (LNCS 740), 521–
parallel elliptic curve factoring”, Advances in 539, 1993.
Cryptology–EUROCRYPT ’92 (LNCS 658), [363] W. F. E HRSAM , C.H.W. M EYER , R.L.
183–193, 1993. P OWERS , J.L. S MITH , AND W.L. T UCH -
[351] J.D. D IXON, “Asymptotically fast factoriza- MAN, “Product block cipher system for data
tion of integers”, Mathematics of Computa- security”, U.S. Patent # 3,962,539, 8 Jun
tion, 36 (1981), 255–260. 1976.

718 References
[364] W.F. E HRSAM , S.M. M ATYAS , C.H. [376] S. E VEN AND O. G OLDREICH, “On the
M EYER , AND W.L. T UCHMAN, “A crypto- power of cascade ciphers”, ACM Transactions
graphic key management scheme for imple- on Computer Systems, 3 (1985), 108–116.
menting the Data Encryption Standard”, IBM [377] S. E VEN , O. G OLDREICH , AND S. M I -
Systems Journal, 17 (1978), 106–125. CALI , “On-line/off-line digital signatures”,
[365] E LECTRONIC I NDUSTRIES A SSOCIATION Advances in Cryptology–CRYPTO ’89 (LNCS
(EIA), “Dual-mode mobile station – base 435), 263–275, 1990.
station compatibility standard”, EIA Interim [378] , “On-line/off-line digital signatures”,
Standard IS-54 Revision B (Rev. B), 1992. Journal of Cryptology, 9 (1996), 35–67. An
earlier version appeared in [377].
[366] T. E L G AMAL , Cryptography and logarithms
over finite fields, PhD thesis, Stanford Univer- [379] S. E VEN AND Y. YACOBI, “Cryptocomplex-
sity, 1984. ity and NP-completeness”, J.W. de Bakker
and J. van Leeuwen, editors, Automata, Lan-
[367] , “A public key cryptosystem and a sig- guages, and Programming, 7th Colloquium
nature scheme based on discrete logarithms”, (LNCS 85), 195–207, Springer-Verlag, 1980.
Advances in Cryptology–Proceedings of
[380] D. E VERETT , “Identity verification and bio-
CRYPTO 84 (LNCS 196), 10–18, 1985.
metrics”, K.M. Jackson and J. Hruska, edi-
[368] , “A public key cryptosystem and a sig- tors, Computer Security Reference Book, 37–
nature scheme based on discrete logarithms”, 73, CRC Press, 1992.
IEEE Transactions on Information Theory, 31 [381] J.-H. E VERTSE AND E. VAN H EIJST , “Which
(1985), 469–472. An earlier version appeared new RSA-signatures can be computed from
in [367]. certain given RSA-signatures?”, Journal of
[369] , “A subexponential-time algorithm for Cryptology, 5 (1992), 41–52.
computing discrete logarithms over GF(p2 )”, [382] R.C. FAIRFIELD , R.L. M ORTENSON , AND
IEEE Transactions on Information Theory, 31 K.B. C OULTHART , “An LSI random number
(1985), 473–481. generator (RNG)”, Advances in Cryptology–
[370] P. E LIAS, “The efficient construction of an Proceedings of CRYPTO 84 (LNCS 196),
unbiased random sequence”, The Annals of 203–230, 1985.
Mathematical Statistics, 43 (1972), 865–870. [383] U. F EIGE , A. F IAT, AND A. S HAMIR, “Zero-
knowledge proofs of identity”, Journal of
[371] , “Interval and recency rank source en-
Cryptology, 1 (1988), 77–94.
coding: Two on-line adaptive variable-length
schemes”, IEEE Transactions on Information [384] U. F EIGE AND A. S HAMIR, “Witness indis-
Theory, 33 (1987), 3–10. tinguishable and witness hiding protocols”,
Proceedings of the 22nd Annual ACM Sym-
[372] E.D. E RDMANN, “Empirical tests of binary posium on Theory of Computing, 416–426,
keystreams”, Master’s thesis, Department of 1990.
Mathematics, Royal Holloway and Bedford
[385] H. F EISTEL , “Block cipher cryptographic
New College, University of London, 1992.
system”, U.S. Patent # 3,798,359, 19 Mar
[373] P. E RD ÖS AND C. P OMERANCE , “On the 1974.
number of false witnesses for a composite [386] , “Step code ciphering system”, U.S.
number”, Mathematics of Computation, 46 Patent # 3,798,360, 19 Mar 1974.
(1986), 259–279.
[387] , “Cryptography and computer pri-
[374] D. E STES , L.M. A DLEMAN , K. K OMPELLA , vacy”, Scientific American, 228 (May 1973),
K.S. M C C URLEY, AND G.L. M ILLER, 15–23.
“Breaking the Ong-Schnorr-Shamir signa- [388] H. F EISTEL , W.A. N OTZ , AND J.L. S MITH,
ture scheme for quadratic number fields”, Ad- “Some cryptographic techniques for machine-
vances in Cryptology–CRYPTO ’85 (LNCS to-machine data communications”, Proceed-
218), 3–13, 1986. ings of the IEEE, 63 (1975), 1545–1554.
[375] A. E VANS J R ., W. K ANTROWITZ , AND [389] F.A. F ELDMAN, “Fast spectral tests for mea-
E. W EISS, “A user authentication scheme not suring nonrandomness and the DES”, Ad-
requiring secrecy in the computer”, Commu- vances in Cryptology–CRYPTO ’87 (LNCS
nications of the ACM, 17 (1974), 437–442. 293), 243–254, 1988.
1997
References 719
[390] P. F ELDMAN, “A practical scheme for non- Publication 113, U.S. Department of Com-
interactive verifiable secret sharing”, Pro- merce/National Bureau of Standards, National
ceedings of the IEEE 28th Annual Symposium Technical Information Service, Springfield,
on Foundations of Computer Science, 427– Virginia, 1985.
437, 1987.
[401] FIPS 140-1, “Security requirements for cryp-
[391] D.C. F ELDMEIER AND P.R. K ARN, “UNIX tographic modules”, Federal Information Pro-
password security – ten years later”, Advances cessing Standards Publication 140-1, U.S.
in Cryptology–CRYPTO ’89 (LNCS 435), 44– Department of Commerce/N.I.S.T., National
63, 1990. Technical Information Service, Springfield,
[392] W. F ELLER, An Introduction to Probability Virginia, 1994.
Theory and its Applications, John Wiley & [402] FIPS 171, “Key management using ANSI
Sons, New York, 3rd edition, 1968. X9.17”, Federal Information Processing Stan-
[393] A. F IAT AND M. N AOR, “Rigorous dards Publication 171, U.S. Department of
time/space tradeoffs for inverting functions”, Commerce/N.I.S.T., National Technical Infor-
Proceedings of the 23rd Annual ACM Sym- mation Service, Springfield, Virginia, 1992.
posium on Theory of Computing, 534–541, [403] FIPS 180, “Secure hash standard”, Fed-
1991. eral Information Processing Standards Pub-
[394] , “Broadcast encryption”, Advances in lication 180, U.S. Department of Com-
Cryptology–CRYPTO ’93 (LNCS 773), 480– merce/N.I.S.T., National Technical Informa-
491, 1994. tion Service, Springfield, Virginia, May 11
1993.
[395] A. F IAT AND A. S HAMIR, “How to prove
yourself: Practical solutions to identifica- [404] FIPS 180-1, “Secure hash standard”, Fed-
tion and signature problems”, Advances in eral Information Processing Standards Pub-
Cryptology–CRYPTO ’86 (LNCS 263), 186– lication 180-1, U.S. Department of Com-
194, 1987. merce/N.I.S.T., National Technical Informa-
[396] FIPS 46, “Data encryption standard”, Federal tion Service, Springfield, Virginia, April 17
Information Processing Standards Publication 1995 (supersedes FIPS PUB 180).
46, U.S. Department of Commerce/National [405] FIPS 185, “Escrowed encryption standard
Bureau of Standards, National Technical In- (EES)”, Federal Information Processing Stan-
formation Service, Springfield, Virginia, 1977 dards Publication 185, U.S. Department of
(revised as FIPS 46-1:1988; FIPS 46-2:1993). Commerce/N.I.S.T., National Technical Infor-
[397] FIPS 74, “Guidelines for implementing and mation Service, Springfield, Virginia, 1994.
using the NBS data encryption standard”, [406] FIPS 186, “Digital signature standard”,
Federal Information Processing Standards Federal Information Processing Standards
Publication 74, U.S. Department of Com- Publication 186, U.S. Department of Com-
merce/National Bureau of Standards, National merce/N.I.S.T., National Technical Informa-
Technical Information Service, Springfield, tion Service, Springfield, Virginia, 1994.
Virginia, 1981.
[407] FIPS 196, “Entity authentication using public
[398] FIPS 81, “DES modes of operation”, Federal key cryptography”, U.S. Department of Com-
Information Processing Standards Publication merce/N.I.S.T., February 18 1997.
81, U.S. Department of Commerce/National
Bureau of Standards, National Technical [408] A.M. F ISCHER, “Public key/signature cryp-
Information Service, Springfield, Virginia, tosystem with enhanced digital signature cer-
1980. tification”, U.S. Patent # 4,868,877, 19 Sep
1989.
[399] FIPS 112, “Password usage”, Federal Infor-
mation Processing Standards Publication 112, [409] , “Public key/signature cryptosystem
U.S. Department of Commerce/National Bu- with enhanced digital signature certifica-
reau of Standards, National Technical Infor- tion”, U.S. Patent # 5,005,200, 2 Apr 1991
mation Service, Springfield, Virginia, 1985. (continuation-in-part of 4,868,877).
[400] FIPS 113, “Computer data authentication”, [410] , “Electronic document authorization”,
Federal Information Processing Standards Proceedings of the 13th National Computer

720 References
Security Conference, Washington D.C., spon- [423] W. F RIEDMAN, Military Cryptanalysis, U.S.
sored by N.I.S.T. and the National Computer Government Printing Office, Washington DC,
Security Center, USA, 1990. 1944. Volume I – Monoalphabetic substitu-
[411] J.-B. F ISCHER AND J. S TERN, “An effi- tion systems. Volume II – Simpler varieties
cient pseudo-random generator provably as of polyalphabetic substitution systems. Vol-
secure as syndrome decoding”, Advances in ume III – Aperiodic substitutions. Volume IV
Cryptology–EUROCRYPT ’96 (LNCS 1070), – Transposition systems.
245–255, 1996. [424] , “Cryptology”, Encyclopedia Brittan-
[412] M. F ISCHER , S. M ICALI , AND C. R ACKOFF, ica, 6 (1967), 844–851.
“A secure protocol for oblivious transfer”, un-
published (presented at Eurocrypt’84). [425] , Elements of Cryptanalysis, Aegean
Park Press, Laguna Hills, California, 1976.
[413] P. F LAJOLET AND A. O DLYZKO, “Random First published in 1923.
mapping statistics”, Advances in Cryptology–
EUROCRYPT ’89 (LNCS 434), 329–354, [426] , The Index of Coincidence and its
1990. Applications in Cryptography, Aegean Park
[414] W. F ORD, Computer Communications Se- Press, Laguna Hills, California, 1979. First
curity: Principles, Standard Protocols and published in 1920.
Techniques, Prentice Hall, Englewood Cliffs,
[427] A.M. F RIEZE , J. H ÅSTAD , R. K ANNAN ,
New Jersey, 1994.
J.C. L AGARIAS , AND A. S HAMIR, “Recon-
[415] , “Standardizing information technol- structing truncated integer variables satisfying
ogy security”, StandardView, 2 (1994), 64–71. linear congruences”, SIAM Journal on Com-
[416] , “Advances in public-key certificate puting, 17 (1988), 262–280.
standards”, Security, Audit and Control, 13
[428] A. F UJIOKA , T. O KAMOTO , AND S. M IYA -
(1995), ACM Press/SIGSAC, 9–15.
GUCHI , “ESIGN: An efficient digital signa-
[417] W. F ORD AND M. W IENER, “A key distri- ture implementation for smart cards”, Ad-
bution method for object-based protection”, vances in Cryptology–EUROCRYPT ’91
2nd ACM Conference on Computer and Com- (LNCS 547), 446–457, 1991.
munications Security, 193–197, ACM Press,
1994. [429] W. F UMY AND P. L ANDROCK, “Principles of
key management”, IEEE Journal on Selected
[418] R. F ORR É , “A fast correlation attack
Areas in Communications, 11 (1993), 785–
on nonlinearly feedforward filtered shift-
793.
register sequences”, Advances in Cryptology–
EUROCRYPT ’89 (LNCS 434), 586–595, [430] W. F UMY AND M. L ECLERC, “Placement of
1990. cryptographic key distribution within OSI: de-
[419] Y. F RANKEL AND M. Y UNG, “Cryptanaly- sign alternatives and assessment”, Computer
sis of the immunized LL public key systems”, Networks and ISDN Systems, 26 (1993), 217–
Advances in Cryptology–CRYPTO ’95 (LNCS 225.
963), 287–296, 1995.
[431] W. F UMY AND M. M UNZERT , “A modular
[420] , “Escrow encryption systems visited: approach to key distribution”, Advances in
Attacks, analysis and designs”, Advances in Cryptology–CRYPTO ’90 (LNCS 537), 274–
Cryptology–CRYPTO ’95 (LNCS 963), 222– 283, 1991.
235, 1995.
[421] M.K. F RANKLIN AND M.K. R EITER, [432] W. F UMY AND M. R IETENSPIESS, “Open
“Verifiable signature sharing”, Advances in systems security standards”, A. Kent and J.G.
Cryptology–EUROCRYPT ’95 (LNCS 921), Williams, editors, Encyclopedia of Computer
50–63, 1995. Science and Technology 34, 301–334, Marcel
Dekker, 1996.
[422] G. F REY AND H.-G. R ÜCK, “A remark con-
cerning m-divisibility and the discrete loga- [433] K. G AARDER AND E. S NEKKENES, “Apply-
rithm in the divisor class group of curves”, ing a formal analysis technique to the CCITT
Mathematics of Computation, 62 (1994), 865– X.509 strong two-way authentication proto-
874. col”, Journal of Cryptology, 3 (1991), 81–98.
1997
References 721
[434] E.M. G ABIDULIN, “On public-key cryp- [447] J. G EORGIADES, “Some remarks on the se-
tosystems based on linear codes: Efficiency curity of the identification scheme based on
and weakness”, P.G. Farrell, editor, Codes and permuted kernels”, Journal of Cryptology, 5
Cyphers: Cryptography and Coding IV, 17– (1992), 133–137.
31, Institute of Mathematics & Its Applica- [448] J. G ERVER, “Factoring large numbers with
tions (IMA), 1995. a quadratic sieve”, Mathematics of Computa-
[435] E.M. G ABIDULIN , A.V. PARAMONOV, tion, 41 (1983), 287–294.
AND O.V. T RETJAKOV, “Ideals over a [449] P.J. G IBLIN, Primes and Programming: An
non-commutative ring and their application Introduction to Number Theory with Comput-
in cryptology”, Advances in Cryptology– ing, Cambridge University Press, Cambrige,
EUROCRYPT ’91 (LNCS 547), 482–489, 1993.
1991.
[450] J.K. G IBSON, “Some comments on Damg-
[436] H. G AINES, Cryptanalysis: A Study of Ci- ård’s hashing principle”, Electronics Letters,
phers and their Solutions, Dover Publications, 26 (July 19, 1990), 1178–1179.
New York, 1956.
[451] , “Equivalent Goppa codes and trap-
[437] J. G AIT , “A new nonlinear pseudorandom doors to McEliece’s public key cryptosys-
number generator”, IEEE Transactions on tem”, Advances in Cryptology–EUROCRYPT
Software Engineering, 3 (1977), 359–363. ’91 (LNCS 547), 517–521, 1991.
[438] J.M. G ALVIN , K. M C C LOGHRIE , AND J.R. [452] , “Severely denting the Gabidulin ver-
D AVIN, “Secure management of SNMP net- sion of the McEliece public key cryptosys-
works”, Integrated Network Management, II, tem”, Designs, Codes and Cryptography, 6
703–714, 1991. (1995), 37–45.
[439] R.A. G AMES AND A.H. C HAN, “A fast algo- [453] , “The security of the Gabidulin public
rithm for determining the complexity of a bi- key cryptosystem”, Advances in Cryptology–
nary sequence with period 2n ”, IEEE Trans- EUROCRYPT ’96 (LNCS 1070), 212–223,
actions on Information Theory, 29 (1983), 1996.
144–146. [454] E.N. G ILBERT, F.J. M AC W ILLIAMS , AND
[440] M. G ARDNER, “A new kind of cipher that N.J.A. S LOANE , “Codes which detect de-
would take millions of years to break”, Scien- ception”, Bell System Technical Journal, 53
tific American, 237 (Aug 1977), 120–124. (1974), 405–424.
[441] M.R. G AREY AND D.S. J OHNSON, Comput- [455] H. G ILBERT AND G. C HASS É , “A statistical
ers and Intractability: A Guide to the The- attack of the Feal-8 cryptosystem”, Advances
ory of NP-completeness, W.H. Freeman, San in Cryptology–CRYPTO ’90 (LNCS 537), 22–
Francisco, 1979. 33, 1991.
[442] S. G ARFINKEL , PGP: Pretty Good Privacy, [456] H. G ILBERT AND P. C HAUVAUD, “A chosen
O’Reilly and Associates, Inc., Sebastopol, plaintext attack of the 16-round Khufu cryp-
California, 1995. tosystem”, Advances in Cryptology–CRYPTO
’94 (LNCS 839), 359–368, 1994.
[443] H. G ARNER, “The residue number system”,
IRE Transactions on Electronic Computers, [457] M. G IRAULT , “Hash-functions using modulo-
EC-8 (1959), 140–147. n operations”, Advances in Cryptology–
EUROCRYPT ’87 (LNCS 304), 217–226,
[444] C.F. G AUSS, Disquisitiones Arithmeticae, 1988.
1801. English translation by Arthur A. Clarke,
[458] , “An identity-based identification sch-
Springer-Verlag, New York, 1986.
eme based on discrete logarithms modulo a
[445] K. G EDDES , S. C ZAPOR , AND G. L ABAHN, composite number”, Advances in Cryptology–
Algorithms for Computer Algebra, Kluwer EUROCRYPT ’90 (LNCS 473), 481–486,
Academic Publishers, Boston, 1992. 1991.
[446] P. G EFFE , “How to protect data with ciphers [459] , “Self-certified public keys”, Advances
that are really hard to break”, Electronics, 46 in Cryptology–EUROCRYPT ’91 (LNCS
(1973), 99–101. 547), 490–497, 1991.

722 References
[460] M. G IRAULT, R. C OHEN , AND M. C AM - [471] O. G OLDREICH AND L.A. L EVIN, “A hard-
PANA, “A generalized birthday attack”, Ad- core predicate for all one-way functions”,
vances in Cryptology–EUROCRYPT ’88 Proceedings of the 21st Annual ACM Sympo-
(LNCS 330), 129–156, 1988. sium on Theory of Computing, 25–32, 1989.
[461] M. G IRAULT AND J.C. PAILL ÈS, “An [472] O. G OLDREICH , S. M ICALI , AND A. W IG -
identity-based scheme providing zero- DERSON, “Proofs that yield nothing but their
knowledge authentication and authenticated validity and a methodology of cryptographic
key-exchange”, First European Symposium protocol design”, Proceedings of the IEEE
on Research in Computer Security – ES- 27th Annual Symposium on Foundations of
ORICS’90, 173–184, 1990. Computer Science, 174–187, 1986.
[462] M. G IRAULT AND J. S TERN, “On the length [473] , “How to prove all NP statements
of cryptographic hash-values used in identi- in zero-knowledge, and a methodology of
fication schemes”, Advances in Cryptology– cryptographic protocol design”, Advances in
CRYPTO ’94 (LNCS 839), 202–215, 1994. Cryptology–CRYPTO ’86 (LNCS 263), 171–
185, 1987.
[463] V.D. G LIGOR , R. K AILAR , S. S TUB -
BLEBINE , AND L. G ONG, “Logics for crypto- [474] , “Proofs that yield nothing but their
graphic protocols — virtues and limitations”, validity or all languages in NP have zero-
The Computer Security Foundations Work- knowledge proof systems”, Journal of the
shop IV, 219–226, IEEE Computer Security Association for Computing Machinery, 38
Press, 1991. (1991), 691–729. An earlier version appeared
in [472].
[464] C.M. G OLDIE AND R.G.E. P INCH, Commu-
nication Theory, Cambridge University Press, [475] O. G OLDREICH AND Y. O REN, “Definitions
Cambridge, 1991. and properties of zero-knowledge proof sys-
tems”, Journal of Cryptology, 7 (1994), 1–32.
[465] O. G OLDREICH, “Two remarks concerning
[476] S. G OLDWASSER, “The search for provably
the Goldwasser-Micali-Rivest signature sch-
secure cryptosystems”, C. Pomerance, editor,
eme”, Advances in Cryptology–CRYPTO ’86
Cryptology and Computational Number The-
(LNCS 263), 104–110, 1987.
ory, volume 42 of Proceedings of Symposia
[466] O. G OLDREICH , S. G OLDWASSER , AND in Applied Mathematics, 89–113, American
S. M ICALI, “How to construct random func- Mathematical Society, 1990.
tions”, Proceedings of the IEEE 25th Annual [477] S. G OLDWASSER AND J. K ILIAN, “Almost
Symposium on Foundations of Computer Sci- all primes can be quickly certified”, Proceed-
ence, 464–479, 1984. ings of the 18th Annual ACM Symposium on
[467] , “On the cryptographic applications of Theory of Computing, 316–329, 1986.
random functions”, Advances in Cryptology– [478] S. G OLDWASSER AND S. M ICALI, “Proba-
Proceedings of CRYPTO 84 (LNCS 196), bilistic encryption & how to play mental poker
276–288, 1985. keeping secret all partial information”, Pro-
[468] , “How to construct random functions”, ceedings of the 14th Annual ACM Symposium
Journal of the Association for Computing Ma- on Theory of Computing, 365–377, 1982.
chinery, 33 (1986), 792–807. An earlier ver- [479] , “Probabilistic encryption”, Journal of
sion appeared in [466]. Computer and System Sciences, 28 (1984),
[469] O. G OLDREICH AND H. K RAWCZYK, “On 270–299. An earlier version appeared in
the composition of zero-knowledge proof sys- [478].
tems”, M.S. Paterson, editor, Automata, Lan- [480] S. G OLDWASSER , S. M ICALI , AND C. R AC -
guages and Programming, 17th International KOFF, “The knowledge complexity of interac-
Colloquium (LNCS 443), 268–282, Springer- tive proof-systems”, Proceedings of the 17th
Verlag, 1990. Annual ACM Symposium on Theory of Com-
[470] O. G OLDREICH , H. K RAWCZYK , AND puting, 291–304, 1985.
M. L UBY, “On the existence of pseudoran- [481] , “The knowledge complexity of inter-
dom generators”, Proceedings of the IEEE active proof systems”, SIAM Journal on Com-
29th Annual Symposium on Foundations of puting, 18 (1989), 186–208. An earlier ver-
Computer Science, 12–24, 1988. sion appeared in [480].
1997
References 723
[482] S. G OLDWASSER , S. M ICALI , AND R.L. [493] R.A. G OLLIVER , A.K. L ENSTRA , AND K.S.
R IVEST , “A “paradoxical” solution to the sig- M C C URLEY, “Lattice sieving and trial di-
nature problem”, Proceedings of the IEEE vision”, Algorithmic Number Theory (LNCS
25th Annual Symposium on Foundations of 877), 18–27, 1994.
Computer Science, 441–448, 1984.
[494] D. G OLLMANN, “Pseudo random properties
[483] , “A “paradoxical” solution to the sig- of cascade connections of clock controlled
nature problem”, Advances in Cryptology– shift registers”, Advances in Cryptology–
Proceedings of CRYPTO 84 (LNCS 196), 467, Proceedings of EUROCRYPT 84 (LNCS 209),
1985. 93–98, 1985.
[484] , “A digital signature scheme secure [495] , “Cryptanalysis of clock controlled
against adaptive chosen-message attacks”, shift registers”, R. Anderson, editor, Fast Soft-
SIAM Journal on Computing, 17 (1988), 281– ware Encryption, Cambridge Security Work-
308. Earlier versions appeared in [482] and shop (LNCS 809), 121–126, Springer-Verlag,
[483]. 1994.
[485] J. G OLI Ć, “Correlation via linear sequen- [496] D. G OLLMANN AND W.G. C HAMBERS,
tial circuit approximation of combiners “Clock-controlled shift registers: a review”,
with memory”, Advances in Cryptology– IEEE Journal on Selected Areas in Communi-
EUROCRYPT ’92 (LNCS 658), 113–123, cations, 7 (1989), 525–533.
1993.
[497] D. G OLLMANN , Y. H AN , AND C. M ITCHE -
[486] , “On the security of shift register based LL , “Redundant integer representations and
keystream generators”, R. Anderson, editor, fast exponentiation”, Designs, Codes and
Fast Software Encryption, Cambridge Secu- Cryptography, 7 (1996), 135–151.
rity Workshop (LNCS 809), 90–100, Springer-
Verlag, 1994. [498] S.W. G OLOMB, Shift Register Sequences,
Holden-Day, San Francisco, 1967. Reprinted
[487] , “Intrinsic statistical weakness of key- by Aegean Park Press, 1982.
stream generators”, Advances in Cryptology–
ASIACRYPT ’94 (LNCS 917), 91–103, 1995. [499] L. G ONG, “Using one-way functions for au-
thentication”, Computer Communication Re-
[488] , “Linear cryptanalysis of stream ci- view, 19 (1989), 8–11.
phers”, B. Preneel, editor, Fast Software
Encryption, Second International Workshop [500] , “A security risk of depending on syn-
(LNCS 1008), 154–169, Springer-Verlag, chronized clocks”, Operating Systems Re-
1995. view, 26 (1992), 49–53.
[489] , “Towards fast correlation attacks on ir- [501] , “Variations on the themes of message
regularly clocked shift registers”, Advances in freshness and replay”, The Computer Security
Cryptology–EUROCRYPT ’95 (LNCS 921), Foundations Workshop VI, 131–136, IEEE
248–262, 1995. Computer Society Press, 1993.
[490] , “On the security of nonlinear fil- [502] , “New protocols for third-party-based
ter generators”, D. Gollmann, editor, Fast authentication and secure broadcast”, 2nd
Software Encryption, Third International ACM Conference on Computer and Com-
Workshop (LNCS 1039), 173–188, Springer- munications Security, 176–183, ACM Press,
Verlag, 1996. 1994.
[491] J. G OLI Ć AND M. M IHALJEVI Ć, “A gener- [503] , “Efficient network authentication pro-
alized correlation attack on a class of stream tocols: lower bounds and optimal implemen-
ciphers based on the Levenshtein distance”, tations”, Distributed Computing, 9 (1995),
Journal of Cryptology, 3 (1991), 201–212. 131–145.
[492] J. G OLI Ć AND L. O’C ONNOR, “Embed- [504] L. G ONG , T.M.A. L OMAS , R.M. N EED -
ding and probabilistic correlation attacks on HAM , AND J.H. S ALTZER , “Protecting poorly
clock-controlled shift registers”, Advances in chosen secrets from guessing attacks”, IEEE
Cryptology–EUROCRYPT ’94 (LNCS 950), Journal on Selected Areas in Communica-
230–243, 1995. tions, 11 (1993), 648–656.

724 References
[505] L. G ONG , R. N EEDHAM , AND R. YA - 2-adic numbers”, Advances in Cryptology–

HALOM, “Reasoning about belief in crypto- EUROCRYPT ’94 (LNCS 950), 215–222,
graphic protocols”, Proceedings of the IEEE 1995.
Computer Society Symposium on Research in [519] K.C. G OSS, “Cryptographic method and ap-
Security and Privacy, 234–248, 1990. paratus for public key exchange with authenti-
[506] L. G ONG AND D.J. W HEELER, “A matrix cation”, U.S. Patent # 4,956,863, 11 Sep 1990.
key-distribution scheme”, Journal of Cryptol- [520] R. G RAHAM , D. K NUTH , AND O. PATASH -
ogy, 2 (1990), 51–59. NIK, Concrete Mathematics, Addison-
[507] I.J. G OOD, “The serial test for sampling num- Wesley, Reading, Massachusetts, 2nd edition,
bers and other tests for randomness”, Pro- 1994.
ceedings of the Cambridge Philosophical So- [521] A. G RANVILLE , “Primality testing and
ciety, 49 (1953), 276–284. Carmichael numbers”, Notices of the Amer-
[508] , “On the serial test for random se- ican Mathematical Society, 39 (1992), 696–
quences”, The Annals of Mathematical Statis- 700.
tics, 28 (1957), 262–264. [522] E. G ROSSMAN, “Group theoretic remarks on
[509] D.M. G ORDON, “Designing and detecting cryptographic systems based on two types of
trapdoors for discrete log cryptosystems”, Ad- addition”, IBM Research Report RC 4742,
vances in Cryptology–CRYPTO ’92 (LNCS IBM T.J. Watson Research Center, Yorktown
740), 66–75, 1993. Heights, N.Y., 10598, U.S.A., Feb. 26 1974.
[523] L.C. G UILLOU AND J.-J. Q UISQUATER,
[510] , “Discrete logarithms in GF(p) using
“Method and apparatus for authenticating ac-
the number field sieve”, SIAM Journal on Dis-
creditations and for authenticating and signing
crete Mathematics, 6 (1993), 124–138.
messages”, U.S. Patent # 5,140,634, 18 Aug
[511] D.M. G ORDON AND K.S. M C C URLEY, 1992.
“Massively parallel computations of dis- [524] , “A practical zero-knowledge protocol
crete logarithms”, Advances in Cryptology– fitted to security microprocessor minimizing
CRYPTO ’92 (LNCS 740), 312–323, 1993. both transmission and memory”, Advances in
[512] J. G ORDON, “Very simple method to find the Cryptology–EUROCRYPT ’88 (LNCS 330),
minimum polynomial of an arbitrary nonzero 123–128, 1988.
element of a finite field”, Electronics Letters, [525] L.C. G UILLOU , J.-J. Q UISQUATER , M. WA -
12 (December 9, 1976), 663–664. LKER , P. L ANDROCK , AND C. S HAER , “Pre-
[513] , “Strong RSA keys”, Electronics Let- cautions taken against various potential at-
ters, 20 (June 7, 1984), 514–516. tacks in ISO/IEC DIS 9796”, Advances in
[514] , “Strong primes are easy to find”, Ad-
465–473, 1991.
vances in Cryptology–Proceedings of EURO-
CRYPT 84 (LNCS 209), 216–223, 1985. [526] L.C. G UILLOU AND M. U GON, “Smart card
– a highly reliable and portable security de-
[515] , “How to forge RSA key certificates”, vice”, Advances in Cryptology–CRYPTO ’86
Electronics Letters, 21 (April 25, 1985), 377– (LNCS 263), 464–479, 1987.
379.
[527] L.C. G UILLOU , M. U GON , AND J.-J.
[516] , “Fast multiplicative inverse in modu- Q UISQUATER, “The smart card: A standard-
lar arithmetic”, H. Beker and F. Piper, editors, ized security device dedicated to public cryp-
Cryptography and Coding, Institute of Math- tology”, G.J. Simmons, editor, Contemporary
ematics & Its Applications (IMA), 269–279, Cryptology: The Science of Information In-
Clarendon Press, 1989. tegrity, 561–613, IEEE Press, 1992.
[517] J. G ORDON AND H. R ETKIN, “Are big S- [528] C.G. G ÜNTHER, “Alternating step gener-
boxes best?”, Cryptography–Proceedings of ators controlled by de Bruijn sequences”,
the Workshop on Cryptography, Burg Feuer- Advances in Cryptology–EUROCRYPT ’87
stein (LNCS 149), 257–262, 1983. (LNCS 304), 5–14, 1988.
[518] M. G ORESKY AND A. K LAPPER, “Feedback [529] , “A universal algorithm for homo-
registers based on ramified extensions of the phonic coding”, Advances in Cryptology–
1997
References 725
EUROCRYPT ’88 (LNCS 330), 405–414, [542] V. H ARRIS, “An algorithm for finding the
1988. greatest common divisor”, Fibonacci Quar-
terly, 8 (1970), 102–103.
[530] , “An identity-based key-exchange pro-
tocol”, Advances in Cryptology–EUROCRY- [543] J. H ÅSTAD , A.W. S CHRIFT, AND A. S HAM -
PT ’89 (LNCS 434), 29–37, 1990. IR , “The discrete logarithm modulo a compos-
ite hides O(n) bits”, Journal of Computer and
[531] H. G USTAFSON, Statistical Analysis of Sym- System Sciences, 47 (1993), 376–404.
metric Ciphers, PhD thesis, Queensland Uni-
versity of Technology, 1996. [544] J. H ÅSTAD, “Solving simultaneous modular
equations of low degree”, SIAM Journal on
[532] H. G USTAFSON , E. D AWSON , AND J. G OL - Computing, 17 (1988), 336–341.
I Ć , “Randomness measures related to subset
[545] , “Pseudo-random generators under
occurrence”, E. Dawson and J. Golić, editors,
uniform assumptions”, Proceedings of the
Cryptography: Policy and Algorithms, Inter-
22nd Annual ACM Symposium on Theory of
national Conference, Brisbane, Queensland,
Computing, 395–404, 1990.
Australia, July 1995 (LNCS 1029), 132–143,
1996. [546] R. H EIMAN, “A note on discrete loga-
rithms with special structure”, Advances in
[533] H. G USTAFSON , E. D AWSON , L. N IELSEN , Cryptology–EUROCRYPT ’92 (LNCS 658),
AND W. C AELLI , “A computer package for 454–457, 1993.
measuring the strength of encryption algo-
rithms”, Computers & Security, 13 (1994), [547] , “Secure audio teleconferencing: A
687–697. practical solution”, Advances in Cryptology–
EUROCRYPT ’92 (LNCS 658), 437–448,
[534] A. G UYOT , “OCAPI: Architecture of a VLSI 1993.
coprocessor for the gcd and extended gcd of
[548] M.E. H ELLMAN, “An extension of the Shan-
large numbers”, Proceedings of the 10th IEEE
non theory approach to cryptography”, IEEE
Symposium on Computer Arithmetic, 226–
Transactions on Information Theory, 23
231, IEEE Press, 1991.
(1977), 289–294.
[535] S. H ABER AND W.S. S TORNETTA, “How to [549] , “A cryptanalytic time-memory trade-
time-stamp a digital document”, Journal of off”, IEEE Transactions on Information The-
Cryptology, 3 (1991), 99–111. ory, 26 (1980), 401–406.
[536] J.L. H AFNER AND K.S. M C C URLEY, “On [550] M.E. H ELLMAN AND C.E. B ACH, “Method
the distribution of running times of certain in- and apparatus for use in public-key data en-
teger factoring algorithms”, Journal of Algo- cryption system”, U.S. Patent # 4,633,036, 30
rithms, 10 (1989), 531–556. Dec 1986.
[537] , “A rigorous subexponential algorithm [551] M.E. H ELLMAN , B.W. D IFFIE , AND R.C.
for computation of class groups”, Journal of M ERKLE , “Cryptographic apparatus and
the American Mathematical Society, 2 (1989), method”, U.S. Patent # 4,200,770, 29 Apr
837–850. 1980.
[538] T. H ANSEN AND G.L. M ULLEN, “Primitive [552] M.E. H ELLMAN , R. M ERKLE , R. S CHROE -
polynomials over finite fields”, Mathematics PPEL , L. WASHINGTON , W. D IFFIE ,
of Computation, 59 (1992), 639–643. S. P OHLIG , AND P. S CHWEITZER, “Results
of an initial attempt to cryptanalyze the NBS
[539] G.H. H ARDY, A Mathematician’s Apology, Data Encryption Standard”, Technical Report
Cambridge University Press, London, 1967. SEL 76-042, Information Systems Labora-
[540] G.H. H ARDY AND E.M. W RIGHT , An Intro- tory, Stanford University, Palo Alto, Califor-
duction to the Theory of Numbers, Clarendon nia, Sept. 9 1976 (revised Nov 10 1976).
Press, Oxford, 5th edition, 1979. [553] M.E. H ELLMAN AND R.C. M ERKLE , “Pub-
[541] C. H ARPES , G.G. K RAMER , AND J.L. lic key cryptographic apparatus and method”,
M ASSEY, “A generalization of linear crypt- U.S. Patent # 4,218,582, 19 Aug 1980.
analysis and the applicability of Matsui’s [554] M.E. H ELLMAN AND S.C. P OHLIG, “Ex-
piling-up lemma”, Advances in Cryptology– ponentiation cryptographic apparatus and
EUROCRYPT ’95 (LNCS 921), 24–38, 1995. method”, U.S. Patent # 4,424,414, 3 Jan 1984.

726 References
[555] M.E. H ELLMAN AND J.M. R EYNERI, [568] R. I MPAGLIAZZO , L. L EVIN , AND M. L UBY,
“Fast computation of discrete logarithms “Pseudo-random generation from one-way
in GF(q)”, Advances in Cryptology– functions”, Proceedings of the 21st Annual
Proceedings of Crypto 82, 3–13, 1983. ACM Symposium on Theory of Computing,
[556] I.N. H ERSTEIN, Topics in Algebra, Xerox 12–24, 1989.
College Pub., Lexington, Massachusetts, 2nd [569] R. I MPAGLIAZZO AND M. N AOR, “Efficient
edition, 1975. cryptographic schemes provably as secure as
[557] L.S. H ILL , “Cryptography in an algebraic al- subset sum”, Proceedings of the IEEE 30th
phabet”, American Mathematical Monthly, 36 Annual Symposium on Foundations of Com-
(1929), 306–312. puter Science, 236–241, 1989.
[558] L.J. H OFFMAN, Modern Methods for Com- [570] I. I NGEMARSSON AND G.J. S IMMONS, “A
puter Security and Privacy, Prentice Hall, En- protocol to set up shared secret schemes with-
glewood Cliffs, New Jersey, 1977. out the assistance of a mutually trusted party”,
[559] R.V. H OGG AND E.A. TANIS, Probability (LNCS 473), 266–282, 1991.
and statistical inference, Macmillan Publish-
[571] I. I NGEMARSSON , D.T. TANG , AND C.K.
ing Company, New York, 3rd edition, 1988.
W ONG, “A conference key distribution sys-
[560] W. H OHL , X. L AI , T. M EIER , AND tem”, IEEE Transactions on Information The-
C. WALDVOGEL , “Security of iterated hash ory, 28 (1982), 714–720.
functions based on block ciphers”, Advances
[572] K. I RELAND AND M. R OSEN, A Classi-
in Cryptology–CRYPTO ’93 (LNCS 773),
cal Introduction to Modern Number The-
379–390, 1994.
ory, Springer-Verlag, New York, 2nd edition,
[561] S.-M. H ONG , S.-Y. O H , AND H. Y OON, 1990.
“New modular multiplication algorithms for
[573] ISO 7498-2, “Information processing sys-
fast modular exponentiation”, Advances in
tems – Open Systems Interconnection – Ba-
sic reference model – Part 2: Security archi-
166–177, 1996.
tecture”, International Organization for Stan-
[562] P. H ORSTER AND H.-J. K NOBLOCH, “Dis- dardization, Geneva, Switzerland, 1989 (first
crete logarithm based protocols”, Advances in edition) (equivalent to ITU-T Rec. X.800).
[574] ISO 8372, “Information processing – Modes
399–408, 1991.
of operation for a 64-bit block cipher algo-
[563] P. H ORSTER , M. M ICHELS , AND H. P E - rithm”, International Organization for Stan-
TERSEN, “Meta-message recovery and meta- dardization, Geneva, Switzerland, 1987 (first
blind signature schemes based on the dis- edition; confirmed 1992).
crete logarithm problem and their applica-
[575] ISO 8730, “Banking – Requirements for
tions”, Advances in Cryptology–ASIACRYPT
message authentication (wholesale)”, Inter-
’94 (LNCS 917), 224–237, 1995.
national Organization for Standardization,
[564] P. H ORSTER AND H. P ETERSEN, “Gen- Geneva, Switzerland, 1990 (second edition).
eralized ElGamal signatures (in German)”, [576] ISO 8731-1, “Banking – Approved algo-
Sicherheit in Informationssystemen, Proceed- rithms for message authentication – Part 1:
ings der Fachtagung SIS’94, 89–106, Verlag DEA”, International Organization for Stan-
der Fachvereine Zürich, 1994. dardization, Geneva, Switzerland, 1987 (first
[565] T.W. H UNGERFORD, Algebra, Holt, Rinehart edition; confirmed 1992).
and Winston, New York, 1974. [577] ISO 8731-2, “Banking – Approved algo-
[566] K. H WANG, Computer Arithmetic, Princi- rithms for message authentication – Part
ples, Architecture and Design, John Wiley & 2: Message authenticator algorithm”, Inter-
Sons, New York, 1979. national Organization for Standardization,
[567] C. I’A NSON AND C. M ITCHELL , “Security Geneva, Switzerland, 1992 (second edition).
defects in CCITT Recommendation X.509 [578] ISO 8732, “Banking – Key management
– The directory authentication framework”, (wholesale)”, International Organization for
Computer Communication Review, 20 (1990), Standardization, Geneva, Switzerland, 1988
30–34. (first edition).
1997
References 727
[579] ISO 9564-1, “Banking – Personal Identifi- [590] ISO 11568-3, “Banking – Key management
cation Number management and security – (retail) – Part 3: Key life cycle for symmetric
Part 1: PIN protection principles and tech- ciphers”, International Organization for Stan-
niques”, International Organization for Stan- dardization, Geneva, Switzerland, 1994.
dardization, Geneva, Switzerland, 1990. [591] ISO 11568-4, “Banking – Key management
[580] ISO 9564-2, “Banking – Personal Identifica- (retail) – Part 4: Key management techniques
tion Number management and security – Part using public key cryptography”, draft (DIS),
2: Approved algorithm(s) for PIN encipher- 1996.
ment”, International Organization for Stan- [592] ISO 11568-5, “Banking – Key management
dardization, Geneva, Switzerland, 1991. (retail) – Part 5: Key life cycle for public key
[581] ISO 9807, “Banking and related financial ser- cryptosystems”, draft (DIS), 1996.
vices – Requirements for message authenti- [593] ISO 11568-6, “Banking – Key management
cation (retail)”, International Organization for (retail) – Part 6: Key management schemes”,
Standardization, Geneva, Switzerland, 1991. draft (CD), 1996.
[582] ISO 10126-1, “Banking – Procedures for [594] ISO/IEC 9594-1, “Information technol-
message encipherment (wholesale) – Part 1: ogy – Open Systems Interconnection – The
General principles”, International Organiza- Directory: Overview of concepts, models,
tion for Standardization, Geneva, Switzer- and services”, International Organization for
land, 1991. Standardization, Geneva, Switzerland, 1995
[583] ISO 10126-2, “Banking – Procedures for (equivalent to ITU-T Rec. X.500, 1993).
message encipherment (wholesale) – Part 2: [595] ISO/IEC 9594-8, “Information technology
Algorithms”, International Organization for – Open Systems Interconnection – The Di-
Standardization, Geneva, Switzerland, 1991. rectory: Authentication framework”, Inter-
national Organization for Standardization,
[584] ISO 10202-7, “Financial transaction cards –
Geneva, Switzerland, 1995 (equivalent to
Security architecture of financial transaction
ITU-T Rec. X.509, 1993).
systems using integrated circuit cards – Part 7:
Key management”, draft (DIS), 1994. [596] ISO/IEC 9796, “Information technology –
Security techniques – Digital signature sch-
[585] ISO 11131, “Banking – Financial institution eme giving message recovery”, International
sign-on authentication”, International Organi- Organization for Standardization, Geneva,
zation for Standardization, Geneva, Switzer- Switzerland, 1991 (first edition).
land, 1992.
[597] ISO/IEC 9797, “Information technology –
[586] ISO 11166-1, “Banking – Key management Security techniques – Data integrity mech-
by means of asymmetric algorithms – Part anism using a cryptographic check function
1: Principles, procedures and formats”, In- employing a block cipher algorithm”, In-
ternational Organization for Standardization, ternational Organization for Standardization,
Geneva, Switzerland, 1994. Geneva, Switzerland, 1994 (second edition).
[587] ISO 11166-2, “Banking – Key manage- [598] ISO/IEC 9798-1, “Information technology
ment by means of asymmetric algorithms – – Security techniques – Entity authentication
Part 2: Approved algorithms using the RSA mechanisms – Part 1: General model”, In-
cryptosystem”, International Organization for ternational Organization for Standardization,
Standardization, Geneva, Switzerland, 1995. Geneva, Switzerland, 1991 (first edition).
[588] ISO 11568-1, “Banking – Key management [599] ISO/IEC 9798-2, “Information technology
(retail) – Part 1: Introduction to key manage- – Security techniques – Entity authentication
ment”, International Organization for Stan- – Part 2: Mechanisms using symmetric en-
dardization, Geneva, Switzerland, 1994. cipherment algorithms”, International Organi-
[589] ISO 11568-2, “Banking – Key management zation for Standardization, Geneva, Switzer-
(retail) – Part 2: Key management techniques land, 1994 (first edition).
for symmetric ciphers”, International Organi- [600] ISO/IEC 9798-3, “Information technology
zation for Standardization, Geneva, Switzer- – Security techniques – Entity authentica-
land, 1994. tion mechanisms – Part 3: Entity authen-

728 References
tication using a public-key algorithm”, In- Switzerland, 1996 (equivalent to ITU-T Rec.
ternational Organization for Standardization, X.811, 1995).
Geneva, Switzerland, 1993 (first edition).
[611] ISO/IEC 10181-3, “Information technology
[601] ISO/IEC 9798-4, “Information technology – Open Systems Interconnection – Security
– Security techniques – Entity authentication frameworks for open systems – Part 3: Access
– Part 4: Mechanisms using a cryptographic control framework”, 1996.
check function”, International Organization
for Standardization, Geneva, Switzerland,
– Open Systems Interconnection – Security
1995 (first edition).
frameworks for open systems – Part 4: Non-
[602] ISO/IEC 9798-5, “Information technology repudiation framework”, 1996.
– Security techniques – Entity authentication
– Part 5: Mechanisms using zero knowledge [613] ISO/IEC 10181-5, “Information technology
techniques”, draft (CD), 1996. – Open Systems Interconnection – Security
frameworks for open systems – Part 5: Con-
[603] ISO/IEC 9979, “Data cryptographic tech- fidentiality framework”, 1996.
niques – Procedures for the registration
of cryptographic algorithms”, International [614] ISO/IEC 10181-6, “Information technology
Organization for Standardization, Geneva, – Open Systems Interconnection – Security
Switzerland, 1991 (first edition). frameworks for open systems – Part 6: In-
tegrity framework”, 1996.
[604] ISO/IEC 10116, “Information processing –
Modes of operation for an n-bit block cipher [615] ISO/IEC 10181-7, “Information technology
algorithm”, International Organization for – Open Systems Interconnection – Security
Standardization, Geneva, Switzerland, 1991 frameworks for open systems – Part 7: Secu-
(first edition). rity audit and alarms framework”, 1996.
[605] ISO/IEC 10118-1, “Information technology [616] ISO/IEC 11770-1, “Information technology
– Security techniques – Hash-functions – Part – Security techniques – Key management –
1: General”, International Organization for Part 1: Framework”, draft (DIS), 1996.
Standardization, Geneva, Switzerland, 1994.
[606] ISO/IEC 10118-2, “Information technology – Security techniques – Key management –
– Security techniques – Hash-functions – Part Part 2: Mechanisms using symmetric tech-
2: Hash-functions using an n-bit block cipher niques”, International Organization for Stan-
algorithm”, International Organization for dardization, Geneva, Switzerland, 1996 (first
Standardization, Geneva, Switzerland, 1994. edition).
– Security techniques – Hash-functions – Part – Security techniques – Key management –
3: Dedicated hash-functions”, draft (CD), Part 3: Mechanisms using asymmetric tech-
1996. niques”, draft (DIS), 1996.
– Security techniques – Hash-functions – Part – Security techniques – Non-repudiation –
4: Hash-functions using modular arithmetic”, Part 1: General model”, draft (CD), 1996.
draft (CD), 1996.
[609] ISO/IEC 10181-1, “Information technol-
– Security techniques – Non-repudiation –
ogy – Open Systems Interconnection – Se-
Part 2: Using symmetric encipherment algo-
curity frameworks for open systems – Part
rithms”, draft (CD), 1996.
1: Overview”, International Organization for
Standardization, Geneva, Switzerland, 1996 [621] ISO/IEC 13888-3, “Information technology
(equivalent to ITU-T Rec. X.810, 1995). – Security techniques – Non-repudiation –
Part 3: Using asymmetric techniques”, draft
[610] ISO/IEC 10181-2, “Information technol-
(CD), 1996.
ogy – Open Systems Interconnection – Se-
curity frameworks for open systems – Part [622] ISO/IEC 14888-1, “Information technology
2: Authentication framework”, International – Security techniques – Digital signatures with
Organization for Standardization, Geneva, appendix – Part 1: General”, draft (CD), 1996.
1997
References 729
[623] ISO/IEC 14888-2, “Information technology and fast exponentiation”, Electronics Letters,
– Security techniques – Digital signatures with 25 (August 17, 1989), 1171–1172.
appendix – Part 2: Identity-based mecha-
[635] N. J EFFERIES , C. M ITCHELL , AND M.
nisms”, draft (CD), 1996.
WALKER, “A proposed architecture for
[624] ISO/IEC 14888-3, “Information technology trusted third party services”, E. Dawson
– Security techniques – Digital signatures with and J. Golić, editors, Cryptography: Policy
appendix – Part 3: Certificate-based mecha- and Algorithms, International Conference,
nisms”, draft (CD), 1996. Brisbane, Queensland, Australia, July 1995
[625] M. I TO , A. S AITO , AND T. N ISHIZEKI, “Se- (LNCS 1029), 98–104, 1996.
cret sharing scheme realizing general access [636] H.N. J ENDAL , Y.J.B. K UHN , AND J.L.
structure”, IEEE Global Telecommunications M ASSEY, “An information-theoretic treat-
Conference, 99–102, 1987. ment of homophonic substitution”, Advances
[626] ITU-T R EC . X.509 ( REVISED ), “The Di- in Cryptology–EUROCRYPT ’89 (LNCS
rectory – Authentication framework”, Inter- 434), 382–394, 1990.
national Telecommunication Union, Geneva, [637] S.M. J ENNINGS, “Multiplexed sequences:
Switzerland, 1993 (equivalent to ISO/IEC Some properties of the minimum polyno-
9594-8:1994). mial”, Cryptography–Proceedings of the
[627] ITU-T R EC . X.509 (1993) T ECHNICAL Workshop on Cryptography, Burg Feuerstein
C ORRIGENDUM 1, “The Directory – Authen- (LNCS 149), 189–206, 1983.
tication framework”, International Telecom- [638] T. J OHANSSON , G. K ABATIANSKII , AND
munication Union, Geneva, Switzerland, July B. S MEETS, “On the relation between A-
1995 (equivalent to Technical Corrigendum 1 codes and codes correcting independent er-
to ISO/IEC 9594-8:1994). rors”, Advances in Cryptology–EUROCRYPT
[628] ITU-T R EC . X.509 (1993) A MENDMENT 1: ’93 (LNCS 765), 1–11, 1994.
C ERTIFICATE E XTENSIONS, “The Directory
[639] D.B. J OHNSON , A. L E , W. M ARTIN ,
– Authentication framework”, International
S. M ATYAS , AND J. W ILKINS, “Hybrid key
Telecommunication Union, Geneva, Switzer-
distribution scheme giving key record recov-
land, July 1995 draft for JCT1 letter ballot
ery”, IBM Technical Disclosure Bulletin, 37
(equivalent to Ammendment 1 to ISO/IEC
(1994), 5–16.
9594-8:1994).
[640] D.B. J OHNSON AND S.M. M ATYAS, “Asym-
[629] W.-A. J ACKSON , K.M. M ARTIN , AND C.M.
metric encryption: Evolution and enhance-
O’K EEFE , “Multisecret threshold schemes”,
ments”, CryptoBytes, 2 (Spring 1996), 1–6.
773), 126–135, 1994. [641] D.S. J OHNSON, “The NP-completeness col-
[630] G. J AESCHKE , “On strong pseudoprimes to umn: an ongoing guide”, Journal of Algo-
several bases”, Mathematics of Computation, rithms, 9 (1988), 426–444.
61 (1993), 915–926. [642] R.W. J ONES, “Some techniques for handling
[631] C.J.A. J ANSEN AND D.E. B OEKEE , “On the encipherment keys”, ICL Technical Journal, 3
significance of the directed acyclic word graph (1982), 175–188.
in cryptology”, Advances in Cryptology– [643] R.R. J UENEMAN, “Analysis of certain as-
AUSCRYPT ’90 (LNCS 453), 318–326, 1990. pects of output feedback mode”, Advances
[632] , “The shortest feedback shift register in Cryptology–Proceedings of Crypto 82, 99–
that can generate a given sequence”, Advances 127, 1983.
in Cryptology–CRYPTO ’89 (LNCS 435), 90– [644] , “A high speed manipulation detection
99, 1990. code”, Advances in Cryptology–CRYPTO ’86
[633] T. J EBELEAN, “Comparing several gcd al- (LNCS 263), 327–346, 1987.
gorithms”, Proceedings of the 11th Sympo- [645] R.R. J UENEMAN , S.M. M ATYAS , AND C.H.
sium on Computer Arithmetic, 180–185, IEEE M EYER, “Message authentication with ma-
Press, 1993. nipulation detection codes”, Proceedings of
[634] J. J EDWAB AND C. M ITCHELL , “Minimum the 1983 IEEE Symposium on Security and
weight modified signed-digit representations Privacy, 33–54, 1984.

730 References
[646] D. J UNGNICKEL , Finite Fields: Structure networks”, IEEE Transactions on Computers,

and Arithmetics, Bibliographisches Institut – 28 (1979), 747–753.
Wissenschaftsverlag, Mannheim, 1993. [660] N. K APIDZIC AND A. D AVIDSON, “A cer-
[647] M. J UST, E. K RANAKIS , D. K RIZANC , AND tificate management system: structure, func-
P. VAN O ORSCHOT , “On key distribution via tions and protocols”, Proceedings of the In-
true broadcasting”, 2nd ACM Conference on ternet Society Symposium on Network and
Computer and Communications Security, 81– Distributed System Security, 153–160, IEEE
88, ACM Press, 1994. Computer Society Press, 1995.
[648] D. K AHN, The Codebreakers, Macmillan [661] A. K ARATSUBA AND Y U . O FMAN, “Multi-
Publishing Company, New York, 1967. plication of multidigit numbers on automata”,
[649] B.S. K ALISKI J R ., “A chosen message at- Soviet Physics – Doklady, 7 (1963), 595–596.
tack on Demytko’s elliptic curve cryptosys- [662] E.D. K ARNIN , J.W. G REENE , AND M.E.
tem”, Journal of Cryptology, to appear. H ELLMAN, “On secret sharing systems”,
[650] , “A pseudo-random bit generator IEEE Transactions on Information Theory, 29
based on elliptic logarithms”, Advances in (1983), 35–41.
Cryptology–CRYPTO ’86 (LNCS 263), 84– [663] A. K EHNE , J. S CH ÖW ÄLDER , AND H. L AN -
103, 1987. GEND ÖRFER , “A nonce-based protocol for
[651] , Elliptic curves and cryptography: a multiple authentications”, Operating Systems
pseudorandom bit generator and other tools, Review, 26 (1992), 84–89.
PhD thesis, MIT Department of Electrical En- [664] R. K EMMERER , C. M EADOWS , AND
gineering and Computer Science, 1988. J. M ILLEN, “Three systems for cryptographic
[652] , “Anderson’s RSA trapdoor can be bro- protocol analysis”, Journal of Cryptology, 7
ken”, Electronics Letters, 29 (July 22, 1993), (1994), 79–130.
1387–1388. [665] S. K ENT , “Encryption-based protection pro-
[653] , “The Montgomery inverse and its ap- tocols for interactive user-computer commu-
plications”, IEEE Transactions on Comput- nication”, MIT/LCS/TR-162 (M.Sc. thesis),
ers, 44 (1995), 1064–1065. MIT Laboratory for Computer Science, 1976.
[654] B.S. K ALISKI J R ., R.L. R IVEST, AND A.T. [666] , “Internet privacy enhanced mail”,
S HERMAN, “Is the Data Encryption Standard Communications of the ACM, 36 (1993), 48–
a group? (Results of cycling experiments on 60.
DES)”, Journal of Cryptology, 1 (1988), 3– [667] , “Internet security standards: past,
36. present and future”, StandardView, 2 (1994),
[655] B.S. K ALISKI J R . AND M. R OBSHAW, “The 78–85.
secure use of RSA”, CryptoBytes, 1 (Autumn [668] A. K ERCKHOFFS, “La cryptographie mili-
1995), 7–13. taire”, Journal des Sciences Militaires, 9th Se-
[656] B.S. K ALISKI J R . AND Y.L. Y IN, “On differ- ries (February 1883), 161–191.
ential and linear cryptanalysis of the RC5 en- [669] I. K ESSLER AND H. K RAWCZYK, “Mini-
cryption algorithm”, Advances in Cryptology– mum buffer length and clock rate for the
CRYPTO ’95 (LNCS 963), 171–184, 1995. shrinking generator cryptosystem”, IBM Re-
[657] E. K ALTOFEN, “Analysis of Coppersmith’s search Report RC 19938, IBM T.J. Watson
block Wiedemann algorithm for the parallel Research Center, Yorktown Heights, N.Y.,
solution of sparse linear systems”, Mathemat- 10598, U.S.A., 1995.
ics of Computation, 64 (1995), 777–806. [670] E. K EY, “An analysis of the structure and
[658] E. K ALTOFEN AND V. S HOUP, “Subquadra- complexity of nonlinear binary sequence gen-
tic-time factoring of polynomials over finite erators”, IEEE Transactions on Information
fields”, Proceedings of the 27th Annual ACM Theory, 22 (1976), 732–736.
Symposium on Theory of Computing, 398– [671] J. K ILIAN AND T. L EIGHTON, “Fair cryp-
406, 1995. tosystems, revisited: A rigorous approach
[659] J. K AM AND G. D AVIDA, “Structured de- to key-escrow”, Advances in Cryptology–
sign of substitution-permutation encryption CRYPTO ’95 (LNCS 963), 208–221, 1995.
1997
References 731
[672] J. K ILIAN AND P. R OGAWAY, “How to pro- [686] , “Truncated and higher order differ-
tect DES against exhaustive key search”, Ad- entials”, B. Preneel, editor, Fast Software
vances in Cryptology–CRYPTO ’96 (LNCS Encryption, Second International Workshop
1109), 252–267, 1996. (LNCS 1008), 196–211, Springer-Verlag,
1995.
[673] S.-H. K IM AND C. P OMERANCE , “The prob-
ability that a random probable prime is com- [687] L.R. K NUDSEN AND T. B ERSON, “Trun-
posite”, Mathematics of Computation, 53 cated differentials of SAFER”, D. Gollmann,
(1989), 721–741. editor, Fast Software Encryption, Third In-
ternational Workshop (LNCS 1039), 15–26,
[674] M. K IMBERLEY, “Comparison of two statis- Springer-Verlag, 1996.
tical tests for keystream sequences”, Electron-
ics Letters, 23 (April 9, 1987), 365–366. [688] L.R. K NUDSEN AND X. L AI, “New attacks
on all double block length hash functions
[675] A. K LAPPER, “The vulnerability of geometric of hash rate 1, including the parallel-DM”,
sequences based on fields of odd characteris- Advances in Cryptology–EUROCRYPT ’94
tic”, Journal of Cryptology, 7 (1994), 33–51. (LNCS 950), 410–418, 1995.
[676] A. K LAPPER AND M. G ORESKY, “Feedback [689] L.R. K NUDSEN AND W. M EIER, “Improved
shift registers, combiners with memory, and 2- differential attacks on RC5”, Advances in
adic span”, Journal of Cryptology, to appear. Cryptology–CRYPTO ’96 (LNCS 1109), 216–
[677] , “2-Adic shift registers”, R. Ander- 228, 1996.
son, editor, Fast Software Encryption, Cam- [690] L.R. K NUDSEN AND T. P EDERSEN, “On the
bridge Security Workshop (LNCS 809), 174– difficulty of software key escrow”, Advances
178, Springer-Verlag, 1994. in Cryptology–EUROCRYPT ’96 (LNCS
1070), 237–244, 1996.
[678] , “Cryptanalysis based on 2-adic ratio-
nal approximation”, Advances in Cryptology– [691] D.E. K NUTH, The Art of Computer Program-
CRYPTO ’95 (LNCS 963), 262–273, 1995. ming – Fundamental Algorithms, volume 1,
Addison-Wesley, Reading, Massachusetts,
[679] , “Large period nearly de Bruijn 2nd edition, 1973.
FCSR sequences”, Advances in Cryptology–
EUROCRYPT ’95 (LNCS 921), 263–273, [692] , The Art of Computer Programming
1995. – Seminumerical Algorithms, volume 2,
Addison-Wesley, Reading, Massachusetts,
[680] D.V. K LEIN, “Foiling the cracker: a survey 2nd edition, 1981.
of, and improvements to, password security”,
[693] , The Art of Computer Programming –
Proceedings of the 2nd USENIX UNIX Secu-
Sorting and Searching, volume 3, Addison-
rity Workshop, 5–14, 1990.
Wesley, Reading, Massachusetts, 1973.
[681] H.-J. K NOBLOCH, “A smart card implemen- [694] D.E. K NUTH AND L. T RABB PARDO, “Anal-
tation of the Fiat-Shamir identification sch- ysis of a simple factorization algorithm”, The-
eme”, Advances in Cryptology–EUROCRYPT oretical Computer Science, 3 (1976), 321–
’88 (LNCS 330), 87–95, 1988. 348.
[682] L.R. K NUDSEN, “Cryptanalysis of LOKI”, [695] N. K OBLITZ , “Elliptic curve cryptosystems”,
Advances in Cryptology–ASIACRYPT ’91 Mathematics of Computation, 48 (1987), 203–
(LNCS 739), 22–35, 1993. 209.
[683] , “Cryptanalysis of LOKI91”, Advances [696] , “Hyperelliptic cryptosystems”, Jour-
in Cryptology–AUSCRYPT ’92 (LNCS 718), nal of Cryptology, 1 (1989), 139–150.
196–208, 1993. [697] , A Course in Number Theory and Cryp-
[684] , Block Ciphers – Analysis, Design and tography, Springer-Verlag, New York, 2nd
Applications, PhD thesis, Computer Science edition, 1994.
Department, Aarhus University (Denmark), [698] C. K OÇ, “High-speed RSA implementation”,
1994. Technical Report, RSA Laboratories, 1994.
[685] , “A key-schedule weakness in SAFER [699] , “RSA hardware implementation”,
K-64”, Advances in Cryptology–CRYPTO ’95 Technical Report TR-801, RSA Laboratories,
(LNCS 963), 274–286, 1995. 1996.

732 References
[700] C. K OÇ , T. A CAR , AND B.S. K ALISKI [714] , “LFSR-based hashing and authentica-
J R ., “Analyzing and comparing Montgomery tion”, Advances in Cryptology–CRYPTO ’94
multiplication algorithms”, IEEE Micro, 16 (LNCS 839), 129–139, 1994.
(1996), 26–33.
[715] , “Secret sharing made short”, Ad-
[701] J.T. K OHL , “The use of encryption in Ker- vances in Cryptology–CRYPTO ’93 (LNCS
beros for network authentication”, Advances 773), 136–146, 1994.
in Cryptology–CRYPTO ’89 (LNCS 435), 35–
[716] , “The shrinking generator: Some prac-
43, 1990.
tical considerations”, R. Anderson, editor,
[702] L.M. K OHNFELDER, “A method for certifica- Fast Software Encryption, Cambridge Secu-
tion”, MIT Laboratory for Computer Science, rity Workshop (LNCS 809), 45–46, Springer-
unpublished (essentially pp.39-43 of [703]), Verlag, 1994.
1978.
[717] , “New hash functions for message
[703] , Toward a practical public-key cryp- authentication”, Advances in Cryptology–
tosystem, B.Sc. thesis, MIT Department of EUROCRYPT ’95 (LNCS 921), 301–310,
Electrical Engineering, 1978. 1995.
[704] A. K OLMOGOROV, “Three approaches to the [718] , “SKEME: A versatile secure key ex-
definition of the concept ‘quantity of infor- change mechanism for Internet”, Proceedings
mation”’, Problemy Peredachi Informatsii, 1 of the Internet Society Symposium on Net-
(1965), 3–11. work and Distributed System Security, 114–
[705] A.G. K ONHEIM, Cryptography, A Primer, 127, IEEE Computer Society Press, 1996.
John Wiley & Sons, New York, 1981. [719] Y. K URITA AND M. M ATSUMOTO, “Primi-
[706] I. K OREN, Computer Arithmetic Algorithms, tive t-nomials (t = 3,5) over GF(2) whose
Prentice Hall, Englewood Cliffs, New Jersey, degree is a Mersenne exponent ≤ 44497”,
1993. Mathematics of Computation, 56 (1991), 817–
821.
[707] V.I. K ORZHIK AND A.I. T URKIN, “Crypt-
analysis of McEliece’s public-key cryptosys- [720] K. K UROSAWA , T. I TO , AND M. TAKEUCHI,
tem”, Advances in Cryptology–EUROCRYPT “Public key cryptosystem using a reciprocal
’91 (LNCS 547), 68–70, 1991. number with the same intractability as factor-
ing a large number”, Cryptologia, 12 (1988),
[708] K. K OYAMA , U. M AURER , T. O KAMOTO , 225–233.
AND S.A. VANSTONE , “New public-key sch-
emes based on elliptic curves over the ring [721] K. K UROSAWA , K. O KADA , AND S. T SUJII,
Zn ”, Advances in Cryptology–CRYPTO ’91 “Low exponent attack against elliptic curve
(LNCS 576), 252–266, 1992. RSA”, Advances in Cryptology–ASIACRYPT
’94 (LNCS 917), 376–383, 1995.
[709] K. K OYAMA AND R. T ERADA, “How to
strengthen DES-like cryptosystems against [722] K. K USUDA AND T. M ATSUMOTO, “Opti-
differential cryptanalysis”, IEICE Transac- mization of time-memory trade-off cryptanal-
tions on Fundamentals of Electronics, Com- ysis and its application to DES, FEAL-32,
munications and Computer Science, E76-A and Skipjack”, IEICE Transactions on Funda-
(1993), 63–69. mentals of Electronics, Communications and
Computer Science, E79-A (1996), 35–48.
[710] E. K RANAKIS, Primality and Cryptography,
John Wiley & Sons, Stuttgart, 1986. [723] J.C. L AGARIAS, “Knapsack public key
cryptosystems and diophantine approxima-
[711] D.W. K RAVITZ , “Digital signature algo- tion”, Advances in Cryptology–Proceedings
rithm”, U.S. Patent # 5,231,668, 27 Jul 1993. of Crypto 83, 3–23, 1984.
[712] H. K RAWCZYK, “How to predict congru-
[724] , “Pseudorandom number generators in
ential generators”, Advances in Cryptology–
cryptography and number theory”, C. Pomer-
CRYPTO ’89 (LNCS 435), 138–153, 1990.
ance, editor, Cryptology and Computational
[713] , “How to predict congruential genera- Number Theory, volume 42 of Proceedings of
tors”, Journal of Algorithms, 13 (1992), 527– Symposia in Applied Mathematics, 115–143,
545. An earlier version appeared in [712]. American Mathematical Society, 1990.
1997
References 733
[725] X. L AI, “Condition for the nonsingularity of fields”, Designs, Codes and Cryptography, 1
a feedback shift-register over a general fi- (1991), 47–62.
nite field”, IEEE Transactions on Information [737] , “Solving large sparse linear systems
Theory, 33 (1987), 747–749. over finite fields”, Advances in Cryptology–
[726] , “On the design and security of CRYPTO ’90 (LNCS 537), 109–133, 1991.
block ciphers”, ETH Series in Information [738] L. L AMPORT , “Constructing digital signa-
Processing, J.L. Massey (editor), vol. 1, tures from a one-way function”, Technical re-
Hartung-Gorre Verlag Konstanz, Technische port CSL-98, SRI International, Palo Alto,
Hochschule (Zurich), 1992. 1979.
[727] X. L AI AND L.R. K NUDSEN, “Attacks on
[739] , “Password authentication with inse-
double block length hash functions”, R. An-
cure communication”, Communications of the
derson, editor, Fast Software Encryption,
ACM, 24 (1981), 770–772.
Cambridge Security Workshop (LNCS 809),
157–165, Springer-Verlag, 1994. [740] B. L AMPSON , M. A BADI , M. B URROWS ,
AND E. W OBBER , “Authentication in dis-
[728] X. L AI AND J.L. M ASSEY, “A proposal for a
tributed systems: Theory and practice”,
new block encryption standard”, Advances in
ACM Transactions on Computer Systems, 10
(1992), 265–310.
389–404, 1991.
[741] S.K. L ANGFORD AND M.E. H ELLMAN,
[729] , “Hash functions based on block ci-
“Differential-linear cryptanalysis”, Advances
phers”, Advances in Cryptology–EUROCRY-
PT ’92 (LNCS 658), 55–70, 1993.
25, 1994.
[730] X. L AI , J.L. M ASSEY, AND S. M URPHY,
[742] P.J. L EE AND E.F. B RICKELL , “An obser-
“Markov ciphers and differential cryptanaly-
vation on the security of McEliece’s public-
sis”, Advances in Cryptology–EUROCRYPT
key cryptosystem”, Advances in Cryptology–
’91 (LNCS 547), 17–38, 1991.
EUROCRYPT ’88 (LNCS 330), 275–280,
[731] X. L AI , R.A. R UEPPEL , AND J. W OOL - 1988.
LVEN, “A fast cryptographic checksum al-
[743] D.H. L EHMER, “Euclid’s algorithm for large
gorithm based on stream ciphers”, Advances
numbers”, American Mathematical Monthly,
in Cryptology–AUSCRYPT ’92 (LNCS 718),
45 (1938), 227–233.
339–348, 1993.
[744] D.H. L EHMER AND R.E. P OWERS, “On fac-
[732] C.-S. L AIH , L. H ARN , J.-Y. L EE , AND
toring large numbers”, Bulletin of the AMS, 37
T. H WANG, “Dynamic threshold scheme
(1931), 770–776.
based on the definition of cross-product in
an n-dimensional linear space”, Advances in [745] T. L EIGHTON AND S. M ICALI, “Secret-key
Cryptology–CRYPTO ’89 (LNCS 435), 286– agreement without public-key cryptography”,
298, 1990. Advances in Cryptology–CRYPTO ’93 (LNCS
773), 456–479, 1994.
[733] C.-S. L AIH , F.-K. T U , AND W.-C TAI, “On
the security of the Lucas function”, Informa- [746] A.K. L ENSTRA, “Posting to sci.crypt”, April
tion Processing Letters, 53 (1995), 243–247. 11 1996.
[734] K.-Y. L AM AND T. B ETH, “Timely authen- [747] , “Primality testing”, C. Pomerance, ed-
tication in distributed systems”, Y. Deswarte, itor, Cryptology and Computational Number
G. Eizenberg, and J.-J. Quisquater, editors, Theory, volume 42 of Proceedings of Sym-
Second European Symposium on Research posia in Applied Mathematics, 13–25, Amer-
in Computer Security – ESORICS’92 (LNCS ican Mathematical Society, 1990.
648), 293–303, Springer-Verlag, 1992. [748] A.K. L ENSTRA AND H.W. L ENSTRA J R .,
[735] K.-Y. L AM AND L.C.K. H UI, “Efficiency “Algorithms in number theory”, J. van
of SS(I) square-and-multiply exponentiation Leeuwen, editor, Handbook of Theoretical
algorithms”, Electronics Letters, 30 (Decem- Computer Science, 674–715, Elsevier Science
ber 8, 1994), 2115–2116. Publishers, 1990.
[736] B.A. L A M ACCHIA AND A.M. O DLYZKO, [749] , The Development of the Number Field
“Computation of discrete logarithms in prime Sieve, Springer-Verlag, Berlin, 1993.

734 References
[750] A.K. L ENSTRA , H.W. L ENSTRA J R ., AND [764] R. L IDL AND H. N IEDERREITER, Finite
L. L OV ÁSZ , “Factoring polynomials with ra- Fields, Cambridge University Press, Cam-
tional coefficients”, Mathematische Annalen, bridge, 1984.
261 (1982), 515–534.
[765] A. L IEBL , “Authentication in distributed sys-
[751] A.K. L ENSTRA , H.W. L ENSTRA J R ., M.S.
tems: A bibliography”, Operating Systems
M ANASSE , AND J.M. P OLLARD, “The fac-
Review, 27 (1993), 31–41.
torization of the ninth Fermat number”, Math-
ematics of Computation, 61 (1993), 319–349. [766] C.H. L IM AND P.J. L EE , “Another method
[752] , “The number field sieve”, A.K. for attaining security against adaptively
Lenstra and H.W. Lenstra Jr., editors, The De- chosen ciphertext attacks”, Advances in
velopment of the Number Field Sieve, volume Cryptology–CRYPTO ’93 (LNCS 773), 420–
1554 of Lecture Notes in Mathematics, 11–42, 434, 1994.
Springer-Verlag, 1993.
[767] , “More flexible exponentiation with
[753] A.K. L ENSTRA AND M.S. M ANASSE , “Fac-
precomputation”, Advances in Cryptology–
toring by electronic mail”, Advances in
CRYPTO ’94 (LNCS 839), 95–107, 1994.
355–371, 1990. [768] , “Server (prover/signer)-aided veri-
[754] , “Factoring with two large primes”, fication of identity proofs and signatures”,
Mathematics of Computation, 63 (1994), 785– Advances in Cryptology–EUROCRYPT ’95
798. (LNCS 921), 64–78, 1995.
[755] A.K. L ENSTRA , P. W INKLER , AND Y. YA -
[769] S. L IN AND D. C OSTELLO, Error Con-
COBI , “A key escrow system with warrant
trol Coding: Fundamentals and Applications,
bounds”, Advances in Cryptology–CRYPTO
Prentice Hall, Englewood Cliffs, New Jersey,
’95 (LNCS 963), 197–207, 1995.
1983.
[756] H.W. L ENSTRA J R ., “Factoring integers with
elliptic curves”, Annals of Mathematics, 126 [770] J. L IPSON, Elements of Algebra and Alge-
(1987), 649–673. braic Computing, Addison-Wesley, Reading,
[757] , “Finding isomorphisms between fi- Massachusetts, 1981.
nite fields”, Mathematics of Computation, 56
[771] T.M.A. L OMAS , L. G ONG , J.H. S ALTZER ,
(1991), 329–347.
AND R.M. N EEDHAM, “Reducing risks from
[758] , “On the Chor-Rivest knapsack cryp- poorly chosen keys”, Operating Systems Re-
tosystem”, Journal of Cryptology, 3 (1991), view, 23 (Special issue), 14–18. (Pre-
149–155. sented at: 12th ACM Symposium on Operat-
[759] H.W. L ENSTRA J R . AND C. P OMERANCE , ing Systems Principles, Litchfield Park, Ari-
“A rigorous time bound for factoring inte- zona, Dec. 1989).
gers”, Journal of the American Mathematical
Society, 5 (1992), 483–516. [772] D.L. L ONG AND A. W IGDERSON, “The dis-
crete logarithm hides O(log n) bits”, SIAM
[760] H.W. L ENSTRA J R . AND R.J. S CHOOF,
Journal on Computing, 17 (1988), 363–372.
“Primitive normal bases for finite fields”,
Mathematics of Computation, 48 (1987), 217– [773] R. L OVORN, Rigorous, subexponential al-
231. gorithms for discrete logarithms over finite
[761] L.A. L EVIN, “One-way functions and pseu- fields, PhD thesis, University of Georgia,
dorandom generators”, Proceedings of the 1992.
17th Annual ACM Symposium on Theory of
Computing, 363–365, 1985. [774] M. L UBY, Pseudorandomness and Crypto-
graphic Applications, Princeton University
[762] J. L EVINE , United States Cryptographic
Press, Princeton, New Jersey, 1996.
Patents 1861–1981, Cryptologia, Inc., Terre
Haute, Indiana, 1983. [775] M. L UBY AND C. R ACKOFF, “Pseudo-
[763] R. L IDL AND W.B. M ÜLLER, “Permuta- random permutation generators and crypto-
tion polynomials in RSA-cryptosystems”, Ad- graphic composition”, Proceedings of the
vances in Cryptology–Proceedings of Crypto 18th Annual ACM Symposium on Theory of
83, 293–301, 1984. Computing, 356–363, 1986.
1997
References 735
[776] , “How to construct pseudorandom per- [788] , “SAFER K-64: One year later”,
mutations from pseudorandom functions”, B. Preneel, editor, Fast Software Encryption,
SIAM Journal on Computing, 17 (1988), 373– Second International Workshop (LNCS 1008),
386. An earlier version appeared in [775]. 212–241, Springer-Verlag, 1995.
[777] S. L UCKS, “Faster Luby-Rackoff ciphers”, [789] J.L. M ASSEY AND I. I NGEMARSSON, “The
D. Gollmann, editor, Fast Software Encryp- Rip Van Winkle cipher – A simple and prov-
tion, Third International Workshop (LNCS ably computationally secure cipher with a fi-
1039), 189–203, Springer-Verlag, 1996. nite key”, IEEE International Symposium on
Information Theory (Abstracts), p.146, 1985.
[778] F.J. M AC W ILLIAMS AND N.J.A. S LOANE ,
The Theory of Error-Correcting Codes, [790] J.L. M ASSEY AND X. L AI, “Device for con-
North-Holland, Amsterdam, 1977 (fifth print- verting a digital block and the use thereof”,
ing: 1986). European Patent # 482,154, 29 Apr 1992.
[779] W. M ADRYGA, “A high performance encryp- [791] , “Device for the conversion of a dig-
tion algorithm”, J. Finch and E. Dougall, edi- ital block and use of same”, U.S. Patent #
tors, Computer Security: A Global Challenge, 5,214,703, 25 May 1993.
Proceedings of the Second IFIP International
[792] J.L. M ASSEY AND J.K. O MURA, “Method
Conference on Computer Security, 557–570,
and apparatus for maintaining the privacy of
North-Holland, 1984.
digital messages conveyed by public transmis-
[780] D.P. M AHER, “Crypto backup and key es- sion”, U.S. Patent # 4,567,600, 28 Jan 1986.
crow”, Communications of the ACM, 39
[793] J.L. M ASSEY AND R.A. R UEPPEL , “Linear
(1996), 48–53.
ciphers and random sequence generators with
[781] W. M AO AND C. B OYD, “On the use of multiple clocks”, Advances in Cryptology–
encryption in cryptographic protocols”, P.G. Proceedings of EUROCRYPT 84 (LNCS 209),
Farrell, editor, Codes and Cyphers: Cryptog- 74–87, 1985.
raphy and Coding IV, 251–262, Institute of
[794] J.L. M ASSEY AND S. S ERCONEK, “A
Mathematics & Its Applications (IMA), 1995.
Fourier transform approach to the linear com-
[782] G. M ARSAGLIA, “A current view of random plexity of nonlinearly filtered sequences”, Ad-
number generation”, L. Billard, editor, Com- vances in Cryptology–CRYPTO ’94 (LNCS
puter Science and Statistics: Proceedings of 839), 332–340, 1994.
the Sixteenth Symposium on the Interface, 3–
[795] M. M ATSUI, “The first experimental crypt-
10, North-Holland, 1985.
analysis of the Data Encryption Standard”,
[783] P. M ARTIN -L ÖF, “The definition of ran- Advances in Cryptology–CRYPTO ’94 (LNCS
dom sequences”, Information and Control, 9 839), 1–11, 1994.
(1966), 602–619.
[796] , “Linear cryptanalysis method for
[784] J.L. M ASSEY, “Shift-register synthesis and DES cipher”, Advances in Cryptology–
BCH decoding”, IEEE Transactions on Infor- EUROCRYPT ’93 (LNCS 765), 386–397,
mation Theory, 15 (1969), 122–127. 1994.
[785] , “An introduction to contemporary [797] , “On correlation between the or-
cryptology”, Proceedings of the IEEE, 76 der of S-boxes and the strength of DES”,
(1988), 533–549. Advances in Cryptology–EUROCRYPT ’94
(LNCS 950), 366–375, 1995.
[786] , “Contemporary cryptology: An intro-
duction”, G.J. Simmons, editor, Contempo- [798] M. M ATSUI AND A. YAMAGISHI, “A
rary Cryptology: The Science of Information new method for known plaintext attack of
Integrity, 1–39, IEEE Press, 1992. An earlier FEAL cipher”, Advances in Cryptology–
version appeared in [785]. EUROCRYPT ’92 (LNCS 658), 81–91, 1993.
[787] , “SAFER K-64: A byte-oriented [799] T. M ATSUMOTO AND H. I MAI, “On the key
block-ciphering algorithm”, R. Anderson, predistribution system: A practical solution
editor, Fast Software Encryption, Cam- to the key distribution problem”, Advances in
bridge Security Workshop (LNCS 809), 1–17, Cryptology–CRYPTO ’87 (LNCS 293), 185–
Springer-Verlag, 1994. 193, 1988.

736 References
[800] T. M ATSUMOTO , Y. TAKASHIMA , AND [813] , “A universal statistical test for ran-
H. I MAI, “On seeking smart public-key- dom bit generators”, Journal of Cryptology, 5
distribution systems”, The Transactions of the (1992), 89–105. An earlier version appeared
IECE of Japan, E69 (1986), 99–106. in [810].
[801] S.M. M ATYAS, “Digital signatures – an [814] , “Factoring with an oracle”, Advances
overview”, Computer Networks, 3 (1979), in Cryptology–EUROCRYPT ’92 (LNCS
87–94. 658), 429–436, 1993.
[815] , “Secret key agreement by public dis-
[802] , “Key handling with control vectors”,
cussion from common information”, IEEE
IBM Systems Journal, 30 (1991), 151–174.
Transactions on Information Theory, 39
[803] , “Key processing with control vec- (1993), 733–742.
tors”, Journal of Cryptology, 3 (1991), 113– [816] , “A simplified and generalized treat-
136. ment of Luby-Rackoff pseudorandom permu-
[804] S.M. M ATYAS AND C.H. M EYER, “Gener- tation generators”, Advances in Cryptology–
ation, distribution, and installation of cryp- EUROCRYPT ’92 (LNCS 658), 239–255,
tographic keys”, IBM Systems Journal, 17 1993.
(1978), 126–137. [817] , “Towards the equivalence of break-
ing the Diffie-Hellman protocol and com-
[805] S.M. M ATYAS , C.H. M EYER , AND J. O S -
puting discrete logarithms”, Advances in
EAS, “Generating strong one-way functions
with cryptographic algorithm”, IBM Techni-
281, 1994.
cal Disclosure Bulletin, 27 (1985), 5658–
5659. [818] , “Fast generation of prime numbers and
secure public-key cryptographic parameters”,
[806] S.M. M ATYAS , C.H.W. M EYER , AND B.O. Journal of Cryptology, 8 (1995), 123–155. An
B RACHTL , “Controlled use of cryptographic earlier version appeared in [807].
keys via generating station established control
[819] , “The role of information theory in
values”, U.S. Patent # 4,850,017, 18 Jul 1989.
cryptography”, P.G. Farrell, editor, Codes and
[807] U. M AURER, “Fast generation of secure Cyphers: Cryptography and Coding IV, 49–
RSA-moduli with almost maximal diversity”, 71, Institute of Mathematics & Its Applica-
Advances in Cryptology–EUROCRYPT ’89 tions (IMA), 1995.
(LNCS 434), 636–647, 1990. [820] U. M AURER AND J.L. M ASSEY, “Per-
[808] , “New approaches to the design of self- fect local randomness in pseudo-random se-
synchronizing stream ciphers”, Advances in quences”, Advances in Cryptology–CRYPTO
Cryptology–EUROCRYPT ’91 (LNCS 547), ’89 (LNCS 435), 100–112, 1990.
458–471, 1991. [821] , “Local randomness in pseudorandom
sequences”, Journal of Cryptology, 4 (1991),
[809] , “A provably-secure strongly-random-
135–149. An earlier version appeared in
ized cipher”, Advances in Cryptology–EURO-
[820].
CRYPT ’90 (LNCS 473), 361–373, 1991.
[822] , “Cascade ciphers: The importance of
[810] , “A universal statistical test for ran- being first”, Journal of Cryptology, 6 (1993),
dom bit generators”, Advances in Cryptology– 55–61.
CRYPTO ’90 (LNCS 537), 409–420, 1991.
[823] U. M AURER AND Y. YACOBI, “Non-
[811] , “Conditionally-perfect secrecy and a interactive public-key cryptography”, Ad-
provably-secure randomized cipher”, Journal vances in Cryptology–EUROCRYPT ’91
of Cryptology, 5 (1992), 53–66. An earlier (LNCS 547), 498–507, 1991.
version appeared in [809]. [824] , “A remark on a non-interactive
[812] , “Some number-theoretic conjectures public-key distribution system”, Advances in
and their relation to the generation of crypto- Cryptology–EUROCRYPT ’92 (LNCS 658),
graphic primes”, C. Mitchell, editor, Cryptog- 458–460, 1993.
raphy and Coding II, volume 33 of Institute of [825] K.S. M C C URLEY, “A key distribution sys-
Mathematics & Its Applications (IMA), 173– tem equivalent to factoring”, Journal of Cryp-
191, Clarendon Press, 1992. tology, 1 (1988), 95–105.
1997
References 737
[826] , “Cryptographic key distribution and [839] S. M ENDES AND C. H UITEMA, “A new ap-
computation in class groups”, R.A. Mollin, proach to the X.509 framework: allowing a
editor, Number Theory and Applications, global authentication infrastructure without a
459–479, Kluwer Academic Publishers, 1989. global trust model”, Proceedings of the In-
[827] , “The discrete logarithm problem”, ternet Society Symposium on Network and
C. Pomerance, editor, Cryptology and Com- Distributed System Security, 172–189, IEEE
putational Number Theory, volume 42 of Pro- Computer Society Press, 1995.
ceedings of Symposia in Applied Mathemat- [840] A. M ENEZES, Elliptic Curve Public Key
ics, 49–74, American Mathematical Society, Cryptosystems, Kluwer Academic Publishers,
1990. Boston, 1993.
[828] R.J. M C E LIECE , “A public-key cryptosys- [841] A. M ENEZES , I. B LAKE , X. G AO , R. M UL -
tem based on algebraic coding theory”, DSN LIN , S. VANSTONE , AND T. YAGHOOBIAN,
progress report #42-44, Jet Propulsion Labo- Applications of Finite Fields, Kluwer Aca-
ratory, Pasadena, California, 1978. demic Publishers, Boston, 1993.
[829] , The Theory of Information and Cod-
ing: A Mathematical Framework for Commu- [842] A. M ENEZES , T. O KAMOTO , AND S. VAN -
STONE , “Reducing elliptic curve logarithms
nication, Cambridge University Press, Cam-
bridge, 1984. to logarithms in a finite field”, Proceedings of
the 23rd Annual ACM Symposium on Theory
[830] , Finite Fields for Computer Scientists of Computing, 80–89, 1991.
and Engineeers, Kluwer Academic Publish-
ers, Boston, 1987. [843] , “Reducing elliptic curve logarithms
to logarithms in a finite field”, IEEE Trans-
[831] C.A. M EADOWS, “Formal verification of
actions on Information Theory, 39 (1993),
cryptographic protocols: a survey”, Advances
1639–1646. An earlier version appeared in
in Cryptology–ASIACRYPT ’94 (LNCS 917),
[842].
133–150, 1995.
[832] W. M EIER, “On the security of the IDEA [844] A. M ENEZES , M. Q U , AND S. VANSTONE ,
block cipher”, Advances in Cryptology– “Some new key agreement protocols provid-
EUROCRYPT ’93 (LNCS 765), 371–385, ing implicit authentication”, workshop record,
1994. 2nd Workshop on Selected Areas in Cryptog-
raphy (SAC’95), Ottawa, Canada, May 18–19
[833] W. M EIER AND O. S TAFFELBACH, “Fast
1995.
correlation attacks on stream ciphers”, Ad-
vances in Cryptology–EUROCRYPT ’88 [845] R. M ENICOCCI, “Cryptanalysis of a two-
(LNCS 330), 301–314, 1988. stage Gollmann cascade generator”, W. Wol-
[834] , “Fast correlation attacks on certain fowicz, editor, Proceedings of the 3rd Sym-
stream ciphers”, Journal of Cryptology, 1 posium on State and Progress of Research in
(1989), 159–176. An earlier version appeared Cryptography, Rome, Italy, 62–69, 1993.
in [833]. [846] R.C. M ERKLE , “Digital signature system and
[835] , “Analysis of pseudo random se- method based on a conventional encryption
quences generated by cellular automata”, function”, U.S. Patent # 4,881,264, 14 Nov
Advances in Cryptology–EUROCRYPT ’91 1989.
(LNCS 547), 186–199, 1991. [847] , “Method and apparatus for data en-
[836] , “Correlation properties of combiners cryption”, U.S. Patent # 5,003,597, 26 Mar
with memory in stream ciphers”, Advances in 1991.
204–213, 1991. [848] , “Method of providing digital signa-
tures”, U.S. Patent # 4,309,569, 5 Jan 1982.
[837] , “Correlation properties of combiners
with memory in stream ciphers”, Journal of [849] , “Secure communications over inse-
Cryptology, 5 (1992), 67–86. An earlier ver- cure channels”, Communications of the ACM,
sion appeared in [836]. 21 (1978), 294–299.
[838] , “The self-shrinking generator”, Ad- [850] , Secrecy, Authentication, and Public
vances in Cryptology–EUROCRYPT ’94 Key Systems, UMI Research Press, Ann Ar-
(LNCS 950), 205–214, 1995. bor, Michigan, 1979.

738 References
[851] , “Secrecy, authentication, and pub- [866] S. M ICALI AND C.P. S CHNORR, “Efficient,
lic key systems”, Technical Report No.1979- perfect random number generators”, Ad-
1, Information Systems Laboratory, Stanford vances in Cryptology–CRYPTO ’88 (LNCS
University, Palo Alto, California, 1979. Also 403), 173–198, 1990.
available as [850].
[867] , “Efficient, perfect polynomial random
[852] , “Protocols for public key cryptosys- number generators”, Journal of Cryptology, 3
tems”, Proceedings of the 1980 IEEE Sympo- (1991), 157–172. An earlier version appeared
sium on Security and Privacy, 122–134, 1980. in [866].
[853] , “A certified digital signature”, Ad-
vances in Cryptology–CRYPTO ’89 (LNCS [868] S. M ICALI AND A. S HAMIR, “An improve-
435), 218–238, 1990. ment of the Fiat-Shamir identification and
signature scheme”, Advances in Cryptology–
[854] , “A fast software one-way hash func-
CRYPTO ’88 (LNCS 403), 244–247, 1990.
tion”, Journal of Cryptology, 3 (1990), 43–58.
[855] , “One way hash functions and DES”, [869] S. M ICALI AND R. S IDNEY, “A simple
Advances in Cryptology–CRYPTO ’89 (LNCS method for generating and sharing pseudo-
435), 428–446, 1990. random functions, with applications to
[856] , “Fast software encryption functions”, Clipper-like key escrow systems”, Advances
Advances in Cryptology–CRYPTO ’90 (LNCS in Cryptology–CRYPTO ’95 (LNCS 963),
537), 476–501, 1991. 185–196, 1995.
[857] R.C. M ERKLE AND M.E. H ELLMAN, “Hid- [870] P. M IHAILESCU, “Fast generation of provable
ing information and signatures in trapdoor primes using search in arithmetic progres-
knapsacks”, IEEE Transactions on Informa- sions”, Advances in Cryptology–CRYPTO ’94
tion Theory, 24 (1978), 525–530. (LNCS 839), 282–293, 1994.
[858] , “On the security of multiple en-
[871] M.J. M IHALJEVI Ć, “A security examination
cryption”, Communications of the ACM, 24
of the self-shrinking generator”, presentation
(1981), 465–467.
at 5th IMA Conference on Cryptography and
[859] C.H. M EYER AND S.M. M ATYAS, Cryptog- Coding, Cirencester, U.K., December 1995.
raphy: A New Dimension in Computer Data
Security, John Wiley & Sons, New York, 1982 [872] , “An approach to the initial state re-
(third printing). construction of a clock-controlled shift regis-
[860] C.H. M EYER AND M. S CHILLING, “Se- ter based on a novel distance measure”, Ad-
cure program load with manipulation detec- vances in Cryptology–AUSCRYPT ’92 (LNCS
tion code”, Proceedings of the 6th Worldwide 718), 349–356, 1993.
Congress on Computer and Communications [873] , “A correlation attack on the bi-
Security and Protection (SECURICOM’88), nary sequence generators with time-varying
111–130, 1988. output function”, Advances in Cryptology–
[861] S. M ICALI, “Fair cryptosystems and methods ASIACRYPT ’94 (LNCS 917), 67–79, 1995.
of use”, U.S. Patent # 5,276,737, 4 Jan 1994.
[874] M.J. M IHALJEVI Ć AND J.D. G OLI Ć, “A
[862] , “Fair cryptosystems and methods of
fast iterative algorithm for a shift register
use”, U.S. Patent # 5,315,658, 24 May 1994
initial state reconstruction given the noisy
(continuation-in-part of 5,276,737).
output sequence”, Advances in Cryptology–
[863] , “Fair public-key cryptosystems”, Ad- AUSCRYPT ’90 (LNCS 453), 165–175, 1990.
740), 113–138, 1993. [875] , “Convergence of a Bayesian iterative
[864] S. M ICALI , O. G OLDREICH , AND S. E VEN, error-correction procedure on a noisy shift
“On-line/off-line digital signing”, U.S. Patent register sequence”, Advances in Cryptology–
# 5,016,274, 14 May 1991. EUROCRYPT ’92 (LNCS 658), 124–137,
1993.
[865] S. M ICALI , C. R ACKOFF , AND B. S LOAN,
“The notion of security for probabilistic cryp- [876] G.L. M ILLER, “Riemann’s hypothesis and
tosystems”, SIAM Journal on Computing, 17 tests for primality”, Journal of Computer and
(1988), 412–426. System Sciences, 13 (1976), 300–317.
1997
References 739
[877] S.P. M ILLER , B.C. N EUMAN , J.I. S CHILL - [890] S.B. M OHAN AND B.S. A DIGA, “Fast al-
ER , AND J.H. S ALTZER , “Kerberos authen- gorithms for implementing RSA public key
tication and authorization system”, Section cryptosystem”, Electronics Letters, 21 (Au-
E.2.1 of Project Athena Technical Plan, MIT, gust 15, 1985), 761.
Cambridge, Massachusetts, 1987. [891] R. M OLVA , G. T SUDIK , E. VAN H ER -
[878] V.S. M ILLER, “Use of elliptic curves in cryp- REWEGHEN , AND S. Z ATTI , “KryptoKnight
tography”, Advances in Cryptology–CRYPTO authentication and key distribution sys-
’85 (LNCS 218), 417–426, 1986. tem”, Y. Deswarte, G. Eizenberg, and J.-J.
Quisquater, editors, Second European Sympo-
[879] C. M ITCHELL , “A storage complexity based
sium on Research in Computer Security – ES-
analogue of Maurer key establishment using
ORICS’92 (LNCS 648), 155–174, Springer-
public channels”, C. Boyd, editor, Cryptog-
Verlag, 1992.
raphy and Coding, 5th IMA Conference, Pro-
ceedings, 84–93, Institute of Mathematics & [892] L. M ONIER, “Evaluation and comparison of
Its Applications (IMA), 1995. two efficient probabilistic primality testing al-
gorithms”, Theoretical Computer Science, 12
[880] , “Limitations of challenge-response
(1980), 97–108.
entity authentication”, Electronics Letters, 25
(August 17, 1989), 1195–1196. [893] P. M ONTGOMERY, “Modular multiplication
without trial division”, Mathematics of Com-
[881] C. M ITCHELL AND F. P IPER, “Key storage
putation, 44 (1985), 519–521.
in secure networks”, Discrete Applied Math-
ematics, 21 (1988), 215–228. [894] , “Speeding the Pollard and elliptic
curve methods of factorization”, Mathematics
[882] C. M ITCHELL , F. P IPER , AND P. W ILD, of Computation, 48 (1987), 243–264.
“Digital signatures”, G.J. Simmons, editor,
Contemporary Cryptology: The Science of [895] P. M ONTGOMERY AND R. S ILVERMAN, “An
Information Integrity, 325–378, IEEE Press, FFT extension to the P − 1 factoring al-
1992. gorithm”, Mathematics of Computation, 54
(1990), 839–854.
[883] A. M ITROPOULOS AND H. M EIJER, “Zero
knowledge proofs – a survey”, Technical Re- [896] P.L. M ONTGOMERY, “A block Lanczos algo-
port No. 90-IR-05, Queen’s University at rithm for finding dependencies over GF (2)”,
Kingston, Kingston, Ontario, Canada, 1990. Advances in Cryptology–EUROCRYPT ’95
(LNCS 921), 106–120, 1995.
[884] S. M IYAGUCHI, “The FEAL cipher family”,
Advances in Cryptology–CRYPTO ’90 (LNCS [897] A.M. M OOD, “The distribution theory of
537), 627–638, 1991. runs”, The Annals of Mathematical Statistics,
11 (1940), 367–392.
[885] S. M IYAGUCHI , S. K URIHARA , K. O HTA ,
[898] J.H. M OORE , “Protocol failures in cryptosys-
AND H. M ORITA, “Expansion of FEAL ci-
tems”, Proceedings of the IEEE, 76 (1988),
pher”, NTT Review, 2 (1990), 117–127.
594–602.
[886] S. M IYAGUCHI , K. O HTA , AND M. I WATA,
[899] , “Protocol failures in cryptosystems”,
“128-bit hash function (N-hash)”, NTT Re-
G.J. Simmons, editor, Contemporary Cryp-
view, 2 (1990), 128–132.
tology: The Science of Information Integrity,
[887] S. M IYAGUCHI , A. S HIRAISHI , AND 541–558, IEEE Press, 1992. Appeared earlier
A. S HIMIZU, “Fast data encipherment al- as [898].
gorithm FEAL-8”, Review of the Electrical
[900] J.H. M OORE AND G.J. S IMMONS, “Cy-
Communications Laboratories, 36 (1988),
cle structure of the DES for keys having
433–437.
palindromic (or antipalindromic) sequences of
[888] A. M IYAJI AND M. TATEBAYASHI, “Public round keys”, IEEE Transactions on Software
key cryptosystem with an elliptic curve”, U.S. Engineering, 13 (1987), 262–273. An earlier
Patent # 5,272,755, 21 Dec 1993. version appeared in [901].
[889] , “Method of privacy communica- [901] , “Cycle structure of the DES with
tion using elliptic curves”, U.S. Patent # weak and semi-weak keys”, Advances in
5,351,297, 27 Sep 1994 (continuation-in-part Cryptology–CRYPTO ’86 (LNCS 263), 9–32,
of 5,272,755). 1987.

740 References
[902] F. M ORAIN, “Distributed primality prov- [915] D. N ACCACHE , D. M’R A ÏHI , AND D. R AP -
ing and the primality of (23539 + 1)/3”, HAELI , “Can Montgomery parasites be
Advances in Cryptology–EUROCRYPT ’90 avoided? A design methodology based on key
(LNCS 473), 110–123, 1991. and cryptosystem modifications”, Designs,
[903] , “Prime values of partition numbers Codes and Cryptography, 5 (1995), 73–80.
and the primality of p1840926 ”, LIX Re- [916] D. N ACCACHE , D. M’R A ÏHI , S. VAU -
search Report LIX/RR/92/11, Laboratoire DENAY, AND D. R APHAELI , “Can D.S.A.
d’Informatique de l’Ecole Polytechnique, be improved? Complexity trade-offs with
France, June 1992. the digital signature standard”, Advances in
[904] F. M ORAIN AND J. O LIVOS, “Speeding up Cryptology–EUROCRYPT ’94 (LNCS 950),
the computations on an elliptic curve using 77–85, 1995.
addition-subtraction chains”, Theoretical In- [917] D. N ACCACHE AND H. M’ SILTI, “A new
formatics and Applications, 24 (1990), 531– modulo computation algorithm”, Recherche
543. Opérationnelle – Operations Research
[905] I.H. M ORGAN AND G.L. M ULLEN, “Prim- (RAIRO-OR), 24 (1990), 307–313.
itive normal polynomials over finite fields”,
[918] K. N AGASAKA , J.-S. S HIUE , AND C.-W.
Mathematics of Computation, 63 (1994), 759–
H O, “A fast algorithm of the Chinese remain-
765.
der theorem and its application to Fibonacci
[906] R. M ORRIS, “The Hagelin cipher machine number”, G.E. Bergum, A.N. Philippou, and
(M-209), Reconstruction of the internal set- A.F. Horadam, editors, Applications of Fi-
tings”, Cryptologia, 2 (1978), 267–278. bonacci Numbers, Proceedings of the Fourth
[907] R. M ORRIS AND K. T HOMPSON, “Password International Conference on Fibonacci Num-
security: a case history”, Communications of bers and their Applications, 241–246, Kluwer
the ACM, 22 (1979), 594–597. Academic Publishers, 1991.
[908] M.A. M ORRISON AND J. B RILLHART , “A [919] M. N AOR AND A. S HAMIR, “Visual
method of factoring and the factorization of cryptography”, Advances in Cryptology–
F7 ”, Mathematics of Computation, 29 (1975), EUROCRYPT ’94 (LNCS 950), 1–12, 1995.
183–205.
[920] M. N AOR AND M. Y UNG, “Universal one-
[909] W.B. M ÜLLER AND R. N ÖBAUER, “Crypt- way hash functions and their cryptographic
analysis of the Dickson-scheme”, Advances in applications”, Proceedings of the 21st Annual
Cryptology–EUROCRYPT ’85 (LNCS 219), ACM Symposium on Theory of Computing,
50–61, 1986. 33–43, 1989.
[910] W.B. M ÜLLER AND W. N ÖBAUER, “Some [921] , “Public-key cryptosystems provably
remarks on public-key cryptosystems”, Studia secure against chosen ciphertext attacks”,
Scientiarum Mathematicarum Hungarica, 16 Proceedings of the 22nd Annual ACM Sym-
(1981), 71–76. posium on Theory of Computing, 427–437,
[911] R. M ULLIN , I. O NYSZCHUK , S. VANSTONE , 1990.
AND R. W ILSON, “Optimal normal bases in
[922] J. N ECHVATAL , “Public key cryptography”,
GF (pn )”, Discrete Applied Mathematics, 22
G.J. Simmons, editor, Contemporary Cryp-
(1988/89), 149–161.
tology: The Science of Information Integrity,
[912] S. M UND, “Ziv-Lempel complexity for peri- 177–288, IEEE Press, 1992.
odic sequences and its cryptographic applica-
tion”, Advances in Cryptology–EUROCRYPT [923] R.M. N EEDHAM AND M.D. S CHROEDER,
’91 (LNCS 547), 114–126, 1991. “Using encryption for authentication in large
networks of computers”, Communications of
[913] S. M URPHY, “The cryptanalysis of FEAL-4 the ACM, 21 (1978), 993–999.
with 20 chosen plaintexts”, Journal of Cryp-
tology, 2 (1990), 145–154. [924] , “Authentication revisited”, Operating
Systems Review, 21 (1987), 7.
[914] D. N ACCACHE , “Can O.S.S. be repaired? –
proposal for a new practical signature sch- [925] B.C. N EUMAN AND S.G. S TUBBLEBINE ,“A
eme”, Advances in Cryptology–EUROCRYPT note on the use of timestamps as nonces”, Op-
’93 (LNCS 765), 233–239, 1994. erating Systems Review, 27 (1993), 10–14.
1997
References 741
[926] B.C. N EUMAN AND T. T S ’ O, “Kerberos: [938] , “Message recovery for signature sch-
an authentication service for computer net- emes based on the discrete logarithm prob-
works”, IEEE Communications Magazine, 32 lem”, Designs, Codes and Cryptography, 7
(September 1994), 33–38. (1996), 61–81.
[927] H. N IEDERREITER, “The probabilistic the- [939] A.M. O DLYZKO, “Cryptanalytic attacks on
ory of linear complexity”, Advances in the multiplicative knapsack cryptosystem
Cryptology–EUROCRYPT ’88 (LNCS 330), and on Shamir’s fast signature scheme”,
191–209, 1988. IEEE Transactions on Information Theory, 30
(1984), 594–601.
[928] , “A combinatorial approach to proba-
bilistic results on the linear-complexity profile [940] , “Discrete logarithms in finite fields
of random sequences”, Journal of Cryptology, and their cryptographic significance”, Ad-
2 (1990), 105–112. vances in Cryptology–Proceedings of EURO-
CRYPT 84 (LNCS 209), 224–314, 1985.
[929] , “Keystream sequences with a
[941] , “The rise and fall of knapsack cryp-
good linear complexity profile for every
tosystems”, C. Pomerance, editor, Cryptol-
starting point”, Advances in Cryptology–
ogy and Computational Number Theory, vol-
EUROCRYPT ’89 (LNCS 434), 523–532,
ume 42 of Proceedings of Symposia in Applied
1990.
Mathematics, 75–88, American Mathematical
[930] , “The linear complexity profile and the Society, 1990.
jump complexity of keystream sequences”, [942] , “Discrete logarithms and smooth poly-
Advances in Cryptology–EUROCRYPT ’90 nomials”, G.L. Mullen and P.J-S. Shiue, ed-
(LNCS 473), 174–188, 1991. itors, Finite Fields: Theory, Applications,
[931] K. N ISHIMURA AND M. S IBUYA, “Probabil- and Algorithms, volume 168 of Contemporary
ity to meet in the middle”, Journal of Cryptol- Mathematics, 269–278, American Mathemat-
ogy, 2 (1990), 13–22. ical Society, 1994.
[943] K. O HTA AND K. A OKI, “Linear cryptanaly-
[932] I.M. N IVEN AND H.S. Z UCKERMAN, An In-
sis of the Fast Data Encipherment Algorithm”,
troduction to the Theory of Numbers, John Wi-
ley & Sons, New York, 4th edition, 1980.
839), 12–16, 1994.
[933] M.J. N ORRIS AND G.J. S IMMONS, “Algo- [944] K. O HTA AND T. O KAMOTO, “Practical ex-
rithms for high-speed modular arithmetic”, tension of Fiat-Shamir scheme”, Electronics
Congressus Numerantium, 31 (1981), 153– Letters, 24 (July 21, 1988), 955–956.
163.
[945] , “A modification of the Fiat-Shamir
[934] G. N ORTON, “Extending the binary gcd al- scheme”, Advances in Cryptology–CRYPTO
gorithm”, J. Calmet, editor, Algebraic Algo- ’88 (LNCS 403), 232–243, 1990.
rithms and Error-Correcting Codes, 3rd Inter-
[946] E. O KAMOTO AND K. TANAKA, “Key dis-
national Conference, AAECC-3 (LNCS 229),
tribution system based on identification infor-
363–372, Springer-Verlag, 1986.
mation”, IEEE Journal on Selected Areas in
[935] K. N YBERG, “On one-pass authenticated key Communications, 7 (1989), 481–485.
establishment schemes”, workshop record, [947] T. O KAMOTO, “A single public-key authen-
2nd Workshop on Selected Areas in Cryptog- tication scheme for multiple users”, Systems
raphy (SAC’95), Ottawa, Canada, May 18–19 and Computers in Japan, 18 (1987), 14–24.
1995. Translated from Denshi Tsushin Gakkai Ron-
[936] K. N YBERG AND R. R UEPPEL , “A new sig- bunshi vol. 69-D no.10, October 1986, 1481–
nature scheme based on the DSA giving mes- 1489.
sage recovery”, 1st ACM Conference on Com- [948] , “A fast signature scheme based on
puter and Communications Security, 58–61, congruential polynomial operations”, IEEE
ACM Press, 1993. Transactions on Information Theory, 36
[937] , “Weaknesses in some recent key (1990), 47–53.
agreement protocols”, Electronics Letters, 30 [949] , “Provably secure and practical identi-
(January 6, 1994), 26–27. fication schemes and corresponding signature

742 References
schemes”, Advances in Cryptology–CRYPTO wide Congress on Computer and Commu-

’92 (LNCS 740), 31–53, 1993. nications Security and Protection (SECURI-
[950] , “Designated confirmer signatures and COM’89), 171–185, 1989.
public-key encryption are equivalent”, Ad- [963] C.H. PAPADIMITRIOU, Computational Com-
vances in Cryptology–CRYPTO ’94 (LNCS plexity, Addison-Wesley, Reading, Mas-
839), 61–74, 1994. sachusetts, 1994.
[951] , “An efficient divisible electronic cash [964] S.-J. PARK , S.-J. L EE , AND S.-C. G OH,
scheme”, Advances in Cryptology–CRYPTO “On the security of the Gollmann cascades”,
’95 (LNCS 963), 438–451, 1995. Advances in Cryptology–CRYPTO ’95 (LNCS
963), 148–156, 1995.
[952] T. O KAMOTO , S. M IYAGUCHI , A. S HI -
RAISHI , AND T. K AWAOKA, “Signed doc- [965] J. PATARIN, “Hidden fields equations (HFE)
ument transmission system”, U.S. Patent # and isomorphisms of polynomials (IP): Two
4,625,076, 25 Nov 1986. new families of asymmetric algorithms”,
[953] T. O KAMOTO AND A. S HIRAISHI, “A fast
(LNCS 1070), 33–48, 1996.
signature scheme based on quadratic inequal-
ities”, Proceedings of the 1985 IEEE Sympo- [966] J. PATARIN AND P. C HAUVAUD, “Improved
sium on Security and Privacy, 123–132, 1985. algorithms for the permuted kernel problem”,
[954] T. O KAMOTO , A. S HIRAISHI , AND T. K AW -
773), 391–402, 1994.
AOKA, “Secure user authentication without
password files”, Technical Report NI83-92, [967] W. P ENZHORN AND G. K ÜHN, “Computa-
I.E.C.E., Japan, January 1984. In Japanese. tion of low-weight parity checks for corre-
lation attacks on stream ciphers”, C. Boyd,
[955] J. O LIVOS, “On vectorial addition chains”,
editor, Cryptography and Coding, 5th IMA
Journal of Algorithms, 2 (1981), 13–21.
Conference, Proceedings, 74–83, Institute of
[956] J.K. O MURA AND J.L. M ASSEY, “Compu- Mathematics & Its Applications (IMA), 1995.
tational method and apparatus for finite field
[968] R. P ERALTA, “Simultaneous security of bits
arithmetic”, U.S. Patent # 4,587,627, 6 May
in the discrete log”, Advances in Cryptology–
1986.
EUROCRYPT ’85 (LNCS 219), 62–72, 1986.
[957] H. O NG AND C.P. S CHNORR, “Fast signa-
[969] R. P ERALTA AND V. S HOUP, “Primality test-
ture generation with a Fiat Shamir-like sch-
ing with fewer random bits”, Computational
eme”, Advances in Cryptology–EUROCRYPT
Complexity, 3 (1993), 355–367.
’90 (LNCS 473), 432–440, 1991.
[970] A. P FITZMANN AND R. A SSMANN, “More
[958] H. O NG , C.P. S CHNORR , AND A. S HAMIR,
efficient software implementations of (gen-
“An efficient signature scheme based on
eralized) DES”, Computers & Security, 12
quadratic equations”, Proceedings of the 16th
(1993), 477–500.
Annual ACM Symposium on Theory of Com-
puting, 208–216, 1984. [971] B. P FITZMANN AND M. WAIDNER, “Fail-
stop signatures and their applications”, Pro-
[959] I.M. O NYSZCHUK , R.C. M ULLIN , AND ceedings of the 9th Worldwide Congress
S.A. VANSTONE , “Computational method
on Computer and Communications Security
and apparatus for finite field multiplication”,
and Protection (SECURICOM’91), 145–160,
U.S. Patent # 4,745,568, 17 May 1988. 1991.
[960] G. O RTON, “A multiple-iterated trapdoor [972] , “Formal aspects of fail-stop signa-
for dense compact knapsacks”, Advances in tures”, Interner Bericht 22/90, Universität
Cryptology–EUROCRYPT ’94 (LNCS 950), Karlsruhe, Germany, December 1990.
112–130, 1995.
[973] S.J.D. P HOENIX AND P.D. T OWNSEND,
[961] D. O TWAY AND O. R EES, “Efficient and “Quantum cryptography: protecting our fu-
timely mutual authentication”, Operating Sys- ture networks with quantum mechanics”,
tems Review, 21 (1987), 8–10. C. Boyd, editor, Cryptography and Coding,
[962] J.C. PAILL ÈS AND M. G IRAULT , “CRIPT: A 5th IMA Conference, Proceedings, 112–131,
public-key based solution for secure data com- Institute of Mathematics & Its Applications
munications”, Proceedings of the 7th World- (IMA), 1995.
1997
References 743
[974] R. P INCH, “The Carmichael numbers up [988] J.M. P OLLARD AND C. S CHNORR, “An effi-
to 1015 ”, Mathematics of Computation, 61 cient solution of the congruence x2 + ky 2 =
(1993), 381–391. m (mod n)”, IEEE Transactions on Infor-
[975] , “Some primality testing algorithms”, mation Theory, 33 (1987), 702–709.
Notices of the American Mathematical Soci- [989] C. P OMERANCE , “Analysis and comparison
ety, 40 (1993), 1203–1210. of some integer factoring algorithms”, H.W.
[976] , “Extending the Håstad attack to Lenstra Jr. and R. Tijdeman, editors, Compu-
LUC”, Electronics Letters, 31 (October 12, tational Methods in Number Theory, Part 1,
1995), 1827–1828. 89–139, Mathematisch Centrum, 1982.
[977] , “Extending the Wiener attack to RSA- [990] , “The quadratic sieve factoring algo-
type cryptosystems”, Electronics Letters, 31 rithm”, Advances in Cryptology–Proceedings
(September 28, 1995), 1736–1738. of EUROCRYPT 84 (LNCS 209), 169–182,
1985.
[978] V. P LESS, “Encryption schemes for computer
confidentiality”, IEEE Transactions on Com- [991] , “Fast, rigorous factorization and dis-
puters, 26 (1977), 1133–1136. crete logarithm algorithms”, Discrete Algo-
rithms and Complexity, 119–143, Academic
[979] J.B. P LUMSTEAD, “Inferring a sequence gen- Press, 1987.
erated by a linear congruence”, Proceedings
of the IEEE 23rd Annual Symposium on Foun- [992] , “Very short primality proofs”, Mathe-
dations of Computer Science, 153–159, 1982. matics of Computation, 48 (1987), 315–322.
[980] , “Inferring a sequence produced by a [993] , editor, Cryptology and Computational
linear congruence”, Advances in Cryptology– Number Theory, American Mathematical So-
Proceedings of Crypto 82, 317–319, 1983. ciety, Providence, Rhode Island, 1990.
[981] H.C. P OCKLINGTON, “The determination of [994] , “Factoring”, C. Pomerance, editor,
the prime or composite nature of large num- Cryptology and Computational Number The-
bers by Fermat’s theorem”, Proceedings of the ory, volume 42 of Proceedings of Symposia
Cambridge Philosophical Society, 18 (1914), in Applied Mathematics, 27–47, American
29–30. Mathematical Society, 1990.
[982] S.C. P OHLIG AND M.E. H ELLMAN, “An im- [995] , “The number field sieve”, W. Gautsc-
proved algorithm for computing logarithms hi, editor, Mathematics of Computation, 1943-
over GF (p) and its cryptographic signifi- 1993: A Half-Century of Computation Math-
cance”, IEEE Transactions on Information ematics, volume 48 of Proceedings of Sym-
Theory, 24 (1978), 106–110. posia in Applied Mathematics, 465–480,
American Mathematical Society, 1994.
[983] D. P OINTCHEVAL , “A new identification
scheme based on the perceptrons problem”, [996] C. P OMERANCE , J.L. S ELFRIDGE , AND
Advances in Cryptology–EUROCRYPT ’95 S.S. WAGSTAFF J R ., “The pseudoprimes to
(LNCS 921), 319–328, 1995. 25 · 109 ”, Mathematics of Computation, 35
(1980), 1003–1026.
[984] J.M. P OLLARD, “Theorems on factorization
and primality testing”, Proceedings of the [997] C. P OMERANCE AND J. S ORENSON, “Count-
Cambridge Philosophical Society, 76 (1974), ing the integers factorable via cyclotomic
521–528. methods”, Journal of Algorithms, 19 (1995),
250–265.
[985] , “A Monte Carlo method for factoriza-
tion”, BIT, 15 (1975), 331–334. [998] G.J. P OPEK AND C.S. K LINE , “Encryption
and secure computer networks”, ACM Com-
[986] , “Monte Carlo methods for index com-
puting Surveys, 11 (1979), 331–356.
putation (mod p)”, Mathematics of Compu-
tation, 32 (1978), 918–924. [999] E. P RANGE , “An algorism for factoring xn −
[987] , “Factoring with cubic integers”, A.K. 1 over a finite field”, AFCRC-TN-59-775, Air
Lenstra and H.W. Lenstra Jr., editors, The De- Force Cambridge Research Center, 1959.
velopment of the Number Field Sieve, volume [1000] V.R. P RATT , “Every prime has a succinct
1554 of Lecture Notes in Mathematics, 4–10, certificate”, SIAM Journal on Computing, 4
Springer-Verlag, 1993. (1975), 214–220.

744 References
[1001] B. P RENEEL , “Standardization of crypto- [1013] M. Q U AND S.A. VANSTONE , “The knap-
graphic techniques”, B. Preneel, R. Govaerts, sack problem in cryptography”, Contempo-
and J. Vandewalle, editors, Computer Secu- rary Mathematics, 168 (1994), 291–308.
rity and Industrial Cryptography: State of [1014] K. Q UINN, “Some constructions for key dis-
the Art and Evolution (LNCS 741), 162–173, tribution patterns”, Designs, Codes and Cryp-
Springer-Verlag, 1993. tography, 4 (1994), 177–191.
[1002] , “Cryptographic hash functions”, Eu- [1015] J.-J. Q UISQUATER, “A digital signature sch-
ropean Transactions on Telecommunications, eme with extended recovery”, preprint, 1995.
5 (1994), 431–448.
[1016] J.-J. Q UISQUATER AND C. C OUVREUR,
[1003] , Analysis and design of cryptographic “Fast decipherment algorithm for RSA public-
hash functions, PhD thesis, Katholieke Uni- key cryptosystem”, Electronics Letters, 18
versiteit Leuven (Belgium), Jan. 1993. (October 14, 1982), 905–907.
[1004] , Cryptographic Hash Functions, [1017] J.-J. Q UISQUATER AND J.-P. D ELESCAILLE,
Kluwer Academic Publishers, Boston, (to ap- “How easy is collision search? Applica-
pear). Updated and expanded from [1003]. tion to DES”, Advances in Cryptology–
EUROCRYPT ’89 (LNCS 434), 429–434,
[1005] B. P RENEEL , R. G OVAERTS , AND J. VAN -
1990.
DEWALLE , “Differential cryptanalysis of hash
functions based on block ciphers”, 1st ACM [1018] , “How easy is collision search. New re-
Conference on Computer and Communica- sults and applications to DES”, Advances in
tions Security, 183–188, ACM Press, 1993. Cryptology–CRYPTO ’89 (LNCS 435), 408–
413, 1990.
[1006] , “Information authentication: Hash
[1019] J.-J. Q UISQUATER AND M. G IRAULT ,
functions and digital signatures”, B. Preneel,
“2n-bit hash-functions using n-bit symmet-
R. Govaerts, and J. Vandewalle, editors, Com-
ric block cipher algorithms”, Advances in
puter Security and Industrial Cryptography:
State of the Art and Evolution (LNCS 741),
102–109, 1990.
[1020] J.-J. Q UISQUATER , L. G UILLOU , AND
[1007] , “Hash functions based on block ci-
T. B ERSON, “How to explain zero-knowledge
phers: A synthetic approach”, Advances in
protocols to your children”, Advances in
378, 1994.
631, 1990.
[1008] B. P RENEEL , M. N UTTIN , V. R IJMEN , AND [1021] M.O. R ABIN, “Probabilistic algorithms”, J.F.
J. B UELENS, “Cryptanalysis of the CFB mode Traub, editor, Algorithms and Complexity,
of the DES with a reduced number of rounds”, 21–40, Academic Press, 1976.
[1022] , “Digitalized signatures”, R. DeMillo,
773), 212–223, 1994.
D. Dobkin, A. Jones, and R. Lipton, editors,
[1009] B. P RENEEL AND P. VAN O ORSCHOT , Foundations of Secure Computation, 155–
“MDx-MAC and building fast MACs from 168, Academic Press, 1978.
hash functions”, Advances in Cryptology–
[1023] , “Digitalized signatures and public-
CRYPTO ’95 (LNCS 963), 1–14, 1995.
key functions as intractable as factorization”,
[1010] , “On the security of two MAC MIT/LCS/TR-212, MIT Laboratory for Com-
algorithms”, Advances in Cryptology– puter Science, 1979.
EUROCRYPT ’96 (LNCS 1070), 19–32, 1996. [1024] , “Probabilistic algorithm for testing
[1011] N. P ROCTOR, “A self-synchronizing cas- primality”, Journal of Number Theory, 12
caded cipher system with dynamic control of (1980), 128–138.
error propagation”, Advances in Cryptology– [1025] , “Probabilistic algorithms in finite
Proceedings of CRYPTO 84 (LNCS 196), fields”, SIAM Journal on Computing, 9
174–190, 1985. (1980), 273–280.
[1012] G.B. P URDY, “A high security log-in pro- [1026] , “Fingerprinting by random polynomi-
cedure”, Communications of the ACM, 17 als”, TR-15-81, Center for Research in Com-
(1974), 442–445. puting Technology, Harvard University, 1981.
1997
References 745
[1027] , “Efficient dispersal of information for modes, and identifiers”, Internet Request for
security, load balancing, and fault tolerance”, Comments 1423, D. Balenson, February 1993
Journal of the Association for Computing Ma- (obsoletes RFC 1115, September 1989, J.
chinery, 36 (1989), 335–348. Linn).
[1028] T. R ABIN AND M. B EN -O R, “Verifiable se- [1039] RFC 1424, “Privacy enhancement for Inter-
cret sharing and multiparty protocols with net electronic mail – Part IV: Key certifica-
honest majority”, Proceedings of the 21st An- tion and related services”, Internet Request for
nual ACM Symposium on Theory of Comput- Comments 1424, B. Kaliski, February 1993.
ing, 73–85, 1989. [1040] RFC 1508, “Generic security service applica-
[1029] C. R ACKOFF AND D.R. S IMON, “Non- tion program interface”, Internet Request for
interactive zero-knowledge proof of knowl- Comments 1508, J. Linn, September 1993.
edge and chosen ciphertext attack”, Advances [1041] RFC 1510, “The Kerberos network authen-
in Cryptology–CRYPTO ’91 (LNCS 576), tication service (V5)”, Internet Request for
433–444, 1992. Comments 1510, J. Kohl and C. Neuman,
[1030] G. R AWLINS, Compared to What? An Intro- September 1993.
duction to the Analysis of Algorithms, Com- [1042] RFC 1521, “MIME (Multipurpose Internet
puter Science Press, New York, 1992. Mail Extensions) Part One: Mechanisms for
[1031] G. R EITWIESNER, “Binary arithmetic”, Ad- specifying and describing the format of In-
vances in Computers, 1 (1960), 231–308. ternet message bodies”, Internet Request for
[1032] T. R ENJI, “On finite automaton one-key cryp- Comments 1521, N. Borenstein and N. Freed,
tosystems”, R. Anderson, editor, Fast Soft- September 1993 (obsoletes RFC 1341).
ware Encryption, Cambridge Security Work- [1043] RFC 1750, “Randomness requirements for
shop (LNCS 809), 135–148, Springer-Verlag, security”, Internet Request for Comments
1994. 1750, D. Eastlake, S. Crocker and J. Schiller,
[1033] RFC 1319, “The MD2 message-digest algo- December 1994.
rithm”, Internet Request for Comments 1319, [1044] RFC 1828, “IP authentication using keyed
B. Kaliski, April 1992 (updates RFC 1115, MD5”, Internet Request for Comments 1828,
August 1989, J. Linn). P. Metzger and W. Simpson, August 1995.
[1034] RFC 1320, “The MD4 message-digest algo- [1045] RFC 1847, “Security multiparts for MIME:
rithm”, Internet Request for Comments 1320, Multipart/signed and multipart/encrypted”,
R.L. Rivest, April 1992 (obsoletes RFC 1186, Internet Request for Comments 1847, J.
October 1990, R. Rivest). Galvin, S. Murphy, S. Crocker and N. Freed,
[1035] RFC 1321, “The MD5 message-digest algo- October 1995.
rithm”, Internet Request for Comments 1321, [1046] RFC 1848, “MIME object security services”,
R.L. Rivest, April 1992 (presented at Rump Internet Request for Comments 1848, S.
Session of Crypto’91). Crocker, N. Freed, J. Galvin and S. Murphy,
[1036] RFC 1421, “Privacy enhancement for Inter- October 1995.
net electronic mail – Part I: Message encryp- [1047] RFC 1938, “A one-time password system”,
tion and authentication procedures”, Internet Internet Request for Comments 1938, N.
Request for Comments 1421, J. Linn, Febru- Haller and C. Metz, May 1996.
ary 1993 (obsoletes RFC 1113 – September [1048] V. R IJMEN , J. D AEMEN , B. P RENEEL ,
1989; RFC 1040 – January 1988; and RFC A. B OSSELAERS , AND E. D E W IN, “The
989 – February 1987, J. Linn). cipher SHARK”, D. Gollmann, editor, Fast
[1037] RFC 1422, “Privacy enhancement for Inter- Software Encryption, Third International
net electronic mail – Part II: Certificate-based Workshop (LNCS 1039), 99–111, Springer-
key management”, Internet Request for Com- Verlag, 1996.
ments 1422, S. Kent, February 1993 (obso- [1049] V. R IJMEN AND B. P RENEEL , “On weak-
letes RFC 1114, August 1989, S. Kent and J. nesses of non-surjective round functions”,
Linn). presented at the 2nd Workshop on Selected
[1038] RFC 1423, “Privacy enhancement for In- Areas in Cryptography (SAC’95), Ottawa,
ternet electronic mail – Part III: Algorithms, Canada, May 18–19 1995.

746 References
[1050] , “Improved characteristics for differ- Encryption, Second International Workshop

ential cryptanalysis of hash functions based (LNCS 1008), 305–328, Springer-Verlag,
on block ciphers”, B. Preneel, editor, Fast 1995.
Software Encryption, Second International [1065] P. R OGAWAY, “Bucket hashing and its ap-
Workshop (LNCS 1008), 242–248, Springer- plication to fast message authentication”, Ad-
Verlag, 1995. vances in Cryptology–CRYPTO ’95 (LNCS
[1051] R.L. R IVEST , “Are ‘strong’ primes needed 963), 29–42, 1995.
for RSA?”, unpublished manuscript, 1991. [1066] P. R OGAWAY AND D. C OPPERSMITH, “A
[1052] , “Remarks on a proposed cryptana- software-optimized encryption algorithm”,
lytic attack on the M.I.T. public-key cryp- R. Anderson, editor, Fast Software Encryp-
tosystem”, Cryptologia, 2 (1978), 62–65. tion, Cambridge Security Workshop (LNCS
[1053] , “Statistical analysis of the Hagelin 809), 56–63, Springer-Verlag, 1994.
cryptograph”, Cryptologia, 5 (1981), 27–32. [1067] N. R OGIER AND P. C HAUVAUD, “The com-
pression function of MD2 is not collision
[1054] , “Cryptography”, J. van Leeuwen, ed-
free”, workshop record, 2nd Workshop on Se-
itor, Handbook of Theoretical Computer Sci-
lected Areas in Cryptography (SAC’95), Ot-
ence, 719–755, Elsevier Science Publishers,
tawa, Canada, May 18–19 1995.
1990.
[1068] J. R OMPEL , “One-way functions are neces-
[1055] , “The MD4 message digest algorithm”,
sary and sufficient for secure signatures”, Pro-
ceedings of the 22nd Annual ACM Symposium
537), 303–311, 1991.
on Theory of Computing, 387–394, 1990.
[1056] , “The RC5 encryption algorithm”,
[1069] K.H. R OSEN, Elementary Number Theory
B. Preneel, editor, Fast Software Encryption,
and its Applications, Addison-Wesley, Read-
Second International Workshop (LNCS 1008),
ing, Massachusetts, 3rd edition, 1992.
[1070] J. R OSSER AND L. S CHOENFELD, “Approx-
[1057] R.L. R IVEST AND A. S HAMIR, “How to ex-
imate formulas for some functions of prime
pose an eavesdropper”, Communications of
numbers”, Illinois Journal of Mathematics, 6
the ACM, 27 (1984), 393–395.
(1962), 64–94.
[1058] , “Efficient factoring based on par-
[1071] RSA L ABORATORIES, “The Public-Key
tial information”, Advances in Cryptology–
Cryptography Standards – PKCS #11: Cryp-
EUROCRYPT ’85 (LNCS 219), 31–34, 1986.
tographic token interface standard”, RSA
[1059] R.L. R IVEST, A. S HAMIR , AND L.M. Data Security Inc., Redwood City, California,
A DLEMAN, “Cryptographic communications April 28 1995.
system and method”, U.S. Patent # 4,405,829,
[1072] , “The Public-Key Cryptography Stan-
20 Sep 1983.
dards (PKCS)”, RSA Data Security Inc., Red-
[1060] , “A method for obtaining digital signa- wood City, California, November 1993 Re-
tures and public-key cryptosystems”, Commu- lease.
nications of the ACM, 21 (1978), 120–126.
[1073] A.D. R UBIN AND P. H ONEYMAN, “Formal
[1061] R.L. R IVEST AND A.T. S HERMAN, “Ran- methods for the analysis of authentication pro-
domized encryption techniques”, Advances in tocols”, CITI Technical Report 93-7, Infor-
Cryptology–Proceedings of Crypto 82, 145– mation Technology Division, University of
163, 1983. Michigan, 1993.
[1062] M.J.B. R OBSHAW, “On evaluating the linear [1074] F. R UBIN, “Decrypting a stream cipher based
complexity of a sequence of least period 2n ”, on J-K flip-flops”, IEEE Transactions on
Designs, Codes and Cryptography, 4 (1994), Computers, 28 (1979), 483–487.
263–269. [1075] R.A. R UEPPEL , Analysis and Design of
[1063] , “Stream ciphers”, Technical Report Stream Ciphers, Springer-Verlag, Berlin,
TR-701 (version 2.0), RSA Laboratories, 1986.
1995. [1076] , “Correlation immunity and the sum-
[1064] M. R OE , “How to reverse engineer an EES mation generator”, Advances in Cryptology–
device”, B. Preneel, editor, Fast Software CRYPTO ’85 (LNCS 218), 260–272, 1986.
1997
References 747
[1077] , “Linear complexity and random se- [1090] M. S ANTHA AND U.V. VAZIRANI, “Gener-
quences”, Advances in Cryptology–EURO- ating quasi-random sequences from slightly-
CRYPT ’85 (LNCS 219), 167–188, 1986. random sources”, Proceedings of the IEEE
[1078] , “Key agreements based on func- 25th Annual Symposium on Foundations of
tion composition”, Advances in Cryptology– Computer Science, 434–440, 1984.
EUROCRYPT ’88 (LNCS 330), 3–10, 1988. [1091] , “Generating quasi-random sequences
[1079] , “On the security of Schnorr’s pseudo from semi-random sources”, Journal of Com-
random generator”, Advances in Cryptology– puter and System Sciences, 33 (1986), 75–87.
EUROCRYPT ’89 (LNCS 434), 423–428, An earlier version appeared in [1090].
1990. [1092] O. S CHIROKAUER, “Discrete logarithms and
[1080] , “A formal approach to security local units”, Philosophical Transactions of the
architectures”, Advances in Cryptology– Royal Society of London A, 345 (1993), 409–
EUROCRYPT ’91 (LNCS 547), 387–398, 423.
1991. [1093] B. S CHNEIER, “Description of a new
[1081] , “Stream ciphers”, G.J. Simmons, ed- variable-length key, 64-bit block cipher
itor, Contemporary Cryptology: The Science (Blowfish)”, R. Anderson, editor, Fast Soft-
of Information Integrity, 65–134, IEEE Press, ware Encryption, Cambridge Security Work-
1992. shop (LNCS 809), 191–204, Springer-Verlag,
[1082] , “Criticism of ISO CD 11166 banking 1994.
— key management by means of asymmet- [1094] , Applied Cryptography: Protocols, Al-
ric algorithms”, W. Wolfowicz, editor, Pro- gorithms, and Source Code in C, John Wiley
ceedings of the 3rd Symposium on State and & Sons, New York, 2nd edition, 1996.
Progress of Research in Cryptography, Rome,
Italy, 191–198, 1993. [1095] C.P. S CHNORR, “Method for identifying sub-
scribers and for generating and verifying elec-
[1083] R.A. R UEPPEL , A. L ENSTRA , M. S MID , tronic signatures in a data exchange system”,
K. M C C URLEY, Y. D ESMEDT, A. O DLYZKO , U.S. Patent # 4,995,082, 19 Feb 1991.
AND P. L ANDROCK, “The Eurocrypt ’92 con-
troversial issue: trapdoor primes and mod- [1096] , “On the construction of random num-
uli”, Advances in Cryptology–EUROCRYPT ber generators and random function genera-
’92 (LNCS 658), 194–199, 1993. tors”, Advances in Cryptology–EUROCRYPT
’88 (LNCS 330), 225–232, 1988.
[1084] R.A. R UEPPEL AND J.L. M ASSEY, “The
knapsack as a non-linear function”, IEEE In- [1097] , “Efficient identification and signatures
ternational Symposium on Information The- for smart cards”, Advances in Cryptology–
ory (Abstracts), p.46, 1985. CRYPTO ’89 (LNCS 435), 239–252, 1990.
[1085] R.A. R UEPPEL AND O.J. S TAFFELBACH, [1098] , “Efficient signature generation by
“Products of linear recurring sequences with smart cards”, Journal of Cryptology, 4 (1991),
maximum complexity”, IEEE Transactions 161–174.
on Information Theory, 33 (1987), 124–131. [1099] C.P. S CHNORR AND M. E UCHNER, “Lat-
[1086] R.A. R UEPPEL AND P.C. VAN O ORSCHOT , tice basis reduction: Improved practical al-
“Modern key agreement techniques”, Com- gorithms and solving subset sum problems”,
puter Communications, 17 (1994), 458–465. L. Budach, editor, Fundamentals of Compu-
[1087] A. R USSELL , “Necessary and sufficient con- tation Theory (LNCS 529), 68–85, Springer-
ditions for collision-free hashing”, Advances Verlag, 1991.
in Cryptology–CRYPTO ’92 (LNCS 740), [1100] C.P. S CHNORR AND H.H. H ÖRNER, “At-
433–441, 1993. tacking the Chor-Rivest cryptosystem by
[1088] , “Necessary and sufficient conditions improved lattice reduction”, Advances in
for collision-free hashing”, Journal of Cryp- Cryptology–EUROCRYPT ’95 (LNCS 921),
tology, 8 (1995), 87–99. An earlier version 1–12, 1995.
appeared in [1087]. [1101] A. S CH ÖNHAGE , “A lower bound for the
[1089] A. S ALOMAA, Public-key Cryptography, length of addition chains”, Theoretical Com-
Springer-Verlag, Berlin, 1990. puter Science, 1 (1975), 1–12.

748 References
[1102] A.W. S CHRIFT AND A. S HAMIR, “On the [1115] , “Identity-based cryptosystems and
universality of the next bit test”, Advances in signature schemes”, Advances in Cryptology–
Cryptology–CRYPTO ’90 (LNCS 537), 394– Proceedings of CRYPTO 84 (LNCS 196), 47–
408, 1991. 53, 1985.
[1103] , “Universal tests for nonuniform dis- [1116] , “An efficient identification scheme
tributions”, Journal of Cryptology, 6 (1993), based on permuted kernels”, Advances in
119–133. An earlier version appeared in Cryptology–CRYPTO ’89 (LNCS 435), 606–
[1102]. 609, 1990.
[1104] F. S CHWENK AND J. E ISFELD, “Public [1117] , “RSA for paranoids”, CryptoBytes, 1
key encryption and signature schemes based (Autumn 1995), 1–4.
on polynomials over Zn ”, Advances in
[1118] A. S HAMIR AND A. F IAT , “Method, appa-
ratus and article for identification and signa-
60–71, 1996.
ture”, U.S. Patent # 4,748,668, 31 May 1988.
[1105] R. S EDGEWICK, Algorithms, Addison-
[1119] M. S HAND AND J. V UILLEMIN, “Fast imple-
Wesley, Reading, Massachusetts, 2nd edition,
mentations of RSA cryptography”, Proceed-
1988.
ings of the 11th IEEE Symposium on Com-
[1106] R. S EDGEWICK , T.G. S ZYMANSKI , AND puter Arithmetic, 252–259, 1993.
A.C. YAO, “The complexity of finding cycles
in periodic functions”, SIAM Journal on Com- [1120] C.E. S HANNON, “A mathematical theory of
puting, 11 (1982), 376–390. communication”, Bell System Technical Jour-
nal, 27 (1948), 379–423, 623–656.
[1107] E.S. S ELMER, “Linear recurrence relations
over finite fields”, Department of Mathemat- [1121] , “Communication theory of secrecy
ics, University of Bergen, Norway, 1966. systems”, Bell System Technical Journal, 28
(1949), 656–715.
[1108] J. S HALLIT , “On the worst case of three al-
gorithms for computing the Jacobi symbol”, [1122] , “Prediction and entropy of printed
Journal of Symbolic Computation, 10 (1990), English”, Bell System Technical Journal, 30
593–610. (1951), 50–64.
[1109] A. S HAMIR, “A fast signature scheme”, [1123] J. S HAWE -TAYLOR, “Generating strong
MIT/LCS/TM-107, MIT Laboratory for Com- primes”, Electronics Letters, 22 (July 31,
puter Science, 1978. 1986), 875–877.
[1110] , “How to share a secret”, Communica- [1124] S. S HEPHERD, “A high speed software imple-
tions of the ACM, 22 (1979), 612–613. mentation of the Data Encryption Standard”,
Computers & Security, 14 (1995), 349–357.
[1111] , “On the generation of cryptograph-
ically strong pseudo-random sequences”, [1125] A. S HIMIZU AND S. M IYAGUCHI, “Data
S. Even and O. Kariv, editors, Automata, Lan- randomization equipment”, U.S. Patent #
guages, and Programming, 8th Colloquium 4,850,019, 18 Jul 1989.
(LNCS 115), 544–550, Springer-Verlag, 1981. [1126] , “Fast data encipherment algo-
[1112] , “On the generation of cryptographi- rithm FEAL”, Advances in Cryptology–
cally strong pseudorandom sequences”, ACM EUROCRYPT ’87 (LNCS 304), 267–278,
Transactions on Computer Systems, 1 (1983), 1988.
38–44. An earlier version appeared in [1111]. [1127] Z. S HMUELY, “Composite Diffie-Hellman
[1113] , “A polynomial time algorithm public-key generating systems are hard to
for breaking the basic Merkle-Hellman break”, Technical Report #356, TECHNION
cryptosystem”, Advances in Cryptology– – Israel Institute of Technology, Computer
Proceedings of Crypto 82, 279–288, 1983. Science Department, 1985.
[1114] , “A polynomial-time algorithm for [1128] P.W. S HOR, “Algorithms for quantum com-
breaking the basic Merkle-Hellman cryp- putation: discrete logarithms and factoring”,
tosystem”, IEEE Transactions on Information Proceedings of the IEEE 35th Annual Sym-
Theory, 30 (1984), 699–704. An earlier ver- posium on Foundations of Computer Science,
sion appeared in [1113]. 124–134, 1994.
1997
References 749
[1129] V. S HOUP, “New algorithms for finding irre- [1144] , “A survey of information authentica-
ducible polynomials over finite fields”, Math- tion”, G.J. Simmons, editor, Contemporary
ematics of Computation, 54 (1990), 435–447. Cryptology: The Science of Information In-
[1130] , “Searching for primitive roots in fi- tegrity, 379–419, IEEE Press, 1992.
nite fields”, Mathematics of Computation, 58 [1145] , “An introduction to shared secret
(1992), 369–380. and/or shared control schemes and their appli-
[1131] , “Fast construction of irreducible poly- cation”, G.J. Simmons, editor, Contemporary
nomials over finite fields”, Journal of Sym- Cryptology: The Science of Information In-
bolic Computation, 17 (1994), 371–391. tegrity, 441–497, IEEE Press, 1992.
[1132] T. S IEGENTHALER, “Correlation-immunity [1146] , “How to insure that data acquired
of nonlinear combining functions for crypto- to verify treaty compliance are trustworthy”,
graphic applications”, IEEE Transactions on G.J. Simmons, editor, Contemporary Cryp-
Information Theory, 30 (1984), 776–780. tology: The Science of Information Integrity,
615–630, IEEE Press, 1992.
[1133] , “Decrypting a class of stream ciphers
using ciphertext only”, IEEE Transactions on [1147] , “The subliminal channels in the U.S.
Computers, 34 (1985), 81–85. Digital Signature Algorithm (DSA)”, W. Wol-
[1134] , “Cryptanalysts representation of non- fowicz, editor, Proceedings of the 3rd Sym-
linearly filtered ML-sequences”, Advances in posium on State and Progress of Research in
Cryptology–EUROCRYPT ’85 (LNCS 219), Cryptography, Rome, Italy, 35–54, 1993.
103–110, 1986. [1148] , “Proof of soundness (integrity) of
[1135] R.D. S ILVERMAN, “The multiple polynomial cryptographic protocols”, Journal of Cryptol-
quadratic sieve”, Mathematics of Computa- ogy, 7 (1994), 69–77.
tion, 48 (1987), 329–339. [1149] , “Subliminal communication is easy
[1136] R.D. S ILVERMAN AND S.S. WAGSTAFF J R ., using the DSA”, Advances in Cryptology–
“A practical analysis of the elliptic curve fac- EUROCRYPT ’93 (LNCS 765), 218–232,
toring algorithm”, Mathematics of Computa- 1994.
tion, 61 (1993), 445–462. [1150] , “Protocols that ensure fairness”, P.G.
[1137] G.J. S IMMONS, “A “weak” privacy protocol Farrell, editor, Codes and Cyphers: Cryptog-
using the RSA crypto algorithm”, Cryptolo- raphy and Coding IV, 383–394, Institute of
gia, 7 (1983), 180–182. Mathematics & Its Applications (IMA), 1995.
[1138] , “Authentication theory/coding the- [1151] G.J. S IMMONS AND M.J. N ORRIS, “Prelimi-
ory”, Advances in Cryptology–Proceedings of nary comments on the M.I.T. public-key cryp-
CRYPTO 84 (LNCS 196), 411–431, 1985. tosystem”, Cryptologia, 1 (1977), 406–414.
[1139] , “The subliminal channel and dig- [1152] A. S INKOV, Elementary Cryptanalysis: A
ital signatures”, Advances in Cryptology– Mathematical Approach, Random House,
Proceedings of EUROCRYPT 84 (LNCS 209), New York, 1968.
364–378, 1985. [1153] M.E. S MID, “Integrating the Data Encryp-
[1140] , “A secure subliminal channel (?)”, Ad- tion Standard into computer networks”, IEEE
vances in Cryptology–CRYPTO ’85 (LNCS Transactions on Communications, 29 (1981),
218), 33–41, 1986. 762–772.
[1141] , “How to (really) share a secret”, Ad- [1154] M.E. S MID AND D.K. B RANSTAD, “Crypto-
vances in Cryptology–CRYPTO ’88 (LNCS graphic key notarization methods and appara-
403), 390–448, 1990. tus”, U.S. Patent # 4,386,233, 31 May 1983.
[1142] , “Prepositioned shared secret and/or [1155] , “The Data Encryption Standard: Past
shared control schemes”, Advances in and future”, Proceedings of the IEEE, 76
Cryptology–EUROCRYPT ’89 (LNCS 434), (1988), 550–559.
436–467, 1990. [1156] , “The Data Encryption Standard: Past
[1143] , “Contemporary cryptology: a fore- and future”, G.J. Simmons, editor, Contempo-
word”, G.J. Simmons, editor, Contemporary rary Cryptology: The Science of Information
Cryptology: The Science of Information In- Integrity, 43–64, IEEE Press, 1992. Appeared
tegrity, vii–xv, IEEE Press, 1992. earlier as [1155].

750 References
[1157] , “Response to comments on the NIST [1170] J. S TEIN, “Computational problems associ-
proposed digital signature standard”, Ad- ated with Racah algebra”, Journal of Compu-
vances in Cryptology–CRYPTO ’92 (LNCS tational Physics, 1 (1967), 397–405.
740), 76–88, 1993. [1171] J.G. S TEINER , C. N EUMAN , AND J.I.
[1158] D.R. S MITH AND J.T. PALMER, “Univer- S CHILLER, “Kerberos: an authentication ser-
sal fixed messages and the Rivest-Shamir- vice for open network systems”, Proceedings
Adleman cryptosystem”, Mathematika, 26 of the Winter 1988 Usenix Conference, 191–
(1979), 44–52. 201, 1988.
[1159] J.L. S MITH, “Recirculating block ci- [1172] M. S TEINER , G. T SUDIK , AND M. WAID -
NER , “Refinement and extension of encrypted
pher cryptographic system”, U.S. Patent #
3,796,830, 12 Mar 1974. key exchange”, Operating Systems Review,
29:3 (1995), 22–30.
[1160] , “The design of Lucifer: A cryp-
[1173] J. S TERN, “Secret linear congruential gener-
tographic device for data communications”,
ators are not cryptographically secure”, Pro-
IBM Research Report RC 3326, IBM T.J.
ceedings of the IEEE 28th Annual Symposium
Watson Research Center, Yorktown Heights,
on Foundations of Computer Science, 421–
N.Y., 10598, U.S.A., Apr. 15 1971.
426, 1987.
[1161] P. S MITH AND M. L ENNON, “LUC: A new [1174] , “An alternative to the Fiat-Shamir pro-
public key system”, E. Dougall, editor, Pro- tocol”, Advances in Cryptology–EUROCRY-
ceedings of the IFIP TC11 Ninth International PT ’89 (LNCS 434), 173–180, 1990.
Conference on Information Security, IFIP/Sec
[1175] , “Designing identification schemes
93, 103–117, North-Holland, 1993.
with keys of short size”, Advances in
[1162] P. S MITH AND C. S KINNER, “A public-key Cryptology–CRYPTO ’94 (LNCS 839), 164–
cryptosystem and a digital signature system 173, 1994.
based on the Lucas function analogue to dis- [1176] , “A new identification scheme based
crete logarithms”, Advances in Cryptology– on syndrome decoding”, Advances in
ASIACRYPT ’94 (LNCS 917), 357–364, 1995. Cryptology–CRYPTO ’93 (LNCS 773), 13–
[1163] R. S OLOVAY AND V. S TRASSEN, “A fast 21, 1994.
Monte-Carlo test for primality”, SIAM Jour- [1177] D.R. S TINSON, “An explication of secret
nal on Computing, 6 (1977), 84–85. Erratum sharing schemes”, Designs, Codes and Cryp-
in ibid, 7 (1978), 118. tography, 2 (1992), 357–390.
[1164] J. S ORENSON, “Two fast gcd algorithms”, [1178] , Cryptography: Theory and Practice,
Journal of Algorithms, 16 (1994), 110–144. CRC Press, Boca Raton, Florida, 1995.
[1165] A. S ORKIN, “Lucifer, a cryptographic algo- [1179] S.G. S TUBBLEBINE AND V.D. G LIGOR, “On
rithm”, Cryptologia, 8 (1984), 22–35. message integrity in cryptographic protocols”,
Proceedings of the 1992 IEEE Computer So-
[1166] M. S TADLER , J.-M. P IVETEAU , AND J. C A -
ciety Symposium on Research in Security and
MENISCH, “Fair blind signatures”, Advances
Privacy, 85–104, 1992.
in Cryptology–EUROCRYPT ’95 (LNCS
921), 209–219, 1995. [1180] D.J. S YKES, “The management of encryption
keys”, D.K. Branstad, editor, Computer secu-
[1167] O. S TAFFELBACH AND W. M EIER, “Cryp- rity and the Data Encryption Standard, 46–53,
tographic significance of the carry for ci- NBS Special Publication 500-27, U.S. Depart-
phers based on integer addition”, Advances in ment of Commerce, National Bureau of Stan-
Cryptology–CRYPTO ’90 (LNCS 537), 601– dards, Washington, D.C., 1977.
614, 1991.
[1181] P. S YVERSON, “Knowledge, belief and se-
[1168] W. S TAHNKE , “Primitive binary polynomi- mantics in the analysis of cryptographic proto-
als”, Mathematics of Computation, 27 (1973), cols”, Journal of Computer Security, 1 (1992),
977–980. 317–334.
[1169] D.G. S TEER , L. S TRAWCZYNSKI , W. D IFF - [1182] , “A taxonomy of replay attacks”, Pro-
IE , AND M. W IENER , “A secure audio tele- ceedings of the Computer Security Founda-
conference system”, Advances in Cryptology– tions Workshop VII (CSFW 1994), 187–191,
CRYPTO ’88 (LNCS 403), 520–528, 1990. IEEE Computer Society Press, 1994.
1997
References 751
[1183] P. S YVERSON AND P. VAN O ORSCHOT , “On on Fundamentals of Electronics, Communica-

unifying some cryptographic protocol logics”, tions and Computer Science, E78-A (1995),
Proceedings of the 1994 IEEE Computer So- 1148–1153. An earlier version appeared in
ciety Symposium on Research in Security and [1192].
Privacy, 14–28, 1994. [1194] M. T OMPA AND H. W OLL , “Random self-
[1184] K. TANAKA AND E. O KAMOTO, “Key dis- reducibility and zero-knowledge interactive
tribution using id-related information direc- proofs of possession of information”, Pro-
tory suitable for mail systems”, Proceedings ceedings of the IEEE 28th Annual Symposium
of the 8th Worldwide Congress on Computer on Foundations of Computer Science, 472–
and Communications Security and Protection 482, 1987.
(SECURICOM’90), 115–122, 1990. [1195] , “How to share a secret with cheaters”,
[1185] A. TARAH AND C. H UITEMA, “Associating Journal of Cryptology, 1 (1988), 133–138.
metrics to certification paths”, Y. Deswarte, [1196] G. T SUDIK, “Message authentication with
G. Eizenberg, and J.-J. Quisquater, editors, one-way hash functions”, Computer Commu-
Second European Symposium on Research nication Review, 22 (1992), 29–38.
in Computer Security – ESORICS’92 (LNCS
648), 175–189, Springer-Verlag, 1992. [1197] S. T SUJII AND J. C HAO, “A new ID-
based key sharing system”, Advances in
[1186] J.J. TARDO AND K. A LAGAPPAN, “SPX: Cryptology–CRYPTO ’91 (LNCS 576), 288–
Global authentication using public key certifi- 299, 1992.
cates”, Proceedings of the IEEE Symposium
[1198] W. T UCHMAN, “Integrated system design”,
on Research in Security and Privacy, 232–
D.K. Branstad, editor, Computer security and
244, 1991.
the Data Encryption Standard, 94–96, NBS
[1187] A. TARDY-C ORFDIR AND H. G ILBERT , “A Special Publication 500-27, U.S. Department
known plaintext attack of FEAL-4 and FEAL- of Commerce, National Bureau of Standards,
6”, Advances in Cryptology–CRYPTO ’91 Washington, D.C., 1977.
(LNCS 576), 172–182, 1992.
[1199] , “Hellman presents no shortcut solu-
[1188] M. TATEBAYASHI , N. M ATSUZAKI , AND tions to the DES”, IEEE Spectrum, 16 (1979),
D.B. N EWMAN J R ., “Key distribution pro- 40–41.
tocol for digital mobile communication sys-
[1200] J. VAN DE G RAAF AND R. P ERALTA, “A sim-
tems”, Advances in Cryptology–CRYPTO ’89
ple and secure way to show the validity of
(LNCS 435), 324–334, 1990.
your public key”, Advances in Cryptology–
[1189] R. TAYLOR, “An integrity check value al- CRYPTO ’87 (LNCS 293), 128–134, 1988.
gorithm for stream ciphers”, Advances in
[1201] E. VAN H EIJST AND T.P. P EDERSEN, “How
to make efficient fail-stop signatures”, Ad-
48, 1994.
vances in Cryptology–EUROCRYPT ’92
[1190] J.A. T HIONG LY, “A serial version of the (LNCS 658), 366–377, 1993.
Pohlig-Hellman algorithm for computing dis-
[1202] E. VAN H EIJST, T.P. P EDERSEN , AND
crete logarithms”, Applicable Algebra in En-
B. P FITZMANN, “New constructions of fail-
gineering, Communication and Computing, 4
stop signatures and lower bounds”, Advances
(1993), 77–80.
[1191] J. T HOMPSON, “S/MIME message specifica- 30, 1993.
tion – PKCS security services for MIME”, [1203] P. VAN O ORSCHOT , “A comparison of prac-
RSA Data Security Inc., Aug. 29 1995, tical public key cryptosystems based on in-
http://www.rsa.com/. teger factorization and discrete logarithms”,
[1192] T. T OKITA , T. S ORIMACHI , AND M. M AT- G.J. Simmons, editor, Contemporary Cryp-
SUI , “Linear cryptanalysis of LOKI and tology: The Science of Information Integrity,
s2 DES”, Advances in Cryptology–ASIACRY- 289–322, IEEE Press, 1992.
PT ’94 (LNCS 917), 293–303, 1995. [1204] , “Extending cryptographic logics of
[1193] , “On applicability of linear cryptanal- belief to key agreement protocols”, 1st ACM
ysis to DES-like cryptosystems – LOKI89, Conference on Computer and Communica-
LOKI91 and s2 DES”, IEICE Transactions tions Security, 232–243, ACM Press, 1993.

752 References
[1205] , “An alternate explanation of two quasi-random sequences from two communi-
BAN-logic “failures””, Advances in Crypto- cating slightly-random sources”, Proceedings
logy–EUROCRYPT ’93 (LNCS 765), 443– of the 17th Annual ACM Symposium on The-
447, 1994. ory of Computing, 366–378, 1985.
[1206] P. VAN O ORSCHOT AND M. W IENER, [1218] U.V. VAZIRANI AND V.V. VAZIRANI, “Effi-
“A known-plaintext attack on two-key cient and secure pseudo-random number gen-
triple encryption”, Advances in Cryptology– eration”, Proceedings of the IEEE 25th An-
EUROCRYPT ’90 (LNCS 473), 318–325, nual Symposium on Foundations of Computer
1991. Science, 458–463, 1984. This paper also ap-
[1207] , “Parallel collision search with appli- peared in [1219].
cations to hash functions and discrete log- [1219] , “Efficient and secure pseudo-
arithms”, 2nd ACM Conference on Com- random number generation”, Advances in
puter and Communications Security, 210– Cryptology–Proceedings of CRYPTO 84
218, ACM Press, 1994. (LNCS 196), 193–202, 1985.
[1208] , “Improving implementable meet-in- [1220] K. V EDDER, “Security aspects of mobile
the-middle attacks by orders of magnitude”, communications”, B. Preneel, R. Govaerts,
Advances in Cryptology–CRYPTO ’96 (LNCS and J. Vandewalle, editors, Computer Secu-
1109), 229–236, 1996. rity and Industrial Cryptography: State of
[1209] , “On Diffie-Hellman key agree- the Art and Evolution (LNCS 741), 193–210,
ment with short exponents”, Advances in Springer-Verlag, 1993.
Cryptology–EUROCRYPT ’96 (LNCS 1070), [1221] G.S. V ERNAM, “Secret signaling system”,
332–343, 1996. U.S. Patent # 1,310,719, 22 Jul 1919.
[1210] H.C.A. VAN T ILBORG, An Introduction to [1222] , “Cipher printing telegraph systems for
Cryptology, Kluwer Academic Publishers, secret wire and radio telegraphic communica-
Boston, 1988. tions”, Journal of the American Institute for
[1211] , “Authentication codes: an area where Electrical Engineers, 55 (1926), 109–115.
coding and cryptology meet”, C. Boyd, edi- [1223] J. VON N EUMANN, “Various techniques used
tor, Cryptography and Coding, 5th IMA Con- in connection with random digits”, Applied
ference, Proceedings, 169–183, Institute of Mathematics Series, U.S. National Bureau of
Mathematics & Its Applications (IMA), 1995. Standards, 12 (1951), 36–38.
[1212] J. VAN T ILBURG, “On the McEliece public- [1224] J. VON ZUR G ATHEN AND V. S HOUP, “Com-
key cryptosystem”, Advances in Cryptology– puting Frobenius maps and factoring polyno-
CRYPTO ’88 (LNCS 403), 119–131, 1990. mials”, Computational Complexity, 2 (1992),
[1213] S.A. VANSTONE AND R.J. Z UCCHERATO, 187–224.
“Elliptic curve cryptosystems using curves of [1225] V.L. V OYDOCK AND S.T. K ENT , “Security
smooth order over the ring Zn ”, IEEE Trans- mechanisms in high-level network protocols”,
actions on Information Theory, to appear. Computing Surveys, 15 (1983), 135–171.
[1214] , “Short RSA keys and their genera- [1226] D. WACKERLY, W. M ENDENHALL III, AND
tion”, Journal of Cryptology, 8 (1995), 101– R. S CHEAFFER, Mathematical Statistics with
114. Applications, Duxbury Press, Belmont, Cali-
[1215] S. VAUDENAY, “On the need for multipermu- fornia, 5th edition, 1996.
tations: Cryptanalysis of MD4 and SAFER”, [1227] M. WAIDNER AND B. P FITZMANN, “The
B. Preneel, editor, Fast Software Encryption, dining cryptographers in the disco: Uncon-
Second International Workshop (LNCS 1008), ditional sender and recipient untraceability
286–297, Springer-Verlag, 1995. with computationally secure serviceability”,
[1216] , “On the weak keys of Blowfish”, Advances in Cryptology–EUROCRYPT ’89
D. Gollmann, editor, Fast Software Encryp- (LNCS 434), 690, 1990.
tion, Third International Workshop (LNCS [1228] C.P. WALDVOGEL AND J.L. M ASSEY, “The
1039), 27–32, Springer-Verlag, 1996. probability distribution of the Diffie-Hellman
[1217] U.V. VAZIRANI, “Towards a strong com- key”, Advances in Cryptology–AUSCRYPT
munication complexity theory, or generating ’92 (LNCS 718), 492–504, 1993.
1997
References 753
[1229] S.T. WALKER , S.B. L IPNER , C.M. E LLI - [1242] S. W IESNER, “Conjugate coding”, SIGACT
SON , AND D.M. B ALENSON, “Commercial News, 15 (1983), 78–88. Original manuscript
key recovery”, Communications of the ACM, (circa 1970).
39 (1996), 41–47. [1243] H.S. W ILF, “Backtrack: An O(1) expected
[1230] C.D. WALTER, “Faster modular multipli- time algorithm for the graph coloring prob-
cation by operand scaling”, Advances in lem”, Information Processing Letters, 18
Cryptology–CRYPTO ’91 (LNCS 576), 313– (1984), 119–121.
323, 1992. [1244] M.V. W ILKES, Time-Sharing Computer Sys-
[1231] P.C. WAYNER, “Content-addressable search tems, American Elsevier Pub. Co., New York,
engines and DES-like systems”, Advances in 3rd edition, 1975.
Cryptology–CRYPTO ’92 (LNCS 740), 575– [1245] F. W ILLEMS, “Universal data compression
586, 1993. and repetition times”, IEEE Transactions on
Information Theory, 35 (1989), 54–58.
[1232] D. W EBER, “An implementation of the gen-
eral number field sieve to compute discrete [1246] H.C. W ILLIAMS, “A modification of the
logarithms mod p”, Advances in Cryptology– RSA public-key encryption procedure”, IEEE
EUROCRYPT ’95 (LNCS 921), 95–105, 1995. Transactions on Information Theory, 26
(1980), 726–729.
[1233] A.F. W EBSTER AND S.E. TAVARES, “On the
design of S-boxes”, Advances in Cryptology– [1247] , “A p + 1 method of factoring”, Math-
CRYPTO ’85 (LNCS 218), 523–534, 1986. ematics of Computation, 39 (1982), 225–234.
[1248] , “Some public-key crypto-functions as
[1234] M.N. W EGMAN AND J.L. C ARTER, “New
intractable as factorization”, Cryptologia, 9
hash functions and their use in authentication
(1985), 223–237.
and set equality”, Journal of Computer and
System Sciences, 22 (1981), 265–279. [1249] H.C. W ILLIAMS AND B. S CHMID, “Some re-
marks concerning the M.I.T. public-key cryp-
[1235] D. W ELSH, Codes and Cryptography, tosystem”, BIT, 19 (1979), 525–538.
Clarendon Press, Oxford, 1988.
[1250] R.S. W INTERNITZ , “A secure one-way hash
[1236] A.E. W ESTERN AND J.C.P. M ILLER, Ta- function built from DES”, Proceedings of the
bles of Indices and Primitive Roots, volume 9, 1984 IEEE Symposium on Security and Pri-
Royal Society Mathematical Tables, Cam- vacy, 88–90, 1984.
bridge University Press, 1968.
[1251] S. W OLFRAM, “Cryptography with cellular
[1237] D.J. W HEELER, “A bulk data encryption al- automata”, Advances in Cryptology–CRYPTO
gorithm”, R. Anderson, editor, Fast Software ’85 (LNCS 218), 429–432, 1986.
Encryption, Cambridge Security Workshop [1252] , “Random sequence generation by cel-
(LNCS 809), 127–134, Springer-Verlag, 1994. lular automata”, Advances in Applied Mathe-
[1238] D.J. W HEELER AND R.M. N EEDHAM, matics, 7 (1986), 123–169.
“TEA, a tiny encryption algorithm”, B. Pre- [1253] H. W OLL , “Reductions among number the-
neel, editor, Fast Software Encryption, Second oretic problems”, Information and Computa-
International Workshop (LNCS 1008), 363– tion, 72 (1987), 167–179.
366, Springer-Verlag, 1995.
[1254] A.D. W YNER, “The wire-tap channel”, Bell
[1239] D.H. W IEDEMANN, “Solving sparse linear System Technical Journal, 54 (1975), 1355–
equations over finite fields”, IEEE Transac- 1387.
tions on Information Theory, 32 (1986), 54– [1255] Y. YACOBI, “A key distribution “paradox””,
62. Advances in Cryptology–CRYPTO ’90 (LNCS
[1240] M.J. W IENER, “Cryptanalysis of short RSA 537), 268–273, 1991.
secret exponents”, IEEE Transactions on In- [1256] Y. YACOBI AND Z. S HMUELY, “On key dis-
formation Theory, 36 (1990), 553–558. tribution systems”, Advances in Cryptology–
[1241] , “Efficient DES key search”, Technical CRYPTO ’89 (LNCS 435), 344–355, 1990.
Report TR-244, School of Computer Science, [1257] A.C. YAO, “On the evaluation of powers”,
Carleton University, Ottawa, 1994. Presented SIAM Journal on Computing, 5 (1976), 100–
at Crypto ’93 rump session. 103.

754 References
[1258] , “Theory and applications of trapdoor [1268] Y. Z HENG , J. P IEPRZYK , AND J. S EBERRY,
functions”, Proceedings of the IEEE 23rd An- “HAVAL – a one-way hashing algorithm
nual Symposium on Foundations of Computer with variable length of output”, Advances in
Science, 80–91, 1982. Cryptology–AUSCRYPT ’92 (LNCS 718), 83–
[1259] S.-M. Y EN AND C.-S. L AIH, “New digi- 104, 1993.
tal signature scheme based on discrete log-
[1269] Y. Z HENG AND J. S EBERRY, “Immunizing
arithm”, Electronics Letters, 29 (June 10,
public key cryptosystems against chosen ci-
1993), 1120–1121.
phertext attacks”, IEEE Journal on Selected
[1260] C. Y UEN, “Testing random number genera- Areas in Communications, 11 (1993), 715–
tors by Walsh transform”, IEEE Transactions 724.
on Computers, 26 (1977), 329–333.
[1261] D. Y UN, “Fast algorithm for rational function [1270] N. Z IERLER, “Primitive trinomials whose de-
integration”, Information Processing 77: Pro- gree is a Mersenne exponent”, Information
ceedings of IFIP Congress 77, 493–498, 1977. and Control, 15 (1969), 67–69.
[1262] G. Y UVAL , “How to swindle Rabin”, Cryp- [1271] N. Z IERLER AND J. B RILLHART , “On prim-
tologia, 3 (1979), 187–190. itive trinomials (mod 2)”, Information and
[1263] K. Z ENG AND M. H UANG, “On the lin- Control, 13 (1968), 541–554.
ear syndrome method in cryptanalysis”, Ad-
vances in Cryptology–CRYPTO ’88 (LNCS [1272] P.R. Z IMMERMANN, The Official PGP
403), 469–478, 1990. User’s Guide, MIT Press, Cambridge, Mas-
[1264] K. Z ENG , C.-H. YANG , AND T.R.N. R AO, sachusetts, 1995 (second printing).
“On the linear consistency test (LCT) in
[1273] J. Z IV AND A. L EMPEL , “On the complexity
cryptanalysis with applications”, Advances in
of finite sequences”, IEEE Transactions on In-
formation Theory, 22 (1976), 75–81.
174, 1990.
[1265] , “An improved linear syndrome algo- [1274] M. Ž IVKOVI Ć, “An algorithm for the initial
rithm in cryptanalysis with applications”, Ad- state reconstruction of the clock-controlled
vances in Cryptology–CRYPTO ’90 (LNCS shift register”, IEEE Transactions on Infor-
537), 34–47, 1991. mation Theory, 37 (1991), 1488–1490.
[1266] K. Z ENG , C.-H. YANG , D.-Y W EI , AND
[1275] , “A table of primitive binary polynomi-
T.R.N. R AO, “Pseudorandom bit generators
als”, Mathematics of Computation, 62 (1994),
in stream-cipher cryptography”, Computer,
385–386.
24 (1991), 8–17.
[1267] C. Z HANG, “An improved binary algorithm [1276] , “Table of primitive binary polyno-
for RSA”, Computers and Mathematics with mials. II”, Mathematics of Computation, 63
Applications, 25:6 (1993), 15–24. (1994), 301–306.
1997

References

Uploaded by

Copyright:

Available Formats

You might also like

References

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

References

Uploaded by

Copyright:

Available Formats

This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[77] U. B AUM AND S. B LACKBURN, “Clock- [88] M. B ELLARE , O. G OLDREICH , AND

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[143] S. B LACKBURN , S. M URPHY, AND J. S TE - [155] D. B LEICHENBACHER AND U. M AURER,

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

S. K UTTEN , U. VACCARO , AND M. Y UNG, able signatures”, Advances in Cryptology–

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[263] H. C OHEN, A Course in Computational Al- [277] D. C OPPERSMITH , M. F RANKLIN , J. PATA -

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[339] Y. D ESMEDT AND M. B URMESTER, “To- [352] H. D OBBERTIN, “Cryptanalysis of MD4”,

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[505] L. G ONG , R. N EEDHAM , AND R. YA - 2-adic numbers”, Advances in Cryptology–

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[646] D. J UNGNICKEL , Finite Fields: Structure networks”, IEEE Transactions on Computers,

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

schemes”, Advances in Cryptology–CRYPTO wide Congress on Computer and Commu-

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[1050] , “Improved characteristics for differ- Encryption, Second International Workshop

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

[1183] P. S YVERSON AND P. VAN O ORSCHOT , “On on Fundamentals of Electronics, Communica-

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

You might also like