. 3
( 8)



/*printf("Round %03d: %081x %081x sk: %081x %08lx\n",
i/2,d[0l,d[ll,sk[il,skCi+ll); *!
d[ll -= sk[i+ll;
rc = d[Ol & 31;
d[ll = ROTR32(dCll,rc);
d[l] '= d[Ol;

dCO1 -= sk[il;
rc = d[ll & 31;
drol = ROTR32(dCOl,rc);
d[Ol '= d[ll;
d[O] -= c->xkCOl;
d[l] -= c->xkCll;

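void rc5_key(rc5_ctx *c, u1 *key, int keylen){
	/*
	 * RC5 key schedule: expand the `keylen` bytes at `key` into the
	 * round-subkey table c->xk, which has 2*nr + 2 words (nr from c->nr).
	 *
	 * Key bytes are packed into words least-significant byte first.  The
	 * listing copied them through a (u1 *) alias of the word array, which
	 * yields this layout only on little-endian hosts ("should work on Intel
	 * machines"); the explicit packing below is host-independent.
	 *
	 * Changes from the listing:
	 *  - A and B are zeroed before the mixing loop (the listing read them
	 *    uninitialized) and the loop over num_steps is spelled out
	 *    (num_steps was computed but never used).
	 *  - An empty key is padded to one zero word, as RC5 specifies
	 *    (c = max(1, ceil(b/4))), instead of taking i % 0 below.
	 *  - The buffer is sized from sizeof *pk; the listing allocated
	 *    pk_len*4 bytes, which overflows the heap if u4 is wider than 4.
	 *  - The padded key is wiped through a volatile pointer so the clear
	 *    cannot be dropped as a dead store before free().
	 *  - malloc failure ends the process instead of continuing with a NULL
	 *    buffer; the void interface leaves no way to report it.
	 *
	 * NOTE(review): the arithmetic assumes u4 is exactly 32 bits wide
	 * (ROTL32 and the additions must wrap at 2^32) -- confirm the typedef.
	 */
	u4 *pk, A, B;          /* padded key, mixing registers */
	volatile u4 *wipe;
	int xk_len, pk_len, i, num_steps, rc;

	if (keylen < 0) keylen = 0;
	xk_len = c->nr * 2 + 2;
	pk_len = (keylen + 3) / 4;
	if (pk_len == 0) pk_len = 1;

	pk = calloc((size_t)pk_len, sizeof *pk);
	if (pk == NULL) {
		fprintf(stderr, "An error occurred!\n");
		exit(EXIT_FAILURE);
	}

	/* Pack the key, byte i going to bits 8*(i%4).. of word i/4. */
	for (i = 0; i < keylen; i++)
		pk[i / 4] |= (u4)(unsigned char)key[i] << (8 * (i % 4));

	/* xk[0] = P32, xk[i] = xk[i-1] + Q32. */
	c->xk[0] = 0xb7e15163;
	for (i = 1; i < xk_len; i++) c->xk[i] = c->xk[i - 1] + 0x9e3779b9;

	/* Mix the key into xk: 3 * max(xk_len, pk_len) steps from A = B = 0. */
	num_steps = (pk_len > xk_len) ? 3 * pk_len : 3 * xk_len;
	A = B = 0;
	for (i = 0; i < num_steps; i++) {
		A = c->xk[i % xk_len] = ROTL32(c->xk[i % xk_len] + A + B, 3);
		rc = (A + B) & 31;
		B = pk[i % pk_len] = ROTL32(pk[i % pk_len] + A + B, rc);
	}

	/* Clobber sensitive data before deallocating memory. */
	wipe = pk;
	for (i = 0; i < pk_len; i++) wipe[i] = 0;
	free(pk);
}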

void main(void)(
rc5-ctx c;
u4 data[81;
char key[l = "ABCDE";
int i;

for(i=O;i<8;i++) data[il = i;
rc5_init(&c,lO); /* 10 rounds */

for(i=O;i<8;i+=2) printf("Block %Old = %081x %081x\n",
for(i=O;i<8;i+=2) printf("Block %Old = %081x %081x\n",

/*
 * A5 generator state: three linear feedback shift registers.  Only the
 * low 19, 22 and 23 bits of r1, r2 and r3 are significant; the clock_r*
 * functions mask each register back to that width whenever it shifts.
 */
typedef struct {
	unsigned long r1;   /* 19-bit register */
	unsigned long r2;   /* 22-bit register */
	unsigned long r3;   /* 23-bit register */
} a5_ctx;

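/*
 * Majority clocking control for the three A5 registers.
 *
 * Reads one clock bit from each register (bit 9 of r1, bit 11 of r2 and
 * of r3) and returns 0 when two or more of them are set, 1 otherwise.
 * clock_r1/r2/r3 XOR this value with their own clock bit, so a register
 * advances exactly when its clock bit agrees with the majority.
 *
 * NOTE(review): these clock-bit positions, and the feedback taps used in
 * clock_r2 and clock_r3, appear to differ from the A5/1 later recovered
 * from GSM handsets; confirm against a reference before relying on this
 * listing for interoperability or for security claims about GSM.
 *
 * The listing used a K&R definition with unsigned int parameters while
 * every caller passes unsigned long; without a prototype no conversion is
 * applied to the arguments, so the function now has one.
 */
static int threshold(unsigned int r1, unsigned int r2, unsigned int r3)
{
	int set = (int)((r1 >> 9) & 0x1) + (int)((r2 >> 11) & 0x1) + (int)((r3 >> 11) & 0x1);

	return (set > 1) ? 0 : 1;
}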

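/*
 * Conditionally step the 19-bit register r1 and return its new value.
 *
 * ctl is the result of threshold(); the register shifts only when
 * ctl XOR its own clock bit (bit 9) is nonzero.  The feedback bit is the
 * XOR of bits 18, 17, 16 and 13, shifted in at bit 0; the result is
 * masked back to 19 bits.  Now defined with a prototype (see threshold).
 */
unsigned long clock_r1(int ctl, unsigned long r1)
{
	unsigned long feedback;

	ctl ^= (int)((r1 >> 9) & 0x1);
	if (!ctl)
		return r1;

	feedback = ((r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13)) & 0x1;
	r1 = (r1 << 1) & 0x7ffff;
	return r1 ^ feedback;
}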

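/*
 * Conditionally step the 22-bit register r2 and return its new value.
 *
 * ctl is the result of threshold(); the register shifts only when
 * ctl XOR its own clock bit (bit 11) is nonzero.  The feedback bit is
 * the XOR of bits 21, 20, 16 and 12, shifted in at bit 0; the result is
 * masked back to 22 bits.  Now defined with a prototype (see threshold).
 */
unsigned long clock_r2(int ctl, unsigned long r2)
{
	unsigned long feedback;

	ctl ^= (int)((r2 >> 11) & 0x1);
	if (!ctl)
		return r2;

	feedback = ((r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12)) & 0x1;
	r2 = (r2 << 1) & 0x3fffff;
	return r2 ^ feedback;
}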

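/*
 * Conditionally step the 23-bit register r3 and return its new value.
 *
 * ctl is the result of threshold(); the register shifts only when
 * ctl XOR its own clock bit (bit 11) is nonzero.  The feedback bit is
 * the XOR of bits 22, 21, 18 and 17, shifted in at bit 0; the result is
 * masked back to 23 bits.  Now defined with a prototype (see threshold).
 */
unsigned long clock_r3(int ctl, unsigned long r3)
{
	unsigned long feedback;

	ctl ^= (int)((r3 >> 11) & 0x1);
	if (!ctl)
		return r3;

	feedback = ((r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17)) & 0x1;
	r3 = (r3 << 1) & 0x7fffff;
	return r3 ^ feedback;
}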


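/* Clock all three registers once under majority control. */
static void a5_clock_regs(unsigned long *r1, unsigned long *r2, unsigned long *r3)
{
	int ctl = threshold((unsigned int)*r1, (unsigned int)*r2, (unsigned int)*r3);

	*r1 = clock_r1(ctl, *r1);
	*r2 = clock_r2(ctl, *r2);
	*r3 = clock_r3(ctl, *r3);
}

/*
 * Produce nbits keystream bits into out, MSB first, eight per byte.  A
 * trailing partial byte is stored with its bits in the low positions
 * (not shifted up), as the listing did.
 */
static void a5_emit_bits(unsigned long *r1, unsigned long *r2, unsigned long *r3,
                         unsigned char *out, int nbits)
{
	unsigned char byte = 0;
	unsigned int bits = 0;
	int i;

	for (i = 0; i < nbits; i++) {
		unsigned int bit;

		a5_clock_regs(r1, r2, r3);
		bit = (unsigned int)((*r1 >> 18) ^ (*r2 >> 21) ^ (*r3 >> 22)) & 0x01;
		byte = (unsigned char)((byte << 1) | bit);
		bits++;
		if (bits == 8) {
			*out++ = byte;
			bits = 0;
			byte = 0;
		}
	}
	if (bits)
		*out = byte;
}

/*
 * Generate one frame of A5 keystream from a session key and frame number.
 *
 * key    8 key bytes (64-bit session key).
 * frame  22-bit frame sequence number (only the low 22 bits are used).
 * alice  receives 114 bits of Alice->Bob keystream; must hold 15 bytes.
 * bob    receives 114 bits of Bob->Alice keystream; must hold 15 bytes.
 * Returns 0.
 *
 * Sequence: load the key, XOR the frame number one bit per clock into
 * the feedback path, run 100 clocks to diffuse it, emit 114 bits, run
 * another 100 clocks, emit 114 more.
 *
 * Changes from the listing:
 *  - Every clocking step called threshold(r1, r2, r2), so r3 never took
 *    part in the majority decision and r2 always clocked; a5_step() on
 *    the same page passes r3, and so does this version.
 *  - bits++ and the output-pointer advance are absent from this copy of
 *    the output loops, so no complete byte was ever stored.
 *  - r2 is masked to 22 bits on loading, as r1 and r3 already were.
 * See the NOTE on threshold() about how this listing relates to GSM A5/1.
 */
int keystream(unsigned char *key, unsigned long frame, unsigned char *alice, unsigned char *bob)
{
	unsigned long r1, r2, r3;
	int i;

	/* Initialise the shift registers from the session key. */
	r1 = ((unsigned long)key[0] | ((unsigned long)key[1] << 8) |
	      ((unsigned long)key[2] << 16)) & 0x7ffff;
	r2 = (((unsigned long)key[2] >> 3) | ((unsigned long)key[3] << 5) |
	      ((unsigned long)key[4] << 13) | ((unsigned long)key[5] << 21)) & 0x3fffff;
	r3 = (((unsigned long)key[5] >> 1) | ((unsigned long)key[6] << 7) |
	      ((unsigned long)key[7] << 15)) & 0x7fffff;

	/* Merge the frame number into the state through the feedback path. */
	for (i = 0; i < 22; i++) {
		a5_clock_regs(&r1, &r2, &r3);
		if (frame & 1) {
			r1 ^= 1;
			r2 ^= 1;
			r3 ^= 1;
		}
		frame >>= 1;
	}

	/* Diffuse the frame number into every register bit. */
	for (i = 0; i < 100; i++)
		a5_clock_regs(&r1, &r2, &r3);

	a5_emit_bits(&r1, &r2, &r3, alice, 114);

	/* Separate the two directions' keystreams. */
	for (i = 0; i < 100; i++)
		a5_clock_regs(&r1, &r2, &r3);

	a5_emit_bits(&r1, &r2, &r3, bob, 114);

	return 0;
}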

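/*
 * Load an 8-byte key into the A5 registers (19, 22 and 23 bits wide).
 *
 * Bytes are read as unsigned: with a signed char a key byte >= 0x80
 * sign-extends, and left-shifting that negative value is undefined.
 * Each register is masked to its width; the listing let key[2] spill
 * above bit 21 of r2 and key[5] above bit 22 of r3 (both bytes also feed
 * their high bits into the preceding register).  The spilled bits were
 * never read by threshold(), the clock_r* feedback or a5_step(), but
 * they left the registers wider than documented.
 *
 * NOTE(review): this layout differs from the one keystream() on the same
 * page uses (key[0] in the low bits of r1); the listing does not say
 * which is intended.
 */
void a5_key(a5_ctx *c, char *k)
{
	const unsigned char *kb = (const unsigned char *)k;

	c->r1 = (((unsigned long)kb[0] << 11) | ((unsigned long)kb[1] << 3) |
	         ((unsigned long)kb[2] >> 5)) & 0x7ffff;                     /* 19 */
	c->r2 = (((unsigned long)kb[2] << 17) | ((unsigned long)kb[3] << 9) |
	         ((unsigned long)kb[4] << 1) | ((unsigned long)kb[5] >> 7)) & 0x3fffff; /* 22 */
	c->r3 = (((unsigned long)kb[5] << 15) | ((unsigned long)kb[6] << 8) |
	         (unsigned long)kb[7]) & 0x7fffff;                           /* 23 */
}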

I* Step one bit in A5, return 0 or 1 as output bit. *I
/*
 * Advance the A5 state one clock and return the next keystream bit.
 *
 * threshold() picks the majority clock value, each register is stepped
 * by its clock_r* function, and the output is the XOR of the three
 * registers' low bits.
 *
 * NOTE(review): keystream() on the same page takes its output bit from
 * the top bits (18, 21, 22) rather than bit 0, so the two generators do
 * not produce the same stream from the same state.
 */
int a5_step(a5_ctx *c)
{
	int majority = threshold((unsigned int)c->r1, (unsigned int)c->r2, (unsigned int)c->r3);

	c->r1 = clock_r1(majority, c->r1);
	c->r2 = clock_r2(majority, c->r2);
	c->r3 = clock_r3(majority, c->r3);

	return (int)((c->r1 ^ c->r2 ^ c->r3) & 1);
}

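/*
 * Encrypts a buffer of len bytes in place: each byte is XORed with eight
 * successive a5_step() bits, the first bit in the most significant
 * position.  Decryption is the same operation on the same state.
 *
 * NOTE(review): in this copy of the listing only the inner eight-bit
 * assembly loop survives; the loop over the buffer (i was declared but
 * unused) and the XOR into data[i] are restored here, and t is
 * initialised -- the listing shifted it before any assignment.
 */
void a5_encrypt(a5_ctx *c, char *data, int len)
{
	int i, j;

	for (i = 0; i < len; i++) {
		unsigned char t = 0;

		for (j = 0; j < 8; j++)
			t = (unsigned char)((t << 1) | a5_step(c));
		data[i] ^= (char)t;
	}
}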

void a!Y_decrypt(a5_ctx *c, char *data, int 1en)l

void main(void)i
a5Lctx c;
char data[lOOl;
char key[l = l1,2,3,4,5,6,7,8);
int i,flag;

for(i=O;i<lOO;i++) data[il = i;





flag = 0;
for(i=O;i<lOO;i++) if(data[il!=i)flag = 1;
if(flag)printf("Decrypt failed\n"); else printf("Decrypt succeeded\n");


#define ALG_OK    0
#define ALG_NOTOK 1
/* Words produced by one seal() call: 4 passes x 64 iterations x 4 words. */
#define WORDS_PER_SEAL_CALL 1024

/*
 * SEAL key schedule tables plus a buffered keystream block.
 *
 * The tables hold 32-bit words in unsigned long (wider than 32 bits on
 * LP64 hosts); the code using them must reduce its arithmetic mod 2^32.
 */
typedef struct {
	unsigned long t[520];   /* 512 entries, rounded up to a multiple of 5, plus 5 */
	unsigned long s[265];   /* 256 entries, rounded up to a multiple of 5, plus 5 */
	unsigned long r[20];    /* 16 entries, rounded up to a multiple of 5 */
	unsigned long counter;  /* 32-bit synch value fed to seal() */
	unsigned long ks_buf[WORDS_PER_SEAL_CALL];  /* keystream of the current block */
	int ks_pos;             /* next unused word in ks_buf */
} seal_ctx;

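/*
 * 32-bit word primitives for SEAL.
 *
 * Words are kept in unsigned long, which is 64 bits wide on LP64 hosts.
 * The listing's rotations, ((x) >> n) | ((x) << (32-n)), then leave the
 * bits shifted past bit 31 in place, so every rotation is reduced modulo
 * 2^32 here.  The operand must already be < 2^32; callers still have to
 * reduce their own additions.
 */
#define SEAL_MASK32 0xffffffffUL
#define ROT2(x)  ((((x) >> 2)  | ((x) << 30)) & SEAL_MASK32)
#define ROT9(x)  ((((x) >> 9)  | ((x) << 23)) & SEAL_MASK32)
#define ROT8(x)  ((((x) >> 8)  | ((x) << 24)) & SEAL_MASK32)
#define ROT16(x) ((((x) >> 16) | ((x) << 16)) & SEAL_MASK32)
#define ROT24(x) ((((x) >> 24) | ((x) << 8))  & SEAL_MASK32)
#define ROT27(x) ((((x) >> 27) | ((x) << 5))  & SEAL_MASK32)

/* Big-endian load of four bytes.  The casts keep 0xff << 24 out of
 * signed int overflow, which it would be with the bytes promoted to int,
 * and the parenthesised (cp) lets WORD(p + 4) work. */
#define WORD(cp) (((unsigned long)(cp)[0] << 24) | ((unsigned long)(cp)[1] << 16) | \
                  ((unsigned long)(cp)[2] << 8)  |  (unsigned long)(cp)[3])

/* SHA round functions: choose, parity, majority, parity. */
#define F1(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define F2(x, y, z) ((x) ^ (y) ^ (z))
#define F3(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define F4(x, y, z) ((x) ^ (y) ^ (z))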

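/*
 * SEAL's table generator G_a(i): the SHA compression function applied to
 * the 160-bit key `in` as chaining value and a 512-bit message block whose
 * first word is i and whose remaining fifteen words are zero.  Writes the
 * five resulting words to h and returns ALG_OK.
 *
 * The message schedule is the plain XOR of the listing (no ROTL1, i.e.
 * the original SHA rather than SHA-1); do not "fix" it, the tables depend
 * on it.  All arithmetic is reduced modulo 2^32 because unsigned long
 * may be wider than 32 bits.
 *
 * NOTE(review): the round constant for rounds 20-39 is unreadable in this
 * copy; 0x6ed9eba1 (SHA's K2) is used, consistent with the other three
 * constants, which are SHA's K1, K3 and K4.
 *
 * The listing reused its parameter i as the loop counter; a separate
 * index is used here.  Now defined with a prototype.
 */
int g(unsigned char *in, int i, unsigned long *h)
{
	const unsigned long m32 = 0xffffffffUL;
	unsigned char *kp = in;
	unsigned long h0, h1, h2, h3, h4;
	unsigned long a, b, c, d, e, temp;
	unsigned long w[80];
	int t;

	/* Chaining value from the key, big-endian words. */
	h0 = WORD(kp) & m32; kp += 4;
	h1 = WORD(kp) & m32; kp += 4;
	h2 = WORD(kp) & m32; kp += 4;
	h3 = WORD(kp) & m32; kp += 4;
	h4 = WORD(kp) & m32;

	w[0] = (unsigned long)i & m32;
	for (t = 1; t < 16; t++)
		w[t] = 0;
	for (t = 16; t < 80; t++)
		w[t] = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];

	a = h0; b = h1; c = h2; d = h3; e = h4;

	for (t = 0; t < 80; t++) {
		unsigned long f, k;

		if (t < 20)      { f = F1(b, c, d); k = 0x5a827999UL; }
		else if (t < 40) { f = F2(b, c, d); k = 0x6ed9eba1UL; }
		else if (t < 60) { f = F3(b, c, d); k = 0x8f1bbcdcUL; }
		else             { f = F4(b, c, d); k = 0xca62c1d6UL; }

		temp = ((ROT27(a) & m32) + (f & m32) + e + w[t] + k) & m32;
		e = d;
		d = c;
		c = ROT2(b) & m32;
		b = a;
		a = temp;
	}

	h[0] = (h0 + a) & m32;
	h[1] = (h1 + b) & m32;
	h[2] = (h2 + c) & m32;
	h[3] = (h3 + d) & m32;
	h[4] = (h4 + e) & m32;

	return ALG_OK;
}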

/*
 * gamma(a, i): word i of the table stream derived from key a, that is
 * element (i mod 5) of G_a(i div 5).  seal_init() produces the same
 * values five at a time.  i must be non-negative: i / 5 and i % 5 are
 * used as indices.
 *
 * NOTE(review): the name collides with the legacy libm function
 * gamma(double) if <math.h> is ever included in this file.
 */
unsigned long gamma(unsigned char *a, int i)
{
	unsigned long words[5];

	(void) g(a, i / 5, words);
	return words[i % 5];
}

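/*
 * Fill dst[0..len-1] with gamma(key, base), gamma(key, base + 1), ...,
 * calling g() once per group of five consecutive values.  base need not
 * be a multiple of 5: the first and last groups are read partially.
 */
static void seal_fill_table(unsigned char *key, unsigned long base, unsigned long *dst, int len)
{
	unsigned long h[5];
	int k = 0;

	while (k < len) {
		unsigned long idx = base + (unsigned long)k;
		int off = (int)(idx % 5);

		g(key, (int)(idx / 5), h);
		for (; off < 5 && k < len; off++, k++)
			dst[k] = h[off];
	}
}

/*
 * Derive the SEAL tables from a 20-byte key:
 *   T[i] = gamma(key, i)           for i in 0..511
 *   S[i] = gamma(key, 0x1000 + i)  for i in 0..255
 *   R[i] = gamma(key, 0x2000 + i)  for i in 0..15
 * The listing unrolled the 0x1000 mod 5 == 1 and 0x2000 mod 5 == 2
 * misalignments by hand ("horrible special cases"); seal_fill_table
 * handles any starting offset and writes exactly the same entries.
 * Returns ALG_OK.
 */
int seal_init(seal_ctx *result, unsigned char *key)
{
	seal_fill_table(key, 0x0000UL, result->t, 512);
	seal_fill_table(key, 0x1000UL, result->s, 256);
	seal_fill_table(key, 0x2000UL, result->r, 16);
	return ALG_OK;
}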


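/*
 * One initialisation round of the SEAL state: each register is fed a T
 * entry indexed by its predecessor's bits 2..10, then rotated left 9.
 * Results are reduced mod 2^32.
 */
static void seal_init_round(const seal_ctx *key, unsigned long *a, unsigned long *b,
                            unsigned long *c, unsigned long *d)
{
	const unsigned long m32 = 0xffffffffUL;
	unsigned long p;

	p = *a & 0x7fc; *b = (*b + key->t[p / 4]) & m32; *a = ROT9(*a) & m32;
	p = *b & 0x7fc; *c = (*c + key->t[p / 4]) & m32; *b = ROT9(*b) & m32;
	p = *c & 0x7fc; *d = (*d + key->t[p / 4]) & m32; *c = ROT9(*c) & m32;
	p = *d & 0x7fc; *a = (*a + key->t[p / 4]) & m32; *d = ROT9(*d) & m32;
}

/*
 * SEAL keystream generation.  Expands the 32-bit position value `in`
 * under the key tables into WORDS_PER_SEAL_CALL (1024) words written to
 * out: four passes (l = 0..3), each of 64 iterations producing four
 * words.  Returns ALG_OK.
 *
 * Words live in unsigned long, which may be wider than 32 bits, so every
 * addition and rotation is reduced modulo 2^32 here; the listing relied
 * on unsigned long wrapping at 32 bits.
 *
 * Changes from the listing: the four output stores advance wp
 * (`*wp++ = ...`); this copy has the first store with no left-hand side
 * and the other three overwriting the same word, so out was never
 * filled.  The odd/even bookkeeping with n1..n4 is unchanged.
 */
int seal(seal_ctx *key, unsigned long in, unsigned long *out)
{
	const unsigned long m32 = 0xffffffffUL;
	unsigned long a, b, c, d;
	unsigned long n1, n2, n3, n4;
	unsigned long p, q;
	unsigned long *wp = out;
	int i, l;

	in &= m32;

	for (l = 0; l < 4; l++) {
		a = in ^ key->r[4 * l];
		b = (ROT8(in) & m32) ^ key->r[4 * l + 1];
		c = (ROT16(in) & m32) ^ key->r[4 * l + 2];
		d = (ROT24(in) & m32) ^ key->r[4 * l + 3];

		/* Two rounds, snapshot the state, one more round. */
		seal_init_round(key, &a, &b, &c, &d);
		seal_init_round(key, &a, &b, &c, &d);
		n1 = d; n2 = b; n3 = a; n4 = c;
		seal_init_round(key, &a, &b, &c, &d);

		/* 64 iterations of four words: 256 bytes of keystream. */
		for (i = 0; i < 64; i++) {
			p = a & 0x7fc;
			b = (b + key->t[p / 4]) & m32;
			a = ROT9(a) & m32;
			b ^= a;

			q = b & 0x7fc;
			c ^= key->t[q / 4];
			b = ROT9(b) & m32;
			c = (c + b) & m32;

			p = (p + c) & 0x7fc;
			d = (d + key->t[p / 4]) & m32;
			c = ROT9(c) & m32;
			d ^= c;

			q = (q + d) & 0x7fc;
			a ^= key->t[q / 4];
			d = ROT9(d) & m32;
			a = (a + d) & m32;

			p = (p + a) & 0x7fc;
			b ^= key->t[p / 4];
			a = ROT9(a) & m32;

			q = (q + b) & 0x7fc;
			c = (c + key->t[q / 4]) & m32;
			b = ROT9(b) & m32;

			p = (p + c) & 0x7fc;
			d ^= key->t[p / 4];
			c = ROT9(c) & m32;

			q = (q + d) & 0x7fc;
			a = (a + key->t[q / 4]) & m32;
			d = ROT9(d) & m32;

			*wp++ = (b + key->s[4 * i]) & m32;
			*wp++ = c ^ key->s[4 * i + 1];
			*wp++ = (d + key->s[4 * i + 2]) & m32;
			*wp++ = a ^ key->s[4 * i + 3];

			if (i & 1) {
				a = (a + n3) & m32;
				c = (c + n4) & m32;
			} else {
				a = (a + n1) & m32;
				c = (c + n2) & m32;
			}
		}
	}

	return ALG_OK;
}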

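/*
 * Refill c->ks_buf with the keystream block for the current counter,
 * advance the counter and rewind ks_pos.
 *
 * NOTE(review): this copy of the listing shows only the ks_pos reset.
 * The comment above it ("refill ks_buf and reset counter and ks_pos"),
 * the seal_key()/seal_resynch() convention of setting ks_pos to
 * WORDS_PER_SEAL_CALL to force a refill, and the 32-bit counter in the
 * context imply the body below.  The counter is kept to 32 bits so the
 * value passed to seal() is the same on every host.
 *
 * The counter wraps after 2^32 blocks (2^44 bytes) and the keystream
 * then repeats; re-key well before that.
 */
void seal_refill_buffer(seal_ctx *c)
{
	seal(c, c->counter, c->ks_buf);
	c->counter = (c->counter + 1) & 0xffffffffUL;
	c->ks_pos = 0;
}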

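/*
 * Key the SEAL context: derive the T/S/R tables from the 20-byte key,
 * start the counter at zero and mark the keystream buffer as consumed so
 * the first seal_encrypt() call generates keystream.
 *
 * NOTE(review): this copy of the listing does not show the seal_init()
 * call, leaving `key` unused and the tables uninitialised; it is restored
 * here since nothing else on the page keys a context.
 *
 * Two messages encrypted under the same key from counter 0 share
 * keystream; call seal_resynch() with a distinct synch word per message,
 * or use a fresh key.
 */
void seal_key(seal_ctx *c, unsigned char *key)
{
	seal_init(c, key);
	c->counter = 0;
	c->ks_pos = WORDS_PER_SEAL_CALL;
}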

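/*
 * XOR the next w words of keystream into data_ptr[0..w-1], refilling the
 * keystream buffer whenever it is exhausted.
 *
 * NOTE(review): this copy of the listing shows only the refill check and
 * an unused loop counter; the per-word loop is restored here.  The refill
 * test sits inside the loop so that a request larger than what remains in
 * the buffer (or than WORDS_PER_SEAL_CALL) is served correctly.
 */
void seal_encrypt(seal_ctx *c, unsigned long *data_ptr, int w)
{
	int i;

	for (i = 0; i < w; i++) {
		if (c->ks_pos >= WORDS_PER_SEAL_CALL)
			seal_refill_buffer(c);
		data_ptr[i] ^= c->ks_buf[c->ks_pos++];
	}
}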

void seal-decrypt(seal-ctx *c, unsigned long *data-ptr, int w) {

/*
 * Resynchronise the keystream at block `synch_word`: buffered keystream
 * is discarded and the next refill generates seal(key, synch_word).
 */
void seal_resynch(seal_ctx *c, unsigned long synch_word)
{
	c->ks_pos = WORDS_PER_SEAL_CALL;   /* force a refill on next use */
	c->counter = synch_word;
}

void main(void)L
seal-ctx sc;
unsigned long buf[lOOOl,t;
int i,flag;
unsigned char key[l =
.1,12,13,14,15,16,1 .7,18,191;


for(i=O;i<lOOO;i++) buf[il=O;
t = 0;
for(i=O;i<lOOO;i++) t = t h buf[il;
printf("XOR of buf is %08lx.\n",t);

flag = 0;
for(i=O;i<lOOO;i++) if(buf[il!=O)flag=l;
if(flag) printf("Decrypt failed.\n");
else printf("Decrypt succeeded.\n");



Cryptology-CRYPTO ˜87 Proceedings,
1. ABA Bank Card Standard, “Management
and Use of Personal Information Num- Springer-Verlag, 1988, pp. 224-230.
9. C.M. Adams and S.E. Tavares, “The Struc-
bers,” Aids from ABA, Catalog no. 207213,
tured Design of Cryptographically Good S-
American Bankers Association, 1979.
Boxes,” Journal of Cryptology, v. 3, n. 1,
2. ABA Document 4.3, “Key Management
Standard,” American Bankers Association, 1990, pp. 27-41.
10. C.M. Adams and S.E. Tavares, “Designing
S-Boxes for Ciphers Resistant to Differen-
3. M. Abadi, J. Feigenbaum, and J. Kilian,
“On Hiding Information from an Oracle,” tial Cryptanalysis,” Proceedings of the 3rd
Symposium on State and Progress of
Proceedings of the 19th ACM Symposium
on the Theory of Computing, 1987, pp. Research in Cryptography, Rome, Italy,
195-203. 15-16 Feb 1993, pp. 181-190.
11. W. Adams and D. Shanks, “Strong Primal-
4. M. Abadi, J. Feigenbaum, and J. Kilian,
ity Tests That Are Not Sufficient,” Mathe-
“On Hiding Information from an Oracle,”
matics of Computation, v. 39, 1982, pp.
Journal of Computer and System Sciences,
v. 39, n. 1, Aug 1989, pp. 21-50. 255-300.
5. M. Abadi and R. Needham, “Prudent Engi- 12. W.W. Adams and L.J. Goldstein, Introduc-
neering Practice for Cryptographic Proto- tion to Number Theory, Englewood Cliffs,
cols,” Research Report 125, Digital Equip- N.J.: Prentice-Hall, 1976.
ment Corp Systems Research Center, Jun 13. B.S. Adiga and P. Shankar, “Modified Lu-
1994. Lee Cryptosystem,” Electronics Letters, v.
6. C.M. Adams, “On Immunity Against 21, n. 18, 29 Aug 1985, pp. 794-795.
Biham and Shamir's 'Differential Crypt- 14. L.M. Adleman, “A Subexponential Algo-
analysis,™ ” Information Processing Let- rithm for the Discrete Logarithm Problem
ters, v. 41, 14 Feb 1992, pp. 77-80. with Applications to Cryptography,” Pro-
7. C.M. Adams, “Simple and Effective Key ceedings of the IEEE 20th Annual Sympo-
Scheduling for Symmetric Ciphers,” Work- sium of Foundations of Computer Science,
shop on Selected Areas in Cryptography- 1979, pp. 55-60.
Workshop Record, Kingston, Ontario, 5-6 15. L.M. Adleman, “On Breaking Generalized
May 1994, pp. 129-133. Knapsack Public Key Cryptosystems,”
Proceedings of the 15th ACM Symposium
8. C.M. Adams and H. Meijer, “Security-
on Theory of Computing, 1983, pp. 402-
Related Comments Regarding McEliece's
Public-Key Cryptosystem,” Advances in 412.


16. L.M. Adleman, “Factoring Numbers Using 28. S.G. Akl, “Digital Signatures: A Tutorial
Singular Integers,” Proceedings of the 23rd Survey,” Computer, v. 16, n. 2, Feb 1983,
Annual ACM Symposium on the Theory pp. 15-24.
of Computing, 1991, pp. 64-71. 29. S.G. Akl, “On the Security of Compressed
17. L.M. Adleman, “Molecular Computation Encodings,” Advances in Cryptology: Pro-
of Solutions to Combinatorial Problems,” ceedings of Crypto 83, Plenum Press, 1984,
Science, v. 266, n. 11, Nov 1994, p. 1021. pp. 209-230.
18. L.M. Adleman, D. Estes, and K. McCurley, 30. S.G. Akl and H. Meijer, “A Fast Pseudo-
“Solving Bivariate Quadratic Congruences Random Permutation Generator with
in Random Polynomial Time,” Mathemat- Applications to Cryptology,” Advances in
ics of Computation, v. 48, n. 177, Jan 1987, Cryptology: Proceedings of CRYPTO 84,
pp. 17-28. Springer-Verlag. 1985, pp. 269-275.
19. L.M. Adleman, C. Pomerance, and R.S. 31. M. Alabbadi and S.B. Wicker, “Security of
Rumeley, “On Distinguishing Prime Xinmei Digital Signature Scheme,” Elec-
Numbers from Composite Numbers,” tronics Letters, v. 28, n. 9, 23 Apr 1992, pp.
Annals of Mathematics, v. 117, n. 1, 1983, 890-891.
pp. 173-206. 32. M. Alabbadi and S.B. Wicker, “Digital Sig-
20. L.M. Adleman and R.L. Rivest, “How to nature Schemes Based on Error-Correcting
Break the Lu-Lee (COMSAT) Public-Key Codes,” Proceedings of the 1993 IEEE-
Cryptosystem,” MIT Laboratory for Com- ISIT, IEEE Press, 1993, p. 199.
puter Science, Jul 1979. 33. M. Alabbadi and S.B. Wicker, “Cryptanaly-
21. G.B. Agnew, “Random Sources for Crypto- sis of the Harn and Wang Modification of
graphic Systems,” Advances in Cryp- the Xinmei Digital Signature Scheme,”
tology-EUROCRYPT ˜87 Proceedings, Electronics Letters, v. 28, n. 18, 27 Aug
Springer-Verlag, 1988, pp. 77-81. 1992, pp. 1756-1758.
22. G.B. Agnew, R.C. Mullin, I.M. Onyszchuk, 34. K. Alagappan and J. Tardo, “SPX Guide:
and S.A. Vanstone, “An Implementation Prototype Public Key Authentication Ser-
for a Fast Public-Key Cryptosystem,” Jour-
nal of Cryptology, v. 3, n. 2, 1991, pp. 35. W. Alexi, B.-Z. Chor, O. Goldreich, and
63-79. C.P. Schnorr, “RSA and Rabin Functions:
23. G.B. Agnew, R.C. Mullin, and S.A. Van- Certain Parts Are as Hard as the Whole,”
stone, “A Fast Elliptic Curve Cryptosys- Proceedings of the 25th IEEE Symposium
tern,” Advances in Cryptology-EURO- on the Foundations of Computer Science,
CRYPT '89 Proceedings, Springer-Verlag, 1984, pp. 449-457.
1990, pp. 706-708. 36. W. Alexi, B.-Z. Chor, O. Goldreich, and
24. G.B. Agnew, R.C. Mullin, and S.A. Van- C.P. Schnorr, “RSA and Rabin Functions:
stone, “Improved Digital Signature Certain Parts are as Hard as the Whole,”
Scheme Based on Discrete Exponentia- SIAM Journal on Computing, v. 17, n. 2,
tion,” Electronics Letters, v. 26, n. 14, 5 Jul Apr 1988, pp. 194-209.
1990, pp. 1024-1025. 37. Ameritech Mobile Communications et al.,
25. G.B. Agnew, R.C. Mullin, and S.A. Van- “Cellular Digital Packet Data System
stone, “On the Development of a Fast Specifications: Part 406: Airlink Security,”
Elliptic Curve Cryptosystem,” Advances CDPD Industry Input Coordinator, Costa
in Cryptology-EUROCRYPT ˜92 Pro- Mesa, Calif., Jul 1993.
ceedings, Springer-Verlag, 1993, pp. 482- 38. H.R. Amirazizi, E.D. Karnin, and J.M.
287. Reyneri, “Compact Knapsacks are Polyno-
26. G.B. Agnew, R.C. Mullin, and S.A. Van- mial Solvable,” ACM SIGACT News, v.
stone, “An Implementation of Elliptic 15, 1983, pp. 20-22.
Curve Cryptosystems over F2155,” IEEE 39. R.J. Anderson, “Solving a Class of Stream
Selected Areas of Communications, v. 11, Ciphers,” Cryptologia, v. 14, n. 3, Jul 1990,
n. 5, Jun 1993, pp. 804-813. pp. 285-288.
27. A. Aho, J. Hopcroft, and J. Ullman, The 40. R.J. Anderson, “A Second Generation Elec-
Design and Analysis of Computer Algo- tronic Wallet,” ESORICS 92, Proceedings
rithms, Addison-Wesley, 1974. of the Second European Symposium on


54. ANSI X9.9 (Revised), “American National
Research in Computer Security, Springer-
Standard for Financial Institution Message
Verlag, 1992, pp. 411-418.
Authentication (Wholesale),” American
R.J. Anderson, “Faster Attack on Certain
Bankers Association, 1986.
Stream Ciphers,” Electronics Letters, v.
x9.17 (Revised),
55. ANSI
29, n. 15, 22 Jul 1993, pp. 1322-1323.
National Standard for Financial Institution
42. R.J. Anderson, “Derived Sequence Attacks
Key Management [Wholesale),” American
on Stream Ciphers,” presented at the rump
Bankers Association, 1985.
session of CRYPTO ˜93, Aug 1993.
56. ANSI X9.19, “American National Stan-
R.J. Anderson, “Why Cryptosystems Fail,”
dard for Retail Message Authentication,”
1st ACM Conference on Computer and
American Bankers Association, 1985.
Communications Security, ACM Press,
57. ANSI X9.23, “American National Stan-
1993, pp. 215-227.
dard for Financial Institution Message
44. R.J. Anderson, “Why Cryptosystems Fail,”
Encryption,” American Bankers Associa-
Communications of the ACM, v. 37, n. 11,
tion, 1988.
Nov 1994, pp. 32-40.
58. ANSI X9.24, “Draft Proposed American
R.J. Anderson, “On Fibonacci Keystream
National Standard for Retail Key Manage-
Generators,” K.U. Leuven Workshop on
ment,” American Bankers Association,
Cryptographic Algorithms, Springer-Verlag,
1995, to appear.
X9.26 (Revised), “American
R.J. Anderson, “Searching for the Opti- 59. ANSI
National Standard for Financial Institution
mum Correlation Attack,” K.U. Leuven
Sign-On Authentication for Wholesale
Workshop on Cryptographic Algorithms,
Financial Transaction,” American Bankers
Springer-Verlag, 1995, to appear.
Association, 1990.
R.J. Anderson and T.M.A. Lomas, “Fortify-
60. ANSI X9.30, “Working Draft: Public Key
ing Key Negotiation Schemes with Poorly
Cryptography Using Irreversible Algo-
Chosen Passwords,” Electronics Letters, v.
rithms for the Financial Services
30, n. 13, 23 Jun 1994, pp. 1040-1041.
Industry,” American Bankers Association,
R.J. Anderson and R. Needham, “Robust-
Aug 1994.
ness Principles for Public Key Protocols,”
Advances in Cryptology-CRYPTO ˜95 61. ANSI X9.31, “Working Draft: Public Key
Proceedings, Springer-Verlag, 1995, to Cryptography Using Reversible Algo-
rithms for the Financial Services
Industry,” American Bankers Association,
D. Andleman and J. Reeds, “On the Crypt-
Mar 1993.
analysis of Rotor Machines and Substitu-
62. K. Aoki and K. Ohta, “Differential-Linear
tion-permutation Networks,” IEEE Trans-
Cryptanalysis of FEAL-8,” Proceedings of
actions on Information Theory, v. IT-28, n.
4, Jul 1982, pp. 578-584. the 1995 Symposium on Cryptography
50. ANSI X3.92, “American National Stan- and Information Security (SCIS 9.5).
dard for Data Encryption Algorithm Inuyama, Japan, 24-27 Jan 1995, pp.
(DEA),” American National Standards A3.4.1-11. [In Japanese.]
63. K. Araki and T. Sekine, “On the Conspir-
Institute, 1981.
51. ANSI X3.105, “American National Stan- acy Problem of the Generalized Tanaka's
dard for Information Systems-Data Link Cryptosystem,” IEICE Transactions, v.
Encryption,” American National Stan- E74, n. 8, Aug 1991, pp. 2176-2178.
64. S. Araki, K. Aoki, and K. Ohta, “The Best
dards Institute, 1983.
52. ANSI X3.106, “American National Stan- Linear Expression Search for FEAL,” Pro-
dard for Information Systems-Data ceedings of the 1995 Symposium on Cryp-
Encryption Algorithm-Modes of Opera- tography and Information Security (SCIS
tion,” American National Standards Insti- 95), Inuyama, Japan, 24-27 Jan 1995, pp.
tute, 1983.
53. ANSI X9.8, “American National Standard 65. C. Asmuth and J. Bloom, “A Modular
for Personal Information Number (PIN) Approach to Key Safeguarding,” IEEE
Management and Security,” American Transactions on Information Theory, v. IT-
Bankers Association, 1982. 29, n. 2, Mar 1983, pp. 208-210.


81. S.K. Banerjee, “High Speed Implementa-
66. D. Atkins, M. Graff, A.K. Lenstra, and P.C.
tion of DES,” Computers & Security, v. 1,
Leyland, “The Magic Words are Squeamish
1982, pp. 261-267.
Ossifrage, ” Advances in Cryptology-
82. Z. Baodong, “MC-Veiled Linear Transform
ASIACRYPT ˜94 Proceedings, Springer-
Public Key Cryptosystem,” Acta Electron-
Verlag, 1995, pp. 263-277.
ica Sinica, v. 20, n. 4, Apr 1992, pp. 21-24.
67. AT&T, “T7001 Random Number Genera-
(In Chinese.)
tor,” Data Sheet, Aug 1986.
83. P.H. Bardell, “Analysis of Cellular
68. AT&T, “AT&T Readying New Spy-Proof
Automata Used as Pseudorandom Pattern
Phone for Big Military and Civilian Mar-
Generators,” Proceedings of 1990 Interna-
kets,” The Report on AT&T, 2 Jun 1986,
tional Test Conference, pp. 762-768.
pp. 6-7.
84. T. Baritaud, H. Gilbert, and M. Girault,
Bit Slice
69. AT&T, “T7002/T7003
“FFT Hashing is not Collision-Free,”
Multiplier,” product announcement, 1987.
Advances in Cryptology-EUROCRYPT
70. AT&T, “Telephone Security Device TSD
˜92 Proceedings, Springer-Verlag, 1993, pp.
360˜User™s Manual,” AT&T, 20 Sep
85. C. Barker, “An Industry Perspective of the
71. Y. Aumann and U. Feige, “On Message
CCEP,” 2nd Annual AIAA Computer
Proof Systems with Known Space Veri-
Security Conference Proceedings, 1986.
fiers,” Advances in Cryptology-CRYPTO
86. W.G. Barker, Cryptanalysis of the Hagelin
˜93 Proceedings, Springer-Verlag. 1994, pp.
Cryptograph, Aegean Park Press, 1977.
87. P. Barrett, “Implementing the Rivest
72. R.G. Ayoub, An Introduction to the The-
Shamir and Adleman Public Key Encryp-
ory of Numbers, Providence, RI: American
tion Algorithm on a Standard Digital Sig-
Mathematical Society, 1963.
nal Processor,” Advances in Cryptology-
73. A. Aziz and W. Diffie, “Privacy and
CRYPTO ˜86 Proceedings, Springer-Verlag,
Authentication for Wireless Local Area
1987, pp. 311-323.
Networks,” IEEE Personal Communica-
88. T.C. Bartee and D.I. Schneider, “Computa-
tions, v. 1, n. 1, 1994, pp. 25-31.
tion with Finite Fields,” Information and
74. A. Bahreman and J.D. Tygar, “Certified
Control, v. 6, n. 2, Jun 1963, pp. 79-98.
Electronic Mail,” Proceedings of the Inter-
89. U. Baum and S. Blackburn, “Clock-
net Society 1994 Workshop on Network
Controlled Pseudorandom Generators on
and Distributed System Security, The
Finite Groups,” K. U. Leuven Workshop on
Internet Society, 1994, pp. 3-19.
75. D. Balenson, “Automated Distribution of Cryptographic Algorithms, Springer-Verlag,
Cryptographic Keys Using the Financial 1995, to appear.
Institution Key Management Standard,” 90. K.R. Bauer, T.A. Bersen, and R.J. Feiertag,
“A Key Distribution Protocol Using Event
IEEE Communications Magazine, v. 23, n.
9, Sep 1985, pp. 41-46. Markers,” ACM Transactions on Computer
76. D. Balenson, “Privacy Enhancement for Systems, v. 1, n. 3, 1983, pp. 249-255.
Internet Electronic Mail: Part III: Algo- 91. F. Bauspiess and F. Damm, “Requirements
rithms, Modes, and Identifiers,” RFC 1423, for Cryptographic Hash Functions,” Com-
Feb 1993. puters & Security, v. 11, n. 5, Sep 1992, pp.
77. D. Balenson, C.M. Ellison, S.B. Lipner, and 427-437.
92. D. Bayer, S. Haber, and W.S. Stornetta,
S.T. Walker, “A New Approach to Soft-
“Improving the Efficiency and Reliability
ware Key Escrow Encryption,” TIS Report
of Digital Time-Stamping” Sequences ˜92:
#520, Trusted Information Systems, Aug
94. Methods in Communication, Security,
78. R. Ball, Mathematical Recreations and and Computer Science, Springer-Verlag,
Essays, New York: MacMillan, 1960. 1992, pp. 329-334.
79. J. Bamford, The Puzzle Palace, Boston: 93. R. Bayer and J.K. Metzger, “On the Enci-
Houghton Mifflin, 1982. pherment of Search Trees and Random
80. J. Bamford and W. Madsen, The Puzzle Access Files,” ACM Transactions on Data-
Palace, Second Edition, Penguin Books, base Systems, v. 1, n. 1, Mar 1976, pp.
1995. 37-52.

Page 676

106. M. Bellare, S. Micali, and R. Ostrovsky,
94. M. Beale and M.F. Monaghan, “Encryption
“Perfect Zero-Knowledge in Constant
Using Random Boolean Functions,” Cryp-
Rounds,” Proceedings of the 22nd ACM
tography and Coding, H.J. Beker and F.C.
Symposium on the Theory of Computing,
Piper, eds., Oxford: Clarendon Press, 1989,
1990, pp. 482-493.
pp. 219-230.
107. S.M. Bellovin, “A Preliminary Technical
95. P. Beauchemin and G. Brassard, “A Gener-
Analysis of Clipper and Skipjack,” unpub-
alization of Hellman's Extension to Shan-
lished manuscript, 20 Apr 1993.
non's Approach to Cryptography,” Journal
108. S.M. Bellovin and M. Merritt, “Limita-
of Cryptology, v. 1, n. 2, 1988, pp. 129-132.
tions of the Kerberos Protocol,” Winter
96. P. Beauchemin, G. Brassard, C. Crepeau, C.
1991 USENIX Conference Proceedings,
Goutier, and C. Pomerance, “The Genera-
USENIX Association, 1991, pp. 253-267.
tion of Random Numbers that are Proba-
109. S.M. Bellovin and M. Merritt, “Encrypted
bly Prime,” Journal of Cryptology, v. 1, n.
Key Exchange: Password-Based Protocols
1, 1988, pp. 53-64.
Secure Against Dictionary Attacks,” Pro-
97. D. Beaver, J. Feigenbaum, and V. Shoup,
ceedings of the 1992 IEEE Computer Soci-
“Hiding Instances in Zero-Knowledge
ety Conference on Research in Security
Proofs,” Advances in Cryptology-
CRYPTO '90 Proceedings, Springer-Verlag, and Privacy, 1992, pp. 72-84.
110. S.M. Bellovin and M. Merritt, “An Attack
1991, pp. 326-338.
on the Interlock Protocol When Used for
98. H. Beker, J. Friend, and P. Halliden, “Sim-
Authentication,” IEEE Transactions on
plifying Key Management in Electronic
Funds Transfer Points of Sale Systems,” Information Theory, v. 40, n. 1, Jan 1994,
Electronics Letters, v. 19, n. 12, Jun 1983, pp. 273-275.
111. S.M. Bellovin and M. Merritt, “Crypto-
pp. 442-444.
graphic Protocol for Secure Communica-
99. H. Beker and F. Piper, Cipher Systems: The
tions,” U.S. Patent #5,241,599, 31 Aug 93.
Protection of Communications, London:
112. I. Ben-Aroya and E. Biham, “Differential
Northwood Books, 1982.
Cryptanalysis of Lucifer,” Advances in
100. D.E. Bell and L. J. LaPadula, “Secure Com-
Cryptology-CRYPTO '93 Proceedings,
puter Systems: Mathematical Found-
Springer-Verlag, 1994, pp. 187-199.
ations,” Report ESD-TR-73-275, MITRE
113. J.C. Benaloh, “Cryptographic Capsules: A
Corp., 1973.
101. D.E. Bell and L. J. LaPadula, “Secure Com- Disjunctive Primitive for Interactive Pro-
puter Systems: A Mathematical Model,” tocols,” Advances in Cryptology-
Report MTR-2547, MITRE Corp., 1973. CRYPTO '86 Proceedings, Springer-Verlag,
102. D.E. Bell and L. J. LaPadula, “Secure Com- 1987, pp. 213-222.
114. J.C. Benaloh, “Secret Sharing Homor-
puter Systems: A Refinement of the Math-
phisms: Keeping Shares of a Secret Secret,”
ematical Model,” Report ESD-TR-73-278,
Advances in Cryptology-CRYPTO '86
MITRE Corp., 1974.
103. D.E. Bell and L.J. LaPadula, “Secure Com- Proceedings, Springer-Verlag, 1987, pp.
puter Systems: Unified Exposition and 251-260.
“Verifiable Secret-Ballot
Multics Interpretation,” Report ESD-TR- 115. J.C. Benaloh,
Elections,” Ph.D. dissertation, Yale Uni-
75-306, MITRE Corp., 1976.
104. M. Bellare and S. Goldwasser, “New versity, YALEU/DCS/TR-561, Dec 1987.
Paradigms for Digital Signatures and Mes- 116. J.C. Benaloh and M. de Mare, “One-Way
sage Authentication Based on Non- Accumulators: A Decentralized Alterna-
Zero Knowledge Proofs,” tive to Digital Signatures,” Advances in
Advances in Cryptology-CRYPTO '89 Cryptology-EUROCRYPT '93 Proceed-
Proceedings, Springer-Verlag 1990, pp. ings, Springer-Verlag, 1994, pp. 274-285.
194-211. 117. J.C. Benaloh and D. Tuinstra, “Receipt-
105. M. Bellare and S. Micali, “Non-Interactive Free Secret Ballot Elections,” Proceedings
Oblivious Transfer and Applications,” of the 26th ACM Symposium on the The-
Advances in Cryptology-CRYPTO '89 ory of Computing, 1994, pp. 544-553.
Proceedings, Springer-Verlag 1990, pp. 118. J.C. Benaloh and M. Yung, “Distributing
the Power of a Government to Enhance

Page 677

130. C.H. Bennett, G. Brassard, C. Crepeau, and
the Privacy of Voters,” Proceedings of the
5th ACM Symposium on the Principles M.-H. Skubiszewska, “Practical Quantum
in Distributed Computing, 1986, pp. Oblivious Transfer,” Advances in Cryptol-
52-62. ogy-CRYPTO '91 Proceedings, Springer-
119. A. Bender and G. Castagnoli, “On the Verlag 1992, pp. 351-366.
131. C.H. Bennett, G. Brassard, and A.K. Ekert,
Implementation of Elliptic Curve Cryp-
tosystems,” Advances in Cryptology- “Quantum Scientific
CRYPTO '89 Proceedings, Springer-Verlag, American, v. 267, n. 4, Oct 1992, pp. 50-57.
1990, pp. 186-192. 132. C.H. Bennett, G. Brassard, and N.D. Mer-
120. S. Bengio, G. Brassard, Y.G. Desmedt, C. min, “Quantum Cryptography Without
Goutier, and J.-J. Quisquater, “Secure Bell's Theorem,” Physical Review Letters,
Implementation of v. 68, n. 5, 3 Feb 1992, pp. 557-559.
Systems,” Journal of Cryptology, v. 4, n. 3, 133. C.H. Bennett, G. Brassard, and J.-M.
1991, pp. 175-184. Robert, “How to Reduce Your Enemy's
121. C.H. Bennett, F. Bessette, G. Brassard, L. Information,” Advances in Cryptology-
Salvail, and J. Smolin, “Experimental CRYPTO '85 Proceedings, Springer-Verlag,
Quantum Cryptography,” Advances in 1986, pp. 468-476.
Cryptology-EUROCRYPT '90 Proceed- 134. C.H. Bennett, G. Brassard, and J.-M.
ings, Springer-Verlag 1991, pp. 253-265. Robert, “Privacy Amplification by Public
122. C.H. Bennett, F. Bessette, G. Brassard, L. Discussion,” SIAMfournal on Computing,
Salvail, and J. Smolin, “Experimental v. 17, n. 2, Apr 1988, pp. 210-229.
135. J. Bennett, “Analysis of the Encryption
Quantum Cryptography,” Journal of Cryp-
tology, v. 5, n. 1, 1992, pp. 3-28. Algorithm Used in WordPerfect Word Pro-
123. C.H. Bennett and G. Brassard, “Quantum cessing Program,” Cryptologia, v. 11, n. 4,
Cryptography: Public Key Distribution Oct 1987, pp. 206-210.
136. M. Ben-Or, S. Goldwasser, and A. Wigder-
and Coin Tossing,” Proceedings of the
IEEE International Conference on Com- son, “Completeness Theorems for Non-
puters, Systems, and Signal Processing, Cryptographic Fault-Tolerant Distributed
Bangalore, India, Dec 1984, pp. 175-179. Computation,” Proceedings of the 20th
124. C.H. Bennett and G. Brassard, “An Update ACM Symposium on the Theory of Com-
on Quantum Cryptography,” Advances in puting, 1988, pp. 1-10.
Cryptology: Proceedings of CRYPTO 84, 137. M. Ben-Or, O. Goldreich, S. Goldwasser, J.
Springer-Verlag, 1985, pp. 475-480. Håstad, J. Kilian, S. Micali, and P. Rog-
125. C.H. Bennett and G. Brassard, “Quantum away, “Everything Provable is Provable in
Public-Key Distribution System,” IBM Zero-Knowledge,” Advances in Cryptol-
Technical Disclosure Bulletin, v. 28, 1985, ogy-CRYPTO '88 Proceedings, Springer-
pp. 3153-3163. Verlag 1990, pp. 37-56.
126. C.H. Bennett and G. Brassard, “Quantum 138. M. Ben-Or, O. Goldreich, S. Micali, and
Public Key Distribution Reinvented” R.L. Rivest, “A Fair Protocol for Signing
SIGACTNews, v. 18, n. 4, 1987, pp. 51-53. Contracts,” IEEE Transactions on Informa-
127. C.H. Bennett and G. Brassard, “The Dawn tion Theory, v. 36, n. 1, Jan 1990, pp. 40-46.
of a New Era for Quantum Cryptography: 139. H.A. Bergen and W.J. Caelli, “File Security
The Experimental Prototype is Working!” in WordPerfect 5.0,” Cryptologia, v. 15, n.
SIGACT News, v. 20, n. 4, Fall 1989, pp. 1, Jan 1991, pp. 57-66.
78-82. 140. E.R. Berlekamp, Algebraic Coding Theory,
128. C.H. Bennett, G. Brassard, and S. Breidbart, Aegean Park Press, 1984.
Quantum Cryptography II: How to Re- 141. S. Berkovits, “How to Broadcast a Secret,”
Use a One-Time Pad Safely Even if P=NP, Advances in Cryptology-EUROCRYPT
unpublished manuscript, Nov 1982. '91 Proceedings, Springer-Verlag 1991, pp.
129. C.H. Bennett, G. Brassard, S. Breidbart, and 535641.
142. S. Berkovits, J. Kowalchuk, and B. Schan-
S. Weisner, “Quantum Cryptography, or
Unforgeable Subway Tokens,” Advances ning “Implementing Public-Key Scheme,”
in Cryptology: Proceedings of Crypto 82, IEEE Communications Magazine, v. 17, n.
Plenum Press, 1983, pp. 267-275. 3, May 1979, pp. 2-3.

Page 678

Computer Security Foundations Work-
143. D.J. Bernstein, Bernstein vs. U.S. Depart-
shop III, IEEE Computer Society Press,
ment of State et al., Civil Action No. C95-
1990, pp. 14-22.
0582-MHP, United States District Court
157. E. Biham, “Cryptanalysis of the Chaotic-
for the Northern District of California, 21
Map Cryptosystem Suggested at EURO-
Feb 1995.
CRYPT '91,” Advances in Cryptology-
144. T. Berson, “Differential Cryptanalysis
EUROCRYPT '91 Proceedings, Springer-
Mod 2^32 with Applications to MD5,”
Verlag, 1991, pp. 532-534.
Advances in Cryptology-EUROCRYPT
158. E. Biham, “New Types of Cryptanalytic
'92 Proceedings, 1992, pp. 71-80.
Attacks Using Related Keys,” Technical
145. T. Beth, Verfahren der schnellen Fourier-
Report #753, Computer Science Depart-
Transformation, Teubner, Stuttgart, 1984.
ment, Technion-Israel Institute of Tech-
[In German.]
nology, Sep 1992.
146. T. Beth, “Efficient Zero-Knowledge Identi-

