ñòð. 16 |

Cited on pages 334, 342, 345, and 349

[86] H. Krawczyk, M. Bellare, and R. Canetti, RFC 2104--HMAC: keyed-

hashing for message authentication, at

www.faqs.org/rfcs/rfc2104.htrnl

Cited on page 198

[87] D. L. Kreher and D. R . Stinson, Combinatorial Algorithms: Generation,

Enumeration and Search, CRC Press, 1999

Cited on page 152

An excellent approach to an interesting subject. Unfortunately,

0

this otherwise fine book is marred by a large number of typos-

which is death for an algorithms (or cryptanalysis) book.

ANNOTATEDBIBLIOGRAPHY 385

[88] S. Kullback, General Solution for the Double Transposition Cipher,

Aegean Park Press

Cited on page 8

[89] M. K. Lai, Knapsack cryptosystems: the past and the future,

March 2001, at www.cecs.uci.edu/-mingl/knapsack.html

Cited on page 275

[go] M. Lee, Cryptanalysis of the SIGABA, Master's Thesis, University of

California, Santa Barbara, June 2003, at

www.cs.ucsb.edu/-kirbysdl/broadcast/thesis/thesis.pdf

Cited on pages 32 and 59

An excellent overview of rotors as cryptographic elements and a

0

nice description of Sigaba. However, the cryptanalysis only cov-

ers reduced-rotor versions of the cipher, which are qualitatively

different than the full Sigaba.

[91] A. K. Lenstra, H. W. Lenstra, Jr., and L. LovBsz, Factoring polynomi-

als with rational coefficients, Mathematische Annalen, Vol. 261, No. 4,

1982, pp. 515-534

Cited on page 272

[92] K. Lesh, Example of Dixon's squares, at

www.math.union.edu/˜leshk/mth221-06sp/homework/dixon-ex˜ple.pdf

Cited on page 319

[93] S. Levy, The open secret, Wired, issue 7.04, April 1999, at

www.wired.com/wired/archive/7.04/crypto˜pr.htrnl

Cited on pages 276 and 284

Ellis, Cocks, and Williamson get their due.

0

[94] J. Liang and X. Lai, Improved collision attack on hash function MD5,

at eprint.iacr.org/2005/425.pdf

Cited on page 230

[95] Legendre symbol, Wikipedia, the free encyclopedia, at

en.wikipedia.org/wiki/Legendre-symbol

Cited on page 356

[96] I. Mantin, Analysis of the stream cipher RC4, at

www.wisdom.weizmann.ac.il/"itsik/RC4/Papers/Mantinl.zip

Cited on pages 110 and 380

Clearer and more detailed than [51].

0

ANNOTATED BIBLIOGRAPHY

386

[97] M. Matsui, Linear cryptanalysis method for DES cipher, Advances in

Cryptology, Proceedings of Eurocrypt 1993, LNCS 470, T. Helleseth,

Ed., Springer-Verlag, 1994, pp. 386-397

Cited on page 170

[98] M. Matsui arid A. Yamagishi, A new method for known plaintext at-

tack on FEAL cipher, Advances in Cryptology, Proceedings of Euro-

crypt 1992, LNCS 658, R. Rueppel, Ed., Springer-Verlag, 1993, pp. 81-

91

Cited on pages 170 and 177

[99] A. Menezes, P. van Oorschot, arid S. Vanstone, Handbook of Applied

Cryptography, CRC Press, 1996

Cited on pages 93, 327, 329, 331, and 333

[100] R . Merkle and M. Hellman, Hiding information and signatures in trap-

door knapsacks, IEEE Transactions on Information Theory, Vol. IT-24,

NO. 5, 1978, pp. 525-530

Cited on pages 267 arid 268

[ l o l l T. hleskanen, On the NTRU cryptosystcrri, TUCS Dissertations No. 63,

Turku Centre for Computer Science, June 2005, at

www.tucs.fi/publications/attachment.php?fname=DISS63.pdf

Cited on pages 298 arid 304

[102] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A

Cryptographic Perspectiiie, Kluwer International Series in Engineering

and Computer Science, Vol. 671, Kluwer Academic Publishers, 2002

Cited on page 284

[ 1031 P. Montgomery, Modular multiplication without trial division, Mnthe-

matics of Computation, Vol. 44, No. 170, 1985, pp. 519-521

Cited on page 338

[104] S. Morris, Cryptology timelinr, at

www.math.cornell.edu/"morris/l35/timeline.html

Cited on page 5

[lo51 National cryptologic museum, the big machines exhibit, at

www.nsa.gov/museum/museuOOOO2.cfm

Cited on pages 49 and 53

[106] nl. Nelson, Remembering Phil Katz, at

www.ddj.com/maillists/compression/do2OOOO5cm/do2OOOO5cmOOl.htm

Cited on page 111

ANNOTATEDBIBLIOGRAPHY 387

[lo71 National Institute of Standards and Technology (NIST), Security re-

quirements for cryptographic modules, FIPS PUB 140-2, at

csrc.nist.gov/publications/fips/fipsl40-2/fipsl402.pdf

Cited on page 315

[lo81 NTRU Cryptosystems, at www. ntru.com

Cited on pages 294 and 295

[log] A. M. Odlyzko, The rise and fall of knapsack cryptosystems, at

www.research.att.com/-amo/doc/arch/knapsack.survey.pdf

Cited on page 275

[110] P. C. van Oorschot and M. J. Wiener, Parallel collision search with

application to hash functions and discrete logarithms, at

www.scs.carleton.ca/"paulv/papers/acmccs94.pdf

Cited on page 202

[111] Operating instructions for ECM Mark 2 (CSP 888/889) and CCM

Mark 1 (CSP 1600), at www. hnsa.org/doc/crypto/ecm/index.htm

Cited on page 52

[I121 PBS home programs, Creativity and play: fostering creativity, at

www.pbs.org/wholechild/providers/play.html

Cited on page 127

[113] R. Pekelney, ECM MARK 2 and CCM MARK 1, at

www.hnsa.org/doc/crypto/ecm/

Cited on page 59

[114] PKZIP, Wikipedia, the free encyclopedia, at

en.wikipedia.org/wiki/Pkzip

Cited on page 110

[115] C. Pomerance, The quadratic sieve factoring algorithm, Advances in

Cryptology, Proceedings of Eurocrypt '84, LNCS 209, T. Beth, N. Cot,

and I. Ingemarsson, Eds., Springer-Verlag, 1985, pp. 169-182, at

www.math.dartmouth.edu/˜carlp/PDF/paper52.pdf

Cited on page 327

[116] C. Pomerance, A tale of two sieves, Notices of the AMS,December 1996,

pp. 1473-1485, at www.ams.org/notices/l99612/pomerance.pdf

Cited on page 328

[117] Purple cipher switch, at

www.nsa.gov/public/publiOOOO7.cfm

Cited on page 38

ANNOTATEDBIBLIOGRAPHY

388

[118] M. 0. Rabin, Digitalized signatures and public key functions as in-

tractable as factorization, MIT/LCS/TR-212, MIT Laboratory for

Computer Science, 1979

Cited on page 289

[119] J. Reeds, Solved: the ciphers in book I11 of Trithemius's Steganographia,

at www.dtc.umn.edu/-reedsj/trit .pdf

Cited on page 144

[120] E. Rescorla, RFC 2631--Diffie-Hellman key agreement method, at

ietf.org/rfc/rfc2631.txt

Cited on page 276

[la11 R. Rivest, RFC 1320-the MD4 rnessage-digest algorithm, April 1992,

at ftp.rfc-editor.org/in-notes/rfcl32O.txt

Cited on pages 208 and 209

[122] R. Rivest, RFC 1321-the MD5 message-digest algorithm, April 1992,

at ftp.rfc-editor.org/in-notes/rfc332l.txt

Cited on pages 225, 226, 227, and 231

[123] R. Rivest, A. Shamir, and L. Adelman, A method for obtaining digit,al

signatures and puhlic-key cryptosystems, Communications of the A C M ,

Vol. 21, 1978, pp. 120-126

Cited on page 284

[124] G. Rose, Greg Rose's cryptographic stuff, at,

people.qualcomm.com/ggr/crypto.html

Cited on page 144

[125] R. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag,

198G

Cited on pages 83, 87, and 95

The best hook available on the theory of stream ciphers.

0

[126] L. F. Safford and D. W. Seiler, Control circuits for electric coding ma-

chines, United States patent number 6,175,625, January 2001

Cited on page 53

[127] Y. Sasaki, Y. Naito, N. Kunihiro, and K. Ohta, Improved collision

attack on MD5, at eprint . iacr.org/2005/400 .pdf

Cited on page 230

[128] J . J. G. Savard and R. S. Pekelncy, The ECM Mark 11: design, history

arid cryptology, Crypptologia, Vol. 23, No. 3, July 1999, pp. 211-228

Cit,etl on page 59

ANNOTATEDBIBLIOGRAPHY 389

[129] W. Schindler, A timing attack against RSA with the Chinese Remain-

der Theorem, CHES 2000, LNCS 1965, C. K. Koq and C. Paar, Eds.,

Springer-Verlag, 2000, pp. 109-124

Cited on pages 334, 345, 346, 347, 349, 350, and 352

[130] J. Seberry, Hash function tutorial, at

www.uow.edu.au/˜jennie/CSCI97l/hashl.pdf

Cited on page 193

[131] Shanks-Tonelli algorithm, at

en.wikipedia.org/wiki/Shanks-Tonelli-algorithm

Cited on page 326

[132] A. Shamir, A polynomial-time algorithm for breaking the basic Merkle-

Hellman cryptosystem, IEEE Transactions on Information Theory,

Vol. IT-30, No. 5, September 1984, pp. 699-704

Cited on pages 270 and 272

[133] C. E. Shannon, Communication theory of secrecy systems, Bell System

Technical Journal, Vol. 28, No. 4, 1949, pp. 656-715, at

www.cs.ucla.edu/˜jkong/research/security/shannon1949.pdf

Cited on pages 8, 17, 69, and 182

The paper that started it all. This paper remains surprisingly rel-

0

evant after more than a half-century.

[134] A. Shimizu and S. Miyaguchi, Fast data encryption algorithm FEAL,

Advances in Cryptology, Proceedings of Eurocrypt '87, LNCS 304,

D. Chaum and W. L. Price, Eds., Springer-Verlag, 1987, pp. 267-278

Cited on pages 170 and 171

[135] T . Siegenthaler, Decrypting a class of stream ciphers using cipher-

text only, IEEE Transactions on Computers, Vol. C-34, No. 1, 1985,

pp. 8184

Cited on page 93

[136] J. Silverman, A meet-in-the-middle attack on an NTRU private key,

Technical Report 4: Version 1, NTRU Cryptosystems, 1997

Cited on pages 299 and 301

Version 2 of this report is available at the NTRU website. However,

0

that version omits many iniportant details and is very unclear.

[137] J. Silverman, Almost inverses and fast NTRU key creation, Technical

Report 14, NTR.U Cryptosystems, 1999

Cited on page 294

ANNOTATEDBIBLIOGRAPHY

390

[138] J. Silverman, Estimated breaking times for NTRU lattices, Technical

Report 12, NTRU Cryptosystems, 1999

Cited on pages 302, 303, and 304

[139] R. J. Spillman, Classical and Contemporary Cryptology, Preritice Hall,

2004

Cited on page 1

[140] Staff Report, U.S. Senate Select Committee on Intelligence, Unclassified

summary: involvement of NSA in the development of the Data Encryp-

tion Standard, Staff Report, 98th Congress, 2nd Session, April 1978

Cited on page 170

Unclassified summary of Senate report, that cleared the National

0

Security Agency of any wrongdoing in the design of the Data En-

cryption Standard (DES). This report failed to satisfy the critics,

but 30 years of intense cryptanalysis seems to have silenced all but

the clinically paranoid.

[141] M. Stamp and C. F. Martin, An algorithm for the k-error linear corri-

plexity of binary sequences with period 2", I E E E Transactions o n In-

f o r m a t i o n Theory, Vol. IT-39, No. 4, July 1993, pp. 1398-1401

Cited on pages 87, 88, and 121

[142] M. Stamp, Information Security: Principles and Practice, Wiley-

Interscience, 2005

Cited on pages xv, 28, 93, 94, 103, 129, 130, 131, 133, 196, 199, 258,

270, 305, and 353

[143] h/I. Stay, ZIP attacks with reduced known plaintext, at

www.woodmann.com/fravia/mike-zipattacks.htm

Cited on page 111

[144] M. Stevens, Fast collision attack on MD5, at

eprint.iacr.org/2006/104.pdf

Cited on pages 230, 235, 242, 248, 252, 367, 368, 369, 370, and 392

Probably the best implemcritation of Wang's attack so far--get

0

the source code at win.tue .nl/hashclash/

[145] A. Stubblefield, J . Ioannidis, and A. D. Rubin, Using the Fluhrer,

Mantin and Shamir attack to break WEP, at

philby.ucsd.edu/"bsy/ndss/2OO2/html/2OO2/papers/stubbl.pdf

Cited on page 106

ANNOTATEDBIBLIOGRAPHY 39 1

[146] G. Sullivan, The ECM mark 11:some observations on the rotor stepping,

Cryptologia, Vol. 26, No. 2, pp. 97-100, April 2002

Cited on page 76

(1471 Telecommunications Industry Association and Electronic Industry Al-

liance, TDMA third generation wireless messages subject to encryption,

at ftp.tiaonline.org/UWC136/136-511-A.pdf

Cited on page 144

[148] W. Trappe and L. C. Washington, Introduction to Cryptography with

Coding Theory, Prentice Hall, 2002

Cited on page 34

The best mathematical introduction to cryptography--bar none.

0

[149] B. W. Tuchman, The Zimmermann Telegram, Ballantine Books, 1985

Cited on page 20

[150] R. Venkataramu, RSA timing attack, at

cs.sjsu.edu/faculty/stamp/papers/RSATiming.doc

Cited on page 352

[151] VENONA, at www . m a .gov/venona/index. cfm

Cited on page 19

VENONA is an interesting topic, both for its crypto implications

0

and for the historical material. Many of those who vigorously de-

nied they had arly role in espionage are implicated by VENONA

decrypts. Also, of the hundreds of traitors mentioned (by cover

name) in the decrypts, the true identities of more than half re-

main unknown.

[152] D. Wagner, B. Schneier, and J. Kelsey, Cryptanalysis of the cellular

message encryption algorithm, at www. schneier . codpaper-cmea.pdf

Cited on pages 144, 151, 156, 157, and 159

[153] D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and

B. Schneier, Cryptanalysis of ORYX, at

www.schneier.com/paper-oryx.pdf

Cited on pages 94 and 120

[154] J. R. Walker, Unsafe at any key size; an analysis of the WEP encapsu-

lation, at www .dis .org/wl/pdf /unsaf e .pdf

Cited on page 109

A clever title and a good description of some of the many problems

with WEP.

ANNOTATEDBIBLIOGRAPHY

392

[155] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, Cryptanalysis of the

hash functions MD4 and RIPEMD, at

www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf

Cited on pages 229 arid 230

[156] X. Wang, D. Feng, X. Lai, and H. Yu, Collisions for hash functions MD4,

MD5, HAVAL-128 and RIPEMD, at eprint . iacr .org/2004/199 .pdf

Cited on pages 229 and 230

An MD5 collision, but no details on how it was obtained.

0

[I571 X. Wang and H. Yu, How to break MD5 and other hash functions, at

www.infosec.sdu.edu.cn/paper/md5-attack.pdf

Cited on pages 229, 230, 231, 237, 363, 364, 365, and 366

Ironically, this paper is just about the last place you should look

0

for comprehensible information on Wangâ€™s MD5 attack. To learn

more about the attack, see [34] for the concepts, see [64] for the

excruciating details on the derivation of the sufficient conditions

and see [144] for a fast implementation (including source code).

[I581 D. J . Wheeler and R. M. Needham, TEA, a tiny encryption algorithm,

at www.cix.co.uk/-klockstone/tea.pdf

Cited on page 132

[I591 M. Wiener, Cryptanalysis of short RSA sccrct exponents, IEEE Truns-

actions o n Informa,tion Theory, Vol. IT-36, No. 3, 1990, pp. 553-558

Cited on page 288

[160] W. Wong, Revealing your secrets through the fourth dimension, ACM

Cr˜ssroads,Spring 2005, pp. 20-24

Cited on page 357

[161] J. Yajima and T. Shimoyama, Wangâ€™s sufficient conditions of MD5 are

riot sufficient, at eprint . iacr .org/2005/263.pdf

Cited on page 230

[162] G. Yuval, How to swindle Rabin, Cryptologia, Vol. 3 , No. 3, 1979,

pp. 187-189

Cited on page 202

Index

14-part message, see Purple ASCII, 169

cipher, 14-part message

baby-step giant-step, see discrete

3GPP. 94

log, baby-step giant-step

backtracking, 152, 154, 158

A5/1 stream cipher, 93

Barbie, xiii

A5/2 stream cipher, 93

additive, see codebook cipher, Berlekamp-Massey Algorithm,

83-86, 89, 121

additive

discrepancy, 83

Advanced Encryption Standard,

see AES birthday problem, 200--201

block cipher, 21, 127-191

Adventure, 1

CBC mode, 129-130, 196

AES, 140, 257

affine cipher, see substitution chosen key attâ€™ack, 257

cipher, affine cipher CTR mode, 131

Akelarre, 132, 160-169, 186--189 ECB mode, 129

algorithm, 161 key schedule, 131

AR structure, 162 round function, 131

attack, 166-169 subkey, 131

Bob, 1

key, 160

key schedule, 160, 163-165 Bobcat hash, 258

subkey, 165 Bonaparte, Napoleon, 267

Alberti, Leon Battista, 9

Caesarâ€™s cipher, see substitution

Alice, 1

Angooki Taipu B, see Purple cipher, Caesarâ€™s cipher

Caesar, Julius, 8

cipher

CBC mode

ARC, 110

and random access, 184

Arithmetica, 266, 279-284, 309,

Cellular Message Encryption

311

Algorithm, see CMEA

Hughes-Tannenbaum attack,

challenge, see challenge-response

283-284

challenge-response, 310

key agreement, 282

Chan-Games Algorithm, 121

private key, 281

Chinese Remainder Theorem, see

public key, 281

Arithmetica key exchange, see CRT

chosen ciphertext attack, see

Arithmetica

393

INDEX

394

cryptanalysis, chosen CRC, 103, 112, 199

ciphertext crib. 37

chosen plaintext attack, see CRT. 287. 290. 291. 336--337, 360.

cryptanalysis, chosen 371

plaintext example, 371

cipher, 2 cryptanalysis, 2

cipher block chaining mode, see chosen ciphertext, 3

block cipher, CBC mode chosen plaintext, 3

ciphertext , 2 ciphertext only, 2, 18

ciphertext only attack, see differential, 132, 170

cryptanalysis, ciphertext exhaustive key search. 10

only forward search, 258, 286

CMEA, 94, 132, 144-159, 185-186 known plaintext, 3, 17

Cave Table, 144, 145, 152, linear. 132

157, 185 related key, 3

chosen plaintext attack, crypto, 2

148-151 cryptographically strong sequence,

encryption, 146 80, 85-88

known plaintext at tack, cryptography, 2

158-159 cryptology, 2

Simplified CMEA, see cryptosystem, 2

SCMEA CSP-889, see Sigaba

Cocks, Clifford, 284 cyclic redundancy check, see CRC

codebook cipher, 20-21, 24, 25,

Damggrd-Merkle construction,

68, 127, 128

see Merkle-Damggrd

additive, 20, 24, 128

collision resistance, see hash construction

Data Encryption Standard, see

function, strong collision

DES

resistance

columnar transposition cipher, see Daum, Magnus, 230, 233, 235

de Briiijn sequence, 82

transposition cipher,

de Fermat, Pierre, 279

columnar

decrypt. 2

cornbining function, 89

depth, 45, 106

COMP128, 93

DES, 59, 111, 132, 140, 170

confidentiality, 305

Diffie, Whitfield, 275, 276

confusion, 8, 182

Diffie Hellman, 265, 266, 276--279,

conjiigacy problem, see group,

309-310, 315, 330

corijugacy problem

Converter M-l34C, see Sigaba ephcmeral, 278, 310

man-in-the-middlc attack,

Cord cipher, 40

277-278, 309

correlation attack, 90-93, 121

counter mode: see block cipher, diffusion, 8, 182

digital signature, 266. 305

CTR mode

INDEX 395

Digital Signature Standard, see Euclidean Algorithm, 287, 290,

DSS 311, 317, 371

Diophantus, 279 example, 372

discrete log, 307, 330-333, 356 Euclidean length, 272

baby-step giant-step, 331-332, Euler phi function, 285, 371

356 Eulerâ€™s Theorem, 285, 289, 312,

index calculus, 332-333, 356 371

problem, 277

factoring, 316-329, 355-356

trial multiplication, 330

Dixonâ€™s Algorithm, 317-322,

Dixonâ€™s Algorithm, see factoring,

327, 330, 332, 355

Dixonâ€™s Algorithm

factor base, 319

Dobbertin, Hans, 208, 210

multiple polynomial quadratic

DSS, 308

sieve, 327

ECC, 333 number field sieve, 327

ECM Mark 11, see Sigaba quadratic sieve, 323-327, 355

electronic codebook mode, see smooth, 319

block cipher, ECB mode trial division, 316-317

ElGamal signature, 266, 305-308, work factor comparison, 329

313-315, 330 Fast data Encryption ALgorithm,

hashing, 308 see FEAL

math issues, 308 fault induction attack, 315

elliptic curve cryptosystems, see FCSR, 83

ECC FEAL, 132, 170, 189-191

Ellis, James, 265 differential attack, 172-177

encrypt, 2 FEAL-4, 170-182

encrypt and sign, 306 FEAL-4 algorithm, 172

English letter frequencies, 11 FEAL-8, 170

Enigma, 25-31, 34-37, 40, 43, 53, FEAL-N, 170

69-71 FEAL-NX, 170

attack, 34-37 function, 173

cycles, 35 linear attack, 177-182

encryption, 27 feedback with carry shift register,

key, 27 see FCSR

keyspace, 29-˜31 Feistel Cipher, 131-132, 183, 184,

movable ring, 29 189

reflector, 29 Feistel, Horst, 131

rotor, 29 Feller, William, 141, 185

stecker, 26, 31, 35 Fermatâ€™s Little Theorem, 332, 371

forward search attack, see

ULTRA,26

versus Purple, 50 cryptanalysis, forward

Eratosthenes search

sieve of, 323 Friedman, William F., 14, 52, 68

396 INDEX

Gates, Bill, 316 Hitler, Adolph, 25

GCHQ, 276, 284 HMAC, 103, 196, 198-199

glitching attack, see RSA, Hopper, G., 330

glitching attack Hull, Cordell, 39

Global System for Mobile

IC, see index of coincidence

Communications, see

IDEA cipher, 111

GSM

Goren, Ben, 284 index calculus, see discrete log,

Gra.m--Schmidt, 272, 274 index calculus

group, 279, 280 index of coincidence, 14-16, 22-23

initialization vector, see IV

abelian, 372

braid group, 283, 284 integrity, 266, 305

commutative, 372 IIâ€™Sec, 278

IV, 21

conjugacy problem, 282, 283

definition, 372 repeated, 184

finite presentation, 280

Jade cipher, 40

free group, 280

JN-25 cipher, 38

theory, 372

GSM, 93-94

k-error linear complexity, 87

hash function, 132, 193-257 profile, 88

Kahn, David, 1

and ElGamal signature, 308

Karatsuba multiplication, 341-342

avalanche effect, 194

birthday attack, 201 -202 Kasiski test, 14

Kasiski, Friederich W., 14

compression, 193

Katz, Phil, 110, 111

compression function, 196

Kerckhoffsâ€™ Principle, 3 -4, 22, 45,

digital signature, 195

efficiency, 193 68, 91, 111, 183

fingerprint, 194 key, 2

integrity, 195 key distribution problem, 276

keyed hash, 198 key establishment problem, 278

Merkle-Damgzrd, 197, 200 knapsack cryptosystem, 266-275,

Nostradamus attack, 258 309

one-way, 193, 257 encryption, 269

strong collision resistance, general knapsack, 269

193, 257 lattice reduction attack,

weak collision resistance, 193, 270-275

257 private key, 268

hashed message authentication public key, 268

code, see HMAC superincreasing knapsack, 268

Heiirnan. Martin, 133. 141. 267. trap door one-way function,

276 270

Hill cipher, 16-17 knapsack problem, 275

INDEX 397

known plaintext attack, see inverse, 374

cryptanalysis, known invertible, 374

plaintext multiplication, 373

Kocher, Paul, 111, 334 operations, 373

Mauborgne, Joseph, 18

LAN, 103, 104 MD4, 199, 208-225, 258-261

lattice, 270, 271 algorithm, 208-210

LCG, 80 attack, 210--224

Lenstra, Lenstra, and Lovhsz compression function, 209

Algorithm, see LLL continuous approximation,

Algorithm 220, 260

LFSR, 80, 82Z83, 89, 91, 121 differential attack, 2 15-2 16,

linear algebra, 373 260

linear dependence, 373 equation solving, 217-223, 233

linear independence, 270, 373 functions, 209

linear cipher, 17 initialization vector, 213

linear complexity, 83, 121 meaningful collision, 224-225

profile, 87 not a t ion, 2 13-2 15

linear congruential generator, see padding, 208

LCG round functions, 211

linear feedback shift register, see MD5, 199, 225-256, 261-264

LFSR algorithm, 225-230

linear independence, 271 avalanche effect, 227

linear span, 272 Chinese method, 229

linearly dependent, see linear compression function, 228

algebra, linear Daumâ€™s analysis, 230, 237

dependence differences from MD4, 226

linearly independent, see linear functions, 226

algebra, linear inner collisions, 238

independence multi-step modification, 234,

Livius, Titus, 315 250-252

LLL Algorithm, 272, 273, 298 notation, 227, 230-231

local area network, see LAN postscript file collision, 256

practical attack, 253-256

m-sequence, 86 reverse engineering Wangâ€™s

MAC, 103 attack, 238-248

and integrity, 183 round functions, 228

man-in-the-middle, 306 signed differential, 232, 262

Maroon cipher, 50 single-step modification, 234,

Marshall, General George C., 39 249-250, 262

matrix Stevensâ€™ attack, 235, 248,

addition, 373 252-253

identity, 374 Wangâ€™s attack, 231-252

398 ILVDEX

Wangâ€™s differentials, 235 NSA, 170, 276

Wangâ€™s input differentials, Ntli-degree TRUncated

polynomial ring, see

235-236

Wangâ€™s output differentials, NTRU

236-237 NTRU, 266, 293-304, 309,

LVangâ€™s precise different.ia1, 312-313

231, 261 chosen ciphertext attack,

meet-in-the-middle, 152, 156-159 302-304

Merkle, Ralph, 267, 276 decryption, 295

Merkle-Hellman knapsack, see efficiency. 298

knapsack cncryption, 295

message authentication code, see keys, 294

MAC mect-in-the-middle attack,

Message Digest 4, see LID4 299-301, 313

Message Digest 5, see MD5 message space, 293

message indicator, see MI multiple transmission at tack.

MI, 21, 96, 105 301

polynomial ring, 293

modular exponentiation, 335-342

mono-alphabetic substitution, see private key, 295

public key, 295

simple substitution,

recommended parameters, 302

mono-alphabetic

nuclear espionage, 19

substitution

number field sieve, see factoring,

Montgomery multiplication,

number field sieve

338-341, 346, 355

Number Theorists aRe Us, see

extra reduction, 338, 348

NTRU

multiple polynomial quadratic

sieve, see factoring, nuniber theory, 371

multiple polynomial

OAEP, 291

quadratic sieve

one-time pad, 18-19, 23

one-way, see hash function,

National Security Agency, see

one-way

NSA

OprnSSL, 335, 342, 349

Next Generation Secure

optimal asymmetric encryption

Computing Base, see

padding, see OAEP

NGSCB

ORYX, 81, 93 103, 120, 122-123

NGSCB, 353

attack, 97 102

nomenclator, see substitution

cryptanalysis, 94

ciphcr , nomencl at or

key, 96

non-repudiation, 195, 305

keystream, 96- 97

nonce, 310

permutation, 99

Nostradamus attack, see hash

Owen, John. 79

function, Nostradamus

attack Pearl Harbor. 39

INDEX 399

perfect forward secrecy, see PFS quadratic sieve, see factoring,

PFS, 278, 310 quadratic sieve

PIN, 310

Rbzycki, Jerzy, 34

PKWare, Inc., 111

Rabin cipher, 266, 289--292, 309,

PKZIP, 81, 110-120, 123-125

312, 316

attack, 113-120

and square roots, 290

CRC, 113, 120

chosen ciphertext attack,

encryption, 112

291-292

key, 111

decryption, 289

keystream, 111

encryption, 289

plaintext, 2

keys, 289

Poe, Edgar Allan, 22, 26

RC4, 81, 103-110, 120, 122

Pollardâ€™s Rho Algorithm, 327, 333

Pollardâ€™s p - 1 Algorithm, 287 attack, 105-110

poly-alphabetic substitution, see initialization, 105

key, 105

substitution cipher,

keystream, 105, 106

poly-alphabetic

Red cipher, 46

substitution

pre-image resistance, see hash Reeds, James A . , 144

Rejewski, Marian, 34

function, one-way

related key attack, 105, see

public key cryptography, 2,

265-309 cryptanalysis, related key

repeated squaring, 335-336, 346

lack of genetic diversity, 257

response, see challenge-response

notation, 194

private key, 265 Revelation, 289

public key, 265 RFC 2104, 198

trap door one-way function, ring

265 definition, 372

Purple cipher, 25, 31, 38-51, theory, 372

71-72 Rivest, Ron, 103, 208, 225

14-part message, 38, 39, 49 Rose, Greg, 144, 238

6-20 split, 46, 47 rotors, 31L34, 69

analog, 48 Rowlett, Frank, 39, 45, 46, 52, 68

decryption, 42 RSA, 265, 266, 284-289, 309,

diagnosis, 45-48 311-358

encryption, 41 blinding, 352

keyspace, 44445 decryption, 285

MAGIC, 39 encryption, 285

sixes, 40 glitching attack, 315, 353-354

stepping, 43 implementation attacks, 334

switch, 40, 44 keys, 284

twenties, 40 mathematical issues, 285-288

versus Enigma, 50 quantization, 352

INDEX

400

index rotors, 53, 56

small decryption exponent,

288 keyspace, 57-59

sniall encryption exponent, message indicator, 59

288 rotor orientation, 55

timing attack, 334-353, 357 Sigaba Lite, 77

Rueppel, Rainer A., 95 sign and encrypt, 306

simple substitution, see

Scherbius, Arthur, 26 substitution cipher,

Schlafly, Roger, 111 simple substitution

Schnorr signature scheme, 308 Simplified Cellular Message

SCMEA, 146--147 Encryption Algorithm,

chosen plaintext at tack, see SCMEA

147--148 sliding window, 341

known plaintext attack, smartcard, 334, 353

151-158 SSL, 103

scytale, see transposition cipher, Station-to-Station protocol, 278

scytale steroids, 323

SEA, Iric., 110 Stevens, Marc, 230, 252

second pre-image resistance, see

stream cipher, 19, 79-125

hash function, weak

keystream, 79

collision resistance

strong collision resistance, see

Secure Hash Algorithm 1, see

hash function, strong

SHA-1

collision resistance

Secure Socket Laycr, see SSI,

strong prime, 287

security by obscurity, 3

subset sum problem, 267

SHA-1, 199, 225, 256, 258

substitution cipher, 8--17

Sharnir, Adi, 105, 106, 170, 270,

affine cipher, 10, 22

272

Caesaris cipher, 8

Shanks- Torielli Algorithm, 326

mono-alphabetic substitution,

Shannon, Claude, 8, 17, 69, 182

9

shift register, 81, 94

nomenclator, 9

feedback function, 81

poly-alphabetic substitution,

fill, 94

9, 29, 40

LFSR, 95

siniple substitution, 9

sitle-channel attack, 315, 334, 353

Vigenhre, 10-15, 22, 23

sicve of Eratosthenes, see

Swiss cheese, 103

Eratosthenes, sieve of

symmetric cipher, 2

Sigaba, 25, 52-68, 73-76

symmetric group, 310

attack, 59-67

System Enhancement Associates,

cipher rotors, 53

Inc., see SEA, Inc.

control rotors, 53

decryption, 58

TEA cipher, 111, 132

encryption, 54

INDEX 40 1

weak collision resistance, see hash

Telecommunications Industry

Association, see TIA function, weak colIision

Third Generation Partnership resistance

Project, see 3GPP Welchman, Gordon, 34

TIA, 93, 144 WEP, 103-105, 120

initialization vector, 104, 105,

Tiger hash, 258

time-memory trade-off, see 120

Williamson, Malcolm, 276

TMTO

Wired Equivalent Privacy, see

timing attack

WEP

Brumley-Boneh, 349-352

Kocherâ€™s, 342-345

Zimmermann Telegram, 20

prevention, 352

ZIP, 110

Schindlerâ€™s, 346-350

Zygalski, Henryk, 34

Tiny Encryption Algorithm, see

TEA

TMTO, 133-143, 330, 331

and distinguished points, 142

success probability, 141, 142,

185

totient function, 371

transposition cipher, 5-8

columnar, 5, 23

double transposition, 7, 23

keyword columnar, 6

scytale, 5

trial division, see factoring, trial

division

trial multiplication, see discrete

log, trial multiplication

Trithemius, 144

Trudy, 1

trusted computing, 353

truth table, 91

Turing, Alan, 34

VENONA, 19

Vernam, Gilbert, 18

Vigenkre cipher, see substitution

cipher, Vigenkre

Vigenkre, Blaise de, 10

Wang, Xiaoyun, 229, 231, 233,

235, 238

This Page Intentionally Left Blank

ñòð. 16 |