<<

. 16
( 16)



www.cryptography.com/resources/whitepapers/TimingAttacks.pdf
Cited on pages 334, 342, 345, and 349

[86] H. Krawczyk, M. Bellare, and R. Canetti, RFC 2104--HMAC: keyed-
hashing for message authentication, at
www.faqs.org/rfcs/rfc2104.htrnl
Cited on page 198

[87] D. L. Kreher and D. R . Stinson, Combinatorial Algorithms: Generation,
Enumeration and Search, CRC Press, 1999
Cited on page 152

An excellent approach to an interesting subject. Unfortunately,
0

this otherwise fine book is marred by a large number of typos-
which is death for an algorithms (or cryptanalysis) book.
ANNOTATEDBIBLIOGRAPHY 385


[88] S. Kullback, General Solution for the Double Transposition Cipher,
Aegean Park Press
Cited on page 8

[89] M. K. Lai, Knapsack cryptosystems: the past and the future,
March 2001, at www.cecs.uci.edu/-mingl/knapsack.html
Cited on page 275

[go] M. Lee, Cryptanalysis of the SIGABA, Master's Thesis, University of
California, Santa Barbara, June 2003, at
www.cs.ucsb.edu/-kirbysdl/broadcast/thesis/thesis.pdf
Cited on pages 32 and 59

An excellent overview of rotors as cryptographic elements and a
0

nice description of Sigaba. However, the cryptanalysis only cov-
ers reduced-rotor versions of the cipher, which are qualitatively
different than the full Sigaba.

[91] A. K. Lenstra, H. W. Lenstra, Jr., and L. LovBsz, Factoring polynomi-
als with rational coefficients, Mathematische Annalen, Vol. 261, No. 4,
1982, pp. 515-534
Cited on page 272

[92] K. Lesh, Example of Dixon's squares, at
www.math.union.edu/˜leshk/mth221-06sp/homework/dixon-ex˜ple.pdf
Cited on page 319

[93] S. Levy, The open secret, Wired, issue 7.04, April 1999, at
www.wired.com/wired/archive/7.04/crypto˜pr.htrnl
Cited on pages 276 and 284

Ellis, Cocks, and Williamson get their due.
0


[94] J. Liang and X. Lai, Improved collision attack on hash function MD5,
at eprint.iacr.org/2005/425.pdf
Cited on page 230

[95] Legendre symbol, Wikipedia, the free encyclopedia, at
en.wikipedia.org/wiki/Legendre-symbol
Cited on page 356

[96] I. Mantin, Analysis of the stream cipher RC4, at
www.wisdom.weizmann.ac.il/"itsik/RC4/Papers/Mantinl.zip
Cited on pages 110 and 380

Clearer and more detailed than [51].
0
ANNOTATED BIBLIOGRAPHY
386


[97] M. Matsui, Linear cryptanalysis method for DES cipher, Advances in
Cryptology, Proceedings of Eurocrypt 1993, LNCS 470, T. Helleseth,
Ed., Springer-Verlag, 1994, pp. 386-397
Cited on page 170

[98] M. Matsui arid A. Yamagishi, A new method for known plaintext at-
tack on FEAL cipher, Advances in Cryptology, Proceedings of Euro-
crypt 1992, LNCS 658, R. Rueppel, Ed., Springer-Verlag, 1993, pp. 81-
91
Cited on pages 170 and 177

[99] A. Menezes, P. van Oorschot, arid S. Vanstone, Handbook of Applied
Cryptography, CRC Press, 1996
Cited on pages 93, 327, 329, 331, and 333

[100] R . Merkle and M. Hellman, Hiding information and signatures in trap-
door knapsacks, IEEE Transactions on Information Theory, Vol. IT-24,
NO. 5, 1978, pp. 525-530
Cited on pages 267 arid 268

[ l o l l T. hleskanen, On the NTRU cryptosystcrri, TUCS Dissertations No. 63,
Turku Centre for Computer Science, June 2005, at
www.tucs.fi/publications/attachment.php?fname=DISS63.pdf
Cited on pages 298 arid 304

[102] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A
Cryptographic Perspectiiie, Kluwer International Series in Engineering
and Computer Science, Vol. 671, Kluwer Academic Publishers, 2002
Cited on page 284

[ 1031 P. Montgomery, Modular multiplication without trial division, Mnthe-
matics of Computation, Vol. 44, No. 170, 1985, pp. 519-521
Cited on page 338

[104] S. Morris, Cryptology timelinr, at
www.math.cornell.edu/"morris/l35/timeline.html
Cited on page 5

[lo51 National cryptologic museum, the big machines exhibit, at
www.nsa.gov/museum/museuOOOO2.cfm
Cited on pages 49 and 53

[106] nl. Nelson, Remembering Phil Katz, at
www.ddj.com/maillists/compression/do2OOOO5cm/do2OOOO5cmOOl.htm
Cited on page 111
ANNOTATEDBIBLIOGRAPHY 387


[lo71 National Institute of Standards and Technology (NIST), Security re-
quirements for cryptographic modules, FIPS PUB 140-2, at
csrc.nist.gov/publications/fips/fipsl40-2/fipsl402.pdf
Cited on page 315

[lo81 NTRU Cryptosystems, at www. ntru.com
Cited on pages 294 and 295

[log] A. M. Odlyzko, The rise and fall of knapsack cryptosystems, at
www.research.att.com/-amo/doc/arch/knapsack.survey.pdf
Cited on page 275

[110] P. C. van Oorschot and M. J. Wiener, Parallel collision search with
application to hash functions and discrete logarithms, at
www.scs.carleton.ca/"paulv/papers/acmccs94.pdf
Cited on page 202

[111] Operating instructions for ECM Mark 2 (CSP 888/889) and CCM
Mark 1 (CSP 1600), at www. hnsa.org/doc/crypto/ecm/index.htm
Cited on page 52

[I121 PBS home programs, Creativity and play: fostering creativity, at
www.pbs.org/wholechild/providers/play.html
Cited on page 127

[113] R. Pekelney, ECM MARK 2 and CCM MARK 1, at
www.hnsa.org/doc/crypto/ecm/
Cited on page 59

[114] PKZIP, Wikipedia, the free encyclopedia, at
en.wikipedia.org/wiki/Pkzip
Cited on page 110

[115] C. Pomerance, The quadratic sieve factoring algorithm, Advances in
Cryptology, Proceedings of Eurocrypt '84, LNCS 209, T. Beth, N. Cot,
and I. Ingemarsson, Eds., Springer-Verlag, 1985, pp. 169-182, at
www.math.dartmouth.edu/˜carlp/PDF/paper52.pdf
Cited on page 327

[116] C. Pomerance, A tale of two sieves, Notices of the AMS,December 1996,
pp. 1473-1485, at www.ams.org/notices/l99612/pomerance.pdf
Cited on page 328

[117] Purple cipher switch, at
www.nsa.gov/public/publiOOOO7.cfm
Cited on page 38
ANNOTATEDBIBLIOGRAPHY
388


[118] M. 0. Rabin, Digitalized signatures and public key functions as in-
tractable as factorization, MIT/LCS/TR-212, MIT Laboratory for
Computer Science, 1979
Cited on page 289

[119] J. Reeds, Solved: the ciphers in book I11 of Trithemius's Steganographia,
at www.dtc.umn.edu/-reedsj/trit .pdf
Cited on page 144

[120] E. Rescorla, RFC 2631--Diffie-Hellman key agreement method, at
ietf.org/rfc/rfc2631.txt
Cited on page 276

[la11 R. Rivest, RFC 1320-the MD4 rnessage-digest algorithm, April 1992,
at ftp.rfc-editor.org/in-notes/rfcl32O.txt
Cited on pages 208 and 209

[122] R. Rivest, RFC 1321-the MD5 message-digest algorithm, April 1992,
at ftp.rfc-editor.org/in-notes/rfc332l.txt
Cited on pages 225, 226, 227, and 231

[123] R. Rivest, A. Shamir, and L. Adelman, A method for obtaining digit,al
signatures and puhlic-key cryptosystems, Communications of the A C M ,
Vol. 21, 1978, pp. 120-126
Cited on page 284

[124] G. Rose, Greg Rose's cryptographic stuff, at,
people.qualcomm.com/ggr/crypto.html
Cited on page 144

[125] R. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag,
198G
Cited on pages 83, 87, and 95

The best hook available on the theory of stream ciphers.
0


[126] L. F. Safford and D. W. Seiler, Control circuits for electric coding ma-
chines, United States patent number 6,175,625, January 2001
Cited on page 53

[127] Y. Sasaki, Y. Naito, N. Kunihiro, and K. Ohta, Improved collision
attack on MD5, at eprint . iacr.org/2005/400 .pdf
Cited on page 230

[128] J . J. G. Savard and R. S. Pekelncy, The ECM Mark 11: design, history
arid cryptology, Crypptologia, Vol. 23, No. 3, July 1999, pp. 211-228
Cit,etl on page 59
ANNOTATEDBIBLIOGRAPHY 389


[129] W. Schindler, A timing attack against RSA with the Chinese Remain-
der Theorem, CHES 2000, LNCS 1965, C. K. Koq and C. Paar, Eds.,
Springer-Verlag, 2000, pp. 109-124
Cited on pages 334, 345, 346, 347, 349, 350, and 352

[130] J. Seberry, Hash function tutorial, at
www.uow.edu.au/˜jennie/CSCI97l/hashl.pdf
Cited on page 193

[131] Shanks-Tonelli algorithm, at
en.wikipedia.org/wiki/Shanks-Tonelli-algorithm
Cited on page 326

[132] A. Shamir, A polynomial-time algorithm for breaking the basic Merkle-
Hellman cryptosystem, IEEE Transactions on Information Theory,
Vol. IT-30, No. 5, September 1984, pp. 699-704
Cited on pages 270 and 272

[133] C. E. Shannon, Communication theory of secrecy systems, Bell System
Technical Journal, Vol. 28, No. 4, 1949, pp. 656-715, at
www.cs.ucla.edu/˜jkong/research/security/shannon1949.pdf
Cited on pages 8, 17, 69, and 182

The paper that started it all. This paper remains surprisingly rel-
0

evant after more than a half-century.

[134] A. Shimizu and S. Miyaguchi, Fast data encryption algorithm FEAL,
Advances in Cryptology, Proceedings of Eurocrypt '87, LNCS 304,
D. Chaum and W. L. Price, Eds., Springer-Verlag, 1987, pp. 267-278
Cited on pages 170 and 171

[135] T . Siegenthaler, Decrypting a class of stream ciphers using cipher-
text only, IEEE Transactions on Computers, Vol. C-34, No. 1, 1985,
pp. 8184
Cited on page 93

[136] J. Silverman, A meet-in-the-middle attack on an NTRU private key,
Technical Report 4: Version 1, NTRU Cryptosystems, 1997
Cited on pages 299 and 301

Version 2 of this report is available at the NTRU website. However,
0

that version omits many iniportant details and is very unclear.

[137] J. Silverman, Almost inverses and fast NTRU key creation, Technical
Report 14, NTR.U Cryptosystems, 1999
Cited on page 294
ANNOTATEDBIBLIOGRAPHY
390


[138] J. Silverman, Estimated breaking times for NTRU lattices, Technical
Report 12, NTRU Cryptosystems, 1999
Cited on pages 302, 303, and 304

[139] R. J. Spillman, Classical and Contemporary Cryptology, Preritice Hall,
2004
Cited on page 1

[140] Staff Report, U.S. Senate Select Committee on Intelligence, Unclassified
summary: involvement of NSA in the development of the Data Encryp-
tion Standard, Staff Report, 98th Congress, 2nd Session, April 1978
Cited on page 170

Unclassified summary of Senate report, that cleared the National
0

Security Agency of any wrongdoing in the design of the Data En-
cryption Standard (DES). This report failed to satisfy the critics,
but 30 years of intense cryptanalysis seems to have silenced all but
the clinically paranoid.

[141] M. Stamp and C. F. Martin, An algorithm for the k-error linear corri-
plexity of binary sequences with period 2", I E E E Transactions o n In-
f o r m a t i o n Theory, Vol. IT-39, No. 4, July 1993, pp. 1398-1401
Cited on pages 87, 88, and 121

[142] M. Stamp, Information Security: Principles and Practice, Wiley-
Interscience, 2005
Cited on pages xv, 28, 93, 94, 103, 129, 130, 131, 133, 196, 199, 258,
270, 305, and 353

[143] h/I. Stay, ZIP attacks with reduced known plaintext, at
www.woodmann.com/fravia/mike-zipattacks.htm
Cited on page 111

[144] M. Stevens, Fast collision attack on MD5, at
eprint.iacr.org/2006/104.pdf
Cited on pages 230, 235, 242, 248, 252, 367, 368, 369, 370, and 392

Probably the best implemcritation of Wang's attack so far--get
0

the source code at win.tue .nl/hashclash/

[145] A. Stubblefield, J . Ioannidis, and A. D. Rubin, Using the Fluhrer,
Mantin and Shamir attack to break WEP, at
philby.ucsd.edu/"bsy/ndss/2OO2/html/2OO2/papers/stubbl.pdf
Cited on page 106
ANNOTATEDBIBLIOGRAPHY 39 1


[146] G. Sullivan, The ECM mark 11:some observations on the rotor stepping,
Cryptologia, Vol. 26, No. 2, pp. 97-100, April 2002
Cited on page 76

(1471 Telecommunications Industry Association and Electronic Industry Al-
liance, TDMA third generation wireless messages subject to encryption,
at ftp.tiaonline.org/UWC136/136-511-A.pdf
Cited on page 144

[148] W. Trappe and L. C. Washington, Introduction to Cryptography with
Coding Theory, Prentice Hall, 2002
Cited on page 34

The best mathematical introduction to cryptography--bar none.
0


[149] B. W. Tuchman, The Zimmermann Telegram, Ballantine Books, 1985
Cited on page 20

[150] R. Venkataramu, RSA timing attack, at
cs.sjsu.edu/faculty/stamp/papers/RSATiming.doc
Cited on page 352

[151] VENONA, at www . m a .gov/venona/index. cfm
Cited on page 19

VENONA is an interesting topic, both for its crypto implications
0

and for the historical material. Many of those who vigorously de-
nied they had arly role in espionage are implicated by VENONA
decrypts. Also, of the hundreds of traitors mentioned (by cover
name) in the decrypts, the true identities of more than half re-
main unknown.

[152] D. Wagner, B. Schneier, and J. Kelsey, Cryptanalysis of the cellular
message encryption algorithm, at www. schneier . codpaper-cmea.pdf
Cited on pages 144, 151, 156, 157, and 159

[153] D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and
B. Schneier, Cryptanalysis of ORYX, at
www.schneier.com/paper-oryx.pdf
Cited on pages 94 and 120

[154] J. R. Walker, Unsafe at any key size; an analysis of the WEP encapsu-
lation, at www .dis .org/wl/pdf /unsaf e .pdf
Cited on page 109

A clever title and a good description of some of the many problems
with WEP.
ANNOTATEDBIBLIOGRAPHY
392


[155] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, Cryptanalysis of the
hash functions MD4 and RIPEMD, at
www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf
Cited on pages 229 arid 230

[156] X. Wang, D. Feng, X. Lai, and H. Yu, Collisions for hash functions MD4,
MD5, HAVAL-128 and RIPEMD, at eprint . iacr .org/2004/199 .pdf
Cited on pages 229 and 230

An MD5 collision, but no details on how it was obtained.
0


[I571 X. Wang and H. Yu, How to break MD5 and other hash functions, at
www.infosec.sdu.edu.cn/paper/md5-attack.pdf
Cited on pages 229, 230, 231, 237, 363, 364, 365, and 366

Ironically, this paper is just about the last place you should look
0

for comprehensible information on Wang™s MD5 attack. To learn
more about the attack, see [34] for the concepts, see [64] for the
excruciating details on the derivation of the sufficient conditions
and see [144] for a fast implementation (including source code).

[I581 D. J . Wheeler and R. M. Needham, TEA, a tiny encryption algorithm,
at www.cix.co.uk/-klockstone/tea.pdf
Cited on page 132

[I591 M. Wiener, Cryptanalysis of short RSA sccrct exponents, IEEE Truns-
actions o n Informa,tion Theory, Vol. IT-36, No. 3, 1990, pp. 553-558
Cited on page 288

[160] W. Wong, Revealing your secrets through the fourth dimension, ACM
Cr˜ssroads,Spring 2005, pp. 20-24
Cited on page 357

[161] J. Yajima and T. Shimoyama, Wang™s sufficient conditions of MD5 are
riot sufficient, at eprint . iacr .org/2005/263.pdf
Cited on page 230

[162] G. Yuval, How to swindle Rabin, Cryptologia, Vol. 3 , No. 3, 1979,
pp. 187-189
Cited on page 202
Index
14-part message, see Purple ASCII, 169
cipher, 14-part message
baby-step giant-step, see discrete
3GPP. 94
log, baby-step giant-step
backtracking, 152, 154, 158
A5/1 stream cipher, 93
Barbie, xiii
A5/2 stream cipher, 93
additive, see codebook cipher, Berlekamp-Massey Algorithm,
83-86, 89, 121
additive
discrepancy, 83
Advanced Encryption Standard,
see AES birthday problem, 200--201
block cipher, 21, 127-191
Adventure, 1
CBC mode, 129-130, 196
AES, 140, 257
affine cipher, see substitution chosen key att™ack, 257
cipher, affine cipher CTR mode, 131
Akelarre, 132, 160-169, 186--189 ECB mode, 129
algorithm, 161 key schedule, 131
AR structure, 162 round function, 131
attack, 166-169 subkey, 131
Bob, 1
key, 160
key schedule, 160, 163-165 Bobcat hash, 258
subkey, 165 Bonaparte, Napoleon, 267
Alberti, Leon Battista, 9
Caesar™s cipher, see substitution
Alice, 1
Angooki Taipu B, see Purple cipher, Caesar™s cipher
Caesar, Julius, 8
cipher
CBC mode
ARC, 110
and random access, 184
Arithmetica, 266, 279-284, 309,
Cellular Message Encryption
311
Algorithm, see CMEA
Hughes-Tannenbaum attack,
challenge, see challenge-response
283-284
challenge-response, 310
key agreement, 282
Chan-Games Algorithm, 121
private key, 281
Chinese Remainder Theorem, see
public key, 281
Arithmetica key exchange, see CRT
chosen ciphertext attack, see
Arithmetica

393
INDEX
394


cryptanalysis, chosen CRC, 103, 112, 199
ciphertext crib. 37
chosen plaintext attack, see CRT. 287. 290. 291. 336--337, 360.
cryptanalysis, chosen 371
plaintext example, 371
cipher, 2 cryptanalysis, 2
cipher block chaining mode, see chosen ciphertext, 3
block cipher, CBC mode chosen plaintext, 3
ciphertext , 2 ciphertext only, 2, 18
ciphertext only attack, see differential, 132, 170
cryptanalysis, ciphertext exhaustive key search. 10
only forward search, 258, 286
CMEA, 94, 132, 144-159, 185-186 known plaintext, 3, 17
Cave Table, 144, 145, 152, linear. 132
157, 185 related key, 3
chosen plaintext attack, crypto, 2
148-151 cryptographically strong sequence,
encryption, 146 80, 85-88
known plaintext at tack, cryptography, 2
158-159 cryptology, 2
Simplified CMEA, see cryptosystem, 2
SCMEA CSP-889, see Sigaba
Cocks, Clifford, 284 cyclic redundancy check, see CRC
codebook cipher, 20-21, 24, 25,
Damggrd-Merkle construction,
68, 127, 128
see Merkle-Damggrd
additive, 20, 24, 128
collision resistance, see hash construction
Data Encryption Standard, see
function, strong collision
DES
resistance
columnar transposition cipher, see Daum, Magnus, 230, 233, 235
de Briiijn sequence, 82
transposition cipher,
de Fermat, Pierre, 279
columnar
decrypt. 2
cornbining function, 89
depth, 45, 106
COMP128, 93
DES, 59, 111, 132, 140, 170
confidentiality, 305
Diffie, Whitfield, 275, 276
confusion, 8, 182
Diffie Hellman, 265, 266, 276--279,
conjiigacy problem, see group,
309-310, 315, 330
corijugacy problem
Converter M-l34C, see Sigaba ephcmeral, 278, 310
man-in-the-middlc attack,
Cord cipher, 40
277-278, 309
correlation attack, 90-93, 121
counter mode: see block cipher, diffusion, 8, 182
digital signature, 266. 305
CTR mode
INDEX 395


Digital Signature Standard, see Euclidean Algorithm, 287, 290,
DSS 311, 317, 371
Diophantus, 279 example, 372
discrete log, 307, 330-333, 356 Euclidean length, 272
baby-step giant-step, 331-332, Euler phi function, 285, 371
356 Euler™s Theorem, 285, 289, 312,
index calculus, 332-333, 356 371
problem, 277
factoring, 316-329, 355-356
trial multiplication, 330
Dixon™s Algorithm, 317-322,
Dixon™s Algorithm, see factoring,
327, 330, 332, 355
Dixon™s Algorithm
factor base, 319
Dobbertin, Hans, 208, 210
multiple polynomial quadratic
DSS, 308
sieve, 327
ECC, 333 number field sieve, 327
ECM Mark 11, see Sigaba quadratic sieve, 323-327, 355
electronic codebook mode, see smooth, 319
block cipher, ECB mode trial division, 316-317
ElGamal signature, 266, 305-308, work factor comparison, 329
313-315, 330 Fast data Encryption ALgorithm,
hashing, 308 see FEAL
math issues, 308 fault induction attack, 315
elliptic curve cryptosystems, see FCSR, 83
ECC FEAL, 132, 170, 189-191
Ellis, James, 265 differential attack, 172-177
encrypt, 2 FEAL-4, 170-182
encrypt and sign, 306 FEAL-4 algorithm, 172
English letter frequencies, 11 FEAL-8, 170
Enigma, 25-31, 34-37, 40, 43, 53, FEAL-N, 170
69-71 FEAL-NX, 170
attack, 34-37 function, 173
cycles, 35 linear attack, 177-182
encryption, 27 feedback with carry shift register,
key, 27 see FCSR
keyspace, 29-˜31 Feistel Cipher, 131-132, 183, 184,
movable ring, 29 189
reflector, 29 Feistel, Horst, 131
rotor, 29 Feller, William, 141, 185
stecker, 26, 31, 35 Fermat™s Little Theorem, 332, 371
forward search attack, see
ULTRA,26
versus Purple, 50 cryptanalysis, forward
Eratosthenes search
sieve of, 323 Friedman, William F., 14, 52, 68
396 INDEX


Gates, Bill, 316 Hitler, Adolph, 25
GCHQ, 276, 284 HMAC, 103, 196, 198-199
glitching attack, see RSA, Hopper, G., 330
glitching attack Hull, Cordell, 39
Global System for Mobile
IC, see index of coincidence
Communications, see
IDEA cipher, 111
GSM
Goren, Ben, 284 index calculus, see discrete log,
Gra.m--Schmidt, 272, 274 index calculus
group, 279, 280 index of coincidence, 14-16, 22-23
initialization vector, see IV
abelian, 372
braid group, 283, 284 integrity, 266, 305
commutative, 372 II™Sec, 278
IV, 21
conjugacy problem, 282, 283
definition, 372 repeated, 184
finite presentation, 280
Jade cipher, 40
free group, 280
JN-25 cipher, 38
theory, 372
GSM, 93-94
k-error linear complexity, 87
hash function, 132, 193-257 profile, 88
Kahn, David, 1
and ElGamal signature, 308
Karatsuba multiplication, 341-342
avalanche effect, 194
birthday attack, 201 -202 Kasiski test, 14
Kasiski, Friederich W., 14
compression, 193
Katz, Phil, 110, 111
compression function, 196
Kerckhoffs™ Principle, 3 -4, 22, 45,
digital signature, 195
efficiency, 193 68, 91, 111, 183
fingerprint, 194 key, 2
integrity, 195 key distribution problem, 276
keyed hash, 198 key establishment problem, 278
Merkle-Damgzrd, 197, 200 knapsack cryptosystem, 266-275,
Nostradamus attack, 258 309
one-way, 193, 257 encryption, 269
strong collision resistance, general knapsack, 269
193, 257 lattice reduction attack,
weak collision resistance, 193, 270-275
257 private key, 268
hashed message authentication public key, 268
code, see HMAC superincreasing knapsack, 268
Heiirnan. Martin, 133. 141. 267. trap door one-way function,
276 270
Hill cipher, 16-17 knapsack problem, 275
INDEX 397


known plaintext attack, see inverse, 374
cryptanalysis, known invertible, 374
plaintext multiplication, 373
Kocher, Paul, 111, 334 operations, 373
Mauborgne, Joseph, 18
LAN, 103, 104 MD4, 199, 208-225, 258-261
lattice, 270, 271 algorithm, 208-210
LCG, 80 attack, 210--224
Lenstra, Lenstra, and Lovhsz compression function, 209
Algorithm, see LLL continuous approximation,
Algorithm 220, 260
LFSR, 80, 82Z83, 89, 91, 121 differential attack, 2 15-2 16,
linear algebra, 373 260
linear dependence, 373 equation solving, 217-223, 233
linear independence, 270, 373 functions, 209
linear cipher, 17 initialization vector, 213
linear complexity, 83, 121 meaningful collision, 224-225
profile, 87 not a t ion, 2 13-2 15
linear congruential generator, see padding, 208
LCG round functions, 211
linear feedback shift register, see MD5, 199, 225-256, 261-264
LFSR algorithm, 225-230
linear independence, 271 avalanche effect, 227
linear span, 272 Chinese method, 229
linearly dependent, see linear compression function, 228
algebra, linear Daum™s analysis, 230, 237
dependence differences from MD4, 226
linearly independent, see linear functions, 226
algebra, linear inner collisions, 238
independence multi-step modification, 234,
Livius, Titus, 315 250-252
LLL Algorithm, 272, 273, 298 notation, 227, 230-231
local area network, see LAN postscript file collision, 256
practical attack, 253-256
m-sequence, 86 reverse engineering Wang™s
MAC, 103 attack, 238-248
and integrity, 183 round functions, 228
man-in-the-middle, 306 signed differential, 232, 262
Maroon cipher, 50 single-step modification, 234,
Marshall, General George C., 39 249-250, 262
matrix Stevens™ attack, 235, 248,
addition, 373 252-253
identity, 374 Wang™s attack, 231-252
398 ILVDEX

Wang™s differentials, 235 NSA, 170, 276
Wang™s input differentials, Ntli-degree TRUncated
polynomial ring, see
235-236
Wang™s output differentials, NTRU
236-237 NTRU, 266, 293-304, 309,
LVang™s precise different.ia1, 312-313
231, 261 chosen ciphertext attack,
meet-in-the-middle, 152, 156-159 302-304
Merkle, Ralph, 267, 276 decryption, 295
Merkle-Hellman knapsack, see efficiency. 298
knapsack cncryption, 295
message authentication code, see keys, 294
MAC mect-in-the-middle attack,
Message Digest 4, see LID4 299-301, 313
Message Digest 5, see MD5 message space, 293
message indicator, see MI multiple transmission at tack.
MI, 21, 96, 105 301
polynomial ring, 293
modular exponentiation, 335-342
mono-alphabetic substitution, see private key, 295
public key, 295
simple substitution,
recommended parameters, 302
mono-alphabetic
nuclear espionage, 19
substitution
number field sieve, see factoring,
Montgomery multiplication,
number field sieve
338-341, 346, 355
Number Theorists aRe Us, see
extra reduction, 338, 348
NTRU
multiple polynomial quadratic
sieve, see factoring, nuniber theory, 371
multiple polynomial
OAEP, 291
quadratic sieve
one-time pad, 18-19, 23
one-way, see hash function,
National Security Agency, see
one-way
NSA
OprnSSL, 335, 342, 349
Next Generation Secure
optimal asymmetric encryption
Computing Base, see
padding, see OAEP
NGSCB
ORYX, 81, 93 103, 120, 122-123
NGSCB, 353
attack, 97 102
nomenclator, see substitution
cryptanalysis, 94
ciphcr , nomencl at or
key, 96
non-repudiation, 195, 305
keystream, 96- 97
nonce, 310
permutation, 99
Nostradamus attack, see hash
Owen, John. 79
function, Nostradamus
attack Pearl Harbor. 39
INDEX 399


perfect forward secrecy, see PFS quadratic sieve, see factoring,
PFS, 278, 310 quadratic sieve
PIN, 310
Rbzycki, Jerzy, 34
PKWare, Inc., 111
Rabin cipher, 266, 289--292, 309,
PKZIP, 81, 110-120, 123-125
312, 316
attack, 113-120
and square roots, 290
CRC, 113, 120
chosen ciphertext attack,
encryption, 112
291-292
key, 111
decryption, 289
keystream, 111
encryption, 289
plaintext, 2
keys, 289
Poe, Edgar Allan, 22, 26
RC4, 81, 103-110, 120, 122
Pollard™s Rho Algorithm, 327, 333
Pollard™s p - 1 Algorithm, 287 attack, 105-110
poly-alphabetic substitution, see initialization, 105
key, 105
substitution cipher,
keystream, 105, 106
poly-alphabetic
Red cipher, 46
substitution
pre-image resistance, see hash Reeds, James A . , 144
Rejewski, Marian, 34
function, one-way
related key attack, 105, see
public key cryptography, 2,
265-309 cryptanalysis, related key
repeated squaring, 335-336, 346
lack of genetic diversity, 257
response, see challenge-response
notation, 194
private key, 265 Revelation, 289
public key, 265 RFC 2104, 198
trap door one-way function, ring
265 definition, 372
Purple cipher, 25, 31, 38-51, theory, 372
71-72 Rivest, Ron, 103, 208, 225
14-part message, 38, 39, 49 Rose, Greg, 144, 238
6-20 split, 46, 47 rotors, 31L34, 69
analog, 48 Rowlett, Frank, 39, 45, 46, 52, 68
decryption, 42 RSA, 265, 266, 284-289, 309,
diagnosis, 45-48 311-358
encryption, 41 blinding, 352
keyspace, 44445 decryption, 285
MAGIC, 39 encryption, 285
sixes, 40 glitching attack, 315, 353-354
stepping, 43 implementation attacks, 334
switch, 40, 44 keys, 284
twenties, 40 mathematical issues, 285-288
versus Enigma, 50 quantization, 352
INDEX
400


index rotors, 53, 56
small decryption exponent,
288 keyspace, 57-59
sniall encryption exponent, message indicator, 59
288 rotor orientation, 55
timing attack, 334-353, 357 Sigaba Lite, 77
Rueppel, Rainer A., 95 sign and encrypt, 306
simple substitution, see
Scherbius, Arthur, 26 substitution cipher,
Schlafly, Roger, 111 simple substitution
Schnorr signature scheme, 308 Simplified Cellular Message
SCMEA, 146--147 Encryption Algorithm,
chosen plaintext at tack, see SCMEA
147--148 sliding window, 341
known plaintext attack, smartcard, 334, 353
151-158 SSL, 103
scytale, see transposition cipher, Station-to-Station protocol, 278
scytale steroids, 323
SEA, Iric., 110 Stevens, Marc, 230, 252
second pre-image resistance, see
stream cipher, 19, 79-125
hash function, weak
keystream, 79
collision resistance
strong collision resistance, see
Secure Hash Algorithm 1, see
hash function, strong
SHA-1
collision resistance
Secure Socket Laycr, see SSI,
strong prime, 287
security by obscurity, 3
subset sum problem, 267
SHA-1, 199, 225, 256, 258
substitution cipher, 8--17
Sharnir, Adi, 105, 106, 170, 270,
affine cipher, 10, 22
272
Caesaris cipher, 8
Shanks- Torielli Algorithm, 326
mono-alphabetic substitution,
Shannon, Claude, 8, 17, 69, 182
9
shift register, 81, 94
nomenclator, 9
feedback function, 81
poly-alphabetic substitution,
fill, 94
9, 29, 40
LFSR, 95
siniple substitution, 9
sitle-channel attack, 315, 334, 353
Vigenhre, 10-15, 22, 23
sicve of Eratosthenes, see
Swiss cheese, 103
Eratosthenes, sieve of
symmetric cipher, 2
Sigaba, 25, 52-68, 73-76
symmetric group, 310
attack, 59-67
System Enhancement Associates,
cipher rotors, 53
Inc., see SEA, Inc.
control rotors, 53
decryption, 58
TEA cipher, 111, 132
encryption, 54
INDEX 40 1


weak collision resistance, see hash
Telecommunications Industry
Association, see TIA function, weak colIision
Third Generation Partnership resistance
Project, see 3GPP Welchman, Gordon, 34
TIA, 93, 144 WEP, 103-105, 120
initialization vector, 104, 105,
Tiger hash, 258
time-memory trade-off, see 120
Williamson, Malcolm, 276
TMTO
Wired Equivalent Privacy, see
timing attack
WEP
Brumley-Boneh, 349-352
Kocher™s, 342-345
Zimmermann Telegram, 20
prevention, 352
ZIP, 110
Schindler™s, 346-350
Zygalski, Henryk, 34
Tiny Encryption Algorithm, see
TEA
TMTO, 133-143, 330, 331
and distinguished points, 142
success probability, 141, 142,
185
totient function, 371
transposition cipher, 5-8
columnar, 5, 23
double transposition, 7, 23
keyword columnar, 6
scytale, 5
trial division, see factoring, trial
division
trial multiplication, see discrete
log, trial multiplication
Trithemius, 144
Trudy, 1
trusted computing, 353
truth table, 91
Turing, Alan, 34

VENONA, 19
Vernam, Gilbert, 18
Vigenkre cipher, see substitution
cipher, Vigenkre
Vigenkre, Blaise de, 10

Wang, Xiaoyun, 229, 231, 233,
235, 238
This Page Intentionally Left Blank

<<

. 16
( 16)