
/* Enc/dec test: */
for(i=0;i<9;i++) a[i]=i;
twy_enc(&gc,a,3);
for(i=0;i<9;i+=3) printf(â€śBlock %01d encrypts to %08lx %08lx %08lx\nâ€ť,
i/3,a[i],a[i+1],a[i+2]);

twy_dec(&gc,a,2);
twy_dec(&gc,a+6,1);

for(i=0;i<9;i+=3) printf(â€śBlock %01d decrypts to %08lx %08lx %08lx\nâ€ť,
i/3,a[i],a[i+1],a[i+2]);
}

RC5
#include <stdio.h>
#include <stdlib.h> /* calloc/free, exit */

/* An RC5 context needs to know how many rounds it has, and its subkeys. */


typedef struct {
u4 *xk; /* expanded key table, nr*2+2 words; allocated by rc5_init, zeroed and freed by rc5_destroy */
int nr; /* number of rounds */
} rc5_ctx;

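/* Where possible, these should be replaced with actual rotate instructions.
For Turbo C++, this is done with _lrotl and _lrotr. */

/* 32-bit rotates. The count is reduced mod 32 so that a count of 0 (which
 * RC5's data-dependent rotates do produce) never shifts by the full word
 * width, which is undefined behaviour. The operand is reduced to its low
 * 32 bits before the right shift and the result is masked again, so the
 * macros are correct even where the operand type is wider than 32 bits. */
#define ROTL32(X,C) (((((X) & 0xffffffffUL) << ((C) & 31)) | (((X) & 0xffffffffUL) >> ((32 - (C)) & 31))) & 0xffffffffUL)
#define ROTR32(X,C) (((((X) & 0xffffffffUL) >> ((C) & 31)) | (((X) & 0xffffffffUL) << ((32 - (C)) & 31))) & 0xffffffffUL)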
/* Function prototypes for dealing with RC5 basic operations. */
void rc5_init(rc5_ctx *, int);          /* set the round count and allocate xk */
void rc5_destroy(rc5_ctx *);            /* zero and free xk */
void rc5_key(rc5_ctx *, u1 *, int);     /* expand a key of the given byte length into xk */
void rc5_encrypt(rc5_ctx *, u4 *, int); /* encrypt N two-word blocks in place */
void rc5_decrypt(rc5_ctx *, u4 *, int); /* decrypt N two-word blocks in place */

/* Function implementations for RC5. */

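/* Scrub out all sensitive values.
 * Zeroes the expanded key table and releases it. The stores go through a
 * volatile pointer so the compiler cannot discard them as dead writes ahead
 * of free(). Safe to call when rc5_init's allocation failed (xk == NULL);
 * xk is reset to NULL afterwards so a repeated call is harmless. */
void rc5_destroy(rc5_ctx *c){
    if (c->xk != NULL) {
        volatile u4 *vk = c->xk;
        int i;
        for (i = 0; i < c->nr * 2 + 2; i++) {
            vk[i] = 0;
        }
    }
    free(c->xk);
    c->xk = NULL;
}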

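/* Allocate memory for rc5 context's xk and such.
 * Records the round count and allocates the nr*2+2 word expanded-key table,
 * zero-filled. The element size is taken from the pointer type rather than
 * the literal 4, so the table is correctly sized even if u4 is wider than
 * four bytes. There is no error return: on allocation failure (or a
 * negative round count) c->xk is left NULL, and callers must check it
 * before rc5_key/rc5_encrypt/rc5_decrypt. */
void rc5_init(rc5_ctx *c, int rounds){
    c->nr = rounds;
    c->xk = NULL;
    if (rounds < 0) {
        return; /* would wrap the size computation below */
    }
    c->xk = calloc((size_t)rounds * 2 + 2, sizeof *c->xk);
}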

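/* Encrypt `blocks` consecutive 64-bit blocks in place.
 * Each block is two u4 words (d[0], d[1]). The context must have been keyed
 * with rc5_key. The two whitening words xk[0], xk[1] are added first, then
 * for every round pair:
 *   d0 = ((d0 ^ d1) <<< (d1 & 31)) + sk[i];  d1 = ((d1 ^ d0) <<< (d0 & 31)) + sk[i+1]
 * blocks <= 0 is a no-op. */
void rc5_encrypt(rc5_ctx *c, u4 *data, int blocks){
    u4 *d = data;
    u4 *sk = c->xk + 2; /* round subkeys start after the two whitening words */
    int h, i, rc;

    for (h = 0; h < blocks; h++, d += 2) {
        d[0] += c->xk[0];
        d[1] += c->xk[1];
        for (i = 0; i < c->nr * 2; i += 2) {
            d[0] ^= d[1];
            rc = d[1] & 31; /* data-dependent rotate amount */
            d[0] = ROTL32(d[0], rc);
            d[0] += sk[i];
            d[1] ^= d[0];
            rc = d[0] & 31;
            d[1] = ROTL32(d[1], rc);
            d[1] += sk[i + 1];
        }
    }
}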

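/* Decrypt `blocks` consecutive 64-bit blocks in place (inverse of rc5_encrypt).
 * The round pairs are undone from the last subkey pair down to the first,
 * then the two whitening words xk[0], xk[1] are subtracted. blocks <= 0 is a
 * no-op. */
void rc5_decrypt(rc5_ctx *c, u4 *data, int blocks){
    u4 *d = data;
    u4 *sk = c->xk + 2; /* round subkeys start after the two whitening words */
    int h, i, rc;

    for (h = 0; h < blocks; h++, d += 2) {
        for (i = c->nr * 2 - 2; i >= 0; i -= 2) {
            d[1] -= sk[i + 1];
            rc = d[0] & 31; /* same data-dependent amount the encryption used */
            d[1] = ROTR32(d[1], rc);
            d[1] ^= d[0];
            d[0] -= sk[i];
            rc = d[1] & 31;
            d[0] = ROTR32(d[0], rc);
            d[0] ^= d[1];
        }
        d[0] -= c->xk[0];
        d[1] -= c->xk[1];
    }
}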

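/* Expand a keylen-byte key into c->xk (the RC5 key schedule).
 * The key bytes are packed little-endian into pk_len 32-bit words without
 * relying on host byte order (the original copied raw bytes and only worked
 * on little-endian machines), xk is seeded with P32/Q32, and the two arrays
 * are mixed for 3*max(xk_len, pk_len) steps. keylen == 0 is treated as a
 * single zero word so that i % pk_len never divides by zero. The padded key
 * is zeroed through a volatile pointer before it is freed. Requires rc5_init
 * to have succeeded (c->xk != NULL). Exits the process if the padded-key
 * buffer cannot be allocated. */
void rc5_key(rc5_ctx *c, u1 *key, int keylen){
    u4 *pk, A, B; /* padded key */
    volatile u4 *vpk;
    int xk_len, pk_len, i, num_steps, rc;

    xk_len = c->nr * 2 + 2;
    pk_len = keylen / 4;
    if ((keylen % 4) != 0) pk_len += 1;
    if (pk_len < 1) pk_len = 1; /* empty key: one zero word */

    pk = calloc((size_t)pk_len, sizeof *pk);
    if (pk == NULL) {
        fprintf(stderr, "An error occurred!\n");
        exit(EXIT_FAILURE);
    }

    /* Pack key bytes into little-endian words, byte-order independent. */
    for (i = 0; i < keylen; i++) {
        pk[i / 4] |= (u4)(unsigned char)key[i] << (8 * (i % 4));
    }

    /* Initialize xk. */
    c->xk[0] = 0xb7e15163; /* P32 */
    for (i = 1; i < xk_len; i++) c->xk[i] = c->xk[i - 1] + 0x9e3779b9; /* Q32 */

    /* Expand key into xk. */
    num_steps = (pk_len > xk_len) ? 3 * pk_len : 3 * xk_len;

    A = B = 0;
    for (i = 0; i < num_steps; i++) {
        A = c->xk[i % xk_len] = ROTL32(c->xk[i % xk_len] + A + B, 3);
        rc = (A + B) & 31; /* data-dependent rotate amount, may be 0 */
        B = pk[i % pk_len] = ROTL32(pk[i % pk_len] + A + B, rc);
    }

    /* Clobber sensitive data before deallocating memory; the volatile pointer
     * keeps the compiler from eliding the stores. */
    vpk = pk;
    for (i = 0; i < pk_len; i++) vpk[i] = 0;
    free(pk);
}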

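/* RC5 self-test: key with "ABCDE", encrypt four blocks of 0..7, print them,
 * decrypt (in two calls to exercise the block pointer arithmetic) and print
 * again. Returns 0 on success, EXIT_FAILURE if the context cannot be set up. */
int main(void){
    rc5_ctx c;
    u4 data[8];
    char key[] = "ABCDE";
    int i;

    /* Separator rule; the exact dash count of the original listing was lost
     * in extraction, so a fixed-width rule is printed here. */
    printf("-------------------------------------------------\n");

    for (i = 0; i < 8; i++) data[i] = i;
    rc5_init(&c, 10); /* 10 rounds */
    if (c.xk == NULL) {
        fprintf(stderr, "rc5_init: allocation failed\n");
        return EXIT_FAILURE;
    }
    rc5_key(&c, (u1 *)key, 5);

    rc5_encrypt(&c, data, 4);
    printf("Encryptions:\n");
    for (i = 0; i < 8; i += 2) {
        printf("Block %01d = %08lx %08lx\n",
               i / 2, (unsigned long)data[i], (unsigned long)data[i + 1]);
    }

    rc5_decrypt(&c, data, 2);
    rc5_decrypt(&c, data + 4, 2);
    printf("Decryptions:\n");
    for (i = 0; i < 8; i += 2) {
        printf("Block %01d = %08lx %08lx\n",
               i / 2, (unsigned long)data[i], (unsigned long)data[i + 1]);
    }

    rc5_destroy(&c);
    return 0;
}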

A5
/* A5 state: the three shift registers. clock_r1..clock_r3 mask them to 19,
 * 22 and 23 bits respectively whenever they clock. */
typedef struct {
unsigned long r1,r2,r3;
} a5_ctx;

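/* Majority-vote clock control for A5.
 * Reads the clocking taps (bit 9 of r1, bit 11 of r2 and of r3) and returns
 * 0 when two or more of them are set, otherwise 1. Each clock_rN() XORs this
 * value with its own tap and clocks when the result is nonzero, so a
 * register advances exactly when its tap agrees with the majority.
 * Takes unsigned long so the registers are passed without truncation. */
static int threshold(unsigned long r1, unsigned long r2, unsigned long r3)
{
    int total = (int)((r1 >> 9) & 0x1)
              + (int)((r2 >> 11) & 0x1)
              + (int)((r3 >> 11) & 0x1);

    return (total > 1) ? 0 : 1;
}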

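/* Clock the 19-bit register r1 once, conditionally.
 * ctl is the value from threshold(); the register advances only if ctl XOR
 * its clocking tap (bit 9) is nonzero. Feedback is the XOR of bits 18, 17,
 * 16 and 13, shifted in at bit 0. Returns the register, masked to 19 bits
 * when it clocked and unchanged otherwise. */
unsigned long clock_r1(int ctl, unsigned long r1)
{
    ctl ^= (int)((r1 >> 9) & 0x1);
    if (ctl) {
        unsigned long feedback = (r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13);
        r1 = (r1 << 1) & 0x7ffff;
        r1 ^= feedback & 0x01;
    }
    return r1;
}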

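/* Clock the 22-bit register r2 once, conditionally.
 * ctl is the value from threshold(); the register advances only if ctl XOR
 * its clocking tap (bit 11) is nonzero. Feedback is the XOR of bits 21, 20,
 * 16 and 12, shifted in at bit 0. Returns the register, masked to 22 bits
 * when it clocked and unchanged otherwise. */
unsigned long clock_r2(int ctl, unsigned long r2)
{
    ctl ^= (int)((r2 >> 11) & 0x1);
    if (ctl) {
        unsigned long feedback = (r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12);
        r2 = (r2 << 1) & 0x3fffff;
        r2 ^= feedback & 0x01;
    }
    return r2;
}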

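/* Clock the 23-bit register r3 once, conditionally.
 * ctl is the value from threshold(); the register advances only if ctl XOR
 * its clocking tap (bit 11) is nonzero. Feedback is the XOR of bits 22, 21,
 * 18 and 17, shifted in at bit 0. Returns the register, masked to 23 bits
 * when it clocked and unchanged otherwise. */
unsigned long clock_r3(int ctl, unsigned long r3)
{
    ctl ^= (int)((r3 >> 11) & 0x1);
    if (ctl) {
        unsigned long feedback = (r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17);
        r3 = (r3 << 1) & 0x7fffff;
        r3 ^= feedback & 0x01;
    }
    return r3;
}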
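/* Advance all three registers one step under majority clock control.
 * The original listing passed r2 twice to threshold(), so r3 never took
 * part in the clock decision; a5_step() below votes on (r1, r2, r3), and
 * the same is done here. */
static void a5_clock_all(unsigned long *r1, unsigned long *r2, unsigned long *r3)
{
    int clock_ctl = threshold(*r1, *r2, *r3);
    *r1 = clock_r1(clock_ctl, *r1);
    *r2 = clock_r2(clock_ctl, *r2);
    *r3 = clock_r3(clock_ctl, *r3);
}

/* Produce 114 key stream bits into out, packed MSB-first per byte.
 * The output bit is the XOR of the top bits of the three registers
 * (r1 bit 18, r2 bit 21, r3 bit 22). Fourteen full bytes are written, then
 * a fifteenth byte holding the last two bits in its low two positions, so
 * out must have room for 15 bytes. */
static void a5_emit_114(unsigned long *r1, unsigned long *r2, unsigned long *r3,
                        unsigned char *out)
{
    unsigned char byte = 0; /* byte of keystream being assembled */
    unsigned int bits = 0;  /* number of bits of keystream in byte */
    int i;

    for (i = 0; i < 114; i++) {
        unsigned int bit;
        a5_clock_all(r1, r2, r3);
        bit = (unsigned int)(((*r1 >> 18) ^ (*r2 >> 21) ^ (*r3 >> 22)) & 0x01);
        byte = (unsigned char)((byte << 1) | bit);
        if (++bits == 8) {
            *out++ = byte;
            bits = 0;
            byte = 0;
        }
    }
    if (bits) {
        *out = byte;
    }
}

/* Generate the two 114-bit A5 key streams for one frame.
 * key   : 64-bit session key, key[0..7].
 * frame : 22-bit frame sequence number.
 * alice : receives the 114-bit Alice-to-Bob key stream (15 bytes).
 * bob   : receives the 114-bit Bob-to-Alice key stream (15 bytes).
 * Returns 0. The registers are loaded from the key, the frame number is
 * mixed in bit by bit, the generator is run 100 clocks, the first stream is
 * emitted, another 100 clocks are run, and the second stream is emitted. */
int keystream(unsigned char *key, unsigned long frame, unsigned char *alice, unsigned char *bob)
{
    unsigned long r1; /* 19 bit shift register */
    unsigned long r2; /* 22 bit shift register */
    unsigned long r3; /* 23 bit shift register */
    int i;

    /* Initialise shift registers from session key; the casts keep all the
     * shifting in unsigned long rather than promoted int. */
    r1 = ((unsigned long)key[0]
        | ((unsigned long)key[1] << 8)
        | ((unsigned long)key[2] << 16)) & 0x7ffff;
    r2 = (((unsigned long)key[2] >> 3)
        | ((unsigned long)key[3] << 5)
        | ((unsigned long)key[4] << 13)
        | ((unsigned long)key[5] << 21)) & 0x3fffff;
    r3 = (((unsigned long)key[5] >> 1)
        | ((unsigned long)key[6] << 7)
        | ((unsigned long)key[7] << 15)) & 0x7fffff;

    /* Merge frame sequence number into shift register state, by XORing it
     * into the feedback path one bit per clock. */
    for (i = 0; i < 22; i++) {
        a5_clock_all(&r1, &r2, &r3);
        if (frame & 1) {
            r1 ^= 1;
            r2 ^= 1;
            r3 ^= 1;
        }
        frame >>= 1;
    }

    /* Run shift registers for 100 clock ticks to allow frame number to be
     * diffused into all the bits of the shift registers. */
    for (i = 0; i < 100; i++) {
        a5_clock_all(&r1, &r2, &r3);
    }

    /* Produce 114 bits of Alice->Bob key stream. */
    a5_emit_114(&r1, &r2, &r3, alice);

    /* Run shift registers for another 100 ticks to hide the relationship
     * between the Alice->Bob and Bob->Alice key streams. */
    for (i = 0; i < 100; i++) {
        a5_clock_all(&r1, &r2, &r3);
    }

    /* Produce 114 bits of Bob->Alice key stream. */
    a5_emit_114(&r1, &r2, &r3, bob);

    return 0;
}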
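/* Load an 8-byte key into the three registers (19, 22 and 23 bits).
 * The bytes are read as unsigned so that values >= 0x80 do not sign-extend
 * on platforms where char is signed. The packing itself is kept as in the
 * original and is not masked, so bits above each register's width may be
 * set until clock_rN() next clocks that register and masks it. Note that
 * this packing differs from the one used by keystream(). */
void a5_key(a5_ctx *c, char *k){
    const unsigned char *u = (const unsigned char *)k;
    c->r1 = ((unsigned long)u[0] << 11) | ((unsigned long)u[1] << 3) | ((unsigned long)u[2] >> 5);                               /* 19 */
    c->r2 = ((unsigned long)u[2] << 17) | ((unsigned long)u[3] << 9) | ((unsigned long)u[4] << 1) | ((unsigned long)u[5] >> 7); /* 22 */
    c->r3 = ((unsigned long)u[5] << 15) | ((unsigned long)u[6] << 8) | (unsigned long)u[7];                                      /* 23 */
}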

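/* Step one bit in A5, return 0 or 1 as output bit.
 * Clocks the registers under majority control and returns the XOR of their
 * low bits. (keystream() above derives its output from the registers' top
 * bits instead; the two generators in this listing are not interchangeable.) */
int a5_step(a5_ctx *c){
    int control = threshold(c->r1, c->r2, c->r3);
    c->r1 = clock_r1(control, c->r1);
    c->r2 = clock_r2(control, c->r2);
    c->r3 = clock_r3(control, c->r3);
    return (int)((c->r1 ^ c->r2 ^ c->r3) & 1);
}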

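/* Encrypts a buffer of len bytes in place.
 * Each byte is XORed with eight key stream bits from a5_step(), assembled
 * MSB-first. The accumulator starts at 0 for every byte: the original left
 * it uninitialised, which is undefined behaviour even though eight shifts
 * push the stale bits out. len <= 0 is a no-op. */
void a5_encrypt(a5_ctx *c, char *data, int len){
    int i, j;

    for (i = 0; i < len; i++) {
        unsigned char t = 0;
        for (j = 0; j < 8; j++) {
            t = (unsigned char)((t << 1) | a5_step(c));
        }
        data[i] ^= (char)t;
    }
}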

/* Decrypts a buffer of len bytes in place. A5 is a stream cipher, so
 * decryption is the same key stream XOR as encryption. */
void a5_decrypt(a5_ctx *c, char *data, int len)
{
    a5_encrypt(c, data, len);
}

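/* A5 self-test: encrypt 100 bytes holding 0..99, re-key, decrypt in two
 * calls (1 byte, then 99) and check the plaintext came back. Prints the
 * result and returns 0 on success, 1 on mismatch. */
int main(void){
    a5_ctx c;
    char data[100];
    char key[] = {1, 2, 3, 4, 5, 6, 7, 8};
    int i, flag;

    for (i = 0; i < 100; i++) data[i] = (char)i;

    a5_key(&c, key);
    a5_encrypt(&c, data, 100);

    a5_key(&c, key);
    a5_decrypt(&c, data, 1);
    a5_decrypt(&c, data + 1, 99);

    flag = 0;
    for (i = 0; i < 100; i++) {
        if (data[i] != i) flag = 1;
    }
    if (flag) {
        printf("Decrypt failed\n");
    } else {
        printf("Decrypt succeeded\n");
    }
    return flag;
}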


SEAL
#undef SEAL_DEBUG /* not referenced anywhere in this listing */

/* Return codes; g(), seal_init() and seal() return ALG_OK, ALG_NOTOK is unused here. */
#define ALG_OK 0
#define ALG_NOTOK 1
/* Words of keystream produced by one seal() call; also the size of ks_buf. */
#define WORDS_PER_SEAL_CALL 1024

/* SEAL context: the three key-derived tables (filled by seal_init) plus the
 * keystream buffer and read position managed by seal_key/seal_encrypt. */
typedef struct {
unsigned long t[520]; /* 512 rounded up to a multiple of 5 + 5 */
unsigned long s[265]; /* 256 rounded up to a multiple of 5 + 5 */
unsigned long r[20]; /* 16 rounded up to multiple of 5 */
unsigned long counter; /* 32-bit synch value; the block index fed to seal() */
unsigned long ks_buf[WORDS_PER_SEAL_CALL]; /* keystream for block `counter`-1 */
int ks_pos; /* next unused word in ks_buf; WORDS_PER_SEAL_CALL means "refill first" */
} seal_ctx;

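/* Fixed-amount right rotates of a 32-bit word. The operand is reduced to
 * its low 32 bits before the right shift and the result is masked again,
 * so these are correct 32-bit rotates even where unsigned long is wider
 * than 32 bits (the unmasked originals were only correct on 32-bit longs). */
#define SEAL_M32 0xffffffffUL
#define ROT2(x) (((((x) & SEAL_M32) >> 2) | ((x) << 30)) & SEAL_M32)
#define ROT9(x) (((((x) & SEAL_M32) >> 9) | ((x) << 23)) & SEAL_M32)
#define ROT8(x) (((((x) & SEAL_M32) >> 8) | ((x) << 24)) & SEAL_M32)
#define ROT16(x) (((((x) & SEAL_M32) >> 16) | ((x) << 16)) & SEAL_M32)
#define ROT24(x) (((((x) & SEAL_M32) >> 24) | ((x) << 8)) & SEAL_M32)
#define ROT27(x) (((((x) & SEAL_M32) >> 27) | ((x) << 5)) & SEAL_M32)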

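/* Load a big-endian 32-bit word from four bytes at cp. Each byte is widened
 * to unsigned long before shifting: shifting a byte promoted to int by 24
 * overflows when cp[0] >= 0x80. cp is evaluated four times. */
#define WORD(cp) (((unsigned long)(cp)[0] << 24) | ((unsigned long)(cp)[1] << 16) | ((unsigned long)(cp)[2] << 8) | (unsigned long)(cp)[3])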

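/* SHA-1 style round functions used by g(): choose, parity, majority, parity. */
#define F1(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
#define F2(x, y, z) ((x)^(y)^(z))
#define F3(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define F4(x, y, z) ((x)^(y)^(z))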

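/* SEAL's table generator: a SHA-1-style compression of the 20-byte key with
 * the index i as the only message word. The message schedule is
 * w[t] = w[t-3]^w[t-8]^w[t-14]^w[t-16] without SHA-1's one-bit rotate.
 * in : 20 key bytes, read big-endian as the five chaining words h0..h4.
 * i  : table block index; becomes w[0].
 * h  : receives the five 32-bit output words h[0..4].
 * Returns ALG_OK. Every intermediate and output word is masked to 32 bits
 * so the result does not depend on the width of unsigned long. */
int g(unsigned char *in, int i, unsigned long *h)
{
    unsigned long h0, h1, h2, h3, h4;
    unsigned long a, b, c, d, e;
    unsigned long w[80];
    unsigned long temp;
    unsigned char *kp = in;
    int t;

    h0 = WORD(kp); kp += 4;
    h1 = WORD(kp); kp += 4;
    h2 = WORD(kp); kp += 4;
    h3 = WORD(kp); kp += 4;
    h4 = WORD(kp);

    w[0] = (unsigned long)i & 0xffffffffUL;
    for (t = 1; t < 16; t++) {
        w[t] = 0;
    }
    for (t = 16; t < 80; t++) {
        w[t] = w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16];
    }

    a = h0;
    b = h1;
    c = h2;
    d = h3;
    e = h4;

    /* 80 rounds in four groups of 20, each with its own function and constant. */
    for (t = 0; t < 80; t++) {
        unsigned long f, k;
        if (t < 20) {
            f = F1(b, c, d); k = 0x5a827999UL;
        } else if (t < 40) {
            f = F2(b, c, d); k = 0x6ed9eba1UL;
        } else if (t < 60) {
            f = F3(b, c, d); k = 0x8f1bbcdcUL;
        } else {
            f = F4(b, c, d); k = 0xca62c1d6UL;
        }
        temp = (ROT27(a) + f + e + w[t] + k) & 0xffffffffUL;
        e = d;
        d = c;
        c = ROT2(b);
        b = a;
        a = temp;
    }

    h[0] = (h0 + a) & 0xffffffffUL;
    h[1] = (h1 + b) & 0xffffffffUL;
    h[2] = (h2 + c) & 0xffffffffUL;
    h[3] = (h3 + d) & 0xffffffffUL;
    h[4] = (h4 + e) & 0xffffffffUL;

    return (ALG_OK);
}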

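/* Return word i of the table stream derived from key a: output (i mod 5) of
 * g() applied to block i/5. Not called elsewhere in this listing; seal_init
 * calls g() directly five words at a time. Note the name collides with the
 * gamma() function that <math.h> declares on many systems. */
unsigned long gamma(unsigned char *a, int i)
{
    unsigned long h[5];
    (void) g(a, i / 5, h);
    return h[i % 5];
}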

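/* Derive the SEAL tables from a 20-byte key.
 * t[k] = gamma(key, k) for k in 0..511, s[k] = gamma(key, 0x1000 + k) for
 * k in 0..255, r[k] = gamma(key, 0x2000 + k) for k in 0..15. g() yields five
 * consecutive table words per call, so where an array's first index is not
 * 5-aligned relative to its offset (0x1000 mod 5 = 1, 0x2000 mod 5 = 2) or
 * its length is not a multiple of 5, the partial group is produced into h[]
 * and copied. Returns ALG_OK. */
int seal_init(seal_ctx *result, unsigned char *key)
{
    int i;
    unsigned long h[5];

    /* t: indices are 5-aligned, so write five words at a time directly. */
    for (i = 0; i < 510; i += 5) {
        g(key, i / 5, &(result->t[i]));
    }
    /* horrible special case for the end */
    g(key, 510 / 5, h);
    for (i = 510; i < 512; i++) {
        result->t[i] = h[i - 510];
    }

    /* 0x1000 mod 5 is +1, so have horrible special case for the start */
    g(key, (-1 + 0x1000) / 5, h);
    for (i = 0; i < 4; i++) {
        result->s[i] = h[i + 1];
    }
    for (i = 4; i < 254; i += 5) {
        g(key, (i + 0x1000) / 5, &(result->s[i]));
    }
    /* horrible special case for the end */
    g(key, (254 + 0x1000) / 5, h);
    for (i = 254; i < 256; i++) {
        result->s[i] = h[i - 254];
    }

    /* 0x2000 mod 5 is +2, so have horrible special case at the start */
    g(key, (-2 + 0x2000) / 5, h);
    for (i = 0; i < 3; i++) {
        result->r[i] = h[i + 2];
    }
    for (i = 3; i < 13; i += 5) {
        g(key, (i + 0x2000) / 5, &(result->r[i]));
    }
    /* horrible special case for the end */
    g(key, (13 + 0x2000) / 5, h);
    for (i = 13; i < 16; i++) {
        result->r[i] = h[i - 13];
    }
    return (ALG_OK);
}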

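/* Generate one keystream block of WORDS_PER_SEAL_CALL 32-bit words.
 * key : context whose tables t, s, r were filled by seal_init.
 * in  : 32-bit block counter / position.
 * out : receives WORDS_PER_SEAL_CALL words.
 * Four outer iterations each derive a, b, c, d from `in` and r[4l..4l+3],
 * run three table-driven mixing passes (saving the state after the second
 * as n1..n4), then emit 64 groups of four words combined with s[]. The
 * emitted words are masked to 32 bits so the stream is the same whatever
 * the width of unsigned long. Returns ALG_OK. */
int seal(seal_ctx *key, unsigned long in, unsigned long *out)
{
    int i, j, l;
    unsigned long a, b, c, d;
    unsigned short p, q; /* table indices, always in 0..0x7fc */
    unsigned long n1, n2, n3, n4;
    unsigned long *wp = out;

    for (l = 0; l < 4; l++) {
        a = in ^ key->r[4 * l];
        b = ROT8(in) ^ key->r[4 * l + 1];
        c = ROT16(in) ^ key->r[4 * l + 2];
        d = ROT24(in) ^ key->r[4 * l + 3];

        /* Two mixing passes before the state is saved... */
        for (j = 0; j < 2; j++) {
            p = a & 0x7fc; b += key->t[p / 4]; a = ROT9(a);
            p = b & 0x7fc; c += key->t[p / 4]; b = ROT9(b);
            p = c & 0x7fc; d += key->t[p / 4]; c = ROT9(c);
            p = d & 0x7fc; a += key->t[p / 4]; d = ROT9(d);
        }
        n1 = d;
        n2 = b;
        n3 = a;
        n4 = c;

        /* ...and a third pass after. */
        p = a & 0x7fc; b += key->t[p / 4]; a = ROT9(a);
        p = b & 0x7fc; c += key->t[p / 4]; b = ROT9(b);
        p = c & 0x7fc; d += key->t[p / 4]; c = ROT9(c);
        p = d & 0x7fc; a += key->t[p / 4]; d = ROT9(d);

        /* This generates 64 32-bit words, or 256 bytes of keystream. */
        for (i = 0; i < 64; i++) {
            p = a & 0x7fc;       b += key->t[p / 4]; a = ROT9(a); b ^= a;
            q = b & 0x7fc;       c ^= key->t[q / 4]; b = ROT9(b); c += b;
            p = (p + c) & 0x7fc; d += key->t[p / 4]; c = ROT9(c); d ^= c;
            q = (q + d) & 0x7fc; a ^= key->t[q / 4]; d = ROT9(d); a += d;
            p = (p + a) & 0x7fc; b ^= key->t[p / 4]; a = ROT9(a);
            q = (q + b) & 0x7fc; c += key->t[q / 4]; b = ROT9(b);
            p = (p + c) & 0x7fc; d ^= key->t[p / 4]; c = ROT9(c);
            q = (q + d) & 0x7fc; a += key->t[q / 4]; d = ROT9(d);

            *wp++ = (b + key->s[4 * i]) & 0xffffffffUL;
            *wp++ = (c ^ key->s[4 * i + 1]) & 0xffffffffUL;
            *wp++ = (d + key->s[4 * i + 2]) & 0xffffffffUL;
            *wp++ = (a ^ key->s[4 * i + 3]) & 0xffffffffUL;

            /* Re-inject the saved state, alternating between the two pairs. */
            if (i & 1) {
                a += n3;
                c += n4;
            } else {
                a += n1;
                c += n2;
            }
        }
    }
    return (ALG_OK);
}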

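/* Added call to refill ks_buf and reset counter and ks_pos.
 * Generates the keystream block for the current counter into ks_buf,
 * advances the counter (kept to 32 bits, matching its declared role as a
 * 32-bit synch value) and rewinds the read position. */
void seal_refill_buffer(seal_ctx *c){
    seal(c, c->counter, c->ks_buf);
    c->counter = (c->counter + 1) & 0xffffffffUL;
    c->ks_pos = 0;
}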

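/* Key the context: derive the tables from the 20-byte key and position the
 * stream at counter 0. ks_pos is set to WORDS_PER_SEAL_CALL so the first
 * seal_encrypt call refills the keystream buffer. */
void seal_key(seal_ctx *c, unsigned char *key){
    (void) seal_init(c, key); /* only ever returns ALG_OK */
    c->counter = 0; /* By default, init to zero. */
    c->ks_pos = WORDS_PER_SEAL_CALL; /* Refill keystream buffer on next call. */
}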

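/* This encrypts the next w words with SEAL.
 * XORs data_ptr[0..w-1] with the next w keystream words, refilling ks_buf
 * from seal() whenever it is exhausted. Consumes keystream, so repeated
 * calls continue the stream. w <= 0 is a no-op. */
void seal_encrypt(seal_ctx *c, unsigned long *data_ptr, int w){
    int i;

    for (i = 0; i < w; i++) {
        if (c->ks_pos >= WORDS_PER_SEAL_CALL) {
            seal_refill_buffer(c);
        }
        data_ptr[i] ^= c->ks_buf[c->ks_pos];
        c->ks_pos++;
    }
}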

/* Decrypts the next w words; SEAL is a stream cipher, so this is the same
 * keystream XOR as seal_encrypt. */
void seal_decrypt(seal_ctx *c, unsigned long *data_ptr, int w)
{
    seal_encrypt(c, data_ptr, w);
}

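/* Reposition the stream at block synch_word: the next seal_encrypt call will
 * refill ks_buf from that counter value. The counter is kept to 32 bits. */
void seal_resynch(seal_ctx *c, unsigned long synch_word){
    c->counter = synch_word & 0xffffffffUL;
    c->ks_pos = WORDS_PER_SEAL_CALL;
}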

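/* SEAL self-test: encrypt 1000 zero words, print the XOR of the result,
 * re-key, decrypt in two calls (1 word, then 999) and check the buffer is
 * all zero again. Returns 0 on success, 1 on mismatch. */
int main(void){
    seal_ctx sc;
    unsigned long buf[1000], t;
    int i, flag;
    unsigned char key[] =
        {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19};

    printf("1\n");

    seal_key(&sc, key);

    printf("2\n");
    for (i = 0; i < 1000; i++) buf[i] = 0;
    printf("3\n");
    seal_encrypt(&sc, buf, 1000);
    printf("4\n");
    t = 0;
    for (i = 0; i < 1000; i++) t ^= buf[i];
    printf("XOR of buf is %08lx.\n", t);

    seal_key(&sc, key);
    seal_decrypt(&sc, buf, 1);
    seal_decrypt(&sc, buf + 1, 999);
    flag = 0;
    for (i = 0; i < 1000; i++) {
        if (buf[i] != 0) flag = 1;
    }
    if (flag) {
        printf("Decrypt failed.\n");
    } else {
        printf("Decrypt succeeded.\n");
    }
    return flag;
}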

References
1. ABA Bank Card Standard, “Management and Use of Personal Information Numbers,”
Aids from ABA, Catalog no. 207213, American Bankers Association, 1979.
2. ABA Document 4.3, “Key Management Standard,” American Bankers Association,
1980.
3. M. Abadi, J. Feigenbaum, and J. Kilian, “On Hiding Information from an Oracle,”
Proceedings of the 19th ACM Symposium on the Theory of Computing, 1987, pp. 195–203.
4. M. Abadi, J. Feigenbaum, and J. Kilian, “On Hiding Information from an Oracle,”
Journal of Computer and System Sciences, v. 39, n. 1, Aug 1989, pp. 21–50.
5. M. Abadi and R. Needham, “Prudent Engineering Practice for Cryptographic
Protocols,” Research Report 125, Digital Equipment Corp Systems Research Center, Jun 1994.
6. C.M. Adams, “On Immunity Against Biham and Shamir's ‘Differential
Cryptanalysis,’” Information Processing Letters, v. 41, 14 Feb 1992, pp. 77–80.
7. C.M. Adams, “Simple and Effective Key Scheduling for Symmetric Ciphers,”
Workshop on Selected Areas in Cryptography—Workshop Record, Kingston, Ontario, 5–6 May
1994, pp. 129–133.
Publicâ€“Key Cryptosystem,â€ť Advances in Cryptologyâ€”CRYPTO â€™87 Proceedings, Springerâ€“
Verlag, 1988, pp. 224â€“230.
9. C.M. Adams and S.E. Tavares, â€śThe Structured Design of Cryptographically Good Sâ€“
Boxes,â€ť Journal of Cryptology, v. 3, n. 1, 1990, pp. 27â€“41.
10. C.M. Adams and S.E. Tavares, â€śDesigning Sâ€“Boxes for Ciphers Resistant to
Differential Cryptanalysis,â€ť Proceedings of the 3rd Symposium on State and Progress of Research
in Cryptography, Rome, Italy, 15â€“16 Feb 1993, pp. 181â€“190.
11. W. Adams and D. Shanks, â€śStrong Primality Tests That Are Not Sufficient,â€ť
Mathematics of Computation, v. 39, 1982, pp. 255â€“300.
12. W.W. Adams and L.J. Goldstein, Introduction to Number Theory, Englewood Cliffs,
N.J.: Prenticeâ€“Hall, 1976.
13. B.S. Adiga and P. Shankar, â€śModified Luâ€“Lee Cryptosystem,â€ť Electronics Letters, v.
21, n. 18, 29 Aug 1985, pp. 794â€“795.
14. L.M. Adleman, â€śA Subexponential Algorithm for the Discrete Logarithm Problem
with Applications to Cryptography,â€ť Proceedings of the IEEE 20th Annual Symposium of
Foundations of Computer Science, 1979, pp. 55â€“60.
15. L.M. Adleman, â€śOn Breaking Generalized Knapsack Public Key Cryptosystems,â€ť
Proceedings of the 15th ACM Symposium on Theory of Computing, 1983, pp. 402â€“ 412.


16. L.M. Adleman, â€śFactoring Numbers Using Singular Integers,â€ť Proceedings of the 23rd
Annual ACM Symposium on the Theory of Computing, 1991, pp. 64â€“71.
17. L.M. Adleman, â€śMolecular Computation of Solutions to Combinatorial Problems,â€ť
Science, v. 266, n. 11, Nov 1994, p. 1021.
Congruences in Random Polynomial Time,â€ť Mathematics of Computation, v. 48, n. 177, Jan
1987, pp. 17â€“28.
19. L.M. Adleman, C. Pomerance, and R.S. Rumeley, â€śOn Distinguishing Prime Numbers
from Composite Numbers,â€ť Annals of Mathematics, v. 117, n. 1, 1983, pp. 173â€“206.
20. L.M. Adleman and R.L. Rivest, â€śHow to Break the Luâ€“Lee (COMSAT) Publicâ€“Key
Cryptosystem,â€ť MIT Laboratory for Computer Science, Jul 1979.
21. G.B. Agnew, â€śRandom Sources for Cryptographic Systems,â€ť Advances in
Cryptologyâ€”EUROCRYPT â€™87 Proceedings, Springerâ€“Verlag, 1988, pp. 77â€“81.
22. G.B. Agnew, R.C. Mullin, I.M. Onyszchuk, and S.A. Vanstone, â€śAn Implementation
for a Fast Publicâ€“Key Cryptosystem,â€ť Journal of Cryptology, v. 3, n. 2, 1991, pp. 63â€“79.
23. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, â€śA Fast Elliptic Curve Cryptosystem,â€ť
Advances in Cryptologyâ€”EUROCRYPT â€™89 Proceedings, Springerâ€“Verlag, 1990, pp. 706â€“708.
24. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, â€śImproved Digital Signature Scheme
Based on Discrete Exponentiation,â€ť Electronics Letters, v. 26, n. 14, 5 Jul 1990, pp. 1024â€“1025.
25. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, â€śOn the Development of a Fast Elliptic
Curve Cryptosystem,â€ť Advances in Cryptologyâ€”EUROCRYPT â€™92 Proceedings, Springerâ€“
Verlag, 1993, pp. 482â€“ 287.
26. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, â€śAn Implementation of Elliptic Curve
Cryptosystems over F2155,â€ť IEEE Selected Areas of Communications, v. 11, n. 5, Jun 1993, pp.
804â€“813.
27. A. Aho, J. Hopcroft, and J. Ullman, The Design and Analysis of Computer Algorithms,
28. S.G. Akl, â€śDigital Signatures: A Tutorial Survey,â€ť Computer, v. 16, n. 2, Feb 1983, pp.
15â€“24.
29. S.G. Akl, â€śOn the Security of Compressed Encodings,â€ť Advances in Cryptology:
Proceedings of Crypto 83, Plenum Press, 1984, pp. 209â€“230.
30. S.G. Akl and H. Meijer, â€śA Fast Pseudoâ€“Random Permutation Generator with
Applications to Cryptology,â€ť Advances in Cryptology: Proceedings of CRYPTO 84, Springerâ€“
Verlag, 1985, pp. 269â€“275.
31. M. Alabbadi and S.B. Wicker, â€śSecurity of Xinmei Digital Signature Scheme,â€ť
Electronics Letters, v. 28, n. 9, 23 Apr 1992, pp. 890â€“891.
32. M. Alabbadi and S.B. Wicker, â€śDigital Signature Schemes Based on Errorâ€“
Correcting Codes,â€ť Proceedings of the 1993 IEEEâ€“ISIT, IEEE Press, 1993, p. 199.
33. M. Alabbadi and S.B. Wicker, â€śCryptanalysis of the Harn and Wang Modification of
the Xinmei Digital Signature Scheme,â€ť Electronics Letters, v. 28, n. 18, 27 Aug 1992, pp. 1756â€“
1758.
34. K. Alagappan and J. Tardo, â€śSPX Guide: Prototype Public Key Authentication
Service,â€ť Digital Equipment Corp., May 1991.
35. W. Alexi, B.â€“Z. Chor, O. Goldreich, and C.P. Schnorr, â€śRSA and Rabin Functions:
Certain Parts Are as Hard as the Whole,â€ť Proceedings of the 25th IEEE Symposium on the
Foundations of Computer Science, 1984, pp. 449â€“457.
36. W. Alexi, B.â€“Z. Chor, O. Goldreich, and C.P. Schnorr, â€śRSA and Rabin Functions:
Certain Parts are as Hard as the Whole,â€ť SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp.
194â€“209.
37. Ameritech Mobile Communications et al., â€śCellular Digital Packet Data System
Specifications: Part 406: Airlink Security,â€ť CDPD Industry Input Coordinator, Costa Mesa,
Calif., Jul 1993.
38. H.R. Amirazizi, E.D. Karnin, and J.M. Reyneri, â€śCompact Knapsacks are Polynomial


Solvable,â€ť ACM SIGACT News, v. 15, 1983, pp. 20â€“22.
39. R.J. Anderson, â€śSolving a Class of Stream Ciphers,â€ť Cryptologia, v. 14, n. 3, Jul 1990,
pp. 285â€“288.
40. R.J. Anderson, â€śA Second Generation Electronic Wallet,â€ť ESORICS 92, Proceedings
of the Second European Symposium on Research in Computer Security, Springerâ€“Verlag, 1992,
pp. 411â€“418.
41. R.J. Anderson, â€śFaster Attack on Certain Stream Ciphers,â€ť Electronics Letters, v. 29,
n. 15, 22 Jul 1993, pp. 1322â€“1323.
42. R.J. Anderson, â€śDerived Sequence Attacks on Stream Ciphers,â€ť presented at the
rump session of CRYPTO â€™93, Aug 1993.
43. R.J. Anderson, â€śWhy Cryptosystems Fail,â€ť 1st ACM Conference on Computer and
Communications Security, ACM Press, 1993, pp. 215â€“227.
44. R.J. Anderson, â€śWhy Cryptosystems Fail,â€ť Communications of the ACM, v. 37, n. 11,
Nov 1994, pp. 32â€“40.
45. R.J. Anderson, â€śOn Fibonacci Keystream Generators,â€ť K.U. Leuven Workshop on
Cryptographic Algorithms, Springerâ€“Verlag, 1995, to appear.
46. R.J. Anderson, â€śSearching for the Optimum Correlation Attack,â€ť K.U. Leuven
Workshop on Cryptographic Algorithms, Springerâ€“Verlag, 1995, to appear.
47. R.J. Anderson and T.M.A. Lomas, â€śFortifying Key Negotiation Schemes with Poorly
Chosen Passwords,â€ť Electronics Letters, v. 30, n. 13, 23 Jun 1994, pp. 1040â€“1041.
48. R.J. Anderson and R. Needham, â€śRobustness Principles for Public Key Protocols,â€ť
Advances in Cryptologyâ€”CRYPTO â€™95 Proceedings, Springerâ€“Verlag, 1995, to appear.
49. D. Andleman and J. Reeds, â€śOn the Cryptanalysis of Rotor Machines and
Substitutionâ€“Permutation Networks,â€ť IEEE Transactions on Information Theory, v. ITâ€“28, n. 4,
Jul 1982, pp. 578â€“584.
50. ANSI X3.92, â€śAmerican National Standard for Data Encryption Algorithm (DEA),â€ť
American National Standards Institute, 1981.
51. ANSI X3.105, â€śAmerican National Standard for Information Systemsâ€”Data Link
Encryption,â€ť American National Standards Institute, 1983.
52. ANSI X3.106, â€śAmerican National Standard for Information Systemsâ€”Data
Encryption Algorithmâ€”Modes of Operation,â€ť American National Standards Institute, 1983.
53. ANSI X9.8, â€śAmerican National Standard for Personal Information Number (PIN)
Management and Security,â€ť American Bankers Association, 1982.
54. ANSI X9.9 (Revised), â€śAmerican National Standard for Financial Institution Message
Authentication (Wholesale),â€ť American Bankers Association, 1986.
55. ANSI X9.17 (Revised), â€śAmerican National Standard for Financial Institution Key
Management (Wholesale),â€ť American Bankers Association, 1985.
56. ANSI X9.19, â€śAmerican National Standard for Retail Message Authentication,â€ť
American Bankers Association, 1985.
57. ANSI X9.23, â€śAmerican National Standard for Financial Institution Message
Encryption,â€ť American Bankers Association, 1988.
58. ANSI X9.24, â€śDraft Proposed American National Standard for Retail Key
Management,â€ť American Bankers Association, 1988.
59. ANSI X9.26 (Revised), â€śAmerican National Standard for Financial Institution Signâ€“
On Authentication for Wholesale Financial Transaction,â€ť American Bankers Association, 1990.
60. ANSI X9.30, â€śWorking Draft: Public Key Cryptography Using Irreversible
Algorithms for the Financial Services Industry,â€ť American Bankers Association, Aug 1994.
61. ANSI X9.31, â€śWorking Draft: Public Key Cryptography Using Reversible Algorithms
for the Financial Services Industry,â€ť American Bankers Association, Mar 1993.
62. K. Aoki and K. Ohta, â€śDifferentialâ€“Linear Cryptanalysis of FEALâ€“8,â€ť Proceedings of
the 1995 Symposium on Cryptography and Information Security (SCIS 95), Inuyama, Japan, 24â€“
27 Jan 1995, pp. A3.4.1â€“11. (In Japanese.)
63. K. Araki and T. Sekine, â€śOn the Conspiracy Problem of the Generalized Tanakaâ€™s


Cryptosystem,â€ť IEICE Transactions, v. E74, n. 8, Aug 1991, pp. 2176â€“2178.
64. S. Araki, K. Aoki, and K. Ohta, â€śThe Best Linear Expression Search for FEAL,â€ť
Proceedings of the 1995 Symposium on Cryptography and Information Security (SCIS 95),
Inuyama, Japan, 24â€“27 Jan 1995, pp. A4.4.1â€“10.
65. C. Asmuth and J. Bloom, â€śA Modular Approach to Key Safeguarding,â€ť IEEE
Transactions on Information Theory, v. ITâ€“29, n. 2, Mar 1983, pp. 208â€“210.
66. D. Atkins, M. Graff, A.K. Lenstra, and P.C. Leyland, â€śThe Magic Words are
Squeamish Ossifrage,â€ť Advances in Cryptologyâ€”ASIACRYPT â€™94 Proceedings, Springerâ€“Verlag,
1995, pp. 263â€“277.
67. AT&T, â€śT7001 Random Number Generator,â€ť Data Sheet, Aug 1986.
68. AT&T, â€śAT&T Readying New Spyâ€“Proof Phone for Big Military and Civilian
Markets,â€ť The Report on AT&T, 2 Jun 1986, pp. 6â€“7.
69. AT&T, â€śT7002/T7003 Bit Slice Multiplier,â€ť product announcement, 1987.
70. AT&T, â€śTelephone Security Device TSD 3600â€”Userâ€™s Manual,â€ť AT&T, 20 Sep 1992.
71. Y. Aumann and U. Feige, â€śOn Message Proof Systems with Known Space Verifiers,â€ť
Advances in Cryptologyâ€”CRYPTO â€™93 Proceedings, Springerâ€“Verlag, 1994, pp. 85â€“99.
72. R.G. Ayoub, An Introduction to the Theory of Numbers, Providence, RI: American
Mathematical Society, 1963.
73. A. Aziz and W. Diffie, â€śPrivacy and Authentication for Wireless Local Area
Networks,â€ť IEEE Personal Communications, v. 1, n. 1, 1994, pp. 25â€“31.
74. A. Bahreman and J.D. Tygar, â€śCertified Electronic Mail,â€ť Proceedings of the Internet
Society 1994 Workshop on Network and Distributed System Security, The Internet Society, 1994,
pp. 3â€“19.
75. D. Balenson, â€śAutomated Distribution of Cryptographic Keys Using the Financial
Institution Key Management Standard,â€ť IEEE Communications Magazine, v. 23, n. 9, Sep 1985,
pp. 41â€“46.
76. D. Balenson, â€śPrivacy Enhancement for Internet Electronic Mail: Part III:
Algorithms, Modes, and Identifiers,â€ť RFC 1423, Feb 1993.
77. D. Balenson, C.M. Ellison, S.B. Lipner, and S.T. Walker, â€śA New Approach to
Software Key Escrow Encryption,â€ť TIS Report #520, Trusted Information Systems, Aug 94.
78. R. Ball, Mathematical Recreations and Essays, New York: MacMillan, 1960.
79. J. Bamford, The Puzzle Palace, Boston: Houghton Mifflin, 1982.
80. J. Bamford and W. Madsen, The Puzzle Palace, Second Edition, Penguin Books, 1995.
81. S.K. Banerjee, â€śHigh Speed Implementation of DES,â€ť Computers & Security, v. 1,
1982, pp. 261â€“267.
82. Z. Baodong, â€śMCâ€“Veiled Linear Transform Public Key Cryptosystem,â€ť Acta
Electronica Sinica, v. 20, n. 4, Apr 1992, pp. 21â€“24. (In Chinese.)
83. P.H. Bardell, â€śAnalysis of Cellular Automata Used as Pseudorandom Pattern
Generators,â€ť Proceedings of 1990 International Test Conference, pp. 762â€“768.
84. T. Baritaud, H. Gilbert, and M. Girault, â€śFFT Hashing is not Collisionâ€“Free,â€ť
Advances in Cryptologyâ€”EUROCRYPT â€™92 Proceedings, Springerâ€“Verlag, 1993, pp. 35â€“44.
85. C. Barker, â€śAn Industry Perspective of the CCEP,â€ť 2nd Annual AIAA Computer
Security Conference Proceedings, 1986.
86. W.G. Barker, Cryptanalysis of the Hagelin Cryptograph, Aegean Park Press, 1977.
87. P. Barrett, â€śImplementing the Rivest Shamir and Adleman Public Key Encryption
Algorithm on a Standard Digital Signal Processor,â€ť Advances in Cryptologyâ€”CRYPTO â€™86
Proceedings, Springerâ€“Verlag, 1987, pp. 311â€“323.
88. T.C. Bartee and D.I. Schneider, â€śComputation with Finite Fields,â€ť Information and
Control, v. 6, n. 2, Jun 1963, pp. 79â€“98.
89. U. Baum and S. Blackburn, â€śClockâ€“Controlled Pseudorandom Generators on Finite
Groups,â€ť K.U. Leuven Workshop on Cryptographic Algorithms, Springerâ€“Verlag, 1995, to
appear.
90. K.R. Bauer, T.A. Bersen, and R.J. Feiertag, â€śA Key Distribution Protocol Using Event


Markers,â€ť ACM Transactions on Computer Systems, v. 1, n. 3, 1983, pp. 249â€“255.
91. F. Bauspiess and F. Damm, â€śRequirements for Cryptographic Hash Functions,â€ť
Computers & Security, v. 11, n. 5, Sep 1992, pp. 427â€“437.
92. D. Bayer, S. Haber, and W.S. Stornetta, â€śImproving the Efficiency and Reliability of
Digital Timeâ€“Stamping,â€ť Sequences â€™91: Methods in Communication, Security, and Computer
Science, Springerâ€“Verlag, 1992, pp. 329â€“334.
93. R. Bayer and J.K. Metzger, â€śOn the Encipherment of Search Trees and Random
Access Files,â€ť ACM Transactions on Database Systems, v. 1, n. 1, Mar 1976, pp. 37â€“52.
94. M. Beale and M.F. Monaghan, â€śEncrytion Using Random Boolean Functions,â€ť
Cryptography and Coding, H.J. Beker and F.C. Piper, eds., Oxford: Clarendon Press, 1989, pp.
219â€“230.
95. P. Beauchemin and G. Brassard, â€śA Generalization of Hellmanâ€™s Extension to
Shannonâ€™s Approach to Cryptography,â€ť Journal of Cryptology, v. 1, n. 2, 1988, pp. 129â€“132.
96. P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, “The
Generation of Random Numbers that are Probably Prime,” Journal of Cryptology, v. 1, n. 1,
1988, pp. 53–64.
97. D. Beaver, J. Feigenbaum, and V. Shoup, â€śHiding Instances in Zeroâ€“Knowledge
Proofs,â€ť Advances in Cryptologyâ€”CRYPTO â€™90 Proceedings, Springerâ€“Verlag, 1991, pp. 326â€“
338.
98. H. Beker, J. Friend, and P. Halliden, “Simplifying Key Management in Electronic
Funds Transfer Points of Sale Systems,” Electronics Letters, v. 19, n. 12, Jun 1983, pp. 442–444.
99. H. Beker and F. Piper, Cipher Systems: The Protection of Communications, London:
Northwood Books, 1982.
100. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Mathematical
Foundations,” Report ESD-TR-73-275, MITRE Corp., 1973.
101. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: A Mathematical Model,”
Report MTR-2547, MITRE Corp., 1973.
102. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: A Refinement of the
Mathematical Model,” Report ESD-TR-73-278, MITRE Corp., 1974.
103. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Unified Exposition and
Multics Interpretation,” Report ESD-TR-75-306, MITRE Corp., 1976.
104. M. Bellare and S. Goldwasser, “New Paradigms for Digital Signatures and Message
Authentication Based on Non-Interactive Zero Knowledge Proofs,” Advances in Cryptology—
CRYPTO ’89 Proceedings, Springer-Verlag, 1990, pp. 194–211.
105. M. Bellare and S. Micali, “Non-Interactive Oblivious Transfer and Applications,”
Advances in Cryptology—CRYPTO ’89 Proceedings, Springer-Verlag, 1990, pp. 547–557.
106. M. Bellare, S. Micali, and R. Ostrovsky, “Perfect Zero-Knowledge in Constant
Rounds,” Proceedings of the 22nd ACM Symposium on the Theory of Computing, 1990, pp. 482–
493.
107. S.M. Bellovin, “A Preliminary Technical Analysis of Clipper and Skipjack,”
unpublished manuscript, 20 Apr 1993.
108. S.M. Bellovin and M. Merritt, “Limitations of the Kerberos Protocol,” Winter 1991
USENIX Conference Proceedings, USENIX Association, 1991, pp. 253–267.
109. S.M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based
Protocols Secure Against Dictionary Attacks,” Proceedings of the 1992 IEEE Computer Society
Conference on Research in Security and Privacy, 1992, pp. 72–84.
110. S.M. Bellovin and M. Merritt, “An Attack on the Interlock Protocol When Used for
Authentication,” IEEE Transactions on Information Theory, v. 40, n. 1, Jan 1994, pp. 273–275.
111. S.M. Bellovin and M. Merritt, “Cryptographic Protocol for Secure
Communications,” U.S. Patent #5,241,599, 31 Aug 93.
112. I. Ben-Aroya and E. Biham, “Differential Cryptanalysis of Lucifer,” Advances in
Cryptology—CRYPTO ’93 Proceedings, Springer-Verlag, 1994, pp. 187–199.
113. J.C. Benaloh, “Cryptographic Capsules: A Disjunctive Primitive for Interactive


Protocols,” Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 213–222.
114. J.C. Benaloh, “Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret,”
Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 251–260.
115. J.C. Benaloh, “Verifiable Secret-Ballot Elections,” Ph.D. dissertation, Yale
University, YALEU/DCS/TR-561, Dec 1987.
116. J.C. Benaloh and M. de Mare, “One-Way Accumulators: A Decentralized
Alternative to Digital Signatures,” Advances in Cryptology—EUROCRYPT ’93 Proceedings,
Springer-Verlag, 1994, pp. 274–285.
117. J.C. Benaloh and D. Tuinstra, “Receipt-Free Secret Ballot Elections,” Proceedings of
the 26th ACM Symposium on the Theory of Computing, 1994, pp. 544–553.
118. J.C. Benaloh and M. Yung, “Distributing the Power of a Government to Enhance the
Privacy of Voters,” Proceedings of the 5th ACM Symposium on the Principles in Distributed
Computing, 1986, pp. 52–62.
119. A. Bender and G. Castagnoli, “On the Implementation of Elliptic Curve
Cryptosystems,” Advances in Cryptology—CRYPTO ’89 Proceedings, Springer-Verlag, 1990, pp.
186–192.
120. S. Bengio, G. Brassard, Y.G. Desmedt, C. Goutier, and J.-J. Quisquater, “Secure
Implementation of Identification Systems,” Journal of Cryptology, v. 4, n. 3, 1991, pp. 175–184.
121. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental
Quantum Cryptography,” Advances in Cryptology—EUROCRYPT ’90 Proceedings, Springer-
Verlag, 1991, pp. 253–265.
122. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental
Quantum Cryptography,” Journal of Cryptology, v. 5, n. 1, 1992, pp. 3–28.
123. C.H. Bennett and G. Brassard, “Quantum Cryptography: Public Key Distribution
and Coin Tossing,” Proceedings of the IEEE International Conference on Computers, Systems,
and Signal Processing, Bangalore, India, Dec 1984, pp. 175–179.
124. C.H. Bennett and G. Brassard, “An Update on Quantum Cryptography,” Advances
in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 475–480.
125. C.H. Bennett and G. Brassard, “Quantum Public-Key Distribution System,” IBM
Technical Disclosure Bulletin, v. 28, 1985, pp. 3153–3163.
126. C.H. Bennett and G. Brassard, “Quantum Public Key Distribution Reinvented,”
SIGACT News, v. 18, n. 4, 1987, pp. 51–53.
127. C.H. Bennett and G. Brassard, “The Dawn of a New Era for Quantum
Cryptography: The Experimental Prototype is Working!” SIGACT News, v. 20, n. 4, Fall 1989,
pp. 78–82.
128. C.H. Bennett, G. Brassard, and S. Breidbart, Quantum Cryptography II: How to Re-
Use a One-Time Pad Safely Even if P=NP, unpublished manuscript, Nov 1982.
129. C.H. Bennett, G. Brassard, S. Breidbart, and S. Wiesner, “Quantum Cryptography,
or Unforgeable Subway Tokens,” Advances in Cryptology: Proceedings of Crypto 82, Plenum
Press, 1983, pp. 267–275.
130. C.H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, “Practical
Quantum Oblivious Transfer,” Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-
Verlag, 1992, pp. 351–366.
131. C.H. Bennett, G. Brassard, and A.K. Ekert, “Quantum Cryptography,” Scientific
American, v. 267, n. 4, Oct 1992, pp. 50–57.
132. C.H. Bennett, G. Brassard, and N.D. Mermin, “Quantum Cryptography Without
Bell’s Theorem,” Physical Review Letters, v. 68, n. 5, 3 Feb 1992, pp. 557–559.
133. C.H. Bennett, G. Brassard, and J.-M. Robert, “How to Reduce Your Enemy’s
Information,” Advances in Cryptology—CRYPTO ’85 Proceedings, Springer-Verlag, 1986, pp.
468–476.
134. C.H. Bennett, G. Brassard, and J.-M. Robert, “Privacy Amplification by Public
Discussion,” SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp. 210–229.
135. J. Bennett, “Analysis of the Encryption Algorithm Used in WordPerfect Word


Processing Program,” Cryptologia, v. 11, n. 4, Oct 1987, pp. 206–210.
136. M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness Theorems for Non-
Cryptographic Fault-Tolerant Distributed Computation,” Proceedings of the 20th ACM
Symposium on the Theory of Computing, 1988, pp. 1–10.
137. M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P.
Rogaway, “Everything Provable is Provable in Zero-Knowledge,” Advances in Cryptology—
CRYPTO ’88 Proceedings, Springer-Verlag, 1990, pp. 37–56.
138. M. Ben-Or, O. Goldreich, S. Micali, and R.L. Rivest, “A Fair Protocol for Signing
Contracts,” IEEE Transactions on Information Theory, v. 36, n. 1, Jan 1990, pp. 40–46.
139. H.A. Bergen and W.J. Caelli, “File Security in WordPerfect 5.0,” Cryptologia, v. 15,
n. 1, Jan 1991, pp. 57–66.
140. E.R. Berlekamp, Algebraic Coding Theory, Aegean Park Press, 1984.
’91 Proceedings, Springer-Verlag, 1991, pp. 535–541.
142. S. Berkovits, J. Kowalchuk, and B. Schanning, “Implementing Public-Key Scheme,”
IEEE Communications Magazine, v. 17, n. 3, May 1979, pp. 2–3.
143. D.J. Bernstein, Bernstein vs. U.S. Department of State et al., Civil Action No. C95-
0582-MHP, United States District Court for the Northern District of California, 21 Feb 1995.
144. T. Berson, “Differential Cryptanalysis Mod 2^32 with Applications to MD5,”
Advances in Cryptology—EUROCRYPT ’92 Proceedings, 1992, pp. 71–80.
145. T. Beth, Verfahren der schnellen Fourier-Transformation, Teubner, Stuttgart, 1984.
(In German.)
146. T. Beth, “Efficient Zero-Knowledge Identification Scheme for Smart Cards,”
Advances in Cryptology—EUROCRYPT ’88 Proceedings, Springer-Verlag, 1988, pp. 77–84.
147. T. Beth, B.M. Cook, and D. Gollmann, “Architectures for Exponentiation in
GF(2^n),” Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 302–310.
148. T. Beth and Y. Desmedt, “Identification Tokens—or: Solving the Chess
Grandmaster Problem,” Advances in Cryptology—CRYPTO ’90 Proceedings, Springer-Verlag,
1991, pp. 169–176.
149. T. Beth and C. Ding, “On Almost Nonlinear Permutations,” Advances in
Cryptology—EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 65–76.
150. T. Beth, M. Frisch, and G.J. Simmons, eds., Lecture Notes in Computer Science 578;
Public Key Cryptography: State of the Art and Future Directions, Springer-Verlag, 1992.
151. T. Beth and F.C. Piper, “The Stop-and-Go Generator,” Advances in Cryptology:
Proceedings of EUROCRYPT 84, Springer-Verlag, 1984, pp. 88–92.
152. T. Beth and F. Schaefer, “Non Supersingular Elliptic Curves for Public Key
Cryptosystems,” Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag,
1991, pp. 316–327.
153. A. Beutelspacher, “How to Say ‘No’,” Advances in Cryptology—EUROCRYPT ’89
Proceedings, Springer-Verlag, 1990, pp. 491–496.
154. J. Bidzos, letter to NIST regarding DSS, 20 Sep 1991.
155. J. Bidzos, personal communication, 1993.
156. P. Bieber, “A Logic of Communication in a Hostile Environment,” Proceedings of the
Computer Security Foundations Workshop III, IEEE Computer Society Press, 1990, pp. 14–22.
157. E. Biham, “Cryptanalysis of the Chaotic-Map Cryptosystem Suggested at
EUROCRYPT ’91,” Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag,
1991, pp. 532–534.
158. E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Technical
Report #753, Computer Science Department, Technion—Israel Institute of Technology, Sep
1992.
159. E. Biham, “On the Applicability of Differential Cryptanalysis to Hash Functions,”
lecture at EIES Workshop on Cryptographic Hash Functions, Mar 1992.
160. E. Biham, personal communication, 1993.


161. E. Biham, “Higher Order Differential Cryptanalysis,” unpublished manuscript, Jan
1994.
162. E. Biham, “On Modes of Operation,” Fast Software Encryption, Cambridge Security
Workshop Proceedings, Springer-Verlag, 1994, pp. 116–120.
163. E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Journal of
Cryptology, v. 7, n. 4, 1994, pp. 229–246.
164. E. Biham, “On Matsui’s Linear Cryptanalysis,” Advances in Cryptology—
EUROCRYPT ’94 Proceedings, Springer-Verlag, 1995, pp. 398–412.
165. E. Biham and A. Biryukov, “How to Strengthen DES Using Existing Hardware,”
Advances in Cryptology—ASIACRYPT ’94 Proceedings, Springer-Verlag, 1995, to appear.
166. E. Biham and P.C. Kocher, “A Known Plaintext Attack on the PKZIP Encryption,”
K.U. Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.
167. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,”
Advances in Cryptology—CRYPTO ’90 Proceedings, Springer-Verlag, 1991, pp. 2–21.
168. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,”
Journal of Cryptology, v. 4, n. 1, 1991, pp. 3–72.
169. E. Biham and A. Shamir, “Differential Cryptanalysis of Feal and N-Hash,”
Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag, 1991, pp. 1–16.
170. E. Biham and A. Shamir, “Differential Cryptanalysis of Snefru, Khafre, REDOC-II,
LOKI, and Lucifer,” Advances in Cryptology—CRYPTO ’91 Proceedings, 1992, pp. 156–171.
171. E. Biham and A. Shamir, “Differential Cryptanalysis of the Full 16-Round DES,”
Advances in Cryptology—CRYPTO ’92 Proceedings, Springer-Verlag, 1993, pp. 487–496.
172. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard,
Springer-Verlag, 1993.
173. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung,
“Systematic Design of Two-Party Authentication Protocols,” Advances in Cryptology—CRYPTO
’91 Proceedings, Springer-Verlag, 1992, pp. 44–61.
174. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung,
“Systematic Design of a Family of Attack-Resistant Authentication Protocols,” IEEE Journal of
Selected Areas in Communication, to appear.
175. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, “A
Modular Family of Secure Protocols for Authentication and Key Distribution,” IEEE/ACM
Transactions on Networking, to appear.
176. M. Bishop, “An Application for a Fast Data Encryption Standard Implementation,”
Computing Systems, v. 1, n. 3, 1988, pp. 221–254.
177. M. Bishop, “Privacy-Enhanced Electronic Mail,” Distributed Computing and
Cryptography, J. Feigenbaum and M. Merritt, eds., American Mathematical Society, 1991, pp.
93–106.
178. M. Bishop, “Privacy-Enhanced Electronic Mail,” Internetworking: Research and
Experience, v. 2, n. 4, Dec 1991, pp. 199–233.
179. M. Bishop, “Recent Changes to Privacy Enhanced Electronic Mail,”
Internetworking: Research and Experience, v. 4, n. 1, Mar 1993, pp. 47–59.
180. I.F. Blake, R. Fuji-Hara, R.C. Mullin, and S.A. Vanstone, “Computing Logarithms
in Finite Fields of Characteristic Two,” SIAM Journal on Algebraic Discrete Methods, v. 5, 1984,
pp. 276–285.
181. I.F. Blake, R.C. Mullin, and S.A. Vanstone, “Computing Logarithms in GF(2^n),”
Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 73–82.
182. G.R. Blakley, “Safeguarding Cryptographic Keys,” Proceedings of the National
Computer Conference, 1979, American Federation of Information Processing Societies, v. 48,
1979, pp. 313–317.
183. G.R. Blakley, “One-Time Pads are Key Safeguarding Schemes, Not
Cryptosystems—Fast Key Safeguarding Schemes (Threshold Schemes) Exist,” Proceedings of
the 1980 Symposium on Security and Privacy, IEEE Computer Society, Apr 1980, pp. 108–113.


184. G.R. Blakley and I. Borosh, “Rivest-Shamir-Adleman Public Key Cryptosystems Do
Not Always Conceal Messages,” Computers and Mathematics with Applications, v. 5, n. 3, 1979,
pp. 169–178.
185. G.R. Blakley and C. Meadows, “A Database Encryption Scheme which Allows the
Computation of Statistics Using Encrypted Data,” Proceedings of the 1985 Symposium on
Security and Privacy, IEEE Computer Society, Apr 1985, pp. 116–122.
186. M. Blaze, “A Cryptographic File System for UNIX,” 1st ACM Conference on
Computer and Communications Security, ACM Press, 1993, pp. 9–16.
187. M. Blaze, “Protocol Failure in the Escrowed Encryption Standard,” 2nd ACM
Conference on Computer and Communications Security, ACM Press, 1994, pp. 59–67.
188. M. Blaze, “Key Management in an Encrypting File System,” Proceedings of the
Summer 94 USENIX Conference, USENIX Association, 1994, pp. 27–35.
189. M. Blaze and B. Schneier, “The MacGuffin Block Cipher Algorithm,” K.U. Leuven
Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.
190. U. Blöcher and M. Dichtl, “Fish: A Fast Software Stream Cipher,” Fast Software
Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 41–44.
191. R. Blom, “Non-Public Key Distribution,” Advances in Cryptology: Proceedings of
Crypto 82, Plenum Press, 1983, pp. 231–236.
192. K.J. Blow and S.J.D. Phoenix, “On a Fundamental Theorem of Quantum
Cryptography,” Journal of Modern Optics, v. 40, n. 1, Jan 1993, pp. 33–36.
193. L. Blum, M. Blum, and M. Shub, “A Simple Unpredictable Pseudo-Random
Number Generator,” SIAM Journal on Computing, v. 15, n. 2, 1986, pp. 364–383.
194. M. Blum, “Coin Flipping by Telephone: A Protocol for Solving Impossible
Problems,” Proceedings of the 24th IEEE Computer Conference (CompCon), 1982, pp. 133–137.
195. M. Blum, “How to Exchange (Secret) Keys,” ACM Transactions on Computer
Systems, v. 1, n. 2, May 1983, pp. 175–193.
196. M. Blum, “How to Prove a Theorem So No One Else Can Claim It,” Proceedings of
the International Congress of Mathematicians, Berkeley, CA, 1986, pp. 1444–1451.
197. M. Blum, A. De Santis, S. Micali, and G. Persiano, “Noninteractive Zero-
Knowledge,” SIAM Journal on Computing, v. 20, n. 6, Dec 1991, pp. 1084–1118.
198. M. Blum, P. Feldman, and S. Micali, “Non-Interactive Zero-Knowledge and Its
Applications,” Proceedings of the 20th ACM Symposium on Theory of Computing, 1988, pp. 103–
112.
199. M. Blum and S. Goldwasser, “An Efficient Probabilistic Public-Key Encryption
Scheme Which Hides All Partial Information,” Advances in Cryptology: Proceedings of CRYPTO
84, Springer-Verlag, 1985, pp. 289–299.
200. M. Blum and S. Micali, “How to Generate Cryptographically-Strong Sequences of
Pseudo-Random Bits,” SIAM Journal on Computing, v. 13, n. 4, Nov 1984, pp. 850–864.
201. B. den Boer, “Cryptanalysis of F.E.A.L.,” Advances in Cryptology—EUROCRYPT
’88 Proceedings, Springer-Verlag, 1988, pp. 293–300.
202. B. den Boer and A. Bosselaers, “An Attack on the Last Two Rounds of MD4,”
Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-Verlag, 1992, pp. 194–203.
203. B. den Boer and A. Bosselaers, “Collisions for the Compression Function of MD5,”
Advances in Cryptology—EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 293–304.
204. J.-P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjølsnes, F. Muller, T.
Pedersen, B. Pfitzmann, P. de Rooij, B. Schoenmakers, M. Schunter, L. Vallée, and M. Waidner,
“Digital Payment Systems in the ESPRIT Project CAFE,” Securicom 94, Paris, France, 2–6 Jan
1994, pp. 35–45.
205. J.-P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjølsnes, F. Muller, T.
Pedersen, B. Pfitzmann, P. de Rooij, B. Schoenmakers, M. Schunter, L. Vallée, and M. Waidner,
“The ESPRIT Project CAFE—High Security Digital Payment System,” Computer Security—
ESORICS 94, Springer-Verlag, 1994, pp. 217–230.
206. D.J. Bond, “Practical Primality Testing,” Proceedings of IEE International


Conference on Secure Communications Systems, 22–23 Feb 1984, pp. 50–53.