<<

. 24
( 29)



>>


/* Enc/dec test: */
for(i=0;i<9;i++) a[i]=i;
twy_enc(&gc,a,3);
for(i=0;i<9;i+=3) printf(“Block %01d encrypts to %08lx %08lx %08lx\n”,
i/3,a[i],a[i+1],a[i+2]);

twy_dec(&gc,a,2);
twy_dec(&gc,a+6,1);

for(i=0;i<9;i+=3) printf(“Block %01d decrypts to %08lx %08lx %08lx\n”,
i/3,a[i],a[i+1],a[i+2]);
}

RC5
#include <stdio.h>
#include <stdlib.h>

/* An RC5 context needs to know how many rounds it has, and its subkeys. */







typedef struct {
    u4 *xk;   /* expanded key: 2*nr+2 words, allocated by rc5_init, filled by rc5_key, zeroed and freed by rc5_destroy */
    int nr;   /* number of rounds */
} rc5_ctx;

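/* Where possible, these should be replaced with actual rotate instructions.
   For Turbo C++, this is done with _lrotl and _lrotr.

   Rotate a 32-bit value X left/right by C bit positions.  The rotate count
   is reduced mod 32 and the complementary shift is also reduced, so a
   count of 0 produces X instead of shifting by the full width, which is
   undefined behaviour in C.  Assumes the operand type (u4) is exactly
   32 bits wide; with a wider type the bits above 31 are not discarded. */

#define ROTL32(X,C) (((X)<<((C)&31))|((X)>>((32-((C)&31))&31)))
#define ROTR32(X,C) (((X)>>((C)&31))|((X)<<((32-((C)&31))&31)))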
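/* Function prototypes for dealing with RC5 basic operations. */

/* Set c->nr and allocate c->xk with room for 2*rounds+2 subkey words. */
void rc5_init(rc5_ctx *c, int rounds);
/* Zero the subkey words in c->xk and free the array. */
void rc5_destroy(rc5_ctx *c);
/* Expand the keylen-byte secret key into c->xk; c must be rc5_init'ed first. */
void rc5_key(rc5_ctx *c, u1 *key, int keylen);
/* Encrypt / decrypt `blocks` consecutive two-word (64-bit) blocks in place. */
void rc5_encrypt(rc5_ctx *c, u4 *data, int blocks);
void rc5_decrypt(rc5_ctx *c, u4 *data, int blocks);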

/* Function implementations for RC5. */

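/* Scrub out all sensitive values.
 *
 * Zeroes every one of the 2*nr+2 subkey words through a volatile pointer
 * so the stores cannot be dropped as dead writes to memory that is about
 * to be freed, then releases the array and nulls c->xk so a repeated call
 * (or a later rc5_destroy after a failed rc5_init) does nothing.
 * c->nr is left untouched. */
void rc5_destroy(rc5_ctx *c){
    volatile u4 *vk = c->xk;
    int i;

    if(vk == NULL) return;            /* nothing allocated, or already scrubbed */
    for(i=0;i<(c->nr)*2+2;i++) vk[i]=0;
    free(c->xk);
    c->xk = NULL;
}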

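/* Allocate memory for rc5 context's xk and such.
 *
 * Reserves 2*rounds+2 subkey words (two whitening words plus two per
 * round), sized from sizeof *c->xk rather than a literal 4 so the
 * allocation matches whatever width u4 has, and zero-filled so no
 * uninitialised word is ever read.  A negative round count, or an
 * allocation failure, prints a message and exits the process, which is
 * the same policy rc5_key() uses. */
void rc5_init(rc5_ctx *c, int rounds){
    size_t nwords;

    if(rounds < 0){
        printf("An error occurred!\n");
        exit(-1);
    }
    c->nr = rounds;
    nwords = (size_t)rounds*2 + 2;
    c->xk = calloc(nwords, sizeof *c->xk);
    if(c->xk == NULL){
        printf("An error occurred!\n");
        exit(-1);
    }
}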

/* Encrypt `blocks` consecutive 64-bit blocks (two u4 words each) in place.
 * Each block is whitened with xk[0..1] and then put through c->nr rounds,
 * every round consuming the next two subkeys from xk[2..].  The rotate
 * count of each half-round is the low five bits of the other word. */
void rc5_encrypt(rc5_ctx *c, u4 *data, int blocks){
    const u4 *rk = c->xk + 2;          /* round subkeys, two per round */
    const int nsub = c->nr * 2;        /* round subkeys consumed per block */
    int b, r, shift;

    for(b = 0; b < blocks; b++){
        u4 *blk = data + 2*b;
        u4 lo = blk[0] + c->xk[0];
        u4 hi = blk[1] + c->xk[1];

        for(r = 0; r < nsub; r += 2){
            lo ^= hi;
            shift = hi & 31;
            lo = ROTL32(lo, shift);
            lo += rk[r];

            hi ^= lo;
            shift = lo & 31;
            hi = ROTL32(hi, shift);
            hi += rk[r+1];
        }
        blk[0] = lo;
        blk[1] = hi;
    }
}

/* Decrypt `blocks` consecutive 64-bit blocks in place.  Exact inverse of
 * rc5_encrypt: the rounds are undone from the last subkey pair down to the
 * first, then the whitening words xk[0..1] are subtracted. */
void rc5_decrypt(rc5_ctx *c, u4 *data, int blocks){
    const u4 *rk = c->xk + 2;          /* round subkeys, two per round */
    int b, r, shift;

    for(b = 0; b < blocks; b++){
        u4 *blk = data + 2*b;
        u4 lo = blk[0];
        u4 hi = blk[1];

        for(r = c->nr*2 - 2; r >= 0; r -= 2){
            hi -= rk[r+1];
            shift = lo & 31;
            hi = ROTR32(hi, shift);
            hi ^= lo;

            lo -= rk[r];
            shift = hi & 31;
            lo = ROTR32(lo, shift);
            lo ^= hi;
        }
        blk[0] = lo - c->xk[0];
        blk[1] = hi - c->xk[1];
    }
}

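/* Expand a keylen-byte secret key into c->xk (RC5 key schedule, w = 32).
 *
 * c must already have been set up by rc5_init() so that c->xk holds
 * 2*c->nr+2 words.  The key bytes are packed little-endian into pk_len
 * 32-bit words; pk_len is at least 1 so that a zero-length key does not
 * divide by zero in the mixing loop below (RC5 defines c = max(1,
 * ceil(b/u))).  xk is seeded with P32/Q32 and the two arrays are mixed
 * for 3*max(pk_len, xk_len) steps.  The padded key copy is scrubbed
 * through a volatile pointer before it is freed.  Prints a message and
 * exits the process if the temporary buffer cannot be allocated.
 * Assumes u4 is an unsigned 32-bit type. */
void rc5_key(rc5_ctx *c, u1 *key, int keylen){
    u4 *pk, A, B;                      /* padded key, mixing registers */
    volatile u4 *vpk;
    int xk_len, pk_len, i, num_steps, rc;

    xk_len = c->nr*2 + 2;
    pk_len = (keylen + 3) / 4;         /* ceil(keylen / 4) */
    if(pk_len < 1) pk_len = 1;

    pk = calloc((size_t)pk_len, sizeof *pk);
    if(pk==NULL) {
        printf("An error occurred!\n");
        exit(-1);
    }

    /* Pack byte i into bits 8*(i%4) of word i/4 with explicit shifts, so
     * the result is the same on any host byte order (the old byte copy
     * only matched the RC5 definition on little-endian machines). */
    for(i=0;i<keylen;i++) pk[i/4] |= (u4)key[i] << (8*(i%4));

    /* Initialize xk. */
    c->xk[0] = 0xb7e15163; /* P32 */
    for(i=1;i<xk_len;i++) c->xk[i] = c->xk[i-1] + 0x9e3779b9; /* Q32 */

    /* Expand key into xk. */
    num_steps = 3 * (pk_len > xk_len ? pk_len : xk_len);

    A = B = 0;
    for(i=0;i<num_steps;i++){
        A = c->xk[i%xk_len] = ROTL32(c->xk[i%xk_len] + A + B,3);
        rc = (A+B) & 31;
        B = pk[i%pk_len] = ROTL32(pk[i%pk_len] + A + B,rc);
    }

    /* Clobber sensitive data before deallocating memory.  The volatile
     * access keeps the compiler from discarding stores to memory that is
     * freed immediately afterwards. */
    vpk = pk;
    for(i=0;i<pk_len;i++) vpk[i] = 0;
    free(pk);
}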

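/* Self-test driver: key RC5 (10 rounds) with the five bytes "ABCDE",
 * encrypt four 64-bit blocks of counter data, decrypt them in two calls
 * to check the block-at-a-time interface, and print both.  The output is
 * checked by eye; no expected values are pinned here.  The subkeys are
 * scrubbed with rc5_destroy() before returning.  Returns 0. */
int main(void){
    rc5_ctx c;
    u4 data[8];
    u1 key[] = "ABCDE";                /* 5 key bytes; the trailing NUL is not used */
    int i;

    printf("-------------------------------------------------\n");

    for(i=0;i<8;i++) data[i] = i;
    rc5_init(&c,10); /* 10 rounds */
    rc5_key(&c,key,5);

    rc5_encrypt(&c,data,4);
    printf("Encryptions:\n");
    for(i=0;i<8;i+=2) printf("Block %01d = %08lx %08lx\n",
        i/2,(unsigned long)data[i],(unsigned long)data[i+1]);

    rc5_decrypt(&c,data,2);
    rc5_decrypt(&c,data+4,2);
    printf("Decryptions:\n");
    for(i=0;i<8;i+=2) printf("Block %01d = %08lx %08lx\n",
        i/2,(unsigned long)data[i],(unsigned long)data[i+1]);

    rc5_destroy(&c);                   /* zero and free the expanded key */
    return 0;
}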

A5
typedef struct {
    unsigned long r1,r2,r3; /* the three shift registers; clock_r1..3 mask them to 19, 22 and 23 bits, a5_key loads them */
} a5_ctx;

/* Majority clock control.  Counts the registers whose clock bit is set
 * (bit 9 of r1, bit 11 of r2 and of r3) and returns 0 when two or more
 * are, 1 otherwise.  clock_r1..3 XOR this value with the register's own
 * clock bit, so a register steps exactly when it sides with the majority. */
static int threshold(unsigned int r1, unsigned int r2, unsigned int r3)
{
    int votes = 0;

    if ((r1 >> 9) & 0x1)
        votes++;
    if ((r2 >> 11) & 0x1)
        votes++;
    if ((r3 >> 11) & 0x1)
        votes++;

    return votes > 1 ? 0 : 1;
}

/* Step the 19-bit register r1 once if it is selected this tick.
 * ctl is the majority vote from threshold(); XORed with r1's own clock
 * bit (bit 9) it is non-zero exactly when this register should move.
 * Feedback is the XOR of bits 18, 17, 16 and 13 and enters at bit 0. */
unsigned long clock_r1(int ctl, unsigned long r1)
{
    unsigned long fb;

    if ((ctl ^ ((r1 >> 9) & 0x1)) == 0)
        return (r1);                    /* not selected: state unchanged */

    fb = ((r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13)) & 0x01;
    r1 = ((r1 << 1) & 0x7ffff) ^ fb;
    return (r1);
}

/* Step the 22-bit register r2 once if it is selected this tick.
 * ctl is the majority vote from threshold(); XORed with r2's own clock
 * bit (bit 11) it is non-zero exactly when this register should move.
 * Feedback is the XOR of bits 21, 20, 16 and 12 and enters at bit 0. */
unsigned long clock_r2(int ctl, unsigned long r2)
{
    unsigned long fb;

    if ((ctl ^ ((r2 >> 11) & 0x1)) == 0)
        return (r2);                    /* not selected: state unchanged */

    fb = ((r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12)) & 0x01;
    r2 = ((r2 << 1) & 0x3fffff) ^ fb;
    return (r2);
}

/* Step the 23-bit register r3 once if it is selected this tick.
 * ctl is the majority vote from threshold(); XORed with r3's own clock
 * bit (bit 11) it is non-zero exactly when this register should move.
 * Feedback is the XOR of bits 22, 21, 18 and 17 and enters at bit 0. */
unsigned long clock_r3(int ctl, unsigned long r3)
{
    unsigned long fb;

    if ((ctl ^ ((r3 >> 11) & 0x1)) == 0)
        return (r3);                    /* not selected: state unchanged */

    fb = ((r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17)) & 0x01;
    r3 = ((r3 << 1) & 0x7fffff) ^ fb;
    return (r3);
}
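/* Advance all three registers one tick under majority clocking. */
static void ks_tick(unsigned long *r1, unsigned long *r2, unsigned long *r3)
{
    int clock_ctl = threshold(*r1, *r2, *r3);

    *r1 = clock_r1(clock_ctl, *r1);
    *r2 = clock_r2(clock_ctl, *r2);
    *r3 = clock_r3(clock_ctl, *r3);
}

/* Clock the generator 114 times and pack the output bits MSB-first into
 * out[0..14]: fourteen full bytes, then a final byte holding the last two
 * bits in its low end (not shifted up).  The output bit is the XOR of the
 * top bit of each register (bits 18, 21 and 22). */
static void ks_emit_114(unsigned long *r1, unsigned long *r2, unsigned long *r3,
                        unsigned char *out)
{
    unsigned char byte = 0;            /* byte of keystream being assembled */
    unsigned int nbits = 0;            /* bits collected in byte so far */
    int i;

    for (i = 0; i < 114; i++)
    {
        unsigned int bit;

        ks_tick(r1, r2, r3);
        bit = ((*r1 >> 18) ^ (*r2 >> 21) ^ (*r3 >> 22)) & 0x01;
        byte = (unsigned char)((byte << 1) | bit);
        if (++nbits == 8)
        {
            *out++ = byte;
            nbits = 0;
            byte = 0;
        }
    }
    if (nbits)
        *out = byte;
}

/* Generate one frame of A5 keystream.
 *
 * key    64 bit session key (8 bytes are read)
 * frame  22 bit frame sequence number
 * alice  receives 114 bits of Alice->Bob key stream (15 bytes written)
 * bob    receives 114 bits of Bob->Alice key stream (15 bytes written)
 *
 * Loads the 19/22/23-bit registers from the key, folds the frame number
 * in one bit per tick, runs 100 ticks to diffuse it, emits the first 114
 * bits, runs another 100 ticks, and emits the second 114 bits.
 * Always returns 0.
 *
 * Every tick uses threshold(r1, r2, r3).  The earlier revision of this
 * listing passed r2 twice in place of r3 at each clocking site, which
 * left the third register out of the majority vote and diverged from
 * a5_step(); that is corrected here. */
int keystream(unsigned char *key, unsigned long frame,
              unsigned char *alice, unsigned char *bob)
{
    unsigned long r1; /* 19 bit shift register */
    unsigned long r2; /* 22 bit shift register */
    unsigned long r3; /* 23 bit shift register */
    int i;            /* counter for loops */

    /* Initialise shift registers from session key */
    r1 = (key[0] | (key[1] << 8) | (key[2] << 16) ) & 0x7ffff;
    r2 = ((key[2] >> 3) | (key[3] << 5) | (key[4] << 13) | (key[5] << 21)) &
        0x3fffff;
    r3 = ((key[5] >> 1) | (key[6] << 7) | (key[7] << 15) ) & 0x7fffff;

    /* Merge frame sequence number into shift register state, by xor'ing it
     * into the feedback path
     */
    for (i = 0; i < 22; i++)
    {
        ks_tick(&r1, &r2, &r3);
        if (frame & 1)
        {
            r1 ^= 1;
            r2 ^= 1;
            r3 ^= 1;
        }
        frame = frame >> 1;
    }

    /* Run shift registers for 100 clock ticks to allow frame number to
     * be diffused into all the bits of the shift registers
     */
    for (i = 0; i < 100; i++)
        ks_tick(&r1, &r2, &r3);

    /* Produce 114 bits of Alice->Bob key stream */
    ks_emit_114(&r1, &r2, &r3, alice);

    /* Run shift registers for another 100 bits to hide relationship between
     * Alice->Bob key stream and Bob->Alice key stream.
     */
    for (i = 0; i < 100; i++)
        ks_tick(&r1, &r2, &r3);

    /* Produce 114 bits of Bob->Alice key stream */
    ks_emit_114(&r1, &r2, &r3, bob);

    return (0);
}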
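/* Load the three registers from the 8-byte key k.
 *
 * Each byte is read through unsigned char before it is shifted.  With a
 * plain char (signed on most compilers) a key byte of 0x80 or more would
 * be a negative int: shifting it left is undefined behaviour and k[2]>>5
 * or k[5]>>7 would sign-extend, putting garbage into the registers.
 * For key bytes below 0x80 the result is identical to the old code.
 * The intended widths are 19, 22 and 23 bits; the values are not masked
 * here, clock_r2/clock_r3 mask on the first step. */
void a5_key(a5_ctx *c, char *k){
    const unsigned char *kb = (const unsigned char *)k;

    c->r1 = (unsigned long)kb[0]<<11 | (unsigned long)kb[1]<<3 | kb[2]>>5;                              /* 19 */
    c->r2 = (unsigned long)kb[2]<<17 | (unsigned long)kb[3]<<9 | (unsigned long)kb[4]<<1 | kb[5]>>7;   /* 22 */
    c->r3 = (unsigned long)kb[5]<<15 | (unsigned long)kb[6]<<8 | kb[7];                                 /* 23 */
}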

/* Step one bit in A5, return 0 or 1 as output bit.
 * One majority-clocked tick of all three registers; the output is the
 * XOR of the three registers' low bits after the tick. */
int a5_step(a5_ctx *c){
    int ctl = threshold(c->r1, c->r2, c->r3);
    unsigned long mixed;

    c->r1 = clock_r1(ctl, c->r1);
    c->r2 = clock_r2(ctl, c->r2);
    c->r3 = clock_r3(ctl, c->r3);

    mixed = c->r1 ^ c->r2 ^ c->r3;
    return (int)(mixed & 1);
}

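/* Encrypts a buffer of len bytes in place: each byte is XORed with the
 * next eight generator bits, the first bit landing in the most
 * significant position.
 *
 * The accumulator starts at zero for every byte (the old code read an
 * uninitialised `char t`, which is a read of an indeterminate value even
 * though the stale bits were shifted out) and is unsigned so the shifts
 * never act on a negative value.  The bytes produced are unchanged. */
void a5_encrypt(a5_ctx *c, char *data, int len){
    int i,j;
    unsigned char t;

    for(i=0;i<len;i++){
        t = 0;
        for(j=0;j<8;j++) t = (unsigned char)(t<<1 | a5_step(c));
        data[i]^=t;
    }
}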

/* Stream cipher: decrypting is the same XOR as encrypting. */
void a5_decrypt(a5_ctx *c, char *data, int len){
    a5_ctx *gen = c;
    a5_encrypt(gen, data, len);
}

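/* Self-test driver: encrypt 100 bytes of counter data, re-key, decrypt
 * in two calls (1 byte, then 99) to check that generator state carries
 * across calls, and report whether the plaintext came back.
 * Exit status is 0 on success and 1 when the round trip fails. */
int main(void){
    a5_ctx c;
    char data[100];
    char key[] = {1,2,3,4,5,6,7,8};
    int i,flag;

    for(i=0;i<100;i++) data[i] = (char)i;

    a5_key(&c,key);
    a5_encrypt(&c,data,100);

    a5_key(&c,key);
    a5_decrypt(&c,data,1);
    a5_decrypt(&c,data+1,99);

    flag = 0;
    for(i=0;i<100;i++) if(data[i]!=i)flag = 1;
    if(flag)printf("Decrypt failed\n"); else printf("Decrypt succeeded\n");
    return flag;
}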








SEAL
#undef SEAL_DEBUG                 /* left undefined; nothing in the code shown here tests it */

#define ALG_OK 0                  /* status returned by g(), seal_init() and seal() */
#define ALG_NOTOK 1               /* not returned by any function in this listing */
#define WORDS_PER_SEAL_CALL 1024  /* 32-bit words produced by one seal() call (4 passes x 64 x 4); also the size of ks_buf */

typedef struct {
    unsigned long t[520]; /* 512 rounded up to a multiple of 5 + 5; seal_init fills t[0..511] via g() in runs of five */
    unsigned long s[265]; /* 256 rounded up to a multiple of 5 + 5; seal_init fills s[0..255] */
    unsigned long r[20]; /* 16 rounded up to multiple of 5; seal_init fills r[0..15] */
    unsigned long counter; /* 32-bit synch value: the `in` argument of the next seal() refill, incremented per refill */
    unsigned long ks_buf[WORDS_PER_SEAL_CALL]; /* keystream words for the current counter */
    int ks_pos; /* index of the next unused word in ks_buf; WORDS_PER_SEAL_CALL means "refill before use" */
} seal_ctx;

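/* 32-bit right rotates.  These assume unsigned long is exactly 32 bits
 * wide; with a 64-bit unsigned long the bits shifted past position 31
 * are kept and the values diverge from the 32-bit definition. */
#define ROT2(x) (((x) >> 2) | ((x) << 30))
#define ROT9(x) (((x) >> 9) | ((x) << 23))
#define ROT8(x) (((x) >> 8) | ((x) << 24))
#define ROT16(x) (((x) >> 16) | ((x) << 16))
#define ROT24(x) (((x) >> 24) | ((x) << 8))
#define ROT27(x) (((x) >> 27) | ((x) << 5))

/* Big-endian load of four bytes from cp.  Each byte is widened to
 * unsigned long before the shift: as a bare unsigned char it would be
 * promoted to int, and a byte of 0x80 or more shifted left by 24
 * overflows a signed int (undefined behaviour).  cp is parenthesised so
 * a pointer expression can be passed. */
#define WORD(cp) (((unsigned long)(cp)[0] << 24)|((unsigned long)(cp)[1] << 16)|((unsigned long)(cp)[2] << 8)|((unsigned long)(cp)[3]))

/* Round functions used by g(): select, parity, majority, parity. */
#define F1(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
#define F2(x, y, z) ((x)^(y)^(z))
#define F3(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define F4(x, y, z) ((x)^(y)^(z))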

/* Compression step used to build the SEAL tables.
 * Loads five 32-bit chaining words big-endian from the 20 bytes at `in`,
 * builds an 80-word schedule with w[0] = i, w[1..15] = 0 and the plain
 * XOR recurrence (no rotate) for w[16..79], runs 80 rounds with the F1..F4
 * functions and the four round constants, and stores chaining + state
 * into h[0..4].  Always returns ALG_OK. */
int g(unsigned char *in, int i, unsigned long *h)
{
    unsigned long hv[5];
    unsigned long w[80];
    unsigned long a, b, c, d, e;
    int t;

    for (t = 0; t < 5; t++)
    {
        unsigned char *kp = in + 4*t;
        hv[t] = WORD(kp);
    }

    w[0] = (unsigned long)i;
    for (t = 1; t < 16; t++)
        w[t] = 0;
    for (t = 16; t < 80; t++)
        w[t] = w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16];

    a = hv[0];
    b = hv[1];
    c = hv[2];
    d = hv[3];
    e = hv[4];

    for (t = 0; t < 80; t++)
    {
        unsigned long f, k, tmp;

        if (t < 20)      { f = F1(b, c, d); k = 0x5a827999; }
        else if (t < 40) { f = F2(b, c, d); k = 0x6ed9eba1; }
        else if (t < 60) { f = F3(b, c, d); k = 0x8f1bbcdc; }
        else             { f = F4(b, c, d); k = 0xca62c1d6; }

        tmp = ROT27(a) + f + e + w[t] + k;
        e = d;
        d = c;
        c = ROT2(b);
        b = a;
        a = tmp;
    }

    h[0] = hv[0] + a;
    h[1] = hv[1] + b;
    h[2] = hv[2] + c;
    h[3] = hv[3] + d;
    h[4] = hv[4] + e;

    return (ALG_OK);
}

/* Table word i for key a: word i%5 of the block g() produces for index i/5. */
unsigned long gamma(unsigned char *a, int i)
{
    unsigned long words[5];

    g(a, i / 5, words);
    return words[i % 5];
}

/* Expand the 20-byte key into the T, S and R tables.
 * Table word n is gamma(key, n + base) with base 0 for T, 0x1000 for S
 * and 0x2000 for R.  g() delivers five words per call, so each table is
 * filled in runs of five with the ragged ends copied out of a scratch
 * block; S and R need a special first run because 0x1000 and 0x2000 are
 * 1 and 2 mod 5 respectively.  Always returns ALG_OK. */
int seal_init(seal_ctx *result, unsigned char *key)
{
    unsigned long tail[5];
    int n;

    /* T: 512 words from index 0, which is a multiple of 5. */
    for (n = 0; n < 510; n += 5)
        g(key, n / 5, &result->t[n]);
    g(key, 510 / 5, tail);
    for (n = 510; n < 512; n++)
        result->t[n] = tail[n - 510];

    /* S: 256 words from 0x1000, which is 1 mod 5. */
    g(key, (0x1000 - 1) / 5, tail);
    for (n = 0; n < 4; n++)
        result->s[n] = tail[n + 1];
    for (n = 4; n < 254; n += 5)
        g(key, (n + 0x1000) / 5, &result->s[n]);
    g(key, (254 + 0x1000) / 5, tail);
    for (n = 254; n < 256; n++)
        result->s[n] = tail[n - 254];

    /* R: 16 words from 0x2000, which is 2 mod 5. */
    g(key, (0x2000 - 2) / 5, tail);
    for (n = 0; n < 3; n++)
        result->r[n] = tail[n + 2];
    for (n = 3; n < 13; n += 5)
        g(key, (n + 0x2000) / 5, &result->r[n]);
    g(key, (13 + 0x2000) / 5, tail);
    for (n = 13; n < 16; n++)
        result->r[n] = tail[n - 13];

    return (ALG_OK);
}

/* Produce one keystream block for the 32-bit position `in`:
 * WORDS_PER_SEAL_CALL words written to out[0..1023].
 * Four outer passes each derive (a,b,c,d) from `in` and four words of R,
 * run three T-driven mixing rounds (snapshotting n1..n4 before the third),
 * and then emit 64 groups of four words, masking with S and re-injecting
 * the snapshot into a and c on alternate iterations.  Always returns
 * ALG_OK.  The arithmetic assumes unsigned long is 32 bits wide. */
int seal(seal_ctx *key, unsigned long in, unsigned long *out)
{
    unsigned long a, b, c, d;
    unsigned long n1, n2, n3, n4;
    unsigned short p, q;
    int outer, inner, pos = 0;

    for (outer = 0; outer < 4; outer++)
    {
        a = in        ^ key->r[4*outer];
        b = ROT8(in)  ^ key->r[4*outer+1];
        c = ROT16(in) ^ key->r[4*outer+2];
        d = ROT24(in) ^ key->r[4*outer+3];

        /* Three mixing rounds; n1..n4 capture the state before the last. */
        for (inner = 0; inner < 3; inner++)
        {
            if (inner == 2)
            {
                n1 = d;
                n2 = b;
                n3 = a;
                n4 = c;
            }
            p = a & 0x7fc;  b += key->t[p/4];  a = ROT9(a);
            p = b & 0x7fc;  c += key->t[p/4];  b = ROT9(b);
            p = c & 0x7fc;  d += key->t[p/4];  c = ROT9(c);
            p = d & 0x7fc;  a += key->t[p/4];  d = ROT9(d);
        }

        /* 64 iterations of four words each: 256 words per outer pass. */
        for (inner = 0; inner < 64; inner++)
        {
            p = a & 0x7fc;       b += key->t[p/4];  a = ROT9(a);  b ^= a;
            q = b & 0x7fc;       c ^= key->t[q/4];  b = ROT9(b);  c += b;
            p = (p+c) & 0x7fc;   d += key->t[p/4];  c = ROT9(c);  d ^= c;
            q = (q+d) & 0x7fc;   a ^= key->t[q/4];  d = ROT9(d);  a += d;
            p = (p+a) & 0x7fc;   b ^= key->t[p/4];  a = ROT9(a);
            q = (q+b) & 0x7fc;   c += key->t[q/4];  b = ROT9(b);
            p = (p+c) & 0x7fc;   d ^= key->t[p/4];  c = ROT9(c);
            q = (q+d) & 0x7fc;   a += key->t[q/4];  d = ROT9(d);

            out[pos++] = b + key->s[4*inner];
            out[pos++] = c ^ key->s[4*inner+1];
            out[pos++] = d + key->s[4*inner+2];
            out[pos++] = a ^ key->s[4*inner+3];

            if (inner & 1)
            {
                a += n3;
                c += n4;
            }
            else
            {
                a += n1;
                c += n2;
            }
        }
    }
    return (ALG_OK);
}

/* Refill ks_buf with the keystream block for the current counter, then
 * advance the counter and rewind ks_pos so the next word used is word 0. */
void seal_refill_buffer(seal_ctx *c){
    unsigned long block_index = c->counter;

    seal(c, block_index, c->ks_buf);
    c->counter = block_index + 1;
    c->ks_pos = 0;
}

/* Key the context: build the T/S/R tables from the 20 key bytes that g()
 * reads, start the counter at zero and mark the keystream buffer as spent
 * so the first seal_encrypt call fills it. */
void seal_key(seal_ctx *c, unsigned char *key){
    (void)seal_init(c, key);           /* seal_init only ever reports ALG_OK */
    c->ks_pos = WORDS_PER_SEAL_CALL;   /* refill keystream buffer on next call */
    c->counter = 0;                    /* by default, init to zero */
}

/* This encrypts the next w words with SEAL: data_ptr[0..w-1] are XORed in
 * place with the next w keystream words, pulling a fresh block (and
 * advancing the counter) each time ks_buf runs dry. */
void seal_encrypt(seal_ctx *c, unsigned long *data_ptr, int w){
    int n;

    for(n = 0; n < w; n++){
        if(c->ks_pos >= WORDS_PER_SEAL_CALL)
            seal_refill_buffer(c);
        data_ptr[n] ^= c->ks_buf[c->ks_pos++];
    }
}

/* Stream cipher: decrypting is the same XOR as encrypting. */
void seal_decrypt(seal_ctx *c, unsigned long *data_ptr, int w) {
    seal_ctx *ctx = c;
    seal_encrypt(ctx, data_ptr, w);
}

/* Jump the keystream to the block numbered synch_word: the next
 * seal_encrypt call refills ks_buf from that counter value.
 * seal() is a pure function of (key tables, counter), so a synch_word
 * that was already used under the same key reproduces that earlier
 * keystream block; counter values must stay unique per key. */
void seal_resynch(seal_ctx *c, unsigned long synch_word){
    c->ks_pos = WORDS_PER_SEAL_CALL;   /* force a refill on next use */
    c->counter = synch_word;
}

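/* Self-test driver: key SEAL, encrypt 1000 zero words and print their
 * XOR for eyeballing (no expected value is pinned here), then re-key and
 * decrypt in two calls (1 word, then 999) to check that keystream state
 * carries across calls and the buffer comes back all zero.
 * Exit status is 0 on success and 1 when the round trip fails. */
int main(void){
    seal_ctx sc;
    unsigned long buf[1000], t;
    int i, flag;
    unsigned char key[] =
        {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19};

    printf("1\n");
    seal_key(&sc,key);

    printf("2\n");
    for(i=0;i<1000;i++) buf[i]=0;
    printf("3\n");
    seal_encrypt(&sc,buf,1000);
    printf("4\n");
    t = 0;
    for(i=0;i<1000;i++) t = t ^ buf[i];
    printf("XOR of buf is %08lx.\n",t);

    seal_key(&sc,key);
    seal_decrypt(&sc,buf,1);
    seal_decrypt(&sc,buf+1,999);
    flag = 0;
    for(i=0;i<1000;i++) if(buf[i]!=0)flag=1;
    if(flag) printf("Decrypt failed.\n");
    else printf("Decrypt succeeded.\n");
    return flag;
}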


References
1. ABA Bank Card Standard, “Management and Use of Personal Information Numbers,”
Aids from ABA, Catalog no. 207213, American Bankers Association, 1979.
2. ABA Document 4.3, “Key Management Standard,” American Bankers Association,
1980.
3. M. Abadi, J. Feigenbaum, and J. Kilian, “On Hiding Information from an Oracle,”
Proceedings of the 19th ACM Symposium on the Theory of Computing, 1987, pp. 195–203.
4. M. Abadi, J. Feigenbaum, and J. Kilian, “On Hiding Information from an Oracle,”
Journal of Computer and System Sciences, v. 39, n. 1, Aug 1989, pp. 21–50.
5. M. Abadi and R. Needham, “Prudent Engineering Practice for Cryptographic
Protocols,” Research Report 125, Digital Equipment Corp Systems Research Center, Jun 1994.
6. C.M. Adams, “On Immunity Against Biham and Shamir's ‘Differential
Cryptanalysis,’” Information Processing Letters, v. 41, 14 Feb 1992, pp. 77–80.
7. C.M. Adams, “Simple and Effective Key Scheduling for Symmetric Ciphers,”
Workshop on Selected Areas in Cryptography—Workshop Record, Kingston, Ontario, 5–6 May
1994, pp. 129–133.
8. C.M. Adams and H. Meijer, “Security-Related Comments Regarding McEliece's
Public-Key Cryptosystem,” Advances in Cryptology—CRYPTO '87 Proceedings, Springer-
Verlag, 1988, pp. 224–230.
9. C.M. Adams and S.E. Tavares, “The Structured Design of Cryptographically Good S-
Boxes,” Journal of Cryptology, v. 3, n. 1, 1990, pp. 27–41.
10. C.M. Adams and S.E. Tavares, “Designing S-Boxes for Ciphers Resistant to
Differential Cryptanalysis,” Proceedings of the 3rd Symposium on State and Progress of Research
in Cryptography, Rome, Italy, 15–16 Feb 1993, pp. 181–190.
11. W. Adams and D. Shanks, “Strong Primality Tests That Are Not Sufficient,”
Mathematics of Computation, v. 39, 1982, pp. 255–300.
12. W.W. Adams and L.J. Goldstein, Introduction to Number Theory, Englewood Cliffs,
N.J.: Prentice-Hall, 1976.
13. B.S. Adiga and P. Shankar, “Modified Lu-Lee Cryptosystem,” Electronics Letters, v.
21, n. 18, 29 Aug 1985, pp. 794–795.
14. L.M. Adleman, “A Subexponential Algorithm for the Discrete Logarithm Problem
with Applications to Cryptography,” Proceedings of the IEEE 20th Annual Symposium of
Foundations of Computer Science, 1979, pp. 55–60.
15. L.M. Adleman, “On Breaking Generalized Knapsack Public Key Cryptosystems,”
Proceedings of the 15th ACM Symposium on Theory of Computing, 1983, pp. 402–412.







16. L.M. Adleman, “Factoring Numbers Using Singular Integers,” Proceedings of the 23rd
Annual ACM Symposium on the Theory of Computing, 1991, pp. 64–71.
17. L.M. Adleman, “Molecular Computation of Solutions to Combinatorial Problems,”
Science, v. 266, n. 11, Nov 1994, p. 1021.
18. L.M. Adleman, D. Estes, and K. McCurley, “Solving Bivariate Quadratic
Congruences in Random Polynomial Time,” Mathematics of Computation, v. 48, n. 177, Jan
1987, pp. 17“28.
19. L.M. Adleman, C. Pomerance, and R.S. Rumely, “On Distinguishing Prime Numbers
from Composite Numbers,” Annals of Mathematics, v. 117, n. 1, 1983, pp. 173–206.
20. L.M. Adleman and R.L. Rivest, “How to Break the Lu“Lee (COMSAT) Public“Key
Cryptosystem,” MIT Laboratory for Computer Science, Jul 1979.
21. G.B. Agnew, “Random Sources for Cryptographic Systems,” Advances in
Cryptology”EUROCRYPT ™87 Proceedings, Springer“Verlag, 1988, pp. 77“81.
22. G.B. Agnew, R.C. Mullin, I.M. Onyszchuk, and S.A. Vanstone, “An Implementation
for a Fast Public“Key Cryptosystem,” Journal of Cryptology, v. 3, n. 2, 1991, pp. 63“79.
23. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, “A Fast Elliptic Curve Cryptosystem,”
Advances in Cryptology”EUROCRYPT ™89 Proceedings, Springer“Verlag, 1990, pp. 706“708.
24. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, “Improved Digital Signature Scheme
Based on Discrete Exponentiation,” Electronics Letters, v. 26, n. 14, 5 Jul 1990, pp. 1024“1025.
25. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, “On the Development of a Fast Elliptic
Curve Cryptosystem,” Advances in Cryptology”EUROCRYPT ™92 Proceedings, Springer“
Verlag, 1993, pp. 482“ 287.
26. G.B. Agnew, R.C. Mullin, and S.A. Vanstone, “An Implementation of Elliptic Curve
Cryptosystems over F2155,” IEEE Selected Areas of Communications, v. 11, n. 5, Jun 1993, pp.
804“813.
27. A. Aho, J. Hopcroft, and J. Ullman, The Design and Analysis of Computer Algorithms,
Addison“Wesley, 1974.
28. S.G. Akl, “Digital Signatures: A Tutorial Survey,” Computer, v. 16, n. 2, Feb 1983, pp.
15“24.
29. S.G. Akl, “On the Security of Compressed Encodings,” Advances in Cryptology:
Proceedings of Crypto 83, Plenum Press, 1984, pp. 209“230.
30. S.G. Akl and H. Meijer, “A Fast Pseudo“Random Permutation Generator with
Applications to Cryptology,” Advances in Cryptology: Proceedings of CRYPTO 84, Springer“
Verlag, 1985, pp. 269“275.
31. M. Alabbadi and S.B. Wicker, “Security of Xinmei Digital Signature Scheme,”
Electronics Letters, v. 28, n. 9, 23 Apr 1992, pp. 890“891.
32. M. Alabbadi and S.B. Wicker, “Digital Signature Schemes Based on Error“
Correcting Codes,” Proceedings of the 1993 IEEE“ISIT, IEEE Press, 1993, p. 199.
33. M. Alabbadi and S.B. Wicker, “Cryptanalysis of the Harn and Wang Modification of
the Xinmei Digital Signature Scheme,” Electronics Letters, v. 28, n. 18, 27 Aug 1992, pp. 1756“
1758.
34. K. Alagappan and J. Tardo, “SPX Guide: Prototype Public Key Authentication
Service,” Digital Equipment Corp., May 1991.
35. W. Alexi, B.“Z. Chor, O. Goldreich, and C.P. Schnorr, “RSA and Rabin Functions:
Certain Parts Are as Hard as the Whole,” Proceedings of the 25th IEEE Symposium on the
Foundations of Computer Science, 1984, pp. 449“457.
36. W. Alexi, B.“Z. Chor, O. Goldreich, and C.P. Schnorr, “RSA and Rabin Functions:
Certain Parts are as Hard as the Whole,” SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp.
194“209.
37. Ameritech Mobile Communications et al., “Cellular Digital Packet Data System
Specifications: Part 406: Airlink Security,” CDPD Industry Input Coordinator, Costa Mesa,
Calif., Jul 1993.
38. H.R. Amirazizi, E.D. Karnin, and J.M. Reyneri, “Compact Knapsacks are Polynomial






Solvable,” ACM SIGACT News, v. 15, 1983, pp. 20“22.
39. R.J. Anderson, “Solving a Class of Stream Ciphers,” Cryptologia, v. 14, n. 3, Jul 1990,
pp. 285“288.
40. R.J. Anderson, “A Second Generation Electronic Wallet,” ESORICS 92, Proceedings
of the Second European Symposium on Research in Computer Security, Springer“Verlag, 1992,
pp. 411“418.
41. R.J. Anderson, “Faster Attack on Certain Stream Ciphers,” Electronics Letters, v. 29,
n. 15, 22 Jul 1993, pp. 1322“1323.
42. R.J. Anderson, “Derived Sequence Attacks on Stream Ciphers,” presented at the
rump session of CRYPTO ™93, Aug 1993.
43. R.J. Anderson, “Why Cryptosystems Fail,” 1st ACM Conference on Computer and
Communications Security, ACM Press, 1993, pp. 215“227.
44. R.J. Anderson, “Why Cryptosystems Fail,” Communications of the ACM, v. 37, n. 11,
Nov 1994, pp. 32“40.
45. R.J. Anderson, “On Fibonacci Keystream Generators,” K.U. Leuven Workshop on
Cryptographic Algorithms, Springer“Verlag, 1995, to appear.
46. R.J. Anderson, “Searching for the Optimum Correlation Attack,” K.U. Leuven
Workshop on Cryptographic Algorithms, Springer“Verlag, 1995, to appear.
47. R.J. Anderson and T.M.A. Lomas, “Fortifying Key Negotiation Schemes with Poorly
Chosen Passwords,” Electronics Letters, v. 30, n. 13, 23 Jun 1994, pp. 1040“1041.
48. R.J. Anderson and R. Needham, “Robustness Principles for Public Key Protocols,”
Advances in Cryptology”CRYPTO ™95 Proceedings, Springer“Verlag, 1995, to appear.
49. D. Andleman and J. Reeds, “On the Cryptanalysis of Rotor Machines and
Substitution“Permutation Networks,” IEEE Transactions on Information Theory, v. IT“28, n. 4,
Jul 1982, pp. 578“584.
50. ANSI X3.92, “American National Standard for Data Encryption Algorithm (DEA),”
American National Standards Institute, 1981.
51. ANSI X3.105, “American National Standard for Information Systems”Data Link
Encryption,” American National Standards Institute, 1983.
52. ANSI X3.106, “American National Standard for Information Systems”Data
Encryption Algorithm”Modes of Operation,” American National Standards Institute, 1983.
53. ANSI X9.8, “American National Standard for Personal Information Number (PIN)
Management and Security,” American Bankers Association, 1982.
54. ANSI X9.9 (Revised), “American National Standard for Financial Institution Message
Authentication (Wholesale),” American Bankers Association, 1986.
55. ANSI X9.17 (Revised), “American National Standard for Financial Institution Key
Management (Wholesale),” American Bankers Association, 1985.
56. ANSI X9.19, “American National Standard for Retail Message Authentication,”
American Bankers Association, 1985.
57. ANSI X9.23, “American National Standard for Financial Institution Message
Encryption,” American Bankers Association, 1988.
58. ANSI X9.24, “Draft Proposed American National Standard for Retail Key
Management,” American Bankers Association, 1988.
59. ANSI X9.26 (Revised), “American National Standard for Financial Institution Sign“
On Authentication for Wholesale Financial Transaction,” American Bankers Association, 1990.
60. ANSI X9.30, “Working Draft: Public Key Cryptography Using Irreversible
Algorithms for the Financial Services Industry,” American Bankers Association, Aug 1994.
61. ANSI X9.31, “Working Draft: Public Key Cryptography Using Reversible Algorithms
for the Financial Services Industry,” American Bankers Association, Mar 1993.
62. K. Aoki and K. Ohta, “Differential“Linear Cryptanalysis of FEAL“8,” Proceedings of
the 1995 Symposium on Cryptography and Information Security (SCIS 95), Inuyama, Japan, 24“
27 Jan 1995, pp. A3.4.1“11. (In Japanese.)
63. K. Araki and T. Sekine, “On the Conspiracy Problem of the Generalized Tanaka™s






Cryptosystem,” IEICE Transactions, v. E74, n. 8, Aug 1991, pp. 2176“2178.
64. S. Araki, K. Aoki, and K. Ohta, “The Best Linear Expression Search for FEAL,”
Proceedings of the 1995 Symposium on Cryptography and Information Security (SCIS 95),
Inuyama, Japan, 24“27 Jan 1995, pp. A4.4.1“10.
65. C. Asmuth and J. Bloom, “A Modular Approach to Key Safeguarding,” IEEE
Transactions on Information Theory, v. IT“29, n. 2, Mar 1983, pp. 208“210.
66. D. Atkins, M. Graff, A.K. Lenstra, and P.C. Leyland, “The Magic Words are
Squeamish Ossifrage,” Advances in Cryptology”ASIACRYPT ™94 Proceedings, Springer“Verlag,
1995, pp. 263“277.
67. AT&T, “T7001 Random Number Generator,” Data Sheet, Aug 1986.
68. AT&T, “AT&T Readying New Spy“Proof Phone for Big Military and Civilian
Markets,” The Report on AT&T, 2 Jun 1986, pp. 6“7.
69. AT&T, “T7002/T7003 Bit Slice Multiplier,” product announcement, 1987.
70. AT&T, “Telephone Security Device TSD 3600”User™s Manual,” AT&T, 20 Sep 1992.
71. Y. Aumann and U. Feige, “On Message Proof Systems with Known Space Verifiers,”
Advances in Cryptology”CRYPTO ™93 Proceedings, Springer“Verlag, 1994, pp. 85“99.
72. R.G. Ayoub, An Introduction to the Theory of Numbers, Providence, RI: American
Mathematical Society, 1963.
73. A. Aziz and W. Diffie, “Privacy and Authentication for Wireless Local Area
Networks,” IEEE Personal Communications, v. 1, n. 1, 1994, pp. 25“31.
74. A. Bahreman and J.D. Tygar, “Certified Electronic Mail,” Proceedings of the Internet
Society 1994 Workshop on Network and Distributed System Security, The Internet Society, 1994,
pp. 3“19.
75. D. Balenson, “Automated Distribution of Cryptographic Keys Using the Financial
Institution Key Management Standard,” IEEE Communications Magazine, v. 23, n. 9, Sep 1985,
pp. 41“46.
76. D. Balenson, “Privacy Enhancement for Internet Electronic Mail: Part III:
Algorithms, Modes, and Identifiers,” RFC 1423, Feb 1993.
77. D. Balenson, C.M. Ellison, S.B. Lipner, and S.T. Walker, “A New Approach to
Software Key Escrow Encryption,” TIS Report #520, Trusted Information Systems, Aug 94.
78. R. Ball, Mathematical Recreations and Essays, New York: MacMillan, 1960.
79. J. Bamford, The Puzzle Palace, Boston: Houghton Mifflin, 1982.
80. J. Bamford and W. Madsen, The Puzzle Palace, Second Edition, Penguin Books, 1995.
81. S.K. Banerjee, “High Speed Implementation of DES,” Computers & Security, v. 1,
1982, pp. 261“267.
82. Z. Baodong, “MC“Veiled Linear Transform Public Key Cryptosystem,” Acta
Electronica Sinica, v. 20, n. 4, Apr 1992, pp. 21“24. (In Chinese.)
83. P.H. Bardell, “Analysis of Cellular Automata Used as Pseudorandom Pattern
Generators,” Proceedings of 1990 International Test Conference, pp. 762“768.
84. T. Baritaud, H. Gilbert, and M. Girault, “FFT Hashing is not Collision“Free,”
Advances in Cryptology”EUROCRYPT ™92 Proceedings, Springer“Verlag, 1993, pp. 35“44.
85. C. Barker, “An Industry Perspective of the CCEP,” 2nd Annual AIAA Computer
Security Conference Proceedings, 1986.
86. W.G. Barker, Cryptanalysis of the Hagelin Cryptograph, Aegean Park Press, 1977.
87. P. Barrett, “Implementing the Rivest Shamir and Adleman Public Key Encryption
Algorithm on a Standard Digital Signal Processor,” Advances in Cryptology”CRYPTO ™86
Proceedings, Springer“Verlag, 1987, pp. 311“323.
88. T.C. Bartee and D.I. Schneider, “Computation with Finite Fields,” Information and
Control, v. 6, n. 2, Jun 1963, pp. 79“98.
89. U. Baum and S. Blackburn, “Clock“Controlled Pseudorandom Generators on Finite
Groups,” K.U. Leuven Workshop on Cryptographic Algorithms, Springer“Verlag, 1995, to
appear.
90. K.R. Bauer, T.A. Bersen, and R.J. Feiertag, “A Key Distribution Protocol Using Event






Markers,” ACM Transactions on Computer Systems, v. 1, n. 3, 1983, pp. 249“255.
91. F. Bauspiess and F. Damm, “Requirements for Cryptographic Hash Functions,”
Computers & Security, v. 11, n. 5, Sep 1992, pp. 427“437.
92. D. Bayer, S. Haber, and W.S. Stornetta, “Improving the Efficiency and Reliability of
Digital Time“Stamping,” Sequences ™91: Methods in Communication, Security, and Computer
Science, Springer“Verlag, 1992, pp. 329“334.
93. R. Bayer and J.K. Metzger, “On the Encipherment of Search Trees and Random
Access Files,” ACM Transactions on Database Systems, v. 1, n. 1, Mar 1976, pp. 37“52.
94. M. Beale and M.F. Monaghan, “Encryption Using Random Boolean Functions,”
Cryptography and Coding, H.J. Beker and F.C. Piper, eds., Oxford: Clarendon Press, 1989, pp.
219–230.
95. P. Beauchemin and G. Brassard, “A Generalization of Hellman™s Extension to
Shannon™s Approach to Cryptography,” Journal of Cryptology, v. 1, n. 2, 1988, pp. 129“132.
96. P. Beauchemin, G. Brassard, C. Cr©peau, C. Goutier, and C. Pomerance, “The
Generation of Random Numbers that are Probably Prime,” Journal of Cryptology, v. 1, n. 1,
1988, pp. 53“64.
97. D. Beaver, J. Feigenbaum, and V. Shoup, “Hiding Instances in Zero“Knowledge
Proofs,” Advances in Cryptology”CRYPTO ™90 Proceedings, Springer“Verlag, 1991, pp. 326“
338.
98. H. Beker, J. Friend, and P. Halliden, “Simplifying Key Management in Electronic
Funds Transfer Points of Sale Systems,” Electronics Letters, v. 19, n. 12, Jun 1983, pp. 442“444.
99. H. Beker and F. Piper, Cipher Systems: The Protection of Communications, London:
Northwood Books, 1982.
100. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Mathematical
Foundations,” Report ESD“TR“73“275, MITRE Corp., 1973.
101. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: A Mathematical Model,”
Report MTR“2547, MITRE Corp., 1973.
102. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: A Refinement of the
Mathematical Model,” Report ESD“TR“73“278, MITRE Corp., 1974.
103. D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Unified Exposition and
Multics Interpretation,” Report ESD“TR“75“306, MITRE Corp., 1976.
104. M. Bellare and S. Goldwasser, “New Paradigms for Digital Signatures and Message
Authentication Based on Non“Interactive Zero Knowledge Proofs,” Advances in Cryptology”
CRYPTO ™89 Proceedings, Springer“Verlag, 1990, pp. 194“211.
105. M. Bellare and S. Micali, “Non“Interactive Oblivious Transfer and Applications,”
Advances in Cryptology”CRYPTO ™89 Proceedings, Springer“Verlag, 1990, pp. 547“557.
106. M. Bellare, S. Micali, and R. Ostrovsky, “Perfect Zero“Knowledge in Constant
Rounds,” Proceedings of the 22nd ACM Symposium on the Theory of Computing, 1990, pp. 482“
493.
107. S.M. Bellovin, “A Preliminary Technical Analysis of Clipper and Skipjack,”
unpublished manuscript, 20 Apr 1993.
108. S.M. Bellovin and M. Merritt, “Limitations of the Kerberos Protocol,” Winter 1991
USENIX Conference Proceedings, USENIX Association, 1991, pp. 253–267.
109. S.M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based
Protocols Secure Against Dictionary Attacks,” Proceedings of the 1992 IEEE Computer Society
Conference on Research in Security and Privacy, 1992, pp. 72–84.
110. S.M. Bellovin and M. Merritt, “An Attack on the Interlock Protocol When Used for
Authentication,” IEEE Transactions on Information Theory, v. 40, n. 1, Jan 1994, pp. 273–275.
111. S.M. Bellovin and M. Merritt, “Cryptographic Protocol for Secure
Communications,” U.S. Patent #5,241,599, 31 Aug 93.
112. I. Ben-Aroya and E. Biham, “Differential Cryptanalysis of Lucifer,” Advances in
Cryptology—CRYPTO ’93 Proceedings, Springer-Verlag, 1994, pp. 187–199.
113. J.C. Benaloh, “Cryptographic Capsules: A Disjunctive Primitive for Interactive






Protocols,” Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 213–222.
114. J.C. Benaloh, “Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret,”
Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 251–260.
115. J.C. Benaloh, “Verifiable Secret-Ballot Elections,” Ph.D. dissertation, Yale
University, YALEU/DCS/TR-561, Dec 1987.
116. J.C. Benaloh and M. de Mare, “One-Way Accumulators: A Decentralized
Alternative to Digital Signatures,” Advances in Cryptology—EUROCRYPT ’93 Proceedings,
Springer-Verlag, 1994, pp. 274–285.
117. J.C. Benaloh and D. Tuinstra, “Receipt-Free Secret Ballot Elections,” Proceedings of
the 26th ACM Symposium on the Theory of Computing, 1994, pp. 544–553.
118. J.C. Benaloh and M. Yung, “Distributing the Power of a Government to Enhance the
Privacy of Voters,” Proceedings of the 5th ACM Symposium on the Principles in Distributed
Computing, 1986, pp. 52–62.
119. A. Bender and G. Castagnoli, “On the Implementation of Elliptic Curve
Cryptosystems,” Advances in Cryptology—CRYPTO ’89 Proceedings, Springer-Verlag, 1990, pp.
186–192.
120. S. Bengio, G. Brassard, Y.G. Desmedt, C. Goutier, and J.-J. Quisquater, “Secure
Implementation of Identification Systems,” Journal of Cryptology, v. 4, n. 3, 1991, pp. 175–184.
121. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental
Quantum Cryptography,” Advances in Cryptology—EUROCRYPT ’90 Proceedings, Springer-
Verlag, 1991, pp. 253–265.
122. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental
Quantum Cryptography,” Journal of Cryptology, v. 5, n. 1, 1992, pp. 3–28.
123. C.H. Bennett and G. Brassard, “Quantum Cryptography: Public Key Distribution
and Coin Tossing,” Proceedings of the IEEE International Conference on Computers, Systems,
and Signal Processing, Bangalore, India, Dec 1984, pp. 175–179.
124. C.H. Bennett and G. Brassard, “An Update on Quantum Cryptography,” Advances
in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 475–480.
125. C.H. Bennett and G. Brassard, “Quantum Public-Key Distribution System,” IBM
Technical Disclosure Bulletin, v. 28, 1985, pp. 3153–3163.
126. C.H. Bennett and G. Brassard, “Quantum Public Key Distribution Reinvented,”
SIGACT News, v. 18, n. 4, 1987, pp. 51–53.
127. C.H. Bennett and G. Brassard, “The Dawn of a New Era for Quantum
Cryptography: The Experimental Prototype is Working!” SIGACT News, v. 20, n. 4, Fall 1989,
pp. 78–82.
128. C.H. Bennett, G. Brassard, and S. Breidbart, Quantum Cryptography II: How to Re-
Use a One-Time Pad Safely Even if P=NP, unpublished manuscript, Nov 1982.
129. C.H. Bennett, G. Brassard, S. Breidbart, and S. Wiesner, “Quantum Cryptography,
or Unforgeable Subway Tokens,” Advances in Cryptology: Proceedings of Crypto 82, Plenum
Press, 1983, pp. 267–275.
130. C.H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, “Practical
Quantum Oblivious Transfer,” Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-
Verlag, 1992, pp. 351–366.
131. C.H. Bennett, G. Brassard, and A.K. Ekert, “Quantum Cryptography,” Scientific
American, v. 267, n. 4, Oct 1992, pp. 50–57.
132. C.H. Bennett, G. Brassard, and N.D. Mermin, “Quantum Cryptography Without
Bell’s Theorem,” Physical Review Letters, v. 68, n. 5, 3 Feb 1992, pp. 557–559.
133. C.H. Bennett, G. Brassard, and J.-M. Robert, “How to Reduce Your Enemy’s
Information,” Advances in Cryptology—CRYPTO ’85 Proceedings, Springer-Verlag, 1986, pp.
468–476.
134. C.H. Bennett, G. Brassard, and J.-M. Robert, “Privacy Amplification by Public
Discussion,” SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp. 210–229.
135. J. Bennett, “Analysis of the Encryption Algorithm Used in WordPerfect Word






Processing Program,” Cryptologia, v. 11, n. 4, Oct 1987, pp. 206–210.
136. M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness Theorems for Non-
Cryptographic Fault-Tolerant Distributed Computation,” Proceedings of the 20th ACM
Symposium on the Theory of Computing, 1988, pp. 1–10.
137. M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P.
Rogaway, “Everything Provable is Provable in Zero-Knowledge,” Advances in Cryptology—
CRYPTO ’88 Proceedings, Springer-Verlag, 1990, pp. 37–56.
138. M. Ben-Or, O. Goldreich, S. Micali, and R.L. Rivest, “A Fair Protocol for Signing
Contracts,” IEEE Transactions on Information Theory, v. 36, n. 1, Jan 1990, pp. 40–46.
139. H.A. Bergen and W.J. Caelli, “File Security in WordPerfect 5.0,” Cryptologia, v. 15,
n. 1, Jan 1991, pp. 57–66.
140. E.R. Berlekamp, Algebraic Coding Theory, Aegean Park Press, 1984.
141. S. Berkovits, “How to Broadcast a Secret,” Advances in Cryptology—EUROCRYPT
’91 Proceedings, Springer-Verlag, 1991, pp. 535–541.
142. S. Berkovits, J. Kowalchuk, and B. Schanning, “Implementing Public-Key Scheme,”
IEEE Communications Magazine, v. 17, n. 3, May 1979, pp. 2–3.
143. D.J. Bernstein, Bernstein vs. U.S. Department of State et al., Civil Action No. C95-
0582-MHP, United States District Court for the Northern District of California, 21 Feb 1995.
144. T. Berson, “Differential Cryptanalysis Mod 2^32 with Applications to MD5,”
Advances in Cryptology—EUROCRYPT ’92 Proceedings, 1992, pp. 71–80.
145. T. Beth, Verfahren der schnellen Fourier-Transformation, Teubner, Stuttgart, 1984.
(In German.)
146. T. Beth, “Efficient Zero-Knowledge Identification Scheme for Smart Cards,”
Advances in Cryptology—EUROCRYPT ’88 Proceedings, Springer-Verlag, 1988, pp. 77–84.
147. T. Beth, B.M. Cook, and D. Gollmann, “Architectures for Exponentiation in GF
(2^n),” Advances in Cryptology—CRYPTO ’86 Proceedings, Springer-Verlag, 1987, pp. 302–310.
148. T. Beth and Y. Desmedt, “Identification Tokens—or: Solving the Chess
Grandmaster Problem,” Advances in Cryptology—CRYPTO ’90 Proceedings, Springer-Verlag,
1991, pp. 169–176.
149. T. Beth and C. Ding, “On Almost Nonlinear Permutations,” Advances in
Cryptology—EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 65–76.
150. T. Beth, M. Frisch, and G.J. Simmons, eds., Lecture Notes in Computer Science 578;
Public Key Cryptography: State of the Art and Future Directions, Springer-Verlag, 1992.
151. T. Beth and F.C. Piper, “The Stop-and-Go Generator,” Advances in Cryptology:
Proceedings of EUROCRYPT 84, Springer-Verlag, 1984, pp. 88–92.
152. T. Beth and F. Schaefer, “Non Supersingular Elliptic Curves for Public Key
Cryptosystems,” Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag,
1991, pp. 316–327.
153. A. Beutelspacher, “How to Say ‘No’,” Advances in Cryptology—EUROCRYPT ’89
Proceedings, Springer-Verlag, 1990, pp. 491–496.
154. J. Bidzos, letter to NIST regarding DSS, 20 Sep 1991.
155. J. Bidzos, personal communication, 1993.
156. P. Bieber, “A Logic of Communication in a Hostile Environment,” Proceedings of the
Computer Security Foundations Workshop III, IEEE Computer Society Press, 1990, pp. 14–22.
157. E. Biham, “Cryptanalysis of the Chaotic-Map Cryptosystem Suggested at
EUROCRYPT ’91,” Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag,
1991, pp. 532–534.
158. E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Technical
Report #753, Computer Science Department, Technion—Israel Institute of Technology, Sep
1992.
159. E. Biham, “On the Applicability of Differential Cryptanalysis to Hash Functions,”
lecture at EIES Workshop on Cryptographic Hash Functions, Mar 1992.
160. E. Biham, personal communication, 1993.






161. E. Biham, “Higher Order Differential Cryptanalysis,” unpublished manuscript, Jan
1994.
162. E. Biham, “On Modes of Operation,” Fast Software Encryption, Cambridge Security
Workshop Proceedings, Springer-Verlag, 1994, pp. 116–120.
163. E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Journal of
Cryptology, v. 7, n. 4, 1994, pp. 229–246.
164. E. Biham, “On Matsui’s Linear Cryptanalysis,” Advances in Cryptology—
EUROCRYPT ’94 Proceedings, Springer-Verlag, 1995, pp. 398–412.
165. E. Biham and A. Biryukov, “How to Strengthen DES Using Existing Hardware,”
Advances in Cryptology—ASIACRYPT ’94 Proceedings, Springer-Verlag, 1995, to appear.
166. E. Biham and P.C. Kocher, “A Known Plaintext Attack on the PKZIP Encryption,”
K.U. Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.
167. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,”
Advances in Cryptology—CRYPTO ’90 Proceedings, Springer-Verlag, 1991, pp. 2–21.
168. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,”
Journal of Cryptology, v. 4, n. 1, 1991, pp. 3–72.
169. E. Biham and A. Shamir, “Differential Cryptanalysis of Feal and N-Hash,”
Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag, 1991, pp. 1–16.
170. E. Biham and A. Shamir, “Differential Cryptanalysis of Snefru, Khafre, REDOC-II,
LOKI, and Lucifer,” Advances in Cryptology—CRYPTO ’91 Proceedings, 1992, pp. 156–171.
171. E. Biham and A. Shamir, “Differential Cryptanalysis of the Full 16-Round DES,”
Advances in Cryptology—CRYPTO ’92 Proceedings, Springer-Verlag, 1993, pp. 487–496.
172. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard,
Springer-Verlag, 1993.
173. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung,
“Systematic Design of Two-Party Authentication Protocols,” Advances in Cryptology—CRYPTO
’91 Proceedings, Springer-Verlag, 1992, pp. 44–61.
174. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung,
“Systematic Design of a Family of Attack-Resistant Authentication Protocols,” IEEE Journal of
Selected Areas in Communication, to appear.
175. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, “A
Modular Family of Secure Protocols for Authentication and Key Distribution,” IEEE/ACM
Transactions on Networking, to appear.
176. M. Bishop, “An Application for a Fast Data Encryption Standard Implementation,”
Computing Systems, v. 1, n. 3, 1988, pp. 221–254.
177. M. Bishop, “Privacy-Enhanced Electronic Mail,” Distributed Computing and
Cryptography, J. Feigenbaum and M. Merritt, eds., American Mathematical Society, 1991, pp.
93–106.
178. M. Bishop, “Privacy-Enhanced Electronic Mail,” Internetworking: Research and
Experience, v. 2, n. 4, Dec 1991, pp. 199–233.
179. M. Bishop, “Recent Changes to Privacy Enhanced Electronic Mail,”
Internetworking: Research and Experience, v. 4, n. 1, Mar 1993, pp. 47–59.
180. I.F. Blake, R. Fuji-Hara, R.C. Mullin, and S.A. Vanstone, “Computing Logarithms
in Finite Fields of Characteristic Two,” SIAM Journal on Algebraic Discrete Methods, v. 5, 1984,
pp. 276–285.
181. I.F. Blake, R.C. Mullin, and S.A. Vanstone, “Computing Logarithms in GF(2^n),”
Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 73–82.
182. G.R. Blakley, “Safeguarding Cryptographic Keys,” Proceedings of the National
Computer Conference, 1979, American Federation of Information Processing Societies, v. 48,
1979, pp. 313–317.
183. G.R. Blakley, “One-Time Pads are Key Safeguarding Schemes, Not
Cryptosystems—Fast Key Safeguarding Schemes (Threshold Schemes) Exist,” Proceedings of
the 1980 Symposium on Security and Privacy, IEEE Computer Society, Apr 1980, pp. 108–113.






184. G.R. Blakley and I. Borosh, “Rivest-Shamir-Adleman Public Key Cryptosystems Do
Not Always Conceal Messages,” Computers and Mathematics with Applications, v. 5, n. 3, 1979,
pp. 169–178.
185. G.R. Blakley and C. Meadows, “A Database Encryption Scheme which Allows the
Computation of Statistics Using Encrypted Data,” Proceedings of the 1985 Symposium on
Security and Privacy, IEEE Computer Society, Apr 1985, pp. 116–122.
186. M. Blaze, “A Cryptographic File System for UNIX,” 1st ACM Conference on
Computer and Communications Security, ACM Press, 1993, pp. 9–16.
187. M. Blaze, “Protocol Failure in the Escrowed Encryption Standard,” 2nd ACM
Conference on Computer and Communications Security, ACM Press, 1994, pp. 59–67.
188. M. Blaze, “Key Management in an Encrypting File System,” Proceedings of the
Summer 94 USENIX Conference, USENIX Association, 1994, pp. 27–35.
189. M. Blaze and B. Schneier, “The MacGuffin Block Cipher Algorithm,” K.U. Leuven
Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.
190. U. Blöcher and M. Dichtl, “Fish: A Fast Software Stream Cipher,” Fast Software
Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 41–44.
191. R. Blom, “Non-Public Key Distribution,” Advances in Cryptology: Proceedings of
Crypto 82, Plenum Press, 1983, pp. 231–236.
192. K.J. Blow and S.J.D. Phoenix, “On a Fundamental Theorem of Quantum
Cryptography,” Journal of Modern Optics, v. 40, n. 1, Jan 1993, pp. 33–36.
193. L. Blum, M. Blum, and M. Shub, “A Simple Unpredictable Pseudo-Random
Number Generator,” SIAM Journal on Computing, v. 15, n. 2, 1986, pp. 364–383.
194. M. Blum, “Coin Flipping by Telephone: A Protocol for Solving Impossible
Problems,” Proceedings of the 24th IEEE Computer Conference (CompCon), 1982, pp. 133–137.
195. M. Blum, “How to Exchange (Secret) Keys,” ACM Transactions on Computer
Systems, v. 1, n. 2, May 1983, pp. 175–193.
196. M. Blum, “How to Prove a Theorem So No One Else Can Claim It,” Proceedings of
the International Congress of Mathematicians, Berkeley, CA, 1986, pp. 1444–1451.
197. M. Blum, A. De Santis, S. Micali, and G. Persiano, “Noninteractive Zero-
Knowledge,” SIAM Journal on Computing, v. 20, n. 6, Dec 1991, pp. 1084–1118.
198. M. Blum, P. Feldman, and S. Micali, “Non-Interactive Zero-Knowledge and Its
Applications,” Proceedings of the 20th ACM Symposium on Theory of Computing, 1988, pp. 103–
112.
199. M. Blum and S. Goldwasser, “An Efficient Probabilistic Public-Key Encryption
Scheme Which Hides All Partial Information,” Advances in Cryptology: Proceedings of CRYPTO
84, Springer-Verlag, 1985, pp. 289–299.
200. M. Blum and S. Micali, “How to Generate Cryptographically-Strong Sequences of
Pseudo-Random Bits,” SIAM Journal on Computing, v. 13, n. 4, Nov 1984, pp. 850–864.
201. B. den Boer, “Cryptanalysis of F.E.A.L.,” Advances in Cryptology—EUROCRYPT
’88 Proceedings, Springer-Verlag, 1988, pp. 293–300.
202. B. den Boer and A. Bosselaers, “An Attack on the Last Two Rounds of MD4,”
Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-Verlag, 1992, pp. 194–203.
203. B. den Boer and A. Bosselaers, “Collisions for the Compression Function of MD5,”
Advances in Cryptology—EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 293–304.
204. J.-P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjølsnes, F. Muller, T.
Pedersen, B. Pfitzmann, P. de Rooij, B. Schoenmakers, M. Schunter, L. Vallée, and M. Waidner,
“Digital Payment Systems in the ESPRIT Project CAFE,” Securicom 94, Paris, France, 2–6 Jan
1994, pp. 35–45.
205. J.-P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjølsnes, F. Muller, T.
Pedersen, B. Pfitzmann, P. de Rooij, B. Schoenmakers, M. Schunter, L. Vallée, and M. Waidner,
“The ESPRIT Project CAFE—High Security Digital Payment System,” Computer Security—
ESORICS 94, Springer-Verlag, 1994, pp. 217–230.
206. D.J. Bond, “Practical Primality Testing,” Proceedings of IEE International






Conference on Secure Communications Systems, 22–23 Feb 1984, pp. 50–53.
