Index
Symbols
|S| (cardinality of a set S), 49
∈ (set member), 49
⊆ (subset), 49
⊂ (proper subset), 49
∩ (set intersection), 49
(set union), 49
− (set difference), 49
× (Cartesian product), 49
∅ (empty set), 50
O-notation (big-O), 58
Ω-notation (big-omega), 59
Θ-notation (big-theta), 59
o-notation (little-o), 59
≝ (by definition), 213
L_q[α, c] (subexponential notation), 60
≤_P (polytime reduction), 61
∼ (asymptotic equivalence), 134
π (mathematical constant pi), 49
e (base of natural logarithms), 49
(sum), 50
(product), 50
! (factorial), 50
⌊ ⌋ (floor), 49
⌈ ⌉ (ceiling), 49
φ (Euler phi function), 65, 286
μ(n) (Möbius function), 154
lg (base 2 logarithm), 50
ln (natural logarithm), 50
[a, b] (interval of integers), 49
| (divides relation), 63, 79
≡ (congruence relation), 67, 79
≪ (much less than), 529
≫ (much greater than), 170
(n choose k) (binomial coefficient), 52
(a/p) (Legendre symbol), 72
⟨·,·⟩ (inner product), 118
‖v‖ (length of a vector v), 118
x ← y (assignment operator), 66
x‖y (concatenation of strings x, y), 38
{0,1}^k (bitstrings of bitlength k), 447
{0,1}^* (bitstrings of arbitrary bitlength), 447
Q (the rational numbers), 49
R (the real numbers), 49
Z (the integers), 49
Z_n (integers modulo n), 68
Z_n^* (multiplicative group of Z_n), 69
Q_n (quadratic residues modulo n), 70
Q̄_n (quadratic non-residues modulo n), 70
F_q (finite field of order q), 81
F_q^* (multiplicative group of F_q), 81
Z[x] (polynomial ring), 78
∨ (inclusive-OR), 213
⊕ (exclusive-OR), 20
∧ (AND), 213
⊞ (addition mod 2^n), 263
⊟ (subtraction mod 2^n), 270
⊙ (modified multiplication mod 2^n + 1), 263
<<< (left rotation), 213
>>> (right rotation), 213
→ (message transfer), 396
A
Abelian group, 75
Abstract Syntax Notation One (ASN.1), 660
Access control, 3
Access control matrix, 387
Access matrix model, 569
Access structure, 526
  monotone, 527
Accredited Standards Committee (ASC), 648
Active adversary, 15, 37
Active attack, 41, 495
Ad hoc security, 43
Adaptive chosen-ciphertext attack, 42
Adaptive chosen-message attack, 433
Adaptive chosen-plaintext attack, 41
Addition chains, 621, 633
Adversary, 13, 495
  active, 15
  insider, 496
    one-time, 496
    permanent, 496
  outsider, 496
  passive, 15
Affine cipher, 239
Algebraic normal form, 205
Algorithm
  definition of, 57
755
  deterministic, 62
  exponential-time, 59
  polynomial-time, 59
  randomized, 62
    expected running time, 63
  running time, 58
    asymptotic, 58
    average-case, 58
    worst-case, 58
  subexponential-time, 60
Alphabet of definition, 11
Alternating step generator, 209–211, 220
Anonymity, 3
ANSI standards, 648–651, 660
  ordering and acquiring, 656
ANSI X9.17 pseudorandom bit generator, 173
Anti-palindromic keys of DES, 257
Appended authenticator, 361
Arbitrated signature scheme, 472–473
Arithmetic
  integer, see Multiple-precision integer arithmetic
  modular, see Multiple-precision modular arithmetic
Arthur-Merlin games, 421
ASN.1, see Abstract Syntax Notation One (ASN.1)
Asymmetric cryptographic system, 544
Asymptotic running time, 58
Atkin’s primality test, 145
  implementation report, 166
Attack
  active, 41, 495
  adaptive chosen-ciphertext, 42
  adaptive chosen-message, 433
  adaptive chosen-plaintext, 41
  chosen-ciphertext, 41, 226
  chosen-message, 433
  chosen-plaintext, 41, 226
  chosen-text, 417
  ciphertext-only, 41, 225
  dictionary, 42, 392
  differential cryptanalysis, 258
  differential-linear, 271
  exhaustive key search, 233–234
  forced delay, 417
  forward search, 42, 288, 420
  impersonation, 42, 417
  interleaving, 42, 417, 531, 540
  intruder-in-the-middle, 530, 540
  key-only, 432
  known-key, 42, 496, 534
  known-key triangle, 538
  known-message, 432
  known-plaintext, 41, 225
  linear cryptanalysis, 258
  local, 419
  meet-in-the-middle, 235
  misplaced trust in server, 531
  non-interactive, 419
  off-line, 419
  on-line, 419
  passive, 41, 495
  pre-play, 397
  reflection, 417, 530, 540
  related-key, 226
  remote, 419
  replay, 42, 417
  time-memory tradeoff, 236
  truncated differentials, 271
  universal forgery, 482
Attacker, 13
Attacker (alternate names), 495
  see also Adversary
Attribute certificate, 561
Audit trail, 549, 583
Audit trail information, 545
Authenticated key establishment, 492, 493
Authenticated key exchange protocol
  AKEP1/AKEP2, 499, 535, 541
Authentication
  data origin, 4, 361
    see also Data origin authentication
  entity, 4
    see also Entity authentication
  explicit key, 492
  key, 492
  message, 361
  mutual, 494
  protocol, 493
  transaction, 362
  unilateral, 494
  see also Entity authentication (and Identification)
Authentication code, 376, 382
Authentication path, 557
Authentication server, 491, 549
Authentication tree, 466–468, 485, 556–559, 587
Authority revocation list (ARL), 577
Authorization, 3
Authorized subset, 527
Auto-key cipher, 242
Autocorrelation function, 180
Autocorrelation test, 182
Auxiliary-input zero-knowledge, 423
Avalanche effect, 277
Average-case running time, 58
B
Baby-step giant-step algorithm, 104–106, 128
© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
BAN logic, 420, 534, 541
Bandwidth efficiency, 437
Barrett reduction, 603–605, 631
Base b representation, 592
Basis, 80
Bayes’ theorem, 51
BEAR block cipher, 282
Beaufort cipher, 241
Beller-Yacobi key transport
  2-pass, 514
  4-pass, 513
Berlekamp’s Q-matrix algorithm, 124, 132
Berlekamp-Massey algorithm, 200–201
  next discrepancy, 200
Bernoulli trial, 52
Biased, 172
Big-endian, 344
Big-O notation, 58
Big-omega notation, 59
Big-theta notation, 59
Bijection, 7, 50
Binary additive stream cipher, 194
  keystream generator, 194
  running key generator, 194
Binary alphabet, 11
Binary Euclidean algorithm, 632
Binary extended gcd algorithm, 608–610, 632
Binary gcd algorithm, 606–607, 632
Binary operation, 75
Binary representation, 592
Binary tree, 557
  balanced, 558
  children, 557
  depth of, 558
  internal vertex, 557
  leaf, 557
  parent, 557
  root vertex, 557
Binomial
  coefficient, 52
  distribution, 52
  theorem, 52
Biometrics, 387, 420
Birthday attack, 352, 369
Birthday problem, 53
Birthday surprise, 53
Bit commitment, 421
Bitzer’s hash function, 374
Black-box, 329, 341, 369, 378
Blakley’s threshold scheme, 538
Blind signature scheme, 475, 487
  based on DSA, 487
  based on Nyberg-Rueppel, 487
  Chaum, 475
  fair, 487
Blinded message, 475
Blinding function, 475
  based on RSA, 475
Blob, 421
Block cipher, 223–282
  3-WAY, 281
  attacks on
    differential cryptanalysis, 258
    differential-linear, 271
    exhaustive key search, 233–234, 273
    key clustering attack, 281
    linear cryptanalysis, 258
    meet-in-the-middle attack, 235
    related-key attack, 226, 281
    time-memory tradeoff, 236, 273
    truncated differentials, 271, 280
  BEAR, 282
  Blowfish, 281
  CAST, 281
  classical cipher, 237–250
  definition of, 16, 224
  DES, 250–259
  double DES, 235
  FEAL, 259–262
  GOST, 282
  IDEA, 263–265
  iterated, 251
  Khafre, 271
  Khufu, 271
  LION, 282
  LOKI’91, 270
  Luby-Rackoff, 282
  Lucifer, 276
  modes of operation, 228–233, 272
    ANSI X3.106 standard, 649
    ANSI X9.52 standard, 651
    CBC with checksum (CBCC), 367
    cipher feedback mode (CFB), 231
    cipher-block chaining mode (CBC), 230
    counter mode, 233
    electronic codebook mode (ECB), 228–230
    FIPS 81 standard, 654
    ISO 8372 standard, 645
    ISO/IEC 10116 standard, 647
    output feedback mode (OFB), 232–233
    plaintext-ciphertext block chaining (PCBC), 368
  Randomized DES (RDES), 278
  RC2, 282
  RC5, 269–270
  round function, 251
  SAFER, 266–269
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
  semi-weak keys (of DES), 257
    anti-palindromic keys (of DES), 257
  SHARK, 281
  SKIPJACK, 282, 584
  TEA, 282
  triple DES, 272
  WAKE, 282
Block of a sequence, 180
Blocklength, 224
Blom’s KDS bound, 505
Blom’s key pre-distribution system, 506, 536
Blowfish block cipher, 281
Blum integer, 74–75
Blum-Blum-Shub pseudorandom bit generator, 186–187, 308
Blum-Goldwasser probabilistic public-key encryption, 308–311
  decryption algorithm, 309
  encryption algorithm, 309
  key generation, 308
  security of, 310
Blum-Micali pseudorandom generator, 189
Blundo’s conference KDS bound, 529
Boolean function, 202
  algebraic normal form of, 205
  correlation immune, 207
  nonlinear order of, 205
BPP, 63
Break-backward protection, 496
Brickell-McCurley identification protocol, 423
Broadcast encryption, 528
Bucket hashing, 382
Burmester-Desmedt conference keying, 528
Burst error, 363
C
CA, see Certification authority (CA)
CA-certificate, 572
Caesar cipher, 239
CALEA, 590
Capability (access control), 570
Capstone chip, 589
Cardinality of a set, 49
Carmichael number, 137
Carry-save adder, 630
Cartesian product, 49
Cascade cipher, 234, 237
Cascade generator
  m-sequence, 221
  p-cycle, 220
Cascading hash functions, 334
CAST block cipher, 281
  patent, 659
CBC, see Cipher-block chaining mode
CBC-MAC, 353–354, 367
  ANSI X9.9 standard, 650
  ANSI X9.19 standard, 650
  FIPS 113 standard, 654
  ISO 8731-1 standard, 652
  ISO 9807 standard, 652
  ISO/IEC 9797 standard, 646
Cellular automata stream cipher, 222
Certificate
  ANSI X9.45 standard, 651
  ANSI X9.55 standard, 651
  ANSI X9.57 standard, 651
  caching, 576
  chain, 572
  directory, 549
    pull model, 576
    push model, 576
  forward, 575
  on-line, 576
  public-key, see Public-key certificate
  reverse, 575
  revocation, 566, 576–577
  RFC 1422, 655
  secret-key, see Secret-key certificate
  symmetric-key, see Symmetric-key certificate
  X.509 standard, 660
Certificate of primality, 166
Certificate revocation list (CRL), 576–577
Certification, 3
  path, 572
  policy, 576
  topology, 572
Certification authority (CA), 491, 548, 556, 559
Certificational attack, 236
Certificational weakness, 285
CFB, see Cipher feedback mode
CFB-64 MAC, 650
Challenge, 397, 409
Challenge-response identification, 397–405, 420–421
  public-key, 403–405
    ISO/IEC 9798-3, 404–405
    modified Needham-Schroeder, 404
    X.509, 404
  symmetric-key, 400–403
    ISO/IEC 9798-2, 401–402
    SKID2, 402
    SKID3, 402
Channel, 13
  physically secure, 13
  secure, 13
  secured, 13
  unsecured, 13
Characteristic of a field, 77
Chaum’s blind signature protocol, 475
Chaum-van Antwerpen undeniable signature scheme, 476–478
  disavowal protocol, 477
  key generation, 476
  security of, 478
  signature generation, 476
Chebyshev’s inequality, 52
Checksum, 362, 367–368
Chi-square (χ²) distribution, 177–179
  degrees of freedom, 177
  mean of, 177
  variance of, 177
Chinese remainder theorem (CRT), 68
  Garner’s algorithm, 612–613
  Gauss’s algorithm, 68
Chipcard, 387, 424
Chor-Rivest public-key encryption, 302–306, 318
  attacks on, 318
  decryption algorithm, 303
  encryption algorithm, 303
  key generation, 303
  recommended parameter sizes, 305
  security of, 305
Chosen-ciphertext attack, 41, 226, 285
  adaptive, 285
  indifferent, 285
Chosen-message attack, 433
  directed, 482
  generic, 482
Chosen-plaintext attack, 41, 226
Cipher, 12
  see also Encryption
Cipher-block chaining mode (CBC), 230
  integrity of IV in, 230
  use in public-key encryption, 285
Cipher feedback mode (CFB), 231
  as a stream cipher, 233
  ISO variant of, 231
Cipher machine, 242–245
  Jefferson cylinder, 243
  rotor-based machine, 243–245, 276
    Enigma, 245
    Hagelin M-209, 245
    Hebern, 244
  Wheatstone disc, 274
Ciphertext, 11
Ciphertext-only attack, 41, 225
Ciphertext space, 11
Claimant, 385, 386
Classical cipher, 237–250, 273–276
  cipher machines, see Cipher machine
  cryptanalysis, 245–250, 275–276
    index of coincidence, 248
    Kasiski’s method, 248
    measure of roughness, 249
  polyalphabetic substitution cipher, see Polyalphabetic substitution cipher
  substitution cipher, see Substitution cipher
  transposition cipher, see Transposition cipher
Classical modular multiplication, 600
Classical occupancy problem, 53
Claw-resistant (claw-free), 376, 468
Clipper chip, 584, 589
  key escrow, 584
  law enforcement access field (LEAF), 584
Clipper key escrow, 654
Clock-controlled generator, 209–212
co-NP, 60
Codebook, 240
Codomain of a function, 6, 50
Collision, 321
  pseudo-collision, 371
Collision resistance, 324, 325
Collision resistant hash function (CRHF), 325
Combining function, 205
Common modulus attack on RSA, 289
Commutative ring, 77
Complementation property of DES, 256–257
Complete function, 277
Complexity classes, 59–62
  BPP, 63
  co-NP, 60
  NP, 60
  NP-complete, 61
  NP-hard, 62
  NPC, 61
  P, 60
  RP, 63
  ZPP, 63
Complexity measure
  2-adic span, 218
  linear complexity, 198–201
  maximum order complexity, 217
  Turing-Kolmogorov-Chaitin complexity, 217
  Ziv-Lempel complexity, 217
Complexity of attacks on a block cipher, 225–227
  active complexity, 226
  attack complexity, 226
  data complexity, 226
  passive complexity, 226
  processing complexity, 226
  storage complexity, 226
Complexity theory, 57–63
Complexity-theoretic security, 43
Compliant, 532
Composite integer, 64
Composition of functions, 19
Computation-resistance (MAC), 325
Computational problems
  computationally equivalent, 88
  polytime reduction, 88
Computational security, 43, 226
Computational zero-knowledge protocol, 407
Computationally equivalent decision problems, 61
COMSET, 421, 536
Conditional entropy, 56
Conditional probability, 51
Conditional transinformation, 57
Conference keying, 528–529, 540
  Blundo’s conference KDS bound, 529
  Burmester-Desmedt, 528
  definition of, 528
Confidentiality, 3, 4, 12
Confirmation, 3
Confounder, 418
Confusion, 20
Congruences
  integers, 67
  polynomials, 79
Conjugate gradient method, 129
Connection polynomial of an LFSR, 196, 204
  known versus secret, 204
  sparse versus dense, 205
Constrained linear equations problem, 423
Continued fraction factoring algorithm, 126
Continuous random variable, 176
Control vector, 569
  patent, 639, 658
Conventional encryption, 15
Coprime, 64
Correcting-block chaining attack, 373
Correlated, 172
Correlation attack, 206, 218
Correlation immunity, 207, 218
Counter mode, 233
CRC-based MAC, 359
Credential, 501
CRHF, see Collision resistant hash function
Cross-certificate (CA-certificate), 572
Cross-certificate pair, 573
CRT, see Chinese remainder theorem
Cryptanalysis, 15
Cryptanalyst, 15
Cryptographic check value, 363
Cryptographic primitives, 4
  taxonomy of, 5
Cryptographically secure pseudorandom bit generator (CSPRBG), 185–187
  Blum-Blum-Shub generator, 186–187
  Blum-Micali generator, 189
  definition of, 171
  Micali-Schnorr generator, 186
  modified-Rabin generator, 190
  RSA generator, 185–186
Cryptography
  definition of, 4
  goals of, 4
CRYPTOKI, 656
Cryptology, 15
Cryptoperiod of a key, 553
Cryptosystem, 15
Cut-and-choose protocol, 410, 421
Cycle of a periodic sequence, 180
Cyclic group, 69, 76
  generator of, 76
Cyclic redundancy code (CRC), 363
Cyclic register, 220
Cycling attacks on RSA, 289, 313
D
Data Authentication Algorithm (DAA), 654
Data Encryption Standard, see DES block cipher
Data integrity, 3, 4, 33, 359–368, 383
Data key, 552
Data origin authentication, 3, 4, 25, 359–368, 491
Davies-Meyer hash function, 341
de Bruijn FSR, 203
de Bruijn sequence, 203
De-skewing, 172
DEA, 649
Decimated subsequence, 211
Decision problems, 60
  computationally equivalent, 61
  polytime reduction, 61
Decryption, 11
Decryption exponent for RSA, 286
Decryption function, 11
DECT, 586
Degrees of freedom, 177
Delay element
  of an FSR, 202
  of an LFSR, 195
Delayed-carry adder, 630
Density of a knapsack set, 120
Derivative of a polynomial, 123
DES block cipher, 250–259, 276–278
  ANSI X3.92 standard, 649
  attacks on
    differential cryptanalysis, 258–259
    exhaustive key search, 233–234, 272
    linear cryptanalysis, 258–259
  complementation property, 256–257
  decryption algorithm, 255
  DESX, 273
  double DES, see Double DES
  encryption algorithm, 253
  expansion permutation, 252
  FIPS 46 standard, 654
  initial permutation (IP), 252, 277
  key schedule
    decryption, 256
    encryption, 255
  modes of operation, see Block cipher, modes of operation
  patent, 636
  permuted choices (PC1, PC2), 252
  properties and strengths, 256–259
  round, 252
  S-box, 252
  semi-weak key, 257
    anti-fixed point of, 257
  test vectors, 256
  triple-DES, 273
  weak key, 257
    fixed point of, 257
Designated confirmer signature, 487
Deterministic, 306
Deterministic algorithm, 62
Dickson polynomial, 314
Dickson scheme, 314
Dictionary attack, 42
Difference of sets, 49
Differential chaining attack, 375
Differential cryptanalysis
  of block ciphers, 258, 271, 278–280
Differential-linear cryptanalysis, 271
Diffie-Hellman key agreement, 515–520, 522–524
  ANSI X9.42 standard, 651
  composite modulus, 537
  patent, 637
Diffie-Hellman problem, 113–114
  composite moduli, 114, 131
  generalized, 113
Diffie-Lamport one-time signature scheme, 485
Diffusion, 20
Digital envelope, 550
Digital fingerprint, 321
Digital signature, see Signature
Digital Signature Algorithm (DSA), 452–454, 483
  ANSI X9.30-1 standard, 651
  FIPS 186 standard, 655
  key generation, 452
  patent, 640, 658
  security of, 453
  signature generation, 452
  signature verification, 453
  use and throw coupons, 483
Dimension of a vector space, 80
Dirichlet theorem, 135
Disavowal protocol, 477
Discrete Fourier Transform (DFT), 631
Discrete logarithms, 103–113
  baby-step giant-step algorithm, 104–106
  composite moduli, 114
  exhaustive search, 104
  for class groups, 130
  for elliptic curves, 130
  for hyperelliptic curves, 130
  function field sieve, 129
  generalized problem, 103
  heuristic running time, 129
  in subgroups of Z_p^*, 113
  index-calculus algorithms, 109–112
  lambda method, 128
  number field sieve, 128
  Pohlig-Hellman algorithm, 107–109
  Pollard’s rho algorithm, 106–107
  problem definition, 103
  rigorously analyzed algorithms, 129
  security of individual bits, 116
Divisible electronic coin, 487
Division
  of integers, 63
  of polynomials, 79
Division algorithm
  for integers, 64
  for polynomials, 78
Dixon’s algorithm, 95, 127
DNA computer, 130
Domain of a function, 6, 50
Double DES, 235
Double spending, 487
Double-length MDC, 339
DSA, see Digital Signature Algorithm
Dynamic key establishment, 491
Dynamic secret sharing scheme, 527
E
E-D-E triple encryption, 235, 272
E-E-E triple encryption, 272
Eavesdropper, 13, 495
ECA, see Elliptic curve factoring algorithm
ECB, see Electronic codebook mode
Effective key size, 224
Electronic cash
  divisible, 487
  untraceable, 487
Electronic codebook mode (ECB), 228–230
ElGamal key agreement, 517
ElGamal public-key encryption, 294–298
  generalized
    decryption algorithm, 297
    encryption algorithm, 297
    key generation, 297
  in Z_p^*
    decryption algorithm, 295
    encryption algorithm, 295
    key generation, 294
    recommended parameter sizes, 296
    security of, 296
ElGamal signature scheme, 454–459, 484
  generalized
    key generation, 458
    signature generation, 458
    signature verification, 458
  in Z_p^*
    key generation, 454
    security of, 455–456
    signature generation, 454
    signature verification, 454
  signature verification, 618
  variants of, 457
Elliptic curve
  discrete logarithm problem, 130
  ElGamal public-key encryption, 297
  in public-key cryptography, 316
  patents, 659
  RSA analogue, 315
  supersingular curve, 130, 316
Elliptic curve factoring algorithm (ECA), 94, 125
  implementation reports, 126
Elliptic curve primality proving algorithm, 145
Encrypted key exchange (EKE), 538
Encryption, 11
  see also Block cipher
  see also Public-key encryption
  see also Stream cipher
Encryption exponent for RSA, 286
Encryption function, 11
Encryption scheme, 12
  breakable, 14
Enemy, 13, 495
Enigma, 245, 276
Entity, 13
Entity authentication, 3, 386, 491
  ANSI X9.26 standard, 651
  FIPS 196 standard, 655
  ISO 11131 standard, 652
  ISO/IEC 9798 standard, 401–402, 404–405, 421, 647
  see also Identification
Entropy, 56–57, 246
Ephemeral secret, 494
Equivalence class, 68, 79
Equivocation, 56
Error-correcting code, 298, 363, 506
Escrowed Encryption Standard (EES)
  FIPS 185, 654
ESIGN signature scheme, 473–474, 486
  key generation, 473
  patent, 638, 658
  security of, 474
  signature generation, 473
  signature verification, 473
Euclidean algorithm
  for integers, 66
  for polynomials, 81–83
Euler liar, 138
Euler phi function (φ), 65
Euler pseudoprime, 138
Euler witness, 137
Euler’s criterion, 137
Euler’s theorem, 69
Exclusive-or (XOR), 20
Exhaustive key search, 14, 233–234, 272
Existential forgery, 30, 326, 432
exp (exponential function), 50
Expected running time, 63
Explicit authentication, 492
Exponent array, 617
Exponent recoding, see Exponentiation
Exponential-time algorithm, 59
Exponentiation, 613–629, 633–634
  addition chains, 621
  exponent recoding, 627–629
    signed-digit representation, 627–628
    string-replacement representation, 628–629
  fixed-base comb method, 625–627
  fixed-base Euclidean method, 624–625
  fixed-base windowing method, 623–624
  left-to-right binary method, 615
  left-to-right k-ary method, 615
  modified left-to-right k-ary method, 616
  Montgomery method, 619–620
  repeated square-and-multiply algorithm, 71, 84
  right-to-left binary method, 614
  simultaneous multiple, 617–618
  sliding-window method, 616
  vector-addition chains, 622–623
Extendable secret sharing scheme, 526
Extended Euclidean algorithm
  for integers, 67
  for polynomials, 82
Extended Riemann Hypothesis (ERH), 165
Extension field, 77
Extractor, 406
F
Factor base, 94, 109
Factoring integers, see Integer factorization
Factoring polynomials, see Polynomial factorization
Fail-stop signature scheme, 478–481, 488
  Heijst-Pedersen, 478–481
Fair blind signature scheme, 487
Fair cryptosystems, 640–641, 658
  for Diffie-Hellman key agreement, 641
  patent, 640
FEAL block cipher, 259–262, 278–279
  attacks on, 278–279
  FEAL decryption algorithm, 261
  FEAL-8 encryption algorithm, 261
  FEAL-8 key schedule, 261
  FEAL-N, 262
  FEAL-NX, 262
  patent, 639
  test vectors, 262
Feedback shift register (FSR), 195–203
  de Bruijn, 203
  definition of, 202
  delay element of, 202
  feedback bit of, 202
  feedback function of, 202
  Feedback with carry shift register (FCSR), 217–218, 222
  initial state of, 202
  linear feedback shift register, see Linear feedback shift register (LFSR)
  non-singular, 203
  nonlinear feedback shift register, 202
  output sequence of, 202
  stage of, 202
Feedback with carry shift register (FCSR), 217–218, 222
Feige-Fiat-Shamir identification protocol, 410–412, 422
Feige-Fiat-Shamir signature scheme, 447–449, 483
  identity-based modification, 449
  key generation, 447
  security of, 448
  signature generation, 448
  signature verification, 448
Feistel cipher, 251, 276
Fermat liar, 136
Fermat number, 143, 166
Fermat witness, 136
Fermat’s primality test, 136
Fermat’s theorem, 69
Fiat-Shamir identification protocol
  basic version, 408
  patent, 638, 658
Fiat-Shamir signature scheme, 483
  patent, 638, 658
Field, 77
  characteristic of, 77
  definition of, 77
  extension field of, 77
  finite, see Finite field
  subfield of, 77
Filtering function, 208
Finite field, 80–85
  definition of, 80
  order of, 80
  polynomial basis, 83
FIPS, 654–655, 661
  ordering and acquiring, 656
FIPS 186 pseudorandom bit generator, 174–175
FISH stream cipher, 222
Fixed-point chaining attack, 374
Floyd’s cycle-finding algorithm, 91, 125
Forced delay attack, 417
Formal methods, 534, 541
Forward certificate, 575
Forward error correction, 363
Forward search attack, 34, 42, 288, 420
Fractionation, 276
Frequency distribution
  of English digrams, 247
  of single English characters, 247
Frequency test, 181
Fresh key, 494
Function, 6–10, 50
  bijection, 7
  composition of, 19
  definition of, 6
  injective, 46
  inverse, 7
  involution, 10
  one-to-one, 7
  one-way, 8
  onto, 7
  permutation, 10
  surjective, 46
  trapdoor one-way, 9
Function field sieve, 129
Functional diagram, 6
Functional graph, 54
  component size, 55
  cycle length, 55
  predecessors size, 55
  rho-length, 55
  tail length, 55
  tree size, 55
Functionally trusted third party, 39
G
Gap of a sequence, 180
Garner’s algorithm, 612–613
Gauss’s algorithm, 68
Gaussian integer method, 128
gcd, see Greatest common divisor
Geffe generator, 206
General-purpose factoring algorithm, 90
Generator
  of a cyclic group, 76, 160
    algorithm for finding, 163
  of F_q^*, 81
  of F_{2^m}^*, 163
  of Z_n^*, 69
  of Z_p^*, 164
    algorithm for selecting, 164
Generator matrix, 506
Girault self-certified public key, 522
GMR one-time signature scheme, 468–471, 486
  authentication tree, 470
  key generation, 469
  security of, 470
  signature generation, 469
  signature verification, 469
GOAL stream cipher, 219
Goldwasser-Kilian primality test, 166
Goldwasser-Micali probabilistic public-key encryption, 307–308
  decryption algorithm, 307
  encryption algorithm, 307
  key generation, 307
  security of, 308
Golomb’s randomness postulates, 180
Goppa code, 299, 317
Gordon’s algorithm for strong prime generation, 150
GOST block cipher, 282
GQ identification protocol, 412–414, 422
  patent, 639, 658
GQ signature scheme, 450–451
  key generation, 450
  message recovery variant, 451
  patent, 639, 658
  security of, 451
  signature generation, 450
  signature verification, 450
Grandmaster postal-chess problem, 418
Greatest common divisor
  binary extended gcd algorithm, 608–610, 632
  binary gcd algorithm, 606–607, 632
  Euclidean algorithm, 66
  Lehmer’s gcd algorithm, 607–608, 632
  of integers, 64
  of polynomials, 81
Group, 75–76
  cyclic, 76
  definition of, 75
  of units, 77
  order of, 75
  subgroup of, 76
Group signature, 488
GSM, 586
GSS-API, 655, 661
Gunther’s implicitly-certified public key, 521
Gunther’s key agreement, 522
H
Hagelin M-209, 245, 276
Hamming weight, 105
Handwritten signature, 23
Hard predicate, 115
Hash function, 33, 321–383
  alternate terminology, 325, 371
  applications, 321–322, 330–331
  attacks, 368–375
    birthday, 369–371
    chaining, 373–375
    pseudo-collisions, 371–373
  based on block ciphers, 338–343
    Abreast Davies-Meyer, 380
    Davies-Meyer, 341
    Matyas-Meyer-Oseas, 341
    MDC-2, 342
    MDC-4, 343
    Merkle’s DES-based hash, 338, 339, 378
    Miyaguchi-Preneel, 341
    N-Hash, 380
    Tandem Davies-Meyer, 380
  based on modular arithmetic, 351–352
    MASH-1, 352
    MASH-2, 352
  cascading, 334
  collision resistant (CRHF), 325
  customized, 343–351
    HAVAL, 379
    MD2, 380
    MD4, 346
    MD5, 347
    RIPEMD, 380
    RIPEMD-128, 339, 380
    RIPEMD-160, 339, 350
    Secure Hash Algorithm (SHA-1), 348
    Snefru, 380
  definition of, 322
  ideal security, 336
  initialization value (IV), 335
  MD-strengthening, see MD-strengthening
  Merkle’s meta-method, 333
  one-way (OWHF), 325
  padding, 334–335
  properties of
    2nd-preimage resistance, 323
    collision resistance, 324
    compression, 322
    ease of computation, 322
    local one-wayness, 331
    near-collision resistance, 331
    non-correlation, 331
    partial-preimage resistance, 331
    preimage resistance, 323
    strong collision resistance, 324
    weak collision resistance, 324
  -collision resistant, 424
  strong one-way, 325
  universal classes of, 376
  universal one-way, 377
  weak one-way, 325
Hash-code, 321
Hash-result, 321
Hash-value, 33, 321
HAVAL hash function, 379
Heijst-Pedersen fail-stop signature scheme, 478–481
  key generation, 478
  proof-of-forgery algorithm, 481
  signature generation, 479
  signature verification, 479
Hellman-Merkle patent, 637, 658
Heuristic security, 43, 533
High-order digit, 593
Hill cipher, 240, 274
Historical work factor, 44
HMAC, 355
Homomorphic property of RSA, 289
Homophonic substitution cipher, 17, 240
Hybrid protocol, 512
Hyperelliptic curve
  discrete logarithm problem, 130
  ElGamal public-key encryption, 297
Hypothesis testing, 179–180
I
IC card, 387
IDEA block cipher, 263–265, 279–280
  attacks on, 279–280
  decryption algorithm, 264
  encryption algorithm, 264
  key schedule, 264
  patent, 640, 658
  test vectors, 265
  weak keys, 279
Ideal secret sharing scheme, 526, 527
Identification, 3, 24–25, 385–424
  applications of, 387
  attacks on, 417–420, 424
    chosen-text, 417
    forced delay, 417
    impersonation, 417
    interleaving, 417
    local, 419
    non-interactive, 419
    off-line, 419
    pre-play, 397, 398
    reflection, 417
    remote, 419
    replay, 417
  challenge-response, see Challenge-response identification
  mutual, 387
  passwords, see Passwords (weak authentication)
  questionnaire-based, 420
  relation to signatures, 388
  unilateral, 387
  zero-knowledge, see Zero-knowledge identification
  see also Entity authentication
Identification Friend or Foe (IFF) system, 421
Identity verification, 385
Identity-based key establishment, 493
Identity-based system, 538, 561–562, 587
IDUP, 661
IEEE P1363 standard, 660
IETF, 655
Image of a function, 6, 50
Impersonation, 27, 42, 386, 417
Impersonator, 495
Implicit key authentication, see Key authentication
Implicitly-certified public key, 520–522, 562–563, 588
  Diffie-Hellman using, 522–524
  identity-based, 563
  of Girault, 522
  of Gunther, 521
  self-certified, 563
Imprint, 321
Improved PES (IPES), 279
In-line trusted third party, 547
Incremental hashing, 378
Independent events, 51
Index of coincidence, 248, 275
Index-calculus algorithm, 109–112, 128
  Gaussian integer method, 128
  in F_{2^m}, 111
    implementation reports, 128
  in Z_p, 110
    implementation reports, 128
    linear sieve, 128
    residue list sieve, 128
Information dispersal algorithm (IDA), 539
Information rate, 527
Information security, 2
  objectives of, 3
Information security service, 14
  breaking of, 15
Information theory, 56–57
Initial state
  of an FSR, 202
  of an LFSR, 196
Injective function, 46, 50
Inner product, 118
Input size, 58
Insider, 496
  one-time, 496
  permanent, 496
Integer, 49
  multiple-precision, 593
  negative
    signed-magnitude representation, 593
    two’s complement representation, 594
  single-precision, 593
Integer arithmetic, see Multiple-precision integer arithmetic
Integer factorization, 89–98
  continued fraction algorithm, 126
  Dixon’s algorithm, 95, 127
  elliptic curve algorithm, 94
  general number field sieve, 98
  general-purpose algorithms, 90
  heuristic running times, 127
  multiple polynomial quadratic sieve, 97
  Pollard’s p − 1 algorithm, 92–93
  Pollard’s rho algorithm, 91–92
  problem definition, 89
  quadratic sieve algorithm, 95–97
  random square methods, 94–98
  special number field sieve, 98
  special-purpose algorithms, 90
  trial division, 90–91
Integers modulo n, 67–71
Integrity check value (ICV), 363
Interactive proof system, 406
  Arthur-Merlin games, 421
  completeness, 406
  soundness, 406
Interleaving attack, 42, 417, 531, 540
Interloper, 13
Internal vertex, 557
Internet security standards, 655–656, 661
Intersection of sets, 49
Intruder, 13, 495
Intruder-in-the-middle attack, 530, 540
Inverse function, 7
Inversion attack on stream ciphers, 219
Involution, 10
Irreducible polynomial, 78, 154–160
  algorithm for generating, 156
  algorithm for testing, 155
  number of, 155
  primitive polynomial, see Primitive polynomial
  trinomials, 157
ISO standards, see ISO/IEC standards
ISO/IEC 9796, 442–444, 482–483
ISO/IEC standards, 645–648, 651–653, 660–661
  committee draft (CD), 645
  draft international standard (DIS), 645
  ordering and acquiring, 656
  working draft (WD), 645
Isomorphic, 81, 104
Iterated block cipher, 251
ITU, 653
J
Jacobi sum primality test, 144, 166
Jacobi symbol, 73
  computing, 73
Jefferson cylinder, 243, 274
Joint entropy, 56
JTC1, 645
K
Karatsuba-Ofman multiplication, 630
Kasiski’s method, 248, 275
KDC, see Key distribution center (KDC)
Kerberos authentication protocol, 401, 501–502, 535–536
  RFC 1510, 656
Kerckhoffs’ assumption, 225
Kerckhoffs’ desiderata, 14
Key, 11
  archival, 580
  backup, 580
  cryptoperiod of, 553
  data, 552
  de-registration, 580
  derived, 568
  destruction, 580
  fresh, 494
  generator, 549
  installation, 579
  key-encrypting, 552
  key-transport, 552
  layering, 551–553
  long-term, 553
  master, 551
  notarization, 568
  offsetting, 568
  private, 27, 544
© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
    public, 27, 544
    public-key vs. symmetric-key, 31–32, 551
    recovery, 580
    registration, 579
    revocation, 566, 580
    secret, 544
    separation, 567
    short-term, 553
    symmetric, 544
    terminal, 552
    update, 580
    variant, 568
Key access server, 549
Key agreement, 34, 35, 505–506, 515–524, 536–538
    Blom’s key pre-distribution system, 506
    definition of, 490
    Diffie-Hellman, 516
    ElGamal, 517
    encrypted key exchange (EKE), 538
    Gunther, 522
    MTI/A0, 517–519
    relation to key transport, 491
    Station-to-station (STS), 519
Key authentication, 492
Key clustering attack on block ciphers, 281
Key confirmation, 492
Key control, 494
Key derivation, 490, 498
Key distribution
    confidential keys, 551–555
        key layering, 551–553
        key translation center, 553–554
        symmetric-key certificates, 554–555
    public keys, 555–566
        authentication trees, 556–559
        certificates, 559–561
        identity-based, 561–562
        implicitly-certified, 562–563
Key distribution center (KDC), 491, 500, 547
Key distribution pattern, 536
Key distribution problem, 16, 546
Key distribution system (KDS), 505
    Blom’s KDS bound, 505
    security against coalitions, 505
Key escrow, 584–586
    agent, 550, 584
    Clipper, 584
Key establishment, 489–541
    analysis of, 530–534, 540–541
    attacks on
        interleaving, 531
        intruder-in-the-middle, 530
        misplaced trust in server, 531
        reflection, 530
    authenticated, 492, 493
    compliant, 532
    definition of, 35, 490
    identity-based, 493
    key agreement, see Key agreement
    key transport, see Key transport
    message-independent, 493
    operational, 532
    resilient, 532
    simplified classification, 491
Key life cycle, 577–581
    key states, 580
Key management, 36–38, 543–590
    ANSI X9.17 standard, 650
    ANSI X9.24 standard, 650
    ANSI X9.28 standard, 651
    ANSI X9.42 standard, 651
    centralized, 546
    controlling key usage, 567–570
    definition of, 35, 544
    ISO 8732 standard, 652
    ISO 10202-7 standard, 652
    ISO 11166 standard, 652
    ISO 11568 standard, 653
    ISO/IEC 11770 standard, 647
    key agreement, see Key agreement
    key distribution, see Key distribution
    key establishment, see Key establishment
    key life cycle, 577–581
    key transport, see Key transport
Key management facility, 549
Key notarization, 568
    patent, 642, 658
Key pair, 12
Key pre-distribution scheme, 540
    definition of, 490
Key server, 549
Key space, 11, 21, 224
Key tag, 568
Key translation center (KTC), 491, 500, 547, 553
Key transport, 35, 497–504, 506–515, 535–536
    AKEP1, 499
    AKEP2, 499
    Beller-Yacobi (2-pass), 514
    Beller-Yacobi (4-pass), 513
    COMSET, 536
    definition of, 490
    Kerberos, 501–502
    Needham-Schroeder public-key, 508
    Needham-Schroeder shared-key, 503
    Otway-Rees protocol, 504
    relation to key agreement, 491
    Shamir’s no-key protocol, 500
    X.509 three-way, 512
    X.509 two-way, 511
Key update, 490
Keyed hash function, see Message authentication code (MAC)
Keying material, 544
Keying relationship, 544
Keystream, 20, 193, 194
Keystream generator, 21, 194
Khafre block cipher, 271
    attacks on, 281
    patent, 644
Khufu block cipher, 271
    attacks on, 281
    patent, 644
Knapsack generator, 209, 220
Knapsack problem, 131
Knapsack public-key encryption, 300–306
    Chor-Rivest, 302–306
    Merkle-Hellman, 300–302
Knapsack set, 117
    density of, 120
Known-key attack, 42, 496, 534
Known-key triangle attack, 538
Known-message attack, 432
Known-plaintext attack, 41, 225
KryptoKnight, 535, 541
KTC, see Key translation center (KTC)

L
L^3-lattice basis reduction algorithm, 118–120, 131
Lagrange’s theorem, 76
Lambda method for discrete logarithms, 128
Lamport’s one-time-password scheme, 396
Lanczos method, 129
Lattice, 118
    dimension of, 118
    reduced basis, 118
Lattice basis reduction algorithm, 118–120, 131, 317
Law of large numbers, 52
Law of quadratic reciprocity, 72
lcm, see Least common multiple
Leading coefficient, 78
LEAF, 584–585
Leaf of a binary tree, 557
Least common multiple, 64
Least significant digit, 593
Legendre symbol, 72
    computing, 73
Lehmer’s gcd algorithm, 607–608, 632
Length of a vector, 118
Liar, 135
    Euler, 138
    Fermat, 136
    strong, 139
Life cycle, see Key life cycle
Linear code, 506
Linear combination, 80
Linear complexity, 198–201
    algorithm for computing, see Berlekamp-Massey algorithm
    of a finite sequence, 198
    of a random periodic sequence, 199
    of a random sequence, 198
    of an infinite sequence, 198
    profile, 199
Linear complexity profile, 199–200
    algorithm for computing, 201
    limitations of, 200
    of a random sequence, 199
Linear congruential generator, 170, 187
    multivariate congruential generator, 187
    truncated, 187
Linear consistency attack, 219–220
Linear cryptanalysis
    of block ciphers, 258, 271, 278, 280
    of stream ciphers, 219
Linear feedback shift register (LFSR), 195–201
    connection polynomial of, 196
    definition of, 195
    delay element of, 195
    feedback bit of, 196
    initial state of, 196
    maximum-length, 197
    non-singular, 196
    output sequence of, 195
    stage of, 195
Linear sieve, 128
Linear syndrome attack, 218
Linear system (solving large), 129
Linearly dependent, 80
Linearly independent, 80
LION block cipher, 282
Little-endian, 344
Little-o notation, 59
Lock-in, 221
Logarithm, 49
LOKI block cipher, 281
    LOKI’89, 281
    LOKI’91, 270, 281
Long-term key, 553
Low-order digit, 593
Luby-Rackoff block cipher, 282
LUC cryptosystem, 314
    LUCDIF, 316
    LUCELG, 316
Lucas-Lehmer primality test, 142
Lucifer block cipher, 276
    patent, 641, 659

M
m-sequence, 197
MAC, see Message authentication code (MAC)
Manipulation detection code, see Modification detection code
Mapping, 6, 50
Markov cipher, 280
MASH-1 hash function, 352
    ISO/IEC 10118-4 standard, 647
MASH-2 hash function, 352
    ISO/IEC 10118-4 standard, 647
Master key, 551
Matyas-Meyer-Oseas hash function, 341
    ISO/IEC 10118-2 standard, 647
Maurer’s algorithm for provable prime generation, 153, 167
Maurer’s universal statistical test, 183–185, 189
Maximum order complexity, 217
Maximum-length LFSR, 197
Maximum-rank-distance (MRD) code, 317
McEliece public-key encryption, 298–299, 317
    decryption algorithm, 299
    encryption algorithm, 299
    key generation, 298
    recommended parameter sizes, 299
    security of, 299
MD-strengthening, 334, 335, 337
MD2 hash function, 380
    RFC 1319, 655
MD4 hash function, 346
    RFC 1320, 655
MD5 hash function, 347
    RFC 1321, 655
MD5-MAC, 358
MDC, see Modification detection code
MDC-2 hash function, 342
    ISO/IEC 10118-2 standard, 647
    patent, 639
MDC-4 hash function, 343
    patent, 639
MDS code, 281, 506
Mean, 51
Measure of roughness, 249
Mechanism, 34
Meet-in-the-middle attack
    on double DES, 235
    on double encryption, 235
        time-memory tradeoff, 236
    on multiple encryption
        time-memory tradeoff, 236
Meet-in-the-middle chaining attack, 374
Merkle channel, 48
Merkle one-time signature scheme, 464–466, 485
    authentication tree, 466
    key generation, 464
    patent, 643
    security of, 465
    signature generation, 465
    signature verification, 465
Merkle puzzle scheme, 47, 537
Merkle’s DES-based hash function, 338, 339, 378
Merkle’s meta-method for hashing, 333
Merkle-Hellman knapsack encryption, 300–302, 317–318
    basic
        decryption algorithm, 301
        encryption algorithm, 301
        key generation, 300
    multiple-iterated
        key generation, 302
    patent, 637
    security of, 302
Mersenne number, 142
Mersenne prime, 142, 143, 160
Message authentication, see Data origin authentication
Message authentication code (MAC), 33, 323, 352–359, 381–383
    applications of, 323, 330
    based on block ciphers, 353–354
        CBC-MAC, see CBC-MAC
        CFB-64 MAC, 650
        RIPE-MAC, see RIPE-MAC
    birthday attack on, 352
    customized, 356–358
        bucket hashing, 382
        MD5-MAC, 358
        Message Authenticator Algorithm (MAA), 356
    definition, 325
    for stream ciphers, 358–359
        CRC-based, 359
        Lai-Rueppel-Woollven scheme, 383
        Taylor’s scheme, 383
    from MDCs, 354–355
        envelope method with padding, 355
        hash-based MAC, 355
        HMAC, 355
        secret prefix method, 355
        secret suffix method, 355
        XOR MAC, 382
    ISO 8730 standard, 652
    ISO 9807 standard, 652
    properties of
        compression, 325
        computation-resistance, 325
        ease of computation, 325
        key non-recovery, 325
    retail MAC, 650
    types of attack
        adaptive chosen-text, 326
        chosen-text, 326
        known-text, 326
    types of forgery
        existential, 326
        selective, 326
    see also CBC-MAC
Message authentication tag system, 376
Message Authenticator Algorithm (MAA), 356
    ISO 8731-2 standard, 652
Message concealing in RSA, 290, 313
Message digest, 321
Message integrity code (MIC), 323
Message space, 11
Message-independent key establishment, 493
Micali-Schnorr pseudorandom bit generator, 186
Miller-Rabin primality test, 139, 165
MIME, 656, 661
Minimum disclosure proof, 421
Minimum polynomial, 156
Mips year, 126
MISSI, 590
Mixed-radix representation, 611, 630
Mixing algebraic systems, 279
Miyaguchi-Preneel hash function, 341
Möbius function, 154
mod notation, 64
Modes of operation
    multiple modes, see Multiple encryption, modes of operation
    single modes, see Block cipher, modes of operation
Modification detection code (MDC), 33, 323, 324
Modified-Rabin pseudorandom bit generator, 190
Modified-Rabin signature scheme, 439–442, 482
    key generation, 440
    security of, 441
    signature generation, 440
    signature verification, 440
Modular arithmetic, see Multiple-precision modular arithmetic
Modular exponentiation, see Exponentiation
Modular reduction, 599
    Barrett, 603–605, 631
    Montgomery, 600–602, 631
    special moduli, 605–606
Modular representation, see Mixed-radix representation
Modulus, 67
Monic polynomial, 78
Mono-alphabetic substitution cipher, see Substitution cipher
Monobit test, 181
Monotone access structure, 527
Montgomery exponentiation, 619–620
Montgomery multiplication, 602–603
Montgomery reduction, 600–602, 631
MOSS, 656
    RFC 1848, 656
Most significant digit, 593
MTI protocols, 518, 537
MTI/A0 key agreement, 517–519, 537
    Goss variant, 537
    patent, 644, 659
Multi-secret threshold scheme, 527
Multiple encryption, 234–237
    definition of, 234
    double encryption, 234
    modes of operation, 237
        triple-inner-CBC mode, 237
        triple-outer-CBC mode, 237
    triple encryption, 235
        E-D-E, 235
    two-key triple-encryption, 235
Multiple polynomial quadratic sieve, 97
Multiple-precision integer, 593
Multiple-precision integer arithmetic, 592–599
    addition, 594–595
    division, 598–599
        normalization, 599
    gcd, see Greatest common divisor
    multiplication, 595–596
        discrete Fourier transform (DFT), 631
        Karatsuba-Ofman, 630
    squaring, 596–597
    subtraction, 594–595
Multiple-precision modular arithmetic, 599–606
    addition, 600
    exponentiation, see Exponentiation
    inversion, 610
    multiplication
        classical, 600
        Montgomery multiplication, 602–603
    reduction, 599
        Barrett, 603–605, 631
        Montgomery, 600–602, 631
        special moduli, 605–606
    subtraction, 600
Multiplexer generator, 220
Multiplicative group
    of Z_n^*, 69
    of a finite field, 81
Multiplicative inverse, 68
    computing, 71, 84, 610
Multiplicative property in RSA, 288, 435, 482
Multiplicity of a factor, 122
Multispeed inner-product generator, 220
Multivariate polynomial congruential generator, 187
Mutual authentication, 387, 402, 405, 494
Mutual information, 57
Mutually exclusive events, 51

N
N-Hash function, 380
Name server, 549
Needham-Schroeder public-key, 508, 536
Needham-Schroeder shared-key, 401, 503, 535
Next-bit test, 171
Next-discrepancy, 200
Nibble, 443
NIST, 654
Noise diode, 40
Non-interactive protocol, 493
Non-interactive ZK proof, 424
Non-malleable encryption, 311, 319
Non-repudiation, 3, 4, 582–584
    ISO/IEC 13888 standard, 648
Non-singular
    FSR, 203
    LFSR, 196
Nonce, 397, 497
Nonlinear combination generator, 205–208
    combining function of, 205
Nonlinear feedback shift register, see Feedback shift register (FSR)
Nonlinear filter generator, 208–209
    filtering function, 208
Nonlinear order, 205
Normal basis, 168
    exponentiation, 642
    multiplication, 642
    patents, 642–643, 659
Normal distribution, 176–177
    mean of, 176
    standard, 176
    variance of, 176
Normal polynomial, 168
Normalization, 599
Notarized key, 569
Notary
    agent, 550
    seal, 569
    service, 582
NP, 60
NP-complete, 61
NP-hard, 62
NPC, 61
Number field sieve
    for discrete logarithms, 128
    for integer factorization, 98, 126
        implementation reports, 126, 127
        general number field sieve, 98
        special number field sieve, 98, 126
Number theory, 63–75
Nyberg-Rueppel signature scheme, 460–462, 485
    security of, 461
    signature generation, 461
    signature verification, 461

O
Object identifier (OID), 660
OFB, see Output feedback mode
Off-line trusted third party, 548
Ohta-Okamoto identification protocol, 422
On-line certificate, 576
On-line trusted third party, 547
On-line/off-line signature, 486
    patent, 644
One-key encryption, 15
One-sided statistical test, 179
One-time insider, 496
One-time pad, 21, 192–193, 274
    patent, 657
One-time password scheme, 395–397
One-time signature scheme, 462–471
    Diffie-Lamport, 485
    GMR, 468–471
    Merkle, 464–466
    Rabin, 462–464
    validation parameters, 462
One-to-one function, 7–8, 50
One-way cipher, 377
One-way function, 8–9, 327
    DES-based, 190, 328
    exponentiation modulo a prime, 115, 329
    multiplication of large primes, 329
    Rabin function, 115
    RSA function, 115
One-way hash function (OWHF), 325
One-way permutation, 115, 328
Onto function, 7, 50
Open Systems Interconnection (OSI), 653, 660
Operational, 532
Opponent, 13, 495
    see also Attacker
Optimal normal basis, 168, 659
Oracle, 88
Order
    generating element of maximum order in Z_n^*, 163
    of Z_n^*, 69
    of a finite field, 80
    of a group, 75
    of a group element, 76, 160
        algorithm for determining, 162
    of an element in Z_n^*, 69
Otway-Rees protocol, 504, 536
Output feedback mode (OFB), 232–233
    as a stream cipher, 233
    changing IV in, 232
    counter mode, 233
    feedback size, 233
Outsider, 496
OWHF, see One-way hash function
Ownership, 3

P
P, 60
Palindromic keys of DES, 257
Party, 13
Passcode generator, 402
Passive adversary, 15
Passive attack, 41, 495
Passkey, 395
Passphrase, 390
Passwords (weak authentication), 388–397, 420
    aging, 390
    attacks on, 391–393
        dictionary, 392
        exhaustive search, 391
        password-guessing, 392
        pre-play, 397
        replay, 391
    encrypted password file, 389
    entropy, 392
    generator, 387
    one-time, 395–397
        Lamport’s scheme, 396
    passkey, 395
    passphrase, 390
    personal identification number (PIN), 394
    rules, 389
    salting, 390
    stored password file, 389
    UNIX, 393–394
Patents, 635–645, 657–659
    ordering and acquiring, 645
    priority date, 636
    validity period, 636
PEM, see Privacy Enhanced Mail (PEM)
Pepin’s primality test, 166
Perceptrons problem, 423
Perfect forward secrecy, 496, 534
Perfect power
    testing for, 89
Perfect secrecy, 42, 227, 307
Perfect secret sharing scheme, 526, 527
Perfect zero-knowledge protocol, 407
Period of a periodic sequence, 180
Periodic sequence, 180
    autocorrelation function of, 180
    cycle of, 180
    period of, 180
Permanent insider, 496
Permutation, 10, 50
Permutation polynomial, 314
Permuted kernel problem, 423
Personal Identification Number (PIN)
    ANSI X9.8 standard, 649
    ISO 9564 standard, 652
PGP, see Pretty Good Privacy (PGP)
Phi function (φ), 65
Photuris, 661
Physically secure channel, 13
PIKE stream cipher, 222
PIN, see Passwords (weak authentication), see Personal Identification Number (PIN)
PKCS standards, 656, 661
    ordering and acquiring, 657
PKCS #1, 445–447, 483
Plaintext, 11
Plaintext-aware encryption scheme, 311–312
Playfair cipher, 239, 274
Pless generator, 218
PN-sequence, 181
Pocklington’s theorem, 144
Pohlig-Hellman algorithm, 107–109, 128
Pohlig-Hellman cipher, 271
    patent, 642, 659
Poker test, 182, 188
Policy Certification Authority (PCA), 589
Pollard’s p−1 algorithm, 92–93, 125
Pollard’s rho algorithm
    for discrete logarithms, 106–107, 128
    for factoring, 91–92, 125
Polyalphabetic substitution cipher, 18, 241–242, 273–274
    auto-key cipher, 242
    Beaufort cipher, 241
    cipher machine, see Cipher machine
    PURPLE cipher, 276
    Vigenère cipher
        auto-key, 242
        compound, 241
        full, 242
        running-key, 242
        simple, 18, 241
        single mixed alphabet, 242
Polygram substitution cipher, 239
Polynomial, 78
    irreducible, 78
    leading coefficient of, 78
Polynomial basis, 83
Polynomial factorization, 122–124, 132
    Berlekamp’s Q-matrix algorithm, 124
    square-free factorization, 123
Polynomial-time algorithm, 59
Polynomial-time indistinguishability, 318
Polynomial-time statistical test, 171
Polynomially secure public-key encryption, 306
Polytime reduction, 61, 88
Practical security, 43
Pre-play attack, 397, 398
Pre-positioned secret sharing scheme, 527
Precision, 593
Preimage, 6, 50
Preimage resistance, 323
Pretty Good Privacy (PGP), 661
Primality proving algorithm, see Primality test, true primality test
Primality test
    probabilistic primality test, 135–142
        comparison, 140–142
        Fermat’s test, 136
        Miller-Rabin test, 139
        Solovay-Strassen test, 138
    true primality test, 142–145
        Atkin’s test, 145
        Goldwasser-Kilian test, 166
        Jacobi sum test, 144
        Lucas-Lehmer test, 142
        Pepin’s test, 166
Prime number, 9, 64
Prime number generation, 145–154
    algorithms
        Gordon’s algorithm, 150
        Maurer’s algorithm, 153
        NIST method, 151
        random search, 146
    DSA primes, 150–152
    incremental search, 148
    provable primes, 152–154
    random search, 145–149
    strong primes, 149–150
Prime number theorem, 64
Primitive element, see Generator
Primitive normal polynomial, 168
Primitive polynomial, 157–160
    algorithm for generating, 160
    algorithm for testing, 157
    definition of, 84
Primitives, 4
Principal, 495
Principal square root, 74
Privacy, see Confidentiality
Privacy Enhanced Mail (PEM), 588, 655
    RFCs 1421–1424, 655
Private key, 26, 27, 544
Private-key certificate, see Symmetric-key certificate
Private-key encryption, 15
Probabilistic public-key encryption, 306–312, 318–319
    Blum-Goldwasser, 308–311
    Goldwasser-Micali, 307–308
    security level
        polynomially secure, 306
        semantically secure, 306
Probability, 50
Probability density function, 176
Probability distribution, 50
Probability theory, 50–55
Probable prime, 136
Product cipher, 20, 251
Proof of knowledge, 406, 421, 422
Proposed Encryption Standard (PES), 279
Protection lifetime, 553, 578
Protocol
    authentication, 493
    cut-and-choose, 410, 421
    definition of, 33, 490
    failure of, 34
    hybrid, 512
    identification, see Identification
    key establishment, see Key establishment
    message-independent, 493
    non-interactive, 493
    witness hiding, 423
    zero-knowledge, 405–417
Provable prime, 134, 142
Provable security, 43, 533
Prover, 386
Pseudo-collision, 371
Pseudo-Hadamard transform, 266
Pseudo-noise sequence, 181
Pseudoprime, 136
    Euler, 138
    strong, 139
Pseudorandom bit generator (PRBG), 173–175
    ANSI X9.17, 173
    definition of, 170
    FIPS 186, 174–175
    linear congruential generator, 170, 187
Pseudorandom bit sequence, 170
Pseudorandom function, 331
Pseudorandom sequences, 39–41
Pseudosquares modulo n, 74, 99, 308
Public key, 26, 27, 544
    compared vs. symmetric-key, 31–32, 551
    implicitly-certified, 520–522
Public-key certificate, 39, 559–561, 587
    data part, 559
    distinguished name, 559
    signature part, 559
Public-key encryption, 25–27, 283–319
    advantages of, 31
    disadvantages of, 32
    ElGamal, 294–298
    knapsack, 300–306
        Chor-Rivest, 302–306
        Merkle-Hellman, 300–302
    LUC, see LUC cryptosystem
    McEliece, 298–299
    non-malleable, 311
    plaintext-aware, 311–312
    probabilistic, 306–312
        Blum-Goldwasser, 308–311
        Goldwasser-Micali, 307–308
    Rabin, 292–294
    reversible, 28
    RSA, 285–291
    types of attacks, 285
    Williams, 315
PURPLE cipher, 276
Puzzle system, 376, 537

Q
Quadratic congruential generator, 187
Quadratic non-residues, 70
Quadratic residues, 70
Quadratic residuosity problem, 99, 127, 307
Quadratic sieve factoring algorithm, 95–97, 126
    implementation reports, 126
Quantum computer, 130
Quantum cryptography, 48, 535
Quotient, 64, 78

R
Rabin one-time signature scheme, 462–464
    key generation, 463
    resolution of disputes, 463
    signature generation, 463
    signature verification, 463
Rabin public-key encryption, 292–294, 315
    decryption algorithm, 292
    encryption algorithm, 292
    key generation, 292
    security of, 293
    use of redundancy, 293
Rabin signature scheme, 438–442, 482
    ISO/IEC 9796, 442–444
    key generation, 438
    signature generation, 438
    signature verification, 439
    use of redundancy, 439
Rabin’s information dispersal algorithm (IDA), 539
RACE/RIPE project, 421, 536
Radix representation, 592–593
    base b, 592
    binary, 592
    high-order digit, 593
    least significant digit, 593
    low-order digit, 593
    mixed, 611, 630
    most significant digit, 593
    precision, 593
    radix b, 592
Ramp schemes, see Secret sharing
Random bit generator, 39–41, 171–173
    cryptographically secure pseudorandom bit generator, see Cryptographically secure pseudorandom bit generator (CSPRBG)
    definition of, 170
    hardware techniques, 172
    pseudorandom bit generator, see Pseudorandom bit generator (PRBG)
    software techniques, 172
Random cipher, 225
Random cipher model, 246
Random function, 190
    poly-random, 190
Random mappings model, 54
Random oracle model, 316
Random square methods, 94–98
Random variable, 51
    continuous, 176
    entropy of, 56
    expected value of, 51
    mean of, 51
    standard deviation of, 51
    variance of, 51
Randomized algorithm, 62–63
Randomized DES (RDES) block cipher, 278
Randomized encryption, 225, 296, 306
Randomized stream cipher, 216
Range of a function, 46
Rate of an iterated hash function, 340
Rational numbers, 49
RC2 block cipher, 282
RC4 stream cipher, 222, 282
RC5 block cipher, 269–270, 280–281
    attacks on, 280–281
    decryption algorithm, 270
    encryption algorithm, 270
    key schedule, 270
    patent, 659
    test vectors, 270
    weak keys, 281
Real number, 49
Real-time, 385
Reblocking problem in RSA, 435–436, 482
Receipt, 3
Receiver, 13
Reduced basis, 118
Redundancy, 29, 431
    of English, 245
Reflection attack, 417, 530, 540
Registration authority, 549
Related-key attack on block ciphers, 281
Relatively prime, 64
Remainder, 64, 78
Replay attack, 42, 417
Requests for Comments, see RFCs
Residue list sieve, 128
Resilient key establishment protocol, 532
Response, 409
Retail banking, 648
Retail MAC, 650
Reverse certificate, 575
Reversible public-key encryption scheme, 28
Revocation, 3
RFCs, 655–656
    ordering and acquiring, 657
Ring, 76–77
    commutative, 77
    definition of, 76
    group of units, 77
    polynomial, 78–79
Rip van Winkle cipher, 216
RIPE-MAC, 354, 381
RIPEMD hash function, 380
RIPEMD-128 hash function, 339, 380
RIPEMD-160 hash function, 339, 350
    ISO/IEC 10118-3 standard, 647
Root vertex, 557
Rotor-based machine, see Cipher machine
Round function, 251
Round of a product cipher, 20
RP, 63
RSA-129 number, 126, 130
RSA problem, 98–99, 127, 287
    security of individual bits, 116
RSA pseudorandom bit generator, 185–186
RSA public-key encryption, 285–291, 312–315
    decryption algorithm, 286, 611, 613
    decryption exponent, 286
    elliptic curve analogue, 315
    encryption algorithm, 286
    encryption exponent, 286
    key generation, 286
    modulus, 286
    patent, 638
    prime selection, 290
    recommended modulus size, 290
    security of, 287–290
        adaptive chosen-ciphertext attack, 289, 313
        common modulus attack, 289
        cycling attacks, 289, 313
        forward search attack, 288
        message concealing, 290, 313
        multiplicative properties, 288
        polynomially related plaintext, 313
        relation to factoring, 287
        small decryption exponent, 288
        small encryption exponent, 288, 291, 313
    unbalanced, 314
RSA signature scheme, 433–438, 482
    ANSI X9.31-1 standard, 651
    bandwidth efficiency, 437
    ISO/IEC 9796, 442–444
    key generation, 434
    patent, 638
    PKCS #1, 445–447
    reblocking problem, 435–436, 482
    redundancy function, 437
    security of, 434–435
    signature generation, 434, 613
    signature verification, 434
Run of a sequence, 180
Running key generator, 194
Runs test, 182, 188

S
S/MIME, 661
Safe prime, 537
    algorithm for generating, 164
    definition of, 164
SAFER block cipher, 266–269, 280
    attacks on, 280
    SAFER K-64 decryption algorithm, 269
    SAFER K-64 encryption algorithm, 268
    SAFER K-64 key schedule, 268
    SAFER K-128, 280
    SAFER SK-64 key schedule, 268
    SK-128, 280
    test vectors, 269
Salt, 288, 390
Schnorr identification protocol, 414–416, 422
    patent, 639
Schnorr signature scheme, 459–460, 484
    Brickell-McCurley variant, 484
    Okamoto variant, 484
    patent, 639
    signature generation, 459
    signature verification, 460
SEAL stream cipher, 213–216
    implementation report, 222
    patent, 222
    test vectors, 215
Sealed authenticator, 361
Sealed key, 568
2nd-preimage resistance, 323, 325
Secrecy, see Confidentiality
Secret broadcasting scheme, 540
Secret key, 544
Secret-key certificate, 588
Secret sharing, 524–528, 538–540
    access structure, 526
    authorized subset, 527
    dynamic, 527
    extendable, 526
    generalized, 526–528
    ideal, 527
    information rate, 527
    multi-secret threshold, 527
    perfect, 526, 527
    pre-positioned, 527
    ramp schemes, 539
    shared control schemes, 524–525
    threshold scheme, 525–526
    verifiable, 527
    visual cryptography, 539
    with disenrollment, 528
Secure channel, 13
Secure Hash Algorithm (SHA-1), 348
    ANSI X9.30-2 standard, 651
    FIPS 180-1 standard, 654
    ISO/IEC 10118-3 standard, 647
Secured channel, 13
Security domain, 570
Security policy, 545
Seed, 21, 170
Selective forgery, 326, 432
Self-shrinking generator, 221
Self-synchronizing stream cipher, 194–195
Semantically secure public-key encryption, 306
Semi-weak keys of DES, 257
Sender, 13
Sequence
    block of, 180
    de Bruijn, 203
    gap of, 180
    m-sequence, 197
    periodic, 180
    pn-sequence, 181
    pseudo-noise, 181
    run of, 180
Sequence numbers, 399
Serial test, 181, 188
Session key, 36, 494
Session key establishment, 491
SHA-1, see Secure Hash Algorithm (SHA-1)
Shadow, 538
Shamir’s no-key protocol, 500, 535
Shamir’s threshold scheme, 526, 539
Shared control schemes, 524–525
Shares, 524–528, 538
SHARK block cipher, 281
Shift cipher, 239
Short-term key, 553
Shrinking generator, 211–212
    implementation report, 221
Sieving, 97
Signature, 3, 22–23, 28–30, 425–488
    arbitrated, 472–473
    blind, see Blind signature scheme
    designated confirmer, 487
    deterministic, 427
    Diffie-Lamport, 485
    Digital Signature Algorithm (DSA), 452–454
    ElGamal, 454–459
    ESIGN, 473–474
    fail-stop, see Fail-stop signature scheme
    Feige-Fiat-Shamir, 447–449
    framework, 426–433
    generation algorithm, 426
    GMR, 468–471
    GQ, 450–451
    group, 488
    handwritten, 23
    Merkle one-time, 464–466
    modified-Rabin, 439–442
    Nyberg-Rueppel, 460–462
    on-line/off-line, 486
    Ong-Schnorr-Shamir (OSS), 482, 486
    Rabin, 438–442
    Rabin one-time, 462–464
    randomized, 427
    relation to identification, 388
    resolution of disputes, 30
    RSA, 433–438
    Schnorr, 459–460
    strongly equivalent, 485
    types of attacks, 432
    undeniable, see Undeniable signature scheme
    verification algorithm, 426
    with appendix, 481
        framework, 428–430
        ISO/IEC 14888 standard, 648
        PKCS #1, 445–447
    with message recovery, 29
        framework, 430–432
        ISO/IEC 9796 standard, 442–444, 646, 660
    with redundancy, 29
Signature notarization, 583
Signature space, 427
Signature stripping, 510
Signed-digit representation, 627–628
Signed-magnitude representation, 593
Signer, 23
Significance level, 179
Signing transformation, 22
Simple substitution cipher, see Mono-alphabetic substitution cipher
Simulator, 407
Simultaneous diophantine approximation, 121–122
    algorithm for, 122
    unusually good, 121
Simultaneous multiple exponentiation, 617
Simultaneously secure bits, 115
Single-key encryption, 15
Single-length MDC, 339
Single-precision integer, 593
Singleton bound, 506
SKEME, 661
SKID2 identification protocol, 402, 421
SKID3 identification protocol, 402, 421
SKIP, 661
SKIPJACK block cipher, 282, 654
Sliding-window exponentiation, 616
Small decryption exponent in RSA, 288
Small encryption exponent in RSA, 288, 291, 313
Smart card, 387
    ISO 10202 standard, 652
Smooth
    integer, 92
    polynomial, 112
Snefru hash function, 380
s^n DES S-boxes, 281
Solovay-Strassen primality test, 138, 165
Span, 80
Sparse linear equations, 129
    conjugate gradient method, 129
    Lanczos method, 129
    Wiedemann algorithm, 129
Special-purpose factoring algorithm, 90
SPKM, 656, 661
Split-knowledge scheme, 525
Splitting an integer, 89
Spread spectrum, 45
Square roots, 99–102
    composite modulus, 101–102, 127
    prime modulus, 100–101, 127
SQROOT problem, 101
Square-free factorization, 123
    algorithm for, 123, 132
Square-free integer, 137
Square-free polynomial, 123
Stage
    of an FSR, 202
    of an LFSR, 195
Standard deviation, 51
Standard normal distribution, 176
Standards, 645–657, 660–661
    ANSI, 648–651
    FIPS, 654–655
    IEEE, 660
    Internet, 655–656
    ISO/IEC, 645–648, 651–653
    PKCS, 656
    RFC, 655–656
    X.509, 653
Station-to-station (STS) key agreement, 519, 538
Statistical test, 175–185, 188–189
    autocorrelation test, 182
    frequency test, 181
    hypothesis, 179
    Maurer’s universal statistical test, 183–185, 189
    one-sided test, 179
    poker test, 182
    polynomial-time, 171
    runs test, 182
    serial test, 181
    significance level, 179
    two-sided test, 180
Statistical zero-knowledge protocol, 424
Steganography, 46
Step-1/step-2 generator, 220
Stirling numbers, 53
Stirling’s formula, 59
Stop-and-go generator, 220
Stream cipher, 20–21, 191–222
    A5, 222
    attacks on
        correlation attack, 206, 218
        inversion attack, 219
        linear consistency attack, 219–220
        linear cryptanalysis, 219
        linear syndrome attack, 218
        lock-in, 221
    cellular automata, 222
    classification, 192–195
    clock-controlled generator, 209–212
        alternating step generator, 209–211
        m-sequence cascade, 221
        p-cycle cascade, 220
        self-shrinking generator, 221
        shrinking generator, 211–212
        step-1/step-2 generator, 220
        stop-and-go generator, 220
    comparison with block ciphers, 192
    FISH, 222
    GOAL, 219
    initial state, 193, 194
    keystream, 193, 194
    next-state function, 193
    nonlinear combination generator, 205–208
        Geffe generator, 206
        multiplexer generator, 220
        multispeed inner-product generator, 220
        Pless generator, 218
        summation generator, 207
    nonlinear filter generator, 208–209
        knapsack generator, 209
    one-time pad, 192–193
    output function, 193, 194
    PIKE, 222
    randomized stream cipher, 216
    RC4, 222
    Rip van Winkle cipher, 216
    SEAL, 213–216
    self-synchronizing stream cipher, 194–195
    synchronous stream cipher, 193–194
Strict avalanche criterion (SAC), 277
String-replacement representation, 628–629
Strong collision resistance, 324
Strong equivalent signature schemes, 485
Strong liar, 139
Strong one-way hash function, 325
Strong prime, 149–150
    algorithm for generating, 150
    definition of, 149, 291
    Hellman-Bach patent, 643
    usage in RSA, 291
Strong pseudoprime, 139
Strong pseudoprime test, see Miller-Rabin primality test
Strong witness, 139
Subexponential-time algorithm, 60
Subfield, 77
Subgroup, 76
Subliminal channel, 485
    broadband, 485
    narrowband, 485
Subset sum problem, 61, 117–122, 190
    meet-in-the-middle algorithm, 118
    naive algorithm, 117
    superincreasing, 300
    using L^3 algorithm, 120
Subspace of a vector space, 80
Substitution cipher, 17–18, 238–241
    homophonic, 17, 240
    mono-alphabetic, 17, 239
        affine cipher, 239
        Caesar cipher, 239
        shift cipher, 239
        unicity distance of, 247
    polyalphabetic, 18
    polygram, 239
        Hill cipher, 240
        Playfair cipher, 239
Substitution-permutation (SP) network, 251
Summation generator, 207, 218
Superincreasing subset sum problem, 300
    algorithm for solving, 300
Superuser, 389
Surjective function, 46, 50
SWIFT, 586
Symmetric cryptographic system, 544
Symmetric key, 544
    compared vs. public-key, 31–32, 551
Symmetric-key certificate, 554–555, 587
Symmetric-key encryption, 15–21
    advantages of, 31
    block cipher, 223–282
    definition of, 15
    disadvantages of, 31
    stream cipher, 191–222
Synchronous stream cipher, 193–194
    binary additive stream cipher, 194
Syndrome decoding problem, 190, 423

T
Tapper, 13
TEA block cipher, 282
TEMPEST, 45
Teraflop, 44
Terminal key, 552
Test vectors
    DES, 256
    FEAL, 262
    IDEA, 265
    MD4, 345
    MD5, 345
    MD5-MAC, 358
    RC5, 270
    RIPEMD-160, 345
    SAFER, 269
    SHA-1, 345
3-WAY block cipher, 281
Threshold cryptography, 534
Threshold scheme, 525–526
    Blakley, 538
© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
Index 779
  Shamir, 526, 539
Ticket, 501, 570, 586
Time-memory tradeoff, 236, 273
Time-variant parameter, 362, 397–400, 497
  nonce, 397
  random numbers, 398–399
  sequence numbers, 399
  timestamps, 399–400
Timestamp, 3, 399–400, 420, 581–582
  agent, 550
Toeplitz matrix, 382
Transaction authentication, 362
Transformation, 6
Transinformation, 57
Transposition cipher, 18, 238
  compound, 238
  simple, 18, 238
  unicity distance of, 246
Trapdoor one-way function, 9, 26
Trapdoor predicate, 318
Tree authentication, 376
  patent, 637
Trinomial, 154
Triple encryption, 235–237, 272
Triple-DES, 272, 651
  ANSI X9.52 standard, 651
Triple-inner-CBC mode, 237
Triple-outer-CBC mode, 237
Truncated differential analysis, 271, 280
Trust model, 572
  centralized, 573
  directed graph, 575
  distributed, 575
  hierarchy with reverse certificates, 575
  rooted chain, 573
  separate domains, 573
  strict hierarchical, 573
Trusted server, 491
Trusted third party (TTP), 30, 36, 491, 547–550, 581–584
  authentication server, 549
  certificate directory, 549
  certification authority (CA), 548
  functionally trusted, 39
  in-line, 547
  KDC, see Key distribution center (KDC)
  key access server, 549
  key escrow agent, 550
  key generator, 549
  key management facility, 549
  key server, 549
  KTC, see Key translation center (KTC)
  name server, 549
  notary agent, 550
  off-line, 548
  on-line, 547
  registration authority, 549
  timestamp agent, 550
  unconditionally trusted, 39
TTP, see Trusted third party (TTP)
Turing-Kolmogorov-Chaitin complexity, 217
Two's complement representation, 594
2-adic span, 218
Two-bit test, 181
Two-key triple-encryption, 235
  chosen-plaintext attack on, 236
  known-plaintext attack on, 237
Two-sided statistical test, 180
Type I error, 179
Type II error, 179

U
Unbalanced RSA, 314
Unblinding function, 475
Unconcealed message, 290
Unconditional security, see Perfect secrecy, 533
Unconditionally trusted third party, 39
Undeniable signature scheme, 476–478, 487–488
  Chaum-van Antwerpen, 476–478
  confirmer, 487
Unicity distance
  definition of, 246
  known-plaintext, 235
  of a cascade cipher, 272
  of a mono-alphabetic substitution cipher, 247
  of a transposition cipher, 246
Unilateral authentication, 387, 401–402, 405, 494
Union of sets, 49
Unique factorization domain, 81
Unit, 68, 77, 103, 114
Universal classes of hash function, 376
Universal exponent, 287
Universal forgery, 482
Universal one-way hash function, 377
Universal statistical test, see Maurer's universal statistical test
UNIX passwords, 393–394
Unsecured channel, 13
Unusually good simultaneous diophantine approximation, 121, 317
Userid, 388

V
Validation, 3
Validation parameters, 462
Variance, 51
Vector space, 79–80
  dimension of, 80
  standard basis, 80
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
780 Index
  subspace of, 80
Vector-addition chains, 622–623
Verifiable secret sharing, 527, 539
Verification algorithm, 426
Verification transformation, 22
Verifier, 23, 385, 386
Vernam cipher, see One-time pad
Vigenère cipher, see Polyalphabetic substitution cipher
Visual cryptography, 539

W
WAKE block cipher, 282
Weak collision resistance, 324
Weak keys of DES, 257
Weak one-way hash function, 325
Wheatstone disc, 274
Wholesale banking, 648
Wiedemann algorithm, 129
Williams' public-key encryption, 315
Witness, 135, 409
  Euler, 137
  Fermat, 136
  strong, 139
Witness hiding protocol, 423
Witness indistinguishability, 423
Witnessing, 3
Work factor, 44
  historical, 44
Worst-case running time, 58
Wyner's wire-tap channel, 535

X
X.509 authentication protocol, 536
  three-way, 512
  two-way, 511
X.509 certificate, 587
X.509 standard, 653
XOR, see Exclusive-or

Y
Yuval's birthday attack, 369

Z
Zero-knowledge identification, 405–417, 421–424
  Brickell-McCurley, 423
  comparison of protocols, 416–417
  constrained linear equations problem, 423
  extended Fiat-Shamir, 422
  Feige-Fiat-Shamir, 410–412
  Fiat-Shamir (basic version), 408
  Fischer-Micali-Rackoff, 422
  GQ, 412–414
  Ohta-Okamoto, 422
  permuted kernel problem, 423
  Schnorr, 414–416
  syndrome decoding problem, 423
Zero-knowledge protocol, 405–417, 421–424
  auxiliary-input, 423
  black-box simulation, 423
  challenge, 409
  completeness, 406
  computational, 407
  extracting secret, 406
  for possession of discrete log, 422
  parallel version, 412
  perfect, 407
  proof of knowledge, 406, 421, 422
  proof of membership, 421
  response, 409
  simulator, 407
  soundness, 406
  statistical, 424
  witness, 409
Ziv-Lempel complexity, 217
ì Þ -operation, 82
ZPP, 63