REFERENCES

[Adl95] L.M. Adleman. On constructing a molecular computer, University of Southern California, draft, January 1995.
(See Question 111)

[Adl96] L.M. Adleman. Statement, Cryptographer's Expert Panel, RSA Data Security Conference, San Francisco, CA, January 17, 1996.
(See Question 111)

[AGL95] D. Atkins, M. Graff, A.K. Lenstra and P.C. Leyland. The magic words are squeamish ossifrage. In Advances in Cryptology - Asiacrypt '94, pages 263-277, Springer-Verlag, 1995.
(See Question 51)

[ANS83] American National Standards Institute. American National Standard X3.106: Data Encryption Algorithm, Modes of Operations, 1983.
(See Question 82)

[ANS93a] American National Standards Institute. Draft: American National Standard X9.30-199X: Public-Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 1: The Digital Signature Algorithm (DSA). American Bankers Association, March 1993.
(See Question 160)

[ANS93c] American National Standards Institute. American National Standard X9.31-1992: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 2: The MDC-2 Hash Algorithm, June 1993.

[Atk95a] R. Atkinson. RFC 1825: Security Architecture for the Internet Protocol. Naval Research Laboratory, August 1995.
(See Question 137)

[Bam82] J. Bamford. The Puzzle Palace. Houghton Mifflin, Boston, 1982.
(See Question 148)

[Bar92] J.P. Barlow. Decrypting the puzzle palace. Communications of the ACM, 35(7): 25-31, July 1992.
(See Question 149)

[BBB92] C. Bennett, F. Bessette, G. Brassard, L. Savail, and J. Smolin. Experimental quantum cryptography. Journal of Cryptology, 5(1): 3-28, 1992.
(See Question 110)

[BBC88] P. Beauchemin, G. Brassard, C. Crepeau, C. Goutier, and C. Pomerance. The generation of random numbers that are probably prime. Journal of Cryptology, 1: 53-64, 1988.
(See Question 15)

[BBL95] D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In Advances in Cryptology Crypto '95, pages 386-396, Springer-Verlag, 1995.
(See Question 33)

[BBS86] L. Blum, M. Blum, and M. Shub. A simple unpredicatable random number generator. SIAM Journal on Computing , 15: 364-383, 1986.
(See Question 92)

[BD93b] J. Brandt and I. Damgard. On generation of probable primes by incremental search. In Advances in Cryptology - Crypto '92, pages 358-370, Springer-Verlag, 1993.
(See Question 15)

[BDB92] M.V.D. Burmester, Y.G. Desmedt, and T. Beth. Efficient zero-knowledge identification schemes for smart cards. Computer Journal, 35: 21-29, 1992.
(See Question 18 and Question 143)

[BDK93] E.F. Brickell, D.E. Denning, S.T. Kent, D.P. Maher, and W. Tuchman. Skipjack Review, Interim Report: The Skipjack Algorithm. July 28, 1993.
(See Question 57and Question 80)

[Bea95] D. Beaver. Factoring: The DNA solution. In Advances in Cryptology - Asiacrypt '94, pages 419-423, Springer-Verlag, 1995.
(See Question 111)

[Ben82] P. Benioff. Quantum mechanical Hamiltonian models of Turing machines. Journal of Statistical Physics, 29(3): 515-546, 1982.
(See Question 109)

[BG85] M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In Advances in Cryptology - Crypto '84, pages 289-299, Springer-Verlag, 1985.
(See Question 36)

[BLP94] J.P. Buhler, H.W. Lenstra, and C. Pomerance. The development of the number field sieve. Volume 1554 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
(See Question 48)

[BLS88] J. Brillhart, D.H. Lehmer, J.L. Selfridge, B. Tuckerman, and S.S. Wagstaff Jr. Factorizations of bn � 1, b = 2,3,5,6,7,10,11,12 up to High Powers. Volume 22 of Contemporary Mathematics, American Mathematical Society, 2nd edition, 1988.
(See Question 48)

[BLZ94] J. Buchmann, J. Loho, and J. Zayer. An implementation of the general number field sieve. In Advances in Cryptology - Crypto '93, pages 159-166, Springer-Verlag, 1994.
(See Question 48)

[BM84] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, 13(4): 850-863, 1984.
(See Question 92 and Question 112)

[BO88] E.F. Brickell and A.M. Odlyzko. Cryptanalysis: A survey of recent results. Proceedings of the IEEE, 76: 578-593, 1988.
(See Question 18)

[Bra88] G. Brassard. Modern Cryptology . Volume 325 of Lecture Notes in Computer Science, Springer-Verlag, 1988.
(See Question 1and Question 84)

[Bre89] D.M. Bressoud. Factorization and Primality Testing. Springer-Verlag, 1989.
(See Question 48)

[Bri85] E.F. Brickell. Breaking iterated knapsacks. In Advances in Cryptology - Crypto '84, pages 342-358, Springer-Verlag, 1985.
(See Question 32)

[BS91a] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. In Advances in Cryptology Crypto '90, pages 2-21, Springer-Verlag, 1991.
(See Question 58)

[BS91b] E. Biham and A. Shamir. Differential cryptanalysis of FEAL and N-Hash. In Advances in Cryptology Eurocrypt '91, pages 156-171, Springer-Verlag, 1991.
(See Question 79)

[BS93a] E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. In Advances in Cryptology - Crypto '92, pages 487-496, Springer-Verlag, 1993.
(See Question 58 and Question 65)

[CFN88] D. Chaum, A. Fiat and M. Naor. Untraceable electronic cash. In Advances in Cryptology - Crypto '88, pages 319-327, Springer-Verlag, 1988.
(See Question 39)

[Cha83] D. Chaum. Blind signatures for untraceable payments. In Advances in Cryptology - Crypto '82, pages 199-203, Springer-Verlag, 1983.
(See Question 39 and Question 138)

[Cha85] D. Chaum. Security without identification: transaction systems to make big brother obsolete. Communications of the ACM, 28(10): 1030-1044, October 1985.
(See Question 39 and See Question 138)

[CLR90] T.H. Cormen, C.E. Leiserson, and R.L. Rivest. Introduction to Algorithms. MIT Press, Cambridge, Massachusetts, 1990.
(See Question 9 and Question 48)

[Cop92] D. Coppersmith. The data encryption standard and its strength against attacks. IBM Research Report RC 18613 (81421), T. J. Watson research center, December 1992.
(See Question 58)

[COS86] D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica , 1: 1-15, 1986.
(See Question 52)

[CP94] L. Chen and T.P. Pederson. New group signature schemes. In Advances in Cryptology - Eurocrypt '94, pages 171-181, Springer-Verlag, 1994.
(See Question 42)

[CP95] L. Chen and T.P. Pedersen. On the efficiency of group signatures: providing information-theoretic anonymity. In Advances in Cryptology - Eurocrypt '95, pages 39-49, Springer-Verlag, 1995.
(See Question 42)

[CR88] B. Chor and R.L. Rivest. A knapsack-type public-key cryptosystem based on arithmetic in finite fields. IEEE Transactions on Information Theory, 34(5): 901-909, 1988.
(See Question 32)

[CV90] D. Chaum and H. van Antwerpen. Undeniable signatures. In Advances in Cryptology - Crypto '89, pages 212-216, Springer-Verlag, 1990.
(See Question 44)

[CV91] D. Chaum and E. van Heijst. Group signatures. In Advances in Cryptology - Eurocrypt '91, pages 257-265, Springer-Verlag, 1991.
(See Question 42)

[CV92] D. Chaum and H. van Antwerpen. Cryptographically strong undeniable signatures, unconditionally secure for the signer. In Advances in Cryptology - Crypto '91 , pages 470-484, Springer-Verlag, 1992.
(See Question 44)

[CW93] K.W. Campbell and M.J. Wiener. DES is not a group. In Advances in Cryptology - Crypto '92, pages 512-520, Springer-Verlag, 1993.
(See Question 70)

[Dam90] I. Damg�rd. A design principle for hash functions. In Advances in Cryptology - Crypto '89, pages 416-427, Springer-Verlag, 1990.
(See Question 32 and Question 97)

[Dav82] G. Davida. Chosen signature cryptanalysis of the RSA public key cryptosystem. Technical Report TR-CS-82-2, Department of EECS, University of Wisconsin, Milwaukee, 1982.
(See Question 10)

[DB95] D.E. Denning and D.K. Branstad. A taxonomy for key escrow encryption systems. January, 1995.
(See Question 153 and Question 154)

[Den95] D.E. Denning. The Case for "Clipper." Technology Review, pages 48-55, July 1995.

[Des95] Y. Desmedt. Securing traceability of ciphertexts-Towards a secure software key escrow system. In Advances in Cryptology - Eurocrypt '95, pages 147-157, Springer-Verlag, 1995.
(See Question 154)

[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22: 644-654, 1976.
(SeeQuestion 3, Question 4, and Question 108)

[DH77] W. Diffie and M.E. Hellman. Exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer , 10: 74-84, 1977.
(See Question 57 and Question 65)

[Dif88] W. Diffie. The first ten years of public-key cryptography. Proceedings of the IEEE, 76: 560-577, 1988.
(See Question 3)

[DIP94] D. Davies, R. Ihaka, and P. Fenstermacher. Cryptographic randomness from air turbulence in disk drives. In Advances in Cryptology - Crypto '94, pages 114-120, Springer-Verlag, 1994.
(See Question 112)

[Div95] D.P. DiVincenzo. Two-bit gates are universal for quantum computation. Physical Review A, 51: 1015-1022, 1995.

[DL95] B. Dodson and A.K. Lenstra. NFS with four large primes: An explosive experiment. In Advances in Cryptology Crypto '95, pages 372-385, Springer-Verlag, 1995.
(See Question 48)

[DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In Advances in Cryptology - Crypto '85, pages 516-522, Springer-Verlag, 1986.
(See Question 10)

[Dob95] H. Dobbertin. Alf Swindles Ann. CryptoBytes, 1(3): 5, 1995.
(See Question 99)

[DP83] D.W. Davies and G.I. Parkin. The average cycle size of the key stream in output feedback encipherment. In Advances in Cryptology: Proceedings of Crypto '82, pages 97-98, Plenum Press, 1983.
(See Question 83)

[DRB95] P. Domokos, M.J. Raimond, M. Brune, and S. Haroche. A simple cavity-QED two-bit universal quantum logic gate: principle and expected performances. Physical Review A. To appear.

[DVW92] W. Diffie, P.C. van Oorschot, and M.J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2: 107-125, 1992.
(See Question 25)

[ECS94] D. Eastlake, 3rd, S. Crocker, and J. Schiller. RFC 1750: Randomness Recommendations for Security . DEC, Cybercash, and MIT, December 1994.
(See Question 112)

[For94] W. Ford. Computer Communications Security - Principles, Standard Protocols and Techniques, Prentice-Hall, New Jersey, 1994.
(See Question 1, Question 20, and Question 113)

[FR95] P. Fahn and M.J.B. Robshaw. Results from the RSA Factoring Challenge. Technical Report TR-501, version 1.3, RSA Laboratories, January 1995.
(See Question 50)

[FS87] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology - Crypto '86, pages 186-194, Springer-Verlag, 1987.
(See Question 18 and Question 107)

[FY94] M. Franklin and M. Yung. Blind Weak Signature and its Applications: Putting Non-Cryptographic Secure Computation to Work. In Advances in Cryptology - Eurocrypt '94, pages 67-76, Springer-Verlag, 1994.
(See Question 39)

[Has88] J. Hastad. Solving simultaneous modular equations of low degree. SIAM Journal of Computing, 17: 336-241, 1988.
(See Question 10)

[Hel80] M.E. Hellman. A cryptanalytic time-memory trade off. IEEE Transactions on Information Theory, IT-26: 401-406, 1980.
(See Question 65)

[Kah67] D. Kahn. The Codebreakers. Macmillan Co., New York, 1967.
(See Question 1)

[Kal92] B.S. Kaliski Jr. RFC 1319: The MD2 Message-Digest Algorithm. RSA Laboratories, April 1992.
(See Question 99)

[Kal93a] B.S. Kaliski Jr. RFC 1424: Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services. RSA Laboratories, February 1993.

[Kal93b] B.S. Kaliski Jr. A survey of encryption standards. IEEE Micro, 13(6): 74-81, December 1993.
(See Question 20 and Question 127)

[Kal95] B.S. Kaliski Jr. A chosen message attack on Demytko's cryptosystem. Journal of Cryptology. To appear.
(See Question 31)

[Knu81] D.E. Knuth. The Art of Computer Programming, volume 2, Seminumerical Algorithms. Addison-Wesley, 2nd edition, 1981.
(See Question 48 and Question 112)

[Knu93] L.R. Knudsen. Practically secure Feistel ciphers. In Proceedings of 1st Workshop on Fast Software Encryption, pages 211-221, Springer-Verlag, 1993.
(See Question 59)

[Knu95] L.R. Knudsen. A key-schedule weakness in SAFER K-64. In Advances in Cryptology - Crypto '95, pages 274-286, Springer-Verlag, 1995.
(See Question 78)

[KO95] K. Kurosawa and K. Okada. Low exponent attack against elliptic curve RSA. In Advances in Cryptology - Asiacrypt '94, pages 376-383, Springer-Verlag, 1995.
(See Question 31)

[Kob87] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48: 203-209, 1987.
(See Question 31)

[Kob94] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, 1994.
(Question 30 and Question 48)

[Koc94] �.K. Ko�. High-Speed RSA Implementation. Technical Report TR-201, version 2.0, RSA Laboratories, November 1994.
(See Question 9)

[KR94] B.S. Kaliski Jr. and M.J.B. Robshaw. Linear cryptanalysis using multiple approximations. In Advances in Cryptology - Crypto '94, pages 26-39, Springer-Verlag, 1994.
(See Question 59)

[KR95a] B.S. Kaliski Jr. and M.J.B. Robshaw. Linear cryptanalysis using multiple approximations and FEAL. In Proceedings of 2nd Workshop on Fast Software Encryption, pages 249-264, Springer-Verlag, 1995.
(See Question 79)

[KR95c] B.S. Kaliski Jr. and M.J.B. Robshaw. The secure use of RSA. CryptoBytes, 1(3): 7-13, 1995.
(See Question 10)

[KR96] B.S. Kaliski Jr. and M.J.B. Robshaw. Multiple encryption: weighing up security and performance. Dr. Dobb's Journal, #243, pages 123-127, January 1996.
(See Question 85 and Question 72)

[KT91] V.I. Korzhik and A.I. Turkin. Cryptanalysis of McEliece's public-key cryptosystem. In Advances in Cryptology - Eurocrypt '91, pages 68-70, Springer-Verlag, 1991.
(See Question 34)

[KY95] B.S. Kaliski Jr. and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In Advances in Cryptology - Crypto '95, pages 171-183, Springer-Verlag, 1995.
(See Question 76)

[Lan88] S. Landau. Zero knowledge and the Department of Defense. Notices of the American Mathematical Society, 35: 5-12, 1988.
(See Question 149)

[Mau94] U. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Advances in Cryptology - Crypto '94, pages 271-281, Springer-Verlag, 1994.
(See Question 24)

[Mce78] R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report 42-44 , pages 114-116, 1978.
(See Question 34)

[Mcn95] F.L. McNulty. Clipper Alive and well as a voluntary government standard for telecommunications. The 1995 RSA Data Security Conference, January 1995.

[Men93] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.

[Mer79] R.C. Merkle. Secrecy, authentication and public-key systems. Ph. D. Thesis, Stanford University, 1979.

[Odl95] A.M. Odlyzko. The future of integer factorization. CryptoBytes, 1(2): 5-12, 1995.
(See Question 12)

[Oka93] T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Advances in Cryptology - Crypto '92, pages 31-53, Springer-Verlag, 1993.
(See Question 143)

[OPS93] Office of the Press Secretary. Statement . The White House, April 16, 1993.
(See Question 151)

[Pol74] J. Pollard. Theorems of factorization and primality testing. Proceedings of Cambridge Philosophical Society, 76: 521-528, 1974.
(See Question 48 and Question 52)

[Pol75] J. Pollard. Monte Carlo method for factorization. BIT, 15: 331-334, 1975.
(See Question 48)

[Pre93] B. Preneel. Analysis and Design of Cryptographic Hash Functions. Ph.D. Thesis, Katholieke University Leuven, 1993.
(See Question 94, Question 99, Question 100, and Question 101)

[Riv90] R.L. Rivest. Cryptography. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume A, pages 719-755, MIT Press/Elsevier, Amsterdam, 1990.
(See Question 1)

[Riv91a] R.L. Rivest. Finding four million random primes. In Advances in Cryptology - Crypto '90, pages 625-626, Springer-Verlag, 1991.
(See Question 15 and Question 52)

[Riv91b] R.L. Rivest. The MD4 message digest algorithm. In Advances in Cryptology - Crypto '90, pages 303-311, Springer-Verlag, 1991.
(See Question 99)

[Riv92a] R.L. Rivest. Response to NIST's proposal. Communications of the ACM, 35: 41-47, July 1992.
(See Question 12 and Question 52)

[Riv92b] R.L. Rivest. RFC 1320: The MD4 Message-Digest Algorithm. Network Working Group, April 1992.
(See Question 99)

[Riv92c] R.L. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. Internet Activities Board, April 1992.
(See Question 99)

[Rob95d] M.J.B. Robshaw. Security estimates for 512-bit RSA. Technical Note, RSA Laboratories, June 1995.
(See Question 12)

[RS95] E. Rescorla and A. Schiffman. The Secure HyperText Transfer Protocol. Internet-Draft, EIT, July 1995.
(See Question 133)

[RSA78] R.L. Rivest, A. Shamir, and L.M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2): 120-126, February 1978.
(See Question 8 and Question 108)

[RSA95] RSA Laboratories. PKCS #11: Cryptographic Token Interface Standard. Version 1.0, April 1995.
(See Question 145)

[Rue92] R.A. Rueppel. Stream ciphers. In Contemporary Cryptology - The Science of Information Integrity . IEEE Press, 1992.
(See Question 92)

[SB93] M.E. Smid and D.K. Branstad. Response to comments on the NIST proposed Digital Signature Standard. In Advances in Cryptology - Crypto '92, pages 76-87, Springer-Verlag, 1993.
(See Question 26 and Question 27)

[Sch83] I. Schaumuller-Bichl. Cryptanalysis of the Data Encryption Standard by a method of formal coding. Cryptography, Proc. Burg Feuerstein 1982, 149: 235-255, Berlin,1983.
(See Question 74)

[Sch90] C.P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - Crypto '89, pages 239-251, Springer-Verlag, 1990.
(See Question 27 and Question 18)

[Sch95b] B. Schneier. Applied Cryptography : Protocols, Algorithms, and Source Code in C. Wiley, 2nd Edition, 1995.
(See Question 1 and Question 18)

[SH95] C.P. Schnorr and H.H. H�rner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Advances in Cryptology - Eurocrypt '95, pages 1-12, Springer-Verlag, 1995.
(See Question 32)

[Sha95] M. Shand. Personal communication. 1995.
(See Question 9)

[Sho94] P.W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual IEEE Symposium on the Foundations of Computer Science, pages 124-134, 1994.
(See Question 109)

[Sil87] R.D. Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48: 329-339, 1987.
(See Question 48)

[Sim92] G.J. Simmons, editor. Contemporary Cryptology - The Science of Information Integrity. IEEE Press, 1992.
(See Question 1, Question 103, and Question 105)

[Sta95] W. Stallings. Network and Internetwork Security Principles and Practice. Prentice-Hall, New Jersey, 1995.
(See Question 1)

[Sti95] D.R. Stinson. Cryptography - Theory and Practice. CRC Press, Boca Raton, 1995.
(See Question 1 and Question 102)

[SV93] M. Shand and J. Vuillemin. Fast implementations of RSA cryptography. In Proceedings of the 11th IEEE Symposium on Computer Arithmetic, pages 252-259, IEEE Computer Society Press, 1993.
(See Question 9)