**[Adl95]** L.M. Adleman. On constructing a molecular computer,
University of Southern California, draft, January 1995.

**(***See **Question 111***)**

**[Adl96]** L.M. Adleman. Statement, Cryptographer's Expert Panel,
RSA Data Security Conference, San Francisco, CA, January 17,
1996.

**(***See **Question 111***)**

**[AGL95]** D. Atkins, M. Graff, A.K. Lenstra and P.C. Leyland. The
magic words are squeamish ossifrage. In *Advances in Cryptology
- Asiacrypt '94*, pages 263-277, Springer-Verlag, 1995.

**(***See **Question 51***)**

**[ANS83]** American National Standards Institute. *American
National Standard X3.106: Data Encryption Algorithm, Modes of
Operations, *1983*.*

**(***See **Question 82***)**

**[ANS93a]** American National Standards Institute. *Draft:
American National Standard X9.30-199X: Public-Key Cryptography
Using Irreversible Algorithms for the Financial Services
Industry: Part 1: The Digital Signature Algorithm (DSA)*.
American Bankers Association, March 1993.

**(***See **Question 160***)**

**[ANS93c]** American National Standards Institute. *American
National Standard X9.31-1992: Public Key Cryptography Using
Reversible Algorithms for the Financial Services Industry: Part
2: The MDC-2 Hash Algorithm*, June 1993.

**[Atk95a]** R. Atkinson. *RFC 1825: Security Architecture for the
Internet Protocol*. Naval Research Laboratory, August 1995.

**(***See **Question 137***)**

**[Bam82]** J. Bamford. *The Puzzle Palace. *Houghton Mifflin,
Boston, 1982.

**(***See **Question 148***)**

**[Bar92]** J.P. Barlow. Decrypting the puzzle palace. *Communications
of the ACM*, 35(7): 25-31, July 1992.

**(***See **Question 149***)**

**[BBB92]** C. Bennett, F. Bessette, G. Brassard, L. Savail, and J.
Smolin. Experimental quantum cryptography. *Journal of
Cryptology*, 5(1): 3-28, 1992.

**(***See **Question 110***)**

**[BBC88]** P. Beauchemin, G. Brassard, C. Crepeau, C. Goutier, and
C. Pomerance. The generation of random numbers that are probably
prime. *Journal of Cryptology*, 1: 53-64, 1988.

**(***See **Question 15***)**

**[BBL95]** D. Bleichenbacher, W. Bosma, and A. Lenstra. Some
remarks on Lucas-based cryptosystems. In *Advances in
Cryptology Crypto '95*, pages 386-396, Springer-Verlag, 1995.

**(***See **Question 33***)**

**[BBS86]** L. Blum, M. Blum, and M. Shub. A simple unpredicatable
random number generator. *SIAM Journal on Computing *, 15:
364-383, 1986.

**(***See **Question 92***)**

**[BD93b]** J. Brandt and I. Damgard. On generation of probable
primes by incremental search. In *Advances in Cryptology -
Crypto '92*, pages 358-370, Springer-Verlag, 1993.

**(***See **Question 15***)**

**[BDB92]** M.V.D. Burmester, Y.G. Desmedt, and T. Beth. Efficient
zero-knowledge identification schemes for smart cards. *Computer
Journal*, 35: 21-29, 1992.

**(***See **Question 18** and **Question 143***)**

**[BDK93]** E.F. Brickell, D.E. Denning, S.T. Kent, D.P. Maher, and
W. Tuchman. S*kipjack Review, Interim Report: The Skipjack
Algorithm*. July 28, 1993.

**(***See **Question 57**and **Question 80***)**

**[Bea95]** D. Beaver. Factoring: The DNA solution. In* Advances
in Cryptology - Asiacrypt* *'94*, pages 419-423,
Springer-Verlag, 1995.

**(***See **Question 111***)**

**[Ben82]** P. Benioff. Quantum mechanical Hamiltonian models of
Turing machines. *Journal of Statistical Physics*, 29(3):
515-546, 1982.

**(***See **Question 109***)**

**[BG85]** M. Blum and S. Goldwasser. An efficient probabilistic
public-key encryption scheme which hides all partial information.
In *Advances in Cryptology - Crypto '84*, pages 289-299,
Springer-Verlag, 1985.

**(***See **Question 36***)**

**[BLP94]** J.P. Buhler, H.W. Lenstra, and C. Pomerance. The
development of the number field sieve. Volume 1554 of *Lecture
Notes in Computer Science,* Springer-Verlag, 1994.

**(***See **Question 48***)**

**[BLS88]** J. Brillhart, D.H. Lehmer, J.L. Selfridge, B.
Tuckerman, and S.S. Wagstaff Jr. *Factorizations of bn ± 1, b
= *2,3,5,6,7,10,11,12* up to High Powers*. Volume 22 of *Contemporary
Mathematics*, American Mathematical Society, 2nd edition,
1988.

**(***See **Question 48***)**

**[BLZ94]** J. Buchmann, J. Loho, and J. Zayer. An implementation
of the general number field sieve. In *Advances in Cryptology -
Crypto '93*, pages 159-166, Springer-Verlag, 1994.

**(***See **Question 48***)**

**[BM84]** M. Blum and S. Micali. How to generate
cryptographically strong sequences of pseudo-random bits. *SIAM
Journal on Computing*, 13(4): 850-863, 1984.

**(***See **Question 92** and **Question 112***)**

**[BO88]** E.F. Brickell and A.M. Odlyzko. Cryptanalysis: A survey
of recent results. *Proceedings of the IEEE*, 76: 578-593,
1988.

**(***See **Question 18***)**

**[Bra88]** G. Brassard. *Modern Cryptology *. Volume 325 of *Lecture
Notes in Computer Science*, Springer-Verlag, 1988.

**(***See **Question 1**and **Question 84***)**

**[Bre89]** D.M. Bressoud. *Factorization and Primality Testing*.
Springer-Verlag, 1989.

**(***See **Question 48***)**

**[Bri85]** E.F. Brickell. Breaking iterated knapsacks. In *Advances
in Cryptology - Crypto '84*, pages 342-358, Springer-Verlag,
1985.

**(***See **Question 32***)**

**[BS91a]** E. Biham and A. Shamir. Differential cryptanalysis of
DES-like cryptosystems. In *Advances in Cryptology Crypto '90*,
pages 2-21, Springer-Verlag, 1991.

**(***See **Question 58***)**

**[BS91b]** E. Biham and A. Shamir. Differential cryptanalysis of
FEAL and N-Hash. In *Advances in Cryptology Eurocrypt '91*,
pages 156-171, Springer-Verlag, 1991.

**(***See **Question 79***)**

**[BS93a]** E. Biham and A. Shamir. Differential cryptanalysis of
the full 16-round DES. In *Advances in Cryptology - Crypto '92*,
pages 487-496, Springer-Verlag, 1993.

**(***See **Question 58** and **Question 65***)**

**[CFN88]** D. Chaum, A. Fiat and M. Naor. Untraceable electronic
cash. In* Advances in Cryptology - Crypto* *'88, *pages
319-327, Springer-Verlag, 1988.

**(***See **Question 39***)**

**[Cha83]** D. Chaum. Blind signatures for untraceable payments. In*
Advances in Cryptology - Crypto* *'82,* pages 199-203,
Springer-Verlag, 1983.

**(***See **Question 39** and **Question 138***)**

**[Cha85]** D. Chaum. Security without identification: transaction
systems to make big brother obsolete. *Communications of the
ACM*, 28(10): 1030-1044, October 1985.

**(***See **Question 39** and See **Question 138***)**

**[CLR90]** T.H. Cormen, C.E. Leiserson, and R.L.
Rivest. *Introduction to Algorithms*.
MIT Press, Cambridge, Massachusetts, 1990.

**(***See **Question 9** and **Question 48***)**

**[Cop92]** D. Coppersmith. The data encryption standard and its
strength against attacks. *IBM Research Report *RC 18613
(81421), T. J. Watson research center, December 1992.

**(***See **Question 58***)**

**[COS86]** D. Coppersmith, A.M. Odlyzko, and R. Schroeppel.
Discrete logarithms in* GF(p).* *Algorithmica *, 1:
1-15, 1986.

**(***See **Question 52***)**

**[CP94]** L. Chen and T.P. Pederson. New group signature schemes.
In *Advances in Cryptology - Eurocrypt* *'94*, pages
171-181, Springer-Verlag, 1994.

**(***See **Question 42***)**

**[CP95]** L. Chen and T.P. Pedersen. On the efficiency of group
signatures: providing information-theoretic anonymity. In*
Advances in Cryptology - Eurocrypt* *'95*, pages 39-49,
Springer-Verlag, 1995.

**(***See **Question 42***)**

**[CR88]** B. Chor and R.L.
Rivest. A knapsack-type public-key
cryptosystem based on arithmetic in finite fields. *IEEE
Transactions on Information Theory*, 34(5): 901-909, 1988.

**(***See **Question 32***)**

**[CV90]** D. Chaum and H. van Antwerpen. Undeniable signatures.
In *Advances in Cryptology - Crypto '89*, pages 212-216,
Springer-Verlag, 1990.

**(***See **Question 44***)**

**[CV91]** D. Chaum and E. van Heijst. Group signatures. In*
Advances in Cryptology - Eurocrypt '91*, pages 257-265,
Springer-Verlag, 1991.

**(***See **Question 42***)**

**[CV92]** D. Chaum and H. van Antwerpen. Cryptographically strong
undeniable signatures, unconditionally secure for the signer. In *Advances
in Cryptology - Crypto '91 *, pages 470-484, Springer-Verlag,
1992.

**(***See **Question 44***)**

**[CW93]** K.W. Campbell and M.J. Wiener. DES is not a group. In *Advances
in Cryptology - Crypto '92*, pages 512-520, Springer-Verlag,
1993.

**(***See **Question 70***)**

**[Dam90]** I. Damgård. A design principle for hash functions. In *Advances
in Cryptology - Crypto* *'89*, pages 416-427,
Springer-Verlag, 1990.

**(***See **Question 32** and **Question 97***)**

**[Dav82]** G. Davida. *Chosen signature cryptanalysis of the RSA
public key cryptosystem*. Technical Report TR-CS-82-2,
Department of EECS, University of Wisconsin, Milwaukee, 1982.

**(***See **Question 10***)**

**[DB95]** D.E. Denning and D.K. Branstad. *A taxonomy for key
escrow encryption systems*. January, 1995.

**(***See **Question 153** and **Question 154***)**

**[Den95]** D.E. Denning. The Case for "Clipper." *Technology
Review*, pages 48-55, July 1995.

**[Des95]** Y. Desmedt. Securing traceability of
ciphertexts-Towards a secure software key escrow system. In *Advances
in Cryptology - Eurocrypt* *'95*, pages 147-157,
Springer-Verlag, 1995.

**(***See **Question 154***)**

**[DH76]** W. Diffie and M.E. Hellman. New directions in
cryptography. *IEEE Transactions on Information Theory*,
IT-22: 644-654, 1976.

**(***See**Question 3**, **Question 4**, and **Question 108***)**

**[DH77]** W. Diffie and M.E. Hellman. Exhaustive cryptanalysis of
the NBS Data Encryption Standard. *Computer *, 10: 74-84,
1977.

**(***See **Question 57** and **Question 65***)**

**[Dif88]** W. Diffie. The first ten years of public-key
cryptography. *Proceedings of the IEEE*, 76: 560-577, 1988.

**(***See **Question 3***)**

**[DIP94]** D. Davies, R. Ihaka, and P. Fenstermacher.
Cryptographic randomness from air turbulence in disk drives. In *Advances
in Cryptology - Crypto* *'94*, pages 114-120,
Springer-Verlag, 1994.

**(***See **Question 112***)**

**[Div95]** D.P. DiVincenzo. Two-bit gates are universal for
quantum computation. *Physical Review A*, 51: 1015-1022,
1995.

**[DL95]** B. Dodson and A.K. Lenstra. NFS with four large primes:
An explosive experiment. In *Advances in Cryptology Crypto '95,*
pages 372-385, Springer-Verlag, 1995.

**(***See **Question 48***)**

**[DO86]** Y. Desmedt and A.M. Odlyzko. A chosen text attack on
the RSA cryptosystem and some discrete logarithm schemes. In*
Advances in Cryptology - Crypto* *'85*, pages 516-522,
Springer-Verlag, 1986.

**(***See **Question 10***)**

**[Dob95]** H. Dobbertin. Alf Swindles Ann. *CryptoBytes*, 1(3): 5,
1995.

**(***See **Question 99***)**

**[DP83]** D.W. Davies and G.I. Parkin. The average cycle size of
the key stream in output feedback encipherment. In* Advances in
Cryptology: Proceedings of Crypto '82*, pages 97-98, Plenum
Press, 1983.

**(***See **Question 83***)**

**[DRB95]** P. Domokos, M.J. Raimond, M. Brune, and S. Haroche. A
simple cavity-QED two-bit universal quantum logic gate: principle
and expected performances. *Physical Review A*. To appear.

**[DVW92]** W. Diffie, P.C. van Oorschot, and M.J. Wiener.
Authentication and authenticated key exchanges. *Designs, Codes
and Cryptography*, 2: 107-125, 1992.

**(***See **Question 25***)**

**[ECS94]** D. Eastlake, 3rd, S. Crocker, and J. Schiller. *RFC
1750: Randomness Recommendations for Security *. DEC,
Cybercash, and MIT, December 1994.

**(***See **Question 112***)**

**[For94]** W. Ford. *Computer Communications Security -
Principles, Standard Protocols and Techniques*, Prentice-Hall,
New Jersey, 1994.

**(***See **Question 1**, **Question 20**, and **Question 113***) **

**[FR95]** P. Fahn and M.J.B. Robshaw. *Results from the RSA
Factoring Challenge*. Technical Report TR-501, version 1.3,
RSA Laboratories,* *January 1995.

**(***See **Question 50***)**

**[FS87]** A. Fiat and A. Shamir. How to prove yourself: Practical
solutions to identification and signature problems. In *Advances
in Cryptology - Crypto '86*, pages 186-194, Springer-Verlag,
1987.

**(***See **Question 18** and **Question 107***)**

**[FY94]** M. Franklin and M. Yung. Blind Weak Signature and its
Applications: Putting Non-Cryptographic Secure Computation to
Work. In* Advances in Cryptology - Eurocrypt '94*, pages
67-76, Springer-Verlag, 1994.

**(***See **Question 39***)**

**[Has88]** J. Hastad. Solving simultaneous modular equations of
low degree. *SIAM Journal of Computing*, 17: 336-241, 1988.

**(***See **Question 10***)**

**[Hel80]** M.E. Hellman. A cryptanalytic time-memory trade off. *IEEE
Transactions on Information Theory*, IT-26: 401-406, 1980.

**(***See **Question 65***)**

**[Kah67]** D. Kahn. *The Codebreakers*. Macmillan Co., New
York, 1967.

**(***See **Question 1***)**

**[Kal92]** B.S. Kaliski Jr. *RFC 1319: The MD2 Message-Digest
Algorithm*. RSA Laboratories, April 1992.

**(***See **Question 99***)**

**[Kal93a]** B.S. Kaliski Jr. *RFC 1424: Privacy Enhancement for
Internet Electronic Mail: Part IV: Key Certification and Related
Services*. RSA Laboratories, February 1993.

**[Kal93b]** B.S. Kaliski Jr. A survey of encryption standards. *IEEE
Micro*, 13(6): 74-81, December 1993.

**(***See **Question 20** and **Question 127***)**

**[Kal95]** B.S. Kaliski Jr. A chosen message attack on Demytko's
cryptosystem. Journal of Cryptology. To appear.

**(***See **Question 31***)**

**[Knu81]** D.E. Knuth. *The Art of Computer Programming*,
volume 2, *Seminumerical Algorithms*. Addison-Wesley, 2nd
edition, 1981.

**(***See **Question 48** and **Question 112***)**

**[Knu93]** L.R. Knudsen. Practically secure Feistel ciphers. In *Proceedings
of 1st Workshop* on *Fast Software Encryption*, pages
211-221, Springer-Verlag, 1993.

**(***See **Question 59***)**

**[Knu95]** L.R. Knudsen. A key-schedule weakness in SAFER K-64. In
*Advances in Cryptology - Crypto '95*, pages 274-286,
Springer-Verlag, 1995.

**(***See **Question 78***)**

**[KO95]** K. Kurosawa and K. Okada. Low exponent attack against
elliptic curve RSA. In *Advances in Cryptology - Asiacrypt '94*,
pages 376-383, Springer-Verlag, 1995.

**(***See **Question 31***)**

**[Kob87]** N. Koblitz. Elliptic curve cryptosystems. *Mathematics
of Computation*, 48: 203-209, 1987.

**(***See **Question 31***)**

**[Kob94]** N. Koblitz. *A Course in Number Theory and
Cryptography*. Springer-Verlag, 1994.

**(****Question
30**** and ****Question 48****)**

**[Koc94]** Ç.K. Koç. *High-Speed RSA Implementation*.
Technical Report TR-201, version 2.0, RSA Laboratories, November
1994.

**(***See **Question 9***)**

**[KR94]** B.S. Kaliski Jr. and M.J.B. Robshaw. Linear
cryptanalysis using multiple approximations. In *Advances in
Cryptology - Crypto* *'94*, pages 26-39, Springer-Verlag,
1994.

**(***See **Question 59***)**

**[KR95a]** B.S. Kaliski Jr. and M.J.B. Robshaw. Linear
cryptanalysis using multiple approximations and FEAL. In *Proceedings
of 2nd* *Workshop on* *Fast Software Encryption*,
pages 249-264, Springer-Verlag, 1995.

**(***See **Question 79***)**

**[KR95c]** B.S. Kaliski Jr. and M.J.B. Robshaw. The secure use of
RSA. *CryptoBytes,* 1(3): 7-13, 1995.

**(***See **Question 10***)**

**[KR96]** B.S. Kaliski Jr. and M.J.B. Robshaw. *Multiple
encryption: weighing up security and performance*. *Dr.
Dobb's Journal*, #243, pages 123-127, January 1996.

**(***See **Question 85** and **Question 72***)**

**[KT91]** V.I. Korzhik and A.I. Turkin. Cryptanalysis of
McEliece's public-key cryptosystem. In *Advances in Cryptology
- Eurocrypt '91*, pages 68-70, Springer-Verlag, 1991.

**(***See **Question 34***)**

**[KY95]** B.S. Kaliski Jr. and Y.L. Yin. On differential and
linear cryptanalysis of the RC5 encryption algorithm. In*
Advances in Cryptology - Crypto* *'95*, pages 171-183,
Springer-Verlag, 1995.

**(***See **Question 76***)**

**[Lan88]** S. Landau. Zero knowledge and the Department of
Defense. *Notices of the American Mathematical Society*, 35:
5-12, 1988.

**(***See **Question 149***)**

**[Mau94]** U. Maurer. Towards the equivalence of breaking the
Diffie-Hellman protocol and computing discrete logarithms. In *Advances
in Cryptology - Crypto '94*, pages 271-281, Springer-Verlag,
1994.

**(***See **Question 24***)**

**[Mce78]** R.J. McEliece. A public-key cryptosystem based on
algebraic coding theory. *JPL DSN Progress Report 42-44 *,
pages 114-116, 1978.

**(***See **Question 34***)**

**[Mcn95]** F.L. McNulty. Clipper Alive and well as a voluntary
government standard for telecommunications. *The 1995 RSA Data
Security Conference*, January 1995.

**[Men93]** A. Menezes. *Elliptic Curve Public Key Cryptosystems*.
Kluwer Academic Publishers, 1993.

**[Mer79]** R.C. Merkle. Secrecy, authentication and public-key
systems. Ph. D. Thesis, Stanford University, 1979.

**[Odl95]** A.M. Odlyzko. The future of integer factorization. *CryptoBytes,
*1(2): 5-12, 1995.

**(***See **Question 12***)**

**[Oka93]** T. Okamoto. Provably secure and practical
identification schemes and corresponding signature schemes. In *Advances
in Cryptology - Crypto '92*, pages 31-53, Springer-Verlag,
1993.

**(***See **Question 143***)**

**[OPS93]** Office of the Press Secretary. *Statement *. The
White House, April 16, 1993.

**(***See **Question 151***)**

**[Pol74]** J. Pollard. Theorems of factorization and primality
testing. *Proceedings of Cambridge Philosophical Society*,
76: 521-528, 1974.

**(***See **Question 48** and **Question 52***)**

**[Pol75]** J. Pollard. Monte Carlo method for factorization. *BIT*,
15: 331-334, 1975.

**(***See **Question 48***)**

**[Pre93]** B. Preneel. *Analysis and Design of Cryptographic
Hash Functions*. Ph.D. Thesis, Katholieke University Leuven,
1993.

**(***See **Question 94**, **Question 99**, **Question 100**, and **Question 101***)**

**[Riv90]** R.L. Rivest. Cryptography. In
J. van Leeuwen, editor, *Handbook of Theoretical Computer
Science*, volume A, pages 719-755, MIT Press/Elsevier,
Amsterdam, 1990.

**(***See **Question 1***)**

**[Riv91a]** R.L. Rivest. Finding four
million random primes. In *Advances in Cryptology - Crypto '90*,
pages 625-626, Springer-Verlag, 1991.

**(***See **Question 15** and **Question 52***)**

**[Riv91b]** R.L. Rivest. The MD4 message
digest algorithm. In *Advances in Cryptology - Crypto '90*,
pages 303-311, Springer-Verlag, 1991.

**(***See **Question 99***)**

**[Riv92a]** R.L. Rivest. Response to
NIST's proposal. *Communications of the ACM*, 35: 41-47,
July 1992.

**(***See **Question 12** and **Question 52***)**

**[Riv92b]** R.L. Rivest. *RFC 1320: The
MD4 Message-Digest Algorithm*. Network Working Group, April
1992.

**(***See **Question 99***)**

**[Riv92c]** R.L. Rivest. *RFC 1321: The
MD5 Message-Digest Algorithm*. Internet Activities Board,
April 1992.

**(***See **Question 99***)**

**[Rob95d]** M.J.B. Robshaw. *Security estimates for 512-bit RSA*.
Technical Note, RSA
Laboratories, June 1995.

**(***See **Question 12***)**

**[RS95]** E. Rescorla and A. Schiffman. *The Secure HyperText
Transfer Protocol*. Internet-Draft, EIT, July 1995.

**(***See **Question 133***)**

**[RSA78]** R.L. Rivest, A. Shamir, and
L.M. Adleman. A method for obtaining digital signatures and
public-key cryptosystems. *Communications of the ACM*,
21(2): 120-126, February 1978.

**(***See **Question 8** and **Question 108***)**

**[RSA95]** RSA Laboratories. *PKCS #11: Cryptographic Token
Interface Standard*. Version 1.0, April 1995.

**(***See **Question 145***)**

**[Rue92]** R.A. Rueppel. Stream ciphers. In *Contemporary
Cryptology - The Science of Information Integrity *. IEEE
Press, 1992.

**(***See **Question 92***)**

**[SB93]** M.E. Smid and D.K. Branstad. Response to comments on
the NIST proposed Digital Signature Standard. In *Advances in
Cryptology - Crypto '92*, pages 76-87, Springer-Verlag, 1993.

**(***See **Question 26** and **Question 27***)**

**[Sch83]** I. Schaumuller-Bichl. Cryptanalysis of the Data
Encryption Standard by a method of formal coding. *Cryptography,
Proc. Burg Feuerstein 1982*, 149: 235-255, Berlin,1983.

**(***See **Question 74***)**

**[Sch90]** C.P. Schnorr. Efficient identification and signatures
for smart cards. In *Advances in Cryptology - Crypto '89*,
pages 239-251, Springer-Verlag, 1990.

**(***See **Question 27** and **Question 18***)**

**[Sch95b]** B. Schneier. *Applied Cryptography *: *Protocols,
Algorithms, and Source Code in C.* Wiley, 2nd Edition, 1995.

**(***See **Question 1** and **Question 18***)**

**[SH95]** C.P. Schnorr and H.H. Hörner. Attacking the
Chor-Rivest cryptosystem by improved lattice reduction. In *Advances
in Cryptology - Eurocrypt* *'95*, pages 1-12,
Springer-Verlag, 1995.

**(***See **Question 32***)**

**[Sha95]** M. Shand. Personal communication. 1995.

**(***See **Question 9***)**

**[Sho94]** P.W. Shor. Algorithms for quantum computation: Discrete
logarithms and factoring. In *Proceedings of the 35th Annual
IEEE Symposium on the Foundations of Computer Science*, pages
124-134, 1994.

**(***See **Question 109***)**

**[Sil87]** R.D. Silverman. The multiple polynomial quadratic
sieve. *Mathematics of Computation*, 48: 329-339, 1987.

**(***See **Question 48***)**

**[Sim92]** G.J. Simmons, editor. *Contemporary Cryptology - The
Science of Information Integrity*. IEEE Press, 1992.

**(***See **Question 1**, **Question 103**, and **Question 105***)**

**[Sta95]** W. Stallings. *Network and Internetwork Security
Principles and Practice*. Prentice-Hall, New Jersey, 1995.

**(***See **Question 1***)**

**[Sti95]** D.R.
Stinson. *Cryptography - Theory and Practice*. CRC Press,
Boca Raton, 1995.

**(***See **Question 1** and **Question 102***)**

**[SV93]** M. Shand and J. Vuillemin. Fast implementations of RSA
cryptography. In *Proceedings of the 11th IEEE Symposium on
Computer Arithmetic*, pages 252-259, IEEE Computer Society
Press, 1993.

**(***See **Question 9***)**