REFERENCES


[Adl95] L.M. Adleman. On constructing a molecular computer, University of Southern California, draft, January 1995.
(See Question 111)


[Adl96] L.M. Adleman. Statement, Cryptographer's Expert Panel, RSA Data Security Conference, San Francisco, CA, January 17, 1996.
(See Question 111)


[AGL95] D. Atkins, M. Graff, A.K. Lenstra and P.C. Leyland. The magic words are squeamish ossifrage. In Advances in Cryptology - Asiacrypt '94, pages 263-277, Springer-Verlag, 1995.
(See Question 51)


[ANS83] American National Standards Institute. American National Standard X3.106: Data Encryption Algorithm, Modes of Operations, 1983.
(See Question 82)


[ANS93a] American National Standards Institute. Draft: American National Standard X9.30-199X: Public-Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 1: The Digital Signature Algorithm (DSA). American Bankers Association, March 1993.
(See Question 160)


[ANS93c] American National Standards Institute. American National Standard X9.31-1992: Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry: Part 2: The MDC-2 Hash Algorithm, June 1993.


[Atk95a] R. Atkinson. RFC 1825: Security Architecture for the Internet Protocol. Naval Research Laboratory, August 1995.
(See Question 137)


[Bam82] J. Bamford. The Puzzle Palace. Houghton Mifflin, Boston, 1982.
(See Question 148)


[Bar92] J.P. Barlow. Decrypting the puzzle palace. Communications of the ACM, 35(7): 25-31, July 1992.
(See Question 149)


[BBB92] C. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin. Experimental quantum cryptography. Journal of Cryptology, 5(1): 3-28, 1992.
(See Question 110)


[BBC88] P. Beauchemin, G. Brassard, C. Crepeau, C. Goutier, and C. Pomerance. The generation of random numbers that are probably prime. Journal of Cryptology, 1: 53-64, 1988.
(See Question 15)


[BBL95] D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In Advances in Cryptology - Crypto '95, pages 386-396, Springer-Verlag, 1995.
(See Question 33)


[BBS86] L. Blum, M. Blum, and M. Shub. A simple unpredictable random number generator. SIAM Journal on Computing, 15: 364-383, 1986.
(See Question 92)


[BD93b] J. Brandt and I. Damgard. On generation of probable primes by incremental search. In Advances in Cryptology - Crypto '92, pages 358-370, Springer-Verlag, 1993.
(See Question 15)


[BDB92] M.V.D. Burmester, Y.G. Desmedt, and T. Beth. Efficient zero-knowledge identification schemes for smart cards. Computer Journal, 35: 21-29, 1992.
(See Question 18 and Question 143)


[BDK93] E.F. Brickell, D.E. Denning, S.T. Kent, D.P. Maher, and W. Tuchman. Skipjack Review, Interim Report: The Skipjack Algorithm. July 28, 1993.
(See Question 57 and Question 80)


[Bea95] D. Beaver. Factoring: The DNA solution. In Advances in Cryptology - Asiacrypt '94, pages 419-423, Springer-Verlag, 1995.
(See Question 111)


[Ben82] P. Benioff. Quantum mechanical Hamiltonian models of Turing machines. Journal of Statistical Physics, 29(3): 515-546, 1982.
(See Question 109)


[BG85] M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In Advances in Cryptology - Crypto '84, pages 289-299, Springer-Verlag, 1985.
(See Question 36)


[BLP94] J.P. Buhler, H.W. Lenstra, and C. Pomerance. The development of the number field sieve. Volume 1554 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
(See Question 48)


[BLS88] J. Brillhart, D.H. Lehmer, J.L. Selfridge, B. Tuckerman, and S.S. Wagstaff Jr. Factorizations of b^n ± 1, b = 2,3,5,6,7,10,11,12 up to High Powers. Volume 22 of Contemporary Mathematics, American Mathematical Society, 2nd edition, 1988.
(See Question 48)


[BLZ94] J. Buchmann, J. Loho, and J. Zayer. An implementation of the general number field sieve. In Advances in Cryptology - Crypto '93, pages 159-166, Springer-Verlag, 1994.
(See Question 48)


[BM84] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, 13(4): 850-863, 1984.
(See Question 92 and Question 112)


[BO88] E.F. Brickell and A.M. Odlyzko. Cryptanalysis: A survey of recent results. Proceedings of the IEEE, 76: 578-593, 1988.
(See Question 18)


[Bra88] G. Brassard. Modern Cryptology. Volume 325 of Lecture Notes in Computer Science, Springer-Verlag, 1988.
(See Question 1 and Question 84)


[Bre89] D.M. Bressoud. Factorization and Primality Testing. Springer-Verlag, 1989.
(See Question 48)


[Bri85] E.F. Brickell. Breaking iterated knapsacks. In Advances in Cryptology - Crypto '84, pages 342-358, Springer-Verlag, 1985.
(See Question 32)


[BS91a] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. In Advances in Cryptology - Crypto '90, pages 2-21, Springer-Verlag, 1991.
(See Question 58)


[BS91b] E. Biham and A. Shamir. Differential cryptanalysis of FEAL and N-Hash. In Advances in Cryptology - Eurocrypt '91, pages 156-171, Springer-Verlag, 1991.
(See Question 79)


[BS93a] E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. In Advances in Cryptology - Crypto '92, pages 487-496, Springer-Verlag, 1993.
(See Question 58 and Question 65)


[CFN88] D. Chaum, A. Fiat and M. Naor. Untraceable electronic cash. In Advances in Cryptology - Crypto '88, pages 319-327, Springer-Verlag, 1988.
(See Question 39)


[Cha83] D. Chaum. Blind signatures for untraceable payments. In Advances in Cryptology - Crypto '82, pages 199-203, Springer-Verlag, 1983.
(See Question 39 and Question 138)


[Cha85] D. Chaum. Security without identification: transaction systems to make big brother obsolete. Communications of the ACM, 28(10): 1030-1044, October 1985.
(See Question 39 and Question 138)


[CLR90] T.H. Cormen, C.E. Leiserson, and R.L. Rivest. Introduction to Algorithms. MIT Press, Cambridge, Massachusetts, 1990.
(See Question 9 and Question 48)


[Cop92] D. Coppersmith. The data encryption standard and its strength against attacks. IBM Research Report RC 18613 (81421), T. J. Watson research center, December 1992.
(See Question 58)


[COS86] D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1: 1-15, 1986.
(See Question 52)


[CP94] L. Chen and T.P. Pedersen. New group signature schemes. In Advances in Cryptology - Eurocrypt '94, pages 171-181, Springer-Verlag, 1994.
(See Question 42)


[CP95] L. Chen and T.P. Pedersen. On the efficiency of group signatures: providing information-theoretic anonymity. In Advances in Cryptology - Eurocrypt '95, pages 39-49, Springer-Verlag, 1995.
(See Question 42)


[CR88] B. Chor and R.L. Rivest. A knapsack-type public-key cryptosystem based on arithmetic in finite fields. IEEE Transactions on Information Theory, 34(5): 901-909, 1988.
(See Question 32)


[CV90] D. Chaum and H. van Antwerpen. Undeniable signatures. In Advances in Cryptology - Crypto '89, pages 212-216, Springer-Verlag, 1990.
(See Question 44)


[CV91] D. Chaum and E. van Heijst. Group signatures. In Advances in Cryptology - Eurocrypt '91, pages 257-265, Springer-Verlag, 1991.
(See Question 42)


[CV92] D. Chaum and H. van Antwerpen. Cryptographically strong undeniable signatures, unconditionally secure for the signer. In Advances in Cryptology - Crypto '91, pages 470-484, Springer-Verlag, 1992.
(See Question 44)


[CW93] K.W. Campbell and M.J. Wiener. DES is not a group. In Advances in Cryptology - Crypto '92, pages 512-520, Springer-Verlag, 1993.
(See Question 70)


[Dam90] I. Damgård. A design principle for hash functions. In Advances in Cryptology - Crypto '89, pages 416-427, Springer-Verlag, 1990.
(See Question 32 and Question 97)


[Dav82] G. Davida. Chosen signature cryptanalysis of the RSA public key cryptosystem. Technical Report TR-CS-82-2, Department of EECS, University of Wisconsin, Milwaukee, 1982.
(See Question 10)


[DB95] D.E. Denning and D.K. Branstad. A taxonomy for key escrow encryption systems. January, 1995.
(See Question 153 and Question 154)


[Den95] D.E. Denning. The Case for "Clipper." Technology Review, pages 48-55, July 1995.


[Des95] Y. Desmedt. Securing traceability of ciphertexts-Towards a secure software key escrow system. In Advances in Cryptology - Eurocrypt '95, pages 147-157, Springer-Verlag, 1995.
(See Question 154)


[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22: 644-654, 1976.
(See Question 3, Question 4, and Question 108)


[DH77] W. Diffie and M.E. Hellman. Exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer, 10: 74-84, 1977.
(See Question 57 and Question 65)


[Dif88] W. Diffie. The first ten years of public-key cryptography. Proceedings of the IEEE, 76: 560-577, 1988.
(See Question 3)


[DIP94] D. Davies, R. Ihaka, and P. Fenstermacher. Cryptographic randomness from air turbulence in disk drives. In Advances in Cryptology - Crypto '94, pages 114-120, Springer-Verlag, 1994.
(See Question 112)


[Div95] D.P. DiVincenzo. Two-bit gates are universal for quantum computation. Physical Review A, 51: 1015-1022, 1995.


[DL95] B. Dodson and A.K. Lenstra. NFS with four large primes: An explosive experiment. In Advances in Cryptology - Crypto '95, pages 372-385, Springer-Verlag, 1995.
(See Question 48)


[DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In Advances in Cryptology - Crypto '85, pages 516-522, Springer-Verlag, 1986.
(See Question 10)


[Dob95] H. Dobbertin. Alf Swindles Ann. CryptoBytes, 1(3): 5, 1995.
(See Question 99)


[DP83] D.W. Davies and G.I. Parkin. The average cycle size of the key stream in output feedback encipherment. In Advances in Cryptology: Proceedings of Crypto '82, pages 97-98, Plenum Press, 1983.
(See Question 83)


[DRB95] P. Domokos, M.J. Raimond, M. Brune, and S. Haroche. A simple cavity-QED two-bit universal quantum logic gate: principle and expected performances. Physical Review A. To appear.


[DVW92] W. Diffie, P.C. van Oorschot, and M.J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2: 107-125, 1992.
(See Question 25)


[ECS94] D. Eastlake, 3rd, S. Crocker, and J. Schiller. RFC 1750: Randomness Recommendations for Security. DEC, Cybercash, and MIT, December 1994.
(See Question 112)


[For94] W. Ford. Computer Communications Security - Principles, Standard Protocols and Techniques, Prentice-Hall, New Jersey, 1994.
(See Question 1, Question 20, and Question 113)


[FR95] P. Fahn and M.J.B. Robshaw. Results from the RSA Factoring Challenge. Technical Report TR-501, version 1.3, RSA Laboratories, January 1995.
(See Question 50)


[FS87] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology - Crypto '86, pages 186-194, Springer-Verlag, 1987.
(See Question 18 and Question 107)


[FY94] M. Franklin and M. Yung. Blind Weak Signature and its Applications: Putting Non-Cryptographic Secure Computation to Work. In Advances in Cryptology - Eurocrypt '94, pages 67-76, Springer-Verlag, 1994.
(See Question 39)


[Has88] J. Hastad. Solving simultaneous modular equations of low degree. SIAM Journal of Computing, 17: 336-241, 1988.
(See Question 10)


[Hel80] M.E. Hellman. A cryptanalytic time-memory trade off. IEEE Transactions on Information Theory, IT-26: 401-406, 1980.
(See Question 65)


[Kah67] D. Kahn. The Codebreakers. Macmillan Co., New York, 1967.
(See Question 1)


[Kal92] B.S. Kaliski Jr. RFC 1319: The MD2 Message-Digest Algorithm. RSA Laboratories, April 1992.
(See Question 99)


[Kal93a] B.S. Kaliski Jr. RFC 1424: Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services. RSA Laboratories, February 1993.


[Kal93b] B.S. Kaliski Jr. A survey of encryption standards. IEEE Micro, 13(6): 74-81, December 1993.
(See Question 20 and Question 127)


[Kal95] B.S. Kaliski Jr. A chosen message attack on Demytko's cryptosystem. Journal of Cryptology. To appear.
(See Question 31)


[Knu81] D.E. Knuth. The Art of Computer Programming, volume 2, Seminumerical Algorithms. Addison-Wesley, 2nd edition, 1981.
(See Question 48 and Question 112)


[Knu93] L.R. Knudsen. Practically secure Feistel ciphers. In Proceedings of 1st Workshop on Fast Software Encryption, pages 211-221, Springer-Verlag, 1993.
(See Question 59)


[Knu95] L.R. Knudsen. A key-schedule weakness in SAFER K-64. In Advances in Cryptology - Crypto '95, pages 274-286, Springer-Verlag, 1995.
(See Question 78)


[KO95] K. Kurosawa and K. Okada. Low exponent attack against elliptic curve RSA. In Advances in Cryptology - Asiacrypt '94, pages 376-383, Springer-Verlag, 1995.
(See Question 31)


[Kob87] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48: 203-209, 1987.
(See Question 31)


[Kob94] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, 1994.
(See Question 30 and Question 48)


[Koc94] Ç.K. Koç. High-Speed RSA Implementation. Technical Report TR-201, version 2.0, RSA Laboratories, November 1994.
(See Question 9)


[KR94] B.S. Kaliski Jr. and M.J.B. Robshaw. Linear cryptanalysis using multiple approximations. In Advances in Cryptology - Crypto '94, pages 26-39, Springer-Verlag, 1994.
(See Question 59)


[KR95a] B.S. Kaliski Jr. and M.J.B. Robshaw. Linear cryptanalysis using multiple approximations and FEAL. In Proceedings of 2nd Workshop on Fast Software Encryption, pages 249-264, Springer-Verlag, 1995.
(See Question 79)


[KR95c] B.S. Kaliski Jr. and M.J.B. Robshaw. The secure use of RSA. CryptoBytes, 1(3): 7-13, 1995.
(See Question 10)


[KR96] B.S. Kaliski Jr. and M.J.B. Robshaw. Multiple encryption: weighing up security and performance. Dr. Dobb's Journal, #243, pages 123-127, January 1996.
(See Question 85 and Question 72)


[KT91] V.I. Korzhik and A.I. Turkin. Cryptanalysis of McEliece's public-key cryptosystem. In Advances in Cryptology - Eurocrypt '91, pages 68-70, Springer-Verlag, 1991.
(See Question 34)


[KY95] B.S. Kaliski Jr. and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In Advances in Cryptology - Crypto '95, pages 171-183, Springer-Verlag, 1995.
(See Question 76)


[Lan88] S. Landau. Zero knowledge and the Department of Defense. Notices of the American Mathematical Society, 35: 5-12, 1988.
(See Question 149)


[Mau94] U. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Advances in Cryptology - Crypto '94, pages 271-281, Springer-Verlag, 1994.
(See Question 24)


[Mce78] R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report 42-44, pages 114-116, 1978.
(See Question 34)


[Mcn95] F.L. McNulty. Clipper Alive and well as a voluntary government standard for telecommunications. The 1995 RSA Data Security Conference, January 1995.


[Men93] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.


[Mer79] R.C. Merkle. Secrecy, authentication and public-key systems. Ph.D. Thesis, Stanford University, 1979.


[Odl95] A.M. Odlyzko. The future of integer factorization. CryptoBytes, 1(2): 5-12, 1995.
(See Question 12)


[Oka93] T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Advances in Cryptology - Crypto '92, pages 31-53, Springer-Verlag, 1993.
(See Question 143)


[OPS93] Office of the Press Secretary. Statement. The White House, April 16, 1993.
(See Question 151)


[Pol74] J. Pollard. Theorems of factorization and primality testing. Proceedings of Cambridge Philosophical Society, 76: 521-528, 1974.
(See Question 48 and Question 52)


[Pol75] J. Pollard. Monte Carlo method for factorization. BIT, 15: 331-334, 1975.
(See Question 48)


[Pre93] B. Preneel. Analysis and Design of Cryptographic Hash Functions. Ph.D. Thesis, Katholieke University Leuven, 1993.
(See Question 94, Question 99, Question 100, and Question 101)


[Riv90] R.L. Rivest. Cryptography. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume A, pages 719-755, MIT Press/Elsevier, Amsterdam, 1990.
(See Question 1)


[Riv91a] R.L. Rivest. Finding four million random primes. In Advances in Cryptology - Crypto '90, pages 625-626, Springer-Verlag, 1991.
(See Question 15 and Question 52)


[Riv91b] R.L. Rivest. The MD4 message digest algorithm. In Advances in Cryptology - Crypto '90, pages 303-311, Springer-Verlag, 1991.
(See Question 99)


[Riv92a] R.L. Rivest. Response to NIST's proposal. Communications of the ACM, 35: 41-47, July 1992.
(See Question 12 and Question 52)


[Riv92b] R.L. Rivest. RFC 1320: The MD4 Message-Digest Algorithm. Network Working Group, April 1992.
(See Question 99)


[Riv92c] R.L. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. Internet Activities Board, April 1992.
(See Question 99)


[Rob95d] M.J.B. Robshaw. Security estimates for 512-bit RSA. Technical Note, RSA Laboratories, June 1995.
(See Question 12)


[RS95] E. Rescorla and A. Schiffman. The Secure HyperText Transfer Protocol. Internet-Draft, EIT, July 1995.
(See Question 133)


[RSA78] R.L. Rivest, A. Shamir, and L.M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2): 120-126, February 1978.
(See Question 8 and Question 108)


[RSA95] RSA Laboratories. PKCS #11: Cryptographic Token Interface Standard. Version 1.0, April 1995.
(See Question 145)


[Rue92] R.A. Rueppel. Stream ciphers. In Contemporary Cryptology - The Science of Information Integrity. IEEE Press, 1992.
(See Question 92)


[SB93] M.E. Smid and D.K. Branstad. Response to comments on the NIST proposed Digital Signature Standard. In Advances in Cryptology - Crypto '92, pages 76-87, Springer-Verlag, 1993.
(See Question 26 and Question 27)


[Sch83] I. Schaumuller-Bichl. Cryptanalysis of the Data Encryption Standard by a method of formal coding. Cryptography, Proc. Burg Feuerstein 1982, 149: 235-255, Berlin, 1983.
(See Question 74)


[Sch90] C.P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - Crypto '89, pages 239-251, Springer-Verlag, 1990.
(See Question 27 and Question 18)


[Sch95b] B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley, 2nd Edition, 1995.
(See Question 1 and Question 18)


[SH95] C.P. Schnorr and H.H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Advances in Cryptology - Eurocrypt '95, pages 1-12, Springer-Verlag, 1995.
(See Question 32)


[Sha95] M. Shand. Personal communication. 1995.
(See Question 9)


[Sho94] P.W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual IEEE Symposium on the Foundations of Computer Science, pages 124-134, 1994.
(See Question 109)


[Sil87] R.D. Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48: 329-339, 1987.
(See Question 48)


[Sim92] G.J. Simmons, editor. Contemporary Cryptology - The Science of Information Integrity. IEEE Press, 1992.
(See Question 1, Question 103, and Question 105)


[Sta95] W. Stallings. Network and Internetwork Security Principles and Practice. Prentice-Hall, New Jersey, 1995.
(See Question 1)


[Sti95] D.R. Stinson. Cryptography - Theory and Practice. CRC Press, Boca Raton, 1995.
(See Question 1 and Question 102)


[SV93] M. Shand and J. Vuillemin. Fast implementations of RSA cryptography. In Proceedings of the 11th IEEE Symposium on Computer Arithmetic, pages 252-259, IEEE Computer Society Press, 1993.
(See Question 9)