ENCYCLOPEDIA OF CRYPTOGRAPHY AND SECURITY

Editor-in-Chief: Henk C.A. van Tilborg, Eindhoven University of Technology, The Netherlands

Library of Congress Cataloging-in-Publication Data: A C.I.P. Catalogue record for this book is available from the Library of Congress.
Encyclopedia of Cryptography and Security, edited by Henk C.A. van Tilborg. p. cm.
ISBN-10 (HB): 0-387-23473-X. ISBN-13 (HB): 978-0387-23473-1. ISBN-10 (eBook): 0-387-23483-7. ISBN-13 (eBook): 978-0387-23483-0.
Printed on acid-free paper.

© 2005 Springer Science+Business Media, Inc. All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, Inc., 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America. SPIN 11327875 (HC) / 151464 (eBook). springeronline.com

Dedicated to the ones I love.

List of Advisory Board Members
Editor-in-Chief: Henk van Tilborg, Technische Universiteit Eindhoven
Carlisle Adams, Entrust, Inc.
Friedrich Bauer, Technische Universität München
Gerrit Bleumer, Francotyp-Postalia
Dan Boneh, Stanford University
Pascale Charpin, INRIA-Rocquencourt
Claude Crépeau, McGill University
Yvo Desmedt, University of London
Grigory Kabatiansky, Institute for Information Transmission Problems
Burt Kaliski, RSA Security
Peter Landrock, University of Aarhus
Patrick McDaniel, Penn State University
Alfred Menezes, University of Waterloo
David Naccache, Gemplus International and Royal Holloway, University of London
Christof Paar, Ruhr-Universität Bochum
Bart Preneel, Katholieke Universiteit Leuven
Jean-Jacques Quisquater, Université Catholique de Louvain
Kazue Sako, NEC Corporation
Berry Schoenmakers, Technische Universiteit Eindhoven

List of Contributors
Carlisle Adams, Sacha Barg, Friedrich Bauer, Olivier Benoît, Eli Biham, Alex Biryukov, John Black, Robert Blakley, Gerrit Bleumer, Sharon Boeyen, Dan Boneh, Antoon Bosselaers, Gerald Brose, Marco Bucci, Mike Burmester, Christian Cachin, Tom Caddy, Ran Canetti, Anne Canteaut, Claude Carlet, Pascale Charpin, Hamid Choukri, Scott Contini, Claude Crépeau, Eric Cronin, Joan Daemen, Christophe De Cannière, Yvo Desmedt, Marijke de Soete, Yevgeniy Dodis, Glen Durfee, Cynthia Dwork, Carl Ellison, Toni Farley, Caroline Fontaine, Matthew Franklin, Martin Gagné, Daniel M. Gordon, Jorge Guajardo, Stuart Haber, Helena Handschuh, Darrel Hankerson, Clemens Heinrich, Tor Helleseth, Russ Housley, Hideki Imai, Anil Jain, Jill Joseph, Marc Joye, Mike Just, Gregory Kabatiansky, Burt Kaliski, Lars Knudsen, Çetin Kaya Koç, François Koeune, Hugo Krawczyk, Markus Kuhn, Peter Landrock, Kerstin Lemke, Arjen K. Lenstra, Paul Leyland, Benoît Libert, Moses Liskov, Steve Lloyd, Henri Massias, Patrick McDaniel, Alfred Menezes, Daniele Micciancio, Bodo Möller, François Morain, Dalit Naor, Kim Nguyen, Phong Q. Nguyen, Francis Olivier, Lukasz Opyrchal, Christof Paar, Pascal Paillier, Joe Pato, Sachar Paulus, Torben Pedersen, Benny Pinkas, David Pointcheval, Bart Preneel, Niels Provos, Jean-Jacques Quisquater, Vincent Rijmen, Ronald L. Rivest, Matt Robshaw, Arun Ross, Randy Sabett

ZERO-KNOWLEDGE

Zero-knowledge is a property attributed to interactive proofs, interactive arguments and non-interactive proofs. Whereas the soundness property protects the interest of the verifier, the zero-knowledge property protects the interest of the prover. By means of a zero-knowledge proof, the prover is able to convince the verifier of the validity of a given statement, without
releasing any knowledge beyond the validity of the statement. (Note that the notion of witness hiding proofs provides an alternative to the notion of zero-knowledge proofs.) In other words, from executing a zero-knowledge protocol with an honest prover, the verifier should learn nothing beyond the validity of the statement. This is captured by requiring that whatever the verifier "sees" when interacting with the prover by means of the zero-knowledge protocol can be efficiently simulated by the verifier itself. It is crucial to note that the zero-knowledge condition must be satisfied even if the verifier deviates from the protocol in arbitrary ways.

As a simple example, consider the following protocol. Let g denote a generator of a cyclic group G of order p, where p is a large prime number. A key pair is generated by choosing x ∈ Z_p uniformly at random and setting y = g^x as the public key and x as the corresponding private key (see also modular arithmetic and public key cryptography). The protocol for proving knowledge of x on common input y runs as follows.

1. The prover chooses u ∈ Z_p uniformly at random, sets a = g^u and sends a to the verifier.
2. The verifier chooses a challenge c ∈ {0, 1} uniformly at random and sends c to the prover.
3. The prover computes the response r = u + cx mod p and sends it to the verifier.
4. The verifier checks that g^r = a · y^c holds.

An honest prover always passes the check, since g^r = g^(u + cx) = g^u · (g^x)^c = a · y^c. With a one-bit challenge a cheating prover passes with probability 1/2 per run, so in practice the protocol is repeated; the composition discussion below shows why those repetitions must be sequential if the simulation argument is to carry over.

The zero-knowledge property follows from the fact that the outputs of the following two probabilistic polynomial-time algorithms are identically distributed, where V* denotes an arbitrarily cheating verifier (the second algorithm runs in expected polynomial time, because of the rewinding). It is assumed that V* is given as a rewindable black box. A triple (a, c, r) is called a conversation, as it consists of the messages exchanged during a run of the protocol.

Real conversations
Input: private key x. Output: conversation (a, c, r).
1. Choose random u ∈ Z_p.
2. Set a = g^u. Send a to V*.
3. Receive c ∈ {0, 1} from V*.
4. Set r = u + cx mod p.
5. Output (a, c, r).

Simulated conversations
Input: public key y. Output: conversation (a, c, r).
1. Choose random c′ ∈ {0, 1} and random r ∈ Z_p.
2. Set a = g^r · y^(−c′). Send a to V*.
3. Receive c ∈ {0, 1} from V*.
4. If c ≠ c′, rewind V* to the point prior to accepting a and go to step 1.
5. Output (a, c, r).

At step 4 of the simulation, the probability that c = c′ is exactly 1/2: because r is uniform in Z_p, the value a = g^r · y^(−c′) is uniformly distributed in G for either value of c′, so the challenge c produced by V* is independent of the guess c′, which is itself uniform in {0, 1}. Hence, on average two iterations are required to generate a simulated conversation (a, c, r). Note also that every simulated conversation passes the verifier's check, since g^r = a · y^(c′) = a · y^c.

The conclusion is that no matter what algorithm (or "strategy") a cheating verifier V* follows in trying to extract useful information from the prover, the same algorithm can be used to generate identically distributed conversations without the cooperation of the prover. Whereas the real conversations are generated using the private key x as input, the simulated conversations are generated using only the public key y as input.

In general, the distributions of the real conversations and the simulated conversations need not be identical. Perfect zero-knowledge means that the distributions are indeed identical. Almost-perfect or statistical zero-knowledge means that the distributions are statistically indistinguishable (i.e., the statistical distance between the distributions is negligible). Similarly, computational zero-knowledge (see also computational complexity) means that the distributions are polynomially indistinguishable (i.e., cannot be distinguished by any efficient algorithm).

By engaging in a zero-knowledge protocol multiple times, a cheating verifier may collect many valid conversations. In general, the simulation for a single run of a protocol can easily be extended to a simulation for multiple runs of the protocol as long as the runs are sequential, that is, the second run starts only after the first run is finished, and so on. In other words, the zero-knowledge property is preserved under sequential composition. However, parallel composition, where a prover is engaged in several runs of a protocol at the same time, in general does
not preserve the zero-knowledge property. In a parallel execution V* may choose its k challenges as a function of all k first messages together, so the simulator must guess all k challenge bits before seeing any of them; running the above simulation k times in parallel therefore does not result in an efficient simulation, as the chance that the guess c′ equals the challenge c in all k runs at the same time is only 2^(−k), i.e., 2^k iterations are expected.

The concept of zero-knowledge was introduced by Goldwasser, Micali and Rackoff in the early eighties (the journal version appeared in [6]). In [7] it was subsequently proved that a zero-knowledge interactive proof exists for every language in NP. Non-interactive zero-knowledge proofs were introduced in [1, 2]. There are many varieties of zero-knowledge proofs; see [8] for an overview. Examples of some advanced notions are concurrent zero-knowledge [4, 5] and resettable zero-knowledge [3].

Berry Schoenmakers

References
[1] Blum, M., P. Feldman, and S. Micali (1988). "Non-interactive zero-knowledge and its applications." Proceedings of the 20th ACM Symposium on the Theory of Computing, 103–112.
[2] Blum, M., A. De Santis, S. Micali, and G. Persiano (1991). "Non-interactive zero-knowledge proof systems." SIAM Journal on Computing, 20 (6), 1084–1118.
[3] Canetti, R., O. Goldreich, S. Goldwasser, and S. Micali (2000). "Resettable zero-knowledge." Proceedings of the 32nd ACM Symposium on the Theory of Computing, 235–244.
[4] Damgård, I. (2000). "Efficient concurrent zero-knowledge in the auxiliary string model." Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer-Verlag, Berlin, 418–430.
[5] Dwork, C., M. Naor, and A. Sahai (1998). "Concurrent zero-knowledge." Proceedings of the 30th ACM Symposium on the Theory of Computing, 409–418.
[6] Goldwasser, S., S. Micali, and C. Rackoff (1989). "The knowledge complexity of interactive proof systems." SIAM Journal on Computing, 18, 186–208. Preliminary version in Proceedings of the 17th ACM Symposium on the Theory of Computing, 1985.
[7] Goldreich, O., S. Micali, and A. Wigderson (1991). "Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems." Journal of the ACM, 38 (1), 691–729. Preliminary version in Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986.
[8] Goldreich, O. (2001). Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge.
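The protocol, the rewinding simulator, and the sequential-versus-parallel composition argument from the entry above, as an added Python example (not code from the Encyclopedia or its author). It assumes constructed toy group parameters (q = 2039 = 2·1019 + 1, with g = 4 generating the subgroup of prime order p = 1019; real deployments use a group of roughly 256-bit prime order) and models the cheating verifier V* as a deterministic strategy over the commitments it received and its random tape, so that "rewinding V* to the point before it accepted a" amounts to calling the strategy again with the same tape. `biased_strategy` is an arbitrary V* invented for the example; the simulator is handed only the public key y and never sees x.

```python
"""Schnorr-style zero-knowledge proof of knowledge of x = log_g(y) with a
one-bit challenge, the rewinding simulator, and sequential vs parallel runs.
Added example, not from the Encyclopedia entry.  Group parameters are
constructed toy values; real deployments use a ~256-bit prime-order group."""
import hashlib
import secrets
from typing import Callable, List, Tuple

Q = 2039   # prime modulus, Q = 2*P + 1
P = 1019   # prime order of the subgroup generated by G
G = 4      # = 2^2 mod Q, a quadratic residue != 1, hence of order P

Conversation = Tuple[int, int, int]               # (a, c, r)
Strategy = Callable[[List[int], int], List[int]]  # V*: (commitments, tape) -> challenge bits


def keygen() -> Tuple[int, int]:
    """Private key x in Z_p, public key y = g^x."""
    x = secrets.randbelow(P)
    return x, pow(G, x, Q)


def verify(y: int, a: int, c: int, r: int) -> bool:
    """The verifier's final check g^r == a * y^c (the challenge must be a bit)."""
    return c in (0, 1) and pow(G, r, Q) == (a * pow(y, c, Q)) % Q


def biased_strategy(commitments: List[int], tape: int) -> List[int]:
    """An arbitrary cheating V* (invented for this example): each challenge
    bit depends on ALL commitments and on V*'s random tape via a hash, i.e.
    V* tries to correlate its challenges with what the prover sent."""
    h = hashlib.sha256(repr((commitments, tape)).encode()).digest()
    return [(h[i % 32] ^ a) & 1 for i, a in enumerate(commitments)]


def real_conversations(x: int, strategy: Strategy, k: int) -> List[Conversation]:
    """Honest prover running k instances in parallel against V*.
    Needs the private key x; V* gets a fresh random tape."""
    tape = secrets.randbits(128)
    us = [secrets.randbelow(P) for _ in range(k)]
    commitments = [pow(G, u, Q) for u in us]        # a_i = g^u_i
    challenges = strategy(commitments, tape)        # c_i chosen by V*
    return [(a, c, (u + c * x) % P)                 # r_i = u_i + c_i*x mod p
            for a, c, u in zip(commitments, challenges, us)]


def simulated_conversations(y: int, strategy: Strategy, k: int,
                            max_tries: int = 1 << 20) -> Tuple[List[Conversation], int]:
    """Simulator for k parallel instances, given ONLY the public key y.
    Guess the challenge bits c', pick r at random, set a = g^r * y^(-c'),
    run V*; if any challenge differs from its guess, rewind V* (same tape,
    new commitments) and retry.  Returns (conversations, number of tries).
    A try succeeds with probability exactly 2^-k: a is uniform in G whatever
    c' is, so V*'s challenges are independent of the guesses."""
    tape = secrets.randbits(128)                    # fixed across rewinds
    for tries in range(1, max_tries + 1):
        guesses = [secrets.randbelow(2) for _ in range(k)]
        rs = [secrets.randbelow(P) for _ in range(k)]
        # y has order P, so y^(-c') == y^(P - c') mod Q
        commitments = [(pow(G, r, Q) * pow(y, P - c, Q)) % Q
                       for r, c in zip(rs, guesses)]
        challenges = strategy(commitments, tape)
        if challenges == guesses:
            return list(zip(commitments, challenges, rs)), tries
    raise RuntimeError("simulation did not terminate within max_tries")


def simulate_sequential(y: int, strategy: Strategy, k: int) -> Tuple[List[Conversation], int]:
    """k sequential runs: simulate each run on its own (about 2 tries each,
    so about 2k in total) and never rewind past a finished run."""
    convs, total = [], 0
    for _ in range(k):
        (conv,), tries = simulated_conversations(y, strategy, 1)
        convs.append(conv)
        total += tries
    return convs, total


if __name__ == "__main__":
    x, y = keygen()
    assert all(verify(y, *conv) for conv in real_conversations(x, biased_strategy, 10))
    _, seq_tries = simulate_sequential(y, biased_strategy, 10)
    _, par_tries = simulated_conversations(y, biased_strategy, 10)
    print(f"10 sequential runs simulated in {seq_tries} tries (expected about 20)")
    print(f"10 parallel runs simulated in {par_tries} tries (expected about 1024 = 2^10)")
```

Every transcript the simulator outputs passes `verify`, and in both the real and the simulated case r is uniform in Z_p and a is then determined by (c, r), which is the concrete content of "identically distributed". The try counters make the composition point measurable: sequential simulation costs about 2 rewinds per run, while simulating k parallel runs against a V* whose challenges depend on all k commitments costs about 2^k.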
Lehmer’s Euclidean algorithm, 205 length, 652 ´ lattice Lenstra-Lenstra-Lovasz reduction, 346 lexicographical knapsacks, 336 LFSR, 355–58 license, 99 licensee, 463 linear approximations, 351 linear characteristic, 152, 352 linear code, 124 linear complexity, 29, 139, 349 linear complexity profile, 349 linear congruential generator, 350 linear consistency attack, 350 Index linear cryptanalysis, 44 linear cryptanalysis for block ciphers, 351–53 linear cryptanalysis for stream ciphers, 354 linear feedback shift register, 355–58 linear hull, 352 linear probability, 351 linear sieve, 291, 295 linear SSS, 545 linear structure, 55 linear substitution, 601 linear syndrome attack, 358 linking, 617 list decoding, 152 LKH, 58 LLL latice reduction algorithm, 335, 346, 347, 569 L-notation, 358 local deduction, 43 local DoS attack, 143 local policy, 463 Local Registration Authority, 330, 518 logical key hierarchy scheme, 58 longevity, 283, 285 long-lived broadcast encryption, 57 low density knapsack, 336 LRA, 330, 518 LSD, 58 Luby-Rackoff cipher, 358 LUC, 599 Lucas-Lehmer primality test, 474 Lucas probable prime test, 473 Lucifer, 129, 480, 656 M MAA, 361, 366 MAC, 6, 13, 200, 201, 230 MAC algorithms, 361–67 MAC guessing attack, 364 MacDES, 65, 365 MAC-then-Encrypt, 13 MAC-verification attack, 362 main mode IPsec, 312 malicious adversary, 399 malleable, 418 malleable encryption scheme, 180 mandatory access control, man-in-the-middle attack, 368 manipulation, 458 Manipulation Detection Code (MDC), 256 mark copyrighted content, 99 marking assumption, 225 MARS, 368 MASH functions (Modular Arithmetic Secure Hash), 263, 370 master copy control, 99 master key, 370 matching ciphertext attack, 43, 387, 389 matching module, 35 Matsui, 351, 352 Mattson–Solomon polynomial, 127 Maurer’s method, 371, 474 Maurer’s universal statistical test, 487 Maxim Number One, 371 maxims, 371 maximum correlation, 55 maximum distance separable code, 126 maximum-length linear sequence, 372–75 maximum order 
complexity, 415 May attack, 666 McEliece public key cryptosystem, 375–78 McGrew-Sherman OFT protocol, 248 MD2 hash function, 260 MD4-MD5, 378 MD5 hash function, 378 MDC hash function, 256 MDC-2 and MDC-4, 379 MDS code, 126 MDx-family, 260 MDx-MAC, 366 media access control, 230 meet-in-the-middle attack, 258, 381 member pseudonym, 483 membership test, 656 memory size, 224, 307 merchant CA, 564 Merkle tree, 618 Merkle-Damgard strengthening, 136, 258, 260, 565 Merkle–Hellman dominance, 334 Merkle–Hellman transformation, 334 Merkle–Hellman trapdoor, 333 Merkle’s meta-method, 257 Mersenne number, 381, 474 Mersenne prime, 381 message authentication code, 21, 200, 361, 362, 363 message authenticaton algorithm, 361, 366 message-encrypting key, 324 message length attack, 384 message recovery, 158 METI, 119, 121 Meyer-Schilling hash functions, 262 microprobing, 590 Miller-Rabin probabilistic primality test, 291, 382, 436, 437 million message attack, 550 MIME, 591, 658 minimal polynomial, 125, 382 minimum distance, 124 Minkowski lattice reduction, 346 Minkowski’s first theorem, 346, 569 MIPS-year, 383 miss-in-the-middle attack, 383 MISTY1, 322, 410, 411 misuse, 299 mix networks, 383 mixed alphabet, 10 Miyaguchi-Preneel hash function, 261 mobile code, 658, 659, 661 modes, 12 modes of operation of a block cipher, 386–90 modification, 458 679 modular addition, 392 modular arithmetic, 391–93, 434, 435 modular exponentiation, 221, 392, 396 modular inverse, 392 modular multiplication, 392 modular root, 394 modulus, 391, 392, 394 MONDEX-scheme, 181, 362, 394 monitoring, 458 monographic substitution, 601 monomial, 517, 518 monotone, 7, 544 monotone signature, 238 MonPro algorithm, 395 Montgomery arithmetic, 394–97 Montgomery exponentiation, 396 Montgomery multiplication, 397 Montgomery product, 395 Montgomery reduction, 395 Montgomery representation, 395 Montgomery squaring, 396, 397 Moore’s law, 398 Morrison-Brillhart method, 293 MPHPT, 119, 121 MPQS, 493 MQV key agreement scheme, 
189 m-resilient, 55, 105 m-sequence, 372 MtE, 13 multicast encryption, 538 multi-exponentiation, 584 multigram property, 373 multipartite substitution, 601 multiparty computation, 398–400 multiple anagramming, 116 multiple bits DPA, 171 multiple encryption, 381, 401, 598 multiple polynomial quadratic sieve, 493 multiplication problem, 92, 96, 401 multiplicative group, 227, 244, 524 multiplicative inverse, 392 multiplicative knapsack, 333 multiplicative secret sharing, 607 multi-precision multiplication, 401–4 multi-precision squaring, 404 multi-set attack, 405 multi-signature, 250, 612 mutual identity verification protocol, 285 N NAF, 193, 194, 584 name, 593 name constraints extension, 635 naming authority, 273 Naor–Yung double encryption paradigm, 109 narrow-sense envelope, 226 National Bureau of Standards, 129 NBS, 129 near prime, 239 nearest vector problem, 79 Needham-Schroeder protocols, 407 need-to-know principle, 680 Index NEMA, 116 NESSIE project, 408–12 New European Schemes for Signature, Integrity and Encryption, 408–12 NFS, 430–33 Niederreiter encryption scheme, 413 NIST, 88, 228, 566, 586 NIZK, 418 NL, 105 NLFSR, 415 non-adjavent form, 193, 194, 584 non-blind watermarking, 655 nonce, 73 non-coincidence exhaustion, 115 non-commutative, 244 non-cyclic, 244 non-interactive proofs, 414, 419 non-interactive zero-knowledge proofs, 672 non-invasive attack, 591 non-linear feedback shift register, 415 non-linearity of Boolean functions, 416 nonlinearity order, 53 non-malleability, 417, 560 non-multiplicativity, 528 nonperiodic key, 323 non-repudiation, 71, 97, 214, 420–24 non-secret key encryption, 424–26 non-singular Boolean function, 139 non-singular LFSR, 356 non-transferable, 641 non-transferable credentials, 110 non-transferable signature, 146 normal base, 313 normal-legacy, 408 normal profile, 299 NP, 94 NP-complete, 94 n-residue, 395 NTRU, 348, 427 null, 601 null cipher, 118 number field, 430 number field sieve, 166, 288, 296, 430–33 number theory, 433–39 
Nyberg-Rueppel signature scheme, 440 O OAEP: Optimal Asymmetric Encryption Padding, 108, 443, 534 oblivious transfer, 399, 445 observer, 181 OCB, 12, 15, 16 OCSP, 70, 459 odd-characteristic extension, 211, 227 OEF, 448–50 OFB, 386, 387 off-line authentication, 197, 198 off-line CAM, 197, 198 offline credentials, 110 off-line electronic payment, 176 off-line electronic postage, 177 offset codebook, 12, 15, 16 OFT protocol, 248 OMA, 200 OMAC, 64, 365 omega-notation, 447 one-more forgery, 37, 38, 74, 238 one-time blind signature, 38 one-time key, 324 one-time pad, 324 one-time password, 446 one-to-one, 333 one-way accumulator, 618 one-way function, 94, 446, 485, 625 one-way function tree protocol, 248 One-Way Hash Function (OWHF), 257 one-way permutation, 446 onion routing, 384 on-line authentication method, 197, 200 on-line CAM, 197, 200 on-line certificate status protocol, 70, 459 online credentials, 110 online electronic payment, 176 on-line electronic postage, 177 online mutual authentication, 200 O-notation, 447 opaque, 489, 490 open code, 118 Open PGP, 555 Optimal asymmetric Encryption Padding, 443, 534 optimal authentication scheme, 21 optimal extension fields, 448–50 optimistic contract signing, 97 oracle, 560 orange book, 552 order, 357, 393, 450 OT, 445 OTP, 324 outer modes, 389 out-of-phase autocorrelation, 27 output feedback, 387 output transformation, 63, 263, 364 outsider secure, 580 overspender detection, 450 overspending prevention, 450 OWHF, 257 P P3P, 479 packet, 519 padding, 200, 202, 384, 565 PAG, 422 Paillier assumption, 108 Paillier encryption and signature schemes, 453 pairings over elliptic curves, 276 PAP, 24, 26 parallel composition, 672 parallelized collision search, 165 parity check matrix, 124, 126 parity check polynomial, 126 parity check symbols, 127 Parseval’s relation, 54 partial-domain one-wayness, 444 partial preimage resistance, 257 partial signature, 612 partition number, 531 partitioning cryptanalysis, 353 passive adversary, 399 
passive attacks, 161 passive cryptanalysis, 113, 568 passive eavesdropper, 169, 568 passive penetration test, 456 password, 285, 453–55 pastry dough mixing, 601 pattern finding, 115 pay later, 176 pay now, 176 payment authorization, 174, 176 payment card, 455, 564 PC, 481, 482 PCR, 139 PDP, 24, 25, 26, 27 PEM, Privacy Enhanced Mail, 455 penetration, 458 penetration testing, 456 PEP, 24 perfect, 544, 567 perfect cryptosystem, 290 perfect forward secrecy / PFS, 457 perfect threshold scheme, 567, 609 perfect zero knowledge, 671 perfectly secure steganography, 161 period of a polynomial, 357, 373, 561 period of a sequence, 27 periodic key, 323 permission, 461, 462 permitted subtrees, 636 permutation, 129, 130, 358, 599 permutation matrix, 601 person pseudonym, 483 personal agent trust, 181 personal identification number (PIN), 458 personalization, 283 PES, 271 PFS, 457 PGP, 466 phase noise source, 512 physical attacks, 458 physical security, 458, 662 piling-up lemma, 351 PIN, 458 PIN verification, 200 PKCS, 443, 459, 528, 530 PKG, 273 PKI, 459, 488 PKI Assessment Guidelines, 422 PKIX - Public Key Infrastructure (X.509), 69, 459, 553 plaintext, 119, 568 plaintext awareness, 560 plaintext ciphertext compromise, 113 plaintext plaintext compromise, 113 platform for privacy preferences project, 479 playback control, 99 Playfair cipher, 460 plug-ins, 658 PMAC, 16, 366, 460 Index PN-sequence, 483 Pohlig-Hellman algorithm, 164 point addition, 185 point at infinity, 184 point doubling, 185 point multiplication, 191, 193 point of sale, 66 policy, 25, 26, 461 Policy Administration Point, 26 policy constraint, 634 policy control, 283 Policy Decision Point, 24, 25, 26, 27 Policy Enforcement Point, 24 policy mapping, 634 policy mapping inhibit indicator, 635 Pollard’s Kangaroo method, 166 Pollard’s lambda method, 167 Pollard’s p-1 method, 292 Pollard’s rho method, 165, 292 polyalphabetic encryption, 323 polyalphabetic substitution, 323 Polybios square encryption, 464 polygraphic 
substitution, 601 polynomial basis representation, 211 polynomial complexity, 465 polynomial function, 464, 465 polynomial security, 93 polynomial time, 464 polyphony, 202 Pontifex, 593 Porta encryption, 465 Porta table, 465 POS, 66 postal security device, 178 power analysis, 572, 573 power trace, 152 PP, 87, 229 pre-charged dual rail logic, 575 predecessor attack, 385 predictable sequence, 350 preimage resistance, 257, 465 pre-pay, 176 preperiod, 415 Pretty Good Privacy, 466 PRIMALITY problem, 93 primality proving algorithm, 470, 472 primality test, 470 prime certificate, 68 prime field, 227 prime field anomalous curve, 187 prime generation, 470, 472, 474 prime number, 470–75 prime number theorem, 436, 471 prime-order field, 227, 393 priming key character, 323 primitive cyclic code, 124 primitive element, 476 primitive polynomial, 126, 373, 476 primitive root, 240 principal ideal, 125 principal ideal ring, 125 privacy, 11, 12, 282, 284, 285, 476 Privacy Enhanced Mail, 455 privacy enhancing technologies, 478 private key cryptosystem, 324, 603 private key generator, 273 private watermarking, 655 privilege, 25, 282, 479 privilege management, 479 PRNG, 485, 486, 487 proactive group signature, 455 proactive password, 455 proactive threshold cryptography, 609 proactive threshold signature, 612 probabilistic algorithm, 94 probabilistic primality test, 480 probabilistic public-key encryption, 480 Probabilistic Signature-Encryption Padding, 582 probabilistic signature scheme, 530, 534 probabilistic SSS, 545 probable prime, 470, 472, 480, 485 product cipher, superencryption, 202, 480 proof of knowledge vs proof of membership, 481 proofs of membership, 481 propagation characteristics of Boolean functions, 55, 481 propagation criterion, 481 proposed encryption standard, 271 protection, protection profile, 87, 229 protocol, 482 Proton, 362, 482 provable prime, 472 provable security, 12 prover, 297, 593 provisioning, 283 proxy encryption, 488 proxy signatures, 490 PSAM, 66 PSD, 
178 PSEC-KEM, 411 PSEP, 582 pseudo-Hadamard transform, 638 pseudo Mersenne prime, 482 pseudo-noise sequence, 483 pseudonym, 476, 477, 483 pseudonymity, 10 pseudoprime, 472, 484 pseudo-random function, 146, 485 pseudo-random number generator, 485 pseudo-random permutation, 358, 359 pseudo-random sequence, 242 PSS, 530, 534 PSS-R, 530, 581 public key based protocol, 222 public key certificate, 67 public key cryptography, 487 public key cryptography standards, 459 Public Key Infrastructure, 488 public key proxy encryption, 488 public key proxy signatures, 490 public key stegosystem, 163 public key watermarking, 656 public watermarking, 655 publicly verifiable secret sharing, 646 purchase secure application module, 66 pure circulating register, 139 681 pure cryptosystem, 119 purse, 394 Q Q-matrix, 30 QS, 493–95 quadratic complexity, 139 quadratic Frobenius test, 437 quadratic non-residue, 493 quadratic reciprocity law, 317 quadratic residue, 493 Quadratic Residuosity Problem, 493 quadratic sieve, 295, 438, 493–95 quantum cryptography, 495–98 quartet, 149 quaternary alphabet, quick mode IPsec, 312 R RA, 518 Rabin cryptosystem, 501 Rabin digital signature scheme, 502 Rabin-Miller test, 291, 436, 437 Rabin’s primality test, 473, 474, 475 RACE project, 408, 409 radio frequency attacks, 503 rainbow tables, 615 ramp scheme, 545 random bit generation (hardware), 509 random key, 324 random oracle model, 514 random preimage attack, 259 random sequence, 323 random squares method, 294 randomized algorithm, 94, 95 randomness postulates of Golomb, 242 randomness source, 511 rank metric, 376 rational points, 186 RC2, 515, 518 RC4, 515 RC5, 515 RC6, 516 rchop, 386, 387 reactive defense password, 455 receipt-free problem, 180 receiver deniable encryption, 142 recipient anonymity, 517 recipient unobservability, 517 record layer, 548 rectangle attack, 56, 62, 150 reduced, 346 reducible polynomial, 313 reduction, 93, 94 reductionist, 443 redundancy, 290 Reed-Muller codes, 517 
Reed–Solomon code, 125 Registration Authority, 518 re-keying, 245, 247 related key attack, 518 relationship anonymity, 88 relationship pseudonym, 484 682 Index relatively prime, 519 relay attack, 519 reliability, 174, 176, 245, 606 relying party, 67, 594 remote DoS attack, 143 repeated key, 323 replay attack, 80, 312, 329, 519 repository, 283, 617 representation (lambda), 194 request for comment, 455, 459 resettable zero-knowledge, 672 residue class, 206, 391 resilience, 612 resiliency order, 83, 105 resilient, 55, 105 response, 519 resynchronization attack, 519 retail MAC, 64, 65, 365 reversed alphabet, 10 revocable credentials, 110 revocation scheme, 56, 57, 278, 669 RF attack, 503 RFC, 366, 455, 459 right, 462, 520 right-to-left exponentiation, 33, 520, 583, 588, 640 rights management, 520 Rijndael, 520–24 ring, 524 ring homomorphism, 268 RIPE, 408, 409, 411 RIPEMD family, 260, 366, 524 risk, 629 risk management, 200 RMAC, 65, 366 robust, 612, 655 Rohrbach’s maxim, 371 role hierarchy, root CA, 564 rotor, 116 round, 245, 480 round function, 41, 258 rounds complexity, 245 RP, 67, 594 RS code, 125 RSA assumption, 532, 534, 537 RSA-CRT, 666 RSA cryptosystem, 527, 528, 537 RSA digital signature scheme, 527 RSA factoring challenge, 531 RSA-KEM, 411 RSA number, 531 RSA problem, 532, 537 RSA-PSS, 410 RSA public-key encryption, 536 Rule Book, 52 run, 539 run property, 373 running-key, 323, 539 running time, 92 S SA, 311, 312 SAC, 55 SAEP+, 444 safe prime, 541 safeguard selection, 629 SAFER, 518, 627 sally, 462 salt, 541 SAML, 479 SAN, 602 SASAS, 405 Satoh’s algorithm, 190 saturation attack, 405, 639 SBEMP, 504 scalable GKE, 245 scalar multiplication, 191, 244, 608 scanning electron microscope, 302 Schnorr digital signature scheme, 541 Schnorr Identification, 542 Schoof ’s algorithm, 190 SDA, 198 SDMI, 656 SDSI, 593 SDSI names, 593, 594 SEAL, 543 second preimage resistance, 257, 543 secrecy, 118 secret key cryptosystem, 325, 603 secret sharing scheme, 544 secretive 
defense password, 455 secure channel, 568 secure digital music initiative, 656 Secure Electronic Transactions, 176, 564 Secure Hash Algorithm, 565 secure HTTP, 268 Secure Shell, 596 secure signatures from the “strong RSA” assumption, 546 Secure Socket Layer (SSL), 14, 548 SecureID, 367 security, 12, 551 Security Architecture, 551 security assertion markup language, 479 security association, 311 security association database, 311 security boundary, 456 Security Evaluation Criteria, 552 security gateways, 311 security label, security level, 228, 229 security module, 254 security parameter, 93, 551 security parameter index, 311 security policy, 660, 663 security policy database, 311 security standards activities, 552 security target, 86, 456 seed, 485 selective forgery, 363, 558 self-initializing Quadratic Sieve, 495 self-reciprocal permutation, 600 self-reducibility, 533 self-shrinking generator, 558 self-synchronizing stream cipher, 559 seller, 462 SEM, 302 SEMA, 171 semagram, 118 semantic security, 417, 559 semi-honest adversary, 399 semi-weak key, 130 sender anonymity, 560 sender deniable encryption, 142 sensitivity level, sensor, 299, 300 sensor module, 35 sequences, 560 sequential composition, 672 Serpent, 563 ServerHello, 549 session key, 244, 324, 329, 457 session pseudonym, 484 SET, 176, 564 S-expression, 594 SFLASH, 410, 411 SGEMP, 505 SHA family (Secure Hash Algorithm), 410, 565 SHACAL, 410, 411 Shamir’s threshold scheme, 567 Shamir’s ultimate knapsack scheme, 336 Shamir–Zippel scheme, 335 Shank’s baby–step giant–step method, 165 Shannon’s maxim, 372 Shannon’s main theorem, 290 Shannon’s model, 568 Shannon theory, 289, 290 share, 568 sharing rules, 545 SHARK, 298 Shawe-Taylor’s algorithm, 474, 475 shift-and-add property, 373 shift register sequence, 373 shifted alphabet, 10 Shăonhage and Strasse method, 403 short digital signatures, 49 shortest vector problem, 569 shrinking generator, 570 shuffling procedure, 180 side-channel analysis, 571 side-channel 
attacks, 576 Siegenthaler, 105 sieve of Eratosthenes, 471 sieving, 577 sieving in function fields, 577 sieving technique, 287 SIGABA, 117 SIGMYC, 117 sign function, 54 signature, 158, 299, 463 signcryption, 578 signed digit exponentiation, 583 signer’s security, 214 signing algorithm, 158 silo, 285 simple distributed security infrastructure, 593 simple electromagnetic analysis, 171 simple mail transport protocol, 231 simple power analysis, 152, 171, 302, 573 Index simple public key infrastructure, 593 simple substitution, 343, 601 Simplified Asymmetric Encryption Padding, 444 simultaneous exponentiation, 584 simultaneous security, 253 simultaneous sliding window exponentiation, 585 single sign-on, 283 singleton bound, 126 size, 545 Skipjack, 327, 586 Sky Videocrypt system, 367 slid pair, 587 slide attack, 587 slide-with a twist, 587 sliding window exponentiation, 588 SLN, 602 slow key-schedule, 133 small polynomial, 465 smartcard tamper resistance, 218, 306, 590 S/MIME, 554, 591 smooth number, 493, 592 smooth polynomial, 592 smoothness, 592 smoothness probability, 593 SMTP, 231 Snefru, 628 SNFS, 430, 431 sniffing, 663 SNORT, 301 SOBER-128, 19 software attack, 302, 590 Solitaire, 593 Solovay & Strassen’s primality test, 473, 475 Sophie Germain prime, 541 soundness, 146, 298, 641 SP network, 41, 602 SPA, 152, 171, 302, 573 SPD, 311 special NFS, 430, 431 special purpose primality test, 437, 438 SPKI/SDSI, 555, 593 SPN, 602 spoofing, 144, 232 square-and-multiply algorithm, 33, 537 square attack, 62, 405 square-root bound, 21 SQUFOF algorithm, 494 SSH, 14, 596 SSL-protocol, 123, 548 stage, 355 standard alphabet, 10 state, 355 stateful firewall, 232 stateless, 56, 57 static, 25, 325, 612 static adversary, 399 static data authentication, 198, 199 static group signature, 250 static off-line CAM, 198 station-to-station protocol, 596 statistical cryptanalysis, 44 statistical test, 487 statistical zero knowledge, 671 statistically secure steganography, 161 steganography, 118, 
159–63 stegosystem, 159, 160 stegotext, 159 Steiner’s algorithm, 31 stop-and-go generator, 350 straddling cipher, 601 straddling encryption, 601 stream cipher, 596, 601 strict avalanche criterion, 55 strong liar, 473 strong prime, 597 strong pseudoprime, 473 strong pseudoprime test, 436, 473 strong RSA assumption, 534, 546, 597 strongly unforgeable, 14 structural cryptanalysis, 598 structures, 152, 287 STS protocol, 596 sub-exponential time, 598 subfield, 211 subfield inversion, 309 subfield operations, 448 subgroup, 598 subgroup cryptosystems, 598 subject, 595 subliminal channel, 106 subpolynomial time, 465 subscriber registration model, 631 subset difference method, 57 subset sum problem, 96, 333 substitution, 130, 458, 599–601 substitution-affine network, 602 substitution attack, 21 substitution cipher, 600 substitution-linear network, 602 substitution-permutation (SP) network, 602 substitution-permutation sandwich, 602 successive minima, 346 summation generator, 602 sum-of-squares indicator, 55 super pseudorandom permutation, 359 superelliptic curves, 577 superencryption, 202, 480 superimposition, 115 superincreasing sequence, 333 supersingular curve, 185 support, 53 SVP, 569 S.W.I.F.T., 52, 366 symmetric cryptosystem, 11, 325, 602 symmetric proxy encryption, 489 symmetric proxy signature scheme, 490 symmetry of position, 115 synchronous stream cipher, 603 systematic cyclic code, 124 T T method, 149 table attack, 43 tag, 21, 595 tamper detection, 605 tamper resistance, 605 683 tamper response, 605 Tandem Davies-Meyer hash function, 263 tapping sequence, 223 target collision resistant, 643 target LFSR, 216 Target of Evaluation, 229 Tate pairing, 187, 273, 275 TC, 198, 200 TCP, 230, 231, 232 TCPA, 101 TCR, 643 TCSEC, 552 TDEA, 626 TEA, 518 teardrop, 300 TED, 506 Telepass, 367 teletype alphabet, tempest, 170, 605 ternary alphabet, TGS, 329 theta-notation, 447 three-GPP-MAC, 65, 366 threshold authentication, 606 threshold cryptography, 606–10 threshold decryption, 
606, 607 threshold pseudorandomness, 606 threshold scheme, 606, 608 threshold security, 606 threshold signature, 399, 400, 607, 611–13 threshold subject, 595 threshold tracing, 623 Through Transport Club, 52 ticket, 99, 329 ticket granting server, 329 t-identifiable parent property, 226 time-memory tradeoff, 43, 614 time stamping, 71, 329, 616–19 timing attack, 302, 384, 619 title registry, 52 TLS, 120, 122, 123, 362, 366, 554, 624 TM system, 463 TOE, 229 token, 621 Toom-Cook multiplication, 402 TOS, 311 total break, 37, 43 totient function, 394 TR, 52 trace function, 53, 127, 192, 374, 571, 573, 599 traceability, 251, 613 tracing for watermarking, 225 tracing mechanism, 56 traffic normalization, 232 traitor, 621 traitor tracing, 101, 225, 621 transaction pseudonym, 484 transform, 310, 311 transform mode, 311 transient electromagnetic device, 506 transitive signature, 238 translucent, 489, 490 transmission control protocol, 230, 231 transparent, 489, 490 684 Index Transport Layer Security (TLS), 14, 554, 624 transposition, 343, 601 transposition cipher, 601 trapdoor one-way function, 625 trapdoor permutation, 625 treble key, 323 trial division, 292, 471 Triple DES, 133, 626 triple encryption, 46 Trojan horses, computer viruses and worms, 627, 648, 663 truncated differentials, 149, 383, 627 Trust Management system, 463 trust model, 628–36 trust model business controls, 634 trust relationship, 628 trusted access structure, trusted authority, 637 trusted Center, 245 trusted computer system evaluation criteria, 552 trusted computing platform alliance, 101 trusted group authority, 250, 612, 645 trusted path, 229, 454 trusted third party, 630 Trusted Third Party, 637 truth table, 53 TS, 71 TTP, 637 tunnel mode, 311 tweakable blockcipher, 17 TWINKLE, 637 TWIRL, 637 twisted construction, 22 two-factor authentication, 638 Twofish, 638 two-key triple encryption, 46 two-tier hierarchy, 632 two-to-the-k-ary exponentiation, 639 Two-Track-MAC, 366, 410, 411 type of service bits, 
311 TYPEX, 117 U UDP, 230, 231, 232, 311 UMAC, 14, 410, 411 unauthorized decryption, 202 unconditional authentication, 21 unconditional blindness, 38 unconditional security, 21, 551 undeniable signature, 73, 641 undercover agent trust, 181 unforgeability, 145, 214, 251, 490, 613, 641 unicity distance, 42, 290 unilateral identity verification protocol, 285 unipartite substitution, 601 unique SVP, 348 unit, 524 universal break, 37 universal conversion operation, 642 universal nonlinearity bound, 416 Universal One-Way Hash Functions (UOWHF), 257, 643 universal padding schemes, 582 universal statistical test, 487 universal stegosystem, 162 universal verifiability, 145, 642 unlinkability, 251, 644 unlinkable credentials, 110 unobstrusiveness, 655 untraceability, 644 unveil phase, 84 UOWHF, 643 U.S FPKI, 556 user authentication, 644 user data protocol, 311 user datagram protocol, 230, 231 uSVP, 348 V validation, 616 validity, 595 validity of conversion, 146 vcc glitch, 218 vector-addition chain, 236 verifiable encryption, 645 verifiable forgery, 363, 364 verifiable mix protocol, 385 verifiable secret sharing, 645 verification algorithm, 158 verification scheme, 34 verifier, 272, 297, 593 Vernam cipher, 647 Vernam table, 647 Vernam type, 290 veronym, 476, 477 ` Vigenere encryption, 648 Vigen`ere table, 648 vircator, 506 Vircator, 506 virtual private network, 310 virus, 627 virus protection, 648–51 virus scanner, 627 visual secret sharing scheme, 652 vocabulary, 10 VPN, 310 VSS, 645 VSSS, 652 W WAKE-ROFB, 588 walled garden, 285 wallet, 180–82, 394 wallet database, 111 Walsh transform, 54, 104, 105, 217 watermarking, 161, 225, 655 weak collision resistance, 257 weak keys, 271, 656 weak plaintext awareness, 443, 444 web browser security, 657 web of trust, 468 web security, 657–65 wedge device, 198 Wegman-Carter construction, 14, 16, 18 Weierstrass equation, 183 weight, 124 Weil descent, 188 Weil pairing, 49, 187, 275 Weil’s theorem, 186 WEP, 13 Whirlpool, 261, 410, 411 
whitening, 46, 146, 576 wide-sense fingerprinting, 226 wide trail strategy, 521 width-w NAF, 193 Wiener, Boneh-Durfee and May attacks on the RSA public key cryptosystem, 666 Wi-Fi, 515 winnowing, 72 wired equivalent privacy protocol, 13 wireless, 1, 515 witness, 480, 617 witness hiding, 667 witness indistinguishability, 667 worm, 627, 648 X X.509, 68, 69, 553, 629, 631, 634, 669 XACML, 479 XCBC, 15, 64, 365 XECB, 13, 15, 366 xedni calculus, 187 XEDNI calculus, 289 XML, 555, 595 XOR-MAC, 365, 366 XTR, 599 Y yoyo-game, 587 Z zero-divisor, 524 zero-knowledge, 286, 671 zero-knowledge interactive proof, 298, 671 zero-knowledge penetration test, 456 zig-zag exhaustion, 116 zombies, 144 .. .ENCYCLOPEDIA OF CRYPTOGRAPHY AND SECURITY i ii ENCYCLOPEDIA OF CRYPTOGRAPHY AND SECURITY Editor-in-chief Henk C.A van Tilborg Eindhoven University of Technology The Netherlands iii Library of. .. study one of the many books on computer and information security or cryptology At the end of 2001, the idea to write an easily accessible encyclopedia on cryptography and information security. .. Brewer, D and M Nash (1989) “The chinese wall security policy.” Proc IEEE Symposium on Security and Privacy, 206–214 [4] Clark, D.D and D.R Wilson (1987) “A comparison of commercial and military