173. R. Bird, I. Gopal, A. Herzberg, R Janson, S. Kutten, R. Molva, and M. Yung, "Systematic Design of Two-Party Authentication Protocols, " Advances in Cryptology CRYPTO' Proceedings, Springer-Verlag, 1992, pp. 44-61.

174. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, "System atic Design of a Family of Attack-Resistant Authentication Protocols, " IEEE journal of Selected Areas in Communication, to appear.

175. R. Bird, I. Gopal, A. Herzberg R Janson, S. Kutten, R. Molva, and M. Yung, "A Modu lar Family of Secure Protocols for Authentication and Key Distribution," IEEE/ACM Transactions on Networking, to appear.

176. M. Bishop, "An Application for a Fast Data Encryption Standard Implementation, " Computing Systems, v. 1, n. 3, 1988, pp. 221-254.

177. M. Bishop, "Privacy-Enhanced Electronic Mail," Distributed Computing and Cryptography, J. Feigenbaum and M. Merritt, eds., American Mathematical Society, 1991, pp. 93-106.

178. M. Bishop, "Privacy-Enhanced Electronic Mail, " Internetworking: Research and Experience, v. 2, n. 4, Dec 1991, pp. 199-233.

179. M. Bishop, "Recent Changes to Privacy Enhanced Electronic Mail," Internetworking:

Research and Experience, v. 4, n. 1, Mar 1993, pp. 47-59.

180. I.F. Blake, R. Fuji-Hara, R.C. Mullin, and S.A. Vanstone, "Computing Logarithms in Finite Fields of Characteristic Two, " SIAM Journal on Algebraic Discrete Methods, v. 5, 1984, pp. 276-285.

181. I.F. Blake, R.C. Mullin, and S.A. Vanstone, "Computing Logarithms in GF (2n), " Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 73-82.

182. G.R. Blakley, "Safeguarding Cryptographic Keys," Proceedings of the National Computer Conference, 1979, American Federation of Information Processing Societies, v. 48. 1979, pp. 313-317.

183. G.R. Blakley, "One-Time Pads are Key Safeguarding Schemes, Not Cryptosystems Fast Key Safeguarding Schemes (Threshold Schemes Exist ), " Proceedings of the Symposium on Security and Privacy, IEEE Computer Society. Apr 1980, pp. 108-113.

184. G.R. Blakley and I. Borosh, "Rivest-Shamir-Adleman Public Key Cryptosystems Do Not Always Conceal Messages," Computers and Mathematics with Applications, v. 5, n. 3, 1979, pp. 169-178.

185. G.R. Blakley and C. Meadows, "A Database Encryption Scheme which Allows the Computation of Statistics Using Encrypted Data," Proceedings of the 1985 Symposium on Security and Privacy, IEEE Computer Society, Apr 1985, pp. 116-122.

186. M. Blaze, "A Cryptographic File System for UNIX," 1st ACM Conference on Computer and Communications Security, ACM Press, 1993, pp. 9-16.

187. M. Blaze, "Protocol Failure in the Escrowed Encryption Standard, " 2nd ACM Conference on Computer and Communications security, ACM Press, 1994, pp. 59-67.

188. M. Blaze, "Key Management in an Encrypting File System, " Proceedings of the Summer 94 USENIX Conference, USENIX Association, 1994, pp. 27-35.

189. M. Blaze and B. Schneier, "The MacGuffin Block Cipher Algorithm, " K. U. Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.

190. U. Blocher and M. Dichtl, "Fish: A Fast Software Stream Cipher," Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 41 44.

191. R. Blom, "Non-Public Key Distribution," Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1983, pp. 231-236.

192. K.J. Blow and S.J.D. Phoenix, "On a Fundamental Theorem of Quantum Cryptography, " Journal of Modern Optics, v. 40, n. 1, Jan 1993, pp. 33-36.

193. L. Blum, M. Blum, and M. Shub, "A Simple Unpredictable Pseudo-Random Number Generator," SIAM Journal on Computing, v. 15, n. 2, 1986, pp. 364-383.

194. M. Blum, "Coin Flipping by Telephone: A Protocol for Solving Impossible Problems,'' Proceedings of the 24th IEEE Computer Conference (CompCon), 1982, pp. 133-137.

195. M. Blum, "How to Exchange Secret Keys, " ACM Transactions on Computer Systems, v.

1, n. 2, May 1983, pp. 175-193.

196. M. Blum, "How to Prove a Theorem So No Onc Else Can Claim It," Proceedings of the International Congress of Mathematicians, Berkeley, CA, 1986, pp. 1444-1451.

197. M. Blum, A. De Santis, S. Micali, and G. Persiano, "Noninteractive Zero-Knowledge, " SIAM Journal on Computing, v. 20, n. 6, Dec 1991. pp. 1084-1118.

198. M. Blum, P. Feldman, and S. Micali, "Non Interactivc Zero-Knowledge and Its Applications, " Proceedings of the 20th ACM Symposilzm on Theory of Computing, 1988, pp. 103-112.

199. M. Blum and S. Goldwasser, "An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information," Advances in Cryptology: Proceedings of C RYPTO 84, Springer-Verlag, 1985, pp. 289-299.

200. M. Blum and S. Micali, "How to Generate Cryptographically-Strong Sequences of Pseudo Random Bits," SIAM Journal on Computing, v. 13, n. 4, Nov 1984, pp. 850-864.

201. B. den Boer. "Cryptanalysts of F.E.A.L.," Advances in Cryptology E UROCRYPT ' Proceeding.s, Springer-Verlag, 1988, pp. 293-300.

202. B. den Boer and A. Bosselaers, "An Attack on the Last Two Rounds of MD4, " Advances in Cryptology CRYPTO '91 Proceedings, Springer-Verlag, 1992, pp. 1 94-203.

203. B. den Boer and A. Bosselaers, "Collisions for the Compression Function of M D5," Advances in Cryptology EUROCRYPT 93 Proceedings, Springer-Verlag, 1994, pp. 204. J.-P. Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjolsnes, F. Muller, T. Pedersen, B.

Pfitzmann, R de Rooij, B. Schoenmakers, M. Schunter, L. Vallee, and M. Waidner, "Digital Payment Systems in the ESPRIT Project CAFE, " Securicom 94, Paris, France, 2 6 Jan 1994, pp. 35-45.

205. J.-R Boly, A. Bosselaers, R. Cramer, R. Michelsen, S. Mjolsnes, F. Muller, T. Pcdersen, B.

Pfitzmann, P. de Rooij, B. Schoen makers, M. Schunter, L. Vallee, and M. Waidner, "The ESPRIT Project CAFE High Security Digital Payment System," Computer Security ESORICS 94, Springer-Verlag, 1994, pp. 217-230.

206. D.J. Bond, "Practical Primality Testing," Proceedings of IKE International Conference on Secure Communications Systems, 22-23 Feb 1984, pp. 50-53.

207. H. Bonnenberg, Secure Testing of VSLI Cryptographic Equipment, Series in Microelectronics, Vol. 25, Konstanz: Hartung Gorre Verlag, 1993.

208. H. Bonnenberg, A. Curiger, N. Felber, H. Kacslin, and X. Lai, "VLSI Implementation of a New Block Cipher," Proceedings of the IEEE International Conference on Computer Design: VLSI in Computers and Processors (ICCD 91), Oct 1991, pp. 510 -513.

209. K.S. Booth, "Authentication of Signatures Using Public Key Encryption," Commu nications of the ACM, v. 24, n. 11, Nov 1981, pp. 772-774, 210. A. Bosselaers, R. Govaerts, and J. Vanderwalle, Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1994, pp. 175-186.

211. D.R Bovet and P. Crescenzi, Introduction to the Theory of CompiexiLy, Englewood Cliffs, N.J.: Prenticc-Hall, 1994.

212. J. Boyar, "Inferring Scqucnccs Produced by a Linear Congruential Generator Missing Low-Order Bits." Journal of Cryptology, v. 1, n. 3, 1989, pp. 177-184.

213. J. Boyar, D. Chaum, and I. Damgard, "Convertible Undeniable Signatures," Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 189-205.

214. J. Boyar, K. Fricdl, and C. Lund, "Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies, " Advances in Cryptology EUROCRYPT '89 Proceedings, Springer Verlag, 1990, pp. 155-172.

215. J. Boyar, C. Lund, and R. Peralta, "On the Communication Complexity of Zero Knowledge Proofs, " Journal of Cryptology, v.6, n.2, 1993, pp.65-85.

216. J. Boyar and R. Peralta, "On the Concrete Complexity of Zero-Knowledge Proofs, " Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag 1990, pp. 507-525.

217. C. Boyd, "Some Applications of Multiple Key Ciphers," Advances in Cryptology EUROCRYPT '88 Proceedings, Springer Verlag, 1988, pp. 455-467.

218. C. Boyd, "Digital Multisignatures," Cryptography and Coding, H.J. Beker and F.C. Piper, eds., Oxford: Clarendon Press, 1989, pp. 241-246.

219. C. Boyd, "A New Multiple Key Cipher and an Improved Voting Scheme," Advances in Cryptology EUROCRYPT '89 Proceed ings, Springer-Verlag, 1990, pp. 617 625.

220. C. Boyd, "Multisignatures Revisited," Cryptography and Coding, M.J. Ganley, ed., Oxford: Clarendon Press, 1993, pp. 21-30.

221. C. Boyd and W. Mao, "On the Limitation of BAN Logic, " Advances in Cryptology EUROCRYPT '93 Proceedings, Springer Verlag, 1994, pp. 240-247.

222. C. Boyd and W. Mao, "Designing Secure Key Exchange Protocols," Computer Secu rity ESORICS 94, Springer-Verlag, 1994, pp. 217-230.

223. B. O. Brachtl, D. Coppersmith, M.M. Hyden, S.M. Matyas, C.H. Meyer, J. Oseas, S.

Pilpel, and M. Schilling, "Data Authentication Using Modification Detection Codes Based on a Public One Way Function," U.S. Patent #4,908,861, 13 Mar 1990.

224. J. Brandt, I.B. Damgard, R Landrock, and T. Pederson, "Zero-Knowledge Authentication Scheme with Secret Key Exchange," Advances in Cryptology CRYPTO '88, Springer Verlag, 1990, pp. 583-588.

225. S.A. Brands, "An Efficient Off-Line Electronic Cash System Based on the Representation Problem," Report CS-R9323, Computer Science / Department of Algorithms and Architecture, CWI, Mar 1993.

226. S.A. Brands, "Untraceable Off-line Cash in Wallet with Observers," Advances in Cryptology CRYPTO '93, Springer Verlag, 1994, pp. 302-318.

227. S.A. Brands, "Electronic Cash on the Internet," Proceedings of the Internet Society Symposium on Network and Distributed Systems Secunty, IEEE Computer Society Press 1995, pp 64-84.

228. D.K. Branstad, "Hellman's Data Does Not Support His Conclusion," IEEE Spectrum, v.

16, n. 7, Jul 1979, p. 39.

229. D.K. Branstad, J. Gait, and S. Katzke, "Report on the Workshop on Cryptography in Support of Computer Security, " NBSIR 77-1291, National Bureau of Standards, Sep 21 22, 1976, September 1977.

230. G. Brassard, "A Note on the Complexity of Cryptography, " IEEE Transactions on Information Theory, v. IT-25, n. 2, Mar 1979, pp. 232-233.

231. G. Brassard, "Relativized Cryptography," Proceedings of the IEEE 20th Annual Symposium on the Foundations of Computer Science, 1979, pp. 383-391.

232. G. Brassard, "A Time-Luck Trade -off in Relativized Cryptography, " Proceedings of the IEEE 21st Annual Symposium on the Foundations of Computer Science, 1980, pp. 380 386.

233. G. Brassard, "A Time-Luck Tradeoff in Relativized Cryptography," Journal Of Computer and System Sciences, v. 22, n.3, Jun 1981, pp. 280-311.

234. G. Brassard, "An Optimally Secure Relativized Cryptosystem," SIGACT News, v. 15, n. 1, 1983, pp. 28-33.

235. G. Brassard, "Relativized Cryptography," IEEE Transactions on Information Theory, v.

IT-29, n. 6, Nov 1983, pp. 877-894.

236. G. Brassard, Modern Cryptology: A Tuto rial, Springer-Verlag, 1988.

237. G. Brassard, "Quantum Cryptography: A Bibliography," SIGACT News, v. 24, n. 3, Oct 1993, pp. 16-20.

238. G. Brassard, D. Chaum, and C. Crepeau, "An Introduction to Minimum Disclosure," CWI Quarterly v. 1, 1988, pp. 3-17.

239. G. Brassard, D. Chaum, and C. Crepeau, "Minimum Disclosure Proofs of Knowledge," Journal of Computer and System Sciences, v. 37, n.2, Oct 1988, pp. 156-189.

240. G. Brassard and C. Crepeau, "Non-Transitive Transfer of Confidence: A Perfect Zero Knowledge Interactive Protocol for SAT and Beyond," Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986, pp. 188-195.

241. G. Brassard and C. Crepeau, "Zero- Knowledge Simulation of Boolean Circuits," Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 22 5-233.

242. G. Brassard and C. Crcpeau, "Sorting Out Zcro-Knowlcdge, " Advances in Cryptology EUROCRYPT '89 Proceedings, Springcr-Vcrlag, 1990, pp. 181-191.

243. G. Brassard and C. Crcpcau, "Quantum Bit Commitment and Coin Tossing Protocols, " Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 49-61.

244. G. Brassard, C. Crepeau, R. Jozsa, and D. Langlois, "A Quantum Bit Commitment Schcmc Provably Unbreakable by Both Parties, " Proceedings of the 34th IEEE Symposium on Foundations of computer Science, 1993, pp. 362-371.

245. G. Brassard, C. Crepeau, and J.-M. Robert, ''Information Theoretic Reductions Among Disclosure Problems, " Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986, pp. 168-173.

246. G. Brassard, C. Crcpeau, and J.-M. Robert, "All-or-Nothing Disclosure of Secrets, " Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 234-238.

247. G. Brassard, C. Crepeau, and M. Yung, "Everything in NP Can Be Argued in Perfect Zero Knowledge in a Bounded Number of Rounds," Proceedings on the 16th Inter national Colloquium on Automata, Languages, and Programming, Springer-Verlag, 1989, pp. 123 136.

248. R.P. Brent, "An Improved Monte-Carlo Factorization Algorithm," BIT v. 20, n. 2, 1980, pp. 176-184.

249. R.P. Brent, "On the Periods of Generalized 261. Fibonacci Recurrences, Mathematics of Computation, v 63, n. 207, Jul 1994, pp. 389-401.

250. R.R Brent, "Parallel Algorithms for Integer Factorization," Research Report CMA-R49-89, Computer Science Laboratory The Australian National University, Oct 1989.

251. D.M. Bressotid, Factorization and Primality Testing, Springer-Verlag, 1989.

252. E.F. Brickcll, "A Fast Modular Multiplication Algorithm with Applications to Two Key Cryptography," Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1982, pp. 51-60.

253. E.F. Brickell, "Are Most Low Density Polynomial Knapsacks Solvable in Polynomial Timer" Proceedings of the 14th Southeastern Conference on Combinatorics, Graph Theory, and Computing, 1983.

254. E.F. Brickell, "Solving Low Density Knapsacks," Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 25-37.

255. E.F. Brickell, "Breaking Iterated Knapsacks," Advances in Cryptology: Proceedings of Crypto 84, Springer-Verlag, 1985, pp. 342-358.

256. E.F. Brickell, "Cryptanalysts of the Uagisawa Public Key Cryptosystem," Abstracts of Papers, EUROCRYPT '86, 20-22 May 1986.

257. E.F. Brickell, "The Cryptanalysis of Knapsack Cryptosystems, " Applications of Discrete Mathematics, R.D. Ringeisen and F.S. Roberts, eds., Society for Industrial and Applied Mathematics, Philadelphia, 1988, pp. 3-23.

258. E.F. Brickell, "Survey of Hardware Implementations of RSA, " Advances in Cryptology CRYPTO '89 Proceedings, Springcr-Verlag, 1990, pp. 368-370.

259. E.F. Brickell, D. Chaum, I.B. Damgard, and J. van de Graff, "Gradual and Verifiable Release of a Secret," Advances in Cryptology CRYPTO '87 Proceedings, Springer-Verlag, 1988, pp. 156-166.

260. E.F. Brickell, J.A. Davis, and G.J. Simmons, "A Preliminary Report on the Cryptanalysis of Merkle-Hellman Knapsack, " Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1983, pp. 289-303.

261. E.F. Brickell and J. DeLaurentis, "An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, " Advances in Cryptology CRYPTO '85 Proceedings, Springer Verlag, 1986, pp. 28-32.

263. E.F. Brickell, J.C. Lagarias, and A.M. Odlyzko, "Evaluation of the Adleman Attack of Multiple Iterated Knapsack Cryptosystems," Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 39-42.

264. E.F. Brickell, RJ. Lee, and Y. Yacobi, "Secure Audio Teleconference," Advances in Cryptology CRYPTO '87 Proceedings, Springer-Verlag, 1988, pp. 418 426.

265. E. F. Brickell and K. S. McCurley, "An Interactive Identification Scheme Based on Discrete Logarithms and Factoring, " Advances in Cryptology EUROCRYPT ' Proceedings, Springer-Verlag, 1991, pp. 63-71.

266. E.F. Brickell, J.H. Moore, and M.R. Purtill, "Structure in the S-Boxes of the DES," Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 3-8.

267. E.F. Brickell and A.M. Odlyzko, "Crypt analysis: A Survey of Recent Results," Pro ceedings of the IEEE, v. 76, n. 5, May 1988, 279. pp. 578-593.

268. E.F. Brickell and A.M. Odlyzko, "Crypt analysis: A Survey of Recent Results," Contemporary Cryptology: The Science of Information Integnty, G.J. Simmons, ed., IEEE Press, 1991, pp. 501-540.

269. E.F. Brickell and G.J. Simmons, "A Status Report on Knapsack Based Public Key Cryptosystems, " Congressus Numeran tium, v. 7, 1983, pp. 3-72.

270. E.F. Brickell and D.R. Stinson, "The Detection of Cheaters in Threshold Schemes," Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp. 564 577.

271. A.G. Broscius and J.M. Smith, "Exploiting Parallelism in Hardware Implementation of the DES, " Advances in Cryptology CRYPTO '91 Proceedings, Springer-Verlag, 1992, pp. 367-376.

272. L. Brown, M. Kwan, J. Pieprzyk, and J. Seberry, "Improving Resistancc to Differential Cryptanalysis and the Redesign of LOKI, " Advances in Cryptology ASIACRYPT ' Proceedings, Springer-Verlag, 1993, pp. 36-50.

273. L. Brown, J. Pieprzyk, and J. Seberry, "LOKI: A Cryptographic Primitive for Authentication and Secrecy Applications," Advances in Cryptology AUSCRYPT ' Proceedings, Springer Verlag, 1990, pp. 229-236.

274. L. Brown, J. Pieprzyk, and J. Seberry, "Key Scheduling in DES Type Cryptosystems," Advances in Cryptology A IJSCRYPT '90 Proceedings, Springer-Verlag, 1990, pp. 221 228.

275. L. Brown and J. Seberry, "On the Design of Permutation P in DES Type Cryptosystems," Advances in Cryptology EUROCRYPT '89 Proceedings, Springer-Verlag, 1990, pp. 696 705.

276. W. Brown, "A Quantum Leap in Secret Communications, " New Scientist, n. 1585, 30 Jan 1993, p. 21.

277. J.O. Bruer, "On Pseudo Random Sequences as Crypto Generators," Proceedings of the International Zurich Seminar on Digital Communication, Switzerland, 1984.

278. L. Brynielsson "On the Linear Complexity of Combined Shift Register Sequences," Advances in Cryptology EUROCRYPT '85, Springer-Verlag, 1986, pp. 156-166.

279. J. Buchmann, J. Loho, and J. Zayer, "An Implementation of thc General Number Field Sieve, " Advances in Cryptology CRYPTO '93 Proceedings, Springer-Verlag, 1994, pp.

159-165.

280. M. Burmester and Y. Desmedt, "Broadcast Interactive Proofs," Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 81-95.

281. M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System, " Advances in Cryptology EUROCRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

282. D. Burnham, "NSA Seeking 500,000 'Secure' Telephones," The New York Times, 6 Oct 1994.

283. M. Burrows, M. Abadi, and R. Needham, "A Logic of Authentication, " Research Report 39, Digital Equipment Corp. Sys- tems Research Center, Feb 1989.

284. M. Burrows, M. Abadi, and R. Needham, "A Logic of Authentication," ACM Trans actions on Computer Systems, v. 8, n. 1, Feb 1990, pp. 18-36.

285. M. Burrows, M. Abadi, and R. Needham, "Rejoinder to Nessett," Operating System Review, v. 20, n. 2, Apr 1990, pp. 39 40.

286. J.J. Cadc, "A Modification of a Broken Pu blic-Key Cipher," Advances in Cryptology CRYPTO '86 Proceedillgs, Springer- Verlag, 1987, pp. 64-83.

287. T.R. Cain and A.T. Sherman, "How to Break Gifford's Cipher, " P roceedings of the 2nd Annual ACM Conference Computer and Communications Security 300 ACM Press, 1994, pp. 198-209.

288. C. Calvelli and V Varadharajan, "An Analysis of Some Delegation Protocols for Distributed Systems, " Proceedings of the Computer Security Foundations Workshop V, IEEE Computer Society Press, 1992, pp. 92-110.

289. J.L. Camenisch, J.-M. Piveteau, and M.A. Stadler, "An Efficient Electronic Payment System Protecting Privacy," Computer Security ESOR ICS 94, Springer-Verlag, 1994, pp. 207-215, 290. P. Camion and J. Patarin, "The Knapsack Hash Function Proposed at Crypto '89 Can Be Broken," Advances in Cryptology EUROCRYPT '91, Springer-Verlag, 1991, pp. 39 53.

291. C.M. Campbell, "Design and Specification of Cryptographic Capabilities," IEEE Computer Society Magazine, v. 16, n. 6, Nov 1978, pp. 15 19.

292. E.A. Campbell, R. Safavi-Naini, and PA. Pleasants, "Partial Belief and Probabilistic Reasoning in the Analysis of Secure Protocols," Proceedings of the Computer Security Foundations Workshop V, IEEE Computer Society Press, 1992, pp. 92-110.

293. K.W. Campbell and M.J. Wiener, "DES Is Not a Group," Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, pp. 512-520.

294. Z.F. Cao and G. Zhao, "Some New MC Knapsack Cryptosystems, " CHINACRYPT 307.

'94, Xidian, China, 11-15 Nov 1994, pp. 70-75. (In Chinese.) 295. C. Carlet, "Partially-Bent Functions, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1993, pp. 280 -291.

296. C. Carlet, "Partially Bent Functions," Designs, Codes and Cryptography. v. 3, 1993, pp.

135-145.

297. C. Carlet, "Two New Classes of Bent Functions" Advances in Cryptology EU ROCRYPT '93 Proceedings, Springer Vcrlag, 1994, pp. 77-101.

298. C. Carlet, J. Seberry, and X.M. Zhang, "Comments on Generating and Counting Binary Bent Sequences,' " IEEE Transac tions on Information Theory v. IT-40, n. 2, Mar 1994, p. 600.

300. J.M. Carroll, "The Three Faces of Information Security," Advances in Cryptology AUSCRYPT '90 Proceedings, Springer-Verlag, 1990, pp. 433 -450.

301. J.M. Carroll, "'Do-it-yourself' Cryptography," Computers & Security v. 9, n. 7, Nov 1990, pp. 613-619.

302. T.R. Caron and R.D. Silverman, "Parallel Implementation of the Quadratic Scheme," Journal of Supercomputing, v. 1, n. 3, 1988, pp. 273-290.

303. CCITT, Draft Recommendation X.509, "The Directory Authentication Framework," Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1987.

304. CCITT, Recommendation X.509, "The Directory Authentication Framework, " Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1989.

305. CCITT, Recommendation X.800, "Security Architecture for Open Systems Interconnection for CCITT Applications, " International Telephone and Telegraph. International Telecommunications Union, Geneva, 1991.

306. F. Chabaud, "On the Security of Some Cryptosystems Based on Error-Correcting Codes," Advances in Cryptology EURO- CRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

307. F. Chabaud and S. Vaudenay, "Links Between Differential and Linear Cryptanalysis, " Advances in Cryptology- EUROCRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

308. W.G. Chambers and D. Gollmann, "Generators for Sequences with Near-Maximal Linear Equivalence," IKE l'roceedings, V. 135, Pt. E, n. 1, Jan 1988, pp. 67-69.

309. W.G. Chambers and D. Gollmann, "Lock-In Effect in Cascades of Clock-Controlled Shi ft Registers, " Advances in Cryptology EUROCRYPT '88 Proceedings, Springer-Verlag, 1988, pp. 331-343.

310. A. Chan and R. Games, "On the Linear Span of Binary Sequences from Finite Geometries, " Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 405 417.

311. J.R Chandler, D.C. Arrington, D.R. Berkel- hammer, and W.L. Gill, "Identification and Analysis of Foreign Laws and Regulations Pertaining to the Use of Commercial Encryption Products for Voice and Data Communications, " National Intellectual Property Law Institute, George Washing- ton University, Washington, D.C., Jan 1994.

312. C.C. Chang and S.J. Hwang, "Cryptographic Authentication of Passwords, " Proceedings of the 25th Annual 1991 IEEE International Carnahan Conference on Security Technology, Taipei, Taiwan, 1-3 Oct 1991, pp. 126-130.

313. C.C. Chang and S.J. Hwang, "A Strategy for Transforming Public-Key Cryptosystems into Identity-Based Cryptosystems." Proceedings of the 25th Annual 1991 IEEE International Carnahan Conference on Security Technology, Taipei, Taiwan, 1-3 Oct 1991, pp. 68-72.

314. C.C. Chang and C.H. Lin, "An ID-Based Signature Scheme Based upon Rabin's Public Key Cryptosystem, " Proceedings of the 25th Annual 1991 IEEE International Carahan Conference on Secunty Technology, Taipei, Taiwan, 1-3 Oct 1991, pp. 139-141.

315. C. Charnes and J. Pieprzyk, "Attacking the SL2 Hashing Scheme," Advances in Cryptology ASIACRYPT '94 Proceedings, Springer-Verlag, 1995, pp. 322-330.

316. D. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, " Communications of the ACM,v.24,n.2,Febl981,pp.84 88.

317. D. Chaum, "Blind Signatures for Untraceable Payments," Advances in Cryptology:

Proceedings of Crypto 82, Plenum Press, 1983, pp. 199-203.

318. D. Chaum, "Security Without Identification: Transaction Systems to Make Big Brother Obsolete, " Communications of the ACM, v. 28, n. 10, Oct 1985, pp. 1030-1044.

319. D. Chaum, "Demonstrating that a Public Predicate Can Be Satisfied without Revealing Any Information about How, " Advances in Cryptology CRYPTO '86 Proceedings, Springer Verlag, 1987, pp. 159-199.

320. D. Chaum, "Blinding for Unanticipated Signatures," Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Vcrlag, 1988, pp. 227-233.

321. D. Chaum, "The Dining Cryptographers Problem: Unconditional Sender and Receiver Untraceability, " Journal of Cryptology, v. 1, n. 1, 1988, pp. 65-75.

322. D. Chaum, "Elections with Unconditionally Secret Ballots and Disruptions Equivalent to Breaking RSA," Advances in Cryptology EUROCRYPT '88 Proceedings. Springer-Verlag, 1988, pp. 177-181.

323. D. Chaum, "Blind Signature Systems, " U.S. Patent #4,759,063, 19 Jul 1988.

324. D. Chaum, "Blind Unanticipated Signature Systems," U.S. Patent #4,759,064, 19 Jul 1988.

325. D. Chaum, "Online Cash Checks, " Advances in Cryptology EUROCRYPT ' Proceedings, Springcr-Verlag, 1990, pp. 288-293.

326. D. Chaum, "One-Show Blind Signature Systems," U.S. Patent #4,914,698, 3 Apr 1990.

327. D. Chaum, "Undeniable Signature Systems," U.S. Patent #4,947,430, 7 Aug 1990.

328. D. Chaum, "Returned-Value Blind Signature Systems," U.S. Patent #4,949,380, 14 Aug 1990.

329. D. Chaum, "Zero-Knowledge Undeniable Signatures, " Advances in Cryptology EUROCRYPT '90 Proceedings, Springer-Verlag, 1991, pp. 458-464.

330. D. Chaum, "Group Signatures," Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 2.57-265.

331. D. Chaum, "Unpredictable Blind Signature Systems," U.S. Patent #4,991,210, 5 Feb 1991.

332. D. Chaum, "Achieving Electronic Privacy," Scientific American, v. 267, n. 2, Aug 1992, pp.

96-101.

333. D. Chaum, "Designated Confirmer Signatures," Advances in Cryptology E UROCRYPT ' Proceedings, Springer-Verlag, 1995, to appear.

334. D. Chaum, C. Crepeau, and I.B. Damgard, "Multiparty Unconditionally Secure Protocols, " Proceedings of the 20th ACM Symposium on the Theory of Computing, 1988, pp. 11-19.

335. D. Chaum, B. den Boer, E. van Heyst, S. Mjolsnes, and A. Steenbeek, "Efficient Offline Electronic Checks," Advances in Cryptology E UK OCRYPT '89 Proceedings, Springer Verlag, 1990, pp. 2Y4-301.

336. D. Chaum and J.-H. Evertse, "Cryptanalysis of DES with a Reduced Number of Rounds;

Scqucnces of Linear Factors in Block Ciphers, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 192-211.

337. D. Chaum, J.-H. Evertse, and J. van de Graff, "An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations, " Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp. 127 141.

338. D. Chaum, J.-H. Evertse, J. van de Graff, and R. Peralta, "Demonstrating Possession of a Discrete Logarithm without Revealing It, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1987, pp. 200-212.

339. D. Chaum, A. Fiat, and M. Naor, "Untraceable Electronic Cash," Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp. 319-327.

340. D. Chaum and T. Pedersen, "Transferred Cash Grows in Size," Advances in Cryptology EUROCRYPT '92 Proceedings, Springer-Verlag, 1993, pp. 391-407.

341. D. Chaum and T. Pedersen, "Wallet Databases with Observers," Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 89-105.

342. D. Chaum and J. Schaumuller-Bichel, eds., Smart Card 2000, North Holland: Elsevier Science Publishers, 1989.

343. 1). Chaum and H. van Antwcrpen, "Und eniable Signaturcs," Advances in Cryptology CRYPTO '89 Proceedings, Springcr-Verlag, 1990, pp. 212-216.

344. D. Chaum, E. van Heijst, and B. Pfitzmann, "Cryptographically Strong Undeniab le Signatures, Unconditionally Secure for thc Signer, " Advances in Cryptology CRYPTO '91 Proceedings. Springer-Verlag, 1992, pp. 470-484.

345. T.M. Chee, "The Cryptanalysis of a New Public-Key Cryptosystem Based on Modular Knapsacks, " Advances in Cryptology CKYP TO '91 Proceedings, Springer-Verlag, 1992, pp. 204-212.

346. L Chen, "Oblivious Signatures," Computer Security ESORICS 94, Springcr-Verlag, 19 94, pp. 161-172, 347. L. Chen and M. Burminster, "A Practical Secret Voting Scheme which Allows Voters to Abstain," CHINACRYPT '94, Xidian, China, 11-15 Nov 1994, pp. 100-107.

348. L. Chen and T.P Pedersen "New Group Signature Schemes, " Advances in Cryptology EUROCRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

349. J. Chenhui, "Spectral Characteristics of Partially-Bent Functions," CHINACRYPT '94, Xidian, China, 11-15 Nov 1994, pp. 48-51.

350. V. Chepyzhov and B. Smeets, "On a Fast Correlation Attack on Certain Stream Ciphers," Advances in Cryptology EUR OCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 176 185.

351. T.C. Cheung, "Management of PEM Public Key Certificates Using X.500 Directory Service: Some Problems and Solutions," Proceedings of the lnternet Society Workshop on Network and Distnhuted System Security. The Internet Society, 1994, pp.

35 42.

352. G.C. Chiou and W.C. Chen, "Secure Broadcasting Using the Secure Lock, " IEEE Transactions on Software Engineenng, v. SE-15, n. 8, Aug 1989, pp. 929-934.

353. Y.J. Choie and H.S. Hwoang, "On the Cryptosystem Using Elliptic Curves, " Pro ceedings of the 1993 Korea-Japan Workshop on Information Security and Cryp tography, Seoul, Korca, 24-26 Oct 1993, pp. 105-113.

354. B. Chor and O. Goldreich, "RSA/Rabin Least Significant Bits are 1/2+1/... Secure, " Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 303 313.

355. B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch, "Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults," Proceedings of the 26th Amlual IEEE Symposium on the Foundations of Computer Science, 1985, pp. 383-395.

356. B. Chor and R.L. Rivcst, "A Knapsack Typc Public Key Cryptosystem Based on Arith mctic in Finitc Fields," Advallces ill Cryptology: Proceedings of CRYPTO 84, Springer Verlag, 1985, pp. 54-65.

357. R Christoffersson, S.-A. Ekahll, V. Fak, S. Herda, R Mattila, W. Price, and H.-O. Wid man, Crypto Users Handbook: A Guide for Implementors of Cryptographic Protection in Computer Systems, North Holland Elscvicr Scicncc Publishcrs, 1988.

358. R. Cleve, "Controlled Gradual Disclosure Schemes for Random Bits and Their Applications, " Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag, 1990, pp. 572-588.

359. J.D. Cohen, "Improving Privacy in Cryptographic Elections," Yale University Computer Science Department Technical Report YALEU/DCS/TR-454, Feb 1986.

360. J.D. Cohen and M.H. Fischer, "A Robust and Verifiable Cryptographically Secure Election Scheme, " Proceedings of the 26th Annual IEEE Symposium on the Foundations of Computer Science, 1985. pp. 372-382.

361. R. Cole, "A Model for Security in Dis tributed Systems," Computers and Secu rity, v.9, n.4, Apr 1990, pp.319-330.

362. Comptroller General of the United States, "Matter of National Institute of Standards and Technology Use of Electronic Data Interchange Technology to Create Valid Obligations," File B-245714, 13 Dec 1991.

363. M.S. Conn, letter to Joe Abernathy, National Security Agency, Ser: Q43-111 92, 10 Jun 1992.

364. C. Connell, "An Analysis of NewDES: A Modified Version of DES," Cryptologia, v. 14, n. 3, Jul 1990, pp. 217-223.

365. S.A. Cook, "The Complexity of Theorem Proving Procedures," Proceedings of the 3rd Annual ACM Symposium on the The oryofComputing, 1971,pp. 151-158.

366. R.H. Cooper and W. Patterson, "A Generalization of the Knapsack Method Using Galois Fields," Cryptologia, v. 8, n. 4, Oct 1984, pp. 343-347.

367. R.H. Cooper and W. Patterson, "RSA as a Benchmark for Multiprocessor Machines, " Advances in Cryptology AUSCRYPT'90 Proceedings, Springer-Verlag, 1990, pp. 356 359.

368. D. Coppersmith, "Fast Evaluation of Logarithms in Fields of Characteristic Two," IEEE Transactions on Information Theory, v.30,n.4,Jull984,pp.587-594.

369. D. Coppersmith, "Another Birthday Attack, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 14-17.

370. D. Coppersmith, "Cheating at Mental Poker, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 104-107.

371. D. Coppersmith, "The Real Reason for Rivest's Phenomenon, " Advances in Cryptology CRYPTO '85 Proceedings, Springer-Verlag, 1986, pp. 535-536.

372. D. Coppersmith, "Two Broken Hash Functions," Research Report RD 18397, IBM T.J.

Watson Center, Oct 1992.

373. D. Coppersmith, "The Data Encryption Standard (DES) and Its Strength against Attacks," Technical Report RC 18613, IBM T.J. Watson Center, Dec 1992.

374. D. Coppersmith, "The Data Encryption Standard (DES) and its Strength against Attacks, " IBM /ournal of Research and Development, v. 38, n. 3, May 1994, pp. 243-250.

375. D. Coppersmith, "Attack on the Cryptographic Scheme NIKS-TAS," Advances in Cryptology CRYPTO '94 Proceedings, Springer-Verlag, 1994, pp. 294-307.

376. D. Coppersmith, personal communication, 1994.

377. D. Coppersmith and E. Grossman, "Generators for Certain Alternating Groups with Applications to Cryptography, " SIAM Journal on Applied Mathematics, v. 29, n. 4, Dec 1975, pp. 624-627.

378. D. Coppersmith, H. Krawczyk, and Y. Mansour, "The Shrinking Generator, " Advances in Cryptology CRYPTO '93 Proceedings, Springer-Verlag, 1994, pp. 22-39.

379. D. Coppersmith, A. Odlykzo, and R. Schroeppel, "Discrete Logarithms in GF (p),'' Algorithmica, v. 1, n. 1, 1986, pp. 1-16.

380. D. Coppersmith and R Rogaway, "Software Efficient Pseudo Random Function and the Use Thereof for Encryption," U.S. Patent pending, 1995.

381. D. Coppersmith, J. Stern, and S. Vaudenay, "Attacks on the Birational Signature Schemes, " Advances in Cryptology CRYPTO '93 Proceedings, Springer-Verlag, 1994, pp. 435 443.

382. V. Cordonnier and J.-J. Quisquater, eds.. CARD1S '94 Proceedings of the First Smart Card Research and Advanced Application Conference, Lille, France, 24-26 Oct 1994.

383. C. Couvreur and J.-J. Quisquater, "An Introduction to Fast Generation of Large Prime Numbers," Philips /ournal Research, v. 37. n. 5 6, 1982, pp. 231-264.

384. C. Couvreur and J.-J. Quisquater, "An Introduction to Fast Generation of Large Prime Numbers," Philips journal Research, v. 38, 1983, i' 385. C. Coveyou and R.D. MacPherson, "Fourier Analysis of Uniform Random Number Gcncrators," lournal of the ACM, v. 14, n. 1, 1967, pp. 100-119.

386. T.M. Cover and R.C. King, "A Convergent Gambling Estimate of the Entropy of English," IEEE Tran.saction.s on Informa- tion Theory, v. IT-24, n. 4, Jul 1978, pp. 413-421.

387. R.J.F. Cramer and T.R Pedersen, "Improved Privacy in Wallets with Observers," Advances in Cryptology EZJROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp. 329-343.

388. R.E. Crandell, "Method and Apparatus for Public Key Exchange in a Cryptographic System," U.S. Patent #5,159,632, 27 Oct 1992.

389. C. Crepeau, "A Secure Poker Protocol That Minimizes the Effect of Player Coalitions," Advances in Cryptology CKYP'I'O '85 Proceedings, Springer-Verlag, 1986, pit. 73-86.

390. C. Crepcau, "A Zcro-Knowlcdge Poker Protocol that Achieves Confidentiality of the Players' Strategy, or How to Achieve an Electronic Poker Face, " Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 23Y-247, 391. C. Crepeau, "Equivalence Between Two Flavours of Oblivious Transfer," Advances in Cryptology CRYPTO 87 Proceedings, Springer-Ver lag, 1988, pp. 350-354.

392. C. Crepeau, "Correct and Private Reductions among Oblivious Transfers," Ph.D.

dissertation, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, 1990.

393. C. Crcpcau, "Quantum Oblivious Transfcr, " journal of Modern Optics, v. 41, n. 12, Dec 1994, pp. 2445-2454.

394. C. Crepeau and J. Kilian, "Achieving Oblivious Transfer Using Weakened Security Assumptions, " Proceedings of the 29th Amllzal Symposiurn on the Foundatijns of Computer Science, 1988, pp. 42-.32.

395. C. Crepeau and J. Kilian, "Weakening Security Assumptions and Oblivious Transfer, " Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp. 2-7.

396. C. Crepeau and L. Salvail, "Quantum Obliv ious Mutual Identification, " Advances in Cryptology EUROCRYPT '95 Proceed- ings, Springer-Verlag 1995, pp. 133-146.

397. A. Curiger, H. Bonnenberg, R. Zimmermann, N. Felber, H. Kaeslin and W. Fichtner, "VINCI: VLSI Implementation of the New Block Cipher IDEA," Proceedings of IEEE CICC '93, San Diego, CA, May 1993, pp. 15.5.1-15.5.4.

398. A. Curiger and B. Stuber, "Specification for the IDEA Chip, " Technical Report No.

92/03, Institut fur Integrierte Systeme, ETH Zurich, Feb 1992.

399. T. Cusick, "Boolean Functions Satisfying a Higher Order Strict Avalanche Criterion," Advances in Cryptology EUROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp. 102 117.

400. T.W. Cusick and M.C. Wood, "The REDOC-II Cryptosystem," Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 545-563.

401. Cylink Corporation, Cylink Corporation vs. RSA Data Security, Inc., Civil Action No.

C94-02332-CW, United States District Court for the Northern District of Califor- nia, Jun 1994.

402. J. Daeman, "Cipher and Hash Function Design, " Ph.D. Thesis, Katholieke Univer- siteit Leuven, Mar 95.

403. J. Daeman, A. Bosselaers, R. Govaerts, and J. Vandewalle, "Collisions for Schnorr's Hash Function FFT-Hash Presented at Crypto '91," Advances in Cryptology ASIA CRYPT ' Proceedings, Springer- Verlag, 1993, pp. 477-480.

404. J. Daeman, R. Govaerts, and J. Vandewalle, "A Framework for the Design of One-Way Hash Functions Including Cryptanalysis of Damgard's Onc-Way Function Based on Cellular Automata, " Advances in Cryp- tology ASIA CRYPT '91 Proceedings, Springer Verlag, 1993, pp. 82-96.

405. J. Daeman, R. Govaerts, and J. Vandewalle, "A Hardware Design Model for Crypto graphic Algorithms, " ESORICS 92, Pro- ceedings of the Second European Sympo- sium on Research in Computer Security, Springer-Verlag, 1992, pp. 419 434.

406. J. Daemcn, R. Govacrts, and J. Vandewalle, "Block Ciphers Based on Modular Arith metic, " Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, 15-16 Feb 1993, pp. 418. 80-89.

407. J. Daemen, R. Govaerts. and J. Vandewalle, "Fast Hashing Both in Hardware and Soft ware," presented at the rump session of CRYPTO '93, Aug 1993.

408. J. Daeman, R. Govaerts, and J. Vandewalle, "Resynchronization Weaknesses in Syn chronous Stream Ciphers," Advances in Cryptology E UR O CRYPT '93 Proceed ings, Springer-Verlag, 1994, pp. 159-167.

409. J. Daeman, R. Govaerts, and J. Vandewalle, "Weak Keys for IDEA, " Advances in Cryptology CRYPTO '93 Proceedings, Springer-Verlag, 1994, pp. 224-230.

410. J. Daemen, R. Govaerts, and J. Vandewalle, "A New Approach to Block Cipher Design," Fast Software Encryption, Cam bridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 18-32.

411. Z.-D. Dai, "Proof of Rueppel's Linear Complexity Conjecture," IEEE Transactions on Information Theory, v. IT-32, n. 3, May 1986, pp. 440 443.

412. I.B. Damgard, "Collision Free Hash Functions and Public Key Signature Schemes," Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp.

203-216.

413. I.B. Damgard, "Payment Systems and Credential Mechanisms with Provable Secu rity Against Abuse by Individuals, " Advances in Cryptology CRYPTO '88 I'roceedings, Springer-Verlag, 1990, pp. 328- 414. I.B. Damgard, "A Design Principle for Hash Functions, " Advances in Cryptol428. ogy CRYPTO '89 Proceedings, Springer Verlag, 1990, pp. 416 427.

415. I.B. Damgard, "Practical and Provably Secure Release of a Secret and Exchangc of Signatures, " Advances in Cryptology EUROCRYPT '93 Proceedings, Springer Verlag, 1994, pp. 200-217.

416. 1.B. Damgard and L.R. Knudsen, "The Rreaking of the AR Hash Function, " Advances in Cryptology EUROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp. 286-292.

417. I.B. Damgard and R Landrock, "Improved Bounds for the Rabin Primality Test, " 431.

Cryptography and Coding III, M.J. Ganley, e d., Oxford: Clarendon Press, 1993, pp. 117 128.

418. I.B. Damgard, P. Landrock and C. Pomerance, "Average Case Error Estimates for the Strong Probablc Prime Test," Mathematics of Computation, v. 61, n. 203, Jul 1993, pp.

177-194.

419. H.E. Daniels, Jr., letter to Datapro Research Corporation regarding CCEP, 23 Dec 1985.

420. H. Davenport, The Higher Arithmetic, Dover Books, 1983.

421. G.I. Davida, "Inverse of Elements of a Galois Field," Electronics Letters, v. 8, n. 21, Oct 1972, pp. 518-520.

422. G.I. Davida, "Hellman's Scheme Breaks DES in Its Basic Form," IEEE Spectrum, v. 16, n.

7, Jul 1979, p. 39.

423. G.I. Davida, "Chosen Signature Cryptanalysis of the RSA iMITJ Public Key Cryptosystem," Technical Report TR-CS-82-2, Department of EECS, University of Wis- consin, 1982.

424. G.I. Davida and G.G. Walter, "A Public Key Analog Cryptosystem," Advances in Cryptology E UR O CRYPT '8 7 Proceedings, Springer-Verlag, 1988, pp. 143-147.

425. G.I. Davida, D. Wells, and J. Kam, "A Database Encryption System with Subkeys," ACM Transactions on Database Systems,v.6,n.2,Junl981,pp.312-328.

426. D.W. Davies, "Applying the RSA Digital Signature to Electronic Mail," Computer, v. 16, n. 2, Feb 1983, pp. 55-62.

427. D.W. Davies, "Some Regular Properties of the DES," Advances in Cryptology: Pro ceedings of Crypto 82, Plenum Press, 1983, pp. 89-96.

428. D.W. Davics, "A Message Authentication Algorithm Suitable for a Mainframe Com puter," Advances in Cryptology: Proceed- ings of Crypto 82, Springer-Verlag, 1985, pp.

393 400.

429. D.W. Davies and S. Murphy, "Pairs and Triplets of DES S-boxes, " Cryptologia, v. 8, n. 1, 1995, pp. 1-25.

430. D.W. Davies and G.I.P. Parkin, "The Average Size of thc Key Stream in Output Feedback Encipherment, " Cryptography Proceedings of the Workshop of cryplograpy Burg Feuer.stein, Germany, March 29-April 2, 1982, Springer-Verlag, 1983, pp. 263-279.

431 D.W. Davies and G.I.R Parkin, "The Averag e Size of the Key Stream in Output Feedback Mode, " Advances in Cryptology: Pro ceedings of Crypto 82, Plenum Press, 1983, pp. 97 98.

432. D.W. Davies and W. L. Price, "The Applica tion of Digital Signatures Based on Public- Key Cryptosystems, " Proceedings of the Fifth International Computer Communications Conference, Oct 1980, pp. 525-530.

433. D.W. Davies and W.L. Price, "The Applica- tion of Digital Signatures Based on Public Key Cryptosystems, " National Physical Laboratory Report DNACS 39/80, Dec 1980.

434. D.W. Davies and W.L. Price, "Digital Sig- nature An Update," Proceedings of Inter national Conference on Computer Com- munications, Sydney, Oct 1984, North Holland:

Elsevier, 1985, pp. 843-847.

435. D.W. Davies and W.L. Price, Security for Computer Networks, second edition, John Wiley & Sons, 1989.

436. M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, J. Hulsbrosch, R Neutjens, R Piret, J l Quisquater, J Vandewalle, and S. Wouters, "Analytical Characteristics of the Data Encryption Standard," Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 171-202.

437. M. Davio, Y. Desmedt, l Goubert, F. Hoor- naert, and l -J Quisquater, "Efficient Hard ware and Software Implementation of the DES," Advances in Cryptology: Proceed- ings of CRYPTO 84, Springer-Verlag, 1985, pp. 144 146.

438. M. Davio, Y. Desmedt, and l-l Quisquater, "Propagation Characteristics of the DES, " Advances in Cryptology: Pro- ceedings of EUROCRYPT 84, Springer- Verlag, 1985, 62 73.

439. D. Davis, R. Ihaka, and R Fenstermacher, "Cryptographic Randomness from Air Turbulence in Disk Drives," Advances in Cryptology CRYPTO '94 Proceedings, Springer-Verlag, 1994, pp. 114 120.

440. J.A. Davis, D. B. Holdbridge, and G.l. Sim- mons, "Status Report on Factoring tat the Sandia National Laboratoriesi," Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 183-215.

441. R.M. Davis, "The Data Encryption Stan- dard in Perspective," Computer Secunty and the Data Encryption Standard, National Bureau of Standards Special Pub- lication 500-27, Feb 1978.

442. E. Dawson and A. Clark, "Cryptanalysts of Universal Logic Sequences," Advances in Cryptology EUROCRYPT '93 Proceed- ings, Springer-Verlag, to appear.

443. M.H. Dawson and S.E. Tavares, "An Expanded Set of Design Criteria for Substi- tution Boxes and Their Use in Strengthen- ing DES-Like Cryptosystems, " IEEE Pacific Rim Conference on Communica- tions, Computers, and Signal Processing, Victoria, BC, Canada, 9-10 May 1991, pp. 191-195.

444. M.H. Dawson and S.E. Tavares, "An Expanded Set of S-Box Design Criteria Based on Information Theory and Its Relation to Differential-like Attacks," Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 352-367.

445. C.A. Deavours, "Unicity Points in Cryptanalysis," Cryptologia, v. 1, n. 1, 1977, pp. 46-68.

446. C.A. Deavours, "The Black Chamber: A Column;

How the British Broke Enigma."

Cryptologia, v. 4, n. 3, lU1 1980, pp. 129- 132.

447. C.A. Deavours, "The Black Chamber: A Column;

La Methode des Batons," Cryp- tologia, v. 4, n. 4, Oct 1980, pp. 240-247.

448. C.A. Deavours and L. Kruh, Machine Cryptography and Modern Cryptanalysis, Norwood MA: Artech House, 1985.

449. l.M. DeLaurentis, "A Further Weakness in the Common Modulus Protocol for the RSA Cryptosystem," Cryptologia, v. 8, n. 3, lul 1984, pp. 253-259.

450. R Delsarte, Y. Desmedt, A. Odlyzko, and P. Piret, "Fast Cryptanalysis of the Matsumoto lmai Public-Key Scheme, " Advances in Cryptology: Proceedings of EUROCRYPT 84, Spunger-Verlag, 1985, pp. 142-149.

451. R Delsarte and R Piret, "Comment on 'Extension of RSA Cryptostructure: A Galois Approach'," Electronics Letters, v. 18, n. 13, 24 Jun 1982, pp. 582-583.

452. R. DeMillo, N. Lynch, and M. Merritt, "Cryptographic Protocols," Proceedings of the 14th Annual Symposium on the The- ory of Computing, 1982, pp. 383-400.

453. R. DeMillo and M. Merritt, "Protocols for Data Security," Computer, v. 16, n. 2, Feb 1983, pp. 39-50.

454. N. Demytko, "A New Elliptic Curve Based Analogue of RSA," Advances in Cryptolgy EUROCRYPT 93 Proceedings, Springer-Verlag, 1994, pp. 40-49.

455. D.E. Denning, "Secure Personal Comput- ing in an Insecure Network," Communi- cations of the ACM, v. 22, n. 8, Aug 1979, pp. 476-482.

456. D.E. Denning, Cryptography and Data Security, Addison-Wesley, 1982.

457. D.E. Denning, "Protecting Public Keys and Signature Keys," Computer. v. 16, n. 2, Feb 1983, pp. 27-35.

458. D.E. Denning, "Digital Signatures with RSA and Other Public-Key Cryptosys471. tems," Communications of the ACM, v. 27, n. 4, Apr 1984, pp. 388-392.

459. D.E. Denning, "The Data Encryption Standard: Fifteen Years of Public Scrutiny, " Proceedings of the Sixth Annual Com puter Security Applications Conference, IEEE Computer Society Press, 1990.

460. D.E. Denning, "The Clipper Chip: A Tech nical Summary, " unpublished manuscript, Apr 1993.

461. D.E. Denning and G.M. Sacco, "Time stamps in Key Distribution Protocols, " Communications of the ACM, v. 24, n. 8, Aug 1981, pp. 533-536.

462. D.E. Denning and M. Smid, "Key Escrow ing Today," IEEE Communications Maga zine, v. 32, n. 9, Sep 1994, pp. 58-68.

463. T. Denny, B. Dodson, A.K. Lenstra, and M.S. Manasse, "On the Factorization of RSA 120," Advances in Cryptology CRYPTO 93 Proceedings, Springer-Verlag, 1994, pp.

166-174.

464. W.F. Denny, "Encryptions Using Linear and Non-Linear Codes: Implementations and Security Considerations," Ph.D. dis sertation, The Center for Advanced Com puter Studies, University of Southern Louisiana, Spring 1988.

465. Department of Defense, "Department of Defense Trusted Computer System Evalu478.

ation Criteria," DOD 5200.28-STD, Dec 1985.

466. Department of State, "International Traf fic in Arms Regulations SITARS," 22 CFR 120 130, Office of Munitions Control, 479. Nov 1989.

467. Department of State, "Defense Trade Reg ulations," 22 CFR 120-130, Office of Defense Trade Controls, May 1992.

468. Department of the Treasury, "Electronic Funds and Securities Transfer Policy, " Department of the Treasury Directives Manual, Chapter TD 81, Section 80, Department of the Treasury, 16 Aug 1984.

469. Department of the Treasury, "Criteria and Procedures for Testing, Evaluating, and Certifying Message Authentication Deci- sions for Federal E.F.T. Use," Department of the Treasury, 1 May 198.~.

470. Department of the Treasury, "Electronic Funds and Securitics Transfer Policy Message Authentication and Enhanced Security," Order No. 106-09, Department of the Treasury, 2 Oct 1986.

471. H. Dobbertin, "A Survey on the Construc- tion of Bent Functions," K.U. Le uven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.

472. B. Dodson and A.K. Lenstra, "NFS with Four Large Primes: An Explosive Experiment," draft manuscript.

473. D. Dolev and A. Yao, "On the Security of Public-Key Protocols, " Communications of the ACM, v. 29, n. 8, Aug 1983, pp. 198-208.

474. J. Domingo-Ferrer, "Probabilistic Authentication Analysis," CARDIS 94 Proceed- ings of the First Smart Card Research and Applications Conference, Lille, France, 24-26 Oct 1994, pp. 49-60.

475. R de Rooij, "On the Security of the Schnorr Scheme Using Preprocessing, " Advances in Cryptology EUR(9CRYPT 91 I'roceed- ings, Springer-Verlag, 1991, pp. 71-80.

476. A. De Santis, G. Di Crescenzo, and G. Per- siano, "Secret Sharing and Perfect Zero Knowledge, " Advances in Cryptology CKYPTO 93 I'roceedings, Springer-Verlag, 1994, pp. 73-84.

477. A. De Santis, S. Micali, and G. Persiano, "Non-interactive Zero-Knowledge Proof Systems," Advances in Cryptology CRYPTO '87 Pro cee dings, Springer Verlag, 1988, pp. 52-72.

478. A. De Santis, S. Micali, and G. Persiano, "Non-Interactive Zero-Knowledge with Preprocessing," Advances in Cryptology CRYPTO 88 Proceedings, Springer-Verlag, 1990, pp. 269-282.

479. Y. Desmedt, "What Happened with Knapsack Cryptographic Schemes" Performance limits in Communication, Theory and P'ractice, NATO ASI Series E: Applied Sciences, v. 142, Kluwer Academic Publishers, 1988, pp. 113-134.

480. Y. Desmedt, "Subliminal-Free Authentication and Signature," Advances in Cryptology EUROCRYPT '88 Proceedings, Springer-Verlag, 1988, pp. 23-33.

481. Y. Desmedt, "Abuses in Cryptography and How to Fight Them," Advances in Cryptology CRYPTO '8~3 Proceedings, Springer Verlag, 1990, pp.375-389.

482. Y. Desmedt and M. Burmester, "An Effi cient Zero-Knowledge Scheme for the Discrete Logarithm Based on Smooth Numbers, " Advances in Cryptology ASIA CRYPT ' Proceedings, Springer Verlag, 1993, pp. 360-367.

483. Y. Desmedt and Y. Frankel, "Threshold 496. Cryptosystems, " Advances in Cryptol ogy CRYPTO '89 Proceedings, Springer Verlag, 1990, pp. 307-315.

484. Y. Desmedt and Y. Frankel, "Shared Gen eration of Authentication and Signatures, " Advances in Cryptology CRYPTO '91 Proceedings, Springer-Verlag, 1992, pp. 469.

485. Y. Desmedt, C. Goutier, and S. Bengio, "Special Uses and Abuses of the Fiat Shamir Passport Protocol," Advances in Cryptology CRYPTO '87 Proceedings, Springer Verlag, 1988, pp. 21-39.

486. Y. Desmedt and A.M. Odlykzo, "A Chosen Text Attack on the RSA Cryptosystem and Some Discrete Logarithm Problems, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 516-522.

487. Y. Dcsmedt, J.-J. Quisquater, and M. Davio, "Dependence of Output on Input in DES:

Small Avalanche Characteristics," Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 359-376.

488. Y. Desmedt, J. Vandewalle, and R. Go vaerts, "Critical Analysis of the Security of Knapsack Public Key Algorithms," IEEE Transactions on Information Theory, v. IT 30,n.4,Jull984,pp.601-611.

489. Y. Desmedt and M. Yung, "Weaknesses of Undeniable Signature Schemes, " Ad vances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 205-220.

490. W. Diffie, lecture at IEEE Information The ory Workshop, Ithaca, N.Y., 1977.

491. W. Diftie, "Cryptographic Technology: Fif teen Year Forecast," BNR Inc., Jan 1981.

492. W. Diffie, "The First Ten Years of Public Key Cryptography, " Proceedings of the IEEE, v 76, n. 5, May 1988, pp. 560-577.

493. W. Diffie, "Authenticated Key Exchange and Secure Interactive Communication," Proceedings of SECURICOM'90, 1990.

494. W. Diffie, "The First Ten Years of Public- Key Cryptography, " in Contemporary Cryptology: The Science of Information Integrity, G.J. Simmons. ed., IEEE Press, 1992, pp. 135-175.

495. W. Diffie and M.E. Hellman, "Multiuser Cryptographic Techniques, " Proceedings of AFIPS National Computer Conference, 1976, pp. 109-112.

496. W. Diffie and M.E. Hellman, "New Direc- tions in Cryptography, " IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644~54.

497. W. Diffie and M.E. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard," Computer, v. 10, n. 6, Jun 1977, pp. 74-84.

498. W. Diffie and M.E. Hellman, "Privacy and Authentication: An Introduction to Cryp tography," Proceedings of the IEEE, v. 67, n. 3, Mar 1979, pp. 397-427.

499. W. Diffie, L. Strawczynski, B. O'Higgins, and D. Steer, "An ISDN Secure Telephone Unit," Proceedings of the National Tele- communications Forum, v 41, n. 1, 1987, pp.

473 477.

500. W. Diffie, RC. van Oorschot, and M.J. Wiener, "Authentication and Authenti- cated Key Exchanges," Designs, Codes and Cryptography, v. 2, 1992, 107-125.

501. C. Ding, "The Differential Cryptanalysis and Design of Natural Stream Ciphers," Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer- Verlag, 1994, pp. 101-115.

502. C. Ding, G. Xiao, and W. Shan, The Stahility Theory of Stream Ciphers, Springer- Verlag, 1991.

503. A. Di Porto and W. Wolfewicz, "VINO: A Block Cipher Including Variable Permuta tions, " Fast Software Encryption, Cambridge Secunty Workshop l'roceedings, Springer Verlag, 1994, pp. 205-210.

504. B. Dixon and A.K. Lenstra, "Factoring Inte- gers Using SIMD Sieves, " Advances in Cryptology E UR O CRYPT '93 Proceed- ings, Springer-Verlag, 1994, pp. 28-39.

505. J.D. Dixon, "Factorization and Primality Tests," American Mathematical Monthly, v.91,n.6, 1984,pp.333-352.

506. D. Dolev and A. Yao, "On the Security of Public Key Protocols," Proceedings ol the 22nd Annual Symposium on the Founda- tions of Computer Science, 1981, pp. 350- 357.

507. L.X. Duan and C.C. Nian, "Modified Lu- Lee Cryptosystems," Electronics Letters, v. 25, n. 13, 22 Jun 1989, p. 826.

508. R. Durstenfeld, "Algorithm 235: Random Permutation, " Communications of the ACM, v.

7, n. 7, Jul 1964, p. 420.

509. S. Dusse and B. Kaliski, Jr., "A Cryptographic Library for the Motorola DSP56000, " Advances in Cryptology EUROCRYPT '90 Proceedings, Springer- Verlag, 1991, pp.

230-244.

510. C. Dwork and L. Stockmeyer, "Zero- Knowledge with Finite State Verifiers, " Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp. 71-75.

511. D.E. Eastlake, S.D. Crocker, and J.I. Schiller, "Randomness Requirements for Security," RFC 1750, Dec 1994.

512. H. Eberle, "A High-Speed DES Implementation for Network Applications, " Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, pp. 521-539.

513. T. Edwards, "Implementing Electronic Poker: A Practical Exercise in Zero Knowledge Interactive Proofs, " Master's thesis, Department of Computer Science, University of Kentucky, May 1994.

514. W.F. Ehrsam, C.H.W. Meyer, R.L. Powers, J L. Smith, and W.L. Tuchman, "Product Block Cipher for Data Security, " U.S. Patent #3,962,539, 8 Jun 1976.

515. W.F. Ehrsam, C.H.W. Meyer, and W.L. Tuchman, "A Cryptographic Key Manage ment Scheme for Implementing the Data Encryption Standard," IBM Systems lour nal, v. 17, n. 2, 1978, pp. 106-125.

516. R. Eier and H. Lagger, "Trapdoors in Knap sack Cryptosystems, " Lecture Notes in Computer Science 149;

Cryptography Proceedings, Burg Feuerstein 1982, Springer Verlag, 1983, pp. 316-322.

517. A.K. Ekert, "Quantum Cryptography Based on Bell's Theorem, " Physical Review Letters, v. 67, n. 6, Aug 1991, pp. 529. 661-663.

518. T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, " Advances in Cryptology: Proceedings of CRYPTO 84, Springer" Verlag, 1985, pp. 1~18.

519. T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Infor- mation Theory, v. IT-31, n. 4, 1985, pp. 469 472.

520. T. ElGamal, "On Computing Logarithms Over Finite Fields," Advances in Cryptol- ogy CR YP TO '85 Pro cee dings, Springe r - Verlag, 1986, pp. 396 402.

521. T. ElGamal and B. Kaliski, letter to the edi- tor regarding LUC, Dr. Dobb's /ournal, v.

18,n.5,Mayl993,p. 10.

522. T. Eng and T. Okamoto, "Single-Term Divisible Electronic Coins," Advances in Cryptology EUROCRYPT '94 Proceed- ings, Springer-Verlag, 1995, to appear.

523. M.H. Er, D.J. Wong, A.A. Sethu, and K.S. Ngeow, "Design and Implementation of RSA Cryptosystem Using Multiple DSP Chips," 1991 IEEE International Sympo- sium on Circuits and Systems, v. 1, Singa- pore, 11-14 Jun 1991, pp. 49-52.

524. D. Estes, L.M. Adleman, K. Konpella, K.S. McCurley, and G.L. Miller, "Breaking the Ong-Schnorr-Shamir Signature Schemes for Quadratic Number Fields," Advances in Cryptology CRYPTO '85 Proceedings, Springer-Verlag, 1986, pp. 3-13.

525. ETEBAC, "Echanges Telematiques Entre Les Banques et Leurs Clients," Standard ETEBAC 5, Comite Fran,cais d'Organisa- tion et de Normalisation Bancaires, Apr 1989.

IIn French.~ 526. A. Evans, W. Kantrowitz, and E. Weiss, "A User Identification Scheme Not Requiring Secrecy in the Computer," Communica- tions of the ACM, v. 17, n. 8, Aug 1974, pp.

437-472.

527. S. Even and O. Goldreich, "DES-Like Functions Can Generate the Alternating Group, " IEEE Transactions on Informa- tion Theory, v. IT-29, n. 6, Nov 1983, pp. 863-865.

528. S. Even and O. Goldreich, "On the Power of Cascade Ciphers," ACM Transactions on Computer Systems, v. 3, n. 2, May 1985, pp. 108-116.

529. S. Even, O. Goldreich, and A. Lempel, "A Randomizing Protocol for Signing Con tracts," Communications of the ACM, v. 28, n. 6, [un 1985, pp. 637-647.

530. S. Even and Y. Yacobi, "Cryptography and NP-Completeness," I'roceedings of the 7th International CoRoquium on Automata, Languages, and Programming, Springer -Verlag, 1980, pp. 195-207.

531. H.-H. Evertse, "Linear Structures in Block Ciphers, " Advances in Cryptology EUROCRYPT '87 Proceedings, Springer Verlag, 1988, pp. 249-266.

532. R Fahn and M.J.B. Robshaw, "Results from the RSA Factoring Challenge," Technical Report TR-501, Version 1.3, RSA Laboratories, Jan 1995.

533. R.C. Fairfield, A. Matusevich, and J. Plany, "An LSI Digital Encryption Processor (DEP)," Advances in Cryptology: Proceed ings of CRYPTO 84, Springer-Verlag 1985, pp. 115-143.

534. R.C. Fairfield, A. Matusevich, and J. Plany, "An LSI Digital Encryption Processor (DEPJ," IEEE Communications, v. 23. n. 7, Jul 1985, pp. 30-41.

535. R.C. Fairfield, R.L. Mortenson, and K.B. Koulthart, "An LSI Random Number Gen erator (RNG~," Advances in Cryptology: Proceedings of CRYPTO 84, Springer Verlag, 1985, pp. 203-230.

536. "International Business Machines Corp. License Under Patents," Federal Register, v. 40, n. 52, 17 Mar 1975, p. 12067.

537. "Solicitation for Public Key Cryptographic Algorithms," Federal Register, v. 47, n. 126, 30 Jun 1982, p. 28445.

538. "Proposed Federal Information Processing Standard for Digital Signature Standard (DSSi," Federal Register, v. 56, n. 169, 30 Aug 1991, pp. 42980-42982.

539. "Proposed Federal Information Processing Standard for Secure Hash Standard," Fed eral Register, v. 57, n. 21, 31 Jan 1992, pp. 3747-3749.

540. "Proposed Reaffirmation of Federal Infor mation Processing Standard (FIPS) 46-1, Data Encryption Standard (DES)," Federal Register, v. 57, n. 177, 11 Sep 1992, p. 41727.

541. "Notice of Proposal for Grant of Exclusive Patent License," [ederal Register, v. 58, n.

108, 8 Jun 1993, pp. 23105-23106.

542. "Approval of Federal Information Process ing Standards Publication 186, Digital Sig nature Standard (DSS)," Federal Register, v. 58, n. 96, 19 May 1994, pp. 26208-26211.

543. "Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard, " Federal Register, v. 59, n. 131, 11 Jul 1994, pp. 35317-35318.

544. U. Feige, A. Fiat, and A. Shamir, "Zero Knowledge Proofs of Identity," Proceed- ings of the lPth Annual ACM Symposium on the Theory of Computing, 1987, pp. 210-217.

545. U. Feige, A. Fiat, and A. Shamir, "Zero Knowledge Proofs of Identity," Journal of Cryptology v. 1, n. 2, 1988, pp. 77-94.

546. U. Feige and A. Shamir, "Zero Knowledge Proofs of Knowledge in Two Rounds, " Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag, 1990, pp. 526-544.

547. J. Feigenbaum, "Encrypting Problem Instances, or,..., Can You Take Advan- tage of Someone Without Having to Trust Him, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 477-488.

548. J. Feigenbaum, "Overview of Interactive Proof Systems and Zero-Knowledge, " in Contemporary Cryptology: The Science of Information Integrity, G.J. Simmons, ed., IEEE Press, 1992, pp. 423 439.

549. J. Feigenbaum, M.Y. Liberman, E. Grosse, and J.A. Reeds, "Cryptographic Protection of Membership Lists," Newsletter of the International Association of Cryptologic Research, v. 9, 1992, pp. 16-20.

550. J. Feigenbaum, M.Y. Liverman, and R.N. Wright, "Cryptographic Protection of Databases and Software, " Distnbuted Computing and Cryptography, 1 Feigen- baum and M.

Merritt, eds., American Mathematical Society, 1991, pp. 161-172.

551. H. Feistel, "Cryptographic Coding for Data-Bank Privacy," RC 2827, Yorktown Heights, NY: IBM Research, Mar 1970.

552. H. Feistel, "Cryptography and Computer Privacy, " Scientific American, v. 228, n. 5, May 1973, pp. 15-23.

553. H. Feistel, "Block Cipher Cryptographic System," U.S. Patent #3,798,359, 19 Mar 1974.

554. H. Feistel, "Step Code Ciphering System," U.S. Patent #3,798,360, 19 Mar 1974.

555. H. Feistel, "Centralized Verification Sys- tem," U.S. Patent #3,798,605, 19 Mar 1974.

556. H. Feistel, W.A. Notz, and J.L. Smith, "Cryptographic Techniques for Machine to Machine Data Communications," RC 3663, Yorktown Heights, N.Y.: IBM Research, Dec 1971.

557. H. Feistel, W.A. Notz, and J.L. Smith, "Some Cryptographic Techniques for Machine to Machine Data Communica tions," Proceedings of the IEEE, v. 63, n. 11, Nov 1975, pp.

1545-1554.

558. R Feldman, "A Practical Scheme for Non interactive Verifiable Secret Sharing," Proceedings of the 28th Annual Symposium on the Foundations of Computer Science, 1987, pp. 427 437.

559. R.A. Feldman, "Fast Spectral Test for Mea suring Nunrandomness and the DES, " Advances in Cryptology CRYPTO '87 Proceedings, Springer-Verlag, 1988, pp. 243 254.

560. R.A. Feldman, "A New Spectral Test for Nonrandomness and the DES, " IEEE 573.

Transactions on Software Engineering, v. 16, n. 3, Mar 1990, pp. 261-267.

561. D.C. Feldmeier and RR. Karn, "UNIX Password Security Ten Years Later, " Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag, 1990, pp. 44-63.

562. H. Fell and W. Diffie, "Analysis of a Public Key Approach Based on Polynomial Sub stitution, " Advances in Cryptology CRYPTO '85 Proceedings, Springer-Verlag, 1986, pp. 427-437.

ence/Department of Algorithms and Architecture, CWI, Mar 1993.

564. N.T. Ferguson, "Single Term Off-Line Coins," Advances in Cryptology EUROCRYPT ' Proceedings, Springer-Verlag, 1994, pp. 318-328.

565. N.T. Ferguson, "Extensions of Single-term Coins," Advances in Cryptology 579.

CRYPTO '93 Proceedings, Springer-Verlag, 1994, pp. 292-301.

566. A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Idcntifica tion and Signature Problems," Advances in Cryptology C RYPTO '86 Proceedings, Springer Verlag, 1987, pp. 186-194.

567. A. Fiat and A. Shamir, "Unforgeable Proofs of Identity," Proceedings of sec uricom 87, Paris, 1987, pp. 147-15~3.

568. P. Finch, "A Study of the Blowfish Encryp tion Algorithm," Ph.D. dissertation, Department of Computer Science, City University of New York Graduate School and University Center, Feb 1995.

569. R. Flynn and A.S. Campasano, "Data Dependent Keys for Selective Encryption Terminal," Proceedings of NCC, vol. 47, AFIPS Press, 1978, pp. 1127-1129.

570. R.H. Follett, letter to NIST regarding DSS, 25 Nov 1991.

571. R. Forre, "The Strict Avalanche Criterion: Spectral Properties and an Extended D efi nition, " Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp.

450-468.

572. R. Forre, "A Fast Correlation Attack or Nonlinearity Feedforward Filtered Shift Register Sequences, " Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag, 1990, pp. 568-595.

573. S. Fortune and M. Merritt, "Poker Protocols," Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 454-464.

574. R.B. Fougner, "Public Key Standards and Licenses," RFC 1170, Jan 1991.

575. Y. Frankel and M. Yung, "Escrowed Encryption Systems Visited: Threats. Attacks, Analysis and Designs," Advances in Cryptology CKYPTO '95 Proceedings'. Springer Verlag, 1995, to appear.

576. W.F. Friedman, Methods for the Solution of Running-Key Ciphers, Riverbank Publica tion No. 16, Riverbank Labs, 1918.

577. W.F. Friedman, The Index of Coincidence and Its Applications in Cryptography, Riverbank Publication No. 22, Rivcrhank Labs, 1920. Reprinted by Aegean Park Press, 1987.

578. W.F. Friedman, Elements of Cryptanalysis, Laguna Hills, CA: Aegean Park Press, 1976.

579. W.F. Friedman, "Cryptology," Encyclopedia Britannica, v. 6, pp. 844-851, 1967.

580. A.M. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, and A. Shamir, "Reconstructing Truncated Integer Variables Satisfying Linear Congru enccs," SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp. 262-280.

581. A.M. Frieze, R. Kannan, and J.C. Lagarias, "Linear Congruential Generators loo not Produce Random Sequences," Proceedings of the 25th IEEE Symposium on Founda tions of Computer Science, 1984, pp. 480 484.

582. E. Fujiaski and T. Okamoto, "On Comparison of Practical Digitial Signature Schemes," Proceedings of the l992 Symposium on Cryptography and Information Security (SCIS 92), Tateshina, Japan, 2 4 Apr 1994, pp. lA.1-12.

583. A. Fujioka, T. Okamoto, and S. Miyaguchi, "ESIGN: An Efficient Digital Signature Implementation for Smart Cards, " Advances in Cryptology EUROCRYPT ' Proceedings, Springer-Verlag, 1991, pp. 446 457.

584. A. Fujioka, T. Okamoto, and K. Ohta, "Interactive Bi-Proof Systems and Undeniable Signature Schemes," Advances in Cryptology EU ROCRYPT '91 Proceedings, Springer Verlag, 1991, pp. 243-256.

585. A. Fujioka, T. Okamoto, and K. Ohta, "A Practical Secret Voting Scheme for Large Scale Elections, " Advances in Cryptology AUSCRYPT '92 Proceedings, Springer-Verlag, 1993, pp. 244-251.

586. K. Gaardner and E. Snekkenes, "Applying a Formal Analysis Technique to the CCITT X.509 Strong Two-Way Authentication Protocol," lournal of Cryptology v. 3,n.2, l991,pp.81-98.

587. H.E Gaines, Cryptanalysis, American Photographic Press, 1937. Reprintcd by Dover Publications, 1956.

588. J. Gait, "A New Nonlinear Pseudorandom Number Generator, " IEEE Transactions on Software Engineering, v. SE-3, n. 5, Sep 1977, pp. 359-363.

589. J. Gait, "Short Cycling in the Kravitz-Reed Public Key Encryption System," Electron- ics Letters, v. 18, n. 16, 5 Aug 1982, pp. 706-707.

590. Z. Galil, S. Haber, and M. Yung, "A Private Interactive Test of a Boolean Predicate and Minimum-Knowledge Public-Key Cryp- tosystems," Proceedings of the 26th IEEE Symposium on Foundations of Computer Science, 1985, pp. 360-371.

591. Z. Galil, S. Haber, and M. Yung, "Crypto- graphic Computation: Secure Fault- Tolerant Protocols and the Public-Key Model, " Advances in Cryptology CRYPTO '87Proceedings, Springer-Verlag, 1988, pp. 135-155.

592. Z. Galil, S. Haber, and M. Yung, "Mini- mum-Knowledge Interactive Proofs for Decision Problems, " SIAM lournal on Computing, v. 18, n. 4, 1989, pp. 711-739.

593. R.G. Gallager, Information Theory and Reliable Communications, New York:John Wiley & Sons, 1968.

594. P. Gallay and E. Depret, "A Cryptography Microprocessor," 1988 IEEE International Solid-State Circuits Conference Digest of Technical Papers, 1988, pp. 148-149.

595. R.A. Games, "There are no de Bruijn Sequences of Span n with Complexity 2n + n + 1," Journal of Combinatorical Theory, Series A, v. 34, n. 2, Mar 1983, pp. 248-251.

596. R.A. Games and A.H. Chan, "A Fast Algo- rithm for Determining the Complexity of a Binary Sequence with 2n,'t IEEE Transactions on Information Theory, v. IT-29, n. 1, Jan 1983, pp. 144-146.

597. R.A. Games, A.H. Chan, and E.L. Key, "On the Complexity of de Brui jn Sequences," ournal of Combinatorical Theory, Series A, v. 33, n. 1, Nov 1982, pp. 233-246.

598. S.H. Gao and G.L. Mullen, "Dickson Polynomials and Irreducible Polynomials over Finite Fields," Journal of Number Theory, v. 49, n. 1, Oct 1994, pp. 18-132.

599. M. Gardner, "A New Kind of Cipher That Would Take Millions of Years to Break," Scientific American, v. 237, n. 8, Aug 1977, pp. 120-124.

600. M.R. Garey and D.S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, W.H. Freeman and Co., 1979.

601. S.L. Garfinkel, POP: Pretty Good Privacy, Sebastopol, CA: O'Reilly and Associates, 1995.

602. C.W. Gardiner, "Distributed Public Key Certificate Management," Proceedings of the Privacy and Security Research Group 1993 Workshop on Network and Distributed System Security, The Internet Society, 1993, pp. 69-73.

603. G. Garon and R. Outerbridge, "DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Finan- cial Institution Information Security in the 1990's," Cryptologia, v. 15, n. 3, Jul 1991, pp. 177-193.

604. M. Gasser, A. Goldstein, C. Kaufman, and B. Lampson, "The Digital Distributed Sys tems Security Architecture," Proceedings of the 12th National Computer Seezznty Conference, NIST, 1989, pp. 305-319.

605. J. von zur Gathen, D. Kozen, and S. Lan- dau, "Functional Decomposition of Poly nomials, " Proceedings of the 28tl1 IEEE Symposium on the Poundations of Computer Science, IEEE Press, 1987, pp. 127617. 131.

606. RR. Geffe, "How to Protect Data With Ciphers That are Really Hard to Break," Electronics, v. 46, n. 1, Jan 1973, pp. 99-101.

607. D.K. Gifford, D. Heitmann, D.A. Segal, R.G. Cote, K. Tanacea, and D.E. Burmas- ter, "Boston Community Information Sys- tem 1986 Experimental Test Results, " MIT/LCS/TR-397, MIT Laboratory for Computer Science, Aug 1987.

608. D.K. Gifford, J.M. Lucassen, and S.T. Berlin, "The Application of Digital Broadcast Communication to Large Scale Information Systems, " IEEE Journal on Selected Areas in Communications, v. 3, n. 3, May 1985, pp. 457-467.

609. D.K. Gifford and D.A. Segal, "Boston Community Information System 1987- Experimental Test Results," MIT/LCS/ TR-422, MIT Laboratory for Computer Science, May 1989.

610. H. Gilbert and G. Chase, "A Statistical Attack on the Feal-8 Cryptosystem, " Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 22- 611. H. Gilbert and R Chauvaud, "A Chosen Plaintext Attack of the 16-Round Khufu Cryptosystem," Advances in Cryptol- ogy CRYPTO '94 Proceedings, Springer-Verlag, 1994, pp. 259-268.

612. M. Girault, "Hash-Functions Using Mod- ulo-N Operations," Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp. 217-226.

613. J. Gleick, "A New Approach to Protecting Secrets is Discovered, " The New York Times, 18 Feb 1987, pp. C1 and C3.

614. J.-M. Goethals and C. Couvreur, "A Crypt analytic Attack on the Lu-Lee Public-Key Cryptosystem, " Philips lournal of Re search, v. 35, 1980, pp. 301-306.

615. O. Goldreich, "A Uniform-Complexity Treatment of Encryption and Zero Knowledge, Journal of Cryptology, v. 6, n. 1, 1993, pp. 21-53.

616. O. Goldreich and H. Krawczyk, "On the Composition of Zero Knowledge Proof Systems," Proceedings on the 17th Inter national Colloquium on Automata, Languages, and Programming, Springer" Verlag, 1990, pp. 268-282.

617. O. Goldreich and E. Kushilevitz, "A Perfect Zero-Knowledge Proof for a Problem Equivalent to Discrete Logarithm, " Advances in Cryptology CRYPTO '88 I'roceedings, Springer-Verlag, 1990, pp. 58-70.

618. O. Goldreich and E. Kushilevitz, "A Per- fect Zero-Knowledge Proof for a Problem Equivalent to Discrete Logarithm," lour- nal of Cryptology, v. 6, n. 2, law, pp. 97-116.

619. O. Goldreich, S. Micali, and A. Wigderson, "Proofs That Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design," Proceedings of the 27th IEEE Symposium on the Foundations of Computer Science, 1 986, pp. 174-187.

620. O. Goldreich, S. Micali, and A. Wigderson, "How to Prove All NP Statements in Zero Knowledge and a Methodology of Cryptographic Protocol Design, " Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 171-185.

621. O. Goldreich, S. Micali, and A. Wigderson, "How to Play Any Mental Game," Pro ceedings of the 19th ACM Symposium on the Theory of Computing, 1987, pp. 218-229.

622. O. Goldreich, S. Micali, and A. Wigdcrson, "Proofs That Yield Nothing but Their Validity and a Methodology of Crypto- graphic Protocol Design," Journal of the ACM, v. 38, n. 1, Jul 1991, pp. 691-729.

623. S. Goldwasser and J. Kilian, "Almost All Primes Can Be Quickly Certified, " Pro- ceedings of the 18th ACM Symposium on the Theory of Computing, 1986, pp. 316- 329.

624. S. Goldwasser and S. Micali, "Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information," Proceedings of the 14th ACM Symposium on the Theory of Computing, 1982, pp. 270-299.

625. S. Goldwasser and S. Micali, "Probabilistic Encryption," Journal of Computer and System Sciences. v. 28, n. 2, Apr 1984, pp. 270-299.

626. S. Goldwasscr, S. Micali, and C. Rackoff, "The Knowledge Complexity of Interac- tive Proof Systems, " Proceedings of the 17th ACM Symposium on Theory of Com- puting, 1985, pp. 291-304.

627. S.Goldwasser, S. Micali, and C. Rackoff, "The Knowledge Complexity of Interac tive Proof Systems, " SIAM lournal on Computing, v. 18, n. 1, Feb 1989, pp. 186 208.

628. S. Goldwasser, S. Micali, and R.L. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks," SIAM lournal on Computing, v.

17,n.2,Aprl988,pp.281-308.

629. S. Goldwasser, S. Micali, and A.C. Yao, "On Signatures and Authentication," Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1983, pp. 211-215.

630. J.D. Golic, "On the Linear Complexity of Functions of Periodic GFIq~ Sequences," IEEE Transactions on Information Theory, v. IT-35, n. 1. Jan 1989, pp. 69-75.

631. J.D. Golic, "Linear Cryptanalysis of Stream Ciphers," K.U. Le uven Workshop on Cryptographic Algorithms, Springer Verlag, 1995, pp. 262-282.

632. J.D. Golic, "Towards Fast Correlation Attacks on Irregularly Clocked Shift Registers," Advances in Cryptology EURO CRYPT '95 Proceedings, Springer-Verlag, 1995, to appear.

633. J.D. Golic and M.J. Mihajlevic, "A Gener alized Correlation Attack on a Class of Stream Ciphers Based on the Levenshtein Distance, " journal of Cryptology, v. 3, n.3, 1991, pp.

201-212.

634. J.D. Golic and L. O'Connor, "Embedding and Probabilistic Correlation Attacks on Clock Controlled Shift Registers," Advances in Cryptology EUROCRYPT '94 I'roceedings, Springer-Verlag, 1995, to appear.

635. R. Golliver, A.K. Lenstra, K.S. McCurley, "Lattice Sieving and Trial Division," Pro ceedings of the Algorithmic Number Theory Symposium, Cornell, 1994, to appear.

636. D. Gollmann, "Kaskadenschaltungen takt gesteuerter Schicberegister als Pseudozu fallszahlengencratoren," Ph.D. disserta tion, Universitat Linz, 1983. (In German ).

637. D. Gollmann, "Pseudo Random Properties of Cascade Connections of Clock Con trolled Shift Registers," Advances in Cryp tology: Proceedings of EUROCRYPT 84, Springer Verlag, 1985, pp. 93-98.

638. D. Gollmann, "Correlation Analysis of Cascaded Sequences," Cryptography and Coding, H.J. Beker and F.C. Piper, eds., Oxford: Clarendon Press, 1989, pp. 289-297.

639. D. Gollmann, "Transformation Matrices of Clock-Controlled Shift Registers, " Cryptography and Coding 111, M.J. Ganley, e d., Oxford: Clarendon Press, 1993, pp.

197-210.

640. D. Gollmann and W.G. Chambers, "Lock-In Effect in Cascades of Clock-Controlled Shift Registers, " Advances in Cryptology EUROCRYPT '88 Proceedings, Springer-Verlag, 1988, pp. 331-343.

641. D. Gollmann and WG. Chambers, "Clock-Controlled Shift Registers: A Review, " IEEE lournal on Selected Areas in Communications, v. 7, n. 4, May 1989, pp. 525-533.

642. D. Gollmann and W.G. Chambers, "A Cryptanalysis of Step~-cascades," Advances in Cryptology EUROCRYPT '89 Proceedings, Springer-Verlag, 1990, pp. 680-687.

643. S.W. Golomb, Shift Register Sequences, San Francisco: Holden-Day, 1967. (Reprinted by Aegean Park Press, 1982.

644. L. Gong, "A Security Risk of Depending on Synchronized Clocks, " Operating Systems Review, v. 26, n. 1, Jan 1992, pp. 49-53.

645. L. Gong, R. Needham, and R. Yahalom, "Reasoning About Belief in Cryptographic Protocols," Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp. 234-248.

646. R.M. Goodman and A.J. McAuley, "A New Trapdoor Knapsack Public Key Cryptosys tem," Advances in Cryptology: Proceedings of EUROCRYPT 84, Springer-Verlag, 1985, pp. 150-158.

647. R.M. Goodman and A.J. McAuley, "A New Trapdoor Knapsack Public Key Cryptosystem," IKE Proceedings, v. 132, pt. E, n. 6, Nov 1985, pp. 289-292.

648. D.M. Gordon, "Discrete Logarithms Using the Number Field Sieve," Preprint, 28 Mar 1991.

649. D.M. Gordon and K.S. McCurley, "Computation of Discrete Logarithms in Fields of Characteristic Two," presented at the rump session of CRYPTO'91, Aug 1991.

650. D.M. Gordon and K.S. McCurley, "Massively Parallel Computation of Discrete Logarithms, " Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, 661.

1993, pp. 312-323.

651. J.A. Gordon, "Strong Primes are Easy to Find," Advances in Cryptology: Proceedings of EUROCRYPT 84, Springer-Verlag, 1985, pp. 216-223.

652. J.A. Gordon, "Very Simple Method to Find the Minimal Polynomial of an Arbitrary Non Zero Element of a Finite Field, " Electronics Letters, v. 12, n. 25, 9 Dec 1976, pp. 663 664.

653. J.A. Gordon and R. Retkin, "Are Big S- Boxes Best7" Cryptograph y Proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29-April 2, 1982, Springer-Verlag, 1983, pp. 257-262.

654. M. Goresky and A. Klapper, "Feedback Registers Based on Ramified Extension of the 2 adic Numbers," Advances in Cryptology EUROCRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

655. GOST, Gosudarstvennyi Standard 28147-89, "Cryptographic Protection for Data Processing Systems," Government Committee of the USSR for Standards, 1989. ( in Russian.} 656. GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, "Information technology. Cryptographic Data Security. Produce and check procedures of Electronic Digital Signature based on Asymmetric Cryptographic Algorithm. " Government Committee of the Russia for Standards, 1994. (In Russian. ) 657. GOST R 34.11-94, Gosudarstvennyi Standard of Russian Federation, " Information technology. Cryptographic Data Security. Hashing function." Government Committee of the Russia for Standards, 1994. (In Russian.) 658. R. Gottfert and H. Niederreiter, "On the Linear Complexity of Products of Shift-Register Sequences," Advances in Cryptology EUROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp. 151-158.

659. R. Gottfert and H. Niederreiter, "A General Lower Bound for the Linear Complexity of the Product of Shift-Register Sequences, " Advances in Cryptology EUROCRYPT ' Proceedings, Springer- Verlag, 1995, to appear.

660. J. van de Graaf and R. Peralta, "A Simple and Secure Way to Show the Validity of Your Public Key," Advances in Cryptology CRYPTO '87 Proceedings, Springer- Verlag, 1988, pp. 128-134.

661. J. Grollman and A.L. Selman, "Complexity Measures for Public-Key Cryptosystems," Proceedings of the 25th IEEE Symposium on the Foundations of Computer Science, 1984, pp. 495- 662. GSA Federal Standard 1026, "Telecommunications: General Security Requirements for Equipment Using the Data Encryption Standard, " General Services Administration, Apr 1982.

663. GSA Federal Standard 1027, ''Telecommunications: Interoperability and Security Requirements for Use of the Data Encryption Standard in the Physical and Data Link Layers of Data Communications, " General Services Administration, Jan 1983.

664. GSA Federal Standard 1028, "Intcroperability and Security Requirements for Use of the Data Encryption Standard with CCITT Group 3 Facsimile Equipment, " General Services Administration, Apr 1985.

665. R Guam, "Cellular Automaton Public Key Cryptosystems," Complex Systems, v. 1, 1987, pp. 51-56.

666. H. Guan, "An Analysis of the Finite Automata Public Key Algorithm, " CHINACRYPT'94, Xidian, China, 11-15 Nov 1994, pp. 120-126. (In Chinese) 667. G. Guanella, "Means for and Method for Secret Signalling," U.S. Patent #2,405,500, 6 Aug 1946.

668. M. Gude, "Concept for a High-Performance Random Number Generator Based on Physical Random Phenomena," Frequenz, v. 39, 1985, pp. 187-190.

669. M. Gude, "Ein quasi-idealer Gleichverteil-ungsgenerator basierend auf physikalischen Zufallsphinomenen," Ph.D. dissertation, Aachen University of Technology, 1987. (In German.) 670. L.C. Guillou and J.-J. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory," Advances in Cryptology EUROCRYPT '88 Proceedings, Springer-Verlag, 1988, pp. 123-128.

671. L.C. Guillou and J. Quisquater, "A 'Paradoxical' Identity-Based Signature Scheme Resulting from Zero-Knowledge," Advances in Cryptology CRYPTO '88 Proceedings, Springer Verlag, 1990, pp. 216- 231.

672. L.C. Guillou, M. Ugon, and J. -J. Quisquater, "The Smart Card: A Standardized Security Device Dedicated to Public Cryptology," contemporary Cryptology: The Science of Information Integrity G. Simmons, ed., IEEE Press, 1992, pp. 561-613.

673. C.G. Gunther, "Alternating Step Generators Controlled by de Bruijn Sequences," Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp. 5-14.

674. C.G. Gunther, "An Identity-based Key-exchange Protocol, " Advances in Cryptology EUROCRYPT '89 Proceedings, Springer-Verlag, 1990, pp. 29-37.

675. H. Gustafson, E. Dawson, and B. Caelli, "Comparison of Block Ciphers, " Advances in Cryptology AUSCRYPT '90 Proceed- ings, Springer-Verlag, 1990, pp. 208-220.

676. P. Gutmann, personal communication, 1993.

677. H. Gutowitz, "A Cellular Automaton Cryptosystem: Specification and Call for Attack," unpublished manuscript, Aug 1992.

678. H. Gutowitz, "Method and Apparatus for Encryption, Decryption, and Authentication Using Dynamical Systems," U.S. Patent #5,365,589, 15 Nov 1994.

679. H. Gutowitz, "Cryptography with Dynamical Systems, " Cellular Automata and Cooperative Phenomenon, Kluwer Academic Press, 1993.

680. R.K. Guy, "How to Factor a Number, " Fifth Manitoba Conference on Numeral Mathematics Congressus Numerantium, v. 16, 1976, pp. 49-89.

681. R.K. Guy, Unsolved Problems in Number Theory, Springer-Verlag, 1981.

682. S. Haber and W.S. Stornetta, "How to Time-Stamp a Digital Document, " Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag, 1991, pp. 437-455.

683. S. Haber and W.S. Stornetta, "How to Time-Stamp a Digital Document, " journal of Cryptology, v. 3, n. 2, 1991, pp. 99-112.

684. S. Haber and W.S. Stornetta, "Digital Document Time-Stamping with Catenate Certificate," U.S. Patent #5,136,646, 4 Aug 1992.

685. S. Haber and W.S. Stornetta, "Method for Secure Time-Stamping of Digital Documents," U.S. Patent #5,136,647, 4 Aug 1992.

686. S. Haber and W.S. Stornetta, "Method of Extending the Validity of a Cryptographic Certificate," U.S. Patent #5,373,561, 13 Dec 1994.

687. T. Habutsu, Y. Nishio, I. Sasase, and S. Mori, "A Secret Key Cryptosystem by Iterating a Chaotic Map," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. E73, n. 7,1ul 1990, pp. 1041-1044.

688. T. Habutsu, Y. Nishio, I. Sasase, and S. Mori, "A Secret Key Cryptosystem by Iterating a Chaotic Map, " Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 127-140.

689. S. Hada and H. Tanaka, "An Improvement Scheme of DES against Differential Cryptanalysis," Proceedings of the 1994 Symposium on Cryptography and Information Security (SCIS 94), Lake Biwa, Japan, 27-29 Jan 1994, pp 14A. I-l l. fin Japanese. l 690. B.C.W. Hagelin, "The Story of the Hagelin Cryptos," Cryptologia, v. 18, n.3, Jul 1994, pp.

204-242.

691. T. Hansen and G.L. Mullen, "Primitive Polynomials over Finite Fields," Mathematics of Computation, v. 59, n. 200, Oct 1992, pp. 639-643.

692. S. Harada and S. Kasahara, "An ID-Based Key Sharing Scheme Without Preliminary Communication," IEICE Japan, Technical Report, ISEC89-38, 1989. (In Japanese ).

693. S. Harari, "A Correlation Cryptographic Scheme," EUROCODE '90 International Symposium on Coding Theory, Springer-Verlag, 1991, pp. 180-192.

694. T. Hardjono and J. Seberry, "Authentication via Multi-Service Tickets in the Kuperee Server, " Computer Security ESORICS 94, Springer-Verlag, 1994, pp. 144 160.

695. L. Harn and T. Kiesler, "New Scheme for Digital Multisignatures," Electronics Letters, v.

25, n. 15, 20 Jul 198Y, pp. 1002- 1003.

696. L. Harn and T. Kiesler, ''Improved Rabin's Scheme with High Efficiency, " Electronics Letters, v. 25, n. 15, 20 Jul 1989, p. 1016.

697. L. Harn and T. Kiesler, "Two New Efficient Cryptosystems Based on Rabin's Scheme, " Fifth Annual Computer Secunty Applications Conference, IEEE Computer Society Press, 1990, pp. 263-270.

698. L. Harn and D.-C. Wang "Cryptanalysts and Modification of Digital Signature Scheme Based on Error-Correeting Codes, " Electronics Letters, v. 28. n. 2, 10 Jan 1992, p. 157 159.

699. L. Harn and Y. Xu, "Design of Generalized ElGamal Type Digital Signature Schemes Based on Discrete Logarithm, " Electronics Letters, v. 30, n. 24. 24 Nov 1994, p. 2025 2026.

700. L. Harn and S. Yang, "Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party," Advances in Cryptology AUSCRYPT ' Proceedings, Springer- Verlag, 1993, pp. 133-142.

701. G. Harper, A. Menezes, and S. Vanstone, "Public-Key Cryptosystems with Very Small Key Lengths," Advances in Cryptology EUROCRYPT '92 Proceedings, Springer-Verlag 1993, pp. 163-173.

702. C. Harpes, "Notes on High Order Differen- tial Cryptanalysis of DES, " internal report, Signal and Information Processing Labora- tory, Swiss Federal Institute of Technology, Aug 1993.

703. G.W. Hart, "To Decode Short Cryptograms," Communications of the ACM, 717. v. 37, n.

9, Sep 1994, pp. 102-108.

704. J. Hastad, "On Using RSA with Low Exponent in a Public Key Network," Advances in Cryptology CRYPTO '85 Proceedings, Springer-Verlag 1986, pp. 403-408.

705 1 Hastad and A. Shamir, "The Cryptographic Secunty of Truncated Linearly Related Variables, " Proceedings of the 1 7th Annual ACM Symposium on the Theory of Computing, 1985, pp. 356-362.

706. R.C. Hauser and E.S. Lee, "Verification and Modelling of Authentication Protocols, " ESORICS 92, Proceedings of the Second European Symposium on Research in Computer Security, Springer-Verlag 1992, pp. 131-154.

707. B. Hayes, "Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash," Advances in Cryptology AUSCRYPT '90 Proceedings, Springer Verlag, 1990, pp. 294 305.

708. D.K. He, "LUC Public Key Cryptosystem and its Properties," CHINACRYPT '94, Xidian, China, 11-15 Nov 1994, pp. 60-69. (In Chinese.) 709. J. He and T. Kiesler, "Enhancing the Security of ElGamal's Signature Scheme," IKE Proceedings on Computers and Digital Techniques, v. 141, n.3, 1994. pp.193-195.

711. N. Heintze and J.D. Tygar, "A Model for Secure Protocols and their Compositions, " Proceedings of the 1994 IEEE Computer Society Symposium on Research in Secu rity and Privacy 1994, pp. 2-13.

712. M.E. Hellman, "An Extension of the Shannon Theory Approach to Cryptography," IEEE Transactions on Information Theory, v. IT-23, n. 3, May 1977, pp. 289-294.

713. M.E. Hellman, "The Mathematics of Public-Key Cryptography," Scientihc American, v. 241, n. 8, Aug 1979, pp. 146-157.

714. M.E. Hellman, "DES Will Be Totally Insecure within Ten Years, " IEEE Spectrum, v. 16, n. 7, Jul 1979, pp. 32-39.

716. M.E. Hellman, "A Cryptanalytic Time- Memory Trade Off," IEEE Transactions on Information Theory, v. 26, n. 4, Jul 1980, pp. 401-406.

717. M.E. Hellman, "Another Cryptanalytic Attack on Cryptosystem for Multiple Communications', " Information Processing Letters, v. 12, 1981. pp. 182-183.

718. M.E. Hellman, W. Diffie, and R.C. Merkle, "Cryptographic Apparatus and Method," U.S.

Patent #4,200,770, 29 Apr 1980.

719. M.E. Hellman, W. Diffie, and R.C. Merkle, "Cryptographic Apparatus and Method," Canada Patent #1,121,480, 6 Apr 1982.

720. M.E. Hellman and R.C. Merkle, "Public Key Cryptographic Apparatus and Method," U.S.

Patent #4,218,582, 19 Aug 1980.

721. M.E. Hellman, R. Merkle, R. Schroeppel, L. Washington, W. Diffie, S. Pohlig, and R Schweitzer, "Results of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard," Technical Report SEL 76-042, Information Systems Lab, Department of Electrical Engineering Stanford University, 1976.

722. M.E. Hellman and S.C. Pohlig, "Exponentiation Cryptographic Apparatus and Method," U.S. Patent #4,424,414, 3 Jan 1984.

723. M.E. Hellman and J.M. Reyneri, "Distribution of Drainage in the DES," Advances in Cryptology: Proceedings of Crypto 82, Plenum Prcss, 1983, pp. 129-131.

724. E Hendessi and M.R. Arcf, "A Successful Attack Against the DES, " Third Canadian Workshop on Information Theory and Applications, Springer-Verlag, 1994, pp. 78-90.

725. T. Herlestam, "Critical Remarks on Some 738. Public-Key Cryptosystems, " BIT, v. 18, 1978, pp. 493-496.

726. T. Herlestam, "On Ftmctions of Linear Shift Register Sequences", Advances in Cryptology EUROCRYPT '85, Springer Verlag, 1986, pp. 119-129.

727. T. Herlestam and R. Iohannesson, "On Computing Logarithms over GF (2P),'' BIT, 740.

v. 21, 1981, pp. 326-334.

728. H.M. Heys and S.E. Tavares, "On thc Security of the CAST Encryption Algorithm," Proceedings of the Canadian Conference on Electrical and Computer Engineenng, Halifax, Nova Scotia, Sep 1994, pp. 332-335.

729. H.M. Heys and S.E. Tavares, "The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis," Proceedings of the 2nd Annual ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 148-155.

730. E. Heyst and T.P. Pederson, "How to Make Fail-Stop Signatures," Advances in Cryptology EUROCRYPT '92 Proceedings, Springer-Verlag 1993, pp. 366-377.

731. E. Heyst, T.R Pederson, and B. Pfitzmann, "New Construction of Fail-Stop Signatures and Lower Bounds," Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag 1993, pp. 15-30.

732. L.S. Hill, "Cryptography in an Algebraic Alphabet," American Mathematical Monthly, v. 36, Jun-Jul 1929, pp. 306-312.

733. P.J.M. Hin, "Channel-Error-Correcting Privacy Cryptosystems," Ph.D. dissertation, Delft University of Technology, 1986. (In Dutch ).

734. R. Hirschield, "Making Elcctronic Refunds Safer, " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1993, pp. 106 -112.

735. A. Hodges, Alan Turing: The Enigma of Intelligence, Simon and Schuster, 1983.

736. W. Hohl, X. Lai, T. Meier, and C. Waldvogel, "Security of Iterated Hash Functions Based on Block Ciphers, " Advances in Cryptology CRYPTO '93 Proceedings, Springer Verlag, 1994, pp. 379-390.

737. F. Hoornaert, M. Decroos, J. Vandewalle, and R. Govaerts, "Fast RSA-Hardware: Dream or Reality?" Advances in Cryptology E UROCRYPT '88 Proceedings, Springer-Verlag, 1988, pp. 257-264.

738. F. Hoornaert, J. Goubert, and Y. Desmedt, "Efficient Hardware Implementation of the DES," Advances in Cryptology: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp.

147-173.

739. E. Horowitz and S. Sahni, Fundamentals of Computer Algonthms, Rockville, MD:

Computer Science Press, 1978.

740. R Horster, H. Petersen, and M. Michels, "Meta-EIGamal Signature Schemes," Proceedings of the 2nd Annual ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 96-107.

741. R Horster, H. Petersen, and M. Michels, "Meta Message Recovery and Meta Blind Signature Schemes Based on the Discrete Logarithm Problem and their Applications, " Advances in Cryptology ASIACRYPT '94 Proceedings, Springer-Verlag, 1995, pp. 224 237.

742. L.K. Hua, Introduction to Number Theory, Springer-Verlag, 1982.

743. K. Huber, "Specialized Attack on Chor-Rivest Public Key Cryptosystem, " Electronics Letters, v.27, n. 23, 7 Nov 1991, pp. 2130-2131.

744. E. Hughes, "A Cypherpunk's Manifesto, " 9 Mar 1993.

745. E. Hughes, "An Encrypted Key Transmission Protocol," presented at the rump s ession of CRYPTO '94, Aug 1994.

746. H. Hule and W.B. Muller, "On the RSA- Cryptosystem with Wrong Keys," Contributions to General Algebra 6, Vienna: Verlag Holder-Pichler-Tempsky, 1988, pp. 103-109.

747. H.A. Hussain, J.W.A. Sada, and S.M. Kalipha, "New Multistage Knapsack Public-Key Cryptosystem," International Journal of Systems Science, v. 22, n. 11, Nov 1991, pp.

2313-2320.

748. T. Hwang, "Attacks on Okamoto and Tanaka's One-Way ID-Based Key Distribution System," Information Processing Letters,v.43,n.2,Augl992, pp.83-86.

749. T. Hwang and T.R.N. Rao, "Secret Error- Correcting Codes (SECC )." Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag, 1990, pp. 540-563.

750. C. Ianson and C. Mitchell, "Security Defects in CCITT Recommendation X.509 the Directory Authentication Framework," Computer Communications Review, v. 20, n. 2, Apr 1990, pp. 30-34.

751. IBM, "Common Cryptographic Architecture: Cryptographic Application Programming Interface Reference," SC40-1675-1, IBM Corp., Nov 1990.

752. IBM, "Common Cryptographic Architecture: Cryptographic Application Programming Interface Reference Public Key Algorithm," IBM Corp., Mar 1993.

753. R. Impagliazzo and M. Yung, "Direct Minimum-Knowledge Computations, " Advances in Cryptology CRYPTO '87 Proceedings, Springer-Verlag, 1988, pp. 40-51.

754. I. Ingemarsson, "A New Algorithm for the Solution of the Knapsack Problem," Lecture Notes in Computer Science 149;

Cryptography: Proceedings of the Workshop on Cryptography, Springer-Verlag, 1983, pp. 309-315.

755. I. Ingemarsson, "Delay Estimation for Truly Random Binary Sequences or How to Measure the Length of Rip van Winkle's Sleep," Communications and Cryptography: Two Sides of One Tapestry, R.E. Blahut ct al., eds., Kluwer Adademic Pub- lishcrs, 1994, pp.

179-186.

756. I. Ingemarsson and G.J. Simmons, "A Protocol to Set Up Shared Secret Schemes without the Assistance of a Mutually Trusted Party," Advances in Cryptology EUROCRYPT ' Proceedings, Springer-Verlag, 1991, pp. 266-282.

757. I. Ingemarsson, D.T. Tang, and C.K. Wong, "A Conference Key Distribution System," IEEE Transactions on Information Theory, v. IT-28, n. 5, Sep 1982, pp. 714-720.

758. ISO DIS 8730, "Banking Requirements for Message Authentication Wholesale," Association for Payment Clearing Services, London, Jul 1987.

759. ISO DIS 8781-1, "Banking Approved Algorithms for Message Authentication Part 1: DEA" Association for Payment Clearing Services, London, 1987.

760. ISO DIS 8731-2, "Banking Approved Algorithms for Message Authentication Part 2:

Message Authenticator Algorithm, " Association for Payment Clearing Services, London, 1987.

761. ISO DIS 8732, "Banking Key Management (Wholesaled ) " Association for Payment Clearing Services, London, Dec 1987.

762. ISO/IEC 9796, "Information Technology Security Techniques. Digital Signature Scheme Giving Message Recovery," International Organization for Standardization, Jul 1991.

763. ISO/IEC 9797, "Data Cryptographic Techniques. Data Integrity Mechanism Using a Cryptographic Check Function Employing a Block Cipher Algorithm," International Organization for Standardization, 1989.

764. ISO DIS 10118 DRAFT, "Information Technology Security Techniques. Hash Functions" International Organization for Standardization, 1989.

765. ISO DIS 10118 DRAFT, "Information Technology Security Techniques. Hash Functions" International Organization for Standardization, April 1991.

766. ISO N98, "Hash Functions Using a Pseudo Random Algorithm,'' working document, ISO IEC/JTC 1 /SC27/WG2, International Organization for Standardization, 1992.

767. ISO N179, "AR Fingerprint Function," working document, ISO-IEC/JTC1/SC27/ WG2, International Organization for Standardization, 1992.

General and Part 2: Hash-Functions Using an e-Bit Block Cipher Algorithm, " International Organization for Standardization, 1993.

769. K. Ito, S. Kondo, and Y. Mitsuoka, "SXAL8/MBAL Algorithm," Technical Report, ISEC93-68, IEICE Japan, 1993. (In Japancsc. ) 770. K.R. Iversen, "The Application of Cryptographic Zero-Knowledge Techniques in Computerized Secret Ballot Election Schemes, " Ph.D. dissertation, IDT-report 1991:3, Norwegian Institute of Technology, Feb 1991.

771. K.R. Iversen, "A Cryptographic Scheme for Computerized General Elections, " Advances in Cryptology CRYPTO '91 Proceedings, Springcr-Vcrlag, 1992, pp. 405 -419.

772. K. Iwamura, T. Matsumoto, and H. Imai, "An Implcmcutation Method for RSA Cryp tosystem with Parallel Processing ", Transactions of the Institute of Electronics, Information, and Communication Engineers, v. J75-A, n. 8, Aug 1992, pp. 1301-1311.

773. W.J. Jaburek, "A Generalization of ElGamal's Public Key Cryptosystem, " Advances in Cryptology EUROCRYPT '89 Proceedings, 1990, Springer-Verlag, pp. 23-28.

774. N.S. James, R. Lidl, and H. Niederreiter, "Breaking the Cade Cipher," Advances in Cryptology CRYPTO '86 Proceedings, 1987, Springer-Verlag, pp. 60-63.

775. C.J.A. Jansen, "On the Key Storage Requirements for Secure Terminals'" Computers and Security, v. 5, n. 2, Jun 788. 1986, pp. 145-149.

776. C.J.A. Jansen, "Investigations on Nonlin ear Strcamcipher Systems: Construction and Evaluation Methods," Ph.D. dissertation, Technical University of Delft, 1989.

777. C.J.A. Jansen and D.E. Boekee, "Modes of Blockcipher Algorithms and their Protection against Active Eavesdropping, " Advances in Cryptology EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp. 281-286.

778. S.M. Jennings, "A Special Class of Binary Sequences," Ph.D. dissertation, University of London, 1980.

779. S.M. Jennings, "Multiplexed Sequences: Some Properties of the Minimum Polynomial," Lecture Notes in Computer Science 149;

Cryptography: Proceedings of the Workshop on Cryptography, Springer-Verlag, 1983, pp. 189-206.

780. S.M. Jennings, "Autocorrelation Function of the Multiplexed Sequence, " IKE Pro ceedings, v. 131, n. 2, Apr 1984, pp. 169-172.

781. T. Jin, "Care and Feeding of Your Three Headed Dog, " Document Number IAG-90 -011, Hewlett-Packard, May 1990.

782. T. Jin, "Living with Your Three-Headed Dog," Document Number IAG-90-012, Hewlett Packard, May 1990.

783. A. Jiwa, J. Seberry. and Y. Zheng, "Beacon Based Authentication," Computer Security ESORICS 94, Springer-Verlag, 1994, pp. 125-141.

784. D.B. Johnson, G.M. Dolan, M.J. Kelly, A.V. Le, and S.M. Matyas, "Common Cryptographic Architecture. Cryptographic Application Programming Interface," IBM Systems journal, v.

30, n.2, 1991, pp.130-150.

785. D.B. Johnson, S.M. Matyas, A.V. Le. and J.D. Wilkins, "Design of the Commercial Data Masking Facility Data Privacy Algorithm," 1st ACM Conference on Computer and Communications Security, ACM Press, 1993, pp. 93-96.

786. J.R Jordan, "A Variant of a Public-Key Cryptosystem Based on Goppa Codes," Sigact News, v. 15, n. 1, 1983, pp. 61-66.

787. A. Joux and L. Granboulan, "A Practical Attack Against Knapsack Based Hash Functions" Advances in Cryptology EUROCRYPT '94 Proceedings, Springer-Verlag, 1995, to appear.

788. A. Joux and J. Stern, "Cryptanalysis of Another Knapsack Cryptosystem, " Advances in Cryptology ASIACRYPT '91 Proceedings, Springer-Verlag, 1993, pp. 470-476.

789. R.R. Jueneman, "Analysis of Certain Aspects of Output-Feedback Mode, " Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1983, pp.99-127.

790. R.R. Jueneman, "Electronic Document Authentication, " IEEE Network Magazine, v. 1, n.2, Apr 1978, pp. 17-23.

791. R.R. Jueneman, "A High Speed Manipulation Detection Code," Advances in Cryptology CRYPTO '86 Proceedings, Springer-Verlag, 1987, pp. 327-346.

792. R.R. Jueneman, S.M. Matyas, and C.H. Meyer, "Message Authentication with Manipulation Detection Codes," Proceedings of the 1983 IEEE Computer Society Symposium on Research in Security and Privacy, 1983, pp. 733-54.

793. R.R. Jucncman, S.M. Matyas, and C.H. Meyer, "Message Authentication, " IEEE Communications Magazine, v. 23, n. 9, Sep 1985, pp. 29 40.

794. D. Kahn, The Codebreakers: The Story of Secret Writing, New York: Macmillan Publishing Co., 1967.

795. D. Kahn, Kahn on Codes, New York: Macmillan Publishing Co., 1983.

796. D. Kahn, Seizing the Enigma, Boston: Houghton Mifflin Co., 1991.

797. P. Kaijser, T. Parker, and D. Pinkas, "SESAME: The Solution to Security for Open Distributed Systems," Journal of Computer communications, V. 17, n. 4, Jul 1994, pp.

501-518.

798. R. Kailar and V.D. Gilgor, "On Belief Evolution in Authentication Protocols," Proceedings of the Computer Security Foundations Workshop IV, IEEE Computer Society Press, 1991, pp. 102-116.

799. B.S. Kaliski, "A Pseudo Random Bit Generator Based on Elliptic Logarithms," Master's thesis, Massachusetts Institute of Technology, 1987.

800. B.S. Kaliski, letter to NIST regarding DSS, 4 Nov 1991.

802. B.S. Kaliski, "Privacy Enhancement for Internet Electronic Mail: Part IV: Key Cer tificates and Related Services," RFC 1424, Feb 1993.

803. B.S. Kaliski, "An Overview of the PKCS Standards," RSA Laboratories, Nov 1993.

804. B.S. Kaliski, "A Survey of Encryption Standards, IEEE Micro, v. 13, n. 6, Dec 1993, pp.

74-81.

805. B.S. Kaliski, personal communication, 1993.

806. B.S. Kaliski, "On the Security and Performance of Several Triple-DES Modes," RSA Laboratories, draft manuscript, Jan 1994.

807. B.S. Kaliski, R.L. Rivest, and A.T. Sherman, "Is the Data Encryption Standard a Group?", Advances in Cryptology EUROCRYPT '85, Springer-Verlag, 1986, pp. 81-95.

808. B.S. Kaliski, R.L. Rivest, and A.T. Sherman, "Is the Data Encryption Standard a Pure Cipher? Results of More Cycling Experiments in DESK, " Advances in Cryptology CRYPTO '85 Proceedings, Springer-Verlag, 1986, pp. 212-226.

809. B.S. Kaliski, R.L. Rivest, and A.T. Sherman, "Is the Data Encryption Standard a Group?

(Results of Cycling Experiments on DESK," Journal of Cryptology v. 1, n. 1, 1988, pp. 3 36.

810. B.S. Kaliski and M.J.B. Robshaw, "Fast Block Cipher Proposal," Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 33 40.

811. B.S. Kaliski and M.J.B. Robshaw, "Linear Cryptanalysis Using Multiple Approximations," Advances in Cryptology CRYPTO '94 Proceedings, Springer-Verlag, 1994, pp. 26-39.

812. B.S. Kaliski and M.J.B. Robshaw, "Linear Cryptanalysis Using Multiple Approximations and PEAL," K.U. Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.

813. R.G. Kammer, statement before the U.S. government Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, 29 Apr 1993.

814. T. Kaneko, K. Koyama, and R. Terada, "Dynamic Swapping Schemes and Differential Cryptanalysis, Proceedings of the 1993 Korea- Japan Workshop on Information Security and Cryptography Seoul, Korea, 24-26 Oct 1993, pp. 292-301.

815. T. Kaneko, K. Koyama, and R. Terada, "Dynamic Swapping Schemes and Differential Cryptanalysis," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. E77-A, n. 8, Aug 1994, pp. 1328-1336.

816. T. Kaneko and H. Miyano, "A Study on the Strength Evaluation of Randomized DES Like Cryptosystems against Chosen Plaintext Attacks, " Proceedings of the Symposium on Cryptography and Information Security (SCIS 93), Shozenji, Japan, 28- Jan 1993, pp. 15C.1-10.

817. J. Karl, "A Cryptosystem Based on Propositional Logic," Machines, Languages, and Complexity: 5th International Meeting of Young Computer Scientists, Selected Con tributions, Springer-Verlag, 1989, pp. 210-219.

818. E.D. Karnin, J.W. Greene, and M.E. Hellman, "On Sharing Secret Systems," IEEE Transactions on Information Theory v. IT- 29, 1983, pp. 35 41.

819. F.W Kasiski, Die Geheimschriften and die Dechiffrir-kunst, E.S. Miller und Sohn, 1863. In German.

820. A. Kehne, J. Schonwalder, and H. Langendorfer, "A Nonce-Based Protocol for Multiple Authentications," Operating Systems Review, v. 26, n. 4, Oct 1992, pp. 84-89.

821. J. Kelsey, personal communication, 1994.

822. R. Kemmerer, "Analyzing Encryption Protocols Using Formal Verification Techniques, " IEEE Journal on Selected Areas in Communications, v. 7, n. 4, May 1989, pp. 448 457.

823. R. Kemmerer, C.A. Meadows, and J. Millen, "Three Systems for Cryptographic Protocol Analysis," Journal of Cryptology v. 7, n. 2, 1994, pp. 79-130.

824. S.T. Kent, "Encryption-Based Protection Protocols for Interactive User-Computer Communications, " MIT/LCS/TR162, MIT Laboratory for Computer Science, May 1976.

825. S.T. Kent, "Privacy Enhancement for Internct Electronic Mail: Part II: Certificate Based Key Management," RFC 1422, Feb 1993.

826. S.T. Kent, "Understanding the Internet Certification System, " Proceedings of INET '93, The Internet Society, 1993, pp. BAB 1 -BAB 10.

827. S.T. Kent and J. Linn, "Privacy Enhaneement for Internet Electronic Mail: Part II:

Certificate-Based Key Management," RFC 1114, Aug 1989.

828. V. Kessler and G. Wedel, "AUTOLOG An Advanced Logic of Authentication," Proceedings of the Computer Security Foundations Workshop, IEEE Computer Society Press, 1994, pp.

90-99.

829. E.L. Key, "An Analysis of the Structure and Complexity of Nonlinear Binary Sequence Generators," IEEE Transactions on Information Theory v. IT-22, n. 6, Nov 1976, pp. 732 736.

830. T. Kiesler and L. Harn, "RSA Blocking and Multisignature Schemes with No Bit Expansion," Electronics Letters, v. 26, n. 18, 30 Aug 1990, pp. 1490-1491.

831. J. Kilian, Crises of Randomness in Algorithms and Protocols, MIT Press, 1990.

832. J. Kilian, "Achieving Zero-Knowledge Robustly, " Advances in Cryptology CRYPTO Proceedings, Springer-Verlag, 1991, pp. 313-325.

833. J. Kilian and T. Leighton, "Failsafe Key Escrow," MIT/LCS/TR-636, MIT Laboratory for Computer Science, Aug 1994.

834. K. Kim, "Construction of DES-Like S -Boxes Based on Boolean Functions Satisfying the SAC, " Advances in Cryptology, ASIACRYPT 91 Proceedings, Springer -Verlag, 1993, pp.

59-72.

835. K. Kim, S. Lee, and S. Park, "Necessary Conditions to Strengthen DES S-Boxes Against Linear Cryptanalysis," Proceedings of the 1994 Symposium on Cryptography and Information Secunty (SCIS 94), Lake Biwa, Japan, 27-29 Jan 1994, pp. 15D.1-9.

836. K. Kim, S. Lee, and S. Park, "How to Strengthen DES against Differential Attack, " unpublished manuscript, 1994.

837. K. Kim, S. Lee, S. Park, and D. Lee, "DES Can Be Immune to Differential Cryptanalysis, " Workshop on Selected Areas in Cryptography Workshop Record, Kingston, Ontario, 5- May 1994, pp. 70-81.

838. K. Kim, S. Park, and S. Lee, "How to Strengthen DES against Two Robust Attacks," Proceedings of the 1995 Japan-Korea Workshop on Information Security and Cryptography Inuyama, Japan, 24-27 Jan 1995, 173-182.

839. K. Kim, S. Park, and S. Lee, "Reconstruction of s2DES S-Boxes and their Immunity to Differential Cryptanalysis, " Proceedings of the 1993 Korea- Japan Workshop on Information Security and Cryptography, Seoul, Korea, 24-26 Oct l 993, pp.282-291.

840. S. Kim and B.S. Um, "A Multipurpose Membership Proof System Based on Discrete Logarithm," Proceedings of the 1993 Korea- Japan Workshop on Information Security and Cryptography, Seoul, Korea, 24-26 Oct 1993, pp. 177-183.

841. P. Kinnucan, "Data Encryption Gurus: Tuchman and Meyer," Cryptologia, v. 2, n. 4, Oct 1978.

842. A. Klapper, "The Vulnerability of Geometric Sequences Based on Fields of Odd Characteristic," Journal of cryptology v. 7, n. 1, 1994, pp. 33-52.

843. A. Klapper, "Feedback with Carry Shift Registers over Finite Fields," K. U. Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.

844. A. Klapper and M. Goresky, "2-adic Shift Registers, " Fast Software Encryption, Cambridge Security Workshop l'roceed- ings, Springer-Verlag, 1994, pp. 174-178.

845. A. Klapper and M. Goresky, "2-adic Shift Registers," Technical Report #239-93, Department of Computer Science, University of Kentucky, 19 Apr 1994.

846. A. Klapper and M. Goresky, "Large Period Nearly de Bruijn FCSR Sequences, " Advances in Cryptology EUROCRYPT 95 Proceedings, Springer-Verlag, 1995, pp. 263-273.

847. D.V. Klein, "'Foiling the Cracker: A Survey of, and Implications to, Password Security," Proceedings of the USENIX UNIX Security Workshop, Aug 1990, pp. 5-14.

848. D.V Klein, personal communication, 1994.

849. C.S. Kline and G.J. Popek, "Public Key vs. Conventional Key Cryptosystems," Proceedings of AFIPS National Computer Conference, pp. 831-837.

850. H.-J. Knobloch, "A Smart Card Implementation of the Fiat-Shamir Identification Scheme," Advances in Cryptology EUROCRPYT '88 Proceedings, Springer-Verlag, 1988, pp. 87 95.

851. T. Knoph, J. Fropl, W. Beller, and T.Giesler, "A Hardware Implementation of a Modified DES Algorithm," Microprocessing and Microprogramming, v. 30, 1990, pp. 59-66.

852. L.R. Knudsen, "Cryptanalysts of LOKI," Advances in Cryptology ASIACRYPT ' Proceedings, Springer-Verlag, 1993, pp. 22-35.

853. L.R. Knudsen, "Cryptanalysts of LOKI," Cryptography and Coding 111, M.J. Ganley, ed., Oxford: Clarendon Press, 1993, pp. 223-236.

854. L.R. Knudsen, "Cryptanalysts of LOKI91," Advances in Cryptology AUSCRYPT ' Proceedings, Springer-Verlag, 1993, pp. 196-208.

855. L.R. Knudsen, "Iterative Characteristics of DES and sZDES," Advances in Cryptology CRYPTO '92, Springer-Verlag, 1993, pp. 497-511.

856. L.R. Knudsen, "An Analysis of Kim, Park and Lee's DES-Like S-Boxes," unpublished manuscript, 1993.

857. L.R. Knudsen, "Practically Secure Feistel Ciphers," Fast Software Encryption, Cam bridge Secunty Workshop Proceedings, Springer-Verlag, 1994, pp. 211-221.

860. L.R. Knudsen, "Applications of Higher Order Differentials and Partial Differentials, " K. U Leuven Workshop on Cryptographic Algorithms, Springer-Verlag, 1995, to appear.

861. L.R. Knudsen and X. Lai, "New Attacks on All Double Block Length Hash Functions of Hash Rate 1, Including the Parallel-DM," Advances in Cryptology EUROCRYPT ' Proceedings, Springer-Verlag, 1995, to appear.

862. L.R. Knudsen, "A Weakness in SAFER K-64, " Advances in Cryptology-CRYPT O ' Proceedings, Springer-Verlag, 1995, to appear.

863. D. Knuth, The Art of Computer Programming: Volume 2, Seminumerical Algo rithms, 2nd edition, Addison-Wesley, 1981.

864. D. Knuth, "Deciphering a Linear Congruential Encryption," IEEE Transactions on Information Theory, v. IT-31, n. 1, Jan 1985, pp. 49-52.

865. K. Kobayashi and L. Aoki, "On Linear Cryptanalysis of MBAL, " Proceedings of the Symposium on Cryptography and Information Security (SCIS 95, Innyama, Japan, 24- Jan 1995, pp. A4.2.1-9.

866. K. Kobayashi, K. Tamura, and Y. Nemoto, "Two-dimensional Modified Rabin Cryptosystem," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. J72-D, n. 5, May 1989, pp. 850-851. (In Japanese. ) 867. N. Koblitz, "Elliptic Curve Cryptosystems, " Mathematics of Computation, v. 48, n. 177, 1987, pp. 203-209.

868. N. Koblitz, "A Family of Jacobians Suitable for Discrete Log Cryptosystems, " Advances in Cryptology CRYPTO '88 Proceedings, Springer-Verlag 1990, pp. 94 -99.

869. N. Koblitz, "Constructing Elliptic Curve Cryptosystems in Characteristic 2," Advances in Cryptology CRYPTO '90 Proceedings, Springer-Verlag 1991, pp. 15 6-167.

870. N. Koblitz, "Hyperelliptic Cryptosystems," Journal of Cryptology, v. 1, n. 3, 1989, pp.

129-150.

871. N. Koblitz, "CM-Curves with Good Cryptographic Properties, " Advances in Cryptology CRYPTO '91 Proceedings, Springer-Verlag, 1992, pp. 279-287.

872. C.K. Koc, "High-Speed RSA Implementation," Version 2.0, RSA Laboratories, Nov 1994.

873. M.J. Kochanski, "Remarks on Lu and Lee's Proposals," Crypto logia, v. 4, n. 4, 1980, pp.

204-207.

874. M.J. Kochanski, "Developing an RSA Chip," Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1986, pp. 350-357.

875. J.T. Kohl, "The Use of Encryption in Kerberos for Network Authentication," Advances in Cryptology CRYPTO '89 Proceedings, Springer-Verlag, 1990, pp.35 -43.

876. J.T. Kohl, "The Evolution of the Kerberos Authentication Service," Eur opean Conference Proceedings, May 1991, pp. 295-313.

877. J.T. Kohl and B.C. Neuman, "The Kerberos Network Authentication Service, " RFC 1510, Sep 1993.

878. J.T. Kohl, B.C. Neuman, and T. Ts'o, "The Evolution of the Kerberos Authentication System," Distributed Open Systems, IEEE Computer Society Press, 1994, pp. 78-94.

879. Kohnfelder, "Toward a Practical Public Key Cryptosystem, " Bachelor's thesis, MIT Department of Electrical Engineering, May 1978.

880. A. G. Konheim, Cryptography: A Primer, New York: John Wiley & Sons, 1981.

881. A.G. Konheim, M.H. Mack, R.K. McNeill, B. Tuckerman, and G. Waldbaum, "The IPS Cryptographic Programs," IBM Systems journal, v. 19, n. 2, 1980, pp. 253-283.

882. V.I. Korzhik and A.I. Turkin, "Cryptanalysis of McEliece's Public-Key Cryptosystem," Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 68 70.

883. S.C. Kothari, "Generalized Linear Threshold Scheme," Advances in Cryptology:

Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 231-241.

884. J. Kowalchuk, B.R Schanning, and S. Powers, "Communication Privacy: Integration of Public and Secret Key Cryptography," Proceedings of the National Telecommunication Conference, IEEE Press, 1980, pp. 49.1.1 49.1.5.

885. K. Koyama, "A Master Key for the RSA Public-Key Cryptosystem," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. J65-D, n. 2, Feb 1982, pp. 163-170.

886. K. Koyama, "A Cryptosystem Using the Master Key for Multi-Address Communications," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. J65-D, n. 9, Sep 1982, pp. 1151-1158.

887. K. Koyama, "Demonstrating Membership of a Group Using the Shizuya-Koyama -Itoh (SKI) Protocol," Proceedings of the 1989 Symposium on Cryptography and Information Security ( SCIS 89), Gotenba, Japan, 1989.

888. K. Koyama, "Direct Demonstration of the Power to Break Public-Key Cryptosystems, " Advances in Cryptology AUSCRYPT '90 Proceedings, Springer-Verlag, 1990, pp. 14-21.

889. K. Koyama, "Security and Unique Decipherability of Two-dimensional Public Key Cryptosystems," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. E73, n. 7, Jul 1990, pp. 1057-1067.

890. K. Koyama, U.M. Maurer, T. Okamoto, and S.A. Vanstone, "New Public-Key Schemes Based on Elliptic Curves over the Ring Zn " Advances in Cryptology CRYPTO ' Proceedings, Springer-Verlag, 1992, pp. 252-266.

891. K. Koyama and K. Ohta, "Identity-based Conference Key Dist ribution System," Ad vances in Cryptology CRYPTO '87 Proceedings, Springer-Verlag, 1988, pp.175-184.

892. K. Koyama and T. Okamoto, "Elliptic Curve Cryptosystems and Their Applications, " IEICE Transactions on Information and Systems, v. E75-D, n. 1, Jan 1992, pp. 50-57.

893. K. Koyama and R. Terada, " How to Strengthen DES-Like Cryptosystems against Differential Cryptanalysis," Transactions of the Institute of Electronics, Information, and Communication Engineers, v. E76-A, n. 1, Jan 1993, pp. 63-69.

894. K. Koyama and R. Terada, "Probabilistic Swapping Schemes to Strengthen DES against Differential Cryptanalysis, " Proceedings of the 1993 Symposium on Cryptography and Information Security (SCIS 93), Shuzenji, Japan, 28-30 Jan 1993, pp. 15D.1-12.

895. K. Koyama and Y. Tsuruoka, "Speeding up Elliptic Cryptosystems Using a Singled Binary Window Method, " Advances in Cryptology CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 345-357.

896. E. Kranakis, Pnmality and Cryptography, Wiler-Teubner Series in Computer Science, 1986.

897. D. Kravitz, "Digital Signature Algorithm," U.S. Patent #5,231,668, 27 Jul 1993.

898. D. Kravitz and L. Reed, "Extension of RSA Cryptostructure: A Galois Approach, " Electronics Letters, v. 18, n. 6, 18 Mar 1982, pp. 255-256.

899. H. Krawczyk, "How to Predict Congruential Generators," Advances in Cryptology CRYPTO'89 Proceedings, Springer- Verlag, 1990, pp. 138-153.

900. H. Krawczyk, "How to Predict Congruential Generators," Journal of Algorithms, v. 13, n.

4, Dec 1992, pp. 527-545.

901. H. Krawczyk, "The Shrinking Generator: Some Practical Considerations," Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 46.

902. G.J. Kuhn, "Algorithms for Self-Synchronizing Ciphers," Proceedings of COMSIG 88, 1988.

903. G.J. Kuhn, F. Bruwer, and W. Smit, "'n Vinnige Veeldoelige Enkripsievlokkie, " Pro ceedings of Infosec 90, 1990. (In Afrikaans.) 904. S. Kullback, Statistical Methods in Cryptanalysis, U.S. Government Printing Office, 1935.

Reprinted by Aegean Park Press, 1976.

905. RV. Kumar, R.A. Scholtz, and L.R. Welch, "Generalized Bent Functions and their Prop erties," Journal of Combinational Theory, Series A, v. 40, n. 1, Sep 1985, pp. 90-107.

906. M. Kurosaki, T. Matsumoto, and H. Imai, "Simple Methods for Multipurpose Certification," Proceedings of the 1989 Symposium on Cryptography and Information Security (SCIS 89), Gotenba, Japan, 1989.

907. M. Kurosaki, T. Matsumoto, and H. Imai, "Proving that You Belong to at Least One of the Specified Groups," Proceedings of the 1990 Symposium on Cryptography and Information Security (SCIS 90), Hihondaira, Japan, 1990.

908. K. Kurosawa, "Key Changeable ID-Based Cryptosystem," Electronics Letters, v. 25, n. 9, 27 Apr 1989, pp. 577-578.

909. K. Kurosawa, T. Ito, and M. Takeuchi, "Public Key Cryptosystem Using a Reciprocal Number with the Same Intractability as Factoring a Large Number," Cryptologia, v. 12, n.

4, Oct 1988, pp. 225-233.

910. K. Kurosawa, C. Park, and K. Sakano, "Group Signer/Verifier Separation Scheme," Proceedings of the 1995 Japan-Korea Workshop on Information Security and Cryptography, Inuyama, Japan, 24-27 Jan 1995, 134-143.

911. G.C. Kurtz, D. Shanks, and H.C. Williams, "Fast Primality Tests for Numbers Less than 50*10" Mathematics of Computation, v. 46, n. 174, Apr 1986, pp. 691-701.

912. K. Kusuda and T. Matsumoto, "Optimization of the Time-Memory Trade-Off Cryptanalysis and Its Application to Block Ciphers, " Proceedings of the 1995 Symposium on Cryptography and Information Security (SCIS 95 ), Inuyama, Japan, 24-27 Jan 1995, pp.

A3.2.1-11. (In Japanese.) 913. H. Kuwakado and K. Koyama, "Security of RSA-Type Cryptosystems Over Elliptic Curves against Hastad Attack," Electronics Letters, v. 30, n. 22, 27 Oct 1994, pp. 1843 1844.

914. H. Kuwakado and K. Koyama, "A Ncw RSA-Type Cryptosystem over Singular Elliptic Curves, " IMA Conference on Applications of Finite Fields, Oxford University Press, to appear.

915. H. Kuwakado and K. Koyama, "A New RSA-Type Scheme Based on Singular Cubic Curves," Proceedings of the 1995 Japan-Korea Workshop on Information Security and Cryptography, Inuyama, Japan, 24-27 Jan 1995, pp. 144-151.

916. M. Kwan, "An Eight Bit Weakness in the LOKI Cryptosystem, " technical report, Australian Dcfensc Force Academy, Apr 1991.

917. M. Kwan and J. Pieprzyk, "A General Purpose Technique for Locating Key Scheduling Weakness in DES-Like Cryptosystcms, " Advances in Cryptology ASIACRYPT ' Proceedings, Springer-Verlag, 1991, pp. 237-246.

918. J.B. Lacy, D.P. Mitchell, and W.M. Schell, "CryptoLib: Cryptography in Software," UNIX Security Symposium Proceedings, USENIX Association, 1993, pp. 1-17.

919. J.C. Lagarias, "Knapsack Public Key Cryptosystems and Diophantine Approximations," Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 3-23.

920. J.C. Lagarias, "Performance Analysis of Shamir's Attack on the Basic Merkle-Hellman Knapsack Cryptosystem, " Lec- ture Notes in Computer Science 172;

Proceedings of the 11 th International Colloquium on Automata, Languages, and Programming (ICALP ), Springer- Verlag, 1984, pp. 312-323.

921. J.C. Lagarias and A.M. Odlyzko, "Solving Low-Density Subset Sum Problems," Proceedings of the 24th IEEE Symposium on Foundations of Computer Science, I 983, pp. 1-10.

922. J.C. Lagarias and A.M. Odlyzko, "Solving Low-Density Subset Sum Problems," Journal of the ACM, v. 32, n. 1, Jan 1985, pp. 229-246.

923. J.C. Lagarias and J. Reeds, "Unique Extraporation of Polynomial Recurrences, " SIAM Journal on Computing, v. 17, n. 2, Apr 1988, pp. 342-362.

924. X. Lai, Detailed Description and a Software Implementation of the IPES Cipher, unpublished manuscript, 8 Nov 1991.

925. X. Lai, On the Design and Secunty of Block Ciphers, ETH Series in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992.

926. X. Lai, personal communication, 1993.

927. X. Lai, "Higher Order Derivatives and Differential Cryptanalysis," Communications and Cryptography: Two Sides of One Tapestry, R.E. Blahut et al., eds., Kluwer Adademic Publishers, 1994, pp. 227-233.

928. X. Lai and L. Knudsen, "Attacks on Double Block Length Hash Functions," Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 157 165.

929. X. Lai and J. Massey, "A Proposal for a New Block Encryption Standard, " Advances in Cryptology EUROCRYPT '90 Proceedings, Springer-Verlag, 1991, pp. 389 404.

930. X. Lai and J. Massey, "Hash Functions Based on Block Ciphers, " Advances in Cryptology EUROCRYPT '92 Proceedings, Springer-Verlag, 1992, pp. 55-70.

931. X. Lai, J. Massey, and S. Murphy, "Markov Ciphers and Differential Cryptanalysis," Advances in Cryptology EUROCRYPT '91 Proceedings, Springer-Verlag, 1991, pp. 17-38.

932. X. Lai, R.A. Rueppel, and J. Woollven, "A Fast Cryptographic Checksum Algorithm Based on Stream Ciphers," Advances in Cryptology AUSCRYPT '92 Proceedings, Springer-Verlag, 1993, pp. 339-348.

933. C.S. Laih, J.Y. Lee, C.H. Chen, and L. Harn, "A New Scheme for ID-based Cryptosys tems.md Signatures," Tournal of the Chinese Institute of Engineers, v. 15, n. 2, Sep 1992, pp. 605-610.

934. B.A. LaMacchia and A.M. Odlyzko, "Computation of Discrete Logarithms in Prime Fields, " Designs, Codes, and Cryptography, v. 1, 1991, pp. 46-62.