Handbook of Applied Cryptography: Index

Source: fit.mta.edu.vn/files/FileMonHoc/index.pdf (2013-03-08)


Index

Symbols

|S| (cardinality of a set S), 49
∈ (set member), 49
⊆ (subset), 49
⊂ (proper subset), 49
∩ (set intersection), 49
∪ (set union), 49
− (set difference), 49
× (Cartesian product), 49
∅ (empty set), 50
O-notation (big-O), 58
Ω-notation (big-omega), 59
Θ-notation (big-theta), 59
o-notation (little-o), 59
≝ (by definition), 213
L_q[α, c] (subexponential notation), 60
≤_P (polytime reduction), 61
∼ (asymptotic equivalence), 134
π (mathematical constant pi), 49
e (base of natural logarithms), 49
Σ (sum), 50
Π (product), 50
! (factorial), 50
⌊ ⌋ (floor), 49
⌈ ⌉ (ceiling), 49
φ (Euler phi function), 65, 286
μ(n) (Mobius function), 154
lg (base 2 logarithm), 50
ln (natural logarithm), 50
[a, b] (interval of integers), 49
| (divides relation), 63, 79
≡ (congruence relation), 67, 79
≪ (much less than), 529
≫ (much greater than), 170
(n choose k) (binomial coefficient), 52
(a/p) (Legendre symbol), 72
⟨ , ⟩ (inner product), 118
‖v‖ (length of a vector v), 118
← (assignment operator), 66
x‖y (concatenation of strings x, y), 38
{0,1}^k (bitstrings of bitlength k), 447
{0,1}^* (bitstrings of arbitrary bitlength), 447
Q (the rational numbers), 49
R (the real numbers), 49
Z (the integers), 49
Z_n (integers modulo n), 68
Z_n^* (multiplicative group of Z_n), 69
Q_n (quadratic residues modulo n), 70
Q̄_n (quadratic non-residues modulo n), 70
F_q (finite field of order q), 81
F_q^* (multiplicative group of F_q), 81
F[x] (polynomial ring), 78
∨ (inclusive-OR), 213
⊕ (exclusive-OR), 20
∧ (AND), 213
⊞ (addition mod 2^n), 263
⊟ (subtraction mod 2^n), 270
⊙ (modified multiplication mod 2^n + 1), 263
←↩ (left rotation), 213
↪→ (right rotation), 213
→ (message transfer), 396

A

Abelian group, 75
Abstract Syntax Notation One (ASN.1), 660
Access control, 3
Access control matrix, 387
Access matrix model, 569
Access structure, 526
    monotone, 527
Accredited Standards Committee (ASC), 648
Active adversary, 15, 37
Active attack, 41, 495
Ad hoc security, 43
Adaptive chosen-ciphertext attack, 42
Adaptive chosen-message attack, 433
Adaptive chosen-plaintext attack, 41
Addition chains, 621, 633
Adversary, 13, 495
    active, 15
    insider, 496
        one-time, 496
        permanent, 496
    outsider, 496
    passive, 15
Affine cipher, 239
Algebraic normal form, 205
Algorithm
    definition of, 57
    deterministic, 62
    exponential-time, 59
    polynomial-time, 59
    randomized, 62
        expected running time, 63
    running time, 58
        asymptotic, 58
        average-case, 58
        worst-case, 58
    subexponential-time, 60
Alphabet of definition, 11
Alternating step generator, 209–211, 220
Anonymity, 3
ANSI standards, 648–651, 660
    ordering and acquiring, 656
ANSI X9.17 pseudorandom bit generator, 173
Anti-palindromic keys of DES, 257
Appended authenticator, 361
Arbitrated signature scheme, 472–473
Arithmetic
    integer, see Multiple-precision integer arithmetic
    modular, see Multiple-precision modular arithmetic
Arthur-Merlin games, 421
ASN.1, see Abstract Syntax Notation One (ASN.1)
Asymmetric cryptographic system, 544
Asymptotic running time, 58
Atkin’s primality test, 145
    implementation report, 166
Attack
    active, 41, 495
    adaptive chosen-ciphertext, 42
    adaptive chosen-message, 433
    adaptive chosen-plaintext, 41
    chosen-ciphertext, 41, 226
    chosen-message, 433
    chosen-plaintext, 41, 226
    chosen-text, 417
    ciphertext-only, 41, 225
    dictionary, 42, 392
    differential cryptanalysis, 258
    differential-linear, 271
    exhaustive key search, 233–234
    forced delay, 417
    forward search, 42, 288, 420
    impersonation, 42, 417
    interleaving, 42, 417, 531, 540
    intruder-in-the-middle, 530, 540
    key-only, 432
    known-key, 42, 496, 534
    known-key triangle, 538
    known-message, 432
    known-plaintext, 41, 225
    linear cryptanalysis, 258
    local, 419
    meet-in-the-middle, 235
    misplaced trust in server, 531
    non-interactive, 419
    off-line, 419
    on-line, 419
    passive, 41, 495
    pre-play, 397
    reflection, 417, 530, 540
    related-key, 226
    remote, 419
    replay, 42, 417
    time-memory tradeoff, 236
    truncated differentials, 271
    universal forgery, 482
Attacker, 13
Attacker (alternate names), 495
    see also Adversary
Attribute certificate, 561
Audit trail, 549, 583
Audit trail information, 545
Authenticated key establishment, 492, 493
Authenticated key exchange protocol
    AKEP1/AKEP2, 499, 535, 541
Authentication
    data origin, 4, 361
        see also Data origin authentication
    entity, 4
        see also Entity authentication
    explicit key, 492
    key, 492
    message, 361
    mutual, 494
    protocol, 493
    transaction, 362
    unilateral, 494
    see also Entity authentication (and Identification)
Authentication code, 376, 382
Authentication path, 557
Authentication server, 491, 549
Authentication tree, 466–468, 485, 556–559, 587
Authority revocation list (ARL), 577
Authorization, 3
Authorized subset, 527
Auto-key cipher, 242
Autocorrelation function, 180
Autocorrelation test, 182
Auxiliary-input zero-knowledge, 423
Avalanche effect, 277
Average-case running time, 58

B

Baby-step giant-step algorithm, 104–106, 128

1997 by CRC Press, Inc. — See accompanying notice at front of chapter.


BAN logic, 420, 534, 541
Bandwidth efficiency, 437
Barrett reduction, 603–605, 631
Base b representation, 592
Basis, 80
Bayes’ theorem, 51
BEAR block cipher, 282
Beaufort cipher, 241
Beller-Yacobi key transport
    2-pass, 514
    4-pass, 513
Berlekamp’s Q-matrix algorithm, 124, 132
Berlekamp-Massey algorithm, 200–201
    next discrepancy, 200
Bernoulli trial, 52
Biased, 172
Big-endian, 344
Big-O notation, 58
Big-omega notation, 59
Big-theta notation, 59
Bijection, 7, 50
Binary additive stream cipher, 194
    keystream generator, 194
    running key generator, 194
Binary alphabet, 11
Binary Euclidean algorithm, 632
Binary extended gcd algorithm, 608–610, 632
Binary gcd algorithm, 606–607, 632
Binary operation, 75
Binary representation, 592
Binary tree, 557
    balanced, 558
    children, 557
    depth of, 558
    internal vertex, 557
    leaf, 557
    parent, 557
    root vertex, 557
Binomial
    coefficient, 52
    distribution, 52
    theorem, 52
Biometrics, 387, 420
Birthday attack, 352, 369
Birthday problem, 53
Birthday surprise, 53
Bit commitment, 421
Bitzer’s hash function, 374
Black-box, 329, 341, 369, 378
Blakley’s threshold scheme, 538
Blind signature scheme, 475, 487
    based on DSA, 487
    based on Nyberg-Rueppel, 487
    Chaum, 475
    fair, 487
Blinded message, 475
Blinding function, 475
    based on RSA, 475
Blob, 421
Block cipher, 223–282
    3-WAY, 281
    attacks on
        differential cryptanalysis, 258
        differential-linear, 271
        exhaustive key search, 233–234, 273
        key clustering attack, 281
        linear cryptanalysis, 258
        meet-in-the-middle attack, 235
        related-key attack, 226, 281
        time-memory tradeoff, 236, 273
        truncated differentials, 271, 280
    BEAR, 282
    Blowfish, 281
    CAST, 281
    classical cipher, 237–250
    definition of, 16, 224
    DES, 250–259
    double DES, 235
    FEAL, 259–262
    GOST, 282
    IDEA, 263–265
    iterated, 251
    Khafre, 271
    Khufu, 271
    LION, 282
    LOKI’91, 270
    Luby-Rackoff, 282
    Lucifer, 276
    modes of operation, 228–233, 272
        ANSI X3.106 standard, 649
        ANSI X9.52 standard, 651
        CBC with checksum (CBCC), 367
        cipher feedback mode (CFB), 231
        cipher-block chaining mode (CBC), 230
        counter mode, 233
        electronic codebook mode (ECB), 228–230
        FIPS 81 standard, 654
        ISO 8372 standard, 645
        ISO/IEC 10116 standard, 647
        output feedback mode (OFB), 232–233
        plaintext-ciphertext block chaining (PCBC), 368
    Randomized DES (RDES), 278
    RC2, 282
    RC5, 269–270
    round function, 251
    SAFER, 266–269

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


    semi-weak keys (of DES), 257
        anti-palindromic keys (of DES), 257
    SHARK, 281
    SKIPJACK, 282, 584
    TEA, 282
    triple DES, 272
    WAKE, 282
Block of a sequence, 180
Blocklength, 224
Blom’s KDS bound, 505
Blom’s key pre-distribution system, 506, 536
Blowfish block cipher, 281
Blum integer, 74–75
Blum-Blum-Shub pseudorandom bit generator, 186–187, 308
Blum-Goldwasser probabilistic public-key encryption, 308–311
    decryption algorithm, 309
    encryption algorithm, 309
    key generation, 308
    security of, 310
Blum-Micali pseudorandom generator, 189
Blundo’s conference KDS bound, 529
Boolean function, 202
    algebraic normal form of, 205
    correlation immune, 207
    nonlinear order of, 205
BPP, 63
Break-backward protection, 496
Brickell-McCurley identification protocol, 423
Broadcast encryption, 528
Bucket hashing, 382
Burmester-Desmedt conference keying, 528
Burst error, 363

C

CA, see Certification authority (CA)
CA-certificate, 572
Caesar cipher, 239
CALEA, 590
Capability (access control), 570
Capstone chip, 589
Cardinality of a set, 49
Carmichael number, 137
Carry-save adder, 630
Cartesian product, 49
Cascade cipher, 234, 237
Cascade generator
    m-sequence, 221
    p-cycle, 220
Cascading hash functions, 334
CAST block cipher, 281
    patent, 659
CBC, see Cipher-block chaining mode
CBC-MAC, 353–354, 367
    ANSI X9.9 standard, 650
    ANSI X9.19 standard, 650
    FIPS 113 standard, 654
    ISO 8731-1 standard, 652
    ISO 9807 standard, 652
    ISO/IEC 9797 standard, 646
Cellular automata stream cipher, 222
Certificate
    ANSI X9.45 standard, 651
    ANSI X9.55 standard, 651
    ANSI X9.57 standard, 651
    caching, 576
    chain, 572
    directory, 549
        pull model, 576
        push model, 576
    forward, 575
    on-line, 576
    public-key, see Public-key certificate
    reverse, 575
    revocation, 566, 576–577
    RFC 1422, 655
    secret-key, see Secret-key certificate
    symmetric-key, see Symmetric-key certificate
    X.509 standard, 660
Certificate of primality, 166
Certificate revocation list (CRL), 576–577
Certification, 3
    path, 572
    policy, 576
    topology, 572
Certification authority (CA), 491, 548, 556, 559
Certificational attack, 236
Certificational weakness, 285
CFB, see Cipher feedback mode
CFB-64 MAC, 650
Challenge, 397, 409
Challenge-response identification, 397–405, 420–421
    public-key, 403–405
        ISO/IEC 9798-3, 404–405
        modified Needham-Schroeder, 404
        X.509, 404
    symmetric-key, 400–403
        ISO/IEC 9798-2, 401–402
        SKID2, 402
        SKID3, 402
Channel, 13
    physically secure, 13
    secure, 13
    secured, 13
    unsecured, 13
Characteristic of a field, 77


Chaum’s blind signature protocol, 475
Chaum-van Antwerpen undeniable signature scheme, 476–478
    disavowal protocol, 477
    key generation, 476
    security of, 478
    signature generation, 476
Chebyshev’s inequality, 52
Checksum, 362, 367–368
Chi-square (χ²) distribution, 177–179
    degrees of freedom, 177
    mean of, 177
    variance of, 177
Chinese remainder theorem (CRT), 68
    Garner’s algorithm, 612–613
    Gauss’s algorithm, 68
Chipcard, 387, 424
Chor-Rivest public-key encryption, 302–306, 318
    attacks on, 318
    decryption algorithm, 303
    encryption algorithm, 303
    key generation, 303
    recommended parameter sizes, 305
    security of, 305
Chosen-ciphertext attack, 41, 226, 285
    adaptive, 285
    indifferent, 285
Chosen-message attack, 433
    directed, 482
    generic, 482
Chosen-plaintext attack, 41, 226
Cipher, 12
    see also Encryption
Cipher-block chaining mode (CBC), 230
    integrity of IV in, 230
    use in public-key encryption, 285
Cipher feedback mode (CFB), 231
    as a stream cipher, 233
    ISO variant of, 231
Cipher machine, 242–245
    Jefferson cylinder, 243
    rotor-based machine, 243–245, 276
        Enigma, 245
        Hagelin M-209, 245
        Hebern, 244
    Wheatstone disc, 274
Ciphertext, 11
Ciphertext-only attack, 41, 225
Ciphertext space, 11
Claimant, 385, 386
Classical cipher, 237–250, 273–276
    cipher machines, see Cipher machine
    cryptanalysis, 245–250, 275–276
        index of coincidence, 248
        Kasiski’s method, 248
        measure of roughness, 249
    polyalphabetic substitution cipher, see Polyalphabetic substitution cipher
    substitution cipher, see Substitution cipher
    transposition cipher, see Transposition cipher
Classical modular multiplication, 600
Classical occupancy problem, 53
Claw-resistant (claw-free), 376, 468
Clipper chip, 584, 589
    key escrow, 584
    law enforcement access field (LEAF), 584
Clipper key escrow, 654
Clock-controlled generator, 209–212
co-NP, 60
Codebook, 240
Codomain of a function, 6, 50
Collision, 321
    pseudo-collision, 371
Collision resistance, 324, 325
Collision resistant hash function (CRHF), 325
Combining function, 205
Common modulus attack on RSA, 289
Commutative ring, 77
Complementation property of DES, 256–257
Complete function, 277
Complexity classes, 59–62
    BPP, 63
    co-NP, 60
    NP, 60
    NP-complete, 61
    NP-hard, 62
    NPC, 61
    P, 60
    RP, 63
    ZPP, 63
Complexity measure
    2-adic span, 218
    linear complexity, 198–201
    maximum order complexity, 217
    Turing-Kolmogorov-Chaitin complexity, 217
    Ziv-Lempel complexity, 217
Complexity of attacks on a block cipher, 225–227
    active complexity, 226
    attack complexity, 226
    data complexity, 226
    passive complexity, 226
    processing complexity, 226
    storage complexity, 226
Complexity theory, 57–63
Complexity-theoretic security, 43
Compliant, 532
Composite integer, 64
Composition of functions, 19


Computation-resistance (MAC), 325
Computational problems
    computationally equivalent, 88
    polytime reduction, 88
Computational security, 43, 226
Computational zero-knowledge protocol, 407
Computationally equivalent decision problems, 61
COMSET, 421, 536
Conditional entropy, 56
Conditional probability, 51
Conditional transinformation, 57
Conference keying, 528–529, 540
    Blundo’s conference KDS bound, 529
    Burmester-Desmedt, 528
    definition of, 528
Confidentiality, 3, 4, 12
Confirmation, 3
Confounder, 418
Confusion, 20
Congruences
    integers, 67
    polynomials, 79
Conjugate gradient method, 129
Connection polynomial of an LFSR, 196, 204
    known versus secret, 204
    sparse versus dense, 205
Constrained linear equations problem, 423
Continued fraction factoring algorithm, 126
Continuous random variable, 176
Control vector, 569
    patent, 639, 658
Conventional encryption, 15
Coprime, 64
Correcting-block chaining attack, 373
Correlated, 172
Correlation attack, 206, 218
Correlation immunity, 207, 218
Counter mode, 233
CRC-based MAC, 359
Credential, 501
CRHF, see Collision resistant hash function
Cross-certificate (CA-certificate), 572
Cross-certificate pair, 573
CRT, see Chinese remainder theorem
Cryptanalysis, 15
Cryptanalyst, 15
Cryptographic check value, 363
Cryptographic primitives, 4
    taxonomy of, 5
Cryptographically secure pseudorandom bit generator (CSPRBG), 185–187
    Blum-Blum-Shub generator, 186–187
    Blum-Micali generator, 189
    definition of, 171
    Micali-Schnorr generator, 186
    modified-Rabin generator, 190
    RSA generator, 185–186
Cryptography
    definition of, 4
    goals of, 4
CRYPTOKI, 656
Cryptology, 15
Cryptoperiod of a key, 553
Cryptosystem, 15
Cut-and-choose protocol, 410, 421
Cycle of a periodic sequence, 180
Cyclic group, 69, 76
    generator of, 76
Cyclic redundancy code (CRC), 363
Cyclic register, 220
Cycling attacks on RSA, 289, 313

D

Data Authentication Algorithm (DAA), 654
Data Encryption Standard, see DES block cipher
Data integrity, 3, 4, 33, 359–368, 383
Data key, 552
Data origin authentication, 3, 4, 25, 359–368, 491
Davies-Meyer hash function, 341
de Bruijn FSR, 203
de Bruijn sequence, 203
De-skewing, 172
DEA, 649
Decimated subsequence, 211
Decision problems, 60
    computationally equivalent, 61
    polytime reduction, 61
Decryption, 11
Decryption exponent for RSA, 286
Decryption function, 11
DECT, 586
Degrees of freedom, 177
Delay element
    of an FSR, 202
    of an LFSR, 195
Delayed-carry adder, 630
Density of a knapsack set, 120
Derivative of a polynomial, 123
DES block cipher, 250–259, 276–278
    ANSI X3.92 standard, 649
    attacks on
        differential cryptanalysis, 258–259
        exhaustive key search, 233–234, 272
        linear cryptanalysis, 258–259
    complementation property, 256–257
    decryption algorithm, 255
    DESX, 273
    double DES, see Double DES


    encryption algorithm, 253
    expansion permutation, 252
    FIPS 46 standard, 654
    initial permutation (IP), 252, 277
    key schedule
        decryption, 256
        encryption, 255
    modes of operation, see Block cipher, modes of operation
    patent, 636
    permuted choices (PC1, PC2), 252
    properties and strengths, 256–259
    round, 252
    S-box, 252
    semi-weak key, 257
        anti-fixed point of, 257
    test vectors, 256
    triple-DES, 273
    weak key, 257
        fixed point of, 257
Designated confirmer signature, 487
Deterministic, 306
Deterministic algorithm, 62
Dickson polynomial, 314
Dickson scheme, 314
Dictionary attack, 42
Difference of sets, 49
Differential chaining attack, 375
Differential cryptanalysis
    of block ciphers, 258, 271, 278–280
Differential-linear cryptanalysis, 271
Diffie-Hellman key agreement, 515–520, 522–524
    ANSI X9.42 standard, 651
    composite modulus, 537
    patent, 637
Diffie-Hellman problem, 113–114
    composite moduli, 114, 131
    generalized, 113
Diffie-Lamport one-time signature scheme, 485
Diffusion, 20
Digital envelope, 550
Digital fingerprint, 321
Digital signature, see Signature
Digital Signature Algorithm (DSA), 452–454, 483
    ANSI X9.30-1 standard, 651
    FIPS 186 standard, 655
    key generation, 452
    patent, 640, 658
    security of, 453
    signature generation, 452
    signature verification, 453
    use and throw coupons, 483
Dimension of a vector space, 80
Dirichlet theorem, 135
Disavowal protocol, 477
Discrete Fourier Transform (DFT), 631
Discrete logarithms, 103–113
    baby-step giant-step algorithm, 104–106
    composite moduli, 114
    exhaustive search, 104
    for class groups, 130
    for elliptic curves, 130
    for hyperelliptic curves, 130
    function field sieve, 129
    generalized problem, 103
    heuristic running time, 129
    in subgroups of Z_p^*, 113
    index-calculus algorithms, 109–112
    lambda method, 128
    number field sieve, 128
    Pohlig-Hellman algorithm, 107–109
    Pollard’s rho algorithm, 106–107
    problem definition, 103
    rigorously analyzed algorithms, 129
    security of individual bits, 116
Divisible electronic coin, 487
Division
    of integers, 63
    of polynomials, 79
Division algorithm
    for integers, 64
    for polynomials, 78
Dixon’s algorithm, 95, 127
DNA computer, 130
Domain of a function, 6, 50
Double DES, 235
Double spending, 487
Double-length MDC, 339
DSA, see Digital Signature Algorithm
Dynamic key establishment, 491
Dynamic secret sharing scheme, 527

E

E-D-E triple encryption, 235, 272
E-E-E triple encryption, 272
Eavesdropper, 13, 495
ECA, see Elliptic curve factoring algorithm
ECB, see Electronic codebook mode
Effective key size, 224
Electronic cash
    divisible, 487
    untraceable, 487
Electronic codebook mode (ECB), 228–230
ElGamal key agreement, 517
ElGamal public-key encryption, 294–298
    generalized
        decryption algorithm, 297
        encryption algorithm, 297


        key generation, 297
    in Z_p^*
        decryption algorithm, 295
        encryption algorithm, 295
        key generation, 294
        recommended parameter sizes, 296
        security of, 296
ElGamal signature scheme, 454–459, 484
    generalized
        key generation, 458
        signature generation, 458
        signature verification, 458
    in Z_p^*
        key generation, 454
        security of, 455–456
        signature generation, 454
        signature verification, 454
    signature verification, 618
    variants of, 457
Elliptic curve
    discrete logarithm problem, 130
    ElGamal public-key encryption, 297
    in public-key cryptography, 316
    patents, 659
    RSA analogue, 315
    supersingular curve, 130, 316
Elliptic curve factoring algorithm (ECA), 94, 125
    implementation reports, 126
Elliptic curve primality proving algorithm, 145
Encrypted key exchange (EKE), 538
Encryption, 11
    see also Block cipher
    see also Public-key encryption
    see also Stream cipher
Encryption exponent for RSA, 286
Encryption function, 11
Encryption scheme, 12
    breakable, 14
Enemy, 13, 495
Enigma, 245, 276
Entity, 13
Entity authentication, 3, 386, 491
    ANSI X9.26 standard, 651
    FIPS 196 standard, 655
    ISO 11131 standard, 652
    ISO/IEC 9798 standard, 401–402, 404–405, 421, 647
    see also Identification
Entropy, 56–57, 246
Ephemeral secret, 494
Equivalence class, 68, 79
Equivocation, 56
Error-correcting code, 298, 363, 506
Escrowed Encryption Standard (EES)
    FIPS 185, 654
ESIGN signature scheme, 473–474, 486
    key generation, 473
    patent, 638, 658
    security of, 474
    signature generation, 473
    signature verification, 473
Euclidean algorithm
    for integers, 66
    for polynomials, 81–83
Euler liar, 138
Euler phi function (φ), 65
Euler pseudoprime, 138
Euler witness, 137
Euler’s criterion, 137
Euler’s theorem, 69
Exclusive-or (XOR), 20
Exhaustive key search, 14, 233–234, 272
Existential forgery, 30, 326, 432
exp (exponential function), 50
Expected running time, 63
Explicit authentication, 492
Exponent array, 617
Exponent recoding, see Exponentiation
Exponential-time algorithm, 59
Exponentiation, 613–629, 633–634
    addition chains, 621
    exponent recoding, 627–629
        signed-digit representation, 627–628
        string-replacement representation, 628–629
    fixed-base comb method, 625–627
    fixed-base Euclidean method, 624–625
    fixed-base windowing method, 623–624
    left-to-right binary method, 615
    left-to-right k-ary method, 615
    modified left-to-right k-ary method, 616
    Montgomery method, 619–620
    repeated square-and-multiply algorithm, 71, 84
    right-to-left binary method, 614
    simultaneous multiple, 617–618
    sliding-window method, 616
    vector-addition chains, 622–623
Extendable secret sharing scheme, 526
Extended Euclidean algorithm
    for integers, 67
    for polynomials, 82
Extended Riemann Hypothesis (ERH), 165
Extension field, 77
Extractor, 406

F

Factor base, 94, 109


Factoring integers, see Integer factorization
Factoring polynomials, see Polynomial factorization
Fail-stop signature scheme, 478–481, 488
    Heijst-Pedersen, 478–481
Fair blind signature scheme, 487
Fair cryptosystems, 640–641, 658
    for Diffie-Hellman key agreement, 641
    patent, 640
FEAL block cipher, 259–262, 278–279
    attacks on, 278–279
    FEAL decryption algorithm, 261
    FEAL-8 encryption algorithm, 261
    FEAL-8 key schedule, 261
    FEAL-N, 262
    FEAL-NX, 262
    patent, 639
    test vectors, 262
Feedback shift register (FSR), 195–203
    de Bruijn, 203
    definition of, 202
    delay element of, 202
    feedback bit of, 202
    feedback function of, 202
    Feedback with carry shift register (FCSR), 217–218, 222
    initial state of, 202
    linear feedback shift register, see Linear feedback shift register (LFSR)
    non-singular, 203
    nonlinear feedback shift register, 202
    output sequence of, 202
    stage of, 202
Feedback with carry shift register (FCSR), 217–218, 222
Feige-Fiat-Shamir identification protocol, 410–412, 422
Feige-Fiat-Shamir signature scheme, 447–449, 483
    identity-based modification, 449
    key generation, 447
    security of, 448
    signature generation, 448
    signature verification, 448
Feistel cipher, 251, 276
Fermat liar, 136
Fermat number, 143, 166
Fermat witness, 136
Fermat’s primality test, 136
Fermat’s theorem, 69
Fiat-Shamir identification protocol
    basic version, 408
    patent, 638, 658
Fiat-Shamir signature scheme, 483
    patent, 638, 658
Field, 77
    characteristic of, 77
    definition of, 77
    extension field of, 77
    finite, see Finite field
    subfield of, 77
Filtering function, 208
Finite field, 80–85
    definition of, 80
    order of, 80
    polynomial basis, 83
FIPS, 654–655, 661
    ordering and acquiring, 656
FIPS 186 pseudorandom bit generator, 174–175
FISH stream cipher, 222
Fixed-point chaining attack, 374
Floyd’s cycle-finding algorithm, 91, 125
Forced delay attack, 417
Formal methods, 534, 541
Forward certificate, 575
Forward error correction, 363
Forward search attack, 34, 42, 288, 420
Fractionation, 276
Frequency distribution
    of English digrams, 247
    of single English characters, 247
Frequency test, 181
Fresh key, 494
Function, 6–10, 50
    bijection, 7
    composition of, 19
    definition of, 6
    injective, 46
    inverse, 7
    involution, 10
    one-to-one, 7
    one-way, 8
    onto, 7
    permutation, 10
    surjective, 46
    trapdoor one-way, 9
Function field sieve, 129
Functional diagram, 6
Functional graph, 54
    component size, 55
    cycle length, 55
    predecessors size, 55
    rho-length, 55
    tail length, 55
    tree size, 55
Functionally trusted third party, 39

G

Gap of a sequence, 180


Garner’s algorithm, 612–613
Gauss’s algorithm, 68
Gaussian integer method, 128
gcd, see Greatest common divisor
Geffe generator, 206
General-purpose factoring algorithm, 90
Generator
    of a cyclic group, 76, 160
        algorithm for finding, 163
    of F_q^*, 81
    of F_{2^m}^*, 163
    of Z_n^*, 69
    of Z_p^*, 164
        algorithm for selecting, 164
Generator matrix, 506
Girault self-certified public key, 522
GMR one-time signature scheme, 468–471, 486
    authentication tree, 470
    key generation, 469
    security of, 470
    signature generation, 469
    signature verification, 469
GOAL stream cipher, 219
Goldwasser-Kilian primality test, 166
Goldwasser-Micali probabilistic public-key encryption, 307–308
    decryption algorithm, 307
    encryption algorithm, 307
    key generation, 307
    security of, 308
Golomb’s randomness postulates, 180
Goppa code, 299, 317
Gordon’s algorithm for strong prime generation, 150
GOST block cipher, 282
GQ identification protocol, 412–414, 422
    patent, 639, 658
GQ signature scheme, 450–451
    key generation, 450
    message recovery variant, 451
    patent, 639, 658
    security of, 451
    signature generation, 450
    signature verification, 450
Grandmaster postal-chess problem, 418
Greatest common divisor
    binary extended gcd algorithm, 608–610, 632
    binary gcd algorithm, 606–607, 632
    Euclidean algorithm, 66
    Lehmer’s gcd algorithm, 607–608, 632
    of integers, 64
    of polynomials, 81
Group, 75–76
    cyclic, 76
    definition of, 75
    of units, 77
    order of, 75
    subgroup of, 76
Group signature, 488
GSM, 586
GSS-API, 655, 661
Gunther’s implicitly-certified public key, 521
Gunther’s key agreement, 522

H

Hagelin M-209, 245, 276
Hamming weight, 105
Handwritten signature, 23
Hard predicate, 115
Hash function, 33, 321–383
    alternate terminology, 325, 371
    applications, 321–322, 330–331
    attacks, 368–375
        birthday, 369–371
        chaining, 373–375
        pseudo-collisions, 371–373
    based on block ciphers, 338–343
        Abreast Davies-Meyer, 380
        Davies-Meyer, 341
        Matyas-Meyer-Oseas, 341
        MDC-2, 342
        MDC-4, 343
        Merkle’s DES-based hash, 338, 339, 378
        Miyaguchi-Preneel, 341
        N-Hash, 380
        Tandem Davies-Meyer, 380
    based on modular arithmetic, 351–352
        MASH-1, 352
        MASH-2, 352
    cascading, 334
    collision resistant (CRHF), 325
    customized, 343–351
        HAVAL, 379
        MD2, 380
        MD4, 346
        MD5, 347
        RIPEMD, 380
        RIPEMD-128, 339, 380
        RIPEMD-160, 339, 350
        Secure Hash Algorithm (SHA-1), 348
        Snefru, 380
    definition of, 322
    ideal security, 336
    initialization value (IV), 335
    MD-strengthening, see MD-strengthening
    Merkle’s meta-method, 333
    one-way (OWHF), 325
    padding, 334–335
    properties of


2nd-preimage resistance, 323collision resistance, 324compression, 322ease of computation, 322local one-wayness, 331near-collision resistance, 331non-correlation, 331partial-preimage resistance, 331preimage resistance, 323strong collision resistance, 324weak collision resistance, 324

-collision resistant, 424strong one-way, 325universal classes of, 376universal one-way, 377weak one-way, 325

Hash-code, 321Hash-result, 321Hash-value, 33, 321HAVAL hash function, 379Heijst-Pedersen fail-stop signature scheme, 478–481

key generation, 478proof-of-forgery algorithm, 481signature generation, 479signature verification, 479

Hellman-Merkle patent, 637, 658Heuristic security, 43, 533High-order digit, 593Hill cipher, 240, 274Historical work factor, 44HMAC, 355Homomorphic property of RSA, 289Homophonic substitution cipher, 17, 240Hybrid protocol, 512Hyperelliptic curve

discrete logarithm problem, 130ElGamal public-key encryption, 297

Hypothesis testing, 179–180

IIC card, 387IDEA block cipher, 263–265, 279–280

attacks on, 279–280decryption algorithm, 264encryption algorithm, 264key schedule, 264patent, 640, 658test vectors, 265weak keys, 279

Ideal secret sharing scheme, 526, 527Identification, 3, 24–25, 385–424

applications of, 387attacks on, 417–420, 424

chosen-text, 417

forced delay, 417impersonation, 417interleaving, 417local, 419non-interactive, 419off-line, 419pre-play, 397, 398reflection, 417remote, 419replay, 417

challenge-response, see Challenge-responseidentification

mutual, 387passwords, see Passwords (weak

authentication)questionnaire-based, 420relation to signatures, 388unilateral, 387zero-knowledge, see Zero-knowledge identifi-

cationsee also Entity authentication

Identification Friend or Foe (IFF) system, 421
Identity verification, 385
Identity-based key establishment, 493
Identity-based system, 538, 561–562, 587
IDUP, 661
IEEE P1363 standard, 660
IETF, 655
Image of a function, 6, 50
Impersonation, 27, 42, 386, 417
Impersonator, 495
Implicit key authentication, see Key authentication
Implicitly-certified public key, 520–522, 562–563, 588
  Diffie-Hellman using, 522–524
  identity-based, 563
  of Girault, 522
  of Gunther, 521
  self-certified, 563

Imprint, 321
Improved PES (IPES), 279
In-line trusted third party, 547
Incremental hashing, 378
Independent events, 51
Index of coincidence, 248, 275
Index-calculus algorithm, 109–112, 128
  Gaussian integer method, 128
  in F_{2^m}, 111
    implementation reports, 128
  in Z_p, 110
    implementation reports, 128
  linear sieve, 128
  residue list sieve, 128

Information dispersal algorithm (IDA), 539

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


766 Index

Information rate, 527
Information security, 2
  objectives of, 3
Information security service, 14
  breaking of, 15
Information theory, 56–57
Initial state
  of an FSR, 202
  of an LFSR, 196

Injective function, 46, 50
Inner product, 118
Input size, 58
Insider, 496
  one-time, 496
  permanent, 496

Integer, 49
  multiple-precision, 593
  negative
    signed-magnitude representation, 593
    two’s complement representation, 594
  single-precision, 593
Integer arithmetic, see Multiple-precision integer arithmetic
Integer factorization, 89–98

  continued fraction algorithm, 126
  Dixon’s algorithm, 95, 127
  elliptic curve algorithm, 94
  general number field sieve, 98
  general-purpose algorithms, 90
  heuristic running times, 127
  multiple polynomial quadratic sieve, 97
  Pollard’s p−1 algorithm, 92–93
  Pollard’s rho algorithm, 91–92
  problem definition, 89
  quadratic sieve algorithm, 95–97
  random square methods, 94–98
  special number field sieve, 98
  special-purpose algorithms, 90
  trial division, 90–91

Integers modulo n, 67–71
Integrity check value (ICV), 363
Interactive proof system, 406
  Arthur-Merlin games, 421
  completeness, 406
  soundness, 406

Interleaving attack, 42, 417, 531, 540
Interloper, 13
Internal vertex, 557
Internet security standards, 655–656, 661
Intersection of sets, 49
Intruder, 13, 495
Intruder-in-the-middle attack, 530, 540
Inverse function, 7
Inversion attack on stream ciphers, 219

Involution, 10
Irreducible polynomial, 78, 154–160
  algorithm for generating, 156
  algorithm for testing, 155
  number of, 155
  primitive polynomial, see Primitive polynomial
  trinomials, 157

ISO standards, see ISO/IEC standards
ISO/IEC 9796, 442–444, 482–483
ISO/IEC standards, 645–648, 651–653, 660–661
  committee draft (CD), 645
  draft international standard (DIS), 645
  ordering and acquiring, 656
  working draft (WD), 645

Isomorphic, 81, 104
Iterated block cipher, 251
ITU, 653

J
Jacobi sum primality test, 144, 166
Jacobi symbol, 73
  computing, 73
Jefferson cylinder, 243, 274
Joint entropy, 56
JTC1, 645

K
Karatsuba-Ofman multiplication, 630
Kasiski’s method, 248, 275
KDC, see Key distribution center (KDC)
Kerberos authentication protocol, 401, 501–502, 535–536
  RFC 1510, 656
Kerckhoffs’ assumption, 225
Kerckhoffs’ desiderata, 14
Key, 11
  archival, 580
  backup, 580
  cryptoperiod of, 553
  data, 552
  de-registration, 580
  derived, 568
  destruction, 580
  fresh, 494
  generator, 549
  installation, 579
  key-encrypting, 552
  key-transport, 552
  layering, 551–553
  long-term, 553
  master, 551
  notarization, 568
  offsetting, 568
  private, 27, 544

1997 by CRC Press, Inc. — See accompanying notice at front of chapter.


  public, 27, 544
  public-key vs. symmetric-key, 31–32, 551
  recovery, 580
  registration, 579
  revocation, 566, 580
  secret, 544
  separation, 567
  short-term, 553
  symmetric, 544
  terminal, 552
  update, 580
  variant, 568

Key access server, 549
Key agreement, 34, 35, 505–506, 515–524, 536–538
  Blom’s key pre-distribution system, 506
  definition of, 490
  Diffie-Hellman, 516
  ElGamal, 517
  encrypted key exchange (EKE), 538
  Gunther, 522
  MTI/A0, 517–519
  relation to key transport, 491
  Station-to-station (STS), 519

Key authentication, 492
Key clustering attack on block ciphers, 281
Key confirmation, 492
Key control, 494
Key derivation, 490, 498
Key distribution
  confidential keys, 551–555
    key layering, 551–553
    key translation center, 553–554
    symmetric-key certificates, 554–555
  public keys, 555–566
    authentication trees, 556–559
    certificates, 559–561
    identity-based, 561–562
    implicitly-certified, 562–563

Key distribution center (KDC), 491, 500, 547
Key distribution pattern, 536
Key distribution problem, 16, 546
Key distribution system (KDS), 505
  Blom’s KDS bound, 505
  security against coalitions, 505

Key escrow, 584–586
  agent, 550, 584
  Clipper, 584

Key establishment, 489–541
  analysis of, 530–534, 540–541
  attacks on
    interleaving, 531
    intruder-in-the-middle, 530
    misplaced trust in server, 531
    reflection, 530
  authenticated, 492, 493
  compliant, 532
  definition of, 35, 490
  identity-based, 493
  key agreement, see Key agreement
  key transport, see Key transport
  message-independent, 493
  operational, 532
  resilient, 532
  simplified classification, 491

Key life cycle, 577–581
  key states, 580

Key management, 36–38, 543–590
  ANSI X9.17 standard, 650
  ANSI X9.24 standard, 650
  ANSI X9.28 standard, 651
  ANSI X9.42 standard, 651
  centralized, 546
  controlling key usage, 567–570
  definition of, 35, 544
  ISO 8732 standard, 652
  ISO 10202-7 standard, 652
  ISO 11166 standard, 652
  ISO 11568 standard, 653
  ISO/IEC 11770 standard, 647
  key agreement, see Key agreement
  key distribution, see Key distribution
  key establishment, see Key establishment
  key life cycle, 577–581
  key transport, see Key transport

Key management facility, 549
Key notarization, 568
  patent, 642, 658
Key pair, 12
Key pre-distribution scheme, 540
  definition of, 490
Key server, 549
Key space, 11, 21, 224
Key tag, 568
Key translation center (KTC), 491, 500, 547, 553
Key transport, 35, 497–504, 506–515, 535–536
  AKEP1, 499
  AKEP2, 499
  Beller-Yacobi (2-pass), 514
  Beller-Yacobi (4-pass), 513
  COMSET, 536
  definition of, 490
  Kerberos, 501–502
  Needham-Schroeder public-key, 508
  Needham-Schroeder shared-key, 503
  Otway-Rees protocol, 504
  relation to key agreement, 491
  Shamir’s no-key protocol, 500


  X.509 three-way, 512
  X.509 two-way, 511

Key update, 490
Keyed hash function, see Message authentication code (MAC)
Keying material, 544
Keying relationship, 544
Keystream, 20, 193, 194
Keystream generator, 21, 194
Khafre block cipher, 271
  attacks on, 281
  patent, 644
Khufu block cipher, 271
  attacks on, 281
  patent, 644

Knapsack generator, 209, 220
Knapsack problem, 131
Knapsack public-key encryption, 300–306
  Chor-Rivest, 302–306
  Merkle-Hellman, 300–302
Knapsack set, 117
  density of, 120

Known-key attack, 42, 496, 534
Known-key triangle attack, 538
Known-message attack, 432
Known-plaintext attack, 41, 225
KryptoKnight, 535, 541
KTC, see Key translation center (KTC)

L
L^3-lattice basis reduction algorithm, 118–120, 131

Lagrange’s theorem, 76
Lambda method for discrete logarithms, 128
Lamport’s one-time-password scheme, 396
Lanczos method, 129
Lattice, 118
  dimension of, 118
  reduced basis, 118

Lattice basis reduction algorithm, 118–120, 131, 317
Law of large numbers, 52
Law of quadratic reciprocity, 72
lcm, see Least common multiple
Leading coefficient, 78
LEAF, 584–585
Leaf of a binary tree, 557
Least common multiple, 64
Least significant digit, 593
Legendre symbol, 72

  computing, 73
Lehmer’s gcd algorithm, 607–608, 632
Length of a vector, 118
Liar, 135
  Euler, 138
  Fermat, 136
  strong, 139
Life cycle, see Key life cycle
Linear code, 506
Linear combination, 80
Linear complexity, 198–201

  algorithm for computing, see Berlekamp-Massey algorithm
  of a finite sequence, 198
  of a random periodic sequence, 199
  of a random sequence, 198
  of an infinite sequence, 198
  profile, 199
Linear complexity profile, 199–200
  algorithm for computing, 201
  limitations of, 200
  of a random sequence, 199

Linear congruential generator, 170, 187
  multivariate congruential generator, 187
  truncated, 187

Linear consistency attack, 219–220
Linear cryptanalysis
  of block ciphers, 258, 271, 278, 280
  of stream ciphers, 219

Linear feedback shift register (LFSR), 195–201
  connection polynomial of, 196
  definition of, 195
  delay element of, 195
  feedback bit of, 196
  initial state of, 196
  maximum-length, 197
  non-singular, 196
  output sequence of, 195
  stage of, 195

Linear sieve, 128
Linear syndrome attack, 218
Linear system (solving large), 129
Linearly dependent, 80
Linearly independent, 80
LION block cipher, 282
Little-endian, 344
Little-o notation, 59
Lock-in, 221
Logarithm, 49
LOKI block cipher, 281
  LOKI’89, 281
  LOKI’91, 270, 281

Long-term key, 553
Low-order digit, 593
Luby-Rackoff block cipher, 282
LUC cryptosystem, 314
  LUCDIF, 316
  LUCELG, 316

Lucas-Lehmer primality test, 142
Lucifer block cipher, 276


  patent, 641, 659

M
m-sequence, 197
MAC, see Message authentication code (MAC)
Manipulation detection code, see Modification detection code
Mapping, 6, 50
Markov cipher, 280
MASH-1 hash function, 352
  ISO/IEC 10118-4 standard, 647
MASH-2 hash function, 352
  ISO/IEC 10118-4 standard, 647
Master key, 551
Matyas-Meyer-Oseas hash function, 341
  ISO/IEC 10118-2 standard, 647
Maurer’s algorithm for provable prime generation, 153, 167
Maurer’s universal statistical test, 183–185, 189
Maximum order complexity, 217
Maximum-length LFSR, 197
Maximum-rank-distance (MRD) code, 317
McEliece public-key encryption, 298–299, 317

  decryption algorithm, 299
  encryption algorithm, 299
  key generation, 298
  recommended parameter sizes, 299
  security of, 299

MD-strengthening, 334, 335, 337
MD2 hash function, 380
  RFC 1319, 655
MD4 hash function, 346
  RFC 1320, 655
MD5 hash function, 347
  RFC 1321, 655
MD5-MAC, 358
MDC, see Modification detection code
MDC-2 hash function, 342
  ISO/IEC 10118-2 standard, 647
  patent, 639
MDC-4 hash function, 343
  patent, 639

MDS code, 281, 506
Mean, 51
Measure of roughness, 249
Mechanism, 34
Meet-in-the-middle attack
  on double DES, 235
  on double encryption, 235
    time-memory tradeoff, 236
  on multiple encryption
    time-memory tradeoff, 236
Meet-in-the-middle chaining attack, 374
Merkle channel, 48

Merkle one-time signature scheme, 464–466, 485
  authentication tree, 466
  key generation, 464
  patent, 643
  security of, 465
  signature generation, 465
  signature verification, 465

Merkle puzzle scheme, 47, 537
Merkle’s DES-based hash function, 338, 339, 378
Merkle’s meta-method for hashing, 333
Merkle-Hellman knapsack encryption, 300–302, 317–318
  basic
    decryption algorithm, 301
    encryption algorithm, 301
    key generation, 300
  multiple-iterated
    key generation, 302
  patent, 637
  security of, 302

Mersenne number, 142
Mersenne prime, 142, 143, 160
Message authentication, see Data origin authentication
Message authentication code (MAC), 33, 323, 352–359, 381–383
  applications of, 323, 330
  based on block ciphers, 353–354
    CBC-MAC, see CBC-MAC
    CFB-64 MAC, 650
    RIPE-MAC, see RIPE-MAC
  birthday attack on, 352
  customized, 356–358
    bucket hashing, 382
    MD5-MAC, 358
    Message Authenticator Algorithm (MAA), 356
  definition, 325
  for stream ciphers, 358–359
    CRC-based, 359
    Lai-Rueppel-Woollven scheme, 383
    Taylor’s scheme, 383
  from MDCs, 354–355
    envelope method with padding, 355
    hash-based MAC, 355
    HMAC, 355
    secret prefix method, 355
    secret suffix method, 355
    XOR MAC, 382
  ISO 8730 standard, 652
  ISO 9807 standard, 652
  properties of
    compression, 325
    computation-resistance, 325


    ease of computation, 325
    key non-recovery, 325
  retail MAC, 650
  types of attack
    adaptive chosen-text, 326
    chosen-text, 326
    known-text, 326
  types of forgery
    existential, 326
    selective, 326
  see also CBC-MAC
Message authentication tag system, 376
Message Authenticator Algorithm (MAA), 356

  ISO 8731-2 standard, 652
Message concealing in RSA, 290, 313
Message digest, 321
Message integrity code (MIC), 323
Message space, 11
Message-independent key establishment, 493
Micali-Schnorr pseudorandom bit generator, 186
Miller-Rabin primality test, 139, 165
MIME, 656, 661
Minimum disclosure proof, 421
Minimum polynomial, 156
Mips year, 126
MISSI, 590
Mixed-radix representation, 611, 630
Mixing algebraic systems, 279
Miyaguchi-Preneel hash function, 341
Mobius function, 154
mod notation, 64
Modes of operation
  multiple modes, see Multiple encryption, modes of operation
  single modes, see Block cipher, modes of operation

Modification detection code (MDC), 33, 323, 324
Modified-Rabin pseudorandom bit generator, 190
Modified-Rabin signature scheme, 439–442, 482
  key generation, 440
  security of, 441
  signature generation, 440
  signature verification, 440

Modular arithmetic, see Multiple-precision modular arithmetic
Modular exponentiation, see Exponentiation
Modular reduction, 599
  Barrett, 603–605, 631
  Montgomery, 600–602, 631
  special moduli, 605–606
Modular representation, see Mixed-radix representation
Modulus, 67
Monic polynomial, 78
Mono-alphabetic substitution cipher, see Substitution cipher
Monobit test, 181
Monotone access structure, 527
Montgomery exponentiation, 619–620
Montgomery multiplication, 602–603
Montgomery reduction, 600–602, 631
MOSS, 656
  RFC 1848, 656
Most significant digit, 593
MTI protocols, 518, 537
MTI/A0 key agreement, 517–519, 537
  Goss variant, 537
  patent, 644, 659

Multi-secret threshold scheme, 527
Multiple encryption, 234–237
  definition of, 234
  double encryption, 234
  modes of operation, 237
    triple-inner-CBC mode, 237
    triple-outer-CBC mode, 237
  triple encryption, 235
    E-D-E, 235
    two-key triple-encryption, 235
Multiple polynomial quadratic sieve, 97
Multiple-precision integer, 593
Multiple-precision integer arithmetic, 592–599
  addition, 594–595
  division, 598–599
    normalization, 599
  gcd, see Greatest common divisor
  multiplication, 595–596
    discrete Fourier transform (DFT), 631
    Karatsuba-Ofman, 630
  squaring, 596–597
  subtraction, 594–595
Multiple-precision modular arithmetic, 599–606
  addition, 600
  exponentiation, see Exponentiation
  inversion, 610
  multiplication
    classical, 600
    Montgomery multiplication, 602–603
  reduction, 599
    Barrett, 603–605, 631
    Montgomery, 600–602, 631
    special moduli, 605–606
  subtraction, 600
Multiplexer generator, 220
Multiplicative group
  of Z_n, 69
  of a finite field, 81
Multiplicative inverse, 68
  computing, 71, 84, 610


Multiplicative property in RSA, 288, 435, 482
Multiplicity of a factor, 122
Multispeed inner-product generator, 220
Multivariate polynomial congruential generator, 187
Mutual authentication, 387, 402, 405, 494
Mutual information, 57
Mutually exclusive events, 51

N
N-Hash function, 380
Name server, 549
Needham-Schroeder public-key, 508, 536
Needham-Schroeder shared-key, 401, 503, 535
Next-bit test, 171
Next-discrepancy, 200
Nibble, 443
NIST, 654
Noise diode, 40
Non-interactive protocol, 493
Non-interactive ZK proof, 424
Non-malleable encryption, 311, 319
Non-repudiation, 3, 4, 582–584
  ISO/IEC 13888 standard, 648
Non-singular
  FSR, 203
  LFSR, 196

Nonce, 397, 497
Nonlinear combination generator, 205–208
  combining function of, 205
Nonlinear feedback shift register, see Feedback shift register (FSR)
Nonlinear filter generator, 208–209
  filtering function, 208
Nonlinear order, 205
Normal basis, 168
  exponentiation, 642
  multiplication, 642
  patents, 642–643, 659

Normal distribution, 176–177
  mean of, 176
  standard, 176
  variance of, 176

Normal polynomial, 168
Normalization, 599
Notarized key, 569
Notary
  agent, 550
  seal, 569
  service, 582
NP, 60
NP-complete, 61
NP-hard, 62
NPC, 61

Number field sieve
  for discrete logarithms, 128
  for integer factorization, 98, 126
    implementation reports, 126, 127
    general number field sieve, 98
    special number field sieve, 98, 126

Number theory, 63–75
Nyberg-Rueppel signature scheme, 460–462, 485
  security of, 461
  signature generation, 461
  signature verification, 461

O
Object identifier (OID), 660
OFB, see Output feedback mode
Off-line trusted third party, 548
Ohta-Okamoto identification protocol, 422
On-line certificate, 576
On-line trusted third party, 547
On-line/off-line signature, 486
  patent, 644
One-key encryption, 15
One-sided statistical test, 179
One-time insider, 496
One-time pad, 21, 192–193, 274
  patent, 657
One-time password scheme, 395–397
One-time signature scheme, 462–471
  Diffie-Lamport, 485
  GMR, 468–471
  Merkle, 464–466
  Rabin, 462–464
  validation parameters, 462

One-to-one function, 7–8, 50
One-way cipher, 377
One-way function, 8–9, 327
  DES-based, 190, 328
  exponentiation modulo a prime, 115, 329
  multiplication of large primes, 329
  Rabin function, 115
  RSA function, 115

One-way hash function (OWHF), 325
One-way permutation, 115, 328
Onto function, 7, 50
Open Systems Interconnection (OSI), 653, 660
Operational, 532
Opponent, 13, 495
  see also Attacker
Optimal normal basis, 168, 659
Oracle, 88
Order
  generating element of maximum order in Z_n^*, 163
  of Z_n^*, 69


  of a finite field, 80
  of a group, 75
  of a group element, 76, 160
    algorithm for determining, 162
  of an element in Z_n^*, 69
Otway-Rees protocol, 504, 536
Output feedback mode (OFB), 232–233

  as a stream cipher, 233
  changing IV in, 232
  counter mode, 233
  feedback size, 233

Outsider, 496
OWHF, see One-way hash function
Ownership, 3

P
P, 60
Palindromic keys of DES, 257
Party, 13
Passcode generator, 402
Passive adversary, 15
Passive attack, 41, 495
Passkey, 395
Passphrase, 390
Passwords (weak authentication), 388–397, 420
  aging, 390
  attacks on, 391–393
    dictionary, 392
    exhaustive search, 391
    password-guessing, 392
    pre-play, 397
    replay, 391
  encrypted password file, 389
  entropy, 392
  generator, 387
  one-time, 395–397
    Lamport’s scheme, 396
  passkey, 395
  passphrase, 390
  personal identification number (PIN), 394
  rules, 389
  salting, 390
  stored password file, 389
  UNIX, 393–394

Patents, 635–645, 657–659
  ordering and acquiring, 645
  priority date, 636
  validity period, 636

PEM, see Privacy Enhanced Mail (PEM)
Pepin’s primality test, 166
Perceptrons problem, 423
Perfect forward secrecy, 496, 534
Perfect power
  testing for, 89

Perfect secrecy, 42, 227, 307
Perfect secret sharing scheme, 526, 527
Perfect zero-knowledge protocol, 407
Period of a periodic sequence, 180
Periodic sequence, 180
  autocorrelation function of, 180
  cycle of, 180
  period of, 180

Permanent insider, 496
Permutation, 10, 50
Permutation polynomial, 314
Permuted kernel problem, 423
Personal Identification Number (PIN)
  ANSI X9.8 standard, 649
  ISO 9564 standard, 652

PGP, see Pretty Good Privacy (PGP)
Phi function (φ), 65

Photuris, 661
Physically secure channel, 13
PIKE stream cipher, 222
PIN, see Passwords (weak authentication), see Personal Identification Number (PIN)
PKCS standards, 656, 661
  ordering and acquiring, 657
PKCS #1, 445–447, 483

Plaintext, 11
Plaintext-aware encryption scheme, 311–312
Playfair cipher, 239, 274
Pless generator, 218
PN-sequence, 181
Pocklington’s theorem, 144
Pohlig-Hellman algorithm, 107–109, 128
Pohlig-Hellman cipher, 271
  patent, 642, 659
Poker test, 182, 188
Policy Certification Authority (PCA), 589
Pollard’s p−1 algorithm, 92–93, 125
Pollard’s rho algorithm
  for discrete logarithms, 106–107, 128
  for factoring, 91–92, 125

Polyalphabetic substitution cipher, 18, 241–242, 273–274
  auto-key cipher, 242
  Beaufort cipher, 241
  cipher machine, see Cipher machine
  PURPLE cipher, 276
  Vigenere cipher
    auto-key, 242
    compound, 241
    full, 242
    running-key, 242
    simple, 18, 241
    single mixed alphabet, 242

Polygram substitution cipher, 239


Polynomial, 78
  irreducible, 78
  leading coefficient of, 78

Polynomial basis, 83
Polynomial factorization, 122–124, 132
  Berlekamp’s Q-matrix algorithm, 124
  square-free factorization, 123

Polynomial-time algorithm, 59
Polynomial-time indistinguishability, 318
Polynomial-time statistical test, 171
Polynomially secure public-key encryption, 306
Polytime reduction, 61, 88
Practical security, 43
Pre-play attack, 397, 398
Pre-positioned secret sharing scheme, 527
Precision, 593
Preimage, 6, 50
Preimage resistance, 323
Pretty Good Privacy (PGP), 661
Primality proving algorithm, see Primality test, true primality test
Primality test
  probabilistic primality test, 135–142
    comparison, 140–142
    Fermat’s test, 136
    Miller-Rabin test, 139
    Solovay-Strassen test, 138
  true primality test, 142–145
    Atkin’s test, 145
    Goldwasser-Kilian test, 166
    Jacobi sum test, 144
    Lucas-Lehmer test, 142
    Pepin’s test, 166

Prime number, 9, 64
Prime number generation, 145–154
  algorithms
    Gordon’s algorithm, 150
    Maurer’s algorithm, 153
    NIST method, 151
    random search, 146
  DSA primes, 150–152
  incremental search, 148
  provable primes, 152–154
  random search, 145–149
  strong primes, 149–150

Prime number theorem, 64
Primitive element, see Generator
Primitive normal polynomial, 168
Primitive polynomial, 157–160
  algorithm for generating, 160
  algorithm for testing, 157
  definition of, 84

Primitives, 4
Principal, 495

Principal square root, 74
Privacy, see Confidentiality
Privacy Enhanced Mail (PEM), 588, 655
  RFCs 1421–1424, 655
Private key, 26, 27, 544
Private-key certificate, see Symmetric-key certificate
Private-key encryption, 15
Probabilistic public-key encryption, 306–312, 318–319
  Blum-Goldwasser, 308–311
  Goldwasser-Micali, 307–308
  security level
    polynomially secure, 306
    semantically secure, 306

Probability, 50
Probability density function, 176
Probability distribution, 50
Probability theory, 50–55
Probable prime, 136
Product cipher, 20, 251
Proof of knowledge, 406, 421, 422
Proposed Encryption Standard (PES), 279
Protection lifetime, 553, 578
Protocol
  authentication, 493
  cut-and-choose, 410, 421
  definition of, 33, 490
  failure of, 34
  hybrid, 512
  identification, see Identification
  key establishment, see Key establishment
  message-independent, 493
  non-interactive, 493
  witness hiding, 423
  zero-knowledge, 405–417

Provable prime, 134, 142
Provable security, 43, 533
Prover, 386
Pseudo-collision, 371
Pseudo-Hadamard transform, 266
Pseudo-noise sequence, 181
Pseudoprime, 136
  Euler, 138
  strong, 139

Pseudorandom bit generator (PRBG), 173–175
  ANSI X9.17, 173
  definition of, 170
  FIPS 186, 174–175
  linear congruential generator, 170, 187

Pseudorandom bit sequence, 170
Pseudorandom function, 331
Pseudorandom sequences, 39–41
Pseudosquares modulo n, 74, 99, 308


Public key, 26, 27, 544
  compared vs. symmetric-key, 31–32, 551
  implicitly-certified, 520–522

Public-key certificate, 39, 559–561, 587
  data part, 559
  distinguished name, 559
  signature part, 559

Public-key encryption, 25–27, 283–319
  advantages of, 31
  disadvantages of, 32
  ElGamal, 294–298
  knapsack, 300–306
    Chor-Rivest, 302–306
    Merkle-Hellman, 300–302
  LUC, see LUC cryptosystem
  McEliece, 298–299
  non-malleable, 311
  plaintext-aware, 311–312
  probabilistic, 306–312
    Blum-Goldwasser, 308–311
    Goldwasser-Micali, 307–308
  Rabin, 292–294
  reversible, 28
  RSA, 285–291
  types of attacks, 285
  Williams, 315

PURPLE cipher, 276
Puzzle system, 376, 537

Q
Quadratic congruential generator, 187
Quadratic non-residues, 70
Quadratic residues, 70
Quadratic residuosity problem, 99, 127, 307
Quadratic sieve factoring algorithm, 95–97, 126
  implementation reports, 126
Quantum computer, 130
Quantum cryptography, 48, 535
Quotient, 64, 78

R
Rabin one-time signature scheme, 462–464
  key generation, 463
  resolution of disputes, 463
  signature generation, 463
  signature verification, 463

Rabin public-key encryption, 292–294, 315
  decryption algorithm, 292
  encryption algorithm, 292
  key generation, 292
  security of, 293
  use of redundancy, 293

Rabin signature scheme, 438–442, 482
  ISO/IEC 9796, 442–444
  key generation, 438
  signature generation, 438
  signature verification, 439
  use of redundancy, 439

Rabin’s information dispersal algorithm (IDA), 539

RACE/RIPE project, 421, 536
Radix representation, 592–593
  base b, 592
  binary, 592
  high-order digit, 593
  least significant digit, 593
  low-order digit, 593
  mixed, 611, 630
  most significant digit, 593
  precision, 593
  radix b, 592

Ramp schemes, see Secret sharing
Random bit generator, 39–41, 171–173
  cryptographically secure pseudorandom bit generator, see Cryptographically secure pseudorandom bit generator (CSPRBG)
  definition of, 170
  hardware techniques, 172
  pseudorandom bit generator, see Pseudorandom bit generator (PRBG)
  software techniques, 172

Random cipher, 225
Random cipher model, 246
Random function, 190
  poly-random, 190
Random mappings model, 54
Random oracle model, 316
Random square methods, 94–98
Random variable, 51
  continuous, 176
  entropy of, 56
  expected value of, 51
  mean of, 51
  standard deviation of, 51
  variance of, 51

Randomized algorithm, 62–63
Randomized DES (RDES) block cipher, 278
Randomized encryption, 225, 296, 306
Randomized stream cipher, 216
Range of a function, 46
Rate of an iterated hash function, 340
Rational numbers, 49
RC2 block cipher, 282
RC4 stream cipher, 222, 282
RC5 block cipher, 269–270, 280–281
  attacks on, 280–281
  decryption algorithm, 270
  encryption algorithm, 270


  key schedule, 270
  patent, 659
  test vectors, 270
  weak keys, 281

Real number, 49
Real-time, 385
Reblocking problem in RSA, 435–436, 482
Receipt, 3
Receiver, 13
Reduced basis, 118
Redundancy, 29, 431
  of English, 245
Reflection attack, 417, 530, 540
Registration authority, 549
Related-key attack on block ciphers, 281
Relatively prime, 64
Remainder, 64, 78
Replay attack, 42, 417
Requests for Comments, see RFCs
Residue list sieve, 128
Resilient key establishment protocol, 532
Response, 409
Retail banking, 648
Retail MAC, 650
Reverse certificate, 575
Reversible public-key encryption scheme, 28
Revocation, 3
RFCs, 655–656

  ordering and acquiring, 657
Ring, 76–77
  commutative, 77
  definition of, 76
  group of units, 77
  polynomial, 78–79

Rip van Winkle cipher, 216
RIPE-MAC, 354, 381
RIPEMD hash function, 380
RIPEMD-128 hash function, 339, 380
RIPEMD-160 hash function, 339, 350
  ISO/IEC 10118-3 standard, 647
Root vertex, 557
Rotor-based machine, see Cipher machine
Round function, 251
Round of a product cipher, 20
RP, 63
RSA-129 number, 126, 130
RSA problem, 98–99, 127, 287

  security of individual bits, 116
RSA pseudorandom bit generator, 185–186
RSA public-key encryption, 285–291, 312–315
  decryption algorithm, 286, 611, 613
  decryption exponent, 286
  elliptic curve analogue, 315
  encryption algorithm, 286
  encryption exponent, 286
  key generation, 286
  modulus, 286
  patent, 638
  prime selection, 290
  recommended modulus size, 290
  security of, 287–290
    adaptive chosen-ciphertext attack, 289, 313
    common modulus attack, 289
    cycling attacks, 289, 313
    forward search attack, 288
    message concealing, 290, 313
    multiplicative properties, 288
    polynomially related plaintext, 313
    relation to factoring, 287
    small decryption exponent, 288
    small encryption exponent, 288, 291, 313
  unbalanced, 314
RSA signature scheme, 433–438, 482
  ANSI X9.31-1 standard, 651
  bandwidth efficiency, 437
  ISO/IEC 9796, 442–444
  key generation, 434
  patent, 638
  PKCS #1, 445–447
  reblocking problem, 435–436, 482
  redundancy function, 437
  security of, 434–435
  signature generation, 434, 613
  signature verification, 434

Run of a sequence, 180
Running key generator, 194
Runs test, 182, 188

S
S/MIME, 661
Safe prime, 537
  algorithm for generating, 164
  definition of, 164

SAFER block cipher, 266–269, 280
  attacks on, 280
  SAFER K-64 decryption algorithm, 269
  SAFER K-64 encryption algorithm, 268
  SAFER K-64 key schedule, 268
  SAFER K-128, 280
  SAFER SK-64 key schedule, 268
  SK-128, 280
  test vectors, 269

Salt, 288, 390
Schnorr identification protocol, 414–416, 422
  patent, 639
Schnorr signature scheme, 459–460, 484
  Brickell-McCurley variant, 484


  Okamoto variant, 484
  patent, 639
  signature generation, 459
  signature verification, 460

SEAL stream cipher, 213–216
  implementation report, 222
  patent, 222
  test vectors, 215

Sealed authenticator, 361
Sealed key, 568
2nd-preimage resistance, 323, 325
Secrecy, see Confidentiality
Secret broadcasting scheme, 540
Secret key, 544
Secret-key certificate, 588
Secret sharing, 524–528, 538–540
  access structure, 526
  authorized subset, 527
  dynamic, 527
  extendable, 526
  generalized, 526–528
  ideal, 527
  information rate, 527
  multi-secret threshold, 527
  perfect, 526, 527
  pre-positioned, 527
  ramp schemes, 539
  shared control schemes, 524–525
  threshold scheme, 525–526
  verifiable, 527
  visual cryptography, 539
  with disenrollment, 528

Secure channel, 13
Secure Hash Algorithm (SHA-1), 348
  ANSI X9.30-2 standard, 651
  FIPS 180-1 standard, 654
  ISO/IEC 10118-3 standard, 647

Secured channel, 13
Security domain, 570
Security policy, 545
Seed, 21, 170
Selective forgery, 326, 432
Self-shrinking generator, 221
Self-synchronizing stream cipher, 194–195
Semantically secure public-key encryption, 306
Semi-weak keys of DES, 257
Sender, 13
Sequence
  block of, 180
  de Bruijn, 203
  gap of, 180
  m-sequence, 197
  periodic, 180
  pn-sequence, 181
  pseudo-noise, 181
  run of, 180

Sequence numbers, 399
Serial test, 181, 188
Session key, 36, 494
Session key establishment, 491
SHA-1, see Secure Hash Algorithm (SHA-1)
Shadow, 538
Shamir’s no-key protocol, 500, 535
Shamir’s threshold scheme, 526, 539
Shared control schemes, 524–525
Shares, 524–528, 538
SHARK block cipher, 281
Shift cipher, 239
Short-term key, 553
Shrinking generator, 211–212

  implementation report, 221
Sieving, 97
Signature, 3, 22–23, 28–30, 425–488
  arbitrated, 472–473
  blind, see Blind signature scheme
  designated confirmer, 487
  deterministic, 427
  Diffie-Lamport, 485
  Digital Signature Algorithm (DSA), 452–454
  ElGamal, 454–459
  ESIGN, 473–474
  fail-stop, see Fail-stop signature scheme
  Feige-Fiat-Shamir, 447–449
  framework, 426–433
  generation algorithm, 426
  GMR, 468–471
  GQ, 450–451
  group, 488
  handwritten, 23
  Merkle one-time, 464–466
  modified-Rabin, 439–442
  Nyberg-Rueppel, 460–462
  on-line/off-line, 486
  Ong-Schnorr-Shamir (OSS), 482, 486
  Rabin, 438–442
  Rabin one-time, 462–464
  randomized, 427
  relation to identification, 388
  resolution of disputes, 30
  RSA, 433–438
  Schnorr, 459–460
  strongly equivalent, 485
  types of attacks, 432
  undeniable, see Undeniable signature scheme
  verification algorithm, 426
  with appendix, 481
    framework, 428–430
    ISO/IEC 14888 standard, 648


    PKCS #1, 445–447
  with message recovery, 29
    framework, 430–432
    ISO/IEC 9796 standard, 442–444, 646, 660
  with redundancy, 29

Signature notarization, 583
Signature space, 427
Signature stripping, 510
Signed-digit representation, 627–628
Signed-magnitude representation, 593
Signer, 23
Significance level, 179
Signing transformation, 22
Simple substitution cipher, see Mono-alphabetic substitution cipher
Simulator, 407
Simultaneous diophantine approximation, 121–122
  algorithm for, 122
  unusually good, 121

Simultaneous multiple exponentiation, 617
Simultaneously secure bits, 115
Single-key encryption, 15
Single-length MDC, 339
Single-precision integer, 593
Singleton bound, 506
SKEME, 661
SKID2 identification protocol, 402, 421
SKID3 identification protocol, 402, 421
SKIP, 661
SKIPJACK block cipher, 282, 654
Sliding-window exponentiation, 616
Small decryption exponent in RSA, 288
Small encryption exponent in RSA, 288, 291, 313
Smart card, 387
  ISO 10202 standard, 652
Smooth
  integer, 92
  polynomial, 112

Snefru hash function, 380
� ¯�� Ô S-boxes, 281
Solovay-Strassen primality test, 138, 165
Span, 80
Sparse linear equations, 129
  conjugate gradient method, 129
  Lanczos method, 129
  Wiedemann algorithm, 129

Special-purpose factoring algorithm, 90
SPKM, 656, 661
Split-knowledge scheme, 525
Splitting an integer, 89
Spread spectrum, 45
Square roots, 99–102
  composite modulus, 101–102, 127
  prime modulus, 100–101, 127
SQROOT problem, 101
Square-free factorization, 123
  algorithm for, 123, 132
Square-free integer, 137
Square-free polynomial, 123
Stage
  of an FSR, 202
  of an LFSR, 195

Standard deviation, 51
Standard normal distribution, 176
Standards, 645–657, 660–661
  ANSI, 648–651
  FIPS, 654–655
  IEEE, 660
  Internet, 655–656
  ISO/IEC, 645–648, 651–653
  PKCS, 656
  RFC, 655–656
  X.509, 653

Station-to-station (STS) key agreement, 519, 538
Statistical test, 175–185, 188–189
  autocorrelation test, 182
  frequency test, 181
  hypothesis, 179
  Maurer’s universal statistical test, 183–185, 189
  one-sided test, 179
  poker test, 182
  polynomial-time, 171
  runs test, 182
  serial test, 181
  significance level, 179
  two-sided test, 180

Statistical zero-knowledge protocol, 424
Steganography, 46
Step-1/step-2 generator, 220
Stirling numbers, 53
Stirling’s formula, 59
Stop-and-go generator, 220
Stream cipher, 20–21, 191–222
  A5, 222
  attacks on
    correlation attack, 206, 218
    inversion attack, 219
    linear consistency attack, 219–220
    linear cryptanalysis, 219
    linear syndrome attack, 218
    lock-in, 221
  cellular automata, 222
  classification, 192–195
  clock-controlled generator, 209–212
    alternating step generator, 209–211
    m-sequence cascade, 221

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


778 Index

    p-cycle cascade, 220
    self-shrinking generator, 221
    shrinking generator, 211–212
    step-1/step-2 generator, 220
    stop-and-go generator, 220
  comparison with block ciphers, 192
  FISH, 222
  GOAL, 219
  initial state, 193, 194
  keystream, 193, 194
  next-state function, 193
  nonlinear combination generator, 205–208
    Geffe generator, 206
    multiplexer generator, 220
    multispeed inner-product generator, 220
    Pless generator, 218
    summation generator, 207
  nonlinear filter generator, 208–209
    knapsack generator, 209
  one-time pad, 192–193
  output function, 193, 194
  PIKE, 222
  randomized stream cipher, 216
  RC4, 222
  Rip van Winkle cipher, 216
  SEAL, 213–216
  self-synchronizing stream cipher, 194–195
  synchronous stream cipher, 193–194

Strict avalanche criterion (SAC), 277
String-replacement representation, 628–629
Strong collision resistance, 324
Strong equivalent signature schemes, 485
Strong liar, 139
Strong one-way hash function, 325
Strong prime, 149–150
  algorithm for generating, 150
  definition of, 149, 291
  Hellman-Bach patent, 643
  usage in RSA, 291

Strong pseudoprime, 139
Strong pseudoprime test, see Miller-Rabin primality test
Strong witness, 139
Subexponential-time algorithm, 60
Subfield, 77
Subgroup, 76
Subliminal channel, 485
  broadband, 485
  narrowband, 485
Subset sum problem, 61, 117–122, 190
  meet-in-the-middle algorithm, 118
  naive algorithm, 117
  superincreasing, 300
  using L³-algorithm, 120

Subspace of a vector space, 80
Substitution cipher, 17–18, 238–241
  homophonic, 17, 240
  mono-alphabetic, 17, 239
    affine cipher, 239
    Caesar cipher, 239
    shift cipher, 239
    unicity distance of, 247
  polyalphabetic, 18
  polygram, 239
    Hill cipher, 240
    Playfair cipher, 239

Substitution-permutation (SP) network, 251
Summation generator, 207, 218
Superincreasing subset sum problem, 300
  algorithm for solving, 300
Superuser, 389
Surjective function, 46, 50
SWIFT, 586
Symmetric cryptographic system, 544
Symmetric key, 544
  compared vs. public-key, 31–32, 551
Symmetric-key certificate, 554–555, 587
Symmetric-key encryption, 15–21
  advantages of, 31
  block cipher, 223–282
  definition of, 15
  disadvantages of, 31
  stream cipher, 191–222
Synchronous stream cipher, 193–194
  binary additive stream cipher, 194
Syndrome decoding problem, 190, 423

T

Tapper, 13
TEA block cipher, 282
TEMPEST, 45
Teraflop, 44
Terminal key, 552
Test vectors
  DES, 256
  FEAL, 262
  IDEA, 265
  MD4, 345
  MD5, 345
  MD5-MAC, 358
  RC5, 270
  RIPEMD-160, 345
  SAFER, 269
  SHA-1, 345
3-WAY block cipher, 281
Threshold cryptography, 534
Threshold scheme, 525–526
  Blakley, 538


Index 779

  Shamir, 526, 539
Ticket, 501, 570, 586
Time-memory tradeoff, 236, 273
Time-variant parameter, 362, 397–400, 497
  nonce, 397
  random numbers, 398–399
  sequence numbers, 399
  timestamps, 399–400
Timestamp, 3, 399–400, 420, 581–582
  agent, 550

Toeplitz matrix, 382
Transaction authentication, 362
Transformation, 6
Transinformation, 57
Transposition cipher, 18, 238
  compound, 238
  simple, 18, 238
  unicity distance of, 246

Trapdoor one-way function, 9, 26
Trapdoor predicate, 318
Tree authentication, 376
  patent, 637
Trinomial, 154
Triple encryption, 235–237, 272
Triple-DES, 272, 651
  ANSI X9.52 standard, 651
Triple-inner-CBC mode, 237
Triple-outer-CBC mode, 237
Truncated differential analysis, 271, 280
Trust model, 572
  centralized, 573
  directed graph, 575
  distributed, 575
  hierarchy with reverse certificates, 575
  rooted chain, 573
  separate domains, 573
  strict hierarchical, 573

Trusted server, 491
Trusted third party (TTP), 30, 36, 491, 547–550, 581–584
  authentication server, 549
  certificate directory, 549
  certification authority (CA), 548
  functionally trusted, 39
  in-line, 547
  KDC, see Key distribution center (KDC)
  key access server, 549
  key escrow agent, 550
  key generator, 549
  key management facility, 549
  key server, 549
  KTC, see Key translation center (KTC)
  name server, 549
  notary agent, 550
  off-line, 548
  on-line, 547
  registration authority, 549
  timestamp agent, 550
  unconditionally trusted, 39
TTP, see Trusted third party (TTP)
Turing-Kolmogorov-Chaitin complexity, 217
Two’s complement representation, 594
2-adic span, 218
Two-bit test, 181
Two-key triple-encryption, 235
  chosen-plaintext attack on, 236
  known-plaintext attack on, 237
Two-sided statistical test, 180
Type I error, 179
Type II error, 179

U

Unbalanced RSA, 314
Unblinding function, 475
Unconcealed message, 290
Unconditional security, see Perfect secrecy, 533
Unconditionally trusted third party, 39
Undeniable signature scheme, 476–478, 487–488
  Chaum-van Antwerpen, 476–478
  confirmer, 487
Unicity distance
  definition of, 246
  known-plaintext, 235
  of a cascade cipher, 272
  of a mono-alphabetic substitution cipher, 247
  of a transposition cipher, 246
Unilateral authentication, 387, 401–402, 405, 494
Union of sets, 49
Unique factorization domain, 81
Unit, 68, 77, 103, 114
Universal classes of hash function, 376
Universal exponent, 287
Universal forgery, 482
Universal one-way hash function, 377
Universal statistical test, see Maurer’s universal statistical test
UNIX passwords, 393–394
Unsecured channel, 13
Unusually good simultaneous diophantine approximation, 121, 317
Userid, 388

V

Validation, 3
Validation parameters, 462
Variance, 51
Vector space, 79–80
  dimension of, 80
  standard basis, 80


780 Index

  subspace of, 80
Vector-addition chains, 622–623
Verifiable secret sharing, 527, 539
Verification algorithm, 426
Verification transformation, 22
Verifier, 23, 385, 386
Vernam cipher, see One-time pad
Vigenère cipher, see Polyalphabetic substitution cipher
Visual cryptography, 539

W

WAKE block cipher, 282
Weak collision resistance, 324
Weak keys of DES, 257
Weak one-way hash function, 325
Wheatstone disc, 274
Wholesale banking, 648
Wiedemann algorithm, 129
Williams’ public-key encryption, 315
Witness, 135, 409
  Euler, 137
  Fermat, 136
  strong, 139
Witness hiding protocol, 423
Witness indistinguishability, 423
Witnessing, 3
Work factor, 44
  historical, 44
Worst-case running time, 58
Wyner’s wire-tap channel, 535

X

X.509 authentication protocol, 536
  three-way, 512
  two-way, 511
X.509 certificate, 587
X.509 standard, 653
XOR, see Exclusive-or

Y

Yuval’s birthday attack, 369

Z

Zero-knowledge identification, 405–417, 421–424
  Brickell-McCurley, 423
  comparison of protocols, 416–417
  constrained linear equations problem, 423
  extended Fiat-Shamir, 422
  Feige-Fiat-Shamir, 410–412
  Fiat-Shamir (basic version), 408
  Fischer-Micali-Rackoff, 422
  GQ, 412–414
  Ohta-Okamoto, 422
  permuted kernel problem, 423
  Schnorr, 414–416
  syndrome decoding problem, 423
Zero-knowledge protocol, 405–417, 421–424
  auxiliary-input, 423
  black-box simulation, 423
  challenge, 409
  completeness, 406
  computational, 407
  extracting secret, 406
  for possession of discrete log, 422
  parallel version, 412
  perfect, 407
  proof of knowledge, 406, 421, 422
  proof of membership, 421
  response, 409
  simulator, 407
  soundness, 406
  statistical, 424
  witness, 409
Ziv-Lempel complexity, 217
ì Þ -operation, 82
ZPP, 63
