#### You've reached the end of your free preview.

Want to read all 794 pages?

**Unformatted text preview: **HANDBOOK of APPLIED
CRYPTOGRAPHY Alfred J. Menezes
Paul C. van Oorschot
Scott A. Vanstone Foreword
by R.L. Rivest
As we draw near to closing out the twentieth century, we see quite clearly that the
information-processing and telecommunications revolutions now underway will
continue vigorously into the twenty-first. We interact and transact by directing flocks
of digital packets towards each other through cyberspace, carrying love notes, digital
cash, and secret corporate documents. Our personal and economic lives rely more and
more on our ability to let such ethereal carrier pigeons mediate at a distance what we
used to do with face-to-face meetings, paper documents, and a firm handshake.
Unfortunately, the technical wizardry enabling remote collaborations is founded on
broadcasting everything as sequences of zeros and ones that one's own dog wouldn't
recognize. What is to distinguish a digital dollar when it is as easily reproducible as the
spoken word? How do we converse privately when every syllable is bounced off a
satellite and smeared over an entire continent? How should a bank know that it really is
Bill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to another
bank? Fortunately, the magical mathematics of cryptography can help. Cryptography
provides techniques for keeping information secret, for determining that information
has not been tampered with, and for determining who authored pieces of information.
Cryptography is fascinating because of the close ties it forges between theory and
practice, and because today's practical applications of cryptography are pervasive and
critical components of our information-based society. Information-protection protocols
designed on theoretical foundations one year appear in products and standards
documents the next. Conversely, new theoretical developments sometimes mean that
last year's proposal has a previously unsuspected weakness. While the theory is
advancing vigorously, there are as yet few true guarantees; the security of many
proposals depends on unproven (if plausible) assumptions. The theoretical work refines
and improves the practice, while the practice challenges and inspires the theoretical
work. When a system is "broken," our knowledge improves, and next year's system is
improved to repair the defect. (One is reminded of the long and intriguing battle
between the designers of bank vaults and their opponents.)
Cryptography is also fascinating because of its game-like adversarial nature. A good
cryptographer rapidly changes sides back and forth in his or her thinking, from attacker
to defender and back. Just as in a game of chess, sequences of moves and countermoves must be considered until the current situation is understood. Unlike chess
players, cryptographers must also consider all the ways an adversary might try to gain
by breaking the rules or violating expectations. (Does it matter if she measures how
long I am computing? Does it matter if her "random" number isn't one?)
The current volume is a major contribution to the field of cryptography. It is a rigorous
encyclopedia of known techniques, with an emphasis on those that are both (believed to
be) secure and practically useful. It presents in a coherent manner most of the important
cryptographic tools one needs to implement secure cryptographic systems, and explains
many of the cryptographic principles and protocols of existing systems. The topics
covered range from low-level considerations such as random-number generation and
efficient modular exponentiation algorithms and medium-level items such as publickey signature techniques, to higher-level topics such as zero-knowledge protocols. This book's excellent organization and style allow it to serve well as both a self-contained
tutorial and an indispensable desk reference.
In documenting the state of a fast-moving field, the authors have done incredibly well
at providing error-free comprehensive content that is up-to-date. Indeed, many of the
chapters, such as those on hash functions or key-establishment protocols, break new
ground in both their content and their unified presentations. In the trade-off between
comprehensive coverage and exhaustive treatment of individual items, the authors have
chosen to write simply and directly, and thus efficiently, allowing each element to be
explained together with their important details, caveats, and comparisons.
While motivated by practical applications, the authors have clearly written a book that
will be of as much interest to researchers and students as it is to practitioners, by
including ample discussion of the underlying mathematics and associated theoretical
considerations. The essential mathematical techniques and requisite notions are
presented crisply and clearly, with illustrative examples. The insightful historical notes
and extensive bibliography make this book a superb stepping-stone to the literature. (I
was very pleasantly surprised to find an appendix with complete programs for the
CRYPTO and EUROCRYPT conferences!)
It is a pleasure to have been asked to provide the foreword for this book. I am happy to
congratulate the authors on their accomplishment, and to inform the reader that he/she
is looking at a landmark in the development of the field.
Ronald L. Rivest
Webster Professor of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
June 1996 Preface
This book is intended as a reference for professional cryptographers, presenting the
techniques and algorithms of greatest interest to the current practitioner, along with the supporting motivation and background material. It also provides a comprehensive source from
which to learn cryptography, serving both students and instructors. In addition, the rigorous treatment, breadth, and extensive bibliographic material should make it an important
reference for research professionals.
Our goal was to assimilate the existing cryptographic knowledge of industrial interest
into one consistent, self-contained volume accessible to engineers in practice, to computer
scientists and mathematicians in academia, and to motivated non-specialists with a strong
desire to learn cryptography. Such a task is beyond the scope of each of the following: research papers, which by nature focus on narrow topics using very specialized (and often
non-standard) terminology; survey papers, which typically address, at most, a small number of major topics at a high level; and (regretably also) most books, due to the fact that
many book authors lack either practical experience or familiarity with the research literature or both. Our intent was to provide a detailed presentation of those areas of cryptography which we have found to be of greatest practical utility in our own industrial experience,
while maintaining a sufﬁciently formal approach to be suitable both as a trustworthy reference for those whose primary interest is further research, and to provide a solid foundation
for students and others ﬁrst learning the subject.
Throughout each chapter, we emphasize the relationship between various aspects of
cryptography. Background sections commence most chapters, providing a framework and
perspective for the techniques which follow. Computer source code (e.g. C code) for algorithms has been intentionally omitted, in favor of algorithms speciﬁed in sufﬁcient detail to
allow direct implementation without consulting secondary references. We believe this style
of presentation allows a better understanding of how algorithms actually work, while at the
same time avoiding low-level implementation-speciﬁc constructs (which some readers will
invariably be unfamiliar with) of various currently-popular programming languages.
The presentation also strongly delineates what has been established as fact (by mathematical arguments) from what is simply current conjecture. To avoid obscuring the very
applied nature of the subject, rigorous proofs of correctness are in most cases omitted; however, references given in the Notes section at the end of each chapter indicate the original
or recommended sources for these results. The trailing Notes sections also provide information (quite detailed in places) on various additional techniques not addressed in the main
text, and provide a survey of research activities and theoretical results; references again indicate where readers may pursue particular aspects in greater depth. Needless to say, many
results, and indeed some entire research areas, have been given far less attention than they
warrant, or have been omitted entirely due to lack of space; we apologize in advance for
such major omissions, and hope that the most signiﬁcant of these are brought to our attention.
To provide an integrated treatment of cryptography spanning foundational motivation
through concrete implementation, it is useful to consider a hierarchy of thought ranging
from conceptual ideas and end-user services, down to the tools necessary to complete actual implementations. Table 1 depicts the hierarchical structure around which this book is
organized. Corresponding to this, Figure 1 illustrates how these hierarchical levels map
xxiii xxiv Preface Information Security Objectives
Conﬁdentiality
Data integrity
Authentication (entity and data origin)
Non-repudiation
Cryptographic functions
Encryption
Chapters 6, 7, 8
Message authentication and data integrity techniques Chapter 9
Identiﬁcation/entity authentication techniques
Chapter 10
Digital signatures
Chapter 11
Cryptographic building blocks
Stream ciphers
Chapter 6
Block ciphers (symmetric-key)
Chapter 7
Public-key encryption
Chapter 8
One-way hash functions (unkeyed)
Chapter 9
Message authentication codes
Chapter 9
Signature schemes (public-key, symmetric-key)
Chapter 11
Utilities
Public-key parameter generation
Chapter 4
Pseudorandom bit generation
Chapter 5
Efﬁcient algorithms for discrete arithmetic
Chapter 14
Foundations
Introduction to cryptography
Chapter 1
Mathematical background
Chapter 2
Complexity and analysis of underlying problems
Chapter 3
Infrastructure techniques and commercial aspects
Key establishment protocols
Chapter 12
Key installation and key management
Chapter 13
Cryptographic patents
Chapter 15
Cryptographic standards
Chapter 15
Table 1: Hierarchical levels of applied cryptography. onto the various chapters, and their inter-dependence.
Table 2 lists the chapters of the book, along with the primary author(s) of each who
should be contacted by readers with comments on speciﬁc chapters. Each chapter was written to provide a self-contained treatment of one major topic. Collectively, however, the
chapters have been designed and carefully integrated to be entirely complementary with
respect to deﬁnitions, terminology, and notation. Furthermore, there is essentially no duplication of material across chapters; instead, appropriate cross-chapter references are provided where relevant.
While it is not intended that this book be read linearly from front to back, the material
has been arranged so that doing so has some merit. Two primary goals motivated by the
“handbook” nature of this project were to allow easy access to stand-alone results, and to allow results and algorithms to be easily referenced (e.g., for discussion or subsequent crossreference). To facilitate the ease of accessing and referencing results, items have been categorized and numbered to a large extent, with the followingclasses of items jointlynumbered
consecutively in each chapter: Deﬁnitions, Examples, Facts, Notes, Remarks, Algorithms,
Protocols, and Mechanisms. In more traditional treatments, Facts are usually identiﬁed as
propositions, lemmas, or theorems. We use numbered Notes for additional technical points, Chapter 6 stream ciphers Chapters 6,7,8 encryption Figure 1: Roadmap of the book. signatures Chapter 11 (public-key) math Chapter 15 Chapter 13 Chapter 2 background
key management standards Chapter 12 establishment of secret keys patents and Chapter 14 Chapter 3 Chapter 1 introduction security foundations efficient Chapter 11 signatures
(symmetric-key) Chapter 11 digital
signatures non-repudiation implementation Chapter 4 Chapter 5 Chapter 9 public-key
parameters Chapter 9 (keyed) (unkeyed) random
number
generation Chapter 8 hash functions Chapter 10 identification hash functions Chapter 9 message
authentication authentication public-key Chapter 7 data integrity encryption
(public-key) Chapter 9 data integrity
techniques block ciphers
(symmetric-key) confidentiality Preface
xxv xxvi Preface Chapter
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
— Overview of Cryptography
Mathematical Background
Number-Theoretic Reference Problems
Public-Key Parameters
Pseudorandom Bits and Sequences
Stream Ciphers
Block Ciphers
Public-Key Encryption
Hash Functions and Data Integrity
Identiﬁcation and Entity Authentication
Digital Signatures
Key Establishment Protocols
Key Management Techniques
Efﬁcient Implementation
Patents and Standards
Overall organization Primary Author
AJM PVO SAV
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
* Table 2: Primary authors of each chapter. while numbered Remarks identify non-technical (often non-rigorous) comments, observations, and opinions. Algorithms, Protocols and Mechanisms refer to techniques involving
a series of steps. Examples, Notes, and Remarks generally begin with parenthetical summary titles to allow faster access, by indicating the nature of the content so that the entire
item itself need not be read in order to determine this. The use of a large number of small
subsections is also intended to enhance the handbook nature and accessibility to results.
Regarding the partitioning of subject areas into chapters, we have used what we call a
functional organization (based on functions of interest to end-users). For example, all items
related to entity authentication are addressed in one chapter. An alternative would have been
what may be called an academic organization, under which perhaps, all protocols based on
zero-knowledge concepts (including both a subset of entity authentication protocols and
signature schemes) might be covered in one chapter. We believe that a functional organization is more convenient to the practitioner, who is more likely to be interested in options
available for an entity authentication protocol (Chapter 10) or a signature scheme (Chapter
11), than to be seeking a zero-knowledge protocol with unspeciﬁed end-purpose.
In the front matter, a top-level Table of Contents (giving chapter numbers and titles
only) is provided, as well as a detailed Table of Contents (down to the level of subsections,
e.g., x5.1.1). This is followed by a List of Figures, and a List of Tables. At the start of each
chapter, a brief Table of Contents (specifying section number and titles only, e.g., x5.1, x5.2)
is also given for convenience.
At the end of the book, we have included a list of papers presented at each of the Crypto,
Eurocrypt, Asiacrypt/Auscrypt and Fast Software Encryption conferences to date, as well
as a list of all papers published in the Journal of Cryptology up to Volume 9. These are
in addition to the References section, each entry of which is cited at least once in the body
of the handbook. Almost all of these references have been veriﬁed for correctness in their
exact titles, volume and page numbers, etc. Finally, an extensive Index prepared by the
authors is included. The Index begins with a List of Symbols.
Our intention was not to introduce a collection of new techniques and protocols, but Preface xxvii rather to selectively present techniques from those currently available in the public domain.
Such a consolidation of the literature is necessary from time to time. The fact that many
good books in this ﬁeld include essentially no more than what is covered here in Chapters
7, 8 and 11 (indeed, these might serve as an introductory course along with Chapter 1) illustrates that the ﬁeld has grown tremendously in the past 15 years. The mathematical foundation presented in Chapters 2 and 3 is hard to ﬁnd in one volume, and missing from most
cryptography texts. The material in Chapter 4 on generation of public-key parameters, and
in Chapter 14 on efﬁcient implementations, while well-known to a small body of specialists
and available in the scattered literature, has previously not been available in general texts.
The material in Chapters 5 and 6 on pseudorandom number generation and stream ciphers
is also often absent (many texts focus entirely on block ciphers), or approached only from
a theoretical viewpoint. Hash functions (Chapter 9) and identiﬁcation protocols (Chapter
10) have only recently been studied in depth as specialized topics on their own, and along
with Chapter 12 on key establishment protocols, it is hard to ﬁnd consolidated treatments
of these now-mainstream topics. Key management techniques as presented in Chapter 13
have traditionally not been given much attention by cryptographers, but are of great importance in practice. A focused treatment of cryptographic patents and a concise summary of
cryptographic standards, as presented in Chapter 15, are also long overdue.
In most cases (with some historical exceptions), where algorithms are known to be insecure, we have chosen to leave out speciﬁcation of their details, because most such techniques are of little practical interest. Essentially all of the algorithms included have been
veriﬁed for correctness by independent implementation, conﬁrming the test vectors speciﬁed.
Acknowledgements
This project would not have been possible without the tremendous efforts put forth by our
peers who have taken the time to read endless drafts and provide us with technical corrections, constructive feedback, and countless suggestions. In particular, the advice of our Advisory Editors has been invaluable, and it is impossible to attribute individualcredit for their
many suggestions throughout this book. Among our Advisory Editors, we would particularly like to thank:
Mihir Bellare
Burt Kaliski
Chris Mitchell
Gus Simmons
Yacov Yacobi Don Coppersmith
Peter Landrock
Tatsuaki Okamoto
Miles Smid Dorothy Denning
Arjen Lenstra
Bart Preneel
Jacques Stern Walter Fumy
Ueli Maurer
Ron Rivest
Mike Wiener In addition, we gratefully acknowledge the exceptionally large number of additional individuals who have helped improve the quality of this volume, by providing highly appreciated feedback and guidance on various matters. These individuals include:
Carlisle Adams
Simon Blackburn
Colin Boyd
Ed Dawson
Whit Difﬁe
Luis Encinas
Shuhong Gao
Jovan Goli´
c Rich Ankney
Ian Blake
J¨ rgen Brandt
o
Peter de Rooij
Hans Dobbertin
Warwick Ford
Will Gilbert
Dieter Gollmann Tom Berson
Antoon Bosselaers
Mike Burmester
Yvo Desmedt
Carl Ellison
Amparo Fuster
Marc Girault
Li Gong xxviii Preface Carrie Grant
Darrel Hankerson
Mike Just
Neal Koblitz
Evangelos Kranakis
Xuejia Lai
S. Mike Matyas
Mike Mosca
Volker M¨ eller
u
Kaisa Nyberg
Walter Penzhorn
Leon Pintsov
Matt Robshaw
Rainer Rueppel
Jeff Shallit
Andrea Vanstone
Jerry Veeh
Robert Zuccherato Blake Greenlee
Anwar Hasan
Andy Klapper
Cetin Koc
¸
¸
David Kravitz
Charles Lam
Willi Meier
Tim Moses
David Naccache
Andrew Odlyzko
Birgit Pﬁtzmann
Fred Piper
Peter Rodney
Mahmoud Salmasizadeh
Jon Sorenson
Serge Vaudenay
Fausto Vitini Helen Gustafson
Don Johnson
Lars Knudsen
Judy Koeller
Hugo Krawczyk
Alan Ling
Peter Montgomery
Serge Mister
James Nechvatal
Richard Outerbridge
Kevin Phelps
Carl Pomerance
Phil Rogaway
Roger Schlaﬂy
Doug Stinson
Klaus Vedder
Lisa Yin We apologize to those whose names have inadvertently escaped this list. Special thanks are
due to Carrie Grant, Darrel Hankerson, Judy Koeller, Charles Lam, and Andrea Vanstone.
Their hard work contributed greatly to the quality of this book, and it was truly a pleasure
working with them. Thanks also to the folks at CRC Press, including Tia Atchison, Gary
Bennett, Susie Carlisle, Nora Konopka, Mary Kugler, Amy Morrell, Tim P...

View
Full Document

- Fall '15
- fugeo
- Cryptography, Public-key cryptography, data integrity, Hash functions, public-key encryption