Skip to main content Accessibility help
×
Hostname: page-component-cd9895bd7-lnqnp Total loading time: 0 Render date: 2024-12-28T01:29:48.597Z Has data issue: false hasContentIssue false

References

Published online by Cambridge University Press:  11 November 2021

Joppe Bos
Affiliation:
NXP Semiconductors, Belgium
Martijn Stam
Affiliation:
Simula UiB, Norway
Get access

Summary

Image of the first page of this content. For PDF version, please use the ‘Save PDF’ preceeding this image.'
Type
Chapter
Information
Computational Cryptography
Algorithmic Aspects of Cryptology
, pp. 335 - 382
Publisher: Cambridge University Press
Print publication year: 2021

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Abbott, J., Shoup, V., and Zimmermann, P. 2000. Factorization in Z[x]: the Searching Phase. Pages 17 of: Traverso, C. (ed.), International Symposium on Symbolic and Algebraic Computation – ISSAC. ACM. (Cited on page 290.)Google Scholar
Acar, T. 1997. High-Speed Algorithms & Architectures for Number Theoretic Cryptosystems. PhD thesis, Department of Electrical & Computer Engineering, Oregon State University. (Cited on page 232.)Google Scholar
Acar, T., and Shumow, D. 2010. Modular Reduction without Pre-Computation for Special Moduli. Technical Report. Microsoft Research. (Cited on page 241.)Google Scholar
Adj, G., Canales-Martínez, I., Cruz-Cortés, N., Menezes, A., Oliveira, T., Rivera-Zamarripa, L., and Rodríguez-Henríquez, F. 2018. Computing Discrete Logarithms in Cryptographically-Interesting Characteristic-Three Finite Fields. Advances in Mathematics of Communications, 12(4), 741759. (Cited on page 328.)Google Scholar
Adkins, H. 2011. An update on attempted man-in-the-middle attacks. https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html. (Cited on page 154.)Google Scholar
Adleman, L. M. 1994. The Function Field Sieve. Pages 108121 of: Adleman, L. M., and Huang, M. A. (eds.), Algorithmic Number Theory, First International Symposium, ANTS-I, Ithaca, NY, USA, May 6-9, 1994, Proceedings. LNCS, vol. 877. Springer, Heidelberg, Germany. (Cited on page 328.)Google Scholar
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and Zimmermann, P. 2015. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. Pages 517 of: Ray, I., Li, N., and Kruegel, C. (eds.), ACM CCS 2015. Denver, CO, USA: ACM Press. (Cited on pages 157, 158, 159, 160, 162, 163, 164, and 167.)Google Scholar
Aggarwal, D., and Maurer, U. 2009. Breaking RSA Generically Is Equivalent to Factoring. Pages 3653 of: Joux, A. (ed.), EUROCRYPT 2009. LNCS, vol. 5479. Cologne, Germany: Springer, Heidelberg, Germany. (Cited on page 141.)Google Scholar
Agrawal, M., Kayal, N., and Saxena, N. 2004. PRIMES is in P. Annals of Mathematics, 160(2), 781793. (Cited on pages 47 and 77.)Google Scholar
Ajtai, M. 1998. The Shortest Vector Problem in L2 is NP-hard for Randomized Reductions (Extended Abstract). Pages 1019 of: 30th ACM STOC. Dallas, TX, USA: ACM Press. (Cited on page 79.)Google Scholar
Albrecht, M. R., Fitzpatrick, R., and Göpfert, F. 2014. On the Efficacy of Solving LWE by Reduction to Unique-SVP. Pages 293310 of: Lee, H.-S., and Han, D.-G. (eds.), ICISC 13. LNCS, vol. 8565. Seoul, Korea: Springer, Heidelberg, Germany. (Cited on page 31.)Google Scholar
Albrecht, M. R., Rechberger, C., Schneider, T., Tiessen, T., and Zohner, M. 2015a. Ciphers for MPC and FHE. Pages 430454 of: Oswald, E., and Fischlin, M. (eds.), EUROCRYPT 2015, Part I. LNCS, vol. 9056. Sofia, Bulgaria: Springer, Heidelberg, Germany. (Cited on page 332.)Google Scholar
Albrecht, M. R., Papini, D., Paterson, K. G., and Villanueva-Polanco, R. 2015b. Factoring 512-Bit RSA Moduli for Fun (and a Profit of $ 9,000). https://martinralbrecht.files.wordpress.com/2015/03/freak-scan1.pdf. (Cited on page 144.)Google Scholar
Albrecht, M. R., Bai, S., and Ducas, L. 2016. A Subfield Lattice Attack on Overstretched NTRU Assumptions - Cryptanalysis of Some FHE and Graded Encoding Schemes. Pages 153178 of: Robshaw, M., and Katz, J. (eds.), CRYPTO 2016, Part I. LNCS, vol. 9814. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 35, 36, and 37.)Google Scholar
Albrecht, M. R., Göpfert, F., Virdia, F., and Wunderer, T. 2017. Revisiting the Expected Cost of Solving uSVP and Applications to LWE. Pages 297322 of: Takagi, T., and Peyrin, T. (eds.), ASIACRYPT 2017, Part I. LNCS, vol. 10624. Hong Kong, China: Springer, Heidelberg, Germany. (Cited on pages 23, 31, 32, and 33.)Google Scholar
Albrecht, M. R., Massimo, J., Paterson, K. G., and Somorovsky, J. 2018. Prime and Prejudice: Primality Testing Under Adversarial Conditions. Pages 281298 of: Lie, D., Mannan, M., Backes, M., and Wang, X. (eds.), ACM CCS 2018. Toronto, ON, Canada: ACM Press. (Cited on page 142.)Google Scholar
Albrecht, M. R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E. W., and Stevens, M. 2019. The General Sieve Kernel and New Records in Lattice Reduction. Pages 717746 of: Ishai, Y., and Rijmen, V. (eds.), EUROCRYPT 2019, Part II. LNCS, vol. 11477. Darmstadt, Germany: Springer, Heidelberg, Germany. (Cited on page 33.)Google Scholar
Alford, W. R., and Pomerance, C. 1993. Implementing the Self-Initializing Quadratic Sieve on a Distributed Network. Pages 163174 of: van der Poorten, A., Shparlinski, I., and Zimmer, H. G. (eds.), Number Theoretic and Algebraic Methods in Computer Science. Moscow: World Scientific, Singapore, Singapore. (Cited on page 57.)Google Scholar
Alkim, E., Ducas, L., Pöppelmann, T., and Schwabe, P. 2016. Post-quantum Key Exchange - A New Hope. Pages 327343 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on pages 22, 23, 31, and 34.)Google Scholar
ANSSI. 2010. Référentiel Général de Sécurité, Annexe B1 Mécanismes cryptographiques : Régles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques. Version 1.20. (Cited on page 315.)Google Scholar
Antipa, A., Brown, D. R. L., Menezes, A., Struik, R., and Vanstone, S. A. 2003. Validation of Elliptic Curve Public Keys. Pages 211223 of: Desmedt, Y. (ed.), PKC 2003. LNCS, vol. 2567. Miami, FL, USA: Springer, Heidelberg, Germany. (Cited on page 172.)Google Scholar
Aoki, K., Franke, J., Kleinjung, T., Lenstra, A. K., and Osvik, D. A. 2007. A Kilobit Special Number Field Sieve Factorization. Pages 112 of: Kurosawa, K. (ed.), ASIACRYPT 2007. LNCS, vol. 4833. Kuching, Malaysia: Springer, Heidelberg, Germany. (Cited on pages 3, 169, and 323.)Google Scholar
Applebaum, B., Cash, D., Peikert, C., and Sahai, A. 2009. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. Pages 595618 of: Halevi, S. (ed.), CRYPTO 2009. LNCS, vol. 5677. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 16.)Google Scholar
Atkins, D., Graff, M., Lenstra, A. K., and Leyland, P. C. 1995. The Magic Words are Squeamish Ossifrage. Pages 263277 of: Pieprzyk, J., and Safavi-Naini, R. (eds.), ASIACRYPT’94. LNCS, vol. 917. Wollongong, Australia: Springer, Heidelberg, Germany. (Cited on pages 3, 49, 57, and 320.)Google Scholar
Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J. A., Dukhovni, V., Käsper, E., Cohney, S., Engels, S., Paar, C., and Shavitt, Y. 2016. DROWN: Breaking TLS Using SSLv2. Pages 689706 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on pages 150 and 151.)Google Scholar
Bai, S., Stehlé, D., and Wen, W. 2016. Improved Reduction from the Bounded Distance Decoding Problem to the Unique Shortest Vector Problem in Lattices. Pages 76:176:12 of: Chatzigiannakis, I., Mitzenmacher, M., Rabani, Y., and Sangiorgi, D. (eds.), ICALP 2016. LIPIcs, vol. 55. Rome, Italy: Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik. (Cited on page 29.)Google Scholar
Bai, S., Stehlé, D., and Wen, W. 2018. Measuring, Simulating and Exploiting the Head Concavity Phenomenon in BKZ. Pages 369404 of: Peyrin, T., and Galbraith, S. (eds.), ASIACRYPT 2018, Part I. LNCS, vol. 11272. Brisbane, Queensland, Australia: Springer, Heidelberg, Germany. (Cited on pages 24 and 25.)Google Scholar
Baillie, R., and Wagstaff, S. S. Jr 1980. Lucas Pseudoprimes. Mathematics of Computation, 35, 13911417. (Cited on page 46.)Google Scholar
Barbulescu, R. 2013. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis, Université de Lorraine, France. (Cited on page 159.)Google Scholar
Barbulescu, R., and Duquesne, S. 2019. Updating Key Size Estimations for Pairings. Journal of Cryptology, 32(4), 12981336. (Cited on pages 123, 311, and 329.)Google Scholar
Barbulescu, R., and Pierrot, C. 2014. The Multiple Number Field Sieve for Medium- and High-Characteristic Finite Fields. LMS Journal of Computation and Mathematics, 17(A), 230246. (Cited on page 123.)Google Scholar
Barbulescu, R., Gaudry, P., Joux, A., and Thomé, E. 2014. A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic. Pages 116 of: Nguyen, P. Q., and Oswald, E. (eds.), EUROCRYPT 2014. LNCS, vol. 8441. Copenhagen, Denmark: Springer, Heidelberg, Germany. (Cited on pages 130, 132, 135, 137, and 328.)Google Scholar
Barbulescu, R., Gaudry, P., Guillevic, A., and Morain, F. 2015a. Improving NFS for the Discrete Logarithm Problem in Non-prime Finite Fields. Pages 129155 of: Oswald, E., and Fischlin, M. (eds.), EUROCRYPT 2015, Part I. LNCS, vol. 9056. Sofia, Bulgaria: Springer, Heidelberg, Germany. (Cited on page 329.)Google Scholar
Barbulescu, R., Gaudry, P., and Kleinjung, T. 2015b. The Tower Number Field Sieve. Pages 3155 of: Iwata, T., and Cheon, J. H. (eds.), ASIACRYPT 2015, Part II. LNCS, vol. 9453. Auckland, New Zealand: Springer, Heidelberg, Germany. (Cited on pages 123 and 329.)Google Scholar
Barker, E. 2020. NIST Special Publication 800-57 Part 1, Revision 5, Recommendation for Key Management: Part 1 – General. Technical Report. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-57pt1r5. (Cited on page 313.)Google Scholar
Barker, E., and Dang, Q. 2011. NIST SP 800-57 Part 3 Revision 1: Recommendation for Key Management–Application-Specific Key Management Guidances. Technical Report. Gaithersburg, MD, USA. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf. (Cited on page 144.)Google Scholar
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and Davis, R. 2018. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf. (Cited on pages 162 and 167.)Google Scholar
Barker, E., Chen, L., Roginsky, A., Vassilev, A., Davis, R., and Simon, S. 2019. Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf. (Cited on page 145.)Google Scholar
Barker, E. B., and Roginsky, A. L. 2011. NIST SP 800-131A. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. Technical Report. Gaithersburg, MD, USA. https://doi.org/10.6028/NIST.SP.800-131A. (Cited on pages 143 and 157.)Google Scholar
Barreto, P. S. L. M., and Naehrig, M. 2006. Pairing-Friendly Elliptic Curves of Prime Order. Pages 319331 of: Preneel, B., and Tavares, S. (eds.), SAC 2005. LNCS, vol. 3897. Kingston, Ontario, Canada: Springer, Heidelberg, Germany. (Cited on page 327.)Google Scholar
Barrett, P. 1987. Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor. Pages 311323 of: Odlyzko, A. M. (ed.), CRYPTO’86. LNCS, vol. 263. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 237.)Google Scholar
Bauer, A., and Joux, A. 2007. Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables. Pages 361378 of: Naor, M. (ed.), EUROCRYPT 2007. LNCS, vol. 4515. Barcelona, Spain: Springer, Heidelberg, Germany. (Cited on pages 98 and 103.)Google Scholar
Bellare, M. 1998. PSS: Provably Secure Encoding Method for Digital Signatures. Submission to the IEEE P1363a: Provably Secure Signatures Working Group. (Cited on page 149.)Google Scholar
Bellare, M., and Rogaway, P. 1995. Optimal Asymmetric Encryption. Pages 92111 of: Santis, A. D. (ed.), EUROCRYPT’94. LNCS, vol. 950. Perugia, Italy: Springer, Heidelberg, Germany. (Cited on pages 86, 149, and 225.)Google Scholar
Bellare, M., and Rogaway, P. 1996. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin. Pages 399416 of: Maurer, U. M. (ed.), EUROCRYPT’96. LNCS, vol. 1070. Saragossa, Spain: Springer, Heidelberg, Germany. (Cited on page 154.)Google Scholar
Bentahar, K., and Smart, N. P. 2007. Efficient 15, 360-bit RSA Using Woop-Optimised Montgomery Arithmetic. Pages 346363 of: Galbraith, S. D. (ed.), 11th IMA International Conference on Cryptography and Coding. LNCS, vol. 4887. Cirencester, UK: Springer, Heidelberg, Germany. (Cited on pages 236 and 237.)Google Scholar
Bernstein, D. J. 2006a (September). Elliptic vs. Hyperelliptic, part I. Talk at ECC (slides at http://cr.yp.to/talks/2006.09.20/slides.pdf). (Cited on page 238.)Google Scholar
Bernstein, D. J. 2015. Error-Prone Cryptographic Designs. Real World Cryptography (RWC) invited talk. https://cr.yp.to/talks/2015.01.07/slides-djb-20150107-a4.pdf. (Cited on page 226.)Google Scholar
Bernstein, D. J. 2006b. Curve25519: New Diffie-Hellman Speed Records. Pages 207228 of: Yung, M., Dodis, Y., Kiayias, A., and Malkin, T. (eds.), PKC 2006. LNCS, vol. 3958. New York, NY, USA: Springer, Heidelberg, Germany. (Cited on pages 172 and 242.)Google Scholar
Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang, B.-Y. 2011. High-Speed High-Security Signatures. Pages 124142 of: Preneel, B., and Takagi, T. (eds.), CHES 2011. LNCS, vol. 6917. Nara, Japan: Springer, Heidelberg, Germany. (Cited on page 242.)Google Scholar
Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang, B.-Y. 2012. High-Speed High-Security Signatures. Journal of Cryptographic Engineering, 2(2), 7789. (Cited on page 176.)Google Scholar
Bernstein, D. J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., and van Someren, N. 2013. Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild. Pages 341360 of: Sako, K., and Sarkar, P. (eds.), ASIACRYPT 2013, Part II. LNCS, vol. 8270. Bengalore, India: Springer, Heidelberg, Germany. (Cited on pages 80, 148, and 149.)Google Scholar
Bernstein, D. J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lambooij, E., Lange, T., Niederhagen, R., and van Vredendaal, C. 2015a. How to Manipulate Curve Standards: A White Paper for the Black Hat http://bada55.cr.yp.to. Pages 109139 of: Chen, L., and Matsuo, S. (eds.), Security Standardisation Research - Second International Conference, SSR 2015, Tokyo, Japan, December 15-16, 2015, Proceedings. LNCS, vol. 9497. Springer. (Cited on page 172.)Google Scholar
Bernstein, D. J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., and Wilcox-O’Hearn, Z. 2015b. SPHINCS: Practical Stateless Hash-Based Signatures. Pages 368397 of: Oswald, E., and Fischlin, M. (eds.), EUROCRYPT 2015, Part I. LNCS, vol. 9056. Sofia, Bulgaria: Springer, Heidelberg, Germany. (Cited on page 332.)Google Scholar
Bernstein, D. J., Chuengsatiansup, C., Lange, T., and van Vredendaal, C. 2019. NTRU Prime. Technical Report. National Institute of Standards and Technology. Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions. (Cited on pages 37 and 38.)Google Scholar
Beuchat, J.-L., Perez, L. J. D., Fuentes-Castaneda, L., and Rodriguez-Henriquez, F. 2017. Final Exponentiation. Chap. 7, pages 7–1–7–28 of: El Mrabet, N., and Joye, M. (eds.), Guide to Pairing-Based Cryptography. CRC Press. (Cited on page 310.)Google Scholar
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., and Zinzindohoue, J. K. 2015. A Messy State of the Union: Taming the Composite State Machines of TLS. Pages 535552 of: 2015 IEEE Symposium on Security and Privacy. San Jose, CA, USA: IEEE Computer Society Press. (Cited on page 157.)Google Scholar
Bhargavan, K., and Leurent, G. 2016. Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH. In: NDSS 2016. San Diego, CA, USA: The Internet Society. (Cited on page 202.)Google Scholar
Biasse, J.-F., and Song, F. 2016. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. Pages 893902 of: Krauthgamer, R. (ed.), 27th SODA. Arlington, VA, USA: ACM-SIAM. (Cited on page 38.)Google Scholar
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., and Kirchner, P. 2017. Computing Generator in Cyclotomic Integer Rings - A Subfield Algorithm for the Principal Ideal Problem in and Application to the Cryptanalysis of a FHE Scheme. Pages 6088 of: Coron, J.-S., and Nielsen, J. B. (eds.), EUROCRYPT 2017, Part I. LNCS, vol. 10210. Paris, France: Springer, Heidelberg, Germany. (Cited on page 38.)Google Scholar
Biham, E. 1997. A Fast New DES Implementation in Software. Pages 260272 of: Biham, E. (ed.), FSE’97. LNCS, vol. 1267. Haifa, Israel: Springer, Heidelberg, Germany. (Cited on page 232.)Google Scholar
Biham, E., and Chen, R. 2004. Near-Collisions of SHA-0. Pages 290305 of: Franklin, M. (ed.), CRYPTO 2004. LNCS, vol. 3152. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 189.)Google Scholar
Blake, I. F., Mullin, R. C., and Vanstone, S. A. 1984. Computing Logarithms in GF(2n). Pages 7382 of: Blakley, G. R., and Chaum, D. (eds.), CRYPTO’84. LNCS, vol. 196. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 328.)Google Scholar
Bleichenbacher, D. 1998. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. Pages 112 of: Krawczyk, H. (ed.), CRYPTO’98. LNCS, vol. 1462. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 149 and 151.)Google Scholar
Bleichenbacher, D. 2000. On the Generation of One-Time Keys in DL Signature Schemes. Presentation at IEEE P1363 working group meeting. (Cited on page 180.)Google Scholar
Bleichenbacher, D., and May, A. 2006. New Attacks on RSA with Small Secret CRT-Exponents. Pages 113 of: Yung, M., Dodis, Y., Kiayias, A., and Malkin, T. (eds.), PKC 2006. LNCS, vol. 3958. New York, NY, USA: Springer, Heidelberg, Germany. (Cited on pages 80 and 99.)Google Scholar
Bleichenbacher, D., Bosma, W., and Lenstra, A. K. 1995. Some Remarks on Lucas-Based Cryptosystems. Pages 386396 of: Coppersmith, D. (ed.), CRYPTO’95. LNCS, vol. 963. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 298.)Google Scholar
blockchain. 2015. The Most Repeated R Value on the Blockchain. https://bitcointalk.org/index.php?topic=1118704.0. (Cited on page 177.)Google Scholar
Blömer, J., and May, A. 2005. A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. Pages 251267 of: Cramer, R. (ed.), EUROCRYPT 2005. LNCS, vol. 3494. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on pages 101 and 103.)Google Scholar
Bluestein, L. 1970. A Linear Filtering Approach to the Computation of Discrete Fourier Transform. IEEE Transactions on Audio and Electroacoustics, 18(4), 451455. (Cited on page 282.)Google Scholar
Bluher, A. W. 2004. On xq+1 + ax + b. Finite Fields and Their Applications, 10(3), 285305. (Cited on page 133.)Google Scholar
Blum, L., Blum, M., and Shub, M. 1986. A Simple Unpredictable Pseudo-Random Number Generator. SIAM Journal on Computing, 15(2), 364383. (Cited on page 104.)Google Scholar
Böck, H., Somorovsky, J., and Young, C. 2018. Return Of Bleichenbacher's Oracle Threat (ROBOT). Pages 817849 of: Enck, W., and Felt, A. P. (eds.), USENIX Security 2018. Baltimore, MD, USA: USENIX Association. (Cited on page 151.)Google Scholar
Boneh, D. 1999. Twenty Years of Attacks on the RSA Cryptosystem. Notices of the American Mathematical Society, 46(2), 203213. (Cited on pages 70, 71, and 227.)Google Scholar
Boneh, D., and Durfee, G. 2000. Cryptanalysis of RSA with Private Key d less than N0.292. IEEE Transactions on Information Theory, 46(4), 13391349. (Cited on page 74.)Google Scholar
Boneh, D. 1998. The Decision Diffie-Hellman Problem. In: Third Algorithmic Number Theory Symposium (ANTS). LNCS, vol. 1423. Springer, Heidelberg, Germany. Invited paper. (Cited on pages 162 and 295.)Google Scholar
Boneh, D. 2000. Finding Smooth Integers in Short Intervals using CRT Decoding. Pages 265272 of: 32nd ACM STOC. Portland, OR, USA: ACM Press. (Cited on page 78.)Google Scholar
Boneh, D. 2001. Simplified OAEP for the RSA and Rabin Functions. Pages 275291 of: Kilian, J. (ed.), CRYPTO 2001. LNCS, vol. 2139. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 79 and 86.)Google Scholar
Boneh, D., and Durfee, G. 1999. Cryptanalysis of RSA with Private Key d Less than N0.292. Pages 111 of: Stern, J. (ed.), EUROCRYPT’99. LNCS, vol. 1592. Prague, Czech Republic: Springer, Heidelberg, Germany. (Cited on pages 80, 98, 102, and 104.)Google Scholar
Boneh, D., and Franklin, M. K. 2001. Identity-Based Encryption from the Weil Pairing. Pages 213229 of: Kilian, J. (ed.), CRYPTO 2001. LNCS, vol. 2139. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 67 and 327.)Google Scholar
Boneh, D., and Venkatesan, R. 1996. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes. Pages 129142 of: Koblitz, N. (ed.), CRYPTO’96. LNCS, vol. 1109. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 179.)Google Scholar
Boneh, D., and Venkatesan, R. 1998. Breaking RSA May Not Be Equivalent to Factoring. Pages 5971 of: Nyberg, K. (ed.), EUROCRYPT’98. LNCS, vol. 1403. Espoo, Finland: Springer, Heidelberg, Germany. (Cited on page 141.)Google Scholar
Boneh, D., Halevi, S., and Howgrave-Graham, N. 2001. The Modular Inversion Hidden Number Problem. Pages 3651 of: Boyd, C. (ed.), ASIACRYPT 2001. LNCS, vol. 2248. Gold Coast, Australia: Springer, Heidelberg, Germany. (Cited on pages 80, 104, and 105.)Google Scholar
Bos, J. N. E. 1992. Practical Privacy. PhD thesis, Technische Universiteit Eindhoven. (Cited on page 236.)Google Scholar
Bos, J. W. 2010. High-Performance Modular Multiplication on the Cell Processor. Pages 724 of: Hasan, M. A., and Helleseth, T. (eds.), Workshop on the Arithmetic of Finite Fields – WAIFI 2010. LNCS, vol. 6087. Springer, Heidelberg, Germany. (Cited on pages 6 and 243.)Google Scholar
Bos, J. W., and Kaihara, M. E. 2010. Montgomery Multiplication on the Cell. Pages 477485 of: Wyrzykowski, R., Dongarra, J., Karczewski, K., and Wasniewski, J. (eds.), Parallel Processing and Applied Mathematics – PPAM 2009. LNCS, vol. 6067. Springer, Heidelberg, Germany. (Cited on page 6.)Google Scholar
Bos, J. W., and Kleinjung, T. 2012. ECM at Work. Pages 467484 of: Wang, X., and Sako, K. (eds.), ASIACRYPT 2012. LNCS, vol. 7658. Beijing, China: Springer, Heidelberg, Germany. (Cited on page 325.)Google Scholar
Bos, J. W., Kaihara, M. E., Kleinjung, T., Lenstra, A. K., and Montgomery, P. L. 2009. On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography. Cryptology ePrint Archive, Report 2009/389. http://eprint.iacr.org/2009/389. (Cited on page 143.)Google Scholar
Bos, J. W., Kleinjung, T., and Lenstra, A. K. 2010. On the Use of the Negation Map in the Pollard Rho Method. Pages 6682 of: Hanrot, G., Morain, F., and Thomé, E. (eds.), Algorithmic Number Theory Symposium – ANTS-IX. LNCS, vol. 6197. Springer. (Cited on page 6.)Google Scholar
Bos, J. W., Kleinjung, T., Lenstra, A. K., and Montgomery, P. L. 2011. Efficient SIMD Arithmetic Modulo a Mersenne Number. Pages 213221 of: Antelo, E., Hough, D., and Ienne, P. (eds.), IEEE Symposium on Computer Arithmetic – ARITH-20. IEEE Computer Society. (Cited on pages 3, 6, 243, 247, and 325.)Google Scholar
Bos, J. W., Kaihara, M. E., Kleinjung, T., Lenstra, A. K., and Montgomery, P. L. 2012. Solving a 112-bit Prime Elliptic Curve Discrete Logarithm Problem on Game Consoles Using Sloppy Reduction. International Journal of Applied Cryptography, 2(3), 212228. (Cited on pages 6, 243, and 325.)Google Scholar
Bos, J. W., Costello, C., Hisil, H., and Lauter, K. 2013a. Fast Cryptography in Genus 2. Pages 194210 of: Johansson, T., and Nguyen, P. Q. (eds.), EUROCRYPT 2013. LNCS, vol. 7881. Athens, Greece: Springer, Heidelberg, Germany. (Cited on pages 238 and 241.)Google Scholar
Bos, J. W., Costello, C., Hisil, H., and Lauter, K. 2013b. High-Performance Scalar Multiplication Using 8-Dimensional GLV/GLS Decomposition. Pages 331348 of: Bertoni, G., and Coron, J.-S. (eds.), CHES 2013. LNCS, vol. 8086. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 241.)Google Scholar
Bos, J. W., Lauter, K., Loftus, J., and Naehrig, M. 2013c. Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme. Pages 4564 of: Stam, M. (ed.), 14th IMA International Conference on Cryptography and Coding. LNCS, vol. 8308. Oxford, UK: Springer, Heidelberg, Germany. (Cited on page 37.)Google Scholar
Bos, J. W., Halderman, J. A., Heninger, N., Moore, J., Naehrig, M., and Wustrow, E. 2014a. Elliptic Curve Cryptography in Practice. Pages 157175 of: Christin, N., and Safavi-Naini, R. (eds.), FC 2014. LNCS, vol. 8437. Christ Church, Barbados: Springer, Heidelberg, Germany. (Cited on page 178.)Google Scholar
Bos, J. W., Montgomery, P. L., Shumow, D., and Zaverucha, G. M. 2014b. Montgomery Multiplication Using Vector Instructions. Pages 471489 of: Lange, T., Lauter, K., and Lisonek, P. (eds.), SAC 2013. LNCS, vol. 8282. Burnaby, BC, Canada: Springer, Heidelberg, Germany. (Cited on pages 230, 231, 232, and 234.)Google Scholar
Bos, J. W., Costello, C., and Naehrig, M. 2017. Scalar Multiplication and Exponentiation in Pairing Groups. Chap. 6, pages 6–1–6–23 of: El Mrabet, N., and Joye, M. (eds.), Guide to Pairing-Based Cryptography. CRC Press. (Cited on page 310.)Google Scholar
Bosma, W., Cannon, J., and Playoust, C. 1997. The Magma Algebra System I: The User Language. Journal of Symbolic Computation, 24(3-4), 235265. (Cited on page 128.)Google Scholar
Bosma, W., Hutton, J., and Verheul, E. R. 2002. Looking beyond XTR. Pages 4663 of: Zheng, Y. (ed.), ASIACRYPT 2002. LNCS, vol. 2501. Queenstown, New Zealand: Springer, Heidelberg, Germany. (Cited on page 305.)Google Scholar
Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Emmanuel, T., and Zimmermann, P. 02/12/2019. 795-bit factoring and discrete logarithms. NMBRTHRY list, https://lists.gforge.inria.fr/pipermail/cado-nfs-discuss/2019-December/001139.html. (Cited on page 137.)Google Scholar
Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Thomé, E., and Zimmermann, P. 2020. Comparing the Difficulty of Factorization and Discrete Logarithm: A 240-Digit Experiment. Pages 6291 of: Micciancio, D., and Ristenpart, T. (eds.), CRYPTO 2020, Part II. LNCS, vol. 12171. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 323.)Google Scholar
Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Thomé, E., and Zimmermann, P. 28/02/2020. Factorization of RSA-250. NMBRTHRY list. (Cited on page 138.)Google Scholar
Boyen, X. 2008. The Uber-Assumption Family (Invited Talk). Pages 3956 of: Galbraith, S. D., and Paterson, K. G. (eds.), PAIRING 2008. LNCS, vol. 5209. Egham, UK: Springer, Heidelberg, Germany. (Cited on page 298.)Google Scholar
Brakerski, Z., and Vaikuntanathan, V. 2011. Efficient Fully Homomorphic Encryption from (Standard) LWE. Pages 97106 of: Ostrovsky, R. (ed.), 52nd FOCS. Palm Springs, CA, USA: IEEE Computer Society Press. (Cited on page 16.)Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., and Stehlé, D. 2013. Classical Hardness of Learning with Errors. Pages 575584 of: Boneh, D., Roughgarden, T., and Feigenbaum, J. (eds.), 45th ACM STOC. Palo Alto, CA, USA: ACM Press. (Cited on page 16.)Google Scholar
Brands, S. 1993. An Efficient Off-line Electronic Cash System Based on the Representation Problem. CWI Technical report, CS-R9323. (Cited on page 295.)Google Scholar
Breitner, J., and Heninger, N. 2019. Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies. Pages 320 of: Goldberg, I., and Moore, T. (eds.), FC 2019. LNCS, vol. 11598. Frigate Bay, St. Kitts and Nevis: Springer, Heidelberg, Germany. (Cited on pages 177, 178, and 179.)Google Scholar
Brengel, M., and Rossow, C. 2018. Identifying Key Leakage of Bitcoin Users. Pages 623643 of: Bailey, M., Holz, T., Stamatogiannakis, M., and Ioannidis, S. (eds.), Research in Attacks, Intrusions, and Defenses. Cham: Springer International Publishing. (Cited on page 178.)Google Scholar
Brent, R. P., and Kung, H. T. 1978. Fast Algorithms for Manipulating Formal Power Series. J. ACM, 25(4), 581595. (Cited on pages 278 and 280.)Google Scholar
Brent, R. P., Gaudry, P., Thomé, E., and Zimmermann, P. 2008. Faster Multiplication in GF(2)[x]. Pages 153166 of: van der Poorten, A. J., and Stein, A. (eds.), Algorithmic Number Theory – ANTS-VIII. LNCS, vol. 5011. Springer, Heidelberg, Germany. (Cited on page 285.)Google Scholar
Brillhart, J., Lehmer, D. H., Selfridge, J. L., Tuckerman, B., and Wagstaff, S. S. Jr 2002. Factorizations of bn ± 1,b = 2, 3, 5, 6, 7, 10, 11, 12 up to High Powers. Third edn. Contemporary Mathematics, vol. 22. American Mathematical Society. (Cited on page 77.)Google Scholar
Brouwer, A. E., Pellikaan, R., and Verheul, E. R. 1999. Doing More with Fewer Bits. Pages 321332 of: Lam, K.-Y., Okamoto, E., and Xing, C. (eds.), ASIACRYPT’99. LNCS, vol. 1716. Singapore: Springer, Heidelberg, Germany. (Cited on pages 123, 298, and 305.)Google Scholar
BSI. 2013. Kryptographische Verfahren: Empfehlungen und Schlüssellängen. BSI TR- 02102. Version 2013.2. (Cited on page 315.)Google Scholar
Buhler, J., Lenstra, H. W. Jr, and Pomerance, C. 1993. Factoring Integers with the Number Field Sieve. Pages 5094 of: Lenstra, A. K., and Lenstra, H. W. Jr (eds.), The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554. Springer-Verlag, Berlin, Germany. (Cited on page 61.)Google Scholar
Castellucci, R. 2015. Cracking Cryptocurrency Brainwallets. https://rya.nc/cracking_cryptocurrency_brainwallets.pdf. (Cited on page 177.)Google Scholar
Castellucci, R., and Valsorda, F. 2016. Stealing Bitcoin with Math. https://news.webamooz.com/wp-content/uploads/bot/offsecmag/151.pdf. (Cited on page 178.)Google Scholar
Cavallar, S., Dodson, B., Lenstra, A. K., Leyland, P. C., Lioen, W. M., Montgomery, P. L., Murphy, B., te Riele, H., and Zimmermann, P. 1999. Factorization of RSA-140 Using the Number Field Sieve. Pages 195207 of: Lam, K.-Y., Okamoto, E., and Xing, C. (eds.), ASIACRYPT’99. LNCS, vol. 1716. Singapore: Springer, Heidelberg, Germany. (Cited on pages 3 and 62.)Google Scholar
Cavallar, S., Dodson, B., Lenstra, A. K., Lioen, W. M., Montgomery, P. L., Murphy, B., te Riele, H., Aardal, K., Gilchrist, J., Guillerm, G., Leyland, P. C., Marchand, J., Morain, F., Muffett, A., Putnam, C., Putnam, C., and Zimmermann, P. 2000. Factorization of a 512-Bit RSA Modulus. Pages 118 of: Preneel, B. (ed.), EUROCRYPT 2000. LNCS, vol. 1807. Bruges, Belgium: Springer, Heidelberg, Germany. (Cited on pages 3, 143, and 315.)Google Scholar
Checkoway, S., Niederhagen, R., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D. J., Maskiewicz, J., Shacham, H., and Fredrikson, M. 2014. On the Practical Exploitability of Dual EC in TLS Implementations. Pages 319335 of: Fu, K., and Jung, J. (eds.), USENIX Security 2014. San Diego, CA, USA: USENIX Association. (Cited on page 147.)Google Scholar
Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R.-P., Rescorla, E., and Shacham, H. 2016. A Systematic Analysis of the Juniper Dual EC Incident. Pages 468479 of: Weippl, E. R., Katzenbeisser, S., Kruegel, C., Myers, A. C., and Halevi, S. (eds.), ACM CCS 2016. Vienna, Austria: ACM Press. (Cited on page 147.)Google Scholar
Chen, Y. 2013. Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis, Paris 7. (Cited on page 23.)Google Scholar
Chen, Y., and Nguyen, P. Q. 2011. BKZ 2.0: Better Lattice Security Estimates. Pages 120 of: Lee, D. H., and Wang, X. (eds.), ASIACRYPT 2011. LNCS, vol. 7073. Seoul, South Korea: Springer, Heidelberg, Germany. (Cited on pages 20, 23, 25, 27, and 330.)Google Scholar
Cheon, J. H., Jeong, J., and Lee, C. 2016. An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low-Level Encoding of Zero. LMS Journal of Computation and Mathematics, 19(A), 255266. (Cited on pages 35 and 36.)Google Scholar
Chevallier-Mames, B., Joye, M., and Paillier, P. 2003. Faster Double-Size Modular Multiplication from Euclidean Multipliers. Pages 214227 of: Walter, C. D., Koç, Ç. K., and Paar, C. (eds.), CHES 2003. LNCS, vol. 2779. Cologne, Germany: Springer, Heidelberg, Germany. (Cited on page 236.)Google Scholar
Chrome Platform Status. 2017. Chrome Platform Status: Remove DHE-Based Ciphers. https://www.chromestatus.com/feature/5128908798164992. (Cited on pages 157, 158, and 170.)Google Scholar
Cohen, H., and Lenstra, A. K. 1987. Supplement to Implementation of a New Primality Test. Mathematics of Computation, 48(177), S1–S4. (Cited on page 306.)Google Scholar
Cohen, H. 1993. A Course in Computational Algebraic Number Theory. Springer, Heidelberg, Germany. (Cited on page 290.)Google Scholar
Cohn, H., and Heninger, N. 2011. Ideal Forms of Coppersmith's Theorem and Guruswami-Sudan List Decoding. Pages 298308 of: Chazelle, B. (ed.), ICS 2011. Tsinghua University, Beijing, China: Tsinghua University Press. (Cited on page 78.)Google Scholar
Cohney, S., Kwong, A., Paz, S., Genkin, D., Heninger, N., Ronen, E., and Yarom, Y. 2020. Pseudorandom Black Swans: Cache Attacks on CTR_DRBG. Pages 12411258 of: 2020 IEEE Symposium on Security and Privacy. San Francisco, CA, USA: IEEE Computer Society Press. (Cited on page 147.)Google Scholar
Cohney, S. N., Green, M. D., and Heninger, N. 2018. Practical State Recovery Attacks against Legacy RNG Implementations. Pages 265280 of: Lie, D., Mannan, M., Backes, M., and Wang, X. (eds.), ACM CCS 2018. Toronto, ON, Canada: ACM Press. (Cited on page 147.)Google Scholar
Commeine, A., and Semaev, I. 2006. An Algorithm to Solve the Discrete Logarithm Problem with the Number Field Sieve. Pages 174190 of: Yung, M., Dodis, Y., Kiayias, A., and Malkin, T. (eds.), PKC 2006. LNCS, vol. 3958. New York, NY, USA: Springer, Heidelberg, Germany. (Cited on page 159.)Google Scholar
Comodo Fraud Incident. 2011. Comodo Fraud Incident. https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html. (Cited on page 154.)Google Scholar
Cooley, J. W., and Tukey, J. W. 1965. An Algorithm for the Machine Calculation of Complex Fourier Series. Mathematics of Computation, 19, 297301. (Cited on page 259.)Google Scholar
Coppersmith, D. 1984a. Evaluating Logarithms in GF(2n). Pages 201207 of: 16th ACM STOC. Washington, DC, USA: ACM Press. (Cited on pages 131 and 138.)Google Scholar
Coppersmith, D. 1984b. Fast Evaluation of Logarithms in Fields of Characteristic Two. IEEE Transactions on Information Theory, 30(4), 587594. (Cited on pages 131 and 328.)Google Scholar
Coppersmith, D. 1996a. Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. Pages 178189 of: Maurer, U. M. (ed.), EUROCRYPT’96. LNCS, vol. 1070. Saragossa, Spain: Springer, Heidelberg, Germany. (Cited on pages 4, 15, 74, 79, and 84.)Google Scholar
Coppersmith, D. 1996b. Finding a Small Root of a Univariate Modular Equation. Pages 155165 of: Maurer, U. M. (ed.), EUROCRYPT’96. LNCS, vol. 1070. Saragossa, Spain: Springer, Heidelberg, Germany. (Cited on pages 4, 74, and 79.)Google Scholar
Coppersmith, D. 1997. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology, 10(4), 233260. (Cited on pages 74, 79, 84, 145, and 148.)Google Scholar
Coppersmith, D., and Shamir, A. 1997. Lattice Attacks on NTRU. Pages 5261 of: Fumy, W. (ed.), EUROCRYPT’97. LNCS, vol. 1233. Konstanz, Germany: Springer, Heidelberg, Germany. (Cited on page 35.)Google Scholar
Courtois, N. T., Emirdag, P., and Valsorda, F. 2014. Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events. Cryptology ePrint Archive, Report 2014/848. http://eprint.iacr.org/2014/848. (Cited on page 178.)Google Scholar
Couveignes, J.-M. 2006. Hard Homogeneous Spaces. Cryptology ePrint Archive, Report 2006/291. http://eprint.iacr.org/2006/291. (Cited on page 297.)Google Scholar
Couveignes, J. M., and Lercier, R. 2009. Elliptic Periods for Finite Fields. Finite Fields and Their Applications, 15(1), 122. (Cited on page 136.)Google Scholar
Cowie, J., Dodson, B., Elkenbracht-Huizing, R. M., Lenstra, A. K., Montgomery, P. L., and Zayer, J. 1996. A World Wide Number Field Sieve Factoring Record: On to 512 Bits. Pages 382394 of: Kim, K., and Matsumoto, T. (eds.), ASIACRYPT’96. LNCS, vol. 1163. Kyongju, Korea: Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Crandall, R., and Pomerance, C. 2005. Prime Numbers: A Computational Perspective. Second edn. New York: Springer-Verlag. (Cited on pages 58, 62, and 67.)Google Scholar
Crandall, R. E. 1992 (October). Method and Apparatus for Public Key Exchange in a Cryptographic System. US Patent 5,159,632. (Cited on pages 239 and 242.)Google Scholar
CrySyS Lab. 2012 (May 31,). sKyWIper (a.k.a. Flame a.k.a. Flamer): A Complex Malware for Targeted Attacks. Laboratory of Cryptography and System Security, Budapest University of Technology and Economics: http://www.crysys.hu/skywiper/skywiper.pdf. (Cited on page 198.)Google Scholar
CVE. 2015. CVE-2015-3240. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3240. (Cited on page 165.)Google Scholar
Dachman-Soled, D., Ducas, L., Gong, H., and Rossi, M. 2020. LWE with Side Information: Attacks and Concrete Security Estimation. Cryptology ePrint Archive, Report 2020/292. https://eprint.iacr.org/2020/292. (Cited on pages 33, 34, 35, and 40.)Google Scholar
Damgård, I. 1990. A Design Principle for Hash Functions. Pages 416427 of: Brassard, G. (ed.), CRYPTO’89. LNCS, vol. 435. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 183.)Google Scholar
Dash, A., Sarmah, D., Behera, B. K., and Panigrahi, P. K. 2018. Exact Search Algorithm to Factorize Large Biprimes and a Triprime on IBM Quantum Computer. https://arxiv.org/abs/1805.10478. (Cited on page 330.)Google Scholar
Daum, M., and Lucks, S. 2005 (June). Attacking Hash Functions by Poisoned Messages, “The Story of Alice and her Boss”. https://web.archive.org/web/20160713130211/http://th.informatik.uni-mannheim.de:80/people/lucks/HashCollisions/. (Cited on page 205.)Google Scholar
De Cannière, C., and Rechberger, C. 2006. Finding SHA-1 Characteristics: General Results and Applications. Pages 120 of: Lai, X., and Chen, K. (eds.), ASIACRYPT 2006. LNCS, vol. 4284. Shanghai, China: Springer, Heidelberg, Germany. (Cited on page 189.)Google Scholar
Delignat-Lavaud, A. 2014. Mozilla Foundation Security Advisory 2014-73:RSA Signature Forgery in NSS. https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/. (Cited on page 153.)Google Scholar
den Boer, B., and Bosselaers, A. 1994. Collisions for the Compressin Function of MD5. Pages 293304 of: Helleseth, T. (ed.), EUROCRYPT’93. LNCS, vol. 765. Lofthus, Norway: Springer, Heidelberg, Germany. (Cited on page 183.)Google Scholar
Dennis, J. E., and Schnabel, R. B. 1983. Numerical Methods for Unconstrained Optimization and Nonlinear Equations. Computational Mathematics. Prentice-Hall, Hoboken, NJ, USA. (Cited on page 77.)Google Scholar
Denny, T. F., Dodson, B., Lenstra, A. K., and Manasse, M. S. 1994. On the Factorization of RSA-120. Pages 166174 of: Stinson, D. R. (ed.), CRYPTO’93. LNCS, vol. 773. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Dickman, K. 1930. On the Frequency of Numbers Containing Prime Factors of a Certain Relative Magnitude. Arkiv för Matatematik, Astronomi och Fysik, 22A, 10, 114. (Cited on pages 66 and 76.)Google Scholar
Diem, C. 2011. On the Discrete Logarithm Problem in Elliptic Curves. Compositio Mathematica, 147, 75104. (Cited on pages 118 and 326.)Google Scholar
Diem, C. 2013. On the discrete logarithm problem in elliptic curves II. Algebra Number Theory, 7(6), 12811323. (Cited on page 118.)Google Scholar
Dierks, T., and Rescorla, E. 2006 (Apr.). The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346. RFC Editor. https://www.rfc-editor.org/info/rfc4346. (Cited on page 141.)Google Scholar
Dierks, T., and Rescorla, E. 2008 (Aug.). The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246. RFC Editor. https://www.rfc-editor.org/info/rfc5246. (Cited on pages 141, 150, 155, and 156.)Google Scholar
Dierks, T., and Allen, C. 1999 (Jan.). RFC 2246 - The TLS Protocol Version 1.0. Internet Activities Board. (Cited on pages 149 and 154.)Google Scholar
Diffie, W., and Hellman, M. E. 1976. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6), 644654. (Cited on pages 47, 48, 106, 122, 155, and 293.)Google Scholar
Diffie, W., and Hellman, M. E. 1977. Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard. IEEE Computer, 10(6), 7484. (Cited on page 316.)Google Scholar
Dixon, B., and Lenstra, A. K. 1994. Factoring Integers Using SIMD Sieves. Pages 2839 of: Helleseth, T. (ed.), EUROCRYPT’93. LNCS, vol. 765. Lofthus, Norway: Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Dixon, J. D. 1981. Asymptotically Fast Factorization of Integers. Mathematics of Computation, 36, 255260. (Cited on pages 68 and 69.)Google Scholar
Dodson, B., and Lenstra, A. K. 1995. NFS with Four Large Primes: An Explosive Experiment. Pages 372385 of: Coppersmith, D. (ed.), CRYPTO’95. LNCS, vol. 963. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Ducas, L., Durmus, A., Lepoint, T., and Lyubashevsky, V. 2013. Lattice Signatures and Bimodal Gaussians. Pages 4056 of: Canetti, R., and Garay, J. A. (eds.), CRYPTO 2013, Part I. LNCS, vol. 8042. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 35.)Google Scholar
Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., and Stehlé, D. 2018. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. IACR TCHES, 2018(1), 238268. https://tches.iacr.org/index.php/TCHES/article/view/839. (Cited on pages 26 and 27.)Google Scholar
Düll, M., Haase, B., Hinterwälder, G., Hutter, M., Paar, C., Sánchez, A. H., and Schwabe, P. 2015. High-speed Curve25519 on 8-bit, 16-bit and 32-bit Microcontrollers. Design, Codes and Cryptography, 77(2), 493514. (Cited on page 243.)Google Scholar
Dumas, J.-G., Giorgi, P., and Pernet, C. 2008. Dense Linear Algebra over Word-Size Prime Fields: the FFLAS and FFPACK Packages. ACM Transactions on Mathematical Software, 35(3), 142. (Cited on page 288.)Google Scholar
Dummit, D. S., and Foote, R. M. 2004. Abstract Algebra. Third edn. New York: John Wiley & Sons. (Cited on page 58.)Google Scholar
Duquesne, S., Mrabet, N. E., Haloui, S., Robert, D., and Rondepierre, F. 2017. Choosing Parameters. Chap. 10, pages 10–1–10–22 of: El Mrabet, N., and Joye, M. (eds.), Guide to Pairing-Based Cryptography. CRC Press. (Cited on page 311.)Google Scholar
Durumeric, Z., Wustrow, E., and Halderman, J. A. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. Pages 605620 of: King, S. T. (ed.), USENIX Security 2013. Washington, DC, USA: USENIX Association. (Cited on page 146.)Google Scholar
Durumeric, Z., Adrian, D., Mirian, A., Kasten, J., Bursztein, E., Lidzborski, N., Thomas, K., Eranti, V., Bailey, M., and Halderman, J. A. 2015. Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security. Pages 2739 of: Proceedings of the 2015 Internet Measurement Conference. IMC. New York, NY, USA: Association for Computing Machinery. (Cited on page 144.)Google Scholar
Duursma, I. M., and Lee, H.-S. 2003. Tate Pairing Implementation for Hyperelliptic Curves y2 = xpx + d. Pages 111123 of: Laih, C.-S. (ed.), ASIACRYPT 2003. LNCS, vol. 2894. Taipei, Taiwan: Springer, Heidelberg, Germany. (Cited on page 310.)Google Scholar
Duvillard, L. 2019. Arjen Lenstra, la craie, le tableau noir et le tournevis. https://actu.epfl.ch/news/arjen-lenstra-la-craie-le-tableau-noir-et-le-tourn. (Cited on page 8.)Google Scholar
ECRYPT, and Smart, N. P. 2018. Algorithms, Key Size and Protocols Report. https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf. (Cited on pages 313 and 333.)Google Scholar
Edge, J. 2014 (July). A system call for random numbers: getrandom(). https://lwn.net/Articles/606141/. (Cited on page 147.)Google Scholar
Edlinger, B. 2019. Change DH parameters to generate the order q subgroup instead of 2q. https://github.com/openssl/openssl/pull/9363. (Cited on page 162.)Google Scholar
ElGamal, T. 1984. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Pages 1018 of: Blakley, G. R., and Chaum, D. (eds.), CRYPTO’84. LNCS, vol. 196. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 156.)Google Scholar
ElGamal, T. 1985. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31, 469472. (Cited on pages 122 and 295.)Google Scholar
Ernst, M., Jochemsz, E., May, A., and de Weger, B. 2005. Partial Key Exposure Attacks on RSA up to Full Size Exponents. Pages 371386 of: Cramer, R. (ed.), EUROCRYPT 2005. LNCS, vol. 3494. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on page 98.)Google Scholar
Estibals, N. 2010. Compact Hardware for Computing the Tate Pairing over 128-Bit-Security Supersingular Curves. Pages 397416 of: Joye, M., Miyaji, A., and Otsuka, A. (eds.), PAIRING 2010. LNCS, vol. 6487. Yamanaka Hot Spring, Japan: Springer, Heidelberg, Germany. (Cited on page 67.)Google Scholar
Faugère, J.-C. 1999. A New Efficient Algorithm for Computing Gröbner Bases (F4). Journal of Pure and Applied Algebra, 139 (1-3), 6188. (Cited on page 129.)Google Scholar
Ferguson, N., Schneier, B., and Kohno, T. 2010. Cryptography Engineering: Design Principles and Practical Applications. Wiley, New Jersey, United States. (Cited on page 236.)Google Scholar
Fillinger, M., and Stevens, M. 2015. Reverse-Engineering of the Cryptanalytic Attack Used in the Flame Super-Malware. Pages 586611 of: Iwata, T., and Cheon, J. H. (eds.), ASIACRYPT 2015, Part II. LNCS, vol. 9453. Auckland, New Zealand: Springer, Heidelberg, Germany. (Cited on pages 188, 189, 212, and 219.)Google Scholar
Finney, H. 2006. Bleichenbacher's RSA Signature Forgery Based on Implementation Error. https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE. (Cited on pages 145 and 152.)Google Scholar
Fischer, W., and Seifert, J.-P. 2003. Increasing the Bitlength of a Crypto-Coprocessor. Pages 7181 of: Kaliski, B. S. Jr, Koç, Ç. K., and Paar, C. (eds.), CHES 2002. LNCS, vol. 2523. Redwood Shores, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 236 and 237.)Google Scholar
Flynn, M. J. 1972. Some Computer Organizations and Their Effectiveness. IEEE Transactions on Computers, C-21(9), 948960. (Cited on page 230.)Google Scholar
Fousse, L., Hanrot, G., Lefèvre, V., Pélissier, P., and Zimmermann, P. 2007. MPFR: A Multiple-Precision Binary Floating-Point Library with Correct Rounding. ACM Transactions on Mathematical Software, 33(2), 13. (Cited on page 291.)Google Scholar
Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., and Stahlke, C. 2005. SHARK: A Realizable Special Hardware Sieving Device for Factoring 1024-Bit Integers. Pages 119130 of: Rao, J. R., and Sunar, B. (eds.), CHES 2005. LNCS, vol. 3659. Edinburgh, UK: Springer, Heidelberg, Germany. (Cited on page 324.)Google Scholar
Frey, G., and Ruck, H. 1994. A Remark Considering m-Divisibility in the Divisor Class Group of Curves. Mathematics of Computation, 62(206), 865874. (Cited on page 116.)Google Scholar
Fried, J. 2020. Personal communication. (Cited on page 160.)Google Scholar
Fried, J., Gaudry, P., Heninger, N., and Thomé, E. 2017. A Kilobit Hidden SNFS Discrete Logarithm Computation. Pages 202231 of: Coron, J.-S., and Nielsen, J. B. (eds.), EUROCRYPT 2017, Part I. LNCS, vol. 10210. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 169, 170, and 323.)Google Scholar
Friedl, M., Provos, N., and Simpson, W. 2006 (Mar.). Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4419. RFC Editor. https://www.rfc-editor.org/info/rfc4419. (Cited on pages 156, 160, and 168.)Google Scholar
Galbraith, S. D., Paterson, K. G., and Smart, N. P. 2006. Pairings for Cryptographers. Cryptology ePrint Archive, Report 2006/165. http://eprint.iacr.org/2006/165. (Cited on page 309.)Google Scholar
Galbraith, S. D. 2001. Supersingular Curves in Cryptography. Pages 495513 of: Boyd, C. (ed.), ASIACRYPT 2001. LNCS, vol. 2248. Gold Coast, Australia: Springer, Heidelberg, Germany. (Cited on page 310.)Google Scholar
Galbraith, S. D. 2012. Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge, UK. (Cited on page 304.)Google Scholar
Galbraith, S. D., and Gebregiyorgis, S. W. 2014. Summation Polynomial Algorithms for Elliptic Curves in Characteristic Two. Pages 409427 of: Meier, W., and Mukhopadhyay, D. (eds.), INDOCRYPT 2014. LNCS, vol. 8885. New Delhi, India: Springer, Heidelberg, Germany. (Cited on page 117.)Google Scholar
Galbraith, S. D., and Scott, M. 2008. Exponentiation in Pairing-Friendly Groups Using Homomorphisms. Pages 211224 of: Galbraith, S. D., and Paterson, K. G. (eds.), PAIRING 2008. LNCS, vol. 5209. Egham, UK: Springer, Heidelberg, Germany. (Cited on page 311.)Google Scholar
Galbraith, S. D., Hess, F., and Smart, N. P. 2002. Extending the GHS Weil Descent Attack. Pages 2944 of: Knudsen, L. R. (ed.), EUROCRYPT 2002. LNCS, vol. 2332. Amsterdam, The Netherlands: Springer, Heidelberg, Germany. (Cited on page 117.)Google Scholar
Galbraith, S. D., Hess, F., and Vercauteren, F. 2008. Aspects of Pairing Inversion. IEEE Transactions of Information Theory, 54(12), 57195728. (Cited on page 309.)Google Scholar
Gallant, R. P., Lambert, R. J., and Vanstone, S. A. 2001. Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms. Pages 190200 of: Kilian, J. (ed.), CRYPTO 2001. LNCS, vol. 2139. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 301.)Google Scholar
Gama, N., and Nguyen, P. Q. 2008a. Finding Short Lattice Vectors within Mordell's Inequality. Pages 207216 of: Ladner, R. E., and Dwork, C. (eds.), 40th ACM STOC. Victoria, BC, Canada: ACM Press. (Cited on pages 15 and 19.)Google Scholar
Gama, N., and Nguyen, P. Q. 2008b. Predicting Lattice Reduction. Pages 3151 of: Smart, N. P. (ed.), EUROCRYPT 2008. LNCS, vol. 4965. Istanbul, Turkey: Springer, Heidelberg, Germany. (Cited on pages 19 and 30.)Google Scholar
Gardner, M. August, 1977. A New Kind of Cipher that would take Millions of Years to Break. Scientific American, 120124. (Cited on pages 49 and 320.)Google Scholar
Garg, S., Gentry, C., and Halevi, S. 2013. Candidate Multilinear Maps from Ideal Lattices. Pages 117 of: Johansson, T., and Nguyen, P. Q. (eds.), EUROCRYPT 2013. LNCS, vol. 7881. Athens, Greece: Springer, Heidelberg, Germany. (Cited on page 37.)Google Scholar
Garman, C., Green, M., Kaptchuk, G., Miers, I., and Rushanan, M. 2016. Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage. Pages 655672 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on page 150.)Google Scholar
Gaudry, P. 2009. Index Calculus for Abelian Varieties of small Dimension and the Elliptic Curve Discrete Logarithm Problem. Journal of Symbolic Computation, 44, 16901702. (Cited on pages 117, 125, and 326.)Google Scholar
Gaudry, P., and Schost, É. 2012. Genus 2 Point Counting over Prime Fields. Journal of Symbolic Computation, 47(4), 368400. (Cited on page 238.)Google Scholar
Gaudry, P., Hess, F., and Smart, N. P. 2002. Constructive and Destructive Facets of Weil Descent on Elliptic Curves. Journal of Cryptology, 15(1), 1946. (Cited on pages 117 and 326.)Google Scholar
Gauss, C. F. 1965. Disquisitiones Arithmeticae. Translated by A. A. Clarke. Yale University Press, New Haven, CT, USA. (Cited on page 106.)Google Scholar
Gebhardt, M., Illies, G., and Schindler, W. 2006. A Note on the Practical Value of Single Hash Collisions for Special File Formats. Pages 333344 of: Sicherheit. LNI, vol. P-77. GI. (Cited on pages 184 and 205.)Google Scholar
Geiselmann, W., and Steinwandt, R. 2003. A Dedicated Sieving Hardware. Pages 254266 of: Desmedt, Y. (ed.), PKC 2003. LNCS, vol. 2567. Miami, FL, USA: Springer, Heidelberg, Germany. (Cited on page 324.)Google Scholar
Geiselmann, W., and Steinwandt, R. 2004. Yet Another Sieving Device. Pages 278291 of: Okamoto, T. (ed.), CT-RSA 2004. LNCS, vol. 2964. San Francisco, CA, USA: Springer, Heidelberg, Germany. (Cited on page 324.)Google Scholar
Gentry, C., and Szydlo, M. 2002. Cryptanalysis of the Revised NTRU Signature Scheme. Pages 299320 of: Knudsen, L. R. (ed.), EUROCRYPT 2002. LNCS, vol. 2332. Amsterdam, The Netherlands: Springer, Heidelberg, Germany. (Cited on pages 35 and 36.)Google Scholar
Gentry, C., Peikert, C., and Vaikuntanathan, V. 2008. Trapdoors for Hard Lattices and New Cryptographic Constructions. Pages 197206 of: Ladner, R. E., and Dwork, C. (eds.), 40th ACM STOC. Victoria, BC, Canada: ACM Press. (Cited on page 16.)Google Scholar
Giacomelli, I., Madsen, J., and Orlandi, C. 2016. ZKBoo: Faster Zero-Knowledge for Boolean Circuits. Pages 10691083 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on page 332.)Google Scholar
Gillmor, D. 2016 (Aug.). Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). RFC 7919. RFC Editor. https://www.rfc-editor.org/info/rfc7919. (Cited on pages 154, 156, 158, 159, 160, and 170.)Google Scholar
Gilmore(Ed.), J. 1998. Cracking DES: Secrets of Encryption Research, Wire-tap Politics and Chip Design. Electronic Frontier Foundation, O’Reilly & Associates, Sebastopol, CA, USA. (Cited on page 316.)Google Scholar
Girault, M., Toffin, P., and Vallée, B. 1990. Computation of Approximate L-th Roots Modulo n and Application to Cryptography. Pages 100117 of: Goldwasser, S. (ed.), CRYPTO’88. LNCS, vol. 403. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 79.)Google Scholar
Goldberg, D. 1991. What Every Computer Scientist Should Know About Floating Point Arithmetic. ACM Computing Surveys, 23(1), 548. (Cited on page 252.)Google Scholar
Golliver, R. A., Lenstra, A. K., and McCurley, K. S. 1994. Lattice Sieving and Trial Division. Pages 1827 of: Adleman, L. M., and Huang, M. A. (eds.), Algorithmic Number Theory, First International Symposium – ANTS-I. LNCS, vol. 877. Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Göloglu, F., and Joux, A. 2019. A Simplified Approach to Rigorous Degree 2 Elimination in Discrete Logarithm Algorithms. Mathematics of Computation, 88(319), 24852496. (Cited on page 136.)Google Scholar
Göloglu, F., Granger, R., McGuire, G., and Zumbrägel, J. 2013. On the Function Field Sieve and the Impact of Higher Splitting Probabilities — Application to Discrete Logarithms in and . Pages 109128 of: Canetti, R., and Garay, J. A. (eds.), CRYPTO 2013, Part II. LNCS, vol. 8043. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 130, 132, 135, 137, and 328.)Google Scholar
Göloglu, F., Granger, R., McGuire, G., and Zumbrägel, J. 2014. Solving a 6120-bit DLP on a Desktop Computer. Pages 136152 of: Lange, T., Lauter, K., and Lisonek, P. (eds.), SAC 2013. LNCS, vol. 8282. Burnaby, BC, Canada: Springer, Heidelberg, Germany. (Cited on pages 130, 135, and 137.)Google Scholar
Gong, G., and Harn, L. 1999. Public-Key Cryptosystems based on Cubic Finite Field Extensions. IEEE Transactions on Information Theory, 45(7), 26012605. (Cited on page 298.)Google Scholar
Gong, G., Harn, L., and Wu, H. 2001. The GH Public-Key Cryptosystem. Pages 284300 of: Vaudenay, S., and Youssef, A. M. (eds.), SAC 2001. LNCS, vol. 2259. Toronto, Ontario, Canada: Springer, Heidelberg, Germany. (Cited on page 298.)Google Scholar
Göpfert, F., and Yakkundimath, A. 2015. Darmstadt LWE Challenges. https://www.latticechallenge.org/lwe_challenge/challenge.php. Accessed: 15-08-2018. (Cited on page 33.)Google Scholar
Gordon, D. M. 1998. A Survey of Fast Exponentiation Methods. Journal of Algorithms, 27, 129146. (Cited on page 226.)Google Scholar
Gordon, D. M. 1993. Designing and Detecting Trapdoors for Discrete Log Cryptosystems. Pages 6675 of: Brickell, E. F. (ed.), CRYPTO’92. LNCS, vol. 740. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 169.)Google Scholar
Gordon, D. M., and McCurley, K. S. 1993. Massively Parallel Computation of Discrete Logarithms. Pages 312323 of: Brickell, E. F. (ed.), CRYPTO’92. LNCS, vol. 740. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 138.)Google Scholar
Granger, R., Page, D., and Stam, M. 2006a. On Small Characteristic Algebraic Tori in Pairing-Based Cryptography. LMS Journal of Computation and Mathematics, 9, 6485. (Cited on page 310.)Google Scholar
Granger, R., and Lenstra, A. K. 2013. Personal communication between Robert Granger and Arjen K. Lenstra. (Cited on page 123.)Google Scholar
Granger, R., and Scott, M. 2010. Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions. Pages 209223 of: Nguyen, P. Q., and Pointcheval, D. (eds.), PKC 2010. LNCS, vol. 6056. Paris, France: Springer, Heidelberg, Germany. (Cited on page 307.)Google Scholar
Granger, R., and Stam, M. 2005. Personal communication between Robert Granger and Martijn Stam. (Cited on page 123.)Google Scholar
Granger, R., and Vercauteren, F. 2005. On the Discrete Logarithm Problem on Algebraic Tori. Pages 6685 of: Shoup, V. (ed.), CRYPTO 2005. LNCS, vol. 3621. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 124, 125, 126, 128, 130, 132, 313, and 328.)Google Scholar
Granger, R., Kleinjung, T., Lenstra, A. K., Wesolowski, B., and Zumbrägel, J. 10/07/2019. Discrete Logarithms in GF(230750). NMBRTHRY list. (Cited on page 137.)Google Scholar
Granger, R., Page, D., and Stam, M. 2004. A Comparison of CEILIDH and XTR. Pages 235249 of: Buell, D. A. (ed.), Algorithmic Number Theory – ANTS. LNCS, vol. 3076. Springer, Heidelberg, Germany. (Cited on page 307.)Google Scholar
Granger, R., Page, D., and Stam, M. 2005. Hardware and Software Normal Basis Arithmetic for Pairing-Based Cryptography in Characteristic Three. IEEE Transactions on Computers, 54(7), 852860. (Cited on page 310.)Google Scholar
Granger, R., Page, D., and Smart, N. P. 2006b. High Security Pairing-Based Cryptography Revisited. Pages 480494 of: Hess, F., Pauli, S., and Pohst, M. E. (eds.), Algorithmic Number Theory – ANTS. LNCS, vol. 4076. Springer, Heidelberg, Germany. (Cited on page 309.)Google Scholar
Granger, R., Kleinjung, T., and Zumbrägel, J. 2014a. Breaking ‘128-bit Secure’ Supersingular Binary Curves - (Or How to Solve Discrete Logarithms in and ). Pages 126145 of: Garay, J. A., and Gennaro, R. (eds.), CRYPTO 2014, Part II. LNCS, vol. 8617. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 130, 132, and 137.)Google Scholar
Granger, R., Kleinjung, T., and Zumbrägel, J. 2014b. On the Powers of 2. Cryptology ePrint Archive, Report 2014/300. http://eprint.iacr.org/2014/300. (Cited on pages 130 and 137.)Google Scholar
Granger, R., Kleinjung, T., and Zumbrägel, J. 2018a. Indiscreet Logarithms in Finite Fields of Small Characteristic. Advances in Mathematics of Communications, 12(2), 263286. (Cited on pages 122, 131, and 135.)Google Scholar
Granger, R., Kleinjung, T., and Zumbrägel, J. 2018b. On the discrete logarithm problem in finite fields of fixed characteristic. Transactions of the American Mathematical Society, 370, 31293145. (Cited on pages 130, 132, 136, 137, and 328.)Google Scholar
Granlund, T., and the GMP development team. 2002. GNU MP: The GNU Multiple Precision Arithmetic Library. http://gmplib.org/. (Cited on page 252.)Google Scholar
Granville, A. 2005. It is Easy to Determine whether a Given Integer is Prime. Bulletin of the American Mathematical Society, 42, 338. (Cited on page 47.)Google Scholar
Gruber, P. M., and Lekkerkerker, C. G. 1987. Geometry of numbers. Second edn. North-Holland Mathematical Library, vol. 37. North-Holland Publishing Co., Amsterdam. (Cited on page 82.)Google Scholar
Gueron, S. 2003. Enhanced Montgomery Multiplication. Pages 4656 of: Kaliski, B. S. Jr, Koç, Ç. K., and Paar, C. (eds.), CHES 2002. LNCS, vol. 2523. Redwood Shores, CA, USA: Springer, Heidelberg, Germany. (Cited on page 234.)Google Scholar
Guillevic, A. 2020a. Pairing-Friendly Curves. https://members.loria.fr/AGuillevic/pairing-friendly-curves. (Cited on page 311.)Google Scholar
Guillevic, A. 2020b. A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-Bit Security Level. Pages 535564 of: Kiayias, A., Kohlweiss, M., Wallden, P., and Zikas, V. (eds.), PKC 2020, Part II. LNCS, vol. 12111. Edinburgh, UK: Springer, Heidelberg, Germany. (Cited on page 329.)Google Scholar
Hachez, G., and Quisquater, J.-J. 2000. Montgomery Exponentiation with no Final Subtractions: Improved Results. Pages 293301 of: Koç, Ç. K., and Paar, C. (eds.), CHES 2000. LNCS, vol. 1965. Worcester, Massachusetts, USA: Springer, Heidelberg, Germany. (Cited on page 234.)Google Scholar
Halevi, S., and Shoup, V. 2014. Algorithms in HElib. Pages 554571 of: Garay, J. A., and Gennaro, R. (eds.), CRYPTO 2014, Part I. LNCS, vol. 8616. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 281.)Google Scholar
Hamburg, M. 2012. Fast and Compact Elliptic-Curve Cryptography. Cryptology ePrint Archive, Report 2012/309. http://eprint.iacr.org/2012/309. (Cited on page 241.)Google Scholar
Han, D.-G., Lim, J., and Sakurai, K. 2004. On Security of XTR Public Key Cryptosystems Against Side Channel Attacks. Pages 454465 of: Wang, H., Pieprzyk, J., and Varadharajan, V. (eds.), ACISP 04. LNCS, vol. 3108. Sydney, NSW, Australia: Springer, Heidelberg, Germany. (Cited on page 302.)Google Scholar
Hanrot, G., Pujol, X., and Stehlé, D. 2011a. Analyzing Blockwise Lattice Algorithms Using Dynamical Systems. Pages 447464 of: Rogaway, P. (ed.), CRYPTO 2011. LNCS, vol. 6841. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 18 and 19.)Google Scholar
Hanrot, G., Pujol, X., and Stehlé, D. 2011b. Terminating BKZ. Cryptology ePrint Archive, Report 2011/198. http://eprint.iacr.org/2011/198. (Cited on page 19.)Google Scholar
Harkins, D., and Carrel, D. 1998. The Internet Key Exchange (IKE). IETF RFC 2409 (Proposed Standard). (Cited on pages 152, 154, 155, 156, and 158.)Google Scholar
Hars, L. 2004. Long Modular Multiplication for Cryptographic Applications. Pages 4561 of: Joye, M., and Quisquater, J.-J. (eds.), CHES 2004. LNCS, vol. 3156. Cambridge, Massachusetts, USA: Springer, Heidelberg, Germany. (Cited on page 229.)Google Scholar
Harvey, D. 2014. Faster Arithmetic for Number-Theoretic Transforms. Journal of Symbolic Computation, 60, 113119. (Cited on page 267.)Google Scholar
Håstad, J. 1986. On Using RSA with Low Exponent in a Public Key Network. Pages 403408 of: Williams, H. C. (ed.), CRYPTO’85. LNCS, vol. 218. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 79, 81, 86, and 227.)Google Scholar
Hastings, M., Fried, J., and Heninger, N. 2016. Weak Keys Remain Widespread in Network Devices. Pages 4963 of: Proceedings of the 2016 Internet Measurement Conference. IMC. New York, NY, USA: Association for Computing Machinery. (Cited on page 148.)Google Scholar
Hawkes, P., Paddon, M., and Rose, G. G. 2004. Musings on the Wang et al. MD5 Collision. Cryptology ePrint Archive, Report 2004/264. http://eprint.iacr.org/2004/264. (Cited on page 317.)Google Scholar
Hayashi, T., Shinohara, N., Wang, L., Matsuo, S., Shirase, M., and Takagi, T. 2010. Solving a 676-Bit Discrete Logarithm Problem in GF(36n). Pages 351367 of: Nguyen, P. Q., and Pointcheval, D. (eds.), PKC 2010. LNCS, vol. 6056. Paris, France: Springer, Heidelberg, Germany. (Cited on page 138.)Google Scholar
Hayashi, T., Shimoyama, T., Shinohara, N., and Takagi, T. 2012. Breaking Pairing-Based Cryptosystems Using ηT Pairing over GF(397). Pages 4360 of: Wang, X., and Sako, K. (eds.), ASIACRYPT 2012. LNCS, vol. 7658. Beijing, China: Springer, Heidelberg, Germany. (Cited on page 138.)Google Scholar
Heffner, C. 2010. LittleBlackBox: Database of Private SSL/SSH Keys for Embedded Devices. http://code.google.com/p/littleblackbox. (Cited on page 146.)Google Scholar
Hellman, M. E., and Reyneri, J. M. 1982. Fast Computation of Discrete Logarithms in GF(q). Pages 313 of: Chaum, D., Rivest, R. L., and Sherman, A. T. (eds.), CRYPTO’82. Santa Barbara, CA, USA: Plenum Press, New York, USA. (Cited on page 328.)Google Scholar
Heninger, N., Durumeric, Z., Wustrow, E., and Halderman, J. A. 2012. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. Pages 205220 of: Kohno, T. (ed.), USENIX Security 2012. Bellevue, WA, USA: USENIX Association. (Cited on pages 143, 145, 146, 147, 148, 149, 150, 175, and 178.)Google Scholar
Herrmann, M., and May, A. 2009. Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? Pages 487504 of: Matsui, M. (ed.), ASIACRYPT 2009. LNCS, vol. 5912. Tokyo, Japan: Springer, Heidelberg, Germany. (Cited on pages 97 and 104.)Google Scholar
Herrmann, M., and May, A. 2010. Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. Pages 5369 of: Nguyen, P. Q., and Pointcheval, D. (eds.), PKC 2010. LNCS, vol. 6056. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 97, 98, 100, and 103.)Google Scholar
Herstein, I. N. 1999. Abstract Algebra. Third edn. New York: John Wiley & Sons. (Cited on page 58.)Google Scholar
Hess, F. 2003. The GHS Attack Revisited. Pages 374387 of: Biham, E. (ed.), EUROCRYPT 2003. LNCS, vol. 2656. Warsaw, Poland: Springer, Heidelberg, Germany. (Cited on page 117.)Google Scholar
Hoffstein, J., Pipher, J., and Silverman, J. H. 1996. NTRU: A New High Speed Public Key Cryptosystem. Draft Distributed at Crypto’96, available at http://web.securityinnovation.com/hubfs/files/ntru-orig.pdf. (Cited on pages 16, 17, and 35.)Google Scholar
Hoffstein, J., Pipher, J., and Silverman, J. H. 1998. NTRU: A Ring-Based Public Key Cryptosystem. Pages 267288 of: Buhler, J. (ed.), Algorithmic Number Theory – ANTS. LNCS, vol. 1423. Springer, Heidelberg, Germany. (Cited on page 35.)Google Scholar
Horwitz, J., and Venkatesan, R. 2002. Random Cayley Digraphs and the Discrete Logarithm. Pages 416430 of: Fieker, C., and Kohel, D. R. (eds.), Algorithmic Number Theory. Springer, Heidelberg, Germany. (Cited on page 108.)Google Scholar
Howgrave-Graham, N. A., and Smart, N. P. 2001. Lattice Attacks on Digital Signature Schemes. Designs, Codes and Cryptography, 23(3), 283290. (Cited on pages 162 and 179.)Google Scholar
Howgrave-Graham, N. 1997. Finding Small Roots of Univariate Modular Equations Revisited. Pages 131142 of: Darnell, M. (ed.), 6th IMA International Conference on Cryptography and Coding. LNCS, vol. 1355. Cirencester, UK: Springer, Heidelberg, Germany. (Cited on pages 81 and 84.)Google Scholar
Howgrave-Graham, N. 2001. Approximate Integer Common Divisors. Pages 5166 of: Silverman, J. H. (ed.), Cryptography and Lattices. Springer, Heidelberg, Germany. (Cited on pages 148 and 149.)Google Scholar
Howgrave-Graham, N. 2007. A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU. Pages 150169 of: Menezes, A. (ed.), CRYPTO 2007. LNCS, vol. 4622. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 26.)Google Scholar
ICSI. 2020. The ICSI Certificate Notary. https://web.archive.org/web/20200624025519/https://notary.icsi.berkeley.edu/. (Cited on pages 141, 171, and 174.)Google Scholar
Information Technology Laboratory National Institute of Standards and Technology. 2000. Digital Signature Standard (DSS). https://csrc.nist.gov/CSRC/media/Publications/fips/186/2/archive/2001-10-05/documents/fips186-2-change1.pdf. (Cited on page 170.)Google Scholar
Information Technology Laboratory National Institute of Standards and Technology. 2013. Digital Signature Standard (DSS). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf. (Cited on pages 142, 162, 169, 174, 175, 176, and 238.)Google Scholar
Ireland, K., and Rosen, M. 1998. A Classical Introduction to Modern Number Theory. Berlin, New York: Springer-Verlag. (Cited on page 58.)Google Scholar
Ishai, Y., Kushilevitz, E., Ostrovsky, R., and Sahai, A. 2007. Zero-Knowledge from Secure Multiparty Computation. Pages 2130 of: Johnson, D. S., and Feige, U. (eds.), 39th ACM STOC. San Diego, CA, USA: ACM Press. (Cited on page 332.)Google Scholar
Jager, T., Schwenk, J., and Somorovsky, J. 2015. Practical Invalid Curve Attacks on TLS-ECDH. Pages 407425 of: Pernul, G., Ryan, P. Y. A., and Weippl, E. R. (eds.), ESORICS 2015, Part I. LNCS, vol. 9326. Vienna, Austria: Springer, Heidelberg, Germany. (Cited on page 173.)Google Scholar
Jager, T., Kakvi, S. A., and May, A. 2018. On the Security of the PKCS#1 v1.5 Signature Scheme. Pages 11951208 of: Lie, D., Mannan, M., Backes, M., and Wang, X. (eds.), ACM CCS 2018. Toronto, ON, Canada: ACM Press. (Cited on page 152.)Google Scholar
Janusz, G. 1998. Algebraic Number Fields. Second edn. American Mathematical Society. (Cited on page 58.)Google Scholar
Jochemsz, E., and May, A. 2006. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. Pages 267282 of: Lai, X., and Chen, K. (eds.), ASIACRYPT 2006. LNCS, vol. 4284. Shanghai, China: Springer, Heidelberg, Germany. (Cited on page 101.)Google Scholar
Jochemsz, E., and May, A. 2007. A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N0.073. Pages 395411 of: Menezes, A. (ed.), CRYPTO 2007. LNCS, vol. 4622. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 80 and 100.)Google Scholar
Jonsson, J., and Kaliski, B. 2003 (Feb.). Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specification, Version 2.1. RFC 3447. RFC Editor. https://www.rfc-editor.org/info/rfc3447. (Cited on page 225.)Google Scholar
Joux, A. 2000. A One Round Protocol for Tripartite Diffie-Hellman. Pages 385394 of: Bosma, W. (ed.), Algorithmic Number Theory – ANTS. LNCS, vol. 1838. Springer, Heidelberg, Germany. (Cited on page 327.)Google Scholar
Joux, A. 2013. Faster Index Calculus for the Medium Prime Case Application to 1175-bit and 1425-bit Finite Fields. Pages 177193 of: Johansson, T., and Nguyen, P. Q. (eds.), EUROCRYPT 2013. LNCS, vol. 7881. Athens, Greece: Springer, Heidelberg, Germany. (Cited on pages 131 and 132.)Google Scholar
Joux, A. 2014. A New Index Calculus Algorithm with Complexity L(1/4+o(1)) in Small Characteristic. Pages 355379 of: Lange, T., Lauter, K., and Lisonek, P. (eds.), SAC 2013. LNCS, vol. 8282. Burnaby, BC, Canada: Springer, Heidelberg, Germany. (Cited on pages 130, 132, 134, 135, 137, and 328.)Google Scholar
Joux, A., and Lercier, R. 2002. The Function Field Sieve Is Quite Special. Pages 431445 of: Fieker, C., and Kohel, D. R. (eds.), Algorithmic Number Theory – ANTS. LNCS, vol. 2369. Springer, Heidelberg, Germany. (Cited on page 328.)Google Scholar
Joux, A., and Lercier, R. 2006. The Function Field Sieve in the Medium Prime Case. Pages 254270 of: Vaudenay, S. (ed.), EUROCRYPT 2006. LNCS, vol. 4004. St. Petersburg, Russia: Springer, Heidelberg, Germany. (Cited on pages 131, 132, 135, 138, and 328.)Google Scholar
Joux, A., and Peyrin, T. 2007. Hash Functions and the (Amplified) Boomerang Attack. Pages 244263 of: Menezes, A. (ed.), CRYPTO 2007. LNCS, vol. 4622. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 189.)Google Scholar
Joux, A., and Pierrot, C. 2014. Improving the Polynomial time Precomputation of Frobenius Representation Discrete Logarithm Algorithms - Simplified Setting for Small Characteristic Finite Fields. Pages 378397 of: Sarkar, P., and Iwata, T. (eds.), ASIACRYPT 2014, Part I. LNCS, vol. 8873. Kaoshiung, Taiwan, R.O.C.: Springer, Heidelberg, Germany. (Cited on page 137.)Google Scholar
Joux, A., and Pierrot, C. 2016. Technical History of Discrete Logarithms in Small Characteristic Finite Fields – The Road from Subexponential to Quasi-Polynomial Complexity. Designs, Codes and Cryptography, 78(1), 7385. (Cited on page 131.)Google Scholar
Joux, A., and Pierrot, C. 2019. Algorithmic Aspects of Elliptic Bases in Finite Field Discrete Logarithm Algorithms. Cryptology ePrint Archive, Report 2019/782. https://eprint.iacr.org/2019/782. (Cited on page 136.)Google Scholar
Joux, A., and Vitse, V. 2012. Cover and Decomposition Index Calculus on Elliptic Curves Made Practical - Application to a Previously Unreachable Curve over . Pages 926 of: Pointcheval, D., and Johansson, T. (eds.), EUROCRYPT 2012. LNCS, vol. 7237. Cambridge, UK: Springer, Heidelberg, Germany. (Cited on page 117.)Google Scholar
Joux, A., Lercier, R., Smart, N., and Vercauteren, F. 2006. The Number Field Sieve in the Medium Prime Case. Pages 326344 of: Dwork, C. (ed.), CRYPTO 2006. LNCS, vol. 4117. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 328 and 329.)Google Scholar
Joux, A., Odlyzko, A., and Pierrot, C. 2014. The Past, Evolving Present, and Future of the Discrete Logarithm. Pages 536 of: Open Problems in Mathematics and Computational Science. Springer, Heidelberg, Germany. (Cited on page 131.)Google Scholar
Joye, M. 2012. On Quisquater's Multiplication Algorithm. Pages 37 of: Naccache, D. (ed.), Cryptography and Security: From Theory to Applications. LNCS, vol. 6805. Springer, Heidelberg, Germany. (Cited on page 229.)Google Scholar
Joye, M., and Yen, S.-M. 2003. The Montgomery Powering Ladder. Pages 291302 of: Kaliski, B. S. Jr, Koç, Ç. K., and Paar, C. (eds.), CHES 2002. LNCS, vol. 2523. Redwood Shores, CA, USA: Springer, Heidelberg, Germany. (Cited on page 302.)Google Scholar
Joye, M., Lenstra, A. K., and Quisquater, J.-J. 1999. Chinese Remaindering Based Cryptosystems in the Presence of Faults. Journal of Cryptology, 12(4), 241245. (Cited on page 71.)Google Scholar
Kakvi, S. A., Kiltz, E., and May, A. 2012. Certifying RSA. Pages 404414 of: Wang, X., and Sako, K. (eds.), ASIACRYPT 2012. LNCS, vol. 7658. Beijing, China: Springer, Heidelberg, Germany. (Cited on pages 80, 92, and 93.)Google Scholar
Kaliski, B. 1998 (Mar.). PKCS #1: RSA Encryption Version 1.5. RFC 2313. RFC Editor. https://www.rfc-editor.org/info/rfc2313. (Cited on pages 149, 150, and 152.)Google Scholar
Kaltofen, E., and Shoup, V. 1998. Subquadratic-Time Factoring of Polynomials over Finite Fields. Mathematics of Computation, 67(223), 11791197. (Cited on page 281.)Google Scholar
Kaminsky, D. 2005. MD5 to Be Considered Harmful Someday. Pages 323337 of: Archibald, N., dedhed, Fogie, S., Hurley, C., Kaminsky, D., Long, J., McOmie (aka Pyr0), L., Meer, H., Potter, B., Temmingh, R., Wyler (aka Grifter), N. R., and Mullen (THOR), T. M. (eds.), Aggressive Network Self-Defense. Burlington: Syngress. Available at https://eprint.iacr.org/2004/357.pdf. (Cited on pages 184 and 207.)Google Scholar
Kannan, R. 1987. Minkowski's Convex Body Theorem and Integer Programming. Mathematics Of Operations Research, 12(3), 415440. (Cited on page 30.)Google Scholar
Kannan, R., Lenstra, A. K., and Lovász, L. 1984. Polynomial Factorization and Nonrandomness of Bits of Algebraic and Some Transcendental Numbers. Pages 191200 of: 16th ACM STOC. Washington, DC, USA: ACM Press. (Cited on page 2.)Google Scholar
Karabina, K. 2013. Squaring in Cyclotomic Subgroups. Mathematics of Computation, 82(281), 555579. (Cited on pages 307 and 310.)Google Scholar
Karabina, K., Knapp, E., and Menezes, A. 2013. Generalizations of Verheul's Theorem to Asymmetric Pairings. Advances in Mathematics of Communications, 7(1), 103111. (Cited on page 309.)Google Scholar
Karatsuba, A., and Ofman, Y. 1962. Multiplication of Many-Digital Numbers by Automatic Computers. Doklady Akademii Nauk SSSR, 145, 293294. Translation in Physics-Doklady 7, 595-596, 1963. (Cited on pages 235 and 271.)Google Scholar
Kaspersky Lab. 2012 (May 28,). The Flame: Questions and Answers. Securelist blog: https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers. (Cited on page 198.)Google Scholar
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and Kivinen, T. 2014 (Oct.). Internet Key Exchange Protocol Version 2 (IKEv2). RFC 7296. RFC Editor. https://www.rfc-editor.org/info/rfc7296. (Cited on pages 154, 155, 156, and 158.)Google Scholar
Kedlaya, K. S., and Umans, C. 2011. Fast Polynomial Factorization and Modular Composition. SIAM Journal on Computing, 40(6), 17671802. (Cited on page 278.)Google Scholar
Kelsey, J., and Kohno, T. 2006. Herding Hash Functions and the Nostradamus Attack. Pages 183200 of: Vaudenay, S. (ed.), EUROCRYPT 2006. LNCS, vol. 4004. St. Petersburg, Russia: Springer, Heidelberg, Germany. (Cited on pages 203 and 205.)Google Scholar
Kiltz, E., Pietrzak, K., Stam, M., and Yung, M. 2009. A New Randomness Extraction Paradigm for Hybrid Encryption. Pages 590609 of: Joux, A. (ed.), EUROCRYPT 2009. LNCS, vol. 5479. Cologne, Germany: Springer, Heidelberg, Germany. (Cited on page 303.)Google Scholar
Kim, T., and Barbulescu, R. 2016. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. Pages 543571 of: Robshaw, M., and Katz, J. (eds.), CRYPTO 2016, Part I. LNCS, vol. 9814. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 123 and 329.)Google Scholar
Kim, T., and Jeong, J. 2017. Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree. Pages 388408 of: Fehr, S. (ed.), PKC 2017, Part I. LNCS, vol. 10174. Amsterdam, The Netherlands: Springer, Heidelberg, Germany. (Cited on page 329.)Google Scholar
Kipnis, A., Patarin, J., and Goubin, L. 1999. Unbalanced Oil and Vinegar Signature Schemes. Pages 206222 of: Stern, J. (ed.), EUROCRYPT’99. LNCS, vol. 1592. Prague, Czech Republic: Springer, Heidelberg, Germany. (Cited on page 331.)Google Scholar
Kirchner, P., and Fouque, P.-A. 2017. Revisiting Lattice Attacks on Over-stretched NTRU Parameters. Pages 326 of: Coron, J.-S., and Nielsen, J. B. (eds.), EUROCRYPT 2017, Part I. LNCS, vol. 10210. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 35, 36, 38, and 39.)Google Scholar
Kleinjung, T. 2007. Discrete Logarithms in GF(p) — 160 Digits. https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;1c737cf8.0702. (Cited on page 157.)Google Scholar
Kleinjung, T., and Wesolowski, B. 2019. Discrete Logarithms in Quasi-Polynomial Time in Finite Fields of Fixed Characteristic. Cryptology ePrint Archive, Report 2019/751. https://eprint.iacr.org/2019/751. (Cited on pages 136 and 137.)Google Scholar
Kleinjung, T., Aoki, K., Franke, J., Lenstra, A. K., Thomé, E., Bos, J. W., Gaudry, P., Kruppa, A., Montgomery, P. L., Osvik, D. A., te Riele, H. J. J., Timofeev, A., and Zimmermann, P. 2010. Factorization of a 768-Bit RSA Modulus. Pages 333350 of: Rabin, T. (ed.), CRYPTO 2010. LNCS, vol. 6223. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 3, 8, 137, and 157.)Google Scholar
Kleinjung, T., Lenstra, A. K., Page, D., and Smart, N. P. 2012. Using the Cloud to Determine Key Strengths. Pages 1739 of: Galbraith, S. D., and Nandi, M. (eds.), INDOCRYPT 2012. LNCS, vol. 7668. Kolkata, India: Springer, Heidelberg, Germany. (Cited on pages 4, 316, 317, and 325.)Google Scholar
Kleinjung, T., Bos, J. W., and Lenstra, A. K. 2014. Mersenne Factorization Factory. Pages 358377 of: Sarkar, P., and Iwata, T. (eds.), ASIACRYPT 2014, Part I. LNCS, vol. 8873. Kaoshiung, Taiwan, R.O.C.: Springer, Heidelberg, Germany. (Cited on pages 3, 61, and 138.)Google Scholar
Kleinjung, T., Diem, C., Lenstra, A. K., Priplata, C., and Stahlke, C. 2017. Computation of a 768-Bit Prime Field Discrete Logarithm. Pages 185201 of: Coron, J.-S., and Nielsen, J. B. (eds.), EUROCRYPT 2017, Part I. LNCS, vol. 10210. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 6, 137, and 157.)Google Scholar
Klima, V. 2005. Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications. Cryptology ePrint Archive, Report 2005/102. http://eprint.iacr.org/2005/102. (Cited on page 184.)Google Scholar
Klima, V. 2006. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105. http://eprint.iacr.org/2006/105. (Cited on pages 184 and 189.)Google Scholar
Klitzke, E. 2017. Bitcoin Transaction Malleability. https://eklitzke.org/bitcoin-transaction-malleability. (Cited on page 176.)Google Scholar
Klyachko, A. A. 1988. On the Rationality of Tori with Cyclic Splitting Field (Russian). Arithmetic and Geometry of Varieties, 7378. (Cited on page 124.)Google Scholar
Klyubin, A. 2013 (August). Some SecureRandom Thoughts. https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html. (Cited on page 178.)Google Scholar
Kneževicć, M., Vercauteren, F., and Verbauwhede, I. 2010. Speeding Up Bipartite Modular Multiplication. Pages 166179 of: Hasan, M. A., and Helleseth, T. (eds.), Arithmetic of Finite Fields – WAIFI. LNCS, vol. 6087. Springer, Heidelberg, Germany. (Cited on page 241.)Google Scholar
Knuth, D. E., and Papadimitriou, C. H. 1981. Duality in addition chains. Bulletin of the European Association for Theoretical Computer Science, 13, 24. (Cited on page 302.)Google Scholar
Knuth, D. E. 1997. Seminumerical Algorithms. 3rd edn. The Art of Computer Programming, vol. 2. Reading, Massachusetts, USA: Addison-Wesley. (Cited on page 226.)Google Scholar
Koblitz, A. H., Koblitz, N., and Menezes, A. 2011. Elliptic Curve Cryptography: The Serpentine Course of a Paradigm Shift. Journal of Number Theory, 131(5), 781814. (Cited on page 171.)Google Scholar
Koblitz, N. 1987. Elliptic Curve Cryptosystems. Mathematics of Computation, 48(177), 203209. (Cited on pages 62, 171, 237, and 295.)Google Scholar
Koblitz, N., and Menezes, A. 2016. A Riddle Wrapped in an Enigma. IEEE Security & Privacy, 14(6), 3442. (Cited on pages 171 and 172.)Google Scholar
Kocher, P. 2020. Personal communication. (Cited on pages 143 and 148.)Google Scholar
Kraitchik, M. 1922. Théorie des nombres. Vol. 1. Paris: Gauthier-Villars. (Cited on pages 54 and 109.)Google Scholar
Kraitchik, M. 1924. Recherches sur la théorie des nombres. Vol. 1. Paris: Gauthier-Villars. (Cited on page 109.)Google Scholar
Krawczyk, H. 2003. SIGMA: The “SIGn-and-MAc” Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols. Pages 400425 of: Boneh, D. (ed.), CRYPTO 2003. LNCS, vol. 2729. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 202.)Google Scholar
Kronecker, L. 1882. Grundzüge einer arithmetischen theorie der algebraischen grössen. Journal für die reine und angewandte Mathematik, 1122. (Cited on page 289.)Google Scholar
Kuhn, T. S. 1996. The Structure of Scientific Revolutions. Chicago, IL: University of Chicago Press. (Cited on page 130.)Google Scholar
Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., and Schimmler, M. 2006. Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker. Pages 101118 of: Goubin, L., and Matsui, M. (eds.), CHES 2006. LNCS, vol. 4249. Yokohama, Japan: Springer, Heidelberg, Germany. (Cited on page 316.)Google Scholar
Kunihiro, N., Shinohara, N., and Izu, T. 2012. A Unified Framework for Small Secret Exponent Attack on RSA. Pages 260277 of: Miri, A., and Vaudenay, S. (eds.), SAC 2011. LNCS, vol. 7118. Toronto, ON, Canada: Springer, Heidelberg, Germany. (Cited on pages 98 and 103.)Google Scholar
Lagarias, J. C., and Odlyzko, A. M. 1983. Solving Low-Density Subset Sum Problems. Pages 110 of: 24th FOCS. Tucson, AZ: IEEE Computer Society Press. (Cited on page 30.)Google Scholar
Lamport, L. 1979 (Oct.). Constructing Digital Signatures from a One-way Function. Technical Report SRI-CSL-98. SRI International Computer Science Laboratory. (Cited on page 332.)Google Scholar
Laphroaig, M. (ed.). 2017. Pastor Laphroaig Screams High Five to the Heavens as the Whole World Goes Under. PoC||GTFO, vol. 0x14. Tract Association of POC||GTFO and Friends. (Cited on page 211.)Google Scholar
Laurie, B., Langley, A., and Kasper, E. 2013 (June). Certificate Transparency. RFC 6962. RFC Editor. https://www.rfc-editor.org/info/rfc6962. (Cited on page 154.)Google Scholar
Lehmer, D. H., and Powers, R. E. 1931. On Factoring Large Numbers. Bulletin of the American Mathematical Society, 37, 770776. (Cited on page 54.)Google Scholar
Lehmer, D. N. 1909. Factor Table for the First Ten Millions Containing the Smallest Factor of Every Number not Divisible by 2, 3, 5, or 7 Between the Limits 0 and 10017000. Carnegie Institute of Washington. (Cited on page 41.)Google Scholar
Lehmer, D. H. 1928. The Mechanical Combination of Linear Forms. American Mathematical Monthly, 35, 114121. (Cited on page 323.)Google Scholar
Lehmer, D. H. 1933. A Photo-Electric Number Sieve. American Mathematical Monthly, 40, 401406. (Cited on pages 323 and 324.)Google Scholar
Lehmer, D. N. 1932. Hunting Big Game in the Theory of Numbers. Scripta Mathematica I, 229235. (Cited on page 323.)Google Scholar
Lenstra, A. K., and Lenstra, H. W. Jr 1987. Algorithms in Number Theory. Technical Report 87-008, University of Chicago. (Cited on page 109.)Google Scholar
Lenstra, A. K., and Lenstra, H. W. Jr 1993. The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554. New York: Springer-Verlag. (Cited on pages 58 and 321.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2001a. An Overview of the XTR Public Key System. Pages 151180 of: Public Key Cryptography and Computational Number Theory. Verlages Walter de Gruyter. (Cited on page 123.)Google Scholar
Lenstra, A. K. 1981. Lattices and Factorization of Polynomials. SIGSAM Bulletin, 15(3), 1516. (Cited on page 2.)Google Scholar
Lenstra, A. K. 1982. Lattices and Factorization of Polynomials over Algebraic Number Fields. Pages 3239 of: Calmet, J. (ed.), European Computer Algebra Conference – EUROCAM. LNCS, vol. 144. Springer. (Cited on page 2.)Google Scholar
Lenstra, A. K. 1983. Factoring Multivariate Polynomials over Finite Fields (Extended Abstract). Pages 189192 of: 15th ACM STOC. Boston, MA, USA: ACM Press. (Cited on page 2.)Google Scholar
Lenstra, A. K. 1984. Polynomial-Time Algorithms for the Factorization of Polynomials. PhD thesis, University of Amsterdam. (Cited on page 2.)Google Scholar
Lenstra, A. K. 1997. Using Cyclotomic Polynomials to Construct Efficient Discrete Logarithm Cryptosystems over Finite Fields. Pages 127138 of: Varadharajan, V., Pieprzyk, J., and Mu, Y. (eds.), ACISP 97. LNCS, vol. 1270. Sydney, NSW, Australia: Springer, Heidelberg, Germany. (Cited on pages 6, 123, 130, 296, and 311.)Google Scholar
Lenstra, A. K. 1998. Generating RSA Moduli with a Predetermined Portion. Pages 110 of: Ohta, K., and Pei, D. (eds.), ASIACRYPT’98. LNCS, vol. 1514. Beijing, China: Springer, Heidelberg, Germany. (Cited on pages 79, 228, and 241.)Google Scholar
Lenstra, A. K. 2001. Unbelievable Security. Matching AES Security Using Public Key Systems (Invited Talk). Pages 6786 of: Boyd, C. (ed.), ASIACRYPT 2001. LNCS, vol. 2248. Gold Coast, Australia: Springer, Heidelberg, Germany. (Cited on pages 4, 162, 238, 312, and 313.)Google Scholar
Lenstra, A. K., and de Weger, B. 2005. On the Possibility of Constructing Meaningful Hash Collisions for Public Keys. Pages 267279 of: Boyd, C., and Nieto, J. M. G. (eds.), ACISP 05. LNCS, vol. 3574. Brisbane, Queensland, Australia: Springer, Heidelberg, Germany. (Cited on pages 6, 184, and 191.)Google Scholar
Lenstra, A. K., and Haber, S. 1991. Comment on Proposed Digital Signature Standard. Letter to NIST regarding DSS, 1991. (Cited on page 169.)Google Scholar
Lenstra, A. K., and Manasse, M. S. 1990. Factoring by Electronic Mail. Pages 355371 of: Quisquater, J.-J., and Vandewalle, J. (eds.), EUROCRYPT’89. LNCS, vol. 434. Houthalen, Belgium: Springer, Heidelberg, Germany. (Cited on pages 2, 3, 57, and 319.)Google Scholar
Lenstra, A. K., and Manasse, M. S. 1991. Factoring with Two Large Primes. Pages 7282 of: Damgård, I. (ed.), EUROCRYPT’90. LNCS, vol. 473. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on pages 3 and 57.)Google Scholar
Lenstra, A. K., and Shamir, A. 2000. Analysis and Optimization of the TWINKLE Factoring Device. Pages 3552 of: Preneel, B. (ed.), EUROCRYPT 2000. LNCS, vol. 1807. Bruges, Belgium: Springer, Heidelberg, Germany. (Cited on pages 62 and 324.)Google Scholar
Lenstra, A. K., and Shparlinski, I. 2002. Selective Forgery of RSA Signatures with Fixed-Pattern Padding. Pages 228236 of: Naccache, D., and Paillier, P. (eds.), PKC 2002. LNCS, vol. 2274. Paris, France: Springer, Heidelberg, Germany. (Cited on page 8.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2000a. Key Improvements to XTR. Pages 220233 of: Okamoto, T. (ed.), ASIACRYPT 2000. LNCS, vol. 1976. Kyoto, Japan: Springer, Heidelberg, Germany. (Cited on pages 4 and 299.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2000b. Selecting Cryptographic Key Sizes. Pages 446465 of: Imai, H., and Zheng, Y. (eds.), PKC 2000. LNCS, vol. 1751. Melbourne, Victoria, Australia: Springer, Heidelberg, Germany. (Cited on pages 4, 314, and 315.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2000c. The XTR Public Key System. Pages 119 of: Bellare, M. (ed.), CRYPTO 2000. LNCS, vol. 1880. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 4, 123, 297, 300, 303, 306, 311, and 327.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2001b. Fast Irreducibility and Subgroup Membership Testing in XTR. Pages 7386 of: Kim, K. (ed.), PKC 2001. LNCS, vol. 1992. Cheju Island, South Korea: Springer, Heidelberg, Germany. (Cited on pages 4, 299, and 301.)Google Scholar
Lenstra, A. K., and Verheul, E. R. 2001c. Selecting Cryptographic Key Sizes. Journal of Cryptology, 14(4), 255293. (Cited on pages 4, 157, 235, 238, and 314.)Google Scholar
Lenstra, A. K., Lenstra, H. W. Jr., and Lovász, L. 1982. Factoring Polynomials with Rational Coefficients. Mathematische Annalen, 261(4), 515534. (Cited on pages 2, 15, 71, 72, 73, 78, 79, 179, 290, and 330.)Google Scholar
Lenstra, A. K., Lenstra, H. W. Jr., Manasse, M. S., and Pollard, J. M. 1990. The Number Field Sieve. Pages 564572 of: 22nd ACM STOC. Baltimore, MD, USA: ACM Press. (Cited on pages 3 and 58.)Google Scholar
Lenstra, A. K., Lenstra, H. W. Jr, Manasse, M. S., and Pollard, J. M. 1993. The Factorization of the Ninth Fermat Number. Mathematics of Computation, 61(203), 319349. (Cited on page 3.)Google Scholar
Lenstra, A. K., Shamir, A., Tomlinson, J., and Tromer, E. 2002. Analysis of Bernstein's Factorization Circuit. Pages 126 of: Zheng, Y. (ed.), ASIACRYPT 2002. LNCS, vol. 2501. Queenstown, New Zealand: Springer, Heidelberg, Germany. (Cited on page 324.)Google Scholar
Lenstra, A. K., Tromer, E., Shamir, A., Kortsmit, W., Dodson, B., Hughes, J. P., and Leyland, P. C. 2003. Factoring Estimates for a 1024-Bit RSA Modulus. Pages 5574 of: Laih, C.-S. (ed.), ASIACRYPT 2003. LNCS, vol. 2894. Taipei, Taiwan: Springer, Heidelberg, Germany. (Cited on pages 3 and 324.)Google Scholar
Lenstra, A. K., Wang, X., and de Weger, B. 2005. Colliding X.509 Certificates. Cryptology ePrint Archive, Report 2005/067. http://eprint.iacr.org/2005/067. (Cited on page 6.)Google Scholar
Lenstra, A. K., Hughes, J. P., Augier, M., Bos, J. W., Kleinjung, T., and Wachter, C. 2012. Public Keys. Pages 626642 of: Safavi-Naini, R., and Canetti, R. (eds.), CRYPTO 2012. LNCS, vol. 7417. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 8, 70, 80, 143, 145, 146, 147, 148, 155, 164, 174, and 175.)Google Scholar
Lenstra, A. K., Kleinjung, T., and Thomé, E. 2013. Universal Security - From Bits and Mips to Pools, Lakes - and Beyond. Pages 121124 of: Fischlin, M., and Katzenbeisser, S. (eds.), Number Theory and Cryptography - Papers in Honor of Johannes Buchmann on the Occasion of His 60th Birthday. LNCS, vol. 8260. Springer, Heidelberg, Germany. (Cited on page 333.)Google Scholar
Lenstra, H. W. Jr 1987. Factoring Integers with Elliptic Curves. Annals of Mathematics, 126(3), 649673. (Cited on pages 3, 62, 64, 65, 163, and 233.)Google Scholar
Lepinski, M., and Kent, S. 2008. Additional Diffie-Hellman Groups for Use with IETF Standards. IETF RFC 5114. (Cited on pages 162, 166, and 170.)Google Scholar
Leurent, G., and Peyrin, T. 2019. From Collisions to Chosen-Prefix Collisions Application to Full SHA-1. Pages 527555 of: Ishai, Y., and Rijmen, V. (eds.), EUROCRYPT 2019, Part III. LNCS, vol. 11478. Darmstadt, Germany: Springer, Heidelberg, Germany. (Cited on pages 185, 189, 201, and 318.)Google Scholar
Leurent, G., and Peyrin, T. 2020. SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust. Pages 18391856 of: Capkun, S., and Roesner, F. (eds.), USENIX Security 2020. USENIX Association. (Cited on pages 185 and 201.)Google Scholar
Leyland, P. C., Lenstra, A. K., Dodson, B., Muffett, A., and Wagstaff, S. S. Jr 2002. MPQS with Three Large Primes. Pages 446460 of: Fieker, C., and Kohel, D. R. (eds.), Algorithmic Number Theory, 5th International Symposium – ANTS-V. LNCS, vol. 2369. Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Lido, G. 2016. Discrete Logarithm over Finite Fields of Small Characteristic. Master's thesis, Universita di Pisa. (Cited on page 136.)Google Scholar
Lim, C. H., and Lee, P. J. 1996. Generating Efficient Primes for Discrete Log Cryptosystems. http://citeseerx.ist.psu.edu/viewdoc/summary? doi=10.1.1.43.8261. (Cited on page 169.)Google Scholar
Lim, C. H., and Lee, P. J. 1997. A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. Pages 249263 of: Kaliski, B. S. Jr. (ed.), CRYPTO’97. LNCS, vol. 1294. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 166 and 167.)Google Scholar
Liu, M., and Nguyen, P. Q. 2013. Solving BDD by Enumeration: An Update. Pages 293309 of: Dawson, E. (ed.), CT-RSA 2013. LNCS, vol. 7779. San Francisco, CA, USA: Springer, Heidelberg, Germany. (Cited on page 33.)Google Scholar
Livitt, C. D. 2016. Preliminary Expert Report of Carl D. Livitt. https://medsec.com/stj_expert_witness_report.pdf. (Cited on page 144.)Google Scholar
Lochter, M., and Merkle, J. 2010 (Mar.). Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. RFC 5639. RFC Editor. https://www.rfc-editor.org/info/rfc5639. (Cited on page 172.)Google Scholar
López-Alt, A., Tromer, E., and Vaikuntanathan, V. 2012. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. Pages 12191234 of: Karloff, H. J., and Pitassi, T. (eds.), 44th ACM STOC. New York, NY, USA: ACM Press. (Cited on page 37.)Google Scholar
Lovorn, R. 1992. Rigorous Subexponential Algorithms for Discrete Logarithms over Finite Fields. PhD thesis, University of Georgia. (Cited on page 131.)Google Scholar
Lyubashevsky, V., Peikert, C., and Regev, O. 2010. On Ideal Lattices and Learning with Errors over Rings. Pages 123 of: Gilbert, H. (ed.), EUROCRYPT 2010. LNCS, vol. 6110. French Riviera: Springer, Heidelberg, Germany. (Cited on page 16.)Google Scholar
Manger, J. 2001. A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. Pages 230238 of: Kilian, J. (ed.), CRYPTO 2001. LNCS, vol. 2139. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 152.)Google Scholar
Matsumoto, T., and Imai, H. 1988. Public Quadratic Polynominal-Tuples for Efficient Signature-Verification and Message-Encryption. Pages 419453 of: Günther, C. G. (ed.), EUROCRYPT’88. LNCS, vol. 330. Davos, Switzerland: Springer, Heidelberg, Germany. (Cited on page 331.)Google Scholar
Maurer, U. M. 1994. Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Algorithms. Pages 271281 of: Desmedt, Y. (ed.), CRYPTO’94. LNCS, vol. 839. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 155.)Google Scholar
Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and Preneel, B. 2012. A Cross-Protocol Attack on the TLS Protocol. Pages 6272 of: Yu, T., Danezis, G., and Gligor, V. D. (eds.), ACM CCS 2012. Raleigh, NC, USA: ACM Press. (Cited on page 167.)Google Scholar
May, A. 2002. Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. Pages 242256 of: Yung, M. (ed.), CRYPTO 2002. LNCS, vol. 2442. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 80 and 99.)Google Scholar
May, A. 2004. Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring. Pages 213219 of: Franklin, M. (ed.), CRYPTO 2004. LNCS, vol. 3152. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 71 and 73.)Google Scholar
May, A. 2010. Using LLL-Reduction for Solving RSA and Factorization Problems. In: [457]. (Cited on pages 83 and 84.)Google Scholar
May, A., and Ritzenhofen, M. 2008. Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Pages 3746 of: Cramer, R. (ed.), PKC 2008. LNCS, vol. 4939. Barcelona, Spain: Springer, Heidelberg, Germany. (Cited on pages 88, 89, and 104.)Google Scholar
May, A., and Silverman, J. H. 2001. Dimension Reduction Methods for Convolution Modular Lattices. Pages 110125 of: Silverman, J. H. (ed.), Cryptography and Lattices – CaLC. LNCS, vol. 2146. Springer, Heidelberg, Germany. (Cited on page 35.)Google Scholar
McCurley, K. S. 1990. The Discrete Logarithm Problem. Pages 4974 of: Cryptology and computational number theory, Proceedings of Symposia in Applied Mathematics, vol. 42. American Mathematical Society, Providence, Rhode Island, USA. (Cited on page 109.)Google Scholar
McDonald, C., Hawkes, P., and Pieprzyk, J. 2009. Differential Path for SHA-1 with complexity O(252). Cryptology ePrint Archive, Report 2009/259. http://eprint.iacr.org/2009/259. (Cited on page 185.)Google Scholar
McEliece, R. J. 1978. A Public-Key Cryptosystem Based On Algebraic Coding Theory. DSN Progress Report, 44, 114116. (Cited on page 331.)Google Scholar
McLean, T. 2015. Critical Vulnerabilities in JSON Web Token Libraries. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/. (Cited on page 153.)Google Scholar
Mendel, F., Rechberger, C., and Rijmen, V. 2007. Update on SHA-1. Rump session of CRYPTO 2007. http://rump2007.cr.yp.to/09-rechberger.pdf. (Cited on page 185.)Google Scholar
Menezes, A. 1993. Elliptic Curve Public Key Cryptosystems. Boston, MA: Kluwer. (Cited on page 308.)Google Scholar
Menezes, A., and Vanstone, S. 2000. ECSTR (XTR): Elliptic Curve Singular Trace Representation. Presented at the Rump Session of Crypto 2000. (Cited on page 308.)Google Scholar
Menezes, A., Okamoto, T., and Vanstone, S. 1993. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory, 39(5), 16391646. (Cited on page 116.)Google Scholar
Menezes, A., and Qu, M. 2001. Analysis of the Weil Descent Attack of Gaudry, Hess and Smart. Pages 308318 of: Naccache, D. (ed.), CT-RSA 2001. LNCS, vol. 2020. San Francisco, CA, USA: Springer, Heidelberg, Germany. (Cited on page 117.)Google Scholar
Menezes, A., and Wu, Y. 1997. The Discrete Logarithm Problem in GL(n, q). Ars Combinatoria, 47. (Cited on page 118.)Google Scholar
Menezes, A., Vanstone, S. A., and Okamoto, T. 1991. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. Pages 8089 of: 23rd ACM STOC. New Orleans, LA, USA: ACM Press. (Cited on pages 67, 308, and 327.)Google Scholar
Merkle, R. C. 1990a. A Certified Digital Signature. Pages 218238 of: Brassard, G. (ed.), CRYPTO’89. LNCS, vol. 435. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 332.)Google Scholar
Merkle, R. C. 1990b. One Way Hash Functions and DES. Pages 428446 of: Brassard, G. (ed.), CRYPTO’89. LNCS, vol. 435. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 183.)Google Scholar
Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., and Tews, E. 2014. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. Pages 733748 of: Fu, K., and Jung, J. (eds.), USENIX Security 2014. San Diego, CA, USA: USENIX Association. (Cited on page 151.)Google Scholar
Micciancio, D., and Walter, M. 2016. Practical, Predictable Lattice Basis Reduction. Pages 820849 of: Fischlin, M., and Coron, J.-S. (eds.), EUROCRYPT 2016, Part I. LNCS, vol. 9665. Vienna, Austria: Springer, Heidelberg, Germany. (Cited on page 15.)Google Scholar
Michaelis, K., Meyer, C., and Schwenk, J. 2013. Randomly Failed! The State of Randomness in Current Java Implementations. Pages 129144 of: Dawson, E. (ed.), CT-RSA 2013. LNCS, vol. 7779. San Francisco, CA, USA: Springer, Heidelberg, Germany. (Cited on page 178.)Google Scholar
Microsoft. 2012 (June 6,). Flame Malware Collision Attack Explained. Security Research & Defense, Microsoft TechNet Blog: https://msrc-blog.microsoft.com/2012/06/06/flame-malware-collision-attack-explained. (Cited on pages 198 and 199.)Google Scholar
Miele, A., Bos, J. W., Kleinjung, T., and Lenstra, A. K. 2014. Cofactorization on Graphics Processing Units. Pages 335352 of: Batina, L., and Robshaw, M. (eds.), CHES 2014. LNCS, vol. 8731. Busan, South Korea: Springer, Heidelberg, Germany. (Cited on page 3.)Google Scholar
Mikle, O. 2004. Practical Attacks on Digital Signatures Using MD5 Message Digest. Cryptology ePrint Archive, Report 2004/356. http://eprint.iacr.org/2004/356. (Cited on pages 184 and 207.)Google Scholar
Miller, D. 2020 (May). OpenSSH 8.3 released (and ssh-rsa deprecation notice). https://lwn.net/Articles/821544/. (Cited on page 141.)Google Scholar
Miller, G. L. 1976. Riemann's Hypothesis and Tests for Primality. Journal of Computer and System Sciences, 13(3), 300317. (Cited on pages 91, 93, and 141.)Google Scholar
Miller, S. D., Narayanan, B., and Venkatesan, R. 2017. Coppersmith's Lattices and “Focus Groups”: an Attack on Small-Exponent RSA. Cryptology ePrint Archive, Report 2017/835. http://eprint.iacr.org/2017/835. (Cited on page 102.)Google Scholar
Miller, V. S. 1986. Use of Elliptic Curves in Cryptography. Pages 417426 of: Williams, H. C. (ed.), CRYPTO’85. LNCS, vol. 218. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 62, 171, 237, and 295.)Google Scholar
Miller, V. S. 2004. The Weil Pairing, and Its Efficient Calculation. Journal of Cryptology, 17(4), 235261. (Cited on page 116.)Google Scholar
Mironov, I. 2012. Factoring RSA Moduli. Part II. https://windowsontheory.org/2012/05/17/factoring-rsa-moduli-part-ii/. (Cited on page 142.)Google Scholar
Möller, N., and Granlund, T. 2011. Improved Division by Invariant Integers. IEEE Transactions on Computers, 60(2), 165175. (Cited on page 270.)Google Scholar
Montgomery, P. L. 1983. Evaluating Recurrences of Form Xm+n = f(Xm, Xn, Xm−n) via Lucas Chains. Revised (1992) version from ftp.cw.nl:/pub/pmontgom/Lucas.ps.gs. (Cited on pages 300 and 302.)Google Scholar
Montgomery, P. L. 1985. Modular Multiplication without Trial Division. Mathematics of Computation, 44(170), 519521. (Cited on pages 224, 237, and 270.)Google Scholar
Montgomery, P. L. 1994. Vectorization of the Elliptic Curve Method. Technical Report. Centrum Wiskunde & Informatica (CWI). (Cited on page 233.)Google Scholar
Montgomery, P. L., and Murphy, B. 1999. Improved polynomial selection for the Number Field Sieve. In: The Mathematics of Public Key Cryptography Conference. Toronto: Fields Institute. (Cited on page 61.)Google Scholar
Moore, G. E. 1965. Cramming more Components onto Integrated Circuits. Electronics Magazine, 38(8), 114117. (Cited on page 230.)Google Scholar
Morain, F. 2004. La primalité en temps polynomial (d’après Adleman, Huang; Agrawal, Kayal, Saxena). Astérisque, 294, 205230. (Cited on page 47.)Google Scholar
Moriarty, K., Kaliski, B., Jonsson, J., and Rusch, A. 2016 (Nov.). PKCS #1: RSA Cryptography Specifications Version 2.2. https://www.rfc-editor.org/info/rfc8017. (Cited on page 149.)Google Scholar
Morrison, M. A., and Brillhart, J. 1975. A Method of Factoring and the Factorization of F7. Mathematics of Computation, 29, 183205. (Cited on pages 53, 54, and 319.)Google Scholar
Mozilla. 2017. HTTP Public Key Pinning (HPKP). https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning. (Cited on page 154.)Google Scholar
Müller, W., and Nöbauer, R. 1981. Some Remarks on Public-Key Cryptosystems. Studia Scientiarum Mathematicarum Hungarica, 16, 7176. (Cited on page 298.)Google Scholar
National Institute of Standards and Technology. 2012. Special Publication 800-57. Recommendation for Key Management Part 1: General (Revision 3). (Cited on page 315.)Google Scholar
National Security Agency. 2020. Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers. https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF. (Cited on page 176.)Google Scholar
National Security Agency Central Security Service. 2015. Cryptography Today. https://web.archive.org/web/20151123081120/https://www.nsa.gov/ia/programs/suiteb_cryptography. (Cited on page 171.)Google Scholar
Nechaev, V. I. 1994. On the Complexity of a Deterministic Algorithm for a Discrete Logarithm. Matematicheskie Zametki, 55, 91101. (Cited on page 107.)Google Scholar
Nemec, M., Sýs, M., Svenda, P., Klinec, D., and Matyas, V. 2017. The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. Pages 16311648 of: Thuraisingham, B. M., Evans, D., Malkin, T., and Xu, D. (eds.), ACM CCS 2017. Dallas, TX, USA: ACM Press. (Cited on pages 15, 80, and 143.)Google Scholar
Neumaier, A., and Stehlé, D. 2016. Faster LLL-type reduction of Lattice Bases. Pages 373380 of: Abramov, S. A., Zima, E. V., and Gao, X. (eds.), International Symposium on Symbolic and Algebraic Computation – ISSAC. Association for Computing Machinery, New York, USA. (Cited on page 82.)Google Scholar
Nguyen, P. Q. 1999. Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto’97. Pages 288304 of: Wiener, M. J. (ed.), CRYPTO’99. LNCS, vol. 1666. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 290.)Google Scholar
Nguyen, P. Q. 2010. Hermite's Constant and Lattice Algorithms. In: [457]. (Cited on page 18.)Google Scholar
Nguyen, P. Q., and Stehlé, D. 2005. Floating-Point LLL Revisited. Pages 215233 of: Cramer, R. (ed.), EUROCRYPT 2005. LNCS, vol. 3494. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on page 291.)Google Scholar
Nguyen, P. Q., and Stern, J. 1998. Cryptanalysis of the Ajtai-Dwork Cryptosystem. Pages 223242 of: Krawczyk, H. (ed.), CRYPTO’98. LNCS, vol. 1462. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 290.)Google Scholar
Nguyen, P. Q., and Vallée, B. (eds.). 2010. The LLL Algorithm - Survey and Applications. ISC. Springer, Heidelberg, Germany. (Cited on pages 2, 291, 366, 369, and 375.)Google Scholar
NMBRTHRY. 2020. NumberTheoryList: https://listserv.nodak.edu/cgi-bin/wa.exe?A0=NMBRTHRY. (Cited on page 138.)Google Scholar
Nyberg, K., and Rueppel, R. A. 1993. A New Signature Scheme Based on the DSA Giving Message Recovery. Pages 5861 of: Denning, D. E., Pyle, R., Ganesan, R., Sandhu, R. S., and Ashby, V. (eds.), ACM CCS 93. Fairfax, Virginia, USA: ACM Press. (Cited on page 303.)Google Scholar
Odlyzko, A. M. 1985. Discrete Logarithms in Finite Fields and Their Cryptographic Significance. Pages 224314 of: Beth, T., Cot, N., and Ingemarsson, I. (eds.), EUROCRYPT’84. LNCS, vol. 209. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 109 and 131.)Google Scholar
Odoni, R., Varadharajan, V., and Sanders, P. 1984. Public Key Distribution in Matrix Rings. Electronics Letters, 20(9), 386387. (Cited on page 118.)Google Scholar
OpenSSH. 2020. OpenSSH Legacy Options. https://www.openssh.com/legacy.html. (Cited on page 158.)Google Scholar
Oracle. 2014. JDK 8 Security Enhancements. https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html. (Cited on page 157.)Google Scholar
Orman, H. 1998 (Nov.). RFC 2412 - The Oakley Key Determination Protocol. Internet Engineering Task Force. http://www.ietf.org/rfc/rfc2412.txt. (Cited on pages 158 and 169.)Google Scholar
Page, D., and Smart, N. P. 2004. Parallel Cryptographic Arithmetic using a Redundant Montgomery Representation. IEEE Transactions on Computers, 53(11), 14741482. (Cited on pages 233 and 234.)Google Scholar
Page, D., and Stam, M. 2004. On XTR and Side-Channel Analysis. Pages 5468 of: Handschuh, H., and Hasan, A. (eds.), SAC 2004. LNCS, vol. 3357. Waterloo, Ontario, Canada: Springer, Heidelberg, Germany. (Cited on page 302.)Google Scholar
Paillier, P. 1999. Low-Cost Double-Size Modular Exponentiation or How to Stretch Your Cryptoprocessor. Pages 223234 of: Imai, H., and Zheng, Y. (eds.), PKC’99. LNCS, vol. 1560. Kamakura, Japan: Springer, Heidelberg, Germany. (Cited on page 236.)Google Scholar
Parhami, B. 2000. Computer Arithmetic: Algorithms and Hardware Designs.1 edn. Oxford University Press, Oxford, UK. (Cited on page 227.)Google Scholar
Pataki, G., and Tural, M. 2008. On sublattice determinants in reduced bases. https://arxiv.org/abs/0804.4014. (Cited on page 38.)Google Scholar
Patarin, J. 1995. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88. Pages 248261 of: Coppersmith, D. (ed.), CRYPTO’95. LNCS, vol. 963. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 331.)Google Scholar
Patarin, J. 1997. The Oil and Vinegar Algorithm for Signatures. Presented at the Dagstuhl Workshop on Cryptography. (Cited on page 331.)Google Scholar
Pohlig, S. C., and Hellman, M. E. 1978. An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance (Corresp.). IEEE Transactions on Information Theory, 24(1), 106110. (Cited on pages 107, 161, 163, and 294.)Google Scholar
Pollard, J. M. 1975. A Monte Carlo Method for Factorization. Nordisk Tidskrift for Informationsbehandling (BIT), 15, 331335. (Cited on page 43.)Google Scholar
Pollard, J. M. 1993. Factoring with Cubic Integers. Lecture Notes in Mathematics, vol. 1554. New York: Springer-Verlag. Pages 410. (Cited on pages 3 and 58.)Google Scholar
Pollard, J. M. 1974. Theorems on Factorization and Primality Testing. Pages 521528 of: Mathematical Proceedings of the Cambridge Philosophical Society, vol. 76. Cambridge University Press, Cambridge, UK. (Cited on pages 43, 67, 142, 161, and 319.)Google Scholar
Pollard, J. M. 1978. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32, 918924. (Cited on pages 108, 160, 163, 294, and 325.)Google Scholar
Pollard, J. M. 2000. Kangaroos, Monopoly and Discrete Logarithms. Journal of Cryptology, 13, 437447. (Cited on page 325.)Google Scholar
Pomerance, C. 1982. Analysis and Comparison of Some Integer Factoring Algorithms. Pages 89139 of: Lenstra, H. W. Jr, and Tijdeman, R. (eds.), Computational Methods in Number Theory, Part 1. Mathematical Centre Tracts, vol. 154. (Cited on pages 3, 53, and 57.)Google Scholar
Pomerance, C. 1994. The Number Field Sieve. Pages 465480 of: Mathematics of Computation 1943–1993: a Half-Century of Computational Mathematics. Proceedings of Symposia in Applied Mathematics, vol. 48. American Mathematics Society, Providence, USA. (Cited on page 58.)Google Scholar
Pomerance, C. 2010. Primality Testing: Variations on a Theme of Lucas. Congressus Numerantium, 201, 301312. (Cited on page 46.)Google Scholar
Pomerance, C., Selfridge, J. L., and Wagstaff, S. S. Jr 1980. The Pseudoprimes to 25 · 109. Mathematics of Computation, 35, 10031026. (Cited on page 46.)Google Scholar
Pomerance, C., Smith, J. W., and Wagstaff, S. S. 1983. New Ideas for Factoring Large Integers. Pages 8185 of: Chaum, D. (ed.), CRYPTO’83. Santa Barbara, CA, USA: Plenum Press, New York, USA. (Cited on pages 54 and 323.)Google Scholar
Pornin, T. 2013 (Aug.). Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). RFC 6979. RFC Editor. https://www.rfc-editor.org/info/rfc6979. (Cited on pages 174, 176, and 179.)Google Scholar
Priest, D. M. 1992 (11). On Properties of Floating Point Arithmetics: Numerical Stability and the Cost of Accurate Computations. PhD thesis, University of California, Berkeley. ftp://ftp.icsi.berkeley.edu/pub/theory/priest-thesis.ps.Z. (Cited on page 291.)Google Scholar
Primmer, R., and D’Halluin, C. 2005. Collision and Preimage Resistance of the Centera Content Address. Technical Report: http://citeseerx.ist.psu.edu/viewdoc/download? doi=10.1.1.140.2189&rep=rep1&type=pdf. EMC Corporation. (Cited on page 210.)Google Scholar
Qualys. 2020. SSL Pulse. https://www.ssllabs.com/ssl-pulse/. (Cited on page 144.)Google Scholar
Quisquater, J.-J. 1992. Encoding System According to the So-Called RSA Method, by Means of a Microcontroller and Arrangement Implementing this System. U.S. Patent 5,166,979. (Cited on page 229.)Google Scholar
Quisquater, J.-J., and Standaert, F. 2005. Exhaustive key search of the DES: Updates and refinements. Special-purpose Hardware for Attacking Cryptographic Systems – SHARCS. (Cited on page 316.)Google Scholar
Rabin, M. 1979. Digitized Signatures and Public-Key Functions as Intractable as Factoring. Technical Report LCS/TR-212. M.I.T. Lab for Computer Science. (Cited on page 49.)Google Scholar
Rabin, M. O. 1980. Probabilistic Algorithm for Testing Primality. Journal of Number Theory, 12(1), 128138. (Cited on page 141.)Google Scholar
Rankin, R. A. 1953. On Positive Definite Quadratic Forms. Journal of the London Mathematical Society, s1-28(3), 309314. (Cited on page 18.)Google Scholar
Razavi, K., Gras, B., Bosman, E., Preneel, B., Giuffrida, C., and Bos, H. 2016. Flip Feng Shui: Hammering a Needle in the Software Stack. Pages 118 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on page 163.)Google Scholar
Regev, O. 2005. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. Pages 8493 of: Gabow, H. N., and Fagin, R. (eds.), 37th ACM STOC. Baltimore, MA, USA: ACM Press. (Cited on page 16.)Google Scholar
Regev, O. 2009. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. Journal of the ACM, 56(6), 140. (Cited on page 16.)Google Scholar
Rescorla, E. 2018 (Aug.). The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. RFC Editor. https://www.rfc-editor.org/info/rfc8446. (Cited on pages 155 and 156.)Google Scholar
Rescorla, E. 2015. NSS Accepts Export-Length DHE Keys with Regular DHE Cipher Suites (“Logjam”). https://bugzilla.mozilla.org/show_bug.cgi?id=1138554. (Cited on page 158.)Google Scholar
rico666. 2016. Large Bitcoin Collider. https://lbc.cryptoguru.org/. (Cited on page 177.)Google Scholar
Rieger, G. 2016. Socat security advisory 7 - Created new 2048bit DH modulus. https://www.openwall.com/lists/oss-security/2016/02/01/4. (Cited on page 164.)Google Scholar
Rivest, R. L. 1980. A Description of a Single-Chip Implementation of the RSA Cipher. LAMBDA Mazazine, 1(3), 1418. (Cited on page 226.)Google Scholar
Rivest, R. L., Shamir, A., and Adleman, L. 1983. Cryptographic Communications System and Method. U.S.A. Patent 4,405,829. (Cited on page 227.)Google Scholar
Rivest, R. L., Shamir, A., and Adleman, L. M. 1978. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the Association for Computing Machinery, 21(2), 120126. (Cited on pages 3, 48, 70, 93, 141, 225, 226, 229, 234, and 319.)Google Scholar
Rogaway, P. 2006. Formalizing Human Ignorance. Pages 211228 of: Nguyen, P. Q. (ed.), Progress in Cryptology - VIETCRYPT 06. LNCS, vol. 4341. Hanoi, Vietnam: Springer, Heidelberg, Germany. (Cited on page 183.)Google Scholar
Rubin, K., and Silverberg, A. 2003. Torus-Based Cryptography. Pages 349365 of: Boneh, D. (ed.), CRYPTO 2003. LNCS, vol. 2729. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 124, 125, 126, 128, and 304.)Google Scholar
Rubin, K., and Silverberg, A. 2008. Compression in Finite Fields and Torus-Based Cryptography. SIAM Journal on Computing, 37(5), 14011428. (Cited on page 304.)Google Scholar
Rudd, W. G., Buell, D. A., and Chiarulli, D. M. 1984. A High Performance Factoring Machine. Pages 297300 of: Agrawal, D. P. (ed.), Symposium on Computer Architecture. ACM, New York, USA. (Cited on page 323.)Google Scholar
Sakai, R., Ohgishi, K., and Kasahara, M. 2000 (Jan.). Cryptosystems Based on Pairing. Pages 2628 of: Symposium on Cryptography and Information Security – SCIS. (Cited on page 327.)Google Scholar
Sakemi, Y., Kobayashi, T., Saito, T., and Wahby, R. S. 2020. Pairing-Friendly Curves. Internet-Draft draft-irtf-cfrg-pairing-friendly-curves-08. Internet Engineering Task Force. Work in Progress, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-08. (Cited on page 311.)Google Scholar
Sarkar, P., and Singh, S. 2016. A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm. Pages 3762 of: Cheon, J. H., and Takagi, T. (eds.), ASIACRYPT 2016, Part I. LNCS, vol. 10031. Hanoi, Vietnam: Springer, Heidelberg, Germany. (Cited on page 329.)Google Scholar
Satoh, T., and Araki, K. 1998. Fermat Quotients and the Polynomial Time Discrete Log Algorithm for Anomalous Elliptic Curves. Commentarii mathematici Universitatis Sancti Pauli, 47, 8192. (Cited on page 326.)Google Scholar
Schirokauer, O. 2000. Using Number Fields to Compute Logarithms in Finite Fields. Mathematics of Computation, 69(231), 12671283. (Cited on pages 322 and 329.)Google Scholar
Schneier, B. 2005 (august). The MD5 Defense. Schneier on Security blog. https://www.schneier.com/blog/archives/2005/08/the_md5_defense.html. (Cited on page 210.)Google Scholar
Schnorr, C.-P. 1987. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoretical Computer Science, 53, 201224. (Cited on pages 15, 18, 179, and 330.)Google Scholar
Schnorr, C.-P. 1990a. Efficient Identification and Signatures for Smart Cards. Pages 239252 of: Brassard, G. (ed.), CRYPTO’89. LNCS, vol. 435. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 294.)Google Scholar
Schnorr, C.-P. 1990b. Factoring Integers and Computing Discrete Logarithms via Diophantine Approximation. Pages 171181 of: Advances in Computational Complexity Theory. American Mathematical Society, New York, USA. (Cited on page 76.)Google Scholar
Schnorr, C.-P. 1991a. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3), 161174. (Cited on page 122.)Google Scholar
Schnorr, C.-P. 1991b. Factoring Integers and Computing Discrete Logarithms via Diophantine Approximations. Pages 281293 of: Davies, D. W. (ed.), EUROCRYPT’91. LNCS, vol. 547. Brighton, UK: Springer, Heidelberg, Germany. (Cited on page 76.)Google Scholar
Schnorr, C. 1994. Block Reduced Lattice Bases and Successive Minima. Combinatorics, Probability & Computing, 3, 507522. (Cited on page 19.)Google Scholar
Schnorr, C. 2003. Lattice Reduction by Random Sampling and Birthday Methods. Pages 145156 of: Alt, H., and Habib, M. (eds.), Symposium on Theoretical Aspects of Computer Science – STACS. LNCS, vol. 2607. Springer, Heidelberg, Germany. (Cited on page 21.)Google Scholar
Schnorr, C., and Euchner, M. 1991. Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems. Pages 6885 of: Budach, L. (ed.), Fundamentals of Computation Theory – FCT. LNCS, vol. 529. Springer, Heidelberg, Germany. (Cited on pages 290 and 291.)Google Scholar
Schnorr, C., and Euchner, M. 1994. Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems. Mathematical Programming, 66, 181199. (Cited on pages 15, 18, and 179.)Google Scholar
Schönhage, A., and Strassen, V. 1971. Schnelle Multiplikation großer Zahlen. Computing, 7(3-4), 281292. (Cited on page 271.)Google Scholar
Schoof, R. 1995. Counting Points on Elliptic Curves over Finite Fields. Journal de théorie des nombres de Bordeaux, 7(1), 219254. (Cited on pages 112 and 295.)Google Scholar
Scientific Working Group on Digital Evidence. 2019 (September). SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics. (Cited on page 209.)Google Scholar
Scott, M., and Barreto, P. S. L. M. 2004. Compressed Pairings. Pages 140156 of: Franklin, M. (ed.), CRYPTO 2004. LNCS, vol. 3152. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 309.)Google Scholar
SECG. 2000. SEC 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography Group, Certicom Corp. (Cited on pages 172 and 175.)Google Scholar
Secure Sockets Layer. 2015. Secure Sockets Layer (SSL)/Transport Layer Security (TLS). http://www.spiegel.de/media/media-35511.pdf. (Cited on page 154.)Google Scholar
Semaev, I. A. 1998. Evaluation of Discrete Logarithms in a Group of p-torsion Points of an Elliptic Curve in Characteristic p. Mathematics of Computation, 67(221), 353356. (Cited on pages 121 and 326.)Google Scholar
Semaev, I. 2004. Summation Polynomials and the Discrete Logarithm Problem on Elliptic Curves. Cryptology ePrint Archive, Report 2004/031. http://eprint.iacr.org/2004/031. (Cited on pages 117 and 326.)Google Scholar
Shallit, J., Williams, H. C., and Morain, F. 1995. Discovery of a Lost Factoring Machine. The Mathematical Intelligencer, 4147. (Cited on page 323.)Google Scholar
Shamir, A. 1979. Factoring Numbers in O(log n) Arithmetic Steps. Information Processing Letters, 8, 2831. (Cited on page 69.)Google Scholar
Shamir, A. 1999. Factoring Large Numbers with the Twinkle Device (Extended Abstract). Pages 212 of: Koç, Çetin Kaya., and Paar, C. (eds.), CHES’99. LNCS, vol. 1717. Worcester, Massachusetts, USA: Springer, Heidelberg, Germany. (Cited on pages 62 and 324.)Google Scholar
Shamir, A., and Tromer, E. 2003. Factoring Large Number with the TWIRL Device. Pages 126 of: Boneh, D. (ed.), CRYPTO 2003. LNCS, vol. 2729. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 324.)Google Scholar
Shanks, D. 1971. Class Number, a Theory of Factorization, and Genera. Pages 415440 of: 1969 Number Theory Institute (Proceedings of Symposia in Pure Mathematics, Vol. XX, State University New York, Stony Brook, NY, 1969). American Mathematical Society, New York, USA. (Cited on pages 68, 294, and 319.)Google Scholar
Sherman, A. T. 1989. VLSI Placement and Routing: The PI Project. Springer-Verlag New York. (Cited on page 227.)Google Scholar
Shirase, M., Han, D.-G., Hibino, Y., Kim, H. W., and Takagi, T. 2007. Compressed XTR. Pages 420431 of: Katz, J., and Yung, M. (eds.), ACNS 07. LNCS, vol. 4521. Zhuhai, China: Springer, Heidelberg, Germany. (Cited on page 310.)Google Scholar
Shirase, M., Han, D., Hibino, Y., Kim, H., and Takagi, T. 2008. A More Compact Representation of XTR Cryptosystem. IEICE Fundamentals of Electronics, Communications and Computer Sciences, 91-A(10), 28432850. (Cited on page 310.)Google Scholar
Shor, P. W. 1994. Algorithms for Quantum Computation: Discrete Logarithms and Factoring. Pages 124134 of: 35th FOCS. Santa Fe, NM, USA: IEEE Computer Society Press. (Cited on pages 77 and 329.)Google Scholar
Shor, P. W. 1997. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Journal on Computing, 26(5), 14841509. (Cited on page 139.)Google Scholar
Shoup, V. 1993. Factoring Polynomials over Finite Fields: Asymptotic Complexity vs. Reality. Pages 124129 of: Proceedings of the IMACS Symposium. (Cited on page 253.)Google Scholar
Shoup, V. 1995. A New Polynomial Factorization Algorithm and its Implementation. Journal of Symbolic Computation, 20, 363397. (Cited on page 277.)Google Scholar
Shoup, V. 1997. Lower Bounds for Discrete Logarithms and Related Problems. Pages 256266 of: Fumy, W. (ed.), EUROCRYPT’97. LNCS, vol. 1233. Konstanz, Germany: Springer, Heidelberg, Germany. (Cited on page 107.)Google Scholar
Shoup, V. 2001a. OAEP Reconsidered. Pages 239259 of: Kilian, J. (ed.), CRYPTO 2001. LNCS, vol. 2139. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 79 and 86.)Google Scholar
Shoup, V. 2001b. A Proposal for an ISO Standard for Public Key Encryption (version 2.1),. https://www.shoup.net/papers/iso-2_1.pdf. (Cited on page 154.)Google Scholar
Sica, F., Ciet, M., and Quisquater, J.-J. 2003. Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves. Pages 2136 of: Nyberg, K., and Heys, H. M. (eds.), SAC 2002. LNCS, vol. 2595. St. John's, Newfoundland, Canada: Springer, Heidelberg, Germany. (Cited on page 301.)Google Scholar
Silverman, R. D., and Wagstaff, S. S. Jr 1993. A Practical Analysis of the Elliptic Curve Factoring Algorithm. Mathematics of Computation, 61, 445462. (Cited on page 66.)Google Scholar
Silverman, R. D. 1987. The Multiple Polynomial Quadratic Sieve. Mathematics of Computation, 48, 329339. (Cited on pages 57 and 319.)Google Scholar
Singh, S. 1999. The Code Book: The Secret History of Codes and Code-Breaking. Fourth Estate, New York, USA. (Cited on page 226.)Google Scholar
Smart, N. P. 2014. Algorithms, Key Size and Parameters Report. Technical Report. European Union Agency for Network and Information Security (ENISA). http://www.enisa.europa.eu. (Cited on pages 235 and 236.)Google Scholar
Smart, N. P. 1999. The Discrete Logarithm Problem on Elliptic Curves of Trace One. Journal of Cryptology, 12(3), 193196. (Cited on pages 121 and 326.)Google Scholar
Smeets, I., Lenstra, A. K., Lenstra, H., Lovász, L., and van Emde Boas, P. 2010. The History of the LLL-Algorithm. In: [457]. (Cited on page 79.)Google Scholar
Smith, J. W., and Wagstaff, S. S. Jr 1983. An Extended Precision Operand Computer. Pages 209216 of: Proceedings of the Twenty-First Southeast Region ACM Conference. ACM, New York, USA. (Cited on page 54.)Google Scholar
Smith, P., and Skinner, C. 1995. A Public-Key Cryptosystem and a Digital Signature System Based on the Lucas Function Analogue to Discrete Logarithms. Pages 357364 of: Pieprzyk, J., and Safavi-Naini, R. (eds.), ASIACRYPT’94. LNCS, vol. 917. Wollongong, Australia: Springer, Heidelberg, Germany. (Cited on pages 122 and 298.)Google Scholar
Smith, P. J., and Lennon, M. J. J. 1993. LUC: A New Public Key System. Pages 103117 of: Dougall, E. G. (ed.), Computer Security, Proceedings of the IFIP TC11, Conference on Information Security, IFIP/Sec. IFIP Transactions, vol. A-37. North-Holland. (Cited on page 298.)Google Scholar
Solinas, J. A. 1999. Generalized Mersenne numbers. Technical Report CORR 99-39. Centre for Applied Cryptographic Research. http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-39.pdf. (Cited on pages 238 and 239.)Google Scholar
Sotirov, A. 2012 (June). Analyzing the MD5 Collision in Flame. SummerCon 2020, New York, USA, https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf. (Cited on pages 198 and 199.)Google Scholar
Springall, D., Durumeric, Z., and Halderman, J. A. 2016. Measuring the Security Harm of TLS Crypto Shortcuts. Pages 3347 of: Proceedings of the 2016 Internet Measurement Conference. IMC 2016. New York, NY, USA: Association for Computing Machinery. (Cited on page 161.)Google Scholar
Stam, M. 2003. Speeding Up Subgroup Cryptosystems. PhD thesis, Technische Universiteit Eindhoven. (Cited on pages 298, 300, 301, and 302.)Google Scholar
Stam, M., and Lenstra, A. K. 2001. Speeding Up XTR. Pages 125143 of: Boyd, C. (ed.), ASIACRYPT 2001. LNCS, vol. 2248. Gold Coast, Australia: Springer, Heidelberg, Germany. (Cited on pages 4, 300, and 301.)Google Scholar
Stam, M., and Lenstra, A. K. 2003. Efficient Subgroup Exponentiation in Quadratic and Sixth Degree Extensions. Pages 318332 of: Kaliski, B. S. Jr, Koç, Ç. K., and Paar, C. (eds.), CHES 2002. LNCS, vol. 2523. Redwood Shores, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 4, 306, and 307.)Google Scholar
Stehlé, D., Steinfeld, R., Tanaka, K., and Xagawa, K. 2009. Efficient Public Key Encryption Based on Ideal Lattices. Pages 617635 of: Matsui, M. (ed.), ASIACRYPT 2009. LNCS, vol. 5912. Tokyo, Japan: Springer, Heidelberg, Germany. (Cited on page 16.)Google Scholar
Stein, W. 2019. Sage Mathematics Software Version 9.0. The Sage Development Team. http://www.sagemath.org. (Cited on page 20.)Google Scholar
Stevens, D. 2009a. http://blog.didierstevens.com/2009/01/17/. (Cited on page 208.)Google Scholar
Stevens, M. 2006. Fast Collision Attack on MD5. Cryptology ePrint Archive, Report 2006/104. http://eprint.iacr.org/2006/104. (Cited on page 184.)Google Scholar
Stevens, M. 2007 (June). On Collisions for MD5. MPhil thesis, Eindhoven University of Technology. (Cited on page 184.)Google Scholar
Stevens, M. 2009b (June). GitHub: Project HashClash - MD5 & SHA-1 cryptanalysis. https://github.com/cr-marcstevens/hashclash. (Cited on pages 189, 200, 201, 203, and 217.)Google Scholar
Stevens, M. 2012 (June). Attacks on Hash Functions and Applications. PhD thesis, Leiden University. (Cited on page 189.)Google Scholar
Stevens, M. 2013a. Counter-Cryptanalysis. Pages 129146 of: Canetti, R., and Garay, J. A. (eds.), CRYPTO 2013, Part I. LNCS, vol. 8042. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 200, 212, and 219.)Google Scholar
Stevens, M. 2013b. New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis. Pages 245261 of: Johansson, T., and Nguyen, P. Q. (eds.), EUROCRYPT 2013. LNCS, vol. 7881. Athens, Greece: Springer, Heidelberg, Germany. (Cited on page 185.)Google Scholar
Stevens, M., Lenstra, A. K., and de Weger, B. 2007a. Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. Pages 122 of: Naor, M. (ed.), EUROCRYPT 2007. LNCS, vol. 4515. Barcelona, Spain: Springer, Heidelberg, Germany. (Cited on pages 6, 184, 186, 189, 191, 192, 217, 219, and 317.)Google Scholar
Stevens, M., Lenstra, A., and de Weger, B. 2007b. Predicting the Winner of the 2008 US Presidential Elections Using a Sony PlayStation 3. http://www.win.tue.nl/hashclash/Nostradamus/. (Cited on page 206.)Google Scholar
Stevens, M., Lenstra, A., and de Weger, B. 2007c. Vulnerability of Software Integrity and Code Signing. http://www.win.tue.nl/hashclash/SoftIntCodeSign/. (Cited on page 208.)Google Scholar
Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A. K., Molnar, D., Osvik, D. A., and de Weger, B. 2009. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. Pages 5569 of: Halevi, S. (ed.), CRYPTO 2009. LNCS, vol. 5677. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 6, 184, 188, 189, 191, 201, 212, 217, and 220.)Google Scholar
Stevens, M., Lenstra, A. K., and Weger, B. D. 2012. Chosen-prefix Collisions for MD5 and Applications. International Journal of Applied Cryptography, 2(4), 322359. (Cited on pages 6, 205, and 206.)Google Scholar
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., and Markov, Y. 2017. The First Collision for Full SHA-1. Pages 570596 of: Katz, J., and Shacham, H. (eds.), CRYPTO 2017, Part I. LNCS, vol. 10401. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 185, 189, and 201.)Google Scholar
Strassen, V. 1976/77. Einige Resultate über Berechnungskomplexität. Jahresbericht der Deutschen Mathematiker-Vereinigung, 78, 18. (Cited on page 67.)Google Scholar
Strassen, V. 1969. Gaussian Elimination is not Optimal. Numerische Mathematik, 13, 354356. (Cited on page 286.)Google Scholar
Svenda, P., Nemec, M., Sekan, P., Kvasnovský, R., Formánek, D., Komárek, D., and Matyás, V. 2016. The Million-Key Question - Investigating the Origins of RSA Public Keys. Pages 893910 of: Holz, T., and Savage, S. (eds.), USENIX Security 2016. Austin, TX, USA: USENIX Association. (Cited on pages 142 and 149.)Google Scholar
Takayasu, A., and Kunihiro, N. 2014. Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound. Pages 345362 of: Joux, A., and Youssef, A. M. (eds.), SAC 2014. LNCS, vol. 8781. Montreal, QC, Canada: Springer, Heidelberg, Germany. (Cited on page 98.)Google Scholar
Takayasu, A., and Kunihiro, N. 2015. Partial Key Exposure Attacks on CRT-RSA: Better Cryptanalysis to Full Size Encryption Exponents. Pages 518537 of: Malkin, T., Kolesnikov, V., Lewko, A. B., and Polychronakis, M. (eds.), ACNS 15. LNCS, vol. 9092. New York, NY, USA: Springer, Heidelberg, Germany. (Cited on page 98.)Google Scholar
Takayasu, A., and Kunihiro, N. 2016. How to Generalize RSA Cryptanalyses. Pages 6797 of: Cheng, C.-M., Chung, K.-M., Persiano, G., and Yang, B.-Y. (eds.), PKC 2016, Part II. LNCS, vol. 9615. Taipei, Taiwan: Springer, Heidelberg, Germany. (Cited on pages 98 and 103.)Google Scholar
Takayasu, A., and Kunihiro, N. 2017. A Tool Kit for Partial Key Exposure Attacks on RSA. Pages 5873 of: Handschuh, H. (ed.), CT-RSA 2017. LNCS, vol. 10159. San Francisco, CA, USA: Springer, Heidelberg, Germany. (Cited on page 98.)Google Scholar
Takayasu, A., Lu, Y., and Peng, L. 2017. Small CRT-Exponent RSA Revisited. Pages 130159 of: Coron, J.-S., and Nielsen, J. B. (eds.), EUROCRYPT 2017, Part II. LNCS, vol. 10211. Paris, France: Springer, Heidelberg, Germany. (Cited on pages 80 and 100.)Google Scholar
Takayasu, A., Lu, Y., and Peng, L. 2019. Small CRT-Exponent RSA Revisited. Journal of Cryptology, 32(4), 13371382. (Cited on pages 100 and 103.)Google Scholar
Team, B. 2015. Android Wallet Security Update. https://blog.blockchain.com/2015/05/28/android-wallet-security-update/. (Cited on page 179.)Google Scholar
thatch45, and basepi. 2013. Change key generation seq. https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc. (Cited on page 145.)Google Scholar
The FPLLL Development Team. 2019a. FPLLL, a Lattice Reduction Library. Available at https://github.com/fplll/fplll. (Cited on pages 20 and 291.)Google Scholar
The FPLLL Development Team. 2019b. FPyLLL, a Python Interface to FPLLL. Available at https://github.com/fplll/fpylll. (Cited on page 24.)Google Scholar
The Washington Post. 2012 (June). U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say. Ellen Nakashima, Greg Miller and Julie Tate (http://articles.washingtonpost.com/2012-06-19/world/35460741_1_stuxnet-computer-virus-malware). (Cited on page 198.)Google Scholar
tranogatha. 2015. Establish deprecation date for DHE cipher suites in WebRTC. https://bugzilla.mozilla.org/show_bug.cgi?id=1227519. (Cited on pages 158 and 170.)Google Scholar
Trappe, W., and Washington, L. C. 2002. Introduction to Cryptography with Coding Theory. Prentice Hall, Hoboken, NJ, USA. (Cited on page 67.)Google Scholar
Tsiounis, Y., and Yung, M. 1998. On the Security of ElGamal Based Encryption. Pages 117134 of: Imai, H., and Zheng, Y. (eds.), PKC’98. LNCS, vol. 1431. Pacifico Yokohama, Japan: Springer, Heidelberg, Germany. (Cited on page 295.)Google Scholar
Valenta, L., Cohney, S., Liao, A., Fried, J., Bodduluri, S., and Heninger, N. 2016. Factoring as a Service. Pages 321338 of: Grossklags, J., and Preneel, B. (eds.), FC 2016. LNCS, vol. 9603. Christ Church, Barbados: Springer, Heidelberg, Germany. (Cited on pages 143 and 144.)Google Scholar
Valenta, L., Adrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman, J. A., and Heninger, N. 2017. Measuring Small Subgroup Attacks against Diffie-Hellman. In: NDSS 2017. San Diego, CA, USA: The Internet Society. (Cited on pages 160, 162, 164, 165, 166, 167, 172, and 173.)Google Scholar
van der Hoeven, J. 2004. The Truncated Fourier Transform and Applications. Pages 290296 of: Gutierrez, J. (ed.), Proceedings of the International Symposium on Symbolic and Algebraic Computation, ISSAC’04. New York, NY, USA: Association for Computing Machinery. (Cited on page 267.)Google Scholar
van der Hoeven, J., and Lecerf, G. 2020. Fast multivariate multi-point evaluation revisited. Journal of Complexity, 56, 101405. (Cited on page 278.)Google Scholar
van Dijk, M., and Woodruff, D. P. 2004. Asymptotically Optimal Communication for Torus-Based Cryptography. Pages 157178 of: Franklin, M. (ed.), CRYPTO 2004. LNCS, vol. 3152. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 305, 311, and 313.)Google Scholar
van Dijk, M., Granger, R., Page, D., Rubin, K., Silverberg, A., Stam, M., and Woodruff, D. P. 2005. Practical Cryptography in High Dimensional Tori. Pages 234250 of: Cramer, R. (ed.), EUROCRYPT 2005. LNCS, vol. 3494. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on pages 130 and 306.)Google Scholar
van Hoeij, M. 2002. Factoring Polynomials and the Knapsack Problem. Journal of Number Theory, 95(2), 167189. (Cited on page 290.)Google Scholar
van Oorschot, P. C., and Wiener, M. J. 1994. Parallel Collision Search with Application to Hash Functions and Discrete Logarithms. Pages 210218 of: Denning, D. E., Pyle, R., Ganesan, R., and Sandhu, R. S. (eds.), ACM CCS 94. Fairfax, VA, USA: ACM Press. (Cited on page 295.)Google Scholar
van Oorschot, P. C., and Wiener, M. J. 1996. On Diffie-Hellman Key Agreement with Short Exponents. Pages 332343 of: Maurer, U. M. (ed.), EUROCRYPT’96. LNCS, vol. 1070. Saragossa, Spain: Springer, Heidelberg, Germany. (Cited on page 163.)Google Scholar
van Oorschot, P. C., and Wiener, M. J. 1999. Parallel Collision Search with Cryptanalytic Applications. Journal of Cryptology, 12(1), 128. (Cited on pages 109, 183, 186, 216, and 325.)Google Scholar
Vandersypen, L. M. K., Steffen, M., Breyta, G., Yannoni, C. S., Sherwood, M. H., and Chuang, I. L. 2001. Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance. Nature, 414(6866), 883887. (Cited on page 330.)Google Scholar
Vanstone, S. A., and Zuccherato, R. J. 1995. Short RSA Keys and Their Generation. Journal of Cryptology, 8(2), 101114. (Cited on page 228.)Google Scholar
Verheul, E. R. 2001. Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems. Pages 195210 of: Pfitzmann, B. (ed.), EUROCRYPT 2001. LNCS, vol. 2045. Innsbruck, Austria: Springer, Heidelberg, Germany. (Cited on page 309.)Google Scholar
Verheul, E. R. 2004. Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems. Journal of Cryptology, 17(4), 277296. (Cited on page 309.)Google Scholar
Villatte, B. 2011. Interview Intégrale du Lauréat de la Polysphère d’Or. (Cited on page 6.)Google Scholar
Voskresenskiĭ, V. E. 1998. Algebraic Groups and Their Birational Invariants. Translations of Mathematical Monographs, 179, American Mathematical Society. (Cited on page 124.)Google Scholar
VPN Exploitation Process. 2010 (Sept.). Intro to the VPN Exploitation Process. Media leak. http://www.spiegel.de/media/media-35515.pdf. (Cited on page 154.)Google Scholar
Wagner, D., and Schneier, B. 1996. Analysis of the SSL 3.0 protocol. In: Tygar, D. (ed.), Proceedings of the Second USENIX Workshop on Electronic Commerce, vol. 1. USENIX Association, Berkeley, CA. (Cited on page 153.)Google Scholar
Wagstaff, S. S. Jr 2013. The Joy of Factoring. Student Mathematical Library, vol. 68. Providence, RI: American Mathematical Society. (Cited on pages 9, 41, and 75.)Google Scholar
Wagstaff, S. S. Jr, and Smith, J. W. 1987. Methods of Factoring Large Integers. Pages 281303 of: Chudnovsky, D. V., Chudnovsky, G. V., Cohn, H., and Nathanson, M. B. (eds.), Number Theory, New York, 1984–1985. Lecture Notes in Mathematics, vol. 1240. Springer, Heidelberg, Germany. (Cited on page 54.)Google Scholar
Walter, C. D. 1999a. Montgomery Exponentiation Needs No Final Subtractions. Electronics Letters, 35(21), 18311832. (Cited on page 234.)Google Scholar
Walter, C. D. 1992. Faster Modular Multiplication by Operand Scaling. Pages 313323 of: Feigenbaum, J. (ed.), CRYPTO’91. LNCS, vol. 576. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 229.)Google Scholar
Walter, C. D. 1999b. Montgomery's Multiplication Technique: How to Make It Smaller and Faster (Invited Talk). Pages 8093 of: Koç, Çetin Kaya., and Paar, C. (eds.), CHES’99. LNCS, vol. 1717. Worcester, Massachusetts, USA: Springer, Heidelberg, Germany. (Cited on page 234.)Google Scholar
Wang, X., and Yu, H. 2005. How to Break MD5 and Other Hash Functions. Pages 1935 of: Cramer, R. (ed.), EUROCRYPT 2005. LNCS, vol. 3494. Aarhus, Denmark: Springer, Heidelberg, Germany. (Cited on pages 183, 184, 189, 200, and 317.)Google Scholar
Wang, X., Yao, A. C., and Yao, F. 2005a. Cryptanalysis on SHA-1. NIST Cryptographic Hash Workshop. http://csrc.nist.gov/groups/ST/hash/documents/Wang_SHA1-New-Result.pdf. (Cited on page 185.)Google Scholar
Wang, X., Yin, Y. L., and Yu, H. 2005b. Finding Collisions in the Full SHA-1. Pages 1736 of: Shoup, V. (ed.), CRYPTO 2005. LNCS, vol. 3621. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on page 185.)Google Scholar
Washington, L. C. 2003. Elliptic Curves: Number Theory and Cryptography. Boca Raton, FL: Chapman & Hall/CRC Press. (Cited on page 67.)Google Scholar
Weimerskirch, A., Stebila, D., and Shantz, S. C. 2003. Generic GF(2m) Arithmetic in Software and Its Application to ECC. Pages 7992 of: Safavi-Naini, R., and Seberry, J. (eds.), ACISP 03. LNCS, vol. 2727. Wollongong, NSW, Australia: Springer, Heidelberg, Germany. (Cited on page 284.)Google Scholar
Wiener, M. J. 1990a. Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory, 36(3), 553558. (Cited on pages 71 and 227.)Google Scholar
Wiener, M. J. 1990b. Cryptanalysis of Short RSA Secret Exponents (Abstract). Page 372 of: Quisquater, J.-J., and Vandewalle, J. (eds.), EUROCRYPT’89. LNCS, vol. 434. Houthalen, Belgium: Springer, Heidelberg, Germany. (Cited on pages 80 and 95.)Google Scholar
Williams, H. C. 1980. A Modification of the RSA Public-Key Encryption Procedure. IEEE Transactions on Information Theory, 26(6), 726729. (Cited on page 49.)Google Scholar
Wilson, K. 2014. Phasing out Certificates with 1024-bit RSA Keys. https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/. (Cited on page 144.)Google Scholar
Wunderer, T. 2019. A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. Journal of Mathemathical Cryptology, 13(1), 126. (Cited on page 26.)Google Scholar
Xie, T., Liu, F., and Feng, D. 2008. Could The 1-MSB Input Difference Be The Fastest Collision Attack For MD5? Cryptology ePrint Archive, Report 2008/391. http://eprint.iacr.org/2008/391. (Cited on page 184.)Google Scholar
Xu, J., Sarkar, S., Hu, L., Wang, H., and Pan, Y. 2019. New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator. Pages 297321 of: Boldyreva, A., and Micciancio, D. (eds.), CRYPTO 2019, Part I. LNCS, vol. 11692. Santa Barbara, CA, USA: Springer, Heidelberg, Germany. (Cited on pages 80, 104, and 105.)Google Scholar
Yilek, S., Rescorla, E., Shacham, H., Enright, B., and Savage, S. 2009. When Private Keys Are Public: Results from the 2008 Debian OpenSSL Vulnerability. Pages 1527 of: Feldmann, A., and Mathy, L. (eds.), Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement. IMC ’09. New York, NY, USA: Association for Computing Machinery. (Cited on pages 146 and 147.)Google Scholar
Ylonen, T., and Lonvick, C. 2006 (Jan.). The Secure Shell (SSH) Transport Layer Protocol. RFC 4253. RFC Editor. https://www.rfc-editor.org/info/rfc4253. (Cited on pages 141, 154, 155, 156, 157, 158, and 174.)Google Scholar
Yoshino, M., Okeya, K., and Vuillaume, C. 2007. Double-Size Bipartite Modular Multiplication. Pages 230244 of: Pieprzyk, J., Ghodosi, H., and Dawson, E. (eds.), ACISP 07. LNCS, vol. 4586. Townsville, Australia: Springer, Heidelberg, Germany. (Cited on page 236.)Google Scholar
Yu, Y., and Ducas, L. 2017. Second Order Statistical Behavior of LLL and BKZ. Pages 322 of: Adams, C., and Camenisch, J. (eds.), SAC 2017. LNCS, vol. 10719. Ottawa, ON, Canada: Springer, Heidelberg, Germany. (Cited on page 24.)Google Scholar
Zassenhaus, H. 1969. On Hensel Factorization, I. Journal of Number Theory, 1(3), 291311. (Cited on page 290.)Google Scholar
Zhang, Z., Chen, C., Hoffstein, J., Whyte, W., Schanck, J. M., Hulsing, A., Rijneveld, J., Schwabe, P., and Danba, O. 2019. NTRUEncrypt. Technical Report. National Institute of Standards and Technology. Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions. (Cited on page 35.)Google Scholar
Zimmermann, P., and Dodson, B. 2006. 20 Years of ECM. Pages 525542 of: Algorithmic Number Theory, Proceedings ANTS 2006. LNCS, vol. 4076. Berlin: Springer. (Cited on page 66.)Google Scholar

Save book to Kindle

To save this book to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

  • References
  • Edited by Joppe Bos, Martijn Stam
  • Book: Computational Cryptography
  • Online publication: 11 November 2021
  • Chapter DOI: https://doi.org/10.1017/9781108854207.015
Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

  • References
  • Edited by Joppe Bos, Martijn Stam
  • Book: Computational Cryptography
  • Online publication: 11 November 2021
  • Chapter DOI: https://doi.org/10.1017/9781108854207.015
Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

  • References
  • Edited by Joppe Bos, Martijn Stam
  • Book: Computational Cryptography
  • Online publication: 11 November 2021
  • Chapter DOI: https://doi.org/10.1017/9781108854207.015
Available formats
×