... decision problem $L_1$ is NP-complete:
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
62 Ch. 2 Mathematical Background
[Figure 2.2 diagram; region labels: co-NP, NPC, NP, P, NP ∩ co-NP]
Figure 2.2: Conjectured ... However, the set $\mathbb{Z}_n^*$ (see Definition 2.124) is a group
of order $\phi(n)$ under the operation of multiplication modulo n, with identity element 1.
... of elements in the factor base (for convenience of notation, let $p_1 = \log_x x$, $p_2 = \log_x (x+$
112 Ch. 3 Number-Theoretic ... problem
The Diffie-Hellman problem is closely related to the well-studied discrete logarithm problem
(DLP) of §3.6. It is of significance to public-key cryptography because i...
... instead of the hypothetical polynomial-time
algorithm for solving the SQROOT problem in the proof.
294 Ch. 8 Public-Key ... modified by adding redundancy, is of great practical
interest.
3 This chosen-ciphertext attack is an execution of the constructive proof of the equivalence of factoring n...
... originator.
1.8 Public-key cryptography
The concept of public-key encryption is simple and elegant, but has far-reaching
consequences.
1.8.1 Public-key encryption
Let $\{E_e : e \in \mathcal{K}\}$ be a set of encryption ... abstract
concepts of this section in mind as concrete methods are presented.
10 Ch. 1 Over...
... follows that the probability of a random monic irreducible polynomial of degree m in $\mathbb{Z}_p[x]$
158 Ch. 4 Public-Key ... expected degree of the irreducible factor of least degree of a random
polynomial of degree m in $\mathbb{Z}_p[x]$ is $O(\lg m)$. Hence for each choice of f(x), the expected
number of times steps...
... that of §5.4.4(iii). In
the former, a sample sequence is divided into m-bit blocks, each of which is further
subdivided into l-bit sub-blocks (for some divisor l of m). The number of m-bit ... 5.7 on
the universality of the next-bit test is due to Yao [1258]. For a proof of Yao’s result, see
Kranakis [710] and §12.2 of Stinson [1178]. A proof of a generalization of Yao’s r...
... size, respectively. The size of table R depends on the desired
bitlength L of the keystream — each 1K byte of keystream requires 16 bytes of R.
Handbook of Applied Cryptography by A. Menezes, ... of the three component LFSRs (i.e., the secret key) can be efficiently
recovered from a known-plaintext segment of length 37n bits.
Another variant of the stop-and-go generator is the...
... time-memory product is $2^{2k+1}$.
7.38 Note (generalized meet-in-the-middle trade-off) Variations of Note 7.37 allow time-space
tradeoffs for meet-in-the-middle key search on any concatenation of L ... strengthened version of
M-209 (C-48) with period exceeding $2.75 \times 10^9$ (with keywheels of 47, 43, 41, 37, 31, 29
pins); CD-55, a pocket-size version of the C-52; and T-55, an on-line versio...