Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.




Table of Contents

Copyright
Hewlett-Packard® Professional Books
A Short Description of the Book
Preface
Scope
Acknowledgements
List of Figures
List of Algorithms, Protocols and Attacks
Part I: Introduction
Chapter 1. Beginning with a Simple Communication Game
Section 1.1. A Communication Game
Section 1.2. Criteria for Desirable Cryptographic Systems and Protocols
Section 1.3. Chapter Summary

Exercises
Chapter 2. Wrestling Between Safeguard and Attack
Section 2.1. Introduction
Section 2.2. Encryption
Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)
Section 2.4. Authentication Servers
Section 2.5. Security Properties for Authenticated Key Establishment
Section 2.6. Protocols for Authenticated Key Establishment Using Encryption
Section 2.7. Chapter Summary
Exercises
Part II: Mathematical Foundations: Standard Notation
Chapter 3. Probability and Information Theory
Section 3.1. Introduction
Section 3.2. Basic Concept of Probability
Section 3.3. Properties
Section 3.4. Basic Calculation
Section 3.5. Random Variables and their Probability Distributions
Section 3.6. Birthday Paradox
Section 3.7. Information Theory


Section 3.8. Redundancy in Natural Languages
Section 3.9. Chapter Summary
Exercises
Chapter 4. Computational Complexity
Section 4.1. Introduction
Section 4.2. Turing Machines
Section 4.3. Deterministic Polynomial Time




Section 4.4. Probabilistic Polynomial Time
Section 4.5. Non-deterministic Polynomial Time
Section 4.6. Non-Polynomial Bounds
Section 4.7. Polynomial-time Indistinguishability
Section 4.8. Theory of Computational Complexity and Modern Cryptography
Section 4.9. Chapter Summary
Exercises
Chapter 5. Algebraic Foundations
Section 5.1. Introduction
Section 5.2. Groups
Section 5.3. Rings and Fields
Section 5.4. The Structure of Finite Fields

Section 5.5. Group Constructed Using Points on an Elliptic Curve
Section 5.6. Chapter Summary
Exercises
Chapter 6. Number Theory
Section 6.1. Introduction
Section 6.2. Congruences and Residue Classes
Section 6.3. Euler's Phi Function
Section 6.4. The Theorems of Fermat, Euler and Lagrange
Section 6.5. Quadratic Residues
Section 6.6. Square Roots Modulo Integer
Section 6.7. Blum Integers
Section 6.8. Chapter Summary
Exercises
Part III: Basic Cryptographic Techniques
Chapter 7. Encryption — Symmetric Techniques
Section 7.1. Introduction
Section 7.2. Definition
Section 7.3. Substitution Ciphers
Section 7.4. Transposition Ciphers
Section 7.5. Classical Ciphers: Usefulness and Security
Section 7.6. The Data Encryption Standard (DES)
Section 7.7. The Advanced Encryption Standard (AES)
Section 7.8. Confidentiality Modes of Operation
Section 7.9. Key Channel Establishment for Symmetric Cryptosystems
Section 7.10. Chapter Summary
Exercises
Chapter 8. Encryption — Asymmetric Techniques
Section 8.1. Introduction
Section 8.2. Insecurity of "Textbook Encryption Algorithms"

Section 8.3. The Diffie-Hellman Key Exchange Protocol
Section 8.4. The Diffie-Hellman Problem and the Discrete Logarithm Problem


Section 8.5. The RSA Cryptosystem (Textbook Version)
Section 8.6. Cryptanalysis Against Public-key Cryptosystems
Section 8.7. The RSA Problem
Section 8.8. The Integer Factorization Problem
Section 8.9. Insecurity of the Textbook RSA Encryption
Section 8.10. The Rabin Cryptosystem (Textbook Version)
Section 8.11. Insecurity of the Textbook Rabin Encryption



Section 8.12. The ElGamal Cryptosystem (Textbook Version)
Section 8.13. Insecurity of the Textbook ElGamal Encryption
Section 8.14. Need for Stronger Security Notions for Public-key Cryptosystems
Section 8.15. Combination of Asymmetric and Symmetric Cryptography
Section 8.16. Key Channel Establishment for Public-key Cryptosystems
Section 8.17. Chapter Summary
Exercises
Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions

Section 9.1. Introduction
Section 9.2. The RSA Bit
Section 9.3. The Rabin Bit
Section 9.4. The ElGamal Bit

Section 9.5. The Discrete Logarithm Bit
Section 9.6. Chapter Summary
Exercises
Chapter 10. Data Integrity Techniques
Section 10.1. Introduction
Section 10.2. Definition
Section 10.3. Symmetric Techniques
Section 10.4. Asymmetric Techniques I: Digital Signatures
Section 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification
Section 10.6. Chapter Summary
Exercises
Part IV: Authentication
Chapter 11. Authentication Protocols — Principles
Section 11.1. Introduction
Section 11.2. Authentication and Refined Notions
Section 11.3. Convention
Section 11.4. Basic Authentication Techniques
Section 11.5. Password-based Authentication
Section 11.6. Authenticated Key Exchange Based on Asymmetric Cryptography
Section 11.7. Typical Attacks on Authentication Protocols
Section 11.8. A Brief Literature Note
Section 11.9. Chapter Summary
Exercises
Chapter 12. Authentication Protocols — The Real World

Section 12.1. Introduction
Section 12.2. Authentication Protocols for Internet Security
Section 12.3. The Secure Shell (SSH) Remote Login Protocol
Section 12.4. The Kerberos Protocol and its Realization in Windows 2000
Section 12.5. SSL and TLS
Section 12.6. Chapter Summary
Exercises


Chapter 13. Authentication Framework for Public-Key Cryptography
Section 13.1. Introduction
Section 13.2. Directory-Based Authentication Framework
Section 13.3. Non-Directory Based Public-key Authentication Framework
Section 13.4. Chapter Summary
Exercises
Part V: Formal Approaches to Security Establishment



Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems
Section 14.1. Introduction
Section 14.2. A Formal Treatment for Security
Section 14.3. Semantic Security — the Debut of Provable Security
Section 14.4. Inadequacy of Semantic Security
Section 14.5. Beyond Semantic Security
Section 14.6. Chapter Summary
Exercises
Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems
Section 15.1. Introduction
Section 15.2. The Optimal Asymmetric Encryption Padding
Section 15.3. The Cramer-Shoup Public-key Cryptosystem

Section 15.4. An Overview of Provably Secure Hybrid Cryptosystems
Section 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems
Section 15.6. Chapter Summary
Section 15.7. Exercises
Chapter 16. Strong and Provable Security for Digital Signatures
Section 16.1. Introduction
Section 16.2. Strong Security Notion for Digital Signatures
Section 16.3. Strong and Provable Security for ElGamal-family Signatures
Section 16.4. Fit-for-application Ways for Signing in RSA and Rabin
Section 16.5. Signcryption
Section 16.6. Chapter Summary
Section 16.7. Exercises
Chapter 17. Formal Methods for Authentication Protocols Analysis
Section 17.1. Introduction
Section 17.2. Toward Formal Specification of Authentication Protocols
Section 17.3. A Computational View of Correct Protocols — the Bellare-Rogaway Model
Section 17.4. A Symbolic Manipulation View of Correct Protocols
Section 17.5. Formal Analysis Techniques: State System Exploration
Section 17.6. Reconciling Two Views of Formal Techniques for Security
Section 17.7. Chapter Summary
Exercises
Part VI: Cryptographic Protocols
Chapter 18. Zero-Knowledge Protocols
Section 18.1. Introduction
Section 18.2. Basic Definitions

Section 18.3. Zero-knowledge Properties
Section 18.4. Proof or Argument?
Section 18.5. Protocols with Two-sided-error
Section 18.6. Round Efficiency
Section 18.7. Non-interactive Zero-knowledge
Section 18.8. Chapter Summary


Exercises
Chapter 19. Returning to "Coin Flipping Over Telephone"
Section 19.1. Blum's "Coin-Flipping-By-Telephone" Protocol
Section 19.2. Security Analysis
Section 19.3. Efficiency
Section 19.4. Chapter Summary
Chapter 20. Afterremark



Bibliography


Copyright
Library of Congress Cataloging-in-Publication Data
A CIP catalog record for this book can be obtained from the Library of Congress.

Editorial/production supervision: Mary Sudul
Cover design director: Jerry Votta
Cover design: Talar Boorujy
Manufacturing manager: Maura Zaldivar
Acquisitions editor: Jill Harry
Marketing manager: Dan DePasquale
Publisher, Hewlett-Packard Books: Walter Bruce

© 2004 by Hewlett-Packard Company
Published by Prentice Hall PTR
Prentice-Hall, Inc.
Upper Saddle River, New Jersey 07458

Prentice Hall books are widely used by corporations and government agencies for training, marketing, and resale.
The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141; E-mail:
Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ 07458.
Other product or company names mentioned herein are the trademarks or registered trademarks of their respective owners.
All rights reserved. No part of this book may be reproduced, in any form or by any means, without permission in writing from the publisher.
Printed in the United States of America
1st Printing

Pearson Education LTD.
Pearson Education Australia PTY, Limited
Pearson Education Singapore, Pte. Ltd.
Pearson Education North Asia Ltd.
Pearson Education Canada, Ltd.
Pearson Educación de Mexico, S.A. de C.V.
Pearson Education — Japan
Pearson Education Malaysia, Pte. Ltd.


Dedication
To
Ronghui || Yiwei || Yifan




Hewlett-Packard® Professional Books

HP-UX
Fernandez - Configuring CDE
Madell - Disk and File Management Tasks on HP-UX
Olker - Optimizing NFS Performance
Poniatowski - HP-UX 11i Virtual Partitions
Poniatowski - HP-UX 11i System Administration Handbook and Toolkit, Second Edition
Poniatowski - The HP-UX 11.x System Administration Handbook and Toolkit
Poniatowski - HP-UX 11.x System Administration "How To" Book
Poniatowski - HP-UX 10.x System Administration "How To" Book
Poniatowski - HP-UX System Administration Handbook and Toolkit
Poniatowski - Learning the HP-UX Operating System
Rehman - HP Certified: HP-UX System Administration
Sauers/Weygant - HP-UX Tuning and Performance
Weygant - Clusters for High Availability, Second Edition
Wong - HP-UX 11i Security

UNIX, LINUX, WINDOWS, AND MPE I/X
Mosberger/Eranian - IA-64 Linux Kernel
Poniatowski - UNIX User's Handbook, Second Edition
Stone/Symons - UNIX Fault Management

COMPUTER ARCHITECTURE
Evans/Trimper - Itanium Architecture for Programmers
Kane - PA-RISC 2.0 Architecture
Markstein - IA-64 and Elementary Functions

NETWORKING/COMMUNICATIONS
Blommers - Architecting Enterprise Solutions with UNIX Networking
Blommers - OpenView Network Node Manager
Blommers - Practical Planning for Network Growth
Brans - Mobilize Your Enterprise
Cook - Building Enterprise Information Architecture
Lucke - Designing and Implementing Computer Workgroups
Lund - Integrating UNIX and PC Network Operating Systems

SECURITY
Bruce - Security in Distributed Computing
Mao - Modern Cryptography: Theory and Practice
Pearson et al. - Trusted Computing Platforms
Pipkin - Halting the Hacker, Second Edition
Pipkin - Information Security

WEB/INTERNET CONCEPTS AND PROGRAMMING
Amor - E-business (R)evolution, Second Edition
Apte/Mehta - UDDI
Mowbrey/Werry - Online Communities
Tapadiya - .NET Programming

OTHER PROGRAMMING
Blinn - Portable Shell Programming
Caruso - Power Programming in HP Open View
Chaudhri - Object Databases in Practice
Chew - The Java/C++ Cross Reference Handbook
Grady - Practical Software Metrics for Project Management and Process Improvement
Grady - Software Metrics
Grady - Successful Software Process Improvement
Lewis - The Art and Science of Smalltalk
Lichtenbelt - Introduction to Volume Rendering
Mellquist - SNMP++
Mikkelsen - Practical Software Configuration Management
Norton - Thread Time
Tapadiya - COM+ Programming
Yuan - Windows 2000 GDI Programming

STORAGE
Thornburgh - Fibre Channel for Mass Storage
Thornburgh/Schoenborn - Storage Area Networks
Todman - Designing Data Warehouses

IT/IS
Missbach/Hoffman - SAP Hardware Solutions

IMAGE PROCESSING
Crane - A Simplified Approach to Image Processing
Gann - Desktop Scanners





A Short Description of the Book
Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.


Preface
Our society has entered an era where commerce activities, business transactions and
government services have been, and more and more of them will be, conducted and offered over
open
computer
and
communications networks such as the Internet, in particular, via

Table
of Contents

WorldWideWeb-based
tools.
Modern Cryptography: Theory
and Doing
Practicethings online has a great advantage of an always-on
availability to people in any corner of the world. Here are a few examples of things that have
ByWenbo Mao Hewlett-Packard Company
been, can or will be done online:
Publisher:
Prentice
PTR
Banking,
bill Hall
payment,

home shopping, stock trading, auctions, taxation, gambling, microelectronic identity, online access to medical records,
virtual
private networking, secure data archival and retrieval, certified delivery of
ISBN: 0-13-066943-1
documents,
fair exchange of sensitive documents, fair signing of contracts, time-stamping,
Pages: 648
notarization, voting, advertising, licensing, ticket booking, interactive games, digital
libraries, digital rights management, pirate tracing, …

payment
pay-per-downloading),
Pub
Date: July (e.g.,
25, 2003


And more can be imagined.
Many cryptographic
schemes
andtransactions
protocols, especially
those
based
onare
public-keycryptography,
Fascinating
commerce
activities,
and services
like
these
only possible if
have basic or so-called
"textbook
crypto"
versions,
as these
versionsare
usually
the subjects
for
communications
over open
networks
can be

conducted
in a secure
manner.
An effective
solution
many
textbooks
on cryptography.
This networks
book takesisadifferent
approach to introducing
to
securing
communications
over open
to apply cryptography.
Encryption, digital
cryptography:
it pays much more
attention tofit-for-application
aspects
of cryptography.
It
signatures,
password-based
user authentication,
are some of the
most basic
cryptographic
explains why

isonly good
in an ideal
world
where
data
are random
techniques
for"textbook
securing crypto"
communications.
However,
as we
shall
witness
many
times inand
thisbad
book,
guys behave
nicely.Itsubtleties
reveals the
of "textbook crypto"
for the real world
bythe
there
are surprising
andgeneral
seriousunfitness
security consequences
in the applications

of even
demonstratingnumerous
on such
schemes,
and systems
under variousrealmost
basic cryptographic attacks
techniques.
Moreover,
for protocols
many "fancier"
applications,
such as many
world in
application
scenarios.
This book
chooses
to introducetechniques
a set of practicalcryptographic
listed
the preceding
paragraph,
the basic
cryptographic
are no longer adequate.
With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services[a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols. These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.

[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (with probability 0.7) which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reports that the cost to financial institutions (in USA) due to electronic identity theft was US $1.4 billion in 2002, and forecasts to grow by a compound annual growth rate of 29%.

In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionals unmatched by an evident shortage of them. As a result, many engineers, who are oriented to application problems and may have little proper training in cryptography and information security, have become "roll-up-sleeves" designers and developers for information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.
The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applying cryptographic algorithms and schemes in the ways they are usually introduced in many cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearances of textbook crypto in serious applications with a "non-negligible probability" have led the author to realize that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.
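As an added illustration of the preface's example (not code from the book): a 4-digit PIN encrypted under raw, deterministic RSA can be reproduced by anyone holding only the public key through trial encryption of the 10,000 candidates, while randomised padding (a much-simplified stand-in for OAEP, which the book treats as Algorithm 10.6) makes that check come up empty. The key material is toy-sized and constructed here, and leaks_small_plaintext is a hypothetical audit helper, not an API of any library.

```python
"""Why "textbook" RSA is unfit for encrypting a small secret such as a PIN.

Raw RSA is deterministic: equal plaintexts give equal ciphertexts, so a
ciphertext of a low-entropy value can be matched by re-encrypting every
candidate with the public key. Fresh randomness in the plaintext removes
the property the match relies on. Toy parameters, constructed for the demo.
"""
import secrets
from typing import Callable, Optional

# Constructed toy key: two Mersenne primes give a ~92-bit modulus.
# A real RSA modulus is 2048 bits or more; the arithmetic is identical.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PIN_BITS = 14       # a 4-digit PIN (0..9999) fits in 14 bits
RAND_BITS = 64      # fresh randomness mixed into every padded encryption


def rsa_raw(x: int, exp: int) -> int:
    """Raw RSA: x^exp mod N, used for both directions."""
    return pow(x, exp, N)


def textbook_encrypt(pin: int) -> int:
    """'Textbook' use: the bare PIN is the RSA plaintext. Deterministic."""
    return rsa_raw(pin, E)


def textbook_decrypt(c: int) -> int:
    return rsa_raw(c, D)


def padded_encrypt(pin: int) -> int:
    """Randomised use: prepend fresh random bits before exponentiating.
    Simplified stand-in for OAEP: it shows only the role of randomness,
    not OAEP's actual two-round construction."""
    r = secrets.randbits(RAND_BITS)
    m = (r << PIN_BITS) | pin           # m < 2^78 < N, so no wrap-around
    return rsa_raw(m, E)


def padded_decrypt(c: int) -> int:
    m = rsa_raw(c, D)
    return m & ((1 << PIN_BITS) - 1)    # discard the random prefix


def leaks_small_plaintext(encrypt: Callable[[int], int], c: int,
                          space: int = 10_000) -> Optional[int]:
    """Hypothetical audit check that uses only the public key: does
    re-encrypting each value of a small plaintext space reproduce the
    ciphertext? Returns the matching value, or None. A match means any
    holder of the public key can read the secret; per-encryption
    randomness makes the match vanish (except with probability ~2^-64)."""
    for candidate in range(space):
        if encrypt(candidate) == c:
            return candidate
    return None


if __name__ == "__main__":
    pin = 4321
    c_textbook = textbook_encrypt(pin)
    print("textbook RSA, match found:", leaks_small_plaintext(textbook_encrypt, c_textbook))
    c_padded = padded_encrypt(pin)
    print("randomised padding, match found:", leaks_small_plaintext(padded_encrypt, c_padded))
    print("padded decryption still yields the PIN:", padded_decrypt(c_padded) == pin)
```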
Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:

Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.

Reveal general insecurity of textbook crypto by demonstrating a large number of attacks on and summarizing typical attacking techniques for such systems.

Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.

Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.

Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.


Scope
Modern cryptography is a vast area of study as a result of fast advances made in the past thirty
years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes
and protocols with their strong security properties evidently established.


The book is organized into the following six parts:

Part I This part contains two chapters (1—2) and serves an elementary-level introduction for the book and the areas of cryptography and information security. Chapter 1 begins with a demonstration on the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere.
As an elementary-level introduction, this part is intended for newcomers to the areas.

Part II This part contains four chapters (3—6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations. This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.
Part III This part contains four chapters (7—10) introducing the most basic cryptographic
algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is
for symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considers
an important security quality possessed by the basic and popular asymmetric cryptographic
functions when they are used in an ideal world in which data are random. Finally, Chapter
10 covers data integrity techniques.
Since the schemes and techniques introduced here are the most basic ones, many of them
are in fact in the textbook crypto category and are consequently insecure. While the
schemes are introduced, abundant attacks on many schemes will be demonstrated with
warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and their strong security notions, this textbook
crypto part will still provide these readers with explicit early warning signals on the general
insecurity of textbook crypto.
Part IV This part contains three chapters (11—13) introducing an important notion in
applied cryptography and information security: authentication. These chapters provide a
wide coverage of the topic. Chapter 11 includes technical background, principles, a series of
basic protocols and standards, common attacking tricks and prevention measures. Chapter
12 is a case study for four well-known authentication protocol systems for real world
applications. Chapter 13 introduces techniques which are particularly suitable for open systems which cover up-to-date and novel techniques.
Practitioners, such as information security systems administration staff in an enterprise and
software/hardware developers whose products have security consequences may find this
part helpful.
Part V This part contains four chapters (14—17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions. The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.
Part VI This is the final part of the book. It contains two technical chapters (18—19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.
Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtleties. In addition, a description of a fit-for-application scheme or protocol must also end at an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasonings, deductions and transformations in order to manifest attacks and fixes.

While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be
mastered via light reading, this book, nonetheless, is not one for in-depth research topics which
will only be of interest to specialist cryptographers. The things reported and explained in it are
well-known and quite elementary to cryptographers. The author believes that they can also be
comprehended by non-specialists if the introduction to the subject is provided with plenty of
explanations and examples and is supported by self-contained mathematical background and
reference material.
The book is aimed at the following readers.
Students who have completed, or are near to completion of, first degree courses in
computer, information science or applied mathematics, and plan to pursue a career in
information security. For them, this book may serve as an advanced course in applied
cryptography.
Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbook crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols and so they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.

Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by this population of readers without demanding them to be burdened by theoretical foundations.

New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter into the vast area of study. For them, Parts II, IV, V, and VI constitute a suitable level of literature survey material which can lead them to find further literatures, and can help them to shape and specialize their own research topics.

A cut-down subset of the book (e.g., Parts I, II, III and VI) also forms a suitable course in applied cryptography for undergraduate students in computer science, information science and applied mathematics courses.


Acknowledgements
I am deeply grateful to Feng Bao, Colin Boyd, Richard DeMillo, Steven Galbraith, Dieter Gollmann, Keith Harrison, Marcus Leech, Helger Lipmaa, Hoi-Kwong Lo, Javier Lopez, John Malone-Lee, Cary Meltzer, Christian Paquin, Kenny Paterson, David Pointcheval, Vincent Rijmen, Nigel Smart, David Soldera, Paul van Oorschot, Serge Vaudenay and Stefek Zaba. These people gave generously of their time to review chapters or the whole book and provide invaluable comments, criticisms and suggestions which make the book better.

The book also benefits from the following people answering my questions: Mihir Bellare, Jan Camenisch, Neil Dunbar, Yair Frankel, Shai Halevi, Antoine Joux, Marc Joye, Charlie Kaufman, Adrian Kent, Hugo Krawczyk, Catherine Meadows, Bill Munro, Phong Nguyen, Radia Perlman, Marco Ricca, Ronald Rivest, Steve Schneider, Victor Shoup, Igor Shparlinski and Moti Yung.

I would also like to thank Jill Harry at Prentice-Hall PTR and Susan Wright at HP Professional Books for introducing me to book writing and for the encouragement and professional support they provided during the lengthy period of manuscript writing. Thanks also to Jennifer Blackwell, Robin Carroll, Brenda Mulligan, Justin Somma and Mary Sudul at Prentice-Hall PTR and to Walter Bruce and Pat Pekary at HP Professional Books.

I am also grateful to my colleagues at Hewlett-Packard Laboratories Bristol, including David Ball, Richard Cardwell, Liqun Chen, Ian Cole, Gareth Jones, Stephen Pearson and Martin Sadler for technical and literature services and management support.

Bristol, England

May 2003


List of Figures

2.1  A Simplified Pictorial Description of a Cryptographic System  25
3.1  Binomial Distribution  70
4.1  A Turing Machine  87
4.2  The operation of machine Div3  90
4.3  Bitwise Time Complexities of the Basic Modular Arithmetic Operations  103
4.4  All Possible Moves of a Non-deterministic Turing Machine  124
5.1  Elliptic Curve Group Operation  168
7.1  Cryptographic Systems  208
7.2  Feistel Cipher (One Round)  220
7.3  The Cipher Block Chaining Mode of Operation  233
7.4  The Cipher Feedback Mode of Operation  238
7.5  The Output Feedback Mode of Operation  239
10.1  Data Integrity Systems  299
12.1  An Unprotected IP Packet  390
12.2  The Structure of an Authentication Header and its Position in an IP Packet  392
12.3  The Structure of an Encapsulating Security Payload  393
12.4  Kerberos Exchanges  412
14.1  Summary of the Indistinguishable Attack Games  489
14.2  Reduction from an NM-attack to an IND-attack  495
14.3  Reduction from IND-CCA2 to NM-CCA2  497
14.4  Relations Among Security Notions for Public-key Cryptosystems  498
15.1  Optimal Asymmetric Encryption Padding (OAEP)  503
15.2  OAEP as a Two-round Feistel Cipher  504
15.3  Reduction from Inversion of a One-way Trapdoor Function f to an Attack on the f-OAEP Scheme  511
15.4  Reduction from the DDH Problem to an Attack on the Cramer-Shoup Cryptosystem  532
16.1  Reduction from a Signature Forgery to Solving a Hard Problem  551
16.2  Successful Forking Answers to Random Oracle Queries  553
16.3  The PSS Padding  560
16.4  The PSS-R Padding  563
17.1  The CSP Language  609
17.2  The CSP Entailment Axioms  613





List of Algorithms, Protocols and Attacks

Protocol 1.1: Coin Flipping Over Telephone  5
Protocol 2.1: From Alice To Bob  32
Protocol 2.2: Session Key From Trent  34
Attack 2.1: An Attack on Protocol "Session Key From Trent"  35
Protocol 2.3: Message Authentication  39
Protocol 2.4: Challenge Response (the Needham-Schroeder Protocol)  43
Attack 2.2: An Attack on the Needham-Schroeder Protocol  44
Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol  47
Attack 2.3: An Attack on the Needham-Schroeder Public-key Protocol  50
Algorithm 4.1: Euclid Algorithm for Greatest Common Divisor  93
Algorithm 4.2: Extended Euclid Algorithm  96
Algorithm 4.3: Modular Exponentiation  101
Algorithm 4.4: Searching Through Phone Book (a ZPP Algorithm)  108
Algorithm 4.5: Probabilistic Primality Test (a Monte Carlo Algorithm)  110
Algorithm 4.6: Proof of Primality (a Las Vegas Algorithm)  113
Protocol 4.1: Quantum Key Distribution (an Atlantic City Algorithm)  117
Algorithm 4.7: Random k-bit Probabilistic Prime Generation  121
Algorithm 4.8: Square-Freeness Integer  123
Algorithm 5.1: Random Primitive Root Modulo Prime  166
Algorithm 5.2: Point Multiplication for Elliptic Curve Element  171
Algorithm 6.1: Chinese Remainder  182
Algorithm 6.2: Legendre/Jacobi Symbol  191
Algorithm 6.3: Square Root Modulo Prime (Special Cases)  194
Algorithm 6.4: Square Root Modulo Prime (General Case)  196
Algorithm 6.5: Square Root Modulo Composite  197
Protocol 7.1: A Zero-knowledge Protocol Using Shift Cipher  216
Protocol 8.1: The Diffie-Hellman Key Exchange Protocol  249
Attack 8.1: Man-in-the-Middle Attack on the Diffie-Hellman Key Exchange Protocol  251
Algorithm 8.1: The RSA Cryptosystem  258
Algorithm 8.2: The Rabin Cryptosystem  269
Algorithm 8.3: The ElGamal Cryptosystem  274
Algorithm 9.1: Binary Searching RSA Plaintext Using a Parity Oracle  289
Algorithm 9.2: Extracting Discrete Logarithm Using a Parity Oracle  293
Algorithm 9.3: Extracting Discrete Logarithm Using a "Half-order Oracle"  294
Algorithm 10.1: The RSA Signature Scheme  309
Algorithm 10.2: The Rabin Signature Scheme  312
Algorithm 10.3: The ElGamal Signature Scheme  314
Algorithm 10.4: The Schnorr Signature Scheme  319
Algorithm 10.5: The Digital Signature Standard  320
Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP)  324
Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol  346
Attack 11.1: Wiener's Attack on ISO Public Key Three-Pass Mutual Authentication Protocol  347
Protocol 11.2: The Woo-Lam Protocol  350
Protocol 11.3: Needham's Password Authentication Protocol  352
Protocol 11.4: The S/KEY Protocol  355
Protocol 11.5: Encrypted Key Exchange (EKE)  357
Protocol 11.6: The Station-to-Station (STS) Protocol  361
Protocol 11.7: Flawed "Authentication-only" STS Protocol  363
Attack 11.2: An Attack on the "Authentication-only" STS Protocol  364
Attack 11.3: Lowe's Attack on the STS Protocol (a Minor Flaw)  366
Attack 11.4: An Attack on the S/KEY Protocol  371
Attack 11.5: A Parallel-Session Attack on the Woo-Lam Protocol  372
Attack 11.6: A Reflection Attack on a "Fixed" Version of the Woo-Lam Protocol  374
Protocol 11.8: A Minor Variation of the Otway-Rees Protocol  379
Attack 11.7: An Attack on the Minor Variation of the Otway-Rees Protocol  381
Protocol 12.1: Signature-based IKE Phase 1 Main Mode  397
Attack 12.1: Authentication Failure in Signature-based IKE Phase 1 Main Mode  399
Protocol 12.2: A Typical Run of the TLS Handshake Protocol  421
Algorithm 13.1: Shamir's Identity-based Signature Scheme  437
Algorithm 13.2: The Identity-Based Cryptosystem of Boneh and Franklin  451
Protocol 14.1: Indistinguishable Chosen-plaintext Attack  465
Protocol 14.2: A Fair Deal Protocol for the SRA Mental Poker Game  469
Algorithm 14.1: The Probabilistic Cryptosystem of Goldwasser and Micali  473
Algorithm 14.2: A Semantically Secure Version of the ElGamal Cryptosystem  476
Protocol 14.3: "Lunchtime Attack" (Non-adaptive Indistinguishable Chosen-ciphertext Attack)  483
Protocol 14.4: "Small-hours Attack" (Indistinguishable Adaptive Chosen-ciphertext Attack)  488
Protocol 14.5: Malleability Attack in Chosen-plaintext Mode  491
Algorithm 15.1: The Cramer-Shoup Public-key
Cryptosystem

526

Algorithm 15.2: Product of Exponentiations

529

Algorithm 16.1: The Probabilistic Signature Scheme (PSS)

561


Algorithm 16.2: The Universal RSA-Padding Scheme for
Signature and Encryption

564

Algorithm 16.3: Zheng's Signcryption Scheme SCSI

568

Algorithm 16.4: Two Birds One Stone: RSA-TBOS
Signcryption Scheme

573

Protocol 17.1: The Needham-Schroeder Symmetric-key
Authentication Protocol in Refined Specification

585


Protocol 17.2: The Woo-Lam Protocol in Refined
Specification

586

Protocol 17.3: The Needham-Schroeder Public-key
Authentication Protocol

588


Protocol 17.4: The Needham-Schroeder Public-key
Authentication Protocol in Refined Specification

588



Table of Contents

Protocol
17.5: Another
Refined
Specification
Modern
Cryptography:
Theory and
Practice

of the
Needham-Schroeder Public-key Authentication Protocol

589

Protocol 17.6:MAP1

595

ByWenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR


Protocol 18.1: An Interactive Proof Protocol for Subgroup
Pub Date: July 25, 2003
Membership

623

ISBN: 0-13-066943-1

Protocol
Schnorr's Identification Protocol
Pages:18.2:
648

630

Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for
Quadratic Residuosity

642

Protocol 18.4: ZK Proof that N Has Two Distinct Prime
645
Factors
Many cryptographic schemes and protocols, especially those based on public-keycryptography,
have
basic 18.5:
or so-called
"textbook
Protocol

"Not To
Be Used"crypto" versions, as these versionsare usually
651 the subjects for
many textbooks on cryptography. This book takes adifferent approach to introducing
Protocol 18.6:
Chaum's
ZKmore
Proofattention
of Dis-Log-EQ
Protocol
cryptography:
it pays
much
tofit-for-application
aspects of654
cryptography. It
explains why "textbook crypto" isonly good in an ideal world where data are random and bad
Protocol 19.1: Blum's Coin-Flipping-by-Telephone Protocol
667
guys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world by
demonstratingnumerous attacks on such schemes, protocols and systems under variousrealworld application scenarios. This book chooses to introduce a set of practicalcryptographic
schemes, protocols and systems, many of them standards or de factoones, studies them closely,
explains their working principles, discusses their practicalusages, and examines their strong
(i.e., fit-for-application) security properties, oftenwith security evidence formally established.
The book also includes self-containedtheoretical background material that is the foundation for
modern cryptography.


Part I: Introduction

The first part of this book consists of two introductory chapters. They introduce us to some of the most basic concepts in cryptography and information security, to the environment in which we communicate and handle sensitive information, to several well known figures who act in that environment and the standard modus operandi of some of them who play the role of bad guys, to the culture of the communities for research and development of cryptographic and information security systems, and to the fact of extreme error proneness of these systems.

As an elementary-level introduction, this part is intended for newcomers to the areas.