Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edition (Wiley, October 1995, ISBN 0471128457)


Preface

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism—and you still can't open the safe and read the letter—that's security.

For many years, this sort of cryptography was the exclusive domain of the military. The United States' National Security Agency (NSA), and its counterparts in the former Soviet Union, England, France, Israel, and elsewhere, have spent billions of dollars in the very serious game of securing their own communications while trying to break everyone else's. Private individuals, with far less expertise and budget, have been powerless to protect their own privacy against these governments.

During the last 20 years, public academic research in cryptography has exploded. While classical cryptography has been long used by ordinary citizens, computer cryptography was the exclusive domain of the world's militaries since World War II. Today, state-of-the-art computer cryptography is practiced outside the secured walls of the military agencies. The layperson can now employ security practices that can protect against the most powerful of adversaries—security that may protect against military agencies for years to come.

Do average people really need this kind of security? Yes. They may be planning a political campaign, discussing taxes, or having an illicit affair. They may be designing a new product, discussing a marketing strategy, or planning a hostile business takeover. Or they may be living in a country that does not respect the rights of privacy of its citizens. They may be doing something that they feel shouldn't be illegal, but is. For whatever reason, the data and communications are personal, private, and no one else's business.

This book is being published in a tumultuous time. In 1994, the Clinton administration approved the Escrowed Encryption Standard (including the Clipper chip and Fortezza card) and signed the Digital Telephony bill into law. Both of these initiatives try to ensure the government's ability to conduct electronic surveillance.

Some dangerously Orwellian assumptions are at work here: that the government has the right to listen to private communications, and that there is something wrong with a private citizen trying to keep a secret from the government. Law enforcement has always been able to conduct court-authorized surveillance if possible, but this is the first time that the people have been forced to take active measures to make themselves available for surveillance. These initiatives are not simply government proposals in some obscure area; they are preemptive and unilateral attempts to usurp powers that previously belonged to the people.

Clipper and Digital Telephony do not protect privacy; they force individuals to unconditionally trust that the government will respect their privacy. The same law enforcement authorities who illegally tapped Martin Luther King Jr.'s phones can easily tap a phone protected with Clipper. In the recent past, local police authorities have either been charged criminally or sued civilly in numerous jurisdictions—Maryland, Connecticut, Vermont, Georgia, Missouri, and Nevada—for conducting illegal wiretaps. It's a poor idea to deploy a technology that could someday facilitate a police state.

The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics. Encryption is too important to be left solely to governments.

This book gives you the tools you need to protect your own privacy; cryptography products may be declared illegal, but the information will never be.

How to Read This Book

I wrote Applied Cryptography to be both a lively introduction to the field of cryptography and a comprehensive reference. I have tried to keep the text readable without sacrificing accuracy. This book is not intended to be a mathematical text. Although I have not deliberately given any false information, I do play fast and loose with theory. For those interested in formalism, there are copious references to the academic literature.

Chapter 1 introduces cryptography, defines many terms, and briefly discusses precomputer cryptography.

Chapters 2 through 6 (Part I) describe cryptographic protocols: what people can do with cryptography. The protocols range from the simple (sending encrypted messages from one person to another) to the complex (flipping a coin over the telephone) to the esoteric (secure and anonymous digital money exchange). Some of these protocols are obvious; others are almost amazing. Cryptography can solve a lot of problems that most people never realized it could.

Chapters 7 through 10 (Part II) discuss cryptographic techniques. All four chapters in this section are important for even the most basic uses of cryptography. Chapters 7 and 8 are about keys: how long a key should be in order to be secure, how to generate keys, how to store keys, how to dispose of keys, and so on. Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system. Chapter 9 discusses different ways of using cryptographic algorithms, and Chapter 10 gives the odds and ends of algorithms: how to choose, implement, and use algorithms.

Chapters 11 through 23 (Part III) list algorithms. Chapter 11 provides the mathematical background. This chapter is only required if you are interested in public-key algorithms. If you just want to implement DES (or something similar), you can skip ahead. Chapter 12 discusses DES: the algorithm, its history, its security, and some variants. Chapters 13, 14, and 15 discuss other block algorithms; if you want something more secure than DES, skip to the section on IDEA and triple-DES. If you want to read about a bunch of algorithms, some of which may be more secure than DES, read the whole chapter. Chapters 16 and 17 discuss stream algorithms. Chapter 18 focuses on one-way hash functions; MD5 and SHA are the most common, although I discuss many more. Chapter 19 discusses public-key encryption algorithms, Chapter 20 discusses public-key digital signature algorithms, Chapter 21 discusses public-key identification algorithms, and Chapter 22 discusses public-key key exchange algorithms. The important algorithms are RSA, DSA, Fiat-Shamir, and Diffie-Hellman, respectively. Chapter 23 has more esoteric public-key algorithms and protocols; the math in this chapter is quite complicated, so wear your seat belt.

Chapters 24 and 25 (Part IV) turn to the real world of cryptography. Chapter 24 discusses some of the current implementations of these algorithms and protocols, while Chapter 25 touches on some of the political issues surrounding cryptography. These chapters are by no means intended to be comprehensive.

Also included are source code listings for 10 algorithms discussed in Part III. I was unable to include all the code I wanted to due to space limitations, and cryptographic source code cannot otherwise be exported. (Amazingly enough, the State Department allowed export of the first edition of this book with source code, but denied export for a computer disk with the exact same source code on it. Go figure.) An associated source code disk set includes much more source code than I could fit in this book; it is probably the largest collection of cryptographic source code outside a military institution. I can only send source code disks to U.S. and Canadian citizens living in the U.S. and Canada, but hopefully that will change someday. If you are interested in implementing or playing with the cryptographic algorithms in this book, get the disk. See the last page of the book for details.

One criticism of this book is that its encyclopedic nature takes away from its readability. This is true, but I wanted to provide a single reference for those who might come across an algorithm in the academic literature or in a product. For those who are more interested in a tutorial, I apologize. A lot is being done in the field; this is the first time so much of it has been gathered between two covers. Even so, space considerations forced me to leave many things out. I covered topics that I felt were important, practical, or interesting. If I couldn't cover a topic in depth, I gave references to articles and papers that did.

I have done my best to hunt down and eradicate all errors in this book, but many have assured me that it is an impossible task. Certainly, the second edition has far fewer errors than the first. An errata listing is available from me and will be periodically posted to the Usenet newsgroup sci.crypt. If any reader finds an error, please let me know. I'll send the first person to find each error in the book a free copy of the source code disk.



About the Author

BRUCE SCHNEIER is president of Counterpane Systems, an Oak Park, Illinois consulting firm specializing in cryptography and computer security. Bruce is also the author of E-Mail Security (John Wiley & Sons, 1995) and Protect Your Macintosh (Peachpit Press, 1994); and has written dozens of articles on cryptography for major magazines. He is a contributing editor to Dr. Dobb's Journal, where he edits the "Algorithms Alley" column, and a contributing editor to Computer and Communications Security Reviews. Bruce serves on the board of directors of the International Association for Cryptologic Research, is a member of the Advisory Board for the Electronic Privacy Information Center, and is on the program committee for the New Security Paradigms Workshop. In addition, he finds time to give frequent lectures on cryptography, computer security, and privacy.

Acknowledgments

The list of people who had a hand in this book may seem unending, but all are worthy of mention. I would like to thank Don Alvarez, Ross Anderson, Dave Balenson, Karl Barrus, Steve Bellovin, Dan Bernstein, Eli Biham, Joan Boyar, Karen Cooper, Whit Diffie, Joan Feigenbaum, Phil Karn, Neal Koblitz, Xuejia Lai, Tom Leranth, Mike Markowitz, Ralph Merkle, Bill Patton, Peter Pearson, Charles Pfleeger, Ken Pizzini, Bart Preneel, Mark Riordan, Joachim Schurman, and Marc Schwartz for reading and editing all or parts of the first edition; Marc Vauclair for translating the first edition into French; Abe Abraham, Ross Anderson, Dave Banisar, Steve Bellovin, Eli Biham, Matt Bishop, Matt Blaze, Gary Carter, Jan Camenisch, Claude Crépeau, Joan Daemen, Jorge Davila, Ed Dawson, Whit Diffie, Carl Ellison, Joan Feigenbaum, Niels Ferguson, Matt Franklin, Rosario Gennaro, Dieter Gollmann, Mark Goresky, Richard Graveman, Stuart Haber, Jingman He, Bob Hogue, Kenneth Iversen, Markus Jakobsson, Burt Kaliski, Phil Karn, John Kelsey, John Kennedy, Lars Knudsen, Paul Kocher, John Ladwig, Xuejia Lai, Arjen Lenstra, Paul Leyland, Mike Markowitz, Jim Massey, Bruce McNair, William Hugh Murray, Roger Needham, Clif Neuman, Kaisa Nyberg, Luke O'Connor, Peter Pearson, René Peralta, Bart Preneel, Yisrael Radai, Matt Robshaw, Michael Roe, Phil Rogaway, Avi Rubin, Paul Rubin, Selwyn Russell, Kazue Sako, Mahmoud Salmasizadeh, Markus Stadler, Dmitry Titov, Jimmy Upton, Marc Vauclair, Serge Vaudenay, Gideon Yuval, Glen Zorn, and several anonymous government employees for reading and editing all or parts of the second edition; Lawrie Brown, Leisa Condie, Joan Daemen, Peter Gutmann, Alan Insley, Chris Johnston, John Kelsey, Xuejia Lai, Bill Leininger, Mike Markowitz, Richard Outerbridge, Peter Pearson, Ken Pizzini, Colin Plumb, RSA Data Security, Inc., Michael Roe, Michael Wood, and Phil Zimmermann for providing source code; Paul MacNerland for creating the figures for the first edition; Karen Cooper for copyediting the second edition; Beth Friedman for proofreading the second edition; Carol Kennedy for indexing the second edition; the readers of sci.crypt and the Cypherpunks mailing list for commenting on ideas, answering questions, and finding errors in the first edition; Randy Seuss for providing Internet access; Jeff Duntemann and Jon Erickson for helping me get started; assorted random Insleys for the impetus, encouragement, support, conversations, friendship, and dinners; and AT&T Bell Labs for firing me and making this all possible. All these people helped to create a far better book than I could have created alone.

Bruce Schneier
Oak Park, Ill.




Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C

(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Foreword by Whitfield Diffie
Preface
About the Author

Chapter 1—Foundations
1.1 Terminology
1.2 Steganography
1.3 Substitution Ciphers and Transposition Ciphers
1.4 Simple XOR
1.5 One-Time Pads
1.6 Computer Algorithms
1.7 Large Numbers

Part I—Cryptographic Protocols
Chapter 2—Protocol Building Blocks
2.1 Introduction to Protocols
2.2 Communications Using Symmetric Cryptography
2.3 One-Way Functions
2.4 One-Way Hash Functions
2.5 Communications Using Public-Key Cryptography
2.6 Digital Signatures
2.7 Digital Signatures with Encryption
2.8 Random and Pseudo-Random-Sequence Generation

Chapter 3—Basic Protocols
3.1 Key Exchange
3.2 Authentication
3.3 Authentication and Key Exchange
3.4 Formal Analysis of Authentication and Key-Exchange Protocols
3.5 Multiple-Key Public-Key Cryptography
3.6 Secret Splitting
3.7 Secret Sharing
3.8 Cryptographic Protection of Databases

Chapter 4—Intermediate Protocols
4.1 Timestamping Services
4.2 Subliminal Channel
4.3 Undeniable Digital Signatures
4.4 Designated Confirmer Signatures
4.5 Proxy Signatures
4.6 Group Signatures
4.7 Fail-Stop Digital Signatures
4.8 Computing with Encrypted Data
4.9 Bit Commitment
4.10 Fair Coin Flips
4.11 Mental Poker
4.12 One-Way Accumulators
4.13 All-or-Nothing Disclosure of Secrets
4.14 Key Escrow

Chapter 5—Advanced Protocols
5.1 Zero-Knowledge Proofs
5.2 Zero-Knowledge Proofs of Identity
5.3 Blind Signatures
5.4 Identity-Based Public-Key Cryptography
5.5 Oblivious Transfer
5.6 Oblivious Signatures
5.7 Simultaneous Contract Signing
5.8 Digital Certified Mail
5.9 Simultaneous Exchange of Secrets

Chapter 6—Esoteric Protocols
6.1 Secure Elections
6.2 Secure Multiparty Computation
6.3 Anonymous Message Broadcast
6.4 Digital Cash

Part II—Cryptographic Techniques
Chapter 7—Key Length
7.1 Symmetric Key Length
7.2 Public-Key Key Length
7.3 Comparing Symmetric and Public-Key Key Length
7.4 Birthday Attacks against One-Way Hash Functions
7.5 How Long Should a Key Be?
7.6 Caveat Emptor

Chapter 8—Key Management
8.1 Generating Keys
8.2 Nonlinear Keyspaces
8.3 Transferring Keys
8.4 Verifying Keys
8.5 Using Keys
8.6 Updating Keys
8.7 Storing Keys
8.8 Backup Keys
8.9 Compromised Keys
8.10 Lifetime of Keys
8.11 Destroying Keys
8.12 Public-Key Key Management

Chapter 9—Algorithm Types and Modes
9.1 Electronic Codebook Mode
9.2 Block Replay
9.3 Cipher Block Chaining Mode
9.4 Stream Ciphers
9.5 Self-Synchronizing Stream Ciphers
9.6 Cipher-Feedback Mode
9.7 Synchronous Stream Ciphers
9.8 Output-Feedback Mode
9.9 Counter Mode
9.10 Other Block-Cipher Modes
9.11 Choosing a Cipher Mode
9.12 Interleaving
9.13 Block Ciphers versus Stream Ciphers

Chapter 10—Using Algorithms
10.1 Choosing an Algorithm
10.2 Public-Key Cryptography versus Symmetric Cryptography
10.3 Encrypting Communications Channels
10.4 Encrypting Data for Storage
10.5 Hardware Encryption versus Software Encryption
10.6 Compression, Encoding, and Encryption
10.7 Detecting Encryption
10.8 Hiding Ciphertext in Ciphertext
10.9 Destroying Information

Part III—Cryptographic Algorithms
Chapter 11—Mathematical Background
11.1 Information Theory
11.2 Complexity Theory
11.3 Number Theory
11.4 Factoring
11.5 Prime Number Generation
11.6 Discrete Logarithms in a Finite Field

Chapter 12—Data Encryption Standard (DES)
12.1 Background
12.2 Description of DES
12.3 Security of DES
12.4 Differential and Linear Cryptanalysis
12.5 The Real Design Criteria
12.6 DES Variants
12.7 How Secure Is DES Today?

Chapter 13—Other Block Ciphers
13.1 Lucifer
13.2 Madryga
13.3 NewDES
13.4 FEAL
13.5 REDOC
13.6 LOKI
13.7 Khufu and Khafre
13.8 RC2
13.9 IDEA
13.10 MMB
13.11 CA-1.1
13.12 Skipjack

Chapter 14—Still Other Block Ciphers
14.1 GOST
14.2 CAST
14.3 Blowfish
14.4 SAFER
14.5 3-Way
14.6 Crab
14.7 SXAL8/MBAL
14.8 RC5
14.9 Other Block Algorithms
14.10 Theory of Block Cipher Design
14.11 Using One-Way Hash Functions
14.12 Choosing a Block Algorithm

Chapter 15—Combining Block Ciphers
15.1 Double Encryption
15.2 Triple Encryption
15.3 Doubling the Block Length
15.4 Other Multiple Encryption Schemes
15.5 CDMF Key Shortening
15.6 Whitening
15.7 Cascading Multiple Block Algorithms
15.8 Combining Multiple Block Algorithms

Chapter 16—Pseudo-Random-Sequence Generators and Stream Ciphers
16.1 Linear Congruential Generators
16.2 Linear Feedback Shift Registers
16.3 Design and Analysis of Stream Ciphers
16.4 Stream Ciphers Using LFSRs
16.5 A5
16.6 Hughes XPD/KPD
16.7 Nanoteq
16.8 Rambutan
16.9 Additive Generators
16.10 Gifford
16.11 Algorithm M
16.12 PKZIP

Chapter 17—Other Stream Ciphers and Real Random-Sequence Generators
17.1 RC4
17.2 SEAL
17.3 WAKE
17.4 Feedback with Carry Shift Registers
17.5 Stream Ciphers Using FCSRs
17.6 Nonlinear-Feedback Shift Registers
17.7 Other Stream Ciphers
17.8 System-Theoretic Approach to Stream-Cipher Design
17.9 Complexity-Theoretic Approach to Stream-Cipher Design
17.10 Other Approaches to Stream-Cipher Design
17.11 Cascading Multiple Stream Ciphers
17.12 Choosing a Stream Cipher
17.13 Generating Multiple Streams from a Single Pseudo-Random-Sequence Generator
17.14 Real Random-Sequence Generators

Chapter 18—One-Way Hash Functions
18.1 Background
18.2 Snefru
18.3 N-Hash
18.4 MD4
18.5 MD5
18.6 MD2
18.7 Secure Hash Algorithm (SHA)
18.8 RIPE-MD
18.9 HAVAL
18.10 Other One-Way Hash Functions
18.11 One-Way Hash Functions Using Symmetric Block Algorithms
18.12 Using Public-Key Algorithms
18.13 Choosing a One-Way Hash Function
18.14 Message Authentication Codes

Chapter 19—Public-Key Algorithms
19.1 Background
19.2 Knapsack Algorithms
19.3 RSA
19.4 Pohlig-Hellman
19.5 Rabin
19.6 ElGamal
19.7 McEliece
19.8 Elliptic Curve Cryptosystems
19.9 LUC
19.10 Finite Automaton Public-Key Cryptosystems

Chapter 20—Public-Key Digital Signature Algorithms
20.1 Digital Signature Algorithm (DSA)
20.2 DSA Variants
20.3 Gost Digital Signature Algorithm
20.4 Discrete Logarithm Signature Schemes
20.5 Ong-Schnorr-Shamir
20.6 ESIGN
20.7 Cellular Automata
20.8 Other Public-Key Algorithms

Chapter 21—Identification Schemes
21.1 Feige-Fiat-Shamir
21.2 Guillou-Quisquater
21.3 Schnorr
21.4 Converting Identification Schemes to Signature Schemes

Chapter 22—Key-Exchange Algorithms
22.1 Diffie-Hellman
22.2 Station-to-Station Protocol
22.3 Shamir's Three-Pass Protocol
22.4 COMSET
22.5 Encrypted Key Exchange
22.6 Fortified Key Negotiation
22.7 Conference Key Distribution and Secret Broadcasting

Chapter 23—Special Algorithms for Protocols
23.1 Multiple-Key Public-Key Cryptography
23.2 Secret-Sharing Algorithms
23.3 Subliminal Channel
23.4 Undeniable Digital Signatures
23.5 Designated Confirmer Signatures
23.6 Computing with Encrypted Data
23.7 Fair Coin Flips
23.8 One-Way Accumulators
23.9 All-or-Nothing Disclosure of Secrets
23.10 Fair and Failsafe Cryptosystems
23.11 Zero-Knowledge Proofs of Knowledge
23.12 Blind Signatures
23.13 Oblivious Transfer
23.14 Secure Multiparty Computation
23.15 Probabilistic Encryption
23.16 Quantum Cryptography

Part IV—The Real World
Chapter 24—Example Implementations
24.1 IBM Secret-Key Management Protocol
24.2 MITRENET
24.3 ISDN
24.4 STU-III
24.5 Kerberos
24.6 KryptoKnight
24.7 SESAME
24.8 IBM Common Cryptographic Architecture
24.9 ISO Authentication Framework
24.10 Privacy-Enhanced Mail (PEM)
24.11 Message Security Protocol (MSP)
24.12 Pretty Good Privacy (PGP)
24.13 Smart Cards
24.14 Public-Key Cryptography Standards (PKCS)
24.15 Universal Electronic Payment System (UEPS)
24.16 Clipper
24.17 Capstone
24.18 AT&T Model 3600 Telephone Security Device (TSD)

Chapter 25—Politics
25.1 National Security Agency (NSA)
25.2 National Computer Security Center (NCSC)
25.3 National Institute of Standards and Technology (NIST)
25.4 RSA Data Security, Inc.
25.5 Public Key Partners
25.6 International Association for Cryptologic Research (IACR)
25.7 RACE Integrity Primitives Evaluation (RIPE)
25.8 Conditional Access for Europe (CAFE)
25.9 ISO/IEC 9979
25.10 Professional, Civil Liberties, and Industry Groups
25.11 Sci.crypt
25.12 Cypherpunks
25.13 Patents
25.14 U.S. Export Rules
25.15 Foreign Import and Export of Cryptography
25.16 Legal Issues

Afterword by Matt Blaze
Part V—Source Code
References
Index





Foreword By Whitfield Diffie

The literature of cryptography has a curious history. Secrecy, of course, has always played a central role, but until the First World War, important developments appeared in print in a more or less timely fashion and the field moved forward in much the same way as other specialized disciplines. As late as 1918, one of the most influential cryptanalytic papers of the twentieth century, William F. Friedman's monograph The Index of Coincidence and Its Applications in Cryptography, appeared as a research report of the private Riverbank Laboratories [577]. And this, despite the fact that the work had been done as part of the war effort. In the same year Edward H. Hebern of Oakland, California filed the first patent for a rotor machine [710], the device destined to be a mainstay of military cryptography for nearly 50 years.

After the First World War, however, things began to change. U.S. Army and Navy organizations, working entirely in secret, began to make fundamental advances in cryptography. During the thirties and forties a few basic papers did appear in the open literature and several treatises on the subject were published, but the latter were farther and farther behind the state of the art. By the end of the war the transition was complete. With one notable exception, the public literature had died. That exception was Claude Shannon's paper "The Communication Theory of Secrecy Systems," which appeared in the Bell System Technical Journal in 1949 [1432]. It was similar to Friedman's 1918 paper, in that it grew out of wartime work of Shannon's. After the Second World War ended it was declassified, possibly by mistake.

From 1949 until 1967 the cryptographic literature was barren. In that year a different sort of contribution appeared: David Kahn's history, The Codebreakers [794]. It didn't contain any new technical ideas, but it did contain a remarkably complete history of what had gone before, including mention of some things that the government still considered secret. The significance of The Codebreakers lay not just in its remarkable scope, but also in the fact that it enjoyed good sales and made tens of thousands of people, who had never given the matter a moment's thought, aware of cryptography. A trickle of new cryptographic papers began to be written.

At about the same time, Horst Feistel, who had earlier worked on identification friend or foe devices for the Air Force, took his lifelong passion for cryptography to the IBM Watson Laboratory in Yorktown Heights, New York. There, he began development of what was to become the U.S. Data Encryption Standard; by the early 1970s several technical reports on this subject by Feistel and his colleagues had been made public by IBM [1482, 1484, 552].

This was the situation when I entered the field in late 1972. The cryptographic literature wasn't abundant, but what there was included some very shiny nuggets.

Cryptology presents a difficulty not found in normal academic disciplines: the need for the proper interaction of cryptography and cryptanalysis. This arises out of the fact that in the absence of real communications requirements, it is easy to propose a system that appears unbreakable. Many academic designs are so complex that the would-be cryptanalyst doesn't know where to start; exposing flaws in these designs is far harder than designing them in the first place. The result is that the competitive process, which is one strong motivation in academic research, cannot take hold.

When Martin Hellman and I proposed public-key cryptography in 1975 [496], one of the indirect aspects of our contribution was to introduce a problem that does not even appear easy to solve. Now an aspiring cryptosystem designer could produce something that would be recognized as clever—something that did more than just turn meaningful text into nonsense. The result has been a spectacular increase in the number of people working in cryptography, the number of meetings held, and the number of books and papers published.

In my acceptance speech for the Donald E. Fink award—given for the best expository paper to appear in an IEEE journal—which I received jointly with Hellman in 1980, I told the audience that in writing "Privacy and Authentication," I had an experience that I suspected was rare even among the prominent scholars who populate the IEEE awards ceremony: I had written the paper I had wanted to study, but could not find, when I first became seriously interested in cryptography. Had I been able to go to the Stanford bookstore and pick up a modern cryptography text, I would probably have learned about the field years earlier. But the only things available in the fall of 1972 were a few classic papers and some obscure technical reports.

The contemporary researcher has no such problem. The problem now is choosing where to start among the thousands of papers and dozens of books. The contemporary researcher, yes, but what about the contemporary programmer or engineer who merely wants to use cryptography? Where does that person turn? Until now, it has been necessary to spend long hours hunting out and then studying the research literature before being able to design the sort of cryptographic utilities glibly described in popular articles.

This is the gap that Bruce Schneier's Applied Cryptography has come to fill. Beginning with the objectives of communication security and elementary examples of programs used to achieve these objectives, Schneier gives us a panoramic view of the fruits of 20 years of public research. The title says it all; from the mundane objective of having a secure conversation the very first time you call someone to the possibilities of digital money and cryptographically secure elections, this is where you'll find it.

Not satisfied that the book was about the real world merely because it went all the way down to the code, Schneier has included an account of the world in which cryptography is developed and applied, and discusses entities ranging from the International Association for Cryptologic Research to the NSA.

When public interest in cryptography was just emerging in the late seventies and early eighties, the National Security Agency (NSA), America's official cryptographic organ, made several attempts to quash it. The first was a letter from a long-time NSA employee allegedly, avowedly, and apparently acting on his own. The letter was sent to the IEEE and warned that the publication of cryptographic material was a violation of the International Traffic in Arms Regulations (ITAR). This viewpoint turned out not even to be supported by the regulations themselves—which contained an explicit exemption for published material—but gave both the public practice of cryptography and the 1977 Information Theory Workshop lots of unexpected publicity.

A more serious attempt occurred in 1980, when the NSA funded the American Council on Education to examine the issue with a view to persuading Congress to give it legal control of publications in the field of cryptography. The results fell far short of NSA's ambitions and resulted in a program of voluntary review of cryptographic papers; researchers were requested to ask the NSA's opinion on whether disclosure of results would adversely affect the national interest before publication.

As the eighties progressed, pressure focused more on the practice than the study of cryptography. Existing laws gave the NSA the power, through the Department of State, to regulate the export of cryptographic equipment. As business became more and more international and the American fraction of the world market declined, the pressure to have a single product in both domestic and offshore markets increased. Such single products were subject to export control and thus the NSA acquired substantial influence not only over what was exported, but also over what was sold in the United States.

As this is written, a new challenge confronts the public practice of cryptography. The government has augmented the widely published and available Data Encryption Standard, with a secret algorithm implemented in tamper-resistant chips. These chips will incorporate a codified mechanism of government monitoring. The negative aspects of this "key-escrow" program range from a potentially disastrous impact on personal privacy to the high cost of having to add hardware to products that had previously encrypted in software. So far key escrow products are enjoying less than stellar sales and the scheme has attracted widespread negative comment, especially from the independent cryptographers. Some people, however, see more future in programming than politicking and have redoubled their efforts to provide the world with strong cryptography that is accessible to public scrutiny.

A sharp step back from the notion that export control law could supersede the First Amendment seemed to have been taken in 1980 when the Federal Register announcement of a revision to ITAR included the statement: "...provision has been added to make it clear that the regulation of the export of technical data does not purport to interfere with the First Amendment rights of individuals." But the fact that tension between the First Amendment and the export control laws has not gone away should be evident from statements at a conference held by RSA Data Security. NSA's representative from the export control office expressed the opinion that people who published cryptographic programs were "in a grey area" with respect to the law. If that is so, it is a grey area on which the first edition of this book has shed some light. Export applications for the book itself have been granted, with acknowledgement that published material lay beyond the authority of the Munitions Control Board. Applications to export the enclosed programs on disk, however, have been denied.

The shift in the NSA's strategy, from attempting to control cryptographic research to tightening its grip on the development and deployment of cryptographic products, is presumably due to its realization that all the great cryptographic papers in the world do not protect a single bit of traffic. Sitting on the shelf, this volume may be able to do no better than the books and papers that preceded it, but sitting next to a workstation, where a programmer is writing cryptographic code, it just may.

Whitfield Diffie
Mountain View, CA


Chapter 1
Foundations

1.1 Terminology

Sender and Receiver

Suppose a sender wants to send a message to a receiver. Moreover, this sender wants to send the message securely: She wants to make sure an eavesdropper cannot read the message.

Messages and Encryption

A message is plaintext (sometimes called cleartext). The process of disguising a message in such a way as to hide its substance is encryption. An encrypted message is ciphertext. The process of turning ciphertext back into plaintext is decryption. This is all shown in Figure 1.1.

(If you want to follow the ISO 7498-2 standard, use the terms "encipher" and "decipher." It seems that some cultures find the terms "encrypt" and "decrypt" offensive, as they refer to dead bodies.)

The art and science of keeping messages secure is cryptography, and it is practiced by cryptographers. Cryptanalysts are practitioners of cryptanalysis, the art and science of breaking ciphertext; that is, seeing through the disguise. The branch of mathematics encompassing both cryptography and cryptanalysis is cryptology and its practitioners are cryptologists. Modern cryptologists are generally trained in theoretical mathematics—they have to be.

Figure 1.1 Encryption and Decryption.

Plaintext is denoted by M, for message, or P, for plaintext. It can be a stream of bits, a text file, a bitmap, a stream of digitized voice, a digital video image...whatever. As far as a computer is concerned, M is simply binary data. (After this chapter, this book concerns itself with binary data and computer cryptography.) The plaintext can be intended for either transmission or storage. In any case, M is the message to be encrypted.

Ciphertext is denoted by C. It is also binary data: sometimes the same size as M, sometimes larger. (By combining encryption with compression, C may be smaller than M. However, encryption does not accomplish this.) The encryption function E, operates on M to produce C. Or, in mathematical notation:

E(M) = C

In the reverse process, the decryption function D operates on C to produce M:

D(C) = M

Since the whole point of encrypting and then decrypting a message is to recover the original plaintext, the following identity must hold true:

D(E(M)) = M

Authentication, Integrity, and Nonrepudiation

In addition to providing confidentiality, cryptography is often asked to do other jobs:

— Authentication. It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
— Integrity. It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder should not be able to substitute a false message for a legitimate one.
— Nonrepudiation. A sender should not be able to falsely deny later that he sent a message.

These are vital requirements for social interaction on computers, and are analogous to face-to-face interactions. That someone is who he says he is...that someone's credentials—whether a driver's license, a medical degree, or a passport—are valid...that a document purporting to come from a person actually came from that person.... These are the things that authentication, integrity, and nonrepudiation provide.

Algorithms and Keys

A cryptographic algorithm, also called a cipher, is the mathematical function used for encryption and decryption. (Generally, there are two related functions: one for encryption and the other for decryption.)

If the security of an algorithm is based on keeping the way that algorithm works a secret, it is a restricted algorithm. Restricted algorithms have historical interest, but are woefully inadequate by today's standards. A large or changing group of users cannot use them, because every time a user leaves the group everyone else must switch to a different algorithm. If someone accidentally reveals the secret, everyone must change their algorithm.

Even more damning, restricted algorithms allow no quality control or standardization. Every group of users must have their own unique algorithm. Such a group can't use off-the-shelf hardware or software products; an eavesdropper can buy the same product and learn the algorithm. They have to write their own algorithms and implementations. If no one in the group is a good cryptographer, then they won't know if they have a secure algorithm.

Despite these major drawbacks, restricted algorithms are enormously popular for low-security applications. Users either don't realize or don't care about the security problems inherent in their system.

Modern cryptography solves this problem with a key, denoted by K. This key might be any one of a large number of values. The range of possible values of the key is called the keyspace. Both the encryption and decryption operations use this key (i.e., they are dependent on the key and this fact is denoted by the k subscript), so the functions now become:

E_K(M) = C
D_K(C) = M

Those functions have the property that (see Figure 1.2):

D_K(E_K(M)) = M

Some algorithms use a different encryption key and decryption key (see Figure 1.3). That is, the encryption key, K1, is different from the corresponding decryption key, K2. In this case:

E_K1(M) = C
D_K2(C) = M
D_K2(E_K1(M)) = M

All of the security in these algorithms is based in the key (or keys); none is based in the details of the algorithm. This means that the algorithm can be published and analyzed. Products using the algorithm can be mass-produced. It doesn't matter if an eavesdropper knows your algorithm; if she doesn't know your particular key, she can't read your messages.

Figure 1.2 Encryption and decryption with a key.

Figure 1.3 Encryption and decryption with two different keys.

A cryptosystem is an algorithm, plus all possible plaintexts, ciphertexts, and keys.

Symmetric Algorithms

There are two general types of key-based algorithms: symmetric and public-key. Symmetric algorithms, sometimes called conventional algorithms, are algorithms where the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms, the encryption key and the decryption key are the same. These algorithms, also called secret-key algorithms, single-key algorithms, or one-key algorithms, require that the sender and receiver agree on a key before they can communicate securely. The security of a symmetric algorithm rests in the key; divulging the key means that anyone could encrypt and decrypt messages. As long as the communication needs to remain secret, the key must remain secret.

Encryption and decryption with a symmetric algorithm are denoted by:

E_K(M) = C
D_K(C) = M
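The identities D(E(M)) = M and D_K(E_K(M)) = M, and the claim that all of the security rests in the key rather than in the algorithm, can be checked mechanically. The following C program is an added example written for this page; it is not one of the book's source code listings. It assumes a small keyed symmetric cipher of my own construction (a four-round Feistel network on 32-bit blocks with a 64-bit key) and the function names encrypt_block, decrypt_block, roundtrip_holds and every_one_bit_key_change_fails, all invented here. On constructed sample values it checks two things: that decryption with the same key returns the plaintext, and that decryption with any key differing in a single bit does not.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustrative example (not the book's own source code): a keyed
 * symmetric block cipher that makes the notation E_K(M) = C, D_K(C) = M and
 * D_K(E_K(M)) = M concrete. It is a 4-round Feistel network on 32-bit blocks
 * with a 64-bit key. The structure guarantees the round-trip identity for ANY
 * round function; it is a teaching construction, not a cipher to deploy. */

#define ROUNDS 4

/* Round function F(half, subkey). It need not be invertible for the Feistel
 * network to be invertible, but this one is a bijection of (half ^ subkey),
 * which is what makes the wrong-key check below provable rather than merely
 * probable. Constants are arbitrary. */
static uint16_t round_func(uint16_t half, uint16_t subkey)
{
    uint16_t x = half ^ subkey;
    x = (uint16_t)((x << 5) | (x >> 11));      /* rotate left by 5 */
    x = (uint16_t)((uint32_t)x * 0x9E37u);     /* multiply by an odd constant mod 2^16 */
    return (uint16_t)(x ^ (x >> 7));           /* xorshift */
}

/* Derive the per-round 16-bit subkeys from the 64-bit key (subkey i is bits
 * 16i..16i+15). Decryption uses the same subkeys in reverse order. */
static void key_schedule(uint64_t key, uint16_t subkeys[ROUNDS], int reverse)
{
    for (int i = 0; i < ROUNDS; i++) {
        int idx = reverse ? ROUNDS - 1 - i : i;
        subkeys[i] = (uint16_t)(key >> (16 * idx));
    }
}

/* One pass through the Feistel network. Each round replaces the right half
 * with left ^ F(right, subkey) and moves the old right half to the left; the
 * final swap makes the same routine its own inverse when the subkey order is
 * reversed. */
static uint32_t feistel(uint32_t block, const uint16_t subkeys[ROUNDS])
{
    uint16_t left = (uint16_t)(block >> 16);
    uint16_t right = (uint16_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t next_right = left ^ round_func(right, subkeys[i]);
        left = right;
        right = next_right;
    }
    return ((uint32_t)right << 16) | left;
}

/* E_K(M) = C */
uint32_t encrypt_block(uint32_t m, uint64_t key)
{
    uint16_t subkeys[ROUNDS];
    key_schedule(key, subkeys, 0);
    return feistel(m, subkeys);
}

/* D_K(C) = M */
uint32_t decrypt_block(uint32_t c, uint64_t key)
{
    uint16_t subkeys[ROUNDS];
    key_schedule(key, subkeys, 1);
    return feistel(c, subkeys);
}

/* Checks the identity D_K(E_K(M)) = M for one key and one message. */
int roundtrip_holds(uint64_t key, uint32_t m)
{
    return decrypt_block(encrypt_block(m, key), key) == m;
}

/* Checks that the security rests in the key: for every key K' that differs
 * from K in exactly one bit, D_K'(E_K(M)) != M. Returns 1 if all 64 such
 * wrong keys fail to recover M, 0 if any of them succeeds. */
int every_one_bit_key_change_fails(uint64_t key, uint32_t m)
{
    uint32_t c = encrypt_block(m, key);
    for (int bit = 0; bit < 64; bit++) {
        uint64_t wrong = key ^ ((uint64_t)1 << bit);
        if (decrypt_block(c, wrong) == m)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t key = 0x0123456789ABCDEFULL;   /* constructed sample key */
    uint32_t m = 0x48656C6Cu;               /* constructed sample plaintext ("Hell" in ASCII) */
    uint32_t c = encrypt_block(m, key);
    printf("M = %08X  C = E_K(M) = %08X  D_K(C) = %08X\n", m, c, decrypt_block(c, key));
    printf("round trip holds: %d, every one-bit key change fails: %d\n",
           roundtrip_holds(key, m), every_one_bit_key_change_fails(key, m));
    return 0;
}
```

The round-trip identity holds for any round function because a Feistel round is undone by running the same round with the same subkey on the swapped halves, so decryption is the same network with the subkey order reversed. The wrong-key check is provable for this particular construction: a one-bit change alters exactly one subkey, the rounds with matching subkeys cancel, and the one mismatched round leaves the left half changed by F(R, k) XOR F(R, k'), which is nonzero because F is a bijection of (R XOR subkey). None of this makes the construction secure; it only illustrates the notation of this section.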

