1. No category

What is a backdoor? - Computer Science and Engineering

Understanding and
Implementing Encryption
Backdoors
By Derek Kern
CSC7002
March 31, 2012
Contents
● The Setup
○
○
○
○
History: The Zimmerman Telegram
The Conceit
Where to conceal the backdoor
Asymmetric vs. Symmetric
● RSA
○ Simple Symmetric Backdoor
○ Extended Symmetric Backdoor
● ElGamal
○ Aside: Generating Groups and Primitives
○ Simple Symmetric Backdoor
● Electronic Book Cipher
○ Simple Symmetric Backdoor
Introduction
● Encryption algorithms like RSA, ElGamal,
etc appear to be secure in the abstract
● Unfortunately, we do not use them in the
abstract
● We trust that implementations of these
algorithms are sound and honest
○ Sound - No cryptographically significant bugs
○ Honest - No backdoors
● Could e-commerce exist without this trust?
● My overall goal was to discover how easy it
is to plant backdoors in order to determine
whether this trust is warranted
Introduction
● Questions to be examined
○ How easy is it to embed backdoors into encryption
implementations?
■ RSA
■ ElGamal
■ Electronic Book Cipher
○ What is it about encryption algorithms that make
○
them susceptible to backdoors?
How can backdoors be revealed?
The Zimmerman Telegram
●
●
●
Sent by A. Zimmerman,
German Foreign
Secretary, to the German
Ambassador of Mexico
The Germans, anticipating
an American response to
planned unrestricted
submarine warfare, were
attempting to convince
Mexico to attack the US
They promised Texas,
New Mexico and Arizona
to the government of
Mexico
The Ciphertext
●
The telegram was
intercepted and
decoded by the
The Zimmerman Telegram
The plaintext
We intend to begin on the first of February unrestricted submarine warfare. We shall
endeavor in spite of this to keep the United States of America neutral. In the event
of this not succeeding, we make Mexico a proposal of alliance on the following
basis:
make war together, make peace together, generous financial support and an
understanding on our part that Mexico is to reconquer the lost territory in Texas,
New Mexico, and Arizona. The settlement in detail is left to you. You will inform the
President of the above most secretly as soon as the outbreak of war with the United
States of America is certain and add the suggestion that he should, on his own
initiative, invite Japan to immediate adherence and at the same time mediate
between Japan and ourselves. Please call the President's attention to the fact that
the ruthless employment of our submarines now offers the prospect of compelling
England in a few months to make peace.
Signed, ZIMMERMANN
The Conceit
● You are given a black box
● This box could be hardware or software
● Depending upon the algorithm, it may
generate keys or encrypt the plaintext
● How would you know that this box is honest?
○ Are the keys being generated honest?
○ Is the ciphertext honest?
● When we discussed DES, we focused upon
whether a backdoor was embedded into the
algorithm
The Conceit
● This may have been the case, but the
easiest place to embed a backdoor is in the
implementation of an algorithm
● We will focus upon the implementation
● The actors in this cryptography story are:
○ Alice - Encryption user
○ Bart - Encryption user
○ EveCorp - Encryption implementer
What is a backdoor?
● A.k.a trapdoor
○ I avoided this synonym because of the use of
'trapdoor' when discussing trapdoor functions
● It is a selective weakening of a cryptographic
implementation (or algorithm) such that a
third party, EveCorp, can decrypt
communications between Alice and Bob
● Usually backdoors are hidden, but not
always (remember the, now defunct, Clipper
chip)
● We will be focusing upon hidden backdoors
What is a backdoor?
● Food for thought: Is intention the only aspect
that truly differentiates backdoors from
implementation errors?
Where to conceal a backdoor
● Random number generators
○ In this case, EveCorp would have a good idea what
random numbers will be generated
● In subtle code
○ In 2003, a hacker tried to slip a backdoor into Linux
kernel. The difference between the honest and
dishonest implementations was a single equal sign
● In public keys
○ We will see two such backdoors
● In ciphertext
○ We will see one such backdoor
Symmetric vs Asymmetric
● So, you are EveCorp
○ You have inserted a backdoor into an
○
○
implementation
If, upon finding the backdoor, someone could use it
to decrypt Alice and Bob's communications, then the
backdoor is symmetric
If, upon finding the backdoor, someone could not
use it to decrypt Alice and Bob's communications,
then the backdoor is asymmetric
[YY96]
● We will see only symmetric backdoors
● Asymmetric backdoors typically involve
What should EveCorp's backdoor look like?
● The backdoor should:
○ ...allow polynomial time access to the contents of the
message
● The backdoor should not:
○ ...cause the black box output to be distinguishable,
○
in polynomial time, from honest black box output.
Thus, it should be sufficiently hidden
...weaken the encryption implementation such that it
is open to non-backdoor attacks
RSA
● Quick Review
○ Start by generating two large primes, p and q; their
product becomes the public key modulus, n
○ phi(n) = ( p - 1 )( q - 1 )
○ Find the public key exponent, e, such that gcd( e,
phi(n) ) = 1
○ Find the private key exponent, d, such that d is the
multiplicative inverse of e modulo phi(n)
○ Let m be the plaintext and c be the ciphertext
○ Encrypt: c = me (mod n)
○ Decrypt: m = cd (mod n)
RSA
● Dirichlet's Prime Number Theorem
○ For any two positive coprime integers, a and d, there
are infinitely many prime numbers of the form nd + a
where n >= 0. [Dud08] Call these primes 'Dirichlet
Primes'
○ Upshot: Given an arithmetic series nd + a, where a
and d are coprime, there are an infinite number of
prime numbers as n goes to infinity
○ Example
■ Let a = 5 and d = 7
● n = 1: 1(7) + 5 = 12 --- Nope
● n = 2: 2(7) + 5 = 19 --- Bingo
RSA
● Dirichlet's Prime Number Theorem
○ So, how is Dirichlet's Theorem (DT) relevant?
■ Well, what happens if we do the following?
● n(d) + a (mod d)
● Example
○
○
2(7) + 5 = 19
19 ≡ 5 (mod 7)
■ So, by looking at 19 mod 7, we are able to
'release' 5 from the sum
■ Thus, we are able to release the value of a from
the Dirichlet Prime modulo d
RSA
● Simple Symmetric Backdoor [And93]
○ Choose p and q using Dirichlet's (td + a)
■ Note: I've renamed n to t in order to avoid
confusion
○ Fix d to be a large prime; this is the backdoor key. It
will be hidden in the black box
○ (1) Choose a random prime a such that a has
roughly a quarter the bits of d; we know that a and d
are coprime
○ (2) Set t to be some initial value that is about a
quarter of the bits of d; this initial value should be
some function, f(x), of a and d
○ (3) Increase t until (td + a) is a prime
RSA
● Simple Symmetric Backdoor
○ Now, consider n:
■ n = pq = (t1d + a1)(t2d + a2)
[Kal94]
● pq = t1dt2d + a1t2d + a2t1d + a1a2
● And this modulo d is: a1a2
● a1 and a2 are much smaller than p and q and can be easily
factored
○ Assume that we factor a1a2 to obtain a1 and a2
■ How do we obtain p and q?
○ We know d and have a1 and a2; we also know f(x)
○ Use f(d + a1) and f(d + a2) to get the initial values of
t, t1 and t2, for p and q
RSA
● Simple Symmetric Backdoor
○ For each t, t1 and t2, increase t until a prime is
reached
○ For t1, this prime will p; for t2, this prime will be q
○ With p and q, the ciphertext can be decrypted
RSA - Simple Symmetric Backdoor
Honestly generated keys
e = 93854897993268419291268282158132054459478903016461905919978319015693947069231026005974211
7337930805914627366311257693964672312365587416140319953949
m = 62016643699815891866681776782968332929444025522604782939725140786641517313787243227776152
04975376524559040066052482523719642724550770881042443457837
d = 76142261560107732310949314937054504027136222912946759700839906428395196232482475719392595
9696795501194641200735629994701463260345872178329048258349
Dishonestly generated keys
e = 38679033777561333679744814330283741777516711549088393212436928676715685026888635251008547
554814821766015253704097564971842900261750864932507866030963
m = 94837333025621043745241580207768261280757907156643485047688214354183296858393461170480771
1854450795093240193241133277726482805691469236923612526751981
d = 16866847269610423710279206935327981980647459578169704285835920028040686215635642293732050
210554408831060031156790302211642479203284798196797865229243
RSA
● Simple Symmetric Backdoor
○ Is this backdoor secure from outside attacks?
○ Kaliski [Kal94] proposes a method of freeing
"trapped moduli"
■ He says that this is "easy" to do
■ However, requires many different public key
moduli that use the same backdoor key
● It may be hard to obtain enough of them
● Each device could be given a unique
backdoor key
○ So, it appears to be secure
RSA
● Extended Symmetric Backdoor
○ As the length (number of bits) of p and q grows, so
does the length of a1 and a2
○ At a certain point, factoring a1a2 will become too
difficult
○ Question: What do we do?
○ Answer: Generate a1 and a2 using the same method
as we used to generate p and q
○ We'll need another backdoor key. Call the original
key d1 and the new key d2
RSA
● Extended Symmetric Backdoor
○ The result:
■ pq = (t1d1 + a1)(t2d1 + a2) = (t1d1 + [t3d2 + a3])(t2d1 + [t4d2 + a4])
■ pq = d1(t1t2d1 + t1t4d2 + t1a4 + t2t3d2 + t2a3) + d2(t3d2 + t3a4 + t4a3) +
a 3a 4
■
■
■
And this mod d1: d2(t3d2 + t3a4 + t4a3) + a3a4
And this mod d2: a3a4
Again, a3 and a4 are much smaller than p, q, a1, and a2 and can
be easily factored
○ Assuming that we've factored a3a4 into a3 and a4, we
can use the previous procedure to find a1 and a2
○ We then use it again, with a1 and a2, in order to find
p and q
ElGamal
● Quick Review
○ Generate large prime p. p is the order of group P
○ Randomly, find a primitive g (generator) within P
○ Randomly select x where 0 < x <= p - 1
○ Let h = gx (mod p)
○ The tuple ( h, g, p ) is the public key
○ x is the private key
○ Encrypt 1: Randomly select y where 0 < y <= p - 1
○ Encrypt 2: Let j = hy (mod p) and jm = m * j
○ Encrypt 3: Send pair ( j, jm )
○ Decrypt 1: Let k = ( j x )-1
○ Decrypt 2: m = j * k
ElGamal - Aside
● A little more review
○ When is g a primitive of a group modulo p?
■ 1<g<p-1
● This ensures that g is a least residue (mod p)
■ gcd( g, p ) = 1
● By Euler's Theorem, this ensures that gphi(p) ≡ 1
(mod p)
ElGamal - Aside
● A little more review
○ When is g a primitive of a group modulo p? (cont'd)
■ There is no factor t of phi(p) such that gphi(p)/t ≡ 1 (mod
p)
●
●
This ensures that the order of g is phi(p)
This check follows from Lagrange's Theorem
○
●
Let gcd(a, m) = 1 and a have order j (mod m). Then ak ≡
1 (mod m) iff j divides k
[Dud08]
So, the upshot is that if phi(p) is not the order of g
(mod p), then it must be a multiple of the order g
and thus will be revealed by this check
ElGamal - Aside
● A little more review
○ Quick question: Why must the order of g be phi(p) (mod
p)?
●
We want there to be as many solutions (keys) to
the discrete logarithm problem as possible
●
Remember the order essentially defines the scope
of the cycle within the group
●
Therefore, if x is greater than the order of g, then
there is some y less than the order g, such that gx
≡ gy (mod p)
●
Thus, the order defines the number of possible
private and transient keys modulo p
●
Of course, since p is prime, phi(p) = p - 1. This is
the largest possible keyspace for p
ElGamal - Aside
● Generating primitives for groups
○ As we discussed in class, this is difficult to do
○ Straightforward Approach - Starting with group P
■ Remember prime p is the group modulus
■ (1) Factor phi(p), i.e. factor p - 1 (call these phi
factors)
■ (2) Randomly select prime g where 1 < g < p - 1
■ (3) For each phi factor t, calculate z = g(p - 1)/t (mod p)
● If z ≡ 1, g is not primitive
● Otherwise, go to (3)
■ (4) If we run out of phi factors, then g is primitive
○ Problem: Factoring p - 1, step (1), can take an
inordinate amount of time
○ How can we eliminate this step?
ElGamal - Aside
● Generating primitives for groups
○ My Approach
■ Don't randomly select p
■ Instead, build p - 1 from set of randomly selected,
fairly large, factors
■ If p is prime, then we have the factors of its phi
■ Try to find g the same as before
○ Advantages
■ No factoring step
● The most computationally intensive steps are
prime identification and multiplicative
exponentiation. Both are very tractable
■ A cryptographically sound p - 1 should have some
large factors. This can be guaranteed
ElGamal - Aside
● Does this approach result in secure keys?
○ The primitive g is found the same way as before, this part
of the process isn't at issue. So, is the group prime p
secure?
○
Specifically, is there something about the creation of phi
(p) that makes it insecure?
■
○
Safe from approaches to Discrete Logarithms?
●
●
Pohlig-Hellman - Yes, phi(p) has very large factors
●
Pollard-Rho - Yes. Again, based on the large p - 1
order
Square root attacks - Yes. The order is as large as
possible
So, in sum, I think so ;-)
ElGamal
● Simple Symmetric Backdoor [YY04]
○ Fix d to be a large prime; this is the backdoor key. It
will be hidden within the black box
○ During each encryption, secretly store the transient key
■ Call the random key value generated during encryption the
'transient key'
○ Generate the next transient key by raising the previous
transient key to the power of d (modulo p)
■
Also, we do some masking and hashing in order to more
thoroughly scramble it
○ Remember, each ciphertext pair is ( j, jm )
○ Except for the first message, each subsequent j is
compromised
○ Thus, jm can be decrypted using d and the value of j from
the previous message
ElGamal - Simple Symmetric Backdoor
Encryption of: We intend to begin
(from Zimmerman Telegram)
Honest Ciphertext #1
614257656221382688573142349037538122259876939099763472183530964683281345:
10847938691876064908875396829235419011867883387106206903128143230040006207425296970163005922
487308425320674930984024647262618076341088805342295536793645319224023428:
8613895761349785490311469766957801656395102130175346112626954616196773035081439485257260
Honest Ciphertext #2
36770137365355326915033293116739398794604852388408264918804083306916989:
3573093338837266260929916799882973733169410316975621629887254255159432596409957742364612594
898463771352447997235822811443115822255241208825427093944974676377617598:
5586877097374278353666760281800657611341582888657869898595444868920958544445356322009840
Dishonest Ciphertext
7207333450963736014413003333524629556375976104780320859169270403064476037:
98063429673816717585126188188003463163876923449878118807666618498512656458145878817857016634
3007518097878295367989526702948027786422852380446474894531259657006909814:
12923976209750529737096501019228624433160285153135154232915924778057108990737182742671020
Dishonest Decryption
eg.DishonestDecrypt( '3007518097878295367989526702948027786422852380446474894531259657006909814:
12923976209750529737096501019228624433160285153135154232915924778057108990737182742671020',
'7207333450963736014413003333524629556375976104780320859169270403064476037' )
('to begin', '3007518097878295367989526702948027786422852380446474894531259657006909814')
This is easy...why?
● So far we've seen backdoors into two modern
public key encryption algorithms
● They were easy to understand and implement
● What is it about these algorithms that made them
susceptible?
● My hypothesis: The relationship between plaintexts
and ciphertexts
○ Necessary condition: There must be a one-tomany or many-to-many relationship between
plaintexts and ciphertexts
○ Imagine designing a backdoor for Caesar Cipher
Electronic Book Cipher
● Could a book cipher support a backdoor?
● Yes and for the same reason as before
● How it works
○ Shared Private Key: An ordered set of one or many
○
electronic texts (see Project Gutenberg)
Encryption
■ Dynamically, build a substitution dictionary using
the key texts
●
Each word and letter can have a maximum number of
substitutions
●
If this limit is exceeded, then randomly decide whether
to replace a substitution
Electronic Book Cipher
● How it works (cont'd)
○ Encryption
■ Using the substitution dictionary, for each word in
○
the plaintext, randomly select a substitution from
the set of possible substitutions
■ If no word substitution is found, perform the same
procedure with the letters of the word
Decryption
■ (Cached or dynamically) Build a complete
reverse substitution dictionary using the key texts
●
For each code in the ciphertext, use the reverse
substitution dictionary to find the plaintext word or letter
Electronic Book Cipher
● Advantages
○ Book ciphers themselves are very difficult to crack
○ Because of the randomness introduced by the
construction and utilization of the encryption
dictionary, the ciphertext is never quite the same,
even if the plaintext is
It is a very simple process, in both directions
○
● Given the simplicity of EBC, how can a
backdoor be planted?
Electronic Book Cipher
First Encryption of the initial part of the Zimmerman Telegram
71308 441686 554583 124529 12726 208027 355849 10052 167195 305244:1 450108:1 246956:2
556800:2 539960:3 549694:0 275184:1 525203:0 197776:0 549119:3 488707:6 531084:2 -1:0
501231:2 03722:6 432655:0 262125:5 463022:0 403256:8 411505:4 501854:7 484837:3 -1:0 359013
328617 269730 197714 16459 250797 296272 102812 14023 168722 400683 304738 537762
520659 44241 42788 399666 06891 536013 22467 124043 68908 492759 09808 341786 551986
15533 381627 07594 90328 28254 06891 285721 511544 222223 287670 263120 23144 325933
242551 103270 421051 179064 565164 16767 391407 02619 200990 100226 402991 551986 55826
328598 519974:4 269881:4 227687:0 452574:1 514032:5 04996:0 544069:3 407137:2 151524:5 -1:0
Second Encryption of the initial part of the Zimmerman Telegram
315266 441686 317435 181602 29556 468255 273829 12999 167195 222231:1 477123:0 277299:1
261415:3 477935:3 555323:4 461706:4 489713:1 440675:0 00232:1 520686:2 01010:2 -1:0 515295:2
265389:1 06095:0 520642:2 90666:0 440529:2 00575:1 308590:7 486418:1 -1:0 496256 54536 21467
379857 12142 179883 421328 78609 11267 411583 08331 564869 563200 246598 44241 42788
05155 04747 552114 169226 07863 17060 492759 269738 127039 551986 00740 361439 536909
189391 46263 04597 441145 370215 94334 11150 73102 520115 501657 230600 203819 564526
80391 508370 40587 446654 26177 175796 552106 26231 551986 09392 05518 489017:2 534850:4
149013:2 458526:0 560805:6 114903:4 01613:1 475553:2 459714:0 -1:0
Electronic Book Cipher
● Given the simplicity of EBC, how can a
backdoor be planted?
Electronic Book Cipher
● Simple Symmetric Backdoor
○ Embed the titles of the chosen private key texts into
○
the ciphertext
How?
■
Let istart and iend be the indices between which the titles will
be embedded
■
If the index of the current cipher code is between istart and
iend, then:
●
●
Let t be the current letter of the current key text title
●
●
If it is found, then use the substitution
For each plaintext word, attempt to find a substitution whose
first two digits also represent the ASCII code of t
If it isn't found, attempt to find
Electronic Book Cipher
● Simple Symmetric Backdoor
○ How?
■ If the index of the current cipher code is between istart and
iend, then: (cont'd)
●
If it isn't found, attempt to find a substitution whose first two
digits do not map to any ASCII alphanumeric
●
●
If it is found, then use the substitute
If isn't found, choose any substitute
Electronic Book Cipher
Honest encryption of the initial part of the Zimmerman Telegram
71308 441686 554583 124529 12726 208027 355849 10052 167195 305244:1 450108:1 246956:2
556800:2 539960:3 549694:0 275184:1 525203:0 197776:0 549119:3 488707:6 531084:2 -1:0
501231:2 03722:6 432655:0 262125:5 463022:0 403256:8 411505:4 501854:7 484837:3 -1:0 359013
328617 269730 197714 16459 250797 296272 102812 14023 168722 400683 304738 537762
520659 44241 42788 399666 06891 536013 22467 124043 68908 492759 09808 341786 551986
15533 381627 07594 90328 28254 06891 285721 511544 222223 287670 263120 23144 325933
242551 103270 421051 179064 565164 16767 391407 02619 200990 100226 402991 551986 55826
328598 519974:4 269881:4 227687:0 452574:1 514032:5 04996:0 544069:3 407137:2 151524:5 -1:0
Dishonest encryption of the initial part of the Zimmerman Telegram
00627 100600 545449 03857 448727 546671 87200 561296 167195 555511:2 558572:1 550353:1
551586:2 526271:0 558281:7 550353:1 564393:8 552214:0 558281:7 551586:2 480061:5 -1:0
526271:0 555511:2 386875:0 65460:3 531034:1 550353:1 564393:8 558572:1 551586:2 -1:0 291460
00627 00313 197714 399070 02926 561296 82284 545449 04945 546671 39040 283044 561296
44241 42788 399070 546671 41311 561296 65626 262405 492759 00627 06063 551986 484163
102315 561296 04816 448727 546671 08827 199265 06063 00006 12611 06063 00008 12611 46174
192669 23317 405794 374100 08630 448727 78016 00644 286304 551986 68049 545449 550353:1
551586:2 552214:0 554558:1 558572:1 01050:3 555511:2 551586:2 550353:1 -1:0
Electronic Book Cipher
Dishonest encryption of the initial part of the Zimmerman Telegram
00627 100600 545449 03857 448727 546671 87200 561296 167195 555511:2 558572:1 550353:1
551586:2 526271:0 558281:7 550353:1 564393:8 552214:0 558281:7 551586:2 480061:5 -1:0
526271:0 555511:2 386875:0 65460:3 531034:1 550353:1 564393:8 558572:1 551586:2 -1:0 291460
00627 00313 197714 399070 02926 561296 82284 545449 04945 546671 39040 283044 561296
44241 42788 399070 546671 41311 561296 65626 262405 492759 00627 06063 551986 484163
102315 561296 04816 448727 546671 08827 199265 06063 00006 12611 06063 00008 12611 46174
192669 23317 405794 374100 08630 448727 78016 00644 286304 551986 68049 545449 550353:1
551586:2 552214:0 554558:1 558572:1 01050:3 555511:2 551586:2 550353:1 -1:0 546671 80107
250287 399070 558281:7 551586:2 69558:1 531034:1 526271:0 -1:0 00257 551986 405794 531034:1
550353:1 564393:8 00784:7 554558:1 558572:1 531034:1 -1:0 546671 457356 399070 59578 560194
65040 545449 307790 307790 00145 23817 546671 116506 561296 546671 67413 02009 04551
69867 151460 00165 524376 563789:0 464270:6 491188:0 439755:2 519792:1 551338:2 546140:3
94334:2 -1:0
>>> dishonest_book_cipher.get_book_titles_from_ciphertext( ctxt )
'WARANDPEACEMF'
Revealing Backdoors
● How?
○ Comparing output
■ Won't expose good backdoors, especially if the
backdoor has a finite limit
○
Side-channel
■
Follow the example set by Archimedes when
attempting to route out a dishonest goldsmith who
may have substituted silver some for gold when
crafting King Hiero's crown - compare to known
honest sample
■
■
Similar side-channel attacks on encryption
Does encryption or key-generation require markedly
more CPU cycles or energy?
Summary
● We've seen backdoors in:
○ RSA
○ ElGamal
○ Electronic Book Cipher
● They were easy to construct and embed
● We've even seen that they can be extended
along with the key size (RSA)
● The relationship between the plaintext and
possible ciphertext seems to play a role in
whether an encryption algorithm can support
a backdoor
Conclusion
● Backdoors are so easy to introduce into
software/hardware implementations of
encryption algorithms that our trust in
implementers is probably better
acknowledged as 'faith'
● We must either have faith that no backdoors
are present or we must have faith that, if
they are present, they will not be used
maliciously
References
[And93]
[CS03]
[Dud08]
[FP09]
[Kal94]
[Sin00]
[Tuc85]
[TW06]
[You04]
[YY96]
[YY04]
Ross Anderson. Practical RSA Trapdoor. Electronic Letters. 29(11): 995, 1993.
Claude Crépeau and Alain Slakmon. Simple Backdoors for RSA Key Generation. CTRSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track. pgs. 403416, 2003.
Underwood Dudley. Elementary Number Theory. Dover Publications, Mineola, NY, 2008.
Evangellos Fountas and Constantinos Patsakis. Creating RSA Trapdoors Using Lagrange
Four Square Theorem. 2009 Fifth International Conference on Intelligent Information Hiding
and Multimedia Signal Processing. pgs. 779-782, 2009.
Burton Kaliski. Anderson’s RSA Trapdoor Can Be Broken. Electronic Letters. 29(15):
1387-88, 1993.
Simon Singh. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum
Cryptography. Anchor Books, 2000.
Barbara Tuchman. The Zimmerman Telegram. Ballentine Books, New York, NY, 1985.
Wade Trappe and Lawrence Washington. Introduction to Cryptography with Coding
Theory. Pearson Prentice Hall, Upper Saddle River, NJ, 2006.
Adam Young. Mitigating Insider Threats to RSA Key Generation. Cryptobytes, RSA
Laboratories. 7(1): 1-15, 2004.
Adam Young and Moti Yung. The Dark Side of Black Box Cryptography, or: Should We
Trust Capstone?. CRYPTO '96 Proceedings of the 16th Annual International Cryptology
Conference on Advances in Cryptology. pgs. 89-103, 1996.
Adam Young and Moti Yung. Malicious Cryptography: Exposing Cryptovirology. Wiley,
Indianapolis, IN, 2004.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz