Understanding and Implementing Encryption Backdoors
By Derek Kern
CSC7002, March 31, 2012
Contents
- The Setup
  ○ History: The Zimmerman Telegram
  ○ The Conceit
  ○ Where to conceal the backdoor
  ○ Asymmetric vs. Symmetric
- RSA
  ○ Simple Symmetric Backdoor
  ○ Extended Symmetric Backdoor
- ElGamal
  ○ Aside: Generating Groups and Primitives
  ○ Simple Symmetric Backdoor
- Electronic Book Cipher
  ○ Simple Symmetric Backdoor
Introduction
- Encryption algorithms like RSA, ElGamal, etc. appear to be secure in the abstract
- Unfortunately, we do not use them in the abstract
- We trust that implementations of these algorithms are sound and honest
  ○ Sound - No cryptographically significant bugs
  ○ Honest - No backdoors
- Could e-commerce exist without this trust?
- My overall goal was to discover how easy it is to plant backdoors in order to determine whether this trust is warranted
Introduction
- Questions to be examined
  ○ How easy is it to embed backdoors into encryption implementations?
    ■ RSA
    ■ ElGamal
    ■ Electronic Book Cipher
  ○ What is it about encryption algorithms that makes them susceptible to backdoors?
  ○ How can backdoors be revealed?
The Zimmerman Telegram
- Sent by A. Zimmerman, German Foreign Secretary, to the German Ambassador of Mexico
- The Germans, anticipating an American response to planned unrestricted submarine warfare, were attempting to convince Mexico to attack the US
- They promised Texas, New Mexico and Arizona to the government of Mexico
- The telegram was intercepted and decoded by the British
(Figure: the ciphertext)
The Zimmerman Telegram
The plaintext
We intend to begin on the first of February unrestricted submarine warfare. We shall endeavor in spite of this to keep the United States of America neutral. In the event of this not succeeding, we make Mexico a proposal of alliance on the following basis: make war together, make peace together, generous financial support and an understanding on our part that Mexico is to reconquer the lost territory in Texas, New Mexico, and Arizona. The settlement in detail is left to you. You will inform the President of the above most secretly as soon as the outbreak of war with the United States of America is certain and add the suggestion that he should, on his own initiative, invite Japan to immediate adherence and at the same time mediate between Japan and ourselves. Please call the President's attention to the fact that the ruthless employment of our submarines now offers the prospect of compelling England in a few months to make peace. Signed, ZIMMERMANN
The Conceit
- You are given a black box
- This box could be hardware or software
- Depending upon the algorithm, it may generate keys or encrypt the plaintext
- How would you know that this box is honest?
  ○ Are the keys being generated honest?
  ○ Is the ciphertext honest?
- When we discussed DES, we focused upon whether a backdoor was embedded into the algorithm
The Conceit
- This may have been the case, but the easiest place to embed a backdoor is in the implementation of an algorithm
- We will focus upon the implementation
- The actors in this cryptography story are:
  ○ Alice - Encryption user
  ○ Bart - Encryption user
  ○ EveCorp - Encryption implementer
What is a backdoor?
- A.k.a. trapdoor
  ○ I avoided this synonym because of the use of 'trapdoor' when discussing trapdoor functions
- It is a selective weakening of a cryptographic implementation (or algorithm) such that a third party, EveCorp, can decrypt communications between Alice and Bob
- Usually backdoors are hidden, but not always (remember the now-defunct Clipper chip)
- We will be focusing upon hidden backdoors
What is a backdoor?
- Food for thought: Is intention the only aspect that truly differentiates backdoors from implementation errors?
Where to conceal a backdoor
- Random number generators
  ○ In this case, EveCorp would have a good idea what random numbers will be generated
- In subtle code
  ○ In 2003, a hacker tried to slip a backdoor into the Linux kernel. The difference between the honest and dishonest implementations was a single equal sign
- In public keys
  ○ We will see two such backdoors
- In ciphertext
  ○ We will see one such backdoor
Symmetric vs Asymmetric
- So, you are EveCorp
  ○ You have inserted a backdoor into an implementation
  ○ If, upon finding the backdoor, someone could use it to decrypt Alice and Bob's communications, then the backdoor is symmetric
  ○ If, upon finding the backdoor, someone could not use it to decrypt Alice and Bob's communications, then the backdoor is asymmetric [YY96]
- We will see only symmetric backdoors
- Asymmetric backdoors typically involve encrypting the backdoor itself
What should EveCorp's backdoor look like?
- The backdoor should:
  ○ ...allow polynomial time access to the contents of the message
- The backdoor should not:
  ○ ...cause the black box output to be distinguishable, in polynomial time, from honest black box output. Thus, it should be sufficiently hidden
  ○ ...weaken the encryption implementation such that it is open to non-backdoor attacks
RSA
- Quick Review
  ○ Start by generating two large primes, p and q; their product becomes the public key modulus, n
  ○ phi(n) = ( p - 1 )( q - 1 )
  ○ Find the public key exponent, e, such that gcd( e, phi(n) ) = 1
  ○ Find the private key exponent, d, such that d is the multiplicative inverse of e modulo phi(n)
  ○ Let m be the plaintext and c be the ciphertext
  ○ Encrypt: c = m^e (mod n)
  ○ Decrypt: m = c^d (mod n)
RSA
- Dirichlet's Prime Number Theorem
  ○ For any two positive coprime integers, a and d, there are infinitely many prime numbers of the form nd + a where n >= 0. [Dud08] Call these primes 'Dirichlet Primes'
  ○ Upshot: Given an arithmetic series nd + a, where a and d are coprime, there are an infinite number of prime numbers as n goes to infinity
  ○ Example
    ■ Let a = 5 and d = 7
      - n = 1: 1(7) + 5 = 12 --- Nope
      - n = 2: 2(7) + 5 = 19 --- Bingo
RSA
- Dirichlet's Prime Number Theorem
  ○ So, how is Dirichlet's Theorem (DT) relevant?
    ■ Well, what happens if we do the following?
      - n(d) + a (mod d)
      - Example
        ○ 2(7) + 5 = 19
        ○ 19 ≡ 5 (mod 7)
    ■ So, by looking at 19 mod 7, we are able to 'release' 5 from the sum
    ■ Thus, we are able to release the value of a from the Dirichlet Prime modulo d
RSA
- Simple Symmetric Backdoor [And93]
  ○ Choose p and q using Dirichlet's (td + a)
    ■ Note: I've renamed n to t in order to avoid confusion
  ○ Fix d to be a large prime; this is the backdoor key. It will be hidden in the black box
  ○ (1) Choose a random prime a such that a has roughly a quarter the bits of d; we know that a and d are coprime
  ○ (2) Set t to be some initial value that is about a quarter of the bits of d; this initial value should be some function, f(x), of a and d
  ○ (3) Increase t until (td + a) is a prime
  ○ Do (1), (2) and (3) for p and q
RSA
- Simple Symmetric Backdoor
  ○ Now, consider n:
    ■ n = pq = (t1d + a1)(t2d + a2) [Kal94]
      - pq = t1dt2d + a1t2d + a2t1d + a1a2
      - And this modulo d is: a1a2
      - a1 and a2 are much smaller than p and q and can be easily factored
  ○ Assume that we factor a1a2 to obtain a1 and a2
    ■ How do we obtain p and q?
  ○ We know d and have a1 and a2; we also know f(x)
  ○ Use f(d + a1) and f(d + a2) to get the initial values of t, t1 and t2, for p and q
RSA
- Simple Symmetric Backdoor
  ○ For each t, t1 and t2, increase t until a prime is reached
  ○ For t1, this prime will be p; for t2, this prime will be q
  ○ With p and q, the ciphertext can be decrypted
RSA - Simple Symmetric Backdoor
Honestly generated keys
e = 93854897993268419291268282158132054459478903016461905919978319015693947069231026005974211 7337930805914627366311257693964672312365587416140319953949 m = 62016643699815891866681776782968332929444025522604782939725140786641517313787243227776152 04975376524559040066052482523719642724550770881042443457837 d = 76142261560107732310949314937054504027136222912946759700839906428395196232482475719392595 9696795501194641200735629994701463260345872178329048258349
Dishonestly generated keys
e = 38679033777561333679744814330283741777516711549088393212436928676715685026888635251008547 554814821766015253704097564971842900261750864932507866030963 m = 94837333025621043745241580207768261280757907156643485047688214354183296858393461170480771 1854450795093240193241133277726482805691469236923612526751981 d = 16866847269610423710279206935327981980647459578169704285835920028040686215635642293732050 210554408831060031156790302211642479203284798196797865229243
RSA
- Simple Symmetric Backdoor
  ○ Is this backdoor secure from outside attacks?
  ○ Kaliski [Kal94] proposes a method of freeing "trapped moduli"
    ■ He says that this is "easy" to do
    ■ However, it requires many different public key moduli that use the same backdoor key
      - It may be hard to obtain enough of them
      - Each device could be given a unique backdoor key
  ○ So, it appears to be secure
RSA
- Extended Symmetric Backdoor
  ○ As the length (number of bits) of p and q grows, so does the length of a1 and a2
  ○ At a certain point, factoring a1a2 will become too difficult
  ○ Question: What do we do?
  ○ Answer: Generate a1 and a2 using the same method as we used to generate p and q
  ○ We'll need another backdoor key. Call the original key d1 and the new key d2
RSA
- Extended Symmetric Backdoor
  ○ The result:
    ■ pq = (t1d1 + a1)(t2d1 + a2) = (t1d1 + [t3d2 + a3])(t2d1 + [t4d2 + a4])
    ■ pq = d1(t1t2d1 + t1t4d2 + t1a4 + t2t3d2 + t2a3) + d2(t3t4d2 + t3a4 + t4a3) + a3a4
    ■ And this mod d1: d2(t3t4d2 + t3a4 + t4a3) + a3a4
    ■ And this mod d2: a3a4
    ■ Again, a3 and a4 are much smaller than p, q, a1, and a2 and can be easily factored
  ○ Assuming that we've factored a3a4 into a3 and a4, we can use the previous procedure to find a1 and a2
  ○ We then use it again, with a1 and a2, in order to find p and q
ElGamal
- Quick Review
  ○ Generate large prime p. p is the order of group P
  ○ Randomly, find a primitive g (generator) within P
  ○ Randomly select x where 0 < x <= p - 1
  ○ Let h = g^x (mod p)
  ○ The tuple ( h, g, p ) is the public key
  ○ x is the private key
  ○ Encrypt 1: Randomly select y where 0 < y <= p - 1
  ○ Encrypt 2: Let j = h^y (mod p) and jm = m * j
  ○ Encrypt 3: Send pair ( j, jm )
  ○ Decrypt 1: Let k = ( j^x )^-1
  ○ Decrypt 2: m = jm * k
ElGamal - Aside
- A little more review
  ○ When is g a primitive of a group modulo p?
    ■ 1 < g < p - 1
      - This ensures that g is a least residue (mod p)
    ■ gcd( g, p ) = 1
      - By Euler's Theorem, this ensures that g^phi(p) ≡ 1 (mod p)
ElGamal - Aside
- A little more review
  ○ When is g a primitive of a group modulo p? (cont'd)
    ■ There is no factor t of phi(p) such that g^(phi(p)/t) ≡ 1 (mod p)
      - This ensures that the order of g is phi(p)
      - This check follows from Lagrange's Theorem
        ○ Let gcd(a, m) = 1 and a have order j (mod m). Then a^k ≡ 1 (mod m) iff j divides k [Dud08]
      - So, the upshot is that if phi(p) is not the order of g (mod p), then it must be a multiple of the order of g and thus will be revealed by this check
ElGamal - Aside
- A little more review
  ○ Quick question: Why must the order of g be phi(p) (mod p)?
    - We want there to be as many solutions (keys) to the discrete logarithm problem as possible
    - Remember the order essentially defines the scope of the cycle within the group
    - Therefore, if x is greater than the order of g, then there is some y less than the order of g, such that g^x ≡ g^y (mod p)
    - Thus, the order defines the number of possible private and transient keys modulo p
    - Of course, since p is prime, phi(p) = p - 1. This is the largest possible keyspace for p
ElGamal - Aside
- Generating primitives for groups
  ○ As we discussed in class, this is difficult to do
  ○ Straightforward Approach - Starting with group P
    ■ Remember prime p is the group modulus
    ■ (1) Factor phi(p), i.e. factor p - 1 (call these phi factors)
    ■ (2) Randomly select prime g where 1 < g < p - 1
    ■ (3) For each phi factor t, calculate z = g^((p - 1)/t) (mod p)
      - If z ≡ 1, g is not primitive
      - Otherwise, go to (3)
    ■ (4) If we run out of phi factors, then g is primitive
  ○ Problem: Factoring p - 1, step (1), can take an inordinate amount of time
  ○ How can we eliminate this step?
ElGamal - Aside
- Generating primitives for groups
  ○ My Approach
    ■ Don't randomly select p
    ■ Instead, build p - 1 from a set of randomly selected, fairly large, factors
    ■ If p is prime, then we have the factors of its phi
    ■ Try to find g the same as before
  ○ Advantages
    ■ No factoring step
      - The most computationally intensive steps are prime identification and multiplicative exponentiation. Both are very tractable
    ■ A cryptographically sound p - 1 should have some large factors. This can be guaranteed
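The approach on the two slides above, as an added Python sketch (not the presenter's code): p - 1 is assembled from known prime factors, so the test g^((p - 1)/t) ≢ 1 (mod p) needs no factoring step. The function names, the Miller-Rabin primality test and the bit sizes are assumptions of this example.

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: n is composite
    return True

def random_prime(bits, rng):
    """Random odd prime with the top bit set."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate

def build_group_prime(factor_bits, n_factors, rng):
    """Build p - 1 = 2 * q1 * ... * qk from random primes; retry until p is prime.

    The factor 2 is always present because p must be odd. Returns p together
    with the complete list of prime factors of phi(p) = p - 1.
    """
    while True:
        factors = {2} | {random_prime(factor_bits, rng) for _ in range(n_factors)}
        p = 1
        for q in factors:
            p *= q
        p += 1
        if is_probable_prime(p, rng):
            return p, sorted(factors)

def is_primitive(g, p, phi_factors):
    """Step (3) of the slide: g fails if g^((p-1)/t) == 1 for any phi factor t."""
    return 1 < g < p - 1 and all(pow(g, (p - 1) // t, p) != 1 for t in phi_factors)

def find_primitive(p, phi_factors, rng):
    """Draw random candidates until one passes the primitive test."""
    while True:
        g = rng.randrange(2, p - 1)
        if is_primitive(g, p, phi_factors):
            return g

if __name__ == "__main__":
    rng = random.Random(2012)     # fixed seed so the demo is repeatable
    p, phi_factors = build_group_prime(64, 3, rng)
    print("p =", p, "phi factors =", phi_factors)
    print("g =", find_primitive(p, phi_factors, rng))
```

A production key generator would draw from a cryptographically secure source such as `random.SystemRandom()` rather than a seeded generator.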
ElGamal - Aside
- Does this approach result in secure keys?
  ○ The primitive g is found the same way as before; this part of the process isn't at issue. So, is the group prime p secure?
  ○ Specifically, is there something about the creation of phi(p) that makes it insecure?
    ■ Safe from approaches to Discrete Logarithms?
      - Pohlig-Hellman - Yes, phi(p) has very large factors
      - Square root attacks - Yes. The order is as large as possible
      - Pollard-Rho - Yes. Again, based on the large p - 1 order
  ○ So, in sum, I think so ;-)
ElGamal
- Simple Symmetric Backdoor [YY04]
  ○ Fix d to be a large prime; this is the backdoor key. It will be hidden within the black box
  ○ During each encryption, secretly store the transient key
    ■ Call the random key value generated during encryption the 'transient key'
  ○ Generate the next transient key by raising the previous transient key to the power of d (modulo p)
    ■ Also, we do some masking and hashing in order to more thoroughly scramble it
  ○ Remember, each ciphertext pair is ( j, jm )
  ○ Except for the first message, each subsequent j is compromised
  ○ Thus, jm can be decrypted using d and the value of j from the previous message
ElGamal - Simple Symmetric Backdoor
Honest Ciphertext #1
614257656221382688573142349037538122259876939099763472183530964683281345: 10847938691876064908875396829235419011867883387106206903128143230040006207425296970163005922 487308425320674930984024647262618076341088805342295536793645319224023428: 8613895761349785490311469766957801656395102130175346112626954616196773035081439485257260
Honest Ciphertext #2
36770137365355326915033293116739398794604852388408264918804083306916989: 3573093338837266260929916799882973733169410316975621629887254255159432596409957742364612594 898463771352447997235822811443115822255241208825427093944974676377617598: 5586877097374278353666760281800657611341582888657869898595444868920958544445356322009840
Dishonest Ciphertext
7207333450963736014413003333524629556375976104780320859169270403064476037: 98063429673816717585126188188003463163876923449878118807666618498512656458145878817857016634 3007518097878295367989526702948027786422852380446474894531259657006909814: 12923976209750529737096501019228624433160285153135154232915924778057108990737182742671020
Dishonest Decryption
eg.DishonestDecrypt( '3007518097878295367989526702948027786422852380446474894531259657006909814: 12923976209750529737096501019228624433160285153135154232915924778057108990737182742671020', '7207333450963736014413003333524629556375976104780320859169270403064476037' ) ('to begin', '3007518097878295367989526702948027786422852380446474894531259657006909814')
Encryption of: We intend to begin (from Zimmerman Telegram)
This is easy...why?
- So far we've seen backdoors into two modern public key encryption algorithms
- They were easy to understand and implement
- What is it about these algorithms that made them susceptible?
- My hypothesis: The relationship between plaintexts and ciphertexts
  ○ Necessary condition: There must be a one-to-many or many-to-many relationship between plaintexts and ciphertexts
  ○ Imagine designing a backdoor for Caesar Cipher
Electronic Book Cipher
- Could a book cipher support a backdoor?
- Yes and for the same reason as before
- How it works
  ○ Shared Private Key: An ordered set of one or many electronic texts (see Project Gutenberg)
  ○ Encryption
    ■ Dynamically, build a substitution dictionary using the key texts
      - Each word and letter can have a maximum number of substitutions
      - If this limit is exceeded, then randomly decide whether to replace a substitution
Electronic Book Cipher
- How it works (cont'd)
  ○ Encryption
    ■ Using the substitution dictionary, for each word in the plaintext, randomly select a substitution from the set of possible substitutions
    ■ If no word substitution is found, perform the same procedure with the letters of the word
  ○ Decryption
    ■ (Cached or dynamically) Build a complete reverse substitution dictionary using the key texts
      - For each code in the ciphertext, use the reverse substitution dictionary to find the plaintext word or letter
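An honest version of the cipher described on the two slides above, as an added Python example (not the presenter's implementation). It shows the one-to-many mapping from plaintext to ciphertext: the same plaintext encrypts differently on each run, so comparing outputs says little about what the box chose. The code layout (a word index, `index:offset` for a letter, `-1:0` closing a spelled word) is inferred from the sample ciphertexts on this page; the cap of 4 and the key text are constructed.

```python
import random
import re

MAX_SUBS = 4          # assumed cap on substitutions kept per word or letter
END_OF_WORD = "-1:0"  # closes a letter-spelled word, as in the page's samples

def tokenize(text):
    """Lower-case the text and split it into alphabetic words."""
    return re.findall(r"[a-z]+", text.lower())

def _remember(table, key, code, rng):
    """Keep at most MAX_SUBS codes per key; past the cap, randomly replace one."""
    subs = table.setdefault(key, [])
    if len(subs) < MAX_SUBS:
        subs.append(code)
    elif rng.random() < 0.5:
        subs[rng.randrange(MAX_SUBS)] = code

def build_dictionary(key_words, rng):
    """Substitution dictionary: word -> word indices, letter -> index:offset codes."""
    words, letters = {}, {}
    for idx, word in enumerate(key_words):
        _remember(words, word, str(idx), rng)
        for off, ch in enumerate(word):
            _remember(letters, ch, f"{idx}:{off}", rng)
    return words, letters

def encrypt(plaintext, key_text, rng):
    words, letters = build_dictionary(tokenize(key_text), rng)
    out = []
    for word in tokenize(plaintext):
        if word in words:
            out.append(rng.choice(words[word]))
        else:
            # No word substitution: spell the word letter by letter.
            # Raises KeyError if a letter never occurs in the key text.
            out.extend(rng.choice(letters[ch]) for ch in word)
            out.append(END_OF_WORD)
    return " ".join(out)

def decrypt(ciphertext, key_text):
    """Every code indexes straight back into the key text (the reverse dictionary)."""
    key_words = tokenize(key_text)
    out, spelled = [], []
    for code in ciphertext.split():
        if code == END_OF_WORD:
            out.append("".join(spelled))
            spelled = []
        elif ":" in code:
            idx, off = map(int, code.split(":"))
            spelled.append(key_words[idx][off])
        else:
            out.append(key_words[int(code)])
    return " ".join(out)

# Constructed key text and plaintext; "shorter" is absent from the key text,
# so it is spelled out with letter codes.
KEY_TEXT = ("the war and the peace of the world were made together "
            "and the war was long and the peace was short")
PLAINTEXT = "the shorter war made the peace"

if __name__ == "__main__":
    for seed in (1, 2):
        ct = encrypt(PLAINTEXT, KEY_TEXT, random.Random(seed))
        print(ct, "->", decrypt(ct, KEY_TEXT))
```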
Electronic Book Cipher
- Advantages
  ○ Book ciphers themselves are very difficult to crack
  ○ Because of the randomness introduced by the construction and utilization of the encryption dictionary, the ciphertext is never quite the same, even if the plaintext is
  ○ It is a very simple process, in both directions
- Given the simplicity of EBC, how can a backdoor be planted?
Electronic Book Cipher
First Encryption of the initial part of the Zimmerman Telegram
71308 441686 554583 124529 12726 208027 355849 10052 167195 305244:1 450108:1 246956:2 556800:2 539960:3 549694:0 275184:1 525203:0 197776:0 549119:3 488707:6 531084:2 -1:0 501231:2 03722:6 432655:0 262125:5 463022:0 403256:8 411505:4 501854:7 484837:3 -1:0 359013 328617 269730 197714 16459 250797 296272 102812 14023 168722 400683 304738 537762 520659 44241 42788 399666 06891 536013 22467 124043 68908 492759 09808 341786 551986 15533 381627 07594 90328 28254 06891 285721 511544 222223 287670 263120 23144 325933 242551 103270 421051 179064 565164 16767 391407 02619 200990 100226 402991 551986 55826 328598 519974:4 269881:4 227687:0 452574:1 514032:5 04996:0 544069:3 407137:2 151524:5 -1:0
Second Encryption of the initial part of the Zimmerman Telegram
315266 441686 317435 181602 29556 468255 273829 12999 167195 222231:1 477123:0 277299:1 261415:3 477935:3 555323:4 461706:4 489713:1 440675:0 00232:1 520686:2 01010:2 -1:0 515295:2 265389:1 06095:0 520642:2 90666:0 440529:2 00575:1 308590:7 486418:1 -1:0 496256 54536 21467 379857 12142 179883 421328 78609 11267 411583 08331 564869 563200 246598 44241 42788 05155 04747 552114 169226 07863 17060 492759 269738 127039 551986 00740 361439 536909 189391 46263 04597 441145 370215 94334 11150 73102 520115 501657 230600 203819 564526 80391 508370 40587 446654 26177 175796 552106 26231 551986 09392 05518 489017:2 534850:4 149013:2 458526:0 560805:6 114903:4 01613:1 475553:2 459714:0 -1:0
Electronic Book Cipher
- Given the simplicity of EBC, how can a backdoor be planted?
Electronic Book Cipher
- Simple Symmetric Backdoor
  ○ Embed the titles of the chosen private key texts into the ciphertext
  ○ How?
    ■ Let i_start and i_end be the indices between which the titles will be embedded
    ■ If the index of the current cipher code is between i_start and i_end, then:
      - Let t be the current letter of the current key text title
      - For each plaintext word, attempt to find a substitution whose first two digits also represent the ASCII code of t
      - If it is found, then use the substitution
Electronic Book Cipher
- Simple Symmetric Backdoor
  ○ How?
    ■ If the index of the current cipher code is between i_start and i_end, then: (cont'd)
      - If it isn't found, attempt to find a substitution whose first two digits do not map to any ASCII alphanumeric
      - If it is found, then use the substitute
      - If it isn't found, choose any substitute
Electronic Book Cipher
Honest encryption of the initial part of the Zimmerman Telegram
71308 441686 554583 124529 12726 208027 355849 10052 167195 305244:1 450108:1 246956:2 556800:2 539960:3 549694:0 275184:1 525203:0 197776:0 549119:3 488707:6 531084:2 -1:0 501231:2 03722:6 432655:0 262125:5 463022:0 403256:8 411505:4 501854:7 484837:3 -1:0 359013 328617 269730 197714 16459 250797 296272 102812 14023 168722 400683 304738 537762 520659 44241 42788 399666 06891 536013 22467 124043 68908 492759 09808 341786 551986 15533 381627 07594 90328 28254 06891 285721 511544 222223 287670 263120 23144 325933 242551 103270 421051 179064 565164 16767 391407 02619 200990 100226 402991 551986 55826 328598 519974:4 269881:4 227687:0 452574:1 514032:5 04996:0 544069:3 407137:2 151524:5 -1:0
Dishonest encryption of the initial part of the Zimmerman Telegram
00627 100600 545449 03857 448727 546671 87200 561296 167195 555511:2 558572:1 550353:1 551586:2 526271:0 558281:7 550353:1 564393:8 552214:0 558281:7 551586:2 480061:5 -1:0 526271:0 555511:2 386875:0 65460:3 531034:1 550353:1 564393:8 558572:1 551586:2 -1:0 291460 00627 00313 197714 399070 02926 561296 82284 545449 04945 546671 39040 283044 561296 44241 42788 399070 546671 41311 561296 65626 262405 492759 00627 06063 551986 484163 102315 561296 04816 448727 546671 08827 199265 06063 00006 12611 06063 00008 12611 46174 192669 23317 405794 374100 08630 448727 78016 00644 286304 551986 68049 545449 550353:1 551586:2 552214:0 554558:1 558572:1 01050:3 555511:2 551586:2 550353:1 -1:0
Electronic Book Cipher
>>> dishonest_book_cipher.get_book_titles_from_ciphertext( ctxt )
'WARANDPEACEMF'
Dishonest encryption of the initial part of the Zimmerman Telegram
00627 100600 545449 03857 448727 546671 87200 561296 167195 555511:2 558572:1 550353:1 551586:2 526271:0 558281:7 550353:1 564393:8 552214:0 558281:7 551586:2 480061:5 -1:0 526271:0 555511:2 386875:0 65460:3 531034:1 550353:1 564393:8 558572:1 551586:2 -1:0 291460 00627 00313 197714 399070 02926 561296 82284 545449 04945 546671 39040 283044 561296 44241 42788 399070 546671 41311 561296 65626 262405 492759 00627 06063 551986 484163 102315 561296 04816 448727 546671 08827 199265 06063 00006 12611 06063 00008 12611 46174 192669 23317 405794 374100 08630 448727 78016 00644 286304 551986 68049 545449 550353:1 551586:2 552214:0 554558:1 558572:1 01050:3 555511:2 551586:2 550353:1 -1:0 546671 80107 250287 399070 558281:7 551586:2 69558:1 531034:1 526271:0 -1:0 00257 551986 405794 531034:1 550353:1 564393:8 00784:7 554558:1 558572:1 531034:1 -1:0 546671 457356 399070 59578 560194 65040 545449 307790 307790 00145 23817 546671 116506 561296 546671 67413 02009 04551 69867 151460 00165 524376 563789:0 464270:6 491188:0 439755:2 519792:1 551338:2 546140:3 94334:2 -1:0
Revealing Backdoors
- How?
  ○ Comparing output
    ■ Won't expose good backdoors, especially if the backdoor has a finite limit
  ○ Side-channel
    ■ Follow the example set by Archimedes when attempting to root out a dishonest goldsmith who may have substituted some silver for gold when crafting King Hiero's crown - compare to known honest sample
    ■ Similar side-channel attacks on encryption
    ■ Does encryption or key-generation require markedly more CPU cycles or energy?
  ○ Reverse-engineering
Summary
- We've seen backdoors in:
  ○ RSA
  ○ ElGamal
  ○ Electronic Book Cipher
- They were easy to construct and embed
- We've even seen that they can be extended along with the key size (RSA)
- The relationship between the plaintext and possible ciphertext seems to play a role in whether an encryption algorithm can support a backdoor
Conclusion
- Backdoors are so easy to introduce into software/hardware implementations of encryption algorithms that our trust in implementers is probably better acknowledged as 'faith'
- We must either have faith that no backdoors are present or we must have faith that, if they are present, they will not be used maliciously
References
[And93] Ross Anderson. Practical RSA Trapdoor. Electronic Letters. 29(11): 995, 1993.
[CS03] Claude Crépeau and Alain Slakmon. Simple Backdoors for RSA Key Generation. CT-RSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track. pgs. 403-416, 2003.
[Dud08] Underwood Dudley. Elementary Number Theory. Dover Publications, Mineola, NY, 2008.
[FP09] Evangellos Fountas and Constantinos Patsakis. Creating RSA Trapdoors Using Lagrange Four Square Theorem. 2009 Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing. pgs. 779-782, 2009.
[Kal94] Burton Kaliski. Anderson’s RSA Trapdoor Can Be Broken. Electronic Letters. 29(15): 1387-88, 1993.
[Sin00] Simon Singh. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor Books, 2000.
[Tuc85] Barbara Tuchman. The Zimmerman Telegram. Ballentine Books, New York, NY, 1985.
[TW06] Wade Trappe and Lawrence Washington. Introduction to Cryptography with Coding Theory. Pearson Prentice Hall, Upper Saddle River, NJ, 2006.
[You04] Adam Young. Mitigating Insider Threats to RSA Key Generation. Cryptobytes, RSA Laboratories. 7(1): 1-15, 2004.
[YY96] Adam Young and Moti Yung. The Dark Side of Black Box Cryptography, or: Should We Trust Capstone?. CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology. pgs. 89-103, 1996.
[YY04] Adam Young and Moti Yung. Malicious Cryptography: Exposing Cryptovirology. Wiley, Indianapolis, IN, 2004.