Bibliography
[1] Ross Anderson, Eli Biham, and Lars Knudsen. Serpent: A Proposal for the Advanced Encryption Standard. In National Institute of Standards and Technology [98]. See http://www.cl.cam.ac.uk/~rja14/serpent.html.
[2] Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., 2008.
[3] Claude Barral and Assia Tria. Fake Fingers in Fingerprint Recognition: Glycerin Supersedes Gelatin. In Véronique Cortier, Claude Kirchner, Mitsuhiro Okada, and Hideki Sakurada, editors, Formal to Practical Security, volume 5458 of Lecture Notes in Computer Science, pages 57–69. Springer-Verlag, 2009.
[4] Mihir Bellare. New Proofs for NMAC and HMAC: Security Without Collision-Resistance. In Cynthia Dwork, editor, Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 602–619. Springer-Verlag, 2006.
[5] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying Hash Functions for Message Authentication. In Koblitz [76], pages 1–15.
[6] Mihir Bellare, Joe Kilian, and Phillip Rogaway. The Security of Cipher Block Chaining. In Desmedt [31], pages 341–358.
[7] Mihir Bellare and Chanathip Namprempre. Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm. In Tatsuaki Okamoto, editor, Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 531–545. Springer-Verlag, 2000.
[8] Mihir Bellare and Phillip Rogaway. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin. In Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT 1996, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
[9] Mihir Bellare and Phillip Rogaway. Optimal Asymmetric Encryption: How to Encrypt with RSA. In Alfredo De Santis, editor, Advances in Cryptology—EUROCRYPT 1994, volume 950 of Lecture Notes in Computer Science, pages 92–111. Springer-Verlag, 2004.
[10] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography, 2005. Available from http://cseweb.ucsd.edu/users/mihir/cse207/classnotes.html.
[11] Charles H. Bennett and Gilles Brassard. An update on quantum cryptography. In G.R. Blakley and David Chaum, editors, Advances in Cryptology, Proceedings of CRYPTO 84, volume 196 of Lecture Notes in Computer Science, pages 475–480. Springer-Verlag, 1984.
[12] Daniel J. Bernstein. Cache-Timing Attacks on AES, 2005. Available from http://cr.yp.to/antiforgery/cachetiming-20050414.pdf.
[13] Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. In Helleseth [61], pages 398–409.
[14] Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds. Cryptology ePrint Archive, Report 2009/374, 2009. See http://eprint.iacr.org/2009/374.
[15] Alex Biryukov and Dmitry Khovratovich. Related-key Cryptanalysis of the Full AES-192 and AES-256. Cryptology ePrint Archive, Report 2009/317, 2009. See http://eprint.iacr.org/2009/317.
[16] Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić. Distinguisher and Related-Key Attack on the Full AES-256. In Shai Halevi, editor, Advances in Cryptology—CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 231–249. Springer-Verlag, 2009.
[17] Jurjen Bos. Booting problems with the JEC computer. Personal communications, 1983.
[18] Jurjen Bos. Practical Privacy. PhD thesis, Eindhoven University of Technology, 1992. Available from http://www.macfergus.com/niels/lib/bosphd.html.
[19] Gilles Brassard and Claude Crépeau. Quantum Bit Commitment and Coin Tossing Protocols. In Menezes and Vanstone [89], pages 49–61.
[20] Karl Brincat and Chris J. Mitchell. New CBC-MAC forgery attacks. In V. Varadharajan and Y. Mu, editors, Information Security and Privacy, ACISP 2001, volume 2119 of Lecture Notes in Computer Science, pages 3–14. Springer-Verlag, 2001.
[21] David Brumley and Dan Boneh. Remote Timing Attacks are Practical. In USENIX Security Symposium Proceedings, 2003.
[22] Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, and Nevenko Zunic. MARS—a candidate cipher for AES. In National Institute of Standards and Technology [98]. See http://www.research.ibm.com/security/mars.pdf.
[23] Christian Cachin. Entropy Measures and Unconditional Security in Cryptography. PhD thesis, ETH, Swiss Federal Institute of Technology, Zürich, 1997. See ftp://ftp.inf.ethz.ch/pub/publications/dissertations/th12187.ps.gz.
[24] Lewis Carroll. The Hunting of the Snark: An Agony, in Eight Fits. Macmillan and Co., London, 1876.
[25] Florent Chabaud and Antoine Joux. Differential Collisions in SHA-0. In Hugo Krawczyk, editor, Advances in Cryptology—CRYPTO ′98, volume 1462 of Lecture Notes in Computer Science, pages 56–71. Springer-Verlag, 1998.
[26] Jean-Sébastien Coron, Yevgeniy Dodis, Cécile Malinaud, and Prashant Puniya. Merkle-Damgård Revisited: How to Construct a Hash Function. In Shoup [119], pages 430–448.
[27] Joan Daemen and Vincent Rijmen. AES Proposal: Rijndael. In National Institute of Standards and Technology [98].
[28] I.B. Damgård, editor. Advances in Cryptology—EUROCRYPT ′90, volume 473 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
[29] Don Davis, Ross Ihaka, and Philip Fenstermacher. Cryptographic Randomness from Air Turbulence in Disk Drives. In Desmedt [31], pages 114–120.
[30] Bert den Boer and Antoon Bosselaers. Collisions for the compression function of MD5. In Helleseth [61], pages 293–304.
[31] Yvo G. Desmedt, editor. Advances in Cryptology—CRYPTO ′94, volume 839 of Lecture Notes in Computer Science. Springer-Verlag, 1994.
[32] Giovanni Di Crescenzo, Niels Ferguson, Russell Impagliazzo, and Markus Jakobsson. How to Forget a Secret. In Christoph Meinel and Sophie Tison, editors, STACS 99, volume 1563 of Lecture Notes in Computer Science, pages 500–509. Springer-Verlag, 1999.
[33] Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.
[34] Whitfield Diffie, Paul C. Van Oorschot, and Michael J. Wiener. Authentication and Authenticated Key Exchanges. Designs, Codes and Cryptography, 2(2):107–125, 1992.
[35] Edsger W. Dijkstra. The Humble Programmer. Communications of the ACM, 15(10):859–866, 1972. Also published as EWD340, http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD340.PDF.
[36] Hans Dobbertin. Cryptanalysis of MD4. J. Cryptology, 11(4):253–271, 1998.
[37] Mark Dowd, John McDonald, and Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley, 2006.
[38] Orr Dunkelman, Sebastiaan Indesteege, and Nathan Keller. A Differential-Linear Attack on 12-Round Serpent. In Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, editors, Progress in Cryptology—INDOCRYPT 2008, volume 5365 of Lecture Notes in Computer Science, pages 308–321. Springer-Verlag, 2008.
[39] Stephen R. Dussé and Burton S. Kaliski Jr. A Cryptographic Library for the Motorola DSP56000. In Damgård [28], pages 230–244.
[40] Morris Dworkin. Recommendation for Block Cipher Modes of Operation—Methods and Techniques. National Institute of Standards and Technology, December 2001. Available from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.
[41] Morris Dworkin. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. National Institute of Standards and Technology, May 2004. Available from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf.
[42] Morris Dworkin. Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. National Institute of Standards and Technology, May 2005. Available from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf.
[43] Morris Dworkin. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. National Institute of Standards and Technology, November 2007. Available from http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
[44] Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. O'Reilly, 1998.
[45] Carl Ellison. Improvements on Conventional PKI Wisdom. In Sean Smith, editor, 1st Annual PKI Research Workshop—Proceedings, pages 165–175, 2002. Available from http://www.cs.dartmouth.edu/~pki02/Ellison/.
[46] Jan-Hendrik Evertse and Eugène van Heyst. Which New RSA-Signatures Can Be Computed from Certain Given RSA-Signatures? J. Cryptology, 5(1):41–52, 1992.
[47] H. Feistel, W.A. Notz, and J.L. Smith. Some Cryptographic Techniques for Machine-to-Machine Data Communications. Proceedings of the IEEE, 63(11):1545–1554, 1975.
[48] Niels Ferguson. Authentication weaknesses in GCM. Public Comments to NIST, 2005. See http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf.
[49] Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting. Improved Cryptanalysis of Rijndael. In Bruce Schneier, editor, Fast Software Encryption, 7th International Workshop, FSE 2000, volume 1978 of Lecture Notes in Computer Science, pages 213–230. Springer-Verlag, 2000. See also http://www.schneier.com/paper-rijndael.html.
[50] Niels Ferguson, John Kelsey, Bruce Schneier, and Doug Whiting. A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish. Twofish Technical Report 6, Counterpane Systems, February 2000. See http://www.schneier.com/paper-twofish-related.html.
[51] Niels Ferguson and Bruce Schneier. A Cryptographic Evaluation of IPsec, 1999. See http://www.schneier.com/paper-ipsec.html.
[52] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Schedule Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001, volume 2259 of Lecture Notes in Computer Science. Springer-Verlag, 2001.
[53] Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL Protocol, Version 3.0. Internet draft, Transport Layer Security Working Group, November 18, 1996. Available from http://www.potaroo.net/ietf/idref/draft-freier-ssl-version3/.
[54] Ian Goldberg and David Wagner. Randomness and the Netscape Browser. Dr. Dobb's Journal, pages 66–70, January 1996. Available from http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html.
[55] Oded Goldreich. Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press, 2001. Also available from http://www.wisdom.weizmann.ac.il/~oded/foc-book.html.
[56] Oded Goldreich. Foundations of Cryptography: Volume 2, Basic Applications. Cambridge University Press, 2001. Also available from http://www.wisdom.weizmann.ac.il/~oded/foc-book.html.
[57] Peter Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. In USENIX Security Symposium Proceedings, 1996. Available from http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html.
[58] Peter Gutmann. X.509 Style Guide, October 2000. Available from http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt.
[59] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In USENIX Security Symposium Proceedings, pages 45–60, 2008.
[60] D. Harkins and D. Carrel. The Internet Key Exchange (IKE). RFC 2409, November 1998.
[61] Tor Helleseth, editor. Advances in Cryptology—EUROCRYPT ′93, volume 765 of Lecture Notes in Computer Science. Springer-Verlag, 1993.
[62] Michael Howard and Steve Lipner. The Security Development Lifecycle. Microsoft Press, 2006.
[63] Intel. Intel 82802 Firmware Hub: Random Number Generator, Programmer's Reference Manual, December 1999. Available from the Intel web site.
[64] International Telecommunication Union. X.680-X.683: Abstract Syntax Notation One (ASN.1), X.690-X.693: ASN.1 encoding rules, 2002.
[65] Jakob Jonsson. On the Security of CTR + CBC-MAC. In Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, 2002. See http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm-ad1.pdf.
[66] Robert R. Jueneman. Analysis of Certain Aspects of Output Feedback Mode. In David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, Advances in Cryptology, Proceedings of Crypto 82, pages 99–128. Plenum Press, 1982.
[67] David Kahn. The Codebreakers, The Story of Secret Writing. Macmillan Publishing Co., New York, 1967.
[68] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography: Principles and Protocols. Chapman & Hall/CRC, 2007.
[69] John Kelsey, Bruce Schneier, and Niels Ferguson. Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator. In Howard Heys and Carlisle Adams, editors, Selected Areas in Cryptography, 6th Annual International Workshop, SAC ′99, volume 1758 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
[70] John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Koblitz [76], pages 237–251.
[71] John Kelsey, Bruce Schneier, David Wagner, and Chris Hall. Cryptanalytic Attacks on Pseudorandom Number Generators. In Serge Vaudenay, editor, Fast Software Encryption, 5th International Workshop, FSE′98, volume 1372 of Lecture Notes in Computer Science, pages 168–188. Springer-Verlag, 1998.
[72] John Kelsey, Bruce Schneier, David Wagner, and Chris Hall. Side Channel Cryptanalysis of Product Ciphers. Journal of Computer Security, 8(2–3):141–158, 2000. See also http://www.schneier.com/paper-side-channel.html.
[73] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, November 1998.
[74] Lars R. Knudsen and Vincent Rijmen. Two Rights Sometimes Make a Wrong. In Workshop on Selected Areas in Cryptography (SAC ′97), pages 213–223, 1997.
[75] Donald E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Programming. Addison-Wesley, 1981.
[76] Neal Koblitz, editor. Advances in Cryptology—CRYPTO ′96, volume 1109 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
[77] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Michael Wiener, editor, Advances in Cryptology—CRYPTO ′99, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer-Verlag, 1999.
[78] Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Koblitz [76], pages 104–113.
[79] J. Kohl and C. Neuman. The Kerberos Network Authentication Service (V5). RFC 1510, September 1993.
[80] Tadayoshi Kohno, John Viega, and Doug Whiting. CWC: A High-Performance Conventional Authenticated Encryption Mode. In Bimal Roy and Willi Meier, editors, Fast Software Encryption, 11th International Workshop, FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 408–426. Springer-Verlag, 2004.
[81] H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997.
[82] Hugo Krawczyk. The Order of Encryption and Authentication for Protecting Communications (or: How Secure is SSL?). In Joe Kilian, editor, Advances in Cryptology—CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 310–331. Springer-Verlag, 2001.
[83] Xuejia Lai, James L. Massey, and Sean Murphy. Markov Ciphers and Differential Cryptanalysis. In D.W. Davies, editor, Advances in Cryptology—EUROCRYPT ′91, volume 547 of Lecture Notes in Computer Science, pages 17–38. Springer-Verlag, 1991.
[84] Xuejia Lai and James L. Massey. A Proposal for a New Block Encryption Standard. In Damgård [28], pages 389–404.
[85] Arjen K. Lenstra and Eric R. Verheul. Selecting Cryptographic Key Sizes. J. Cryptology, 14(4):255–293, August 2001.
[86] Michael Luby and Charles Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Computation, 17(2), April 1988.
[87] T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of Artificial “Gummy” Fingers on Fingerprint Systems. In Proceedings of SPIE, Vol #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002. See also http://cryptome.org/gummy.htm.
[88] Gary McGraw. Software Security: Building Security In. Addison-Wesley, 2006.
[89] A.J. Menezes and S.A. Vanstone, editors. Advances in Cryptology—CRYPTO ′90, volume 537 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
[90] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Also available from http://www.cacr.math.uwaterloo.ca/hac/.
[91] D. Mills. Simple Network Time Protocol (SNTP) Version 4. RFC 2030, October 1996.
[92] David L. Mills. Network Time Protocol (Version 3). RFC 1305, March 1992.
[93] P. Montgomery. Modular Multiplication without Trial Division. Mathematics of Computation, 44(170):519–521, 1985.
[94] Moni Naor and Omer Reingold. On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. J. Cryptology, 12(1):29–66, 1999.
[95] National Institute of Standards and Technology. DES Modes of Operation, December 2, 1980. FIPS PUB 81, available from http://www.itl.nist.gov/fipspubs/fip81.htm.
[96] National Institute of Standards and Technology. Data Encryption Standard (DES), December 30, 1993. FIPS PUB 46-2, available from http://www.itl.nist.gov/fipspubs/fip46-2.htm.
[97] National Institute of Standards and Technology. Secure Hash Standard, April 17, 1995. FIPS PUB 180-1, available from http://www.digistamp.com/reference/fip180-1.pdf.
[98] National Institute of Standards and Technology. AES Round 1 Technical Evaluation, CD-1: Documentation, August 1998.
[99] National Institute of Standards and Technology. Data Encryption Standard (DES), 1999. FIPS PUB 46-3, available from http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.
[100] National Institute of Standards and Technology. Proc. 3rd AES candidate conference, April 2000.
[101] National Institute of Standards and Technology. Secure Hash Standard (draft), 2008. FIPS PUB 180-3, available from http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf.
[102] Roger M. Needham and Michael D. Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM, 21(12):993–999, December 1978.
[103] Bart Preneel and Paul C. van Oorschot. On the Security of Two MAC Algorithms. In Ueli Maurer, editor, Advances in Cryptology—EUROCRYPT ′96, volume 1070 of Lecture Notes in Computer Science, pages 19–32. Springer-Verlag, 1996.
[104] R. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992.
[105] Ronald Rivest, Adi Shamir, and Leonard Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21:120–126, February 1978.
[106] Ronald L. Rivest. The MD4 Message Digest Algorithm. In Menezes and Vanstone [89], pages 303–311.
[107] Ronald L. Rivest. The RC5 Encryption Algorithm. In B. Preneel, editor, Fast Software Encryption, Second International Workshop, FSE′94, volume 1008 of Lecture Notes in Computer Science, pages 86–96. Springer-Verlag, 1995.
[108] Ronald L. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin. The RC6 Block Cipher. In National Institute of Standards and Technology [98]. See http://people.csail.mit.edu/rivest/Rc6.pdf.
[109] Phillip Rogaway, Mihir Bellare, John Black, and Ted Krovetz. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption. In Eighth ACM Conference on Computer and Communications Security (CCS-8), pages 196–205. ACM, ACM Press, 2001.
[110] RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard, January 2001. Available from http://www.rsa.com/rsalabs/node.asp?id=2124.
[111] Bruce Schneier. Applied Cryptography, Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., 1994.
[112] Bruce Schneier. Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., 1996.
[113] Bruce Schneier. Attack Trees. Dr. Dobb's Journal, 1999. Also available from http://www.schneier.com/paper-attacktrees-ddj-ft.html.
[114] Bruce Schneier. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., 2000.
[115] Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. The Twofish Encryption Algorithm, A 128-Bit Block Cipher. John Wiley & Sons, Inc., 1999.
[116] Dr. Seuss. Horton Hatches the Egg. Random House, 1940.
[117] Adi Shamir. How to Share a Secret. Communications of the ACM, 22(11):612–613, 1979.
[118] C.E. Shannon. A Mathematical Theory of Communication. The Bell Systems Technical Journal, 27:370–423 and 623–656, July and October 1948. See http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html.
[119] Victor Shoup, editor. Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer-Verlag, 2005.
[120] Simon Singh. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor, 2000.
[121] David Wagner, Niels Ferguson, and Bruce Schneier. Cryptanalysis of FROG. In Proc. 2nd AES candidate conference, pages 175–181. National Institute of Standards and Technology, March 1999.
[122] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 protocol. In Proceedings of the Second USENIX Workshop on Electronic Commerce, pages 29–40, November 1996. Revised version available from http://www.schneier.com/paper-ssl.html.
[123] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Shoup [119], pages 17–36.
[124] Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, Advances in Cryptology—EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 19–35. Springer-Verlag, 2005.
[125] Mark N. Wegman and J. Lawrence Carter. New Hash Functions and Their Use in Authentication and Set Equality. J. Computer and System Sciences, 22(3):265–279, 1981.
[126] Doug Whiting, Russ Housley, and Niels Ferguson. Counter with CBC-MAC (CCM), June 2002. See http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf.
[127] Michael J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36(3):553–558, May 1990.
[128] Robert S. Winternitz. Producing a One-way Hash Function from DES. In David Chaum, editor, Advances in Cryptology, Proceedings of Crypto 83, pages 203–207. Plenum Press, 1983.
[129] Thomas Wu. The Secure Remote Password Protocol. In Proceedings of the 1998 Network and Distributed System Security (NDSS'98) Symposium, March 1998.
[130] Phil Zimmermann and Jon Callas. The Evolution of PGP's Web of Trust. In Andy Oram and John Viega, editors, Beautiful Security, pages 107–130. O'Reilly, 2009.