
Algorithmic Cryptanalysis

© 2009 by Taylor and Francis Group, LLC


CHAPMAN & HALL/CRC
CRYPTOGRAPHY AND NETWORK SECURITY

Series Editor
Douglas R. Stinson

Published Titles

Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Antoine Joux, Algorithmic Cryptanalysis

Forthcoming Titles

Burton Rosenberg, Handbook of Financial Cryptography
Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt, Group Theoretic Cryptography
Shiu-Kai Chin and Susan Beth Older, Access Control, Security and Trust: A Logical Approach


Chapman & Hall/CRC
CRYPTOGRAPHY AND NETWORK SECURITY

Algorithmic Cryptanalysis

Antoine Joux


Chapman & Hall/CRC
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2009 by Taylor and Francis Group, LLC


Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed in the United States of America on acid-free paper


10 9 8 7 6 5 4 3 2 1

International Standard Book Number: 978-1-4200-7002-6 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmit-
ted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Joux, Antoine.
Algorithmic cryptanalysis / Antoine Joux.
p. cm. -- (Chapman & Hall/CRC cryptography and network security)
Includes bibliographical references and index.
ISBN 978-1-4200-7002-6 (hardcover : alk. paper)
1. Computer algorithms. 2. Cryptography. I. Title. II. Series.

QA76.9.A43J693 2009
005.8'2--dc22 2009016989

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com


To Katia, Anne and Louis


Contents

Preface
I Background
1 A bird’s-eye view of modern cryptography 3
1.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Typical cryptographic needs . . . . . . . . . . . . . . . 6
1.2 Defining security in cryptography . . . . . . . . . . . . . . . 10
1.2.1 Distinguishers . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.2 Integrity and signatures . . . . . . . . . . . . . . . . . 16
1.2.3 Authenticated encryption . . . . . . . . . . . . . . . . 17
1.2.4 Abstracting cryptographic primitives . . . . . . . . . . 21

2 Elementary number theory and algebra background 23


2.1 Integers and rational numbers . . . . . . . . . . . . . . . . . 23
2.2 Greatest common divisors in Z . . . . . . . . . . . . . . . . . 26
2.2.1 Binary GCD algorithm . . . . . . . . . . . . . . . . . 30
2.2.2 Approximations using partial GCD computations . . . 31
2.3 Modular arithmetic . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1 Basic algorithms for modular arithmetic . . . . . . . . 34
2.3.2 Primality testing . . . . . . . . . . . . . . . . . . . . . 38
2.3.3 Specific aspects of the composite case . . . . . . . . . 41
2.4 Univariate polynomials and rational fractions . . . . . . . . . 44
2.4.1 Greatest common divisors and modular arithmetic . . 45
2.4.2 Derivative of polynomials . . . . . . . . . . . . . . . . 47
2.5 Finite fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.5.1 The general case . . . . . . . . . . . . . . . . . . . . . 48
2.5.2 The special case of F_{2^n} . . . . . . . . . . . . . . . 49
2.5.3 Solving univariate polynomial equations . . . . . . . . 55
2.6 Vector spaces and linear maps . . . . . . . . . . . . . . . . . 61
2.7 The RSA and Diffie-Hellman cryptosystems . . . . . . . . . . 63
2.7.1 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
2.7.2 Diffie-Hellman key exchange . . . . . . . . . . . . . . . 65


II Algorithms
3 Linear algebra 71
3.1 Introductory example: Multiplication of small matrices over F_2 . . 71
3.2 Dense matrix multiplication . . . . . . . . . . . . . . . . . . 77
3.2.1 Strassen’s algorithm . . . . . . . . . . . . . . . . . . . 80
3.2.2 Asymptotically fast matrix multiplication . . . . . . . 89
3.2.3 Relation to other linear algebra problems . . . . . . . 93
3.3 Gaussian elimination algorithms . . . . . . . . . . . . . . . . 94
3.3.1 Matrix inversion . . . . . . . . . . . . . . . . . . . . . 98
3.3.2 Non-invertible matrices . . . . . . . . . . . . . . . . . 98
3.3.3 Hermite normal forms . . . . . . . . . . . . . . . . . . 103
3.4 Sparse linear algebra . . . . . . . . . . . . . . . . . . . . . . 105
3.4.1 Iterative algorithms . . . . . . . . . . . . . . . . . . . 106
3.4.2 Structured Gaussian elimination . . . . . . . . . . . . 113

4 Sieve algorithms 123


4.1 Introductory example: Eratosthenes’s sieve . . . . . . . . . . 123
4.1.1 Overview of Eratosthenes’s sieve . . . . . . . . . . . . 123
4.1.2 Improvements to Eratosthenes’s sieve . . . . . . . . . 125
4.1.3 Finding primes faster: Atkin and Bernstein’s sieve . . 133
4.2 Sieving for smooth composites . . . . . . . . . . . . . . . . . 135
4.2.1 General setting . . . . . . . . . . . . . . . . . . . . . . 136
4.2.2 Advanced sieving approaches . . . . . . . . . . . . . . 148
4.2.3 Sieving without sieving . . . . . . . . . . . . . . . . . 152

5 Brute force cryptanalysis 155


5.1 Introductory example: Dictionary attacks . . . . . . . . . . . 155
5.2 Brute force and the DES algorithm . . . . . . . . . . . . . . 157
5.2.1 The DES algorithm . . . . . . . . . . . . . . . . . . . 157
5.2.2 Brute force on DES . . . . . . . . . . . . . . . . . . . 161
5.3 Brute force as a security mechanism . . . . . . . . . . . . . . 163
5.4 Brute force steps in advanced cryptanalysis . . . . . . . . . . 164
5.4.1 Description of the SHA hash function family . . . . . . 165
5.4.2 A linear model of SHA-0 . . . . . . . . . . . . . . . . . 168
5.4.3 Adding non-linearity . . . . . . . . . . . . . . . . . . . 171
5.4.4 Searching for collision instances . . . . . . . . . . . . . 179


5.5 Brute force and parallel computers . . . . . . . . . . . . . . . 182

6 The birthday paradox: Sorting or not? 185


6.1 Introductory example: Birthday attacks on modes of operation 186
6.1.1 Security of CBC encryption and CBC-MAC . . . . . . 186
6.2 Analysis of birthday paradox bounds . . . . . . . . . . . . . 189
6.2.1 Generalizations . . . . . . . . . . . . . . . . . . . . . . 190
6.3 Finding collisions . . . . . . . . . . . . . . . . . . . . . . . . 192
6.3.1 Sort algorithms . . . . . . . . . . . . . . . . . . . . . . 196
6.3.2 Hash tables . . . . . . . . . . . . . . . . . . . . . . . . 207
6.3.3 Binary trees . . . . . . . . . . . . . . . . . . . . . . . . 210
6.4 Application to discrete logarithms in generic groups . . . . . 216
6.4.1 Pohlig-Hellman algorithm . . . . . . . . . . . . . . . . 216
6.4.2 Baby-step, giant-step algorithm . . . . . . . . . . . . . 218

7 Birthday-based algorithms for functions 223


7.1 Algorithmic aspects . . . . . . . . . . . . . . . . . . . . . . . 224
7.1.1 Floyd’s cycle finding algorithm . . . . . . . . . . . . . 225
7.1.2 Brent’s cycle finding algorithm . . . . . . . . . . . . . 226
7.1.3 Finding the cycle’s start . . . . . . . . . . . . . . . . . 227
7.1.4 Value-dependent cycle finding . . . . . . . . . . . . . . 228
7.2 Analysis of random functions . . . . . . . . . . . . . . . . . . 231
7.2.1 Global properties . . . . . . . . . . . . . . . . . . . . . 231
7.2.2 Local properties . . . . . . . . . . . . . . . . . . . . . 232
7.2.3 Extremal properties . . . . . . . . . . . . . . . . . . . 232
7.3 Number-theoretic applications . . . . . . . . . . . . . . . . . 233
7.3.1 Pollard’s Rho factoring algorithm . . . . . . . . . . . . 233
7.3.2 Pollard’s Rho discrete logarithm algorithm . . . . . . 236
7.3.3 Pollard’s kangaroos . . . . . . . . . . . . . . . . . . . . 237
7.4 A direct cryptographic application in the context of blockwise security . . . . 238
7.4.1 Blockwise security of CBC encryption . . . . . . . . . 239
7.4.2 CBC encryption beyond the birthday bound . . . . . 239
7.4.3 Delayed CBC beyond the birthday bound . . . . . . . 240
7.5 Collisions in hash functions . . . . . . . . . . . . . . . . . . . 242
7.5.1 Collisions between meaningful messages . . . . . . . . 243
7.5.2 Parallelizable collision search . . . . . . . . . . . . . . 244


7.6 Hellman’s time memory tradeoff . . . . . . . . . . . . . . . . 246
7.6.1 Simplified case . . . . . . . . . . . . . . . . . . . . . . 247
7.6.2 General case . . . . . . . . . . . . . . . . . . . . . . . 248

8 Birthday attacks through quadrisection 251


8.1 Introductory example: Subset sum problems . . . . . . . . . 251
8.1.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . 252
8.1.2 The algorithm of Shamir and Schroeppel . . . . . . . 253
8.2 General setting for reduced memory birthday attacks . . . . 256
8.2.1 Xoring bit strings . . . . . . . . . . . . . . . . . . . . . 257
8.2.2 Generalization to different groups . . . . . . . . . . . . 258
8.2.3 Working with more lists . . . . . . . . . . . . . . . . . 262
8.3 Extensions of the technique . . . . . . . . . . . . . . . . . . . 263
8.3.1 Multiple targets . . . . . . . . . . . . . . . . . . . . . 263
8.3.2 Wagner’s extension . . . . . . . . . . . . . . . . . . . . 264
8.3.3 Related open problems . . . . . . . . . . . . . . . . . . 265
8.4 Some direct applications . . . . . . . . . . . . . . . . . . . . 267
8.4.1 Noisy Chinese remainder reconstruction . . . . . . . . 267
8.4.2 Plain RSA and plain ElGamal encryptions . . . . . . 269
8.4.3 Birthday attack on plain RSA . . . . . . . . . . . . . . 269
8.4.4 Birthday attack on plain ElGamal . . . . . . . . . . . 270

9 Fourier and Hadamard-Walsh transforms 273


9.1 Introductory example: Studying S-boxes . . . . . . . . . . . 273
9.1.1 Definitions, notations and basic algorithms . . . . . . 273
9.1.2 Fast linear characteristics using the Walsh transform . 275
9.1.3 Link between Walsh transforms and differential characteristics . . . . 279
9.1.4 Truncated differential characteristics . . . . . . . . . . 282
9.2 Algebraic normal forms of Boolean functions . . . . . . . . . 285
9.3 Goldreich-Levin theorem . . . . . . . . . . . . . . . . . . . . 286
9.4 Generalization of the Walsh transform to F_p . . . . . . . . . . 288
9.4.1 Complexity analysis . . . . . . . . . . . . . . . . . . . 291
9.4.2 Generalization of the Moebius transform to F_p . . . . 293
9.5 Fast Fourier transforms . . . . . . . . . . . . . . . . . . . . . 294
9.5.1 Cooley-Tukey algorithm . . . . . . . . . . . . . . . . . 296
9.5.2 Rader’s algorithm . . . . . . . . . . . . . . . . . . . . 300


9.5.3 Arbitrary finite abelian groups . . . . . . . . . . . . . 303

10 Lattice reduction 309


10.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
10.2 Introductory example: Gauss reduction . . . . . . . . . . . . 311
10.2.1 Complexity analysis . . . . . . . . . . . . . . . . . . . 315
10.3 Higher dimensions . . . . . . . . . . . . . . . . . . . . . . . . 318
10.3.1 Gram-Schmidt orthogonalization . . . . . . . . . . . . 319
10.3.2 Lenstra-Lenstra-Lovász algorithm . . . . . . . . . . . 320
10.4 Shortest vectors and improved lattice reduction . . . . . . . 327
10.4.1 Enumeration algorithms for the shortest vector . . . . 327
10.4.2 Using shortest vectors to improve lattice reduction . . 330
10.5 Dual and orthogonal lattices . . . . . . . . . . . . . . . . . . 331
10.5.1 Dual of a lattice . . . . . . . . . . . . . . . . . . . . . 332
10.5.2 Orthogonal of a lattice . . . . . . . . . . . . . . . . . . 333

11 Polynomial systems and Gröbner base computations 337


11.1 General framework . . . . . . . . . . . . . . . . . . . . . . . 338
11.2 Bivariate systems of equations . . . . . . . . . . . . . . . . . 340
11.2.1 Resultants of univariate polynomials . . . . . . . . . . 341
11.2.2 Application of resultants to bivariate systems . . . . . 343
11.3 Definitions: Multivariate ideals, monomial orderings and Gröbner bases . . . . 345
11.3.1 A simple example: Monomial ideals . . . . . . . . . . 346
11.3.2 General case: Gröbner bases . . . . . . . . . . . . . . 346
11.3.3 Computing roots with Gröbner bases . . . . . . . . . . 349
11.3.4 Homogeneous versus affine algebraic systems . . . . . 351
11.4 Buchberger algorithm . . . . . . . . . . . . . . . . . . . . . . 352
11.5 Macaulay’s matrices . . . . . . . . . . . . . . . . . . . . . . . 354
11.6 Faugère’s algorithms . . . . . . . . . . . . . . . . . . . . . . . 355
11.6.1 The F4 approach . . . . . . . . . . . . . . . . . . . . . 356
11.6.2 The F5 approach . . . . . . . . . . . . . . . . . . . . . 359
11.6.3 The specific case of F_2 . . . . . . . . . . . . . . . . . 360
11.6.4 Choosing and changing monomial ordering for Gröbner bases . . . . 361
11.7 Algebraic attacks on multivariate cryptography . . . . . . . . 362
11.7.1 The HFE cryptosystem . . . . . . . . . . . . . . . . . 363


11.7.2 Experimental Gröbner basis attack . . . . . . . . . . . 364
11.7.3 Theoretical explanation . . . . . . . . . . . . . . . . . 365
11.7.4 Direct sparse approach on Macaulay’s matrix . . . . . 366
11.8 On the complexity of Gröbner bases computation . . . . . . 367

III Applications
12 Attacks on stream ciphers 373
12.1 LFSR-based keystream generators . . . . . . . . . . . . . . . 374
12.2 Correlation attacks . . . . . . . . . . . . . . . . . . . . . . . 376
12.2.1 Noisy LFSR model . . . . . . . . . . . . . . . . . . . . 376
12.2.2 Maximum likelihood decoding . . . . . . . . . . . . . . 377
12.2.3 Fast correlation attacks . . . . . . . . . . . . . . . . . 380
12.2.4 Algorithmic aspects of fast correlation attacks . . . . . 383
12.3 Algebraic attacks . . . . . . . . . . . . . . . . . . . . . . . . 387
12.3.1 Predicting an annihilator polynomial . . . . . . . . . . 388
12.4 Extension to some non-linear shift registers . . . . . . . . . . 389
12.5 The cube attack . . . . . . . . . . . . . . . . . . . . . . . . . 390
12.5.1 Basic scenario for the cube method . . . . . . . . . . . 392
12.6 Time memory data tradeoffs . . . . . . . . . . . . . . . . . . 393

13 Lattice-based cryptanalysis 397


13.1 Direct attacks using lattice reduction . . . . . . . . . . . . . 397
13.1.1 Dependence relations with small coefficients . . . . . . 397
13.1.2 Some applications of short dependence relations . . . 402
13.2 Coppersmith’s small roots attacks . . . . . . . . . . . . . . . 407
13.2.1 Univariate modular polynomials . . . . . . . . . . . . 407
13.2.2 Bivariate polynomials . . . . . . . . . . . . . . . . . . 410
13.2.3 Extension to rational roots . . . . . . . . . . . . . . . 413
13.2.4 Security of RSA with small decryption exponent . . . 414

14 Elliptic curves and pairings 417


14.1 Introduction to elliptic curves . . . . . . . . . . . . . . . . . 417
14.1.1 The group structure of elliptic curves . . . . . . . . . . 418
14.1.2 Double and add method on elliptic curves . . . . . . . 423
14.1.3 Number of points on elliptic curves . . . . . . . . . . . 423
14.2 The Weil pairing . . . . . . . . . . . . . . . . . . . . . . . . . 424
14.2.1 Weil’s reciprocity law . . . . . . . . . . . . . . . . . . 424


14.2.2 The Weil pairing on ℓ-torsion points . . . . . . . . . . 429
14.3 The elliptic curve factoring method . . . . . . . . . . . . . . 432
14.3.1 Pollard’s p − 1 factoring . . . . . . . . . . . . . . . . . 432
14.3.2 Elliptic curve factoring . . . . . . . . . . . . . . . . . . 433

15 Index calculus algorithms 439


15.1 Introduction to index calculus . . . . . . . . . . . . . . . . . 439
15.2 A simple finite field example . . . . . . . . . . . . . . . . . . 441
15.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 441
15.2.2 A toy example . . . . . . . . . . . . . . . . . . . . . . 448
15.3 Generalization to finite fields with small enough characteristic 449
15.3.1 Overview of the regular function field sieve . . . . . . 453
15.4 Introduction to the number field sieve . . . . . . . . . . . . . 455
15.4.1 Factoring with the quadratic sieve . . . . . . . . . . . 456
15.4.2 Discrete logarithms with the Gaussian integer method 457
15.4.3 Constructing number field sieve polynomials . . . . . . 461
15.5 Smoothness probabilities . . . . . . . . . . . . . . . . . . . . 463
15.5.1 Computing smoothness probabilities for polynomials . 463
15.5.2 Asymptotic lower bound on the smoothness probability 467
15.5.3 Smoothness probabilities for integers . . . . . . . . . . 467

References 471

Lists 491


Preface

The idea of this book stemmed from a master’s degree course given at the University of Versailles. Since most students in this course come from a mathematical background, its goal is both to prime them on algorithmic methods and to motivate these algorithmic methods by cryptographically relevant examples. Discussing this course with colleagues, I realized that its content could be of interest to a much larger audience. Then, at Eurocrypt 2007 in Barcelona, I had the opportunity to speak to Sunil Nair from Taylor & Francis. This discussion encouraged me to turn my course into a book, which you are now holding.

This book is intended to serve several purposes. First, it can be a basis for courses, both at the undergraduate and at the graduate levels. I also hope that it can serve as a handbook of algorithmic methods for cryptographers. It is structured in three parts: background, algorithms and applications. The background part contains two chapters, a short introduction to cryptography mostly from a cryptanalytic perspective and a background chapter on elementary number theory and algebra. The algorithms part has nine chapters; each chapter regroups algorithms dedicated to a single topic, often illustrated by simple cryptographic applications. Its topics cover linear algebra, sieving, brute force, algorithms based on the birthday paradox, Hadamard-Fourier-Walsh transforms, lattice reduction and Gröbner bases. The applications part takes a different point of view and uses recipes from several chapters in the algorithms part to address more advanced cryptographic applications. This final part contains four chapters dealing with linear feedback shift register based stream ciphers, lattice methods for cryptanalysis, elliptic curves and index calculus methods.

All chapters in the algorithms and applications parts have an exercise section. For all exercises whose number is marked with an “h” exponent, e.g., exercise 1^h, hints and solutions are given on the book’s website, whose address is http://www.joux.biz/algcrypt. To allow the book to serve as a textbook, about half of the exercises have neither hints nor solutions.

The content of this book should not necessarily be read or taught in linear order. For a first reading or an introductory course, the content of Chapters 2, 3 and 6, covering basic number theory, linear algebra and birthday paradox algorithms, should suffice. For a longer course, the choice of chapters depends on the background of the reader or students. With a mathematical background, I would recommend choosing among Chapters 4, 7, 10 and 11. Indeed, these chapters are based on mathematical premises and develop algorithms on this basis. With a computer science background, Chapters 5, 8 and 9 are more suited. Finally, the applications presented in the last part can be used for dedicated graduate courses. Alternatively, they can serve as a basis for course end projects.

Throughout this book, we discuss many algorithms. Depending on the specific aspect that needs to be emphasized, this is done using either a textual description, an algorithm in pseudo-code or a C code program. The idea is to use pseudo-code to emphasize high-level description of algorithms and C code to focus on lower-level implementation details. Despite some drawbacks, the C programming language is well suited for programming cryptanalytic applications. One essential advantage is that it is a relatively low-level programming language that allows one to tightly control the behavior of the code that is executed by the target processor. Of course, assembly language would give an even tighter control. However, it would be much harder to read and would only be usable on a single microprocessor or family of microprocessors. Note that for lack of space, it was not possible to present here C programs for all algorithms that are discussed in this book. Several additional codes are available for downloading on the book’s website. All these codes were developed and tested using the widely available GNU GCC compiler. Note that these codes are not optimally tuned; indeed, fine tuning C code is usually specific to a single compiler version and often hurts the code’s legibility. Where timings are given, they were measured on an Intel Core 2 Duo at 2.4 GHz.

Writing this book was a long and challenging undertaking. It would not have been possible without the help of many people. First, I would like to thank my Ph.D. advisor, Jacques Stern; without his guidance, I would not have taken the path of research and cryptography. I also wish to thank all my colleagues and co-authors for discussing fascinating research problems. It was a great source of inspiration while writing this book. All my students and former students deserve special thanks, especially for forcing me to reconsider previous knowledge again and again. Through sheer coincidence, I happened to be the program chair of Eurocrypt 2009 while writing this book; it was a very nice experience and I am extremely grateful to the wonderful people who accepted to serve on my committee. During the finalization of the manuscript, I attended a seminar on “Symmetric Cryptography” at the “Leibniz-Zentrum für Informatik” in Schloss Dagstuhl, Germany. Attending this seminar and discussing with all the participants was extremely helpful at that time; I would like to give due credit to the organizers and to the wonderful staff at Schloss Dagstuhl. A few of my colleagues helped me during proofreading; thanks to Johannes Buchmann, Pierre-Alain Fouque, Steven Galbraith, Louis Goubin, Reynald Lercier, Michael Quisquater, Michael Schneider and Nicolas Sendrier, this book contains much fewer typos than it would have. Thanks to Michel Abdalla for putting together a large bibliography of cryptography-related articles and for letting me use it. Last but not least, I would like to express all my gratitude to my family for supporting me all these years and for coping with my occasional absentmindedness.

Finally, I wish to acknowledge institutional support from the Délégation Générale pour l’Armement and the University of Versailles and Saint-Quentin-en-Yvelines.

© 2009 by Taylor and Francis Group, LLC


Other documents randomly have
different content
On Christmas night, 1734, the Royal Palace of the Alcazar was on fire,
and the building and all its treasures were utterly destroyed. This disaster
afforded Philip V. the opportunity to display his powers as a master builder.
He had already created the Palace of San Ildefonso at La Granja, he had
rebuilt the palace at Aranjuez, he had tinkered at the Alcazar at Seville.
Now he would create a marble monument that should surpass the
magnitude and magnificence of Philip the Second’s Escorial and outstrip in
splendour the Versailles palace of Louis XIV. Such a work was beyond the
art of the followers of Churriguera: he sent to the Court of Turin for the
Abbé Felipe de Juvara, the Sicilian, and confided to him the scheme of the
palace that he would raise on the heights of San Bernardino. It was to be a
square edifice of the composite order, having four façades, each 1700 feet
long, it was to contain twenty-three courts, approached by thirty-four
entrances from the exterior, and be completed with gardens, churches,
public offices, and a theatre. It was to be a collection of palaces under one
roof, and the colossal model of the building, which is preserved in the
Galeria Topografica of the Madrid Museum, conveys some idea of the
marvel of architecture which the king and his designer had conceived
between them. But the palace on the San Bernardino hill was never begun.
The ruling ambition of the masterful Elizabeth Farnese was to advance the
interests of her children, and she begrudged the expense which the colossal
building would entail. She raised so many difficulties and delayed so long
the adoption of the plans that Juvara died of hope deferred, and Giovanoni
Battista Saccheti came from Turin to carry on the work. The queen by this
time had exhausted Philip’s resistance to her will, and Sacchetti’s less
pretentious design, traced among the still smouldering ruins of the ancient
Alcazar, was adopted on 7th April 1737.
A year later the first stone of the present palace was laid. The
foundation-stone bore a commemorative description and enclosed a leaden
casket, containing gold, silver, and copper coins from the mints of Madrid,
Seville, Mexico, and Peru. The work of ensuring the solidity of the
foundations by moulding them into the western slope of the hill cost an
enormous sum of money, entailed an immense amount of labour, and
occupied a proportionately extensive period of time. In 1808 the palace had
cost 75,000,000 pesetas, and the subsequent alterations, which included the
enclosing of the Campo del Moro with a wall and gilded railing, brought up
the sum total to the enormous sum of over 100,000,000 pesetas. Philip died
in 1746, long before the palace he had projected was near completion. The
work went on through the thirteen years’ reign of Philip VI., and when
Charles III. came to Madrid in 1759 he recognised that unless the rate of
progress was accelerated he would have to occupy the building at the Buen
Retiro for the rest of his life. Under his resolute authority the work was
pushed on with more vigour, and it was ready for his occupation on 1st
December 1764. It had taken over a quarter of a century to build, it had cost
Spain three millions sterling, but it gained the place that Philip V.
anticipated for it among the palaces of the world.
It has been said, and the statement is but slightly exaggerated, that our
own Buckingham Palace looks shabby and insignificant beside this vast pile
of shimmering, white masonry, this truly royal residence, this unique
museum, which contains every variety of art treasures. The architecture
selected is the unpoetical but imposing style of the late Renaissance, and the
regularity of the exterior is redeemed from monotony by Ionic columns,
pilasters, and balconies. The massive building, 500 feet square and 100 feet
in height, forms a huge quadrangle, enclosing a court, while two projecting
wings form the Plaza de Armas. The base of the building, which is
composed of three stories above the ground-floor, is of granite, and the
upper portion is of the beautiful white stone of Colmenar, which gleams
like marble. The lower portion is plain, massive, and severe, and the
appearance of the third story is marred by the square port-holes of the
entresuelos. A wide cornice runs round the top, and above it a stone balustrade,
on the pedestals of which stand rococo vases. In accordance with the first
plans of the palace, the whole of this balustrade was surmounted by statues,
but these were removed on account of their great weight, and are now
scattered all over Madrid.
The principal entrance is in the south façade, but the palace is
approached by five other grand entrances. The east side, which faces on to
the Plaza de Oriente, is called ‘del Principe,’ from the fact that at one time it
was always used by the royal family. On the eastern and southern sides the
height of the edifice is more than doubled by reason of the uneven ground
where it falls away to the river. The northern side faces the Guadarrama
mountains, from which the icy winter blasts have frozen to death many
unfortunate sentries on guard at the Puerta del Diamante. The main southern
entrance leads into a huge patio, some 240 feet square, surrounded by an
open portico, composed of thirty-six arches, surmounted by another row of
arches, forming a gallery with glass windows. In this court are four large
statues of Trajan, Hadrian, Honorius, and Theodosius, the four Roman
emperors who were natives of Spain. The upper vaulting is decorated with
allegorical frescoes, the work of Corrado Giaquinto, representing the
Spanish monarchy offering homage to religion. The famous Grand
Staircase, with its three flights of black and white marble steps,—each step
a single slab of marble—and its celebrated lions, leads out of this court.
Napoleon Bonaparte is reported to have said to his brother Joseph as the
intrusive king made his first ascent of this superb staircase, ‘Vous serez
mieux logé que moi.’ During the same historic tour of the palace the
emperor laid his hand on one of the silver lions in the throne-room, and
remarked to his brother, ‘Je la tiens enfin, cette Espagne si désirée.’
The ground area of the palace is divided into thirty salons, magnificently
furnished and adorned with a profusion of precious marbles and fresco
paintings by Ribera, Gonzalez, Velazquez, Maella, Mengs, Bayeu, and
Lopez. It would be going outside the province of this sketch to describe
each apartment in detail, but special reference must be made to the Hall of
Ambassadors. This magnificent apartment, the largest and richest in the
Palace, occupies the centre of the principal façade, in which it has five
balconies. The whole apartment glows with rich colouring, and scintillates
with a lavish display of precious metals. The rock-crystal chandeliers,
colossal looking-glasses cast at San Ildefonso, the marble tables, the
crimson, and the gilding compose a spectacle of royal magnificence. Here is
the splendid throne of silver, made for the husband of Mary of England, and
mounting guard on either side are the huge lions of the same metal. The
ceiling, painted by Juan Bautista Tiépolo, represents the Spanish Monarchy,
exalted by poetic beings, accompanied by the Virtues, and surrounded by its
dominions in both hemispheres. On a throne, at the sides of which are
Apollo and Minerva, the Monarchy is majestically seated, supported by the
allegorical figures representing the science of Government, Peace and
Justice and Virtue. Another group, on clouds, is formed by Abundance,
Mercy, and other figures. A rainbow crosses the whole ceiling, and between
this and the great circle of clouds, encircled by hovering angels, is the
Monarchy. In the same salon is an allegory in praise of Charles III., which is
formed by Magnanimity and Glory, Affability and Counsel. Faith,
enthroned on clouds, has an altar of fire, and is accompanied by Hope,
Charity, Prudence, Strength, and Victory; and an angel carries a chain with
a medal to reward the Noble Arts. Between the cornice Tiépolo displayed
his masterly hand by delineating the provinces of the Spanish Monarchy.
Roberto Michel executed in the angles four gilded medallions, representing
Water and Spring, Air and Summer, Fire and Autumn, and Earth and
Winter. Over the doors are two ovals, one representing Abundance, and the
other Merit and Virtue. All the walls of this regal hall are covered with
crimson velvet bordered with gold. On the right is the statue of Prudence,
on the left that of Justice, and in the two angles traced by the steps are four
gilded bronze lions. Before the superb mirrors in this apartment are costly
tables, and on these marble busts and other no less beautiful objects, the
whole constituting the most beautiful room in the palace, and one of the
first in Europe.
In these salons is the wonderful collection of French clocks which
amused the unproductive leisure of Ferdinand VII., who spent his time in a
profitless endeavour to make them chime simultaneously. The glorious
pictures, now in the Prado, that once adorned these walls were removed by
Ferdinand VII. to make room for his beloved silk hangings. At his death
vaults and store-rooms were emptied of a forgotten accumulation of fine old
furniture, and much portable treasure was removed from the palace. Much
of this has vanished beyond recovery, but during the redecoration of the
building for the reception of the king’s bride, Alfonso XIII. was successful in
recovering a number of splendid bronzes, clocks, and porcelain vases,
which now adorn the principal apartments.
The Guard Room, occupied by the Royal Halberdiers, is at the head of
the Royal Staircase, and opens into the enormous Hall of Columns. The
columns which support the corner medallions are similar to those on the
staircase, and the ceiling is painted by Conrado Giaquinto. The paving is of
variegated marbles; the only decorations of the apartments are its
medallions, its cornices of trophies, and its four great allegorical figures.
For its impressiveness the room depends solely on its architectural merits
and its simplicity, and forms a striking contrast to the other salons of the
palace with their superb tapestries, upholstered furniture, brocades, and
ornaments. The Banqueting Hall is of magnificent proportions, and the Ball
Room, to the splendour of which all the arts and manufactures appear to
have contributed, is the largest in Europe. The Chinese Room, the Charles
III. Room, hung with blue brocade starred with silver, and the Giardini
Room, which is upholstered in ivory satin, embroidered in gold and
coloured flowers, and roofed with porcelain from the Buen Retiro factory,
are among the many marvels of this marvellous palace.
The Royal Chapel, which was depleted in 1808 by General Belliard, who
carried off the pictures painted for Philip II. by Michael Coxis, is still
splendid in its profusion of rich marbles, gilt, and stucco, and its beautiful
ceiling painted by Giaquinto. Many of the exquisite altar-cloths and
vestments were embroidered by Queen Cristina. Here also is an immensely
valuable collection of fine ecclesiastical objects; and here at Epiphany,
Easter, and Corpus Christi the galleries leading from the royal chapel are
hung with the magnificent and unique tapestries which belong to the crown
of Spain.
The private library of his Majesty is on the ground-floor of the palace. It
was formed by Philip V. about 1714, and has since been increased by the
acquisition of several notable collections, including those of the dean of
Teruel, Counts Mansilla and Gondomar, and Judge Bruna of Seville. The
manuscripts are for the most part from the extinct colleges. The king’s
library, which occupies ten rooms and two passages, is composed of eighty
thousand volumes in magnificent mahogany cases with beautiful glass from
La Granja. Books issued prior to the sixteenth century, beautiful copies on
vellum, very rare editions by Spanish printers, and rich bindings, make this
library one of the most important in Europe. Among the illustrated missals
is a prayer-book said to have belonged to Ferdinand and Isabella or their
daughter, Juana la Loca, whose portrait it contains. The building is adorned
with exquisite ornaments and the arms of Leon and Castile in enamel. The
correspondence of Gondomar, the Spanish ambassador in London during
the reign of James I., is also to be seen here.
The general Archive of the crown of Spain was created in virtue of a
royal decree of Ferdinand VII., dated May 22, 1814. The organisation and
classification of all the documents since the reign of Charles I. until that of
Isabella II. were based on chronology; but Alfonso XII. thought the
classification of subjects more scientific, and the Keeper of the Archives
has, since 1876, had the whole of the documents divided into four large
sections, namely, administrative, juridical, historical, and according to their
sources. This Archive also has a reference library composed of seven
hundred volumes. At present the Archive of the Crown consists of thirty
rooms, containing nearly ten thousand bundles of papers and two thousand
volumes. The administrative documents date from 1479; the juridical ones
from 1598; the historical from 1558; there being also some property deeds
dating from the eleventh century relating to the celebrated monastery of El
Escorial, founded by Philip II., which from the paleographic point of view,
and even from the historical, are of great interest.
The Royal Pharmacy, situated in the part of the palace known as Los
Arcos Nuevos (the New Arches), has an origin which is closely bound up
with the history of national pharmacy. In the beginning of the
pharmaceutical profession, when it became a faculty, the Royal Pharmacy
was the centre of the profession in all its phases. It contains a rich collection
of utensils of all periods, curious examples of pharmaceutical materials
used in olden times, and a well-filled library, consisting of more than two
thousand five hundred volumes.
The stables of the ancient Alcazar were situated in the space now
occupied by the large Armoury Court; those of the present palace were built
in the reign of Charles III., in accordance with the plans and under the
direction of the notable architect, Francisco Sabatini. The plan of the edifice
is an irregular polygon, the longest side of which, at the Cuesta de San
Vicente, is nearly 700 feet in length. The principal façade is in the Calle
Bailen, and is adorned by a simple granite portal, over which are the royal
arms. This door leads to a fine court surrounded by arches, and on the west
side is a small chapel, dedicated to St. Anthony, Abbot.
The principal part of these buildings consists in the large and
magnificent galleries, sustained by double rows of pillars, which constitute
the stables. These consist of a spacious stable for the horses used by royalty.
There is another stable for Spanish horses, another for foreign horses and
mares, and yet another for mules. More than three hundred animals can be
accommodated in the stables. There are at present one hundred saddle-
horses, all of which, with the exception of sixty foreign animals, come from
the royal stud at Aranjuez.
The general harness-room is a large nave, consisting of three halls.
Preserved in many cases are the magnificent sets of harness and saddles, the
liveries of footmen and coachmen, crests, fly-traps, whips and ancient
horse-cloths, bridles, and other curiosities. The Royal Riding School is built
on one of the esplanades facing the Campo del Moro.
In order to form some idea of the size of the edifice, it may be mentioned
that, besides the coach-houses, stables, harness-rooms, etc., there are
apartments for the accommodation of the six hundred and thirty-seven
people and their families who are employed in this department of the
palace.
The Royal Coach-house is situated in the Campo del Moro. Its plan is a
rectangular parallelogram, the longest sides of which are 278 feet in length,
and the shortest 101 feet. This great coach-house was built in the time of
Ferdinand VII., after the design and under the direction of the architect
Custodio Moreno, who gave to the exterior a simple and severe appearance.
In this department are twenty splendid State carriages, which are only used
on special occasions, among them being that of Juana the Mad, restored a
few years since, and one hundred and twenty-one carriages of all kinds and
shapes for daily use.
Kings of three dynasties have made their homes in the Royal Palace of
Madrid since the nineteenth century brought in with it so much havoc and
disruption to Spain. The Bourbons, Joseph Buonaparte, and Amadeo of
Savoy, each ‘abode his hour or two and went his way,’ and in 1873 and
1874 the palace windows looked out upon a city which for the first time
since its foundation was the capital of a republic. Nearly all the culminating
incidents in the stormy history which has been enacted in Spain since the
abdication of Charles IV. occurred in the Royal Palace. From this not too
secure eminence Ferdinand the Desired saw his guards slaughtered by the
frenzied mob. ‘Serve the fools right,’ he exclaimed; ‘at all events I am
inviolable.’ But the king had a fit of terror when he found his palace was
left without guards to protect it from the crowd, and Riego, the man he
hated, was taken into favour, in order that he might appease the populace.
Through the terrible night of 7th October 1841, when Generals Concha
and Leon made their determined attempt to kidnap Queen Isabella and her
little sister, the Infanta Maria Luisa, the valiant eighteen halberdiers of the
guard, commanded by Colonel Dalee, held the grand staircase of the palace
against an army of revolutionists until the National Militia arrived to relieve
them. Truly that night the halberdiers wrote a magnificent page of fidelity in
the records of the guards.
After a hopeless struggle to reduce Spanish affairs into something like
order, Amadeo of Savoy issued from the Royal Palace his valedictory
address to his people, and on the following day, 12th February 1873, he left
Madrid, as he had entered it, a chevalier sans peur et sans reproche. In the
same palace Alfonso XIII. was born and baptized, from the palace he set out
to the church of San Jeronimo to be married to Victoria Eugénie of
Battenberg, and here was born and baptized the Prince of the Asturias, the
heir to the throne of Spain.
Plate 1. ESCORIAL. VIEW OF THE PALACE
Plate 2. ESCORIAL. VIEW OF THE PALACE
Plate 3. ESCORIAL. VIEW OF THE PALACE (EAST SIDE)
Plate 4. ESCORIAL. NORTH-WEST ANGLE OF THE PALACE
Plate 5. ESCORIAL. PRINCIPAL FAÇADE AND ANGLE OF THE PALACE
Plate 6. ESCORIAL. VIEW OF THE PRINCIPAL STAIRCASE OF THE PALACE
Plate 7. ESCORIAL. HALL OF AMBASSADORS
Plate 8. ESCORIAL. RECEPTION HALL
Plate 9. ESCORIAL. VIEW OF THE DINING HALL
Plate 10. ESCORIAL. POMPEIAN HALL
Plate 11. ESCORIAL. LIBRARY
Plate 12. ESCORIAL. CHAPTER ROOM
Plate 13. ESCORIAL. “THE HOLY FAMILY,” BY RAPHAEL
Plate 14. ESCORIAL. “THE LAST SUPPER,” BY TITIAN
Plate 15. ESCORIAL. “A SMOKER,” BY TENIERS
Plate 16. ESCORIAL. “COUNTRY DANCE,” BY GOYA