Note: Descriptions are shown in the official language in which they were submitted.
CA 02458819 2004-02-24
A >E~EY AGREEIv~ENT PROTOCOL BASED ON'~ETWORK D'YNaM)<CS
BACKGROUND OF TIE IMVENTION
1. Field of the invention
The present invention relates to cryptographic systems. More particularly, the
invention
generates, by public discussion, a cryptographic key that is unconditionally
secure. Prior to this
invention, cryptographic keys generated by public discussion, such as Diffie-
Hellman, satisfied the
weak condition of computational security but were not unconditionally secure.
IO
2. Discussion of the Related Art
An Achilles Heel of classical cryptographic systems is that secret
commux<ication c an o nly
take place after a key is communicated in secret over a fatally secure
communication channel.
Lomonaco [5,6] describes the matter as the "Catch 22" of ery~ptography, as
follows:
"Catch 22. Before Alice and Bob ca~~ communicate in secret. they must first
cortununicate in
secret."
Lomooaco goes on to describe further difficulties involvin' the public lcey
cryptographic
systems that are currently in use. For a discussion on several other
disadvantages of tloe Public Trey
Infrastnich~re (PKI) see U.S. General Accounting Office Report [8) and
Schneier [13].
Let x be a con~.mon key that has been created for Alice and Bob. That is, x is
a binary vector
of length rc. Then x can be used as a one-time pad as follows. Let m be a
message that Alice wishes
to trmsmit to Bob; m is some binary vector also of length t:. Alice encodes u:
as m ~ x where
denotes bitlvise addition, i.e., etclusive OR. Thus rrr ~ x, not fn, i s
broadcast over the public
channel. Bob then decodes in exactly the same way. Thus Bab decodes the
message (m ~ x) ~ x,
which is m, because of th.e properties of birwise addition.
3b
Al.ternati~~eiy, the key x can be used in a standard symmetric lcey
cryptosystem such as that of
Rijndael [12) or Data Bnciyption Standard (DES) [13]. The idea now is to
encode rrr as fr(rtz) where
fx denotes the Rijndael permutation with the parameter x. Then, to get the
message, Bob decodes by
I
CA 02458819 2004-02-24
gx[fxfm)1= m where gx is the inverse of fx
To date, practical protocols for constructing such a common key x use for
their security
unpraven mathematical assumptions concerning the complexity of various
mathematical problems
such as the factoring problem, the discrete Iog problem, and the Diffie-
ldellma.n problem. Another
serious difficulty coneeming present systems involves the very long keys that
are needed for even
minimal security. In his monograph R. A. Mollin [17] points out that for
elliptic curves cryptography
an absolute winimum of 300 bits should be used for even the most modest
security requirements and
500 bits for more sensitive communication. Further, key lengths of 2048 bits
are recommended for
RSA in the same reference.
In [19] chapter 5, Julian Brown gives an example of a financial encryption
system depending
on RSA keys of 512-bit, namely the CREST system ixztroduced in 1997 by the
Hank of England. H'e
quotes the noted cryptographer A. Lenstra concerning such codes as follows:
"Keys of 512 bits might
even be within the reach of cyphcrpunks. In principle they could crack such
numbers overnight".
Randomness in Arrival Times of Network Communications
Computer nerivorlcs are ~~ery compJ.ex systems formed by the superposition oI
several protocol
layers [14]. Fib ire 1 shows the layers in a typical network. The following
analysis of how the layers
work together serves to explain the randomness in netv~~orlcs.
The lowest layer cormects two computers, i.e., creates a channel between them,
by some
physical means and is called the Physical Layer.
The second layer removes random physical errors (called "noise") .from the
channel. to create
m error-free communications path from one point to another. This layer. i.e.,
the Data Lirzh Layer, is
primatZly responsible for dealing with irar~mission errors eeneratEd as
electrical impulses
(representing bits) as sent over a physical connection. Error detectir~n
techniques [I5) are used to
identify the transmission errors in many protocols. Once an error is detected
the protocol requests a
resend. Random errors in the Data Link Layer can be observed by noting timing
delays.
2
CA 02458819 2004-02-24
The Medium Access Layer deals with allocating and scheduling all
communi.catian.s over a
single channel. Tn a networked environtnent, including the Internet, many
computers communicate
over a single channel. Bursts in packet traffic is a well-known characteristic
and is due to the
uncontrollable behavior of many individual computers communicating over a
single channel [16]
leading to random fluctuations in transmission times.
The Network Layer deals with routing information to create a true or virtual
connection
between two computers. The routing is dependent on the variety of routing
algorithms and the load
placed on each muter. These two factors makes the transmission times fluctuate
randomly.
is
The Transport Layer interfaces with the final Application Layer to provide an
end-to-end,
reliable, connection-oriented byte stream from sender to receiver. To da so,
the Transport Layer
provides connection establislunent and connection management. The times
associated with Transport
Layer activities depend on all devices in the network and the algorithms being
used. Thus,
fluetuatiom in transmission times in the Transport Layer also occur,
contributing to timing delays.
However, izot only the network influences timing fluctuations. The
transmitting and receiving
computers have internal delays resulting from servicing network packets. Thus,
even the act of
observing the. timings will also introduce random iluctua.tions. (fee appendix
B for an analysis of the
2a effects of perturbations on arrival timing).
Another approach to obtaining independently generated but correlated raw
random keys is to
employ a commonly known to the communicati~.~g parties probabilistic array and
agreed upon
generation procedure.
SUM:'vlARY OF TFIk. .T~,'VENT10N
The present invention provides an ef~eient, practical system and method for a
key ayement
protocol based on network dynamics or a probabilistic generation method that
ha.s the strongest
possible security, namely, unconditional security, and that does not require
airy additional hardware.
Previotu work in this area is either theoretical [11] or practically
infeasible due the requirement for
additional channels based on expensive and complicated hardware such as
satellites, radio transmitter
3
CA 02458819 2004-02-24
arrays and accompanying additional computer hardware to communicate ~svith
these devices f 7]. All
previous cryptographic keys only satisfy the weaker criterion of computational
security.
Tn one embodiment, the present invention introduces relative time sequences
based vn round-
trip timings of packets between vvo communicating patties. These packets form
the basic building
blocks for creating an efficient and unconditionally secure key agreement
protocol that can be used as
a replacement for current symmetric and asymunetric key cr~~Ptosystems. In
another embodiment, the
present invention introduces correlated raw randomly generated keys that have
been independently
generated by two communicating parties based on a probabilistic array (or
vector). The present
invention is an unconditionally secure cryptographic system and method based
on ideas that can be
used in the domain of quantum encryption [l, 5 and 20 Chapter 6]. Moreover,
the present invention
for the first time provides a cryptographic protocol that exploits fundamental
results (and their
interconnectedness) in the Cteids of information theory, error-correction
codes, block desiy and
classical statistics. The system and metliod of the present invention is
computationally faster, simpler
1 ~ arid more secure tha~r existing cryptosystems. In additioy due to the
unconditional security pro~rided
by the present invc-ntion, the system and method of the present invention are
in~-ulnerable to all
attacks from super-computers and even qumtum computers. This is in sharp
contrast to all previous
protocols.
The present invention provides a protocol that uses either two characteristics
of network
transit time: namel;r, its raz~dornness, and the fact that, despite this, the
average timing measured by
two canvnunicating parties will converge over a Iarge number of repetitions or
a probabilistic aiTay
and adjusting raw Icey generation method. Tl:e r esult i s t hat t wo c
orrelated r andom v ariables a re
obtained, one by measuring the relative time a packet takes to complete a
round trip with respect to a
first party, Alice or A, and a round trip with respect to a second party, Bob
or B, and the other by
starting with a known probabilistic array and applying an agreed upon
adjusting procedure to arrive at
a correlated generated raw random key.
rn. a first preferred embodiment, A and B engage in rallynng packets back and
forth and
calculate round-trip times individually. the packets may be used .for any
additional purpose since the
contents of the packets are irrelevant. Only the round-trip times are of
interest. Figure 2 shows one
ro~.md of a relative x ound-trip t ime g enerator o f t he p resent i
nvention. F figure 2 d iagrammatically
4
CA 02458819 2004-02-24
describes the pzocess.
In a second preferred embodiment, A and B employ a pre-determined string P to
independently generate raw random keys. Appendix C describes the process.
PHASE 1-Alice and Bob employ the system and method of the present invention to
construct
a raw random key.
For example, Alice and Bob exchange packets over a network, record round-trig
lU times, .and each form a bit string by concatenating a pre-arranged number
of low order bits of
successive packet round-trip times. O~.~ce sufficient bits are concatenated,
the process is
stropped and both Alice and Bob apply a pre-determined permutation to their
respective
concatenated bit strings to fonn permuted remnant raw keys K,, and ICB,
respectively of equal
length.
Or, in another example, Alice and Bob employ a pre-deternlined probabilistic
string P
to independently generate correlated random raw strings li,~ and K~ usi.nb a
process such as
the one described in Appendix C.
''U PHASE 2- Alice and Bob employ these remnal~t raw hevs to create a
reconciled key~
Alice and Bob systematically partition their respective permuted remnant raw
keys, li,,
and rB, i nto s ub-blocks, a ompute, a xchange a nd a ornpare p arities f or a
ach s ub-block, and,
discarding the low order bit of the sub-block, re-concatenate the modified sub-
blocks in their
2 ~ original order. In the case of blocks with misma~ched parities the
partition process is iterated
until mismatched bits are located and deleted.
PHASE 3 - A lice and Bob create an unconditionally secure pad or key fxom
their common
reconciled key:
privacy amplif carton to eliminate any partial information that an
eavesdropper, Lve,
might have is applied by both Alice and Bob using a pre-determined pxopiietary
hash function
[4] to produce a final unconditionally secure key of a pre-determined length
from th.e
5
CA 02458819 2004-02-24
reconciled key.
BRIEF DESCRIrPTION OF TIDE DRAffINGS
S FIG. 1 illustrates a tyical mufti-layer computer network protocol.
F'IG. 2 illustrates one rallying round between tvvo communicating parties for
genezating a
pezmuted remnant bit string by each party.
FIG. 3 illustrates mean arrival tizz~e as a function of channel noise noise
parameter).
FIG. 4 illustrates adjusting bits using the present invention to increase the
correlation between
the raw keys of the communicating parties while decreasing the correlation
between the raw keys of
the corximunicating parties and an possible eavesdropper.
DETAILED D)>SCRIPTION OF 1'H;E INVENTION
In a preferred embodiment, the key agreement scheme of the present invention
comprises
three phases. The first phase is construction of a permuted remnant bit
stri.ug. Two m ethods ~ re
presented.
?0 The first metkrod is based on physical characteristics of tine network,
wherein, for example and
not limitation, the two communicatino- parties, Alice and Bob, rally packets
back and forth recording
round-trip times.
Tre second method is probabilistic, wherein, for example and not limitation,
the two
communicating parties, Alice and Bob, both know a probabilistic string P of
real numbers and
generate keys based on this string, see Appendix C.
Same of the bits may still be different after the initial bit string
construction so Alice and Bob
then participate in a second phase called Information Re;.onciliation. The
second phase results in
Alice aaad Bob holding etactly the same key. However, ):ve may have partial
kn.owl.edge of the
reconciled strings, in the form of Shannon bits. Therefore, a third and Fnal
phase called Privacy
Amplification is perforrx~.ed to elin~.inate any partial information collected
by EL~e.
1?HASE I - Alice and Bob rally packets back and faith to generate a bit string
from truncated
6
CA 02458819 2004-02-24
round-trip timings. This suing is then systematically permuted. The procedure
is as follows:
(ij Alice sends Bob a network packet and logs the time t~,a
(ii) Bob records the time of reception as tao and responds immediately to
Alice with
another network packet.
(iii) Alice records the time of reception as tAl, and responds immediately
with a networJc
packet.
(iv) Bob records the time of reception as t$~ and responds immediately to
Alice with
another network packet.
(v) Alice and Bob respectively calculate
At,, - t,~ ~ - t,~ o
and
.QtB ~ tee - too
Depending on the quality of the network connection, only some bits of fit,,
and ~tB are kept.
The higher order bits are dropped. Typical expeumental data and criteria for
the truncation
can be found in [18].
By taking a suitable probability distribution it can be shown that the average
of b.t,~ equals the
average of dta.
(vi) Repeat steps {i) throw. (v) in order to create enou~T bits that are then
concatenated as
a string of bits of a pre-detennined length.
{i)-(vi) Altez'natively, Alice and Bob each know a random probabilistic array
P. They
independently proceed as described in Appendix C to generate correlated raw
random
keys K,, and K~.
PHASE Il. - Once Buff cient bits are created, the process is stopped. Alice
arid Bob
must now use the relative time series to create ar~ unconditionally secure pad
or key. One
3~) skilled in the art can deduce, from a study of various papers in the list
of references that there
are many ways to proceed. The present in~~ention uses an approach which, very
loosely
speaking, is initially related to that of Bennett ct al.[1). However in [3, 4
and 10J, several
changes and improvements have. been indicated. These changes, based on
fundamental
r
CA 02458819 2004-02-24
results in algebraic coding theory, information theory, block design and
classical statistics
together achieve the following results:
(a) an a-priori bound on key-lengths;
(b) a method fox estimating the initial and subsequent bit correlations and
key-lengths;
(c) a precise procedure on how to proceed optimally at each stage;
(d) a foxmal proof that KA converges to K~;
(e) a stopping rule;
(f) a verification procedure for equality; and
(g) a new systematic hash function for Privacy Amplification.
After PHASE I, Alice and Bob have their respective binary arrays K,, and Kg
and both
perforn~. the following steps of PHASE TI:
(vii) Shuttle and partition. Alice a«d Bob apply a permutation to K,; and X~ .
They then
1 S partition the remnant raw keys into sub-blocks of length 1= 4.
(viii) Parity exchange and bisective search with 1= 4: Parities are computed
and exchanged
for each sub-block of length 4 by Alice and Bob. Simultaneously they discard
the bottom bit
of each sub-block so that no new infonnation is revealed to Ew. If the
parities agree Alice
aid B ob r etain t he t hree top bits of each sub-block. If the parities
disagree Alice and Bob
'20 perform. a bisective search discarding the bottom element in each sub-
block exactly as
described in [1] and [5] (see also [4]). The procedure in steps (vii) and
(viii) is denoted by
XAP4 .
(ix) Estimate Correlation From the length of the new key, we can calculate the
expected
initial bit correlation xo bet~u,~een K,, and h'B [4J. Using xo eve can
calculate the present
25 expected correlation x = cpa( xo ).
(x) Shuffle. parity exchan~g, bisective search with the optimal 1: To the
remnant keys KA,
K~ we apply a permutation f in order to separate adjacent ke~-s. As a non-
restricti~~e example,
one suchJcan be irnplenzcnted by shuffling the bit order from (1.2,3,....,n)
into the order (l ;p
+1,2p+1,...,q,p+1,?,p+2,2p+2,...,qzp+',...,p-1,2p-1,3p-1.,...,qp.tp+p-l,p,
30 2 p, 3 p, 9~P +P!, whexe q; _ (n - i) i p.
Given the present correlation x we choose the optimal value for I = l(x) by
using the tables in
s
CA 02458819 2004-02-24
[4~. Similar to (viii), (ix) for the case 1 = 4, we carry out the procedure
KAP, . From x, or
from the new common length of the remnant keys, we calculate the expected
present
correlation after hA,p! has been applied. We repeat (xi) until the stopping
condition holds-
(xi) Stopping Condition : For key length n and correlation x we have rr(1-x) <
E ,a pre
y determined small positive number. We then proceed to tile verification
procedure, an examl7le
of which is as follows.
(xii) Verification Procedure : Let KA , X~ both be of length rr. Let t be the
smallest integer
for which 2' 5 rt . Construct a binary matrix M= m~~, (1 < i 5 t+1 , 1 <_ j <_
2' ) as follows:
a. The entries m;~, (1 5 i j < t ) are the entries of the t x r identity
matrix fx' .
b. The (t +1 )'~' row of M is the a11-ones vector, that I5 rn'+~,~ = 1 ( 1 _<
j S 2' ).
c. Denote the top t entries in the j'h column by the binary vector v; ( 1 5 j
< 2' ).
Thus, vj = ~mi~ ( 1 5 i S t; . Then we impose the condition that the vectors
vi are all
distinct. Thus, the set ; v~ ; equals the set of all 2' distinct binary
vectors of length t.
d. Denoie the rows of Mby RI, Rz, .. ., R,m . Let x, y denote the remnant keys
li,~,
1 ~ Ifs written as row vectors of length n. Let x, ~ denote the vectors that
result when a
row of zeros of lend h 2'-rr is adjoined, on the right of x, y respectively.
Thus
x = (x,000..0), y = (y,000..0).
e. Our verification criterion is to check that x . R; =y . lZ;, (1 < i S t+1
).
Xf the vErification criterion is not satisfied we renxove the first t+1 bits
from li~, , lip
and repeat steps (x), (xi) and check again if the verification criterion is
satisfied.
Eventually, it will be satisfied.
At this stage Alice and Bob have coraf m~ed that they no~v share the same key.
Once
confirmed, the final remnant raw key as transformed by Phase 2 is modified by
removing the first t-vl bits from KA = KB . Our new key is re-named the
"reconciled
key" and phase 3, privacy amplification is perfornzed.
PHASE TlI- At this stage Alice and Bob now have a common reconciled hey. In
certain cases
it is possible that the key is only partially secret to eavesdropper, Eve, in
the sense that Eve may hare
some information on the reconciled key in the form of Shannon nits. Alice and
Bob now begin the
process of PrivacyrlmplijicQtion that is the extraction of a final secret key
from a partially secret one
(see [1] and [2]). A well-known result of Bennett, Brassard and Robert (see
[I8]) shows that Eve's
average informarion about the final secret key is less than 2-iilr~ 2 Shannon
bits as explained below
9
CA 02458819 2004-02-24
(See also Shannon [9]).
(xiii) Pn- '~ Arnplitication - Let the upper-bound on E4~e's number of Shannon
Bits be k
and let s > 0 be some security parameter that Alice and Bob may adjust as
desired. Alice and
Bob now apply a hash function described in "Method For The Construction Of
dash
Functions Based On Sylvester : atrices, Balanced Incomplete Block Designs And
Error-
Correcting Codes", co-pending Irish Patent Application, (the entire contents
of which is
hereby included by reference as if fully set foz<h herein [3]) tvhich produces
a final secret key
of length ~a - k- s from the reconciled key of length rt.
The system az~.d method of the present invention provide an unconditionally
secure key
agreement scheme based on network dynamics as follows. In P?~IASE I, ?lice and
Bob permute the
bits of what remains of their respective raw keys, which keys incorporate
delay occasioned by
network noise. In PHASE II, the key from PHASE z undergoes the treatment of
Lomonaco [S]. That
i~, in PHASE II Alice and Bob partition the remnant raw key into blocks of
length. L An upper bound
on the length of the final key has been estimated and the sequence of values
of l that geld l:ey lengihs
arbitrarily close to this upper bound has also been estimated [4]. In PHASE
IT, for each of these
blocks. Alice and Bob publicly con spare overall parity checks, making sure
each time to discard the
last b it o f the compared bloclt. Each time an overall parity check does not
agree, Alice and Bob
initiate a binary search for the error, i.e., bisecting the mismatched black
into two sub-blocks,
publicly comparing the parities for each of these sub-blocks, ~rhile
discarding the bottom bit of each
sub-block. They continue their bisective search on the sub-block for which
their parities are not in
a.green~ent. This bisective search continues until the en~oneous bit is
located and deleted. They then
proceed to the next l-block..
PHASE f is then repeated, i.e., a suitable permutation is chosen and applied
to obtainthe
permuted remnant raw key. PFIA,SE II is then repeated, i.e., the remnant raw
key is partitioned into
blocks of length l, parities are compared, etc. Precise expressions for the:
expected bit correlation (see
below] following each step have been obtained in [4~, where it is also shown
shat this c.orTelation
conver3es to 1. Moreover in [4] the expected number of steps to convergence.
as ~.vell as the expected
length of the reconciled key are tabulated.
CA 02458819 2004-02-24
The probability that corresponding bits ayee in the arrays KA , KB is la~o~rn
as the bit
correlation probability or, simply, as the bit correlation. It can be shown
(see [A.]) that each round can
be used to inczease the bit-correlation. For example, if we statrt with a bit-
correlation of 0.7 then after
one round with l = 3 the bit-correlation increases to about 0.77 and then to
0.8?. For l = 2 the
corresponding numbers are 0 .84 a nd 0 .97. E stimates a re a lso a vailable f
or t he k ey 1 engths a fter a
round of the protocol of the present invention, for various values of l [4].
The final secret lcey can now be used fox a one-time pad to c:eate perfect
secrecy or can be
used as a key for a symmetzic key cry~ptosystem such as Rijndael [1?.] or
Triple DES [18].
A simplified version of the algorttlun for the values l = 2 and 3 is described
in. Appendix A.
The system and method of the present invention provides secure transmission
over wireless
and wire media and networks as set forth below;
1 S a. wireless
1. radio transmission
2. radio frequency
3. satellite
4. microwave
5. infrared
G. acoustic
7, elec.tro-magnetic spectrum
8. spread spectrum
9. laser
b. u-ired
1. optical
2. fiber optics
3. electrical
4. Ethernet
5. quantum communication
c. net<vorks
1. intranet
2. Internet
11
CA 02458819 2004-02-24
3. extranet
4. Public Switched Telephone Network
(PSTN)
5. Local Area Network (LAN)
6. Wireless Local Area Network (WLAN)
7, Wireless Fidelity (WLFI]
8. Wireless Local Area Network (~'iLAN]
9. TEEE 802.11, 802.11a, 802.1 lb
I0. Personal Area Net<voxk (PAN)
11. Bluetooth
12. Code Division Multiple Access (CDMA)
13. Global System for Mobile (GSM)
Communication
14. 3'd Generation Mobile Network (3G)
15. Asynchronous Transfer Mode (ATM)
16. Digital Subscriber Line (DSL)
1. 5 I7. Frame Relay
Lt will be understood by those skilled in tire art, that ?he above-described
embodiments are but
examples from which it is possible to deviate without departing from the scope
of the invention as
defined in the appended clainss.
12
CA 02458819 2004-02-24
REFERENCE AND 13ISLIOORA.PkIY
The following references are hereby incorporated by reference as if fully set
forth herein.
S
[l] Charles Bennett, Fran~.ois Besseite, Gilles l3rassard, Louis Salvail, and
John Smolin,
L~'zperi~nental quantum cryptography, EUROl'CRYPT '90 (~~hus, Denmark), 1990,
pp. 253-
265.
[?-] Charles Td. Bernett, Gilles Brassard, and Jean-Mare Robe1-t, Privacy
Amplification by
Public Discursior~, Siam J. of Computing, 17, no.2 ( 1988), pp. 210-229.
[3] Aiden Bruen and David Wehlau, Method for the Construction ofHash Functions
Based on
Sylvester Matrices, Balanced In.eornplete Block Desio s, and Error-Correcting
Codes, Tiish
J'atent Co-pending Trish Patent Application.
[4J Aiden Bruen and David Wehlau, A Note pn Bit-Reronciliation Algoritlarns,
Non-Flepha~~.t
Encryption Systems Technical Note. OI _x~ NE2, 2001.
[S] Samuel J. Lomonaco, A quick glance at guantunr cryptography, Cryptologia
23 (1999),
no. 1, pp. 1-41.
[6] , .! Rosetta Stone for Quantum ,Mechanics Y~itlz An Introduction to
Ouanturn
Compurarion, quart-phI000704~ (2000).
[7] C.Teli 1~I. Maurer, Secret Key Adreetnent By Public Discussion From
COrlant0T1 Information,
IEPE Transactions on Information Theory 39 no.3 (1993), pp. 733-7~2.
[8] United States General Accouniing Office:, Advances and Rrnaair~ir~g
Challenges to
Adoption of Public h,'ey Infrastructure Technology. GAD 01-227 Report,
February 2001,
Report to the Chaimnan, Subcommittee on Government Lfficiency, Fii:ancial
fvlanagement
and 7ntengovernmental Relations, Committee on Government Reform, House of
13
CA 02458819 2004-02-24
Representatives.
[9] Claude E. Shannon, Communication Theory of Secrecy Systems, Bell System
Technical
Journal 2 8( 1949), 556-715.
[10] David Wehlau, Report for Non-Elephant EncryptiorT, Non-Elephant
Encryption
Technical Note 01.08.2001.
[11) A. D. Wyner, The Wire-Tap Channel. Bell System Technical Journal 54
no.8(1975),
1355-1387.
[12] Joan Daemon a.nd Vincent Rijnmeien, T7ie Rijndael Block Cypher, June
199$,
http:llcsrc.nist. aovieneryntion/aeslri jndaellriindael.ndf
I5 [13] B race S chneier, Applied CryPtod aphy, 2 "~ E dition, Jo hn W iley &
S ons, N ew York,
1996, Chapter 12.
[I4] Andrew Tanenbaum, Computer Nehs~orl~s, Prentice Hall, 1996.
[15] Claude E. Shannon, A ~fatherrrntical theory of Communication, Bell System
Technical
Journal27(1948), pp. 379-423 and 623-6~6.
[16] Will E. Leland, Murad S. Taqq, Walter Willinger, and Daniel V. Wilson, On
the SeJ'
Sin:ilar Nature of Ethernet Truff e, Proe. SIGCOItZM (San Francisco, CA;
Deepinder P.
2~ Sidhu, Ed.), 1993, pp. 183-193.
( 17] R. A. Mollin., An Introduction to Cryptography, Chapmzn & Hall!CRC,
2000. Chapter 6.
[18] Douglas R. Stinson, Cryptograplry: Theor~~ and Practice, CRC Press, 1995.
[19] Julian R. Brown, The Quest for the Quantum Computer, 51111011 & Schustrr,
New York,
2001.
I4
CA 02458819 2004-02-24
(20) Xiaomin Bao, Probabilistic Adjusting Raw Key Generation Method, Report
for IJon-
Elephant Encryption, Non-Elephant Encryption Technical Vote 02.nm., July 26,
2002
