[1]

Beker, H., and F. Piper, *Cipher Systems: The Protection of Communications*, Wiley, New York, 1982.

[2]

Bovey, J. D., An approximate probability distribution for the order of elements of the symmetric group, *Bulletin of the London Mathematical Society*, **12** (1980), 41–46.

[3]

Bovey, J., and A. Williamson, The probability of generating the symmetric group, *Bulletin of the London Mathematical Society*, **10** (1978), 91–96.

[4]

Brent, R. P., Analysis of some new cycle-finding and factorization algorithms, Technical Report, Department of Computer Science, Australian National University (1979).

[5]

Carmichael, R. D., *Introduction to the Theory of Groups of Finite Order*, Dover, New York, 1956.

[6]

Chandra, A. K., Efficient compilation of linear recursive programs, Technical Report STAN-CS-72-282, Computer Science Department, Stanford University (April 1972).

[7]

Chor, B.-Z., *Two Issues in Public-Key Cryptography: RSA Bit Security and a New Knapsack Type Cryptosystem*, MIT Press, Cambridge, MA, 1985.

[8]

Coppersmith, D., and E. Grossman, Generators for certain alternating groups with applications to cryptology, *Siam Journal on Applied Mathematics*, **29** (1975), 624–627.

[9]

Davies, D. W., Some regular properties of the DES, in [55] A. T. Sherman, eds., *Advances in Cryptology: Proceedings of Crypto* 82, Plenum, New York, 1983., 89–96.

[10]

Davies, D. W., and G. I. P. Parkin, The average size of the key stream in output feedback encipherment, in [59] Beth, T., ed., *Cryptography, Proceedings of the Workshop on Cryptography, Burg Feuerstein*, *Germany, March 29–April* 2,1982, Springer-Verlag, Berlin, 263–279.

[11]

Davies, D. W., and G. I. P. Parkin, The average size of the key stream in output feedback mode, in [55] A. T. Sherman, eds., *Advances in Cryptology: Proceedings of Crypto* 82, Plenum, New York, 1983., 97–98.

[12]

Davies, D. W., and W. L. Price, *Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer*, Wiley, Chichester, 1984.

[13]

Davio, M. Y. Desmedt, J. Goubert, F. Hoornaert, and J.-J. Quisquater, Efficient hardware and software implementations for the DES, in [56] Blakley, G. R., and D. Chaum, eds., *Advances in Cryptology: Proceedings of Crypto* 84, Springer-Verlag, New York, 1985, 144–146.

[14]

Diffie, W. and M. E. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard,

*Computer*,

**10** (1977), 74–84.

PubMed[15]

Diffie, W., and M. E. Hellman, Privacy and authentication: an introduction to cryptography, *Proceedings of the IEEE*, **67** (1979), 397–427.

[16]

Dixon, J. D., The probability of generating the symmetric group, *Math Zentrum*, **110** (1969), 199–205.

[17]

Feldman, F., A new spectral test for nonrandomness and the DES, *IEEE Transactions on Software Engineering*, to appear.

[18]

Feller, W., *An Introduction to Probability Theory and Its Applications*, vol. I, Wiley, New York, 1968.

[19]

Gaines, H. F., *Cryptanalysis: A Study of Ciphers and Their Solution*, Dover, New York, 1956.

[20]

Gait, J., A new nonlinear pseudorandom number generator, *IEEE Transactions on Software Engineering*, **3** (1977), 359–363.

[21]

Goldreich, O., DES-like functions can generate the alternating group, *IEEE Transactions on Information Theory*, **29**(1983), 863–865.

[22]

Good, I. J., *The Estimation of Probabilities: An Essay on Modern Bayesian Methods*, MIT Press, Cambridge, MA, 1965.

[23]

Harris, B., Probability distributions related to random mappings, *Annals of Mathematical Statistics*, **31**(1959), 1045–1062.

[24]

Hellman, M. E., R. Merkle, R. Schroeppel, L. Washington, W. Diffie, S. Pohlig, and P. Schweitzer, Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard, Technical Report SEL 76-042, Information Systems Laboratory, Stanford University (November 1976).

[25]

Hellman, M. E., A cryptanalytic time-memory tradeoff, *IEEE Transactions on Information Theory*, **26** (1980), 401–406.

[26]

Hellman, M. E., and J. M. Reyneri, Distribution of drainage in the DES, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., *Advances in Cryptology: Proceedings of Crypto* 82, Plenum, New York, 1983., 129–131.

[27]

Hinsdale, J. K., Implementing the Sedgewick-Szymanski cycle detection algorithm, B.Sc. thesis, Department of EECS, MIT (February 1985).

[28]

Jueneman, R. R., Analysis of certain aspects of output-feedback mode, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., *Advances in Cryptology: Proceedings of Crypto* 82, Plenum, New York, 1983., 99–127.

[29]

Kaliski, B. S. Jr., Design and reliability of custom hardware for DES cycling experiments, M.Sc. thesis, Department of EECS, MIT (January 1987).

[30]

Kaliski, B. S. Jr., R. L. Rivest, and A. T. Sherman, Is the Data Encryption Standard a group?, in [60] Pichler, F., ed., *Advances in Cryptology: Proceedings of Eurocrypt* 85, Springer-Verlag, Berlin, 1986., 81–95.

[31]

Kaliski, B. S., R. L. Rivest, and A. T. Sherman, Is the Data Encryption Standard a pure cipher? (Results of more cycling experiments on DES), in [57] Williams, H. C., ed., *Advances in Cryptology: Proceedings of Crypto* 85, Springer-Verlag, New York, 1986., 212–226.

[32]

Knuth, D. E., *The Art of Computer Programming*, vol. II: *Seminumerical algorithms*, Addison-Wesley, Reading, MA, 1981.

[33]

Knuth, D. E., *The Art of Computer Programming*, vol. III: *Sorting and searching*, Addison-Wesley, Reading, MA, 1973.

[34]

Kolata, G., Codes go public, *Boston Globe* (September 30,1985), **44**.

[35]

Lenstra, H. W. Jr., Factoring integers with elliptic curves, *Annals of Mathematics*, to appear.

[36]

Longo, G., ed., *Secure Digital Communications*, Springer-Verlag, Vienna, 1983.

[37]

Merkle, R. C., and M. E. Hellman, On the security of multiple encryption, *Communications of the Association for Computing Machinery*, **24** (July 1981), 465–467.

[38]

Meyer, C. H., and S. M. Matyas, *Cryptology: A New Dimension in Computer Data Security*, Wiley, New York, 1982.

[39]

Moore, J. H., and G. J. Simmons, Cycle structure of the DES with weak and semi-weak keys, in [58] Odlyzko, A., ed., *Advances in Cryptology: Proceedings of Crypto* 86, Springer-Verlag, New York, 1987., 3–32.

[40]

Osteyee, D. B., and I. J. Good, *Information, Weight of Evidence, the Singularity Between Probability Measures and Signal Detection*, Springer-Verlag, Berlin, 1974.

[41]

Pollard, J. M., A Monte Carlo method for factorization, *Bit*, **15** (1975), 331–334.

[42]

Pomerance, C., Analysis and comparison of some integer factoring algorithms, in *Computational Methods in Number Theory*, H. W. Lenstra Jr., and R. Tijdeman, eds., Math. Centrum Tract 154, Amsterdam, 1982, 89–139.

[43]

Purdom, P. W., Jr., and C. A. Brown, *The Analysis of Algorithms*, Holt, Rinehart, and Winston, New York, 1985.

[44]

Purdom, P. W., and J. H. Williams, Cycle length in a random function, *Transactions of the American Mathematical Society*, **133** (1968), 547–551.

[45]

Rivest, R., A. Shamir, and L. Adleman, On digital signatures and public-key cryptosystems, *Communications of the Association of Computing Machinery*, **21** (1978), 120–126.

[46]

Rotman, J. J., *The Theory of Groups: An Introduction*, Allyn and Bacon, Boston, 1978.

[47]

Sattler, J., and C. P. Schnorr, Generating random walks in groups, unpublished manuscript (October 1983).

[48]

Shannon, C. E., Communication theory of secrecy systems, *Bell System Technical Journal*, **28** (1949), 656–715.

[49]

Sedgewick, R. T. G. Szymanski, and A. C. Yao, The complexity of finding cycles in periodic functions, *Siam Journal on Computing*, **11** (1982), 376–390.

[50]

Shepp, L. A., and S. P. Lloyd, Ordered cycle lengths in a random permutation, *Transactions of the American Mathematical Society*, **121** (1966), 340–357.

[51]

Sherman, A. T., Cryptology and VLSI (a two-part dissertation): I. Detecting and exploiting algebraic weaknesses in cryptosystems. **II.** Algorithms for placing modules on a custom VLSI chip, Technical Report TR-381, MIT Laboratory for Computer Science (October 1986).

[52]

Tuchman, W. L., talk presented at the National Computer Conference (June 1978).

[53]

Wielandt, H., *Finite Permutation Groups*, Academic Press, New York 1964.

[54]

*Data Ciphering Processors Am*, 9518, Am9568, AmZ8068 *Technical Manual*, Advanced Micro Device Inc., Sunnyvale, CA (1984).

[55]

Chaum, D., R. L. Rivest, and A. T. Sherman, eds., *Advances in Cryptology: Proceedings of Crypto* 82, Plenum, New York, 1983.

[56]

Blakley, G. R., and D. Chaum, eds., *Advances in Cryptology: Proceedings of Crypto* 84, Springer-Verlag, New York, 1985.

[57]

Williams, H. C., ed., *Advances in Cryptology: Proceedings of Crypto* 85, Springer-Verlag, New York, 1986.

[58]

Odlyzko, A., ed., *Advances in Cryptology: Proceedings of Crypto* 86, Springer-Verlag, New York, 1987.

[59]

Beth, T., ed., *Cryptography, Proceedings of the Workshop on Cryptography, Burg Feuerstein*, *Germany, March 29–April* 2,1982, Springer-Verlag, Berlin, 1983.

[60]

Pichler, F., ed., *Advances in Cryptology: Proceedings of Eurocrypt* 85, Springer-Verlag, Berlin, 1986.

[61]

*Data Encryption Standard*, Federal Information Processing Standards Publications 46, National Bureau of Standards, U.S. Department of Commerce, Washington, DC (January 15, 1977).

[62]

*DES Modes of Operation*, Federal Information Processing Standards Publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington, DC (December 1980).

[63]

*IBM Personal Computer Technical Reference*, Bocaraton, FL (July 1982).

[64]

Unclassified summary: involvement of NSA in the development of the Data Encryption Standard, Staff Report of the Senate Select Committee on Intelligence, United States Senate (April 1978).