PUBLIC LECTURE. WED. 6th. NOVEMBER 1996.
ST. PATRICK'S COLLEGE, DRUMCONDRA, DUBLIN 9.
LECTURE TITLE: PRIME NUMBERS and
PUBLIC-KEY CRYPTOGRAPHY
LECTURER: Dr. JOHN COSGRAVE,
MATHEMATICS DEPARTMENT, ST. PATRICK'S COLLEGE, DRUMCONDRA, DUBLIN 9, IRELAND.

E-mail: J. C. at home
J.C. at St. Patrick's College

___________________________________________

AIM of LECTURE: To explain the fundamental concept of 'public-key cryptography' (a revolutionary development of the past twenty years), and to show how 'prime' numbers have played an integral role in its development.

PLAN of LECTURE:

1. What is 'Cryptography'? A very brief history for the period to 1976 A.D.

2. The fundamental idea of public-key cryptography (Diffie and Hellman, 1976).

3. A brief mathematical interlude ('modular exponentiation').

4. The realization of public-key cryptography (Rivest, Shamir and Adleman, 1977).

5. Fundamental mathematical ideas for public-key.

___________________________________________

1. What is Cryptography? A brief history.

[ Etymology: from the Greek 'kryptos logos', meaning 'hidden word'. So 'cryptography' is 'secret' or 'hidden' writing. ]

I will speak on this (and am not making it part of my text, which I only regard as the 'bones' of my talk) for about five/ten minutes. At the end of this part of my lecture the key terms (no pun intended) will be:

a. plaintext (the ordinary text)

b. encryption key (what someone applies to plaintext to disguise it)

c. ciphertext (the encrypted form of the text)

d. decryption key (what one applies to ciphertext to recover the plaintext)

___________________________________________

2. The fundamental idea of public-key cryptography

(Diffie and Hellman, S tanford University, 1976)

Their fundamental paper:

'New Directions in Cryptography', IEEE Transactions on Information Theory, Vol. IT-22, No. 6, November 1976, 644-654. (IEEE is the Institute of Electronic and Electrical Engineers.)

The opening sentence from their paper read: "We stand today on the brink of a revolution in cryptography."

In this paper they proposed the IDEA (and much, much more as well) of 'public-key' (as opposed to the classical 'private-key') cryptography.

I will talk about this in my lecture.

____________________________________________

3. A brief mathematical interlude ('modular exponentiation')

Question: What remainder does the number 34 'leave' when divided by 13?

That's easy. 34 = 13*2 + 8, and so on division by 13 the number 34 'leaves' remainder 8.

Dividing numbers by 13 is called 'doing modular arithmetic' with 'modulus' 13, and this is how one does it (in MAPLE) with the above example, followed rapidly with some other examples (which I will ask YOU to do in your head before I use MAPLE):

> 35 mod 13;

> 123437652596959161941949 mod 5461385845;

> 100000000000000 mod 100000000;

> 10000000000000000018 mod 100000000000;

>

Another question: What remainder does the number 3 to the power of 5 leave on division by 13?

That's also easy. 3^5 = 243 = 13*18 + 9, and so on division by 13 the number 3 to the power of 5 leaves remainder 9. Dividing numbers by 13 is - as you know - 'doing modular arithmetic' with 'modulus' 13; dividing powers of numbers by 13 is called 'doing modular exponentiation' with modulus 13, and it can of course be done by the MAPLE command which you have already seen:

> 3^5 mod 13;

> 5^3 mod 13;

> 12321^3 mod 873;

>

But how about finding - for example - the remainder that the number 123456789123456781234567 to the power of 987654321987654321987654321 leaves on division by 122333444455555?

Let's try it:

> 123456789123456781234567^987654321987654321987654321 mod 122333444455555;

Error, integer too large in context

>

What does that "Error, object too large" mean?

It means that the number 123456789123456781234567^987654321987654321987654321 is too large for MAPLE to handle. But not only is it too large for MAPLE to handle, it is in fact SO large that even if it were calculated it would require years to write it out even at a rate of billions of digits per second.

But - as you will see later - this (the finding of the remainder) is precisely the sort of calculation that one needs to be able to do in 'public-key' cryptograhy. Number theorists have known for many years how to do this sort of calculation. It is done by a combination of methods: ordinary 'modular' arithmetic, together with what is called the 'square and multiply' method. The details of this would take some time to explain, and so you must allow me to skip gently by them (the details are actually quite simple, and I teach them to my students).

MAPLE has an inbuilt facility for doing 'modular exponentiation', and here I illustrate it with a few examples, starting with the ones with which you are already familiar, and then moving on to the one that led to the "Error, object too large":

> 3&^5 mod 13;

> 5&^3 mod 13;

> 12321&^3 mod 873;

>

And now - much more dramatically - the earlier "Error" one, and onother one:

> 123456789123456781234567&^987654321987654321987654321 mod 122333444455555;

>

Instantly!!!

You see the difference in the 'commands'?

The earlier command was of the form a^b mod m. In that form MAPLE was being asked to FIRST calculate a^b, and THEN calculate the remainder on division by m.

The latter command was of the form a&^b mod m. In that form MAPLE was being asked to use modular arithmetic TOGETHER with the (INCREDIBLY FAST) square-and-multiply method.

One more example:

> 2086822056296502560265&^3548276254987776266 mod 931987294968252720194941649999;

>

Later you will see why we need to be able to do such calculations. ____________________________________________

4. The realization of public-key cryptography by

Rivest, Shamir and Adleman of MIT, 1977.

(MIT = the Massachusetts Institute of Technology)

Their fundamental paper:

'A method for obtaining digital signatures and public-key cryptosystems', Communications of the ACM (Association for Computing Machines), Vol. 21, (1978), 120-126.

Their paper began: "An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences:

(1) Couriers or other secure means ane not needed to transmit keys, ... .

(2) A message can be "signed" using a privately held encryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key.

Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems ... .

___________________________________________

The work of Rivest, Shamir and Adleman first gained widespread public attention when it was brilliantly explained by Martin Garnder in his 'Scientific American' Mathematical Games column in the August 1977 issue. The header for that article read:

"A new kind of cipher that would take millions of years to break"

It was in that article that the famous RSA_129 'challenge number' first made its appearance. I will have things to say about that later ... .

___________________________________________

WHAT IT'S ALL GOING TO BE ABOUT. In a nutshell, what I am going to attempt to explain to you reduces to this: You know what a prime number is (2, 3, 5, 7, 11, 13, ... ). There are an 'infinite' number of them (Euclid), and if I were to choose two SMALL primes and NOT reveal them to you, BUT told you their product, THEN you would have NO difficulty in telling me what the two primes were. Say, for example, I told you their product was 91; then after a moment's reflection you would be able to tell me that the primes I had chosen were 7 and 13.

BUT if I were to choose two 'LARGE' primes and not reveal them to you, and I told you their product, then you (and not only you, but - for example - the US National Security Agency) would find it VIRTUALLY IMPOSSIBLE (in a sense which I will be more explicit about later) to tell me what the two primes were. It is this (current) VIRTUAL IMPOSSIBILITY that Rivest, Shamir and Adleman exploited to create an "unbreakable cryptographic protocol" (there are reservations which I will explain later in the lecture).

So, keep your eye open for the PRODUCT of TWO prime numbers in what follows ... .

_______________________________

Here I will throw you in at the deep end, and then embark on a mathematical journey at the end of which I hope you will 'know'.

" We shall not cease from exploration

And the end of all our exploring

Will be to arrive where we started

And know the place for the first time. "

(T.S. Eliot)

________________________________

The first thing I do (and this is elementary) is to give instructions for converting plaintext into numerical form, according to the associations: a with 1, b with 2, ... , z with 26, A with 27, B with 28, ... , Z with 52, ` (the 'backward quote' sign) with 53, 1 with 54, 2 with 55, ... , 9 with 62, 0 with 63, - (the minus sign) with 64, ... , ( - the left round bracket - with 75, ... , a 'space' with 79, ... , and so on.

[ These instructions were communicated to me - via the Internet - by Joe Riel, an engineer working in California. I sent out an enquiry via the 'Maple Users Group' asking for help with this, and within hours I had several helpful responses, the best of which was Joe Riel's. ]

The following is simply to instruct MAPLE as to which letters (small and large case), numerals, punctuation marks, etc. I wish to use:

> `crypt/alphabet` :=

> `abcdefghijklmnopqrstuvwxyz`

> .`ABCDEFGHIJKLMNOPQRSTUVWXYZ`

> .```1234567890-=~!@#$£%^&*()_+`

> .` ,./<>?;':"[]{}|`:

>

The following sets up the association between the terms of the 'crypt/alphabet'

and the numbers 1 to 95.

> ### WARNING: semantics of type `string` have changed
to_number := proc(st, string) local ll, nn, ss, ii;

> global `crypt/alphabet`; ll := length(st);

> if ll = 0 then RETURN(0) fi; nn := 1;

> for ii to ll do ss := SearchText(substring(st, ii .. ii),

> `crypt/alphabet`);

> if not type(ss, numeric) or ss = 0 then

> ERROR(`the letter `.(substring(st, ii .. ii))

> .` is not in the alphabet`)

> fi; nn := 100*nn + ss od;

> nn - 10^(2*ll) end:

>

Some examples:

> to_number(`Welcome to St. Patrick's College`);

>

And a much longer one:

[Added afterwards for people to whom I send this worksheet: This next one may lead to an 'Error' message ('strings') for you, and you may need to change it. I just wanted to write a message with a great variety of signs in it.]

> to_number(`There are - at the moment - US$1.60 to IR£1 (the Irish 'punt'). In one of George Orwell's letters (in the 4-volume Penguin edition) you may read that at one time the rate was US$5 to St£1. Do you remember the term 'half a dollar'? It was two shillings and sixpence!!`);

>

The '6767' at the end of the output represents '!!', the double exclamation mark.

And now some instructions to recover a text from its numerical form:

> from_number := proc(nn, integer)
local ss, mm, ll, pp, ii, ans;
global `crypt/alphabet`; mm := nn;
ll := floor(1/2*trunc(evalf(log10(mm))))+1;
ans := ``; for ii to ll do mm := mm/100;
pp := 100*frac(mm);
if pp > length(`crypt/alphabet`) then
ERROR
#(`there is no letter in the alphabet corresponding `
#.`to the number `.(convert(pp, string))) fi;
(`there is NO meaningful text corresponding to the number you have inputted`)
fi;
ss := substring(`crypt/alphabet`, pp..pp);
ans := cat(ss, ans); mm := trunc(mm)
od;
ans
end:

>

Some examples:

> from_number(950102030495);

>

And now I take the number you have just seen, and adjoin an

extra 96 at the end:

> from_number(95010203049596);

Error, (in from_number) there is NO meaningful text corresponding to the number you have inputted

>

> from_number(30050118803615081481805115211880120503202118058023011980191580828282);

>

So much for just taking a text and recasting it in numerical form according to the above associations. Now to get down to the real business of sending public-key encrypted messages, and their decryption:

A Cookbook for public-key encryption and decryption.

I am going to show you how SOMEONE can send ME a message that THEY encrypt by the 'RSA cryptographic protocol' (as it is called, after its creators, Rivest, Shamir and Adleman), and which THEY do NOT ANYONE TO UNDERSTAND BUT ME, and show you what I then do to decrypt THEIR message.

It is to be understood that the above numerical associations are already agreed upon.

BEFORE anyone can send me an RSA-encrypted message they have to know what is called my 'public-key'. My public key is a pair of numbers (n, e). The 'n' is what is called my 'public modulus', and the 'e' is my 'public encryption power'. These are formed as follows:

The first step is to choose a (reasonably big - more on how big later) random prime number:

> p:=nextprime(56782894997592526946596965999565948474734464644);

>

and then similarly choose another prime number:

> q:=nextprime(75296587628568265828284485625547494384373773574447);

>

THOSE 2 PRIME NUMBERS ARE KEPT SECRET.

And then I multiply those two prime numbers together:

> n:=p*q;

>

That number 'n' is my PUBLIC MODULUS ('public' in the sense that I do NOT care who knows its value). Next I form my a certain number 'e', my 'public encryption power'. That is formed as follows: First I form a VERY SPECIAL number called 'phi_n' which, like p and q above, is ALSO KEPT SECRET:

> phi_n:=(p - 1)*(q - 1);

>

Having formed phi_n I then form my 'public encryption exponent' 'e'. That is specially chosen so that there is NO whole number larger than 1 which is a factor of BOTH e AND phi_n. [ And so - for example - IF p and q had been 19 and 23, then one would NOT choose e to be 15 because 3 is a factor of BOTH 15 AND (19 - 1)*(23 - 1). Whereas IF e had been chosen to be 7 (say), then it would be alright. ]

In practice I choose e to be a large randomly chosen prime:

> e:=nextprime(75859825925924926296969);

>

I have to be CERTAIN that there is NO whole number larger than 1 which is a factor of BOTH e and phi_n. That involves some standard mathematics (called the 'Euclidean algorithm') - the details of which need not concern you - and is checked by:

> igcd(e, phi_n); # 'igcd' stands for 'integer greatest common divisor'

>

The MEANING of that '1' is that the ONLY factor of BOTH e and phi_n is 1, and so

here I am safe.

[ Aside: here two examples for you to see, with smaller whole numbers involved: ]

> igcd(15, 22);

> igcd(15, 21);

>

Having chosen my PUBLIC encryption exponent e, I then proceed to calculate my 'PRIVATE decryption exponent' 'd'. That number d is the UNIQUE number BETWEEN 1 and phi_n such that the product of e and d leaves remainder 1 on division by phi_n. A FUNDAMENTAL mathematical point is that d can ONLY be calculated by someone who KNOWS the value of phi_n, or, what amounts to the same thing, the values of p and q.

Now that I have chosen - and made known my RSA 'public-key' (n, e) - I am ready to receive RSA-encrypted messages.

So, suppose someone (YOU, let us say) wanted to send ME an RSA-encrypted message, whose plaintext was: The money is now in your Swiss account.

This is what you would do:

First you would cast your text into numerical form, using the above agreed instructions:

> numerical_form_of_text:=to_number(`The money is now in your Swiss account`);

>

and then you would check to see how many digits are in the numerical form of your text:

> length(numerical_form_of_text);

>

You also check how many digits my 'public modulus' n has:

> length(n);

>

With the number which is the numerical form of your text being LESS than my public modulus you are now ready to send me your message (I will explain in my lecture what you do otherwise).

This is what you do:

You take the number which is the numerical form of your text, and apply 'modular exponentiation' to it, using MY PUBLICLY DECLARED ENCRYPTION EXPONENT (e) with MY PUBLICLY DECLARED MODULUS (n):

> numerical_form_of_cipher_text:=numerical_form_of_text&^e mod n; # the transformed text

>

You then send me the number numerical_form_of_cipher_text.

On receipt of your encrypted message I proceed to decrypt it as follows:

I would ALREADY have calculated my 'decryption exponent' d. That number d is the UNIQUE number between 1 and phi_n (which is HUGE when p and q are large) such that the PRODUCT of e and d leaves remainder 1 on division by the number phi_n.

The value of 'd' is calculated by using a method called the 'extended Euclidean algorithm', a simple, but remarkably powerful idea which dates from Euclid (300 B.C.). (This is also something which I teach to my students.)

> igcdex(e, phi_n, x, y); # the 'ex' is the 'extended Euclidean ... '

>

You need not be concerned with what that 'x' and 'y' is about (thought I will explain it to anyone who wishes to know what's going on); suffice it to say that some powerful Mathematics is going on behind the scenes, which enables me (the one who CHOOSE the primes 'p' and 'q' some time ago) to calculate the 'decryption exponent' d:

> d:=x mod phi_n;

>

Now that I have the value of 'd', the numerical form of the ORIGINAL text is recovered by MY applying modular exponentiation to the received numerical_form_of_cipher_text, using my PUBLIC modulus n, together with my PRIVATE decryption exponent d:

> numerical_form_of_decoded_text:=numerical_form_of_cipher_text&^d mod n;

>

And I now recover the text of the message YOU sent to ME, by transforming the last string of digits into text by:

> original_text:=from_number(numerical_form_of_decoded_text);

>

Suppose someone somehow eavesdropped on the above message. Could they decrypt it? They could if they knew my PRIVATE decryption exponent d.

Let's see what happens if they try GUESSING my PRIVATE d:

> d_guess:=682569569269;

>

That guessed value of d would result in the following attempted decryption:

> numerical_form_of_attempted_decryption:=numerical_form_of_cipher_text&^d_guess mod n;

>

which would now result in the following attempt at restoring the original text:

> attempted_original_text:=from_number(numerical_form_of_attempted_decryption);

Error, (in from_number) there is NO meaningful text corresponding to the number you have inputted

>

Of course IF someone did correctly guess my PRIVATE decryption exponent d, then they would be able to recover the text of the message you sent me.

I wish to remind you that there is a UNIQUE value for d in the range 1 to phi_n, and so when p and q are large then phi_n ( = (p - 1)*(q - 1) ) is large, and so the chances of correctly guessing it are remote.

And it's not even the case that if one quessed close to d that an eavesdropper would do any better. I will illustrate by choosing a guessed decryption exponent which is 1 less, and then 1 more, than the correct value of d:

> d - 1;

>

> numerical_form_of_another_attempted_decryption:=

> numerical_form_of_cipher_text&^(d - 1) mod n;

>

> another_attempted_original_text:=from_number(numerical_form_of_attempted_decryption);

Error, (in from_number) there is NO meaningful text corresponding to the number you have inputted

>

And now let's try the other side of d:

> d + 1;

>

> numerical_form_of_yet_another_attempted_decryption:=

> numerical_form_of_cipher_text&^(d + 1) mod n;

>

> yet_another_attempted_original_text:=

> from_number(numerical_form_of_yet_another_attempted_decryption);

Error, (in from_number) there is NO meaningful text corresponding to the number you have inputted

>

QUESTION: Wouldn't a decryption be possible if someone KNEW the values of p and q?

ANSWER: Of course. Anyone who knew p and q (and who is familiar with the mathematics of calculating d from phi_n (namely (p - 1)*(q - 1)) would be immediately able to calculate d.

QUESTION: So, isn't it just a question of recovering the values of p and q from the value of n?

[Added afterwards: When I was planning this lecture I had mentally allowed that I would only devote about five minutes to section 1 - the 'private-key' period. To my horror I found that I spent almost twenty minutes on it, and as a result I only got to this point after almost one hour. I decided not to try the patience of my audience too much, and brought my lecture to an end at that point.

As I had printed the text, and made about fifty photocopies, I was able to give out texts to everyone who was interested (all my copies went, and I had to post more later).

There followed a period of about forty minutes of questions and answers.]

_____________________________

5. Fundamental mathematical ideas for public-key.

It is only possible to touch briefly on these.

Besides familarity with 'modular arithmetic' (also known as 'clock' arithmetic, or 'congruences') and the Euclidean algorithm and its 'extension', the key ideas involve the work of two famous mathematicians: Pierre de Fermat (1601-1667) and Leonhard Euler (1707-1783).

One of the very many wonderful discoveries that Fermat made was this:

Fermat's 'little' theorem: If p is any prime number and a is any whole number that is NOT divisible by p, then the number a to the power of (p-1), when divided by p, will leave remainder of 1.

______________________________

Some examples to help you understand:

(1) Let p = 5 and a = 2, then (p-1) = 5-1 = 4, and so 2 to the power of 4 will leave 1 over when divided by 5: 2^4 = 16 = 5*3 + 1. So the remainder is 1.

(2) Let p = 7 and a = 10, then (p-1) = 7-1 = 6, and so 10 to the power of 6 will leave 1 over when divided by 7: 10^6 = 1000000 = 7*142857 + 1. So the remainder is 1.

You should verify some examples for yourself in your own time.

Let's just quickly see some examples with much larger numbers:

> p:=nextprime(1234564264327);

>

And now I'll choose an 'a' that is NOT divisible by p:

> a:=8675645534;

>

And now let us check to see what remainder a to the power of (p-1) leaves on division by p:

> a&^(p - 1) mod p;

>

And the next number after a is (a+1):

> (a+1)&^(p-1) mod p;

>

But let me just show you these:

> 30&^10 mod 11; # here p = 11 and a = 30.

> 31&^10 mod 11; # p is still 11, but I've changed a to 31.

> 32&^10 mod 11; # p is still 11, but I've changed a to 32.

> 33&^10 mod 11; # p is still 11, but I've changed a to 33.

>

The remainder has now come to be 0, because - as you see - the value of a (33) IS now divisible by 11.

Fermat discovered this beautiful theorem in connection with his work on primes of the form (2^n - 1) (the subject of my other public lecture, on the recently discovered record prime 2^1257787 - 1), but he was unable to give a proof that it was always true.

The first proof was given by Euler (there were many subsequent ones - including one of my own in 1966 for the special case when a = 2), and it was he who went on to give a 'generalization' of Fermat's theorem:

Euler's generalization of Fermat's 'little' theorem: If n is any whole number greater than 1 (prime or not) and a is any whole number such that a and n are NOT both divisible by any whole number greater than 1, then there is a whole number WHOSE VALUE DEPENDS ONLY ON THE NUMBER n itself (which Euler called phi_n) such that the number a to the power of phi_n will leave remainder 1 when divided by n.

_________________________________

When n is itself a prime (the Fermat case), then phi_n = n - 1.

But when n is NOT a prime it is NO longer the case that phi_n = n - 1.

For example: Let n = 4 (the very first example of a NON-PRIME greater than 1); then n - 1 = 3. Now, choosing a = 7, we have a and n are NOT both divisible by any whole number greater than 1. And now let us calculate 7 (namely a) to the power of n - 1 (namely 3), to see what remainder it leaves on division by n:

7^3 = 7*7*7 = 49*7 = 343 = 4*85 + 3, so it leaves 3 (and NOT 1) over when divided by 4.

I could give infinitely many similar examples ... .

____________________________________

So, QUESTION: WHAT is the value of phi_n when n is NOT a prime?

Euler was able to give a COMPLETE answer to this, but I am going to limit myself to the following

PARTIAL ANSWER: When a number is NOT a prime then there are an INFINITE number of different possible shapes that it might have. It could be the product of two primes (which might be different or not: 15 = 3*5, 49 = 7*7, etc); it could be the product of three primes (which might be different or not: 42 = 2*3*7, 12 = 2*2*3, 125 = 5*5*5, etc); it could be the product of four (five, six, ... ) primes ... .

In the simplest possible case - when n is the product of two DIFFERENT primes, p and q - Euler discovered, and was able to prove, that the value of phi_n was (p - 1)*(q - 1). So, we have:

The simplest case of Euler's generalization of Fermat's 'little' theorem: Let p and q be any two DISTINCT primes, and let phi_n = (p - 1)*(q - 1). Let a be any whole number such that a and n are NOT both divisible by any whole number greater than 1 (and it can be shown that that is EQUIVALENT to saying that a is NOT divisible by p, and a is NOT divisible by q). Then a to the power of phi_n will leave remainder 1 when divided by n.

________________________________

An example to help you gain some understanding: Let p = 3 and q = 5, and set n = p*q = 3*5 = 15. Then phi_n = phi_15 = (3 - 1)*(5 - 1) = 2*4 = 8. Let us choose a = 4. Then a (4) and n (15) are NOT both divisible by any whole number greater than 1, and we have: a^phi_n = 4^8 = 4*4*4*4*4*4*4*4 = 65536 = 15*4369 + 1, and so leaves remainder 1 on division by 15 (namely n).

You should do some similar examples for yourself.

____________________________________

It is this special case of Euler's theorem (the two distinct primes case) that underpins the Rivest, Shamir and Adleman cryptographic protocol ... .

According to an article in the April 1995 issue of 'Math Horizons' (available from Mathematical Association of America at: 1529 Eighteenth Street, N.W., Washington, D.C., 20036), on reading the Diffie-Hellman paper, Rivest and Shamir (of MIT) started to work on attempting a realization of the public-key idea. At that time they had a new colleague, Adleman. Rivest and Shamir would come up with a proposal, pass it on to Adleman, and he would find a flaw in it ... . Their forty-third proposal was the now famous RSA cryptographic protocol ... .

RECOMMENDED READING LIST

Besides the original papers mentioned above (which a good library could obtain for you), a basic list would be vast, and so I limit my list to just two books:

1. Title: Cryptology

Author: Albrecht Beutelspacher

Publisher: The Mathematical Association of America (1994)

ISBN: 0-88385-504-6

[ This is a sound basic text, and covers the history from Caesar up to modern times. ]

2. Title: PGP: Pretty Good Privacy

Author: Simson Garfinkel

Publisher: O'Reilly & Associates, Inc. (1995)

ISBN: 1-56592-098-8

[ The best recommendation for this book is surely that of Phil Zimmerman's (the creator of PGP), who said of it: "I even learned a few new things about PGP from Simson's informative book." ]

Both these books have extensive bibliographies, and Garfinkel's book includes many useful e-mail addresses (e.g. for the Electronic Privacy Information Center (US spelling) and the Electronic Frontier Foundation. Both these organisations issue regular free documents on legal and political issues relating to cryptography, and are obtainable by e-mail subscription), Web addresses of Usenet newsgroups, and Web addresses for 'ftp-ing' free copies of PGP software.

__________________________________