Fast Software Encryption

TWINE is a recent lightweight block cipher based on a Feistel structure. We first present two new attacks on TWINE-128 reduced to 25 rounds that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity. Then, we introduce alternative representations of both the round function of this block cipher and of a sequence of 4 rounds. LBlock, another lightweight block cipher, turns out to exhibit the same behaviour. Next, we illustrate how this alternative representation can shed new light on the security of TWINE by deriving high-probability iterated truncated differential trails covering 4 rounds with probability 2^-16. The importance of these is shown by combining different truncated differential trails to attack 23-round TWINE-128 and by giving a tighter lower bound on the high probability of some differentials by clustering differential characteristics following one of these truncated trails. A comparison between these high-probability differentials and those recently found in a variant of LBlock by Leurent highlights the importance of considering the whole distribution of the coefficients in the difference distribution table of an S-Box and not only their maximum value.
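The abstract's closing point (the whole DDT coefficient distribution matters, not just its maximum) and its use of clustering characteristics into a differential can both be made concrete on a single 4-bit S-box. The following is an added example, not code from the paper or from the TWINE or LBlock designers: it builds the difference distribution table of an S-box, reports the full coefficient histogram alongside the differential uniformity, and then shows, for two S-box layers with a uniformly random key XORed between them (a modelling assumption made here, not a TWINE structure), that the probability of a differential a -> c is the sum over every intermediate difference b of the characteristic probabilities, which can exceed the best single characteristic. The PRESENT S-box is used as a constructed stand-in only because its 16-entry table is standard; any 4-bit permutation, including the TWINE S-box from its specification, can be substituted.

```python
"""Added example: DDT coefficient distribution and characteristic clustering
for a 4-bit S-box. Not part of the original paper."""
from collections import Counter
from fractions import Fraction

# Constructed sample input: the PRESENT S-box, used here as a stand-in for any
# 4-bit permutation (replace with the TWINE S-box table from the specification).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """DDT[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for a in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def differential_uniformity(table):
    """Largest DDT coefficient over nonzero input differences (the usual 'max' figure)."""
    return max(max(row) for row in table[1:])


def coefficient_spectrum(table):
    """Histogram of all DDT coefficients over nonzero input differences.

    Two S-boxes can share the same maximum yet have very different spectra,
    which is what drives the probability of clustered differentials."""
    return Counter(v for row in table[1:] for v in row)


def best_characteristic(table, a, c):
    """Best single characteristic a -> b -> c through two S-box layers."""
    n = len(table)
    return max(Fraction(table[a][b], n) * Fraction(table[b][c], n) for b in range(n))


def clustered_differential(table, a, c):
    """Probability of the differential a -> c through two S-box layers with a
    uniformly random key XORed in between: sum over every intermediate b."""
    n = len(table)
    return sum(Fraction(table[a][b], n) * Fraction(table[b][c], n) for b in range(n))


def empirical_differential(sbox, a, c):
    """Exact count of (x, k) pairs with S(S(x)^k) ^ S(S(x^a)^k) == c, used to
    check that the clustered sum is exact under the random-key model."""
    n = len(sbox)
    hits = sum(1 for x in range(n) for k in range(n)
               if sbox[sbox[x] ^ k] ^ sbox[sbox[x ^ a] ^ k] == c)
    return Fraction(hits, n * n)


def clustering_gain(table):
    """All (a, c, best, clustered) where clustering several characteristics
    gives a strictly higher probability than the best single one."""
    n = len(table)
    out = []
    for a in range(1, n):
        for c in range(1, n):
            best = best_characteristic(table, a, c)
            clustered = clustered_differential(table, a, c)
            if clustered > best:
                out.append((a, c, best, clustered))
    return out


if __name__ == "__main__":
    table = ddt(PRESENT_SBOX)
    print("differential uniformity:", differential_uniformity(table))
    print("coefficient spectrum  :", dict(sorted(coefficient_spectrum(table).items())))
    a, c, best, clustered = max(clustering_gain(table), key=lambda t: t[3] - t[2])
    print(f"differential {a:x} -> {c:x}: best characteristic {best}, clustered {clustered}")
```

Running the script prints the uniformity together with the count of each coefficient value, then the (a, c) pair where summing over intermediate differences gains the most over the best single characteristic; `empirical_differential` can be called on the same pair to confirm the sum is exact under the random-key assumption.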


[288]  Marian Srebrny,et al.  Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function , 2014, IACR Cryptol. ePrint Arch..

[289]  Palash Sarkar,et al.  Efficient Tweakable Enciphering Schemes From (Block-Wise) Universal Hash Functions , 2009, IEEE Transactions on Information Theory.

[290]  Mihir Bellare,et al.  XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions , 1995, CRYPTO.

[291]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[292]  John P. Steinberger,et al.  Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance , 2012, IACR Cryptol. ePrint Arch..

[293]  Kenneth G. Paterson,et al.  Plaintext Recovery Attacks against SSH , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[294]  Atul Luykx,et al.  Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes , 2014, IACR Cryptol. ePrint Arch..

[295]  Dongdai Lin,et al.  Speeding Up the Search Algorithm for the Best Differential and Best Linear Trails , 2014, Inscrypt.

[296]  Moti Yung,et al.  Kleptography: Using Cryptography Against Cryptography , 1997, EUROCRYPT.

[297]  Orr Dunkelman,et al.  A Differential-Linear Attack on 12-Round Serpent , 2008, INDOCRYPT.

[298]  Steve Babbage,et al.  The MICKEY Stream Ciphers , 2008, The eSTREAM Finalists.

[299]  Martijn Stam,et al.  Collisions Are Not Incidental: A Compression Function Exploiting Discrete Geometry , 2012, TCC.

[300]  Alex Biryukov,et al.  Second-Order Differential Collisions for Reduced SHA-256 , 2011, ASIACRYPT.

[301]  Lars R. Knudsen,et al.  DES-X (or DESX) , 2005, Encyclopedia of Cryptography and Security.

[302]  Erik Zenner,et al.  Cryptanalysis of the Light-Weight Cipher A2U2 , 2011, IMACC.

[303]  Willi Meier,et al.  Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA , 2014, FSE.

[304]  Eli Biham,et al.  Enhancing Differential-Linear Cryptanalysis , 2002, ASIACRYPT.

[305]  Orr Dunkelman,et al.  Practical-time attacks against reduced variants of MISTY1 , 2015, Des. Codes Cryptogr..

[306]  Vincent Rijmen,et al.  The Rebound Attack and Subspace Distinguishers: Application to Whirlpool , 2015, Journal of Cryptology.

[307]  Ron Steinfeld,et al.  Rotational Cryptanalysis of ARX Revisited , 2015, FSE.

[308]  Keting Jia,et al.  New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256 , 2011, ACISP.

[309]  Phillip Rogaway,et al.  The OCB Authenticated-Encryption Algorithm , 2014, RFC.

[310]  Gregor Leander,et al.  On Linear Hulls, Statistical Saturation Attacks, PRESENT and a Cryptanalysis of PUFFIN , 2011, EUROCRYPT.

[311]  Moti Yung,et al.  A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks (extended version) , 2009, IACR Cryptol. ePrint Arch..

[312]  John P. Steinberger,et al.  On the Indifferentiability of Key-Alternating Ciphers , 2013, IACR Cryptol. ePrint Arch..

[313]  Michael Luby,et al.  Pseudo-random permutation generators and cryptographic composition , 1986, STOC '86.

[314]  Alexander Maximov Cryptanalysis of the "Grain" family of stream ciphers , 2006, ASIACCS '06.

[315]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[316]  Serge Vaudenay,et al.  Provable Security for Block Ciphers by Decorrelation , 1998, STACS.

[317]  Andrey Bogdanov,et al.  Twisted Polynomials and Forgery Attacks on GCM , 2015, EUROCRYPT.

[318]  John P. Steinberger,et al.  Minimizing the Two-Round Even–Mansour Cipher , 2014, Journal of Cryptology.

[319]  Kazuhiko Minematsu,et al.  Beyond-Birthday-Bound Security Based on Tweakable Block Cipher , 2009, FSE.

[320]  Benny Pinkas,et al.  The Design and Implementation of Protocol-Based Hidden Key Recovery , 2003, ISC.

[321]  Serge Vaudenay,et al.  Revisiting iterated attacks in the context of decorrelation theory , 2014, Cryptography and Communications.

[322]  Andrey Bogdanov,et al.  On the (In)Equivalence of Impossible Differential and Zero-Correlation Distinguishers for Feistel- and Skipjack-Type Ciphers , 2014, ACNS.

[323]  M. Benaissa,et al.  Hardware performance of eStream phase-III stream cipher candidates , 2008 .

[324]  Yee Wei Law,et al.  KLEIN: A New Family of Lightweight Block Ciphers , 2010, RFIDSec.

[325]  Alex Biryukov,et al.  Analysis of Involutional Ciphers: Khazad and Anubis , 2003, FSE.

[326]  Samuel Neves,et al.  BLAKE2: Simpler, Smaller, Fast as MD5 , 2013, ACNS.

[327]  Keting Jia,et al.  A Meet-in-the-Middle Attack on the Full KASUMI , 2011, IACR Cryptol. ePrint Arch..

[328]  Serge Vaudenay,et al.  Smashing WEP in a Passive Attack , 2013, FSE.

[329]  Alexander Maximov,et al.  New State Recovery Attack on RC4 , 2008, CRYPTO.

[330]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[331]  Kishan Chand Gupta,et al.  On Constructions of Circulant MDS Matrices for Lightweight Cryptography , 2014, ISPEC.

[332]  Donghoon Chang,et al.  A Keyed Sponge Construction with Pseudorandomness in a Standard Model , 2012 .

[333]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[334]  Serge Vaudenay,et al.  How Far Can We Go Beyond Linear Cryptanalysis? , 2004, ASIACRYPT.

[335]  Ingrid Verbauwhede,et al.  A low-cost implementation of Trivium , 2008 .

[336]  Adi Shamir,et al.  New Attacks on Keccak-224 and Keccak-256 , 2012, FSE.

[337]  Yongzhuang Wei,et al.  Generic related-key and induced chosen IV attacks using the method of key differentiation , 2013, IACR Cryptol. ePrint Arch..

[338]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[339]  Marc Joye,et al.  Addition with Blinded Operands , 2014, COSADE.

[340]  Claude Crépeau,et al.  Simple Backdoors for RSA Key Generation , 2003, CT-RSA.

[341]  Joe Kilian,et al.  How to Protect DES Against Exhaustive Key Search , 1996, CRYPTO.

[342]  Goutam Paul,et al.  Some Combinatorial Results towards State Recovery Attack on RC4 , 2011, ICISS.

[343]  Onur Özen,et al.  Design and Analysis of Multi-Block-Length Hash Functions , 2012 .

[344]  Goutam Paul,et al.  New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 , 2008, FSE.

[345]  Jean-Sébastien Coron,et al.  Secure Conversion between Boolean and Arithmetic Masking of Any Order , 2014, CHES.

[346]  David A. Wagner,et al.  Integral Cryptanalysis , 2002, FSE.

[347]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[348]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[349]  Stefano Tessaro,et al.  The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC , 2015, CRYPTO.

[350]  Martin Hell,et al.  Grain-128a: a new version of Grain-128 with optional authentication , 2011, Int. J. Wirel. Mob. Comput..

[351]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[352]  Palash Sarkar,et al.  HCH: A New Tweakable Enciphering Scheme Using the Hash-Counter-Hash Approach , 2008, IEEE Transactions on Information Theory.

[353]  Ueli Maurer,et al.  Indistinguishability Amplification , 2007, CRYPTO.

[354]  Thomas Peyrin,et al.  The LED Block Cipher , 2011, IACR Cryptol. ePrint Arch..

[355]  Craig Gentry,et al.  Eliminating Random Permutation Oracles in the Even-Mansour Cipher , 2004, ASIACRYPT.

[356]  Gregor Leander,et al.  Differential-Linear Cryptanalysis Revisited , 2014, FSE.

[357]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[358]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[359]  Pierre-Alain Fouque,et al.  Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES , 2013, IACR Cryptol. ePrint Arch..

[360]  Mitsuru Matsui,et al.  New Block Encryption Algorithm MISTY , 1997, FSE.

[361]  Dawu Gu,et al.  New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia , 2012, FSE.

[362]  Serge Vaudenay,et al.  Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness , 1999, Selected Areas in Cryptography.

[363]  Bart Preneel,et al.  Differential-Linear Attacks Against the Stream Cipher Phelix , 2007, FSE.

[364]  Joo Yeon Cho,et al.  Linear Cryptanalysis of Reduced-Round PRESENT , 2010, CT-RSA.

[365]  Lars R. Knudsen,et al.  Cryptanalysis of PRESENT-like ciphers with secret S-boxes , 2011, IACR Cryptol. ePrint Arch..

[366]  Serge Vaudenay,et al.  Resistance against Adaptive Plaintext-Ciphertext Iterated Distinguishers , 2012, INDOCRYPT.

[367]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[368]  A. Joux Authentication Failures in NIST version of GCM , 2006 .

[369]  Meiqin Wang,et al.  A Model for Structure Attacks, with Applications to PRESENT and Serpent , 2012, FSE.

[370]  Bart Preneel,et al.  The Differential Analysis of S-Functions , 2010, Selected Areas in Cryptography.

[371]  Hovav Shacham,et al.  Careful with Composition: Limitations of the Indifferentiability Framework , 2011, EUROCRYPT.

[372]  Alex Biryukov,et al.  Distinguisher and Related-Key Attack on the Full AES-256 , 2009, CRYPTO.

[373]  Vincent Rijmen,et al.  The KHAZAD Legacy-Level Block Cipher , 2001 .

[374]  Kyoji Shibutani,et al.  On the diffusion matrix employed in the Whirlpool hashing function , 2022 .

[375]  David A. Wagner,et al.  The Boomerang Attack , 1999, FSE.

[376]  Tetsu Iwata,et al.  Breaking and Repairing GCM Security Proofs , 2012, IACR Cryptol. ePrint Arch..

[377]  Vincent Rijmen,et al.  The Block Cipher Square , 1997, FSE.

[378]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[379]  Kazuo Ohta,et al.  Improving the Search Algorithm for the Best Linear Expression , 1995, CRYPTO.

[380]  Stefano Tessaro,et al.  Security Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma , 2011, TCC.

[381]  Vincent Rijmen,et al.  ON THE RELATED-KEY ATTACKS AGAINST AES * , 2012 .

[382]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[383]  Kenneth G. Paterson,et al.  Plaintext Recovery Attacks Against WPA/TKIP , 2014, FSE.

[384]  Jean-Pierre Tillich,et al.  Accurate estimates of the data complexity and success probability for various cryptanalyses , 2011, Des. Codes Cryptogr..

[385]  Jacques Patarin,et al.  A Proof of Security in O(2n) for the Xor of Two Random Permutations , 2008, ICITS.

[386]  Jovan Dj. Golic,et al.  Cryptanalysis of Alleged A5 Stream Cipher , 1997, EUROCRYPT.

[387]  G. V. Assche,et al.  On the security of the keyed sponge construction , 2011 .

[388]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[389]  Thomas Roche,et al.  SCARE of Secret Ciphers with SPN Structures , 2013, ASIACRYPT.

[390]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[391]  Andrey Bogdanov,et al.  spongent: A Lightweight Hash Function , 2011, CHES.

[392]  John P. Steinberger,et al.  The Security of Multiple Encryption in the Ideal Cipher Model , 2014, CRYPTO.

[393]  Vincent Rijmen,et al.  A Simple Key-Recovery Attack on McOE-X , 2012, CANS.

[394]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[395]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[396]  David Cash,et al.  Cryptography Secure Against Related-Key Attacks and Tampering , 2011, IACR Cryptol. ePrint Arch..

[397]  Martin Hell,et al.  The Grain Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[398]  Phillip Rogaway,et al.  The Software Performance of Authenticated-Encryption Modes , 2011, FSE.

[399]  Jongsung Kim,et al.  The higher-order meet-in-the-middle attack and its application to the Camellia block cipher , 2014, Theor. Comput. Sci..

[400]  Tanja Lange,et al.  Kangaroos in Side-Channel Attacks , 2014, CARDIS.

[401]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[402]  Kenneth G. Paterson,et al.  Security of Symmetric Encryption against Mass Surveillance , 2014, IACR Cryptol. ePrint Arch..

[403]  Joe Kilian,et al.  How to Protect DES Against Exhaustive Key Search (an Analysis of DESX) , 2015, Journal of Cryptology.

[404]  Elena Dubrova,et al.  An Architectural Countermeasure against Power Analysis Attacks for FSR-Based Stream Ciphers , 2012, COSADE.

[405]  Yannick Seurin,et al.  Tweakable Blockciphers with Asymptotically Optimal Security , 2013, FSE.

[406]  Gaëtan Leurent,et al.  Analysis of Differential Attacks in ARX Constructions , 2012, ASIACRYPT.

[407]  Xiaoyun Wang,et al.  Cryptanalysis of Stream Cipher Grain Family , 2009, IACR Cryptol. ePrint Arch..

[408]  Marian Srebrny,et al.  ICEPOLE: High-speed, Hardware-oriented Authenticated Encryption , 2014, IACR Cryptol. ePrint Arch..

[409]  Phillip Rogaway,et al.  Nonce-Based Symmetric Encryption , 2004, FSE.

[410]  Jongsung Kim,et al.  Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY 1 , 2007 .

[411]  Adi Shamir,et al.  An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware , 2011, IACR Cryptol. ePrint Arch..

[412]  Luke O'Connor,et al.  Properties of Linear Approximation Tables , 1994, FSE.

[413]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[414]  Andreas Klein,et al.  Attacks on the RC4 stream cipher , 2008, Des. Codes Cryptogr..

[415]  François-Xavier Standaert,et al.  Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions , 2013, IACR Cryptol. ePrint Arch..

[416]  James H. Burrows,et al.  Secure Hash Standard , 1995 .

[417]  Magnus Daum,et al.  Cryptanalysis of Hash functions of the MD4-family , 2005 .

[418]  Orr Dunkelman,et al.  New Insights on Impossible Differential Cryptanalysis , 2011, Selected Areas in Cryptography.

[419]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[420]  Louis Goubin,et al.  A Sound Method for Switching between Boolean and Arithmetic Masking , 2001, CHES.

[421]  Palash Sarkar,et al.  A General Construction of Tweakable Block Ciphers and Different Modes of Operations , 2008, IEEE Transactions on Information Theory.

[422]  Kaisa Nyberg,et al.  New Links Between Differential and Linear Cryptanalysis , 2015, IACR Cryptol. ePrint Arch..