Cryptanalysis of Hash Functions

This thesis deals with the analysis and design of cryptographic hash functions, which are fundamental components of many cryptographic applications such as digital signatures, authentication, key derivation, random number generation and many others. Because of this versatility they are considered the “Swiss army knives” of modern cryptology. A hash function is a one-way mathematical function that takes a message of arbitrary length as input and produces an output of fixed (smaller) length. In recent years, several of the approved cryptographic hash functions, which are generally inspired by MD4, have been successfully attacked, and serious attacks have been published against the world-wide standard SHA-1. In response, the National Institute of Standards and Technology (NIST) has opened a public competition to develop a new cryptographic hash algorithm, SHA-3, to replace the older SHA-1 and SHA-2 hash functions. The first part of this thesis is focused on the analysis of the hash function JH, one of the finalists of this competition. We demonstrate attacks on JH showing that the algorithm is not as secure as claimed by its designer. We find a semi-free-start collision for the hash function and semi-free-start near-collisions for the compression function of reduced-round JH. Moreover, we present distinguishers for the full internal permutation. The second part of this thesis is focused on the design of hash functions. We propose a new family of sponge-based lightweight hash functions called spongent. We first explain the design strategy of spongent and then present its security analysis, applying the most important state-of-the-art methods of cryptanalysis and investigating their complexity.
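The sponge mode that spongent builds on, as an added example (Python, not the thesis's or the spongent designers' code): a b = 88-bit state is split into an r = 8-bit rate and an 80-bit capacity, message blocks are XORed into the rate part between calls to a fixed permutation, and the fixed-length digest is squeezed r bits at a time. The permutation below is a constructed toy built from the PRESENT S-box and a bit permutation; it is not spongent's permutation, so the digests are illustrative only.

```python
# Added example (not from the thesis): a minimal sponge-mode hash with the
# state/rate sizes of the smallest spongent variant (b = 88, r = 8).
# The permutation is a constructed toy (PRESENT S-box + bit permutation),
# NOT the real spongent permutation; the point is the sponge mode itself.

B = 88              # state width in bits (b)
R = 8               # rate in bits (r): bits absorbed / squeezed per call
CAPACITY = B - R    # capacity c = 80 bits, never XORed with message data
ROUNDS = 45         # round count of the toy permutation (as in spongent-88)
MASK = (1 << B) - 1

# 4-bit PRESENT S-box, used here as a stand-in nonlinear layer
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def permute(state: int) -> int:
    """Toy b-bit permutation: round constant, S-box layer, bit permutation."""
    for rnd in range(1, ROUNDS + 1):
        state ^= rnd                                # constructed round constant
        sboxed = 0
        for i in range(B // 4):                     # S-box on every nibble
            sboxed |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
        moved = 0
        for j in range(B):                          # bit j -> j*b/4 mod (b-1)
            dst = B - 1 if j == B - 1 else (j * (B // 4)) % (B - 1)
            moved |= ((sboxed >> j) & 1) << dst
        state = moved & MASK
    return state


def pad10star1(msg: bytes, rate_bytes: int) -> bytes:
    """Multi-rate padding: a 1 bit, zeros, and a final 1 bit filling the block."""
    padded = bytearray(msg) + b"\x80"
    while len(padded) % rate_bytes:
        padded.append(0x00)
    padded[-1] |= 0x01
    return bytes(padded)


def sponge_hash(msg: bytes, out_bytes: int = B // 8) -> bytes:
    """Absorb the padded message r bits at a time, then squeeze out_bytes."""
    rate_bytes = R // 8
    state = 0                                       # all-zero initial state
    padded = pad10star1(msg, rate_bytes)
    for i in range(0, len(padded), rate_bytes):     # absorbing phase
        block = int.from_bytes(padded[i:i + rate_bytes], "big")
        state = permute(state ^ block)              # XOR into the r-bit outer part
    out = bytearray()
    while len(out) < out_bytes:                     # squeezing phase
        out += (state & ((1 << R) - 1)).to_bytes(rate_bytes, "big")
        state = permute(state)
    return bytes(out[:out_bytes])


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 200):             # constructed sample inputs
        print(len(m), sponge_hash(m).hex())
```

Whatever the input length, the digest length is fixed by the squeeze loop, and a longer output is simply the same squeeze sequence continued.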
