Component Design and Security Analysis of Cryptographic Algorithms
Abstract
Component design and security analysis of cryptographic algorithms, a hot topic in cryptology, is of great importance in the design and analysis of stream ciphers, block ciphers and hash functions. This thesis first studies the design theory of Boolean functions, an important component of cryptographic algorithms, focusing on the construction and enumeration of rotation symmetric Boolean functions that satisfy specific cryptographic criteria. It then discusses methods for analysing cryptographic algorithms and evaluates the security of several common block ciphers as well as of the block cipher components of hash functions.
In the design theory of Boolean functions, the main results are:
(1) The construction of even-variable rotation symmetric Boolean functions with maximum algebraic immunity (MAI) is studied. A general construction class containing n/2 - 1 distinct constructions, and a concrete construction of even-variable rotation symmetric MAI functions with high nonlinearity, are given.
(2) The construction of even-variable balanced rotation symmetric MAI functions is studied. A general construction of even-variable balanced rotation symmetric MAI functions is given and, taking 2m-variable balanced rotation symmetric MAI functions as an example, a concrete construction of a class of 2m-variable balanced rotation symmetric MAI functions with relatively high nonlinearity is obtained.
(3) The enumeration of balanced rotation symmetric Boolean functions is studied. By optimising and analysing the solutions of the associated system of equations, the known lower bound on the number of p^r-variable balanced rotation symmetric Boolean functions (p prime) is improved, and a lower bound on the number of balanced rotation symmetric Boolean functions on a general odd number of variables is given for the first time.
In the security analysis of cryptographic algorithms, the main results are:
(1) The resistance of the full-round ARIRANG encryption mode to related-key rectangle attacks is evaluated. Using a linear transformation of the master key and the all-one differential property of the round function, the first related-key rectangle attack on the full-round ARIRANG encryption mode is given. The result shows that the ARIRANG encryption mode is insecure when used as a block cipher: it does not resist related-key rectangle attacks.
(2) The resistance of the full-round HAS-V encryption mode to related-key rectangle attacks is evaluated. By analysing the two parallel encryption lanes and the key schedule of the HAS-V encryption mode, a related-key rectangle distinguisher for the full 100-round HAS-V encryption mode is given. The result shows that the HAS-V encryption mode does not resist related-key rectangle attacks.
(3) The resistance of HIGHT to integral attacks is studied. Through theoretical derivation and computer simulation, the two 12-round integral distinguishers given by the designers of HIGHT are corrected, two new 17-round higher-order integral distinguishers are derived, and an integral attack on 22-round HIGHT based on the higher-order integral distinguishers is given in detail.
(4) The resistance of Zodiac to integral attacks is studied in depth. Known results show that Zodiac has two 8-round integral distinguishers. By studying an equivalent structure of Zodiac and its probability-1 truncated differentials, this thesis first constructs two new 9-round integral distinguishers of Zodiac that are identical in form, and mounts integral attacks on Zodiac with different numbers of rounds, in particular on full-round Zodiac-192. Furthermore, the 9-round integral distinguishers of Zodiac are extended to higher-order integral distinguishers; in particular, a higher-order integral distinguisher for the full 16-round Zodiac is obtained and, taking the 15-round higher-order integral distinguisher as an example, a higher-order integral attack on full-round Zodiac is given.
As a hot topic in cryptology, component design and security analysis of cryptographic algorithms play significant roles in the design and analysis of stream ciphers, block ciphers and Hash functions. This thesis firstly investigates the design theory of Boolean functions, which are an important component of cryptographic algorithms. As the main study, the constructions and counts of rotation symmetric Boolean functions (RSBFs) with some cryptographic criteria are investigated. Then we discuss the analysis methods of cryptographic algorithms. Furthermore, the security of some familiar block ciphers, including some block cipher components of Hash functions, is evaluated.
In the domain of the design theory of Boolean functions, the main contents and fruits of this thesis are outlined as follows:
(1) The constructions of even-variable RSBFs with maximum algebraic immunity (MAI) are studied. Firstly, we present a new construction class of even-variable RSBFs with MAI, which has in total n/2 - 1 different constructions. Then an improved construction which achieves both MAI and high nonlinearity is proposed.
(2) Some constructions of even-variable balanced RSBFs with MAI are given. Firstly, we present a new general construction of even-variable balanced RSBFs with MAI. Then, as an example, an improved construction of 2m-variable balanced RSBFs with both MAI and high nonlinearity is proposed.
(3) The enumeration of balanced RSBFs is discussed. Based on some improvement and analysis of the solutions of the correlative equation system, the lower bound on the number of p^r-variable balanced RSBFs is improved, where p is a prime. Then, for a general odd n, a lower bound on the number of n-variable balanced RSBFs is provided for the first time.
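The four criteria the abstract applies to rotation symmetric Boolean functions (rotation symmetry, balancedness, nonlinearity and algebraic immunity) can be checked exhaustively for small n. The Python code below is an added example, not code from the thesis: it evaluates each criterion from a truth table, computing nonlinearity through the Walsh-Hadamard transform and algebraic immunity by testing, degree by degree, whether the annihilator equations g(x) = 0 for x in supp(f) (and likewise for f xor 1) have a nonzero solution, via a rank computation over GF(2). The majority function and the 4-variable cyclic quadratic used as inputs are constructed here for illustration; they are not the constructions the thesis proposes.

```python
"""Cryptographic criteria for Boolean functions on n variables (added example).

A function f is stored as its truth table: a list of 2**n values in {0, 1},
indexed by the integer x whose bit i is the variable x_i (i = 0, ..., n-1).
"""
from itertools import combinations
from math import ceil


def truth_table(n, func):
    """Truth table of func(bits), where bits[i] is the value of x_i."""
    return [func([(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]


def rotate(x, n):
    """Cyclically rotate the n-bit word x by one position."""
    return ((x << 1) | (x >> (n - 1))) & ((1 << n) - 1)


def is_rotation_symmetric(f, n):
    """Rotation symmetric: f is invariant under cyclic shifts of its inputs."""
    return all(f[x] == f[rotate(x, n)] for x in range(1 << n))


def is_balanced(f, n):
    """Balanced: f outputs 1 on exactly half of the 2**n inputs."""
    return sum(f) == 1 << (n - 1)


def walsh_spectrum(f, n):
    """Fast Walsh-Hadamard transform: W_f(a) = sum_x (-1)^(f(x) xor a.x)."""
    w = [1 - 2 * v for v in f]  # (-1)^f(x)
    h = 1
    while h < 1 << n:
        for i in range(0, 1 << n, 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h <<= 1
    return w


def nonlinearity(f, n):
    """nl(f) = 2^(n-1) - max_a |W_f(a)|/2: distance to the nearest affine function."""
    return (1 << (n - 1)) - max(abs(v) for v in walsh_spectrum(f, n)) // 2


def _monomials(n, d):
    """All monomials of degree <= d, each as the bit mask of its variables."""
    return [sum(1 << i for i in c) for k in range(d + 1) for c in combinations(range(n), k)]


def _gf2_rank(rows):
    """Rank over GF(2) of a matrix given as a list of integer bit-vector rows."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot  # pivot column = lowest set bit
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def has_annihilator(f, n, d):
    """True iff a nonzero g with deg(g) <= d vanishes on supp(f), i.e. g*f = 0.
    Each x in supp(f) yields one GF(2) equation in the monomial coefficients of g;
    a nonzero solution exists iff the coefficient columns are linearly dependent."""
    masks = _monomials(n, d)
    rows = []
    for x in range(1 << n):
        if f[x]:
            # column j is 1 iff monomial j evaluates to 1 at x
            rows.append(sum(1 << j for j, m in enumerate(masks) if x & m == m))
    return _gf2_rank(rows) < len(masks)


def algebraic_immunity(f, n):
    """AI(f): least degree of a nonzero annihilator of f or of f xor 1.
    The maximum possible value (MAI) is ceil(n/2); the search always terminates
    there because at that degree there are more monomials than equations."""
    g = [1 - v for v in f]
    for d in range(ceil(n / 2) + 1):
        if has_annihilator(f, n, d) or has_annihilator(g, n, d):
            return d
    return ceil(n / 2)


def profile(f, n):
    """All four criteria at once, with the MAI bound for comparison."""
    return {
        "rotation_symmetric": is_rotation_symmetric(f, n),
        "balanced": is_balanced(f, n),
        "nonlinearity": nonlinearity(f, n),
        "algebraic_immunity": algebraic_immunity(f, n),
        "max_algebraic_immunity": ceil(n / 2),
    }


# Constructed sample inputs (not constructions from the thesis).
def majority(n):
    """Majority function on an odd number of variables: symmetric (hence rotation
    symmetric), balanced, and known to reach maximum algebraic immunity."""
    return [1 if bin(x).count("1") > n // 2 else 0 for x in range(1 << n)]


# Cyclic quadratic x0x1 + x1x2 + x2x3 + x3x0 = (x0+x2)(x1+x3) on 4 variables:
# rotation symmetric, but unbalanced and with AI 1 (1 + x0 + x2 annihilates it).
CYCLIC_QUADRATIC_4 = truth_table(
    4, lambda b: (b[0] & b[1]) ^ (b[1] & b[2]) ^ (b[2] & b[3]) ^ (b[3] & b[0])
)

if __name__ == "__main__":
    samples = {"maj3": (majority(3), 3), "maj5": (majority(5), 5),
               "cyc4": (CYCLIC_QUADRATIC_4, 4)}
    for name, (f, n) in samples.items():
        print(name, profile(f, n))
```

`profile` returns all criteria together, so a candidate construction can be compared against the MAI bound ceil(n/2) in one call. The checks enumerate all 2^n inputs and solve linear systems of that size, so they are a verification tool for small n (say n up to 16), not a substitute for the general-n proofs the thesis gives.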
In the domain of the security analysis of cryptographic algorithms, the main contents and fruits of this thesis are outlined as follows:
(1) The security of the full round ARIRANG encryption mode against the related-key rectangle attack is evaluated. Based on a linear transformation of the master key and the all-one differential of the round function, a related-key rectangle attack on the full 40-round ARIRANG encryption mode is presented. The result shows that the ARIRANG encryption mode is not safe as a block cipher: it is not immune to the related-key rectangle attack.
(2) The security of the full round HAS-V encryption mode against the related-key rectangle attack is evaluated. Through the analysis of the two parallel-line encryption structure and the key schedule of the HAS-V encryption mode, a related-key rectangle distinguisher of the full 100-round HAS-V encryption mode is presented. The result shows that the HAS-V encryption mode is not immune to the related-key rectangle attack.
(3) The resistance of HIGHT against the integral attack is discussed. Through theoretical deduction and computer simulation, we point out and correct an error in the 12-round integral distinguishers given by the HIGHT proposers. Then two new 17-round higher order integral distinguishers are described, based on which we present an integral attack on 22-round HIGHT in detail.
(4) The resistance of Zodiac against the integral attack is investigated in depth. Known results show that there are two 8-round integral distinguishers of Zodiac. Firstly, by the analysis of the equivalent structures and of truncated differentials with probability 1, two new 9-round integral distinguishers which are formally consistent are proposed. Then integral attacks are applied to Zodiac with different numbers of rounds; in particular, an integral attack on the full 16-round Zodiac-192 is presented. Additionally, the 9-round integral distinguishers of Zodiac are extended to higher order integral distinguishers; especially, a full 16-round higher order integral distinguisher of Zodiac is obtained. Based on the 15-round higher order integral distinguishers, higher order integral attacks on the full round Zodiac are presented.
