Basic Principles of Block Cipher Cryptanalysis Methods and Their Applications
Abstract
Block ciphers are an important branch of cryptography. The breaking of the Data Encryption Standard (DES) and the selection of the Advanced Encryption Standard (AES) have greatly advanced both the design theory and the analysis theory of block ciphers. In recent years, in the ECRYPT project (the European call for stream cipher standards) and the SHA-3 project (the American call for a hash function standard), more and more stream ciphers and hash functions have adopted design ideas from block ciphers. The growing maturity of block cipher design theory poses new challenges for block cipher cryptanalysis; at the same time, design theory urgently needs new cryptanalytic results in order to develop further. This thesis studies the basic principles of impossible differential cryptanalysis, related-key cryptanalysis, integral cryptanalysis and differential fault attacks on block ciphers, applies these methods to Feistel ciphers, modified Lai-Massey ciphers and SPN ciphers, and obtains a number of new results.
     The first part of this thesis applies impossible differential cryptanalysis to block ciphers with the Feistel structure and the Lai-Massey structure. The results are as follows:
     (1) Feistel structures with SP-type and SPS-type round functions, whose linear layer P is defined over F_2^{n×n}, are studied. Both structures are very popular at present; representative ciphers are the European block cipher standard Camellia and the AES candidate E2. Known results show that when the round function is bijective, a Feistel cipher has 5-round impossible differentials. Using the miss-in-the-middle method, this thesis obtains sufficient conditions for the existence of 6/7/8-round impossible differentials of Feistel-SP ciphers: every column of P ⊕ P^{-1} with Hamming weight greater than 1 corresponds to some 6-round impossible differentials; some 7-round impossible differentials can be determined by counting the number of 1s at certain positions of P and P^{-1}; and 8-round impossible differentials can be decided by computing the rank of a certain sub-matrix of P. We design two P permutations such that the Feistel-SP structure using them has none of the 8-round impossible differentials above and the branch number reaches its maximum. The 6-round impossible differentials of Feistel ciphers with SPS-type round functions can also be determined by computing the rank of a certain sub-matrix of P. These results show that, when designing the components of a Feistel cipher, the linear layer should be chosen carefully in order to resist impossible differential cryptanalysis.
     (2) A set of 6-round impossible differentials of the AES candidate E2 is found, improving the known result by one round. Based on the new 6-round impossible differentials, the resistance of E2 to impossible differential cryptanalysis is evaluated; the results show that 7-round E2-128/192/256 and 8-round E2-256 without the initial transformation and final transformation are not immune to impossible differential cryptanalysis.
     (3) The FOX family of ciphers, which uses a modified Lai-Massey structure, is studied. Combining the properties of the linear layer, 4-round impossible differentials of FOX are found; based on these 4-round impossible differentials and a time-memory trade-off, cryptanalytic results are given for 5/6/7-round FOX64 and 5-round FOX128.
     The second part of the thesis studies the security of block ciphers in the related-key model. Two results are obtained:
     (1) The resistance of the SPN block cipher Crypton to related-key impossible differential cryptanalysis is studied. By analysing Crypton's key schedule, a 6-round related-key impossible differential distinguisher of Crypton is constructed; using this distinguisher together with the properties of the linear layer, an attack on 9-round Crypton with a 256-bit key is given, which recovers all the key bytes of the 9th round of Crypton.
     (2) The security of the Korean hash standard HAS-160 in encryption mode is studied. HAS-160 in encryption mode can be regarded as a block cipher with a 512-bit key and a 160-bit plaintext. The previous best result was based on a 71-round related-key rectangle distinguisher with probability 2^{-304}. By studying the properties of HAS-160 more carefully and introducing a bit-fixing technique, this thesis constructs a 72-round related-key rectangle distinguisher with probability 2^{-290}; using this distinguisher, two attacks on the full 80 rounds of HAS-160 are given, improving the existing results.
     The third part studies the construction of integral distinguishers. First, using Z'aba's bit-based (bit-pattern based) integral idea, a new 3-round integral distinguisher for Rijndael with a 256-bit block length is constructed; it needs only 32 chosen plaintexts, a large reduction compared with the 256 chosen plaintexts needed by the traditional Square distinguisher. Second, using the theory of higher-order differentials and treating the ciphertext as a Boolean function of the plaintext, the construction and proof of integral distinguishers are studied through the algebraic degree of Boolean functions; taking Rijndael and PRESENT as examples, the byte-based and bit-based integral methods are unified under the notion of algebraic degree, enriching the theory of integral attacks. Finally, an upper bound on the algebraic degree of the 6-round SMS4 structure is given; this bound is far smaller than the algebraic degree of an ideal block cipher.
     The fourth part proposes a differential fault attack on the European standard cipher SHACAL-2. SHACAL-2 has a generalised Feistel structure; by studying the iterative structure of the algorithm, adopting a word-oriented fault induction model, inducing faults in the second-to-last round and combining this with differential analysis techniques, the round keys of the algorithm can be recovered. Simulation results on a PC show that recovering one 32-bit round key requires 8 random faults on average, and, combined with the key schedule, fully recovering the 512-bit key requires about 128 faulty ciphertexts. This result shows that hardware faults pose a great potential danger to the security of SHACAL-2.
Block ciphers are an important branch of cryptology. The breaking of the Data Encryption Standard (DES) and the launch of the Advanced Encryption Standard (AES) have greatly promoted both the design theory and the analysis theory of block ciphers. In recent years, from the ECRYPT project in Europe to the SHA-3 project in America, more and more stream ciphers and hash functions have been designed on the ideas of block ciphers. The design theory of block ciphers is gradually maturing, which poses more challenges for cryptanalysis; new cryptanalytic results can in turn promote the design theory. This thesis investigates several cryptanalytic methods, including impossible differential cryptanalysis, related-key cryptanalysis, integral cryptanalysis and differential fault analysis. Using these methods, we efficiently analyze Feistel ciphers, modified Lai-Massey ciphers, SPN ciphers and others, and obtain some new cryptanalytic results.
     In the first part, impossible differential cryptanalysis of Feistel ciphers and modified Lai-Massey ciphers is studied. The main contents and results of this part are as follows:
     (1) Feistel ciphers with SP and SPS round functions are discussed, where the linear transformation P is defined over F_2^{n×n}. Typical ciphers employing the two structures are the European standard Camellia and the AES candidate E2. A known result shows that there are always 5-round impossible differentials of a Feistel cipher with a bijective round function. By using the "miss in the middle" method, we find sufficient conditions for impossible differentials of 6/7/8-round Feistel-SP ciphers, i.e. any column of P ⊕ P^{-1} whose Hamming weight is greater than 1 corresponds to some 6-round impossible differentials of Feistel ciphers with SP round functions. The existence of some 7-round impossible differentials can be determined by counting the number of 1s at some special positions of P and P^{-1}. Some 8-round impossible differentials can be found by computing the rank of some sub-matrix of P. We also present two linear transformations with which the Feistel-SP structure has none of the 8-round impossible differentials mentioned above. For Feistel ciphers with SPS round functions, 6-round impossible differentials can be found by determining the rank of some sub-matrix of P. These results tell us that when designing a Feistel cipher with an SP or SPS round function whose diffusion layer is selected from F_2^{n×n}, the linear transformation should be chosen carefully to make the cipher secure against impossible differential cryptanalysis.
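As an added illustration of the design criterion in item (1) of the first part (stated in both the Chinese and the English abstract above), the following Python code is not from the thesis. It implements two of the checks a designer of a Feistel-SP linear layer would run on a binary matrix P over F_2^{n×n}: the Hamming weight of each column of P ⊕ P^{-1} (the thesis associates every column of weight greater than 1 with 6-round impossible differentials) and the differential branch number of P. The two 4×4 matrices are constructed for this example, not taken from Camellia or E2, and the sub-matrix rank criteria are not reproduced because the abstract does not say which sub-matrix is meant.

```python
"""Designer-side checks on a Feistel-SP linear layer P over F_2^{n x n}.

Added example, not code from the thesis. Matrices are rows of 0/1 entries,
P[i][j] is row i, column j, and y = P x means y_i = XOR_j P[i][j] * x_j.
"""
from typing import List

Matrix = List[List[int]]


def gf2_rank(m: Matrix) -> int:
    """Rank over F_2 by Gaussian elimination on a copy of m."""
    rows = [row[:] for row in m]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def gf2_inverse(m: Matrix) -> Matrix:
    """Inverse over F_2 by Gauss-Jordan elimination on [M | I]."""
    n = len(m)
    aug = [m[i][:] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("P is singular over F_2, so it is not a valid linear layer")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def apply(m: Matrix, x: int) -> int:
    """Multiply m by the vector x, where bit j of x is coordinate j."""
    y = 0
    for i, row in enumerate(m):
        bit = 0
        for j, entry in enumerate(row):
            bit ^= entry & (x >> j) & 1
        y |= bit << i
    return y


def heavy_columns(p: Matrix) -> List[int]:
    """Columns of P xor P^{-1} whose Hamming weight exceeds 1: the columns
    the thesis associates with 6-round impossible differentials."""
    q = gf2_inverse(p)
    n = len(p)
    return [j for j in range(n) if sum(p[i][j] ^ q[i][j] for i in range(n)) > 1]


def branch_number(p: Matrix) -> int:
    """Differential branch number: min over x != 0 of wt(x) + wt(P x)."""
    n = len(p)
    return min(bin(x).count("1") + bin(apply(p, x)).count("1")
               for x in range(1, 1 << n))


def report(p: Matrix) -> dict:
    """Summary a designer would look at before adopting P."""
    return {"invertible": gf2_rank(p) == len(p),
            "heavy_columns": heavy_columns(p),
            "branch_number": branch_number(p)}


# Constructed example 1: a shift-register style (companion) matrix.
P_SHIFT: Matrix = [[0, 0, 0, 1],
                   [1, 0, 0, 1],
                   [0, 1, 0, 0],
                   [0, 0, 1, 0]]

# Constructed example 2: J xor I (all-ones minus the identity). For even n
# this is an involution, so P xor P^{-1} is the zero matrix.
P_COMPLEMENT: Matrix = [[int(i != j) for j in range(4)] for i in range(4)]

if __name__ == "__main__":
    for name, p in (("shift-register P", P_SHIFT), ("J xor I", P_COMPLEMENT)):
        print(name, report(p))
```

On the shift-register matrix every column of P ⊕ P^{-1} has weight 2 or 3 and the branch number is only 2, so both criteria flag it; J ⊕ I is an involution for n = 4, so P ⊕ P^{-1} vanishes and the branch number is 4. For n = 8 the same functions run on a byte-oriented layer such as Camellia's, since the search in branch_number only enumerates 2^n inputs.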
     (2) For the AES candidate E2, a series of impossible differentials are discovered, which improves the former results by one round. We also evaluate the security of E2 against impossible differential cryptanalysis. The results show that tweaked E2-128/192/256 reduced to 7 rounds and tweaked E2-256 reduced to 8 rounds are not immune to this cryptanalysis.
     (3) Impossible differential cryptanalysis of FOX, a block cipher with a modified Lai-Massey structure, is studied. Combining properties of the structure and the diffusion layer, we present some 4-round impossible differentials, based on which we can perform attacks on FOX with reduced rounds and improve the former cryptanalysis results.
     In the second part, the thesis studies the security of block ciphers under the related-key model. The main contents and results of this part are as follows:
     (1) We first target the SPN cipher Crypton. By analyzing the key schedule and diffusion layer of Crypton, some 6-round related-key impossible differential distinguishers are constructed, based on which we perform a 9-round attack on Crypton with a 256-bit key for the first time. The attack can recover all the bytes of the 9th round key.
     (2) We re-evaluate the security of HAS-160 in encryption mode, a block cipher with a 512-bit key and a 160-bit plaintext. The previous attack was based on a 71-round related-key distinguisher with probability 2^{-304}. By investigating some delicate properties of HAS-160 and using a bit-fixing technique, we present a 72-round related-key rectangle distinguisher with probability 2^{-290}. Two key recovery attacks on the encryption mode of the full 80-round HAS-160 are performed, which improve the former results.
     The third part discusses the construction of integral distinguishers, which are used to perform integral attacks. First, using Z'aba's idea of bit-pattern based integrals, we construct a new 3-round distinguisher of Rijndael with a 256-bit block length. Compared with the Square distinguisher, which needs 256 chosen plaintexts, the new one needs only 32 chosen plaintexts. Second, if we treat the ciphertext as a Boolean function of the plaintext bits, integral distinguishers can be constructed or proved using the theory of algebraic degree. Taking Rijndael and PRESENT as examples, we unify the byte-oriented and bit-oriented integral methods in a new way. Finally, we bound the algebraic degree of the 6-round SMS4 structure, which turns out to be low.
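The following Python example is added here and is not code from the thesis; it illustrates the algebraic-degree view of integral distinguishers described in the third part (in both the Chinese and the English abstract). It builds a constructed 12-bit toy SPN from the PRESENT S-box, a constructed bit permutation and constant round keys, computes the exact algebraic degree of every ciphertext bit by the Möbius transform, and checks that the XOR-sum of the ciphertexts over a cube of chosen plaintexts is zero exactly when the degree of the ciphertext bits, restricted to the cube variables, is below the cube dimension. The toy cipher, its permutation and its keys are assumptions made for the example.

```python
"""Algebraic degree and zero-sum (integral) checks on a constructed 12-bit SPN.

Added example, not code from the thesis. The cipher is a PRESENT-like toy:
three copies of the PRESENT S-box, a constructed bit permutation and
constant round keys on a 12-bit block.
"""
from itertools import product
from typing import Iterator, List

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # the PRESENT 4-bit S-box
BLOCK = 12                                          # toy block: three S-boxes
PERM = [(3 * i) % 11 for i in range(11)] + [11]     # constructed bit permutation
ROUND_KEYS = [0x0A5, 0x3C3, 0x5F0, 0x9B7]           # constructed constants


def toy_round(x: int, k: int) -> int:
    """One round: key XOR, S-box layer, bit permutation."""
    x ^= k
    y = 0
    for s in range(BLOCK // 4):
        y |= SBOX[(x >> (4 * s)) & 0xF] << (4 * s)
    z = 0
    for i in range(BLOCK):
        z |= ((y >> i) & 1) << PERM[i]
    return z


def encrypt(x: int, rounds: int) -> int:
    for r in range(rounds):
        x = toy_round(x, ROUND_KEYS[r])
    return x


def moebius_degree(truth_table: List[int]) -> int:
    """Algebraic degree of a Boolean function given as a truth table of
    length 2^m (index = input), via the in-place Moebius transform to ANF."""
    anf = truth_table[:]
    step = 1
    while step < len(anf):
        for base in range(0, len(anf), 2 * step):
            for i in range(base, base + step):
                anf[i + step] ^= anf[i]
        step <<= 1
    # the degree is the weight of the heaviest monomial with a nonzero coefficient
    return max((bin(u).count("1") for u, a in enumerate(anf) if a), default=-1)


def degrees(rounds: int) -> List[int]:
    """Exact algebraic degree of every ciphertext bit in the plaintext bits."""
    cts = [encrypt(x, rounds) for x in range(1 << BLOCK)]
    return [moebius_degree([(c >> b) & 1 for c in cts]) for b in range(BLOCK)]


def cube_points(cube_bits: List[int], base: int) -> Iterator[int]:
    """All plaintexts in the affine subspace base + span(cube_bits)."""
    base &= ~sum(1 << b for b in cube_bits)   # keep the subspace affine
    for choice in product((0, 1), repeat=len(cube_bits)):
        x = base
        for bit, c in zip(cube_bits, choice):
            x |= c << bit
        yield x


def restricted_degree(rounds: int, cube_bits: List[int], base: int = 0) -> int:
    """Highest degree, in the cube variables only, of any ciphertext bit with
    the remaining plaintext bits fixed to `base`."""
    cts = [encrypt(x, rounds) for x in cube_points(cube_bits, base)]
    return max(moebius_degree([(c >> b) & 1 for c in cts]) for b in range(BLOCK))


def is_zero_sum(rounds: int, cube_bits: List[int], base: int = 0) -> bool:
    """The integral property: XOR of all ciphertexts over the cube is zero.
    This holds iff restricted_degree(...) < len(cube_bits)."""
    acc = 0
    for x in cube_points(cube_bits, base):
        acc ^= encrypt(x, rounds)
    return acc == 0


if __name__ == "__main__":
    nibble0 = [0, 1, 2, 3]   # 16 chosen plaintexts: one whole S-box input varies
    for r in (1, 2, 3):
        print(f"{r} round(s): max degree {max(degrees(r))}, "
              f"degree on cube {restricted_degree(r, nibble0)}, "
              f"zero-sum {is_zero_sum(r, nibble0)}")
```

After one round the degrees are those of the S-box coordinates (2 or 3), and after two rounds the trivial bound 3^2 = 9 no longer predicts anything about a 4-dimensional cube, yet the 16-text integral on one S-box still holds because the first S-box is a bijection; restricted_degree makes that visible as a degree below 4 on the cube variables, which is the bit-level view of the distinguisher the abstract describes.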
     In the last part, we propose a differential fault attack on the European standard algorithm SHACAL-2, which employs an unbalanced Feistel structure. By observing the iterative structure, using a word-oriented fault model and combining the technique of differential cryptanalysis, the subkeys of SHACAL-2 can be recovered. PC simulation shows that 8 faulty ciphertexts can recover a 32-bit subkey on average, and 128 faulty ciphertexts are needed to recover the whole 512-bit key when the key schedule is considered. The attack indicates that hardware faults greatly threaten the security of SHACAL-2.