Cryptanalysis Techniques for Block Ciphers
Abstract (translated from Chinese)
Modern cryptographic theory and technology are an important foundation of information security. Block ciphers are an important branch of cryptography: they are fast, easy to standardize and convenient to implement in software and hardware, and they are usually the core mechanism for data encryption, digital signatures, authentication and key management in information and network security. This dissertation studies cryptanalysis methods for block ciphers such as the Advanced Encryption Standard (AES). The main results are as follows:
1. Using an impossible differential property, a distinguisher for impossible differential analysis of 4-round AES is constructed, and on the basis of this distinguisher a new impossible differential attack on 6-round AES is given. The whole attack requires 2^(99.5) chosen plaintexts, about 2^(85) 6-round AES encryptions and 2^(57) blocks of storage.
2. Using the key schedules of AES-192 and AES-256, impossible differential attacks on 7-round AES-192 and 8-round AES-256 are proposed. Analyzing 7-round AES-192 requires 2^(106) chosen plaintexts, about 2^(157) 7-round AES-192 encryptions and 2^(129) blocks of storage; analyzing 8-round AES-256 requires 2^(103) chosen plaintexts, about 2^(244) 8-round AES-256 encryptions and 2^(217) blocks of storage.
3. SMS4, the first commercial block cipher officially published in China, is analyzed. From the way the input and output differences of each SMS4 round change, a 14-round impossible differential of SMS4 is given, and an impossible differential attack on 17-round SMS4 is proposed. Analyzing 17-round SMS4 requires 2^(103) chosen plaintexts, 2^(124) 17-round encryptions and 2^(89) blocks of storage, and the probability of guessing a wrong key is only 2^(-88.7).
4. Using properties of the AES-192 key expansion algorithm and choosing suitable related keys, new related-key Square attacks on 7-round and 8-round AES-192 are given. In the analysis of 8-round AES-192, the key expansion algorithm is used to determine all exact subkey differences of the first 8 rounds under a specific related-key difference. The new attack on 8-round AES-192 needs only 2^(45) chosen plaintexts, 2^(40) storage and 2^(167) 8-round AES-192 encryptions.
5. Using properties of the AES-128 key expansion algorithm, choosing suitable related keys and combining them with the rectangle attack, a related-key rectangle attack on 7-round AES-128 is given for the first time. The attack on 7-round AES-128 requires 2^(115) chosen plaintexts (under 256 related keys) and 2^(115) 7-round AES-128 encryptions, and recovers the key with probability about 95.8%.
6. Using the principle of local differential identity within a mode of operation, a new random-message forgery attack is given against PMAC and TMAC-V, two block-cipher modes of operation. The attack forges PMAC and TMAC-V tags for random messages with success probability 86.5% in both cases, higher than the 63% success probability in the existing literature. The attack complexity for PMAC without output truncation is [0, 2^(n/2+1), 1, 0]; with output truncation it is [0, 2^(n/2+1), ⌈n/τ⌉, 2^(n-τ)]; for TMAC-V it is [0, 2^(n/2+1), 1, 0].
Abstract (English, as published)
Modern cryptographic theory and technology are an important basis of information security. Block ciphers are an important branch of cryptology: they are fast, easy to standardize and efficient in both software and hardware, and they are usually the core component of data encryption, digital signature, authentication and key management in information and network security. This dissertation investigates techniques for the cryptanalysis of block ciphers, with emphasis on the Advanced Encryption Standard (AES). The main results are as follows:
1. An impossible differential property of 4-round AES is established. Based on this property, a new method for cryptanalyzing 6-round AES is proposed. The attack on 6-round AES requires about 2^(99.5) chosen plaintexts, 2^(85) 6-round AES encryptions and 2^(57) words of memory.
2. Two impossible differential attacks, on 7-round AES-192 and 8-round AES-256, are presented by exploiting weaknesses in their key schedules. The attack on 7-round AES-192 requires about 2^(106) chosen plaintexts, 2^(157) 7-round AES-192 encryptions and 2^(129) words of memory. The attack on 8-round AES-256 requires about 2^(103) chosen plaintexts, 2^(244) 8-round AES-256 encryptions and 2^(217) words of memory.
3. SMS4 is the first commercial block cipher published by the Chinese government. By analyzing how the input and output differences of each round change, a 14-round impossible differential of SMS4 is presented. Based on this property, a new method for cryptanalyzing 17-round SMS4 is proposed. The attack on 17-round SMS4 requires about 2^(103) chosen plaintexts, 2^(124) 17-round SMS4 encryptions and 2^(89) words of memory; the probability of failing to recover the secret key is only 2^(-88.7).
4. Two new related-key Square attacks, on 7-round and 8-round AES-192, are presented by exploiting appropriate related-key differences and weaknesses in the AES-192 key schedule. Once the related-key difference is fixed, the exact subkey differences of the first 8 rounds are determined from the key schedule. The attack on 8-round AES-192 requires only about 2^(45) chosen plaintexts, 2^(40) memory and 2^(167) 8-round AES-192 encryptions.
5. A related-key rectangle attack on 7-round AES-128 is proposed for the first time, by exploiting appropriate related-key differences and weaknesses in the AES-128 key schedule. The attack on 7-round AES-128 requires about 2^(115) chosen plaintexts under 256 related keys and 2^(115) 7-round AES-128 encryptions; the probability of recovering the secret key is about 95.8%.
6. A new forgery attack with random messages on PMAC and TMAC-V, two block-cipher-based modes, is presented; it makes use of a differential identity that holds in part of the mode. The attack forges the PMAC or TMAC-V tag of a random message with probability 86.5%, higher than the 63% in the known reference. Its complexity is [0, 2^(n/2+1), 1, 0] for PMAC without truncation, [0, 2^(n/2+1), ⌈n/τ⌉, 2^(n-τ)] for PMAC with truncation, and [0, 2^(n/2+1), 1, 0] for TMAC-V.
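As an added example that is not part of the dissertation, the following Python checks the 4-round AES impossible differential on which result 1 of both abstracts builds its distinguisher: a one-byte plaintext difference always makes all 16 bytes active after two rounds, while two 4-round outputs (final MixColumns omitted) that agree on the four bytes ShiftRows filled from one column always agree on a diagonal after round 2, so the two conditions cannot meet. The AES primitives are a minimal implementation written for this check; independent random round keys and FIPS-197 column-major byte indexing are assumptions.

```python
# Added illustration (not code from the dissertation): the 4-round AES impossible
# differential behind result 1, checked with a minimal AES round function. Assumed:
# independent random round keys (any key schedule works); byte 4*c+r is row r, column c.
import os
import random

SR_COL0 = (0, 7, 10, 13)           # output bytes that ShiftRows filled from column 0

def gmul(a, b):                    # GF(2^8) multiplication mod x^8+x^4+x^3+x+1
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ (0x11B if a & 0x80 else 0)) & 0xFF, b >> 1
    return r

def _build_sbox():                 # S-box from its definition: field inverse, then affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):         # s = inv ^ rot1(inv) ^ rot2(inv) ^ rot3(inv) ^ rot4(inv)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def xor_blocks(a, b):
    return [x ^ y for x, y in zip(a, b)]

def shift_rows(s, inverse=False):  # row r rotates left by r bytes (right when inverting)
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, inverse=False): # circulant MDS matrix applied to each column
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)
    return [gmul(m[0], s[4 * c + r]) ^ gmul(m[1], s[4 * c + (r + 1) % 4])
            ^ gmul(m[2], s[4 * c + (r + 2) % 4]) ^ gmul(m[3], s[4 * c + (r + 3) % 4])
            for c in range(4) for r in range(4)]

def encrypt_rounds(p, keys, rounds, last_mc):   # last_mc=False drops the final MixColumns
    s = xor_blocks(p, keys[0])
    for i in range(1, rounds + 1):
        s = shift_rows([SBOX[b] for b in s])
        s = xor_blocks(mix_columns(s) if i < rounds or last_mc else s, keys[i])
    return s

def decrypt_rounds(c, keys, rounds, last_mc):   # exact inverse of encrypt_rounds
    s = xor_blocks(c, keys[rounds])
    for i in range(rounds, 0, -1):
        if i < rounds or last_mc:
            s = mix_columns(s, inverse=True)
        s = xor_blocks([INV_SBOX[b] for b in shift_rows(s, inverse=True)], keys[i - 1])
    return s

def check_4_round_property(keys, trials=100):
    """Returns (fewest active bytes after 2 rounds from a 1-byte difference, bytes always
    equal after round 2 when 4-round outputs with no final MixColumns agree on SR_COL0)."""
    worst, always = 16, set(range(16))
    for _ in range(trials):
        p = list(os.urandom(16)); q = p[:]
        q[random.randrange(16)] ^= random.randrange(1, 256)
        d = xor_blocks(encrypt_rounds(p, keys, 2, True), encrypt_rounds(q, keys, 2, True))
        worst = min(worst, sum(1 for x in d if x))
        c1 = list(os.urandom(16))
        c2 = [c1[i] if i in SR_COL0 else x for i, x in enumerate(os.urandom(16))]
        d = xor_blocks(decrypt_rounds(c1, keys[2:], 2, False), decrypt_rounds(c2, keys[2:], 2, False))
        always &= {i for i in range(16) if d[i] == 0}
    return worst, sorted(always)   # (16, [0, 5, 10, 15]): all active vs. a zero diagonal
```

Calling `check_4_round_property` with five 16-byte round keys returns `(16, [0, 5, 10, 15])`: the forward and backward conditions contradict each other at the end of round 2, which is exactly why the differential is impossible.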