<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
     which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
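<!-- One method to get references from the online citation libraries.
     There has to be one entity for each item to be referenced.
     An alternate method (rfc include) is described in the references.
     Note that each entity below is an external SYSTEM entity fetched over
     plain HTTP when the document is processed, so build this file only
     with a trusted toolchain or against a local copy of the citation
     library. -->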
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC5794 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5794.xml">
<!ENTITY RFC6114 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6114.xml">
<!ENTITY RFC4269 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4269.xml">
<!ENTITY RFC3713 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3713.xml">
<!ENTITY RFC2612 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2612.xml">
<!ENTITY RFC2994 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2994.xml">
<!ENTITY RFC2268 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2268.xml">
<!ENTITY RFC2144 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2144.xml">
<!ENTITY RFC5830 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5830.xml">
<!ENTITY RFC4503 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4503.xml">
<!ENTITY RFC4949 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC5116 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
<!ENTITY RFC4772 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4772.xml">
<!ENTITY I-D.kiyomoto-kcipher2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-kiyomoto-kcipher2-06.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs), 
     please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
     (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space 
     (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->

<!--<rfc category="info" docName="draft-irtf-cfrg-cipher-catalog-00" ipr="trust200811"> -->
	
<rfc category="info" docName="draft-irtf-cfrg-cipher-catalog-01" ipr="trust200902">
  <!-- category values: std, bcp, info, exp, and historic
     ipr values: full3667, noModification3667, noDerivatives3667
     you can add the attributes updates="NNNN" and obsoletes="NNNN" 
     they will automatically be output with "(if approved)" -->

  <!-- ***** FRONT MATTER ***** -->

  <front>
    <!-- The abbreviated title is used in the page header - it is only necessary if the 
         full title is longer than 39 characters -->

    <title abbrev="Ciphers on the Internet">Ciphers in Use in the Internet</title>

    <!-- add 'role="editor"' below for the editors if appropriate -->

    <!-- Another author who claims to be an editor -->

                <author fullname="David McGrew" initials="D" surname="McGrew">
                        <organization>Cisco Systems</organization>
                        <address><postal>
                                       <street>13600 Dulles Technology Drive</street>
                                        <city>Herndon </city>
                                        <code>20171</code>
                                        <region>VA</region>
                                        <country>USA</country>
                                </postal><email> mcgrew@cisco.com </email></address>
                        
                </author>


    <author fullname="Sean Shen" initials="S." surname="Shen">
      <organization>   Chinese Academy of Science</organization>

      <address>
        <postal>
          <street>    No.4 South 4th Zhongguancun Street </street>

          <!-- Reorder these if your country does things differently -->

          <city>Beijing</city>

          <region></region>

          <code>100190</code>

          <country>China</country>
        </postal>

        <phone>+86 10-58813038</phone>

        <email>shenshuo@cnnic.cn</email>

        <!-- uri and facsimile elements may also be added -->
      </address>
    </author>




    <date month="October" year="2012" />

    <!-- If the month and year are both specified and are the current ones, xml2rfc will fill 
         in the current day for you. If only the current year is specified, xml2rfc will fill 
	 in the current day and month for you. If the year is not the current one, it is 
	 necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the 
	 purpose of calculating the expiry date).  With drafts it is normally sufficient to 
	 specify just the year. -->

    <!-- Meta-data Declarations -->

    <area>General</area>

    <workgroup>Internet Research Task Force</workgroup>

    <!-- WG name at the upperleft corner of the doc,
         IETF is fine for individual submissions.  
	 If this element is not present, the default is "Network Working Group",
         which is used by the RFC Editor as a nod to the history of the IETF. -->

    <keyword>Cipher, encryption, cryptography</keyword>

    <!-- Keywords will be incorporated into HTML output
         files in a meta tag but they have no effect on text or nroff
         output. If you submit your draft to the RFC Editor, the
         keywords will be used for the search engine. -->

    <abstract>
      <t>
	This note catalogs the ciphers in use on the Internet, to
	guide users and standards processes.  It presents
	the security goals, security analysis and results,
	specification, intellectual property considerations, and
	publication date of each cipher.  Background information and
	security guidance are provided as well.
      </t>
    </abstract>
  </front>

  <middle>
    <section title="Introduction">
      <t>
	This note is a catalog of the ciphers in use on the Internet,
	and/or defined or referenced in IETF RFCs.
      </t>
  <t>
    This note is not a standards document; instead it aims to 
    capture the consensus of the Crypto Forum Research Group
    at the time of publication, and to provide technical guidance
    to standards groups that are selecting ciphers.
  </t>
  <t>
    This note groups together ciphers with similar block structure,
    and lists ciphers in decreasing order of the year of their
    publication.
  </t>
<section title="Document History">
  <t>
    This is the second version of this note; it is a work in progress,
    and it should not yet be considered as representative of a
    consensus.  Comments are solicited and should be sent to the
    authors and to cfrg@irtf.org.
  </t>
  <t>
    This section is to be removed by the RFC Editor upon publication
    as an RFC.
  </t>
</section>

      <section title="Requirements Language">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
        document are to be interpreted as described in <xref
        target="RFC2119">RFC 2119</xref>.</t>
      </section>
    </section>

<section title="Background">
  <t>
    A cipher is an encryption method.  Encryption is a transformation
    of data that uses a secret key to change a plaintext value, which
    needs to be kept secret, into a ciphertext value, which can be
    safely revealed without the loss of the confidentiality of the
    plaintext.  Ciphertext can be converted back into plaintext,
    through the use of the secret key, via a decryption algorithm that
    is the reverse of the encryption algorithm.  Importantly,
    encryption does not protect the integrity or authenticity of the
    plaintext; it does not provide a data integrity service, or a data
    origin authentication service <xref target="RFC4949"/>.
  </t>
  <t>
    Authenticated Encryption is an encryption method that does protect
    the integrity and authenticity of the plaintext, as well as the
    confidentiality of the plaintext.  Authenticated Encryption with
    Associated Data (AEAD) protects the confidentiality, integrity,
    and authenticity of the plaintext, and also protects the integrity
    and authenticity of some associated data <xref target="RFC5116"/>.
  </t>
  <t>
    A Block Cipher is an encryption algorithm that encrypts a
    fixed-size plaintext block with a secret key, resulting in a
    fixed-size ciphertext block.  The encryption is reversible, so
    that the plaintext block can be computed from the key and the
    ciphertext block.  Block ciphers are not directly used to encrypt
    data, but instead are used in a mode of operation, as described
    below.   A block cipher has two parameters: block size (the number 
    of bits in the fixed-size blocks), and key size (the number
    of bits in the key).   Some block ciphers accept more than one
    key size.  
  </t>
  <t>
    A Block Cipher Mode of Operation is a method for encrypting and/or
    authenticating data.  Most modes of operation can operate on
    arbitrary-length data, unlike the block cipher itself, which can
    only operate on fixed length data.  The mode of operation
    logically breaks plaintext into fixed-size blocks, and processes
    these blocks using the block cipher (and other operations such
    as bitwise exclusive-or).    
  </t>
  <t>
    A Stream Cipher is an encryption method that does not use a block
    cipher, and is not used in a mode of operation; instead, the
    stream cipher defines its own encryption method.  Most stream
    ciphers encrypt plaintext by generating pseudorandom data with a
    secret key, then bitwise exclusive-oring the pseudorandom data
    with the plaintext to produce the ciphertext.  Some stream ciphers
    take an Initialization Vector (IV) as input; a different IV is
    provided to the cipher for each different message that is
    encrypted.  A stream cipher has two parameters: IV size (the
    number of bits in the IV), and key size (the number of bits in the
    key).  Some stream ciphers accept more than one key size.
  </t>
<section title="Attack Models">
  <t>
    There are many different attack models that are used to analyze
    the security of ciphers.  An attack model is a formal statement of
    the attacker's capabilities.  A particular cipher may be strong in
    one attack model, but weak in another; the suitability of that
    cipher for use in a particular application will depend entirely on
    the attacker's actual capabilities in the real world.
  </t>
  <t>
    In a Known-Plaintext Attack (KPA), the attacker knows some (but
    not all) of the plaintexts that are encrypted with an unknown
    secret key, and can learn the resulting ciphertexts.  The
    attacker's goal is to determine the value of
    some of the unknown plaintexts.
  </t>
  <t>
    In a Chosen-Plaintext Attack (CPA), the attacker can choose some
    (but not all) of the plaintexts that are encrypted with an unknown
    secret key, and can learn the resulting ciphertexts.  A CPA is
    adaptive if the attacker can adapt the plaintexts that it chooses
    based on the ciphertexts that it observes.  The attacker's
    goal is to determine the value of some of the plaintexts that
    it does not choose and that it does not know.
  </t>
  <t>
    In a Chosen-Ciphertext Attack (CCA), the attacker can cause the
    decryption of some ciphertexts of its choice, and can learn the
    results of those decryptions.  The attacker can also observe the
    ciphertext resulting from the encryption of some unknown
    plaintexts.  A CCA is adaptive if the attacker can adapt the
    ciphertexts that it chooses based on other data that it observes.
    The attacker's goal is to determine the value of some of the
    unknown plaintexts.
    (Authenticated Encryption protects against these attacks.)
  </t>
  <t>
    In a Related-Key Attack (RKA), the attacker can cause the
    encryption of unknown plaintext values under two or more keys,
    where the relationship between the keys is known to the attacker,
    but the actual value of the keys is not known.  For example, if
    keys K1 and K2 are in use, the attacker might know the value of
    the bitwise exclusive-or of K1 and K2, while not knowing the value
    of either key.  Related-Key Attacks do not have any effect on
    security when keys are chosen independently, as is the case in
    most communication security protocols.  It is a theoretical
    impossibility for a cipher to be resistant to all types of RKAs,
    which underscores the need for sound key generation and key
    management.
  </t>
  <t>
    In a Side-Channel Attack (SCA), the attacker has access to
    physical side information beyond the digital representation of the
    plaintexts and ciphertexts, such as the voltage levels used during
    the encryption process, or fine-grained timing information about
    the duration of the encryption operations.  SCAs act against an
    implementation of a cipher, rather than against the cipher design,
    since the side information is a property of the former and not the
    latter.  Nonetheless, it is important to study methods of
    defending a particular cipher design from SCAs.
  </t>
  <t>
    In a Key Recovery Attack (KRA), the attacker learns the secret key
    that is used to encrypt some ciphertext.  In a Plaintext Recovery
    Attack (PRA), the attacker learns some unknown plaintext, but
    does not learn the secret key.  A successful KRA is devastating,
    but a successful PRA can also be just as damaging.   
  </t>
</section>
<section title="Security Goals">
<t>
There are several security goals for block ciphers; understanding these
goals is important to understanding the actual security provided
by ciphers in the real world.  This section reviews 
the most important security goals.

</t>

<section title="Exhaustive Search">
  <t>
    For each cipher, the best attack is described.  Any cipher can be
    defeated, in theory, by exhaustively searching over every possible
    key, but in practice this attack is computationally feasible only
    for smaller key sizes.
    The 1998 Deep Crack machine cost $250,000 and could break a 56-bit
    key by exhaustive search in about one day <xref target="K98"/>.
    Due to the exponentially fast decrease in the cost of computing
    power (Moore's Law), the length of a key that can be broken for a
    fixed amount of money goes up by one bit every 1.5 years.
    Combining these facts, we estimate that a $250,000 machine can
    break 66-bit keys via exhaustive search in 2013, and that a $32M
    machine can break 73-bit keys.  
  </t>


</section>

<section title="Attacks on reduced-round versions">
<t>
  In most block ciphers, the encryption operation essentially consists
  of a round function that is repeated multiple times, each time with
  a different subkey.  The plaintext block is input to the first
  round, and the ciphertext block is the output of the final round.
  Cryptanalysts investigating the security of a block cipher often
  consider attacks against reduced-round versions of the cipher,
  that is, variants that include fewer rounds than the actual
  cipher.  Most attacks against block ciphers can be easily
  generalized to attacks on reduced-round variants of block ciphers.
  The effectiveness of an attack against a block cipher is measured,
  in part, by the number of rounds that the attack can defeat.  
</t>
<t>
  The number of chosen plaintext blocks, chosen ciphertext blocks, or
  known plaintext blocks that are used in an attack is an important
  measure of the strength of that attack.  For instance, an attack
  against a 128-bit block cipher that requires more than 2^64 known
  plaintext blocks has little effect on practical security, because
  those ciphers are not used to encrypt that much data with a single
  key (see <xref target="ind"/>).  
</t>

</section>

<section anchor="ind" title="Indistinguishability and the birthday bound">

<t>
An encryption method is indistinguishable from random whenever its
ciphertext cannot be distinguished from a random value by a
computationally limited adversary.  This idea has been mathematically
formalized, and is fundamental to the analysis of ciphers.  A cipher
cannot be secure unless it is indistinguishable, and thus, 
this is the main security goal.  
</t>
<t>
Typical block cipher modes of operation are insecure when the amount
of data processed by a single key is larger than w * 2^(w/2) bits,
where w is the block size of the block cipher.  (Here and below 2^w
denotes 2 to the power w.)  This limit is called the birthday bound,
by analogy to the fact that, in a group of people, a birthday common
to two people is more likely than one might expect.  
The birthday bound is a primary
consideration for the security of block ciphers.
Above the
birthday bound, all of the block cipher modes of operation that are in
common use are distinguishable from random, and are vulnerable to
plaintext recovery attacks.  
<list>
  <t>
    The bound for a 64-bit block cipher is 2^34 bytes, or 4 Gigabytes, and
  </t>
  <t>
    The bound for a 128-bit block cipher is 2^67 bytes, or 128 Trillion Gigabytes.
  </t>
</list>
In practice, it is highly desirable that the amount of data is
significantly below the birthday bound, in order to make the
likelihood of a successful plaintext recovery attack negligible.
</t>
<t>
It is highly desirable that a block cipher be indistinguishable from
random even if the attacker knows most of the 2^w possible w-bit
plaintext/ciphertext pairs for a given key.  However, because of the
birthday bound, a block cipher should not be used to encrypt more than
2^(w/2) plaintexts, and attacks against a block cipher that require
more than 2^(w/2) plaintexts or ciphertexts likely have no effect on the
practical security of that cipher.   
</t>
</section>
</section>
</section>
<section title="Guidance">
  <t>
    It is STRONGLY RECOMMENDED that any cipher used be secure in the
    KPA, adaptive CPA, and adaptive CCA models.  The security against
    this type of attack is determined by the cipher design.
  </t>
  <t>
    It is RECOMMENDED that any implementation of a cipher be secure in
    the SCA model, and it is STRONGLY RECOMMENDED that any
    implementation that must operate while in the physical possession
    of an attacker be secure in the SCA model.  The security against
    this type of attack is determined by the particulars of the
    implementation, and not the design of the cipher.  However, a
    specific cipher design may be easier to implement such that it is
    secure in the SCA model, compared to other ciphers.
  </t>
  <t>
    When encryption is in use, it is STRONGLY RECOMMENDED that either
    1) Authenticated Encryption or AEAD be used, or 2) an encryption
    method be used in conjunction with an algorithm that protects the
    authenticity of the data, such as a Message Authentication Code
    <xref target="RFC4949"/>.
  </t>
  <t>
    64-bit block ciphers SHOULD NOT be used in general-purpose
    systems, because of the plaintext recovery attacks that are
    possible against them.  When a 64-bit block cipher is used for
    legacy reasons, it is RECOMMENDED that the amount of data
    encrypted by a single key be at most 1 Megabyte.  For special purpose
    applications in which the amount of encrypted data is below this
    threshold, 64-bit block ciphers MAY be used.  
    </t>
<section title="AES Compatibility">
  <t>
    At present, the most widely used cipher is the Advanced Encryption
    Standard (see Section <xref target="AES"/>), which is believed to
    provide adequate security for the foreseeable future.  It has a
    block size of 128 bits, and key sizes of 128, 192, or 256 bits.
    We say that a cipher is AES-compatible if it supports the same
    block and key sizes, and that a cipher is partially AES-compatible
    if it supports the same block size and at least one of the key
    sizes.  
  </t>
  <t>
    AES-compatible ciphers include ARIA, CAST-256, Camellia, Serpent,
    and Twofish.  Partially AES-compatible ciphers include SEED and SMS4,
    both of which only support 128-bit keys.  All of these ciphers, 
    except for SMS4, are either free from intellectual property
    claims, or are available worldwide royalty free.  
  </t>
  <t>
    The existence of strong ciphers that are free of intellectual
    property restrictions shows that it is not necessary to use
    encumbered ciphers in order to obtain good security.
  </t>
</section>
</section>

<section title="128-bit Block Ciphers">
  <section title="ARIA">
    <t>
      ARIA was first published in 2003 <xref target="NBC:KKP03"/>
      by a large group of researchers from the Republic of South Korea.
      It is specified in <xref target="RFC5794"/>,
      and supports a block length of 128 bits and key lengths of 128 bits, 192 bits, and 256 bits.
      Thus ARIA is AES-compatible.  
     </t>
    <t>
      IETF uses include 21 RFCs and 11 Internet Drafts.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on ARIA.
    </t>

    <t>
      The best known attack against this cipher is a meet-in-the-middle
      attack on 8 rounds (out of 12) with data complexity 2^56, which
      was shown in <xref target="MMA:TSLL10"/>.  There have been other
      analyses as well.  Classical linear and differential
      cryptanalysis were shown in <xref target="SPAA:BC03"/>.
      Truncated differentials, boomerang and slide attacks were shown
      in <xref target="INDOCRYPT:FFGL10"/> and <xref
      target="SPAA:BC03"/>.  Impossible differential cryptanalysis
      appeared in <xref target="CANS:DuChe10"/>.  SCA security was
      considered in <xref target="WISA:YHMOM06"/>.
    </t>

<!--
<t>
  The Smallest ARIA Module with 16-Bit Architecture was shown in <xref
  target="ICISC:YanParYou06"/>.
</t>
    -->

    <t>
     In 2004, the Korean Agency for Technology and Standards selected
     ARIA as a standard cryptographic technique.  The algorithm uses a
     substitution-permutation network (SPN) structure like that of
     AES.  The number of rounds is 12, 14, or 16, depending on the key
     sizes.  ARIA uses two 8 x 8-bit substitution tables and their inverses in
     alternate rounds; one of these is the AES substitution table.  The key
     schedule processes the key using a 3-round 256-bit Feistel
     cipher.
    </t>
  </section>
  <section title="CLEFIA">
    <t>
      CLEFIA was designed by the SONY corporation, and was first
      published in 2007 <xref target="BC:SSAMI07"/>,<xref
      target="FSE:SSAMI07"/>.  It is specified in <xref
      target="RFC6114"/>, and supports key lengths of 128, 192, and
      256.
     </t>
    <t>
      IETF uses include 1 RFC, which specifies the cipher, and 2
      Internet Drafts, defining its use in IPsec and TLS.
    </t>
    <t>
      Intellectual Property Rights have been claimed 
      on CLEFIA.  The owner of those rights is SONY.  
    </t>
    <t>
      The best known attack against this cipher is the improbable
      differential cryptanalysis of reduced round CLEFIA presented in
      <xref target="INDOCRYPT:Tezcan10"/>.  It requires 2^126.8 chosen
      plaintexts and breaks 13 (out of 18) rounds with a complexity of
      2^126.8 encryptions for the key size of 128 bits.  Similar
      attacks apply for 14 and 15 rounds of CLEFIA for the key sizes
      192 and 256 bits, respectively.
    </t>
    <t>      
      This cipher has also been analyzed by differential and linear
      cryptanalysis.  Impossible Differential Cryptanalysis was shown
      in <xref target="IDCC:TTSSSK08"/>.  SCA has been considered;
      cryptanalysis using differential methods with cache trace
      patterns was described in <xref target="RSA:RebMuk11"/> and
      differential fault analysis was described in <xref
      target="ICICS:CheWuFen07"/>.
    </t>
    <t>
      CLEFIA has 18, 22, or 16 rounds, for key sizes of 128 bits, 192
      bits, and 256 bits, respectively.  It is intended to be used in
      Digital Rights Management (DRM) systems.
    </t>
  </section>
  <section title="SMS4">
    <t>
      SMS4 was first published in 2006.
      It is specified in <xref target="SMS4"/>,
      and supports a key length of 128 bits.
     </t>
    <t>
      There are not yet any IETF uses.
      </t>
    <t>
      Intellectual Property Rights have been claimed on SMS4.  The
      owner of those rights is BDST.
    </t>
    <t>
      The best known attacks against SMS4 are the linear and
      differential attacks against 22 rounds (out of 32) shown in
      <xref target="LDC:KKHS08"/>.  These attacks require 2^117 known
      plaintexts and 2^118 chosen plaintexts, respectively.  Rectangle
      and impossible differential attacks were shown in <xref
      target="AARRS:DT08"/>.  Other attacks against reduced-round
      versions of SMS4 have appeared <xref target="ACISP:ZhaZhaWu08"/>
      <xref target="SAC:EtrRob08"/> <xref target="ICICS:TozDun08"/>
      <xref target="ICICS:Lu07"/>.
    </t>
    <t>
      Algebraic and XSL attacks against reduced-round SMS4 have been
      pursued <xref target="CANS:ChoYapKho09"/> <xref
      target="ICISC:EriDinChr09"/> <xref target="INDOCRYPT:JiHu07"/>.
    </t>
<!--
      <t>Parallelizing the Camellia and
      SMS4 Block Ciphers was shown in <xref
      target="AFRICACRYPT:YapKhoPos10"/>.
    </t>
-->
    <t>
      SMS4 is used in the Chinese National Standard for Wireless LAN
      WAPI.  SMS4 was a proposed cipher to be used in the IEEE 802.11i
      standard, but so far has been rejected by ISO.  One of the
      reasons for the rejection has been opposition to the WAPI
      fast-track proposal by the IEEE.  SMS4 uses an 8-bit
      substitution table, and performs 32 rounds to process one block.
      A non-linear key schedule is used to produce the round keys.
    </t>
  </section>
  <section title="SEED">
    <t>
      SEED was first published in 1998.
      It is specified in <xref target="RFC4269"/>,
      and supports a key length of 128 bits.
     </t>
    <t>
      IETF use includes 7 RFCs and 1 Internet Draft, which specify the
      cipher and define its use in CMS, TLS, IPsec, SRTP, and MIKEY.
      </t>
    <t>
      Intellectual Property Rights have not been claimed on SEED.
    </t>
    <t>
      The best attack against SEED is a differential attack against
      eight (out of 16) rounds <xref target="S11"/> that requires
      2^125 chosen plaintexts.  Differential and linear attacks were
      also shown <xref target="DC:YS03"/> <xref target="SKES:WMF03"/>
      <xref target="SCN:YanShi02"/>.  SCA was considered in <xref
      target="WISA:YKHMP04"/>.
    </t>
    <t>
      SEED is a 16-round Feistel network that uses two 8 x 8 S-boxes
      that are derived from discrete exponentiation, as in the design
      of the SAFER block cipher.  It was developed by the Korean
      Information Security Agency (KISA).  It is used broadly in South
      Korea, but not often used elsewhere.  It was adopted in Korea
      because the 40-bit "export strength" cryptography, as was common
      at the time in the Secure Sockets Layer (SSL) in web browsers,
      was rightly regarded as insufficient; KISA developed its own
      standard, SEED, to address this fact.  However, SEED is a national
      rather than international standard, and this fact limits the
      interoperability of SEED implementations in communications
      across national borders. 
    </t>
    <t>
      <!-- It also has some
      resemblance to MISTY1 in the recursiveness of its structure: the
      128-bit full cipher is a Feistel network with an F-function
      operating on 64-bit halves, while the F-function itself is a
      Feistel network composed of a G-function operating on 32-bit
      halves. However the recursion does not extend further because
      the G-function is not a Feistel network. In the G-function, the
      32-bit word is considered as four 8-bit bytes, each of which is
      passed through one or the other of the S-boxes, then combined in
      a moderately complex set of boolean functions such that each
      output bit depends on 3 of the 4 input bytes.  SEED has a fairly
      complex key schedule, generating its thirty-two 32-bit subkeys
      through application of its G-function on a series of rotations
      of the raw key, combined with round constants derived (as in
      TEA) from the Golden ratio.
      -->
    </t>
  </section>
  <section title="Camellia">
    <t>
      Camellia was first published in 2000 in <xref target="SC:AIKMMNT00"/>.
      It is specified in <xref target="RFC3713"/>,
      and supports key lengths of 128, 192, and 256.
     </t>
    <t>
      IETF uses include 15 RFCs and 6 Internet Drafts, which specify
      the cipher and define its use in XMLsec, TLS, IPsec, OpenPGP,
      CMS, PSKC, and Kerberos.
      </t>
    <t>
      Intellectual Property Rights have been claimed on Camellia.  The
      owner of those rights is NTT, who has stated that it "intends to
      grant royalty-free licenses for the essential patents"
      needed to implement Camellia <xref target="NTT"/>.
    </t>
    <t>
      The best known attack against Camellia is an impossible differential
      attack against 10 (out of 18) rounds that uses 2^112.4 chosen plaintext
      blocks <xref target="ISPEC:BaiLi11"/>.  


     
      Higher order differential attacks were shown in <xref
      target="HRDA:HSK02"/> and <xref target="SAC:HatSekKan02"/>.
      Truncated and impossible differential cryptanalysis have been
      presented <xref target="AC:SugKobIma01"/> <xref
      target="ICISC:LHLLY01"/> <xref target="FSE:KanMat01"/> <xref
      target="DLBRC:S02"/> <xref target="RSA:LKKD08"/> <xref
      target="SAC:WuZhaZha08"/> <xref target="SAC:MSDB09"/> <xref
      target="FSE:ShiKanAbe02"/>.  Other analyses include the square
      attack (integral cryptanalysis)
      <xref target="ICICS:LeiLiFen07"/>
       <xref target="FSE:YeoParKim02"/>
       <xref target="ICICS:HeQin01"/>
       and 
      collision attacks  <xref
      target="CANS:JieZho06"/><xref target="SAC:WuFenChe04"/>.

           


<!--      	
      Parallelizing the Camellia and SMS4 Block Ciphers was shown in <xref target="AFRICACRYPT:YapKhoPos10"/>.
      Unified Hardware Architecture for 128-Bit Block Ciphers AES and Camellia was shown in <xref target="CHES:SatMor03"/>.
      Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers was shown in <xref target="EC:BirNik10"/>.      
      Hardware-Focused Performance Comparison for the Standard Block Ciphers AES Camellia,and Triple-DES was shown in <xref target="ISC:SatMor03"/>.      
      New Observation on Camellia was shown in <xref target="SAC:LeiChaFen05"/>.
-->
    </t> 
    <t>
      Camellia is a 128-bit block cipher jointly developed by
      Mitsubishi and NTT. The cipher has been approved for use by the
      ISO/IEC, the European Union's NESSIE project and the Japanese
      CRYPTREC project. The cipher has security levels and processing
      abilities comparable to the Advanced Encryption Standard.
      Camellia's block size is 16 bytes (128 bits).  The block cipher
      was designed to be suitable for both software and hardware
      implementations, from low-cost smart cards to high-speed network
      systems.  Camellia is a Feistel cipher with either 18 rounds
      (for 128-bit keys) or 24 rounds (for 192 or 256 bit keys). Every
      six rounds, a logical transformation layer is applied: the
      so-called "FL-function" or its inverse. Camellia uses four 8 x
      8-bit S-boxes with input and output affine transformations and
      logical operations.  The cipher also uses input and output key
      whitening.  The diffusion layer uses a linear transformation
      based on an MDS matrix with a branch number of 5.
    </t>
  </section>
  <section title="CAST-256">
    <t>
      CAST-256 was first published in 1998 in <xref target="EA:C98"/>.
      It is specified in <xref target="RFC2612"/>,
      and supports key lengths of 128, 160, 192, 224, and 256 bits.
     </t>
    <t>
      Its IETF use is RFC 2612, which defines the cipher.
      </t>
    <t>
      Intellectual Property Rights have been claimed on CAST-256 by
      Entrust.  According to RFC 2612, it "is available worldwide on a
      royalty-free and license-free basis for commercial and non-
      commercial uses."
    </t>
    <t>
      The best known attack against CAST-256 is a linear attack on
      12 (out of 48) rounds that requires 2^101 known plaintext blocks
      <xref target="SAC:WamWanHu08"/>.  Other analysis includes
      differential and linear attacks <xref target="CA:AHTW99"/> and
      higher order differential attacks <xref
      target="FSE:MorShiKan98"/>.  
    </t>
    <t>
      The CAST-256 (or CAST6) block cipher was submitted as a
      candidate for the Advanced Encryption Standard (AES); however,
      it was not among the five AES finalists. It is an extension of
      an earlier cipher, CAST-128; both were designed according to the
      "CAST" design methodology invented by Carlisle Adams and
      Stafford Tavares. Howard Heys and Michael Wiener also
      contributed to the design.  CAST-256 uses the same elements as
      CAST-128, including S-boxes, but is adapted for a block size of
      128 bits, twice the size of its 64-bit predecessor. (A similar
      construction occurred in the evolution of RC5 into RC6).
      CAST-256 is composed of 48 rounds, sometimes described as 12
      "quad-rounds", arranged in a generalised Feistel network.
    </t>
  </section>
  <section anchor="AES" title="Advanced Encryption Standard (AES)">
    <t>
      AES was first published in 1998 in <xref target="AP:DR99"/>, and
      was originally called RIJNDAEL.  It is specified in <xref
      target="FIPS-197"/>, and supports key lengths of 128, 192, and
      256 bits.
     </t>
    <t>
      IETF uses include 29 RFCs and 3 Internet Drafts.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on AES.
    </t>
    <t>
      The best known attack against this cipher is biclique
      cryptanalysis, which works against the full 10 rounds of AES-128
      and requires 2^88 chosen plaintexts and 2^126 operations, only
      marginally fewer than the 2^128 of exhaustive key search <xref
      target="AC:BogKhoRec11"/>.  Besides this work, there has been
      considerable attention paid to the AES cipher by cryptanalysts,
      making it the most-studied cipher ever.
      Much of this work is in the KPA, CPA, and CCA models 
       <xref target="C:BouDerFou11"/>
       <xref target="FSE:DemSel08"/>
       <xref target="FSE:BucPysWei06"/>
       <xref target="INDOCRYPT:DTCB09"/>
       <xref target="INDOCRYPT:LDKK08"/>
       <xref target="SAC:MPRS09"/>
       <xref target="AC:PSCYL02"/>
       <xref target="SAC:ZWZF06"/>
       <xref target="CAOR:GM00"/>
       <xref target="KRBR:BDK05"/>
       <xref target="RKIDA:BDK06"/>
       <xref target="MITMA:DS08"/>
       <xref target="ACISP:FleGorLuc09"/>
       <xref target="SAC:KelMeiTav01"/>
       <xref target="FSE:GilPey10"/>
       <xref target="AC:DunKelSha10"/>
       <xref target="AFRICACRYPT:GalMin08"/>
       <xref target="FSE:Sasaki11"/>
 <xref target="EC:BirNik10"/>
 <xref target="ISC:ZWPKY08"/>
 <xref target="ISC:NakPav07"/>.
    </t>


    <t>
     The RKA model for AES has also been well studied 
 <xref target="C:BirKhoNik09"/>
 <xref target="SAC:JakDes03"/>
 <xref target="AC:BirKho09"/>
 <xref target="INDOCRYPT:ZZWF07"/>
 <xref target="INDOCRYPT:GorLuc08"/>
 <xref target="FSE:HKLP05"/>
 <xref target="RSA:BihDunKel06"/>
 <xref target="FSE:KimHonPre07"/>
 <xref target="IWSEC:Sasaki10"/>.
    </t>
<t>

      Considerable work has been done on SCA, including power analysis attacks and defenses
       <xref target="CHES:GouMar11"/>
      <xref target="CHES:CFGRV11"/>
       <xref target="AFRICACRYPT:GenProQui11"/>
       <xref target="AFRICACRYPT:AliMuk11"/>
      <xref target="ACNS:LuPanHar10"/>
      <xref target="ACNS:CanBat08"/>
      <xref target="ACNS:TilHerMan07"/>
      <xref target="ASIACCS:NevSeiWan06"/>
      <xref target="ACISP:FouTun06"/>
       <xref target="ACNS:DusLetViv03"/>
   <xref target="INDOCRYPT:KumMukCho07"/>
    <xref target="ISC:BatGieLem08"/>
    <xref target="SAC:Bogdanov07"/>
    <xref target="CANS:ZhaYuLiu10"/>
    <xref target="CHES:KimHonLim11"/>
    <xref target="CHES:RKSF11"/> 
<xref target="SAC:CEJV02"/>
 <xref target="CHES:DerFouLer11"/>
 <xref target="ICISC:ZhaWuFen07"/>
 <xref target="INDOCRYPT:MDRM10"/>
 <xref target="INDOCRYPT:MulWysPre10"/>      
  <xref target="FSE:OMPR05"/>
  <xref target="CHES:RivPro10"/>
  <xref target="CHES:Bogdanov08"/>
  <xref target="CHES:RenStaVey09"/>
  <xref target="CHES:SSHA08"/>
  <xref target="CHES:KerRey08"/>
  <xref target="CHES:TilHer08"/>
  <xref target="CHES:Jaffe07"/>
 <xref target="CHES:SLFP04"/>
 <xref target="CHES:PirQui03"/>
 <xref target="CHES:ManPraOsw05"/>
 <xref target="CHES:AkkGir01"/>
 <xref target="CHES:TriDeSGer02"/>
 <xref target="CHES:GolTym02"/>
 <xref target="RSA:BEPW10"/>
 <xref target="RSA:SakYagOht09"/>
 <xref target="FC:BloSei03"/>
 <xref target="ICICS:ZSMTS07"/>
 <xref target="RSA:SchPaa06"/>
 <xref target="ICISC:Mangard02"/>
 <xref target="INDOCRYPT:ProRoc10"/>
 <xref target="WISA:SchKim08"/>
 <xref target="WISA:OswSch05"/>
 <xref target="ICISC:CouGou05"/>
 <xref target="ICISC:Karroumi10"/>
 <xref target="SAC:BloGuaKru04"/>
 <xref target="SAC:BilGilEch04"/>
 <xref target="CHES:GebHoTiu05"/>
 <xref target="CHES:StaBerPre04"/>.
</t>
<t>


Cache-timing attacks and defenses have also been analyzed 
  <xref target="RSA:Konighofer08"/>      
  <xref target="CHES:KasSch09"/>
  <xref target="CHES:BonMir06"/>
  <xref target="RSA:AciSchKoc07"/>
  <xref target="RSA:OsvShaTro06"/>
  <xref target="SP:GulBanKre11"/>
  <xref target="ICICS:AciKoc06"/>
  <xref target="SAC:BloKru07"/>
  <xref target="SAC:NevSei06"/>
  <xref target="WISA:GalKizTun10"/>.
</t>
<t>



<!--
      Design of AES Based on Dual Cipher and Composite Field was shown in <xref target="RSA:WuLuLai04"/>.
      An ASIC Implementation of the AES S-Boxes was shown in <xref target="RSA:WolOswLam02"/>.
      Pushing the Limits: A Very Compact and a Threshold Implementation of AES was shown in <xref target="EC:MPLPW11"/>.
      Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds was shown in <xref target="EC:BDKKS10"/>.
-->


<!--      AES and the Wide Trail Design Strategy (Invited Talk) was shown in <xref target="EC:DaeRij02"/>.
      Secure Multiparty AES was shown in <xref target="FC:DamKel10"/>.

      Fast Software AES Encryption was shown in <xref target="FSE:OBSC10"/>.
-->




<!--
      Intel's New AES Instructions for Enhanced Performance and Security (Invited Talk) was shown in <xref target="FSE:Gueron09"/>.


      Provably Secure MACs from Differentially-Uniform Permutations and AES-Based Implementations was shown in <xref target="FSE:MinTsu06"/>.

      The Poly1305-AES Message-Authentication Code was shown in <xref target="FSE:Bernstein05"/>.
      Small Scale Variants of the AES was shown in <xref target="FSE:CidMurRob05"/>.

      Using Normal Bases for Compact Hardware Implementations of the AES S-Box was shown in <xref target="SCN:NikRijSch08"/>.

-->


</t>
<t>
    The mathematical structure of AES has also been studied  
    <xref target="SCN:DaeRij06"/>
       <xref target="SAC:BaiVau05"/>
       <xref target="ICICS:MonVau04"/>
       <xref target="FSE:SonSeb03"/>   
       <xref target="FSE:Wernsdorf02"/>
 <xref target="ICISC:SonSeb02"/>
       <xref target="C:MurRob02"/>
       <xref target="AC:BarBih02"/>
       <xref target="SAC:FegSchWhi01"/>.
</t>
<t>


<!--      Secure and Efficient AES Software Implementation for Smart Cards was shown in <xref target="WISA:TriKor04"/>.

      Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks was shown in <xref target="AFRICACRYPT:MinPhaPou09"/>.

      A Compact Rijndael Hardware Architecture with S-Box Optimization was shown in <xref target="AC:SMTM01"/>.
      NanoCMOS-Molecular Realization of Rijndael was shown in <xref target="CHES:MasRaiAhm06"/>.

      Efficient Implementation of Rijndael Encryption in Reconfigurable Hardware was shown in <xref target="CHES:SRQL03"/>.
      Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm was shown in <xref target="CHES:KuoVer01"/>.
      High Performance Single-Chip FPGA Rijndael Algorithm Implementations was shown in <xref target="CHES:McLMcC01"/>.
      Two Methods of Rijndael Implementation in Reconfigurable Hardware was shown in <xref target="CHES:FisDru01"/>.
      A Systematic Evaluation of Compact Hardware mplementations for the Rijndael S-Box was shown in <xref target="RSA:MBPV05"/>.

      Experimental Testing of the Gigabit IPSec-Compliant Implementations of Rijndael and Triple DES Using SLAAC-1V FPGA Accelerator Board was shown in <xref target="ISC:CGBS01"/>.

-->









<!--

      An FPGA Implementation of CCM Mode Using AES was shown in <xref target="ICISC:LopRodDia05"/>.

      A Program Generator for Intel AES-NI Instructions was shown in <xref target="INDOCRYPT:ManGre10"/>.
      New AES Software Speed Records was shown in <xref target="INDOCRYPT:BerSch08"/>.
      AES Software Implementations on ARM7TDMI <xref target="INDOCRYPT:DarKuh06"/>.
      Vortex: A New Family of One-Way Hash Functions Based on AES Rounds and Carry-Less Multiplication was shown in <xref target="ISC:GueKou08"/>.
      Hardware-Focused Performance Comparison for the Standard Block Ciphers AES Camellia,and Triple-DES was shown in <xref target="ISC:SatMor03"/>.
      Bitstream Encryption and Authentication Using AES-GCM in Dynamically Reconfigurable Systems was shown in <xref target="IWSEC:HSST08"/>.
      Low Power AES Hardware Architecture for Radio Frequency Identification was shown in <xref target="IWSEC:KRCJ06"/>.
      Securing RSA-KEM via the AES was shown in <xref target="PKC:JonRob05"/>.
      Transactional contention management as a non-clairvoyant scheduling problem was shown in <xref target="PODC:AEST06"/>.
      Tweaking AES was shown in <xref target="SAC:Nikolic10"/>.
      A More Compact AES was shown in <xref target="SAC:CanOsv09"/>.
      An Improved Recovery Algorithm for Decayed AES Key Schedule Images was shown in <xref target="SAC:Tsow09"/>.
-->


      <!--
      Implementation of the AES-128 on Virtex-5 FPGAs was shown in <xref target="AFRICACRYPT:BSQPR08"/>.

      Bitslice Implementation of AES was shown in <xref target="CANS:RebSelDev06"/>.

      Unbelievable Security. Matching AES Security Using Public Key Systems was shown in <xref target="AC:Lenstra01"/>.

      Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols was shown in <xref target="CHES:ProRoc11"/>.

      The Intel AES Instructions Set and the SHA-3 Candidates was shown in <xref target="AC:BBGR09"/>.

      Efficient Hashing Using the AES Instruction Set was shown in <xref target="CHES:BosOzeSta11"/>.

      Mixed Bases for Efficient Inversion in F_((2^2)^2)^2 and Conversion Matrices of SubBytes of AES was shown in <xref target="CHES:NNTHM10"/>.

      Accelerating AES with Vector Permute Instructions was shown in <xref target="CHES:Hamburg09"/>.

      Collision Attacks on AES-Based MAC: Alpha-MAC was shown in <xref target="CHES:BBKK07"/>.

      Multi-gigabit GCM-AES Architecture Optimized for FPGAs was shown in <xref target="CHES:LWFB07"/>.

      Power Analysis Resistant AES was shown in <xref target="CHES:TilGro07"/>.
      Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations was shown in <xref target="CHES:ManSch06"/>.
      A Generalized Method of Differential Fault Attack Against AES Cryptosystem was shown in <xref target="CHES:MorShaSal06"/>.

      Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors was shown in <xref target="CHES:TilGro06"/>.

      A Very Compact S-Box for AES was shown in <xref target="CHES:Canright05"/>.

      AES on FPGA from the Fastest to the Smallest was shown in <xref target="CHES:GooBen05"/>.

      Strong Authentication for RFID Systems Using the AES Algorithm was shown in <xref target="CHES:FelDomWol04"/>.


      Unified Hardware Architecture for 128-Bit Block Ciphers AES and Camellia was shown in <xref target="CHES:SatMor03"/>.
      Very Compact FPGA Implementation of the AES Algorithm was shown in <xref target="CHES:ChoGaj03"/>.
      An Optimized S-Box Circuit Architecture for Low Power AES Design was shown in <xref target="CHES:MorSat02"/>.

      Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm was shown in <xref target="CHES:KuoVer01"/>.


      A Comparative Study of Performance of AES Final Candidates Using FPGAs was shown in <xref target="CHES:DanPraRol00"/>.

  
      Boosting AES Performance on a Tiny Processor Core was shown in <xref target="RSA:TilHer08"/>.

      -->



		</t>
    <t>
      The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used 
    	worldwide.
    	AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 
    	2001 after a five-year standardization process in which fifteen competing designs were presented and evaluated before it was 
    	selected as the most suitable. It became effective as a Federal government standard on May 26, 2002 after approval by the 
    	Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open 
    	cipher approved by the National Security Agency (NSA) for top secret information.
      Originally called Rijndael, the cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted 
      by them to the AES selection process.
      AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware.
      AES operates on a 4 x 4 column-major order matrix of bytes, termed the state (versions of Rijndael with a larger block size 
      have additional columns in the state). Most AES calculations are done in a special finite field. The AES cipher is specified 
      as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. 
      Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds 
      are applied to transform ciphertext back into the original plaintext using the same encryption key.
    </t>
  </section>
  <section title="Twofish">
    <t>
      Twofish was first published in 1998.  It is specified in <xref
      target="Twofish"/>, and supports key lengths of 128, 192, and 256 bits.
     </t>
    <t>
      IETF uses include 9 RFCs, which specify its use in OpenPGP, SSH, and ZRTP.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on Twofish.
    </t>
    <t>
    	Attack:
    	
      The best known attack against this cipher is a truncated differential attack, which was shown in <xref target="TC:MY00"/>.
      A truncated differential, impossible differential attack was also shown in <xref target="TC:MY00"/>.
      The Saturation Attack - A Bait for Twofish was shown in <xref target="FSE:Lucks01"/>.   
      	 
      Analysis:  
      
      Improved Impossible Differentials on Twofish was shown in <xref target="INDOCRYPT:BihFur00"/>.
      On the Twofish Key Schedule was shown in <xref target="SAC:SKWWH98"/>.
    </t>
    <t>
    	Twofish is a symmetric key block cipher with a block size of
    	128 bits. It was one of the five finalists of the Advanced
    	Encryption Standard contest, but was not selected for
    	standardisation. Twofish is related to the earlier block
    	cipher Blowfish.  Twofish's distinctive features are the use
    	of pre-computed key-dependent S-boxes, and a relatively
      complex key schedule. Twofish borrows some elements from other
    	designs; for example, the pseudo-Hadamard transform (PHT) from
    	the SAFER family of ciphers. Twofish uses the same Feistel
    	structure as DES.  On most software platforms Twofish was
    	slightly slower than Rijndael for 128-bit keys, but somewhat
    	faster for 256-bit keys.  Twofish was designed by Bruce
    	Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall,
    	and Niels Ferguson; Twofish algorithm is free for anyone to
    	use without any restrictions whatsoever. It is one of a few
    	ciphers included in the OpenPGP standard (RFC 4880). However,
    	Twofish has seen less widespread usage than Blowfish, which
    	has been available longer.
    </t>
  </section>
  <section title="Serpent">
    <t>
      Serpent was first published in 1998.
      It is specified in <xref target="Serpent"/>,
      and supports key lengths of 128, 192, and 256 bits.
     </t>
    <t>
      IETF uses include 6 RFCs, which specify its use in SSH.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on Serpent.
    </t>
    <t>
    	Attack:
    	
      The best known attack against this cipher is a linear attack.
      The Rectangle Attack - Rectangling the Serpent was shown in <xref target="EC:BihDunKel01"/>.
      Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent was shown in <xref target="FSE:KelKohSch00"/>.
      A Differential-Linear Attack on 12-Round Serpent was shown in <xref target="INDOCRYPT:DunIndKel08"/>.	
      
      Analysis:
      
      Amplified boomerang, rectangle, differential cryptanalysis, linear cryptanalysis, and differential-linear cryptanalysis
      were shown in <xref target="ABA:KKS00"/>, <xref target="RA:BDK01"/>, <xref target="DC:WH00"/>, <xref target="LC:BDK02"/>, <xref target="DLC:BDK03"/>. 
      Multidimensional Linear Cryptanalysis of Reduced Round Serpent was shown in <xref target="ACISP:HerChoNyb08"/>.
      Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent was shown in <xref target="FSE:ColStaQui08"/>.
      Differential-Linear Cryptanalysis of Serpent was shown in <xref target="FSE:BihDunKel03a"/>.
      Linear Cryptanalysis of Reduced Round Serpent was shown in  <xref target="FSE:BihDunKel01"/>.
      A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent was shown in <xref target="ICISC:ChoHerNyb08"/>.
       	
      A Dynamic FPGA Implementation of the Serpent Block Cipher was shown in <xref target="CHES:Patterson00"/>.
      On the Pseudorandomness of the AES Finalists - RC6 and Serpent was shown in <xref target="FSE:IwaKur00"/>.
      Serpent: A New Block Cipher Proposal was shown in <xref target="FSE:BihAndKnu98"/>.     
    </t>
    <t>
      Serpent was a finalist in the AES contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.
    	Serpent was widely viewed as taking a more conservative approach to security than the other AES finalists, opting for a larger 
    	security margin: the designers deemed 16 rounds to be sufficient against known types of attack, but specified 32 rounds as insurance 
    	against future discoveries in cryptanalysis.
      The Serpent cipher is in the public domain and has not been patented. There are no restrictions or encumbrances whatsoever regarding its 
      use. As a result, anyone is free to incorporate Serpent in their software (or hardware implementations) without paying license fees.
    </t>
  </section>
 </section> 
<section title="64-bit Block Ciphers">
  <section title="MISTY1">
    <t>
      MISTY1 was first published in 1995.
      It is specified in <xref target="RFC2994"/>,
      and supports a key length of 128 bits.
     </t>
    <t>
      IETF use includes RFC 2994, which specifies the cipher.
      </t>
    <t>
      Intellectual Property Rights have been claimed on MISTY1.  The
      owner of those rights is Mitsubishi.  According to <xref
      target="RFC2994"/>, "the algorithm is freely available for
      academic (non-profit) use.  Additionally, the algorithm can be
      used for commercial use without paying the patent fee if you
      contract with Mitsubishi Electric Corporation.  For more
      information, please contact at MISTY@isl.melco.co.jp."
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->
      
      Attack:
      
      An Improved Impossible Differential Attack on MISTY1 was shown in <xref target="AC:DunKel08a"/>.
      Higher Order Differential Attacks on Reduced-Round MISTY1 was shown in <xref target="ICISC:TSSK08"/>.
      Improved Integral Attacks on MISTY1 was shown in <xref target="SAC:SunLai09"/>.
      
      Analysis:
      
      Cryptanalysis of Reduced-Round MISTY was shown in <xref target="EC:Kuhn01"/>.
      Improved Cryptanalysis of MISTY1 was shown in <xref target="FSE:Kuhn02"/>.
      Security Analysis of MISTY1 was shown in <xref target="WISA:THSK07"/>.
      	
      Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1 was shown in <xref target="RSA:LKKD08"/>.
      On MISTY1 Higher Order Differential Cryptanalysis was shown in <xref target="ICISC:BabFri00"/>.
     
      Security of the MISTY Structure in the Luby-Rackoff Model was shown in <xref target="SAC:PirQui04"/>.
      Round Security and Super-Pseudorandomness of MISTY Type Structure was shown in <xref target="FSE:IYYK01"/>.
      
      A Very Compact Hardware Implementation of the MISTY1 Block Cipher was shown in <xref target="CHES:YamYajIto08"/>.      
      New Block Encryption Algorithm MISTY was shown in <xref target="FSE:Matsui97"/>.                 
    </t>
  </section>
  <section title="SKIPJACK">
    <t>
      SKIPJACK was first published in 1998, and is specified in <xref target="SKIPJACK"/>.  It
      supports a key length of 80 bits.
     </t>
    <t>
      IETF use includes 15 RFCs, which describe its use in CMS and TELNET.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on SKIPJACK.  
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->
      
    	Attack:
    	
    	Saturation Attacks on Reduced Round Skipjack was shown in <xref target="FSE:KLLLL02"/>.
    		
    	Analysis:
    	
      Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis was shown in <xref target="AC:SLLHP00"/>.
      Truncated Differentials and Skipjack was shown in <xref target= "C:KnuRobWag99"/>.
      Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials was shown in <xref target= "EC:BihBirSha99"/>.     
      Flaws in Differential Cryptanalysis of Skipjack was shown in <xref target="FSE:Granboulan01"/>.
      Markov Truncated Differential Cryptanalysis of Skipjack was shown in <xref target="SAC:ReiWag02"/>.
      Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (Invited Talk) was shown in <xref target="SAC:BBDRS98"/>.
    </t>
  </section>
  <section title="RC2">
    <t>
      RC2 was first published in 1998.
      It is specified in <xref target="RFC2268"/>,
      and supports key lengths of 8, 16, 24, ... , 1024 bits.
     </t>
    <t>
      IETF use includes 36 RFCs, which specify the cipher and describe its use in CMS, SMIME, TLS, and PKIX.
      </t>
    <t>
      Intellectual Property Rights have not been claimed on RC2,
      though <xref target="RFC2268"/> says that "RC2 is a registered
      trademark of RSA Data Security, Inc. RSA's copyrighted RC2
      software is available under license from RSA Data Security, Inc."
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->      

      On the Design and Security of RC2 was shown in <xref target="FSE:KRRR98"/>.
      Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA was shown in <xref target="ICICS:KelSchWag97"/>.
    </t>
  </section>
  <section title="CAST-128">
    <t>
      CAST-128 was first published in 1997.
      It is specified in <xref target="RFC2144"/>,
      and supports a key length of 128 bits.
     </t>
    <t>
      IETF use includes 20 RFCs that specify the cipher and define its use in OpenPGP, IPsec, CMS, and PKIX.
      </t>
    <t>
      Intellectual Property Rights have been claimed on CAST-128 by
      Entrust.  According to <xref target="RFC2144"/>, "The CAST-128
      cipher described in this document is available worldwide on a
      royalty-free basis for commercial and non-commercial uses."
    </t>
    <!--
    <t>
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
    </t>
    <t>
      This space for commentary - history, background, interesting properties.
    </t>
    -->
  </section>
  <section title="BLOWFISH">
    <t>
      BLOWFISH was first published in 1994.
      It is specified in <xref target="Blowfish"/>,
      and supports key lengths of 32, 64, 96, ... , 448 bits.
     </t>
    <t>
      There is no IETF use.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on BLOWFISH. 
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->      
      A New Class of Weak Keys for Blowfish was shown in <xref target="FSE:KarMan07"/>.
      On the Weak Keys of Blowfish was shown in <xref target="FSE:Vaudenay96"/>.
      Description of a New Variable-Length Key 64-bit Block Cipher (Blowfish) was shown in <xref target="FSE:Schneier93"/>.
    </t>
  </section>
  <section title="International Data Encryption Algorithm (IDEA)">
    <t>
      IDEA was first published in 1992.
      It is specified in <xref target="IDEA"/>,
      and supports a key length of 128 bits.
     </t>
    <t>
      IETF use includes 9 RFCs, which describe its use in TLS and IPsec (but not in OpenPGP, 
      though IDEA was used in earlier PGP versions).
      </t>
    <t>
      Intellectual Property Rights have been claimed on IDEA.  The
      owner of those rights is MediaCrypt AG.
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->

      Attack:
      
      Two Attacks on Reduced IDEA was shown in <xref target="EC:BorKnuRij97"/>.
      A New Attack on 6-Round IDEA was shown in <xref target="FSE:BihDunKel07b"/>.
      New Attacks Against Reduced-Round Versions of IDEA was shown in <xref target="FSE:Junod05"/>.
      	
      Miss in the Middle Attacks on IDEA and Khufu was shown in <xref target="FSE:BihBirSha99"/>.
      A New Meet-in-the-Middle Attack on the IDEA Block Cipher was shown in <xref target="SAC:DemSelTur03"/>.
      	
      Square-like Attacks on Reduced Rounds of IDEA was shown in <xref target="SAC:Demirci02"/>.
      	
      Analysis:
      
      On the Security of the IDEA Block Cipher was shown in <xref target="EC:Meier93"/>.
      Cryptanalysis of IDEA-X/2 was shown in <xref target="FSE:Raddum03"/>.
      New Cryptanalytic Results on IDEA was shown in <xref target="AC:BihDunKel06"/>.
      On Applying Linear Cryptanalysis to IDEA was shown in <xref target="AC:HawOCo96"/>.
      Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in <xref target="C:KelSchWag96"/>.     
      Fault Analysis Study of IDEA was shown in <xref target="RSA:ClaGieVer08"/>.
      Differential-Linear Weak Key Classes of IDEA was shown in <xref target="EC:Hawkes98"/>.          
      Improved DST Cryptanalysis of IDEA was shown in <xref target="SAC:AyaSel06"/>.
      Weak Keys for IDEA was shown in <xref target="C:DaeGovVan93"/>.
      New Weak-Key Classes of IDEA was shown in <xref target="ICICS:BNPV02"/>.
    </t>
    <t>
      DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, 
      and the HMAC-Construction was shown in <xref target="CHES:LemSchPaa04"/>.
      Switching Blindings with a View Towards IDEA was shown in <xref target="CHES:NeiPul04"/>.
      Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm 
      IDEA was shown in <xref target="CHES:CTLL01"/>.
      Revisiting the IDEA Philosophy was shown in <xref target="FSE:JunMac09"/>.
      Nonlinearity Properties of the Mixing Operations of the Block Cipher IDEA was shown in <xref target="INDOCRYPT:Yildirim03"/>.
      A Note on Weak Keys of PES, IDEA, and Some Extended Variants was shown in <xref target="ISC:NakPreVan03"/>.
      IDEA: A Cipher For Multimedia Architectures? was shown in <xref target="SAC:Lipmaa98"/>.
    </t>
  </section>
  <section title="GOST 28147-89">
    <t>
      The GOST 28147-89 was first published in 1989.
      It is specified in <xref target="RFC5830"/>,
      and supports a key length of 256 bits.
      256 Bit Standardized Crypto for 650 GE - GOST Revisited was shown in <xref target="CHES:PosLinWan10"/>.
     </t>
    <t>
      IETF use includes 7 RFCs.
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on GOST 28147-89. 
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->      

      Attack:
      
      A Single-Key Attack on the Full GOST Block Cipher was shown in <xref target="FSE:Isobe11"/>.
      <!--
      A (Second) Preimage Attack on the GOST Hash Function was shown in <xref target="FSE:MenPraRec08"/>.
      -->
      
      Analysis:
      	
      Cryptanalysis of the GOST Hash Function was shown in <xref target="C:MPRKS08"/>.
      Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in <xref target="C:KelSchWag96"/>.     
      Differential Cryptanalysis of Reduced Rounds of GOST was shown in <xref target="SAC:SekKan00"/>.
    </t>
  </section>
  <section title="Triple Data Encryption Standard (TDES)">
    <t>
      The Triple Data Encryption Standard (TDES, or sometimes 3DES)
      was first published in 1979.  It is specified in
      <xref target="FIPS-46-3"/>, and supports a key length
      of 112 bits.
     </t>
    <t>
      IETF uses include citations in 143 RFCs, which describe the use of the cipher
      in IPsec, TLS, S/MIME, CMS, PKIX, PPP, SSH, and GSAKMP.
      </t>
    <t>
      Intellectual Property Rights have been claimed on TDES.  The
      owner of those rights is IBM.  According to <xref
      target="FIPS-46-3"/>, TDES may be "covered by U.S. and foreign
      patents, including patents issued to the International Business
      Machines Corporation. However, IBM has granted nonexclusive,
      royalty-free licenses under the patents to make, use and sell
      apparatus which complies with the standard."
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->

      Attack:
      
      Attacking Triple Encryption was shown in <xref target="FSE:Lucks98"/>.
      A Known Plaintext Attack on Two-Key Triple Encryption was shown in <xref target="EC:VanWie90"/>.
      	
      Analysis:
      
      The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs was shown in <xref target="EC:BelRog06"/>.
    </t>
  </section>
  <section title="Data Encryption Standard (DES)">
    <t>
      DES was first published in 1977.
      It is specified in <xref target="FIPS-46"/>,
      and its key length is 56 bits.
     </t>
    <t>
      IETF use includes 66 drafts and 158 RFCs.
      </t>
    <t>
      Intellectual Property Rights have been claimed on DES.  The
      owner of those rights is IBM.  According to <xref
      target="FIPS-46-3"/>, TDES may be "covered by U.S. and foreign
      patents, including patents issued to the International Business
      Machines Corporation. However, IBM has granted nonexclusive,
      royalty-free licenses under the patents to make, use and sell
      apparatus which complies with the standard."
    </t>
     <t>
       <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
       -->
       DES is currently obsolete; its key size is inadequate to
       protect against attackers with access to modern computing
       resources.  The security implications of using DES are
       discussed at length in <xref target="RFC4772"/>.  Historically,
       DES was instrumental in the development of modern cryptography;
       Differential <xref target="C:BihSha90"/> and Linear <xref
       target="EC:Matsui93"/> Cryptanalysis were developed through the
       analysis of the DES algorithm.
    </t>
    <t>
      DES was designed by an IBM research team led by Horst Feistel, a
      German-born cryptographer.  DES was a refinement of the earlier
      LUCIFER cipher, which is the first modern block cipher that has been
      publicly described.
    </t>
  </section>
</section>
<section title="Stream Ciphers">
  <section title="Kcipher-2">
    <t>
      KCipher-2 was first published in 2011.
      It is specified in
      <xref target="I-D.kiyomoto-kcipher2"/> 
      and supports a key length of 128 bits, and a 128-bit
      initialization vector.
     </t>
    <t>
      IETF use includes 2 drafts, which specify the cipher and describe
      its use in TLS.
      </t>
    <t>
      Intellectual Property Rights have been claimed on KCipher-2.
      The owners of those rights are KDDI and Qualcomm.
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->
    </t>
    <t>
    KCipher-2 has been used for industrial applications, especially
    for mobile health monitoring and diagnostic services in Japan.
    </t>
  </section>
 <section title="Rabbit">
    <t>
      Rabbit was first published in 2003 <xref target="FSE:BVPCS03"/> in a
      peer-reviewed workshop.  
      It is specified in <xref target="RFC4503"/>, and
      supports a key length of 128 bits, and a 64-bit IV.
     </t>
    <t>
      The only citation in IETF documents is the cipher specification itself.
      </t>
    <t>
      Intellectual Property Rights have been claimed on this cipher.
      The owner of those rights is Cryptico A/S.
    </t>
    <t>
      The best known attacks against this cipher have a complexity
      greater than 2^128, and thus do not violate its security goals.
      Distinguishing attacks were shown in <xref target="ISC:LuDes10"/> and <xref target="ISC:LuWanLin08"/>.
      Side-channel and fault-injection attacks were considered in <xref target="INDOCRYPT:BerCanGou09"/> and <xref target="SAC:KirYou09"/>,
      which described state-recovery attacks
      with 2^38 complexity.  These attacks rely on implementation
      leakage or induced faults rather than on the keystream alone,
      so they fall outside the 2^128 bound above and are a matter
      for implementation countermeasures.
    </t>
    <t>
      Rabbit is the only finalist from eSTREAM, the ECRYPT Stream
      Cipher Project, that appears in this note.  Rabbit has a
      relatively small internal state of about 64 bytes, and it
      updates all words of state at each iteration, in contrast to RC4
      (<xref target="RC4"/>).
    </t>
  </section>
  <section anchor="RC4" title="RC4">
    <t>
      RC4 was first described in 1994.  No normative specification
      exists; it is sometimes called ARCFOUR, which is short for
      alleged RC4.  The cipher supports key lengths of 8, 16, 24, ...,
      1024 bits.   RC4 does not accept an initialization vector.
<!--
      It is specified in <xref target="draft-ietf-krb-wg-des-die-die-die-04"/>(REFERENCE),
      and supports keys lengths 8,16,24, ... ,and 1024.
-->
     </t>
    <t>
      IETF use includes 54 RFCs and 23 drafts, which 
      describe the use of RC4 
      in TLS, Kerberos, and SSH. 
      </t>
    <t>
      Intellectual Property Rights have not been claimed 
      on RC4.  
    </t>
    <t>
      <!--
      The best known attack against this cipher is (CITATION).
      This cipher has been analyzed by (CITATION).
      -->


      Attack:
      
      A Practical Attack on the Fixed RC4 in the WEP Mode was shown in <xref target="AC:Mantin05"/>.
      New State Recovery Attack on RC4 was shown in <xref target="C:MaxKho08"/>.
      Statistical Attack on RC4 - Distinguishing WPA was shown in <xref target="EC:SepVauVua11"/>.
      Predicting and Distinguishing Attacks on RC4 Keystream Generator was shown in <xref target="EC:Mantin05"/>.
      Attack on Broadcast RC4 Revisited was shown in <xref target="FSE:MaiPauSen11"/>.
      Key Collisions of the RC4 Stream Cipher was shown in <xref target="FSE:Matsui09"/>.
      Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers was shown in <xref target="FSE:Maximov05"/>.
      A Practical Attack on Broadcast RC4 was shown in <xref target="FSE:ManSha01"/>.
      Collisions for RC4-Hash was shown in <xref target="ISC:IndPre08"/>.
      Passive-Only Key Recovery Attacks on RC4 was shown in <xref target="SAC:VauVua07"/>.
      Generalized RC4 Key Collisions and Hash Collisions was shown in <xref target="SCN:CheMiy10"/>.
      	
      Analysis:
      
      New Correlations of RC4 PRGA Using Nonzero-Bit Differences was shown in <xref target="ACISP:MiySuk09"/>.
      Cache Timing Analysis of RC4 was shown in <xref target="ACNS:ChaFouLer11"/>.
      Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4 was shown in <xref target="FSE:BihGraNgu05"/>.
      Statistical Analysis of the Alleged RC4 Keystream Generator was shown in <xref target="FSE:FluMcG00"/>.
      Analysis of RC4 and Proposal of Additional Layers for Better Security Margin was shown in <xref target="INDOCRYPT:MaiPau08"/>.
      Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator was shown in <xref target="INDOCRYPT:PauPre03"/>.
      Cryptanalysis of RC4-like Ciphers was shown in <xref target="SAC:MisTav98"/>.
      Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck was shown in <xref target="ACISP:MaiPau08"/>.
      (Not So) Random Shuffles of RC4 was shown in <xref target="C:Mironov02"/>.
      Linear Statistical Weakness of Alleged RC4 Keystream Generator was shown in <xref target="EC:Golic97a"/>.
      New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 was shown in <xref target="FSE:MaiPau08"/>.
      Efficient Reconstruction of RC4 Keys from Internal States was shown in <xref target="FSE:BihCar08"/>.
      A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher was shown in <xref target="FSE:PauPre04"/>.
      One Byte per Clock: A Novel RC4 Hardware was shown in <xref target="INDOCRYPT:SSMS10"/>.
      New Results on the Key Scheduling Algorithm of RC4 was shown in <xref target="INDOCRYPT:AkgKavDem08"/>.
      Discovery and Exploitation of New Biases in RC4 was shown in <xref target="SAC:SepVauVua10"/>.
      Permutation After RC4 Key Scheduling Reveals the Secret Key was shown in <xref target="SAC:PauMai07"/>.
      Weaknesses in the Key Scheduling Algorithm of RC4 was shown in <xref target="SAC:FluManSha01"/>.
    </t>
  </section>
</section>

    <section anchor="Acknowledgements" title="Acknowledgements">
      <t>
	Thanks are due to Jon Callas and Kevin Igoe.
      </t>

    </section>

    <!-- Possibly a 'Contributors' section ... -->

    <section anchor="IANA" title="IANA Considerations">
      <t>This memo includes no request to IANA.</t>

<!--
      <t>All drafts are required to have an IANA considerations section (see
      <xref target="I-D.narten-iana-considerations-rfc2434bis"/>the update of
      RFC 2434</xref> for a guide). If the draft does not require IANA to do
      anything, the section contains an explicit statement that this is the
      case (as above). If there are no requirements for IANA, the section will
      be removed during conversion into an RFC by the RFC Editor.</t>

-->
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>
	Security is the main topic of this note.
      </t>
    </section>
  </middle>

  <!--  *****BACK MATTER ***** -->

  <back>
    <!-- References split into informative and normative -->

    <!-- There are 2 ways to insert reference entries from the citation libraries:
     1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
     2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
        (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

     Both are cited textually in the same manner: by using xref elements.
     If you use the PI option, xml2rfc will, by default, try to find included files in the same
     directory as the including file. You can also define the XML_LIBRARY environment variable
     with a value containing a set of directories to search.  These can be either in the local
     filing system or remote ones accessed by http (http://domain/dir/... ).-->

    <references title="Normative References">
      <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->

      &RFC2119;

    </references>


    <references title="Informative References">
      <!-- Here we use entities that we defined at the beginning. -->

    &RFC5116;
    &RFC4949;

    &RFC4772;
    
    &I-D.kiyomoto-kcipher2;

      <reference anchor="K98">
       <front>
          <title> Record Breaking DES Key Search Completed</title>

          <author surname="Cryptography Research">
            <organization></organization>
          </author>

          <date year="1998" />
        </front>
	<format type='HTML' target='http://www.cryptography.com/technology/applied-research/research-efforts/des-key-search.html' />
      </reference>


      <reference anchor="NTT">
       <front>
          <title> 
	    Announcement of Royalty-free Licenses for Essential
	    Patents of NTT Encryption and Digital Signature Algorithms
	  </title>

          <author surname="NTT">
            <organization></organization>
          </author>

          <date year="2001" />
        </front>
	<format type='HTML' target='http://www.ntt.co.jp/news/news01e/0104/010417.html' />
      </reference>


      <reference anchor="SMS4">
       <front>
          <title> The SMS4 Block Cipher</title>

          <author surname="OSCCA">
            <organization></organization>
          </author>

          <date year="2006" />
        </front>
	<format type='PDF' target='http://www.oscca.gov.cn/UpFile/200621016423197990.pdf' />
      </reference>


      <reference anchor="ISPEC:BaiLi11">
       <front>
          <title> New Impossible Differential Attacks on Camellia</title>

          <author surname="Bai">
            <organization></organization>
          </author>

          <author surname="Li">
            <organization></organization>
          </author>

          <date year="2011" />
        </front>
	       <seriesInfo name="Lecture Notes in Computer Science" value="ISPEC 2012" />
	<format type='PS' target='https://eprint.iacr.org/2011/661.ps' />
      </reference>

      <reference anchor="Twofish">
       <front>
          <title> The Twofish Block Cipher</title>

          <author surname="Schneier">
            <organization></organization>
          </author>
          <author surname="Kelsey">
            <organization></organization>
          </author>
          <author surname="Whiting">
            <organization></organization>
          </author>
          <author surname="Wagner">
            <organization></organization>
          </author>
          <author surname="Hall">
            <organization></organization>
          </author>
          <author surname="Ferguson">
            <organization></organization>
          </author>

          <date year="1998" />
        </front>
<!--
	<format type='PDF' target='http://www.oscca.gov.cn/UpFile/200621016423197990.pdf' />
-->
      </reference>

      <reference anchor="Serpent">
       <front>
          <title> The Serpent Block Cipher</title>

          <author surname="Anderson">
            <organization></organization>
          </author>
          <author surname="Biham">
            <organization></organization>
          </author>
          <author surname="Knudsen">
            <organization></organization>
          </author>

          <date year="1998" />
        </front>
	<format type='PDF' target='http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf' />
      </reference>


      <reference anchor="SKIPJACK">
       <front>
          <title> SKIPJACK and KEA Specifications</title>

          <author surname="U.S. National Institute of Standards and Technology">
            <organization></organization>
          </author>

          <date year="1998" />
        </front>
	<format type='PDF' target='http://csrc.nist.gov/encryption/skipjack/skipjack.pdf' />
      </reference>

      <reference anchor="Blowfish">
       <front>
          <title> Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)</title>

          <author surname="Schneier">
            <organization></organization>
          </author>

          <date year="1994" />
        </front>
	       <seriesInfo name="Lecture Notes in Computer Science" value="fse94vol" />
	<format type='HTML' target='http://www.schneier.com/paper-blowfish-fse.html' />
      </reference>



      <reference anchor="IDEA">
       <front>
          <title> 
	  A Proposal for a New Block Encryption Standard
	  </title>

          <author surname="Lai">
            <organization></organization>
          </author>
          <author surname="Massey">
            <organization></organization>
          </author>

          <date year="1990" />
        </front>
	       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt90vol" />
	<format type='HTML' target='http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.14.3451' />
      </reference>



      &RFC5794;
      
      &RFC6114;

      &RFC4269;
      
      &RFC3713;
      
      &RFC2612;
      
      &RFC2994;
      
      &RFC2268;
      
      &RFC2144;

      &RFC5830;

      &RFC4503;

                        <reference anchor="FIPS-197">
                                <front>
                                        <title>Specification for the Advanced Encryption Standard (AES)</title>
                                        <author>
                                                <organization>National Institute of Standards and Technology</organization>
                                        </author>
                                        <date month="November" year="2001"></date>
                                </front>
                                <seriesInfo name="FIPS" value="197"></seriesInfo>
                        </reference>

                        <reference anchor="FIPS-46">
                                <front>
                                        <title>Data Encryption Standard (DES)</title>
                                        <author>
                                                <organization>National Institute of Standards and Technology</organization>
                                        </author>
                                        <date month="July" year="1977"></date>
                                </front>
                                <seriesInfo name="FIPS" value="46"></seriesInfo>
                        </reference>

                        <reference anchor="FIPS-46-3">
                                <front>
                                        <title>Data Encryption Standard (DES) (Revision 3)</title>
                                        <author>
                                                <organization>National Institute of Standards and Technology</organization>
                                        </author>
                                        <date month="October" year="1999"></date>
                                </front>
                                <seriesInfo name="FIPS" value="46-3"></seriesInfo>
                        </reference>


      <!-- A reference written by an organization, not a person. -->
      
<!-- ARIA -->


<reference anchor="NBC:KKP03">
       <front>
	 <title> Aria: New Block Cipher </title>
	 <author surname="Kwon" initials="D.">
	   <organization />
	 </author>
	 <author surname="Kim" initials="J.">
	   <organization />
	 </author>
	 <author surname="Park" initials="S.">
	   <organization />         
	 </author>
	 <author surname="Sung" initials="S.">
	   <organization />         
	 </author>
	 <author surname="Sohn" initials="Y.">
	   <organization />         
	 </author>
	 <author surname="Song" initials="J.">
	   <organization />         
	 </author>
	 <author surname="Yeom" initials="Y.">
	   <organization />         
	 </author>
	 <author surname="Lee" initials="S.">
	   <organization />         
	 </author>
	 <author surname="Lee" initials="J.">
	   <organization />         
	 </author>
	 <author surname="Chee" initials="S.">
	   <organization />         
	 </author>
	 <author surname="Lee" initials="J.">
	   <organization />         
	 </author>
	 <author surname="Han" initials="D.">
	   <organization />         
	 </author>
	 <author surname="Hong" initials="J.">
	   <organization />         
	 </author>

	 <date year="2003" />
       </front>
       <seriesInfo name="In Proc. Information Security and Cryptology-ICISC" value="" />
</reference>


<!--
<reference anchor="NBC:KKP03">
       <front>
          <title>Aria: New Block Cipher </title>
          <author surname="Kwon" initials="D.">
          	<orgnization/>
          </author>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Park" initials="S.">
          <organization />         
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="In Proc.Information Security and Cryptology-ICISC" value="NBC03vol" />
</reference>
-->

<reference anchor="MMA:TSLL10">
       <front>
          <title>Aria: A Meet-in-the-middle Attack on Aria</title>
          <author surname="Tang" initials="X.">
          <organization />
          </author>
          <author surname="Sun" initials="B.">
          <organization />
          </author>
          <author surname="Li" initials="R.">
          <organization />         
          </author>
           <author surname="Li" initials="C.">
          <organization />         
          </author>
          <date year="2010" />
       </front>
</reference>

<reference anchor="SPAA:BC03">
       <front>
          <title>Security and Performance Analysis of ARIA</title>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <author surname="Canniere" initials="C.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="ARIA-COSIC report.pdf" value="SPAA03vol" />
</reference> 

<reference anchor="CANS:DuChe10">
       <front>
          <title>Impossible Differential Cryptanalysis of ARIA Reduced to 7 Rounds</title>
          <author surname="Chen" initials="J.">
          <organization />
          </author>
          <author surname="Du" initials="C.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="cans10vol" />
</reference>

<reference anchor="ICISC:YanParYou06">
       <front>
          <title>The Smallest ARIA Module with 16-Bit Architecture</title>
          <author surname="Park" initials="J.">
          <organization />
          </author>
          <author surname="You" initials="Y.">
          <organization />
          </author>
          <author surname="Yang" initials="S.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc06vol" />
</reference>

<reference anchor="INDOCRYPT:FFGL10">
       <front>
          <title>New Boomerang Attacks on ARIA</title>
          <author surname="Forler" initials="C.">
          <organization />
          </author>
          <author surname="Gorski" initials="M.">
          <organization />
          </author>
          <author surname="Lucks" initials="S.">
          <organization />
          </author>
          <author surname="Fleischmann" initials="E.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="WISA:YHMOM06">
       <front>
          <title>Investigations of Power Analysis Attacks and Countermeasures for ARIA</title>
          <author surname="Herbst" initials="C.">
          <organization />
          </author>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <author surname="Moon" initials="S.">
          <organization />
          </author>
          <author surname="Yoo" initials="H.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa06vol" />
</reference>

<!-- CLEFIA -->

<reference anchor="BC:SSAMI07">
       <front>
          <title>Clefia: The 128-bit blockcipher CLEFIA </title>
          <author surname="Shirai" initials="T.">
          <organization />
          </author>
          <author surname="Shibutani" initials="K.">
          <organization />
          </author>
          <author surname="Akishita" initials="T.">
          <organization />         
          </author>
          <author surname="Moriai" initials="S.">
          <organization />
          </author>
          <author surname="Iwata" initials="T.">
          <organization />
          </author>
          <date year="2007" />
       </front>
</reference> 

<reference anchor="FSE:SSAMI07">
       <front>
          <title>The 128-Bit Blockcipher CLEFIA (Extended Abstract)</title>
          <author surname="Shibutani" initials="K.">
          <organization />
          </author>
          <author surname="Akishita" initials="T.">
          <organization />
          </author>
          <author surname="Moriai" initials="S.">
          <organization />
          </author>
          <author surname="Iwata" initials="T.">
          <organization />
          </author>
          <author surname="Shirai" initials="T.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse07vol" />
</reference> 

<reference anchor="IDCC:TTSSSK08">
       <front>
          <title>CLEFIA:Impossible Differential Cryptanalysis of CLEFIA</title>
          <author surname="Tsunoo" initials="Y.">
          <organization />
          </author>
          <author surname="Tsujihara" initials="E.">
          <organization />
          </author>
          <author surname="Shigeri" initials="M.">
          <organization />
          </author>
          <author surname="Saito" initials="T.">
          <organization />
          </author>
          <author surname="Suzaki" initials="T.">
          <organization />
          </author>
          <author surname="Kubo" initials="H.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Fast Software Encryption-FSE" value="IDCC08vol" />
</reference>  

<reference anchor="RSA:RebMuk11">
       <front>
          <title>Cryptanalysis of CLEFIA Using Differential Methods with Cache Trace Patterns</title>
          <author surname="Mukhopadhyay" initials="D.">
          <organization />
          </author>
          <author surname="Rebeiro" initials="C.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa11vol" />
</reference>

<reference anchor="ICICS:CheWuFen07">
       <front>
          <title>Differential Fault Analysis on CLEFIA</title>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Chen" initials="H.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics07vol" />
</reference>

<reference anchor="INDOCRYPT:Tezcan10">
       <front>
          <title>The Improbable Differential Attack: Cryptanalysis of Reduced Round CLEFIA</title>
          <author surname="Tezcan" initials="C.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>  
    
<!-- SMS4 -->

<reference anchor="LDC:KKHS08">
       <front>
          <title>SMS4: Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher</title>
          <author surname="Kim" initials="T.">
          <organization />
          </author>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Hong" initials="S.">
          <organization />         
          </author>
          <author surname="Sun" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Cryptology ePrint Archive" value="LDC08vol" />
</reference> 
  
<reference anchor="AARRS:DT08">
       <front>
          <title>SMS4: Analysis of the Attacking Reduced-Round Versions of the SMS4</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Toz" initials="D.">
          <organization />
          </author>      
          <date year="2008" />
       </front>
       <seriesInfo name="International Conference on Information and Communications Security-ICICS" value="AARRS:DT08vol" />
</reference>

<reference anchor="ACISP:ZhaZhaWu08">
       <front>
          <title>Cryptanalysis of Reduced-Round SMS4 Block Cipher</title>
          <author surname="Zhang" initials="W.">
          <organization />
          </author>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Zhang" initials="L.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp08vol" />
</reference>

<!--
<reference anchor="AFRICACRYPT:YapKhoPos10">
       <front>
          <title>Parallelizing the Camellia and SMS4 Block Ciphers</title>
          <author surname="Khoo" initials="K.">
          <organization />
          </author>
          <author surname="Poschmann" initials="A.">
          <organization />
          </author>
          <author surname="Yap" initials="H.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt10vol" />
</reference>
-->

<reference anchor="CANS:ChoYapKho09">
       <front>
          <title>An Analysis of the Compact XSL Attack on BES and Embedded SMS4</title>
          <author surname="Yap" initials="H.">
          <organization />
          </author>
          <author surname="Khoo" initials="K.">
          <organization />
          </author>
          <author surname="Choy" initials="J.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="cans09vol" />
</reference>

<reference anchor="ICICS:TozDun08">
       <front>
	 <title>Analysis of Two Attacks on Reduced-Round Versions of the SMS4</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Toz" initials="D.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics08vol" />
</reference>

<reference anchor="ICICS:Lu07">
       <front>
          <title>Attacking Reduced-Round Versions of the SMS4 Block Cipher in the Chinese WAPI Standard</title>
          <author surname="Lu" initials="J.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics07vol" />
</reference>

<reference anchor="ICISC:EriDinChr09">
       <front>
          <title>Algebraic Cryptanalysis of SMS4: Groebner Basis Attack and SAT Attack Compared</title>
          <author surname="Ding" initials="J.">
          <organization />
          </author>
          <author surname="Christensen" initials="C.">
          <organization />
          </author>
          <author surname="Erickson" initials="J.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc09vol" />
</reference>

<reference anchor="INDOCRYPT:JiHu07">
       <front>
          <title>New Description of SMS4 by an Embedding over GF(2^8)</title>
          <author surname="Hu" initials="L.">
          <organization />
          </author>
          <author surname="Ji" initials="W.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt07vol" />
</reference>

<reference anchor="SAC:EtrRob08">
       <front>
          <title>The Cryptanalysis of Reduced-Round SMS4</title>
          <author surname="Robshaw" initials="M.">
          <organization />
          </author>
          <author surname="Etrog" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac08vol" />
</reference>

<!-- SEED -->

<reference anchor="DC:YS03">
       <front>
          <title>SEED: Differential Cryptanalysis of a Reduced-Round SEED</title>
          <author surname="Yanami" initials="H.">
          <organization />
          </author>
          <author surname="Shimoyama" initials="T.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Security in Communication Networks-SCN 2002" value="YS03vol" />
</reference>   

<reference anchor="SKES:WMF03">
       <front>
          <title>SEED: Security on Korean Encryption Standard</title>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Ma" initials="H.">
          <organization />
          </author>     
           <author surname="Feng" initials="D.">
          <organization />
          </author>    
          <date year="2003" />
       </front>
       <seriesInfo name="Acta Electronica Sinica" value="2003-2004" />
</reference>

<reference anchor="SCN:YanShi02">
       <front>
          <title>Differential Cryptanalysis of a Reduced-Round SEED</title>
          <author surname="Shimoyama" initials="T.">
          <organization />
          </author>
          <author surname="Yanami" initials="H.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="scn02vol" />
</reference>

<reference anchor="WISA:YKHMP04">
       <front>
          <title>Side Channel Cryptanalysis on SEED</title>
          <author surname="Kim" initials="C.">
          <organization />
          </author>
          <author surname="Ha" initials="J.">
          <organization />
          </author>
          <author surname="Moon" initials="S.">
          <organization />
          </author>
          <author surname="Park" initials="I.">
          <organization />
          </author>
          <author surname="Yoo" initials="H.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa04vol" />
</reference>

<!-- Camellia -->

<reference anchor="SC:AIKMMNT00">
       <front>
          <title>Camellia: Specification of Camellia--128-bit block cipher</title>
          <author surname="AOKI" initials="K.">
          <organization />
          </author>
          <author surname="ICHIKAWA" initials="T.">
          <organization />
          </author>
           <author surname="KANDA" initials="M.">
          <organization />
          </author>
           <author surname="MATSUI" initials="M.">
          <organization />
          </author>
           <author surname="MORIAI" initials="S.">
          <organization />
          </author>
           <author surname="NAKAJIMA" initials="J.">
          <organization />
          </author>
            <author surname="TOKITA" initials="T.">
          <organization />
          </author>
          <date year="2000" />
       </front>
</reference>
   
<reference anchor="DLBRC:S02">
       <front>
          <title>Camellia: Differential, linear, boomerang and rectangle cryptanalysis of reduced-round Camellia</title>
          <author surname="Shirai" initials="T.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="The third NESSIE Workshop" value="DLBRC:S02" />
</reference>

<reference anchor="HRDA:HSK02">
       <front>
          <title>Camellia: Higher order differential attack of Camellia(2)</title>
          <author surname="Hatano" initials="Y.">
          <organization />
          </author>
           <author surname="Sekine" initials="H.">
          <organization />
          </author>
           <author surname="Kaneko" initials="T.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Selected areas in cryptography-sac 2002" value="HRDA:HSK02" />
</reference>

<reference anchor="AFRICACRYPT:YapKhoPos10">
       <front>
          <title>Parallelizing the Camellia and SMS4 Block Ciphers</title>
          <author surname="Khoo" initials="K.">
          <organization />
          </author>
          <author surname="Poschmann" initials="A.">
          <organization />
          </author>
          <author surname="Yap" initials="H.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt10vol" />
</reference>

<reference anchor="AC:SugKobIma01">
       <front>
          <title>Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis</title>
          <author surname="Kobara" initials="K.">
          <organization />
          </author>
          <author surname="Imai" initials="H.">
          <organization />
          </author>
          <author surname="Sugita" initials="M.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt01vol" />
</reference>

<reference anchor="CANS:JieZho06">
       <front>
          <title>Improved Collision Attack on Reduced Round Camellia</title>
          <author surname="Zhongya" initials="Z.">
          <organization />
          </author>
          <author surname="Jie" initials="G.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="cans06vol" />
</reference>

<reference anchor="CHES:SatMor03">
       <front>
          <title>Unified Hardware Architecture for 128-Bit Block Ciphers AES and Camellia</title>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches03vol" />
</reference>

<reference anchor="RSA:LKKD08">
       <front>
          <title>Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1</title>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Lu" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa08vol" />
</reference>

<reference anchor="EC:BirNik10">
       <front>
          <title>Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others</title>
          <author surname="Nikolic" initials="I.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt10vol" />
</reference>

<reference anchor="FSE:ShiKanAbe02">
       <front>
          <title>Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia</title>
          <author surname="Kanamaru" initials="S.">
          <organization />
          </author>
          <author surname="Abe" initials="G.">
          <organization />
          </author>
          <author surname="Shirai" initials="T.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse02vol" />
</reference>

<reference anchor="FSE:KanMat01">
       <front>
          <title>Security of Camellia against Truncated Differential Cryptanalysis</title>
          <author surname="Matsumoto" initials="T.">
          <organization />
          </author>
          <author surname="Kanda" initials="M.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="ICICS:LeiLiFen07">
       <front>
          <title>Square Like Attack on Camellia</title>
          <author surname="Li" initials="C.">
          <organization />
          </author>
          <author surname="Feng" initials="K.">
          <organization />
          </author>
          <author surname="Lei" initials="D.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics07vol" />
</reference>

<reference anchor="ICICS:HeQin01">
       <front>
          <title>Square Attack on Reduced Camellia Cipher</title>
          <author surname="Qing" initials="S.">
          <organization />
          </author>
          <author surname="He" initials="Y.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics01vol" />
</reference>

<reference anchor="ICISC:LHLLY01">
       <front>
          <title>Truncated Differential Cryptanalysis of Camellia</title>
          <author surname="Hong" initials="S.">
          <organization />
          </author>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <author surname="Lim" initials="J.">
          <organization />
          </author>
          <author surname="Yoon" initials="S.">
          <organization />
          </author>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc01vol" />
</reference>

<reference anchor="ISC:SatMor03">
       <front>
          <title>Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES</title>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc03vol" />
</reference>

<reference anchor="SAC:MSDB09">
       <front>
          <title>New Results on Impossible Differential Cryptanalysis of Reduced-Round Camellia-128</title>
          <author surname="Shakiba" initials="M.">
          <organization />
          </author>
          <author surname="Dakhilalian" initials="M.">
          <organization />
          </author>
          <author surname="Bagherikaram" initials="G.">
          <organization />
          </author>
          <author surname="Mala" initials="H.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>

<reference anchor="SAC:WuZhaZha08">
       <front>
          <title>Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia</title>
          <author surname="Zhang" initials="L.">
          <organization />
          </author>
          <author surname="Zhang" initials="W.">
          <organization />
          </author>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac08vol" />
</reference>

<reference anchor="SAC:LeiChaFen05">
       <front>
          <title>New Observation on Camellia</title>
          <author surname="Chao" initials="L.">
          <organization />
          </author>
          <author surname="Feng" initials="K.">
          <organization />
          </author>
          <author surname="Lei" initials="D.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac05vol" />
</reference>

<reference anchor="SAC:WuFenChe04">
       <front>
          <title>Collision Attack and Pseudorandomness of Reduced-Round Camellia</title>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Chen" initials="H.">
          <organization />
          </author>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac04vol" />
</reference>

<reference anchor="SAC:HatSekKan02">
       <front>
          <title>Higher Order Differential Attack of Camellia (II)</title>
          <author surname="Sekine" initials="H.">
          <organization />
          </author>
          <author surname="Kaneko" initials="T.">
          <organization />
          </author>
          <author surname="Hatano" initials="Y.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac02vol" />
</reference>

<reference anchor="FSE:YeoParKim02">
       <front>
          <title>On the Security of CAMELLIA against the Square Attack</title>
          <author surname="Park" initials="S.">
          <organization />
          </author>
          <author surname="Kim" initials="I.">
          <organization />
          </author>
          <author surname="Yeom" initials="Y.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse02vol" />
</reference>

<!-- CAST-256 -->

<reference anchor="EA:C98">
       <front>
          <title>Cast-256: The CAST-256 Encryption Algorithm</title>
          <author surname="Adams" initials="C.">
          <organization />
          </author>
          <date year="1998" />
       </front>
</reference>   

<reference anchor="CA:AHTW99">
       <front>
          <title>Cast-256: An Analysis of the CAST-256 Cipher</title>
          <author surname="Adams" initials="C.">
          <organization />
          </author>
           <author surname="Heys" initials="H.">
          <organization />
          </author>
           <author surname="Tavares" initials="S.">
          <organization />
          </author>
           <author surname="Wiener" initials="M.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering" value="CA:AHTW99" />
</reference>

<reference anchor="FSE:MorShiKan98">
       <front>
          <title>Higher Order Differential Attack of CAST Cipher</title>
          <author surname="Shimoyama" initials="T.">
          <organization />
          </author>
          <author surname="Kaneko" initials="T.">
          <organization />
          </author>
          <author surname="Moriai" initials="S.">
          <organization />
          </author>
          <date year="1998" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse98vol" />
</reference>

<reference anchor="ICICS:KelSchWag97">
       <front>
          <title>Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA</title>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics97vol" />
</reference>

<reference anchor="SAC:WamWanHu08">
       <front>
          <title>New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256</title>
          <author surname="Wang" initials="X.">
          <organization />
          </author>
          <author surname="Hu" initials="C.">
          <organization />
          </author>
          <author surname="Wang" initials="M.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac08vol" />
</reference>

<!--  Advanced Encryption Standard (AES) -->

<reference anchor="AP:DR99">
       <front>
          <title>AES: AES Proposal: Rijndael</title>
          <author surname="Daemen" initials="J.">
          <organization />
          </author>
           <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <date year="1999" />
       </front>
</reference>

<reference anchor="CAOR:GM00">
       <front>
          <title>AES: A collision attack on seven rounds of Rijndael</title>
          <author surname="Gilbert" initials="H.">
          <organization />
          </author>
           <author surname="Minier" initials="M.">
          <organization />
          </author>          
          <date year="2000" />
       </front>
       <seriesInfo name="Proceedings of the third AES candidate conference" value="CAOR:GM00" />
</reference>

<reference anchor="KRBR:BDK05">
       <front>
          <title>AES: Related-key boomerang and rectangle attacks</title>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
           <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <date year="2005" />
       </front>
        <seriesInfo name="Advances in cryptology-EUROCRYPT" value="KRBR:BDK05" />
</reference>

<reference anchor="RKIDA:BDK06">
       <front>
          <title>AES: Related-key impossible differential attacks on 8-round AES-192</title>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
           <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <date year="2006" />
       </front>
        <seriesInfo name="Topics in Cryptology-CT-RSA" value="KRBR:BDK06" />
</reference>

<reference anchor="MITMA:DS08">
       <front>
          <title>AES: A meet-in-the-middle attack on 8-round AES</title>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
           <author surname="Selcuk" initials="A.">
          <organization />
          </author>
          <date year="2008" />
       </front>
        <seriesInfo name="Fast Software Encryption-FSE" value="MITMA:DS08" />
</reference>

<reference anchor="ACISP:FleGorLuc09">
       <front>
          <title>Attacking 9 and 10 Rounds of AES-256</title>
          <author surname="Gorski" initials="M.">
          <organization />
          </author>
          <author surname="Lucks" initials="S.">
          <organization />
          </author>
          <author surname="Fleischmann" initials="E.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp09vol" />
</reference>

<reference anchor="ACISP:FouTun06">
       <front>
          <title>Cache Based Power Analysis Attacks on AES</title>
          <author surname="Tunstall" initials="M.">
          <organization />
          </author>
          <author surname="Fournier" initials="J.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp06vol" />
</reference>

<reference anchor="ACNS:LuPanHar10">
       <front>
          <title>Principles on the Security of AES against First and Second-Order Differential Power Analysis</title>
          <author surname="Pan" initials="J.">
          <organization />
          </author>
          <author surname="den Hartog" initials="J.">
          <organization />
          </author>
          <author surname="Lu" initials="J.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns10vol" />
</reference>

<reference anchor="ACNS:CanBat08">
       <front>
          <title>A Very Compact "Perfectly Masked" S-Box for AES</title>
          <author surname="Batina" initials="L.">
          <organization />
          </author>
          <author surname="Canright" initials="D.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns08vol" />
</reference>

<reference anchor="ACNS:TilHerMan07">
       <front>
          <title>Protecting AES Software Implementations on 32-Bit Processors Against Power Analysis</title>
          <author surname="Herbst" initials="C.">
          <organization />
          </author>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <author surname="Tillich" initials="S.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns07vol" />
</reference>

<reference anchor="ACNS:HerOswMan06">
       <front>
          <title>An AES Smart Card Implementation Resistant to Power Analysis Attacks</title>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <author surname="Herbst" initials="C.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns06vol" />
</reference>

<reference anchor="ACNS:DusLetViv03">
       <front>
          <title>Differential Fault Analysis on AES</title>
          <author surname="Letourneux" initials="G.">
          <organization />
          </author>
          <author surname="Vivolo" initials="O.">
          <organization />
          </author>
          <author surname="Dusart" initials="P.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns03vol" />
</reference>

<reference anchor="AFRICACRYPT:GenProQui11">
       <front>
          <title>Montgomery's Trick and Fast Implementation of Masked AES</title>
          <author surname="Prouff" initials="E.">
          <organization />
          </author>
          <author surname="Quisquater" initials="M.">
          <organization />
          </author>
          <author surname="Genelle" initials="L.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt11vol" />
</reference>

<reference anchor="AFRICACRYPT:AliMuk11">
       <front>
          <title>An Improved Differential Fault Analysis on AES-256</title>
          <author surname="Mukhopadhyay" initials="D.">
          <organization />
          </author>
          <author surname="Ali" initials="S.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt11vol" />
</reference>

<reference anchor="AFRICACRYPT:BSQPR08">
       <front>
          <title>Implementation of the AES-128 on Virtex-5 FPGAs</title>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <author surname="Quisquater" initials="J.">
          <organization />
          </author>
          <author surname="Pellegrin" initials="P.">
          <organization />
          </author>
          <author surname="Rouvroy" initials="G.">
          <organization />
          </author>
          <author surname="Bulens" initials="P.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt08vol" />
</reference>

<reference anchor="ASIACCS:NevSeiWan06">
       <front>
          <title>A refined look at Bernstein's AES side-channel analysis (Fast abstract)</title>
          <author surname="Seifert" initials="J.">
          <organization />
          </author>
          <author surname="Wang" initials="Z.">
          <organization />
          </author>
          <author surname="Neve" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <!-- seriesInfo left out: no series name or volume is recorded for this entry. -->
</reference>

<reference anchor="AC:DunKelSha10">
       <front>
          <title>Improved Single-Key Attacks on 8-Round AES-192 and AES-256</title>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt10vol" />
</reference>

<reference anchor="AC:BirKho09">
       <front>
          <title>Related-Key Cryptanalysis of the Full AES-192 and AES-256</title>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt09vol" />
</reference>

<reference anchor="AC:BBGR09">
       <front>
          <title>The Intel AES Instructions Set and the SHA-3 Candidates</title>
          <author surname="Billet" initials="O.">
          <organization />
          </author>
          <author surname="Gueron" initials="S.">
          <organization />
          </author>
          <author surname="Robshaw" initials="M.">
          <organization />
          </author>
          <author surname="Benadjila" initials="R.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt09vol" />
</reference>

<reference anchor="AC:Lenstra01">
       <front>
          <title>Unbelievable Security. Matching AES Security Using Public Key Systems (Invited Talk)</title>
          <author surname="Lenstra" initials="A.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt01vol" />
</reference>

<reference anchor="CANS:ZhaYuLiu10">
       <front>
          <title>An Algorithm Based Concurrent Error Detection Scheme for AES</title>
          <author surname="Yu" initials="Q.">
          <organization />
          </author>
          <author surname="Liu" initials="X.">
          <organization />
          </author>
          <author surname="Zhang" initials="C.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="cans10vol" />
</reference>

<reference anchor="CANS:RebSelDev06">
       <front>
          <title>Bitslice Implementation of AES</title>
          <author surname="Selvakumar" initials="A.">
          <organization />
          </author>
          <author surname="Devi" initials="A.">
          <organization />
          </author>
          <author surname="Rebeiro" initials="C.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="cans06vol" />
</reference>

<reference anchor="CHES:CFGRV11">
       <front>
          <title>Improved Collision-Correlation Power Analysis on First Order Protected AES</title>
          <author surname="Feix" initials="B.">
          <organization />
          </author>
          <author surname="Gagnerot" initials="G.">
          <organization />
          </author>
          <author surname="Roussellet" initials="M.">
          <organization />
          </author>
          <author surname="Verneuil" initials="V.">
          <organization />
          </author>
          <author surname="Clavier" initials="C.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:ProRoc11">
       <front>
          <title>Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols</title>
          <author surname="Roche" initials="T.">
          <organization />
          </author>
          <author surname="Prouff" initials="E.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:GouMar11">
       <front>
          <title>Protecting AES with Shamir's Secret Sharing Scheme</title>
          <author surname="Martinelli" initials="A.">
          <organization />
          </author>
          <author surname="Goubin" initials="L.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:KimHonLim11">
       <front>
          <title>A Fast and Provably Secure Higher-Order Masking of AES S-Box</title>
          <author surname="Hong" initials="S.">
          <organization />
          </author>
          <author surname="Lim" initials="J.">
          <organization />
          </author>
          <author surname="Kim" initials="H.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:RKSF11">
       <front>
          <title>Information Theoretic and Security Analysis of a 65-Nanometer DDSLL AES S-Box</title>
          <author surname="Kamel" initials="D.">
          <organization />
          </author>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <author surname="Flandre" initials="D.">
          <organization />
          </author>
          <author surname="Renauld" initials="M.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:DerFouLer11">
       <front>
          <title>Meet-in-the-Middle and Impossible Differential Fault Analysis on AES</title>
          <author surname="Fouque" initials="P.">
          <organization />
          </author>
          <author surname="Leresteux" initials="D.">
          <organization />
          </author>
          <author surname="Derbez" initials="P.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:BosOzeSta11">
       <front>
          <title>Efficient Hashing Using the AES Instruction Set</title>
          <author surname="Ozen" initials="O.">
          <organization />
          </author>
          <author surname="Stam" initials="M.">
          <organization />
          </author>
          <author surname="Bos" initials="J. W.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches11vol" />
</reference>

<reference anchor="CHES:NNTHM10">
       <front>
          <title>Mixed Bases for Efficient Inversion in F_((2^2)^2)^2 and Conversion Matrices of SubBytes of AES</title>
          <author surname="Nekado" initials="K.">
          <organization />
          </author>
          <author surname="Toyota" initials="T.">
          <organization />
          </author>
          <author surname="Hongo" initials="N.">
          <organization />
          </author>
          <author surname="Morikawa" initials="Y.">
          <organization />
          </author>
          <author surname="Nogami" initials="Y.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches10vol" />
</reference>

<reference anchor="CHES:RivPro10">
       <front>
          <title>Provably Secure Higher-Order Masking of AES</title>
          <author surname="Prouff" initials="E.">
          <organization />
          </author>
          <author surname="Rivain" initials="M.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches10vol" />
</reference>

<reference anchor="CHES:KasSch09">
       <front>
          <title>Faster and Timing-Attack Resistant AES-GCM</title>
          <author surname="Schwabe" initials="P.">
          <organization />
          </author>
          <author surname="Kasper" initials="E.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches09vol" />
</reference>

<reference anchor="CHES:Hamburg09">
       <front>
          <title>Accelerating AES with Vector Permute Instructions</title>
          <author surname="Hamburg" initials="M.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches09vol" />
</reference>

<reference anchor="CHES:RenStaVey09">
       <front>
          <title>Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA</title>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <author surname="Veyrat-Charvillon" initials="N.">
          <organization />
          </author>
          <author surname="Renauld" initials="M.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches09vol" />
</reference>

<reference anchor="CHES:Bogdanov08">
       <front>
          <title>Multiple-Differential Side-Channel Collision Attacks on AES</title>
          <author surname="Bogdanov" initials="A.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches08vol" />
</reference>

<reference anchor="CHES:SSHA08">
       <front>
          <title>High-Performance Concurrent Error Detection Scheme for AES Hardware</title>
          <author surname="Sugawara" initials="T.">
          <organization />
          </author>
          <author surname="Homma" initials="N.">
          <organization />
          </author>
          <author surname="Aoki" initials="T.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches08vol" />
</reference>

<reference anchor="CHES:KerRey08">
       <front>
          <title>A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis</title>
          <author surname="Reyhani-Masoleh" initials="A.">
          <organization />
          </author>
          <author surname="Mozaffari" initials="M.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches08vol" />
</reference>

<reference anchor="CHES:TilHer08">
       <front>
          <title>Attacking State-of-the-Art Software Countermeasures-A Case Study for AES</title>
          <author surname="Herbst" initials="C.">
          <organization />
          </author>
          <author surname="Tillich" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches08vol" />
</reference>

<reference anchor="CHES:Jaffe07">
       <front>
          <title>A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter</title>
          <author surname="Jaffe" initials="J.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches07vol" />
</reference>

<reference anchor="CHES:BBKK07">
       <front>
          <title>Collision Attacks on AES-Based MAC: Alpha-MAC</title>
          <author surname="Bogdanov" initials="A.">
          <organization />
          </author>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Kasper" initials="T.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches07vol" />
</reference>

<reference anchor="CHES:HarWal07">
       <front>
          <title>AES Encryption Implementation and Analysis on Commodity Graphics Processing Units</title>
          <author surname="Waldron" initials="J.">
          <organization />
          </author>
          <author surname="Harrison" initials="O.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches07vol" />
</reference>

<reference anchor="CHES:LWFB07">
       <front>
          <title>Multi-gigabit GCM-AES Architecture Optimized for FPGAs</title>
          <author surname="Wolkerstorfer" initials="J.">
          <organization />
          </author>
          <author surname="Felber" initials="N.">
          <organization />
          </author>
          <author surname="Braendli" initials="M.">
          <organization />
          </author>
          <author surname="Lemsitzer" initials="S.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches07vol" />
</reference>

<reference anchor="CHES:TilGro07">
       <front>
          <title>Power Analysis Resistant AES Implementation with Instruction Set Extensions</title>
          <author surname="Grossschadl" initials="J.">
          <organization />
          </author>
          <author surname="Tillich" initials="S.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches07vol" />
</reference>

<reference anchor="CHES:ManSch06">
       <front>
          <title>Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations</title>
          <author surname="Schramm" initials="K.">
          <organization />
          </author>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches06vol" />
</reference>

<reference anchor="CHES:MorShaSal06">
       <front>
          <title>A Generalized Method of Differential Fault Attack Against AES Cryptosystem</title>
          <author surname="Manzuri Shalmani" initials="M. T.">
          <organization />
          </author>
          <author surname="Salmasizadeh" initials="M.">
          <organization />
          </author>
          <author surname="Moradi" initials="A.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches06vol" />
</reference>

<reference anchor="CHES:BonMir06">
       <front>
          <title>Cache-Collision Timing Attacks Against AES</title>
          <author surname="Mironov" initials="I.">
          <organization />
          </author>
          <author surname="Bonneau" initials="J.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches06vol" />
</reference>

<reference anchor="CHES:TilGro06">
       <front>
          <title>Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors</title>
          <author surname="Grossschadl" initials="J.">
          <organization />
          </author>
          <author surname="Tillich" initials="S.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches06vol" />
</reference>

<reference anchor="CHES:ManPraOsw05">
       <front>
          <title>Successfully Attacking Masked AES Hardware Implementations</title>
          <author surname="Pramstaller" initials="N.">
          <organization />
          </author>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches05vol" />
</reference>

<reference anchor="CHES:GooBen05">
       <front>
          <title>AES on FPGA from the Fastest to the Smallest</title>
          <author surname="Benaissa" initials="M.">
          <organization />
          </author>
          <author surname="Good" initials="T.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches05vol" />
</reference>

<reference anchor="CHES:Canright05">
       <front>
          <title>A Very Compact S-Box for AES</title>
          <author surname="Canright" initials="D.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches05vol" />
</reference>

<reference anchor="CHES:SLFP04">
       <front>
          <title>A Collision-Attack on AES: Combining Side Channel- and Differential-Attack</title>
          <author surname="Leander" initials="G.">
          <organization />
          </author>
          <author surname="Felke" initials="P.">
          <organization />
          </author>
          <author surname="Paar" initials="C.">
          <organization />
          </author>
          <author surname="Schramm" initials="K.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches04vol" />
</reference>

<reference anchor="CHES:FelDomWol04">
       <front>
          <title>Strong Authentication for RFID Systems Using the AES Algorithm</title>
          <author surname="Dominikus" initials="S.">
          <organization />
          </author>
          <author surname="Wolkerstorfer" initials="J.">
          <organization />
          </author>
          <author surname="Feldhofer" initials="M.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches04vol" />
</reference>

<reference anchor="CHES:PirQui03">
       <front>
          <title>A Differential Fault Attack Technique against SPN Structures with Application to the AES and KHAZAD</title>
          <author surname="Quisquater" initials="J.">
          <organization />
          </author>
          <author surname="Piret" initials="G.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches03vol" />
</reference>

<!--
<reference anchor="CHES:SatMor03">
       <front>
          <title>Unified Hardware Architecture for 128-Bit Block Ciphers AES and Camellia</title>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches03vol" />
</reference>
-->

<reference anchor="CHES:ChoGaj03">
       <front>
          <title>Very Compact FPGA Implementation of the AES Algorithm</title>
          <author surname="Gaj" initials="K.">
          <organization />
          </author>
          <author surname="Chodowiec" initials="P.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches03vol" />
</reference>

<reference anchor="CHES:MorSat02">
       <front>
          <title>An Optimized S-Box Circuit Architecture for Low Power AES Design</title>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches02vol" />
</reference>

<reference anchor="CHES:TriDeSGer02">
       <front>
          <title>Simplified Adaptive Multiplicative Masking for AES</title>
          <author surname="De Seta" initials="D.">
          <organization />
          </author>
          <author surname="Germani" initials="L.">
          <organization />
          </author>
          <author surname="Trichina" initials="E.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches02vol" />
</reference>

<reference anchor="CHES:GolTym02">
       <front>
          <title>Multiplicative Masking and Power Analysis of AES</title>
          <author surname="Tymen" initials="C.">
          <organization />
          </author>
          <author surname="Golic" initials="J. Dj.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches02vol" />
</reference>

<reference anchor="CHES:KuoVer01">
       <front>
          <title>Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm</title>
          <author surname="Verbauwhede" initials="I.">
          <organization />
          </author>
          <author surname="Kuo" initials="H.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>

<reference anchor="CHES:AkkGir01">
       <front>
          <title>An Implementation of DES and AES Secure against Some Attacks</title>
          <author surname="Giraud" initials="C.">
          <organization />
          </author>
          <author surname="Akkar" initials="M.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>

<reference anchor="CHES:DanPraRol00">
       <front>
          <title>A Comparative Study of Performance of AES Final Candidates Using FPGAs</title>
          <author surname="Prasanna" initials="V. K.">
          <organization />
          </author>
          <author surname="Rolim" initials="J. D.">
          <organization />
          </author>
          <author surname="Dandalis" initials="A.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches00vol" />
</reference>

<reference anchor="C:BouDerFou11">
       <front>
          <title>Automatic Search of Attacks on Round-Reduced AES and Applications</title>
          <author surname="Derbez" initials="P.">
          <organization />
          </author>
          <author surname="Fouque" initials="P.">
          <organization />
          </author>
          <author surname="Bouillaguet" initials="C.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto11vol" />
</reference>

<reference anchor="C:BirKhoNik09">
       <front>
          <title>Distinguisher and Related-Key Attack on the Full AES-256</title>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Nikolic" initials="I.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto09vol" />
</reference>

<reference anchor="C:MurRob02">
       <front>
          <title>Essential Algebraic Structure within the AES</title>
          <author surname="Robshaw" initials="M. J.">
          <organization />
          </author>
          <author surname="Murphy" initials="S.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto02vol" />
</reference>

<reference anchor="RSA:BEPW10">
       <front>
          <title>Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs</title>
          <author surname="Eisenbarth" initials="T.">
          <organization />
          </author>
          <author surname="Paar" initials="C.">
          <organization />
          </author>
          <author surname="Wienecke" initials="M.">
          <organization />
          </author>
          <author surname="Bogdanov" initials="A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa10vol" />
</reference>

<reference anchor="RSA:SakYagOht09">
       <front>
          <title>Fault Analysis Attack against an AES Prototype Chip Using RSL</title>
          <author surname="Yagi" initials="T.">
          <organization />
          </author>
          <author surname="Ohta" initials="K.">
          <organization />
          </author>
          <author surname="Sakiyama" initials="K.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa09vol" />
</reference>

<reference anchor="RSA:TilHer08">
       <front>
          <title>Boosting AES Performance on a Tiny Processor Core</title>
          <author surname="Herbst" initials="C.">
          <organization />
          </author>
          <author surname="Tillich" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa08vol" />
</reference>

<reference anchor="RSA:Konighofer08">
       <front>
          <title>A Fast and Cache-Timing Resistant Implementation of the AES</title>
          <author surname="Konighofer" initials="R.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa08vol" />
</reference>

<reference anchor="RSA:AciSchKoc07">
       <front>
          <title>Cache Based Remote Timing Attack on the AES</title>
          <author surname="Schindler" initials="W.">
          <organization />
          </author>
          <author surname="Koc" initials="C. K.">
          <organization />
          </author>
          <author surname="Aciicmez" initials="O.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa07vol" />
</reference>

<reference anchor="RSA:OsvShaTro06">
       <front>
          <title>Cache Attacks and Countermeasures: The Case of AES</title>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Tromer" initials="E.">
          <organization />
          </author>
          <author surname="Osvik" initials="D. A.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa06vol" />
</reference>

<reference anchor="RSA:BihDunKel06">
       <front>
          <title>Related-Key Impossible Differential Attacks on 8-Round AES-192</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa06vol" />
</reference>

<reference anchor="RSA:SchPaa06">
       <front>
          <title>Higher Order Masking of the AES</title>
          <author surname="Paar" initials="C.">
          <organization />
          </author>
          <author surname="Schramm" initials="K.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa06vol" />
</reference>

<reference anchor="RSA:WuLuLai04">
       <front>
          <title>Design of AES Based on Dual Cipher and Composite Field</title>
          <author surname="Lu" initials="S.">
          <organization />
          </author>
          <author surname="Laih" initials="C.">
          <organization />
          </author>
          <author surname="Wu" initials="S.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa04vol" />
</reference>

<reference anchor="RSA:WolOswLam02">
       <front>
          <title>An ASIC Implementation of the AES S-Boxes</title>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <author surname="Lamberger" initials="M.">
          <organization />
          </author>
          <author surname="Wolkerstorfer" initials="J.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa02vol" />
</reference>

<reference anchor="EC:MPLPW11">
       <front>
          <title>Pushing the Limits: A Very Compact and a Threshold Implementation of AES</title>
          <author surname="Poschmann" initials="A.">
          <organization />
          </author>
          <author surname="Ling" initials="S.">
          <organization />
          </author>
          <author surname="Paar" initials="C.">
          <organization />
          </author>
          <author surname="Wang" initials="H.">
          <organization />
          </author>
          <author surname="Moradi" initials="A.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt11vol" />
</reference>

<reference anchor="EC:BDKKS10">
       <front>
          <title>Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt10vol" />
</reference>

<!--
<reference anchor="EC:BirNik10">
       <front>
          <title>Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES Camellia, Khazad and Others,</title>
          <author surname="Nikolic" initials="I.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt10vol" />
</reference>
-->

<reference anchor="EC:DaeRij02">
       <front>
          <title>AES and the Wide Trail Design Strategy (Invited Talk)</title>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Daemen" initials="J.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt02vol" />
</reference>

<reference anchor="FC:DamKel10">
       <front>
          <title>Secure Multiparty AES</title>
          <author surname="Keller" initials="M.">
          <organization />
          </author>
          <author surname="Damgard" initials="I.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fc10vol" />
</reference>

<reference anchor="FC:BloSei03">
       <front>
          <title>Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)</title>
          <author surname="Seifert" initials="J.">
          <organization />
          </author>
          <author surname="Blomer" initials="J.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fc03vol" />
</reference>

<reference anchor="FSE:Sasaki11">
       <front>
          <title>Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool</title>
          <author surname="Sasaki" initials="Y.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse11vol" />
</reference>

<reference anchor="FSE:OBSC10">
       <front>
          <title>Fast Software AES Encryption</title>
          <author surname="Bos" initials="J. W.">
          <organization />
          </author>
          <author surname="Stefan" initials="D.">
          <organization />
          </author>
          <author surname="Canright" initials="D.">
          <organization />
          </author>
          <author surname="Osvik" initials="D. A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse10vol" />
</reference>

<reference anchor="FSE:GilPey10">
       <front>
          <title>Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations</title>
          <author surname="Peyrin" initials="T.">
          <organization />
          </author>
          <author surname="Gilbert" initials="H.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse10vol" />
</reference>

<reference anchor="FSE:Gueron09">
       <front>
          <title>Intel's New AES Instructions for Enhanced Performance and Security (Invited Talk)</title>
          <author surname="Gueron" initials="S.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse09vol" />
</reference>

<reference anchor="FSE:DemSel08">
       <front>
          <title>A Meet-in-the-Middle Attack on 8-Round AES</title>
          <author surname="Selcuk" initials="A. A.">
          <organization />
          </author>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse08vol" />
</reference>

<reference anchor="FSE:KimHonPre07">
       <front>
          <title>Related-Key Rectangle Attacks on Reduced AES-192 and AES-256</title>
          <author surname="Hong" initials="S.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse07vol" />
</reference>

<reference anchor="FSE:BucPysWei06">
       <front>
          <title>A Zero-Dimensional Grobner Basis for AES-128</title>
          <author surname="Pyshkin" initials="A.">
          <organization />
          </author>
          <author surname="Weinmann" initials="R.">
          <organization />
          </author>
          <author surname="Buchmann" initials="J.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse06vol" />
</reference>

<reference anchor="FSE:MinTsu06">
       <front>
          <title>Provably Secure MACs from Differentially-Uniform Permutations and AES-Based Implementations</title>
          <author surname="Tsunoo" initials="Y.">
          <organization />
          </author>
          <author surname="Minematsu" initials="K.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse06vol" />
</reference>

<reference anchor="FSE:Bernstein05">
       <front>
          <title>The Poly1305-AES Message-Authentication Code</title>
          <author surname="Bernstein" initials="D. J.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:CidMurRob05">
       <front>
          <title>Small Scale Variants of the AES</title>
          <author surname="Murphy" initials="S.">
          <organization />
          </author>
          <author surname="Robshaw" initials="M. J. B.">
          <organization />
          </author>
          <author surname="Cid" initials="C.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:HKLP05">
       <front>
          <title>Related-Key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192</title>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Hong" initials="S.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:OMPR05">
       <front>
          <title>A Side-Channel Analysis Resistant Description of the AES S-Box</title>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <author surname="Pramstaller" initials="N.">
          <organization />
          </author>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:SonSeb03">
       <front>
          <title>Further Observations on the Structure of the AES Algorithm</title>
          <author surname="Seberry" initials="J.">
          <organization />
          </author>
          <author surname="Song" initials="B.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse03vol" />
</reference>

<reference anchor="FSE:Messerges00">
       <front>
          <title>Securing the AES Finalists Against Power Analysis Attacks</title>
          <author surname="Messerges" initials="T. S.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse00vol" />
</reference>

<reference anchor="FSE:IwaKur00">
       <front>
          <title>On the Pseudorandomness of the AES Finalists - RC6 and Serpent</title>
          <author surname="Kurosawa" initials="K.">
          <organization />
          </author>
          <author surname="Iwata" initials="T.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse00vol" />
</reference>

<reference anchor="FSE:AES97">
       <front>
          <title>Advanced Encryption Standard (Discussion)</title>
          <author surname="Anderson" initials="R.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse97vol" />
</reference>

<reference anchor="ICICS:ZSMTS07">
       <front>
          <title>Compact and Secure Design of Masked AES S-Box</title>
          <author surname="Salmasizadeh" initials="M.">
          <organization />
          </author>
          <author surname="Moradi" initials="A.">
          <organization />
          </author>
          <author surname="Tabandeh" initials="M.">
          <organization />
          </author>
          <author surname="Shalmani" initials="M. T. M.">
          <organization />
          </author>
          <author surname="Zakeri" initials="B.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics07vol" />
</reference>

<reference anchor="ICICS:AciKoc06">
       <front>
          <title>Trace-Driven Cache Attacks on AES (Short Paper)</title>
          <author surname="Ko&#231;" initials="&#199;. K.">
          <organization />
          </author>
          <author surname="Ac&#305;i&#231;mez" initials="O.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics06vol" />
</reference>

<reference anchor="ICICS:MonVau04">
       <front>
          <title>On Some Weak Extensions of AES and BES</title>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <author surname="Monnerat" initials="J.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics04vol" />
</reference>

<reference anchor="ICICS:WLFQ9">
       <front>
          <title>Cryptanalysis of some AES Candidate Algorithms</title>
          <author surname="Li" initials="B.">
          <organization />
          </author>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Qing" initials="S.">
          <organization />
          </author>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics99vol" />
</reference>

<reference anchor="ICISC:Karroumi10">
       <front>
          <title>Protecting White-Box AES with Dual Ciphers</title>
          <author surname="Karroumi" initials="M.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc10vol" />
</reference>

<reference anchor="ICISC:ZhaWuFen07">
       <front>
          <title>New Results on Impossible Differential Cryptanalysis of Reduced AES</title>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Zhang" initials="W.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc07vol" />
</reference>

<reference anchor="ICISC:CouGou05">
       <front>
          <title>An Algebraic Masking Method to Protect AES Against Power Attacks</title>
          <author surname="Goubin" initials="L.">
          <organization />
          </author>
          <author surname="Courtois" initials="N.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc05vol" />
</reference>

<reference anchor="ICISC:LopRodDia05">
       <front>
          <title>An FPGA Implementation of CCM Mode Using AES</title>
          <author surname="Rodr&#237;guez-Henr&#237;quez" initials="F.">
          <organization />
          </author>
          <author surname="D&#237;az-P&#233;rez" initials="A.">
          <organization />
          </author>
          <author surname="L&#243;pez-Trejo" initials="E.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc05vol" />
</reference>

<reference anchor="ICISC:Mangard02">
       <front>
          <title>A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion</title>
          <author surname="Mangard" initials="S.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc02vol" />
</reference>

<reference anchor="SP:GulBanKre11">
       <front>
          <title>Cache Games - Bringing Access-Based Cache Attacks on AES to Practice</title>
          <author surname="Bangerter" initials="E.">
          <organization />
          </author>
          <author surname="Krenn" initials="S.">
          <organization />
          </author>
          <author surname="Gullasch" initials="D.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="" value="" />
</reference>

<reference anchor="IMA:Knudsen99">
       <front>
          <title>Advanced Encryption Standard (AES) - An Update</title>
          <author surname="Knudsen" initials="L. R.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ima99vol" />
</reference>

<reference anchor="INDOCRYPT:ProRoc10">
       <front>
          <title>Attack on a Higher-Order Masking of the AES Based on Homographic Functions</title>
          <author surname="Roche" initials="T.">
          <organization />
          </author>
          <author surname="Prouff" initials="E.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="INDOCRYPT:MDRM10">
       <front>
          <title>Improved Impossible Differential Cryptanalysis of 7-Round AES-128</title>
          <author surname="Dakhilalian" initials="M.">
          <organization />
          </author>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Modarres-Hashemi" initials="M.">
          <organization />
          </author>
          <author surname="Mala" initials="H.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="INDOCRYPT:MulWysPre10">
       <front>
          <title>Cryptanalysis of a Perturbated White-Box AES Implementation</title>
          <author surname="Wyseur" initials="B.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="De Mulder" initials="Y.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="INDOCRYPT:ManGre10">
       <front>
          <title>A Program Generator for Intel AES-NI Instructions</title>
          <author surname="Gregg" initials="D.">
          <organization />
          </author>
          <author surname="Manley" initials="R.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="INDOCRYPT:DTCB09">
       <front>
          <title>Improved Meet-in-the-Middle Attacks on AES</title>
          <author surname="Taskin" initials="I.">
          <organization />
          </author>
          <author surname="&#199;oban" initials="M.">
          <organization />
          </author>
          <author surname="Baysal" initials="A.">
          <organization />
          </author>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt09vol" />
</reference>

<reference anchor="INDOCRYPT:GorLuc08">
       <front>
          <title>New Related-Key Boomerang Attacks on AES</title>
          <author surname="Lucks" initials="S.">
          <organization />
          </author>
          <author surname="Gorski" initials="M.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>

<reference anchor="INDOCRYPT:LDKK08">
       <front>
          <title>New Impossible Differential Attacks on AES</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Lu" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>

<reference anchor="INDOCRYPT:BerSch08">
       <front>
          <title>New AES Software Speed Records</title>
          <author surname="Schwabe" initials="P.">
          <organization />
          </author>
          <author surname="Bernstein" initials="D. J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>

<reference anchor="INDOCRYPT:ZZWF07">
       <front>
          <title>Related-Key Differential-Linear Attacks on Reduced AES-192</title>
          <author surname="Zhang" initials="L.">
          <organization />
          </author>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Zhang" initials="W.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt07vol" />
</reference>

<reference anchor="INDOCRYPT:KumMukCho07">
       <front>
          <title>Design of a Differential Power Analysis Resistant Masked AES S-Box (Short Presentation)</title>
          <author surname="Mukhopadhyay" initials="D.">
          <organization />
          </author>
          <author surname="Roy" initials="D.">
          <organization />
          </author>
          <author surname="Kumar" initials="K.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt07vol" />
</reference>

<reference anchor="INDOCRYPT:DarKuh06">
       <front>
          <title>AES Software Implementations on ARM7TDMI</title>
          <author surname="Kuhlman" initials="D.">
          <organization />
          </author>
          <author surname="Darnall" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt06vol" />
</reference>

<reference anchor="ISC:GueKou08">
       <front>
          <title>Vortex: A New Family of One-Way Hash Functions Based on AES Rounds and Carry-Less Multiplication</title>
          <author surname="Kounavis" initials="M. E.">
          <organization />
          </author>
          <author surname="Gueron" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc08vol" />
</reference>

<reference anchor="ISC:BatGieLem08">
       <front>
          <title>Comparative Evaluation of Rank Correlation Based DPA on an AES Prototype Chip</title>
          <author surname="Gierlichs" initials="B.">
          <organization />
          </author>
          <author surname="Lemke-Rust" initials="K.">
          <organization />
          </author>
          <author surname="Batina" initials="L.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc08vol" />
</reference>

<!--
<reference anchor="ISC:SatMor03">
       <front>
          <title>Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES</title>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc03vol" />
</reference>
-->

<reference anchor="IWSEC:HSST08">
       <front>
          <title>Bitstream Encryption and Authentication Using AES-GCM in Dynamically Reconfigurable Systems</title>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <author surname="Sakane" initials="H.">
          <organization />
          </author>
          <author surname="Toda" initials="K.">
          <organization />
          </author>
          <author surname="Hori" initials="Y.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="iwsec08vol" />
</reference>

<reference anchor="IWSEC:KRCJ06">
       <front>
          <title>Low Power AES Hardware Architecture for Radio Frequency Identification</title>
          <author surname="Ryou" initials="J.">
          <organization />
          </author>
          <author surname="Choi" initials="Y.">
          <organization />
          </author>
          <author surname="Jun" initials="S.">
          <organization />
          </author>
          <author surname="Kim" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="iwsec06vol" />
</reference>

<reference anchor="PKC:JonRob05">
       <front>
          <title>Securing RSA-KEM via the AES</title>
          <author surname="Robshaw" initials="M. J. B.">
          <organization />
          </author>
          <author surname="Jonsson" initials="J.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="pkc05vol" />
</reference>

<reference anchor="PODC:AEST06">
       <front>
          <title>Transactional contention management as a non-clairvoyant scheduling problem</title>
          <author surname="Epstein" initials="L.">
          <organization />
          </author>
          <author surname="Shachnai" initials="H.">
          <organization />
          </author>
          <author surname="Tamir" initials="T.">
          <organization />
          </author>
          <author surname="Attiya" initials="H.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="" value="" />
</reference>

<reference anchor="SAC:Nikolic10">
       <front>
          <title>Tweaking AES</title>
          <author surname="Nikolic" initials="I.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac10vol" />
</reference>

<reference anchor="SAC:MPRS09">
       <front>
          <title>Improved Cryptanalysis of the Reduced Gr&#248;stl Compression Function, ECHO Permutation and AES Block Cipher</title>
          <author surname="Peyrin" initials="T.">
          <organization />
          </author>
          <author surname="Rechberger" initials="C.">
          <organization />
          </author>
          <author surname="Schl&#228;ffer" initials="M.">
          <organization />
          </author>
          <author surname="Mendel" initials="F.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>

<reference anchor="SAC:CanOsv09">
       <front>
          <title>A More Compact AES</title>
          <author surname="Osvik" initials="D. A.">
          <organization />
          </author>
          <author surname="Canright" initials="D.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>

<reference anchor="SAC:Tsow09">
       <front>
          <title>An Improved Recovery Algorithm for Decayed AES Key Schedule Images</title>
          <author surname="Tsow" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>


<reference anchor="AC:BogKhoRec11">
       <front>
          <title>Biclique Cryptanalysis of the Full AES</title>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Rechberger" initials="C.">
          <organization />
          </author>
          <author surname="Bogdanov" initials="A.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt11vol" />
</reference>

<reference anchor="SAC:Bogdanov07">
       <front>
          <title>Improved Side-Channel Collision Attacks on AES</title>
          <author surname="Bogdanov" initials="A.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac07vol" />
</reference>

<reference anchor="SAC:BloKru07">
       <front>
          <title>Analysis of Countermeasures Against Access Driven Cache Attacks on AES</title>
          <author surname="Krummel" initials="V.">
          <organization />
          </author>
          <author surname="Bl&#246;mer" initials="J.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac07vol" />
</reference>

<reference anchor="SAC:ZWZF06">
       <front>
          <title>Improved Related-Key Impossible Differential Attacks on Reduced-Round AES-192</title>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Zhang" initials="L.">
          <organization />
          </author>
          <author surname="Feng" initials="D.">
          <organization />
          </author>
          <author surname="Zhang" initials="W.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac06vol" />
</reference>

<reference anchor="SAC:NevSei06">
       <front>
          <title>Advances on Access-Driven Cache Attacks on AES</title>
          <author surname="Seifert" initials="J.">
          <organization />
          </author>
          <author surname="Neve" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac06vol" />
</reference>

<reference anchor="SAC:BaiVau05">
       <front>
          <title>Proving the Security of AES Substitution-Permutation Network</title>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <author surname="Baign&#232;res" initials="T.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac05vol" />
</reference>

<reference anchor="SAC:BloGuaKru04">
       <front>
          <title>Provably Secure Masking of AES</title>
          <author surname="Guajardo" initials="J.">
          <organization />
          </author>
          <author surname="Krummel" initials="V.">
          <organization />
          </author>
          <author surname="Bl&#246;mer" initials="J.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac04vol" />
</reference>

<reference anchor="SAC:BilGilEch04">
       <front>
          <title>Cryptanalysis of a White Box AES Implementation</title>
          <author surname="Gilbert" initials="H.">
          <organization />
          </author>
          <author surname="Ech-Chatbi" initials="C.">
          <organization />
          </author>
          <author surname="Billet" initials="O.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac04vol" />
</reference>

<reference anchor="SAC:JakDes03">
       <front>
          <title>Related-Key Differential Cryptanalysis of 192-bit Key AES Variants</title>
          <author surname="Desmedt" initials="Y.">
          <organization />
          </author>
          <author surname="Jakimoski" initials="G.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac03vol" />
</reference>

<reference anchor="SAC:CEJV02">
       <front>
          <title>White-Box Cryptography and an AES Implementation</title>
          <author surname="Eisen" initials="P. A.">
          <organization />
          </author>
          <author surname="Johnson" initials="H.">
          <organization />
          </author>
          <author surname="van Oorschot" initials="P. C.">
          <organization />
          </author>
          <author surname="Chow" initials="S.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac02vol" />
</reference>

<reference anchor="SCN:NikRijSch08">
       <front>
          <title>Using Normal Bases for Compact Hardware Implementations of the AES S-Box</title>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Schl&#228;ffer" initials="M.">
          <organization />
          </author>
          <author surname="Nikova" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="scn08vol" />
</reference>

<reference anchor="SCN:DaeRij06">
       <front>
          <title>Understanding Two-Round Differentials in AES</title>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Daemen" initials="J.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="scn06vol" />
</reference>

<reference anchor="WISA:GalKizTun10">
       <front>
          <title>Improved Trace-Driven Cache-Collision Attacks against Embedded AES Implementations</title>
          <author surname="Kizhvatov" initials="I.">
          <organization />
          </author>
          <author surname="Tunstall" initials="M.">
          <organization />
          </author>
          <author surname="Gallais" initials="J.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa10vol" />
</reference>

<reference anchor="WISA:SchKim08">
       <front>
          <title>A Probing Attack on AES</title>
          <author surname="Kim" initials="C. H.">
          <organization />
          </author>
          <author surname="Schmidt" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa08vol" />
</reference>

<reference anchor="WISA:OswSch05">
       <front>
          <title>An Efficient Masking Scheme for AES Software Implementations</title>
          <author surname="Schramm" initials="K.">
          <organization />
          </author>
          <author surname="Oswald" initials="E.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa05vol" />
</reference>

<reference anchor="WISA:TriKor04">
       <front>
          <title>Secure and Efficient AES Software Implementation for Smart Cards</title>
          <author surname="Korkishko" initials="L.">
          <organization />
          </author>
          <author surname="Trichina" initials="E.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa04vol" />
</reference>

<reference anchor="AFRICACRYPT:MinPhaPou09">
       <front>
          <title>Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks</title>
          <author surname="Phan" initials="R. C.-W.">
          <organization />
          </author>
          <author surname="Pousse" initials="B.">
          <organization />
          </author>
          <author surname="Minier" initials="M.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt09vol" />
</reference>

<reference anchor="AFRICACRYPT:GalMin08">
       <front>
          <title>Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds</title>
          <author surname="Minier" initials="M.">
          <organization />
          </author>
          <author surname="Galice" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="africacrypt08vol" />
</reference>

<reference anchor="AC:BarBih02">
       <front>
          <title>In How Many Ways Can You Write Rijndael?</title>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <author surname="Barkan" initials="E.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt02vol" />
</reference>

<reference anchor="AC:PSCYL02">
       <front>
          <title>On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis</title>
          <author surname="Sung" initials="S. H.">
          <organization />
          </author>
          <author surname="Chee" initials="S.">
          <organization />
          </author>
          <author surname="Yoon" initials="E.">
          <organization />
          </author>
          <author surname="Lim" initials="J.">
          <organization />
          </author>
          <author surname="Park" initials="S.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt02vol" />
</reference>

<reference anchor="AC:SMTM01">
       <front>
          <title>A Compact Rijndael Hardware Architecture with S-Box Optimization</title>
          <author surname="Morioka" initials="S.">
          <organization />
          </author>
          <author surname="Takano" initials="K.">
          <organization />
          </author>
          <author surname="Munetoh" initials="S.">
          <organization />
          </author>
          <author surname="Satoh" initials="A.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt01vol" />
</reference>

<reference anchor="CHES:MasRaiAhm06">
       <front>
          <title>NanoCMOS-Molecular Realization of Rijndael</title>
          <author surname="Raissi" initials="F.">
          <organization />
          </author>
          <author surname="Ahmadian" initials="M.">
          <organization />
          </author>
          <author surname="Masoumi" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches06vol" />
</reference>

<reference anchor="CHES:GebHoTiu05">
       <front>
          <title>EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA</title>
          <author surname="Ho" initials="S.">
          <organization />
          </author>
          <author surname="Tiu" initials="C.">
          <organization />
          </author>
          <author surname="Gebotys" initials="C.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches05vol" />
</reference>

<reference anchor="CHES:StaBerPre04">
       <front>
          <title>Power Analysis of an FPGA: Implementation of Rijndael: Is Pipelining a DPA Countermeasure?</title>
          <author surname="Berna" initials="S.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches04vol" />
</reference>

<reference anchor="CHES:SRQL03">
       <front>
          <title>Efficient Implementation of Rijndael Encryption in Reconfigurable Hardware: Improvements and Design Tradeoffs</title>
          <author surname="Rouvroy" initials="G.">
          <organization />
          </author>
          <author surname="Quisquater" initials="J.">
          <organization />
          </author>
          <author surname="Legat" initials="J.">
          <organization />
          </author>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches03vol" />
</reference>

<!--
<reference anchor="CHES:KuoVer01">
       <front>
          <title>Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm</title>
          <author surname="Verbauwhede" initials="I.">
          <organization />
          </author>
          <author surname="Kuo" initials="H.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>
-->


<reference anchor="CHES:McLMcC01">
       <front>
          <title>High Performance Single-Chip FPGA Rijndael Algorithm Implementations</title>
          <author surname="McCanny" initials="J.">
          <organization />
          </author>
          <author surname="McLoone" initials="M.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>

<reference anchor="CHES:FisDru01">
       <front>
          <title>Two Methods of Rijndael Implementation in Reconfigurable Hardware</title>
          <author surname="Drutarovsk&#253;" initials="M.">
          <organization />
          </author>
          <author surname="Fischer" initials="V.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>

<reference anchor="RSA:MBPV05">
       <front>
          <title>A Systematic Evaluation of Compact Hardware Implementations for the Rijndael S-Box</title>
          <author surname="Batina" initials="L.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Verbauwhede" initials="I.">
          <organization />
          </author>
          <author surname="Mentens" initials="N.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa05vol" />
</reference>

<reference anchor="ICISC:SonSeb02">
       <front>
          <title>Consistent Differential Patterns of Rijndael</title>
          <author surname="Seberry" initials="J.">
          <organization />
          </author>
          <author surname="Song" initials="B.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc02vol" />
</reference>

<reference anchor="ISC:ZWPKY08">
       <front>
          <title>Improved Impossible Differential Attacks on Large-Block Rijndael</title>
          <author surname="Wu" initials="W.">
          <organization />
          </author>
          <author surname="Hong" initials="J.">
          <organization />
          </author>
          <author surname="Wook" initials="B.">
          <organization />
          </author>
          <author surname="Yeom" initials="Y.">
          <organization />
          </author>
          <author surname="Zhang" initials="L.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc08vol" />
</reference>

<reference anchor="ISC:NakPav07">
       <front>
          <title>Impossible-Differential Attacks on Large-Block Rijndael</title>
          <author surname="Carlos" initials="I.">
          <organization />
          </author>
          <author surname="Nakahara" initials="J.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc07vol" />
</reference>

<reference anchor="ISC:CGBS01">
       <front>
          <title>Experimental Testing of the Gigabit IPSec-Compliant Implementations of Rijndael and Triple DES Using SLAAC-1V FPGA Accelerator Board</title>
          <author surname="Gaj" initials="K.">
          <organization />
          </author>
          <author surname="Bellows" initials="P.">
          <organization />
          </author>
          <author surname="Schott" initials="B.">
          <organization />
          </author>
          <author surname="Chodowiec" initials="P.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc01vol" />
</reference>

<reference anchor="IWSEC:Sasaki10">
       <front>
          <title>Known-Key Attacks on Rijndael with Large Blocks and Strengthening ShiftRow Parameter</title>
          <author surname="Sasaki" initials="Y.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="iwsec10vol" />
</reference>

<reference anchor="SAC:FegSchWhi01">
       <front>
          <title>A Simple Algebraic Representation of Rijndael</title>
          <author surname="Schroeppel" initials="R.">
          <organization />
          </author>
          <author surname="Whiting" initials="D.">
          <organization />
          </author>
          <author surname="Ferguson" initials="N.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac01vol" />
</reference>

<reference anchor="SAC:KelMeiTav01">
       <front>
          <title>Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael</title>
          <author surname="Meijer" initials="H.">
          <organization />
          </author>
          <author surname="Tavares" initials="S.">
          <organization />
          </author>
          <author surname="Keliher" initials="L.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac01vol" />
</reference>

<reference anchor="FSE:Wernsdorf02">
       <front>
          <title>The Round Functions of RIJNDAEL Generate the Alternating Group</title>
          <author surname="Wernsdorf" initials="R.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse02vol" />
</reference>


<!-- Twofish  -->

<reference anchor="TC:MY00">
       <front>
          <title>Twofish: Cryptanalysis of twofish(2)</title>
          <author surname="Moriai" initials="S.">
          <organization />
          </author>
           <author surname="Yin" initials="Y.">
          <organization />
          </author>
          <date year="2000" />
       </front>
             <seriesInfo name="Technical report,IEICE" value="TC:MY00" />
</reference>   

<reference anchor="FSE:Lucks01">
       <front>
          <title>The Saturation Attack - A Bait for Twofish</title>
          <author surname="Lucks" initials="S.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="INDOCRYPT:BihFur00">
       <front>
          <title>Improved Impossible Differentials on Twofish</title>
          <author surname="Furman" initials="V.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt00vol" />
</reference>

<reference anchor="SAC:SKWWH98">
       <front>
          <title>On the Twofish Key Schedule</title>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <author surname="Whiting" initials="D.">
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Hall" initials="C.">
          <organization />
          </author>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac98vol" />
</reference>

<!-- Serpent -->

<reference anchor="ABA:KKS00">
       <front>
          <title>Serpent: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent</title>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
           <author surname="Kohno" initials="T.">
          <organization />
          </author>
           <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <date year="2000" />
       </front>
             <seriesInfo name="Fast software encryption-FSE" value="ABA:KKS00" />
</reference>  
<reference anchor="RA:BDK01">
       <front>
          <title>Serpent: The rectangle attack-rectangling the serpent</title>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
           <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
             <author surname="Keller" initials="N.">
          <organization />
          </author>
          <date year="2001" />
       </front>
             <seriesInfo name="Advances in cryptology-EUROCRYPT" value="RA:BDK01" />
</reference>  
<reference anchor="DC:WH00">
       <front>
          <title>Serpent: The differential cryptanalysis of an AES finalist-serpent</title>
          <author surname="Wang" initials="X.">
          <organization />
          </author>
           <author surname="Hui" initials="L.">
          <organization />
          </author>
          <date year="2000" />
       </front>
             <seriesInfo name="Technical report TP-2000-04" value="DC:WH00" />
</reference>  
<reference anchor="LC:BDK02">
       <front>
          <title>Serpent: Linear cryptanalysis of reduced round serpent </title>
           <author surname="Biham" initials="E.">
          <organization />
          </author>
           <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
             <author surname="Keller" initials="N.">
          <organization />
          </author>
          <date year="2002" />
       </front>
             <seriesInfo name="Fast software encryption-FSE 2003" value="LC:BDK02" />
</reference>  
<reference anchor="DLC:BDK03">
       <front>
          <title>Serpent: Differential-Linear cryptanalysis of serpent </title>
           <author surname="Biham" initials="E.">
          <organization />
          </author>
           <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
             <author surname="Keller" initials="N.">
          <organization />
          </author>
          <date year="2003" />
       </front>
             <seriesInfo name="Fast software encryption-FSE 2003" value="DLC:BDK03" />
</reference>


<reference anchor="ACISP:HerChoNyb08">
       <front>
          <title>Multidimensional Linear Cryptanalysis of Reduced Round Serpent</title>
          <author surname="Cho" initials="J.">
          <organization />
          </author>
          <author surname="Nyberg" initials="K.">
          <organization />
          </author>
          <author surname="Hermelin" initials="M.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp08vol" />
</reference>

<reference anchor="CHES:Patterson00">
       <front>
          <title>A Dynamic FPGA Implementation of the Serpent Block Cipher</title>
          <author surname="Patterson" initials="C.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches00vol" />
</reference>

<reference anchor="EC:BihDunKel01">
       <front>
          <title>The Rectangle Attack - Rectangling the Serpent</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt01vol" />
</reference>

<reference anchor="FSE:ColStaQui08">
       <front>
          <title>Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent</title>
          <author surname="Standaert" initials="F.">
          <organization />
          </author>
          <author surname="Quisquater" initials="J.">
          <organization />
          </author>
          <author surname="Collard" initials="B.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse08vol" />
</reference>

<reference anchor="FSE:BihDunKel03a">
       <front>
          <title>Differential-Linear Cryptanalysis of Serpent</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse03vol" />
</reference>

<reference anchor="FSE:BihDunKel01">
       <front>
          <title>Linear Cryptanalysis of Reduced Round Serpent</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="FSE:KelKohSch00">
       <front>
          <title>Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent</title>
          <author surname="Kohno" initials="T.">
          <organization />
          </author>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse00vol" />
</reference>

<!--
<reference anchor="FSE:IwaKur00">
       <front>
          <title>On the Pseudorandomness of the AES Finalists - RC6 and Serpent</title>
          <author surname="Kurosawa" initials="K.">
          <organization />
          </author>
          <author surname="Iwata" initials="T.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse00vol" />
</reference>
-->

<reference anchor="FSE:BihAndKnu98">
       <front>
          <title>Serpent: A New Block Cipher Proposal</title>
          <author surname="Anderson" initials="R.">
          <organization />
          </author>
          <author surname="Knudsen" initials="L.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="1998" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse98vol" />
</reference>

<reference anchor="ICISC:ChoHerNyb08">
       <front>
          <title>A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent</title>
          <author surname="Hermelin" initials="M.">
          <organization />
          </author>
          <author surname="Nyberg" initials="K.">
          <organization />
          </author>
          <author surname="Cho" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc08vol" />
</reference>

<reference anchor="INDOCRYPT:DunIndKel08">
       <front>
          <title>A Differential-Linear Attack on 12-Round Serpent</title>
          <author surname="Indesteege" initials="S.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>
<!-- Rabbit has 5 citations -->

<reference anchor="INDOCRYPT:BerCanGou09">
       <front>
          <title>Fault Analysis of Rabbit: Toward a Secret Key Leakage</title>
          <author surname="Canovas-Dumas" initials="C.">
          <organization />
          </author>
          <author surname="Goubin" initials="L.">
          <organization />
          </author>
          <author surname="Berzati" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt09vol" />
</reference>

<reference anchor="ISC:LuDes10">
       <front>
          <title>Improved Distinguishing Attack on Rabbit</title>
          <author surname="Desmedt" initials="Y.">
          <organization />
          </author>
          <author surname="Lu" initials="Y.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc10vol" />
</reference>

<reference anchor="ISC:LuWanLin08">
       <front>
          <title>Cryptanalysis of Rabbit</title>
          <author surname="Wang" initials="H.">
          <organization />
          </author>
          <author surname="Ling" initials="S.">
          <organization />
          </author>
          <author surname="Lu" initials="Y.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc08vol" />
</reference>

<reference anchor="SAC:KirYou09">
       <front>
          <title>Differential Fault Analysis of Rabbit</title>
          <author surname="Youssef" initials="A.">
          <organization />
          </author>
          <author surname="Kircanski" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>

<reference anchor="FSE:BVPCS03">
       <front>
          <title>Rabbit: A New High-Performance Stream Cipher</title>
          <author surname="Vesterager" initials="M.">
          <organization />
          </author>
          <author surname="Pedersen" initials="T.">
          <organization />
          </author>
          <author surname="Christiansen" initials="J.">
          <organization />
          </author>
          <author surname="Scavenius" initials="O.">
          <organization />
          </author>
          <author surname="Boesgaard" initials="M.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse03vol" />
</reference>


<!-- kcipher-2 
  note: cipher is called "K2" in its peer reviewed publications

  citations from the specification internet draft:

   [SASC07] S. Kiyomoto, T. Tanaka, and K. Sakurai, "A Word-Oriented
             Stream Cipher Using Clock Control", Proc. SASC 2007 pp.
             260-274.

   [SECRYPT07] S. Kiyomoto, T. Tanaka, and K. Sakurai, "K2: A Stream
             Cipher Algorithm Using Dynamic Feedback Control", Proc.
             SECRYPT 2007 pp. 204-213.

   [ICETE07] S. Kiyomoto, T. Tanaka, and K. Sakurai, "K2 Stream Cipher",
             Proc. ICETE 2007 pp. 214-226.

   [CRYPTEC] A. Bogdanov, B. Preneel, and V. Rijmen, "Security
             Evaluation of the K2 Stream Cipher", 2010.
             http://www.cryptrec.go.jp/english/estimation.html

-->

<reference anchor="ACISP:HYYKT10">
       <front>
          <title>Side-Channel Analysis of the K2 Stream Cipher</title>
          <author surname="Yap" initials="W.">
          <organization />
          </author>
          <author surname="Hoo" initials="C.">
          <organization />
          </author>
          <author surname="Kiyomoto" initials="S.">
          <organization />
          </author>
          <author surname="Tanaka" initials="T.">
          <organization />
          </author>
          <author surname="Henricksen" initials="M.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp10vol" />
</reference>

<!-- DES - 85 -->

<reference anchor="C:BihSha90">
       <front>
          <title>Differential Cryptanalysis of DES-like Cryptosystems</title>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="1991" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto90vol" />
</reference>

<reference anchor="EC:Matsui93">
       <front>
          <title>Linear Cryptanalysis Method for DES Cipher</title>
          <author surname="Matsui" initials="M.">
          <organization />
          </author>
          <date year="1993" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt93vol" />
</reference>



<!-- Triple-DES -->

<reference anchor="FSE:Lucks98">
       <front>
          <title>Attacking Triple Encryption</title>
          <author surname="Lucks" initials="S.">
          <organization />
          </author>
          <date year="1998" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse98vol" />
</reference>


<reference anchor="EC:VanWie90">
       <front>
          <title>A Known Plaintext Attack on Two-Key Triple Encryption</title>
          <author surname="Wiener" initials="M.">
          <organization />
          </author>
          <author surname="van Oorschot" initials="P.">
          <organization />
          </author>
          <date year="1990" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt90vol" />
</reference>

<reference anchor="EC:BelRog06">
       <front>
          <title>The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs</title>
          <author surname="Rogaway" initials="P.">
          <organization />
          </author>
          <author surname="Bellare" initials="M.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt06vol" />
</reference>

<!-- RC4 -->


<reference anchor="ACISP:MiySuk09">
       <front>
          <title>New Correlations of RC4 PRGA Using Nonzero-Bit Differences</title>
          <author surname="Sukegawa" initials="M.">
          <organization />
          </author>
          <author surname="Miyaji" initials="A.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp09vol" />
</reference>

<reference anchor="ACISP:MaiPau08">
       <front>
          <title>Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck</title>
          <author surname="Paul" initials="G.">
          <organization />
          </author>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acisp08vol" />
</reference>

<reference anchor="ACNS:ChaFouLer11">
       <front>
          <title>Cache Timing Analysis of RC4</title>
          <author surname="Fouque" initials="P.">
          <organization />
          </author>
          <author surname="Leresteux" initials="D.">
          <organization />
          </author>
          <author surname="Chardin" initials="T.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="acns11vol" />
</reference>

<reference anchor="AC:Mantin05">
       <front>
          <title>A Practical Attack on the Fixed RC4 in the WEP Mode</title>
          <author surname="Mantin" initials="I.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt05vol" />
</reference>

<reference anchor="C:MaxKho08">
       <front>
          <title>New State Recovery Attack on RC4</title>
          <author surname="Khovratovich" initials="D.">
          <organization />
          </author>
          <author surname="Maximov" initials="A.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto08vol" />
</reference>

<reference anchor="C:Mironov02">
       <front>
          <title>(Not So) Random Shuffles of RC4</title>
          <author surname="Mironov" initials="I.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto02vol" />
</reference>

<reference anchor="EC:SepVauVua11">
       <front>
          <title>Statistical Attack on RC4 - Distinguishing WPA</title>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <author surname="Vuagnoux" initials="M.">
          <organization />
          </author>
          <author surname="Sepehrdad" initials="P.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt11vol" />
</reference>

<reference anchor="EC:Mantin05">
       <front>
          <title>Predicting and Distinguishing Attacks on RC4 Keystream Generator</title>
          <author surname="Mantin" initials="I.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt05vol" />
</reference>

<reference anchor="EC:Golic97a">
       <front>
          <title>Linear Statistical Weakness of Alleged RC4 Keystream Generator</title>
          <author surname="Golic" initials="J.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt97vol" />
</reference>

<reference anchor="FSE:MaiPauSen11">
       <front>
          <title>Attack on Broadcast RC4 Revisited</title>
          <author surname="Paul" initials="G.">
          <organization />
          </author>
          <author surname="Sengupta" initials="S.">
          <organization />
          </author>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse11vol" />
</reference>

<reference anchor="FSE:Matsui09">
       <front>
          <title>Key Collisions of the RC4 Stream Cipher</title>
          <author surname="Matsui" initials="M.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse09vol" />
</reference>

<reference anchor="FSE:MaiPau08">
       <front>
          <title>New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4</title>
          <author surname="Paul" initials="G.">
          <organization />
          </author>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse08vol" />
</reference>

<reference anchor="FSE:BihCar08">
       <front>
          <title>Efficient Reconstruction of RC4 Keys from Internal States</title>
          <author surname="Carmeli" initials="Y.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse08vol" />
</reference>

<reference anchor="FSE:Maximov05">
       <front>
          <title>Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers</title>
          <author surname="Maximov" initials="A.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:BihGraNgu05">
       <front>
          <title>Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4</title>
          <author surname="Granboulan" initials="L.">
          <organization />
          </author>
          <author surname="Nguyen" initials="P. Q.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:PauPre04">
       <front>
          <title>A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher</title>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Paul" initials="S.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse04vol" />
</reference>

<reference anchor="FSE:ManSha01">
       <front>
          <title>A Practical Attack on Broadcast RC4</title>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Mantin" initials="I.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="FSE:FluMcG00">
       <front>
          <title>Statistical Analysis of the Alleged RC4 Keystream Generator</title>
          <author surname="McGrew" initials="D. A.">
          <organization />
          </author>
          <author surname="Fluhrer" initials="S. R.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse00vol" />
</reference>

<reference anchor="INDOCRYPT:SSMS10">
       <front>
          <title>One Byte per Clock: A Novel RC4 Hardware</title>
          <author surname="Sinha" initials="K.">
          <organization />
          </author>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <author surname="Sinha" initials="B. P.">
          <organization />
          </author>
          <author surname="Sengupta" initials="S.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt10vol" />
</reference>

<reference anchor="INDOCRYPT:MaiPau08">
       <front>
          <title>Analysis of RC4 and Proposal of Additional Layers for Better Security Margin</title>
          <author surname="Paul" initials="G.">
          <organization />
          </author>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>

<reference anchor="INDOCRYPT:AkgKavDem08">
       <front>
          <title>New Results on the Key Scheduling Algorithm of RC4</title>
          <author surname="Kavak" initials="P.">
          <organization />
          </author>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
          <author surname="Akgun" initials="M.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt08vol" />
</reference>


<reference anchor="INDOCRYPT:PauPre03">
       <front>
          <title>Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator</title>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Paul" initials="S.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt03vol" />
</reference>

<reference anchor="ISC:IndPre08">
       <front>
          <title>Collisions for RC4-Hash</title>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Indesteege" initials="S.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc08vol" />
</reference>

<reference anchor="SAC:SepVauVua10">
       <front>
          <title>Discovery and Exploitation of New Biases in RC4</title>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <author surname="Vuagnoux" initials="M.">
          <organization />
          </author>
          <author surname="Sepehrdad" initials="P.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac10vol" />
</reference>

<reference anchor="SAC:VauVua07">
       <front>
          <title>Passive-Only Key Recovery Attacks on RC4</title>
          <author surname="Vuagnoux" initials="M.">
          <organization />
          </author>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac07vol" />
</reference>

<reference anchor="SAC:PauMai07">
       <front>
          <title>Permutation After RC4 Key Scheduling Reveals the Secret Key</title>
          <author surname="Maitra" initials="S.">
          <organization />
          </author>
          <author surname="Paul" initials="G.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac07vol" />
</reference>

<reference anchor="SAC:FluManSha01">
       <front>
          <title>Weaknesses in the Key Scheduling Algorithm of RC4</title>
          <author surname="Mantin" initials="I.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Fluhrer" initials="S. R.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac01vol" />
</reference>

<reference anchor="SAC:MisTav98">
       <front>
          <title>Cryptanalysis of RC4-like Ciphers</title>
          <author surname="Tavares" initials="S. E.">
          <organization />
          </author>
          <author surname="Mister" initials="S.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac98vol" />
</reference>

<reference anchor="SCN:CheMiy10">
       <front>
          <title>Generalized RC4 Key Collisions and Hash Collisions</title>
          <author surname="Miyaji" initials="A.">
          <organization />
          </author>
          <author surname="Chen" initials="J.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="scn10vol" />
</reference>

<!--skipjack-->

<reference anchor="AC:SLLHP00">
       <front>
          <title>Provable Security for the Skipjack-like Structure
          against Differential Cryptanalysis and Linear
          Cryptanalysis</title>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <author surname="Lim" initials="J. I.">
          <organization />
          </author>
          <author surname="Hong" initials="S.">
          <organization />
          </author>
          <author surname="Park" initials="S.">
          <organization />
          </author>
          <author surname="Sung" initials="J.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt00vol" />
</reference>

<reference anchor="S11">
       <front>
          <title>
	    Differential cryptanalysis of eight-round SEED
	  </title>
          <author surname="Sung" initials="J.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Information Processing Letters" value="Volume 111" />
</reference>

<reference anchor="C:KnuRobWag99">
       <front>
          <title>Truncated Differentials and Skipjack</title>
          <author surname="Robshaw" initials="M. J. B.">
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Knudsen" initials="L. R.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto99vol" />
</reference>

<reference anchor="EC:BihBirSha99">
       <front>
          <title>Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials</title>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt99vol" />
</reference>

<reference anchor="FSE:KLLLL02">
       <front>
          <title>Saturation Attacks on Reduced Round Skipjack</title>
          <author surname="Lee" initials="W.">
          <organization />
          </author>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <author surname="Lee" initials="S.">
          <organization />
          </author>
          <author surname="Lim" initials="J.">
          <organization />
          </author>
          <author surname="Hwang" initials="K.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse02vol" />
</reference>

<reference anchor="FSE:Granboulan01">
       <front>
          <title>Flaws in Differential Cryptanalysis of Skipjack</title>
          <author surname="Granboulan" initials="L.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="SAC:ReiWag02">
       <front>
          <title>Markov Truncated Differential Cryptanalysis of Skipjack</title>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Reichardt" initials="B.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac02vol" />
</reference>

<reference anchor="SAC:BBDRS98">
       <front>
          <title>Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (Invited Talk)</title>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Richardson" initials="E.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac98vol" />
</reference>

<!--misty1-->

<reference anchor="AC:DunKel08a">
       <front>
          <title>An Improved Impossible Differential Attack on MISTY1</title>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt08vol" />
</reference>

<reference anchor="CHES:YamYajIto08">
       <front>
          <title>A Very Compact Hardware Implementation of the MISTY1 Block Cipher</title>
          <author surname="Yajima" initials="J.">
          <organization />
          </author>
          <author surname="Itoh" initials="K.">
          <organization />
          </author>
          <author surname="Yamamoto" initials="D.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches08vol" />
</reference>
<!--
<reference anchor="RSA:LKKD08">
       <front>
          <title>Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1</title>
          <author surname="Kim" initials="J.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Lu" initials="J.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa08vol" />
</reference>
-->
<reference anchor="EC:Kuhn01">
       <front>
          <title>Cryptanalysis of Reduced-Round MISTY</title>
          <author surname="Kuhn" initials="U.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt01vol" />
</reference>

<reference anchor="FSE:Kuhn02">
       <front>
          <title>Improved Cryptanalysis of MISTY1</title>
          <author surname="Kuhn" initials="U.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse02vol" />
</reference>

<reference anchor="FSE:IYYK01">
       <front>
          <title>Round Security and Super-Pseudorandomness of MISTY Type Structure</title>
          <author surname="Yoshino" initials="T.">
          <organization />
          </author>
          <author surname="Yuasa" initials="T.">
          <organization />
          </author>
          <author surname="Kurosawa" initials="K.">
          <organization />
          </author>
          <author surname="Iwata" initials="T.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse01vol" />
</reference>

<reference anchor="FSE:Matsui97">
       <front>
          <title>New Block Encryption Algorithm MISTY</title>
          <author surname="Matsui" initials="M.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse97vol" />
</reference>

<reference anchor="ICISC:TSSK08">
       <front>
          <title>Higher Order Differential Attacks on Reduced-Round MISTY1</title>
          <author surname="Saito" initials="T.">
          <organization />
          </author>
          <author surname="Shigeri" initials="M.">
          <organization />
          </author>
          <author surname="Kawabata" initials="T.">
          <organization />
          </author>
          <author surname="Tsunoo" initials="Y.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc08vol" />
</reference>

<reference anchor="ICISC:BabFri00">
       <front>
          <title>On MISTY1 Higher Order Differential Cryptanalysis</title>
          <author surname="Frisch" initials="L.">
          <organization />
          </author>
          <author surname="Babbage" initials="S.">
          <organization />
          </author>
          <date year="2000" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icisc00vol" />
</reference>

<reference anchor="SAC:SunLai09">
       <front>
          <title>Improved Integral Attacks on MISTY1</title>
          <author surname="Lai" initials="X.">
          <organization />
          </author>
          <author surname="Sun" initials="X.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac09vol" />
</reference>

<reference anchor="SAC:PirQui04">
       <front>
          <title>Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results</title>
          <author surname="Quisquater" initials="J.">
          <organization />
          </author>
          <author surname="Piret" initials="G.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac04vol" />
</reference>

<reference anchor="WISA:THSK07">
       <front>
          <title>Security Analysis of MISTY1</title>
          <author surname="Hatano" initials="Y.">
          <organization />
          </author>
          <author surname="Sugio" initials="N.">
          <organization />
          </author>
          <author surname="Kaneko" initials="T.">
          <organization />
          </author>
          <author surname="Tanaka" initials="H.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="wisa07vol" />
</reference>

<!--RC2-->

<reference anchor="FSE:KRRR98">
       <front>
          <title>On the Design and Security of RC2</title>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Rivest" initials="R. L.">
          <organization />
          </author>
          <author surname="Robshaw" initials="M. J. B.">
          <organization />
          </author>
          <author surname="Knudsen" initials="L. R.">
          <organization />
          </author>
          <date year="1998" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse98vol" />
</reference>

<!--
<reference anchor="ICICS:KelSchWag97">
       <front>
          <title>Related-key cryptanalysis of 3-WAY Biham-DES,CAST DES-X, NewDES, RC2, and TEA,</title>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics97vol" />
</reference>
-->

<!--blowfish-->

<reference anchor="FSE:KarMan07">
       <front>
          <title>A New Class of Weak Keys for Blowfish</title>
          <author surname="Manap" initials="C.">
          <organization />
          </author>
          <author surname="Kara" initials="O.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse07vol" />
</reference>

<reference anchor="FSE:Vaudenay96">
       <front>
          <title>On the Weak Keys of Blowfish</title>
          <author surname="Vaudenay" initials="S.">
          <organization />
          </author>
          <date year="1996" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse96vol" />
</reference>

<reference anchor="FSE:Schneier93">
       <front>
          <title>Description of a New Variable-Length Key 64-bit Block Cipher (Blowfish)</title>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <date year="1993" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse93vol" />
</reference>

<!--gost-->

<reference anchor="CHES:PosLinWan10">
       <front>
          <title>256 Bit Standardized Crypto for 650 GE - GOST Revisited</title>
          <author surname="Ling" initials="S.">
          <organization />
          </author>
          <author surname="Wang" initials="H.">
          <organization />
          </author>
          <author surname="Poschmann" initials="A.">
          <organization />
          </author>
          <date year="2010" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches10vol" />
</reference>

<reference anchor="C:MPRKS08">
       <front>
          <title>Cryptanalysis of the GOST Hash Function</title>
          <author surname="Pramstaller" initials="N.">
          <organization />
          </author>
          <author surname="Rechberger" initials="C.">
          <organization />
          </author>
          <author surname="Kontak" initials="M.">
          <organization />
          </author>
          <author surname="Szmidt" initials="J.">
          <organization />
          </author>
          <author surname="Mendel" initials="F.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto08vol" />
</reference>

<reference anchor="C:KelSchWag96">
       <front>
          <title>Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES</title>
          <author surname="Schneier" initials="B.">
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <date year="1996" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto96vol" />
</reference>

<reference anchor="FSE:Isobe11">
       <front>
          <title>A Single-Key Attack on the Full GOST Block Cipher</title>
          <author surname="Isobe" initials="T.">
          <organization />
          </author>
          <date year="2011" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse11vol" />
</reference>

<reference anchor="FSE:MenPraRec08">
       <front>
          <title>A (Second) Preimage Attack on the GOST Hash Function</title>
          <author surname="Pramstaller" initials="N.">
          <organization />
          </author>
          <author surname="Rechberger" initials="C.">
          <organization />
          </author>
          <author surname="Mendel" initials="F.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse08vol" />
</reference>

<reference anchor="SAC:SekKan00">
       <front>
          <title>Differential Cryptanalysis of Reduced Rounds of GOST</title>
          <author surname="Kaneko" initials="T.">
          <organization />
          </author>
          <author surname="Seki" initials="H.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac00vol" />
</reference>

<!--idea-->

<reference anchor="AC:BihDunKel06">
       <front>
          <title>New Cryptanalytic Results on IDEA</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt06vol" />
</reference>

<reference anchor="AC:HawOCo96">
       <front>
          <title>On Applying Linear Cryptanalysis to IDEA</title>
          <author surname="O'Connor" initials="L.">
          <organization />
          </author>
          <author surname="Hawkes" initials="P.">
          <organization />
          </author>
          <date year="1996" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="asiacrypt96vol" />
</reference>

<reference anchor="CHES:LemSchPaa04">
       <front>
          <title>DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction</title>
          <author surname="Schramm" initials="K.">
          <organization />
          </author>
          <author surname="Paar" initials="C.">
          <organization />
          </author>
          <author surname="Lemke" initials="K.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches04vol" />
</reference>

<reference anchor="CHES:NeiPul04">
       <front>
          <title>Switching Blindings with a View Towards IDEA</title>
          <author surname="Pulkus" initials="J.">
          <organization />
          </author>
          <author surname="Neisse" initials="O.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches04vol" />
</reference>

<reference anchor="CHES:CTLL01">
       <front>
          <title>Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm IDEA</title>
          <author surname="Tsoi" initials="K. H.">
          <organization />
          </author>
          <author surname="Leong" initials="P. H. W.">
          <organization />
          </author>
          <author surname="Leong" initials="M. P.">
          <organization />
          </author>
          <author surname="Cheung" initials="O. Y. H.">
          <organization />
          </author>
          <date year="2001" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="ches01vol" />
</reference>

<!--
<reference anchor="C:KelSchWag96">
       <front>
          <title>Key-Schedule Cryptoanalysis of IDEA G-DES,GOST SAFER, and Triple-DES,</title>
          <author surname="Schneier" initials="B."
          <organization />
          </author>
          <author surname="Wagner" initials="D.">
          <organization />
          </author>
          <author surname="Kelsey" initials="J.">
          <organization />
          </author>
          <date year="1996" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto96vol" />
</reference>
-->

<reference anchor="C:DaeGovVan93">
       <front>
          <title>Weak Keys for IDEA</title>
          <author surname="Govaerts" initials="R.">
          <organization />
          </author>
          <author surname="Vandewalle" initials="J.">
          <organization />
          </author>
          <author surname="Daemen" initials="J.">
          <organization />
          </author>
          <date year="1994" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="crypto93vol" />
</reference>

<reference anchor="RSA:ClaGieVer08">
       <front>
          <title>Fault Analysis Study of IDEA</title>
          <author surname="Gierlichs" initials="B.">
          <organization />
          </author>
          <author surname="Verbauwhede" initials="I.">
          <organization />
          </author>
          <author surname="Clavier" initials="C.">
          <organization />
          </author>
          <date year="2008" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="rsa08vol" />
</reference>

<reference anchor="EC:Hawkes98">
       <front>
          <title>Differential-Linear Weak Key Classes of IDEA</title>
          <author surname="Hawkes" initials="P.">
          <organization />
          </author>
          <date year="1998" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt98vol" />
</reference>

<reference anchor="EC:BorKnuRij97">
       <front>
          <title>Two Attacks on Reduced IDEA</title>
          <author surname="Knudsen" initials="L. R.">
          <organization />
          </author>
          <author surname="Rijmen" initials="V.">
          <organization />
          </author>
          <author surname="Borst" initials="J.">
          <organization />
          </author>
          <date year="1997" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt97vol" />
</reference>

<reference anchor="EC:Meier93">
       <front>
          <title>On the Security of the IDEA Block Cipher</title>
          <author surname="Meier" initials="W.">
          <organization />
          </author>
          <date year="1993" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="eurocrypt93vol" />
</reference>

<reference anchor="FSE:JunMac09">
       <front>
          <title>Revisiting the IDEA Philosophy</title>
          <author surname="Macchetti" initials="M.">
          <organization />
          </author>
          <author surname="Junod" initials="P.">
          <organization />
          </author>
          <date year="2009" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse09vol" />
</reference>

<reference anchor="FSE:BihDunKel07b">
       <front>
          <title>A New Attack on 6-Round IDEA</title>
          <author surname="Dunkelman" initials="O.">
          <organization />
          </author>
          <author surname="Keller" initials="N.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="2007" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse07vol" />
</reference>

<reference anchor="FSE:Junod05">
       <front>
          <title>New Attacks Against Reduced-Round Versions of IDEA</title>
          <author surname="Junod" initials="P.">
          <organization />
          </author>
          <date year="2005" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse05vol" />
</reference>

<reference anchor="FSE:Raddum03">
       <front>
          <title>Cryptanalysis of IDEA-X/2</title>
          <author surname="Raddum" initials="H.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse03vol" />
</reference>

<reference anchor="FSE:BihBirSha99">
       <front>
          <title>Miss in the Middle Attacks on IDEA and Khufu</title>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <author surname="Shamir" initials="A.">
          <organization />
          </author>
          <author surname="Biham" initials="E.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="fse99vol" />
</reference>

<reference anchor="ICICS:BNPV02">
       <front>
          <title>New Weak-Key Classes of IDEA</title>
          <author surname="Nakahara" initials="J.">
          <organization />
          </author>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Vandewalle" initials="J.">
          <organization />
          </author>
          <author surname="Biryukov" initials="A.">
          <organization />
          </author>
          <date year="2002" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="icics02vol" />
</reference>

<reference anchor="INDOCRYPT:Yildirim03">
       <front>
          <title>Nonlinearity Properties of the Mixing Operations of the Block Cipher IDEA</title>
          <author surname="Yildirim" initials="H.M.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="indocrypt03vol" />
</reference>

<reference anchor="ISC:NakPreVan03">
       <front>
          <title>A Note on Weak Keys of PES, IDEA, and Some Extended Variants</title>
          <author surname="Preneel" initials="B.">
          <organization />
          </author>
          <author surname="Vandewalle" initials="J.">
          <organization />
          </author>
          <author surname="Nakahara" initials="J.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="isc03vol" />
</reference>

<reference anchor="SAC:AyaSel06">
       <front>
          <title>Improved DST Cryptanalysis of IDEA</title>
          <author surname="Aydin" initials="A.">
          <organization />
          </author>
          <author surname="Serdar" initials="E.">
          <organization />
          </author>
          <date year="2006" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac06vol" />
</reference>

<reference anchor="SAC:DemSelTur03">
       <front>
          <title>A New Meet-in-the-Middle Attack on the IDEA Block Cipher</title>
          <author surname="Aydin" initials="A.">
          <organization />
          </author>
          <author surname="Ture" initials="E.">
          <organization />
          </author>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
          <date year="2004" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac03vol" />
</reference>

<reference anchor="SAC:Demirci02">
       <front>
          <title>Square-like Attacks on Reduced Rounds of IDEA</title>
          <author surname="Demirci" initials="H.">
          <organization />
          </author>
          <date year="2003" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac02vol" />
</reference>

<reference anchor="SAC:Lipmaa98">
       <front>
          <title>IDEA: A Cipher For Multimedia Architectures?</title>
          <author surname="Lipmaa" initials="H.">
          <organization />
          </author>
          <date year="1999" />
       </front>
       <seriesInfo name="Lecture Notes in Computer Science" value="sac98vol" />
</reference>

   </references>
  </back>
</rfc>

