Analysis and Design of Block Ciphers
Abstract
With the rapid development of computer networks and communication technology, modern society has entered the information age. The need for secure storage, processing and transmission of information is ever more pressing, and the problem of protecting information security has become very prominent. Cryptography, the cornerstone of information security, is the foundation of all kinds of information security technologies; it is implemented concretely by a wide variety of encryption algorithms and provides a high degree of protection at relatively low cost. Block ciphers are an important branch of symmetric cryptography; because they are secure, efficient and easy to standardize, they have been widely applied in recent years and have attracted great attention. Against this background, this thesis studies the analysis and design theory of block ciphers, comprising the following two parts:
     The first part studies the cryptanalysis of block ciphers; the results obtained cover the following three aspects:
     First, we study the resistance of SPN ciphers to impossible differential cryptanalysis and higher-order integral cryptanalysis. Using matrix theory over finite fields as a tool, we propose a series of criteria characterizing the impossible differentials of SPN ciphers; the method extends to impossible differential analysis of other cipher structures whose round function is of SPN type, and thus provides a new route to the automatic search of impossible differentials for particular classes of ciphers. Using the direct-sum decomposition theory of linear spaces as a tool, we propose an extension theory for higher-order integral distinguishers of SPN ciphers, which unifies the procedure for finding 4-round higher-order integrals of the block ciphers AES and ARIA; this method also extends to the higher-order integral analysis of various block cipher structures, overcoming the earlier reliance of this area on the cryptanalyst's experience and judgement. Second, we evaluate the security of a class of generalized unbalanced Feistel structures, GF-NLFSR. By characterizing the structure's encryption process algebraically, we show that its diffusion is weak, which greatly improves the distinguishing attack against it. For a variant of the GF-NLFSR structure we propose a method of mounting non-surjective attacks on certain ciphers all of whose components are bijective, and verify it experimentally on a personal computer against a toy cipher built from the AES S-box. The greatest advantage of this analysis method is that its data complexity is only a linear function of the block length. Third, we evaluate the resistance of the SMS4 algorithm to differential fault analysis under a byte-oriented random fault model. By studying the 5-round differential propagation properties of the SMS4-type generalized Feistel structure with SPN round function, we find that inducing a single random byte fault into the 2nd, 3rd or 4th register at the input of round 28 suffices to reduce the 128-bit key space that exhaustive search must cover to an average of 22.11 bits. This shows that SMS4 has weak immunity to fault attacks, so corresponding countermeasures are needed when the algorithm is implemented in cryptographic devices.
     The second part studies the design theory of block ciphers; the results obtained cover the following three aspects. First, we study involutional linear transformations built from cyclic shifts and XOR, give complete explicit expressions and counting formulas for this class of transformations, show that their branch number is upper bounded by 4, and discuss the relationship between the shift parameters and the branch number, thereby providing a theoretical basis for linear transformations designed from these operations. Second, we study the mask propagation properties of the MISTY structure with SPN round function; based on a "divide and conquer" strategy, we re-derive the lower bound on the number of active S-boxes in 4r consecutive rounds of linear characteristics of this structure, unifying its practical provable security bounds against differential and linear cryptanalysis. Third, we propose two generalizations of the MISTY structure, the Type-I and Type-II generalized MISTY structures, and establish the practical provable security of each against differential and linear cryptanalysis, providing a theoretical basis for algorithms designed on these structures. Based on the Type-II generalized MISTY structure, we give two design frameworks for efficient block ciphers.
Our society has stepped into the information age with the rapid development of computer networks and communication technologies. In this environment, the secure storage, processing and transmission of information are urgently needed, so the problem of information security protection is very pressing. Cryptography is a useful and major approach to security protection, which achieves its goals by various encryption algorithms, and nowadays it has become the basis of information security. Block ciphers belong to the field of symmetric cryptography; they have attracted more attention in recent years due to their high security, efficient implementation and easy standardization. Under this background, this thesis concentrates on the cryptanalysis and design methodologies of block ciphers, and it mainly contains two parts.
     In the first part, we focus on the cryptanalytic methods for block ciphers, and obtain some results that are related to the following three aspects:
     In the first aspect, we study the resistance of SPN ciphers against impossible differential cryptanalysis and higher-order integral cryptanalysis. We adopt matrix theory over finite fields to propose several criteria for characterizing the existence of impossible differentials of SPN ciphers. This method can be extended to analyze other block cipher structures with SPN-type round function, and thus provides a new potential approach to automatically search for impossible differentials of various ciphers. We also borrow from linear algebra the tool of direct decomposition of a linear space to propose a theory for higher-order integral extension of SPN ciphers, which unifies the process of finding 4-round higher-order integrals of AES and ARIA. This method can be further generalized to analyze block cipher structures, and thus overcomes the traditional approaches that rely on the cryptanalyst's experience and intuition. In the second aspect, we evaluate the security of a kind of generalized unbalanced Feistel network structure, called GF-NLFSR. By algebraic methods, the encryption characteristic can be expressed clearly, which directly demonstrates the poor diffusion property of GF-NLFSR. Thus, the distinguishing attacks on GF-NLFSR can be significantly improved. Another contribution regarding the security of a variant of GF-NLFSR is the proposition of a kind of non-surjective attack, which can be applied to some block ciphers with bijective components. This kind of attack is verified through an experiment on a toy cipher based on GF-NLFSR and the S-box of AES. The main merit of this method is that its data complexity is only a linear function of the block length. In the third aspect, we apply differential fault analysis to SMS4 based on the random byte fault model. By observing a difference propagation property of the 5-round SMS4-type generalized Feistel structure with SPN round function, we show that if a random byte fault is induced into either the second, third, or fourth word register at the input of the 28-th round, we can break SMS4 by an exhaustive search with time complexity 2^22.11. This efficient attack implies that SMS4 should be carefully protected when implemented in products.
     The second part belongs to the design theory of block ciphers, and it contains the following results:
     First, we concentrate on a kind of involutional linear transformation which is based on the XOR of several rotations; the enumeration of this kind of linear transformation is given and its branch number is shown to be upper bounded by 4. Meanwhile, the relationship between the parameters of the rotations and the branch number is discussed, which provides a theoretical basis for the design. Then, we turn to the practical security aspects of block cipher structures. The main object is the MISTY structure with SPN round function. According to the mask propagation and a "divide-and-conquer" strategy, we provide a new lower bound on the number of active S-boxes for consecutive 4r-round linear characteristics of such block cipher constructions, and thus unify the practical security bounds for this construction against differential and linear cryptanalysis. Last, we generalize the MISTY structure and propose two kinds of block cipher structures called the Type-I and Type-II generalized MISTY structures. For these two block cipher constructions, we provide proofs of their practical security against differential and linear cryptanalysis, which is the basis for the design of new block ciphers based on these structures. Accordingly, two efficient block cipher frameworks are proposed based on the Type-II generalized MISTY structure.
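As an added illustration of the rotation-XOR involutions discussed above (this is example code, not the thesis's own formulas or the project's code), the following script builds linear maps of the form L(x) = XOR over r of (x <<< r) on 32-bit words, checks which ones are involutions, and computes the byte-wise branch number exactly. Its restriction to rotation amounts that are multiples of 8 and the specific maps enumerated are this example's assumptions; in that byte-aligned case the involutions found have branch number at most 4, consistent with the bound stated above.

```python
"""Involutional rotation-XOR linear maps on 32-bit words and their byte branch number.

Constructed example; not code from the thesis.  A map of the form
    L(x) = XOR over r in R of (x <<< r)
is GF(2)-linear.  When every r in R is a multiple of 8, L permutes and XORs
whole bytes, i.e. it acts on the four bytes of x as a 4x4 binary matrix, and
its byte-wise branch number can then be computed exactly from only 15
activity patterns (see branch_number).
"""

WORD_BITS = 32
MASK = (1 << WORD_BITS) - 1
BYTES = WORD_BITS // 8


def rotl(x: int, r: int) -> int:
    """Rotate a 32-bit word left by r bits."""
    r %= WORD_BITS
    return ((x << r) | (x >> (WORD_BITS - r))) & MASK


def make_linear_map(rotations):
    """Return the function L(x) = XOR of (x <<< r) for every r in rotations."""
    def L(x: int) -> int:
        y = 0
        for r in rotations:
            y ^= rotl(x, r)
        return y
    return L


def is_involution(L) -> bool:
    """L is GF(2)-linear, so L(L(x)) == x for all x iff it holds on the 32 unit vectors."""
    return all(L(L(1 << i)) == 1 << i for i in range(WORD_BITS))


def byte_weight(x: int) -> int:
    """Number of nonzero bytes in a 32-bit word."""
    return sum(1 for i in range(BYTES) if (x >> (8 * i)) & 0xFF)


def branch_number(rotations) -> int:
    """Byte-wise branch number  min over x != 0 of  wt(x) + wt(L(x)).

    Restricted to rotation amounts that are multiples of 8.  Then L acts on
    each of the eight bit-planes of x (bit t of every byte) independently by
    the same 4x4 binary matrix M, and the byte support of x (resp. L(x)) is
    the union of the supports of its bit-planes (resp. of their images).
    Hence wt(x) + wt(L(x)) >= wt(p) + wt(M p) for any nonzero bit-plane p of
    x, with equality when x has a single nonzero bit-plane, so the minimum
    over all 2^32 - 1 inputs equals the minimum over the 15 nonzero 4-bit
    activity patterns p.
    """
    if any(r % 8 for r in rotations):
        raise ValueError("exact bit-plane search needs byte-aligned rotations")
    L = make_linear_map(rotations)
    best = 2 * BYTES
    for pattern in range(1, 1 << BYTES):
        # Place the activity pattern in bit 0 of each active byte.
        x = 0
        for j in range(BYTES):
            if pattern >> j & 1:
                x |= 1 << (8 * j)
        best = min(best, byte_weight(x) + byte_weight(L(x)))
    return best


def involutional_byte_aligned_maps() -> dict:
    """All nonempty subsets of {0, 8, 16, 24} whose rotation-XOR map is an
    involution, mapped to the byte branch number of that involution."""
    found = {}
    for bits in range(1, 1 << BYTES):
        rots = tuple(8 * k for k in range(BYTES) if bits >> k & 1)
        if is_involution(make_linear_map(rots)):
            found[rots] = branch_number(rots)
    return found


if __name__ == "__main__":
    for rots, bn in involutional_byte_aligned_maps().items():
        print(f"rotations {rots}: involution with byte branch number {bn}")
    # For contrast, the linear layer of SMS4 itself (from its published
    # specification), L(B) = B ^ B<<<2 ^ B<<<10 ^ B<<<18 ^ B<<<24, is neither
    # byte-aligned nor an involution.
    sms4_L = make_linear_map((0, 2, 10, 18, 24))
    print("SMS4 L is an involution:", is_involution(sms4_L))
```

The two non-trivial involutions found, x ^ (x<<<8) ^ (x<<<24) and (x<<<8) ^ (x<<<16) ^ (x<<<24), both reach the bound of 4, while the trivial ones (identity and the half-word swap) have branch number 2.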