Research on Cryptanalysis Techniques for Block Ciphers
Abstract
This thesis studies the cryptanalysis techniques of modern block ciphers in some depth, focusing on applying traditional cryptanalytic techniques to the US Advanced Encryption Standard AES and to SMS4, the Chinese wireless LAN encryption standard. The main results are:
     1. We studied the principle of the impossible differential attack and all impossible differential attacks on AES published to date. We proposed a general method for impossible differential attacks on 7-round AES that takes the numbers of all-zero columns in the inputs of the seventh and sixth rounds, (α,β), as parameters, and derived the trade-off between the number of plaintext pairs and the number of encryptions required during the attack. For each key length we give the number of plaintext pairs and encryptions corresponding to (α,β); this correspondence directly shows the feasibility and the complexity of the attack on AES-128, AES-192 and AES-256.
     2. We studied the differential properties of SMS4 and designed a method for computing a lower bound on the number of active S-boxes in a differential characteristic over any number of rounds. First, an arbitrary differential pattern over any number of rounds is decomposed into ten kinds of sections, so that every differential pattern is composed of some of these ten section types. We then analyzed the lower bound on active S-boxes for each of the ten section types, and then the lower bound for arbitrary combinations of them, which yields an upper bound on the probability of every differential characteristic that follows any given differential pattern.
     3. We studied the theory of the boomerang attack, analyzed the necessary conditions for a successful amplified boomerang attack on SMS4 and the issues to consider when choosing plaintext quartets, then analyzed a 14-round rectangle distinguisher and proved that it does not exist. Finally, we also analyzed the necessary conditions for a successful amplified boomerang attack on AES.
This thesis investigates cryptanalysis techniques for modern block ciphers. We have focused on applying traditional cryptanalysis techniques to AES (the Advanced Encryption Standard of the USA) and SMS4 (the block cipher for WAPI). Our contributions are summarized as follows.
     1. All published papers on the impossible differential attack on AES are discussed. Some similarities among them are summarized, and a general impossible differential attack on 7-round AES with varying key length is presented. The attack takes the numbers of all-zero columns of the 7th and 6th rounds as parameters (α,β). A trade-off relation between the number of plaintexts and the number of encryptions in the attack is derived, which allows only certain values of (α,β) in the attack for each key length.
     2. In order to evaluate the security of SMS4 against differential cryptanalysis, we design a method to calculate lower bounds on the number of active S-boxes for all kinds of differential characteristics (or differential patterns). First, we divide the pattern into ten kinds of sections, for each of which the lower bound on the number of active S-boxes is calculated in detail. Then the lower bounds on the number of active S-boxes for all combinations of the ten kinds of sections are derived. Finally, we show that there is no differential attack on more than 31 rounds of SMS4 based on a given differential characteristic.
     3. The development from the boomerang attack to the rectangle attack is discussed. The necessary condition for the existence of an amplified boomerang distinguisher on the block cipher SMS4 is presented, and how to choose the plaintext quartets is analyzed. Then an example of a 14-round rectangle distinguisher is discussed and proved not to exist. Finally, the necessary condition for the existence of an amplified boomerang distinguisher on the block cipher AES is also discussed.