Designing Hash Functions Based on Block Cipher Analysis
Abstract
Block ciphers and hash functions are two important branches of symmetric cryptography. Block ciphers are widely used in data encryption and in MACs; hash functions are widely used in digital signatures, message authentication and non-repudiation.
     As early as the 1990s it was recognised that the block cipher standard DES could no longer meet the encryption needs of the rapidly developing information age. In 1997 NIST (the US National Institute of Standards and Technology) launched the AES (Advanced Encryption Standard) programme and finally selected Rijndael as the new encryption standard. Following the US call for the AES, Europe launched the NESSIE project in 2000. With the AES and NESSIE programmes, block cipher research moved from empirical design towards theory-driven design, and block cipher theory advanced rapidly.
     By contrast, the security of the hash functions in use was judged too optimistically, and research on them lagged behind. At the end of 2004, Professor Wang Xiaoyun of Shandong University and her team gave collision attacks on MD5 and SHA-1, and a series of further attacks followed internationally, dealing a heavy blow to the hash functions in use. Hash functions have become a hot topic in cryptography. NIST decided to launch a call for an Advanced Hash Standard (the AHS programme) in 2008, expected to run for five years; how to design, analyse and evaluate hash functions, and how to give a provably secure hash function, will run through the whole programme. Hash function research is far less developed than block cipher research, and whether block cipher theory can be applied to the design of dedicated hash functions has become a hot topic.
     Most hash functions are realised by iterating a compression function within an iteration structure, so hash function design consists of the design of the iteration structure and the design of the compression function. The goal of this thesis is to design a new hash function, which requires a thorough understanding of current block cipher and hash function design principles and attack methods. The thesis finally presents a hash function named Dolly. In its design we give a new iteration structure, FHash, a new compression function structure, the FL-structure, and a new compression function algorithm. The compression function we construct is at the same time a block cipher with a 256-bit block and a 512-bit key, and we also give a non-invertible key schedule.
     The main contributions of this thesis are as follows:
     (1) We give four equivalent structures of the Camellia cipher, propose a variant Square attack on Camellia, and improve the bound of the Square attack given by Yeom et al. at FSE 2002. At the time these were the most effective attacks on Camellia and were cited in Japan's information security annual report of that year; the CRYPTREC 2006 annual report on Camellia still cites our results as the current security status of the algorithm.
     (2) We discover a special relationship between the P permutation and the S-box layer of Camellia: under special plaintext conditions, the P permutation causes the modular additions of several S-boxes to cancel one another. Based on this property we give a new variant Square attack that again improves the attack results on Camellia; this is currently the best attack result on Camellia, and it appears in ICICS 2007.
     (3) Using directed graph theory and the game-based proof method, we classify the 64 compression function schemes built from a block cipher into four classes and give, for each class, bounds for preimage, second preimage and collision attacks. This classification is more precise than the three classes given by Black, Rogaway and Shrimpton at Crypto 2002, and it improves the collision and preimage bounds given by BRS. We also give the relationship between the number of collisions in a fixed-point-based multicollision, the algorithm's complexity and the message length.
     (4) We find that the Merkle-Damgård iteration does not necessarily inherit the distribution properties of its compression function, and we give an example of the phenomenon: an almost uniformly distributed function, iterated in the Merkle-Damgård structure, yields a new function whose distribution bound is 1, far from almost uniform. We further prove that the distribution property of the iterated function depends on the distribution property of the compression function and on the number of iterations; in the worst case the bound grows exponentially with the number of iterations. We also give the distribution properties of several other structures. Among the 64 block-cipher-based compression function schemes under the Merkle-Damgård structure, only four have a probability distribution independent of the number of iterations, but none of these four is preimage resistant; this result is given in reference [87].
     (5) At AsiaCrypt 2006 Bellare et al. gave the EMD structure, the first iteration structure that directly preserves the compression function's collision resistance, pseudorandom oracle property (called indifferentiability) and pseudorandom function property, thereby reducing the security of the hash function to that of the compression function. We believe that uniform distribution is another very important property that should be preserved; regrettably, EMD does not preserve it. We give a new structure (the ECM structure) that has all the properties of EMD and also preserves the distribution property of the compression function, with detailed proofs; this result appears in Indocrypt 2007.
     (6) By modifying the Feistel structure we give a compression function structure satisfying the one-wayness requirement, the FL-structure, and a hash iteration structure, FHash, together with formal security proofs for the FL-structure and FHash; on this basis we construct a new hash function, Dolly. Dolly adopts the diffusion criteria of AES and therefore inherits AES's resistance to linear and differential attacks; we also give a non-invertible key schedule to strengthen the compression function's collision resistance as far as possible.
     The round function of Dolly's compression function and its key schedule still await deeper analysis and evaluation.
Block ciphers and hash functions are two important branches in symmetric cryptology. Block ciphers play important roles in data encryption. Hash functions are widely used in digital signature schemes, message authentication and integrity checking.
     In the early 1990s, people realized that DES (Data Encryption Standard) was not suitable for data encryption requirements of the rapidly developing information era. In 1997 NIST (National Institute for Standards and Technology) published an open call for the Advanced Encryption Standard (AES). Rijndael by Rijmen and Daemen was selected as the AES to succeed DES. In 2000, the European Community started the NESSIE project. Studies made during these processes led to important theoretical advances in the public knowledge on the design and analysis of block ciphers.
     Comparatively, research on hash functions lagged behind, owing to an over-optimistic attitude towards the security of the MD-family hash functions. In 2004, Wang and her team members gave collision attacks on some of the MD-family hash functions, and subsequently more weaknesses have been found in the MD family. Hash functions are now a hotspot in cryptography, a trend that will endure for five or six years, as NIST has decided to hold a new hash algorithm competition (the AHS project). Topics related to the design, analysis and evaluation of hash functions (including provable security) will be discussed in the competition. Since there are plenty of good results on block ciphers, many cryptographers have been considering designing a hash function following block cipher theory.
     Most hash functions are based upon iterated compression functions, so their design comprises compression function design and iterated structure design. The goal of this thesis is to give a new hash algorithm, which requires a good understanding and analysis of the theory of block ciphers and hash functions. The thesis concludes with a new hash function algorithm called Dolly, in which the compression function follows the block cipher design idea of using S-box transformations to achieve the nonlinear transformation, and the iterated structure is a modification of the Merkle-Damgård construction that prevents some of its known weaknesses.
     The contributions of this paper are as follows.
     (1) Four equivalent structures of Camellia are found, based on which a variant Square attack on Camellia is presented. We also improve the Square attack bound given by Yeom et al. and the collision attack bound given by Wu et al. Our results were the best results on Camellia and were cited by the Japanese CRYPTREC 2005 annual report; the CRYPTREC 2006 annual report on Camellia still cites our results as the current security status of the cipher.
     (2) A new relationship between the P permutation and the S-boxes of Camellia is discovered, which results in the cancellation of S-boxes under the P permutation transformation. Based on this property, a new variant Square attack is proposed and the attack results on Camellia are again improved. Both of our new results, on 128-bit and 256-bit keys, are the best attack results on Camellia. This result was accepted by ICICS 2007.
     (3) Digraph theory and the game-based proof method are applied to the security analysis of the Merkle-Damgård construction; the PGV schemes are then divided into four groups and the bounds for preimage, second preimage and collision attacks are given. Our results improve the classification and attack bounds given by Black, Rogaway and Shrimpton.
     (4) The Merkle-Damgård construction cannot guarantee that good distribution properties of its compression function are inherited during the iteration. The distribution bound of the Merkle-Damgård construction with MD-strengthening may reach 1 even if its compression function has a good distribution bound; the bound is related not only to the distribution bound of the compression function but also to the length of the message being hashed. We prove that, in the worst case, the distribution bound of the construction increases exponentially with the message length.
     (5) The EMD (Enveloped Merkle-Damgård) transform, proposed by Bellare et al. at AsiaCrypt 2006, was the first structure to satisfy collision resistance preservation, pseudorandom oracle preservation (indifferentiability) and pseudorandom function preservation. We think that almost-uniform-distribution preservation is also an important property for a structure; however, EMD does not preserve almost uniform distribution. We therefore propose a new structure, the ECM construction, which satisfies collision resistance preservation, pseudorandom oracle preservation (indifferentiability), pseudorandom function preservation and almost-uniform-distribution preservation. The proofs are also presented. This result was accepted by Indocrypt 2007.
     (6) A variant Feistel structure called the FL-construction, which is a one-way structure, and a new iterated hash structure, FHash, are presented. The security proofs of FHash and the FL-construction are given using a heuristic proof method. We design a new hash function, named Dolly, whose round function inherits that of Rijndael and which has a non-invertible key schedule algorithm.
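As an added illustration of contributions (3) and (4) above, and not code from the thesis, the following constructed Python model chains two block-cipher-based compression functions Merkle-Damgård style over a toy 8-bit cipher built from the AES S-box, and measures how the output distribution over all chaining inputs changes with the number of iterations. The toy cipher, the two compression functions and the (image size, largest multiplicity) measure are this example's own choices; the thesis's exact four schemes and its definition of the distribution bound are not reproduced here.

```python
"""Constructed toy model of two PGV-style compression functions under
Merkle-Damgård iteration. Not the thesis's code: the 8-bit "block cipher"
E_k(x) = S[x ^ k] (AES S-box after key whitening) and the distribution
measure below are this example's own choices."""

def _gf_mul(a, b):
    # Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _gf_inv(a):
    # Inverse in GF(2^8) as a^254, with inv(0) := 0 as in AES.
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result if a else 0

def _aes_sbox():
    # Field inverse followed by the AES affine map y ^ rotl(y,1..4) ^ 0x63.
    box = []
    for x in range(256):
        y = s = _gf_inv(x)
        for i in range(1, 5):
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _aes_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x

def toy_encrypt(key, x):
    # Toy 8-bit cipher: a permutation of 0..255 for every key, hence invertible.
    return SBOX[x ^ key]

def toy_decrypt(key, y):
    return INV_SBOX[y] ^ key

def cf_no_feedforward(h, m):
    # h_i = E_{m_i}(h_{i-1}): a permutation of the chaining value for fixed m_i,
    # so uniformity is preserved exactly, but each step can be undone given m_i.
    return toy_encrypt(m, h)

def cf_davies_meyer(h, m):
    # h_i = E_{m_i}(h_{i-1}) ^ h_{i-1}: the feed-forward removes invertibility,
    # but h -> E_m(h) ^ h is no longer a permutation (the S-box has no fixed
    # point, so the output value m is never reached).
    return toy_encrypt(m, h) ^ h

def md_iterate(cf, iv, blocks):
    # Plain Merkle-Damgård chaining; padding is omitted, `blocks` is the input.
    h = iv
    for m in blocks:
        h = cf(h, m)
    return h

def output_profile(cf, blocks):
    # Push every 8-bit chaining input through `blocks`; return (distinct outputs,
    # largest multiplicity). Uniform on 256 inputs gives (256, 1). This is the
    # example's proxy for the thesis's "distribution bound", not its definition.
    counts = {}
    for iv in range(256):
        out = md_iterate(cf, iv, blocks)
        counts[out] = counts.get(out, 0) + 1
    return len(counts), max(counts.values())

def profile_by_length(cf, blocks):
    # Same profile after 1, 2, ..., len(blocks) iterations: how the output
    # distribution depends on the number of iterations.
    return [(t, *output_profile(cf, blocks[:t])) for t in range(1, len(blocks) + 1)]

def invert_chain(h_final, blocks):
    # For the no-feed-forward scheme every step is a decryption, so the initial
    # chaining value follows from the final output and the message blocks.
    h = h_final
    for m in reversed(blocks):
        h = toy_decrypt(m, h)
    return h

SAMPLE_BLOCKS = list(b"Dolly sample")   # constructed message: 12 one-byte blocks

if __name__ == "__main__":
    for name, cf in (("E_m(h)", cf_no_feedforward), ("E_m(h)^h", cf_davies_meyer)):
        print(name)
        for t, image, worst in profile_by_length(cf, SAMPLE_BLOCKS):
            print(f"  {t:2d} blocks: {image:3d} distinct outputs, max multiplicity {worst}")
    final = md_iterate(cf_no_feedforward, 0xA5, SAMPLE_BLOCKS)
    print("recovered IV:", hex(invert_chain(final, SAMPLE_BLOCKS)))
```

The permutation-style scheme keeps the (256, 1) profile at every length but lets the chaining input be recovered from the output, while the feed-forward scheme's image can only shrink as more blocks are chained, which is the dependence on iteration count that contribution (4) describes.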
References
[1] Duo L., Li C., The influence of cyclic shifts on the security of the Rijndael cipher, Journal on Communications, 2003, 24(9): 153-161.
[2] Duo L., Li C., Reverse-order Square attack on the Rijndael cipher, Journal of Electronics & Information Technology, 2004, 26(1): 65-71.
[3] Feng G., Duo L., Li C., Three equivalent forms of the AES cipher, Journal of National University of Defense Technology, accepted.
[4] Zhang W., Analysis and design of block ciphers, PhD thesis, Chinese Academy of Sciences.
[5] Advanced Hash Standard Competition, http://csrc.nist.gov/pki/HashWorkshop/
[6] Anderson R. and Biham E., Tiger: a fast new hash function, in Fast Software Encryption (D. Gollmann, ed.), LNCS 1039, pp. 89-97, Springer-Verlag, 1996.
[7] Aoki K., Ichikawa T., Kanda M., Matsui M., Moriai S., Nakajima J., and Tokita T., The 128-bit block cipher Camellia, IEICE Transactions on Fundamentals, Vol. E85-A, No. 1, 2001.
[8] Barreto P.S.L.M. and Rijmen V., The Whirlpool hashing function, primitive submitted to NESSIE, 2000. Available at http://www.cryptonessie.org/.
[9] Barreto P. and Rijmen V., The Whirlpool hashing function, First open NESSIE Workshop, Leuven, Belgium, 13-14 November 2000.
[10] Bellare M., New proofs for NMAC and HMAC: security without collision-resistance, CRYPTO 2006, LNCS 4117, pp. 602-619, 2006.
[11] Bellare M., Canetti R., and Krawczyk H., Keying hash functions for message authentication, in Advances in Cryptology - CRYPTO'96, LNCS 1109, pp. 1-15, Springer-Verlag, 1996.
[12] Bellare M., Guerin R., and Rogaway P., XOR MACs: new methods for message authentication using finite pseudorandom functions, in Advances in Cryptology - CRYPTO'95, LNCS 963, pp. 15-28, Springer-Verlag, 1995.
[13] Bellare M., Boldyreva A., and Palacio A., An uninstantiable random-oracle-model scheme for a hybrid-encryption problem, in Advances in Cryptology - EUROCRYPT 2004, LNCS 3027, pp. 171-188, Springer-Verlag, 2004.
[14] Bellare M., Pietrzak K., and Rogaway P., Improved security analyses for CBC MACs, in Advances in Cryptology - CRYPTO 2005, LNCS 3621, pp. 527-545, Springer-Verlag, 2005.
[15] Bellare M. and Rogaway P., Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of the First Annual Conference on Computer and Communications Security, ACM, 1993.
[16] Bellare M. and Rogaway P., Introduction to Modern Cryptography.
[17] Bellare M. and Rogaway P., Code-based game-playing proofs and the security of triple encryption, http://eprint.iacr.org/2004/331.pdf.
[18] Bellare M. and Ristenpart T., Multi-property-preserving hash domain extension and the EMD transform, ASIACRYPT 2006, LNCS 4284, pp. 299-314, 2006, http://eprint.iacr.org/2006/399.pdf
[19] Berger T.P., Canteaut A., Charpin P., and Laigle-Chapuy Y., On almost perfect nonlinear functions, IEEE Transactions on Information Theory, 52(9): 4160-4170, 2006.
[20] Biham E., Recent advances in hash functions - the way to go. Presented at the ECRYPT Conference on Hash Functions (Cracow, June 2005), see http://www.ecrypt.eu.org/stvl/hfw/Biham.ps.
[21] Biham E., New types of cryptanalytic attacks using related keys, Advances in Cryptology - EUROCRYPT'93, LNCS 765, pp. 398-409, Springer-Verlag, 1994.
[22] Biham E. and Biryukov A., An improvement of Davies' attack on DES, Advances in Cryptology - EUROCRYPT'94, LNCS 950, pp. 461-467, Springer-Verlag, 1995.
[23] Biham E. and Biryukov A., An improvement of Davies' attack on DES, Journal of Cryptology, 10(3): pp. 195-205, Springer-Verlag, 1997.
[24] Biham E., Biryukov A., and Shamir A., Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, Advances in Cryptology - EUROCRYPT'99, LNCS 1592, pp. 12-23, Springer-Verlag, 1999.
[25] Biham E. and Chen R., Near-collisions of SHA-0 and SHA-1, in Selected Areas in Cryptography - SAC 2004, invited talk.
[26] Biham E. and Chen R., Near-collisions of SHA-0, CRYPTO 2004, LNCS 3152, pp. 290-305, Springer-Verlag, 2004.
[27] Biham E. and Dunkelman O., A framework for iterative hash functions - HAIFA, http://www.csrc.nist.gov/pki/HashWorkshop/2006/Papers/.
[28] Biham E., Dunkelman O., Furman V., and Mor T., Preliminary report on the NESSIE submissions Anubis, Camellia, IDEA, Khazad, Misty1, Nimbus, Q, NESSIE public report, NES/DOC/TEC/WP3/011/b.
[29] Biham E., Dunkelman O., and Keller N., The rectangle attack - rectangling the Serpent, Advances in Cryptology - EUROCRYPT 2001, LNCS 2045, pp. 340-357, Springer-Verlag, 2001.
[30] Biham E., Dunkelman O., and Keller N., Linear cryptanalysis of reduced round Serpent, Fast Software Encryption - FSE 2001, LNCS 2355, pp. 16-27, Springer-Verlag, 2002.
[31] Biham E., Dunkelman O., and Keller N., New results on boomerang and rectangle attacks, Fast Software Encryption - FSE 2002, LNCS 2365, pp. 1-16, Springer-Verlag, 2002.
[32] Biham E., Dunkelman O., and Keller N., Enhanced differential-linear cryptanalysis, Advances in Cryptology - ASIACRYPT 2002, LNCS 2501, pp. 254-266, Springer-Verlag, 2002.
[33] Biham E., Dunkelman O., and Keller N., Differential-linear cryptanalysis of Serpent, Fast Software Encryption - FSE 2003, LNCS 2887, pp. 9-21, Springer-Verlag, 2003.
[34] Biham E., Dunkelman O., and Keller N., Rectangle attacks on 49-round SHACAL-1, Fast Software Encryption - FSE 2003, LNCS 2887, pp. 22-35, Springer-Verlag, 2003.
[35] Biham E., Dunkelman O., and Keller N., Related-key boomerang and rectangle attacks, Advances in Cryptology - EUROCRYPT 2005, LNCS 3494, pp. 507-525, Springer-Verlag, 2005.
[36] Biham E., Dunkelman O., and Keller N., New combined attacks on block ciphers, Fast Software Encryption 12, LNCS 3557, pp. 126-144, Springer-Verlag, 2005.
[37] Biham E., Dunkelman O., and Keller N., A related-key rectangle attack on the full KASUMI, Advances in Cryptology - ASIACRYPT 2005, LNCS 3788, pp. 443-461, Springer-Verlag, 2005.
[38] Biham E., Dunkelman O., and Keller N., Related-key impossible differential attacks on 8-round AES-192, RSA Conference 2006, LNCS 3860, pp. 21-33, Springer-Verlag, 2006.
[39] Biham E. and Shamir A., Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, Springer-Verlag, 1991.
[40] Biham E. and Shamir A., Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology, 4(1): pp. 3-72, Springer-Verlag, 1991.
[41] Biham E. and Shamir A., Differential cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
[42] Biryukov A. and De Cannière C., Block ciphers and systems of quadratic equations, Fast Software Encryption, 10th International Workshop, FSE 2003, LNCS 2887, Springer-Verlag, 2003.
[43] Biryukov A., De Cannière C., et al., Security and performance analysis of ARIA, http://homes.esat.kuleuven.be/abiryuko/ARIA-COSICreport.pdf
[44] Biryukov A. and Shamir A., Structural cryptanalysis of SASAS, Advances in Cryptology - EUROCRYPT 2001, LNCS 2045, pp. 394-405, Springer-Verlag, 2001.
[45] Biryukov A. and Wagner D., Slide attacks, Fast Software Encryption - FSE'99, LNCS 1636, pp. 245-259, Springer-Verlag, 1999.
[46] Biryukov A. and Wagner D., Advanced slide attacks, Advances in Cryptology - EUROCRYPT 2000, LNCS 1807, pp. 589-606, Springer-Verlag, 2000.
[47] Black J., The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in Preproceedings of the 13th Fast Software Encryption Workshop (FSE 2006), pp. 349-361, Springer-Verlag, 2006.
[48] Black J., Cochran M., and Shrimpton T., On the impossibility of highly-efficient blockcipher-based hash functions, pp. 526-539, Springer-Verlag, 2004.
[49] Black J., Halevi S., Krawczyk H., Krovetz T., and Rogaway P., UMAC: fast and secure message authentication, in Advances in Cryptology - CRYPTO'99, LNCS 1666, pp. 216-233, Springer-Verlag, 1999.
[50] Black J. and Rogaway P., A block-cipher mode of operation for parallelizable message authentication, in Advances in Cryptology - EUROCRYPT 2002, LNCS 2332, pp. 384-397, Springer-Verlag, 2002.
[51] Black J. and Rogaway P., CBC MACs for arbitrary-length messages: the three-key constructions, in Advances in Cryptology - CRYPTO 2000, LNCS 1880, pp. 197-215, Springer-Verlag, 2000.
[52] Black J., Rogaway P., and Shrimpton T., Black-box analysis of the block-cipher-based hash-function constructions from PGV, CRYPTO 2002, LNCS 2442, pp. 320-335, Springer-Verlag, 2002.
[53] den Boer B. and Bosselaers A., Collisions for the compression function of MD5, in Advances in Cryptology - EUROCRYPT'93, LNCS 765, pp. 293-299, Springer-Verlag, 1993.
[54] Bosselaers A., Govaerts R., and Vandewalle J., Fast hashing on the Pentium, in Advances in Cryptology - CRYPTO'96, LNCS 1109, pp. 298-312, Springer-Verlag, 1996.
[55] Braziler Y., The statistical evaluation of the NESSIE submission Camellia, NESSIE public report, NES/DOC/TEC/WP3/019/1.
[56] Budaghyan L., Carlet C., Felke P., and Leander G., New classes of almost bent and almost perfect nonlinear polynomials, IEEE Transactions on Information Theory, 52(3): pp. 1141-1152, 2006.
[57] Budaghyan L., Carlet C., and Pott A., New constructions of almost bent and almost perfect nonlinear polynomials, in Workshop on Coding and Cryptography - WCC 2005, pp. 306-315, 2005.
[58] Cachin C., Entropy measures and unconditional security in cryptography, PhD thesis.
[59] Canetti R., Goldreich O., and Halevi S., The random oracle methodology, revisited, STOC'98, ACM, 1998.
[60] Canetti R., Goldreich O., and Halevi S., On the random oracle methodology as applied to length-restricted signature schemes, in Proceedings of the Theory of Cryptography Conference, pp. 40-57, 2004.
[61] Chabaud F. and Joux A., Differential collisions in SHA-0, in Advances in Cryptology - CRYPTO'98, LNCS 1462, pp. 56-71, Springer-Verlag, 1998.
[62] Chang D., Lee S., Nandi M., and Yung M., Indifferentiable security analysis of popular hash functions with prefix-free padding, ASIACRYPT 2006, LNCS 4284, pp. 283-298, Springer-Verlag, 2006.
[63] Coron J.S., Dodis Y., Malinaud C., and Puniya P., Merkle-Damgård revisited: how to construct a hash function, in Advances in Cryptology - CRYPTO 2005, LNCS 3621, pp. 430-448, Springer-Verlag, 2005.
[64] Courtois N.T. and Pieprzyk J., Cryptanalysis of block ciphers with overdefined systems of equations, Advances in Cryptology - ASIACRYPT 2002, LNCS 2501, Springer-Verlag, 2002.
[65] Courtois N., Fast algebraic attacks on stream ciphers with linear feedback, Advances in Cryptology - CRYPTO 2003, LNCS 2729, pp. 176-194, Springer-Verlag, 2003.
[66] Courtois N., Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt, Information Security and Cryptology - ICISC 2002, LNCS 2587, pp. 182-199, Springer-Verlag, 2003.
[67] Courtois N. and Meier W., Algebraic attacks on stream ciphers with linear feedback, in E. Biham, editor, Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, pp. 345-359, Springer-Verlag, 2003.
[68] De Cannière C., Mendel F., and Rechberger C., Collisions for 70-step SHA-1: on the full cost of collision search, Selected Areas in Cryptography (SAC 2007), pp. 16-17, Springer-Verlag.
[69] De Cannière C. and Rechberger C., Finding SHA-1 characteristics: general results and applications, in Proceedings of ASIACRYPT 2006, LNCS 4284, pp. 1-20, Springer-Verlag, 2006.
[70] Japanese e-Government site (CRYPTREC), http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html
[71] CRYPTREC 2006 security evaluation report on Camellia, http://info.isl.ntt.co.jp/crypt/camellia/dl/
[72] Attack results on Camellia, http://info.isl.ntt.co.jp/crypt/eng/camellia/reference.html
[73] Daemen J., Knudsen L.R., and Rijmen V., The block cipher Square, in Fast Software Encryption, LNCS 1267, pp. 149-165, Springer-Verlag, 1997.
[74] Daemen J. and Rijmen V., AES proposal: Rijndael, AES submission, http://www.nist.gov/aes
[75] Daemen J. and Rijmen V., The Design of Rijndael: AES - the Advanced Encryption Standard, Springer-Verlag, 2002.
[76] Daemen J. and Rijmen V., A new MAC construction ALRED and a specific instance ALPHA-MAC, Fast Software Encryption 2005, LNCS 3554, pp. 1-17, Springer-Verlag, 2005.
[77] Damgård I., A design principle for hash functions, Advances in Cryptology - CRYPTO'89, LNCS 435, pp. 416-427, Springer-Verlag, 1990.
[78] Davies D. and Murphy S., Pairs and triples of DES S-boxes, Journal of Cryptology, 8(1): pp. 1-25, Springer-Verlag, 1995.
[79] Dean R.D., Formal aspects of mobile code security, PhD dissertation, Princeton University, 1999.
[80] Diestel R., Graph Theory, Springer-Verlag, Heidelberg/New York, 1997, 2000, 2005.
[81] Dunkelman O., Techniques for cryptanalysis of block ciphers, PhD thesis, Israel Institute of Technology, 2006.
[82] Dunkelman O. and Preneel B., Generalizing the herding attack to concatenated hashing schemes, ECRYPT Hash Workshop 2007, http://events.iaik.tugraz.at/HashWorkshop07/papers/
[83] Dobbertin H., Cryptanalysis of MD4, in D. Gollmann, editor, Proceedings of Fast Software Encryption 1996, LNCS 1039, pp. 53-70, Springer-Verlag, 1996.
[84] Dobbertin H., Bosselaers A., and Preneel B., RIPEMD-160: a strengthened version of RIPEMD, Fast Software Encryption, LNCS 1039, pp. 71-82, Springer-Verlag, 1996.
[85] Dodis Y., Oliveira R., and Pietrzak K., On the generic insecurity of the full domain hash, Advances in Cryptology - CRYPTO 2005, LNCS 3621, pp. 449-466, Springer-Verlag, 2005.
[86] Duo L., Li C., and Feng K., New observation on Camellia, Selected Areas in Cryptography - SAC 2005, LNCS 3897, pp. 51-64, Springer-Verlag, 2006.
[87] Duo L., Feng G., Li C., and Li R., Revised: block cipher based hash function construction from PGV, Progress in Cryptography - ChinaCrypt'06, China Science and Technology Press, Nov. 2006.
[88] Duo L., Li C., and Feng K., Square like attack on Camellia, ICICS 2007 (International Conference on Information and Communications Security 2007), LNCS 4861, pp. 269-283, Springer-Verlag, 2007.
[89] Duo L. and Li C., Extended multi-property-preserving and ECM-construction, Progress in Cryptology - INDOCRYPT 2007, LNCS 4859, pp. 361-372, Springer-Verlag, 2007.
[90] Duo L., Henricksen M., and Li C., On analyzing Merkle-Damgård-construction through directed graphs, http://eprint.iacr.org/2006/462.pdf
[91] Duo L., F-HASH: securing hash functions using Feistel chaining, Cryptology ePrint Archive, Report 2005/430, http://eprint.iacr.org/2005/430.pdf.
[92] Duo L., New integrated proof method on iterated hash structure and new structures, Cryptology ePrint Archive, Report 2006/147, 2006. Available at http://eprint.iacr.org/2006/147.pdf.
[93] Duo L., Dolly: a new block cipher based dedicated hash function, preprint.
[94] ECRYPT Network of Excellence, Ongoing research areas in symmetric cryptography. Available via http://www.ecrypt.eu.org/documents/D.STVL.3-2.5.pdf.
[95] ECRYPT Network of Excellence, Recent collision attacks on hash functions: ECRYPT position paper. Available via http://www.ecrypt.eu.org/documents/ECRYPT-Hash-statement.pdf, http://www.ecrypt.eu.org/documents/STVL-ERICS-2-HASH-STMT-1.1.pdf.
[96] FIPS 46-3, Data encryption standard, National Institute of Standards and Technology, 1979.
[97] Feistel H., Cryptography and computer privacy, Scientific American, Vol. 228, No. 5, pp. 15-23, May 1973.
[98] Feistel H., Notz W.A., and Smith J.L., Some cryptographic techniques for machine to machine data communications, Proceedings of the IEEE, Vol. 63, No. 11, pp. 1545-1554, November 1975.
[99] Ferguson N., Schroeppel R., and Whiting D., A simple algebraic representation of Rijndael, Eighth Annual International Workshop on Selected Areas in Cryptography (SAC 2001), LNCS 2259, pp. 103-111, Springer-Verlag, 2001.
[100] FIPS 180-2, Secure hash standard (SHS), National Institute of Standards and Technology, Aug. 2002. Change notice added in Feb. 2004.
[101] FIPS 46-3, Data encryption standard, National Institute of Standards and Technology, Oct. 1999.
[102] Gauravaram P., Millan W., Nieto J.G., and Dawson E., 3C - a provably secure pseudorandom function and message authentication code: a new mode of operation for cryptographic hash functions. The preliminary draft version of this work is available as ePrint 2005/390.
[103] Gauravaram P. and Kelsey J., Cryptanalysis of a class of cryptographic hash functions, http://eprint.iacr.org/2007/277.pdf.
[104] Halevi S. and Krawczyk H., Strengthening digital signatures via randomized hashing, Advances in Cryptology - CRYPTO 2006, LNCS 4117, pp. 41-59, Springer-Verlag, 2006.
[105] Handschuh H. and Naccache D., SHACAL, 2001. Available at https://www.cosic.esat.kuleuven.ac.be/nessie/tweaks.html/shacaltweak.pdf.
[106] Harpes C., Kramer G., and Massey J., A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma, in Louis Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology - EUROCRYPT'95, LNCS 921, pp. 24-38, 1995.
[107] Hatano Y., Sekine H., and Kaneko T., Higher order differential attack of Camellia (II), Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, LNCS 2595, Springer-Verlag, 2002.
[108] He Y. and Qing S., Square attack on reduced Camellia cipher, in ICICS 2001, LNCS 2229, pp. 238-245, Springer-Verlag, Berlin Heidelberg New York, 2001.
[109] Hirose S., Some plausible constructions of double-block-length hash functions, in Preproceedings of the 13th Fast Software Encryption Workshop (FSE 2006), pp. 231-246, 2006.
[110] Hirose S., Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model, in Proceedings of the 9th Selected Areas in Cryptography (SAC 2002), LNCS 2595, pp. 339-352, Springer-Verlag, 2002.
[111] Hirose S., Provably secure double-block-length hash functions in a black-box model, in Proceedings of the 7th International Conference on Information Security and Cryptology (ICISC 2004), LNCS 3506, pp. 330-342, Springer-Verlag, 2005.
[112] Hohl W., Lai X., Meier T., and Waldvogel C., Security of iterated hash functions based on block ciphers, in CRYPTO'93 Proceedings, LNCS 773, pp. 379-390, 1994.
[113] Hoch J. and Shamir A., Breaking the ICE - finding multicollisions in iterated concatenated and expanded (ICE) hash functions, in Proceedings of Fast Software Encryption Workshop - FSE 2006, LNCS 4047, pp. 179-194, Springer-Verlag, 2006.
[114] Hong D., Preneel B., and Lee S., Higher order universal one-way hash functions, ASIACRYPT 2004, LNCS 3329, pp. 201-213, 2004.
[115] Hu Y., Zhang Y., and Xiao G., Integral cryptanalysis of SAFER+, Electronics Letters, 35(17): pp. 1458-1459, August 1999.
[116] ISO/IEC 18033-3, http://www.iso.ch/iso/en/.
[117] Jaulmes E., Joux A., and Valette F., On the security of randomized CBC-MAC beyond the birthday paradox limit: a new construction, in Fast Software Encryption - FSE'02, LNCS 2365, pp. 237-251, Springer-Verlag, 2002.
[118] Bang-Jensen J. and Gutin G., Digraphs: Theory, Algorithms and Applications, Springer, 2001.
[119] Jakobsen T. and Knudsen L., The interpolation attack against block ciphers, Fast Software Encryption - FSE'97 Proceedings, LNCS 1267, pp. 28-40, Springer-Verlag, 1997.
[120] Joux A., Multicollisions in iterated hash functions. Application to cascaded constructions, CRYPTO 2004, LNCS 3152, pp. 306-316, Springer-Verlag, 2004.
[121] Joux A., Carribault P., Jalby W., and Lemuet C., Collisions in SHA-0. Presented at the rump session of CRYPTO 2004, 2004.
[122] Junod P. and Vaudenay S., FOX: a new family of block ciphers, Selected Areas in Cryptography - SAC 2004, LNCS 2595, pp. 131-146, Springer-Verlag, 2005.
[123] Jutla C.S., Encryption modes with almost free message integrity, in Advances in Cryptology - EUROCRYPT 2001, LNCS 2045, pp. 529-544, Springer-Verlag, 2001.
[124] Kanda M. and Matsumoto T., Security of Camellia against truncated differential cryptanalysis, FSE 2001, LNCS 2355, pp. 286-299, Springer-Verlag, 2001.
[125] Kanda M., Practical security evaluation against differential and linear cryptanalyses for Feistel ciphers with SPN round function, SAC 2000, LNCS 2012, Springer-Verlag, 2000.
[126] Kawabata T. and Kaneko T., A study on higher order differential attack of Camellia, The 2nd open NESSIE workshop, 2001.
[127] Kelsey J. and Gauravaram P., Linear checksums don't help Damgård-Merkle, rump session, CRYPTO 2006.
[128] Kelsey J. and Schneier B., Second preimages on n-bit hash functions for much less than 2^n work, EUROCRYPT 2005, LNCS 3494, pp. 474-490, Springer-Verlag, 2005.
[129] Kelsey J. and Kohno T., Herding hash functions and the Nostradamus attack, EUROCRYPT 2006, LNCS 4004, pp. 183-200, Springer-Verlag, 2006.
[130] Kelsey J., Kohno T., and Schneier B., Amplified boomerang attacks against reduced-round MARS and Serpent, Fast Software Encryption - FSE 2000, LNCS 1978, pp. 75-93, Springer-Verlag, 2001.
[131] Knudsen L.R., Analysis of Camellia, April 2000. This note is a part of the Japanese contribution for ISO/IEC JTC1/SC27, Call for contributions on NP 18033: Encryption Algorithms, Part 3: Block Ciphers.
[132] Knudsen L., Contemporary block ciphers, LNCS 1561, pp. 105-126, Springer-Verlag, 1999.
[133] Knudsen L., Truncated and higher order differentials, in B. Preneel, editor, Fast Software Encryption: Second International Workshop, LNCS 1008, pp. 196-211, Springer-Verlag, 1995.
[134] Knudsen L., Lai X., and Preneel B., Attacks on fast double block length hash functions, Journal of Cryptology, 11(1): 59-72, Springer-Verlag, 1998.
[135] Knudsen L. and Muller F., Some attacks against a double length hash proposal, in ASIACRYPT 2005 Proceedings, LNCS 3788, pp. 462-473, Springer-Verlag, 2005.
[136] Knudsen L. and Preneel B., Hash functions based on block ciphers and quaternary codes, in ASIACRYPT'96 Proceedings, LNCS 1163, pp. 77-90, Springer-Verlag, 1996.
[137] Knudsen L. and Wagner D., Integral cryptanalysis, Fast Software Encryption 9, LNCS 2365, pp. 112-127, Springer-Verlag, 2002.
[138] Knudsen L., Rechberger C., and Thomsen S., Grindahl - a family of hash functions, Fast Software Encryption - FSE 2007, LNCS 4593, pp. 39-57, Springer-Verlag, 2007.
[139] Koo B., Jang H., and Song J., Constructing and cryptanalysis of a 16×16 binary matrix as a diffusion layer, WISA 2003, LNCS 2908, pp. 324-338, Springer, 2003.
[140] Kwon D., Kim J., Park S., et al., New block cipher: ARIA, Information Security and Cryptology - ICISC'03, LNCS 2971, pp. 432-445, Springer-Verlag, 2004.
[141] Lai X., Higher order derivatives and differential cryptanalysis, in Symposium on Communication, Coding and Cryptography, pp. 227-233, Kluwer Academic Publishers, 1994.
[142] Lai X. and Massey J.L., Hash functions based on block ciphers, in Advances in Cryptology - EUROCRYPT'92, LNCS 658, pp. 15-23, Springer-Verlag, 1993.
[143] Lai X. and Massey J., A proposal for a new block encryption standard, Advances in Cryptology - EUROCRYPT'90, LNCS 473, pp. 389-404, Springer-Verlag, 1991.
[144] Ledig H., Muller F., and Valette F., Enhancing collision attacks, 6th International Workshop on Cryptographic Hardware and Embedded Systems - CHES 2004, LNCS 3156, Springer-Verlag.
[145] Lee S., Hong S., Lee S., Lim J., and Yoon S., Truncated differential cryptanalysis of Camellia, in ICISC 2001, LNCS 2288, pp. 32-38, Springer-Verlag, 2001.
[146] Lenstra A., Progress in hashing cryptanalysis. Available via http://cm.bell-labs.com/who/akl/Hash.pdf.
[147] Liang J. and Lai X., Improved collision attack on hash function MD5, http://eprint.iacr.org/2005/425.pdf
[148] Liskov M., Constructing an ideal hash function from weak ideal compression functions, in Proceedings of SAC 2006, LNCS, pp. 331-349, Springer-Verlag, 2006.
[149] Luby M. and Rackoff C., How to construct pseudorandom permutations from pseudorandom functions, SIAM Journal on Computing, Vol. 17, No. 2 (1988), pp. 373-386.
[150] Lucks S., A collision-resistant rate-1 double-block-length hash function, http://th.informatik.uni-mannheim.de/people/lucks/
[151] Lucks S., A failure-friendly design principle for hash functions, ASIACRYPT 2005, LNCS 3788, pp. 474-494, Springer-Verlag, 2005.
[152] Lucks S., The saturation attack - a bait for Twofish, Fast Software Encryption - FSE 2001, LNCS 2355, pp. 1-15, Springer-Verlag, 2002.
[153] Matsui M., Linear cryptanalysis method for DES cipher, Advances in Cryptology - EUROCRYPT'93, LNCS 765, pp. 386-397, Springer-Verlag, 1993.
[154] Maurer U., Renner R., and Holenstein C., Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, TCC 2004, LNCS 2951, pp. 21-39, Springer-Verlag, 2004.
[155] Meier W. and Staffelbach O., Nonlinearity criteria for cryptographic functions, in Advances in Cryptology - EUROCRYPT'89, LNCS 434, pp. 549-562, Springer-Verlag, 1990.
[156] Mendel F., Pramstaller N., Rechberger C., and Rijmen V., Analysis of step-reduced SHA-256, in Proceedings of Fast Software Encryption - FSE 2006, LNCS 4047, pp. 126-143, Springer-Verlag, 2006.
[157] Mendel F., Pramstaller N., Rechberger C., and Rijmen V., The impact of carries on the complexity of collision attacks on SHA-1, in Proceedings of Fast Software Encryption - FSE 2006, LNCS 4047, pp. 278-292, Springer-Verlag, 2006.
[158] Menezes A.J., van Oorschot P.C., and Vanstone S.A., Handbook of Applied Cryptography, CRC Press, 1997.
[159] Merkle R.C., One way hash functions and DES, Advances in Cryptology - CRYPTO'89, LNCS 435, pp. 428-446, 1990.
[160] Meyer C.H. and Matyas S.M., Cryptography: a new dimension in data security, Wiley & Sons, 1982.
[161] Nandi M., Lee W., Sakurai K., and Lee S., Security analysis of a 2/3-rate double length compression function in black-box model, Fast Software Encryption - FSE 2005, LNCS 3557, pp. 243-254, Springer-Verlag, 2005.
[162] ECRYPT Consortium, Ongoing research areas in symmetric cryptography, January 2005. Available at https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D.STVL.3-2.1.pdf.
[163] NESSIE, Performance of optimized implementations of the NESSIE primitives, version 2.0, NESSIE deliverable D21, NES/DOC/TEC/WP6/D21/2, Feb. 2003.
[164] NESSIE Security Report, version 2.0, NESSIE deliverable D20, NES/DOC/ENS/WP5/D20/2, Feb. 2003.
[165] http://www.cosic.esat.kuleuven.ac.be/nessie/
[166] Nielsen J.B., Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case, in Advances in Cryptology - CRYPTO 2002, pp. 111-126, Springer-Verlag, 2002.
[167] http://www.nist.gov/aes/
[168] National Institute of Standards and Technology (NIST), Brief comments on recent cryptanalytic attacks on secure hashing functions and the continued security provided by SHA-1. Available via http://csrc.nist.gov/Hashstandardscomments.pdf.
[169] Nyberg K., Perfect nonlinear S-boxes, in Advances in Cryptology - EUROCRYPT'91, LNCS 547, pp. 378-385, Springer-Verlag, 1991.
[170] Nyberg K., Differentially uniform mappings for cryptography, in Advances in Cryptology - EUROCRYPT'93, LNCS 765, pp. 55-64, Springer-Verlag, 1993.
[171] Nyberg K., S-boxes and round functions with controllable linearity and differential uniformity, in Fast Software Encryption - FSE'94, LNCS 1008, Springer-Verlag, 1995.
[172] Nyberg K. and Knudsen L.R., Provable security against differential cryptanalysis, in Advances in Cryptology - CRYPTO'92, LNCS 740, pp. 566-574, Springer-Verlag, 1993.
    
    [173] Patarin J., Feistel schemes with six (or More) rounds, Fast Software Encryption 1998, LNCS 1372 ,pp.103-121, Springer-Verlag, 1998.
    
    [174] Patarin J., Luby-Rackoff 7 rounds are enough for 2n~((1-ε)) security. CRYPTO'03, LNCS 2729,pp.513-529, Springer-Verlag, 2003.
    
    [175] Patarin J., Security of random Feistel scemes with 5 or more rounds. CRYPTO'04, LNCS 3152, pp.106-122, Springer-Verlag, 2004.
    
    [176] Patarin J., Generic attacks on Feistel schemes, Available from the author.
    
    [177] Patarin J., Security of random Feistel schemes with 5 or more rounds, Available from the author.
    
    [178] Patel S., An Efficient MAC for short messages. In Selected Areas in Cryptography, SAC2002,LNCS 2595, pp.353-368, Springer-Verlag, 2002.
    
    [179] Peyrin T., Gilbert H., Muller F., and Robshaw M., Combining compression functions and block cipher-based Hash functions, ASIACRYPT 2006, LNCS 4284, pp.315-331, Springer-Verlag,2006.
    
    [180] Piret G., Block Ciphers: Security proofs, cryptanalysis, design, and fault attacks, PHD, 2005.
    
    [181] Piret G., Luby-Rackoff Revisited: On the use of permutations as inner functions of a Feistel scheme, Designs, Codes and Cryptography, 39, pp.233-245, Springer-Verlag, 2006.
    
    [182] Preneel B., The State of Cryptographic Hash Functions. In Lectures on Data Security, LNCS 1561, pp.158-182, Springer-Verlag, 1999.
    [183]Preneel B.,Analysis and design of cryptographic hash functions.PhD thesis,Katholieke Universiteit Leuven,1993.
    [184]Preneel B.,Govaerts R.,and J.Vandewalle,Hash functions based on block ciphers,In Advances in Cryptology -CRYPTO'93,LNCS 773,pp.368-378.Springer-Verlag,1994.
    [185]Preneel B.,Govaerts R.,and Vandewalle J.,Cryptographically secure hash functions:an overview.ESAT Internal Report,K.U.Leuven,1989.
    [186]Preneel B.,Rijmen V.,and Bosselaers A..Recent developments in the design of conventional cryptographic algorithms.In State of the Art and Evolution of Computer Security and Industrial Cryptography.LNCS 1528,pp.106-131,Springer-Verlag,1998.
    [187]Rabin M.O.,Digitalized Signatures.In R.A.Demillo,D.P.Dopkin,A.K.Jones and R.J.Lipton,editors,Foundations of Secure Computation,pp.155-166,New York,1978.Academic Press.
    [188]IETF 文档 RFC 3657,http://www.ietf.org/rfc/rfc3657.txt?number=3657.
    [189]Rijmen V.,Cryptanalysis and design of iterated block ciphers,Katholieke Universiteit Leuven,Belgium,9 October 1997
    [190]Rijmen V.,Preneel B.,and Win E.,On weaknesses of non-surjective round functions.Designs,Codes and Cryptography,12(3):pp.253-266,Springer-Verlag,1997.
    [191]Rivest R.L.,The MD4 Message Digest Algorithm,Request for Comments(RFC)1320,Internet Activities Board,Internet Privacy Task Force,1992.
    [192]Rivest R.L,The MD5 message digest algorithm,Request for Comments(RFC) 1321,Internet Activities Board,Internet PrivacZ Task Force,1992.
    [193]Rivest R.,Robshaw M.,Sidney R.and Lin Y.,The RC6 block cipher,The First Advanced Encryption Standard Candidate Conference,Proceedings,Ventura,California,August 1998.
    [194]Rogaway P.,M.Bellare and J.Blaek.OCB:A block-cipher mode of operation for efficient authenticated encryption.ACM Trans.Information System and Security,6(3),pp.365-403,2000.
    [195]Rogaway P.and Shrimpton T.,Cryptographic Hash-function basics:definitions,implications,and separations for Preimage Resistance,Second-Preimage Resistance,and Collision-Resistance.FSE 2004,LNCS 3017,pp.371-388.
    [196] Rompay B.V., Analysis and design of cryptographic hash functions, MAC algorithms and block cipher, K. U. Leuven, Juni 2004.
    
    [197] Secure Hash Standard, Federal Information Processing Standard (FTPS), Draft, National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 1992.
    
    [198] SHA-1 announcement, www.schneier.com/blog/archives/2005/02/shalbroken.html.
    
    [199] Shannon C.E., A Mathematical theory of communication, The Bell System Technical Journal,Vol.27, pp.379-423, 1948.
    
    [200] Shannon C.E., Communication theory of secrecy systems, Bell ystem Technical Journal, Vol 28: pp.656-715, 1949.
    
    [201] Shirai T., Differential, linear, boomerang and rectangle cryptanalysis of reduced-round Camellia, in proceedings of 3rd NESSIE workshop, Nov. 2002.
    
    [202] Schneier B. and Kelsey J., Unbalanced Feistel networks and block-cipher design, Fast Software Encryption: Third International Workshop, LNCS 1039, pp.121-144, Springer-Verlag, 1996.
    
    [203] Shirai T., Kanamaru S., and G. Abe, Improved upper bounds of differential and linear characteristic probability for Camellia, FSE 2002, LNCS 2365, Springer-Verlag, 2002.
    
    [204] Shirai T. and Shibutani K., Improving immunity of Feistel ciphers against Differential Cryptanalysis by Using Multiple MDS Matrices, FFSE 2004, LNCS 3017, Springer-Verlag, 2004.
    
    [205] Shoup V., Sequences of games: a tool for taming complexity in security proofs,http://eprint.iacr.org/2004/332.pdf
    
    [206] Stevens M. Lenstra A. and Weger B., Chosen-Prefix collisions for MD5 and Colliding X.509 Certificates for Different Identities, EUROCRYPT 2007, LNCS 4515, pp.1-22, Springer-Verlag,2007.
    
    [207] Stinson D. R., Cryptography theory and practice, Second Edition, CRC Press, 2002
    
    [208] Sugita M., Kobara K., and Imai H., Best truncated and impossible differentials of Feistel block ciphers with S-D (Substitution and Diffusion) or D-S Round Functions, IEICE transactions on fundamentals, Vol. E86-A No. 1, 2002.
    [209]Sugita M.,Kobara K.,and Imai H.,Security of reduced version of the block cipher Camellia against Truncated and Impossible Differential Cryptanalysis.In:ASIACRYPT 2001,LNCS 2248.pp.193-207,Springer-Verlag,2001.
    [210]Vaudenay S.,On the need for multipermutations:cryptanalysis of MD4 and SAFER.FastSoftware Encryption,Second International Workshop proceedings,pp.286-308,Springer-Verlag,1995.
    [211]Vaudenay S.,On the Lai-Massey scheme.In Advances in Cryptology-ASIACRYPT'99,LNCS 1716,pp.8-19,Springer-Verlag,2000.
    [212]Vaudenay S.,Decorrelation:A theory for block cipher security.Journal of Cryptology,16(4):pp.249-286,Springer-Verlag,2003.
    [213]Wagner D.,The boomerang attack.Fast Software Encryption,FSE'99,LNCS 1636,pp.156-170.Springer-Verlag,1999.
    [214]Wang X.,The Collision attack on SHA-0.In Chinese,to appear on www.infosec.edu.cn,1997.
    [215]Wang X.,Lai X.,Feng D.,and Yu H.,Collisions for hash functions MD4,MD5,HAVAL-128and RIPEMD.Presented at the rump session of CRYPTO'2004.(http://eprint.iacr.org/2004/199).
    [216]Wang X.,Lai X.,Feng D.,Chen H.,and Yu X.,Cryptanalysis of the hash functions MD4 and RIPEMD,EUROCRYPT 2005,LNCS 3494,pp.1-18,Springer-Verlag,2005.
    [217]Wang X.and Yu H.,How to break MD5 and other hash functions,EUROCRYPT'2005,LNCS 3494,pp.19-35,Springer-Verlag,2005.
    [218]Wang X.,Yin Y.,and Yu H.,Finding collisions in the full SHA-1.In Advances in Cryptology -CRYPTO'05,Springer-Verlag,2005.
    [219]Webster A.F.and TavaresS.E.,On the design of S-boxes.Advances in Cryptology-CRYPTO'85LNCS 218,pp.523-534,Springer-Verlag,1985.
    [220]Weis R.and Lucks S.,Cryptographic hash functions recent results on cryptanalysis and their implications on system security.
    [221]Wu W.,Feng D.and Chen H.,Collision attack and pseudorandomness of reduced-round Camellia.SAC2004,LNCS 3357,PP.256-270,Springer-Verlag,2005.
    [222] Wu W., Zhang W. and Feng D., Impossible differential Cryptanalyssi of ARIA and Camellia,JCST.
    
    [223] Yeom Y., Park S., and Kim I., On the security of Camellia against the Square attack. FSE2002,LNCS 2365, pp.89-99, Springer-Verlag, 2002.
    
    [224] Yeom Y., Park S., and Kim I., A study of integral type cryptanalysis on Camellia, Proceedings of the 2003 Symposium on Cryptography and Information Security SCIS2003, 6D-2, pp.453-456, Jan. 2003.
    
    [225] Yin Y. L., A note on the block cipher Camellia, August 2000. This note is a part of Japanese contribution for ISO/IEC JTC1/SC27, Call for contribution on NP18033: Encryption Algorithms, Part 3: Block Ciphers.
    
    [226] Youssef A.M., S.E.Tavares and H.M.Heys. A new class of substitution-permutation networks,Workshop on Select Areas in Cryptography, SAC1996, Workshop record, pp.132-144, 1996.
    
    [227] Zheng Y., Pieprzyk J., and Seberry J., HAVAL-a one-way hashing algorithm with variable length of output. in Advances in Cryptology-Auscrypt'92 (J. Seberry and Y. Zheng, eds.), LNCS 718, pp.83-104, Springer-Verlag, 1993.
    
    [228] Wu H., Related-cipher attacks. Information and Communications Security ICICS 2002, LNCS 2513, pp.447-455. Springer-Verlag, 2002.
