**AES(Rijndael)**

- The Rijndael Page, Joan Daemen, and Vincent Rijmen.
- AES Proposal: Rijndael (corrected version), Joan Daemen, and Vincent Rijmen (local copy).
- Annex to AES Proposal: Rijndael, Joan Daemen, and Vincent Rijmen (local copy).
- Rijndael Test Values, NIST.
- Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys, Stefan Lucks, Presented at the 3rd AES Candidate Conference (local copy).
- A collision attack on 7 rounds of Rijndael, Henri Gilbert, and Marine Minier, Presented at the 3rd AES Candidate Conference (local copy).
- Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like Rijndael, E2, Makoto Sugita, Kazukuni Kobara, Kazuhiro Uehara, Shuji Kubota, and Hideki Imai, Presented at the 3rd AES Candidate Conference (local copy).
- Cryptanalysis of Reduced Variants of Rijndael, Eli Biham, and Nathan Keller, Presented at the 3rd AES Candidate Conference (local copy).
- Improved Cryptanalysis of Rijndael, Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting, Proceedings of FSE 2000 (local copy).
- Advanced Encryption Standard Simplified, Adam Berent, July 2003. (local copy).

**Blowfish**

- The Blowfish Encryption Algorithm page, Bruce Schneier.
- Description of a New Variable-Length Key, 64-Bit Cipher (Blowfish), Bruce Schneier, Fast Software Encryption, LNCS 809, pp.191-204. Springer-Verlag, 1994.
- Blowfish — One Year Later, Bruce Schneier, Dr. Dobb’s Journal, September 1995.
- Blowfish test vectors, Eric Young.
- On the weak keys of Blowfish, S. Vaudenay, Fast Software Encryption, Third International Workshop, LNCS 1008, pp. 286-297. Springer-Verlag, 1995 (local copy).

**CAST-128 / CAST-256**

- The CAST-128 Encryption Algorithm, Carlisle Adams, RFC 2144, May 1997.
- The CAST-256 Encryption Algorithm, Carlisle Adams, and Jeff Gilchrist, RFC 2612, June 1999.
- CAST-256 Test Values, NIST.
- An Analysis of the CAST-256 Cipher, C. Adams, H. Heys, S. Tavares, and M. Wiener, Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering, 1999 (local copy).
- [Patent] Carlisle Adams, Symmetric cryptographic system for data encryption, U.S. Patent 5,511,123, filed August 4 1994, issued April 23 1996.

**CRYPTON**

- CRYPTON: A new 128-bit block cipher.
- Specification and Analysis of CRYPTON Version 1.0, Chae Hoon Lim, June 1999.
- CRYPTON v1.0 Test Values, Future Systems, Inc.

**DES / 3DES(DESede)**

- Data Encryption Standard, NIST FIPS PUB 46-2 (supersedes FIPS PUB 46-1), U.S. Department of Commerce, December 1993.
- Data Encryption Standard, NIST DRAFT FIPS PUB 46-3, U.S. Department of Commerce, 1999.
- Section 7.4 DES, A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 (local copy).
- Triple DES Test Vectors, NIST.
- A Known-Plaintext Attack on Two-Key Triple Encryption, Paul van Oorschot, and Michael Wiener, Advances in Cryptology – EUROCRYPT ’90 Proceedings, LNCS 473, pp. 318-325. Springer-Verlag, 1991 (local copy).
- Differential Cryptanalysis of the Full 16-Round DES, E. Biham, and A. Shamir, CS 708, Proceedings of Crypto ’92, LNCS 740, December 1991 (local copy).
- Linear cryptanalysis method for DES cipher, M. Matsui, Advances in Cryptology – EUROCRYPT ’93 Proceedings, LNCS 765, pp. 386-397. Springer-Verlag, 1994 (local copy).
- New potentially weak keys for DES and LOKI, Lars Knudsen, Advances in Cryptology – EUROCRYPT ’94 Proceedings, LNCS 950, pp. 419-424. Springer Verlag, 1995 (local copy).
- An Improvement of Davies’ Attack on DES, E. Biham, and A. Biryukov, CS 817, EUROCRYPT ’94 Proceedings, LNCS 950, Springer Verlag, 1995, and Journal of Cryptology, Vol. 10, No. 3, pp. 195-206, 1997 (local copy).
- Attacking Triple Encryption, Stefan Lucks, Fast Software Encryption ’98, LNCS 1372, Springer-Verlag, 1998 (local copy).

**DESX**

- How to protect DES against exhaustive key search, Joe Kilian, and Phillip Rogaway, Earlier version in Advances in Cryptology – Crypto ’96, LNCS 1109, pp. 252-267. Springer-Verlag, 1996 (local copy).
- Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, J. Kelsey, B. Schneier, and D. Wagner, ICICS ’97 Proceedings, Springer-Verlag, November 1997 (local copy).

**IDEA**

- The IDEA Algorithm page.
- Section 7.6 IDEA, A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 (local copy).
- IDEA C Source Code and Test Data (corrected version, May 1999), Ascom Systec, Ltd.
- On the design and security of block ciphers, X. Lai, ETH Series in Information Processing, Vol. 1, Hartung-Gorre Verlag, Konstanz Technische Hochschule (Zurich), 1992.
- Markov Ciphers and Differential Cryptanalysis, X. Lai, J.L. Massey, and S. Murphy, Advances in Cryptology – EUROCRYPT ’91, LNCS 547, pp. 17-38. Springer-Verlag, 1991 (local copy).
- Weak Keys of IDEA, Joan Daemen, Rene Govaerts, and Joos Vandewalle, Advances in Cryptology – CRYPTO ’93 Proceedings, LNCS 773, pp. 224-231. Springer-Verlag, 1994 (local copy).
- Cryptanalysis of 2.5 Rounds of IDEA, Joan Daemen, Rene Govaerts, and Joos Vandewalle, ESAT-COSIC Technical Report 93/1, 1993 (local copy).
- Two attacks on reduced IDEA, J. Borst, L. Knudsen, and V. Rijmen, Advances in Cryptology – EUROCRYPT ’97 Proceedings, LNCS 1233, pp. 1-13. Springer-Verlag, 1997 (local copy).
- Truncated Differentials of IDEA, L. Knudsen, and V. Rijmen, ESAT-COSIC Technical Report 97-1.
- Side Channel Cryptanalysis of Product Ciphers, J. Kelsey, B. Schneier, D. Wagner, and C. Hall, ESORICS ’98 Proceedings pp. 97-110, Springer-Verlag, September 1998 (local copy).
- Side Channel Attack Hardening of the IDEA(TM) Cipher, Ascom Systec White Paper (corrected version, May 1999)
- [Patent].

**MARS**

- MARS – A candidate cipher for AES (corrected version), Carolynn Burwick, Don Coppersmith, Edward D’Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O’Connor, Mohammad Peyravian, David Safford, and Nevenko Zunic. [Note that the key schedule described here is for the initial version of MARS submitted as a first round AES candidate.]
- Modification for MARS, Shai Halevi.
- MARS-2 Test Vectors, IBM Corporation.
- On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6, Scott Contini, and Yiqun Lisa Yin, Presented at the 2nd AES Conference. (local copy).
- MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants, John Kelsey, and Bruce Schneier, Presented at the 3rd AES Candidate Conference. (local copy).
- Impossible Differential on 8-Round MARS’ Core, Eli Biham, and Vladimir Furman, March 15, 2000. Presented at the 3rd AES Candidate Conference (local copy).
- The Complete Distribution of Linear Probabilities of MARS’ s-box, Kazumaro Aoki (local copy).
- [Patent] [need patent title and date] U.S. Patent Application: IBM application CR998021.

**RC2**

- A Description of the RC2(r) Encryption Algorithm, Ron Rivest, RFC 2268, March 1998.
- On the design and security of RC2, L.R. Knudsen, V. Rijmen, R.L. Rivest, and M.J.B. Robshaw, Fast Software Encryption, LNCS 1372, pp. 206-221. Springer-Verlag, 1998 (local copy).
- Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, J. Kelsey, B. Schneier, and D. Wagner, ICICS ’97 Proceedings, Springer-Verlag, November 1997 (local copy).

**RC5**

- The RC5 Encryption Algorithm (revised 20 March 1997), Ron Rivest (local copy).
- The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms, Ron Rivest, RFC 2040, October 1996.
- Section 7.7.2 RC5, A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 (local copy).
- On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, B.S. Kaliski, and Y.L. Yin, Advances in Cryptology – CRYPTO ’95, pp. 171-184. Springer-Verlag, 1995. (local copy).
- Improved differential attack on RC5, Lars Knudsen, and W. Meier, Advances in Cryptology – Crypto ’96 Proceedings, LNCS 1109, pp. 216-228. Springer-Verlag, 1996 (local copy).
- Linearly Weak Keys of RC5, H. Heys, IEE Electronics Letters, vol. 33, no. 10, pp. 836-838, 1997 (local copy).
- Improved Cryptanalysis of RC5, A. Biryukov, and E. Kushilevitz, Advances in Cryptology – EuroCrypt ’98 (local copy).
- A Timing Attack on RC5, H. Heys, Workshop on Selected Areas in Cryptography – SAC ’98, Queen’s University, Kingston, Ontario, Aug. 1998 (local copy). To be published by Springer-Verlag.
- A Timing Attack on RC5, Helena Handschuh, Gemplus’ Corporate Product R&D Division: Technical Report SC02-1998 (local copy).
- On the Security of the RC5 Encryption Algorithm, B.S. Kaliski Jr., and Y.L. Yin, RSA Laboratories Technical Report TR-602, 1998 (local copy).
- Correlation Attack to the Block Cipher RC5 and the Simplified Variants of RC6, Takeshi Shimoyama, Kiyofumi Takeuchi, and Juri Hayakawa, Presented at the 3rd AES Candidate Conference (local copy).
- [Patent] RSA Data Security (assignee)
  - “Block Encryption Algorithm with Data-Dependent Rotations,” U.S. Patent 5,724,428, filed November 1 1995, issued March 3 1998.
  - “Block Encryption Algorithm with Data-Dependent Rotations,” U.S. Patent 5,835,600, filed April 21 1997, issued November 10 1998.

**RC6**

- The RC6 Block Cipher, Ron Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin (local copy).
- Further notes on RC6, Ron Rivest.
- RC6 Test Values, NIST.
- On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6, Scott Contini, and Yiqun Lisa Yin, Presented at the 2nd AES Conference (local copy).
- A note regarding the hash function use of MARS and RC6, Markku-Juhani Saarinen (local copy).
- Correlations in RC6, Willi Meier, and Lars Knudsen, July 29, 1999 (local copy).
- Correlation Attack to the Block Cipher RC5 and the Simplified Variants of RC6, Takeshi Shimoyama, Kiyofumi Takeuchi, and Juri Hayakawa, Presented at the 3rd AES Candidate Conference (local copy).
- [Patent] RSA Data Security (assignee)
  - “Block Encryption Algorithm with Data-Dependent Rotations,” U.S. Patent 5,724,428, filed November 1 1995, issued March 3 1998.
  - “Block Encryption Algorithm with Data-Dependent Rotations,” U.S. Patent 5,835,600, filed April 21 1997, issued November 10 1998.
  - “Enhanced Block Encryption Algorithm with Data-Dependent Rotations,” U.S. Patent Application 09/094,649. Filed June 15, 1998.

**SAFER-K / SAFER-SK**

- SAFER K-64: A Byte-Oriented Block Ciphering Algorithm, Massey, J. L., Fast Software Encryption, Proceedings of the Cambridge Security Workshop, Cambridge, U.K., December 9-11, 1993, pp. 1-17. LNCS 809, Springer, 1994.
- SAFER K-64: One Year Later, Massey, J. L., Fast Software Encryption: Second International Workshop, LNCS 1008, pp. 212-241, Leuven, Belgium, 14-16 December 1994. Springer-Verlag, 1995.
- Section 7.7.1 SAFER, A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 (local copy).
- Announcement of a Strengthened Key Schedule for the Cipher SAFER, Massey, J. L., September 9, 1995, (see file ‘SAFER_SK.TXT’ included in the SAFER toolkit, below).
- A Key-Schedule Weakness in SAFER K-64, Lars Knudsen, Advances in Cryptology – Crypto ’95 Proceedings, LNCS 963, Springer-Verlag, 1995 (local copy). (appendix with corrections).
- A Generalization of Linear Cryptanalysis Applied to SAFER, C. Harpes, Internal report, Signal and Information Processing Lab., Swiss Federal Institute of Technology, Zurich, March 9, 1995 (local copy).
- Truncated differentials of SAFER, Lars Knudsen, and T.A. Berson, Fast Software Encryption, LNCS 1039, pp. 15-26. Springer-Verlag, 1996 (local copy).

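**SEED**

- Development and Analysis Report for the 128-bit Block Cipher Algorithm (SEED), Korea Information Security Agency (KISA), 1998.12 (*temporarily unavailable)
- TTA.KO-12.0004: 128-bit Block Cipher Algorithm Standard, 1999.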

**Serpent**

- Serpent home page, Ross Anderson, (source code in C, Python and Ada).
- Serpent page at Technion University, Eli Biham.
- Serpent: A Proposal for the Advanced Encryption Standard, Ross Anderson, Eli Biham, and Lars Knudsen (local copy).
- Serpent Test Values, NIST.
- An Analysis of Serpent-p and Serpent-p-ns, Orr Dunkelman, 2nd AES Conference, February 1999 (local copy).
- Speeding up Serpent, Dag Arne Osvik, March 13, 2000. Presented at the 3rd AES Candidate Conference (local copy).
- Preliminary Cryptanalysis of Reduced-Round Serpent, T. Kohno, John Kelsey, and Bruce Schneier, Third AES Candidate Conference, 2000.
- [Patent] Ross Anderson, Eli Biham, Lars Knudsen, “Fast Block Cipher,” U.K. Patent Application 9722798.9. Filed October 30, 1997.

**Skipjack**

- SKIPJACK and KEA Specifications, NIST, May 1998 (local copy).
- Observations on the SkipJack Encryption Algorithm maintained by Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, and Adi Shamir.
- Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR, E. Biham, A. Biryukov, O. Dunkelman, E. Richardson, and A. Shamir, Proceedings of SAC’98 (local copy).
- Truncated differentials and Skipjack, Lars R. Knudsen, M.J.B. Robshaw, and David Wagner, Proceedings of CRYPTO ’99 (local copy).

**Square**

- The Square Page, Joan Daemen, Lars Knudsen, and Vincent Rijmen.
- The Block Cipher Square, Joan Daemen, Lars Knudsen, and Vincent Rijmen, Fast Software Encryption, LNCS 1267, pp. 149-165. Springer-Verlag, 1997 (local copy).
- Validation data set for Square v1.0, Paulo Barreto.

**Twofish**

- The Twofish: A New Block Cipher Page, Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson.
- Twofish: A 128-bit Block Cipher, Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, 15 June 1998. Presented at the 1st AES Conference.
- Twofish Test Values, NIST.
- On the Twofish Key Schedule, Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, Twofish Technical Report #3, Fifth Annual Workshop on Selected Areas in Cryptography, Springer Verlag, August 1998.
- An Observation on the Key Schedule of Twofish, Fauzan Mirza, and Sean Murphy, Presented at the 2nd AES Conference (local copy).
- The Saturation Attack – a Bait for Twofish, Stefan Lucks.

### Block cipher Modes and Paddings

**ECB/CBC/CFB/OFB modes (common)**

- DES Modes of Operation, NIST FIPS PUB 81, U.S. Department of Commerce, December 1980.
- Part 5: Product Ciphers (5.14), sci.crypt FAQ.

**ECB mode**

**CBC mode**

**CFB mode**

- Cryptanalysis of the CFB mode of the DES with a reduced number of rounds, B. Preneel, M. Nuttin, V. Rijmen, and J. Buelens, Advances in Cryptology, Proceedings Crypto’93, LNCS 773, Springer-Verlag, 1994, pp. 212-223 (local copy).

**OFB mode**

- Analysis of Certain Aspects of Output Feedback Mode, Robert R. Jueneman, Advances in Cryptology – Crypto ’82 Proceedings, Plenum Press, 1982, pp. 99-127 (local copy).
- The average cycle size of the key stream in output feedback encipherment, D.W. Davies, and G.I.P. Parkin, Cryptography, Proceedings of the Workshop on Cryptography, Burg-Feuerstein, Germany, March 29-April 2, 1982, Springer-Verlag, 1983, pp. 263-279. Also in Advances in Cryptology – Crypto ’82 Proceedings, Plenum Press, 1983, pp. 97-98 (local copy(Abstract)).

**Counter mode**

- A Note on NSA’s Dual Counter Mode of Encryption, Pompiliu Donescu, Virgil D. Gligor, and David Wagner, Preliminary version, August 5, 2001. (local copy).
- Comments to NIST Concerning AES-modes of Operations: CTR-mode Encryption, Helger Lipmaa, Phillip Rogaway and David Wagner, in Symmetric Key Block Cipher Modes of Operation Workshop, Baltimore, Maryland, US, 2000, 10 (local copy).
- Section 9.9 Counter Mode, Bruce Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996.

**AONT(All-or-nothing transform)**

- On Perfect and Adaptive Security in Exposure-Resilient Cryptography, Yevgeniy Dodis, Amit Sahai and Adam Smith, Proc. of Eurocrypt’2001, Springer-Verlag, LNCS 2045, pp.301-324, 2001 (local copy).
- The Security of All-Or-Nothing Encryption: Protecting Against Exhaustive Key Search, A. Desai, Full paper of Crypto’2000 Proceedings, Springer-Verlag, LNCS 1880, pp.359-375, 2000 (local copy)
- Exposure-Resilient Functions and All-Or-Nothing Transforms, Ran Canetti, Yevgeniy Dodis, Shai Halevi, Eyal Kushilevitz and Amit Sahai, Proc. of Eurocrypt’2000, Springer-Verlag, LNCS 1807, pp.453-470, 2000 (local copy)
- On the Security Properties of OAEP as an All-or-nothing Transform, Victor Boyko, Full paper of Crypto’99 Proceedings, Springer-Verlag, LNCS 1666, pp.503-518, 1999 (local copy)
- Something About All or Nothing (Transforms), Doug Stinson, Short Notes, 1999 (local copy).
- All-or-nothing encryption and the package transform, R. Rivest, Proc. of FSE’97, Springer-Verlag, LNCS 1267, pp.210-218, 1997 (local copy).

**PKCS Padding**

- PKCS #7: Cryptographic Message Syntax Standard, RSA Security.
- PKCS #5: Password-Based Encryption Standard, RSA Security.

**OneAndZeroes**

**CTS**

- The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms, Ron Rivest, RFC 2040, October 1996. (The “RC5-CTS” mode is equivalent to RC5/CBC/CTS; this gives a source of test vectors, at least for one cipher.)

**NoPadding**

### Stream ciphers

**RC4**

- RC4 page
- Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Adam Stubblefield, John Ioannidis, Aviel D. Rubin, Technical report AT&T, August 06, 2001. (local copy)
- Weaknesses in the key scheduling algorithm of RC4, S. Fluhrer, I. Mantin, A. Shamir, Eighth Annual Workshop on Selected Areas in Cryptography (SAC), August 2001. (local copy)
- A Practical Attack on Broadcast RC4, Mantin and Shamir, FSE 2001. (local copy)
- Statistical Analysis of the Alleged RC4 Key stream Generator, Fluhrer and McGrew, FSE 2000. (local copy)
- Analysis Methods for (Alleged) RC4, Knudsen, Meier, Preneel, Rijmen and Verdoolaege, ASIACRYPT 1998. (local copy)
- Linear Statistical Weakness of Alleged RC4 Key stream Generator, Golic, EUROCRYPT 1997. (local copy)

**SEAL**

- A Software-Optimized Encryption Algorithm, (revised September 1997), P. Rogaway, and D. Coppersmith (local copy).
- Section 6.4.1 SEAL, A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 (local copy).
- X2 [chi-squared] Cryptanalysis of the SEAL Encryption Algorithm, H. Handschuh, and H. Gilbert, Fast Software Encryption – FSE4, LNCS 1267, pp. 1-12, 1997 (local copy).
- [Patent] P. Rogaway, D. Coppersmith
  - “Software-efficient pseudorandom function and the use thereof for encryption,” U.S. Patent 5,454,039, filed December 6 1993, issued September 26 1995.
  - “Software-efficient pseudorandom function and the use thereof for encryption,” U.S. Patent 5,675,652, filed June 7 1995, issued October 7 1997.

### Provable Security of Symmetric Cryptosystem

**Notions of Security**

- A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation, M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, Full paper of 38th Annual Symposium on Foundations of Computer Science Proceedings, IEEE, 1997 (local copy).
- Complete Characterization of Security Notions for Probabilistic Private-Key Encryption, J. Katz and M. Yung, Proc. of STOC’2000, pp.245-254, ACM, 2000.

**Construction**

- New Paradigms for Constructing Symmetric Encryption Schemes Secure Against Chosen-Ciphertext Attack, Anand Desai, Full paper of Crypto’2000 Proceedings, Springer-Verlag, LNCS 1880, pp.394-412, 2000 (local copy).
- Unforgeable Encryption and Adaptively Secure Modes of Operation, K. Katz and M. Yung, Proc. of FSE’00, Springer-Verlag, LNCS 1978, pp.284-299, 2000
- Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm, M. Bellare and C. Namprempre, Full paper of Asiacrypt’2000 Proceedings, Springer-Verlag, LNCS 1976, pp.531-545, 2000 (local copy).
- Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography, M. Bellare and P. Rogaway, Proc. of Asiacrypt’2000, Springer-Verlag, LNCS 1976, pp.317-330, 2000 (local copy).
- The Security of Chaffing and Winnowing, M. Bellare and A. Boldyreva, Full paper of Asiacrypt’2000 Proceedings, Springer-Verlag, LNCS 1976, pp.517-530, 2000 (local copy).
- Chaffing and winnowing: Confidentiality without encryption, R. Rivest, CryptoBytes of RSA Laboratories, vol.4(1):12-17, 1998, summer (local copy).

**Attacks**

- The Rectangle Attack-Rectangling the Serpent, E. Biham, O. Dunkelman and N. Keller, Proc. of Eurocrypt’2001, Springer-Verlag, LNCS 2045, pp.340-357, 2001 (local copy).
- Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, J. Kelsey, T. Kohno, and B. Schneier, Proc. of FSE’2000, Springer-Verlag, LNCS 1978, pp.75-93, 2001 (local copy).
- The boomerang attack, David Wagner, Proc. of FSE’99, Springer-Verlag, LNCS 1636, pp.156-170, 1999 (local copy). (local copy(slide)).
- Advanced Slide Attacks, Alex Biryukov and David Wagner, Proc. of Eurocrypt’2000, Springer-Verlag, LNCS 1807, pp.589-606, 2000 (local copy).
- Slide attacks, Alex Biryukov and David Wagner, Proc. of FSE’99, Springer-Verlag, LNCS 1636, pp.245-259, 1999 (local copy).
- A Chosen-Plaintext Linear Attack on DES, Lars R. Knudsen and John Erik Mathiassen, Proc. of FSE’2000, Springer-Verlag, LNCS 1978, pp.262-272, 2001
- From Differential Cryptanalysis to Ciphertext-Only Attacks, A. Biryukov and E. Kushilevitz, Proc. of CRYPTO’98, Springer-Verlag, LNCS 1462, pp.72-88, 1998 (local copy).
- A chosen plaintext attack of the 16-round Khufu cryptosystem, H. Gilbert and P. Chauvaud, Proc. of Crypto’94, Springer-Verlag, LNCS 839, pp.359-368, 1994
- A new method for known plaintext attack of FEAL cipher, M. Matsui and A. Yamagishi, Proc. of Eurocrypt’92, Springer-Verlag, LNCS 658, pp.81-91, 1992

### Design/Cryptanalysis

**[Collection of papers]**

- Cryptanalysis of Block Ciphers by Thomas Jakobsen (Last update: June 15, 1998).
- Differential Cryptanalysis: A Literature Survey by Terry Ritter.
- Linear Cryptanalysis: A Literature Survey by Terry Ritter.
- Cryptanalysis Papers by Michael Graffam.
- Analysis and design of cryptographic algorithms, R. Anderson.
- Methods of Cryptanalysis, Dr. Alex Biryukov. (Lecture)

**[Paper]**

- A Mathematical Theory of Communication, Claude E. Shannon, Bell System Technical Journal, vol. 27, pp.379-423 and 623-656, July and October, 1948. (local copy).
- Communication Theory of Secrecy Systems, Claude Shannon, Bell System Technical Journal, Vol 28, Oct 1949, pp.656-715.
- Cryptography and Computer Privacy, Horst Feistel, Scientific American, Vol. 228, No.5, 1973.
- A practical approach to the design of high speed self-synchronizing stream ciphers, J. Daemen, R. Govaerts, and J. Vandewalle, Singapore ICCS/ISITA ’92 Conference Proceedings, IEEE, 1992, pp. 279-283 (local copy).
- A Fast Method for Cryptanalysis of Substitution Ciphers, T. Jakobsen, and Thomas Jakobsen, Cryptologia 19(3), July 1995 (local copy).
- Cipher and hash function design. Strategies based on linear and differential cryptanalysis, J. Daemen, Doctoral Dissertation, March 1995.
- Known Plaintext Cryptanalysis of Tree-Structured Block Ciphers, H. Heys and S. Tavares, IEE Electronics Letters, v. 31, n. 10, 1995, pp. 784-785. (Also presented at TRIO Researcher’s Retreat, Kingston, Ontario, May 1994).
- Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis, H. Heys and S. E. Tavares, Journal of Cryptology, v. 9, n. 1, 1996, pp. 1-19. (Also presented at 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, Nov. 1994) (local copy).
- Unbalanced Feistel Networks and Block Cipher Design, B. Schneier and J. Kelsey, Fast Software Encryption, Third International Workshop Proceedings (February 1996), Springer-Verlag, 1996, pp. 121-144.
- Cryptanalysis of Substitution-Permutation Networks Using Key-Dependent Degeneracy, H. Heys and S. Tavares, Cryptologia, v. XX, n. 3, 1996, pp. 258-274 (local copy).
- Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES, J. Kelsey, B. Schneier, and D. Wagner, Advances in Cryptology – Crypto ’96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
- Self-Study Course in Block Cipher Cryptanalysis, B. Schneier, Cryptologia, v.24, n.1, Jan 2000, pp. 18-34. (local copy).

### Related Links/Resources

- NESSIE (New European Schemes for Signatures, Integrity, and Encryption).
- Standard Cryptographic Algorithm Naming.
- Block Ciphers by Helger Lipmaa.
- Block Ciphers: Cryptanalysis by Helger Lipmaa.

- Cryptography A-2-Z, SSH Communications Security Corp.
- Encryption Algorithms based on the Block Cipher Principles, Security.KAIST.
- Cryptography by Michael Graffam.
- Advanced Encryption Standard (AES).
- Public Workshop on Symmetric Key Block Cipher Modes of Operation, NIST, October 20, 2000.
- The Third Advanced Encryption Standard (AES) Candidate Conference, NIST, April 13-14, 2000.
- Second AES Candidate Conference (AES2), NIST, March 22-23, 1999.
- First AES Candidate Conference (AES1), NIST, August 20-22, 1998.

- ISO 8372: 1987, Modes of operation for a 64-bit block cipher algorithm.
- ISO/IEC 10116: 1997, Modes of operation for an n-bit block cipher algorithm (2nd edition).