Academics advise how to keep data secure in a cyber-world

Cyber security experts from the University of Bristol have advised the European Union Agency for Network and Information Security (ENISA) on how to protect the personal data of millions of citizens.

Two reports, edited by Professor Nigel Smart, Professor of Cryptology, have been published by ENISA.

The reports give guidance to corporations, member states, and the wider community about current best scientific practice in the rapidly advancing field of cryptography.

The first report provides a set of proposals in an easy-to-use form, with a focus on commercial online services that collect, store and process the personal data of EU citizens.

The second report focuses on the current status of cryptographic protocols and encourages further research. It gives a quick overview of protocols used in relatively restricted application areas, such as wireless and mobile communications or banking (Bluetooth, WPA/WEP, UMTS/LTE, ZigBee, EMV), and of specific environments, with a focus on cloud computing.

The reports, which also had input from a number of members from the Cryptography Research group in the Department of Computer Science, provide an update to the 2013 cryptographic guidelines report on security measures required to protect personal data in online systems.

Professor Smart said: “It was a joy to work with ENISA once again on the 2014 reports. We received a lot of positive responses from various stakeholders related to last year’s report, and we hope the new reports will have a similar impact.”

http://phys.org/news/2014-11-academics-cyber-world.html

Notes from the ENISA documents

Privacy and cryptography

Cryptography is an essential technical means to provide privacy and privacy-related services. Gürses defines three privacy paradigms: confidentiality, control and practice [6].

  1. In the first paradigm, privacy is ensured by keeping personal data confidential, i.e. protecting it so that unauthorised people cannot access or modify it. This definition of privacy is clearly and strongly linked to classical cryptographic schemes: electronic data can be kept secure by using strong cryptography (and strong keys).
  2. The second paradigm, which is more common in legal texts, adds the ability to control what happens with personal data. This is also called the right to informational self-determination. In this definition, several advanced cryptographic schemes can play an important role, e.g. techniques to reduce the amount of personal data that is released to the strictly required minimum. We discuss briefly some of these cryptographic techniques in the appendix.
  3. The third paradigm defines privacy as transparency on the ways in which information is collected, aggregated and used. Cryptography plays here a much less visible role, but it is still present underneath as the method to enforce the policies formulated with respect to the treatment of personal data.

Security Requirements

Data protection is often described as a process based on three pillars: Confidentiality, Integrity and Availability (CIA). Although these three requirements are definitely very important, the problem of information security has more dimensions than those three.

Forward confidentiality

This property is a stronger form of confidentiality. It applies to systems with a key architecture in which keys with a long lifetime (long-term keys) are used to construct keys with a short lifetime (short-term keys), and all data is encrypted with the short-term keys. The concept of forward security is defined as follows [9, 10]:

A protocol is said to have perfect forward secrecy if compromise of long-term keys does not compromise past session keys.
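As an added illustration of this definition (not part of the ENISA text), the following Python contrasts two key architectures under the same attacker, who records the handshake and only later obtains every long-term key. The DH group parameters are toy values and the HMAC tags stand in for signatures; both are assumptions of this example, not anything the report specifies.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: 2**127 - 1 is a Mersenne prime but is
# far too small for real use, where a standardised DH group or ECDH would be used instead.
P = (1 << 127) - 1
G = 5


def kdf(ikm: bytes, info: bytes) -> bytes:
    """Derive a 32-byte short-term key from key material (HMAC-SHA256 used as a simple KDF)."""
    return hmac.new(ikm, info, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC tag; stands in for a signature so the example stays within the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# Architecture A: the short-term key is derived directly from a long-term shared secret.

def handshake_psk(long_term: bytes) -> tuple[bytes, bytes]:
    """Both sides derive the session key from the long-term secret and a fresh nonce.

    Returns (transcript, session_key). The nonce is sent in clear, so the transcript
    an eavesdropper records is exactly the nonce.
    """
    nonce = secrets.token_bytes(16)
    return nonce, kdf(long_term, b"session" + nonce)


def attack_psk(stolen_long_term: bytes, recorded_nonce: bytes) -> bytes:
    """Attacker who recorded the nonce and later obtains the long-term key: recomputes the key."""
    return kdf(stolen_long_term, b"session" + recorded_nonce)


# Architecture B: ephemeral Diffie-Hellman; long-term keys only authenticate the exchange.

def handshake_dhe(long_term_a: bytes, long_term_b: bytes) -> tuple[dict, bytes]:
    """Session key from an ephemeral DH exchange whose public values are authenticated.

    Returns (transcript, session_key). The ephemeral exponents x and y never leave
    this function, which is what the forward-secrecy property rests on.
    """
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    msg = gx.to_bytes(16, "big") + gy.to_bytes(16, "big")
    transcript = {"gx": gx, "gy": gy, "tag_a": mac(long_term_a, msg), "tag_b": mac(long_term_b, msg)}
    shared = pow(gy, x, P)  # equals pow(gx, y, P) on the other side
    return transcript, kdf(shared.to_bytes(16, "big"), b"session")


def attack_dhe(stolen_a: bytes, stolen_b: bytes, transcript: dict) -> dict:
    """Attacker with the recorded transcript and, later, both long-term keys.

    The stolen keys let the attacker confirm the handshake was genuine (and would let them
    impersonate either party in future handshakes), but the past session key depends on
    x or y, which were never stored: recovering it means solving a discrete logarithm.
    """
    msg = transcript["gx"].to_bytes(16, "big") + transcript["gy"].to_bytes(16, "big")
    authentic = (hmac.compare_digest(transcript["tag_a"], mac(stolen_a, msg))
                 and hmac.compare_digest(transcript["tag_b"], mac(stolen_b, msg)))
    return {"authentic": authentic, "session_key": None}


def compare_architectures() -> dict:
    """Run both architectures, compromise the long-term keys afterwards, and report the outcome."""
    psk = secrets.token_bytes(32)
    nonce, psk_session_key = handshake_psk(psk)

    lt_a, lt_b = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript, dhe_session_key = handshake_dhe(lt_a, lt_b)

    # Both sessions are over; only now does the attacker learn the long-term keys.
    dhe_view = attack_dhe(lt_a, lt_b, transcript)
    return {
        "psk_past_key_recovered": attack_psk(psk, nonce) == psk_session_key,
        "dhe_past_key_recovered": dhe_view["session_key"] == dhe_session_key,
        "dhe_transcript_verified": dhe_view["authentic"],
    }


if __name__ == "__main__":
    for name, outcome in compare_architectures().items():
        print(f"{name}: {outcome}")
```

Architecture A fails the definition because the long-term key alone reproduces every past short-term key; architecture B passes because the long-term keys only ever authenticated public values.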

Algorithms, Key Size and Parameters

Primitives (basic cryptographic building blocks)

Figure 2.1: Just some of the design space for instantiating the ECIES public key encryption algorithm. Note that not all standards documents will support all of these options. To read this diagram: a group of arrows starting with a circle implies the implementer needs to choose one of the resulting paths; a set of three arrows implies a part of the decision tree which we have removed due to space. In addition (again for reasons of space) we do not list all possible choices, e.g. some hash functions can be block cipher based. Even with these restrictions one can see that the design space for a cipher as well studied and understood as ECIES can be quite complex.

Bibliography

  1. ENISA, “Algorithms, Key Size and Parameters Report. 2013 Recommendations,” 2013. [Online]. Available: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
  2. EU, “Commission Regulation (EU) No611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications,” 2013. [Online]. Available: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:en:PDF.
  3. EU, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” 1995. [Online]. Available: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. [Accessed 13 08 2013].
  4. European Commission, “Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012),” 01 2012. [Online]. Available: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. [Accessed 16 07 2013].
  5. ENISA, “Recommendations on technical implementation guidelines of Article 4,” 30 April 2012. [Online]. Available: http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn/art4_tech. [Accessed 8 8 2013].
  6. D. Gollmann, Computer Security, 3rd ed., Wiley, 2011.
  7. F. S. Gürses, Multilateral privacy requirements analysis in online social network services, Leuven: KU Leuven, 2010.
  8. N. Smart, Cryptography, an introduction, 3rd ed., 2009.
  9. C. Paar and J. Pelzl, Understanding cryptography: a textbook for students and practitioners, Heidelberg: Springer, 2009.
  10. A. J. Menezes, S. A. Vanstone and P. Van Oorschot, Handbook of applied cryptography, CRC, 1996.
  11. R. Kissel, M. Scholl, S. Skolochenko and L. Xing, “Guidelines for media sanitization,” Gaithersburg, 2006.
  12. L. R. Knudsen and M. Robshaw, The block cipher companion, Heidelberg: Springer, 2011.
  13. M. Robshaw and O. Billet, Eds., New stream cipher designs, vol. LNCS 4986, Springer, 2008.
  14. C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal, vol. 28, pp. 656-715, 1949.
  15. G. S. Vernam, “Secret signaling system”. U.S. Patent 1310719, 22 7 1919.
  16. E. N. Gilbert, F. J. MacWilliams and N. J. A. Sloane, “Codes which detect deception,” Bell Systems Technical Journal, vol. 53, no. 3, pp. 405-424, 1974.
  17. A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung and C. Wachter, “Ron was wrong, Whit is right,” 2012. [Online]. Available: eprint.iacr.org/2012/064. [Accessed 23 05 2013].
  18. Community framework for electronic signatures, 1999.
  19. V. Rijmen, “Methodology and security measures for securing personal data,” ENISA, 2013.
  20. W. de Jonghe and B. Jacobs, “Privacy-friendly electronic traffic pricing via commits,” Formal Aspects in Security and Trust, vol. LNCS 5491, pp. 143-161, 2008.
  21. A. Rial and G. Danezis, “Privacy-preserving smart metering,” in Proceedings of the 10th annual ACM workshop on privacy in the electronic society, 2011.
  22. B. Chor, E. Kushilevitz, O. Goldreich and M. Sudan, “Private information retrieval,” Journal of the ACM, vol. 45, no. 6, pp. 965-981, 1998.
  23. http://www.keylength.com/
  24. Masayuki Abe, editor. Advances in Cryptology – ASIACRYPT 2010 – 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, 2010. Proceedings, volume 6477 of Lecture Notes in Computer Science. Springer, 2010.
  25. Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors. Selected Areas in Cryptography, 14th International Workshop, SAC 2007, Ottawa, Canada, August 16-17, 2007, Revised Selected Papers, volume 4876 of Lecture Notes in Computer Science. Springer, 2007.
  26. Leonard M. Adleman. The function field sieve. In Leonard M. Adleman and Ming-Deh A. Huang, editors, ANTS, volume 877 of Lecture Notes in Computer Science, pages 108-121. Springer, 1994.
  27. Martin Ågren, Martin Hell, Thomas Johansson, and Willi Meier. Grain-128a: a new version of Grain-128 with optional authentication. IJWMC, 5(1):48-59, 2011.
  28. Mehdi-Laurent Akkar and Christophe Giraud. An implementation of DES and AES, secure against some attacks. In Çetin Kaya Koç et al. [69], pages 309-318.
  29. Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the security of RC4 in TLS. In Samuel T. King, editor, USENIX Security, pages 305-320. USENIX Association, 2013.
  30. Nadhem J. AlFardan and Kenneth G. Paterson. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 2013.
  31. Ammar Alkassar, Alexander Geraldy, Birgit Pfitzmann, and Ahmad-Reza Sadeghi. Optimized self-synchronizing mode of operation. In Mitsuru Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 78-91. Springer, 2001.
  32. Jee Hea An, Yevgeniy Dodis, and Tal Rabin. On the security of joint signature and encryption. In Knudsen [198], pages 83-107.
  33. ANSI X9.102. Symmetric key cryptography for the financial services industry – wrapping of keys and associated data. American National Standard Institute, 2008.
  34. ANSI X9.19. Financial institution retail message authentication. American National Standard Institute, 1996.
  35. ANSI X9.24. Retail financial services symmetric key management part 1: Using symmetric techniques. American National Standard Institute, 2009.
  36. ANSI X9.62. Public key cryptography for the financial services industry – The elliptic curve digital signature algorithm (ECDSA). American National Standard Institute, 2005.
  37. ANSI X9.63. Public key cryptography for the financial services industry – Key agreement and key transport using elliptic curve cryptography. American National Standard Institute, 2011.
  38. ANSI X9.82. Random number generation part 1: Overview and basic principles. American National Standard Institute, 2006.
  39. ANSSI. Référentiel Général de Sécurité, Annexe B1 Mécanismes cryptographiques : Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques, Version 1.20 du 26 janvier 2010. http://www.ssi.gouv.fr/IMG/pdf/RGS_B_1.pdf, 2010.
  40. Kazumaro Aoki, Jian Guo, Krystian Matusiewicz, Yu Sasaki, and Lei Wang. Preimages for step-reduced SHA-2. In Matsui [226], pages 578-597.
  41. Kazumaro Aoki and Yu Sasaki. Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In Halevi [140], pages 70-89.
  42. Dmitri Asonov and Rakesh Agrawal. Keyboard acoustic emanations. In IEEE Symposium on Security and Privacy, pages 3-11. IEEE Computer Society, 2004.
  43. Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir. Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In Orr Dunkelman, editor, FSE, volume 5665 of Lecture Notes in Computer Science, pages 1-22. Springer, 2009.
  44. Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, and Christian Rechberger. New features of latin dances: Analysis of Salsa, ChaCha, and Rumba. In Nyberg [265], pages 470-488.
  45. Steve Babbage and Matthew Dodd. The MICKEY stream ciphers. In Robshaw and Billet [295], pages 191-209.
  46. Boaz Barak and Shai Halevi. A model and architecture for pseudo-random generation with applications to /dev/random. In Vijay Atluri, Catherine Meadows, and Ari Juels, editors, ACM Conference on Computer and Communications Security, pages 203-212. ACM, 2005.
  47. Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. A quasipolynomial algorithm for discrete logarithm in finite fields of small characteristic, 2013.
  48. Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel, and Joe-Kai Tsay. Efficient padding oracle attacks on cryptographic hardware. In Safavi-Naini and Canetti [308], pages 608-625.
  49. Elad Barkan, Eli Biham, and Nathan Keller. Instant ciphertext-only cryptanalysis of GSM encrypted communication. J. Cryptology, 21(3):392-429, 2008.
  50. Gilles Barthe, Benjamin Grégoire, and Santiago Zanella Béguelin. Formal certification of code-based cryptographic proofs. In Zhong Shao and Benjamin C. Pierce, editors, POPL, pages 90-101. ACM, 2009.
  51. Mihir Bellare. New proofs for NMAC and HMAC: Security without collision resistance. In Dwork [101], pages 602-619.
  52. Mihir Bellare, Zvika Brakerski, Moni Naor, Thomas Ristenpart, Gil Segev, Hovav Shacham, and Scott Yilek. Hedged public-key encryption: How to protect against bad randomness. In Matsui [226], pages 232-249.
  53. Mihir Bellare, Anand Desai, E. Jokipii, and Phillip Rogaway. A concrete security treatment of symmetric encryption. In FOCS, pages 394-403. IEEE Computer Society, 1997.
  54. Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Tatsuaki Okamoto, editor, ASIACRYPT, volume 1976 of Lecture Notes in Computer Science, pages 531-545. Springer, 2000.
  55. Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In Alfredo De Santis, editor, EUROCRYPT, volume 950 of Lecture Notes in Computer Science, pages 92-111. Springer, 1994.
  56. Mihir Bellare, Phillip Rogaway, and David Wagner. The EAX mode of operation. In Roy and Meier [305], pages 389-407.
  57. Côme Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cédric Lauradoux, Marine Minier, Thomas Pornin, and Hervé Sibert. Sosemanuk, a fast software-oriented stream cipher. In Robshaw and Billet [295], pages 98-118.
  58. Côme Berbain, Henri Gilbert, and Alexander Maximov. Cryptanalysis of Grain. In Robshaw [294], pages 15-29.
  59. Daniel J. Bernstein. Cache-timing attacks on AES. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf, 2005.
  60. Daniel J. Bernstein. Snuffle 2005: the Salsa20 encryption function, 2007. http://cr.yp.to/snuffle.html.
  61. Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, and Nicko van Someren. Factoring RSA keys from certified smart cards: Coppersmith in the wild. In Sako and Sarkar [309], pages 341-360.
  62. Eli Biham. A fast new DES implementation in software. In Eli Biham, editor, FSE, volume 1267 of Lecture Notes in Computer Science, pages 260-272. Springer, 1997.
  63. Eli Biham and Yaniv Carmeli. Efficient reconstruction of RC4 keys from internal states. In Nyberg [265], pages 270-288.
  64. Eli Biham, Orr Dunkelman, and Nathan Keller. A related-key rectangle attack on the full KASUMI. In Roy [304], pages 443-461.
  65. Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosystems. J. Cryptology, 4(1):3-72, 1991.
  66. Alex Biryukov, editor. Fast Software Encryption, 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, March 26-28, 2007, Revised Selected Papers, volume 4593 of Lecture Notes in Computer Science. Springer, 2007.
  67. Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir. Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In Henri Gilbert, editor, EUROCRYPT, volume 6110 of Lecture Notes in Computer Science, pages 299-319. Springer, 2010.
  68. Alex Biryukov and Dmitry Khovratovich. Related-key cryptanalysis of the full AES-192 and AES-256. In Matsui [226], pages 1-18.
  69. Alex Biryukov, Sourav Mukhopadhyay, and Palash Sarkar. Improved time-memory tradeoffs with multiple data. In Bart Preneel and Stafford E. Tavares, editors, Selected Areas in Cryptography, volume 3897 of Lecture Notes in Computer Science, pages 110-127. Springer, 2005.
  70. John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway. UMAC: Fast and secure message authentication. In Wiener [351], pages 216-233.
  71. S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Updated by RFC 5246.
  72. Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Hugo Krawczyk, editor, CRYPTO, volume 1462 of Lecture Notes in Computer Science, pages 1-12. Springer, 1998.
  73. Lenore Blum, Manuel Blum, and Mike Shub. A simple unpredictable pseudo-random number generator. SIAM J. Comput., 15(2):364-383, 1986.
  74. Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Biclique cryptanalysis of the full AES. In Lee and Wang [212], pages 344-371.
  75. Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 223-238. Springer, 2004.
  76. Dan Boneh and Glenn Durfee. Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory, 46(4):1339-1349, 2000.
  77. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In Kilian [194], pages 213-229.
  78. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Comput., 32(3):586-615, 2003.
  79. Joppe W. Bos and Marcelo E. Kaihara. Playstation 3 computing breaks 2^60 barrier: 112-bit prime ECDLP solved. EPFL Laboratory for cryptologic algorithms – LACAL, 2009.
  80. Cyril Bouvier. Discrete logarithm in GF(2^809) with FFS. Post to NMBRTHRY@LISTSERV.NODAK.EDU, 2013.
  81. Gilles Brassard, editor. Advances in Cryptology – CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings, volume 435 of Lecture Notes in Computer Science. Springer, 1990.
  82. Ernest F. Brickell, David Pointcheval, Serge Vaudenay, and Moti Yung. Design validations for discrete logarithm based signature schemes. In Hideki Imai and Yuliang Zheng, editors, Public Key Cryptography, volume 1751 of Lecture Notes in Computer Science, pages 276-292. Springer, 2000.
  83. Julien Brouchier, Tom Kean, Carol Marsh, and David Naccache. Temperature attacks. IEEE Security & Privacy, 7(2):79-82, 2009.
  84. Daniel R. L. Brown. Generic groups, collision resistance, and ECDSA. Des. Codes Cryptography, 35(1):119-152, 2005.
  85. Daniel R. L. Brown and Kristian Gjøsteen. A security analysis of the NIST SP 800-90 elliptic curve random number generator. In Alfred Menezes, editor, CRYPTO, volume 4622 of Lecture Notes in Computer Science, pages 466-481. Springer, 2007.
  86. BSI. Kryptographische Verfahren: Empfehlungen und Schlüssellängen. BSI TR-02102 Version 2013.2, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102_pdf.pdf?__blob=publicationFile, 2013.
  87. Bundesnetzagentur. Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung. http://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/2013Algorithmenkatalog.pdf?__blob=publicationFile&v=1, 2013.
  88. Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. In Koblitz [199], pages 1-15.
  89. Christophe De Cannière and Christian Rechberger. Preimages for reduced SHA-0 and SHA-1. In Wagner [345], pages 179-202.
  90. Anne Canteaut and Kapalee Viswanathan, editors. Progress in Cryptology – INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings, volume 3348 of Lecture Notes in Computer Science. Springer, 2004.
  91. Larry Carter and Mark N. Wegman. Universal classes of hash functions. J. Comput. Syst. Sci., 18(2):143-154, 1979.
  92. Çetin Kaya Koç, David Naccache, and Christof Paar, editors. Cryptographic Hardware and Embedded Systems – CHES 2001, Third International Workshop, Paris, France, May 14-16, 2001, Proceedings, volume 2162 of Lecture Notes in Computer Science. Springer, 2001.
  93. Certicom. Certicom announces elliptic curve cryptosystem (ECC) challenge winner. Certicom Press Release, 2009.
  94. Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham. On the practical exploitability of Dual EC in TLS implementations. In USENIX Security Symposium, 2014.
  95. Liqun Chen and Zhaohui Cheng. Security proof of Sakai-Kasahara’s identity-based encryption scheme. In Nigel P. Smart, editor, IMA Int. Conf., volume 3796 of Lecture Notes in Computer Science, pages 442-459. Springer, 2005.
  96. Liqun Chen, Zhaohui Cheng, John Malone-Lee, and Nigel P. Smart. An efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proc. Information Security, 153:19-26, 2006.
  97. Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In Vaudenay [343], pages 1-11.
  98. Olivier Chevassut, Pierre-Alain Fouque, Pierrick Gaudry, and David Pointcheval. Key derivation and randomness extraction. IACR Cryptology ePrint Archive, 2005:61, 2005.
  99. Joo Yeon Cho and Miia Hermelin. Improved linear cryptanalysis of Sosemanuk. In Donghoon Lee and Seokhie Hong, editors, ICISC, volume 5984 of Lecture Notes in Computer Science, pages 101-117. Springer, 2009.
  100. Carlos Cid and Gaëtan Leurent. An analysis of the XSL algorithm. In Roy [304], pages 333-352.
  101. Don Coppersmith. Finding a small root of a bivariate integer equation; Factoring with high bits known. In Maurer [227], pages 178-189.
  102. Don Coppersmith. Finding a small root of a univariate modular equation. In Maurer [227], pages 155-165.
  103. Don Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology, 10(4):233-260, 1997.
  104. Don Coppersmith, Matthew K. Franklin, Jacques Patarin, and Michael K. Reiter. Low-exponent RSA with related messages. In Maurer [227], pages 1-9.
  105. Jean-Sébastien Coron. On the exact security of full domain hash. In Mihir Bellare, editor, CRYPTO, volume 1880 of Lecture Notes in Computer Science, pages 229-235. Springer, 2000.
  106. Jean-Sébastien Coron. Optimal security proofs for PSS and other signature schemes. In Knudsen [198], pages 272-287.
  107. Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier. New attacks on PKCS#1 v1.5 encryption. In Bart Preneel, editor, EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, pages 369-381. Springer, 2000.
  108. Jean-Sébastien Coron, David Naccache, and Julien P. Stern. On the security of RSA padding. In Wiener [351], pages 1-18.
  109. Jean-Sébastien Coron, David Naccache, Mehdi Tibouchi, and Ralf-Philipp Weinmann. Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. In Halevi [140], pages 428-444.
  110. Nicolas Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. In Yuliang Zheng, editor, ASIACRYPT, volume 2501 of Lecture Notes in Computer Science, pages 267-287. Springer, 2002.
  111. Ronald Cramer, editor. Advances in Cryptology – EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of Lecture Notes in Computer Science. Springer, 2005.
  112. Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES – The Advanced Encryption Standard. Springer, 2002.
  113. Ivan Damgård. A design principle for hash functions. In Brassard [58], pages 416-427.
  114. Nasser Ramazani Darmian. A distinguish attack on Rabbit stream cipher based on multiple cube tester. IACR Cryptology ePrint Archive, 2013:780, 2013.
  115. Debian. Debian Security Advisory DSA-1571-1: OpenSSL – predictable random number generator, 2008. http://www.debian.org/security/2008/dsa-1571.
  116. Jean Paul Degabriele, Anja Lehmann, Kenneth G. Paterson, Nigel P. Smart, and Mario Strefler. On the joint security of encryption and signature in EMV. In Orr Dunkelman, editor, CT-RSA, volume 7178 of Lecture Notes in Computer Science, pages 116-135. Springer, 2012.
  117. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176.
  118. Itai Dinur, Orr Dunkelman, and Adi Shamir. Improved practical attacks on round-reduced Keccak. J. Cryptology, 27(2):183-209, 2014.
  119. Itai Dinur, Pawel Morawiecki, Josef Pieprzyk, Marian Srebrny, and Michal Straus. Practical complexity cube attacks on round-reduced Keccak sponge function. IACR Cryptology ePrint Archive, 2014:13, 2014.
  120. Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Security analysis of pseudo-random number generators with input: /dev/random is not robust. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM Conference on Computer and Communications Security, pages 647-658. ACM, 2013.
  121. Yevgeniy Dodis, Adi Shamir, Noah Stephens-Davidowitz, and Daniel Wichs. How to eat your entropy and have it too – optimal recovery strategies for compromised RNGs. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO (2), volume 8617 of Lecture Notes in Computer Science, pages 37-54. Springer, 2014.
  122. Leo Dorrendorf, Zvi Gutterman, and Benny Pinkas. Cryptanalysis of the random number generator of the Windows operating system. ACM Trans. Inf. Syst. Secur., 13(1), 2009.
  123. Orr Dunkelman, Nathan Keller, and Adi Shamir. A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In Rabin [290], pages 393-410.
  124. Cynthia Dwork, editor. Advances in Cryptology – CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings, volume 4117 of Lecture Notes in Computer Science. Springer, 2006.
  125. E. A. Grechnikov. Collisions for 72-step and 73-step SHA-1: Improvements in the method of characteristics. Cryptology ePrint Archive, Report 2010/413, 2010. http://eprint.iacr.org/.
  126. D. Eastlake 3rd, J. Schiller, and S. Crocker. Randomness Requirements for Security. RFC 4086 (Best Current Practice), June 2005.
  127. ECRYPT II NoE. ECRYPT II Yearly Report on Algorithms and Key Lengths (2008-2009). ECRYPT II deliverable D.SPA.7-1.0, 2009.
  128. ECRYPT II NoE. ECRYPT II Yearly Report on Algorithms and Key Lengths (2009-2010). ECRYPT II deliverable D.SPA.13-1.0, 2010.
  129. ECRYPT II NoE. ECRYPT II Yearly Report on Algorithms and Key Lengths (2010-2011). ECRYPT II deliverable D.SPA.17-1.0, 2011.
  130. ECRYPT II NoE. ECRYPT II Yearly Report on Algorithms and Key Lengths (2011-2012). ECRYPT II deliverable D.SPA.20-1.0, 2012.
  131. ECRYPT NoE. ECRYPT Yearly Report on Algorithms and Key Lengths (2004). ECRYPT deliverable D.SPA.10-1.1, 2004.
  132. ECRYPT NoE. ECRYPT Yearly Report on Algorithms and Key Lengths (2005). ECRYPT deliverable D.SPA.16-1.0, 2005.
  133. ECRYPT NoE. ECRYPT Yearly Report on Algorithms and Key Lengths (2006). ECRYPT deliverable D.SPA.21-1.0, 2006.
  134. ECRYPT NoE. ECRYPT Yearly Report on Algorithms and Key Lengths (2007-2008). ECRYPT deliverable D.SPA.28-1.0, 2008.
  135. ENISA. The use of cryptographic techniques in Europe. http://www.enisa.europa.eu/activities/identity-and-trust/library/the-use-of-cryptographic-techniques-in-europe, 2011.
  136. ENISA. Algorithms, key size and parameters report – 2013 recommendations. ENISA XXXX, 2013.
  137. ENISA. Protocols report – 2014 recommendations. ENISA XXXX, 2014.
  138. Matthias Ernst, Ellen Jochemsz, Alexander May, and Benne de Weger. Partial key exposure attacks on RSA up to full size exponents. In Cramer [88], pages 371-386.
  139. ETSI TS 102 176-. Electronic signatures and infrastructures (ESI); Algorithms and parameters for secure electronic signatures; Part 1: Hash functions and asymmetric algorithms. European Telecommunications Standards Institute, 2007.
  140. ETSI/SAGE Specification. Specification of the 3GPP Confidentiality and Integrity Algorithms. Document 2: Kasumi Algorithm Specification. ETSI/SAGE, 2011.
  141. EU. EC regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:en:PDF.
  142. European Payments Council. Guidelines on algorithms usage and key management, 2013.
  143. Federal Information Processing Standards Publication 197. Advanced encryption standard (AES). National Institute of Standards and Technology, 2001.
  144. Federal Information Processing Standards Publication 202. SHA-3 standard: Permutation-based hash and extendable-output functions (draft). National Institute of Standards and Technology, 2014.
  145. Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu, and Dengguo Feng. A byte-based guess and determine attack on Sosemanuk. In Abe [1], pages 146-157.
  146. Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley, 2010.
  147. Jens Franke. RSA576. Post to various internet discussion boards/email lists, 2003.
  148. Jens Franke. RSA576. Post to various internet discussion boards/email lists, 2005.
  149. Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA-OAEP is secure under the RSA assumption. In Kilian [194], pages 260-274.
  150. G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche. The Keccak sponge function family. http://keccak.noekeon.org/.
  151. Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic analysis: Concrete results. In Çetin Kaya Koç et al. [69], pages 251-261.
  152. Pierrick Gaudry, Florian Hess, and Nigel P. Smart. Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology, 15(1):19-46, 2002.
  153. Danilo Gligoroski, Suzana Andova, and Svein J. Knapskog. On the importance of the key separation principle for different modes of operation. In Liqun Chen, Yi Mu, and Willy Susilo, editors, ISPEC, volume 4991 of Lecture Notes in Computer Science, pages 404-418. Springer, 2008.
  154. Ian Goldberg and David Wagner. Randomness and the Netscape browser, 1996. http://www.drdobbs.com/windows/184409807.
  155. Daniel M. Gordon. Discrete logarithms in GF(P) using the number field sieve. SIAM J. Discrete Math., 6(1):124-138, 1993.
  156. GOST R 34-10-2001. Information technology – Cryptography data security – Formation and verification process of [electronic] signatures. State Standard of the Russian Federation, 2001.
  157. Louis Goubin and Ange Martinelli. Protecting AES with Shamir’s secret sharing scheme. In Bart Preneel and Tsuyoshi Takagi, editors, CHES, volume 6917 of Lecture Notes in Computer Science, pages 79-94. Springer, 2011.
  158. Robert Granger. Discrete logarithms in GF(2^6120). Post to NMBRTHRY@LISTSERV.NODAK.EDU, 2013.
  159. Jian Guo, San Ling, Christian Rechberger, and Huaxiong Wang. Advanced meet-in-the middle preimage attacks: First results on full Tiger, and improved results on MD4 and SHA-2. In Abe [1], pages 56-75.
  160. Peter Gutmann. Software generation of practically strong random numbers. In Aviel D. Rubin, editor, USENIX Security. USENIX Association, 1998.
  161. Zvi Gutterman, Benny Pinkas, and Tzachy Reinman. Analysis of the linux random number generator. In IEEE Symposium on Security and Privacy, pages 371-385. IEEE Computer Society, 2006.
  162. Shai Halevi. EME*: Extending EME to handle arbitrary-length messages with associated data. In Canteaut and Viswanathan [67], pages 315-327.
  163. Shai Halevi, editor. Advances in Cryptology – CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Computer Science. Springer, 2009.
  164. Shai Halevi and Phillip Rogaway. A parallelizable enciphering mode. In Okamoto [267], pages 292-304.
  165. Mike Hamburg, Paul Kocher, and Mark E. Marson. Analysis of Intel’s Ivy Bridge digital random number generator, March 2012. http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf.
  166. Helena Handschuh and Bart Preneel. Key-recovery attacks on universal hash function based MAC algorithms. In Wagner [345], pages 144-161.
  167. D. Harkins. Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES). RFC 5297 (Informational), October 2008.
  168. D. Harkins and D. Carrel. The Internet Key Exchange (IKE). RFC 2409 (Proposed Standard), November 1998. Obsoleted by RFC 4306, updated by RFC 4109.
  169. Johan Håstad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336-341, 1988.
  170. Johan Håstad and Mats Näslund. The security of all RSA and discrete log bits. J. ACM, 51(2):187-230, 2004.
  171. Martin Hell, Thomas Johansson, Alexander Maximov, and Willi Meier. The Grain family of stream ciphers. In Robshaw and Billet [295], pages 179-190.
  172. Martin Hell, Thomas Johansson, and Willi Meier. Grain: a stream cipher for constrained environments. IJWMC, 2(1):86-93, 2007.
  173. Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In USENIX Security Symposium – 2012, pages 205-220, 2012.
  174. Mathias Herrmann and Alexander May. Maximizing small root bounds by linearization and applications to small secret exponent RSA. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 53-69. Springer, 2010.
  175. Erwin Hess, Marcus Schafheutle, and Pascale Serf. The digital signature scheme ECGDSA, 2006.
  176. R. Housley and M. Dworkin. Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm. RFC 5649 (Informational), August 2009.
  177. Nick Howgrave-Graham and Nigel P. Smart. Lattice attacks on digital signature schemes. Des. Codes Cryptography, 23(3):283-290, 2001.
  178. IEEE P1363.3 (Draft D5). Identity-based public key cryptography using pairings. Institute of Electrical and Electronics Engineers Standard, 2012.
  179. Sebastiaan Indesteege, Florian Mendel, Bart Preneel, and Christian Rechberger. Collisions and other non-random properties for step-reduced SHA-256. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages 276-293. Springer, 2008.
  180. Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 463-481. Springer, 2003.
  181. Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full plaintext recovery attack on broadcast RC4. In Moriai [239], pages 179-202.
  182. ISO/IEC 10118-2:2010. Information technology – Security techniques – Hash-functions – Part 2: Hash-functions using an n-bit block cipher. International Organization for Standardization, 2010.
  183. ISO/IEC 11770-6. Information technology – Security techniques – Key management – Part 6: Key derivation. International Organization for Standardization, Under Development.
  184. ISO/IEC 14888-3. Information technology – Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms. International Organization for Standardization, 2009.
  185. ISO/IEC 14888-3. Information technology – Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms – Amendment 1. International Organization for Standardization, 2009.
  186. ISO/IEC 18031. Information technology – Security techniques – Random bit generator. International Organization for Standardization, 2011.
  187. ISO/IEC 18033-2. Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric Ciphers. International Organization for Standardization, 2006.
  188. ISO/IEC 18033-4. Information technology – Security techniques – Encryption algorithms – Part 4: Stream ciphers. International Organization for Standardization, 2011.
  189. ISO/IEC 19772. Information technology – Security techniques – authenticated encryption. International Organization for Standardization, 2009.
  191. ISO/IEC 29192-3. Information technology – Security techniques – Lightweight cryptography – Part 3: Stream ciphers. International Organization for Standardization, 2012.
  192. ISO/IEC 9796-2. Information technology – Security techniques – Digital signatures giving message recovery – Part 2: Integer factorization based schemes. International Organization for Standardization, 2010.
  193. ISO/IEC 9797-1:2011. Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher. International Organization for Standardization, 2011.
  194. ISO/IEC 9797-2:2011. Information technology – Security techniques – Message Authentication Codes (MACs) – Part 2: Mechanisms using a dedicated hash-function. International Organization for Standardization, 2011.
  195. Tetsu Iwata and Kaoru Kurosawa. OMAC: One-key CBC MAC. In Thomas Johansson, editor, FSE, volume 2887 of Lecture Notes in Computer Science, pages 129-153. Springer, 2003.
  196. Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu. Breaking and repairing GCM security proofs. In Safavi-Naini and Canetti [308], pages 31-49.
  197. Thomas Johansson and Phong Q. Nguyen, editors. Advances in Cryptology – EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science. Springer, 2013.
  198. Jakob Jonsson. Security proofs for the RSA-PSS signature scheme and its variants. Cryptology ePrint Archive, Report 2001/053, 2001. http://eprint.iacr.org/.
  199. Jakob Jonsson. On the security of CTR + CBC-MAC. In Kaisa Nyberg and Howard M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 76-93. Springer, 2002.
  200. Niels Ferguson. Authentication weaknesses in GCM. Comment to NIST on the choice between CWC and GCM, 2005. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf.
  201. Antoine Joux. Comments on the draft GCM specification – authentication failures in NIST version of GCM. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf.
  202. Antoine Joux. Discrete logarithms in GF(2^6168). Post to NMBRTHRY@LISTSERV.NODAK.EDU, 2013.
  203. Antoine Joux. Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields. In Johansson and Nguyen [174], pages 177-193.
  204. Antoine Joux. A new index calculus algorithm with complexity $$L(1/4+o(1))$$ in small characteristic. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 355-379. Springer, 2013.
  205. Antoine Joux, Reynald Lercier, Nigel P. Smart, and Frederik Vercauteren. The number field sieve in the medium prime case. In Dwork [101], pages 326-344.
  206. Marc Joye and Sung-Ming Yen. The Montgomery powering ladder. In Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, editors, CHES, volume 2523 of Lecture Notes in Computer Science, pages 291-302. Springer, 2002.
  207. Hendrik W. Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 126(3):649-673, 1987.
  208. Saqib A. Kakvi and Eike Kiltz. Optimal security proofs for full domain hash, revisited. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages 537-553. Springer, 2012.
  209. B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898 (Informational), September 2000.
  210. Seny Kamara and Jonathan Katz. How to encrypt with a malicious random number generator. In Nyberg [265], pages 303-315.
  211. Ju-Sung Kang, Sang Uk Shin, Dowon Hong, and Okyeon Yi. Provable security of KASUMI and 3GPP encryption mode f8. In Colin Boyd, editor, ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pages 255-271. Springer, 2001.
  212. Orhun Kara and Cevat Manap. A new class of weak keys for Blowfish. In Biryukov [43], pages 167-180.
  213. Emilia Käsper and Peter Schwabe. Faster and timing-attack resistant AES-GCM. In Christophe Clavier and Kris Gaj, editors, CHES, volume 5747 of Lecture Notes in Computer Science, pages 1-17. Springer, 2009.
  214. C. Kaufman. Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard), December 2005. Obsoleted by RFC 5996, updated by RFC 5282.
  215. John Kelsey, Bruce Schneier, and Niels Ferguson. Yarrow-160: Notes on the design and analysis of the Yarrow cryptographic pseudorandom number generator. In Howard M. Heys and Carlisle M. Adams, editors, Selected Areas in Cryptography, volume 1758 of Lecture Notes in Computer Science, pages 13-33. Springer, 1999.
  216. John Kelsey, Bruce Schneier, David Wagner, and Chris Hall. Cryptanalytic attacks on pseudorandom number generators. In Serge Vaudenay, editor, FSE, volume 1372 of Lecture Notes in Computer Science, pages 168-188. Springer, 1998.
  217. Joe Kilian, editor. Advances in Cryptology – CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, volume 2139 of Lecture Notes in Computer Science. Springer, 2001.
  218. A. Kircanski and A. M. Youssef. On the sliding property of SNOW 3G and SNOW 2.0. IET Inf. Secur., 5(4):199-206, 2011.
  219. Thorsten Kleinjung. Discrete logarithms in GF(p) – 160 digits. Post to NMBRTHRY@LISTSERV.NODAK.EDU, 2007.
  220. Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman J. J. te Riele, Andrey Timofeev, and Paul Zimmermann. Factorization of a 768-bit RSA modulus. In Rabin [290], pages 333-350.
  221. Lars R. Knudsen, editor. Advances in Cryptology – EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28 – May 2, 2002, Proceedings, volume 2332 of Lecture Notes in Computer Science. Springer, 2002.
  222. Neal Koblitz, editor. Advances in Cryptology – CRYPTO ’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings, volume 1109 of Lecture Notes in Computer Science. Springer, 1996.
  223. Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Koblitz [199], pages 104-113.
  224. Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In Wiener [351], pages 388-397.
  225. Tadayoshi Kohno, John Viega, and Doug Whiting. CWC: A high-performance conventional authenticated encryption mode. In Roy and Meier [305], pages 408-426.
  226. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997.
  227. Hugo Krawczyk. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In Kilian [194], pages 310-331.
  228. Hugo Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In Rabin [290], pages 631-648.
  229. Hugo Krawczyk. HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869 (Informational), 2010.
  230. Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee. On the security of the TLS protocol: A systematic analysis. In Ran Canetti and Juan A. Garay, editors, CRYPTO (1), volume 8042 of Lecture Notes in Computer Science, pages 429-448. Springer, 2013.
  231. T. Krovetz. UMAC: Message Authentication Code using Universal Hashing. RFC 4418 (Informational), March 2006.
  232. Patrick Lacharme, Andrea Röck, Vincent Strubel, and Marion Videau. The Linux pseudorandom number generator revisited. IACR Cryptology ePrint Archive, 2012:251, 2012.
  233. Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound distinguishers: Results on the full Whirlpool compression function. In Matsui [226], pages 126-143.
  234. Franck Landelle and Thomas Peyrin. Cryptanalysis of full RIPEMD-128. In Johansson and Nguyen [174], pages 228-244.
  235. Dong Hoon Lee and Xiaoyun Wang, editors. Advances in Cryptology – ASIACRYPT 2011 – 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, volume 7073 of Lecture Notes in Computer Science. Springer, 2011.
  236. Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park. Cryptanalysis of Sosemanuk and SNOW 2.0 using linear masks. In Josef Pieprzyk, editor, ASIACRYPT, volume 5350 of Lecture Notes in Computer Science, pages 524-538. Springer, 2008.
  237. Arjen Lenstra. Key lengths. In Hossein Bidgoli, editor, Handbook of Information Security: Volume II: Information Warfare; Social, Legal, and International Issues; and Security Foundations, pages 617-635. Wiley, 2004.
  238. Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter. Public keys. In Safavi-Naini and Canetti [308], pages 626-642.
  239. Arjen K. Lenstra and Hendrik W. Lenstra. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.
  240. Arjen K. Lenstra and Eric R. Verheul. Selecting cryptographic key sizes. Datenschutz und Datensicherheit, 24(3), 2000.
  241. Gaëtan Leurent. Message freedom in MD4 and MD5 collisions: Application to APOP. In Biryukov [43], pages 309-328.
  242. Chu-Wee Lim and Khoongming Khoo. An analysis of XSL applied to BES. In Biryukov [43], pages 242-253.
  243. Moses Liskov and Kazuhiko Minematsu. Comments on the proposal to approve XTS-AES – Comments on XTS-AES. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/XTS_comments-Liskov_Minematsu.pdf.
  244. Yi Lu, Willi Meier, and Serge Vaudenay. The conditional correlation attack: A practical attack on Bluetooth encryption. In Shoup [325], pages 97-117.
  245. Subhamoy Maitra and Goutam Paul. New form of permutation bias and secret key leakage in keystream bytes of RC4. In Nyberg [265], pages 253-269.
  246. James Manger. A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized in PKCS #1 v2.0. In Kilian [194], pages 230-238.
  247. M. Matsui, J. Nakajima, and S. Moriai. A Description of the Camellia Encryption Algorithm. RFC 3713 (Informational), April 2004.
  248. Mitsuru Matsui. Linear cryptanalysis method for DES cipher. In Tor Helleseth, editor, EUROCRYPT, volume 765 of Lecture Notes in Computer Science, pages 386-397. Springer, 1993.
  249. Mitsuru Matsui, editor. Advances in Cryptology – ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, volume 5912 of Lecture Notes in Computer Science. Springer, 2009.
  250. Ueli M. Maurer, editor. Advances in Cryptology – EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12-16, 1996, Proceedings, volume 1070 of Lecture Notes in Computer Science. Springer, 1996.
  251. Alexander Maximov and Alex Biryukov. Two trivial attacks on Trivium. In Adams et al. [2], pages 36-55.
  252. Alexander Maximov and Dmitry Khovratovich. New state recovery attack on RC4. In Wagner [345], pages 297-316.
  253. David A. McGrew. Efficient authentication of large, dynamic data sets using Galois/Counter mode (GCM). In IEEE Security in Storage Workshop, pages 89-94. IEEE Computer Society, 2005.
  254. David A. McGrew and John Viega. The security and performance of the Galois/Counter mode (GCM) of operation. In Canteaut and Viswanathan [67], pages 343-355.
  255. Florian Mendel, Tomislav Nad, Stefan Scherz, and Martin Schläffer. Differential attacks on reduced RIPEMD-160. In Dieter Gollmann and Felix C. Freiling, editors, ISC, volume 7483 of Lecture Notes in Computer Science, pages 23-38. Springer, 2012.
  256. Florian Mendel, Tomislav Nad, and Martin Schläffer. Improving local collisions: New attacks on reduced SHA-256. In Johansson and Nguyen [174], pages 262-278.
  257. Florian Mendel, Thomas Peyrin, Martin Schläffer, Lei Wang, and Shuang Wu. Improved cryptanalysis of reduced RIPEMD-160. In Sako and Sarkar [309], pages 484-503.
  258. Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen. On the collision resistance of RIPEMD-160. In Sokratis K. Katsikas, Javier Lopez, Michael Backes, Stefanos Gritzalis, and Bart Preneel, editors, ISC, volume 4176 of Lecture Notes in Computer Science, pages 101-116. Springer, 2006.
  259. Florian Mendel, Christian Rechberger, and Martin Schläffer. Update on SHA-1. Presented at Rump Session of Crypto 2007, 2007.
  260. Alfred Menezes, Tatsuaki Okamoto, and Scott A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39(5):1639-1646, 1993.
  261. Ralph C. Merkle. A certified digital signature. In Brassard [58], pages 218-238.
  262. Shiho Moriai, editor. Fast Software Encryption – 20th International Workshop, FSE 2013, Singapore, March 11-13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science. Springer, 2014.
  263. Sean Murphy and Matthew J. B. Robshaw. Essential algebraic structure within the AES. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 1-16. Springer, 2002.
  264. Chanathip Namprempre, Phillip Rogaway, and Thomas Shrimpton. Reconsidering generic composition. In Phong Q. Nguyen and Elisabeth Oswald, editors, EUROCRYPT, volume 8441 of Lecture Notes in Computer Science, pages 257-274. Springer, 2014.
  265. Mridul Nandi. A unified method for improving PRF bounds for a class of blockcipher based MACs. In Seokhie Hong and Tetsu Iwata, editors, FSE, volume 6147 of Lecture Notes in Computer Science, pages 212-229. Springer, 2010.
  266. National Security Agency. Suite B cryptography. http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml, 2009.
  267. Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. Hash function requirements for Schnorr signatures. J. Mathematical Cryptology, 3(1):69-87, 2009.
  268. Phong Q. Nguyen and Igor Shparlinski. The insecurity of the digital signature algorithm with partially known nonces. J. Cryptology, 15(3):151-176, 2002.
  269. Phong Q. Nguyen and Igor Shparlinski. The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptography, 30(2):201-217, 2003.
  270. Svetla Nikova, Vincent Rijmen, and Martin Schläffer. Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptology, 24(2):292-321, 2011.
  271. FIPS PUB 180-4. Secure hash standard (SHS). National Institute of Standards and Technology, 2012.
  272. FIPS PUB 186-4. Digital signature standard (DSS). National Institute of Standards and Technology, 2013.
  273. FIPS PUB 198-1. The keyed-hash message authentication code (HMAC). National Institute of Standards and Technology, 2008.
  274. NIST Special Publication 800-108. Recommendation for key derivation using pseudorandom functions. National Institute of Standards and Technology, 2009.
  275. NIST Special Publication 800-130. A framework for designing cryptographic key management systems. National Institute of Standards and Technology, 2013.
  276. NIST Special Publication 800-132. Recommendation for password-based key derivation – Part 1: Storage applications. National Institute of Standards and Technology, 2010.
  277. NIST Special Publication 800-38A. Recommendation for block cipher modes of operation – Modes and techniques. National Institute of Standards and Technology, 2001.
  278. NIST Special Publication 800-38C. Recommendation for block cipher modes of operation – The CCM mode for authentication and confidentiality. National Institute of Standards and Technology, 2004.
  279. NIST Special Publication 800-38D. Recommendation for block cipher modes of operation – Galois/Counter Mode (GCM) and GMAC. National Institute of Standards and Technology, 2007.
  280. NIST Special Publication 800-38E. Recommendation for block cipher modes of operation – The XTS-AES mode for confidentiality on storage devices. National Institute of Standards and Technology, 2010.
  281. NIST Special Publication 800-38F. Recommendation for block cipher modes of operation – Methods for Key Wrapping. National Institute of Standards and Technology, 2012.
  282. NIST Special Publication 800-56A. Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography. National Institute of Standards and Technology, 2007.
  283. NIST Special Publication 800-56B. Recommendation for pair-wise key establishment schemes using integer factorization cryptography. National Institute of Standards and Technology, 2009.
  284. NIST Special Publication 800-56C. Recommendation for key derivation through extraction-then-expansion. National Institute of Standards and Technology, 2009.
  285. NIST Special Publication 800-57. Recommendation for key management – Part 1: General (Revision 3). National Institute of Standards and Technology, 2012.
  286. NIST Special Publication 800-67-Rev1. Recommendation for the triple data encryption standard algorithm (TDEA) block cipher. National Institute of Standards and Technology, 2012.
  287. NIST Special Publication 800-90A. Recommendation for random number generation using deterministic random bit generators. National Institute of Standards and Technology, 2012.
  288. Kaisa Nyberg, editor. Fast Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 10-13, 2008, Revised Selected Papers, volume 5086 of Lecture Notes in Computer Science. Springer, 2008.
  289. Kaisa Nyberg and Johan Wallén. Improved linear distinguishers for SNOW 2.0. In Robshaw [294], pages 144-162.
  290. Tatsuaki Okamoto, editor. Topics in Cryptology – CT-RSA 2004, The Cryptographers’ Track at the RSA Conference 2004, San Francisco, CA, USA, February 23-27, 2004, Proceedings, volume 2964 of Lecture Notes in Computer Science. Springer, 2004.
  291. H. Orman and P. Hoffman. Determining Strengths For Public Keys Used For Exchanging Symmetric Keys. RFC 3766 (Best Current Practice), April 2004.
  292. Christof Paar and Jan Pelzl. Understanding cryptography: A textbook for students and practitioners. Springer, 2009.
  293. Kenneth G. Paterson, Jacob C. N. Schuldt, and Dale L. Sibborn. Related randomness attacks for public key encryption. In Hugo Krawczyk, editor, Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, pages 465-482. Springer, 2014.
  294. Kenneth G. Paterson, Jacob C. N. Schuldt, Martijn Stam, and Susan Thomson. On the joint security of encryption and signature, revisited. In Lee and Wang [212], pages 161-178.
  295. Kenneth G. Paterson and Arnold K. L. Yau. Padding Oracle Attacks on the ISO CBC Mode Encryption Standard. In Okamoto [267], pages 305-323.
  296. C. Percival and S. Josefsson. The scrypt Password-Based Key Derivation Function draft-josefsson-scrypt-kdf-01. Internet-Draft (Informational), September 2012.
  297. Erez Petrank and Charles Rackoff. CBC MAC for real-time data sources. J. Cryptology, 13(3):315-338, 2000.
  298. Raphael Chung-Wei Phan. Related-key attacks on triple-DES and DESX variants. In Okamoto [267], pages 15-24.
  299. Krzysztof Pietrzak. A tight bound for EMAC. In Michele Bugliesi, Bart Preneel, Vladimiro Sassone, and Ingo Wegener, editors, ICALP (2), volume 4052 of Lecture Notes in Computer Science, pages 168-179. Springer, 2006.
  300. Leon A. Pintsov and Scott A. Vanstone. Postal revenue collection in the digital age. In Yair Frankel, editor, Financial Cryptography, 4th International Conference, FC 2000 Anguilla, British West Indies, February 20-24, 2000, Proceedings, volume 1962 of Lecture Notes in Computer Science, pages 105-120. Springer, 2000.
  301. PKCS #1 v1.5. RSA cryptography standard. RSA Laboratories, 1993.
  302. PKCS #1 v2.1. RSA cryptography standard. RSA Laboratories, 2002.
  303. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361-396, 2000.
  304. David Pointcheval and Serge Vaudenay. On provable security for digital signature algorithms. Technical Report LIENS-96-17, 1996.
  305. John M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comput., 32(143):918-924, 1978.
  306. Thomas Popp and Stefan Mangard. Masked dual-rail pre-charge logic: DPA-resistance without routing constraints. In Josyula R. Rao and Berk Sunar, editors, CHES, volume 3659 of Lecture Notes in Computer Science, pages 172-186. Springer, 2005.
  307. Axel Poschmann, Amir Moradi, Khoongming Khoo, Chu-Wee Lim, Huaxiong Wang, and San Ling. Side-channel resistant crypto for less than 2,300 GE. J. Cryptology, 24(2):322-345, 2011.
  308. Bart Preneel and Paul C. van Oorschot. MDx-MAC and building fast MACs from hash functions. In Don Coppersmith, editor, CRYPTO, volume 963 of Lecture Notes in Computer Science, pages 1-14. Springer, 1995.
  309. Bart Preneel and Paul C. van Oorschot. On the security of iterated message authentication codes. IEEE Transactions on Information Theory, 45(1):188-199, 1999.
  310. Gordon Procter and Carlos Cid. On weak keys and forgery attacks against polynomial-based MAC schemes. In Moriai [239], pages 287-304.
  311. Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In Johansson and Nguyen [174], pages 142-159.
  312. Niels Provos and David Mazières. A future-adaptable password scheme. In USENIX Annual Technical Conference, FREENIX Track, pages 81-91. USENIX, 1999.
  313. Tal Rabin, editor. Advances in Cryptology – CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings, volume 6223 of Lecture Notes in Computer Science. Springer, 2010.
  314. Ananth Raghunathan, Gil Segev, and Salil P. Vadhan. Deterministic public-key encryption for adaptively chosen plaintext distributions. In Johansson and Nguyen [174], pages 93-110.
  315. Vincent Rijmen. Cryptanalysis and design of iterated block ciphers. PhD thesis, Katholieke Universiteit Leuven, 1997.
  316. Thomas Ristenpart and Scott Yilek. When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography. In NDSS. The Internet Society, 2010.
  317. Matthew J. B. Robshaw, editor. Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Revised Selected Papers, volume 4047 of Lecture Notes in Computer Science. Springer, 2006.
  318. Matthew J. B. Robshaw and Olivier Billet, editors. New Stream Cipher Designs – The eSTREAM Finalists, volume 4986 of Lecture Notes in Computer Science. Springer, 2008.
  319. Phillip Rogaway. Authenticated-encryption with associated-data. In Vijayalakshmi Atluri, editor, ACM Conference on Computer and Communications Security, pages 98-107. ACM, 2002.
  320. Phillip Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In Pil Joong Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 16-31. Springer, 2004.
  321. Phillip Rogaway. Nonce-based symmetric encryption. In Roy and Meier [305], pages 348-359.
  322. Phillip Rogaway. Evaluation of some blockcipher modes of operation. Cryptography Research and Evaluation Committees (CRYPTREC) for the Government of Japan, 2011.
  323. Phillip Rogaway. Free OCB licenses. http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm, 2013.
  324. Phillip Rogaway, Mihir Bellare, and John Black. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur., 6(3):365-403, 2003.
  325. Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap problem. In Vaudenay [343], pages 373-390.
  326. Phillip Rogaway and David Wagner. A critique of CCM. Cryptology ePrint Archive, Report 2003/070, 2003. http://eprint.iacr.org/.
  327. Bimal K. Roy, editor. Advances in Cryptology – ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4-8, 2005, Proceedings, volume 3788 of Lecture Notes in Computer Science. Springer, 2005.
  328. Bimal K. Roy and Willi Meier, editors. Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5-7, 2004, Revised Papers, volume 3017 of Lecture Notes in Computer Science. Springer, 2004.
  329. Markku-Juhani O. Saarinen. Weakness of the OpenSSL PRNG in versions up to OpenSSL 0.9.6a, 2001. http://mjos.fi/doc/secadv_prng.txt.
  330. Markku-Juhani Olavi Saarinen. Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In Anne Canteaut, editor, FSE, volume 7549 of Lecture Notes in Computer Science, pages 216-225. Springer, 2012.
  331. Reihaneh Safavi-Naini and Ran Canetti, editors. Advances in Cryptology – CRYPTO 2012 – 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science. Springer, 2012.
  332. Kazue Sako and Palash Sarkar, editors. Advances in Cryptology – ASIACRYPT 2013 – 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part II, volume 8270 of Lecture Notes in Computer Science. Springer, 2013.
  333. Somitra Kumar Sanadhya and Palash Sarkar. New collision attacks against up to 24-step SHA-2. In Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, editors, INDOCRYPT, volume 5365 of Lecture Notes in Computer Science, pages 91-103. Springer, 2008.
  334. Yu Sasaki. Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In Antoine Joux, editor, FSE, volume 6733 of Lecture Notes in Computer Science, pages 378-396. Springer, 2011.
  335. Yu Sasaki and Kazumaro Aoki. Finding preimages in full MD5 faster than exhaustive search. In Antoine Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 134-152. Springer, 2009.
  336. Yu Sasaki, Lei Wang, Kazuo Ohta, and Noboru Kunihiro. Security of MD5 challenge and response: Extension of APOP password recovery attack. In Tal Malkin, editor, CT-RSA, volume 4964 of Lecture Notes in Computer Science, pages 1-18. Springer, 2008.
  337. Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu. Investigating fundamental security requirements on Whirlpool: Improved preimage and collision attacks. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT, volume 7658 of Lecture Notes in Computer Science, pages 562-579. Springer, 2012.
  338. Takakazu Satoh and Kiyomichi Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Commentarii Math. Univ. St. Pauli, 47:81-92, 1998.
  339. J. Schaad and R. Housley. Advanced Encryption Standard (AES) Key Wrap Algorithm. RFC 3394 (Informational), September 2002.
  340. Bruce Schneier. Description of a new variable-length key, 64-bit block cipher (Blowfish). In Ross J. Anderson, editor, FSE, volume 809 of Lecture Notes in Computer Science, pages 191-204. Springer, 1993.
  341. Claus-Peter Schnorr. Efficient identification and signatures for smart cards. In Brassard [58], pages 239-252.
  342. SEC 1. Elliptic curve cryptography – version 2.0. Standards for Efficient Cryptography Group, 2009.
  343. SEC 2. Recommended elliptic curve domain parameters – version 2.0. Standards for Efficient Cryptography Group, 2010.
  344. Igor A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comput., 67(221):353-356, 1998.
  345. Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux. Statistical attack on RC4 – distinguishing WPA. In Kenneth G. Paterson, editor, EUROCRYPT, volume 6632 of Lecture Notes in Computer Science, pages 343-363. Springer, 2011.
  346. Claude E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656-715, 1949.
  347. Victor Shoup. A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112, 2001. http://eprint.iacr.org/.
  348. Victor Shoup, editor. Advances in Cryptology – CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of Lecture Notes in Computer Science. Springer, 2005.
  349. Thomas Shrimpton and R. Seth Terashima. A provable security analysis of Intel's Secure Key RNG. IACR Cryptology ePrint Archive, 2014:504, 2014.
  350. Dan Shumow and Niels Ferguson. On the Possibility of a Back Door in the NIST SP800-90 Dual EC PRNG, August 2007. Rump session presentation at Crypto 2007, http://rump2007.cr.yp.to/15-shumow.pdf.
  351. Sergei P. Skorobogatov. Using optical emission analysis for estimating contribution to power analysis. In Luca Breveglieri, Israel Koren, David Naccache, Elisabeth Oswald, and Jean-Pierre Seifert, editors, FDTC, pages 111-119. IEEE Computer Society, 2009.
  352. Nigel P. Smart. The discrete logarithm problem on elliptic curves of trace one. J. Cryptology, 12(3):193-196, 1999.
  353. Marc Stevens. New collision attacks on SHA-1 based on optimal joint local-collision analysis. In Johansson and Nguyen [174], pages 245-261.
  354. Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In Moni Naor, editor, EUROCRYPT, volume 4515 of Lecture Notes in Computer Science, pages 1-22. Springer, 2007.
  355. Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-prefix collisions for MD5 and applications. IJACT, 2(4):322-359, 2012.
  356. Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In Halevi [140], pages 55-69.
  357. Kris Tiri and Ingrid Verbauwhede. A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In DATE, pages 246-251. IEEE Computer Society, 2004.
  358. Elena Trichina, Tymur Korkishko, and Kyung-Hee Lee. Small size, low power, side channel immune AES coprocessor: Design and synthesis results. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, AES Conference, volume 3373 of Lecture Notes in Computer Science, pages 113-127. Springer, 2004.
  359. Eran Tromer, Dag Arne Osvik, and Adi Shamir. Efficient cache attacks on AES, and countermeasures. J. Cryptology, 23(1):37-71, 2010.
  360. TTA.KO-12.0001/R1. Digital signature scheme with appendix – Part 2: Certificate-based digital signature algorithm. Korean Telecommunications Technology Association, 2000.
  361. Kyushu University, NICT, and Fujitsu Laboratories. Achieve world record cryptanalysis of next-generation cryptography. http://www.nict.go.jp/en/press/2012/06/PDF-att/20120618en.pdf, 2012.
  362. Paul C. van Oorschot and Michael J. Wiener. A known plaintext attack on two-key triple encryption. In Ivan Damgård, editor, EUROCRYPT, volume 473 of Lecture Notes in Computer Science, pages 318-325. Springer, 1990.
  363. Paul C. van Oorschot and Michael J. Wiener. Parallel collision search with cryptanalytic applications. J. Cryptology, 12(1):1-28, 1999.
  364. Serge Vaudenay. On the weak keys of Blowfish. In Dieter Gollmann, editor, FSE, volume 1039 of Lecture Notes in Computer Science, pages 27-32. Springer, 1996.
  365. Serge Vaudenay. Security flaws induced by CBC padding – Applications to SSL, IPSEC, WTLS … In Knudsen [198], pages 534-546.
  366. Serge Vaudenay, editor. Advances in Cryptology – EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28 – June 1, 2006, Proceedings, volume 4004 of Lecture Notes in Computer Science. Springer, 2006.
  367. Serge Vaudenay and Martin Vuagnoux. Passive-only key recovery attacks on RC4. In Adams et al. [2], pages 344-359.
  368. David Wagner, editor. Advances in Cryptology – CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings, volume 5157 of Lecture Notes in Computer Science. Springer, 2008.
  369. Xiaoyun Wang. New collision search for SHA-1. Presented at Rump Session of Crypto 2005, 2005.
  370. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding collisions in the full SHA-1. In Shoup [325], pages 17-36.
  371. Brent Waters. Efficient identity-based encryption without random oracles. In Cramer [88], pages 114-127.
  372. Doug Whiting, Russ Housley, and Niels Ferguson. Submission to NIST: Counter with CBC-MAC (CCM) – AES mode of operation. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/ccm.pdf.
  373. Michael J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36(3):553-558, 1990.
  374. Michael J. Wiener, editor. Advances in Cryptology – CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science. Springer, 1999.
  375. Hongjun Wu. A new stream cipher HC-256. In Roy and Meier [305], pages 226-244.
  376. Hongjun Wu. The stream cipher HC-128. In Robshaw and Billet [295], pages 39-47.
  377. Arnold K. L. Yau, Kenneth G. Paterson, and Chris J. Mitchell. Padding oracle attacks on CBC-mode encryption with secret and random IVs. In Henri Gilbert and Helena Handschuh, editors, FSE, volume 3557 of Lecture Notes in Computer Science, pages 299-319. Springer, 2005.
  378. Scott Yilek. Resettable public-key encryption: How to encrypt on a virtual machine. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of Lecture Notes in Computer Science, pages 41-56. Springer, 2010.

Study on cryptographic protocols

  1. Technical Specification Group Services 3rd Generation Partnership Project and 3G Security System Aspects. Confidentiality and integrity algorithms UEA1 & UIA1. Document 1: UEA1 and UIA1 specifications.
  2. Technical Specification Group Services 3rd Generation Partnership Project and 3G Security System Aspects. Confidentiality and integrity algorithms UEA2 & UIA2. Document 1: UEA2 and UIA2 specifications.
  3. Technical Specification Group Services 3rd Generation Partnership Project and 3G Security System Aspects. Confidentiality and integrity algorithms UEA2 & UIA2. Document 2: SNOW 3G specification.
  4. Technical Specification Group Services 3rd Generation Partnership Project and 3G Security System Aspects. Specification of the 3GPP confidentiality and integrity algorithms; Document 2: KASUMI specification, v.3.1.1.
  5. Martín Abadi, Dan Boneh, Ilya Mironov, Ananth Raghunathan, and Gil Segev. Message-locked encryption for lock-dependent messages. In Canetti and Garay [76], pages 374–391.
  6. Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). In Proc. 1st IFIP International Conference on Theoretical Computer Science (IFIP–TCS’00), volume 1872 of Lecture Notes in Computer Science, pages 3–22, 2000.
  7. Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, and Haixia Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. J. Cryptology, 21(3):350–391, 2008.
  8. Michel Abdalla, Olivier Chevassut, and David Pointcheval. One-time verifier-based encrypted key exchange. In Serge Vaudenay, editor, Public Key Cryptography, volume 3386 of Lecture Notes in Computer Science, pages 47–64. Springer, 2005.
  9. Michel Abdalla and David Pointcheval. Simple password-based encrypted key exchange protocols. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 191–208. Springer, 2005.
  10. Michel Abdalla and David Pointcheval. A scalable password-based group key exchange protocol in the standard model. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 332–347. Springer, 2006.
  11. Ben Adida, Mike Bond, Jolyon Clulow, Amerson Lin, Ross J. Anderson, and Ronald L. Rivest. On the security of the EMV secure messaging API (extended abstract). In Bruce Christianson, Bruno Crispo, James A. Malcolm, and Michael Roe, editors, Security Protocols Workshop, volume 5964 of Lecture Notes in Computer Science, pages 147–149. Springer, 2007.
  12. Ben Adida, Mike Bond, Jolyon Clulow, Amerson Lin, Steven J. Murdoch, Ross J. Anderson, and Ronald L. Rivest. Phish and chips. In Bruce Christianson, Bruno Crispo, James A. Malcolm, and Michael Roe, editors, Security Protocols Workshop, volume 5087 of Lecture Notes in Computer Science, pages 40–48. Springer, 2006.
  13. Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. Order-preserving encryption for numeric data. In Gerhard Weikum, Arnd Christian König, and Stefan Deßloch, editors, SIGMOD Conference, pages 563–574. ACM, 2004.
  14. Aiiad Albeshri, Colin Boyd, and Juan Manuel González Nieto. Enhanced geoproof: improved geographic assurance for data in the cloud. Int. J. Inf. Sec., 13(2):191–198, 2014.
  15. Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. Plaintext recovery attacks against SSH. In IEEE Symposium on Security and Privacy, pages 16–26. IEEE Computer Society, 2009.
  16. Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the security of RC4 in TLS. In Samuel T. King, editor, USENIX Security, pages 305–320. USENIX Association, 2013.
  17. Nadhem J. AlFardan and Kenneth G. Paterson. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 2013.
  18. Jacob Alperin-Sheriff and Chris Peikert. Practical bootstrapping in quasilinear time. In Canetti and Garay [76], pages 1–20.
  19. Jacob Alperin-Sheriff and Chris Peikert. Faster bootstrapping with polynomial error. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO (1), volume 8616 of Lecture Notes in Computer Science, pages 297–314. Springer, 2014.
  20. ANSI X9.42. Agreement of symmetric keys using discrete logarithm cryptography. American National Standard Institute, 2005.
  21. ANSI X9.42. Key agreement and key transport using factoring-based cryptography. American National Standard Institute, 2005.
  22. ANSI X9.63. Public key cryptography for the financial services industry – Key agreement and key transport using elliptic curve cryptography. American National Standard Institute, 2011.
  23. Myrto Arapinis, Loretta Ilaria Mancini, Eike Ritter, and Mark Ryan. Formal analysis of UMTS privacy. CoRR, abs/1109.2066, 2011.
  24. Giuseppe Ateniese, Randal C. Burns, Reza Curtmola, Joseph Herring, Osama Khan, Lea Kissner, Zachary N. J. Peterson, and Dawn Song. Remote data checking using provable data possession. ACM Trans. Inf. Syst. Secur., 14(1):12, 2011.
  25. Dirk Balfanz, Diana K. Smetters, Paul Stewart, and H. Chi Wong. Talking to strangers: Authentication in ad-hoc wireless networks. In NDSS. The Internet Society, 2002.
  26. Boaz Barak, Ran Canetti, Yehuda Lindell, Rafael Pass, and Tal Rabin. Secure computation without authentication. J. Cryptology, 24(4):720–760, 2011.
  27. Gilles Barthe, Benjamin Grégoire, Sylvain Heraud, and Santiago Zanella Béguelin. Computer-aided security proofs for the working cryptographer. In Rogaway [274], pages 71–90.
  28. Gilles Barthe, Benjamin Grégoire, and Santiago Zanella-Béguelin. Formal certification of code-based cryptographic proofs. In 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, pages 90–101. ACM, 2009.
  29. David A. Basin, Cas Cremers, and Simon Meier. Provably repairing the ISO/IEC 9798 standard for entity authentication. Journal of Computer Security, 21(6):817–846, 2013.
  30. David A. Basin, Cas J. F. Cremers, and Simon Meier. Provably repairing the ISO/IEC 9798 standard for entity authentication. In Pierpaolo Degano and Joshua D. Guttman, editors, POST, volume 7215 of Lecture Notes in Computer Science, pages 129–148. Springer, 2012.
  31. Donald Beaver, Silvio Micali, and Phillip Rogaway. The round complexity of secure protocols (extended abstract). In Ortiz [244], pages 503–513.
  32. M. Bellare, T. Kohno, and C. Namprempre. The Secure Shell (SSH) Transport Layer Encryption Modes. RFC 4344 (Proposed Standard), January 2006.
  33. Mihir Bellare, Ran Canetti, and Hugo Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In Jeffrey Scott Vitter, editor, STOC, pages 419–428. ACM, 1998.
  34. Mihir Bellare, Marc Fischlin, Shafi Goldwasser, and Silvio Micali. Identification protocols secure against reset attacks. In Pfitzmann [260], pages 495–511.
  35. Mihir Bellare, Sriram Keelveedhi, and Thomas Ristenpart. Message-locked encryption and secure deduplication. In Johansson and Nguyen [178], pages 296–312.
  36. Mihir Bellare, Tadayoshi Kohno, and Chanathip Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Trans. Inf. Syst. Secur., 7(2):206–241, 2004.
  37. Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In Preneel [266], pages 139–155.
  38. Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232–249. Springer, 1993.
  39. S. M. Bellovin and M. Merritt. Limitations of the Kerberos authentication system. SIGCOMM Comput. Commun. Rev., 20(5):119–132, October 1990.
  40. Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, pages 1–16, 1996.
  41. Steven M. Bellovin and Michael Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Symposium on Security and Privacy, SP ’92, pages 72–, Washington, DC, USA, 1992. IEEE Computer Society.
  42. Steven M. Bellovin and Michael Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. In Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby, editors, ACM Conference on Computer and Communications Security, pages 244–250. ACM, 1993.
  43. Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In Simon [287], pages 1–10.
  44. Jens Bender, Marc Fischlin, and Dennis Kügler. Security analysis of the PACE key-agreement protocol. In Pierangela Samarati, Moti Yung, Fabio Martinelli, and Claudio Agostino Ardagna, editors, ISC, volume 5735 of Lecture Notes in Computer Science, pages 33–48. Springer, 2009.
  45. Rikke Bendlin, Ivan Damgård, Claudio Orlandi, and Sarah Zakarias. Semi-homomorphic encryption and multiparty computation. In Paterson [253], pages 169–188.
  46. David Bernhard, Georg Fuchsbauer, Essam Ghadafi, Nigel P. Smart, and Bogdan Warinschi. Anonymous attestation with user-controlled linkability. Int. J. Inf. Sec., 12(3):219–249, 2013.
  47. John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Privacy [161], pages 321–334.
  48. D. Bider and M. Baushke. SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol. RFC 6668 (Proposed Standard), July 2012.
  49. Eli Biham, Orr Dunkelman, and Nathan Keller. A related-key rectangle attack on the full KASUMI. In Bimal K. Roy, editor, ASIACRYPT, volume 3788 of Lecture Notes in Computer Science, pages 443–461. Springer, 2005.
  50. Alex Biryukov, Deike Priemuth-Schmid, and Bin Zhang. Multiset collision attacks on reduced-round SNOW 3G and SNOW 3G⊕. In Zhou and Yung [318], pages 139–153.
  51. Andrea Bittau, Mark Handley, and Joshua Lackey. The final nail in WEP’s coffin. In IEEE Symposium on Security and Privacy, pages 386–400. IEEE Computer Society, 2006.
  52. S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Updated by RFC 5246.
  53. Simon Blake-Wilson, Don Johnson, and Alfred Menezes. Key agreement protocols and their security analysis. In Michael Darnell, editor, IMA Int. Conf., volume 1355 of Lecture Notes in Computer Science, pages 30–45. Springer, 1997.
  54. Bruno Blanchet. An efficient cryptographic protocol verifier based on prolog rules. In CSFW, pages 82–96. IEEE Computer Society, 2001.
  55. Bruno Blanchet and David Pointcheval. Automated security proofs with sequences of games. In Dwork [109], pages 537–554.
  56. Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Hugo Krawczyk, editor, CRYPTO, volume 1462 of Lecture Notes in Computer Science, pages 1–12. Springer, 1998.
  57. Dan Bogdanov, Sven Laur, and Jan Willemson. Sharemind: A framework for fast privacy-preserving computations. In Sushil Jajodia and Javier López, editors, ESORICS, volume 5283 of Lecture Notes in Computer Science, pages 192–206. Springer, 2008.
  58. Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas P. Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt Nielsen, Jakob Pagter, Michael I. Schwartzbach, and Tomas Toft. Secure multiparty computation goes live. In Dingledine and Golle [104], pages 325–343.
  59. Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O’Neill. Order-preserving symmetric encryption. In Antoine Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 224–241. Springer, 2009.
  60. Alexandra Boldyreva, Nathan Chenette, and Adam O’Neill. Order-preserving encryption revisited: Improved security analysis and alternative solutions. In Rogaway [274], pages 578–595.
  61. Alexandra Boldyreva and Virendra Kumar. Provable-security analysis of authenticated encryption in Kerberos. IET Information Security, 5(4):207–219, 2011.
  62. Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei P. Skorobogatov, and Ross J. Anderson. Chip and skim: Cloning EMV cards with the pre-play attack. CoRR, abs/1209.2531, 2012.
  63. Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 506–522. Springer, 2004.
  64. Joppe W. Bos, Kristin Lauter, Jake Loftus, and Michael Naehrig. Improved security for a ring-based fully homomorphic encryption scheme. In Martijn Stam, editor, IMA Int. Conf., volume 8308 of Lecture Notes in Computer Science, pages 45–64. Springer, 2013.
  65. Victor Boyko, Philip D. MacKenzie, and Sarvar Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In Preneel [266], pages 156–171.
  66. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In Shafi Goldwasser, editor, ITCS, pages 309–325. ACM, 2012.
  67. Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-LWE and security for key dependent messages. In Rogaway [274], pages 505–524.
  68. Luís T. A. N. Brandão. Secure two-party computation with reusable bit-commitments, via a cut-and-choose with forge-and-lose technique – (extended abstract). In Kazue Sako and Palash Sarkar, editors, ASIACRYPT (2), volume 8270 of Lecture Notes in Computer Science, pages 441–463. Springer, 2013.
  69. Jørgen Brandt, Ivan Damgård, Peter Landrock, and Torben P. Pedersen. Zero-knowledge authentication scheme with secret key exchange (extended abstract). In Shafi Goldwasser, editor, CRYPTO, volume 403 of Lecture Notes in Computer Science, pages 583–588. Springer, 1988.
  70. Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Security proofs for an efficient password-based key exchange. In Sushil Jajodia, Vijayalakshmi Atluri, and Trent Jaeger, editors, ACM Conference on Computer and Communications Security, pages 241–250. ACM, 2003.
  71. Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. New security results on encrypted key exchange. In Feng Bao, Robert H. Deng, and Jianying Zhou, editors, Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 145–158. Springer, 2004.
  72. Ernest F. Brickell, Jan Camenisch, and Liqun Chen. Direct anonymous attestation. In Vijayalakshmi Atluri, Birgit Pfitzmann, and Patrick Drew McDaniel, editors, ACM Conference on Computer and Communications Security, pages 132–145. ACM, 2004.
  73. Christina Brzuska, Marc Fischlin, Nigel P. Smart, Bogdan Warinschi, and Stephen C. Williams. Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Sec., 12(4):267–297, 2013.
  74. Christina Brzuska, Nigel P. Smart, Bogdan Warinschi, and Gaven J. Watson. An analysis of the EMV channel establishment protocol. In Sadeghi et al. [276], pages 373–386.
  75. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In FOCS, pages 136–145. IEEE Computer Society, 2001.
  76. Ran Canetti and Juan A. Garay, editors. Advances in Cryptology – CRYPTO 2013 – 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, volume 8042 of Lecture Notes in Computer Science. Springer, 2013.
  77. Ran Canetti and Juan A. Garay, editors. Advances in Cryptology – CRYPTO 2013 – 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, volume 8043 of Lecture Notes in Computer Science. Springer, 2013.
  78. Ran Canetti, Shai Halevi, Jonathan Katz, Yehuda Lindell, and Philip D. MacKenzie. Universally composable password-based key exchange. In Cramer [90], pages 404–421.
  79. Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Pfitzmann [260], pages 453–474.
  80. Ran Canetti, Ben Riva, and Guy N. Rothblum. Practical delegation of computation using multiple servers. In Yan Chen, George Danezis, and Vitaly Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 445–454. ACM, 2011.
  81. Brice Canvel, Alain P. Hiltgen, Serge Vaudenay, and Martin Vuagnoux. Password interception in a SSL/TLS channel. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 583–599. Springer, 2003.
  82. David Cash, Stanislaw Jarecki, Charanjit S. Jutla, Hugo Krawczyk, Marcel-Catalin Rosu, and Michael Steiner. Highly-scalable searchable symmetric encryption with support for boolean queries. In Canetti and Garay [76], pages 353–373.
  83. David Cash, Alptekin Küpçü, and Daniel Wichs. Dynamic proofs of retrievability via oblivious RAM. In Johansson and Nguyen [178], pages 279–295.
  84. David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols (extended abstract). In Simon [287], pages 11–19.
  85. Jung Hee Cheon, Jean-Sébastien Coron, Jinsu Kim, Moon Sung Lee, Tancrède Lepoint, Mehdi Tibouchi, and Aaram Yun. Batch fully homomorphic encryption over the integers. In Johansson and Nguyen [178], pages 315–335.
  86. Kai-Min Chung, Yael Tauman Kalai, and Salil P. Vadhan. Improved delegation of computation using fully homomorphic encryption. In Rabin [268], pages 483–501.
  87. Codenomicon. The Heartbleed bug. http://heartbleed.com/, 2014.
  88. Hubert Comon-Lundh and Vitaly Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In LICS, pages 271–. IEEE Computer Society, 2003.
  89. Véronique Cortier, Steve Kremer, and Bogdan Warinschi. A survey of symbolic methods in computational analysis of cryptographic systems. J. Autom. Reasoning, 46(3-4):225–259, 2011.
  90. Ronald Cramer, editor. Advances in Cryptology – EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of Lecture Notes in Computer Science. Springer, 2005.
  91. Cas J. F. Cremers. The Scyther tool: Verification, falsification, and analysis of security protocols. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of Lecture Notes in Computer Science, pages 414–418. Springer, 2008.
  92. Reza Curtmola, Juan A. Garay, Seny Kamara, and Rafail Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In Juels et al. [180], pages 79–88.
  93. F. Cusack and M. Forssen. Generic Message Exchange Authentication for the Secure Shell Protocol (SSH). RFC 4256 (Proposed Standard), January 2006.
  94. W. Dai. An attack against SSH2 protocol. E-mail to the SECSH Working Group available from ftp://ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, 6th Feb. 2002.
  95. Ivan Damgård, Martin Geisler, Mikkel Krøigaard, and Jesper Buus Nielsen. Asynchronous multiparty computation: Theory and implementation. In Stanislaw Jarecki and Gene Tsudik, editors, Public Key Cryptography, volume 5443 of Lecture Notes in Computer Science, pages 160–179. Springer, 2009.
  96. Ivan Damgård, Sigurd Meldgaard, and Jesper Buus Nielsen. Perfectly secure oblivious RAM without random oracles. In Yuval Ishai, editor, TCC, volume 6597 of Lecture Notes in Computer Science, pages 144–163. Springer, 2011.
  97. Ivan Damgård, Valerio Pastro, Nigel P. Smart, and Sarah Zakarias. Multiparty computation from somewhat homomorphic encryption. In Safavi-Naini and Canetti [277], pages 643–662.
  98. Jean Paul Degabriele, Anja Lehmann, Kenneth G. Paterson, Nigel P. Smart, and Mario Strefler. On the joint security of encryption and signature in EMV. In Orr Dunkelman, editor, CT-RSA, volume 7178 of Lecture Notes in Computer Science, pages 116–135. Springer, 2012.
  99. Jean Paul Degabriele and Kenneth G. Paterson. Attacking the IPsec standards in encryption-only configurations. In IEEE Symposium on Security and Privacy [161], pages 335–349.
  100. Jean Paul Degabriele and Kenneth G. Paterson. On the (in)security of IPsec in MAC-then-encrypt configurations. In Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 493–504. ACM, 2010.
  101. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176.
  102. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176.
  103. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008. Updated by RFCs 5746, 5878, 6176.
  104. Roger Dingledine and Philippe Golle, editors. Financial Cryptography and Data Security, 13th International Conference, FC 2009, Accra Beach, Barbados, February 23-26, 2009. Revised Selected Papers, volume 5628 of Lecture Notes in Computer Science. Springer, 2009.
  105. Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols (extended abstract). In FOCS, pages 350–357. IEEE Computer Society, 1981.
  106. Saar Drimer, Steven J. Murdoch, and Ross J. Anderson. Optimised to fail: Card readers for online banking. In Dingledine and Golle [104], pages 184–200.
  107. T. Duong and J. Rizzo. Here come the ⊕ ninjas. Unpublished manuscript, 2011.
  108. Thai Duong and Juliano Rizzo. The CRIME attack. Presentation at ekoparty Security Conference, 2012.
  109. Cynthia Dwork, editor. Advances in Cryptology – CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings, volume 4117 of Lecture Notes in Computer Science. Springer, 2006.
  110. D. Eastlake. Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH). RFC 4305 (Proposed Standard), December 2005. Obsoleted by RFC 4835.
  111. EMV Co. Book 2 – Security and key management. EMV 4.3, 2011.
  112. ENISA. Cloud Computing Risk Assessment. https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment, 2009.
  113. ENISA. Algorithms, key size and parameters report – 2013 recommendations, http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report, 2013.
  114. ENISA. Critical Cloud Computing – A CIIP perspective on cloud computing services. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/critical-cloud-computing, 2013.
  115. ENISA. Algorithms, key size and parameters report – 2014, ISBN 978-92-9204-102-1, DOI 10.2824/36822, available at: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014/, 2014.
  116. Niels Ferguson and Bruce Schneier. A cryptographic evaluation of IPsec. Unpublished manuscript available from http://www.schneier.com/paper-ipsec.html, February 1999.
  117. Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer, 1986.
  118. Scott R. Fluhrer and Stefan Lucks. Analysis of the E0 encryption system. In Vaudenay and Youssef [304], pages 38–48.
  119. Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Vaudenay and Youssef [304], pages 1–24.
  120. S. Frankel, R. Glenn, and S. Kelly. The AES-CBC Cipher Algorithm and Its Use with IPsec. RFC 3602 (Proposed Standard), September 2003.
  121. S. Frankel and H. Herbert. The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec. RFC 3566 (Proposed Standard), September 2003.
  122. Tore Kasper Frederiksen and Jesper Buus Nielsen. Fast and maliciously secure two-party computation using the GPU. In Michael J. Jacobson Jr., Michael E. Locasto, Payman Mohassel, and Reihaneh Safavi-Naini, editors, ACNS, volume 7954 of Lecture Notes in Computer Science, pages 339–356. Springer, 2013.
  123. M. Friedl, N. Provos, and W. Simpson. Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4419 (Proposed Standard), March 2006.
  124. D. Fu and J. Solinas. Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2. RFC 5903 (Informational), June 2010.
  125. Rosario Gennaro, Craig Gentry, and Bryan Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In Rabin [268], pages 465–482.
  126. Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. Quadratic span programs and succinct NIZKs without PCPs. In Johansson and Nguyen [178], pages 626–645.
  127. Craig Gentry. A fully homomorphic encryption scheme. PhD Thesis, Stanford, 2009.
  128. Craig Gentry. Fully homomorphic encryption using ideal lattices. In Michael Mitzenmacher, editor, STOC, pages 169–178. ACM, 2009.
  129. Craig Gentry, Shai Halevi, and Nigel P. Smart. Better bootstrapping in fully homomorphic encryption. In Marc Fischlin, Johannes Buchmann, and Mark Manulis, editors, Public Key Cryptography, volume 7293 of Lecture Notes in Computer Science, pages 1–16. Springer, 2012.
  130. Craig Gentry, Shai Halevi, and Nigel P. Smart. Fully homomorphic encryption with polylog overhead. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages 465–482. Springer, 2012.
  131. Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic evaluation of the AES circuit. In Safavi-Naini and Canetti [277], pages 850–867.
  132. Henri Gilbert, editor. Advances in Cryptology – EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 – June 3, 2010. Proceedings, volume 6110 of Lecture Notes in Computer Science. Springer, 2010.
  133. Marc Girault. Self-certified public keys. In Donald W. Davies, editor, EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages 490–497. Springer, 1991.
  134. Marc Girault and Jean-Claude Paillès. On-line/off-line RSA-like. In Proceedings of WCC 2003, pages 173–184, 2003.
  135. Eu-Jin Goh. Secure indexes. IACR Cryptology ePrint Archive, 2003:216, 2003.
  136. Ian Goldberg, Atefeh Mashatan, and Douglas R. Stinson. On message recognition protocols: recoverability and explicit confirmation. IJACT, 2(2):100–120, 2010.
  137. Oded Goldreich and Yehuda Lindell. Session-key generation using human passwords only. J. of Cryptology, 19(3):241–340, 2006.
  138. Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Alfred V. Aho, editor, STOC, pages 218–229. ACM, 1987.
  139. Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. J. ACM, 43(3):431–473, 1996.
  140. Michael T. Goodrich and Michael Mitzenmacher. Privacy-preserving access of outsourced data via oblivious RAM simulation. In Luca Aceto, Monika Henzinger, and Jiri Sgall, editors, ICALP (2), volume 6756 of Lecture Notes in Computer Science, pages 576–587. Springer, 2011.
  141. Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto Tamassia. Privacy-preserving group data access via stateless oblivious RAM simulation. In Rabani [267], pages 157–167.
  142. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Juels et al. [180], pages 89–98.
  143. Patrick Grofig, Martin Härterich, Isabelle Hang, Florian Kerschbaum, Mathias Kohler, Andreas Schaad, Axel Schröpfer, and Walter Tighzert. Experiences and observations on the industrial implementation of a system to search over outsourced encrypted data. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar R. Weippl, editors, Sicherheit, volume 228 of LNI, pages 115–125. GI, 2014.
  144. Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In Christoph G. Günther, editor, EUROCRYPT, volume 330 of Lecture Notes in Computer Science, pages 123–128. Springer, 1988.
  145. Finn Michael Halvorsen, Olav Haugen, Martin Eian, and Stig Fr. Mjølsnes. An improved attack on TKIP. In Audun Jøsang, Torleiv Maseng, and Svein J. Knapskog, editors, NordSec, volume 5838 of Lecture Notes in Computer Science, pages 120–132. Springer, 2009.
  146. Feng Hao and Peter Ryan. J-PAKE: Authenticated key exchange without PKI. Transactions on Computational Science, 11:192–206, 2010.
  147. Feng Hao and Peter Y. A. Ryan. Password authenticated key exchange by juggling. In Bruce Christianson, James A. Malcolm, Vashek Matyas, and Michael Roe, editors, Security Protocols Workshop, volume 6615 of Lecture Notes in Computer Science, pages 159–171. Springer, 2008.
  148. D. Harkins and G. Zorn. Extensible Authentication Protocol (EAP) Authentication Using Only a Password. RFC 5931 (Informational), 2010.
  149. Dan Harkins. Simultaneous authentication of equals: A secure, password-based key exchange for mesh networks. In Proceedings of the 2008 Second International Conference on Sensor Technologies and Applications, SENSORCOMM ’08, pages 839–844, Washington, DC, USA, 2008. IEEE Computer Society.
  150. B. Harris. RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4432 (Proposed Standard), March 2006.
  151. Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In USENIX Security Symposium – 2012, pages 205–220, 2012.
  152. Miia Hermelin and Kaisa Nyberg. Correlation properties of the Bluetooth combiner generator. In JooSeok Song, editor, ICISC, volume 1787 of Lecture Notes in Computer Science, pages 17–29. Springer, 1999.
  153. P. Hoffman. Cryptographic Suites for IPsec. RFC 4308 (Proposed Standard), December 2005.
  154. R. Housley. Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP). RFC 3686 (Proposed Standard), January 2004.
  155. R. Housley. Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP). RFC 4309 (Proposed Standard), December 2005.
  156. Yan Huang, Jonathan Katz, and David Evans. Efficient secure two-party computation using symmetric cut-and-choose. In Canetti and Garay [77], pages 18–35.
  157. G. Hudson. Camellia Encryption for Kerberos 5. RFC 6803 (Informational), November 2012.
  158. IEEE 802.11. Wireless LAN medium access control MAC and physical layer PHY specifications. Institute of Electrical and Electronics Engineers Standard, 1999.
  159. IEEE 802.11-2012 (Revision of IEEE 802.11-2007). Wireless LAN medium access control MAC and physical layer PHY specifications. Institute of Electrical and Electronics Engineers Standard, 2012.
  160. IEEE 802.15.4. Low rate WPAN. Institute of Electrical and Electronics Engineers Standard, 2012.
  161. IEEE Computer Society. 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, California, USA, 2007.
  162. K. Igoe and J. Solinas. AES Galois Counter Mode for the Secure Shell Transport Layer Protocol. RFC 5647 (Informational), August 2009.
  163. ISO/IEC 11770-2. Information technology – Security techniques – Key management – Part 2: Mechanisms using symmetric techniques. International Organization for Standardization, 2008.
  164. ISO/IEC 11770-3. Information technology – Security techniques – Key management – Part 3: Mechanisms using asymmetric techniques. International Organization for Standardization, 2008.
  165. ISO/IEC 11770-4. Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets. International Organization for Standardization, 2006.
  166. ISO/IEC 29192-4. Information technology – Security techniques – Lightweight cryptography – Part 4: Mechanisms using asymmetric techniques. International Organization for Standardization, 2013.
  167. ISO/IEC 9796-2. Information technology – Security techniques – Digital signatures giving message recovery – Part 2: Integer factorization based schemes. International Organization for Standardization, 2010.
  168. ISO/IEC 9798-1. Information technology – Security techniques – Entity authentication – Part 1: General. International Organization for Standardization, 2010.
  169. ISO/IEC 9798-2. Information technology – Security techniques – Entity authentication – Part 2: Mechanisms using symmetric encipherment techniques. International Organization for Standardization, 2008.
  170. ISO/IEC 9798-3. Information technology – Security techniques – Entity authentication – Part 3: Mechanisms using digital signature techniques. International Organization for Standardization, 1998.
  171. ISO/IEC 9798-4. Information technology – Security techniques – Entity authentication – Part 4: Mechanisms using a cryptographic check function. International Organization for Standardization, 1999.
  172. ISO/IEC 9798-5. Information technology – Security techniques – Entity authentication – Part 5: Mechanisms using zero-knowledge techniques. International Organization for Standardization, 2009.
  173. ISO/IEC 9798-6. Information technology – Security techniques – Entity authentication – Part 6: Mechanisms using manual data transfer. International Organization for Standardization, 2010.
  174. David P. Jablon. Extended password key exchange protocols immune to dictionary attacks. In WETICE, pages 248–255. IEEE Computer Society, 1997.
  175. David P. Jablon. Strong password-only authenticated key exchange. ACM Computer Communications Review, 26:5–26, 1996.
  176. Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk. On the security of TLS-DHE in the standard model. In Safavi-Naini and Canetti [277], pages 273–293.
  177. Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk. On the security of TLS-DHE in the standard model. In Safavi-Naini and Canetti [277], pages 273–293.
  178. Thomas Johansson and Phong Q. Nguyen, editors. Advances in Cryptology – EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science. Springer, 2013.
  179. Ari Juels and Burton S. Kaliski Jr. PORs: proofs of retrievability for large files. In Ning et al. [239], pages 584–597.
  180. Ari Juels, Rebecca N. Wright, and Sabrina De Capitani di Vimercati, editors. Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, October 30 – November 3, 2006. ACM, 2006.
  181. Ronald Kainda, Ivan Flechais, and A. W. Roscoe. Usability and security of out-of-band channels in secure device pairing protocols. In Lorrie Faith Cranor, editor, SOUPS, ACM International Conference Proceeding Series. ACM, 2009.
  182. Seny Kamara and Kristin Lauter. Cryptographic cloud storage. In Radu Sion, Reza Curtmola, Sven Dietrich, Aggelos Kiayias, Josep M. Miret, Kazue Sako, and Francesc Sebé, editors, Financial Cryptography Workshops, volume 6054 of Lecture Notes in Computer Science, pages 136–149. Springer, 2010.
  183. Seny Kamara, Charalampos Papamanthou, and Tom Roeder. Dynamic searchable symmetric encryption. In Yu et al. [315], pages 965–976.
  184. A. Kato, M. Kanda, and S. Kanno. Modes of Operation for Camellia for Use with IPsec. RFC 5529 (Proposed Standard), April 2009.
  185. Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient and secure authenticated key exchange using weak passwords. J. ACM, 57(1), 2009.
  186. Ethan Katz-Bassett, John P. John, Arvind Krishnamurthy, David Wetherall, Thomas E. Anderson, and Yatin Chawathe. Towards IP geolocation using delay and topology measurements. In Jussara M. Almeida, Virgílio A. F. Almeida, and Paul Barford, editors, Internet Measurement Conference, pages 71–84. ACM, 2006.
  187. C. Kaufman. Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard), December 2005. Obsoleted by RFC 5996, updated by RFC 5282.
  188. C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen. Internet Key Exchange Protocol Version 2 (IKEv2). RFC 5996 (Proposed Standard), September 2010. Updated by RFC 5998.
  189. S. Kelly and S. Frankel. Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec. RFC 4868 (Proposed Standard), May 2007.
  190. S. Kent. Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP). RFC 4304 (Proposed Standard), December 2005.
  191. S. Kent. IP Authentication Header. RFC 4302 (Proposed Standard), December 2005.
  192. S. Kent. IP Encapsulating Security Payload (ESP). RFC 4303 (Proposed Standard), December 2005.
  193. S. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301 (Proposed Standard), December 2005. Updated by RFC 6040.
  194. Aleksandar Kircanski and Amr M. Youssef. On the sliding property of SNOW 3G and SNOW 2.0. IET Information Security, 5(4):199–206, 2011.
  195. T. Kivinen and M. Kojo. More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). RFC 3526 (Proposed Standard), May 2003.
  196. John T. Kohl. The use of encryption in Kerberos for network authentication. In Gilles Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 35–43. Springer, 1989.
  197. Geir M. Køien and Vladimir A. Oleshchuk. Location privacy for cellular systems; analysis and solution. In George Danezis and David Martin, editors, Privacy Enhancing Technologies, volume 3856 of Lecture Notes in Computer Science, pages 40–58. Springer, 2005.
  198. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Best Current Practice), February 1997.
  199. Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee. On the security of the TLS protocol: A systematic analysis. In Canetti and Garay [76], pages 429–448.
  200. Benjamin Kreuter, Abhi Shelat, and Chih-Hao Shen. Billion-gate secure computation with malicious adversaries. In Tadayoshi Kohno, editor, USENIX Security Symposium, pages 285–300. USENIX Association, 2012.
  201. D. Kuegler and Y. Sheffer. Password Authenticated Connection Establishment with the Internet Key Exchange Protocol Version 2 (IKEv2). RFC 2104 (Best Current Practice), 2012.
  202. Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. On the (in)security of hash-based oblivious RAM and a new balancing scheme. In Rabani [267], pages 143–156.
  203. Sven Laur and Kaisa Nyberg. Efficient mutual data authentication using manually authenticated strings. In David Pointcheval, Yi Mu, and Kefei Chen, editors, CANS, volume 4301 of Lecture Notes in Computer Science, pages 90–107. Springer, 2006.
  204. Sven Laur and Sylvain Pasini. SAS-based group authentication and key agreement protocols. In Ronald Cramer, editor, Public Key Cryptography, volume 4939 of Lecture Notes in Computer Science, pages 197–213. Springer, 2008.
  205. Sven Laur and Sylvain Pasini. User-aided data authentication. IJSN, 4(1/2):69–86, 2009.
  206. Laurie Law, Alfred Menezes, Minghua Qu, Jerome A. Solinas, and Scott A. Vanstone. An efficient protocol for authenticated key agreement. Des. Codes Cryptography, 28(2):119–134, 2003.
  207. Dong Hoon Lee and Xiaoyun Wang, editors. Advances in Cryptology – ASIACRYPT 2011 – 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, volume 7073 of Lecture Notes in Computer Science. Springer, 2011.
  208. M. Lepinski and S. Kent. Additional Diffie-Hellman Groups for Use with IETF Standards. RFC 5114 (Informational), January 2008.
  209. Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Gilbert [132], pages 62–91.
  210. Allison B. Lewko and Brent Waters. Decentralizing attribute-based encryption. In Paterson [253], pages 568–588.
  211. Allison B. Lewko and Brent Waters. Unbounded HIBE and attribute-based encryption. In Paterson [253], pages 547–567.
  212. Yehuda Lindell. Fast cut-and-choose based protocols for malicious and covert adversaries. In Canetti and Garay [77], pages 1–17.
  213. Yehuda Lindell and Benny Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. In Moni Naor, editor, EUROCRYPT, volume 4515 of Lecture Notes in Computer Science, pages 52–78. Springer, 2007.
  214. Yehuda Lindell and Benny Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. J. Cryptology, 25(4):680–722, 2012.
  215. J. Linn. Generic Security Service Application Program Interface Version 2, Update 1. RFC 2743 (Proposed Standard), January 2000. Updated by RFC 5554.
  216. Chang Liu, Michael Hicks, and Elaine Shi. Memory trace oblivious program execution. In CSF, pages 51–65. IEEE, 2013.
  217. Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In Howard J. Karloff and Toniann Pitassi, editors, STOC, pages 1219–1234. ACM, 2012.
  218. Gavin Lowe. Casper: A compiler for the analysis of security protocols. Journal of Computer Security, 6(1-2):53–84, 1998.
  219. Philip MacKenzie. On the security of the SPEKE password-authenticated key exchange protocol. IACR Cryptology ePrint Archive, 2001:19, 2001.
  220. C. Madson and R. Glenn. The Use of HMAC-MD5-96 within ESP and AH. RFC 2403 (Proposed Standard), November 1998.
  221. C. Madson and R. Glenn. The Use of HMAC-SHA-1-96 within ESP and AH. RFC 2404 (Proposed Standard), November 1998.
  222. Atefeh Mashatan and Douglas R. Stinson. Practical unconditionally secure two-channel message authentication. Des. Codes Cryptography, 55(2-3):169–188, 2010.
  223. Atefeh Mashatan and Serge Vaudenay. A message recognition protocol based on standard assumptions. In Zhou and Yung [318], pages 384–401.
  224. D. McGrew and D. Bailey. AES-CCM Cipher Suites for Transport Layer Security (TLS). RFC 6655 (Best Current Practice), July 2012.
  225. D. McGrew and J. Viega. The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH. RFC 4543 (Proposed Standard), May 2006.
  226. S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer. Kerberos authentication and authorization system. In Project Athena Technical Plan, 1987.
  227. Chris J. Mitchell and Chan Yeob Yeun. Fixing a problem in the Helsinki protocol. Operating Systems Review, 32(4):21–24, 1998.
  228. Vebjørn Moen, Håvard Raddum, and Kjell Jørgen Hole. Weaknesses in the temporal key hash of WPA. Mobile Computing and Communications Review, 8(2):76–83, 2004.
  229. Payman Mohassel and Matthew K. Franklin. Efficiency tradeoffs for malicious two-party computation. In Yung et al. [316], pages 458–473.
  230. Masakatu Morii and Yosuke Todo. Cryptanalysis for RC4 and breaking WEP/WPA-TKIP. IEICE Transactions, 94-D(11):2087–2094, 2011.
  231. Paul Morrissey, Nigel P. Smart, and Bogdan Warinschi. The TLS handshake protocol: A modular analysis. J. Cryptology, 23(2):187–223, 2010.
  232. Steven J. Murdoch, Saar Drimer, Ross J. Anderson, and Mike Bond. Chip and PIN is broken. In IEEE Symposium on Security and Privacy, pages 433–446. IEEE Computer Society, 2010.
  233. Mihir Nanavati, Patrick Colp, Bill Aiello, and Andrew Warfield. Cloud security: a gathering storm. Commun. ACM, 57(5):70–79, 2014.
  234. Moni Naor, Gil Segev, and Adam Smith. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In Dwork [109], pages 214–231.
  235. Moni Naor, Gil Segev, and Adam Smith. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. IEEE Transactions on Information Theory, 54(6):2408–2425, 2008.
  236. Roger M. Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Commun. ACM, 21(12):993–999, 1978.
  237. C. Neuman, T. Yu, S. Hartman, and K. Raeburn. The Kerberos Network Authentication Service (V5). RFC 4120 (Proposed Standard), July 2005. Updated by RFCs 4537, 5021, 5896, 6111, 6112, 6113, 6649, 6806.
  238. Jesper Buus Nielsen, Peter Sebastian Nordholt, Claudio Orlandi, and Sai Sheshank Burra. A new approach to practical active-secure two-party computation. In Safavi-Naini and Canetti [277], pages 681–700.
  239. Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson, editors. Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, October 28-31, 2007. ACM, 2007.
  240. NIST Special Publication 800-56A. Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography. National Institute of Standards and Technology, 2007.
  241. NIST Special Publication 800-56B. Recommendation for pair-wise key establishment schemes using integer factorization cryptography. National Institute of Standards and Technology, 2009.
  242. OpenSSH Project. OpenSSH project. http://www.openssh.org/.
  243. Emmanuela Orsini, Joop van de Pol, and Nigel P. Smart. Bootstrapping BGV ciphertexts with a wider choice of p and q. IACR Cryptology ePrint Archive, 2014:408, 2014.
  244. Harriet Ortiz, editor. Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13-17, 1990, Baltimore, Maryland, USA. ACM, 1990.
  245. Rafail Ostrovsky. Efficient computation on oblivious RAMs. In Ortiz [244], pages 514–523.
  246. Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In Ning et al. [239], pages 195–203.
  247. Rafail Ostrovsky and Victor Shoup. Private information storage (extended abstract). In Frank Thomson Leighton and Peter W. Shor, editors, STOC, pages 294–303. ACM, 1997.
  248. Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly practical verifiable computation. In IEEE Symposium on Security and Privacy, pages 238–252. IEEE Computer Society, 2013.
  249. Bryan Parno, Mariana Raykova, and Vinod Vaikuntanathan. How to delegate and verify in public: Verifiable computation from attribute-based encryption. In Ronald Cramer, editor, TCC, volume 7194 of Lecture Notes in Computer Science, pages 422–439. Springer, 2012.
  250. Sylvain Pasini and Serge Vaudenay. An optimal non-interactive message authentication protocol. In David Pointcheval, editor, CT-RSA, volume 3860 of Lecture Notes in Computer Science, pages 280–294. Springer, 2006.
  251. Sylvain Pasini and Serge Vaudenay. SAS-based authenticated key agreement. In Yung et al. [316], pages 395–409.
  252. Kenneth G. Paterson. A cryptographic tour of the IPsec standards. Cryptology ePrint Archive, Report 2006/097, 2006. http://eprint.iacr.org/.
  253. Kenneth G. Paterson, editor. Advances in Cryptology – EUROCRYPT 2011 – 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, volume 6632 of Lecture Notes in Computer Science. Springer, 2011.
  254. Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. Plaintext recovery attacks against WPA/TKIP. IACR Cryptology ePrint Archive, 2013:748, 2013.
  255. Kenneth G. Paterson, Thomas Ristenpart, and Thomas Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In Lee and Wang [207], pages 372–389.
  256. Kenneth G. Paterson and Gaven J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Gilbert [132], pages 345–361.
  257. Kenneth G. Paterson and Arnold K. L. Yau. Cryptography in theory and practice: The case of encryption in IPsec. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 12–29. Springer, 2006.
  258. Lawrence C. Paulson. A fixedpoint approach to (co)inductive and (co)datatype definitions. In Gordon D. Plotkin, Colin Stirling, and Mads Tofte, editors, Proof, Language, and Interaction, pages 187–212. The MIT Press, 2000.
  259. R. Pereira and R. Adams. The ESP CBC-Mode Cipher Algorithms. RFC 2451 (Proposed Standard), November 1998.
  260. Birgit Pfitzmann, editor. Advances in Cryptology – EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceedings, volume 2045 of Lecture Notes in Computer Science. Springer, 2001.
  261. Benny Pinkas and Tzachy Reinman. Oblivious RAM revisited. In Rabin [268], pages 502–519.
  262. Benny Pinkas, Thomas Schneider, Nigel P. Smart, and Stephen C. Williams. Secure two-party computation is practical. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of Lecture Notes in Computer Science, pages 250–267. Springer, 2009.
  263. Matthew Pirretti, Patrick Traynor, Patrick McDaniel, and Brent Waters. Secure attribute-based systems. In Juels et al. [180], pages 99–112.
  264. Raluca A. Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. CryptDB: processing queries on an encrypted database. Commun. ACM, 55(9):103–111, 2012.
  265. Guillaume Poupard and Jacques Stern. Security analysis of a practical "on the fly" authentication and signature generation. In Kaisa Nyberg, editor, EUROCRYPT, volume 1403 of Lecture Notes in Computer Science, pages 422–436. Springer, 1998.
  266. Bart Preneel, editor. Advances in Cryptology – EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceedings, volume 1807 of Lecture Notes in Computer Science. Springer, 2000.
  267. Yuval Rabani, editor. Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2012, Kyoto, Japan, January 17-19, 2012. SIAM, 2012.
  268. Tal Rabin, editor. Advances in Cryptology – CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings, volume 6223 of Lecture Notes in Computer Science. Springer, 2010.
  269. K. Raeburn. Advanced Encryption Standard (AES) Encryption for Kerberos 5. RFC 3962 (Proposed Standard), February 2005.
  270. K. Raeburn. Encryption and Checksum Specifications for Kerberos 5. RFC 3961 (Proposed Standard), February 2005.
  271. Mohammad Reza Reyhanitabar, Shuhong Wang, and Reihaneh Safavi-Naini. Non-interactive manual channel message authentication based on eTCR hash functions. In Josef Pieprzyk, Hossein Ghodosi, and Ed Dawson, editors, ACISP, volume 4586 of Lecture Notes in Computer Science, pages 385–399. Springer, 2007.
  272. Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Ehab Al-Shaer, Somesh Jha, and Angelos D. Keromytis, editors, ACM Conference on Computer and Communications Security, pages 199–212. ACM, 2009.
  273. P. Rogaway. Problems with proposed IP cryptography. Available at http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt, 1995.
  274. Phillip Rogaway, editor. Advances in Cryptology – CRYPTO 2011 – 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, volume 6841 of Lecture Notes in Computer Science. Springer, 2011.
  275. Michael Rusinowitch and Mathieu Turuani. Protocol insecurity with finite number of sessions is NP-complete. In Proc. of the 14th Computer Security Foundations Workshop (CSFW’01), pages 174–190, Cape Breton, Nova Scotia, Canada, 2001. IEEE Computer Society Press.
  276. Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors. 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013. ACM, 2013.
  277. Reihaneh Safavi-Naini and Ran Canetti, editors. Advances in Cryptology – CRYPTO 2012 – 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science. Springer, 2012.
  278. Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Cramer [90], pages 457–473.
  279. J. Salowey, A. Choudhury, and D. McGrew. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288 (Proposed Standard), August 2008.
  280. J. Schiller. Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2). RFC 4307 (Proposed Standard), December 2005.
  281. Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux. Statistical attack on RC4 – distinguishing WPA. In Paterson [253], pages 343–363.
  282. Hovav Shacham and Brent Waters. Compact proofs of retrievability. J. Cryptology, 26(3):442–483, 2013.
  283. Abhi Shelat and Chih-Hao Shen. Fast two-party secure computation with minimal assumptions. In Sadeghi et al. [276], pages 523–534.
  284. Elaine Shi, T.-H. Hubert Chan, Emil Stefanov, and Mingfei Li. Oblivious RAM with O((log n)^3) worst-case cost. In Lee and Wang [207], pages 197–214.
  285. Elaine Shi, Emil Stefanov, and Charalampos Papamanthou. Practical dynamic proofs of retrievability. In Sadeghi et al. [276], pages 325–336.
  286. Victor Shoup. A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112, 2001. http://eprint.iacr.org/.
  287. Janos Simon, editor. Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2-4, 1988, Chicago, Illinois, USA. ACM, 1988.
  288. Nigel P. Smart. Access control using pairing based cryptography. In Marc Joye, editor, CT-RSA, volume 2612 of Lecture Notes in Computer Science, pages 111–121. Springer, 2003.
  289. Nigel P. Smart. Errors matter: Breaking RSA-based PIN encryption with thirty ciphertext validity queries. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of Lecture Notes in Computer Science, pages 15–25. Springer, 2010.
  290. Nigel P. Smart and Frederik Vercauteren. Fully homomorphic SIMD operations. Des. Codes Cryptography, 71(1):57–81, 2014.
  291. Dawn Xiaodong Song, David Wagner, and Adrian Perrig. Practical techniques for searches on encrypted data. In IEEE Symposium on Security and Privacy, pages 44–55. IEEE Computer Society, 2000.
  292. Frank Stajano and Ross J. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In Bruce Christianson, Bruno Crispo, James A. Malcolm, and Michael Roe, editors, Security Protocols Workshop, volume 1796 of Lecture Notes in Computer Science, pages 172–194. Springer, 1999.
  293. D. Stebila and J. Green. Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer. RFC 5656 (Proposed Standard), December 2009.
  294. Emil Stefanov, Elaine Shi, and Dawn Xiaodong Song. Towards practical oblivious RAM. In NDSS. The Internet Society, 2012.
  295. Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher W. Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. In Sadeghi et al. [276], pages 299–310.
  296. Erik Tews and Martin Beck. Practical attacks against WEP and WPA. In David A. Basin, Srdjan Capkun, and Wenke Lee, editors, WISEC, pages 79–86. ACM, 2009.
  297. Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188–202. Springer, 2007.
  298. F. Javier Thayer, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a security protocol correct? In IEEE Symposium on Security and Privacy, pages 160–171. IEEE Computer Society, 1998.
  299. Yosuke Todo, Yuki Ozawa, Toshihiro Ohigashi, and Masakatu Morii. Falsification attacks against WPA-TKIP in a realistic environment. IEICE Transactions, 95-D(2):588–595, 2012.
  300. Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In Gilbert [132], pages 24–43.
  301. Peter van Liesdonk, Saeed Sedghi, Jeroen Doumen, Pieter H. Hartel, and Willem Jonker. Computationally efficient searchable symmetric encryption. In Willem Jonker and Milan Petkovic, editors, Secure Data Management, volume 6358 of Lecture Notes in Computer Science, pages 87–100. Springer, 2010.
  302. Serge Vaudenay. Security flaws induced by CBC padding – Applications to SSL, IPSEC, WTLS … In Lars R. Knudsen, editor, EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 534–546. Springer, 2002.
  303. Serge Vaudenay. Secure communications over insecure channels based on short authenticated strings. In Victor Shoup, editor, CRYPTO, volume 3621 of Lecture Notes in Computer Science, pages 309–326. Springer, 2005.
  304. Serge Vaudenay and Amr M. Youssef, editors. Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001 Toronto, Ontario, Canada, August 16-17, 2001, Revised Papers, volume 2259 of Lecture Notes in Computer Science. Springer, 2001.
  305. Gaven J. Watson, Reihaneh Safavi-Naini, Mohsen Alimomeni, Michael E. Locasto, and Shivaramakrishnan Narayan. LoSt: location based storage. In Ting Yu, Srdjan Capkun, and Seny Kamara, editors, CCSW, pages 59–70. ACM, 2012.
  306. Peter Williams and Radu Sion. Single round access privacy on outsourced storage. In Yu et al. [315], pages 293–304.
  307. Peter Williams, Radu Sion, and Bogdan Carbunar. Building castles out of mud: practical access pattern privacy and correctness on untrusted storage. In Peng Ning, Paul F. Syverson, and Somesh Jha, editors, ACM Conference on Computer and Communications Security, pages 139–148. ACM, 2008.
  308. Peter Williams, Radu Sion, and Alin Tomescu. PrivateFS: a parallel oblivious file system. In Yu et al. [315], pages 977–988.
  309. Stephen C. Williams. Analysis of the SSH key exchange protocol. In Liqun Chen, editor, IMA Int. Conf., volume 7089 of Lecture Notes in Computer Science, pages 356–374. Springer, 2011.
  310. Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In FOCS, pages 160–164. IEEE Computer Society, 1982.
  311. Andrew Chi-Chih Yao. How to generate and exchange secrets (extended abstract). In FOCS, pages 162–167. IEEE Computer Society, 1986.
  312. T. Ylonen and C. Lonvick. The Secure Shell (SSH) Authentication Protocol. RFC 4252 (Proposed Standard), January 2006.
  313. T. Ylonen and C. Lonvick. The Secure Shell (SSH) Protocol Architecture. RFC 4251 (Proposed Standard), January 2006.
  314. T. Ylonen and C. Lonvick. The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (Proposed Standard), January 2006. Updated by RFC 6668.
  315. Ting Yu, George Danezis, and Virgil D. Gligor, editors. The ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012. ACM, 2012.
  316. Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors. Public Key Cryptography – PKC 2006, 9th International Conference on Theory and Practice of Public-Key Cryptography, New York, NY, USA, April 24-26, 2006, Proceedings, volume 3958 of Lecture Notes in Computer Science. Springer, 2006.
  317. Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. Cross-VM side channels and their use to extract private keys. In Yu et al. [315], pages 305–316.
  318. Jianying Zhou and Moti Yung, editors. Applied Cryptography and Network Security, 8th International Conference, ACNS 2010, Beijing, China, June 22-25, 2010. Proceedings, volume 6123 of Lecture Notes in Computer Science. Springer, 2010.
  319. L. Zhu and B. Tung. Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). RFC 4556 (Proposed Standard), June 2006. Updated by RFC 6112.