On the resilience of Even-Mansour to invariant permutations. (English) Zbl 1462.94045

Summary: Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants [C. Beierle et al., Lect. Notes Comput. Sci. 10402, 647–678 (2017; Zbl 1410.94045)]. In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in \(2^{128}\) queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in \(2^{50}\) queries), the 1024-bit CubeHash permutation (attack in \(2^{256}\) queries), and the 384-bit Gimli permutation without round constants (attack in \(2^{96}\) queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.

MSC:

94A60 Cryptography

Citations:

Zbl 1410.94045
