[1]

American National Standards Institute (ANSI). American National Standard for Information Systems–Data Encryption Algorithm–Modes of Operation (1983)

[2]

K. Aoki, H. Lipmaa, Fast implementations of AES candidates, in *Third AES Candidate Conference*, April 2000

[3]

M. Bellare, J. Killian, P. Rogaway, The security of cipher block chaining message authentication code.

*JCSS*
**61**(3), 362–399 (2000)

MATH[4]

M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. Full version, available at

http://www-cse.ucsd.edu/users/mihir/papers/rka.html
[5]

M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in

*Advances in Cryptology—EUROCRYPT 2003*, ed. by E. Biham. Lecture Notes in Computer Science (Springer, Berlin, 2003), pp. 491–506

CrossRef[6]

D.J. Bernstein, Floating-point arithmetic and message authentication, March 2000. Unpublished manuscript. Available at

http://cr.yp.to/papers.html#hash127
[7]

E. Biham, New types of cryptanalytic attacks using related keys.

*J. Cryptol.*
**7**(4), 229–246 (1994)

CrossRefMATH[8]

E. Biham, A. Biryukov, How to strengthen DES using existing hardware, in *Proceedings ASIACRYPT ’94*. Lecture Notes in Computer Science, vol. 917 (Springer, Berlin, 1994), pp. 398–412

[9]

J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions, in

*Advances in Cryptology—EUROCRYPT 2005*, ed. by R. Cramer. Lecture Notes in Computer Science (Springer, Berlin, 2005), pp. 526–541

CrossRef[10]

J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: Fast and secure message authentication, in *Proceedings CRYPTO ’99*. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 216–233

[11]

J. Black, P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions.

*J. Cryptol.*
**18**(2), 111–131 (2005)

CrossRefMATHMathSciNet[12]

D. Chakraborty, P. Sarkar, A general construction of tweakable block ciphers and different modes of operations, in *Inscrypt 2006—Information Security and Cryptography, Second SKLOIS Conference*. Lecture Notes in Computer Science, vol. 4318 (Springer, Berlin, 2006), pp. 88–102

[13]

P. Crowley, Mercy: A fast large block cipher for disk sector encryption, in

*Fast Software Encryption: 7th International Workshop*. Lecture Notes in Computer Science, vol. 1978 (Springer, Berlin, 2000), pp. 49–63. Also available at:

www.ciphergoth.org/crypto/mercy
CrossRef[14]

J. Daemen, Limitations of the Even–Mansour construction, in *Proceedings ASIACRYPT ’91*. Lecture Notes in Computer Science, LNCS, vol. 739 (Springer, Berlin, 1991), pp. 495–499

[15]

J. Daemen, V. Rijmen, AES proposal: Rijndael. Available at

http://www.nist.gov/aes. August (1998)

[16]

S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation.

*J. Cryptol.*
**10**(3), 151–161 (1997)

CrossRefMATHMathSciNet[17]

S. Fluhrer, Cryptanalysis of the Mercy block cipher, in

*Fast Software Encryption, 8th International Workshop*, ed. by M. Matsui. Lecture Notes in Computer Science, vol. 2355 (Springer, Berlin, 2002), pp. 28–36

CrossRef[18]

D. Goldenberg, S. Hohenberger, M. Liskov, H. Seyalioglu, E.C. Schwartz, On tweaking Luby–Rackoff blockciphers, in

*Advances in Cryptology—ASIACRYPT 2007*. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 342–356

CrossRef[19]

L. Granboulan, P. Nguyen, F. Noilhan, S. Vaudenay, DFCv2, in

*Selected Areas in Cryptography*. Lecture Notes in Computer Science, vol. 2012 (Springer, Berlin, 2001), pp. 57–71

CrossRef[20]

S. Halevi, EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data, in

*INDOCRYPT*, ed. by A. Canteaut, K. Viswanathan. Lecture Notes in Computer Science, vol. 3348 (Springer, Berlin, 2004), pp. 315–327

CrossRef[21]

S. Halevi, P. Rogaway, A tweakable enciphering mode, in

*Advances in Cryptology: CRYPTO 2003*, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 482–429

CrossRef[22]

S. Halevi, P. Rogaway, A parallelizable enciphering mode, in

*Topics in Cryptology, CT-RSA 2004*. LNCS, vol. 2964 (Springer, Berlin, 2004), pp. 292–304

CrossRef[23]

C. Jutla, Encryption modes with almost free message integrity, in *Advances in Cryptology—EUROCRYPT 2001*, ed. by B. Pfitzmann. Lecture Notes in Computer Science, vol. 2045 (Springer, Berlin, 2001)

[24]

J. Kilian, P. Rogaway, How to protect DES against exhaustive search (an analysis of DESX), in

*Proceedings CRYPTO ’96*. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 252–267. See

http://www.cs.ucdavis.edu/rogaway/papers/desx.ps for an updated version

[25]

M. Liskov, New tools in cryptography: Mutually independent commitment, tweakable block ciphers, and plaintext awareness via key registration. Ph.D. Thesis, MIT Laboratory for Computer Science (2004)

[26]

M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in

*Advances in Cryptology—CRYPTO 2002*, ed. by M. Yung. Lecture Notes in Computer Science (Springer, Berlin, 2002), pp. 31–46

CrossRef[27]

M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, in *Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing*, Berkeley, California, 28–30 May 1986

[28]

Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone,

*Handbook of Applied Cryptography* (CRC Press, Boca Raton, 1997)

MATH[29]

K. Minematsu, Improved security analysis of XEX and LRW modes, in

*Selected Areas in Cryptography—SAC 2006*. Lecture Notes in Computer Science, vol. 4356 (Springer, Berlin, 2006), pp. 96–113

CrossRef[30]

R. Morris, K. Thompson, Password security: A case history.

*Commun. ACM*
**22**(11), 594–597 (1979)

CrossRef[31]

M. Naor, O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited.

*J. Cryptol.*
**12**, 29–66 (1999). Extended abstract in

*Proc. 29th Annual ACM STOC* (1997), pp. 189–199

CrossRefMATHMathSciNet[32]

P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in *Advances in Cryptology—ASIACRYPT 2004*, Jeju Island, Korea, 5–9 December 2004, ed. by P.J. Lee. Lecture Notes in Computer Science, vol. 3329 (Springer, Berlin, 2004)

[33]

P. Rogaway, M. Bellare, J. Black, T. Krovetz, A block-cipher mode of operation for efficient authenticated encryption, in

*Eighth ACM Conference on Computer and Communications Security (CCS-8)* (ACM, New York, 2001), pp. 196–205. See

http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-doc.htm
CrossRef[34]

B. Schneier, *Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C* (Wiley, New York, 1996)

[35]

R. Schroeppel, The Hasty Pudding Cipher. NIST AES proposal, available at

http://www.cs.arizona.edu/~rcs/hpc/ (1998)

[36]

Victor Shoup, On fast and provably secure message authentication based on universal hashing, in *Proceedings CRYPTO ’96*. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 313–328

[37]

US Department of Commerce National Bureau of Standards. DES modes of operation (1980). Federal Information Processing Standards Publication 81