[1]

M. Ågren, M. Hell, T. Johansson, W. Meier, A new version of Grain-128 with authentication, in *ECRYPT Symmetric Key Encryption Workshop 2011* (2011). Available at http://skew2011.mat.dtu.dk/
[2]

J.-P. Aumasson, E. Brier, W. Meier, M. Naya-Plasencia, T. Peyrin, Inside the hypercube, in *ACISP*, ed. by C. Boyd, J. Manuel González Nieto. LNCS, vol. 5594 (Springer, Berlin, 2009), pp. 202–213

[3]

J.-P. Aumasson, I. Dinur, L. Henzen, W. Meier, A. Shamir, Efficient FPGA implementations of highly-dimensional cube testers on the stream cipher Grain-128, in *SHARCS* (2009)

[4]

J.-P. Aumasson, I. Dinur, W. Meier, A. Shamir, Cube testers and key recovery attacks on reduced-round MD6 and Trivium, in *FSE*, ed. by O. Dunkelman. LNCS, vol. 5665 (Springer, Berlin, 2009), pp. 1–22

[5]

J.-P. Aumasson, L. Henzen, W. Meier, M. Naya-Plasencia, Quark: a lightweight hash, in *Mangard and Standaert [50]* (2010), pp. 1–15

[6]

G.V. Bard, N. Courtois, J. Nakahara, P. Sepehrdad, B. Zhang, Algebraic, AIDA/cube and side channel analysis of KATAN family of block ciphers, in *Gong and Gupta [39]* (2010), pp. 176–196

[7]

M. Bellare, T. Ristenpart, Multi-property-preserving hash domain extension and the EMD transform, in *ASIACRYPT*, ed. by X. Lai, K. Chen. LNCS, vol. 4284 (Springer, Berlin, 2006), pp. 299–314

[8]

M. Bernet, L. Henzen, H. Kaeslin, N. Felber, W. Fichtner, Hardware implementations of the SHA-3 candidates Shabal and CubeHash, in *CT-MWSCAS* (IEEE, New York, 2009)

[9]

D.J. Bernstein, CubeHash appendix: complexity of generic attacks. Submission to NIST, 2008. http://cubehash.cr.yp.to/submission/generic.pdf
[10]

D.J. Bernstein, CubeHash parameter tweak: 16 times faster, 2009. http://cubehash.cr.yp.to/submission/tweak.pdf
[11]

D.J. Bernstein, CubeHash specification (2.B.1). Submission to NIST (Round 2), 2009. http://cubehash.cr.yp.to/submission2/spec.pdf
[12]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, RadioGatún, a belt-and-mill hash function, in *Second NIST Cryptographic Hash Function Workshop* (2006). http://radiogatun.noekeon.org/
[13]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in *EUROCRYPT*, ed. by N.P. Smart. LNCS, vol. 4965 (Springer, Berlin, 2008), pp. 181–197

[14]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Keccak sponge function family main document (version 2.1). Submission to NIST (Round 2), 2010. http://keccak.noekeon.org/Keccak-main-2.1.pdf
[15]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge-based pseudo-random number generators, in *Mangard and Standaert [50]* (2010), pp. 33–47

[16]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the security of the keyed sponge construction, in *ECRYPT Symmetric Key Encryption Workshop 2011* (2011). Available at http://skew2011.mat.dtu.dk/
[17]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge functions. http://sponge.noekeon.org/SpongeFunctions.pdf
[18]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Duplexing the sponge: single-pass authenticated encryption and other applications. Cryptology ePrint Archive, Report 2011/499, 2011

[19]

E. Biham, O. Dunkelman, A framework for iterative hash functions—HAIFA. Cryptology ePrint Archive, Report 2007/278, 2007

[20]

A. Biryukov, D. Wagner, Slide attacks, in *FSE*, ed. by L. Knudsen. LNCS, vol. 1636 (Springer, Berlin, 1999), pp. 245–259

[21]

A. Bogdanov, C. Rechberger, A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. Cryptology ePrint Archive, Report 2010/532, 2010

[22]

A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in *CHES*, ed. by P. Paillier, I. Verbauwhede. LNCS, vol. 4727 (Springer, Berlin, 2007), pp. 450–466

[23]

A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, Hash functions and RFID tags: mind the gap, in *CHES*, ed. by E. Oswald, P. Rohatgi. LNCS, vol. 5154 (Springer, Berlin, 2008), pp. 283–299

[24]

A. Bogdanov, M. Knezevic, G. Leander, D. Toz, K. Varici, I. Verbauwhede, SPONGENT: a lightweight hash function, in *CHES*, ed. by B. Preneel, T. Takagi. LNCS, vol. 6917 (Springer, Berlin, 2011), pp. 312–325

[25]

J.Y. Cho, Linear cryptanalysis of reduced-round PRESENT, in *CT-RSA*, ed. by J. Pieprzyk. LNCS, vol. 5985 (Springer, Berlin, 2010), pp. 302–317

[26]

C. Clavier, K. Gaj (eds.), *Cryptographic Hardware and Embedded Systems—CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6–9, 2009, Proceedings*. LNCS, vol. 5747 (Springer, Berlin, 2009)

[27]

J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle–Damgård revisited: how to construct a hash function, in *CRYPTO*, ed. by V. Shoup. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 430–448

[28]

C. De Cannière, B. Preneel, Trivium, in *New Stream Cipher Designs*. LNCS, vol. 4986 (Springer, Berlin, 2008), pp. 84–97

[29]

C. De Cannière, Ö. Kücük, B. Preneel, Analysis of Grain’s initialization algorithm, in *SASC 2008* (2008)

[30]

C. De Cannière, O. Dunkelman, M. Knezevic, KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers, in *Clavier and Gaj [26]* (2009), pp. 272–288

[31]

I. Dinur, A. Shamir, Cube attacks on tweakable black box polynomials, in *EUROCRYPT*, ed. by A. Joux. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 278–299

[32]

I. Dinur, A. Shamir, Breaking Grain-128 with dynamic cube attacks. Cryptology ePrint Archive, Report 2010/570, 2010

[33]

I. Dinur, T. Güneysu, C. Paar, A. Shamir, R. Zimmermann, An experimentally verified attack on full Grain-128 using dedicated reconfigurable hardware, in *ASIACRYPT*, ed. by D.H. Lee, X. Wang. LNCS, vol. 7073 (Springer, Berlin, 2011), pp. 327–343

[34]

H. Englund, T. Johansson, M.S. Turan, A framework for chosen IV statistical analysis of stream ciphers, in *INDOCRYPT*, ed. by K. Srinathan, C. Pandu Rangan, M. Yung. LNCS, vol. 4859 (Springer, Berlin, 2007), pp. 268–281

[35]

M. Feldhofer, C. Rechberger, A case against currently used hash functions in RFID protocols, in *OTM Workshops (1)*, ed. by R. Meersman, Z. Tari, P. Herrero. LNCS, vol. 4277 (Springer, Berlin, 2006), pp. 372–381

[36]

M. Feldhofer, J. Wolkerstorfer, Strong crypto for RFID tags—a comparison of low-power hardware implementations, in *ISCAS 2007* (IEEE, New York, 2007), pp. 1839–1842

[37]

W. Fischer, B.M. Gammel, O. Kniffler, J. Velten, Differential power analysis of stream ciphers, in *SASC 2007* (2007)

[38]

P.-A. Fouque, G. Leurent, D. Réal, F. Valette, Practical electromagnetic template attack on HMAC, in *Clavier and Gaj [26]* (2009), pp. 66–80

[39]

G. Gong, K.C. Gupta (eds.), *Progress in Cryptology—INDOCRYPT 2010—11th International Conference on Cryptology in India*, Hyderabad, India, December 12–15, 2010. LNCS, vol. 6498 (Springer, Berlin, 2010)

[40]

T. Good, M. Benaissa, Hardware performance of eSTREAM phase-III stream cipher candidates, in *SASC* (2008)

[41]

J. Guo, T. Peyrin, A. Poschmann, The PHOTON family of lightweight hash functions, in *CRYPTO*, ed. by P. Rogaway. LNCS, vol. 6841 (Springer, Berlin, 2011), pp. 222–239

[42]

J. Guo, T. Peyrin, A. Poschmann, The PHOTON family of lightweight hash functions (2011). Available on https://sites.google.com/site/photonhashfunction/. Full version of [41]

[43]

M. Hell, T. Johansson, A. Maximov, W. Meier, A stream cipher proposal: Grain-128, in *IEEE International Symposium on Information Theory (ISIT 2006)* (2006)

[44]

M. Hell, T. Johansson, W. Meier, Grain: a stream cipher for constrained environments. *Int. J. Wirel. Mob. Comput.* **2**(1), 86–93 (2007)

[45]

E.B. Kavun, T. Yalcin, A lightweight implementation of Keccak hash function for radio-frequency identification applications, in *RFIDSec*, ed. by S.B.O. Yalcin. LNCS, vol. 6370 (Springer, Berlin, 2010), pp. 258–269

[46]

J. Kelsey, T. Kohno, Herding hash functions and the Nostradamus attack, in *EUROCRYPT*, ed. by S. Vaudenay. LNCS, vol. 4004 (Springer, Berlin, 2006), pp. 183–200

[47]

S. Knellwolf, W. Meier, M. Naya-Plasencia, Conditional differential cryptanalysis of NLFSR-based cryptosystems, in *ASIACRYPT*, ed. by M. Abe. LNCS, vol. 6477 (Springer, Berlin, 2010), pp. 130–145

[48]

S. Knellwolf, W. Meier, M. Naya-Plasencia, Conditional differential cryptanalysis of Trivium and KATAN, in *Selected Areas in Cryptography*, ed. by A. Miri, S. Vaudenay. LNCS, vol. 7118 (Springer, Berlin, 2012), pp. 200–212

[49]

Y. Lee, K. Jeong, J. Sung, S. Hong, Related-key chosen IV attacks on Grain-v1 and Grain-128, in *ACISP*, ed. by Y. Mu, W. Susilo, J. Seberry. LNCS, vol. 5107 (Springer, Berlin, 2008), pp. 321–335

[50]

S. Mangard, F.-X. Standaert (eds.), *Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop*, Santa Barbara, CA, USA, August 17–20, 2010. LNCS, vol. 6225 (Springer, Berlin, 2010)

[51]

R.P. McEvoy, M. Tunstall, C.C. Murphy, W.P. Marnane, Differential power analysis of HMAC based on SHA-2, and countermeasures, in *WISA*, ed. by S. Kim, M. Yung, H.-W. Lee. LNCS, vol. 4867 (Springer, Berlin, 2007), pp. 317–332

[52]

NIST, Cryptographic hash algorithm competition. http://www.nist.gov/hash-competition
[53]

M. O’Neill, Low-cost SHA-1 hash function architecture for RFID tags, in *Workshop on RFID Security RFIDsec* (2008)

[54]

M. Renauld, F.-X. Standaert, Combining algebraic and side-channel cryptanalysis against block ciphers, in *30th Symposium on Information Theory in the Benelux* (2009), pp. 97–104. http://www.dice.ucl.ac.be/~fstandae/68.pdf
[55]

M.-J.O. Saarinen, Chosen-IV statistical attacks on eStream ciphers, in *SECRYPT*, ed. by M. Malek, E. Fernández-Medina, J. Hernando (INSTICC Press, Setubal, 2006), pp. 260–266

[56]

P. Sarkar, S. Maitra, Construction of nonlinear boolean functions with important cryptographic properties, in *EUROCRYPT*, ed. by B. Preneel. LNCS, vol. 1807 (Springer, Berlin, 2000), pp. 485–506

[57]

A. Shamir, SQUASH—a new MAC with provable security properties for highly constrained devices such as RFID tags, in *FSE*, ed. by K. Nyberg. LNCS, vol. 5086 (Springer, Berlin, 2008), pp. 144–157

[58]

P. Stankovski, Greedy distinguishers and nonrandomness detectors, in *Gong and Gupta [39]* (2010), pp. 210–226

[59]

G. Van Assche, Errata for Keccak presentation. Email sent to the NIST SHA-3 mailing list on Feb. 7, 2011, on behalf of the Keccak team

[60]

L. Wei, C. Rechberger, J. Guo, H. Wu, H. Wang, S. Ling, Improved meet-in-the-middle cryptanalysis of KTANTAN (poster), in *ACISP*, ed. by U. Parampalli, P. Hawkes. LNCS, vol. 6812 (Springer, Berlin, 2011), pp. 433–438

[61]

H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, O. Kucuk, B. Preneel, MAME: a compression function with reduced hardware requirements, in *ECRYPT Hash Workshop 2007* (2007)