{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T15:56:43Z","timestamp":1775145403134,"version":"3.50.1"},"publisher-location":"Cham","reference-count":77,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031158018","type":"print"},{"value":"9783031158025","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-15802-5_4","type":"book-chapter","created":{"date-parts":[[2022,10,11]],"date-time":"2022-10-11T16:59:52Z","timestamp":1665507592000},"page":"94-124","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Triangulating Rebound Attack on AES-like Hashing"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3444-6030","authenticated-orcid":false,"given":"Xiaoyang","family":"Dong","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8847-6748","authenticated-orcid":false,"given":"Jian","family":"Guo","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7663-8321","authenticated-orcid":false,"given":"Shun","family":"Li","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5806-2154","authenticated-orcid":false,"given":"Phuong","family":"Pham","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,10,12]]},"reference":[{"key":"4_CR1","unstructured":"Alliance, Z.: ZigBee 2007 specification (2007). http:\/\/www.zigbee.org\/"},{"key":"4_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/978-3-319-72565-9_16","volume-title":"Selected Areas in Cryptography \u2013 SAC 2017","author":"G Banegas","year":"2018","unstructured":"Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 325\u2013335. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-319-72565-9_16"},{"issue":"4","key":"4_CR3","first-page":"318","volume":"2019","author":"Z Bao","year":"2019","unstructured":"Bao, Z., Ding, L., Guo, J., Wang, H., Zhang, W.: Improved meet-in-the-middle preimage attacks against AES hashing modes. IACR Trans. Symmetric Cryptol. 2019(4), 318\u2013347 (2019)","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"4_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"771","DOI":"10.1007\/978-3-030-77870-5_27","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2021","author":"Z Bao","year":"2021","unstructured":"Bao, Z., et al.: Automatic search of meet-in-the-middle preimage attacks on AES-like hashing. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 771\u2013804. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-77870-5_27"},{"key":"4_CR5","unstructured":"Bao, Z., Guo, J., Li, S., Pham, P.: Quantum multi-collision distinguishers. Cryptology ePrint Archive, Report 2021\/703 (2021). https:\/\/ia.cr\/2021\/703"},{"key":"4_CR6","unstructured":"Barreto, P.S., Rijmen, V.: The Whirlpool hashing function. Submitted to NESSIE"},{"key":"4_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/978-3-662-53008-5_5","volume-title":"Advances in Cryptology \u2013 CRYPTO 2016","author":"C Beierle","year":"2016","unstructured":"Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 123\u2013153. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53008-5_5"},{"key":"4_CR8","unstructured":"Benadjila, R., et al: SHA-3 proposal: ECHO. Submission to NIST (updated), p. 113 (2009)"},{"key":"4_CR9","unstructured":"Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete. In: SHARCS 2009, vol. 9, p. 105 (2009)"},{"key":"4_CR10","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Keccak sponge function family main document. Submission to NIST (Round 2), 3(30), 320\u2013337 (2009)"},{"key":"4_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"344","DOI":"10.1007\/978-3-642-25385-0_19","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2011","author":"A Bogdanov","year":"2011","unstructured":"Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344\u2013371. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-25385-0_19"},{"key":"4_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"552","DOI":"10.1007\/978-3-030-34578-5_20","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2019","author":"X Bonnetain","year":"2019","unstructured":"Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon\u2019s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 552\u2013583. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-34578-5_20"},{"key":"4_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"492","DOI":"10.1007\/978-3-030-38471-5_20","volume-title":"Selected Areas in Cryptography \u2013 SAC 2019","author":"X Bonnetain","year":"2020","unstructured":"Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 492\u2013519. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-38471-5_20"},{"issue":"2","key":"4_CR14","doi-asserted-by":"publisher","first-page":"55","DOI":"10.46586\/tosc.v2019.i2.55-93","volume":"2019","author":"X Bonnetain","year":"2019","unstructured":"Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: Quantum security analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), 55\u201393 (2019)","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"4_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/BFb0054319","volume-title":"LATIN\u201998: Theoretical Informatics","author":"G Brassard","year":"1998","unstructured":"Brassard, G., H\u00f8yer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163\u2013169. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0054319"},{"key":"4_CR16","unstructured":"Canteaut, A., et al.: A note on related-key attacks on Saturnin (2020). https:\/\/project.inria.fr\/saturnin\/files\/2020\/11\/Note-RK-1.pdf"},{"issue":"S1","key":"4_CR17","doi-asserted-by":"publisher","first-page":"160","DOI":"10.46586\/tosc.v2020.iS1.160-207","volume":"2020","author":"A Canteaut","year":"2020","unstructured":"Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160\u2013207 (2020)","journal-title":"IACR Trans. Symmetric Cryptol."},{"issue":"3","key":"4_CR18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/tosc.v2017.i3.1-23","volume":"2017","author":"V Cauchois","year":"2017","unstructured":"Cauchois, V., Gomez, C., Lercier, R.: Gr\u00f8stl distinguishing attack: a new rebound attack of an AES-like permutation. IACR Trans. Symmetric Cryptol. 2017(3), 1\u201323 (2017)","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"4_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-319-70697-9_8","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2017","author":"A Chailloux","year":"2017","unstructured":"Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 211\u2013240. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-70697-9_8"},{"key":"4_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1007\/11832072_6","volume-title":"Security and Cryptography for Networks","author":"J Daemen","year":"2006","unstructured":"Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78\u201394. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11832072_6"},{"key":"4_CR21","series-title":"Information Security and Cryptography","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-04722-4","volume-title":"The Design of Rijndael: AES - The Advanced Encryption Standard","author":"J Daemen","year":"2002","unstructured":"Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography, Springer, Cham (2002). https:\/\/doi.org\/10.1007\/978-3-662-04722-4"},{"key":"4_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"416","DOI":"10.1007\/0-387-34805-0_39","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 89 Proceedings","author":"IB Damg\u00e5rd","year":"1990","unstructured":"Damg\u00e5rd, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416\u2013427. Springer, New York (1990). https:\/\/doi.org\/10.1007\/0-387-34805-0_39"},{"key":"4_CR23","doi-asserted-by":"crossref","unstructured":"Delaune, S., Derbez, P., Vavrille, M.: Catching the fastest boomerangs. IACR Trans. Symmetric Cryptol. 104\u2013129 (2020)","DOI":"10.46586\/tosc.v2020.i4.104-129"},{"key":"4_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-642-38348-9_23","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2013","author":"P Derbez","year":"2013","unstructured":"Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371\u2013387. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-38348-9_23"},{"key":"4_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"359","DOI":"10.1007\/978-3-030-56877-1_13","volume-title":"Advances in Cryptology \u2013 CRYPTO 2020","author":"P Derbez","year":"2020","unstructured":"Derbez, P., Huynh, P., Lallemand, V., Naya-Plasencia, M., Perrin, L., Schrottenloher, A.: Cryptanalysis results on Spook - bringing full-round Shadow-512 to the light. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 359\u2013388. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-56877-1_13"},{"key":"4_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"719","DOI":"10.1007\/978-3-642-32009-5_42","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012","author":"I Dinur","year":"2012","unstructured":"Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719\u2013740. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-32009-5_42"},{"issue":"6","key":"4_CR27","doi-asserted-by":"publisher","first-page":"1179","DOI":"10.1007\/s10623-020-00741-y","volume":"88","author":"X Dong","year":"2020","unstructured":"Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. Des. Codes Cryptogr. 88(6), 1179\u20131203 (2020). https:\/\/doi.org\/10.1007\/s10623-020-00741-y","journal-title":"Des. Codes Cryptogr."},{"key":"4_CR28","doi-asserted-by":"crossref","unstructured":"Dong, X., Guo, J., Li, S., Pham, P.: Triangulating rebound attack on AES-like hashing. Cryptology ePrint Archive, Paper 2022\/731 (2022). https:\/\/eprint.iacr.org\/2022\/731","DOI":"10.1007\/978-3-031-15802-5_4"},{"key":"4_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"278","DOI":"10.1007\/978-3-030-84252-9_10","volume-title":"Advances in Cryptology \u2013 CRYPTO 2021","author":"X Dong","year":"2021","unstructured":"Dong, X., Hua, J., Sun, S., Li, Z., Wang, X., Hu, L.: Meet-in-the-middle attacks revisited: key-recovery, collision, and preimage attacks. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 278\u2013308. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-84252-9_10"},{"key":"4_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"727","DOI":"10.1007\/978-3-030-64834-3_25","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2020","author":"X Dong","year":"2020","unstructured":"Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum collision attacks on AES-like hashing with low quantum random access memories. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 727\u2013757. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64834-3_25"},{"key":"4_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"241","DOI":"10.1007\/978-3-030-92062-3_9","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2021","author":"X Dong","year":"2021","unstructured":"Dong, X., Zhang, Z., Sun, S., Wei, C., Wang, X., Hu, L.: Automatic classical and quantum rebound attacks on AES-like hashing by exploiting related-key differentials. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part I. LNCS, vol. 13090, pp. 241\u2013271. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-92062-3_9"},{"key":"4_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"402","DOI":"10.1007\/978-3-642-34047-5_23","volume-title":"Fast Software Encryption","author":"A Duc","year":"2012","unstructured":"Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402\u2013421. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-34047-5_23"},{"key":"4_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-642-17373-8_10","volume-title":"Advances in Cryptology - ASIACRYPT 2010","author":"O Dunkelman","year":"2010","unstructured":"Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158\u2013176. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-17373-8_10"},{"key":"4_CR34","unstructured":"Gauravaram, P., et al.: Gr\u00f8stl - a SHA-3 candidate. In: Symmetric Cryptography, 11\u201316 January 2009 (2009)"},{"key":"4_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"365","DOI":"10.1007\/978-3-642-13858-4_21","volume-title":"Fast Software Encryption","author":"H Gilbert","year":"2010","unstructured":"Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365\u2013383. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-13858-4_21"},{"key":"4_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"527","DOI":"10.1007\/978-3-030-03326-2_18","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2018","author":"L Grassi","year":"2018","unstructured":"Grassi, L., Naya-Plasencia, M., Schrottenloher, A.: Quantum algorithms for the $$k$$-xor problem. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 527\u2013559. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-03326-2_18"},{"key":"4_CR37","doi-asserted-by":"crossref","unstructured":"Guo, C., Katz, J., Wang, X., Yu, Y.: Efficient and secure multiparty computation from fixed-key block ciphers. In: 2020 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 18\u201321 May 2020, pp. 825\u2013841 (2020)","DOI":"10.1109\/SP40000.2020.00016"},{"key":"4_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1007\/978-3-319-76953-0_11","volume-title":"Topics in Cryptology \u2013 CT-RSA 2018","author":"A Hosoyamada","year":"2018","unstructured":"Hosoyamada, A., Sasaki, Yu.: Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 198\u2013218. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-319-76953-0_11"},{"key":"4_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/978-3-030-45724-2_9","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2020","author":"A Hosoyamada","year":"2020","unstructured":"Hosoyamada, A., Sasaki, Yu.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 249\u2013279. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-45724-2_9"},{"key":"4_CR40","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"616","DOI":"10.1007\/978-3-030-84242-0_22","volume-title":"Advances in Cryptology \u2013 CRYPTO 2021","author":"A Hosoyamada","year":"2021","unstructured":"Hosoyamada, A., Sasaki, Yu.: Quantum collision attacks on reduced SHA-256 and SHA-512. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 616\u2013646. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-84242-0_22"},{"key":"4_CR41","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"350","DOI":"10.1007\/978-3-030-25510-7_19","volume-title":"Post-Quantum Cryptography","author":"A Hosoyamada","year":"2019","unstructured":"Hosoyamada, A., Sasaki, Yu., Tani, S., Xagawa, K.: Improved quantum multicollision-finding algorithm. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 350\u2013367. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-25510-7_19"},{"key":"4_CR42","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/978-3-319-70697-9_7","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2017","author":"A Hosoyamada","year":"2017","unstructured":"Hosoyamada, A., Sasaki, Yu., Xagawa, K.: Quantum multicollision-finding algorithm. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 179\u2013210. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-70697-9_7"},{"key":"4_CR43","unstructured":"ISO\/IEC. 10118-2:2010 Information technology\u2014Security techniques \u2013 Hash-functions \u2013 Part 2: Hash-functions using an $$n$$-bit block cipher. 3rd edn., International Organization for Standardization, Geneve, Switzerland, October 2010"},{"key":"4_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/978-3-642-21702-9_7","volume-title":"Fast Software Encryption","author":"J Jean","year":"2011","unstructured":"Jean, J., Fouque, P.-A.: Practical near-collisions and collisions on round-reduced ECHO-256 compression function. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 107\u2013127. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-21702-9_7"},{"key":"4_CR45","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"110","DOI":"10.1007\/978-3-642-34047-5_7","volume-title":"Fast Software Encryption","author":"J Jean","year":"2012","unstructured":"Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Gr\u00f8stl. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 110\u2013126. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-34047-5_7"},{"key":"4_CR46","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"533","DOI":"10.1007\/978-3-662-43414-7_27","volume-title":"Selected Areas in Cryptography \u2013 SAC 2013","author":"J Jean","year":"2014","unstructured":"Jean, J., Naya-Plasencia, M., Peyrin, T.: Multiple limited-birthday distinguishers and applications. In: Lange, T., Lauter, K., Lison\u011bk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 533\u2013550. Springer, Heidelberg (2014). https:\/\/doi.org\/10.1007\/978-3-662-43414-7_27"},{"key":"4_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/978-3-662-53008-5_8","volume-title":"Advances in Cryptology \u2013 CRYPTO 2016","author":"M Kaplan","year":"2016","unstructured":"Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using\u00a0quantum\u00a0period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 207\u2013237. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53008-5_8"},{"issue":"1","key":"4_CR48","doi-asserted-by":"publisher","first-page":"71","DOI":"10.46586\/tosc.v2016.i1.71-94","volume":"2016","author":"M Kaplan","year":"2016","unstructured":"Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), 71\u201394 (2016)","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"4_CR49","doi-asserted-by":"crossref","unstructured":"Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24\u201328 October 2016, pp. 830\u2013842 (2016)","DOI":"10.1145\/2976749.2978357"},{"key":"4_CR50","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1007\/978-3-642-00862-7_11","volume-title":"Topics in Cryptology \u2013 CT-RSA 2009","author":"D Khovratovich","year":"2009","unstructured":"Khovratovich, D., Biryukov, A., Nikolic, I.: Speeding up collision search for byte-oriented hash functions. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 164\u2013181. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-00862-7_11"},{"issue":"3","key":"4_CR51","doi-asserted-by":"publisher","first-page":"452","DOI":"10.1007\/s00145-013-9150-0","volume":"27","author":"D Khovratovich","year":"2014","unstructured":"Khovratovich, D., Nikolic, I., Rechberger, C.: Rotational rebound attacks on reduced Skein. J. Cryptol. 27(3), 452\u2013479 (2014)","journal-title":"J. Cryptol."},{"key":"4_CR52","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-540-74619-5_3","volume-title":"Fast Software Encryption","author":"LR Knudsen","year":"2007","unstructured":"Knudsen, L.R., Rechberger, C., Thomsen, S.S.: The Grindahl hash functions. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 39\u201357. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-74619-5_3"},{"issue":"2","key":"4_CR53","first-page":"1","volume":"2016","author":"S K\u00f6lbl","year":"2016","unstructured":"K\u00f6lbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 - efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1\u201329 (2016)","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"4_CR54","doi-asserted-by":"crossref","unstructured":"Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: Proceedings of ISIT 2010, Austin, Texas, USA, 13\u201318 June 2010, pp. 2682\u20132685 (2010)","DOI":"10.1109\/ISIT.2010.5513654"},{"key":"4_CR55","unstructured":"Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, Honolulu, HI, USA, 28\u201331 October 2012, pp. 312\u2013316 (2012)"},{"key":"4_CR56","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1007\/978-3-642-10366-7_8","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2009","author":"M Lamberger","year":"2009","unstructured":"Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schl\u00e4ffer, M.: Rebound distinguishers: results on the full Whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126\u2013143. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-10366-7_8"},{"key":"4_CR57","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1007\/978-3-319-70697-9_6","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2017","author":"G Leander","year":"2017","unstructured":"Leander, G., May, A.: Grover meets Simon \u2013 quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 161\u2013178. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-70697-9_6"},{"key":"4_CR58","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"189","DOI":"10.1007\/978-3-030-17659-4_7","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2019","author":"Q Liu","year":"2019","unstructured":"Liu, Q., Zhandry, M.: On finding quantum multi-collisions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 189\u2013218. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-17659-4_7"},{"key":"4_CR59","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1007\/978-3-642-10366-7_7","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2009","author":"K Matusiewicz","year":"2009","unstructured":"Matusiewicz, K., Naya-Plasencia, M., Nikoli\u0107, I., Sasaki, Yu., Schl\u00e4ffer, M.: Rebound attack on the full Lane compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 106\u2013125. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-10366-7_7"},{"key":"4_CR60","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1007\/978-3-642-05445-7_2","volume-title":"Selected Areas in Cryptography","author":"F Mendel","year":"2009","unstructured":"Mendel, F., Peyrin, T., Rechberger, C., Schl\u00e4ffer, M.: Improved cryptanalysis of the reduced Gr\u00f8stl compression function, ECHO permutation and AES block cipher. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16\u201335. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-05445-7_2"},{"key":"4_CR61","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"350","DOI":"10.1007\/978-3-642-11925-5_24","volume-title":"Topics in Cryptology - CT-RSA 2010","author":"F Mendel","year":"2010","unstructured":"Mendel, F., Rechberger, C., Schl\u00e4ffer, M., Thomsen, S.S.: Rebound attacks on the reduced Gr\u00f8stl hash function. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 350\u2013365. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-11925-5_24"},{"key":"4_CR62","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"260","DOI":"10.1007\/978-3-642-03317-9_16","volume-title":"Fast Software Encryption","author":"F Mendel","year":"2009","unstructured":"Mendel, F., Rechberger, C., Schl\u00e4ffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced Whirlpool and Gr\u00f8stl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260\u2013276. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-03317-9_16"},{"key":"4_CR63","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"509","DOI":"10.1007\/978-3-662-46706-0_26","volume-title":"Fast Software Encryption","author":"F Mendel","year":"2015","unstructured":"Mendel, F., Rijmen, V., Schl\u00e4ffer, M.: Collision attack on 5 rounds of Gr\u00f8stl. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 509\u2013521. Springer, Heidelberg (2015). https:\/\/doi.org\/10.1007\/978-3-662-46706-0_26"},{"key":"4_CR64","unstructured":"Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1996)"},{"key":"4_CR65","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1007\/0-387-34805-0_21","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 89 Proceedings","author":"RC Merkle","year":"1990","unstructured":"Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218\u2013238. Springer, New York (1990). https:\/\/doi.org\/10.1007\/0-387-34805-0_21"},{"key":"4_CR66","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"188","DOI":"10.1007\/978-3-642-22792-9_11","volume-title":"Advances in Cryptology \u2013 CRYPTO 2011","author":"M Naya-Plasencia","year":"2011","unstructured":"Naya-Plasencia, M.: How to improve rebound attacks. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 188\u2013205. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-22792-9_11"},{"key":"4_CR67","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1007\/978-3-030-45724-2_11","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2020","author":"M Naya-Plasencia","year":"2020","unstructured":"Naya-Plasencia, M., Schrottenloher, A.: Optimal merging in quantum $$k$$-xor and k-sum algorithms. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 311\u2013340. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-45724-2_11"},{"key":"4_CR68","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"252","DOI":"10.1007\/978-3-642-25385-0_14","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2011","author":"M Naya-Plasencia","year":"2011","unstructured":"Naya-Plasencia, M., Toz, D., Varici, K.: Rebound attack on JH42. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 252\u2013269. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-25385-0_14"},{"key":"4_CR69","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"378","DOI":"10.1007\/978-3-642-21702-9_22","volume-title":"Fast Software Encryption","author":"Yu Sasaki","year":"2011","unstructured":"Sasaki, Yu.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 378\u2013396. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-21702-9_22"},{"key":"4_CR70","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1007\/978-3-642-17373-8_3","volume-title":"Advances in Cryptology - ASIACRYPT 2010","author":"Yu Sasaki","year":"2010","unstructured":"Sasaki, Yu., Li, Y., Wang, L., Sakiyama, K., Ohta, K.: Non-full-active Super-Sbox analysis: applications to ECHO and Gr\u00f8stl. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 38\u201355. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-17373-8_3"},{"key":"4_CR71","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"562","DOI":"10.1007\/978-3-642-34961-4_34","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2012","author":"Yu Sasaki","year":"2012","unstructured":"Sasaki, Yu., Wang, L., Wu, S., Wu, W.: Investigating fundamental security requirements on Whirlpool: improved preimage and collision attacks. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 562\u2013579. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-34961-4_34"},{"key":"4_CR72","unstructured":"Schl\u00e4ffer, M.: Updated differential analysis of Gr\u00f8stl. Gr\u00f8stl website, January 2011 (2011)"},{"key":"4_CR73","doi-asserted-by":"crossref","unstructured":"Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20\u201322 November 1994, pp. 124\u2013134 (1994)","DOI":"10.1109\/SFCS.1994.365700"},{"key":"4_CR74","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"570","DOI":"10.1007\/978-3-319-63688-7_19","volume-title":"Advances in Cryptology \u2013 CRYPTO 2017","author":"M Stevens","year":"2017","unstructured":"Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 570\u2013596. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-63688-7_19"},{"issue":"1","key":"4_CR75","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/PL00003816","volume":"12","author":"PC van Oorschot","year":"1999","unstructured":"van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1\u201328 (1999)","journal-title":"J. Cryptol."},{"key":"4_CR76","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/11535218_2","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"X Wang","year":"2005","unstructured":"Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17\u201336. Springer, Heidelberg (2005). https:\/\/doi.org\/10.1007\/11535218_2"},{"key":"4_CR77","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/11426639_2","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2005","author":"X Wang","year":"2005","unstructured":"Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19\u201335. Springer, Heidelberg (2005). https:\/\/doi.org\/10.1007\/11426639_2"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 CRYPTO 2022"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-15802-5_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:05:58Z","timestamp":1760133958000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-15802-5_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031158018","9783031158025"],"references-count":77,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-15802-5_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"12 October 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CRYPTO","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Cryptology Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Santa Barbara, CA","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15 August 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 August 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"42","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"crypto2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/crypto.iacr.org\/2022\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}