{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T11:21:22Z","timestamp":1774524082428,"version":"3.50.1"},"publisher-location":"Berlin, Heidelberg","reference-count":78,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783662498897","type":"print"},{"value":"9783662498903","type":"electronic"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-662-49890-3_11","type":"book-chapter","created":{"date-parts":[[2016,4,27]],"date-time":"2016-04-27T04:40:46Z","timestamp":1461732046000},"page":"263-293","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":51,"title":["Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption"],"prefix":"10.1007","author":[{"given":"Robert","family":"Granger","sequence":"first","affiliation":[]},{"given":"Philipp","family":"Jovanovic","sequence":"additional","affiliation":[]},{"given":"Bart","family":"Mennink","sequence":"additional","affiliation":[]},{"given":"Samuel","family":"Neves","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2016,4,28]]},"reference":[{"key":"11_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"168","DOI":"10.1007\/978-3-662-46706-0_9","volume-title":"Fast Software Encryption","author":"E Andreeva","year":"2015","unstructured":"Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) 
FSE 2014. LNCS, vol. 8540, pp. 168\u2013186. Springer, Heidelberg (2015)"},{"key":"11_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"424","DOI":"10.1007\/978-3-642-42033-7_22","volume-title":"Advances in Cryptology - ASIACRYPT 2013","author":"E Andreeva","year":"2013","unstructured":"Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424\u2013443. Springer, Heidelberg (2013)"},{"key":"11_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"364","DOI":"10.1007\/978-3-662-48116-5_18","volume-title":"Fast Software Encryption","author":"E Andreeva","year":"2015","unstructured":"Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364\u2013384. Springer, Heidelberg (2015)"},{"key":"11_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"306","DOI":"10.1007\/978-3-319-16295-9_17","volume-title":"Progress in Cryptology - LATINCRYPT 2014","author":"JP Aumasson","year":"2015","unstructured":"Aumasson, J.P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306\u2013324. Springer, Heidelberg (2015)"},{"key":"11_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"119","DOI":"10.1007\/978-3-642-38980-1_8","volume-title":"Applied Cryptography and Network Security","author":"JP Aumasson","year":"2013","unstructured":"Aumasson, J.P., Neves, S., Wilcox-O\u2019Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson Jr., M.J., Locasto, M.E., Mohassel, P., Safavi-Naini, R. 
(eds.) ACNS 13. LNCS, vol. 7954, pp. 119\u2013135. Springer, Heidelberg (2013)"},{"key":"11_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1007\/978-3-642-54631-0_13","volume-title":"Public-Key Cryptography \u2013 PKC 2014","author":"R Barbulescu","year":"2014","unstructured":"Barbulescu, R., Bouvier, C., Detrey, J., Gaudry, P., Jeljeli, H., Thom\u00e9, E., Videau, M., Zimmermann, P.: Discrete logarithm in GF$$(2^{809})$$ with FFS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 221\u2013238. Springer, Heidelberg (2014)"},{"key":"11_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-55220-5_1","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2014","author":"R Barbulescu","year":"2014","unstructured":"Barbulescu, R., Gaudry, P., Joux, A., Thom\u00e9, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1\u201316. Springer, Heidelberg (2014)"},{"key":"11_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-642-33027-8_19","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES 2012","author":"DJ Bernstein","year":"2012","unstructured":"Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320\u2013339. Springer, Heidelberg (2012)"},{"key":"11_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-642-28496-0_19","volume-title":"Selected Areas in Cryptography","author":"G Bertoni","year":"2011","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. 
In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320\u2013337. Springer, Heidelberg (2011)"},{"key":"11_CR10","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: SKEW 2011 (2011)"},{"key":"11_CR11","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Using Keccak technology for AE: Ketje, Keyak and more. In: SHA-3 2014 Workshop (2014)"},{"key":"11_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/3-540-46035-7_25","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2002","author":"J Black","year":"2002","unstructured":"Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384\u2013397. Springer, Heidelberg (2002)"},{"issue":"3","key":"11_CR13","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1016\/j.ffa.2003.08.004","volume":"10","author":"AW Bluher","year":"2004","unstructured":"Bluher, A.W.: On $$x^{q+1}+ax+b$$. Finite Fields Appl. 10(3), 285\u2013305 (2004)","journal-title":"Finite Fields Appl."},{"issue":"3\u20134","key":"11_CR14","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1006\/jsco.1996.0125","volume":"24","author":"W Bosma","year":"1997","unstructured":"Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3\u20134), 235\u2013265 (1997). Computational algebra and number theory (London, 1993)","journal-title":"J. 
Symbolic Comput."},{"key":"11_CR15","unstructured":"CAESAR \u2013 Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014)"},{"key":"11_CR16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"137","DOI":"10.1007\/978-3-642-40588-4_10","volume-title":"Security Engineering and Intelligence Informatics","author":"DF C\u00e2mara","year":"2013","unstructured":"C\u00e2mara, D.F., Gouv\u00eaa, C.P.L., L\u00f3pez, J., Dahab, R.: Fast software polynomial multiplication on ARM processors using the NEON engine. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E.R., Xu, L. (eds.) Security Engineering and Intelligence Informatics. LNCS, vol. 8128, pp. 137\u2013154. Springer, Heidelberg (2013)"},{"key":"11_CR17","doi-asserted-by":"crossref","unstructured":"Canteaut, A., Carpov, S., Fontaine, C., Lepoint, T., Naya-Plasencia, M., Paillier, P., Sirdey, R.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: FSE 2016. LNCS. Springer, Heidelberg, March 2016 (to appear)","DOI":"10.1007\/978-3-662-52993-5_16"},{"issue":"5","key":"11_CR18","doi-asserted-by":"publisher","first-page":"1991","DOI":"10.1109\/TIT.2008.920247","volume":"54","author":"D Chakraborty","year":"2008","unstructured":"Chakraborty, D., Sarkar, P.: A general construction of tweakable block ciphers and different modes of operations. IEEE Trans. Inf. Theory 54(5), 1991\u20132006 (2008)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"11_CR19","unstructured":"Chakraborty, D., Sarkar, P.: On modes of operations of a block cipher for authentication and authenticated encryption. 
Cryptology ePrint Archive, Report 2014\/627 (2014)"},{"key":"11_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-662-44371-2_3","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"S Chen","year":"2014","unstructured":"Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.P.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39\u201356. Springer, Heidelberg (2014)"},{"key":"11_CR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/978-3-642-55220-5_19","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2014","author":"S Chen","year":"2014","unstructured":"Chen, S., Steinberger, J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327\u2013350. Springer, Heidelberg (2014)"},{"key":"11_CR22","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1112\/S1461157014000242","volume":"17","author":"Q Cheng","year":"2014","unstructured":"Cheng, Q., Wan, D., Zhuang, J.: Traps to the BGJT-algorithm for discrete logarithms. LMS J. Comput. Math. 17, 218\u2013229 (2014)","journal-title":"LMS J. Comput. Math."},{"key":"11_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"189","DOI":"10.1007\/978-3-662-47989-6_9","volume-title":"Advances in Cryptology \u2013 CRYPTO 2015","author":"B Cogliati","year":"2015","unstructured":"Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 189\u2013208. 
Springer, Heidelberg (2015)"},{"key":"11_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"134","DOI":"10.1007\/978-3-662-48800-3_6","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2015","author":"B Cogliati","year":"2015","unstructured":"Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 134\u2013158. Springer, Heidelberg (2015)"},{"key":"11_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"584","DOI":"10.1007\/978-3-662-46800-5_23","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2015","author":"B Cogliati","year":"2015","unstructured":"Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 584\u2013613. Springer, Heidelberg (2015)"},{"key":"11_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1007\/978-3-642-34047-5_12","volume-title":"Fast Software Encryption","author":"E Fleischmann","year":"2012","unstructured":"Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196\u2013215. Springer, Heidelberg (2012)"},{"key":"11_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1007\/3-540-45473-X_8","volume-title":"Fast Software Encryption","author":"VD Gligor","year":"2002","unstructured":"Gligor, V.D., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 92\u2013108. 
Springer, Heidelberg (2002)"},{"key":"11_CR28","doi-asserted-by":"crossref","unstructured":"Goll, M., Gueron, S.: Vectorization on ChaCha stream cipher. In: Latifi, S. (ed.) ITNG 2014, pp. 612\u2013615. IEEE Computer Society (2014)","DOI":"10.1109\/ITNG.2014.33"},{"key":"11_CR29","doi-asserted-by":"crossref","unstructured":"Goll, M., Gueron, S.: Vectorization of Poly1305 message authentication code. In: Latifi, S. (ed.) ITNG 2015, pp. 612\u2013615. IEEE Computer Society (2015)","DOI":"10.1109\/ITNG.2015.28"},{"key":"11_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"109","DOI":"10.1007\/978-3-642-40084-1_7","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"F G\u00f6loglu","year":"2013","unstructured":"G\u00f6loglu, F., Granger, R., McGuire, G., Zumbr\u00e4gel, J.: On the function field sieve and the impact of higher splitting probabilities \u2013 application to discrete logarithms in $$\\mathbb{F}_{2^{1971}}$$ and $$\\mathbb{F}_{2^{3164}}$$. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 109\u2013128. Springer, Heidelberg (2013)"},{"key":"11_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1007\/978-3-662-43414-7_7","volume-title":"Selected Areas in Cryptography \u2013 SAC 2013","author":"F G\u00f6loglu","year":"2014","unstructured":"G\u00f6loglu, F., Granger, R., McGuire, G., Zumbr\u00e4gel, J.: Solving a 6120-bit DLP on a desktop computer. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 136\u2013152. 
Springer, Heidelberg (2014)"},{"key":"11_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1007\/978-3-662-44381-1_8","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"R Granger","year":"2014","unstructured":"Granger, R., Kleinjung, T., Zumbr\u00e4gel, J.: Breaking \u2018128-bit secure\u2019 supersingular binary curves \u2013 (or how to solve discrete logarithms in $${F}_{2^{4 \\cdot 1223}}$$ and $${F}_{2^{12 \\cdot 367}}$$). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 126\u2013145. Springer, Heidelberg (2014)"},{"key":"11_CR33","unstructured":"Granger, R., Kleinjung, T., Zumbr\u00e4gel, J.: On the powers of 2. Cryptology ePrint Archive, Report 2014\/300 (2014)"},{"key":"11_CR34","unstructured":"Granger, R., Kleinjung, T., Zumbr\u00e4gel, J.: On the discrete logarithm problem in finite fields of fixed characteristic. Cryptology ePrint Archive, Report 2015\/685 (2015)"},{"key":"11_CR35","unstructured":"Granger, R., Kleinjung, T., Zumbr\u00e4gel, J.: Discrete Logarithms in $$GF(2^{9234})$$. NMBRTHRY list, 31 January 2014"},{"key":"11_CR36","unstructured":"Gueron, S.: AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition. In: DIAC 2013 (2013)"},{"key":"11_CR37","doi-asserted-by":"crossref","unstructured":"Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 109\u2013119. ACM Press, October 2015","DOI":"10.1145\/2810103.2813613"},{"key":"11_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"402","DOI":"10.1007\/978-3-319-04852-9_21","volume-title":"Topics in Cryptology \u2013 CT-RSA 2014","author":"J Guo","year":"2014","unstructured":"Guo, J., Karpman, P., Nikolic, I., Wang, L., Wu, S.: Analysis of BLAKE2. In: Benaloh, J. (ed.) 
CT-RSA 2014. LNCS, vol. 8366, pp. 402\u2013423. Springer, Heidelberg (2014)"},{"issue":"3","key":"11_CR39","doi-asserted-by":"publisher","first-page":"385","DOI":"10.1287\/ijoc.1070.0251","volume":"20","author":"H Haramoto","year":"2008","unstructured":"Haramoto, H., Matsumoto, M., Nishimura, T., Panneton, F., L\u2019Ecuyer, P.: Efficient jump ahead for $$\\mathbb{F}_2$$-linear random number generators. INFORMS J. Comput. 20(3), 385\u2013390 (2008)","journal-title":"INFORMS J. Comput."},{"key":"11_CR40","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1007\/978-3-662-46800-5_2","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2015","author":"VT Hoang","year":"2015","unstructured":"Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 15\u201344. Springer, Heidelberg (2015)"},{"key":"11_CR41","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1007\/978-3-662-47989-6_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2015","author":"VT Hoang","year":"2015","unstructured":"Hoang, V.T., Reyhanitabar, R., Rogaway, P., Viz\u00e1r, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 493\u2013517. Springer, Heidelberg (2015)"},{"key":"11_CR42","unstructured":"Huang, M., Narayanan, A.K.: On the relation generation method of Joux for computing discrete logarithms. CoRR abs\/1312.1674 (2013)"},{"key":"11_CR43","unstructured":"Jean, J., Nikoli\u0107, I., Peyrin, T.: Deoxys v1.3. CAESAR Round 2 submission (2015)"},{"key":"11_CR44","unstructured":"Jean, J., Nikoli\u0107, I., Peyrin, T.: Joltik v1.3. 
CAESAR Round 2 submission (2015)"},{"key":"11_CR45","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/978-3-662-43414-7_18","volume-title":"Selected Areas in Cryptography \u2013 SAC 2013","author":"A Joux","year":"2014","unstructured":"Joux, A.: A new index calculus algorithm with complexity $${L}(1\/4+o(1))$$ in small characteristic. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 355\u2013379. Springer, Heidelberg (2014)"},{"key":"11_CR46","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"431","DOI":"10.1007\/3-540-45455-1_34","volume-title":"Algorithmic Number Theory","author":"A Joux","year":"2002","unstructured":"Joux, A., Lercier, R.: The function field sieve is quite special. In: Fieker, C., Kohel, D.R. (eds.) Algorithmic Number Theory. LNCS, vol. 2369, pp. 431\u2013445. Springer, Heidelberg (2002)"},{"key":"11_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"254","DOI":"10.1007\/11761679_16","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2006","author":"A Joux","year":"2006","unstructured":"Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254\u2013270. Springer, Heidelberg (2006)"},{"key":"11_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"378","DOI":"10.1007\/978-3-662-45611-8_20","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2014","author":"A Joux","year":"2014","unstructured":"Joux, A., Pierrot, C.: Improving the polynomial time precomputation of Frobenius representation discrete logarithm algorithms \u2013 simplified setting for small characteristic finite fields. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 378\u2013397. 
Springer, Heidelberg (2014)"},{"issue":"4","key":"11_CR49","doi-asserted-by":"publisher","first-page":"547","DOI":"10.1007\/s00145-008-9024-z","volume":"21","author":"CS Jutla","year":"2008","unstructured":"Jutla, C.S.: Encryption modes with almost free message integrity. J. Cryptology 21(4), 547\u2013578 (2008)","journal-title":"J. Cryptology"},{"key":"11_CR50","unstructured":"Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yal\u00e7\u0131n, T.: Pr\u00f8st v1. CAESAR Round 1 submission (2014)"},{"key":"11_CR51","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1007\/978-3-662-48116-5_25","volume-title":"Fast Software Encryption","author":"D Khovratovich","year":"2015","unstructured":"Khovratovich, D., Nikolic, I., Pieprzyk, J., Sokolowski, P., Steinfeld, R.: Rotational cryptanalysis of ARX revisited. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 519\u2013536. Springer, Heidelberg (2015)"},{"key":"11_CR52","unstructured":"Kleinjung, T.: Discrete logarithms in GF($$2^{1279}$$). NMBRTHRY list, 17 October 2014"},{"key":"11_CR53","doi-asserted-by":"crossref","unstructured":"Krovetz, T., Rogaway, P.: The OCB authenticated-encryption algorithm. RFC 7253 (Informational) (2014)","DOI":"10.17487\/rfc7253"},{"key":"11_CR54","unstructured":"Krovetz, T.: HS1-SIV v1. CAESAR Round 1 submission (2014)"},{"key":"11_CR55","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-642-21702-9_18","volume-title":"Fast Software Encryption","author":"T Krovetz","year":"2011","unstructured":"Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306\u2013327. 
Springer, Heidelberg (2011)"},{"issue":"10","key":"11_CR56","doi-asserted-by":"publisher","first-page":"5366","DOI":"10.1109\/TIT.2010.2059636","volume":"56","author":"K Kurosawa","year":"2010","unstructured":"Kurosawa, K.: Power of a public random permutation and its application to authenticated encryption. IEEE Trans. Inf. Theory 56(10), 5366\u20135374 (2010)","journal-title":"IEEE Trans. Inf. Theory"},{"issue":"193","key":"11_CR57","doi-asserted-by":"publisher","first-page":"329","DOI":"10.1090\/S0025-5718-1991-1052099-2","volume":"56","author":"HW Lenstra Jr","year":"1991","unstructured":"Lenstra Jr., H.W.: Finding isomorphisms between finite fields. Math. Comput. 56(193), 329\u2013347 (1991)","journal-title":"Math. Comput."},{"key":"11_CR58","volume-title":"Finite Fields, Encyclopedia of Mathematics and its Applications","author":"R Lidl","year":"1997","unstructured":"Lidl, R., Niederreiter, H.: Finite Fields, Encyclopedia of Mathematics and its Applications, vol. 20, 2nd edn. Cambridge University Press, Cambridge, United Kingdom (1997)","edition":"2"},{"issue":"14","key":"11_CR59","doi-asserted-by":"publisher","first-page":"1","DOI":"10.18637\/jss.v008.i14","volume":"8","author":"G Marsaglia","year":"2003","unstructured":"Marsaglia, G.: Xorshift RNGs. J. Stat. Softw. 8(14), 1\u20136 (2003)","journal-title":"J. Stat. Softw."},{"issue":"1","key":"11_CR60","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1145\/272991.272995","volume":"8","author":"M Matsumoto","year":"1998","unstructured":"Matsumoto, M., Nishimura, T.: Mersenne Twister: a 623-dimensionally equidistributed uniform pseudo-random number generator. ACM Trans. Model. Comput. Simul. 8(1), 3\u201330 (1998)","journal-title":"ACM Trans. Model. Comput. Simul."},{"key":"11_CR61","unstructured":"MEM Family of AEAD Schemes (2015). 
https:\/\/github.com\/MEM-AEAD"},{"key":"11_CR62","doi-asserted-by":"crossref","unstructured":"Mennink, B.: XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. Cryptology ePrint Archive, Report 2015\/476 (2015)","DOI":"10.1007\/978-3-662-53018-4_3"},{"key":"11_CR63","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"465","DOI":"10.1007\/978-3-662-48800-3_19","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2015","author":"B Mennink","year":"2015","unstructured":"Mennink, B., Reyhanitabar, R., Viz\u00e1r, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 465\u2013489. Springer, Heidelberg (2015)"},{"key":"11_CR64","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1007\/978-3-642-41227-1_13","volume-title":"Provable Security","author":"K Minematsu","year":"2013","unstructured":"Minematsu, K.: A short universal hash function from bit rotation, and applications to blockcipher modes. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 221\u2013238. Springer, Heidelberg (2013)"},{"key":"11_CR65","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/978-3-642-55220-5_15","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2014","author":"C Namprempre","year":"2014","unstructured":"Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257\u2013274. Springer, Heidelberg (2014)"},{"issue":"4","key":"11_CR66","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1145\/1597036.1597050","volume":"5","author":"PQ Nguyen","year":"2009","unstructured":"Nguyen, P.Q., Stehl\u00e9, D.: Low-dimensional lattice basis reduction revisited. 
ACM Trans. Algorithms 5(4), 46 (2009)","journal-title":"ACM Trans. Algorithms"},{"key":"11_CR67","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1016\/0024-3795(93)90247-L","volume":"192","author":"H Niederreiter","year":"1993","unstructured":"Niederreiter, H.: Factorization of polynomials and some linear-algebra problems over finite fields. Linear Algebra Appl. 192, 301\u2013328 (1993)","journal-title":"Linear Algebra Appl."},{"key":"11_CR68","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/978-3-642-04159-4_21","volume-title":"Selected Areas in Cryptography","author":"J Patarin","year":"2009","unstructured":"Patarin, J.: The \u201ccoefficients H\u201d technique (invited talk). In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328\u2013345. Springer, Heidelberg (2009)"},{"key":"11_CR69","unstructured":"Peyrin, T.: Personal communication, February 2016"},{"key":"11_CR70","doi-asserted-by":"crossref","unstructured":"Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. Cryptology ePrint Archive, Report 2015\/1049 (2015)","DOI":"10.1007\/978-3-662-53018-4_2"},{"key":"11_CR71","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1007\/978-3-540-30539-2_2","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2004","author":"P Rogaway","year":"2004","unstructured":"Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16\u201331. Springer, Heidelberg (2004)"},{"key":"11_CR72","doi-asserted-by":"crossref","unstructured":"Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM CCS 2001, pp. 196\u2013205. 
ACM Press (2001)","DOI":"10.1145\/501983.502011"},{"key":"11_CR73","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1007\/11761679_23","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2006","author":"P Rogaway","year":"2006","unstructured":"Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373\u2013390. Springer, Heidelberg (2006)"},{"issue":"8","key":"11_CR74","doi-asserted-by":"publisher","first-page":"4025","DOI":"10.1109\/TIT.2010.2050921","volume":"56","author":"P Sarkar","year":"2010","unstructured":"Sarkar, P.: Pseudo-random functions and parallelizable modes of operations of a block cipher. IEEE Trans. Inf. Theory 56(8), 4025\u20134037 (2010)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"11_CR75","unstructured":"Sasaki, Y., Todo, Y., Aoki, K., Naito, Y., Sugawara, T., Murakami, Y., Matsui, M., Hirose, S.: Minalpher v1. CAESAR Round 1 submission (2014)"},{"key":"11_CR76","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/3-540-45682-1_7","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2001","author":"E Thom\u00e9","year":"2001","unstructured":"Thom\u00e9, E.: Computation of discrete logarithms in $$F_{2^{607}}$$. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 107\u2013124. Springer, Heidelberg (2001)"},{"key":"11_CR77","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"316","DOI":"10.1007\/978-3-540-71039-4_20","volume-title":"Fast Software Encryption","author":"K Yasuda","year":"2008","unstructured":"Yasuda, K.: A one-pass mode of operation for deterministic message authentication- security beyond the birthday barrier. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 316\u2013333. 
Springer, Heidelberg (2008)"},{"key":"11_CR78","unstructured":"Zeng, G., Han, W., He, K.: High efficiency feedback shift register: $$\\sigma -$$LFSR. Cryptology ePrint Archive, Report 2007\/114 (2007)"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 EUROCRYPT 2016"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-662-49890-3_11","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,2]],"date-time":"2025-06-02T22:03:33Z","timestamp":1748901813000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-662-49890-3_11"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783662498897","9783662498903"],"references-count":78,"URL":"https:\/\/doi.org\/10.1007\/978-3-662-49890-3_11","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016]]},"assertion":[{"value":"28 April 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}