{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T03:41:59Z","timestamp":1767930119138,"version":"3.49.0"},"reference-count":110,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T00:00:00Z","timestamp":1759881600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"<jats:p>We present MSX, a new family of 64\/128-bit block ciphers. It aims to provide fast execution on microcontrollers and comes with a highly reliable argument on the resistance against basic differential\/linear attacks, backed by the classical differential\/linear probability analysis on Feistel ciphers and Vaudenay's decorrelation theory. MSX are classical (generalized) Feistel ciphers with a round function. Similar to many existing ARX ciphers, its round function uses arithmetic operations and does not have an S-box. A unique feature of MSX is its use of 32-bit integer multiplication, which enables proving an ideally strong differential\/linear property by design. It could be interpreted as an application of Vaudenay's decorrelation theory.  We provide a detailed security analysis on attacks beyond differential and linear ones and conduct a benchmark on a range of popular microcontrollers with a comparison to Speck, a top performer on microcontrollers. The results show MSX's good performance on 32-bit microcontrollers, maintaining a sufficiently large security margin. MSX aims at security under single key, and related-key security is not the focus.<\/jats:p>","DOI":"10.62056\/av11c3c2h","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["MSX: Lightweight Block Ciphers for Microcontrollers with High-assurance against Differential and Linear Attacks"],"prefix":"10.62056","volume":"2","author":[{"given":"Kazuhiko","family":"Minematsu","sequence":"first","affiliation":[{"name":"NEC Corporation","place":["Kawasaki, Japan"]}]},{"given":"Tomoyasu","family":"Suzaki","sequence":"additional","affiliation":[{"name":"NEC Solution Innovator","place":["Hokuriku, Japan"]}]},{"given":"Mostafizar","family":"Rahman","sequence":"additional","affiliation":[{"name":"Kyoto University","place":["Kyoto, Japan"]}]},{"given":"Sahiba","family":"Suryawanshi","sequence":"additional","affiliation":[{"name":"University of Hyogo","place":["Hyogo, Japan"]}]},{"given":"Takanori","family":"Isobe","sequence":"additional","affiliation":[{"name":"The University of Osaka","place":["Osaka, Japan"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:FSE:WheNee94","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1007\/3-540-60590-8_29","article-title":"TEA, a Tiny Encryption Algorithm","volume":"1008","author":"David J. Wheeler","year":"1995"},{"key":"ref2:DBLP:conf\/dac\/BeaulieuSSTWW15","doi-asserted-by":"publisher","DOI":"10.1145\/2744769.2747946","article-title":"The SIMON and SPECK lightweight block ciphers","author":"Ray Beaulieu","year":"2015"},{"key":"ref3:WISA:HLKKRL13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-05149-9_1","article-title":"LEA: A 128-Bit Block Cipher for Fast Encryption on\n  Common Processors","volume":"8267","author":"Deukjo Hong","year":"2014"},{"key":"ref4:DBLP:conf\/fse\/AbedLLW14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"525","DOI":"10.1007\/978-3-662-46706-0_27","article-title":"Differential Cryptanalysis of Round-Reduced Simon and\n  Speck","volume":"8540","author":"Farzaneh Abed","year":"2014"},{"key":"ref5:DBLP:conf\/fse\/Biryukov0V14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"546","DOI":"10.1007\/978-3-662-46706-0_28","article-title":"Differential Analysis of Block Ciphers SIMON and\n  SPECK","volume":"8540","author":"Alex Biryukov","year":"2014"},{"key":"ref6:DBLP:conf\/ctrsa\/BiryukovV14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/978-3-319-04852-9_12","article-title":"Automatic Search for Differential Trails in ARX\n  Ciphers","volume":"8366","author":"Alex Biryukov","year":"2014"},{"key":"ref7:DBLP:conf\/sacrypt\/Dinur14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"147","DOI":"10.1007\/978-3-319-13051-4_9","article-title":"Improved Differential Cryptanalysis of Round-Reduced\n  Speck","volume":"8781","author":"Itai Dinur","year":"2014"},{"key":"ref8:DBLP:journals\/ipl\/LiuFWSW16","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1016\/J.IPL.2015.11.005","article-title":"Linear cryptanalysis of reduced-round SPECK","volume":"116","author":"Yu Liu","year":"2016","journal-title":"Inf. Process. Lett."},{"key":"ref9:DBLP:journals\/scn\/HuangW20","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/4898612","article-title":"Automatic Search for the Linear (Hull) Characteristics of\n  ARX Ciphers: Applied to SPECK, SPARX, Chaskey, and CHAM-64","volume":"2020","author":"Mingjiang Huang","year":"2020","journal-title":"Secur. Commun. Networks"},{"key":"ref10:SAC:SMMK12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1007\/978-3-642-35999-6_22","article-title":"$\\textnormal{\\textsc{{TWINE}}}$ : A Lightweight Block\n  Cipher for Multiple Platforms","volume":"7707","author":"Tomoyasu Suzaki","year":"2013"},{"key":"ref11:ACNS:WuZha11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/978-3-642-21554-4_19","article-title":"LBlock: A Lightweight Block Cipher","volume":"6715","author":"Wenling Wu","year":"2011"},{"key":"ref12:noekeon","volume-title":"Nessie Proposal: NOEKEON","author":"Joan Daemen","year":"2000"},{"key":"ref13:DBLP:journals\/iacr\/ZhangBLRYV14","first-page":"84","article-title":"RECTANGLE: A Bit-slice Ultra-Lightweight Block Cipher\n  Suitable for Multiple Platforms","author":"Wentao Zhang","year":"2014","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref14:DBLP:conf\/cardis\/StandaertPGQ06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/11733447_16","article-title":"SEA: A Scalable Encryption Algorithm for Small Embedded\n  Applications","volume":"3928","author":"Fran\u00e7ois-Xavier Standaert","year":"2006"},{"key":"ref15:DBLP:conf\/lightsec\/BaysalS15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"58","DOI":"10.1007\/978-3-319-29078-2_4","article-title":"RoadRunneR: A Small and Fast Bitslice Block Cipher for Low\n  Cost 8-Bit Processors","volume":"9542","author":"Adnan Baysal","year":"2015"},{"key":"ref16:FSE:GLSV14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1007\/978-3-662-46706-0_2","article-title":"LS-Designs: Bitslice Encryption for Efficient Masked\n  Software Implementations","volume":"8540","author":"Vincent Grosso","year":"2015"},{"key":"ref17:CHES:BPPSST17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/978-3-319-66787-4_16","article-title":"GIFT: A Small Present - Towards Reaching the Limit of\n  Lightweight Encryption","volume":"10529","author":"Subhadeep Banik","year":"2017"},{"key":"ref18:TCHES:AdoNajPey20","doi-asserted-by":"publisher","first-page":"402","DOI":"10.13154\/tches.v2020.i3.402-427","article-title":"Fixslicing: A New GIFT Representation","volume":"2020","author":"Alexandre Adomnicai","year":"2020","journal-title":"IACR TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref19:AC:DPUVGB16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"484","DOI":"10.1007\/978-3-662-53887-6_18","article-title":"Design Strategies for ARX with Provable Bounds: Sparx and\n  LAX","volume":"10031","author":"Daniel Dinu","year":"2016"},{"key":"ref20:C:BBSGPU20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1007\/978-3-030-56877-1_15","article-title":"Alzette: A 64-Bit ARX-box - (Feat. CRAX and\n  TRAX)","volume":"12172","author":"Christof Beierle","year":"2020"},{"key":"ref21:Thorup15","article-title":"High Speed Hashing for Integers and Strings","volume":"abs\/1504.06804","author":"Mikkel Thorup","year":"2015","journal-title":"CoRR"},{"key":"ref22:DBLP:conf\/stacs\/Vaudenay98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/BFB0028566","article-title":"Provable Security for Block Ciphers by Decorrelation","volume":"1373","author":"Serge Vaudenay","year":"1998"},{"key":"ref23:SAC:Vaudenay98","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/3-540-48892-8_1","article-title":"Feistel Ciphers with $L_2$-Decorrelation","volume":"1556","author":"Serge Vaudenay","year":"1999"},{"key":"ref24:SAC:Vaudenay99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1007\/3-540-46513-8_4","article-title":"Adaptive-Attack Norm for Decorrelation and\n  Super-Pseudorandomness","volume":"1758","author":"Serge Vaudenay","year":"1999"},{"key":"ref25:JC:Vaudenay03","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/s00145-003-0220-6","article-title":"Decorrelation: A Theory for Block Cipher Security","volume":"16","author":"Serge Vaudenay","year":"2003","journal-title":"Journal of Cryptology"},{"key":"ref26:DBLP:conf\/cardis\/PoupardV98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"254","DOI":"10.1007\/10721064_24","article-title":"Decorrelated Fast Cipher: An AES Candidate Well Suited for\n  Low Cost Smart Card Applications","volume":"1820","author":"Guillaume Poupard","year":"1998"},{"key":"ref27:SAC:GNNV00","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1007\/3-540-44983-3_5","article-title":"DFCv2","volume":"2012","author":"Louis Granboulan","year":"2001"},{"key":"ref28:INDOCRYPT:CLLL00","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1007\/3-540-44495-5_23","article-title":"New Block Cipher DONUT Using Pairwise Perfect\n  Decorrelation","volume":"1977","author":"Dong Hyeon Cheon","year":"2000"},{"key":"ref29:FSE:KnuRij99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1007\/3-540-48519-8_7","article-title":"On the Decorrelated Fast Cipher (DFC) and Its Theory","volume":"1636","author":"Lars R. Knudsen","year":"1999"},{"key":"ref30:nimbus","volume-title":"The Nimbus cipher: A proposal for NESSIE.","author":"Alexis Warner Machado","year":"2000"},{"key":"ref31:SAC:BaiFin06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1007\/978-3-540-74462-7_7","article-title":"Dial C for Cipher","volume":"4356","author":"Thomas Baign\u00e8res","year":"2007"},{"key":"ref32:Dietzfelbinger96","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"569","DOI":"10.1007\/3-540-60922-9_46","article-title":"Universal Hashing and k-Wise Independent Random Variables\n  via Integer Arithmetic without Primes","volume":"1046","author":"Martin Dietzfelbinger","year":"1996"},{"key":"ref33:INDOCRYPT:McGVie04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"343","DOI":"10.1007\/978-3-540-30556-9_27","article-title":"The Security and Performance of the Galois\/Counter Mode\n  (GCM) of Operation","volume":"3348","author":"David A. McGrew","year":"2004"},{"key":"ref34:FSE:Bernstein05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1007\/11502760_3","article-title":"The Poly1305-AES Message-Authentication Code","volume":"3557","author":"Daniel J. Bernstein","year":"2005"},{"key":"ref35:FSE:HalKra97","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"172","DOI":"10.1007\/BFb0052345","article-title":"MMH: Software Message Authentication in the\n  Gbit\/Second Rates","volume":"1267","author":"Shai Halevi","year":"1997"},{"key":"ref36:C:BHKKR99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1007\/3-540-48405-1_14","article-title":"UMAC: Fast and Secure Message Authentication","volume":"1666","author":"John Black","year":"1999"},{"key":"ref37:ToSC:ChaGhoSar17","doi-asserted-by":"publisher","first-page":"106","DOI":"10.13154\/tosc.v2017.i1.106-128","article-title":"A Fast Single-Key Two-Level Universal Hash Function","volume":"2017","author":"Debrup Chakraborty","year":"2017","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref38:ToSC:GhoAmiDae23","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/tosc.v2023.i3.1-24","article-title":"Multimixer-128: Universal Keyed Hashing Based on Integer\n  Multiplication","volume":"2023","author":"Koustabh Ghosh","year":"2023","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"ref39:TCHES:AdoPey21","doi-asserted-by":"publisher","first-page":"402","DOI":"10.46586\/tches.v2021.i1.402-425","article-title":"Fixslicing AES-like Ciphers","volume":"2021","author":"Alexandre Adomnicai","year":"2021","journal-title":"IACR TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref40:DBLP:conf\/fse\/FuWGSH16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"268","DOI":"10.1007\/978-3-662-52993-5_14","article-title":"MILP-Based Automatic Search Algorithms for Differential and\n  Linear Trails for Speck","volume":"9783","author":"Kai Fu","year":"2016"},{"key":"ref41:DBLP:conf\/acisp\/SongHY16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"379","DOI":"10.1007\/978-3-319-40367-0_24","article-title":"Automatic Differential Analysis of ARX Block Ciphers with\n  Application to SPECK and LEA","volume":"9723","author":"Ling Song","year":"2016"},{"key":"ref42:ChaCha","volume-title":"ChaCha, a variant of Salsa20","author":"Daniel J. Bernstein","year":"2008"},{"key":"ref43:SAC:MMVWPV14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-319-13051-4_19","article-title":"Chaskey: An Efficient MAC Algorithm for 32-bit\n  Microcontrollers","volume":"8781","author":"Nicky Mouha","year":"2014"},{"key":"ref44:INDOCRYPT:AumBer12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1007\/978-3-642-34931-7_28","article-title":"SipHash: A Fast Short-Input PRF","volume":"7668","author":"Jean-Philippe Aumasson","year":"2012"},{"key":"ref45:DBLP:series\/isc\/AumassonMPH14","series-title":"Information Security and Cryptography","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-662-44757-4","volume-title":"The Hash Function BLAKE","author":"Jean-Philippe Aumasson","year":"2014"},{"key":"ref46:skein","volume-title":"The Skein Hash Function Family","author":"Niels Ferguson","year":"2010"},{"key":"ref47:sparkle","volume-title":"SPARKLE (SCHWAEMM and ESCH)","author":"Christof Beierle","year":"2019"},{"key":"ref48:ascon","volume-title":"Ascon","author":"Christoph Dobraunig","year":"2019"},{"key":"ref49:ToSC:GerPeyTan21","doi-asserted-by":"publisher","first-page":"102","DOI":"10.46586\/tosc.v2021.i3.102-136","article-title":"Exploring Differential-Based Distinguishers and Forgeries\n  for ASCON","volume":"2021","author":"David Gerault","year":"2021","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref50:EC:LaiMas90","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"389","DOI":"10.1007\/3-540-46877-3_35","article-title":"A Proposal for a New Block Encryption Standard","volume":"473","author":"Xuejia Lai","year":"1991"},{"key":"ref51:rc6","volume-title":"The RC6 Block Cipher","author":"Ronald L. Rivest","year":"1998"},{"key":"ref52:ToSC:BFLLPS21","doi-asserted-by":"publisher","first-page":"78","DOI":"10.46586\/tosc.v2021.i1.78-129","article-title":"MOE: Multiplication Operated Encryption with Trojan\n  Resilience","volume":"2021","author":"Olivier Bronchain","year":"2021","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref53:SAC:Noilhan99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1007\/3-540-46513-8_13","article-title":"Software Optimization of Decorrelation Module","volume":"1758","author":"Fabrice Noilhan","year":"1999"},{"key":"ref54:FSE:Matsui97","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/BFb0052334","article-title":"New Block Encryption Algorithm MISTY","volume":"1267","author":"Mitsuru Matsui","year":"1997"},{"key":"ref55:FSE:NguRos12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1007\/978-3-642-34047-5_19","article-title":"Short-Output Universal Hash Functions and Their Use in Fast\n  and Secure Data Authentication","volume":"7549","author":"Long Hoang Nguyen","year":"2012"},{"key":"ref56:deGroot15","volume-title":"A performance study of X25519 on Cortex-M3 and M4","author":"Wouter de Groot","year":"2015"},{"key":"ref57:bearssl_mul","volume-title":"Constant-Time Mul","author":"Thomas Pornin","year":"2018"},{"key":"ref58:SAC:BBIKLM20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1007\/978-3-030-81652-0_21","article-title":"WARP : Revisiting GFN for Lightweight 128-Bit Block\n  Cipher","volume":"12804","author":"Subhadeep Banik","year":"2020"},{"key":"ref59:C:NybKnu92","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"566","DOI":"10.1007\/3-540-48071-4_41","article-title":"Provable Security Against Differential Cryptanalysis (Rump\n  Session)","volume":"740","author":"Kaisa Nyberg","year":"1993"},{"key":"ref60:JC:NybKnu95","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1007\/BF00204800","article-title":"Provable Security Against a Differential Attack","volume":"8","author":"Kaisa Nyberg","year":"1995","journal-title":"Journal of Cryptology"},{"key":"ref61:EC:Nyberg94","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"439","DOI":"10.1007\/BFb0053460","article-title":"Linear Approximation of Block Ciphers (Rump Session)","volume":"950","author":"Kaisa Nyberg","year":"1995"},{"key":"ref62:AokiOhta97","first-page":"2","article-title":"Strict Evaluation of the Maximum Average of Differential\n  Probability and the Maximum Average of Linear Probability","volume":"80","author":"Kazumaro Aoki","year":"1997","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"key":"ref63:KimLSHLL08","doi-asserted-by":"publisher","first-page":"3047","DOI":"10.1093\/IETFEC\/E91-A.10.3047","article-title":"Seven New Block Cipher Structures with Provable Security\n  against Differential Cryptanalysis","volume":"91-A","author":"Jongsung Kim","year":"2008","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"key":"ref64:DBLP:journals\/jss\/TangSLL11","doi-asserted-by":"publisher","first-page":"1191","DOI":"10.1016\/J.JSS.2011.02.024","article-title":"Impossible differential cryptanalysis of 13-round\n  CLEFIA-128","volume":"84","author":"Xuehai Tang","year":"2011","journal-title":"J. Syst. Softw."},{"key":"ref65:DBLP:journals\/tosc\/HadipourNE22","doi-asserted-by":"publisher","first-page":"271","DOI":"10.46586\/TOSC.V2022.I3.271-302","article-title":"Throwing Boomerangs into Feistel Structures Application to\n  CLEFIA, WARP, LBlock, LBlock-s and TWINE","volume":"2022","author":"Hosein Hadipour","year":"2022","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref66:DBLP:conf\/crypto\/HadipourDE24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1007\/978-3-031-68385-5_2","article-title":"Revisiting Differential-Linear Attacks via a Boomerang\n  Perspective with Application to AES, Ascon, CLEFIA, SKINNY, PRESENT, KNOT,\n  TWINE, WARP, LBlock, Simeck, and SERPENT","volume":"14923","author":"Hosein Hadipour","year":"2024"},{"key":"ref67:DBLP:journals\/tosc\/SahaSSSSZ20","doi-asserted-by":"publisher","first-page":"152","DOI":"10.13154\/TOSC.V2020.I3.152-174","article-title":"On the Security Margin of TinyJAMBU with Refined\n  Differential and Linear Cryptanalysis","volume":"2020","author":"Dhiman Saha","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref68:DBLP:journals\/iacr\/JanaRS22","first-page":"1123","article-title":"DEEPAND: In-Depth Modeling of Correlated AND Gates for\n  NLFSR-based Lightweight Block Ciphers","author":"Amit Jana","year":"2022","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref69:DBLP:conf\/fse\/BorisovCJW02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/3-540-45661-9_2","article-title":"Multiplicative Differentials","volume":"2365","author":"Nikita Borisov","year":"2002"},{"key":"ref70:DBLP:conf\/fse\/Furman01","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"187","DOI":"10.1007\/3-540-45473-X_16","article-title":"Differential Cryptanalysis of Nimbus","volume":"2355","author":"Vladimir Furman","year":"2001"},{"key":"ref71:DBLP:conf\/fse\/MRaihiNSV97","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"166","DOI":"10.1007\/BFB0052344","article-title":"XMX: A Firmware-Oriented Block Cipher Based on Modular\n  Multiplications","volume":"1267","author":"David M'Ra\u00efhi","year":"1997"},{"key":"ref72:beale2001screamer","volume-title":"Microsoft\u2019s Digital Rights Management Scheme\u2014Technical\n  Details","author":"Beale Screamer","year":"2001"},{"key":"ref73:DBLP:conf\/eurocrypt\/Todo15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/978-3-662-46800-5_12","article-title":"Structural Evaluation by Generalized Integral Property","volume":"9056","author":"Yosuke Todo","year":"2015"},{"key":"ref74:DBLP:conf\/fse\/DaemenKR97","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/BFB0052343","article-title":"The Block Cipher Square","volume":"1267","author":"Joan Daemen","year":"1997"},{"key":"ref75:DBLP:conf\/fse\/KnudsenW02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1007\/3-540-45661-9_9","article-title":"Integral Cryptanalysis","volume":"2365","author":"Lars R. Knudsen","year":"2002"},{"key":"ref76:lai1994higher","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/978-1-4615-2694-0_23","article-title":"Higher order derivatives and differential cryptanalysis","author":"Xuejia Lai","year":"1994","journal-title":"Communications and Cryptography: Two Sides of One Tapestry"},{"key":"ref77:DBLP:conf\/fse\/Knudsen94","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1007\/3-540-60590-8_16","article-title":"Truncated and Higher Order Differentials","volume":"1008","author":"Lars R. Knudsen","year":"1994"},{"key":"ref78:DBLP:journals\/dm\/KimHL10","doi-asserted-by":"publisher","first-page":"988","DOI":"10.1016\/J.DISC.2009.10.019","article-title":"Impossible differential cryptanalysis using matrix\n  method","volume":"310","author":"Jongsung Kim","year":"2010","journal-title":"Discret. Math."},{"key":"ref79:SAC:ChaCogPat24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/978-3-031-82841-6_4","article-title":"Classical and Quantum Generic Attacks on 6-Round Feistel\n  Schemes","volume":"15517","author":"Maya Chartouny","year":"2024"},{"key":"ref80:DBLP:conf\/africacrypt\/TregerP09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/978-3-642-02384-2_4","article-title":"Generic Attacks on Feistel Networks with Internal\n  Permutations","volume":"5580","author":"Joana Treger","year":"2009"},{"key":"ref81:DBLP:journals\/joc\/Knudsen02","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/S00145-002-9839-Y","article-title":"The Security of Feistel Ciphers with Six Rounds or Less","volume":"15","author":"Lars R. Knudsen","year":"2002","journal-title":"J. Cryptol."},{"key":"ref82:DBLP:journals\/iacr\/Patarin08b","first-page":"36","article-title":"Generic Attacks on Feistel Schemes","author":"Jacques Patarin","year":"2008","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref83:DBLP:conf\/sacrypt\/BiryukovLP15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1007\/978-3-319-31301-6_6","article-title":"Cryptanalysis of Feistel Networks with Secret Round\n  Functions","volume":"9566","author":"Alex Biryukov","year":"2015"},{"key":"ref84:DBLP:conf\/crypto\/BiryukovP15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1007\/978-3-662-47989-6_6","article-title":"On Reverse-Engineering S-Boxes with Hidden Design Criteria\n  or Structure","volume":"9215","author":"Alex Biryukov","year":"2015"},{"key":"ref85:EC:BihBirSha99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1007\/3-540-48910-X_2","article-title":"Cryptanalysis of Skipjack Reduced to 31 Rounds Using\n  Impossible Differentials","volume":"1592","author":"Eli Biham","year":"1999"},{"key":"ref86:DBLP:conf\/asiacrypt\/BanikBISHAR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1007\/978-3-662-48800-3_17","article-title":"Midori: A Block Cipher for Low Energy","volume":"9453","author":"Subhadeep Banik","year":"2015"},{"key":"ref87:DBLP:conf\/fse\/KhovratovichN10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"333","DOI":"10.1007\/978-3-642-13858-4_19","article-title":"Rotational Cryptanalysis of ARX","volume":"6147","author":"Dmitry Khovratovich","year":"2010"},{"key":"ref88:Daum2005","volume-title":"Cryptanalysis of Hash Functions of the MD4-Family","author":"Magnus Daum","year":"2005"},{"key":"ref89:DBLP:conf\/fse\/Wagner99","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"156","DOI":"10.1007\/3-540-48519-8_12","article-title":"The Boomerang Attack","volume":"1636","author":"David A. Wagner","year":"1999"},{"key":"ref90:DBLP:journals\/tit\/Murphy11","doi-asserted-by":"publisher","first-page":"2517","DOI":"10.1109\/TIT.2011.2111091","article-title":"The Return of the Cryptographic Boomerang","volume":"57","author":"Sean Murphy","year":"2011","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref91:DBLP:conf\/asiacrypt\/BiryukovK09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-10366-7_1","article-title":"Related-Key Cryptanalysis of the Full AES-192 and\n  AES-256","volume":"5912","author":"Alex Biryukov","year":"2009"},{"key":"ref92:DBLP:conf\/crypto\/DunkelmanKS10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1007\/978-3-642-14623-7_21","article-title":"A Practical-Time Related-Key Attack on the KASUMI\n  Cryptosystem Used in GSM and 3G Telephony","volume":"6223","author":"Orr Dunkelman","year":"2010"},{"key":"ref93:DBLP:journals\/joc\/DunkelmanKS14","doi-asserted-by":"publisher","first-page":"824","DOI":"10.1007\/s00145-013-9154-9","article-title":"A Practical-Time Related-Key Attack on the KASUMI\n  Cryptosystem Used in GSM and 3G Telephony","volume":"27","author":"Orr Dunkelman","year":"2014","journal-title":"J. Cryptol."},{"key":"ref94:DBLP:conf\/eurocrypt\/CidHPSS18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"683","DOI":"10.1007\/978-3-319-78375-8_22","article-title":"Boomerang Connectivity Table: A New Cryptanalysis Tool","volume":"10821","author":"Carlos Cid","year":"2018"},{"key":"ref95:DBLP:journals\/tosc\/WangP19","doi-asserted-by":"publisher","first-page":"142","DOI":"10.13154\/TOSC.V2019.I1.142-169","article-title":"Boomerang Switch in Multiple Rounds. Application to AES\n  Variants and Deoxys","volume":"2019","author":"Haoyang Wang","year":"2019","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref96:DBLP:journals\/tosc\/DelauneDV20","doi-asserted-by":"publisher","first-page":"104","DOI":"10.46586\/TOSC.V2020.I4.104-129","article-title":"Catching the Fastest Boomerangs Application to SKINNY","volume":"2020","author":"St\u00e9phanie Delaune","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref97:DBLP:conf\/asiacrypt\/DerbezEFN22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1007\/978-3-031-22969-5_3","article-title":"Revisiting Related-Key Boomerang Attacks on AES Using\n  Computer-Aided Tool","volume":"13793","author":"Patrick Derbez","year":"2022"},{"key":"ref98:DBLP:journals\/tosc\/WangWS23","doi-asserted-by":"publisher","first-page":"152","DOI":"10.46586\/TOSC.V2023.I1.152-191","article-title":"SAT-aided Automatic Search of Boomerang Distinguishers for\n  ARX Ciphers","volume":"2023","author":"Dachao Wang","year":"2023","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref99:DBLP:conf\/crypto\/LangfordH94","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/3-540-48658-5_3","article-title":"Differential-Linear Cryptanalysis","volume":"839","author":"Susan K. Langford","year":"1994"},{"key":"ref100:DBLP:conf\/asiacrypt\/BihamDK02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"254","DOI":"10.1007\/3-540-36178-2_16","article-title":"Enhancing Differential-Linear Cryptanalysis","volume":"2501","author":"Eli Biham","year":"2002"},{"key":"ref101:DBLP:conf\/eurocrypt\/Bar-OnDKW19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-030-17653-2_11","article-title":"DLCT: A New Tool for Differential-Linear Cryptanalysis","volume":"11476","author":"Achiya Bar-On","year":"2019"},{"key":"ref102:DBLP:conf\/ctrsa\/BelliniGGMP23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"252","DOI":"10.1007\/978-3-031-30872-7_10","article-title":"Fully Automated Differential-Linear Attacks Against ARX\n  Ciphers","volume":"13871","author":"Emanuele Bellini","year":"2023"},{"key":"ref103:specksrc","volume-title":"simon-speck-supercop","year":"2021"},{"key":"ref104:supercop","volume-title":"Supercop \u2013 eBACS: ECRYPT Benchmarking of Cryptographic\n  Systems","author":"Daniel J. Bernstein","year":"2018"},{"key":"ref105:felics","volume-title":"FELICS - Fair Evaluation of LIghtweight Cryptographic\n  Systems","author":"Daniel Dinu","year":"2015"},{"key":"ref106:JCEng:DCKPGB19","doi-asserted-by":"publisher","first-page":"283","DOI":"10.1007\/s13389-018-0193-x","article-title":"Triathlon of lightweight block ciphers for the Internet of\n  things","volume":"9","author":"Daniel Dinu","year":"2019","journal-title":"Journal of Cryptographic Engineering"},{"key":"ref107:FSE:IMGM14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/978-3-662-46706-0_8","article-title":"CLOC: Authenticated Encryption for Short Input","volume":"8540","author":"Tetsu Iwata","year":"2015"},{"key":"ref108:DBLP:conf\/lightsec\/BeaulieuSSTWW14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-16363-5_1","article-title":"The Simon and Speck Block Ciphers on AVR 8-Bit\n  Microcontrollers","volume":"8898","author":"Ray Beaulieu","year":"2014"},{"key":"ref109:aessrc","volume-title":"Fast constant-time AES implementations on 32-bit\n  architectures","year":"2020"},{"key":"ref110:DBLP:journals\/tches\/KarabulutA24","doi-asserted-by":"publisher","first-page":"483","DOI":"10.46586\/TCHES.V2024.I4.483-508","article-title":"Masking FALCON's Floating-Point Multiplication in Hardware","volume":"2024","author":"Emre Karabulut","year":"2024","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:41:35Z","timestamp":1767915695000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/32"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,8]]},"references-count":110,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/av11c3c2h","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-10-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-68"}}