{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,7]],"date-time":"2025-12-07T13:10:37Z","timestamp":1765113037241,"version":"3.41.2"},"reference-count":65,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,8]],"date-time":"2024-04-08T00:00:00Z","timestamp":1712534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":"<jats:p>    In order to maintain a similar security level in a post-quantum setting, many symmetric primitives should have to double their keys and increase their state sizes. So far, no generic way for doing this is known that would provide convincing quantum security guarantees.     In this paper we propose a new generic construction, QuEME, that allows one to double the key and the state size of a block cipher in such a way that a decent level of quantum security is guaranteed.     The QuEME design is inspired by the ECB-Mix-ECB (EME) construction, but is defined for a different choice of mixing function than what we have seen before, in order to withstand a new quantum superposition attack that we introduce as a side result: this quantum superposition attack exhibits a periodic property found in collisions and breaks EME and a large class of its variants.     We prove that QuEME achieves n-bit security in the classical setting, where n is the block size of the underlying block cipher, and at least (n\/6)-bit security in the quantum setting. We finally propose a concrete instantiation of this construction, called Double-AES, that is built with variants of the standardized AES-128 block cipher. <\/jats:p>","DOI":"10.62056\/av4fvua5v","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":2,"title":["Block Cipher Doubling for a Post-Quantum World"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2883-4870","authenticated-orcid":false,"given":"Ritam","family":"Bhaumik","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02kvxyf05","id-type":"ROR","asserted-by":"publisher"}],"name":"Inria","place":["Paris, France"]},{"id":[{"id":"https:\/\/ror.org\/02s376052","id-type":"ROR","asserted-by":"publisher"}],"name":"EPFL","place":["Lausanne, Switzerland"]},{"id":[{"id":"https:\/\/ror.org\/001kv2y39","id-type":"ROR","asserted-by":"publisher"}],"name":"TII","place":["Abu Dhabi, UAE"]}]},{"given":"Andr\u00e9","family":"Chailloux","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02kvxyf05","id-type":"ROR","asserted-by":"publisher"}],"name":"Inria","place":["Paris, France"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-8720-4810","authenticated-orcid":false,"given":"Paul","family":"Frixons","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02kvxyf05","id-type":"ROR","asserted-by":"publisher"}],"name":"Inria","place":["Paris, France"]},{"id":[{"id":"https:\/\/ror.org\/035j0tq82","id-type":"ROR","asserted-by":"publisher"}],"name":"Orange Labs","place":["Paris, France"]},{"id":[{"id":"https:\/\/ror.org\/03fcjvn64","id-type":"ROR","asserted-by":"publisher"}],"name":"Loria","place":["Nancy, France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6679-1878","authenticated-orcid":false,"given":"Bart","family":"Mennink","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/016xsfp80","id-type":"ROR","asserted-by":"publisher"}],"name":"Radboud University","place":["Nijmegen, The Netherlands"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0059-5417","authenticated-orcid":false,"given":"Mar\u00eda","family":"Naya-Plasencia","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02kvxyf05","id-type":"ROR","asserted-by":"publisher"}],"name":"Inria","place":["Paris, France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:DBLP:conf\/isita\/KuwakadoM12","first-page":"312","article-title":"Security on the quantum-type Even-Mansour cipher","author":"Hidenori Kuwakado","year":"2012"},{"key":"ref2:DBLP:conf\/isit\/KuwakadoM10","doi-asserted-by":"publisher","first-page":"2682","DOI":"10.1109\/ISIT.2010.5513654","article-title":"Quantum distinguisher between the 3-round Feistel cipher\n  and the random permutation","author":"Hidenori Kuwakado","year":"2010"},{"key":"ref3:DBLP:conf\/crypto\/KaplanLLN16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/978-3-662-53008-5_8","article-title":"Breaking Symmetric Cryptosystems Using Quantum Period\n  Finding","volume":"9815","author":"Marc Kaplan","year":"2016"},{"key":"ref4:DBLP:books\/sp\/DaemenR02","series-title":"Information Security and Cryptography","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-04722-4","volume-title":"The Design of Rijndael: AES - The Advanced Encryption\n  Standard","author":"Joan Daemen","year":"2002","ISBN":"https:\/\/id.crossref.org\/isbn\/3540425802"},{"key":"ref5:DBLP:journals\/joc\/KilianR01","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/s001450010015","article-title":"How to Protect DES Against Exhaustive Key Search (an\n  Analysis of DESX)","volume":"14","author":"Joe Kilian","year":"2001","journal-title":"J. Cryptol."},{"key":"ref6:DBLP:conf\/asiacrypt\/Leander017","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1007\/978-3-319-70697-9_6","article-title":"Grover Meets Simon - Quantumly Attacking the\n  FX-construction","volume":"10625","author":"Gregor Leander","year":"2017"},{"key":"ref7:DBLP:conf\/tcc\/JaegerST21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-030-90459-3_8","article-title":"Quantum Key-Length Extension","volume":"13042","author":"Joseph Jaeger","year":"2021"},{"key":"ref8:DBLP:conf\/eurocrypt\/AlagicBKM22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"458","DOI":"10.1007\/978-3-031-07082-2_17","article-title":"Post-Quantum Security of the Even-Mansour Cipher","volume":"13277","author":"Gorjan Alagic","year":"2022"},{"key":"ref9:DBLP:conf\/asiacrypt\/ChaillouxNS17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-319-70697-9_8","article-title":"An Efficient Quantum Collision Search Algorithm and\n  Implications on Symmetric Cryptography","volume":"10625","author":"Andr\u00e9 Chailloux","year":"2017"},{"key":"ref10:DBLP:journals\/tosc\/CanteautDLNPPS20","doi-asserted-by":"publisher","first-page":"160","DOI":"10.13154\/tosc.v2020.iS1.160-207","article-title":"Saturnin: a suite of lightweight symmetric algorithms for\n  post-quantum security","volume":"2020","author":"Anne Canteaut","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref11:DBLP:conf\/asiacrypt\/HosoyamadaI19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/978-3-030-34578-5_6","article-title":"4-Round Luby-Rackoff Construction is a qPRP","volume":"11921","author":"Akinori Hosoyamada","year":"2019"},{"key":"ref12:DBLP:conf\/ctrsa\/ItoHMSI19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"391","DOI":"10.1007\/978-3-030-12612-4_20","article-title":"Quantum Chosen-Ciphertext Attacks Against Feistel\n  Ciphers","volume":"11405","author":"Gembu Ito","year":"2019"},{"key":"ref13:DBLP:journals\/chinaf\/DongW18","doi-asserted-by":"publisher","DOI":"10.1007\/s11432-017-9468-y","article-title":"Quantum key-recovery attack on Feistel structures","volume":"61","author":"Xiaoyang Dong","year":"2018","journal-title":"Sci. China Inf. Sci."},{"key":"ref14:DBLP:conf\/ctrsa\/HaleviR04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"292","DOI":"10.1007\/978-3-540-24660-2_23","article-title":"A Parallelizable Enciphering Mode","volume":"2964","author":"Shai Halevi","year":"2004"},{"key":"ref15:DBLP:conf\/eurocrypt\/BellareKR98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1007\/BFb0054132","article-title":"Luby-Rackoff Backwards: Increasing Security by Making Block\n  Ciphers Non-invertible","volume":"1403","author":"Mihir Bellare","year":"1998"},{"key":"ref16:DBLP:conf\/eurocrypt\/Lucks00","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"470","DOI":"10.1007\/3-540-45539-6_34","article-title":"The Sum of PRPs Is a Secure PRF","volume":"1807","author":"Stefan Lucks","year":"2000"},{"key":"ref17:DBLP:conf\/icits\/Patarin08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"232","DOI":"10.1007\/978-3-540-85093-9_22","article-title":"A Proof of Security in $O(2^n)$ for the Xor of Two Random\n  Permutations","volume":"5155","author":"Jacques Patarin","year":"2008"},{"volume-title":"Introduction to Mirror Theory: Analysis of Systems of\n  Linear Equalities and Linear Non Equalities for Cryptography","year":"2010","author":"Jacques Patarin","key":"ref18:cryptoeprint:2010\/287"},{"key":"ref19:DBLP:conf\/crypto\/DaiHT17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"497","DOI":"10.1007\/978-3-319-63697-9_17","article-title":"Information-Theoretic Indistinguishability via the\n  Chi-Squared Method","volume":"10403","author":"Wei Dai","year":"2017"},{"volume-title":"Security of balanced and unbalanced Feistel Schemes with\n  Linear Non Equalities","year":"2010","author":"Jacques Patarin","key":"ref20:cryptoeprint:2010\/293"},{"key":"ref21:DBLP:conf\/fse\/CogliatiLP14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1007\/978-3-662-46706-0_15","article-title":"The Indistinguishability of the XOR of k Permutations","volume":"8540","author":"Benoit Cogliati","year":"2014"},{"key":"ref22:DBLP:conf\/eurocrypt\/CogliatiDNPS23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"470","DOI":"10.1007\/978-3-031-30634-1_16","article-title":"Proof of Mirror Theory for a Wide Range of\n  $\\xi_{\\text{max}}$","volume":"14007","author":"Beno\u00eet Cogliati","year":"2023"},{"key":"ref23:DBLP:conf\/crypto\/Zhandry19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/978-3-030-26951-7_9","article-title":"How to Record Quantum Queries, and Applications to Quantum\n  Indifferentiability","volume":"11693","author":"Mark Zhandry","year":"2019"},{"key":"ref24:DBLP:conf\/eurocrypt\/Dinur15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1007\/978-3-662-46800-5_10","article-title":"Cryptanalytic Time-Memory-Data Tradeoffs for\n  FX-Constructions with Applications to PRINCE and PRIDE","volume":"9056","author":"Itai Dinur","year":"2015"},{"key":"ref25:DBLP:conf\/crypto\/Patarin04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1007\/978-3-540-28628-8_7","article-title":"Security of Random Feistel Schemes with 5 or More Rounds","volume":"3152","author":"Jacques Patarin","year":"2004"},{"volume-title":"Quantum Chosen-Ciphertext Attacks against Feistel\n  Ciphers","year":"2018","author":"Gembu Ito","key":"ref26:cryptoeprint:2018:1193"},{"key":"ref27:DBLP:conf\/sacrypt\/Patarin08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/978-3-642-04159-4_21","article-title":"The \u201cCoefficients H\u201d Technique","volume":"5381","author":"Jacques Patarin","year":"2008"},{"key":"ref28:DBLP:conf\/eurocrypt\/ChenS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/978-3-642-55220-5_19","article-title":"Tight Security Bounds for Key-Alternating Ciphers","volume":"8441","author":"Shan Chen","year":"2014"},{"key":"ref29:DBLP:conf\/crypto\/ChenLLSS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-662-44371-2_3","article-title":"Minimizing the Two-Round Even-Mansour Cipher","volume":"8616","author":"Shan Chen","year":"2014"},{"volume-title":"A Note on Quantum-Secure PRPs","year":"2016","author":"Mark Zhandry","key":"ref30:cryptoeprint:2016:1076"},{"key":"ref31:DBLP:journals\/tosc\/HosoyamadaI21","doi-asserted-by":"publisher","first-page":"337","DOI":"10.46586\/tosc.v2021.i1.337-377","article-title":"Provably Quantum-Secure Tweakable Block Ciphers","volume":"2021","author":"Akinori Hosoyamada","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref32:DBLP:journals\/tosc\/KaplanLLN16","doi-asserted-by":"publisher","first-page":"71","DOI":"10.13154\/tosc.v2016.i1.71-94","article-title":"Quantum Differential and Linear Cryptanalysis","volume":"2016","author":"Marc Kaplan","year":"2016","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref33:DBLP:journals\/siamcomp\/Simon97a","doi-asserted-by":"publisher","first-page":"1474","DOI":"10.1137\/S0097539796298637","article-title":"On the Power of Quantum Computation","volume":"26","author":"Daniel R. Simon","year":"1997","journal-title":"SIAM J. Comput."},{"key":"ref34:DBLP:conf\/stoc\/Grover96","doi-asserted-by":"publisher","first-page":"212","DOI":"10.1145\/237814.237866","article-title":"A Fast Quantum Mechanical Algorithm for Database Search","author":"Lov K. Grover","year":"1996"},{"key":"ref35:DBLP:conf\/latin\/BrassardHT98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/BFb0054319","article-title":"Quantum Cryptanalysis of Hash and Claw-Free Functions","volume":"1380","author":"Gilles Brassard","year":"1998"},{"key":"ref36:DBLP:conf\/eurocrypt\/LaiM92","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1007\/3-540-47555-9_5","article-title":"Hash Function Based on Block Ciphers","volume":"658","author":"Xuejia Lai","year":"1992"},{"key":"ref37:DBLP:conf\/asiacrypt\/BonnetainHNSS19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"552","DOI":"10.1007\/978-3-030-34578-5_20","article-title":"Quantum Attacks Without Superposition Queries: The Offline\n  Simon's Algorithm","volume":"11921","author":"Xavier Bonnetain","year":"2019"},{"key":"ref38:DBLP:conf\/icisc\/Patarin05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"299","DOI":"10.1007\/11734727_25","article-title":"On Linear Systems of Equations with Distinct Variables and\n  Small Block Size","volume":"3935","author":"Jacques Patarin","year":"2005"},{"key":"ref39:DBLP:conf\/crypto\/Patarin03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/978-3-540-45146-4_30","article-title":"Luby-Rackoff: 7 Rounds Are Enough for $2^{n(1-\\epsilon)}$\n  Security","volume":"2729","author":"Jacques Patarin","year":"2003"},{"volume-title":"CENC is Optimally Secure","year":"2016","author":"Tetsu Iwata","key":"ref40:cryptoeprint:2016\/1087"},{"key":"ref41:DBLP:conf\/crypto\/MenninkN17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"556","DOI":"10.1007\/978-3-319-63697-9_19","article-title":"Encrypted Davies-Meyer and Its Dual: Towards Optimal\n  Security Using Mirror Theory","volume":"10403","author":"Bart Mennink","year":"2017"},{"key":"ref42:DBLP:journals\/scn\/ZhangHY18","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/9715947","article-title":"Close to Optimally Secure Variants of GCM","volume":"2018","author":"Ping Zhang","year":"2018","journal-title":"Secur. Commun. Networks"},{"key":"ref43:DBLP:conf\/indocrypt\/BhattacharjeeBN22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1007\/978-3-031-22912-1_8","article-title":"Offset-Based BBB-Secure Tweakable Block-ciphers with\n  Updatable Caches","volume":"13774","author":"Arghya Bhattacharjee","year":"2022"},{"key":"ref44:DBLP:journals\/tit\/DuttaNS22","doi-asserted-by":"publisher","first-page":"6218","DOI":"10.1109\/TIT.2022.3171178","article-title":"Proof of Mirror Theory for $\\xi_{\\text{max}} = 2$","volume":"68","author":"Avijit Dutta","year":"2022","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref45:DBLP:journals\/qic\/Zhandry15","doi-asserted-by":"publisher","first-page":"557","DOI":"10.26421\/QIC15.7-8-2","article-title":"A note on the quantum collision and set equality\n  problems","volume":"15","author":"Mark Zhandry","year":"2015","journal-title":"Quantum Inf. Comput."},{"volume-title":"Compressed Permutation Oracles (And the\n  Collision-Resistance of Sponge\/SHA3)","year":"2021","author":"Dominique Unruh","key":"ref46:cryptoeprint:2021:062"},{"key":"ref47:DBLP:conf\/fse\/FergusonKLSSWW00","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44706-7_15","article-title":"Improved Cryptanalysis of Rijndael","volume":"1978","author":"Niels Ferguson","year":"2000"},{"key":"ref48:DBLP:journals\/siamcomp\/Ambainis07","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1137\/S0097539705447311","article-title":"Quantum Walk Algorithm for Element Distinctness","volume":"37","author":"Andris Ambainis","year":"2007","journal-title":"SIAM J. Comput."},{"key":"ref49:DBLP:conf\/sacrypt\/SchwabeS16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"180","DOI":"10.1007\/978-3-319-69453-5_10","article-title":"All the AES You Need on Cortex-M3 and M4","volume":"10532","author":"Peter Schwabe","year":"2016"},{"key":"ref50:DBLP:conf\/crypto\/Bar-OnDKRS18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1007\/978-3-319-96881-0_7","article-title":"Improved Key Recovery Attacks on Reduced-Round AES with\n  Practical Data and Memory Complexities","volume":"10992","author":"Achiya Bar-On","year":"2018"},{"key":"ref51:DBLP:conf\/asiacrypt\/RonjomBH17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-319-70694-8_8","article-title":"Yoyo Tricks with AES","volume":"10624","author":"Sondre R\u00f8njom","year":"2017"},{"key":"ref52:DBLP:conf\/secrypt\/Tunstall12","doi-asserted-by":"publisher","first-page":"25","DOI":"10.5220\/0003990300250034","article-title":"Improved \u201cPartial Sums\u201d-based Square Attack on AES","author":"Michael Tunstall","year":"2012"},{"key":"ref53:DBLP:conf\/eurocrypt\/DunkelmanKRS20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-030-45721-1_11","article-title":"The Retracing Boomerang Attack","volume":"12105","author":"Orr Dunkelman","year":"2020"},{"key":"ref54:DBLP:journals\/tosc\/RahmanS021","doi-asserted-by":"publisher","first-page":"137","DOI":"10.46586\/tosc.v2021.i3.137-169","article-title":"Boomeyong: Embedding Yoyo within Boomerang and its\n  Applications to Key Recovery Attacks on AES and Pholkos","volume":"2021","author":"Mostafizar Rahman","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref55:DBLP:journals\/tosc\/BaoGL20","doi-asserted-by":"publisher","first-page":"197","DOI":"10.13154\/tosc.v2020.i3.197-261","article-title":"Extended Truncated-differential Distinguishers on\n  Round-reduced AES","volume":"2020","author":"Zhenzhen Bao","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref56:DBLP:conf\/indocrypt\/LuDKK08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"279","DOI":"10.1007\/978-3-540-89754-5_22","article-title":"New Impossible Differential Attacks on AES","volume":"5365","author":"Jiqiang Lu","year":"2008"},{"key":"ref57:DBLP:conf\/asiacrypt\/DunkelmanKS10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-642-17373-8_10","article-title":"Improved Single-Key Attacks on 8-Round AES-192 and\n  AES-256","volume":"6477","author":"Orr Dunkelman","year":"2010"},{"key":"ref58:DBLP:journals\/joc\/BouraLNS18","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s00145-016-9251-7","article-title":"Making the Impossible Possible","volume":"31","author":"Christina Boura","year":"2018","journal-title":"J. Cryptol."},{"key":"ref59:DBLP:conf\/eurocrypt\/LeurentP21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/978-3-030-77870-5_3","article-title":"New Representations of the AES Key Schedule","volume":"12696","author":"Ga\u00ebtan Leurent","year":"2021"},{"key":"ref60:DBLP:conf\/eurocrypt\/DerbezFJ13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-642-38348-9_23","article-title":"Improved Key Recovery Attacks on Reduced-Round AES in the\n  Single-Key Setting","volume":"7881","author":"Patrick Derbez","year":"2013"},{"key":"ref61:DBLP:conf\/eurocrypt\/BiryukovN10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"322","DOI":"10.1007\/978-3-642-13190-5_17","article-title":"Automatic Search for Related-Key Differential\n  Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia,\n  Khazad and Others","volume":"6110","author":"Alex Biryukov","year":"2010"},{"key":"ref62:DBLP:conf\/crypto\/FouqueJP13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"183","DOI":"10.1007\/978-3-642-40041-4_11","article-title":"Structural Evaluation of AES and Chosen-Key Distinguisher\n  of 9-Round AES-128","volume":"8042","author":"Pierre-Alain Fouque","year":"2013"},{"key":"ref63:DBLP:conf\/sacrypt\/GrassiLRTW20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1007\/978-3-030-81652-0_6","article-title":"Weak-Key Distinguishers for AES","volume":"12804","author":"Lorenzo Grassi","year":"2020"},{"key":"ref64:DBLP:conf\/asiacrypt\/Gilbert14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"200","DOI":"10.1007\/978-3-662-45611-8_11","article-title":"A Simplified Representation of AES","volume":"8873","author":"Henri Gilbert","year":"2014"},{"key":"ref65:DBLP:journals\/dcc\/GrassiR20","doi-asserted-by":"publisher","first-page":"1401","DOI":"10.1007\/s10623-020-00756-5","article-title":"Revisiting Gilbert's known-key distinguisher","volume":"88","author":"Lorenzo Grassi","year":"2020","journal-title":"Des. Codes Cryptogr."}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:06Z","timestamp":1733866086000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,7]]},"references-count":65,"URL":"https:\/\/doi.org\/10.62056\/av4fvua5v","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-04-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-48"}}