Cover -- Title Page -- Copyright Page -- Contents -- Preface -- Part 1. Design of Symmetric-key Algorithms -- Chapter 1. Introduction to Design in Symmetric Cryptography -- 1.1. Introduction -- 1.2. Cryptographic building blocks -- 1.2.1. The block cipher and its variants -- 1.3. Differentially uniform functions -- 1.4. Arbitrary-length schemes -- 1.4.1. Modes and constructions -- 1.4.2. Dedicated schemes -- 1.4.3. Modes and constructions versus primitives -- 1.5. Iterated (tweakable) block ciphers and permutations -- 1.5.1. Cryptanalysis and safety margin -- 1.5.2. Designing the round function of primitives -- 1.6. A short history -- 1.6.1. The data encryption standard -- 1.6.2. The block cipher FEAL -- 1.6.3. Differential and linear cryptanalysis -- 1.6.4. The block cipher IDEA -- 1.6.5. The advanced encryption standard -- 1.6.6. Cache attacks -- 1.6.7. KECCAK -- 1.6.8. Lightweight cryptography -- 1.7. Acknowledgments -- 1.8. References -- Chapter 2. The Design of Stream Ciphers -- 2.1. Introduction -- 2.1.1. What is a synchronous additive stream cipher? -- 2.1.2. Generic construction -- 2.1.3. Generic attacks -- 2.1.4. Open competitions -- 2.1.5. Standards -- 2.2. Constructions based on FSRs -- 2.2.1. LFSR-based constructions -- 2.2.2. NFSR-based constructions -- 2.3. Table-based constructions -- 2.4. Block ciphers and permutations in stream cipher mode -- 2.4.1. Block cipher modes OFB and CTR -- 2.4.2. Permutations in stream cipher mode -- 2.5. Authenticated encryption (AE) -- 2.5.1. Block ciphers and permutations in stream cipher modes -- 2.6. Emerging low-complexity stream ciphers -- 2.7. References -- Chapter 3. Block Ciphers -- 3.1. General purpose block ciphers -- 3.1.1. Feistel block ciphers -- 3.1.2. Substitution permutation networks -- 3.2. Key schedule algorithms -- 3.3. Generic attacks -- 3.4. Tweakable block ciphers.

3.5. Some positive results concerning security -- 3.6. The case of algebraic ciphers -- 3.7. References -- Chapter 4. Hash Functions -- 4.1. Definitions and requirements -- 4.1.1. An ideal model: the random oracle -- 4.1.2. Expressing security claims -- 4.2. Design of hash functions -- 4.2.1. The Merkle-Damgård construction -- 4.2.2. Fixing the Merkle-Damgård construction -- 4.2.3. Building a compression function -- 4.2.4. Indifferentiability -- 4.2.5. The sponge construction -- 4.2.6. KECCAK, SHA-3 and beyond -- 4.3. Tree hashing -- 4.4. References -- Chapter 5. Modes of Operation -- 5.1. Encryption schemes -- 5.1.1. Cipher block chaining -- 5.1.2. Counter mode -- 5.2. Message authentication codes -- 5.2.1. CBC-MAC -- 5.2.2. PMAC -- 5.2.3. Hash-based MACs -- 5.2.4. Wegman-Carter MACs and GMAC -- 5.3. Security of modes: generic attacks -- 5.3.1. The birthday bound -- 5.3.2. Generic attack against iterated MACs -- 5.3.3. Generic attack against Wegman-Carter MACs -- 5.3.4. Generic attack against CBC -- 5.3.5. Generic attack against CTR -- 5.3.6. Small block sizes -- 5.3.7. Misuse -- 5.3.8. Limitations of encryption -- 5.4. References -- Chapter 6. Authenticated Encryption Schemes -- 6.1. Introduction -- 6.2. Security notions -- 6.3. Design strategies for authenticated encryption -- 6.3.1. Generic composition -- 6.3.2. Dedicated primitive-based designs -- 6.3.3. Fully dedicated designs -- 6.3.4. Standards and competitions -- 6.4. References -- Chapter 7. MDS Matrices -- 7.1. Definition -- 7.1.1. Differential and linear properties -- 7.1.2. Near-MDS matrices -- 7.2. Constructions -- 7.3. Implementation cost -- 7.3.1. Optimizing the implementation of a matrix -- 7.3.2. Implementation of the inverse matrix -- 7.4. Construction of lightweight MDS matrices -- 7.4.1. Choice of the field or ring -- 7.4.2. MDS matrices with the lowest XOR count.

7.4.3. Iterative MDS matrices -- 7.4.4. Involutory MDS matrices -- 7.5. References -- Chapter 8. S-boxes -- 8.1. Important design criteria -- 8.1.1. Differential properties -- 8.1.2. Linear properties -- 8.1.3. Algebraic properties -- 8.1.4. Other properties -- 8.2. Popular S-boxes for different dimensions -- 8.2.1. S-boxes with an odd number of variables -- 8.2.2. 4-bit S-boxes -- 8.2.3. 8-bit S-boxes -- 8.3. Further reading -- 8.4. References -- Chapter 9. Rationale, Backdoors and Trust -- 9.1. Lifecycle of a cryptographic primitive -- 9.1.1. Design phase -- 9.1.2. Public cryptanalysis -- 9.1.3. Deployment? -- 9.1.4. The limits of this process -- 9.2. When a selection process fails -- 9.2.1. Under-engineered algorithms -- 9.2.2. Primitives with hidden properties -- 9.3. Can we trust modern algorithms? -- 9.3.1. Standardization and normalization -- 9.3.2. Some rules of thumb -- 9.4. References -- Part 2. Security Proofs for Symmetric-key Algorithms -- Chapter 10. Modeling Security -- 10.1. Different types of adversary models -- 10.2. When is an attack considered successful? -- 10.3. Random oracle -- 10.4. Distinguishing advantage -- 10.5. Understanding the distinguishing advantage -- 10.5.1. Adversarial complexity -- 10.5.2. Claiming security -- 10.5.3. Breaking claims -- 10.6. Adaptation to block ciphers -- 10.6.1. Distinguishing advantage -- 10.6.2. Security of AES -- 10.7. Acknowledgments -- 10.8. References -- Chapter 11. Encryption and Security of Counter Mode -- 11.1. Block encryption -- 11.1.1. Padding -- 11.1.2. Cipher block chaining -- 11.2. Stream encryption -- 11.2.1. Output feedback mode -- 11.2.2. Counter mode -- 11.3. Provable security of modes: the case of counter mode -- 11.4. Acknowledgments -- 11.5. References -- Chapter 12. Message Authentication and Authenticated Encryption -- 12.1. Message authentication.

12.1.1. WCS construction -- 12.1.2. Provable security -- 12.2. Authenticated encryption -- 12.2.1. GCM, Galois/counter mode -- 12.2.2. Provable security -- 12.3. References -- Chapter 13. H-coefficients Technique -- 13.1. The H-Coefficients technique -- 13.2. A worked out example: the three-round Feistel construction -- 13.3. The Even-Mansour construction -- 13.3.1. H-coefficients security proof -- 13.3.2. Extension to multiple rounds -- 13.4. References -- Chapter 14. Chi-square Method -- 14.1. Introduction -- 14.2. Preliminaries -- 14.2.1. PRF-security definition -- 14.2.2. Hypergeometric distribution -- 14.3. Truncation of random permutation -- 14.3.1. PRF-security of truncation -- 14.4. XOR of random permutations -- 14.5. Other applications of the chi-squared method -- 14.6. Acknowledgments -- 14.7. References -- Part 3. Appendices -- Appendix 1. Data Encryption Standard (DES) -- Appendix 2. Advanced Encryption Standard (AES) -- Appendix 3. PRESENT -- Appendix 4. KECCAK -- List of Authors -- Index -- Summary of Volume 2 -- EULA.