Cover -- Title Page -- Copyright Page -- Contents -- Preface -- Part 1. Cryptanalysis of Symmetric-key Algorithms -- Chapter 1. Differential Cryptanalysis -- 1.1. Statistical attacks on block ciphers: preliminaries -- 1.2. Principle of differential cryptanalysis and application to DES -- 1.2.1. Differential transitions and differential characteristics -- 1.2.2. Derivation of non-trivial differential characteristics -- 1.2.3. Leveraging characteristics to mount a key-recovery attack -- 1.3. Some refinements and generalizations -- 1.3.1. Differential effect -- 1.3.2. Truncated differentials -- 1.4. Design strategies and evaluation -- 1.4.1. Case of the AES -- 1.4.2. Automated analysis -- 1.5. Further notes and references -- 1.6. References -- Chapter 2. Linear Cryptanalysis -- 2.1. History -- 2.2. Correlation and linear hull -- 2.3. Multidimensional linear approximation -- 2.4. Walsh-Hadamard transform -- 2.5. Linear approximation of an iterative block cipher -- 2.6. Matsui's Algorithm 1 type of key recovery -- 2.7. Matsui's Algorithm 2 type of key recovery -- 2.8. Searching for linear approximations and estimating correlations -- 2.9. Speeding up key recovery -- 2.10. Key-recovery distinguisher -- 2.11. Classical model of Algorithm 2 -- 2.12. Algorithm 2 with distinct known plaintext and randomized key -- 2.13. Multiple linear approximations -- 2.14. Multidimensional linear cryptanalysis -- 2.15. References -- Chapter 3. Impossible Differential Cryptanalysis -- 3.1. Finding impossible differentials -- 3.2. Key recovery -- 3.2.1. Data, time and memory complexities -- 3.3. Some improvements -- 3.3.1. Early abort technique -- 3.3.2. Multiple impossible differentials or multiple extension paths -- 3.4. Applications -- 3.5. References -- Chapter 4. Zero-Correlation Cryptanalysis -- 4.1. Correlation and linear cryptanalysis -- 4.1.1. Correlation matrix.

4.1.2. Linear trails and linear hulls -- 4.1.3. Approximations of linear functions -- 4.1.4. Computing the correlations over a permutation -- 4.2. Attacks using a linear hull with correlation zero -- 4.2.1. Correlation zero in random permutations -- 4.2.2. Distinguisher -- 4.2.3. Reducing the data complexity -- 4.3. Linear hulls with correlation zero -- 4.3.1. Feistel ciphers -- 4.3.2. AES -- 4.3.3. Extended result on AES -- 4.4. References -- Chapter 5. Differential-Linear Cryptanalysis -- 5.1. Brief introduction of differential-linear attacks -- 5.2. How to estimate correlations of a differential-linear distinguisher -- 5.3. On the key recovery -- 5.4. State of the art for differential-linear attacks -- 5.4.1. Differential-linear connecting table -- 5.4.2. Three techniques to improve differential-linear attacks -- 5.5. References -- Chapter 6. Boomerang Cryptanalysis -- 6.1. Basic boomerang attack -- 6.2. Variants and refinements -- 6.3. Tricks and failures -- 6.4. Formalize the dependency -- 6.5. References -- Chapter 7. Meet-in-the-Middle Cryptanalysis -- 7.1. Introduction -- 7.2. Basic meet-in-the-middle framework -- 7.2.1. The 2DES attack -- 7.2.2. Algorithmic framework -- 7.2.3. Complexity analysis and memory usage -- 7.3. Meet-in-the-middle techniques -- 7.3.1. Filtering -- 7.3.2. Splice-and-cut -- 7.3.3. Bicliques -- 7.4. Automatic tools -- 7.5. References -- Chapter 8. Meet-in-the-Middle Demirci-Selçuk Cryptanalysis -- 8.1. Original Demirci-Selçuk attack -- 8.2. Improvements -- 8.2.1. Data/time/memory trade-off -- 8.2.2. Difference instead of value -- 8.2.3. Multiset -- 8.2.4. Linear combinations -- 8.2.5. Differential enumeration technique -- 8.3. Finding the best attacks -- 8.3.1. Tools -- 8.3.2. Results -- 8.4. References -- Chapter 9. Invariant Cryptanalysis -- 9.1. Introduction -- 9.2. Invariants for permutations and block ciphers.

9.2.1. Invariant subspaces -- 9.2.2. Quadratic invariants -- 9.3. On design criteria to prevent attacks based on invariants -- 9.4. A link to linear approximations -- 9.5. References -- Chapter 10. Higher Order Differentials, Integral Attacks and Variants -- 10.1. Integrals and higher order derivatives -- 10.2. Algebraic degree of an iterated function -- 10.3. Division property -- 10.4. Attacks based on integrals -- 10.4.1. Distinguishers -- 10.4.2. Attacks -- 10.5. References -- Chapter 11. Cube Attacks and Distinguishers -- 11.1. Cube attacks and cube testers -- 11.1.1. Terminology -- 11.1.2. Main observation -- 11.1.3. The basic cube attack -- 11.1.4. The preprocessing phase on cube attacks -- 11.1.5. Cube testers -- 11.1.6. Applications -- 11.2. Conditional differential attacks and dynamic cube attacks -- 11.2.1. Conditional differential attacks -- 11.2.2. Dynamic cube attacks -- 11.2.3. A toy example -- 11.3. References -- Chapter 12. Correlation Attacks on Stream Ciphers -- 12.1. Correlation attacks on the nonlinear combination generator -- 12.2. Correlation attacks and decoding linear codes -- 12.3. Fast correlation attacks -- 12.3.1. Fast correlation attacks and low weight feedback polynomials -- 12.3.2. Finding low weight multiples of the feedback polynomial -- 12.3.3. Fast correlation attacks by reducing the code dimension -- 12.4. Generalizing fast correlation attacks -- 12.4.1. The E0 stream cipher -- 12.4.2. The A5/1 stream cipher -- 12.5. References -- Chapter 13. Addition, Rotation, XOR -- 13.1. What is ARX? -- 13.1.1. Structure of an ARX-based primitive -- 13.1.2. Development of ARX -- 13.2. Understanding modular addition -- 13.2.1. Expressing modular addition in Fn2 -- 13.2.2. Cryptographic properties of modular addition -- 13.3. Analyzing ARX-based primitives -- 13.3.1. Searching for differential and linear trails.

13.3.2. Proving security against differential and linear attacks -- 13.3.3. Other cryptanalysis techniques -- 13.4. References -- Chapter 14. SHA-3 Contest Related Cryptanalysis -- 14.1. Chapter overview -- 14.2. Differences between attacks against keyed and keyless primitives -- 14.3. Rebound attack -- 14.3.1. Basic strategy of the rebound attack -- 14.3.2. Rebound attack against AES-like structures -- 14.4. Improving rebound attacks with Super-Sbox -- 14.5. References for further reading about rebound attacks -- 14.6. Brief introduction of other cryptanalysis -- 14.6.1. Internal differential cryptanalysis -- 14.6.2. Rotational cryptanalysis -- 14.7. References -- Chapter 15. Cryptanalysis of SHA-1 -- 15.1. Design of SHA-1 -- 15.2. SHA-1 compression function -- 15.3. Differential analysis -- 15.4. Near-collision attacks -- 15.5. Near-collision search -- 15.6. Message expansion differences -- 15.7. Differential trail -- 15.8. Local collisions -- 15.9. Disturbance vector -- 15.10. Disturbance vector selection -- 15.11. Differential trail construction -- 15.12. Message modification techniques -- 15.13. Overview of published collision attacks -- 15.14. References -- Part 2. Future Directions -- Chapter 16. Lightweight Cryptography -- 16.1. Lightweight cryptography standardization efforts -- 16.2. Desired features -- 16.3. Design approaches in lightweight cryptography -- 16.4. References -- Chapter 17. Post-Quantum Symmetric Cryptography -- 17.1. Different considered models -- 17.1.1. With respect to the queries -- 17.1.2. With respect to memory -- 17.2. On Simon's and Q2 attacks -- 17.2.1. Off-line Simon's attack -- 17.3. Quantizing classical attacks in Q1 -- 17.3.1. About collisions -- 17.4. On the design of quantum-safe primitives -- 17.5. Perspectives and conclusion -- 17.5.1. About losing the quantum and classical surname -- 17.5.2. No panic.

17.6. References -- Chapter 18. New Fields in Symmetric Cryptography -- 18.1. Arithmetization-oriented symmetric primitives (ZK proof systems) -- 18.1.1. The current understanding of this new language -- 18.1.2. The first attempts -- 18.1.3. Cryptanalysis -- 18.2. Symmetric ciphers for hybrid homomorphic encryption -- 18.2.1. The current understanding of this new language -- 18.2.2. First design strategies -- 18.3. Parting thoughts -- 18.4. References -- Chapter 19. Deck-function-based Cryptography -- 19.1. Block-cipher centric cryptography -- 19.2. Permutation-based cryptography -- 19.3. The problem of the random permutation security model -- 19.4. Deck functions -- 19.5. Modes of deck functions and instances -- 19.6. References -- List of Authors -- Index -- Summary of Volume 1 -- EULA.