A. Albertini, J.-P. Aumasson, M. Eichlseder, F. Mendel, and M. Schläffer, Malicious hashing: Eve's variant of SHA-1, SAC 2014: 21st Annual International Workshop on Selected Areas in Cryptography, vol.8781, pp.1-19, 2014.

National Institute of Standards and Technology (NIST), FIPS PUB 197, 2001.

T. Ashur, Simon: NSA-designed Cipher in the Post-Snowden World, 2015. Talk at the Technion's CRYPTODAY

Notes on the design and analysis of SIMON and SPECK" and an Analysis of it, 2017.

R. Altawy and A. M. Youssef, Watch your constants: Malicious Streebog, Cryptology ePrint Archive, vol.879, 2014.

E. Biham, R. J. Anderson, and L. R. Knudsen, Serpent: A new block cipher proposal, Fast Software Encryption -FSE'98, vol.1372, pp.222-238, 1998.

A. Bannier, N. Bodin, and E. Filiol, Partition-based trapdoor ciphers, Cryptology ePrint Archive, 2016.

C. Boura, A. Canteaut, and C. De Cannière, Higher-order differential properties of Keccak and Luffa, Fast Software Encryption -FSE 2011, vol.6733, pp.252-269, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00738195

T. Baignères, C. Delerablée, M. Finiasz, L. Goubin, T. Lepoint et al., Trap me if you can, 2016.

G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, Keccak, Advances in Cryptology -EUROCRYPT 2013, vol.7881, pp.313-314, 2013.

D. J. Bernstein, ChaCha, a variant of Salsa20, Workshop Record of SASC, vol.8, pp.3-5, 2008.

D. Bernstein, SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013.

A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar et al., PRESENT: An ultra-lightweight block cipher, Cryptographic Hardware and Embedded Systems -CHES 2007, vol.4727, pp.450-466, 2007.

K. Bhargavan and G. Leurent, On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN, ACM CCS 2016: 23rd Conference on Computer and Communications Security, pp.456-467, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01404208

A. Biryukov and L. Perrin, On reverse-engineering S-boxes with hidden design criteria or structure, Advances in Cryptology -CRYPTO 2015, Part I, vol.9215, pp.116-140, 2015.

X. Bonnetain, L. Perrin, and S. Tian, Anomalies and vector space search: Tools for S-box reverse-engineering, Cryptology ePrint Archive, 2019.

A. Biryukov, L. Perrin, and A. Udovenko, Reverse-engineering the S-box of Streebog, Kuznyechik and STRIBOBr1, Advances in Cryptology -EUROCRYPT 2016, Part I, vol.9665, pp.372-402, 2016.

E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Advances in Cryptology -CRYPTO'90, vol.537, pp.2-21, 1991.

R. Beaulieu, D. Shors, J. Smith, S. Treatman-clark, B. Weeks et al., The SIMON and SPECK families of lightweight block ciphers, Cryptology ePrint Archive, 2013.

R. Beaulieu, D. Shors, J. Smith, S. Treatman-clark, B. Weeks et al., Notes on the design and analysis of SIMON and SPECK, Cryptology ePrint Archive, 2017.

A. Bogdanov and M. Wang, Zero correlation linear cryptanalysis with reduced data complexity, Fast Software Encryption -FSE 2012, vol.7549, pp.29-48, 2012.

R. Civino, C. Blondeau, and M. Sala, Differential attacks: using alternative operations, Designs, Codes and Cryptography, vol.87, pp.225-247, 2019.

S. Checkoway, S. Cohney, C. Garman, M. Green, N. Heninger et al., A systematic analysis of the Juniper Dual EC incident, Cryptology ePrint Archive, vol.376, 2016.

D. Chaum and J. Evertse, Crytanalysis of DES with a reduced number of rounds: Sequences of linear factors in block ciphers, in Williams (ed.), Advances in Cryptology -CRYPTO'85, vol.218, pp.192-211, 1986.

S. Checkoway, J. Maskiewicz, C. Garman, J. Fried, S. Cohney et al., A systematic analysis of the Juniper Dual EC incident, ACM CCS 2016: 23rd Conference on Computer and Communications Security, pp.468-479, 2016.

S. Checkoway, R. Niederhagen, A. Everspaugh, M. Green, T. Lange et al., On the practical exploitability of Dual EC in TLS implementations, USENIX Security 2014: 23rd USENIX Security Symposium, pp.319-335, 2014.

D. Coppersmith, The data encryption standard (DES) and its strength against attacks, IBM journal of research and development, vol.38, issue.3, pp.243-250, 1994.

C. De Cannière, O. Dunkelman, and M. Knežević, KATAN and KTANTAN -a family of small and efficient hardware-oriented block ciphers, Cryptographic Hardware and Embedded Systems -CHES 2009, vol.5747, pp.272-288, 2009.

C. De Cannière, Trivium: A stream cipher construction inspired by block cipher design principles, ISC 2006: 9th International Conference on Information Security, vol.4176, pp.171-186, 2006.

NBS FIPS PUB, vol.46, 1977.

W. Diffie and M. E. Hellman, Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard, IEEE Computer, vol.10, issue.6, pp.74-84, 1977.

J. Daemen, L. R. Knudsen, and V. Rijmen, The block cipher Square, Fast Software Encryption -FSE'97, vol.1267, pp.149-165, 1997.

D. Dinu, L. Perrin, A. Udovenko, V. Velichkov, J. Großschädl et al., Design strategies for ARX with provable bounds: Sparx and LAX, Advances in Cryptology -ASIACRYPT 2016, Part I, vol.10031, pp.484-513, 2016.

W. Diffie and G. Ledin, SMS4 encryption algorithm for wireless networks, Cryptology ePrint Archive, 2008.

ETSI/SAGE, Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification, 2006.

Federal Agency on Technical Regulation and Metrology. Information technology -data security: Hash function, 2012.

Federal Agency on Technical Regulation and Metrology. Information technology -data security: Block ciphers, 2015.

H. Feistel, Cryptography and Computer Privacy, Scientific American, vol.228, issue.5, pp.15-23, 1973.

M. Fischlin, C. Janson, and S. Mazaheri, Backdoored Hash Functions: Immunizing HMAC and HKDF, 31st IEEE Computer Security Foundations Symposium, CSF 2018, pp.105-118, 2018.

I. Goldberg, D. Wagner, and L. Green, The (Real-Time) Cryptanalysis of A5/2, 1999. Rump Session Presentation at CRYPTO, 1999.

M. Hermelin, J. Y. Cho, and K. Nyberg, Multidimensional linear cryptanalysis of reduced round Serpent, ACISP 08: 13th Australasian Conference on Information Security and Privacy, vol.5107, pp.203-215, 2008.

C. Harpes and J. L. Massey, Partitioning cryptanalysis, Fast Software Encryption -FSE'97, vol.1267, pp.13-27, 1997.

M. Hellman, R. Merkle, R. Schroeppel, L. Washington, W. Diffie et al., Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard, 1976.

H. Krawczyk, M. Bellare, and R. Canetti, HMAC: Keyed-hashing for message authentication, 1997.

L. R. Knudsen, Truncated and higher order differentials, Fast Software Encryption -FSE'94, vol.1008, pp.196-211, 1995.

L. R. Knudsen and H. Raddum, On NOEKEON, 2001.

L. R. Knudsen and D. Wagner, Integral cryptanalysis, Fast Software Encryption -FSE 2002, vol.2365, pp.112-127, 2002.

G. Leander, M. A. Abdelraheem, H. Alkhzaimi, and E. Zenner, A cryptanalysis of PRINTcipher: The invariant subspace attack, Advances in Cryptology -CRYPTO 2011, vol.6841, pp.206-221, 2011.

S. K. Langford and M. E. Hellman, Differential-linear cryptanalysis, Advances in Cryptology -CRYPTO'94, vol.839, pp.17-25, 1994.

F. Liu, W. Ji, L. Hu, J. Ding, S. Lv et al., Analysis of the SMS4 block cipher, ACISP 07: 12th Australasian Conference on Information Security and Privacy, vol.4586, pp.158-170, 2007.

X. Lai and J. L. Massey, A proposal for a new block encryption standard, Advances in Cryptology -EUROCRYPT'90, vol.473, pp.389-404, 1991.

S. Lucks, The saturation attack -a bait for Twofish, Fast Software Encryption -FSE, vol.2355, pp.1-15, 2001.

M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology -EUROCRYPT'93, vol.765, pp.386-397, 1994.

P. Morawiecki, Malicious Keccak, Cryptology ePrint Archive, 1085.

National Institute of Standards and Technology. FIPS 180-1: Secure hash standard, 1995.

K. Nyberg and L. R. Knudsen, Provable security against a differential attack, Journal of Cryptology, vol.8, issue.1, pp.27-37, 1995.

K. G. Paterson, Imprimitive permutation groups and trapdoors in iterated block ciphers, Fast Software Encryption -FSE'99, vol.1636, pp.201-214, 1999.

L. Perrin, Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms, 2017.

L. Perrin, Partitions in the S-box of Streebog and Kuznyechik, IACR Transactions on Symmetric Cryptology, vol.2019, pp.302-329, 2019.
URL : https://hal.archives-ouvertes.fr/hal-02396814

L. Perrin and A. Udovenko, Exponential S-boxes: a link between the S-boxes of BelT and Kuznyechik/Streebog, IACR Transactions on Symmetric Cryptology, vol.2016, issue.2, pp.99-124, 2016.

F. Quick, Common cryptographic algorithms, 2009.

V. Rijmen and B. Preneel, A family of trapdoor ciphers, Fast Software Encryption -FSE'97, vol.1267, pp.139-148, 1997.

V. Rudskoy, Note on Streebog constants origin, 2015.

M. Stevens, E. Bursztein, P. Karpman, A. Albertini et al., The first collision for full SHA-1, Advances in Cryptology -CRYPTO 2017, pp.570-596, 2017.

B. Schneier, Description of a new variable-length key, 64-bit block cipher (Blowfish), Fast Software Encryption -FSE'93, vol.809, pp.191-204, 1994.

B. Schneier, M. Fredrikson, T. Kohno, and T. Ristenpart, Surreptitiously weakening cryptographic systems, Cryptology ePrint Archive, 2015.

C. E. Shannon, Communication theory of secrecy systems, Bell Systems Technical Journal, vol.28, issue.4, pp.656-715, 1949.

National Institute of Standards and Technology (NIST), FIPS PUB 180-4, 2015.

SHA-3 standard: Permutation-based hash and extendable-output function. National Institute of Standards and Technology (NIST), FIPS PUB 202, 2015.

G. J. Simmons, The prisoners' problem and the subliminal channel, Advances in Cryptology -CRYPTO'83, pp.51-67, 1983.

V. Shishkin and G. Marshalko, A Memo on Kuznyechik S-Box, ISO/IEC JTC 1/SC 27/WG 2 Officer's Contribution N1804, 2018.

A. Sorkin, Lucifer, a Cryptographic Algorithm, Cryptologia, vol.8, issue.1, pp.22-42, 1984.

Y. Todo, Structural evaluation by generalized integral property, Advances in Cryptology -EUROCRYPT 2015, Part I, vol.9056, pp.287-314, 2015.

U.S. Department of Commerce/National Institute of Standards and Technology. Skipjack and KEA algorithms specifications, 1998.

Adapting Rigidity to Symmetric Cryptography: Towards "Unswerving" Designs

D. Wagner, The boomerang attack, Fast Software Encryption -FSE'99, vol.1636, pp.156-170, 1999.

H. Wu, F. Bao, R. H. Deng, and Q. Ye, Cryptanalysis of Rijmen-Preneel trapdoor ciphers, Advances in Cryptology -ASIACRYPT'98, vol.1514, pp.126-132, 1998.

D. Wagner, B. Schneier, and J. Kelsey, Cryptanalysis of the cellular encryption algorithm, Advances in Cryptology -CRYPTO'97, vol.1294, pp.526-537, 1997.

A. F. Webster and S. E. Tavares, On the design of S-boxes (impromptu talk), Advances in Cryptology -CRYPTO'85, vol.218, pp.523-534, 1986.

H. Yoshida and J. Hammell, Meeting report for the discussion on Kuznyechik and Streebog, 2019.

A. Young and M. Yung, Kleptography: Using cryptography against cryptography, Advances in Cryptology -EUROCRYPT'97, vol.1233, pp.62-74, 1997.

A. Young and M. Yung, A subliminal channel in secret block ciphers, SAC 2004: 11th Annual International Workshop on Selected Areas in Cryptography, vol.3357, pp.198-211, 2004.

A. Young and M. Yung, A space efficient backdoor in RSA and its applications, SAC 2005: 12th Annual International Workshop on Selected Areas in Cryptography, vol.3897, pp.128-143, 2006.