M. A. Abdelraheem, M. Ågren, P. Beelen, and G. Leander, On the distribution of linear biases: Three instructive examples, CRYPTO 2012, vol.7417, pp.50-67, 2012.

, Advanced Encryption Standard (AES), 2001.

E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, and J. P. Steinberger, On the indifferentiability of key-alternating ciphers, CRYPTO 2013, Part I. LNCS, vol.8042, pp.531-550, 2013.

C. Beierle, A. Canteaut, G. Leander, and Y. Rotella, Proving resistance against invariant attacks: How to choose the round constants, Part II, vol.10402, pp.647-678, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01631130

E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, CRYPTO'90, vol.537, pp.2-21, 1991.

A. Biryukov and D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, ASIACRYPT 2009, vol.5912, pp.1-18, 2009.

A. Biryukov, D. Khovratovich, and I. Nikolic, Distinguisher and related-key attack on the full AES-256, CRYPTO 2009, vol.5677, pp.231-249, 2009.

A. Biryukov and L. Perrin, On reverse-engineering S-boxes with hidden design criteria or structure, CRYPTO 2015, Part I. LNCS, vol.9215, pp.116-140, 2015.

C. Blondeau and K. Nyberg, Improved parameter estimates for correlation and capacity deviates in linear cryptanalysis, IACR Trans. Symm. Cryptol, vol.2016, issue.2, pp.162-191, 2016.

A. Bogdanov, L. R. Knudsen, G. Leander, F. X. Standaert, J. P. Steinberger et al., Key-alternating ciphers in a provable setting: Encryption using a small number of public permutations (extended abstract), EUROCRYPT 2012, vol.7237, pp.45-62, 2012.

C. Boura, A. Canteaut, and C. De Cannière, Higher-order differential properties of Keccak and Luffa, FSE 2011, vol.6733, pp.252-269, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00738195

A. Canteaut, V. Lallemand, G. Leander, P. Neumann, and F. Wiemer, BISON - instantiating the whitened swap-or-not construction, Cryptology ePrint Archive, 1011.

A. Canteaut and J. Roué, On the behaviors of affine equivalent sboxes regarding differential and linear attacks, EUROCRYPT 2015, Part I. LNCS, vol.9056, pp.45-74, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01104051

C. Carlet, Boolean Functions for Cryptography and Error Correcting Codes, Boolean Methods and Models, 2007.

S. Chen and J. P. Steinberger, Tight security bounds for key-alternating ciphers, EUROCRYPT 2014, vol.8441, pp.327-350, 2014.

J. Daemen, Cipher and hash function design, strategies based on linear and differential cryptanalysis, 1995.

J. Daemen, R. Govaerts, and J. Vandewalle, Block ciphers based on modular arithmetic, State and Progress in the Research of Cryptography, pp.80-89, 1993.

J. Daemen, R. Govaerts, and J. Vandewalle, Correlation matrices, FSE'94, vol.1008, pp.275-285, 1995.

J. Daemen and V. Rijmen, The block cipher Rijndael, CARDIS'98, vol.1820, pp.277-284, 1998.

J. Daemen and V. Rijmen, The wide trail design strategy, 8th IMA International Conference on Cryptography and Coding, vol.2260, pp.222-238, 2001.

J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography, 2002.

J. Daemen and V. Rijmen, Understanding two-round differentials in AES, SCN 06, vol.4116, pp.78-94, 2006.

P. Derbez, P. A. Fouque, and J. Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, EUROCRYPT 2013, vol.7881, pp.371-387, 2013.
URL : https://hal.archives-ouvertes.fr/hal-01094304

J. F. Dillon, A survey of bent functions, The NSA technical journal, vol.191, p.215, 1972.

S. Even and Y. Mansour, A construction of a cipher from a single pseudorandom permutation, Journal of Cryptology, vol.10, issue.3, pp.151-162, 1997.

N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay et al., Improved cryptanalysis of Rijndael, FSE 2000, vol.1978, pp.213-230, 2001.

H. Gilbert and M. Minier, A collision attack on 7 rounds of Rijndael, vol.230, p.241, 2000.

L. Grassi, C. Rechberger, and S. Rønjom, Subspace trail cryptanalysis and its applications to AES, IACR Trans. Symm. Cryptol, vol.2016, issue.2, pp.192-225, 2016.

L. Grassi, C. Rechberger, and S. Rønjom, A new structural-differential property of 5-round AES, Part II, vol.10211, pp.289-317, 2017.

C. Guo and D. Lin, On the indifferentiability of key-alternating Feistel ciphers with no key derivation, TCC 2015, Part I. LNCS, vol.9014, pp.110-133, 2015.

V. T. Hoang, B. Morris, and P. Rogaway, An enciphering scheme based on a card shuffle, CRYPTO 2012, vol.7417, pp.1-13, 2012.

V. T. Hoang and S. Tessaro, Key-alternating ciphers and key-length extension: Exact bounds and multi-user security, CRYPTO 2016, Part I. LNCS, vol.9814, pp.3-32, 2016.

S. Hong, S. Lee, J. Lim, J. Sung, D. H. Cheon et al., Provable security against differential and linear cryptanalysis for the SPN structure, FSE 2000, vol.1978, pp.273-283, 2001.

T. Jakobsen and L. R. Knudsen, The interpolation attack on block ciphers, FSE'97, vol.1267, pp.28-40, 1997.

L. Keliher and J. Sui, Exact maximum expected differential and linear probability for two-round advanced encryption standard, IET Information Security, vol.1, issue.2, pp.53-57, 2007.

T. Kranz, G. Leander, and F. Wiemer, Linear cryptanalysis: Key schedules and tweakable block ciphers, IACR Trans. Symm. Cryptol, vol.2017, issue.1, pp.474-505, 2017.

X. Lai, J. L. Massey, and S. Murphy, Markov ciphers and differential cryptanalysis, EUROCRYPT'91, vol.547, pp.17-38, 1991.

R. Lampe and Y. Seurin, Security analysis of key-alternating Feistel ciphers, FSE 2014, vol.8540, pp.243-264, 2015.
URL : https://hal.archives-ouvertes.fr/hal-02176873

G. Leander, M. A. Abdelraheem, H. Alkhzaimi, and E. Zenner, A cryptanalysis of PRINTcipher: The invariant subspace attack, CRYPTO 2011, vol.6841, pp.206-221, 2011.

M. Matsui, On correlation between the order of S-boxes and the strength of DES, EUROCRYPT'94, vol.950, pp.366-375, 1995.

W. Meier and O. Staffelbach, Nonlinearity criteria for cryptographic functions, EUROCRYPT'89, vol.434, pp.549-562, 1990.

S. Miracle and S. Yilek, Cycle slicer: An algorithm for building permutations on special domains, Cryptology ePrint Archive, vol.873, 2017.

K. Nyberg, Linear approximation of block ciphers (rump session), EUROCRYPT'94, vol.950, pp.439-444, 1995.

K. Nyberg, "Provable" security against differential and linear cryptanalysis (invited talk), FSE 2012, vol.7549, pp.1-8, 2012.

K. Nyberg and L. R. Knudsen, Provable security against a differential attack, Journal of Cryptology, vol.8, issue.1, pp.27-37, 1995.

S. Park, S. H. Sung, S. Lee, and J. Lim, Improving the upper bound on the maximum differential and the maximum linear Hull probability for SPN structures and AES, FSE 2003, vol.2887, pp.247-260, 2003.

O. S. Rothaus, On 'bent' functions, Journal of Combinatorial Theory, Series A, vol.20, issue.3, pp.300-305, 1976.

S. Tessaro, Optimally secure block ciphers from ideal primitives, ASIACRYPT 2015, Part II. LNCS, vol.9453, pp.437-462, 2015.

S. Tessaro, Optimally secure block ciphers from ideal primitives, Cryptology ePrint Archive, vol.868, 2015.

Y. Todo, G. Leander, and Y. Sasaki, Nonlinear invariant attack - practical attack on full SCREAM, iSCREAM, and Midori64, ASIACRYPT 2016, Part II, vol.10032, pp.3-33, 2016.

S. Vaudenay, Provable security for block ciphers by decorrelation, STACS'98, vol.1373, pp.249-275, 1998.

S. Vaudenay, The end of encryption based on card shuffling, CRYPTO 2012 Rump Session, 2012.