References

[cip]

Ciphersuite. URL: https://ciphersuite.info.

[fip]

Federal Information Processing Standards Publication 46-3: Data Encryption Standard (DES). URL: https://csrc.nist.gov/csrc/media/publications/fips/46/3/archive/1999-10-25/documents/fips46-3.pdf.

[dhg]

Internet Key Exchange version 2 (IKEv2) parameters. URL: https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8.

[let]

Let's Encrypt. URL: https://letsencrypt.org/.

[wos]

Mozilla wiki: WoSign issues. URL: https://wiki.mozilla.org/CA/WoSign_Issues.

[dns]

The DNSSEC root signing ceremony. URL: https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/.

[hea]

The Heartbleed bug. URL: https://heartbleed.com/.

[aes01a]

Federal Information Processing Standards Publication 197: Advanced Encryption Standard (AES). 2001. URL: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.

[aes01b]

Report on the development of the Advanced Encryption Standard (AES). 2001. URL: https://nvlpubs.nist.gov/nistpubs/jres/106/3/j63nec.pdf.

[ecd02]

Algorithms and identifiers for the Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. 2002. URL: https://datatracker.ietf.org/doc/html/rfc3279.

[dh-03]

More modular exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). 2003. URL: https://www.rfc-editor.org/rfc/rfc3526.html.

[ope07]

OpenPGP message format. 2007. URL: https://datatracker.ietf.org/doc/html/rfc4880.

[ips11]

IP Security (IPsec) and Internet Key Exchange (IKE) document roadmap. 2011. URL: https://datatracker.ietf.org/doc/html/rfc6071.

[det13]

Deterministic usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). 2013. URL: https://datatracker.ietf.org/doc/html/rfc6979.

[fip13]

Federal Information Processing Standards Publication 186-4: Digital Signature Standard (DSS). 2013. URL: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.

[nis15]

Recommendation for random number generation using deterministic random bit generators. 2015. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf.

[sha15]

SHA-3 standard: permutation-based hash and extendable-output functions. 2015. URL: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf.

[ev116]

Journey to an extended validation certificate. 2016. URL: https://www.troyhunt.com/journey-to-an-extended-validation-certificate/.

[pkc16]

PKCS #1: RSA cryptography specifications version 2.2. 2016. URL: https://datatracker.ietf.org/doc/html/rfc8017.

[str17]

Nope, this isn’t the HTTPS-validated Stripe website you think it is. 2017. URL: https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/.

[ev219]

Extended validation certificates are (really, really) dead. 2019. URL: https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/.

[ftc20]

FTC requires Zoom to enhance its security practices as part of settlement. 2020. URL: https://www.ftc.gov/news-events/news/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement.

[fiv20]

International statement: end-to-end encryption and public safety. 2020. URL: https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety.

[app21a]

An open letter against Apple's privacy-invasive content scanning technology. 2021. URL: https://appleprivacyletter.com/.

[app21b]

Apple platform security: random number generation. 2021. URL: https://support.apple.com/en-ie/guide/security/seca0c73a75b/web.

[app21c]

Expanded protections for children frequently asked questions. 2021. URL: https://www.apple.com/child-safety/pdf/Expanded_Protections_for_Children_Frequently_Asked_Questions.pdf.

[app21d]

CSAM detection technical summary. 2021. URL: https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdf.

[ora22]

Critical cryptographic Java security blunder patched – update now! 2022. URL: https://nakedsecurity.sophos.com/2022/04/20/critical-cryptographic-java-security-blunder-patched-update-now/.

[ran22]

Randstorm: you can’t patch a house of cards. 2022. URL: https://www.unciphered.com/blog/randstorm-you-cant-patch-a-house-of-cards.

[A+97]

Hal Abelson and others. The risks of key recovery, key escrow, and trusted third-party encryption. 1997. URL: https://academiccommons.columbia.edu/doi/10.7916/D8GM8F2W.

[A+15a]

Hal Abelson and others. Keys under doormats. 2015. URL: https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf.

[A+15b]

D. Adrian and others. Weak Diffie-Hellman and the Logjam attack. 2015. URL: https://weakdh.org/.

[AP13]

Nadhem J. AlFardan and Kenneth G. Paterson. Lucky Thirteen: breaking the TLS and DTLS record protocols. 2013. URL: http://www.isg.rhul.ac.uk/tls/Lucky13.html.

[AR19]

E. Alashwali and K. Rasmussen. What's in a downgrade? A taxonomy of downgrade attacks in the TLS protocol and application protocols using TLS. 2019. URL: https://arxiv.org/abs/1809.05681.

[AIK+00]

Kazumaro Aoki, Tetsuya Ichikawa, Masayuki Kanda, Mitsuru Matsui, Shiho Moriai, Junko Nakajima, and Toshio Tokita. Specification of Camellia - a 128-bit block cipher. 2000. URL: https://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf.

[Ber05]

D. Bernstein. The Poly1305-AES message-authentication code. 2005. URL: https://cr.yp.to/mac/poly1305-20050329.pdf.

[BL]

D. Bernstein and T. Lange. SafeCurves. URL: https://safecurves.cr.yp.to/.

[BBM+21]

Abhishek Bhowmick, Dan Boneh, Steve Myers, Kunal Talwar, and Karl Tarbe. The Apple PSI system. 2021. URL: https://www.apple.com/child-safety/pdf/Apple_PSI_System_Security_Protocol_and_Analysis.pdf.

[BS93]

E. Biham and A. Shamir. Differential cryptanalysis of the Data Encryption Standard. 1993. URL: https://link.springer.com/book/10.1007/978-1-4613-9314-6.

[BC08]

Eli Biham and Yaniv Carmeli. Efficient reconstruction of RC4 keys from internal states. 2008. URL: https://link.springer.com/chapter/10.1007/978-3-540-71039-4_17.

[BDK+09]

A. Biryukov, O. Dunkelman, N. Keller, D. Khovratovich, and A. Shamir. Key recovery attacks of practical complexity on AES variants with up to 10 rounds. 2009. URL: https://eprint.iacr.org/2009/374.pdf.

[BKN09]

A. Biryukov, D. Khovratovich, and I. Nikolić. Distinguisher and related-key attack on the full AES-256. 2009. URL: https://link.springer.com/chapter/10.1007/978-3-642-03356-8_14.

[Bla94]

Matt Blaze. Protocol failure in the Escrowed Encryption Standard. 1994. URL: https://www.mattblaze.org/papers/eesproto.pdf.

[Ble98]

D. Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. 1998. URL: http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf.

[BBS86]

L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. 1986. URL: https://shub.ccny.cuny.edu/articles/1986-A_simple_unpredictable_pseudo-random_number_generator.pdf.

[Bon99]

D. Boneh. Twenty years of attacks on the RSA cryptosystem. 1999. URL: http://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf.

[BB03]

D. Brumley and D. Boneh. Remote timing attacks are practical. 2003. URL: http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf.

[Boc22]

H. Böck. Fermat attack on RSA. 2022. URL: https://fermatattack.secvuln.info/.

[BSY18]

H. Böck, J. Somorovsky, and C. Young. Return of Bleichenbacher's oracle threat (ROBOT). 2018. URL: https://www.robotattack.org/.

[CGM12]

O. Choudary, F. Gröbert, and J. Metz. Infiltrate the vault: security analysis and decryption of Lion full disk encryption. 2012. URL: https://eprint.iacr.org/2012/374.pdf.

[Com14]

James Comey. Going dark: are technology, privacy, and public safety on a collision course? 2014. URL: https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course.

[Cor21]

Cory Cornelius. Working collision? 2021. URL: https://github.com/AsuharietYgvar/AppleNeuralHash2ONNX/issues/1.

[CJNP00]

J.-S. Coron, M. Joye, D. Naccache, and P. Paillier. New attacks on PKCS#1 v1.5 encryption. 2000. URL: https://link.springer.com/content/pdf/10.1007/3-540-45539-6_25.pdf.

[CWR09]

S. Crosby, D. Wallach, and R. Riedi. Opportunities and limits of remote timing attacks. 2009. URL: https://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf.

[dW17]

R. de Wolf. The potential impact of quantum computers on society. 2017. URL: https://arxiv.org/abs/1712.05380, arXiv:1712.05380.

[DH76]

W. Diffie and M. Hellman. New directions in cryptography. 1976. URL: https://ee.stanford.edu/~hellman/publications/24.pdf.

[DVOW92]

W. Diffie, P. Van Oorschot, and M. Wiener. Authentication and authenticated key exchanges. 1992. URL: https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.6682.

[Doc16]

Cory Doctorow. The FBI wants a backdoor only it can use – but wanting it doesn't make it possible. 2016. URL: https://www.theguardian.com/technology/2016/feb/24/the-fbi-wants-a-backdoor-only-it-can-use-but-wanting-it-doesnt-make-it-possible.

[DR09]

T. Duong and J. Rizzo. Flickr's API signature forgery vulnerability. 2009. URL: https://web.archive.org/web/20220202233901/https://netifera.com/research/flickr_api_signature_forgery.pdf.

[FS16]

N. Ferguson and B. Schneier. A cryptographic evaluation of IPsec. 2016. URL: https://www.schneier.com/wp-content/uploads/2016/02/paper-ipsec.pdf.

[FSK10]

Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering, chapter Fortuna. John Wiley & Sons, 2010. URL: https://www.schneier.com/wp-content/uploads/2015/12/fortuna.pdf.

[FMS01]

Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. 2001. URL: https://link.springer.com/chapter/10.1007/3-540-45537-X_1.

[FVC14]

Dan Froomkin and Natasha Vargas-Cooper. The FBI director's evidence against encryption is pathetic. 2014. URL: https://theintercept.com/2014/10/17/draft-two-cases-cited-fbi-dude-dumb-dumb/.

[GNST22]

D. Genkin, N. Nissan, R. Schuster, and E. Tromer. Lend me your ear: passive remote physical side channels on PCs. 2022. URL: https://www.usenix.org/conference/usenixsecurity22/presentation/genkin.

[GS21]

Matthew D. Green and Alex Stamos. Apple wants to protect children. but it’s creating serious privacy risks. 2021. URL: https://www.nytimes.com/2021/08/11/opinion/apple-iphones-privacy.html.

[GLL19]

S. Gueron, A. Langley, and Y. Lindell. AES-GCM-SIV: nonce misuse-resistant authenticated encryption. 2019. URL: https://datatracker.ietf.org/doc/html/rfc8452.

[HDWH12]

N. Heninger, Z. Durumeric, E. Wustrow, and J. Halderman. Minding your Ps and Qs: detection of widespread weak keys in network devices. 2012. URL: https://factorable.net/weakkeys12.conference.pdf.

[IT88]

T. Itoh and S. Tsujii. A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases. 1988. URL: https://www.sciencedirect.com/science/article/pii/0890540188900247.

[JS13]

Tom Jenkyns and Ben Stephenson. Fundamentals of Discrete Math for Computer Science, chapter Boolean Expressions, Logic, and Proof, page 121. Springer, 2013.

[Kel02]

J. Kelsey. Compression and information leakage of plaintext. 2002. URL: https://link.springer.com/chapter/10.1007/3-540-45661-9_21.

[KS04]

J. Kelsey and B. Schneier. Second preimages on n-bit hash functions for much less than 2^n work. 2004. URL: https://eprint.iacr.org/2004/304.pdf.

[Kra15]

David Kravets. UK prime minister wants backdoors into messaging apps or he'll ban them. 2015. URL: https://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/.

[Kra01]

H. Krawczyk. The order of encryption and authentication for protecting communications. 2001. URL: https://iacr.org/archive/crypto2001/21390309.pdf.

[Kra10]

H. Krawczyk. Cryptographic extraction and key derivation: the HKDF scheme. 2010. URL: https://eprint.iacr.org/2010/264.pdf.

[Kre22]

Brian Krebs. Hackers gaining power of subpoena via fake "emergency data requests". 2022. URL: https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/.

[LEcuyerS09]

Pierre L'Ecuyer and Richard Simard. TestU01. 2009. URL: http://simul.iro.umontreal.ca/testu01/tu01.html.

[LMQ+03]

L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone. An efficient protocol for authenticated key agreement. 2003. URL: https://link.springer.com/article/10.1023/A:1022595222606.

[LRW02]

M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers. 2002. URL: https://people.eecs.berkeley.edu/~daw/papers/tweak-crypto02.pdf.

[Man01]

J. Manger. A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1 v2.0. 2001. URL: https://link.springer.com/content/pdf/10.1007/3-540-44647-8_14.pdf.

[Mar11]

M. Marlinspike. The cryptographic doom principle. 2011. URL: https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html.

[Mat93]

M. Matsui. Linear cryptanalysis method for DES cipher. 1993. URL: https://link.springer.com/chapter/10.1007/3-540-48285-7_33.

[MV]

D. McGrew and J. Viega. The Galois/Counter Mode of operation (GCM). URL: https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf.

[MDK14]

B. Möller, T. Duong, and K. Kotowicz. This POODLE bites: exploiting the SSL 3.0 fallback. 2014. URL: https://www.openssl.org/~bodo/ssl-poodle.pdf.

[NA21]

Ellen Nakashima and Reed Albergotti. An Australian hacking firm solved the FBI's iPhone problem. 2021. URL: https://www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/.

[NSS+17]

M. Nemec, M. Sys, P. Svenda, D. Klinec, and V. Matyas. The return of Coppersmith's attack: practical factorization of widely used RSA moduli. 2017. URL: https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf.

[NL18]

Yoav Nir and Adam Langley. ChaCha20 and Poly1305 for IETF protocols. 2018. URL: https://datatracker.ietf.org/doc/html/rfc8439.

[Owe21]

Malcolm Owen. German government wants Tim Cook to reconsider CSAM plans. 2021. URL: https://appleinsider.com/articles/21/08/17/germany-writes-to-tim-cook-to-reconsider-csam-plans.

[PPK21]

Nilay Patel, Riana Pfefferkorn, and Jen King. Here's why Apple's new child safety features are so controversial. 2021. URL: https://www.theverge.com/22617554/apple-csam-child-safety-features-jen-king-riana-pfefferkorn-interview-decoder.

[P+]

D. Poddebniak and others. Efail: breaking S/MIME and OpenPGP email encryption using exfiltration channels. 2018. URL: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-poddebniak.pdf.

[Pta19]

T. Ptacek. The PGP problem. 2019. URL: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html.

[Reg24]

O. Regev. An efficient quantum factoring algorithm. 2024. URL: https://arxiv.org/abs/2308.06572, arXiv:2308.06572.

[SC14]

David E. Sanger and Brian X. Chen. Signaling post-Snowden era, new iPhone locks out N.S.A. 2014. URL: https://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html.

[Sch94]

Bruce Schneier. Description of a new variable-length key, 64-bit block cipher (Blowfish). 1994. URL: https://www.schneier.com/academic/archives/1994/09/description_of_a_new.html.

[Sch96a]

Bruce Schneier. Applied Cryptography, chapter Algorithm Types and Modes. John Wiley & Sons, Inc., 1996.

[Sch96b]

Bruce Schneier. Applied Cryptography, chapter Data Encryption Standard (DES). John Wiley & Sons, 1996.

[Sch07]

Bruce Schneier. The strange story of Dual_EC_DRBG. 2007. URL: https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html.

[Sch16]

Bruce Schneier. Decrypting an iPhone for the FBI. 2016. URL: https://www.schneier.com/blog/archives/2016/02/decrypting_an_i.html.

[SRW22]

A. Shakevsky, E. Ronen, and A. Wool. Trust dies in darkness: shedding light on Samsung’s TrustZone Keymaster design. 2022. URL: https://eprint.iacr.org/2022/208.pdf.

[Sho94]

P.W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science, pages 124–134. 1994. doi:10.1109/SFCS.1994.365700.

[SF07]

Dan Shumow and Niels Ferguson. On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. 2007. URL: http://rump2007.cr.yp.to/15-shumow.pdf.

[Ska04]

Matthew Skala. What Colour are your bits? 2004. URL: https://ansuz.sooke.bc.ca/entry/23.

[S+09]

A. Sotirov and others. MD5 considered harmful today. 2009. URL: https://www.win.tue.nl/hashclash/rogue-ca/.

[S+17]

M. Stevens and others. SHAttered. 2017. URL: https://shattered.io/.

[TW15]

B. Tao and H. Wu. Improving the biclique cryptanalysis of AES. 2015. URL: https://link.springer.com/chapter/10.1007/978-3-319-19962-7_3.

[TM14]

Craig Timberg and Greg Miller. FBI blasts Apple, Google for locking police out of phones. 2014. URL: https://www.washingtonpost.com/business/technology/2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_story.html.

[VP15]

Mathy Vanhoef and Frank Piessens. RC4 NOMORE. 2015. URL: https://www.rc4nomore.com/.

[Vau02]

S. Vaudenay. Security flaws induced by CBC padding: applications to SSL, IPSEC, WTLS... 2002. URL: https://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf.

[WT99]

A. Whitten and J. Tygar. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. 1999. URL: https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/USENIX.pdf.

[XLF13]

T. Xie, F. Liu, and D. Feng. Fast collision attack on MD5. 2013. URL: https://eprint.iacr.org/2013/170.pdf.

[Yad15]

Danny Yadron. Obama sides with Cameron in encryption fight. 2015. URL: https://www.wsj.com/articles/BL-DGB-39944.