D. A. McGrew and J. Viega, "The Galois/Counter Mode of operation (GCM).", http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf.
R. Abarzúa, C. Valencia and J. López, "Survey for Performance & Security Problems of Passive Side-channel Attacks Countermeasures in ECC", https://eprint.iacr.org/2019/010.pdf
A. Antipa, D. Brown, A. Menezes, R. Struik, S. Vanstone, "Validation of Elliptic Curve Public Keys", PKC 2003, https://www.iacr.org/archive/pkc2003/25670211/25670211.pdf
T. Akishita, T. Takagi, "Zero-Value Point Attacks on Elliptic Curve Cryptosystem", ISC 2003, pp. 218-233. https://www-old.cdc.informatik.tu-darmstadt.de/reports/TR/TI-03-01.zvp.pdf
I. Biehl, B. Meyer, V. Müller, "Differential Fault Attacks on Elliptic Curve Cryptosystems", CRYPTO 2000, pp. 131-146.
M. Bellare, P. Rogaway, "Encode-Then-Encipher Encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography", Asiacrypt 2000, pp. 317-330.
J. Fried, P. Gaudry, N. Heninger, E. Thomé, "A kilobit hidden SNFS discrete logarithm computation", Eurocrypt 2017. http://eprint.iacr.org/2016/961.pdf
L. Goubin, "A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems", PKC 2003, pp. 199-210, https://www.iacr.org/archive/pkc2003/25670199/25670199.pdf
D. M. Gordon, "Designing and detecting trapdoors for discrete log cryptosystems", CRYPTO '92, pp. 66-75.
D. Genkin, L. Pachmanov, I. Pipman, E. Tromer, "ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs", CT-RSA 2016, http://cs.tau.ac.il/~tromer/papers/ecdh.pdf
C. H. Lim, P. J. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup", CRYPTO '98, pp. 249-263.
A. Joux, "Authentication failures in NIST version of GCM", http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf.
N. Ferguson, "Authentication weaknesses in GCM", https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf
N. A. Howgrave-Graham, N. P. Smart, "Lattice Attacks on Digital Signature Schemes", HP Labs Technical Report HPL-1999-90, http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
H. Krawczyk, "Cryptographic extraction and key derivation: the HKDF scheme", https://eprint.iacr.org/2010/264.pdf
P. Nguyen, "Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3", Eurocrypt 2004, https://www.iacr.org/archive/eurocrypt2004/30270550/ProcEC04.pdf
A. M. Odlyzko, "The rise and fall of knapsack cryptosystems", Cryptology and Computational Number Theory, pp.75-88, 1990
P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman key agreement with short exponents", Eurocrypt '96, pp. 332-343.
D. Adrian et al., "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", CCS '15, pp. 5-17. https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
A thorough measurement of deployed DH groups. Misconfigurations the paper reports include: p is composite; p-1 has no large prime factor (so the discrete logarithm splits into small subproblems via Pohlig-Hellman); the subgroup order q is used in place of the generator g.
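The checks a practitioner would want to run against received or configured DH parameters, covering the three misconfigurations above plus the generator's subgroup membership. This is an added example, not code from the paper or from any library; the group sizes used in the usage block are toy-sized so it runs instantly, and the smooth_bound parameter exists only so those toy groups can be checked with the same function.

```python
import random

# Primes below 2000, used for trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(2, 2000)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]
_RNG = random.Random(2019)  # Miller-Rabin witnesses; any source will do here


def is_probable_prime(n, rounds=40):
    """Trial division by SMALL_PRIMES, then `rounds` rounds of Miller-Rabin."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p, g, q=None, smooth_bound=2 ** 16):
    """Return a list of problems with the DH group (p, g[, q]); [] means every check passed.

    Factors below smooth_bound are stripped from p-1 before asking whether a large
    prime factor remains (keep the default for real-world groups)."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is composite")
        return problems
    cofactor = p - 1
    for f in range(2, smooth_bound):
        while cofactor % f == 0:
            cofactor //= f
    if cofactor == 1:
        problems.append("p-1 is smooth, so Pohlig-Hellman breaks the group")
    elif not is_probable_prime(cofactor):
        problems.append("could not confirm a large prime factor of p-1")
    if g <= 1 or g >= p - 1:
        problems.append("g is trivial (order 1 or 2)")
    if q is not None:
        if g == q:
            problems.append("the subgroup order q was used as the generator g")
        if not is_probable_prime(q) or (p - 1) % q != 0:
            problems.append("q is not a prime divisor of p-1")
        elif pow(g, q, p) != 1:
            problems.append("g does not lie in the subgroup of order q")
    return problems


def gen_safe_prime(bits, rng):
    """Search for p = 2q + 1 with both p and q prime (toy generator for the demo)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


if __name__ == "__main__":
    p, q = gen_safe_prime(128, random.Random(1))
    print(check_dh_params(p, 4, q))    # []: 4 = 2^2 is a square, hence in the order-q subgroup
    print(check_dh_params(65537, 3))   # p-1 = 2^16 is smooth
    print(check_dh_params(p, q, q))    # q passed as the generator
```

For a received group without an explicit q (PKCS #3 style parameters), the cofactor check is the only evidence that the group has a large prime-order subgroup; if it reports that it cannot confirm one, treat the parameters as untrusted rather than merely logging it.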
"The Eurocrypt '92 Controversial Issue: Trapdoor Primes and Moduli", EUROCRYPT '92, LNCS 658, pp. 194-199.
D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1", CRYPTO '98.
J. Manger, "A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized in PKCS #1 v2.0", CRYPTO 2001.
This paper shows that OAEP as specified in PKCS #1 v2.0 is susceptible to a chosen ciphertext attack if error messages (or timing) distinguish between different failure conditions, in particular whether the decrypted integer is at least 2^(8(k-1)), i.e. whether its first byte is nonzero.
N. Smart, "Errors matter: Breaking RSA-based PIN encryption with thirty ciphertext validity queries", CT-RSA 2010.
This paper shows that padding oracle attacks can succeed with a very small number of queries when the plaintext is highly structured, as in PIN encryption: about thirty ciphertext validity queries suffice.
V. Klima, O. Pokorný, T. Rosa, "Attacking RSA-based Sessions in SSL/TLS", CHES 2003, https://eprint.iacr.org/2003/052/
R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, G. Steel, J. K. Tsay, "Efficient padding oracle attacks on cryptographic hardware", CRYPTO 2012.
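The attack in the Manger entry above, carried through end to end, as an added example that is not code from the paper or from any library. The decryptor models a PKCS #1 v2.0 implementation whose first check (is the decrypted integer below B = 2^(8(k-1))?) fails differently from the later OAEP decoding checks; the attacker sees only that one bit. The key is a constructed toy one built from two Mersenne primes so that the block runs in well under a second, and the query counter makes the cost of the leak visible.

```python
"""Manger's CCA against RSA-OAEP with a 'first byte is zero?' error oracle."""
import random

P_TOY = (1 << 127) - 1            # Mersenne primes: constructed toy key, not a real one
Q_TOY = (1 << 107) - 1
N = P_TOY * Q_TOY
E = 65537
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))
K = (N.bit_length() + 7) // 8     # modulus length in bytes
B = 1 << (8 * (K - 1))            # the attack needs 2B < N, which holds here


def ceil_div(a, b):
    return -(-a // b)


class LeakyDecryptor:
    """Holds the private key; answers only whether c^d mod n < B (first byte 0x00).

    A real decoder would go on to OAEP decoding; the attack needs nothing but this bit,
    leaked through a distinguishable error message or a timing difference."""

    def __init__(self, d, n):
        self.d, self.n, self.queries = d, n, 0

    def first_byte_is_zero(self, c):
        self.queries += 1
        return pow(c, self.d, self.n) < B


def manger_attack(c, n, e, oracle):
    """Recover m = c^d mod n (with m < B) from the oracle, following the paper's three steps."""
    # Step 1: f1 = 2^i such that f1*m lies in [B, 2B).
    f1 = 2
    while oracle(pow(f1, e, n) * c % n):
        f1 *= 2
    # Step 2: f2 such that f2*m lies in [n, n + B).
    f2 = (n + B) // B * (f1 // 2)
    while not oracle(pow(f2, e, n) * c % n):
        f2 += f1 // 2
    # Step 3: m is now confined to [m_min, m_max]; each query halves that interval.
    m_min, m_max = ceil_div(n, f2), (n + B) // f2
    while m_min < m_max:
        f_tmp = (2 * B) // (m_max - m_min)
        i = f_tmp * m_min // n
        f3 = ceil_div(i * n, m_min)
        if oracle(pow(f3, e, n) * c % n):      # f3*m - i*n < B
            m_max = (i * n + B) // f3
        else:
            m_min = ceil_div(i * n + B, f3)
    return m_min


def demo(seed=42):
    """Encrypt a constructed OAEP-shaped block (leading 0x00 byte) and recover it."""
    rng = random.Random(seed)
    m = int.from_bytes(bytes([0]) + bytes(rng.randrange(256) for _ in range(K - 1)), "big")
    c = pow(m, E, N)
    decryptor = LeakyDecryptor(D, N)
    recovered = manger_attack(c, N, E, decryptor.first_byte_is_zero)
    return m, recovered, decryptor.queries


if __name__ == "__main__":
    m, recovered, queries = demo()
    print(recovered == m, queries)
```

The query count comes out close to the bit length of the modulus, which is why the fix is not to rate-limit but to make every decryption failure indistinguishable, as PKCS #1 v2.1 and later require.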
Yearly Report on Algorithms and Keysizes (2011-2012), http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
NIST SP 800-38D, "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
NIST SP 800-56A, revision 2, May 2013. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
NIST SP 800-57 Part 1, revision 4, "Recommendation for Key Management", http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
NIST SP 800-131A, revision 2, "Transitioning the Use of Cryptographic Algorithms and Key Lengths", https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf Some notable changes in revision 2: keys with less than 112 bits of security are now disallowed; EdDSA will be added with FIPS 186-5; TDES is disallowed after 2023; RSA PKCS #1 v1.5 for encryption is disallowed after 2023.
Enisa, "Algorithms, key size and parameters report – 2014" https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
National Institute of Standards and Technology, FIPS PUB 186-4, "Digital Signature Standard (DSS)", July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
"PKCS #3, Diffie–Hellman Key Agreement". http://uk.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-3-diffie-hellman-key-agreement-standar.htm
Alibaba 2.0 generated RSA key pairs with exponent 1, for which the corresponding RSA operation is the identity map.
The Java JSSE provider leaked information through exceptions and timing; both the PKCS #1 v1.5 padding and the OAEP padding were exploitable as padding oracles (C. Meyer, dissertation, Ruhr-Universität Bochum): http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/MeyerChristopher/diss.pdf
Utimaco HSMs vulnerable to invalid curve attacks.
The Bouncy Castle Java library before 1.51 does not validate that a point is on the elliptic curve, allowing an "invalid curve attack" (CVE-2015-7940).
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm (CVE-2016-9121).
Bug in elliptic curve point addition in mixed Jacobian-affine coordinates: the mixed-addition formula assumes P != Q, so the case P = Q must be routed to the doubling formula. Firefox and Java instead returned the point at infinity when a point was added to itself.
node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack.
The AES-GCM implementation in JDK 9 handled the wrap-around of the 32-bit block counter in the CTR component incorrectly.
Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange (Biham and Neumann, "Fixed Coordinate Invalid Curve Attack", CVE-2018-5383) http://www.cs.technion.ac.il/~biham/BT/
golang crypto/elliptic: the amd64 P-256 scalar multiplication had an arithmetic error that allows recovering private keys with an adaptive chosen message attack (CVE-2017-8932, fixed in Go 1.7.6 and 1.8.2).
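The invalid curve attack behind the Bouncy Castle, go-jose, node-jose, Utimaco and Bluetooth entries above, demonstrated end to end together with the point-validation check that stops it. This is an added example, not code from any of those projects: the curve is a constructed toy one over F_1019 so that point orders can be brute-forced, the victim is a stand-in that returns d*Q with or without validation, and the affine formulas have the same essential property as real implementations: they never use the coefficient b, so a point from y^2 = x^3 + a x + b' is multiplied "correctly" inside that other, weaker group. The P == Q branch in ec_add is the case the mixed-coordinate bug above got wrong.

```python
"""Invalid-curve attack on ECDH without point validation (toy curve, brute-forced orders)."""
import itertools
import random
from math import isqrt

PRIME = 1019      # field prime, 3 mod 4 so square roots are one exponentiation
A, B = 2, 3       # the genuine curve y^2 = x^3 + A x + B (constructed example)


def ec_add(P1, P2, p=PRIME, a=A):
    """Affine addition; None is the point at infinity. P1 == P2 must use the doubling
    formula: returning infinity there was the Firefox/Java bug. b never appears."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt, p=PRIME, a=A):
    acc = None                                  # plain double-and-add, not constant time
    while k:
        if k & 1:
            acc = ec_add(acc, pt, p, a)
        pt = ec_add(pt, pt, p, a)
        k >>= 1
    return acc


def is_on_curve(pt, p=PRIME, a=A, b=B):
    """The missing check: coordinates in range and y^2 == x^3 + a x + b."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - x ** 3 - a * x - b) % p == 0


def point_order(pt, p=PRIME, a=A):
    k, acc = 1, pt
    while acc is not None:
        acc, k = ec_add(acc, pt, p, a), k + 1
    return k


def points_on(b, p=PRIME, a=A):
    for x in range(p):                          # points of y^2 = x^3 + a x + b, increasing x
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            yield (x, y)


def crt(residues):
    x, mod = 0, 1                               # Garner's method over pairwise coprime moduli
    for v, r in residues:
        x, mod = x + mod * ((v - x) * pow(mod, -1, r) % r), mod * r
    return x


def make_ecdh(d, validate):
    """Victim side, returning d*peer. (A real x-only secret leaves a +-k ambiguity per residue.)"""
    def ecdh(peer):
        if validate and not is_on_curve(peer):
            raise ValueError("peer point is not on the curve")
        return ec_mul(d, peer)
    return ecdh


def invalid_curve_attack(ecdh, bound, p=PRIME, a=A, b=B):
    """Recover d < bound from an ECDH oracle that does not validate its input."""
    residues, known, b_bad = [], 1, 0
    while known <= bound:
        b_bad += 1                              # next candidate curve y^2 = x^3 + a x + b_bad
        if b_bad == b or (4 * a ** 3 + 27 * b_bad ** 2) % p == 0:
            continue                            # must differ from the real curve and be non-singular
        for pt in itertools.islice(points_on(b_bad, p, a), 6):
            m = point_order(pt, p, a)
            for r in (r for r in range(2, m + 1)  # prime factors of m not yet used
                      if m % r == 0 and all(r % f for f in range(2, isqrt(r) + 1))
                      and r not in {u for _, u in residues}):
                q = ec_mul(m // r, pt, p, a)    # point of prime order r on the bad curve
                shared = ecdh(q)                # victim computes d*q with its own formulas
                k = next(k for k in range(r) if ec_mul(k, q, p, a) == shared)
                residues.append((k, r))         # k == d mod r
                known *= r
                if known > bound:
                    return crt(residues)
    return crt(residues)


def demo(seed=7):
    bound = PRIME + 1 + 2 * isqrt(PRIME)        # Hasse bound: the group order is below this
    d = random.Random(seed).randrange(1, bound)
    recovered = invalid_curve_attack(make_ecdh(d, validate=False), bound)
    try:
        invalid_curve_attack(make_ecdh(d, validate=True), bound)
        rejected = False
    except ValueError:                          # hardened victim refuses the first bad point
        rejected = True
    return d, recovered, rejected
```

On a real curve the attacker precomputes curves y^2 = x^3 + a x + b' whose orders have small prime factors and collects d mod r for enough of them to exceed the group order; the victim never notices because each exchange looks like a normal ECDH. Checking that the peer point satisfies the curve equation (and, for cofactor curves, that it lies in the prime-order subgroup) before using it is the whole fix.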