\bibitem{1} WANG X, YU H. How to break MD5 and other hash functions[C]. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2005: 19--35.
\bibitem{2} WANG X, YIN Y L, YU H. Finding collisions in the full SHA-1[C]. In: Annual International Cryptology Conference. Springer Berlin Heidelberg, 2005: 17--36.
\bibitem{3} STEVENS M, BURSZTEIN E, KARPMAN P, et al. The first collision for full SHA-1[J]. Cryptology ePrint Archive, Report 2017/190, 2017.
\bibitem{4} ISOBE T, SHIBUTANI K. Preimage attacks on reduced Tiger and SHA-2[C]. In: Proceedings of 16th International Workshop on Fast Software Encryption. Springer Berlin Heidelberg, 2009: 139--155.
\bibitem{5} GUO J, LING S, RECHBERGER C, et al. Advanced meet-in-the-middle preimage attacks: first results on full Tiger, and improved results on MD4 and SHA-2[C]. In: Proceedings of 16th International Conference on the Theory and Application of Cryptology and Information Security. Springer Berlin Heidelberg, 2010: 56--75.
\bibitem{6} KHOVRATOVICH D, RECHBERGER C, SAVELIEVA A. Bicliques for preimages: attacks on Skein-512 and the SHA-2 family[C]. In: Proceedings of 19th International Workshop on Fast Software Encryption. Springer Berlin Heidelberg, 2012: 244--263.
\bibitem{7} MENDEL F, PRAMSTALLER N, RECHBERGER C, et al. Analysis of step-reduced SHA-256[C]. In: Proceedings of 13th International Workshop on Fast Software Encryption. Springer Berlin Heidelberg, 2006: 126--143.
\bibitem{8} SANADHYA S K, SARKAR P. New collision attacks against up to 24-step SHA-2[C]. In: Proceedings of 9th International Conference on Cryptology in India, 2008. Springer Berlin Heidelberg, 2008: 91--103.
\bibitem{9} NIKOLIC I, BIRYUKOY A. Collisions for step-reduced SHA-256[C]. In: Proceedings of 15th International Workshop on Fast Software Encryption. Springer Berlin Heidelberg, 2008: 1--15.
\bibitem{10} INDESTEEGE S, MENDEL F, PRENEEL B, et al. Collisions and other non-random properties for step-reduced SHA-256[C]. In: Proceedings of 15th International Workshop on Selected Areas in Cryptography. Springer Berlin Heidelberg, 2008: 276--293.
\bibitem{11} MENDEL F, NAD T, SCHLAFFER M. Finding SHA-2 characteristics: searching through a minefield of contradictions[C]. In: Advances in Cryptology–ASIACRYPT 2011. Springer Berlin Heidelberg, 2011: 288--307.
\bibitem{12} MENDEL F, NAD T, SCHLAFFER M. Improving local collisions: new attacks on reduced SHA-256[C]. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2013: 262--278
\bibitem{13} BERTONI G, DAEMEN J, PEETERS M, et al. The keccak sha-3 submission[R]. submission to NIST (round3)(2011).
\bibitem{14} DINUR I, DUNKELMAN O, SHAMIR A. New attacks on keccak-224 and keccak-256[C]. In: Fast Software Encryption. Springer Berlin Heidelberg,2012: 442--461.
\bibitem{15} DINUR I, DUNKELMAN O, SHAMIR A. Collision attacks on up to 5 rounds of sha-3 using generalized internal differentials[C]. In: Fast Software Encryption. Springer Berlin Heidelberg, 2013: 219--240.
\bibitem{16} NAVA-PLASENCIA M, RÖCK A, et al. Practical analysis of reduced-round Keccak[C]. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. Springer Berlin Heidelberg, 2011: 236–254.
\bibitem{17} MORAWIECKI P, PIEPRZYK, SREBRNY M. Rotational cryptanalysis of round-reduced Keccak[J]. In: International Workshop on Fast Software Encryption. Springer Berlin Heidelberg, 2013: 241--262.
\bibitem{18} GUO J, LIU M, SONG L. Linear structures: applications to cryptanalysis of round-reduced Keccak[C]. In: Advances in Cryptology---ASIACRYPT 2016. Springer Berlin Heidelberg, 2016: 249--274.
\bibitem{19} AUMASSON J P, MEIER W. Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi[C]. In: Rump Session of Cryptographic Hardware and Embedded Systems---CHES 2009. Springer Berlin Heidelberg, 2009: 67.
\bibitem{20} BOURA C, CANTEAUT A. Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256[C]. In: Proceedings of the 17th International Workshop on Selected Areas in Cryptography 2010. LNCS Springer Press, 2010: 1--17.
\bibitem{21} DUAN M, LAI X J. Improved zero-sum distinguisher for full round Keccak-f permutation[J]. Chinese Science Bulletin, 2012, 57(6): 694--697.
\bibitem{22} DUC A, GUO J, PEYRIN T, et al. Unaligned rebound attack: application to keccak[C]. In: Fast Software Encryption---FSE 2012. Springer Berlin Heidelberg, 2012: 402–421.
\bibitem{23} JEAN J, NIKOLIĆ I. Internal Dierential boomerangs: practical analysis of the round-reduced Keccak-f permutation[C]. In: Fast Software Encryption---FSE 2015. Springer Berlin Heidelberg, 2015: 537--556.
\bibitem{24} NAVA-PLASENCIA M, RÖCK A, Willi M. Practical analysis of reduced-round keccak[C]. In: Progress in Cryptology---INDOCRYPT 2011. Springer Berlin Heidelberg, 2011: 236--254.
\bibitem{25} DAS S, MEIER W. Differential biases in reduced-round keccak[C]. In Progress in Cryptology---AFRICACRYPT 2014. Springer Berlin Heidelberg, 2014: 69--87.
\bibitem{26} DINUR I, MORAWIECKI P, PIEPRZYK J, et al. Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function[C]. In: Advances in Cryptology---EUROCRYPT 2015. Springer Berlin Heidelberg, 2015: 733--761.
\bibitem{27} HUANG S Y, WANG X, XU G W, et al. Conditional cube attack on reduced-round keccak sponge function[J]. Cryptology ePrint Archive, Report 2016/790, 2016.
\bibitem{28} DINUR I, DUNKELMAN O, SHAMIR A. Improved practical attacks on round-reduced Keccak[J]. Journal of Cryptology, 2014, 27(2): 183--209.