D. A. McGrew and J. Viega, "The Galois/Counter Mode of operation (GCM).", https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
R. Abarzúa, C. Valencia and J. López, "Survey for Performance & Security Problems of Passive Side-channel Attacks Countermeasures in ECC", https://eprint.iacr.org/2019/010.pdf
A. Antipa, D. Brown, A. Menezes, R. Struik, S. Vanstone, "Validation of Elliptic Curve Public Keys", PKC 2003, https://www.iacr.org/archive/pkc2003/25670211/25670211.pdf
T. Akishita, T. Takagi, "Zero-Value Point Attacks on Elliptic Curve Cryptosystem", ISC 2003, pp. 218-233. https://download.hrz.tu-darmstadt.de/pub/FB20/Dekanat/Publikationen/CDC/TI-03-01.zvp.pdf
I. Biehl, B. Meyer, V. Müller, "Differential Fault Attacks on Elliptic Curve Cryptosystems", Crypto '00, pp. 131-164
M. Bellare, P. Rogaway, "Encode-Then-Encipher Encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography", Asiacrypt 2000, pp. 317-330.
J. Breitner and N. Heninger, "Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies", https://eprint.iacr.org/2019/023
D. R. L. Brown "What Hashes Make RSA-OAEP Secure?", IACR e-print, 2007, https://eprint.iacr.org/2006/223.pdf
R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, G. Steel, J.K. Tsay, "Efficient padding oracle attacks on cryptographic hardware", Crypto 2012
D. Detering, J. Somorovsky, C. Mainka, V. Mladenov, J. Schwenk "On The (In-)Security Of JavaScript Object Signing And Encryption" https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/10/17/main.pdf
N. Ferguson, "Authentication weaknesses in GCM", https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf
J. Fried, P. Gaudry, N. Heninger, E. Thomé, "A kilobit hidden SNFS discrete logarithm computation", https://eprint.iacr.org/2016/961.pdf
L. Goubin, "A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems", PKC’03, pp. 199–210, https://www.iacr.org/archive/pkc2003/25670199/25670199.pdf
D. M. Gordon. "Designing and detecting trapdoors for discrete log cryptosystems." CRYPTO’92, pp. 66–75.
D. Genkin, L. Pachmanov, I. Pipman, E. Tromer, "ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs", http://cs.tau.ac.il/~tromer/papers/ecdh.pdf
N.A. Howgrave-Graham, N.P. Smart, "Lattice Attacks on Digital Signature Schemes", https://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
A. Joux, "Authentication failures in NIST version of GCM", http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf.
C.H. Lim and P.J. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup", CRYPTO '98, pp. 249-263.
V. Klima, O. Pokorny, and T. Rosa, "Attacking RSA-based Sessions in SSL/TLS", https://eprint.iacr.org/2003/052/
H. Krawczyk, "Cryptographic extraction and key derivation: the HKDF scheme", https://eprint.iacr.org/2010/264.pdf
Neil Madden, "CVE-2022-21449: Psychic Signatures in Java", https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
I. Nikolić, "Tiaoxin-346", CAESAR submission, https://competitions.cr.yp.to/round3/tiaoxinv21.pdf
P. Nguyen, “Can we trust cryptographic software? Cryptographic flaws in Gnu privacy guard 1.2.3”, Eurocrypt 2004, https://www.iacr.org/archive/eurocrypt2004/30270550/ProcEC04.pdf
P.Q. Nguyen and I.E. Shparlinski, "The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces", Designs, Codes and Cryptography, 30, 201-217, 2003
E. Ronen, R. Gillham, D. Genkin, A. Shamir, D. Wong, Y. Yarom, "The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations", https://eprint.iacr.org/2018/1173.pdf
A. M. Odlyzko, "The rise and fall of knapsack cryptosystems", Cryptology and Computational Number Theory, pp.75-88, 1990
P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman key agreement with short exponents", Eurocrypt '96, pp. 332-343.
D. Adrian et al., "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", CCS '15, pp. 5-17. https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
A good analysis of various DH implementations. Some misconfigurations pointed out in the paper: p is composite; p-1 has no large prime factor (so discrete logs in the group are easy via Pohlig-Hellman); the subgroup order q is used as the generator instead of g.
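The three misconfigurations above are all caught by routine parameter validation. The following added example (not code from the paper or from any library) checks a finite-field DH group (p, q, g) and a peer's public value the way SP 800-56A describes; the groups it is run on are constructed toy values, small enough to see why each one fails, and the minimum subgroup size is a parameter because the toy q is tiny.

```python
# Added example: validation of finite-field Diffie-Hellman parameters.
# Not code from the Wycheproof project or from the cited paper. The toy
# groups in demo() are constructed; for real use take e.g. the RFC 7919
# groups, where p is a safe prime and q = (p-1)/2.
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin. Probabilistic for large n: True means 'probably prime'."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dh_group(p, q, g, min_q_bits=0):
    """Return None if (p, q, g) passes, else the name of the first failed check.

    Checking that q is prime, large, and divides p-1 is how 'p-1 has a large
    prime factor' is verified in practice: nobody factors p-1 at 2048 bits."""
    if not is_probable_prime(p):
        return "p is composite"
    if not is_probable_prime(q):
        return "q is composite"
    if (p - 1) % q:
        return "q does not divide p-1"
    if q.bit_length() < min_q_bits:
        return "q too small: p-1 has no large enough prime factor"
    if not 1 < g < p - 1:
        return "g out of range"
    if pow(g, q, p) != 1:
        # Catches a generator of the wrong order, including the 'q used as g' case.
        return "g does not generate the order-q subgroup"
    return None


def validate_dh_public(p, q, y):
    """Full public-key validation: range check plus subgroup membership test,
    which blocks small-subgroup confinement of the peer's value."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def demo():
    """Constructed toy groups illustrating each misconfiguration."""
    return {
        "good (p=23, q=11, g=2)": validate_dh_group(23, 11, 2),
        "q used as generator": validate_dh_group(23, 11, 11),
        "composite p": validate_dh_group(25, 11, 2),
        "smooth p-1 (p=257, p-1=2^8)": validate_dh_group(257, 2, 3, min_q_bits=8),
        "public value in subgroup": validate_dh_public(23, 11, 4),
        "public value p-1": validate_dh_public(23, 11, 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of the checks matters for the error you get, not for security; what matters is that all of them run before any exponentiation with the local secret.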
D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1", Crypto '98.
J. Manger, "A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized in PKCS #1 v2.0", Crypto 2001.
This paper shows that OAEP is susceptible to a chosen ciphertext attack if error messages distinguish between different failure conditions.
N. Smart, "Errors matter: Breaking RSA-based PIN encryption with thirty ciphertext validity queries", RSA conference, 2010.
This paper shows that padding oracle attacks can be successful with even a small number of queries.
S. Vaudenay, D. Vizár, "Under Pressure: Security of Caesar Candidates beyond their Guarantees" https://eprint.iacr.org/2017/1147.pdf
H. Wu, B. Preneel, "AEGIS: A fast authenticated encryption algorithm" CAESAR submission http://competitions.cr.yp.to/round1/aegisv1.pdf
Project Paranoid https://github.com/google/paranoid_crypto
"The Eurocrypt'92 Controversial Issue Trapdoor Primes and Moduli", EUROCRYPT '92, LNCS 658, pp. 194-199.
Yearly Report on Algorithms and Keysizes (2011-2012), http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
NIST SP 800-38D, "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
NIST SP 800-56A, revision 3, April 2018. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
NIST SP 800-57 Part 1, revision 5, "Recommendation for Key Management: Part 1 - General", https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
NIST SP 800-131A, revision 2, "Transitioning the Use of Cryptographic Algorithms and Key Lengths", https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf Some notable changes in revision 2: keys with less than 112 bits of security are now disallowed; EdDSA will be added with FIPS 186-5; TDES is disallowed after 2023; RSA PKCS #1 v1.5 encryption is disallowed after 2023.
ENISA, "Algorithms, key size and parameters report - 2014", https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
National Institute of Standards and Technology, "Digital Signature Standard (DSS)", July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
"PKCS #3, Diffie–Hellman Key Agreement". An RSA Laboratories Technical Note Version 1.4 Revised November 1, 1993
Alibaba 2.0 generated RSA key pairs with public exponent e = 1, so "encryption" with such a key is the identity map.
C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel, E. Tews, "Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks", USENIX Security 2014, https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-meyer.pdf The Java JSSE provider leaked information through exceptions and timing; both the PKCS #1 v1.5 padding and the OAEP padding were broken.
Utimaco HSMs vulnerable to invalid curve attacks.
The Bouncy Castle Java library before 1.51 does not validate a point is on the elliptic curve, allowing an "invalid curve attack".
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm.
Issue with elliptic curve addition in mixed Jacobian-affine coordinates: Firefox and Java both had implementations in which adding a point to itself through the general addition formula produced the point at infinity instead of 2P.
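The corner case behind that bug, as an added example (not the Firefox or Java code): the mixed Jacobian-affine addition formula computes H = U2 - X1 and r = S2 - Y1 and sets Z3 = Z1 * H, so when both inputs are the same point H and r are both zero and the output is (0, 0, 0), which a caller reads as the point at infinity. The curve y^2 = x^3 + 2x + 3 over F_97 and the points on it are constructed so the results can be checked by hand; the formulas are the standard ones and do not depend on the curve size.

```python
# Added example, not code from Firefox, Java or the Wycheproof project.
# Toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed). (3, 6) is a point of
# order 5 on it: 2P = (80, 10), 3P = (80, 87), 4P = (3, 91).
P_MOD = 97
A = 2
B = 3
INFINITY = (1, 1, 0)  # Jacobian representation of the point at infinity


def mixed_add_unchecked(p1, q):
    """Jacobian (X1, Y1, Z1) + affine (x2, y2) with the generic formula only.
    Bug pattern referred to above: if p1 == q then H == r == 0 and the result
    is (0, 0, 0), i.e. Z3 == 0, which is read as the point at infinity."""
    X1, Y1, Z1 = p1
    x2, y2 = q
    Z1Z1 = Z1 * Z1 % P_MOD
    H = (x2 * Z1Z1 - X1) % P_MOD            # U2 - X1
    r = (y2 * Z1Z1 * Z1 - Y1) % P_MOD       # S2 - Y1
    HH = H * H % P_MOD
    HHH = HH * H % P_MOD
    V = X1 * HH % P_MOD
    X3 = (r * r - HHH - 2 * V) % P_MOD
    Y3 = (r * (V - X3) - Y1 * HHH) % P_MOD
    Z3 = Z1 * H % P_MOD
    return (X3, Y3, Z3)


def double_jacobian(p1):
    """Jacobian doubling, valid for any a (uses a*Z^4)."""
    X1, Y1, Z1 = p1
    if Z1 == 0 or Y1 == 0:
        return INFINITY
    S = 4 * X1 * Y1 * Y1 % P_MOD
    M = (3 * X1 * X1 + A * pow(Z1, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P_MOD)) % P_MOD
    Z3 = 2 * Y1 * Z1 % P_MOD
    return (X3, Y3, Z3)


def mixed_add(p1, q):
    """Correct version: detect H == 0 before using the generic formula and
    dispatch to doubling (p1 == q) or infinity (p1 == -q)."""
    X1, Y1, Z1 = p1
    x2, y2 = q
    if Z1 == 0:
        return (x2, y2, 1)
    Z1Z1 = Z1 * Z1 % P_MOD
    if (x2 * Z1Z1 - X1) % P_MOD == 0:
        if (y2 * Z1Z1 * Z1 - Y1) % P_MOD == 0:
            return double_jacobian(p1)
        return INFINITY
    return mixed_add_unchecked(p1, q)


def to_affine(p1):
    """(X, Y, Z) -> (X/Z^2, Y/Z^3), or None for the point at infinity."""
    X, Y, Z = p1
    if Z == 0:
        return None
    zinv = pow(Z, -1, P_MOD)
    return (X * zinv * zinv % P_MOD, Y * pow(zinv, 3, P_MOD) % P_MOD)


if __name__ == "__main__":
    p = (3, 6, 1)
    print("buggy P+P:", to_affine(mixed_add_unchecked(p, (3, 6))))   # None
    print("fixed P+P:", to_affine(mixed_add(p, (3, 6))))             # (80, 10)
```

The test case to keep in a regression suite is exactly the one that triggers the bug: a scalar multiplication whose intermediate accumulator equals the point being added, which a random-scalar test almost never hits.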
node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack.
The AES-GCM implementation in JDK 9 handled overflow of the CTR block counter incorrectly.
E. Biham, L. Neumann, "Breaking the Bluetooth Pairing: The Fixed Coordinate Invalid Curve Attack", http://www.cs.technion.ac.il/~biham/BT/ Bluetooth implementations may not sufficiently validate elliptic curve points during the Diffie-Hellman key exchange.
golang/elliptic ECDH had an arithmetic error that allows private keys to be recovered with an adaptive chosen-message attack.
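The invalid curve entries above (Utimaco, Bouncy Castle, go-jose, node-jose, Bluetooth) all come down to the same omission: the group law never uses the curve coefficient b, so a point that lies on a different curve y^2 = x^3 + ax + b' is processed exactly like a valid one, and the result lives on the attacker's curve. The following added example (not code from Wycheproof or from any of the libraries named above) implements affine P-256 arithmetic, a naive ECDH that skips validation, and the public-key validation of Antipa et al. and SP 800-56A; the private scalar and the attacker's point are constructed values, and the attacker's b' is simply whatever that point implies rather than one chosen to have small-order points.

```python
# Added example, not code from the Wycheproof project or any cited library.
# Affine arithmetic on NIST P-256 (parameters from FIPS 186-4). The private
# scalar and the attacker's point below are constructed for the demonstration.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity


def add(p1, p2):
    """Group law in affine coordinates. b never appears: the same formulas
    work on every curve y^2 = x^3 + a*x + b', whatever b' is."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt, b=B):
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + b)) % P == 0


def validate_public_key(pt):
    """Full public-key validation (Antipa et al., SP 800-56A): not the identity,
    coordinates in range, on the curve, and n*Q = O. The last check is
    redundant on P-256 (cofactor 1) but matters on curves with a cofactor."""
    return on_curve(pt) and mul(N, pt) is INF


def attacker_point(x, y):
    """Constructed: any (x, y) lies on y^2 = x^3 - 3x + b' for
    b' = y^2 - x^3 + 3x mod p. A real attacker picks (x, y) so that this
    curve has points of small order and recovers priv modulo those orders."""
    b_prime = (y * y - x ** 3 - A * x) % P
    return (x, y), b_prime


def naive_ecdh(priv, peer):
    """Vulnerable: multiplies whatever point it is given."""
    return mul(priv, peer)


def validated_ecdh(priv, peer):
    if not validate_public_key(peer):
        raise ValueError("invalid public key")
    return mul(priv, peer)


def demo(priv=0x1f3c9e2b7a4d8c6e5f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f70):
    """Returns (shared point lies on the attacker's curve, validated ECDH rejected it).
    priv is a constructed private scalar."""
    q, b_prime = attacker_point(2, 3)       # constructed point, not on P-256
    shared = naive_ecdh(priv, q)            # naive code computes priv*q anyway
    on_attacker_curve = on_curve(shared, b_prime) and not on_curve(shared)
    try:
        validated_ecdh(priv, q)
        rejected = False
    except ValueError:
        rejected = True
    return on_attacker_curve, rejected


if __name__ == "__main__":
    print("G valid:", validate_public_key(G), "demo:", demo())
```

The on-curve check with the genuine b is the step every one of the listed bugs was missing; the n*Q = O check additionally rules out small-subgroup points on curves with a cofactor, and implementations that use x-only ladders need the equivalent twist check.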