[dwils098]

DES : - (Matsui, M. (1994, January). Linear cryptanalysis method for DES cipher. In Advances in Cryptology—EUROCRYPT’93 (pp. 386-397). Springer Berlin Heidelberg.)

- Biham, E., & Shamir, A. (1991). Differential cryptanalysis of DES-like cryptosystems. Journal of CRYPTOLOGY, 4(1), 3-72.

AES : - Billet, O., Gilbert, H., & Ech-Chatbi, C. (2005, January). Cryptanalysis of a white box AES implementation. In Selected Areas in Cryptography (pp. 227-240). Springer Berlin Heidelberg.

- Bogdanov, A., Khovratovich, D., & Rechberger, C. (2011). Biclique cryptanalysis of the full AES. In Advances in Cryptology–ASIACRYPT 2011 (pp. 344-371). Springer Berlin Heidelberg.

[tptacek]

Billet attacks a white-box construction, not AES itself. White box cryptography involves allowing the attacker access to both the algorithm and the key; you can think of it as a mathematical abstraction of a tamper-proof smartcard. It's not a cryptanalysis of AES.

[brohee]

DES, never approved for classified data.

The biclique attack on AES looks a lot more impractical than the results on GOST... Looks like O(2^124) time complexity and a stupendous amount of data if I scanned the paper properly....