Papers

I originally created this page to make some publications available that would otherwise be hard to find. This is still the case, but I also include some more recent publications I co-wrote and have something to say about. For the papers I published with other members of the Keccak team I refer to the Keccak team website. For a more extended list of publications you can have a look at DBLP and Google Scholar.

The design of Xoodoo and Xoofff

2019

Joan Daemen, Seth Hoffert, Gilles Van Assche and Ronny Van Keer

Keywords: design: primitives: permutation: Xoodoo, deck function: Xoofff

We were dreaming of a doubly-extendable cryptographic keyed (deck) function based on farfalle that could be called lightweight and saw that Keccak-p instances are either too wide or have a lane size unsuited for modern CPUs. We got inspired by the Gimli primitive and built a permutation with the dimensions of Gimli and the design philosophy of Keccak-p. This paper gives a rationale for the design of Xoodoo and the farfalle instance using it, Xoofff. I am very enthusiastic about Xoodoo and Xoofff!

Get the paper and bibtex from ToSC

Xoodoo cookbook

2018

Joan Daemen, Seth Hoffert, Gilles Van Assche and Ronny Van Keer

Keywords: design: primitives: permutation: Xoodoo, deck function: Xoofff, duplex object: Xoodyak, modes: deck-SANE, deck-SANSE, deck-WBC

We first presented Xoodoo at the Workshop on Elliptic Curve Cryptography in November 2017 in Nijmegen and made reference code available on GitHub. Nine months later we published this document on eprint, specifying Xoodoo and the deck function Xoofff. It also specifies two session authenticated encryption modes for deck functions and a wide tweakable block cipher mode, all to be instantiated with Xoofff. Recently, we added the specification of our duplex-based lightweight primitive Xoodyak.

Get the paper and bibtex from eprint

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers

2018

Joan Daemen, Bart Mennink and Gilles Van Assche

Keywords: modes: hashing, design, security reduction proofs: indifferentiability

We specify simple conditions for hashing modes to offer the best possible generic security and provide proofs for these super-tight security bounds. This is in my opinion the reference on the subject.

Get the paper and bibtex from ToSC

KangarooTwelve: Fast Hashing Based on Keccak-p

2018

Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, Ronny Van Keer, Benoît Viguier

Keywords: design: parallel hashing, primitives: KangarooTwelve

The sponge construction underlying Keccak is inherently serial, which prevents it from fully exploiting the massive parallelism available on modern high-end CPUs. Moreover, the Keccak-f permutation in Keccak has an overly conservative number of rounds: 24. We built KangarooTwelve to address both issues: it obtains parallelism through tree hashing, with as underlying compression function a Keccak variant that uses the 12-round Keccak-p as its permutation.

Get the paper from eprint and bibtex from DBLP

Column Parity Mixers

2018

Ko Stoffelen and Joan Daemen

Keywords: design: mixing layer, alignment, inverse

In recent years we have witnessed an explosion of publications on lightweight MDS matrices. At the end of the previous century I thought MDS mixing layers were the way to go, but now I know bit-oriented mappings are better. In this paper, Ko and I study the properties of my favourite type of mixing layer: column parity mixers (CPM), a generalization of the mixing layer in the round function of Keccak-f. We illustrate that CPMs can also be used to build strongly aligned primitives with strong bounds, with a permutation called Mixifer.

Get the paper and bibtex from ToSC

Farfalle: parallel permutation-based cryptography

2017

Guido Bertoni, Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche and Ronny Van Keer

Keywords: design: permutation-based function, construction: farfalle, primitive: Kravatte

The sponge and duplex constructions are very nice but inherently serial. In 2013 we started looking for a parallelizable counterpart, and the result of our search, that followed a long and curvy road, is farfalle. Farfalle is a permutation-based construction for building a cryptographic keyed function with variable-length input and arbitrary-length output, a type of function that we later baptized deck function.

Get the paper and bibtex from ToSC

New techniques for trail bounds and application to differential trails in Keccak

2017

Silvia Mella, Joan Daemen and Gilles Van Assche

Keywords: cryptanalysis: differential cryptanalysis: trail weight bounds, primitives: Keccak-p

Lower bounds on the weight of multi-round linear and differential trails are very important for evaluating the security of cryptographic permutations and block ciphers. For ciphers with a round function that combines weak alignment with high diffusion, proving such bounds requires scanning a space that grows exponentially with the weight in the bound. In this paper, Silvia, Gilles and I give insight and techniques to push these bounds to higher weights than ever before for Keccak-f and similar permutations.

Get the paper and bibtex from ToSC

Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing

2017

Joan Daemen

Keywords: side-channel attack countermeasures: threshold schemes: uniformity, primitives: Keccak-p

In one of the proposals in our paper with Begül, Ventzi and Svetla for solving the non-uniformity issue of the 3-share threshold scheme for the Chi step in Keccak-f, only two fresh random bits per round were needed. I thought it should be possible to reduce this to zero random bits by not generating them freshly but rather recycling them from the previous round. After some puzzling I found a surprisingly simple and lightweight solution and called it changing of the guards.

Get the paper from eprint and bibtex from DBLP

Full-State Keyed Duplex With Built-In Multi-User Support

2017

Joan Daemen, Bart Mennink and Gilles Van Assche

Keywords: modes: keyed duplex, design, security reduction proofs: indistinguishability

This is the endpoint of a series of papers on the generic security of keyed sponge and duplex constructions. We prove a tight security bound that can be applied widely, making this paper, in my opinion, the reference on the subject.

Get the paper from eprint and bibtex from DBLP

Symmetrische cryptografie 2.0

2017

Joan Daemen

Keywords: permutation-based cryptography, constructions: sponge, farfalle

My colleague Bart Mennink asked whether I would contribute to an issue of the Nieuw Archief voor Wiskunde devoted to cryptography. The result is this article, which explains permutation-based cryptography in a simple way.

You can find the article in the Nieuw Archief voor Wiskunde and the bibtex here

Spectral Characterization of Iterating Lossy Mappings

2016

Joan Daemen

Keywords: theory: correlation matrices, non-uniformity

The proposals in our paper with Begül, Ventzi and Svetla for solving the non-uniformity issue of the Chi sharing in Keccak-p came at the cost of an additional share or two fresh random bits per round. However, I was (and still am) not convinced that the non-uniformity can actually be exploited in an attack and this paper can be seen as a step towards understanding how non-uniformity evolves when we iterate transformations that are not invertible. I took the spectral perspective as this is in my opinion the relevant one.

Get the paper from eprint and bibtex from DBLP

The MAC function Pelican 2.0

2014

Joan Daemen and Vincent Rijmen

Keywords: primitives: Pelican-MAC, design

After writing our paper on Alred, we took a closer look at our concrete AES-based proposal Alpha-MAC and concluded that it could be simplified and made more efficient at the same time. This resulted in Pelican-MAC, a very simple MAC function that is about 2.5 times faster than any AES-based CBC-MAC variant, requires less RAM and has a smaller fixed overhead per message. Despite fierce attacks, the security claims of Pelican-MAC still stand to this day.

The original version of Pelican-MAC dates from 2005. In 2014 we presented an update called Pelican 2.0, the only change being a different initial value. The reason for this is the negative impact on the security of the original Pelican when a key check value, computed according to a widespread algorithm, is available for the key.

Get the paper from eprint and bibtex from DBLP

Efficient and First-Order DPA Resistant Implementations of Keccak

2013

Begül Bilgin, Joan Daemen, Ventzislav Nikov, Svetla Nikova, Vincent Rijmen and Gilles Van Assche

Keywords: side-channel attacks: differential power analysis (DPA), countermeasures: threshold schemes: uniformity, primitives: Keccak-p

After defining a 3-share threshold scheme for the 5-bit Chi mapping in Keccak-f (also used in our paper with Nicolas and Thanh-Ha), we found out that it was not uniform: the 15-bit mapping from the 3 input shares to the 3 output shares is not a permutation. Moreover, all our attempts to specify a uniform threshold scheme failed and we strongly suspect such a thing does not exist. Therefore we decided to team up with the people who discovered the non-uniformity in the first place to fix the problem. In this paper we do this by proposing 4-share threshold schemes and a scheme that requires 2 random bits per round for re-masking a single column, and re-masks all the other columns with two input bits from the neighbouring column.

Get the paper here and bibtex from DBLP
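As an added illustration of the uniformity problem described above (example code written for this page, not code from the paper or from the Keccak team), the following Python implements Chi on one 5-bit row and the direct 3-share sharing that follows from Chi having algebraic degree two, then checks correctness, non-completeness and uniformity exhaustively over all 2^15 share triples. That this direct sharing (each output share computed from the two input shares with the other index) is the 3-share scheme the paper refers to is an assumption.

```python
"""Checks on a 3-share threshold sharing of Keccak's Chi step (one 5-bit row).

Added example; not code from the paper or the Keccak team. The sharing below
is the "direct" sharing of a degree-2 mapping (each output share is a function
of two of the three input shares); that this is the scheme the text refers to
is an assumption. Everything is verified by exhaustion over the 2^15 triples.
"""
from itertools import product

ROW = 5  # Chi acts on rows of 5 bits in Keccak-f


def chi(a):
    """Keccak Chi on one row (bits as a list): b_i = a_i ^ (~a_{i+1} & a_{i+2})."""
    return [a[i] ^ ((a[(i + 1) % ROW] ^ 1) & a[(i + 2) % ROW]) for i in range(ROW)]


def _half(x, y):
    """One output share of the direct sharing, built from input shares x and y:
    x_i + x_{i+2} + x_{i+1} x_{i+2} + x_{i+1} y_{i+2} + y_{i+1} x_{i+2} (mod 2)."""
    out = []
    for i in range(ROW):
        i1, i2 = (i + 1) % ROW, (i + 2) % ROW
        out.append(x[i] ^ x[i2] ^ (x[i1] & x[i2]) ^ (x[i1] & y[i2]) ^ (y[i1] & x[i2]))
    return out


def chi_shared(a1, a2, a3):
    """Direct 3-share sharing of Chi: output share j never reads input share j."""
    return _half(a2, a3), _half(a3, a1), _half(a1, a2)


def bits(v):
    return [(v >> k) & 1 for k in range(ROW)]


def to_int(b):
    return sum(bit << k for k, bit in enumerate(b))


def xor3(x, y, z):
    return [p ^ q ^ r for p, q, r in zip(x, y, z)]


def all_triples():
    for v1, v2, v3 in product(range(1 << ROW), repeat=3):
        yield bits(v1), bits(v2), bits(v3)


def chi_is_permutation():
    """Unshared Chi must be a permutation of the 32 row values."""
    return len({to_int(chi(bits(v))) for v in range(1 << ROW)}) == 1 << ROW


def is_correct():
    """Correctness: output shares XOR to Chi of the XOR of the input shares."""
    return all(xor3(*chi_shared(a1, a2, a3)) == chi(xor3(a1, a2, a3))
               for a1, a2, a3 in all_triples())


def is_non_complete():
    """Non-completeness: output share j is independent of input share j.
    For each j, group inputs by the two other shares and check b_j is constant."""
    others = {0: (1, 2), 1: (2, 0), 2: (0, 1)}
    for j in range(3):
        seen = {}
        for a in all_triples():
            key = tuple(to_int(a[o]) for o in others[j])
            bj = to_int(chi_shared(*a)[j])
            if seen.setdefault(key, bj) != bj:
                return False
    return True


def shared_image_size():
    """Number of distinct 15-bit outputs of the shared map over all 2^15 inputs."""
    return len({tuple(map(to_int, chi_shared(*a))) for a in all_triples()})


def is_uniform():
    """Uniformity: the 15-bit to 15-bit shared map is itself a permutation."""
    return shared_image_size() == 1 << (3 * ROW)


if __name__ == "__main__":
    print("chi is a permutation:", chi_is_permutation())
    print("correct:", is_correct())
    print("non-complete:", is_non_complete())
    print("uniform:", is_uniform(), "(image size", shared_image_size(),
          "of", 1 << (3 * ROW), ")")
```

Running it reports that the sharing is correct and non-complete, but that the shared 15-bit map is not a permutation: several share triples collide on the same output triple, so the output shares are not uniformly distributed even when the input shares are. That is the non-uniformity the paper sets out to repair with a fourth share or with re-masking bits.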

Power Analysis of Hardware Implementations Protected with Secret Sharing

2012

Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michaël Peeters, Gilles Van Assche

Keywords: side-channel attacks: differential power analysis (DPA), countermeasures: threshold schemes, primitives: Keccak-p

The round function of Keccak-f has algebraic degree two and hence can be protected against first-order differential power analysis (DPA) with a 3-share threshold scheme. Higher order DPA remains possible but the question is: how much does the security increase? In this paper we investigated this question and derived expressions for the success probability for DPA attacks for an unprotected and threshold-scheme protected implementation and link these to the Kullback-Leibler divergence of the distributions for the wrong and right hypotheses. We verify the theoretical results with simulated experiments.

Get the paper from eprint and bibtex from DBLP

On the related-key attacks against AES

2011

Joan Daemen and Vincent Rijmen

Keywords: cryptanalysis: related-key attacks, primitives: block ciphers: Rijndael: AES

After some fuss had been created about related-key attacks on full-round AES with 256-bit and 192-bit keys, Vincent and I felt the need to put things in perspective. After giving a number of presentations on the subject, we wrote it down in this paper.

Get the paper here and bibtex here

Correlation Analysis in GF(2^n)

2011

Joan Daemen and Vincent Rijmen

Keywords: LC, finite fields, linear algebra, primitives: Rijndael, design

You can describe the propagation of linear masks through maps such as MixColumns in Rijndael without having to fix a basis. This paper explains how and also provides a description of Rijndael using only multiplication and addition in GF(2^8). Part of the material of this paper already appeared as an appendix of our book on Rijndael.

Get the paper here and bibtex here

Refinements of the Alred Construction and MAC Security Claims

2010

Joan Daemen and Vincent Rijmen

Keywords: primitives: MAC functions: Alred: Pelican-MAC, security claims, design

The security claims for MAC functions proposed in our original paper on Alred were problematic and this paper fixes the problem. It also contains some additional analysis of internal collisions in the Alred construction, and it is the first peer-reviewed publication of Pelican-MAC.

Get the paper here and bibtex from DBLP

The Self-Synchronizing Stream Cipher Moustique

2008

Joan Daemen and Paris Kitsos

Keywords: primitives: self-synchronizing stream ciphers: Moustique, design

Self-synchronizing stream ciphers are a rarity in cryptography. You can do self-synchronizing encryption with a block cipher in 1-bit CFB mode but this is very inefficient. The (academic) question is: is it possible to design a dedicated self-synchronizing stream cipher that is substantially more efficient? In 1992 I proposed a design strategy for high throughput and a proof-of-concept design called Knot, as documented in my thesis. Knot went through some changes and in 2005 hardware expert Paris Kitsos and I joined forces to build Mosquito, which we submitted to eSTREAM. This was soon broken and after tweaking it we called the result Moustique. This paper describes Moustique and its design philosophy and is a chapter in a book that came out of eSTREAM. Soon after, Moustique was also broken. I still believe the underlying design strategy is OK and that Moustique can be repaired with a simple tweak. This has been on my todo list for years now.

Get the paper here and bibtex from DBLP

Probability Distributions of Correlation and Differentials in Block Ciphers

2007

Joan Daemen and Vincent Rijmen

Keywords: random permutations and block ciphers, LC/DC

When investigating Rijndael, Vincent and I felt the need for improving our understanding of the typical correlation and differential propagation properties of random S-boxes, permutations or block ciphers. Building on the work of Luke O'Connor, in this paper we derive the distributions of DC and LC values and their maxima in random permutations and block ciphers.

Get the paper here and bibtex from DBLP

New criteria for linear maps in AES-like ciphers

2007

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra

In this paper we summarized plateau trails and introduced the interesting concept of related differentials. This is a property of linear mappings that leads to sub-optimal behaviour when considering plateau trails. Circulant MDS matrices, for instance, such as the one we used in Rijndael, structurally exhibit related differentials. Whether this sub-optimal behaviour can be exploited in actual attacks is an open question.

Get the paper here and bibtex from DBLP

Plateau Characteristics

2007

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra

In this paper we showed that differential trails in Rijndael have a behaviour that is very different from what Markov cipher theory would predict. Instead of having a differential probability (DP) that is largely independent from the key, the vast majority of trails in AES turn out to have non-zero DP for a small subset of the keys and zero DP for all other keys. We used the term characteristics to indicate trails because the editor would not accept a paper using the term trails.

Get the paper here and bibtex from DBLP

Producing Collisions for Panama, Instantaneously

2007

Joan Daemen and Gilles Van Assche

Keywords: primitives: stream/hash modules: Panama, DC

In 2002, Vincent Rijmen, Bart van Rompay and Bart Preneel had broken the Panama hash function academically. In 2006, we, the Keccak team avant la lettre, had presented RadioGatún as a hash function proposal. When looking at the 2002 attack on Panama, it was clear to us that Vincent et al. had not pushed their attack very far and that it could be made practical by exploiting some available degrees of freedom. We suspected that such an attack would put RadioGatún in a bad light, unless it came from us. So Gilles and I took a shot at it, leading to collisions that take less effort to generate than to verify.

Get the paper here and bibtex from DBLP

Understanding Two-Round Differentials in AES

2006

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers, Rijndael, design, DC

For Shark, Square and Rijndael, Vincent and I had formulated simple proofs lower bounding the number of active S-boxes in linear and differential trails. However, the probability of a multi-round differential is equal to the sum of the differential probabilities (DP) of the trails compatible with it. Clustering of many trails of negligible DP may give rise to differentials with non-negligible DP. This paper is the result of our study of how two-round differential trails cluster into differentials in Rijndael, which turned out to be a non-trivial exercise. The inverse mapping in the S-box interacts with the MixColumns mapping in unexpected ways. I think it would be interesting to do a similar exercise for linear trails, but I expect this to be even more complex so I removed it from my todo list.

Get the paper here and bibtex from DBLP

Two-Round AES Differentials

2006

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers, Rijndael, design, DC

This paper is an early version of what would later become our papers Understanding Two-Round Differentials in AES and Plateau Characteristics. Most of the material of this paper is covered in those two later papers, but Section 6.3 of this paper describes a key recovery attack on up to four rounds exploiting the specific properties we discovered, which we never published elsewhere.

Get the paper from eprint and bibtex from DBLP

RadioGatún, a belt-and-mill hash function

2006

Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche

Keywords: primitives: hash functions: RadioGatún, design, security claims, cryptanalysis: trail backtracking

RadioGatún is a research hash function proposal that was a predecessor of Keccak. It can be seen as a tweaked version of Panama. Even though it was quite different from Keccak, it played an important role in the design process of the latter.

Get the paper from eprint and bibtex from DBLP

A new MAC Construction Alred and a Specific Instance Alpha-MAC

2005

Joan Daemen and Vincent Rijmen

Keywords: primitives: MAC functions: Alred: Alpha-MAC, security claims, design

Looking at existing MAC function constructions such as CBC variants, HMAC and those based on so-called universal one-way hash functions, we decided to investigate the possibility to build MAC functions from a block cipher that are at the same time cleaner and more efficient. We started with specifying security claims that explicitly take into account the finite internal state of MAC functions in the form of the capacity concept. We proposed a generic way to build a MAC function from a block cipher called Alred and an AES-based proof of concept called Alpha-MAC.

Get the paper here and bibtex from DBLP

Probability Distributions of Correlation and Differentials in Block Ciphers (on ePrint)

2005

Joan Daemen and Vincent Rijmen

Keywords: random and iterated permutations and block ciphers, LC/DC

This is an earlier version of our paper with the same title that was later published. It has sections that deal with key-alternating block ciphers that are not present in the published version. We made some derivations based on assumptions that turned out not to hold for Rijndael and its relatives and were contradicted by plateau trails. Still, we did not withdraw this version of the paper from ePrint as these sections have in the meantime inspired follow-on work and are likely to be valid for ciphers and permutations that have weak alignment.

Get this earlier version from eprint and bibtex from DBLP

Distinguishing Stream Ciphers with Convolutional Filters

2005

Joan Daemen and Gilles Van Assche

Keywords: primitives: stream ciphers: irregularly clocked LFSR, cryptanalysis: correlation attack

After reviewing a paper containing sub-optimal attacks on the shrinking generator and the alternating-step generator, I thought they could be improved. I teamed up with Gilles to try it and the result is this paper. We improve upon existing attacks by introducing convolutional filters, theoretically predict their efficiency and confirm this with experiments.

Get the paper from eprint and bibtex from DBLP

The Design of Rijndael: AES - The Advanced Encryption Standard

2002

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers: Rijndael, design: wide trail strategy, LC/DC

This is the book on Rijndael that Vincent and I wrote after winning the AES contest. Among other things, it specifies Rijndael, motivates and explains the underlying design approach and treats the propagation of differential and linear trails in key-alternating ciphers and how they combine into differentials and input-output correlations. In 2020 we published a second edition of our book, integrating a number of articles we wrote after the first edition appeared.

Get a PDF of the first edition of the book here and errata here. Get bibtex from DBLP

Linear Frameworks for Block Ciphers

2001

Joan Daemen, Lars Knudsen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC

In this paper we generalize the structure of our designs Shark, Square and Rijndael. We included all relevant material in this paper in our book on Rijndael.

Get the paper here and bibtex from DBLP

The Wide Trail Design Strategy

2001

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC

In this paper we concentrate on the wide trail strategy flavor as we applied it in Shark, Square and Rijndael. All relevant material in this paper was later included in our book on Rijndael.

Get the paper here and bibtex from DBLP

Bitslice Ciphers and Power Analysis Attacks

2000

Joan Daemen, Michaël Peeters and Gilles Van Assche

Keywords: primitives: block ciphers: bitslice ciphers: BaseKing, implementation: power analysis resistance

In this paper we discuss the limitations of the so-called duplication method as applied to DES and present techniques to protect bitslice ciphers against differential power analysis (DPA).

Get the paper here and bibtex from DBLP

Nessie Proposal: Noekeon

2000

Joan Daemen, Michaël Peeters, Gilles Van Assche and Vincent Rijmen

Keywords: primitives: block ciphers: Noekeon, design, DC/LC

This is the submission document of Noekeon to the Nessie call. Noekeon is a lightweight block cipher that can compete with modern lightweight designs and has powerful lower bounds for the weight of linear and differential trails. It was kicked out of the Nessie competition due to existential related-key properties. We argue that the only protocols that allow their exploitation would have to be specially designed for that purpose.

Get the paper here and bibtex here

AES Proposal: Rijndael

1999

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design: wide trail strategy, LC/DC

This is the submission document of Rijndael to the AES call, updated for the second round. We included all relevant material in this document in our book on Rijndael.

Get the document here and bibtex here

The block cipher BKSQ

1998

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: BKSQ, design

My colleague Michel Dawirs had designed the BST protocol that makes use of many calls to one-way functions and he was looking for such a one-way function that was suited for smart cards. As a response, Vincent and I designed a variant of Square with a block size of 96 bits for this purpose.

Get the paper here and bibtex from DBLP

The Banksys signature transport (BST) protocol

1998

Michel Dawirs and Joan Daemen

Keywords: cryptographic protocols: (Banksys) signature transport, design

The Banksys signature transport protocol is suitable for offline electronic payments and makes use of Lamport signatures and structures that remind of Merkle trees. Michel Dawirs came up with the protocol and I proposed some optimizations and wrote the paper.

Get the paper here and bibtex from DBLP

Management of Secret Keys: Dynamic Key Handling

1998

Joan Daemen

Keywords: (symmetric) key management techniques: forward secrecy, key evolution

When I arrived at Banksys, cryptography in payment transactions was still fully based on Triple-DES. I discovered that some interesting key handling techniques were being used to address very specific requirements. When asked to give a presentation at the COSIC cryptography course, I decided to speak about these techniques; this paper is a chapter in a book accompanying the course.

Get the paper here and bibtex from DBLP

Fast Hashing and Stream Encryption with Panama

1998

Joan Daemen and Craig Clapp

Keywords: primitives: stream/hash modules: Panama, design

Craig Clapp and I reworked an earlier design presented in my thesis called StepRightUp and we named the result Panama. Panama can do hashing and keystream generation, both extremely fast. In the meantime the Panama hash function has been badly broken, but the Panama stream cipher is still standing.

Get the paper here and bibtex from DBLP

The block cipher Square

1997

Joan Daemen, Lars Knudsen and Vincent Rijmen

Keywords: primitives: block ciphers: Square, design: wide trail strategy, LC/DC, cryptanalysis: Square attack

Square is a block cipher that has most of the elements of Rijndael: its S-box, MDS matrix and provable bounds on trail weights. This paper also introduced the Square attack, invented by Lars.

Get the paper here and bibtex from DBLP

The Cipher Shark

1996

Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers and Erik De Win

Keywords: primitives: block ciphers: Shark, design: wide trail strategy, LC/DC

In this paper we introduced the following elements of Rijndael: the strongly byte-aligned structure, the use of MDS matrices for diffusion and the multiplicative inverse in GF(2^8) for non-linearity.

Get the paper here and bibtex from DBLP

Cipher and hash function design - PhD thesis

1995

Joan Daemen

Keywords: primitives: block ciphers, stream/hash modules, self-synchronizing stream ciphers, design: wide trail strategy, shift-invariant transformations, analysis: LC/DC: correlation matrices, cryptanalysis: weak keys of IDEA, Even-Mansour, re-synchronization attacks

My PhD thesis in a printer-friendly layout.

Get it here and bibtex here


 
Last modified: March 22, 2023