I originally created this page to make some publications available that would otherwise be hard to find. This is still the case, but I also include some more recent publications I co-wrote and have something to say about. For the papers I published with other members of the Keccak team I refer to the Keccak team website. For a more extended list of publications you can have a look at DBLP and Google Scholar.
The design of Xoodoo and Xoofff
2019
Keywords: design: primitives: permutation: Xoodoo, deck function: Xoofff
We were dreaming of a doubly-extendable cryptographic keyed (deck) function based on farfalle that could be called lightweight and saw that Keccak-p instances are either too wide or have a lane size unsuited for modern CPUs. We got inspired by the Gimli primitive and built a permutation with the dimensions of Gimli and the design philosophy of Keccak-p. This paper gives a rationale for the design of Xoodoo and the farfalle instance using it, Xoofff. I am very enthusiastic about Xoodoo and Xoofff!
Get the paper and bibtex from ToSC
Xoodoo cookbook
2018
Keywords: design: primitives: permutation: Xoodoo, deck function: Xoofff, duplex object: Xoodyak, modes: deck-SANE, deck-SANSE, deck-WBC
We first presented Xoodoo at the Workshop on Elliptic Curve Cryptography in November 2017 in Nijmegen and made reference code available on GitHub. Nine months later we published this document on eprint, specifying Xoodoo and the deck function Xoofff. It also specifies two session authenticated encryption modes for deck functions and a wide tweakable block cipher mode, all to be instantiated with Xoofff. Recently, we added the specification of our duplex-based lightweight primitive Xoodyak.
Get the paper and bibtex from eprint
Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers
2018
Keywords: modes: hashing, design, security reduction proofs: indifferentiability
We specify simple conditions for hashing modes to offer the best possible generic security and provide proofs for these super-tight security bounds. This is in my opinion the reference on the subject.
Get the paper and bibtex from ToSC
KangarooTwelve: Fast Hashing Based on Keccak-p
2018
Keywords: design: parallel hashing, primitives: KangarooTwelve
The sponge construction underlying Keccak is inherently serial, preventing it from fully exploiting the massive amounts of parallelism available on modern high-end CPUs. Moreover, the Keccak-f permutation in Keccak has an overly conservative number of rounds: 24. We built KangarooTwelve to address these issues: KangarooTwelve obtains parallelism by means of tree hashing, with as underlying compression function a Keccak variant that uses 12-round Keccak-p as its permutation.
Get the paper from eprint and bibtex from DBLP
Column Parity Mixers
2018
Keywords: design: mixing layer, alignment, inverse
In recent years we have witnessed an explosion of publications on lightweight MDS matrices. At the end of the previous century I thought MDS mixing layers were the way to go, but now I know bit-oriented mappings are better. In this paper, Ko and I study the properties of my favourite type of mixing layer: column parity mixers (CPM), a generalization of the mixing layer in the round function of Keccak-f. We illustrate that CPMs can also be used to build strongly aligned primitives with strong bounds, with a permutation called Mixifer.
Get the paper and bibtex from ToSC
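The following is an added example, not code from the page or from the CPM paper: a column parity mixer on a toy state of n rows by m columns of bits, written to show the property that makes the "inverse" keyword above matter. A CPM adds to every row an effect vector e = Z p, where p is the vector of column parities and Z is an m-by-m matrix over GF(2) (the "parity-folding" matrix; that name and the toy dimensions are my assumptions). Since the output parity is (I + nZ) p, the mixer is an involution whenever n is even, and for odd n it is invertible exactly when I + Z is invertible. The Z of Keccak-f theta with lane length 1 (e[x] = p[x-1] + p[x+1]) is used as the concrete instance; the brute-force checks confirm the algebra on small states.

```python
# Added example: column parity mixer (CPM) on a toy n-row x m-column bit state.
# The CPM definition follows the page's description (generalization of theta);
# function names, the toy sizes and the matrix name Z are assumptions.
from itertools import product


def column_parity(state):
    """XOR of each column; state is a list of n rows, each a list of m bits."""
    m = len(state[0])
    return [sum(row[x] for row in state) & 1 for x in range(m)]


def apply_Z(Z, p):
    """e = Z p over GF(2): e[x] = XOR over y of Z[x][y] & p[y]."""
    return [sum(Z[x][y] & p[y] for y in range(len(p))) & 1 for x in range(len(Z))]


def cpm(state, Z):
    """Column parity mixer: add the effect vector e = Z p to every row."""
    e = apply_Z(Z, column_parity(state))
    return [[bit ^ e[x] for x, bit in enumerate(row)] for row in state]


def keccak_theta_Z(m):
    """Parity-folding matrix of Keccak-f theta with lane length 1: e[x] = p[x-1] + p[x+1]."""
    return [[1 if y in ((x - 1) % m, (x + 1) % m) else 0 for y in range(m)]
            for x in range(m)]


def gf2_invertible(M):
    """Gaussian elimination over GF(2): True iff the square matrix M has full rank."""
    M = [row[:] for row in M]
    n = len(M)
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return False
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[col])]
    return True


def cpm_is_invertible(Z, n_rows):
    """Algebraic criterion: output parity is (I + n Z) p, so the CPM is invertible
    iff I + nZ is invertible. For even n this is the identity (always invertible);
    for odd n it reduces to I + Z being invertible."""
    m = len(Z)
    if n_rows % 2 == 0:
        return True
    return gf2_invertible([[int(x == y) ^ Z[x][y] for y in range(m)] for x in range(m)])


def _all_states(n_rows, m):
    for bits in product((0, 1), repeat=n_rows * m):
        yield [list(bits[r * m:(r + 1) * m]) for r in range(n_rows)]


def cpm_is_bijective_bruteforce(Z, n_rows):
    """Enumerate every n x m state and count distinct images (small sizes only)."""
    m = len(Z)
    images = {tuple(tuple(r) for r in cpm(a, Z)) for a in _all_states(n_rows, m)}
    return len(images) == 1 << (n_rows * m)


def cpm_is_involution(Z, n_rows):
    """Brute-force check that applying the CPM twice gives the identity."""
    m = len(Z)
    return all(cpm(cpm(a, Z), Z) == a for a in _all_states(n_rows, m))


if __name__ == "__main__":
    Z5 = keccak_theta_Z(5)
    print("theta-like CPM, 5 columns, 3 rows invertible:", cpm_is_invertible(Z5, 3))
    print("theta-like CPM, 5 columns, 2 rows involution:", cpm_is_involution(Z5, 2))
    print("theta-like CPM, 3 columns, 3 rows invertible:", cpm_is_invertible(keccak_theta_Z(3), 3))
```

The 3-column case is instructive: with m = 3 the two neighbours of a column are the two other columns, so I + Z is the all-ones matrix and the mixer loses information on an odd number of rows, while the 5-column theta matrix gives a polynomial coprime to x^5 + 1 and stays invertible.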
Farfalle: parallel permutation-based cryptography
2017
Keywords: design: permutation-based function, construction: farfalle, primitive: Kravatte
The sponge and duplex constructions are very nice but inherently serial. In 2013 we started looking for a parallelizable counterpart, and the result of our search, which followed a long and winding road, is farfalle. Farfalle is a permutation-based construction for building a cryptographic keyed function with variable-length input and arbitrary-length output, a type of function that we later baptized deck function.
Get the paper and bibtex from ToSC
New techniques for trail bounds and application to differential trails in Keccak
2017
Keywords: cryptanalysis: differential cryptanalysis: trail weight bounds, primitives: Keccak-p
Lower bounds on the weight of multi-round linear and differential trails are very important for evaluating the security of cryptographic permutations and block ciphers. For ciphers with a round function that combines weak alignment with high diffusion, proving such bounds requires scanning a space that grows exponentially with the weight in the bound. In this paper, Silvia, Gilles and I give insight and techniques to push these bounds to higher weights than ever before for Keccak-f and similar permutations.
Get the paper and bibtex from ToSC
Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing
2017
Keywords: side-channel attack countermeasures: threshold schemes: uniformity, primitives: Keccak-p
In one of the proposals in our paper with Begül, Ventzi and Svetla for solving the non-uniformity issue of the 3-share threshold scheme for the Chi step in Keccak-f, only two fresh random bits per round were needed. I thought it should be possible to reduce this to zero random bits by not generating them freshly but rather recycling them from the previous round. After some puzzling I found a surprisingly simple and lightweight solution and called it changing of the guards.
Get the paper from eprint and bibtex from DBLP
Full-State Keyed Duplex With Built-In Multi-User Support
2017
Keywords: modes: keyed duplex, design, security reduction proofs: indistinguishability
This is the endpoint of a series of papers on the generic security of keyed sponge and duplex constructions. We prove a tight security bound that can be applied widely, making this paper, in my opinion, the reference on the subject.
Get the paper from eprint and bibtex from DBLP
Symmetrische cryptografie 2.0
2017
Keywords: permutation-based cryptography, constructions: sponge, farfalle
Colleague Bart Mennink asked whether I wanted to contribute to an issue of the Nieuw Archief voor Wiskunde devoted to cryptography. The result is this article, which explains permutation-based cryptography in a simple way.
You can find the article in the Nieuw Archief voor Wiskunde and the bibtex here
Spectral Characterization of Iterating Lossy Mappings
2016
Keywords: theory: correlation matrices, non-uniformity
The proposals in our paper with Begül, Ventzi and Svetla for solving the non-uniformity issue of the Chi sharing in Keccak-p came at the cost of an additional share or two fresh random bits per round. However, I was (and still am) not convinced that the non-uniformity can actually be exploited in an attack and this paper can be seen as a step towards understanding how non-uniformity evolves when we iterate transformations that are not invertible. I took the spectral perspective as this is in my opinion the relevant one.
Get the paper from eprint and bibtex from DBLP
The MAC function Pelican 2.0
2014
Keywords: primitives: Pelican-MAC, design
After writing our paper on Alred, we took a closer look at our concrete AES-based proposal Alpha-MAC and concluded that it could be simplified and made more efficient at the same time. This resulted in Pelican-MAC, a very simple MAC function that is about 2.5 times faster than any AES-based CBC-MAC variant, requires less RAM and has a smaller fixed overhead per message. Despite fierce attacks, the security claims of Pelican-MAC still stand up to this day.
The original version of Pelican-MAC dates from 2005. In 2014 we presented an update called Pelican 2.0, whose only change is a different initial value. The reason for this is the negative impact on the security of the original Pelican if a key check value, computed according to a widespread algorithm, is available for the key.
Get the paper from eprint and bibtex from DBLP
Efficient and First-Order DPA Resistant Implementations of Keccak
2013
Keywords: side-channel attacks: differential power analysis (DPA), countermeasures: threshold schemes: uniformity, primitives: Keccak-p
After defining a 3-share threshold scheme for the 5-bit Chi mapping in Keccak-f (also used in our paper with Nicolas and Thanh-Ha), we found out that it was not uniform: the 15-bit mapping from the 3 input shares to the 3 output shares is not a permutation. Moreover, all our attempts to specify a uniform threshold scheme failed and we strongly suspect such a thing does not exist. Therefore we decided to team up with the people who discovered the non-uniformity in the first place to fix the problem. In this paper, we did this by proposing 4-share threshold schemes and a scheme where we require 2 random bits per round for re-masking a single column, and re-mask all the other columns with two input bits from the neighboring column.
Get the paper here and bibtex from DBLP
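As an added example (not code from the page or from any of the papers above), here is the kind of check behind the statement that the 15-bit shared mapping is not a permutation. It implements the 5-bit Chi of Keccak-f and its direct 3-share threshold implementation, in which each quadratic term a_{i+1} a_{i+2} is assigned to the output share whose index does not appear in it; that this sharing is the one the paper refers to is my assumption. The three properties a threshold implementation should have are then verified by exhaustive enumeration: correctness (the output shares XOR to Chi of the XOR of the input shares), non-completeness (output share j never depends on input share j, which is what makes the scheme resist first-order DPA) and uniformity (the shared map is a permutation of the 15 share bits), the last of which fails.

```python
# Added example: 3-share threshold implementation (TI) of the 5-bit Chi map and
# an exhaustive check of correctness, non-completeness and uniformity.
# The direct sharing used here is an assumption about the scheme in the paper.
from itertools import product

W = 5  # width of Chi: one row of the Keccak-f state


def chi(a):
    """Unshared Chi on a tuple of W bits: b_i = a_i + (a_{i+1} + 1) * a_{i+2}."""
    return tuple(a[i] ^ ((a[(i + 1) % W] ^ 1) & a[(i + 2) % W]) for i in range(W))


def chi_shared(s1, s2, s3):
    """Direct 3-share TI of Chi. Output share j is computed from the two input
    shares other than j: the linear term and the 'diagonal' product come from
    one share, the two mixed products combine the two shares."""
    def share(x, y):
        return tuple(
            x[i]
            ^ ((x[(i + 1) % W] ^ 1) & x[(i + 2) % W])
            ^ (x[(i + 1) % W] & y[(i + 2) % W])
            ^ (y[(i + 1) % W] & x[(i + 2) % W])
            for i in range(W))
    b1 = share(s2, s3)  # independent of s1
    b2 = share(s3, s1)  # independent of s2
    b3 = share(s1, s2)  # independent of s3
    return b1, b2, b3


def bits(n):
    return tuple((n >> k) & 1 for k in range(W))


def unshare(s1, s2, s3):
    return tuple(x ^ y ^ z for x, y, z in zip(s1, s2, s3))


ALL = [bits(n) for n in range(1 << W)]  # every 5-bit share value


def check_correctness():
    """XOR of the output shares equals Chi of the XOR of the input shares, always."""
    return all(unshare(*chi_shared(s1, s2, s3)) == chi(unshare(s1, s2, s3))
               for s1, s2, s3 in product(ALL, repeat=3))


def check_non_completeness():
    """For fixed values of the other two input shares, varying input share j
    must leave output share j unchanged (the set of values has size 1)."""
    for u, v in product(ALL, repeat=2):
        if len({chi_shared(w, u, v)[0] for w in ALL}) != 1:
            return False
        if len({chi_shared(u, w, v)[1] for w in ALL}) != 1:
            return False
        if len({chi_shared(u, v, w)[2] for w in ALL}) != 1:
            return False
    return True


def image_size():
    """Number of distinct output share triples over all 2^15 input sharings."""
    return len({chi_shared(s1, s2, s3) for s1, s2, s3 in product(ALL, repeat=3)})


def is_uniform():
    """Uniform iff the 15-bit shared mapping is a permutation."""
    return image_size() == 1 << (3 * W)


if __name__ == "__main__":
    print("correct:", check_correctness())
    print("non-complete:", check_non_completeness())
    print("image size:", image_size(), "of", 1 << (3 * W), "-> uniform:", is_uniform())
```

The loss of uniformity means that the output sharing of one Chi is not a uniformly random sharing of its output, so the next round's non-completeness argument no longer applies on its own; that is the gap the 4-share schemes and the 2-random-bit re-masking in the paper close.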
Power Analysis of Hardware Implementations Protected with Secret Sharing
2012
Keywords: side-channel attacks: differential power analysis (DPA), countermeasures: threshold schemes, primitives: Keccak-p
The round function of Keccak-f has algebraic degree two and hence can be protected against first-order differential power analysis (DPA) with a 3-share threshold scheme. Higher-order DPA remains possible, but the question is: how much does the security increase? In this paper we investigate this question, derive expressions for the success probability of DPA attacks on an unprotected and on a threshold-scheme-protected implementation, and link these to the Kullback-Leibler divergence between the distributions for the wrong and the right hypotheses. We verify the theoretical results with simulated experiments.
Get the paper from eprint and bibtex from DBLP
On the related-key attacks against AES
2011
Keywords: cryptanalysis: related-key attacks, primitives: block ciphers: Rijndael: AES
After some fuss was created on related-key attacks on full-round AES with 256-bit and 192-bit key length, Vincent and I felt the need to put things in perspective. After giving a number of presentations on the subject, we wrote it down in this paper.
Get the paper here and bibtex here
Correlation Analysis in GF(2^n)
2011
Keywords: LC, finite fields, linear algebra, primitives: Rijndael, design
You can describe the propagation of linear masks through maps such as MixColumns in Rijndael without having to fix a basis. This paper explains how and also provides a description of Rijndael using only the multiplication and addition in GF(2^8). Part of the material of this paper already appeared as an appendix of our book on Rijndael.
Get the paper here and bibtex here
Refinements of the Alred Construction and MAC Security Claims
2010
Keywords: primitives: MAC functions: Alred: Pelican-MAC, security claims, design
The security claims for MAC functions proposed in our original paper on Alred were problematic and this paper fixes the problem. This paper contains some additional analysis of internal collisions in the Alred construction. It is also the first peer-reviewed publication of Pelican-MAC.
Get the paper here and bibtex from DBLP
The Self-Synchronizing Stream Cipher Moustique
2008
Keywords: primitives: self-synchronizing stream ciphers: Moustique, design
Self-synchronizing stream ciphers are a rarity in cryptography. You can do self-synchronizing encryption with a block cipher in 1-bit CFB mode, but this is very inefficient. The (academic) question is: is it possible to design a dedicated self-synchronizing stream cipher that is substantially more efficient? In 1992 I proposed a design strategy for high throughput and a proof-of-concept design called Knot, as documented in my thesis. Knot went through some changes and in 2005 hardware expert Paris Kitsos and I joined forces to build Mosquito, which we submitted to eSTREAM. This was soon broken and after tweaking it we called the result Moustique. This paper describes Moustique and its design philosophy and is a chapter in a book that came out of eSTREAM. Soon after, Moustique was also broken. I still believe the underlying design strategy is OK and that Moustique can be repaired with a simple tweak. This has been on my todo list for years now.
Get the paper here and bibtex from DBLP
Probability Distributions of Correlation and Differentials in Block Ciphers
2007
Keywords: random permutations and block ciphers, LC/DC
When investigating Rijndael, Vincent and I felt the need for improving our understanding of the typical correlation and differential propagation properties of random S-boxes, permutations or block ciphers. Building on the work of Luke O'Connor, in this paper we derive the distributions of DC and LC values and their maxima in random permutations and block ciphers.
Get the paper here and bibtex from DBLP
New criteria for linear maps in AES-like ciphers
2007
Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra
In this paper we summed up plateau trails and introduced the interesting concept of related differentials. This is a property of linear mappings that leads to sub-optimal behaviour when considering plateau trails. Circulant MDS matrices for instance, such as the one we used in Rijndael, structurally exhibit related differentials. Whether this sub-optimal behavior can be exploited in actual attacks is an open question.
Get the paper here and bibtex from DBLP
Plateau Characteristics
2007
Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra
In this paper we showed that differential trails in Rijndael have a behaviour that is very different from what Markov cipher theory would predict. Instead of having a differential probability (DP) that is largely independent from the key, the vast majority of trails in AES turn out to have non-zero DP for a small subset of the keys and zero DP for all other keys. We used the term characteristics to indicate trails because the editor would not accept a paper using the term trails.
Get the paper here and bibtex from DBLP
Producing Collisions for Panama, Instantaneously
2007
Keywords: primitives: stream/hash modules: Panama, DC
In 2002, Vincent Rijmen, Bart van Rompay and Bart Preneel had broken the Panama hash function academically. In 2006, we, the Keccak team avant la lettre, had presented RadioGatún as a hash function proposal. When looking at the 2002 attack on Panama, it was clear to us that Vincent et al. had not pushed their attack very far and that it could be made practical by exploiting some available degrees of freedom. We suspected that such an attack would put RadioGatún in a bad light, unless it would come from us. So Gilles and I took a shot at it, leading to collisions that take less effort to generate than to verify.
Get the paper here and bibtex from DBLP
Understanding Two-Round Differentials in AES
2006
Keywords: primitives: block ciphers, Rijndael, design, DC
For Shark, Square and Rijndael, Vincent and I had formulated simple proofs lower bounding the number of active S-boxes in linear and differential trails. However, the probability of a multi-round differential is equal to the sum of the differential probabilities (DP) of the trails compatible with it. Clustering of many trails of negligible DP may give rise to differentials with non-negligible DP. This paper is the result of our study of how two-round differential trails cluster into differentials in Rijndael, which turned out to be a non-trivial exercise. The inverse mapping in the S-box interacts with the MixColumns mapping in unexpected ways. I think it would be interesting to do a similar exercise for linear trails, but I expect this to be even more complex, so I removed it from my todo list.
Get the paper here and bibtex from DBLP
Two-Round AES Differentials
2006
Keywords: primitives: block ciphers, Rijndael, design, DC
This paper is an early version of what would later become our papers Understanding Two-Round Differentials in Rijndael and Plateau Characteristics. Most of the material of this paper is covered in the two later papers, but Section 6.3 of this paper describes a key recovery attack on up to four rounds exploiting the specific properties we discovered, which we never published elsewhere.
Get the paper from eprint and bibtex from DBLP
RadioGatún, a belt-and-mill hash function
2006
Keywords: primitives: hash functions: RadioGatún, design, security claims, cryptanalysis: trail backtracking
RadioGatún is a research hash function proposal that was a predecessor of Keccak. It can be seen as a tweaked version of Panama. Even though it was quite different from Keccak, it played an important role in the design process of the latter.
Get the paper from eprint and bibtex from DBLP
A new MAC Construction Alred and a Specific Instance Alpha-MAC
2005
Keywords: primitives: MAC functions: Alred: Alpha-MAC, security claims, design
Looking at existing MAC function constructions such as CBC variants, HMAC and those based on so-called universal one-way hash functions, we decided to investigate the possibility of building MAC functions from a block cipher that are at the same time cleaner and more efficient. We started with specifying security claims that explicitly take into account the finite internal state of MAC functions in the form of the capacity concept. We proposed a generic way to build a MAC function from a block cipher called Alred and an AES-based proof of concept called Alpha-MAC.
Get the paper here and bibtex from DBLP
Probability Distributions of Correlation and Differentials in Block Ciphers (on ePrint)
2005
Keywords: random and iterated permutations and block ciphers, LC/DC
This is an earlier version of our paper with the same title that was later published. It has sections that deal with key-alternating block ciphers that are not present in the published version. We made some derivations based on assumptions that turned out not to hold for Rijndael and relatives and were contradicted by plateau trails. Still, we did not withdraw this version of the paper from ePrint as these sections have in the meanwhile inspired follow-on work and are likely to be valid for ciphers and permutations that have weak alignment.
Get this earlier version from eprint and bibtex from DBLP
Distinguishing Stream Ciphers with Convolutional Filters
2005
Keywords: primitives: stream ciphers: irregularly clocked LFSR, cryptanalysis: correlation attack
After reviewing a paper containing sub-optimal attacks on the shrinking generator and the alternating-step generator, I thought they could be improved. I teamed up with Gilles to try it and the result is this paper. We improve upon existing attacks by introducing convolutional filters, theoretically predict their efficiency and confirm this with experiments.
Get the paper from eprint and bibtex from DBLP
The Design of Rijndael: AES - The Advanced Encryption Standard
2002
Keywords: primitives: block ciphers: key-alternating ciphers: Rijndael, design: wide trail strategy, LC/DC
This is the book on Rijndael that Vincent and I wrote after winning the AES contest. Among other things, it specifies Rijndael, motivates and explains the underlying design approach and treats the propagation of differential and linear trails in key-alternating ciphers and how they combine into differentials and input-output correlations. In 2020 we published a second edition of our book, integrating a number of articles we wrote after the first edition appeared.
Get a PDF of the first edition of the book here and errata here. Get bibtex from DBLP
Linear Frameworks for Block Ciphers
2001
Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC
In this paper we generalize the structure of our designs Shark, Square and Rijndael. We included all relevant material in this paper in our book on Rijndael.
Get the paper here and bibtex from DBLP
The Wide Trail Design Strategy
2001
Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC
In this paper we concentrate on the wide trail strategy flavor as we applied it in Shark, Square and Rijndael. All relevant material in this paper was later included in our book on Rijndael.
Get the paper here and bibtex from DBLP
Bitslice Ciphers and Power Analysis Attacks
2000
Keywords: primitives: block ciphers: bitslice ciphers: BaseKing, implementation: power analysis resistance
In this paper we discuss the limitations of the so-called duplication method as applied to DES and present techniques to protect bitslice ciphers against differential power analysis (DPA).
Get the paper here and bibtex from DBLP
Nessie Proposal: Noekeon
2000
Keywords: primitives: block ciphers: Noekeon, design, DC/LC
This is the submission document of Noekeon to the Nessie call. Noekeon is a lightweight block cipher that can compete with modern lightweight designs and has powerful lower bounds for the weight of linear and differential trails. It was kicked out of the Nessie competition due to existential related-key properties. We argue that the only protocols that allow their exploitation would have to be specifically designed for this purpose.
Get the paper here and bibtex here
AES Proposal: Rijndael
1999
Keywords: primitives: block ciphers: Rijndael, design: wide trail strategy, LC/DC
This is the submission document of Rijndael to the AES call, updated for the second round. We included all relevant material in this document in our book on Rijndael.
Get the document here and bibtex here
The block cipher BKSQ
1998
Keywords: primitives: block ciphers: BKSQ, design
My colleague Michel Dawirs had designed the BST protocol that makes use of many calls to one-way functions and he was looking for such a one-way function that was suited for smart cards. As a response, Vincent and I designed a variant of Square with a block size of 96 bits for this purpose.
Get the paper here and bibtex from DBLP
The Banksys signature transport (BST) protocol
1998
Keywords: cryptographic protocols: (Banksys) signature transport, design
The Banksys signature transport protocol is suitable for offline electronic payments and makes use of Lamport signatures and structures that remind of Merkle trees. Michel Dawirs came up with the protocol and I proposed some optimizations and wrote the paper.
Get the paper here and bibtex from DBLP
Management of Secret Keys: Dynamic Key Handling
1998
Keywords: (symmetric) key management techniques: forward secrecy, key evolution
When I arrived at Banksys, cryptography in payment transactions was still fully based on Triple-DES. I discovered that some interesting key handling techniques were being used to address very specific requirements. When I was asked to give a presentation at the COSIC cryptography course, I decided to speak about these techniques, and this paper is a chapter in a book accompanying the course.
Get the paper here and bibtex from DBLP
Fast Hashing and Stream Encryption with Panama
1998
Keywords: primitives: stream/hash modules: Panama, design
Craig Clapp and I reworked an earlier design presented in my thesis called StepRightUp and we named the result Panama. Panama can do hashing and keystream generation, both extremely fast. In the meanwhile the Panama hash function has been badly broken but the Panama stream cipher is still standing.
Get the paper here and bibtex from DBLP
The block cipher Square
1997
Keywords: primitives: block ciphers: Square, design: wide trail strategy, LC/DC, cryptanalysis: Square attack
Square was a block cipher that has most of the elements of Rijndael: its S-box, MDS matrix and provable bounds on trail weights. This paper also introduced the square attack, invented by Lars.
Get the paper here and bibtex from DBLP
The Cipher Shark
1996
Keywords: primitives: block ciphers: Shark, design: wide trail strategy, LC/DC
In this paper we introduced the following elements of Rijndael: the strongly byte-aligned structure, the use of MDS matrices for diffusion and the multiplicative inverse in GF(2^8) for non-linearity.
Get the paper here and bibtex from DBLP
Cipher and hash function design - PhD thesis
1995
Keywords: primitives: block ciphers, stream/hash modules, self-synchronizing stream ciphers, design: wide trail strategy, shift-invariant transformations, analysis: LC/DC: correlation matrices, cryptanalysis: weak keys of IDEA, Even-Mansour, re-synchronization attacks
My PhD thesis in a printer-friendly layout.
Last modified: March 22, 2023