When I learned about DES and its modes of use in 1988, I was struck by their ugliness. I figured it should be possible to come up with nicer designs. This has been the main goal of my research ever since: the design of symmetric cryptographic primitives and modes that are nice and original. Naturally, this involves cryptanalysis and the study of propagation properties where I try to improve on the descriptions given in cryptographic literature.


During my PhD (1988-1995) I mostly worked alone and proposed several bit-oriented lightweight designs: modules that can be used both as a stream cipher and a hash function, but also block ciphers. I had a great time during my PhD and it is the basis of all my work on crypto I did later, up to this day. It contained a lot of innovation, as I illustrate here below.

Some of my design innovations:

Some innovative mappings for use in round functions:

Innovative concepts and formalism to describe and measure propagation properties:

It was also the start of my strained relationship with some theories:

Collaboration with Vincent Rijmen

In 1993 I first collaborated with Vincent Rijmen, in some consultancy work and this was a very positive experience. Two years later I defended my PhD thesis and due to some administrative complication my contract at the university ended one month after that. During this last month, I was looking into the block cipher Blowfish in the context of some cryptanalysis contest. Then I had a very promising idea to build a round function, very different from the constructions I had done before. After starting at my next job, that did not include cryptography, I continued working on this idea after working hours. I soon realized that this would go must faster with some help and contacted Vincent to collaborate on this. This was probably one of the best decisions of my research life, as it led via some intermediate stages to our AES submission Rijndael. Our cipher became the NIST standard AES in 2001, as documented in our Rijndael book.

Rijndael has become quite a success with massive real-world impact, see e.g. the NIST report The Economic Impacts of the Advanced Encryption Standard, 1996-2017. It has also inspired numerous other cryptographic designs. Despite its success, I am no longer enthousiastic about Rijndael as symmetric cryptography based on (bitslice) permutations is much nicer and more efficient than block-cipher-based crypto. I am now convinced that in, say, thirty years we will look back on block ciphers as we do now on rotor machines.

Still, I remain very proud of the research that Vincent and I did together. We have published the results of our collaboration before Rijndael became AES in our book. After its publication, Vincent and I continued our collaboration, investigating the propagation properties of Rijndael and proposed some MAC constructions. I refer to My papers page for our book and the most interesting papers we wrote together.

Keccak team

In 1998, our company Proton World hired a number of very talented people, including Gilles Van Assche and Michael Peeters. They were interested in doing research on crypto and in 1999 we started collaborating on block ciphers leading to a paper on masking of bitslice ciphers and our block cipher Noekeon (in collaboration with Vincent). In 2006 Guido Bertoni joined our effort and we started working on hash functions. This was the start of the Keccak team, the most innovative design team in the history of symmetric crypto. Our research led to the sponge construction and the SHA-3 contest submission Keccak that was announced winner by NIST in 2012. Later, our colleague Ronny Van Keer joined us and we shifted our focus to authenticated encryption with instances Keyak and Ketje. Since a few years Seth Hoffert, based in Lincoln, Nebraska, joined the Keccak team. In this new constellation, we have developed a parallelizable permutation-based construction called farfalle, that can be used for all keyed symmetric cryptographic functions. Later we designed a permutation that is ideally suited for this construction: Xoodoo resulting in the function Xoofff. In parallel, we have started a long-term collaboration with Bart Mennink (formerly COSIC, now Radboud) on proving bounds for the generic security of our constructions.


Since October 2018, we are doing research in the context of my ESCADA project with 6 PhD students and several postdocs. ESCADA is about reducing the gap between the secure and the lightweight in symmetric crypto and focuses on lightweight round functions of algebraic degree 2. Since August 2019, together with Bart Mennink we also have an NWO-funded project called SCALAR with 2 PhD students and 1 postdoc. SCALAR is about building symmetric cryptography that makes use of available multipliers. Two industry-funded projects complement these research directions with lightweight and low-latency symmetric cryptography, involving two more PhD students and a part-time postdoc.


(top) Last modified: March 22, 2023