Welcome to my homepage. I created this page to make some publications available that would otherwise be hard to find. My employer is the multinational semiconductor company STMicroelectronics, or ST for short. I work in the branch office in Diegem, Belgium as a cryptographer and IT security architect. If you want to contact me, I guess it is not so hard to find my email address.
I focus on the design of primitives and modes in symmetric cryptography. I am also interested in types of cryptanalysis that are relevant in the real world or impose new criteria for design. I like to do my research in long-term collaborations and count myself lucky to work with Vincent Rijmen since the early nineties and Gilles Van Assche, Michaël Peeters and (somewhat later) Guido Bertoni since the beginning of this millennium.
Here I have listed a number of my publications. They cover most of my research except that on Keccak and the sponge construction and permutation-based cryptography. For my publications on those subjects I refer to our page of Keccak-related papers and our page of sponge-related papers.
On the related-key attacks against AES
2011
Keywords: cryptanalysis: related-key attacks, primitives: block ciphers: Rijndael: AES
After some fuss was created on related-key attacks on full-round AES with 256-bit and 192-bit key length, Vincent and I felt the need to put things in perspective. After giving a number of presentations on the subject, we wrote it down in this paper.
Get the paper here and bibtex here
Sufficient conditions for sound hashing using a truncated permutation
2011
Keywords: modes: permutation-based hashing, design, security reduction proofs: indifferentiability
Tony did an internship at ST in 2010 and the result of our collaboration is this paper. We formulate a small set of simple conditions sufficient for truncated-permutation-based hashing modes to be sound. These hashing modes include tree hashing modes and sequential hashing modes. We prove that any hashing mode satisfying the conditions achieves the maximum possible security level you can expect, assuming that the underlying permutation is ideal.
Get the paper from eprint and bibtex from DBLP
Correlation Analysis in GF(2^n)
2011
Keywords: LC, finite fields, linear algebra, primitives: Rijndael, design
You can describe the propagation of linear masks through maps such as MixColumns in Rijndael without having to fix a basis. This paper explains how and also provides a description of Rijndael using only the multiplication and addition in GF(2^8). Part of the material of this paper already appeared as an appendix of our book on Rijndael.
Get the paper here and bibtex here
Refinements of the Alred Construction and MAC Security Claims
2010
Keywords: primitives: MAC functions: Alred: Pelican-MAC, security claims, design
The security claims for MAC functions proposed in our original paper on Alred were problematic and this paper fixes the problem. This paper contains some additional analysis of internal collisions in the Alred construction. It is also the first peer-reviewed publication of Pelican-MAC.
Get the paper here and bibtex from DBLP
Sufficient conditions for sound tree and sequential hashing modes
2009
Keywords: modes: hashing, design, security reduction proofs: indifferentiability
In this paper we prove that if a hashing mode satisfies a set of three simple conditions, it achieves the maximum possible security level you can expect, assuming an ideal underlying compression function. This covers tree and sequential hashing modes.
Get the paper from eprint and bibtex from DBLP
The Self-Synchronizing Stream Cipher Moustique
2008
Keywords: primitives: self-synchronizing stream ciphers: Moustique, design
Self-synchronizing stream ciphers are a rarity in cryptography. You can do self-synchronizing encryption with a block cipher in 1-bit CFB mode but this is very inefficient. The (academic) question is: is it possible to design a dedicated self-synchronizing stream cipher that is substantially more efficient? In 1992 I proposed a design strategy for high throughput and a proof-of-concept design called Knot, as documented in my thesis. Knot went through some changes and in 2005 hardware expert Paris Kitsos and I joined forces to build Mosquito, which we submitted to eSTREAM. This was soon broken and after tweaking it we called the result Moustique. This paper describes Moustique and its design philosophy and is a chapter in a book that came out of eSTREAM. Soon after, Moustique was also broken. I still believe the underlying design strategy is OK and that Moustique can be repaired with a simple tweak. This has been on my todo list for years now.
Get the paper here and bibtex from DBLP
Probability Distributions of Correlation and Differentials in Block Ciphers
2007
Keywords: random permutations and block ciphers, LC/DC
When investigating Rijndael, Vincent and I felt the need for improving our understanding of the typical correlation and differential propagation properties of random S-boxes, permutations or block ciphers. Building on the work of Luke O'Connor, in this paper we derive the distributions of DC and LC values and their maxima in random permutations and block ciphers.
Get the paper here and bibtex from DBLP
New criteria for linear maps in AES-like ciphers
2007
Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra
In this paper we summed up plateau trails and introduced the interesting concept of related differentials. This is a property of linear mappings that leads to sub-optimal behaviour when considering plateau trails. Circulant MDS matrices for instance, such as the one we used in Rijndael, structurally exhibit related differentials. Whether this sub-optimal behavior can be exploited in actual attacks is an open question.
Get the paper here and bibtex from DBLP
Plateau Characteristics
2007
Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra
In this paper we showed that differential trails in Rijndael have a behaviour that is very different from what Markov cipher theory would predict. Instead of having a differential probability (DP) that is largely independent from the key, the vast majority of trails in AES turn out to have non-zero DP for a small subset of the keys and zero DP for all other keys. We used the term characteristics to indicate trails because the editor would not accept a paper using the term trails.
Get the paper here and bibtex from DBLP
Producing Collisions for Panama, Instantaneously
2007
Keywords: primitives: stream/hash modules: Panama, DC
In 2002, Vincent Rijmen, Bart van Rompay and Bart Preneel had broken the Panama hash function academically. In 2006, we, the Keccak team avant la lettre, had presented RadioGatún as a hash function proposal. When looking at the 2002 attack on Panama, it was clear to us that Vincent et al. had not pushed their attack very far and that it could be made practical by exploiting some available degrees of freedom. We suspected that such an attack would put RadioGatún in a bad light, unless it would come from us. So Gilles and I took a shot at it, leading to collisions that take less effort to generate than to verify.
Get the paper here and bibtex from DBLP
Understanding Two-Round Differentials in AES
2006
Keywords: primitives: block ciphers, Rijndael, design, DC
For Shark, Square and Rijndael, Vincent and I had formulated simple proofs lower bounding the number of active S-boxes in linear and differential trails. However, the probability of a multi-round differential is equal to the sum of the differential probabilities (DP) of the trails compatible with it. Clustering of many trails of negligible DP may give rise to a differential with non-negligible DP. This paper is the result of our study of how two-round differential trails cluster into differentials in Rijndael, which turned out to be a non-trivial exercise. The inverse mapping in the S-box interacts with the MixColumns mapping in unexpected ways. I think it would be interesting to do a similar exercise for linear trails, but I expect this to be even more complex so I removed it from my todo list.
Get the paper here and bibtex from DBLP
Two-Round AES Differentials
2006
Keywords: primitives: block ciphers, Rijndael, design, DC
This paper is an early version of what would later become our papers Understanding Two-Round Differentials in Rijndael and Plateau Characteristics. Most of the material of this paper is covered in those two later papers, but Section 6.3 of this paper describes a key recovery attack on up to four rounds exploiting the specific properties we discovered, which we never published elsewhere.
Get the paper from eprint and bibtex from DBLP
RadioGatún, a belt-and-mill hash function
2006
Keywords: primitives: hash functions: RadioGatún, design, security claims, cryptanalysis: trail backtracking
RadioGatún is a research hash function proposal that was a predecessor of Keccak. It can be seen as a tweaked version of Panama. Even though it was quite different from Keccak, it played an important role in the design process of the latter.
Get the paper from eprint and bibtex from DBLP
The Pelican MAC Function
2005
Keywords: primitives: Pelican-MAC, design
After writing our paper on Alred, we took a closer look at our concrete AES-based proposal Alpha-MAC and concluded that it could be simplified and made more efficient at the same time. This resulted in Pelican-MAC, a very simple MAC function about 2.5 times faster than any AES-based CBC-MAC variant, requiring less RAM and with a smaller fixed overhead per message. Despite fierce attacks, the security claims of Pelican-MAC still stand up to this day.
Get the paper from eprint and bibtex from DBLP
A new MAC Construction Alred and a Specific Instance Alpha-MAC
2005
Keywords: primitives: MAC functions: Alred: Alpha-MAC, security claims, design
Looking at existing MAC function constructions such as CBC variants, HMAC and those based on so-called universal one-way hash functions, we decided to investigate the possibility to build MAC functions from a block cipher that are at the same time cleaner and more efficient. We started with specifying security claims that explicitly take into account the finite internal state of MAC functions in the form of the capacity concept. We proposed a generic way to build a MAC function from a block cipher called Alred and an AES-based proof of concept called Alpha-MAC.
Get the paper here and bibtex from DBLP
Probability Distributions of Correlation and Differentials in Block Ciphers (on ePrint)
2005
Keywords: random and iterated permutations and block ciphers, LC/DC
This is an earlier version of our paper with the same title that was later published. It has sections that deal with key-alternating block ciphers that are not present in the published version. We made some derivations based on assumptions that turned out not to hold for Rijndael and relatives and were contradicted by plateau trails. Still, we did not withdraw this version of the paper from ePrint as these sections have in the meanwhile inspired follow-on work and are likely to be valid for ciphers and permutations that have weak alignment.
Get this earlier version from eprint and bibtex from DBLP
Distinguishing Stream Ciphers with Convolutional Filters
2005
Keywords: primitives: stream ciphers: irregularly clocked LFSR, cryptanalysis: correlation attack
After reviewing a paper containing sub-optimal attacks on the shrinking generator and the alternating-step generator, I thought they could be improved. I teamed up with Gilles to try it and the result is this paper. We improve upon existing attacks by introducing convolutional filters, theoretically predict their efficiency and confirm this with experiments.
Get the paper from eprint and bibtex from DBLP
The Design of Rijndael: AES - The Advanced Encryption Standard
2002
Keywords: primitives: block ciphers: key-alternating ciphers: Rijndael, design: wide trail strategy, LC/DC
This is the book on Rijndael that Vincent and I wrote after winning the AES contest. Among other things, it specifies Rijndael, motivates and explains the underlying design approach and treats the propagation of differential and linear trails in key-alternating ciphers and how they combine into differentials and input-output correlations.
Get a PDF of the book here and errata here. Get bibtex from DBLP
Linear Frameworks for Block Ciphers
2001
Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC
In this paper we generalize the structure of our designs Shark, Square and Rijndael. We included all relevant material in this paper in our book on Rijndael.
Get the paper here and bibtex from DBLP
The Wide Trail Design Strategy
2001
Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC
In this paper we concentrate on the wide trail strategy flavor as we applied it in Shark, Square and Rijndael. All relevant material in this paper was later included in our book on Rijndael.
Get the paper here and bibtex from DBLP
Bitslice Ciphers and Power Analysis Attacks
2000
Keywords: primitives: block ciphers: bitslice ciphers: BaseKing, implementation: power analysis resistance
In this paper we discuss the limitations of the so-called duplication method as applied to DES and present techniques to protect bitslice ciphers against differential power analysis (DPA).
Get the paper here and bibtex from DBLP
Nessie Proposal: Noekeon
2000
Keywords: primitives: block ciphers: Noekeon, design, DC/LC
This is the submission document of Noekeon to the Nessie call. Noekeon is a lightweight block cipher that can compete with modern lightweight designs and has powerful lower bounds for the weight of linear and differential trails. It was kicked out of the Nessie competition due to existential related-key properties. We argue that the only protocols that allow their exploitation will have to be especially designed with this purpose.
Get the paper here and bibtex here
AES Proposal: Rijndael
1999
Keywords: primitives: block ciphers: Rijndael, design: wide trail strategy, LC/DC
This is the submission document of Rijndael to the AES call, updated for the second round. We included all relevant material in this document in our book on Rijndael.
Get the document here and bibtex here
The block cipher BKSQ
1998
Keywords: primitives: block ciphers: BKSQ, design
My colleague Michel Dawirs had designed the BST protocol that makes use of many calls to one-way functions and he was looking for such a one-way function that was suited for smart cards. As a response, Vincent and I designed a variant of Square with a block size of 96 bits for this purpose.
Get the paper here and bibtex from DBLP
The Banksys signature transport (BST) protocol
1998
Keywords: cryptographic protocols: (Banksys) signature transport, design
The Banksys signature transport protocol is suitable for offline electronic payments and makes use of Lamport signatures and structures that remind of Merkle trees. Michel Dawirs came up with the principal idea and I proposed some optimizations and wrote the paper.
Get the paper here and bibtex from DBLP
Management of Secret Keys: Dynamic Key Handling
1998
Keywords: (symmetric) key management techniques: forward secrecy, key evolution
When I arrived at Banksys, cryptography in payment transactions was still fully based on Triple-DES. I discovered that some interesting key handling techniques were being used to address very specific requirements. When I was asked to give a presentation at the COSIC cryptography course, I decided to speak about these techniques and this paper is a chapter in a book accompanying the course.
Get the paper here and bibtex from DBLP
Fast Hashing and Stream Encryption with Panama
1998
Keywords: primitives: stream/hash modules: Panama, design
Craig Clapp and I reworked an earlier design presented in my thesis called StepRightUp and we named the result Panama. Panama can do hashing and keystream generation, both extremely fast. In the meanwhile the Panama hash function has been badly broken but the Panama stream cipher is still standing.
Get the paper here and bibtex from DBLP
The block cipher Square
1997
Keywords: primitives: block ciphers: Square, design: wide trail strategy, LC/DC, cryptanalysis: Square attack
Square was a block cipher that has most of the elements of Rijndael: its S-box, MDS matrix and provable bounds on trail weights. This paper also introduced the Square attack, invented by Lars.
Get the paper here and bibtex from DBLP
The Cipher Shark
1996
Keywords: primitives: block ciphers: Shark, design: wide trail strategy, LC/DC
In this paper we introduced the following elements of Rijndael: the strongly byte-aligned structure, the use of MDS matrices for diffusion and the multiplicative inverse in GF(2^8) for non-linearity.
Get the paper here and bibtex from DBLP
Cipher and hash function design - PhD thesis
1995
Keywords: primitives: block ciphers, stream/hash modules, self-synchronizing stream ciphers, design: wide trail strategy, shift-invariant transformations, analysis: LC/DC: correlation matrices, cryptanalysis: weak keys of IDEA, Even-Mansour, re-synchronization attacks
My PhD thesis in a printer-friendly layout.