Here is my publications list. Please note that some versions available from here may differ from their publication form and that the published versions are in general copyright from the publisher (check on the corresponding links).

Last update: January 18th, 2023.

PhD: The Security of Cryptographic Primitives
Habilitation to Supervise Research: Towards a Theory of Symmetric Encryption
Exercices book, Dunod: Algorithmique et optimisation: exercices corrigés
Textbook on cryptography, Springer: A Classical Introduction to Cryptography - Applications for Communications Security (external URL)
Exercise book on cryptography, Springer: A Classical Introduction to Cryptography - Exercise Book (external URL)
Textbook on cryptography, PPUR (in French): La fracture cryptographique (external URL)
LNCS volume: FSE' 98 (external URL)
LNCS volume: SAC' 01 (external URL)
LNCS volume: PKC' 05 (external URL)
LNCS volume: Mycrypt' 05 (external URL)
LNCS volume: EUROCRYPT' 06 (external URL)
LNCS volume: AFRICACRYPT' 08 (external URL)
LNCS volume: SAC' 11 (external URL)
LNCS volume: AFRICACRYPT' 12 (external URL)
LNCS volume: INDOCRYPT' 13 (external URL)
LNCS volume: ACNS' 14 (external URL)
LNCS volume: CANS' 20 (external URL)
Stinson's book (1st Edition), ITP: Cryptographie Théorie et Pratique
Stinson's book (2nd Edition), Vuibert: Cryptographie Théorie et Pratique
Martin's book, PPUR: Codage, Cryptographie et Applications (external URL)
Journal of Cryptology (published by Springer-Verlag)
JoC 97: The Security of the Birational Permutation Signature Schemes
JoC 98: Black Box Cryptanalysis of Cryptographic Primitives
JoC 01: Cryptanalysis of the Chor-Rivest Cryptosystem
JoC 03: Decorrelation: a Theory for Block Cipher Security
JoC 08: Cryptanalysis of an E0-like Combiner with Memory
JoC 11: Short Undeniable Signatures Based on Group Homomorphisms
Other Journals
CIS 01: Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
MC2R 03: Cryptography with Guardian Angels: Bringing Civilization to Pirates - Abstract
IPL 05: Generating Anomalous Elliptic Curves
IPL 07: How to Safely Close a Discussion
J. of Physics 07: About Machine-Readable Travel Documents
Security & Privacy 07: E-Passport Threats
CCDS 12: Synthetic Linear Analysis with Applications to CubeHash and Rabbit
IJCNS 12: Cryptanalysis of the Double-Moduli Cryptosystem
Comput. J. 13: On Selecting the Nonce Length in Distance-Bounding Protocols
SACS 13: UC and EUC Weak Bit-Commitments Using Seal-Once Tamper-Evidence
Proc Of The Romanian Academy 13: A Fully Dynamic Universal Accumulator
Computers & Security 14: Location Leakage in Distance Bounding: Why Location Privacy does not Work
CCDS 14: Revisiting Iterated Attacks in the Context of Decorrelation Theory
Security & Privacy 15: Challenges in Distance Bounding
Computer Security 15: Practical and Provably Secure Distance-Bounding
Computer Security 15: Expected Loss Analysis for Authentication in Constrained Channels
IJIS 15: On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
CCDS 15: On solving LPN using BKW and variants Implementation and Analysis
Studia Scientiarum Mathematicarum Hungarica 15: Cryptanalysis of Chosen Symmetric Homomorphic Schemes
IFS 16: Privacy Failure in the Public-Key Distance-Bounding Protocols
Cryptologia 16: DES S-box Generator
CCDS 18: Cryptanalysis of a Homomorphic Encryption Scheme
CSUR 18: Security of Distance-Bounding: A Survey
TMMP 19: Cryptanalysis of Enhanced MORE
DTRAP 22: SwissCovid in the Perspective of its Goals
Book Chapters
Springer 12: TCHO: A Code-Based Cryptosystem
Crypto Series (published as Springer-Verlag's LNCS volumes)
Crypto' 92: FFT-Hash-II is not yet Collision-Free
Crypto' 93: Attacks on the Birational Permutation Signature
Crypto' 96: Hidden Collisions on DSS
Crypto' 98: Cryptanalysis of the Chor-Rivest Cryptosystem
Crypto' 03: Password Interception in a SSL/TLS Channel
Crypto' 04: Faster Correlation Attack on Bluetooth E0 Keystream Generator
Crypto' 05: Secure Communications over Insecure Channels Based on Short Authenticated Strings
Crypto' 05: The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption
Crypto' 12: Resistance Against Iterated Attacks by Decorrelation Revisited
Crypto' 15: Capacity and Data Complexity in Multidimensional Linear Attack
Crypto' 17: Breaking the FF3 Format-Preserving Encryption Standard Over a Small Domain (Eprint 2017/521)
Eurocrypt Series (published as Springer-Verlag's LNCS volumes)
Eurocrypt' 94: Links between Differential and Linear Cryptanalysis
Eurocrypt' 94: Complexity Trade-Offs with the Digital Signature Standard
Eurocrypt' 94: Black Box Cryptanalysis of Hash Networks based on Multipermutations
Eurocrypt' 99: Resistance Against General Iterated Attacks
Eurocrypt' 02: Security Flaws Induced by CBC Padding --- Applications to SSL, IPSEC, WTLS...
Eurocrypt' 09: Smashing SQUASH-0
Eurocrypt' 11: Statistical Attack on RC4: Distinguishing WPA
Eurocrypt' 15: Better Algorithms for LWE and LWR
Eurocrypt' 19: Misuse Attacks on Post-quantum Cryptosystems
Eurocrypt' 22: On IND-qCCA Security in the ROM and Its Applications - CPA Security Is Sufficient for TLS 1.3
Asiacrypt Series (published as Springer-Verlag's LNCS volumes)
Asiacrypt' 96: Authenticated Multi-Party Key Agreement
Asiacrypt' 96: Minding your p's and q's
Asiacrypt' 99: On the Lai-Massey Scheme
Asiacrypt' 00: On the Pseudorandomness of Top-Level Schemes of Block Ciphers
Asiacrypt' 04: Generic Homomorphic Undeniable Signatures
Asiacrypt' 04: Cryptanalysis of Bluetooth Keystream Generator Two-level E0
Asiacrypt' 04: How Far Can We Go Beyond Linear Cryptanalysis?
Asiacrypt' 07: On Privacy Models for RFID
Asiacrypt' 08: On the Security of HB# against a Man-in-the-Middle Attack
Asiacrypt' 15: How to Sequentialize Independent Parallel Attacks? Biased Distributions Have a Phase Transition
Asiacrypt' 16: Optimization of LPN Solving Algorithms
Asiacrypt' 16: Efficient Public-Key Distance Bounding Protocol
Asiacrypt' 16: Authenticated Encryption with Variable Stretch
Asiacrypt' 20: Determining the Core Primitive for Optimally Secure Ratcheting (also Eprint 2020/148)
Asiacrypt' 21: FAST: Secure and High Performance Format-Preserving Encryption and Tokenization (also Eprint 2021/1171)
Asiacrypt' 21: New Attacks on LowMC Instances with a Single Plaintext/Ciphertext Pair (also Eprint 2021/1345)
Fast Software Encryption Series (published as Springer-Verlag's LNCS volumes or IACR ToSC journal)
Fse' 93: Parallel FFT-Hashing
Fse' 94: On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER
Fse' 96: On the Weak Keys of Blowfish
Fse' 97: xmx - a Firmware-Oriented Block Cipher based on Modular Multiplications
Fse' 98: CS-Cipher
Fse' 99: On the Security of CS-Cipher
Fse' 00: A Statistical Attack on RC6
Fse' 03: Optimal Key Ranking Procedures in a Statistical Cryptanalysis
Fse' 12: ElimLin Algorithm Revisited
Fse' 13: Smashing WEP in A Passive Attack
Fse' 13: Towards Secure Distance Bounding
Fse' 15: Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation
Fse' 15: Boosting OMD for Almost Free Authentication of Associated Data
Fse' 20: Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers
Fse' 21: Cryptanalysis of LowMC instances using single plaintext/ciphertext pair
Selected Areas on Cryptography (SAC) Series (published as Springer-Verlag's LNCS volumes)
Sac' 98: Feistel Ciphers with L_2-Decorrelation
Sac' 99: Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomnes
Sac' 99: A Universal Encryption Standard
Sac' 00: Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
Sac' 00: DFCv2
Sac' 03: On the Use of GF-Inversion as a Cryptographic Primitive
Sac' 04: FOX: a new Family of Block Ciphers
Sac' 04: Perfect Diffusion Primitives for Block Ciphers
Sac' 05: Proving the Security of AES Substitution-Permutation Network
Sac' 06: When Stream Cipher Analysis Meets Public-Key Cryptography
Sac' 07: Passive-Only Key Recovery Attacks on RC4
Sac' 07: Linear Cryptanalysis of Non Binary Ciphers
Sac' 10: Discovery and Exploitation of New Biases in RC4
Sac' 14: OMD: A Compression Function Mode of Operation for Authenticated Encryption
Public Key Cryptography (PKC) Series (published as Springer-Verlag's LNCS volumes)
Pkc' 00: Design Validations for Discrete Logarithm Based Signature Schemes
Pkc' 03: The Security of DSA and ECDSA
Pkc' 04: Undeniable Signatures Based on Characters
Pkc' 06: SAS-Based Authenticated Key Agreement
Pkc' 21: Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness (also Eprint 2019/965)
Other Series Published as Springer-Verlag's LNCS Volumes
Information Hiding' 96: The Newton Channel
Financial Cryptography' 97: SVP: a Flexible Micropayment Scheme
Cardis' 98: Decorrelated Fast Cipher: an AES Candidate well suited for Low Cost Smart Cards Applications
Stacs' 98: Provable Security for Block Ciphers by Decorrelation
Icisc' 99: On Provable Security for Conventional Cryptography
Ches' 00: Efficient Generation of Prime Numbers
Wisa' 03: Fair Exchange with Guardian Angels
Acisp' 04: Digital Signature Schemes with Domain Parameters
Acisp' 04: Optimistic Fair Exchange based on Publicly Verifiable Secret Sharing
Icics' 04: On someWeak Extensions of AES and BES
Isc' 05: Chaum's Designated Confirmer Signature Revisited
Mycrypt' 05: Optimization of the MOVA Undeniable Signature Scheme
Cisc' 05: On Bluetooth Repairing: Key Agreement based on Symmetric-Key Cryptography
Cisc' 05: Enforcing Email Addresses Privacy using Tokens
Ct-rsa' 06: An Optimal Non-Interactive Message Authentication Protocol
Icisc' 06: RFID Privacy based on Public-Key Cryptography
Acisp' 07: TCHo: a Hardware-Oriented Trapdoor Cipher
Acisp' 07: Hash-and-Sign with Weak Hashing Made Secure
Icisc' 07: Security-Preserving Asymmetric Protocol Encapsulation
Icits' 08: The Complexity of Distinguishing Distributions
Iwcc' 09: On the Impossibility of Strong Encryption over aleph0
Ches' 09: On Tamper-Resistance from a Theoretical Viewpoint: The Power of Seals
Acns' 09: Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document
Ches' 10: ARMADILLO: A Multi-purpose Cryptographic Primitive Dedicated to Hardware
Acns' 10: A Message Recognition Protocol Based on Standard Assumptions
Provsec' 10: Distinguishing Distributions Using Chernoff Information
Cans' 10: Cryptanalysis of Reduced-Round MIBS Block Cipher
Icisc' 11: Synthetic Linear Analysis: Improved Attacks on CubeHash and Rabbit
Acns' 11: On Hiding a Plaintext Length by Preencryption
Quisquater' 12: Deniable RSA Signature: The Raise and Fall of Ali Baba
Cardis' 11: Fast Key Recovery Attack on ARMADILLO1 and Variants
Cardis' 12: Multipurpose Cryptographic Primitive ARMADILLO3
Provsec' 12: Several Weak Bit-Commitments Using Seal-Once Tamper-Evident Devices
Latincrypt' 12: On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
Indocrypt' 12: Resistance against Adaptive Plaintext-Ciphertext Iterated Distinguishers
Cans' 12: Strong Privacy for RFID Systems from Plaintext-Aware Encryption
Inscrypt' 12: The Bussard-Bagga and Other Distance-Bounding Protocols under Attacks
Lightsec' 13: Secure & Lightweight Distance-Bounding
Provsec' 13: On Modeling Terrorist Frauds
Provsec' 13: Input-Aware Equivocable Commitments and UC-secure Commitments With Atomic Exchanges
Acns' 13: Primeless Factoring-Based Cryptography
Acisp' 14: On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
Iwsec' 14: Improved Linear Cryptanalysis of Reduced-Round MIBS
Provsec' 14: Misuse-Resistant Variants of the OMD Authenticated Encryption Mode
Inscrypt' 14: Optimal Proximity Proofs
Indocrypt' 14: On the Key Schedule of Lightweight Block Ciphers
Icisc' 14: Compact and Efficient UC Commitments under Atomic-Exchanges
Fc' 15: Private and Secure Public-Key Distance Bounding: Application to NFC Payment
Acns' 15: Optimal Proximity Proofs Revisited
Provsec' 15: Sound Proof of Proximity of Knowledge
Provsec' 15: On Privacy for RFID
Kahn' 16: Clever Arbiters versus Malicious Adversaries
Secitc' 16: Circular Security Reconsidered
Cans' 16: Distance Bounding based on PUF
Cans' 16: When Constant-time Source Yields Variable-time Binary: Exploiting Curve25519-donna Built with MSVC 2015
Cans' 16: Side-Channel Attacks on Threshold Implementations using a Glitch Algebra
Isc' 17: Contactless Access Control Based on Distance Bounding
Acns' 18: Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains
Acns' 18: Formal Analysis of Distance Bounding with Secure Hardware
Acns' 18: Can Caesar Beat Galois?
Acisp' 18: Secure Contactless Payment
Iwsec' 19: Bidirectional Asynchronous Ratcheted Key Agreement with Linear Complexity
Wisa' 19: Timed-Release Encryption With Master Time Bound Key
Stm' 19: BioID: a Privacy-Friendly Identity Document
Iwsec' 20: Sublinear Bounds on the Distinguishing Advantage for Multiple Samples
Iwsec' 20: Symmetric Asynchronous Ratcheted Communication with Associated Data
Acns' 20: BioLocker: A Practical Biometric Authentication Mechanism Based on 3D Fingervein (also Eprint 2020/453)
Acns' 20: Classical Misuse Attacks on NIST Round~2 PQC - The Power of Rank-Based Schemes (also Eprint 2020/409)
Acns' 21: Towards Efficient LPN-Based Symmetric Encryption
Ct-rsa' 21: On the Effectiveness of Time Travel to Inject COVID-19 Alerts (also Eprint 2020/1393)
Icisc' 21: Towards Witness Encryption Without Multilinear Maps
Cans' 21: FO-like Combiners and Hybrid Post-Quantum Cryptography (also Eprint 2021/1288)
Other Conference Proceedings
Eurocode' 92: One-Time Identification with Low Memory
Acm ccs' 96: An Experiment on DES - Statistical Cryptanalysis
AES Submission, Extended Abstract: Decorrelated Fast Cipher: an AES Candidate
Report for the AES2 Workshop: Report on the AES Candidates
Report for the AES2 Workshop: DFC Update
Santha's crypto get together' 03: On Measuring Resistance to Linear Cryptanalysis
Yacc' 04: How to Sign with One Bit
Sec' 05: The Pairing Problem with User Interaction
Bsym' 06: A Protection Scheme for MoC-Enabled Smart Cards
Rfid sec' 07: About Machine-Readable Travel Documents
Asiaccs' 08: Mutual Authentication in RFID: Security and Privacy
Rfid sec' 09: Pathchecker: An RFID Application for Tracing Products in Supply-Chains
Biosig' 09: The Extended Access Control for Machine Readable Travel Documents
Secrypt' 11: Related-Key Attack against Triple Encryption based on Fixed Points
Icete' 11: A Related-Key Attack against Multiple Encryption based on Fixed Points
Yacc' 12: HELEN: a Public-key Cryptosystem Based on the LPN Problem (Extended Abstract)
Yacc' 12: Primeless Modular Cryptography (Extended Abstract)
Ieee rfid-ta' 12: Mafia Fraud Attack against the RC Distance-Bounding Protocol
Infocomm' 12: Expected Loss Bounds for Authentication in Constrained Channels
Asiaccs' 15: The Limits of Composable Crypto with Transferable Setup Devices
Scis' 20: Smart Contract with Secret Parameters
Itc' 21: Post-Compromise Security in Self-Encryption
Technical Report: On Provable Security for Digital Signature Algorithms
Rump Session of Asiacrypt'96 (unpublished): On the Security of Lenstra's DSA Variant
Technical Report: Provable Security for Block Ciphers by Decorrelation
Official Comment of AES: Comparison of the Randomness Provided by Some AES Candidates
Technical Report: CBC Padding: Security Flaws in SSL, IPSEC, WTLS, ...
Technical Report: FOX Specifications Version 1.1
Technical Report: FOX Specifications Version 1.2
Eprint 16: Observations on the LPN Solving Algorithm from Eurocrypt'16
Articcrypt 16: Cryptanalysis of a Homomorphic Encryption Scheme
Esc' 17: Breaking the FF3 Format-Preserving Encryption
Eprint 18: Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains
Eprint 20: Analysis of DP3T - Between Scylla and Charybdis
Online 20: Le traçage anonyme, dangereux oxymore. Analyse de risques à destination des non-spécialistes
Eprint 20: Centralized or Decentralized? The Contact Tracing Dilemma
Online 20: Own Analysis of SwissCovid
Online 20: The Dark Side of SwissCovid

Complexity Trade-Offs with the Digital Signature Standard

Joint work with David M'Raihi, David Naccache and Dan Raphaeli
In Advances in Cryptology EUROCRYPT'94, Perugia, Italy, Lecture Notes in Computer Science No. 950, pp. 77-85, Springer-Verlag, 1995.
The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtelly, many applications will include this standard in the future and thus, the foreseen domination of DSA as legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations. In this paper, we present six new DSA-based protocols for: performing a quick batch-verification of n signatures; avoiding the cumbersome calculation of 1/k mod q by the signer; compressing sets of DSA transactions into shorter archive signatures; generating signatures from pre-calculated "Use & Throw" 224-bit signature-coupons; self-certifying the moduli and bit-patterning directly q on p. All our schemes combine in a natural way full DSA compatibility and flexible trade-offs between computational complexity, transmission overheads and key sizes.

Serge Vaudenay