Last update: December 20th, 2016.

**Dissertations**

- **PhD**: The Security of Cryptographic Primitives
- **Habilitation to Supervise Research**: Towards a Theory of Symmetric Encryption

**Books**

- **Exercise book, Dunod**: Algorithmique et optimisation: exercices corrigés
- **Textbook on cryptography, Springer**: A Classical Introduction to Cryptography - Applications for Communications Security (external URL)
- **Exercise book on cryptography, Springer**: A Classical Introduction to Cryptography - Exercise Book (external URL)
- **Textbook on cryptography, PPUR (in French)**: La fracture cryptographique (external URL)

**Proceedings**

- **LNCS volume**: Fast Software Encryption' 98 (external URL)
- **LNCS volume**: Selected Areas in Cryptography' 01 (external URL)
- **LNCS volume**: Public Key Cryptography' 05 (external URL)
- **LNCS volume**: Mycrypt' 05 (external URL)
- **LNCS volume**: EUROCRYPT' 06 (external URL)
- **LNCS volume**: AFRICACRYPT' 08 (external URL)
- **LNCS volume**: SAC' 11 (external URL)
- **LNCS volume**: AFRICACRYPT' 12 (external URL)
- **LNCS volume**: ACNS' 14 (external URL)

**Translations**

- **Stinson's book (1st Edition), ITP**: Cryptographie Théorie et Pratique
- **Stinson's book (2nd Edition), Vuibert**: Cryptographie Théorie et Pratique

**Prefaces**

- **Martin's book, PPUR**: Codage, Cryptographie et Applications (external URL)

**Journal of Cryptology** (published by Springer-Verlag)

- **JoC 97**: The Security of the Birational Permutation Signature Schemes
- **JoC 98**: Black Box Cryptanalysis of Cryptographic Primitives
- **JoC 01**: Cryptanalysis of the Chor-Rivest Cryptosystem
- **JoC 03**: Decorrelation: a Theory for Block Cipher Security
- **JoC 08**: Cryptanalysis of an E0-like Combiner with Memory
- **JoC 11**: Short Undeniable Signatures Based on Group Homomorphisms

**Other Journals**

- **CIS 01**: Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
- **MC2R 03**: Cryptography with Guardian Angels: Bringing Civilization to Pirates - Abstract
- **IPL 05**: Generating Anomalous Elliptic Curves
- **IPL 07**: How to Safely Close a Discussion
- **J. of Physics 07**: About Machine-Readable Travel Documents
- **Security & Privacy 07**: E-Passport Threats
- **CCDS 12**: Synthetic Linear Analysis with Applications to CubeHash and Rabbit
- **IJCNS 12**: Cryptanalysis of the Double-Moduli Cryptosystem
- **Comput. J. 13**: On Selecting the Nonce Length in Distance-Bounding Protocols
- **SACS 13**: UC and EUC Weak Bit-Commitments Using Seal-Once Tamper-Evidence
- **Proc Of The Romanian Academy 13**: A Fully Dynamic Universal Accumulator
- **Computers & Security 14**: Location Leakage in Distance Bounding: Why Location Privacy does not Work
- **CCDS 14**: Revisiting Iterated Attacks in the Context of Decorrelation Theory
- **Security & Privacy 15**: Challenges in Distance Bounding
- **Computer Security 15**: Practical and Provably Secure Distance-Bounding
- **Computer Security 15**: Expected Loss Analysis for Authentication in Constrained Channels
- **IJIS 15**: On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
- **CCDS 15**: On solving LPN using BKW and variants Implementation and Analysis
- **Studia Scientiarum Mathematicarum Hungarica 15**: Cryptanalysis of Chosen Symmetric Homomorphic Schemes
- **IFS 16**: Privacy Failure in the Public-Key Distance-Bounding Protocols
- **Cryptologia 16**: DES S-box Generator

**Book Chapters**

- **Springer 12**: TCHO: A Code-Based Cryptosystem

**Crypto Series** (published as Springer-Verlag's LNCS volumes)

- **Crypto' 92**: FFT-Hash-II is not yet Collision-Free
- **Crypto' 93**: Attacks on the Birational Permutation Signature
- **Crypto' 96**: Hidden Collisions on DSS
- **Crypto' 98**: Cryptanalysis of the Chor-Rivest Cryptosystem
- **Crypto' 03**: Password Interception in a SSL/TLS Channel
- **Crypto' 04**: Faster Correlation Attack on Bluetooth E0 Keystream Generator
- **Crypto' 05**: Secure Communications over Insecure Channels Based on Short Authenticated Strings
- **Crypto' 05**: The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption
- **Crypto' 12**: Resistance Against Iterated Attacks by Decorrelation Revisited
- **Crypto' 15**: Capacity and Data Complexity in Multidimensional Linear Attack

**Eurocrypt Series** (published as Springer-Verlag's LNCS volumes)

- **Eurocrypt' 94**: Links between Differential and Linear Cryptanalysis
- **Eurocrypt' 94**: Complexity Trade-Offs with the Digital Signature Standard
- **Eurocrypt' 94**: Black Box Cryptanalysis of Hash Networks based on Multipermutations
- **Eurocrypt' 99**: Resistance Against General Iterated Attacks
- **Eurocrypt' 02**: Security Flaws Induced by CBC Padding --- Applications to SSL, IPSEC, WTLS...
- **Eurocrypt' 09**: Smashing SQUASH-0
- **Eurocrypt' 11**: Statistical Attack on RC4: Distinguishing WPA
- **Eurocrypt' 15**: Better Algorithms for LWE and LWR

**Asiacrypt Series** (published as Springer-Verlag's LNCS volumes)

- **Asiacrypt' 96**: Authenticated Multi-Party Key Agreement
- **Asiacrypt' 96**: Minding your p's and q's
- **Asiacrypt' 99**: On the Lai-Massey Scheme
- **Asiacrypt' 00**: On the Pseudorandomness of Top-Level Schemes of Block Ciphers
- **Asiacrypt' 04**: Generic Homomorphic Undeniable Signatures
- **Asiacrypt' 04**: Cryptanalysis of Bluetooth Keystream Generator Two-level E0
- **Asiacrypt' 04**: How Far Can We Go Beyond Linear Cryptanalysis?
- **Asiacrypt' 07**: On Privacy Models for RFID
- **Asiacrypt' 08**: On the Security of HB# against a Man-in-the-Middle Attack
- **Asiacrypt' 15**: How to Sequentialize Independent Parallel Attacks? Biased Distributions Have a Phase Transition
- **Asiacrypt' 16**: Optimization of LPN Solving Algorithms
- **Asiacrypt' 16**: Efficient Public-Key Distance Bounding Protocol
- **Asiacrypt' 16**: Authenticated Encryption with Variable Stretch

**Fast Software Encryption Series** (published as Springer-Verlag's LNCS volumes)

- **Fse' 93**: Parallel FFT-Hashing
- **Fse' 94**: On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER
- **Fse' 96**: On the Weak Keys of Blowfish
- **Fse' 97**: xmx - a Firmware-Oriented Block Cipher based on Modular Multiplications
- **Fse' 98**: CS-Cipher
- **Fse' 99**: On the Security of CS-Cipher
- **Fse' 00**: A Statistical Attack on RC6
- **Fse' 03**: Optimal Key Ranking Procedures in a Statistical Cryptanalysis
- **Fse' 12**: ElimLin Algorithm Revisited
- **Fse' 13**: Smashing WEP in A Passive Attack
- **Fse' 13**: Towards Secure Distance Bounding
- **Fse' 15**: Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation
- **Fse' 15**: Boosting OMD for Almost Free Authentication of Associated Data

**Selected Areas on Cryptography (SAC) Series** (published as Springer-Verlag's LNCS volumes)

- **Sac' 98**: Feistel Ciphers with L_2-Decorrelation
- **Sac' 99**: Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness
- **Sac' 99**: A Universal Encryption Standard
- **Sac' 00**: Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
- **Sac' 00**: DFCv2
- **Sac' 03**: On the Use of GF-Inversion as a Cryptographic Primitive
- **Sac' 04**: FOX: a new Family of Block Ciphers
- **Sac' 04**: Perfect Diffusion Primitives for Block Ciphers
- **Sac' 05**: Proving the Security of AES Substitution-Permutation Network
- **Sac' 06**: When Stream Cipher Analysis Meets Public-Key Cryptography
- **Sac' 07**: Passive-Only Key Recovery Attacks on RC4
- **Sac' 07**: Linear Cryptanalysis of Non Binary Ciphers
- **Sac' 10**: Discovery and Exploitation of New Biases in RC4
- **Sac' 14**: OMD: A Compression Function Mode of Operation for Authenticated Encryption

**Public Key Cryptography (PKC) Series** (published as Springer-Verlag's LNCS volumes)

- **Pkc' 00**: Design Validations for Discrete Logarithm Based Signature Schemes
- **Pkc' 03**: The Security of DSA and ECDSA
- **Pkc' 04**: Undeniable Signatures Based on Characters
- **Pkc' 06**: SAS-Based Authenticated Key Agreement

**Other Series Published as Springer-Verlag's LNCS Volumes**

- **Information Hiding' 96**: The Newton Channel
- **Financial Cryptography' 97**: SVP: a Flexible Micropayment Scheme
- **Cardis' 98**: Decorrelated Fast Cipher: an AES Candidate well suited for Low Cost Smart Cards Applications
- **Stacs' 98**: Provable Security for Block Ciphers by Decorrelation
- **Icisc' 99**: On Provable Security for Conventional Cryptography
- **Ches' 00**: Efficient Generation of Prime Numbers
- **Wisa' 03**: Fair Exchange with Guardian Angels
- **Acisp' 04**: Digital Signature Schemes with Domain Parameters
- **Acisp' 04**: Optimistic Fair Exchange based on Publicly Verifiable Secret Sharing
- **Icics' 04**: On some Weak Extensions of AES and BES
- **Isc' 05**: Chaum's Designated Confirmer Signature Revisited
- **Mycrypt' 05**: Optimization of the MOVA Undeniable Signature Scheme
- **Cisc' 05**: On Bluetooth Repairing: Key Agreement based on Symmetric-Key Cryptography
- **Cisc' 05**: Enforcing Email Addresses Privacy using Tokens
- **Ct-rsa' 06**: An Optimal Non-Interactive Message Authentication Protocol
- **Icisc' 06**: RFID Privacy based on Public-Key Cryptography
- **Acisp' 07**: TCHo: a Hardware-Oriented Trapdoor Cipher
- **Acisp' 07**: Hash-and-Sign with Weak Hashing Made Secure
- **Icisc' 07**: Security-Preserving Asymmetric Protocol Encapsulation
- **Icits' 08**: The Complexity of Distinguishing Distributions
- **Iwcc' 09**: On the Impossibility of Strong Encryption over aleph0
- **Ches' 09**: On Tamper-Resistance from a Theoretical Viewpoint: The Power of Seals
- **Acns' 09**: Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document
- **Ches' 10**: ARMADILLO: A Multi-purpose Cryptographic Primitive Dedicated to Hardware
- **Acns' 10**: A Message Recognition Protocol Based on Standard Assumptions
- **Provsec' 10**: Distinguishing Distributions Using Chernoff Information
- **Cans' 10**: Cryptanalysis of Reduced-Round MIBS Block Cipher
- **Icisc' 11**: Synthetic Linear Analysis: Improved Attacks on CubeHash and Rabbit
- **Acns' 11**: On Hiding a Plaintext Length by Preencryption
- **Quisquater' 12**: Deniable RSA Signature: The Raise and Fall of Ali Baba
- **Cardis' 11**: Fast Key Recovery Attack on ARMADILLO1 and Variants
- **Cardis' 12**: Multipurpose Cryptographic Primitive ARMADILLO3
- **Provsec' 12**: Several Weak Bit-Commitments Using Seal-Once Tamper-Evident Devices
- **Latincrypt' 12**: On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
- **Indocrypt' 12**: Resistance against Adaptive Plaintext-Ciphertext Iterated Distinguishers
- **Cans' 12**: Strong Privacy for RFID Systems from Plaintext-Aware Encryption
- **Inscrypt' 12**: The Bussard-Bagga and Other Distance-Bounding Protocols under Attacks
- **Lightsec' 13**: Secure & Lightweight Distance-Bounding
- **Provsec' 13**: On Modeling Terrorist Frauds
- **Provsec' 13**: Input-Aware Equivocable Commitments and UC-secure Commitments With Atomic Exchanges
- **Acns' 13**: Primeless Factoring-Based Cryptography
- **Acisp' 14**: On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
- **Iwsec' 14**: Improved Linear Cryptanalysis of Reduced-Round MIBS
- **Provsec' 14**: Misuse-Resistant Variants of the OMD Authenticated Encryption Mode
- **Inscrypt' 14**: Optimal Proximity Proofs
- **Indocrypt' 14**: On the Key Schedule of Lightweight Block Ciphers
- **Icisc' 14**: Compact and Efficient UC Commitments under Atomic-Exchanges
- **Fc' 15**: Private and Secure Public-Key Distance Bounding: Application to NFC Payment
- **Acns' 15**: Optimal Proximity Proofs Revisited
- **Provsec' 15**: Sound Proof of Proximity of Knowledge
- **Provsec' 15**: On Privacy for RFID
- **Kahn' 16**: Clever Arbiters versus Malicious Adversaries
- **Secitc' 16**: Circular Security Reconsidered
- **Cans' 16**: Distance Bounding based on PUF
- **Cans' 16**: When Constant-time Source Yields Variable-time Binary: Exploiting Curve25519-donna Built with MSVC 2015
- **Cans' 16**: Side-Channel Attacks on Threshold Implementations using a Glitch Algebra

**Other Conference Proceedings**

- **Eurocode' 92**: One-Time Identification with Low Memory
- **Acm ccs' 96**: An Experiment on DES - Statistical Cryptanalysis
- **AES Submission, Extended Abstract**: Decorrelated Fast Cipher: an AES Candidate
- **Report for the AES2 Workshop**: Report on the AES Candidates
- **Report for the AES2 Workshop**: DFC Update
- **Santha's crypto get together' 03**: On Measuring Resistance to Linear Cryptanalysis
- **Yacc' 04**: How to Sign with One Bit
- **Sec' 05**: The Pairing Problem with User Interaction
- **Bsym' 06**: A Protection Scheme for MoC-Enabled Smart Cards
- **Rfid sec' 07**: About Machine-Readable Travel Documents
- **Asiaccs' 08**: Mutual Authentication in RFID: Security and Privacy
- **Rfid sec' 09**: Pathchecker: An RFID Application for Tracing Products in Supply-Chains
- **Biosig' 09**: The Extended Access Control for Machine Readable Travel Documents
- **Secrypt' 11**: Related-Key Attack against Triple Encryption based on Fixed Points
- **Icete' 11**: A Related-Key Attack against Multiple Encryption based on Fixed Points
- **Yacc' 12**: HELEN: a Public-key Cryptosystem Based on the LPN Problem (Extended Abstract)
- **Yacc' 12**: Primeless Modular Cryptography (Extended Abstract)
- **Ieee rfid-ta' 12**: Mafia Fraud Attack against the RC Distance-Bounding Protocol
- **Infocomm' 12**: Expected Loss Bounds for Authentication in Constrained Channels
- **Asiaccs' 15**: The Limits of Composable Crypto with Transferable Setup Devices

**Miscellaneous**

- **Technical Report**: On Provable Security for Digital Signature Algorithms
- **Rump Session of Asiacrypt'96 (unpublished)**: On the Security of Lenstra's DSA Variant
- **Technical Report**: Provable Security for Block Ciphers by Decorrelation
- **Official Comment of AES**: Comparison of the Randomness Provided by Some AES Candidates
- **Technical Report**: CBC Padding: Security Flaws in SSL, IPSEC, WTLS, ...
- **Technical Report**: FOX Specifications Version 1.1
- **Technical Report**: FOX Specifications Version 1.2
- **Eprint 16**: Observations on the LPN Solving Algorithm from Eurocrypt'16
- **Articcrypt 16**: Cryptanalysis of a Homomorphic Encryption Scheme

The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtedly, many applications will include this standard in the future and thus, the foreseen domination of DSA as a legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations. In this paper, we present six new DSA-based protocols for: performing a quick batch-verification of n signatures; avoiding the cumbersome calculation of 1/k mod q by the signer; compressing sets of DSA transactions into shorter archive signatures; generating signatures from pre-calculated "Use & Throw" 224-bit signature-coupons; self-certifying the moduli and bit-patterning directly q on p. All our schemes combine in a natural way full DSA compatibility and flexible trade-offs between computational complexity, transmission overheads and key sizes.

Serge Vaudenay