
- Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, Kan Yasuda
- ASIACRYPT
- 2013

Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first… (More)

- Jorge Guajardo, Bart Mennink, Berry Schoenmakers
- Financial Cryptography
- 2010

For the homomorphic Paillier cryptosystem we construct a protocol for secure modulo reduction, that on input of an encryption of x, where x has bit length ℓ_x, and a public 'modulus' a of bit length ℓ_a, outputs an encryption of x mod a. As a result, a protocol for computing an encrypted integer division x div a is obtained. Surprisingly, efficiency of the protocol is… (More)
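Added example, not code from the paper above: a plain Paillier implementation with toy primes that shows the homomorphic identity the abstract relies on when it says a division protocol follows from a modulo-reduction protocol. Given an encryption of q = x div a, the ciphertext [[x mod a]] = [[x]] · [[q]]^(-a) is computable without decryption, and conversely [[x div a]] = ([[x]] · [[r]]^(-1))^(a^(-1) mod n) from an encryption of r = x mod a. The secure two-party computation of q or r is what the paper provides and is not reproduced here; the example simply encrypts q and r directly. The helper names (`next_prime`, `keygen`, `encrypted_mod`, `encrypted_div`, `demo`) and the small primes are my own assumptions for a runnable demo.

```python
import math
import secrets


def next_prime(start):
    """Smallest prime >= start, by trial division (demo sizes only)."""
    n = max(start, 2)
    while True:
        if all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def keygen():
    # Toy moduli (assumption for a runnable demo; real deployments use ~1024-bit primes).
    p = next_prime(10**6)
    q = next_prime(p + 1)
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1                      # standard choice g = 1 + n
    mu = pow(lam, -1, n)           # with g = 1 + n, L(g^lam mod n^2) = lam mod n
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """Paillier encryption: c = g^m * r^n mod n^2 with fresh random r."""
    n, g = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r and math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """Paillier decryption: m = L(c^lam mod n^2) * mu mod n, L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n
    return L * mu % n


def add(pk, c1, c2):
    """[[x]] * [[y]] = [[x + y]] (message space is Z_n)."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scalar_mul(pk, c, k):
    """[[x]]^k = [[k * x]]; a negative k is reduced mod n, so this also subtracts."""
    n, _ = pk
    return pow(c, k % n, n * n)


def encrypted_mod(pk, c_x, c_q, a):
    """Given [[x]] and [[q]] with q = x div a, return [[x mod a]] = [[x - a*q]]."""
    return add(pk, c_x, scalar_mul(pk, c_q, -a))


def encrypted_div(pk, c_x, c_r, a):
    """Given [[x]] and [[r]] with r = x mod a, return [[x div a]] = [[(x - r) * a^-1]]."""
    n, _ = pk
    return scalar_mul(pk, add(pk, c_x, scalar_mul(pk, c_r, -1)), pow(a, -1, n))


def demo(x=987654321, a=1234):
    """Round-trip both identities; returns (x mod a, x div a, decrypted mod, decrypted div)."""
    pk, sk = keygen()
    q, r = divmod(x, a)
    # Constructed inputs: in the real protocol [[q]] / [[r]] come from the secure computation.
    c_x, c_q, c_r = encrypt(pk, x), encrypt(pk, q), encrypt(pk, r)
    got_r = decrypt(pk, sk, encrypted_mod(pk, c_x, c_q, a))
    got_q = decrypt(pk, sk, encrypted_div(pk, c_x, c_r, a))
    return r, q, got_r, got_q


if __name__ == "__main__":
    print(demo())
```

The two conversions are only valid while every intermediate value stays below n (so that x - a·q and (x - r)·a^(-1) do not wrap in Z_n) and while gcd(a, n) = 1; both hold for the bit-length bounds ℓ_x and ℓ_a the abstract refers to, which is exactly why the paper can state the parameters in terms of those lengths.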

- Bart Mennink, Bart Preneel
- IACR Cryptology ePrint Archive
- 2011

We consider the family of 2n-to-n-bit compression functions that are solely based on at most three permutation executions and on XOR-operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen… (More)

- Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda
- ASIACRYPT
- 2014

Given Nandi's attack on XLS, we intend to tweak COPA by removing XLS and extending the use of tag-splitting from short messages to arbitrary length messages. Formal specification to follow later.

- Elena Andreeva, Bart Mennink, Bart Preneel
- IACR Cryptology ePrint Archive
- 2010

In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round.… (More)

- Philipp Jovanovic, Atul Luykx, Bart Mennink
- ASIACRYPT
- 2014

The Sponge function is known to achieve 2^{c/2} security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2^{c/2}, 2^κ} security bound, with κ the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical 2^{c/2} security bound. We show that… (More)

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KA_t consists of a small number t of fixed permutations P_i on n bits, separated by key addition: the round keys (k_0, …, k_t) are obtained from the master key K using some key… (More)
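Added example, not from the paper above: a toy key-alternating cipher KA_t on 16-bit blocks that makes the structure in the abstract concrete. The t public permutations P_i are fixed random tables generated from a constant seed, key addition is XOR, and decryption walks the rounds backwards through the inverse tables. The key schedule here (rotate the master key and XOR the round index) is my own placeholder, not AES's; with t = 1 the construction is the single-key Even-Mansour cipher P(x ⊕ k_0) ⊕ k_1.

```python
import random


class KeyAlternatingCipher:
    """Toy t-round key-alternating cipher KA_t on n-bit blocks (added example)."""

    def __init__(self, master_key, t=4, n_bits=16, seed=2013):
        self.n_bits = n_bits
        self.mask = (1 << n_bits) - 1
        self.t = t
        rng = random.Random(seed)  # fixed seed: the permutations are public constants
        self.perms = []
        self.inv_perms = []
        for _ in range(t):
            table = list(range(1 << n_bits))
            rng.shuffle(table)                 # P_i as a lookup table
            inv = [0] * len(table)
            for x, y in enumerate(table):
                inv[y] = x                     # P_i^{-1} for decryption
            self.perms.append(table)
            self.inv_perms.append(inv)
        self.round_keys = self.key_schedule(master_key & self.mask)

    def key_schedule(self, K):
        # Placeholder schedule (assumption, not AES's): k_i = rotl(K, 5*i) XOR i, i = 0..t
        keys = []
        for i in range(self.t + 1):
            r = (5 * i) % self.n_bits
            rot = ((K << r) | (K >> (self.n_bits - r))) & self.mask
            keys.append(rot ^ i)
        return keys

    def encrypt(self, x):
        """x -> P_t(... P_1(x XOR k_0) XOR k_1 ...) XOR k_t"""
        x = (x & self.mask) ^ self.round_keys[0]
        for i in range(self.t):
            x = self.perms[i][x] ^ self.round_keys[i + 1]
        return x

    def decrypt(self, y):
        """Undo the rounds in reverse order using the inverse permutations."""
        x = y & self.mask
        for i in reversed(range(self.t)):
            x = self.inv_perms[i][x ^ self.round_keys[i + 1]]
        return x ^ self.round_keys[0]


if __name__ == "__main__":
    c = KeyAlternatingCipher(0xBEEF, t=4)
    ct = c.encrypt(0x1234)
    print(hex(ct), hex(c.decrypt(ct)))
```

The point of the abstraction is that everything cipher-specific (the S-box, MixColumns, the real AES key schedule) is folded into the P_i and the schedule, so security results proved for KA_t with ideal permutations apply to the skeleton, not to AES's concrete choices.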

- Nicky Mouha, Bart Mennink, Anthony Van Herrewege, Dai Watanabe, Bart Preneel, Ingrid Verbauwhede
- Selected Areas in Cryptography
- 2014

We propose Chaskey: a very efficient Message Authentication Code (MAC) algorithm for 32-bit microcontrollers. It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms because of stringent requirements on speed, energy consumption, or code size. Chaskey is a permutation-based MAC algorithm that uses the… (More)

- Elena Andreeva, Bart Mennink, Bart Preneel
- SCN
- 2010

The notion of indifferentiability, introduced by Maurer et al., is an important criterion for the security of hash functions. Concretely, it ensures that a hash function has no structural design flaws and thus guarantees security against generic attacks up to the proven bounds. In this work we prove the indifferentiability of Grøstl, a second round SHA-3… (More)

- Elena Andreeva, Begül Bilgin, +4 authors Kan Yasuda
- IACR Cryptology ePrint Archive
- 2013

The domain of lightweight cryptography focuses on cryptographic algorithms for extremely constrained devices. It is very costly to avoid nonce reuse in such environments, because this requires either a hardware source of randomness, or non-volatile memory to store a counter. At the same time, a lot of cryptographic schemes actually require the nonce… (More)