## Publications

- On the cost of computing
isogenies between supersingular elliptic curves

(with G. Adj, D. Cervantes-Vazquez, J. Chi-Dominguez and F. Rodriguez-Henriquez)

Preprint. - On isogeny graphs of
supersingular elliptic curves over finite fields

(with G. Adj and O. Ahmadi)

Preprint. - On the security of the
WOTS-PRF signature scheme

(with P. Lafrance)

Preprint. - Computing discrete logarithms in
cryptographically-interesting characteristic-three finite fields

(with G. Adj, I. Canales-Martinez, N. Cruz-Cortes, T. Oliveira, L. Rivera-Zamarripa and F. Rodriguez-Henriquez)

Preprint. - Cryptographers
prepare for a possible post-quantum future

(with N. Koblitz)

*CMS Notes*, Vol. 49, No. 5 (2017), 16-17. - Another look
at tightness II: practical issues in cryptography

(with S. Chatterjee, N. Koblitz and P. Sarkar)

*Mycrypt 2016*, Lecture Notes in Computer Science, 10311 (2017), 21-55.

Preprint. - Challenges
with assessing the impact
of NFS advances on the security of pairing-based cryptography

(with P. Sarkar and S. Singh)

*Mycrypt 2016*, Lecture Notes in Computer Science, 10311 (2017), 83-108.

Preprint. - On
instantiating pairing-based protocols
with elliptic curves of embedding degree one

(with S. Chatterjee and F. Rodriguez-Henriquez)

*IEEE Transactions on Computers*, 66 (2017), 1061-1070.

Preprint. - A
riddle wrapped in an enigma

(with N. Koblitz)

*IEEE Security & Privacy*, 14 (2016), 34-42.

Preprint. - Cryptocash,
cryptocurrencies, and cryptocontracts

(with N. Koblitz)

*Designs, Codes and Cryptography*, 78 (2016), 87-102.

Preprint. - Type 2
structure-preserving signature schemes revisited

(with S. Chatterjee)

*ASIACRYPT 2015*, Lecture Notes in Computer Science, 9452 (2015), 286-310.

Preprint. - The random oracle model:
A twenty-year retrospective

(with N. Koblitz)

*Designs, Codes and Cryptography*, 77 (2015), 587-610.

Preprint. - Special
Issue on Cryptography, Codes, Designs and Finite Fields: In Memory
of Scott A. Vanstone

(edited with I. Blake and D. Stinson)

*Designs, Codes and Cryptography*, 77 (2-3), 2015. - Fault
attacks on
pairing-based protocols revisited

(with S. Chatterjee and K. Karabina)

*IEEE Transactions on Computers*, 64 (2015), 1707-1714.

Preprint - Progress in
Cryptology - LATINCRYPT 2014

(edited with D. Aranha)

Lecture Notes in Computer Science, 8895, Springer-Verlag, 2015. - Computing
discrete logarithms in
*F*and_{36 • 137}*F*using Magma_{36 • 163}

(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)

*WAIFI 2014*, Lecture Notes in Computer Science, 9061 (2015), 3-22. - Weakness of
*F*and_{36 • 1429}*F*for discrete logarithm cryptography_{24 • 3041}

(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)

*Finite Fields and Their Applications*, 32 (2015), 148-170. - Another look
at security theorems for 1-key nested MACs

(with N. Koblitz)

C.K. Koc (ed.),*Open Problems in Mathematics and Computational Science*, Springer 2014, 69-89. - Weakness of
*F*for discrete logarithm cryptography_{36 • 509}

(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)

*Pairing-Based Cryptography -- Pairing 2013*, Lecture Notes in Computer Science, 8365 (2014), 20-44. - Another look
at non-uniformity

(with N. Koblitz)

*Groups Complexity Cryptology*, 5 (2013), 117-139. - Another look at HMAC

(with N. Koblitz)

*Journal of Mathematical Cryptology*, 7 (2013), 225-251. - Introduction to Cryptography

Section 16.1 of Handbook of Finite Fields, edited by G. Mullen and D. Panario, Chapman & Hall/CRC, 2013 - Implementing
pairings at the 192-bit security level

(with D. Aranha, L. Fuentes-Castaneda, E. Knapp and F. Rodriguez-Henriquez)

*Pairing-Based Cryptography -- Pairing 2012*, Lecture Notes in Computer Science, 7708 (2013), 177-195. - Generalizations of Verheul's theorem to asymmetric pairings

(with K. Karabina and E. Knapp)

*Advances in Mathematics of Communications*, 7 (2013), 103-111.

Preprint. - Another look
at security definitions

(with N. Koblitz)

*Advances in Mathematics of Communications*, 7 (2013), 1-38. - Another
look at tightness

(with S. Chatterjee and P. Sarkar)

*Proceedings of SAC 2011*, Lecture Notes in Computer Science, 7118 (2012), 293-319.

- Parallelizing
the Weil and Tate pairings

(with D. Aranha, E. Knapp and F. Rodriguez-Henriquez)

*Cryptography and Coding 2011*, Lecture Notes in Computer Science, 7089 (2011), 275-295. - Discrete
logarithms, Diffie-Hellman, and reductions

(with N. Koblitz and I. Shparlinski)

*Vietnam Journal of Mathematics*, 39 (2011), 267-285. - A generic
variant of NIST's KAS2 key agreement protocol

(with S. Chatterjee and B. Ustaoglu)

*Proceedings of ACISP 2011*, Lecture Notes in Computer Science, 6812 (2011), 353-370.

Full version. - Elliptic curve
cryptography: The serpentine course of a paradigm shift

(with A. Hibner Koblitz and N. Koblitz)

*Journal of Number Theory*, 131 (2011), 781-814. - On cryptographic
protocols employing asymmetric pairings - The role of Ψ revisited

(with S. Chatterjee)

*Discrete Applied Mathematics*, 159 (2011), 1311-1322. - Several sections on elliptic curve
cryptography

(with D. Hankerson)

Encyclopedia of Cryptography and Security (second edition), edited by H. van Tilborg and S. Jajodia, Springer-Verlag, 2011. - On reusing ephemeral public
keys in Diffie-Hellman key agreement protocols

(with B. Ustaoglu)

*International Journal of Applied Cryptography*, 2 (2010), 154-158. - Combined security
analysis of the one- and three-pass unified model key agreement
protocols

(with S. Chatterjee and B. Ustaoglu)

*Indocrypt 2010*, Lecture Notes in Computer Science, 6498 (2010), 49-68. - On the efficiency
and security of pairing-based protocols in the Type 1 and Type 4
settings

(with S. Chatterjee and D. Hankerson)

*WAIFI 2010*, Lecture Notes in Computer Science, 6087 (2010), 114-134.

Full version. - On the asymptotic
effectiveness of Weil descent attacks

(with K. Karabina, C. Pomerance and I. Shparlinski)

*Journal of Mathematical Cryptology*, 4 (2010), 175-191. - Intractable problems in
cryptography

(with N. Koblitz)

Revised version of a paper that appeared in*Finite Fields: Theory and Applications*, Contemporary Mathematics, 518 (2010), 279-300.

See also The brave new world of bodacious assumptions in cryptography

*Notices of the AMS*, 57 (2010), 357-365. - Comparing two
pairing-based aggregate signature schemes

(with S. Chatterjee, D. Hankerson and E. Knapp)

*Designs, Codes and Cryptography*, 55 (2010), 141-167. - Reusing static
keys in key agreement protocols

(with S. Chatterjee and B. Ustaoglu)

*Indocrypt 2009*, Lecture Notes in Computer Science, 5922 (2009), 39-56.

Full version. - A new
protocol for the nearby friend problem

(with S. Chatterjee and K. Karabina)

*Cryptography and Coding 2009*, Lecture Notes in Computer Science, 5921 (2009), 236-251. - Analyzing
the Galbraith-Lin-Scott point multiplication method for elliptic curves
over binary fields

(with D. Hankerson and K. Karabina)

*IEEE Transactions on Computers*, 58 (2009), 1411-1420. - An introduction to
pairing-based cryptography

*Recent Trends in Cryptography*, edited by I. Luengo, volume 477 of Contemporary Mathematics, AMS-RSME, 2009, 47-65. - Comparing the pre- and post-specified
peer models for key agreement

(with B. Ustaoglu)

*International Journal of Applied Cryptography*, 1 (2009), 236-250.

An earlier version appeared in*Proceedings of ACISP 2008*, Lecture Notes in Computer Science, 5107 (2008), 53-68. - Software
implementation of pairings

(with D. Hankerson and M. Scott)

*Identity-Based Cryptography*, edited by M. Joye and G. Neven, IOS Press, 2008, 188-206. - Another look at
non-standard discrete log and Diffie-Hellman problems

(with N. Koblitz)

*Journal of Mathematical Cryptology*, 4 (2008), 311-326. - Security arguments for the UM key
agreement protocol in the NIST SP 800-56A standard

(with B. Ustaoglu)

*Proceedings of ASIACCS '08*, ACM Press, 261-270. - Software
implementation of arithmetic in
*F*_{3m}

(with O. Ahmadi and D. Hankerson)

*Proceedings of WAIFI 2007*, Lecture Notes in Computer Science, 4547 (2007), 85-102. - Advances
in Cryptology - CRYPTO 2007 (edited volume)

Lecture Notes in Computer Science, 4622, Springer-Verlag, 2007. - Formulas for
cube roots in
*F*_{3m}

(with O. Ahmadi and D. Hankerson)

*Discrete Applied Mathematics*, 155 (2007), 260-270. - Irreducible polynomials of maximum
weight

(with O. Ahmadi)

*Utilitas Mathematica*, 72 (2007), 111-123. - Another
look at HMQV

*Journal of Mathematical Cryptology*, 1 (2007), 47-64. - Another look at generic
groups

(with N. Koblitz)

*Advances in Mathematics of Communications*, 1 (2007), 13-28. - Another look at
"provable security"

(with N. Koblitz)

*Journal of Cryptology*, 20 (2007), 3-37. - Another look at
"provable security". II

(with N. Koblitz)

*Progress in Cryptology - Indocrypt 2006*, Lecture Notes in Computer Science, 4329 (2006), 148-175.

Spanish translation by Francisco Rodriguez-Henriquez. - On the importance of
public-key validation in the MQV and HMQV key agreement protocols

(with B. Ustaoglu)

*Progress in Cryptology - Indocrypt 2006*, Lecture Notes in Computer Science, 4329 (2006), 133-147. - Software
multiplication using Gaussian normal bases

(with R. Dahab, D. Hankerson, F. Hu, M. Long and J. López)

*IEEE Transactions on Computers*, 55 (2006), 974-984. - Cryptographic
implications of Hess' generalized GHS attack

(with E. Teske)

*Applicable Algebra in Engineering, Communication and Computing*, 16 (2006), 439-460. - On the number of
trace-one elements in polynomial bases for
*GF(2*^{n})

(with O. Ahmadi)

*Designs, Codes and Cryptography*, 37 (2005), 493-507. - Pairing-based
cryptography at high security levels

(with N. Koblitz)

*Cryptography and Coding 2005*, Lecture Notes in Computer Science, 3796 (2005), 13-36. - Algebraic curves
and cryptography

(with S. Galbraith)

*Finite Fields and Their Applications*, 11 (2005), 544-577. - Several sections on elliptic curve
cryptography

(with D. Hankerson)

Encyclopedia of Cryptography and Security, edited by Henk van Tilborg, Springer-Verlag, 2005. -
Topics in Cryptology - CT-RSA 2005 (edited volume)

Lecture Notes in Computer Science, 3376, Springer-Verlag, 2005. - A survey of public-key
cryptosystems

(with N. Koblitz)

*SIAM Review*, 46 (2004), 599-634. - Security
of signature schemes in a multi-user setting

(with N. Smart)

*Designs, Codes and Cryptography*, 33 (2004), 261-274. - Hyperelliptic curves and cryptography

(with M. Jacobson and A. Stein)

*High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams*,

Fields Institute Communications Series, 41 (2004), 255-282. - Obstacles to the torsion-subgroup attack on the decision
Diffie-Hellman problem

(with N. Koblitz)

*Mathematics of Computation*, 73 (2004), 2027-2041. - Field
inversion and point halving revisited

(with K. Fong, D. Hankerson and J. López)

*IEEE Transactions on Computers*, 53 (2004), 1047-1059. - Weak fields for ECC

(with E. Teske and A. Weng)

*Topics in Cryptology - CT-RSA 2004*, Lecture Notes in Computer Science, 2964 (2004), 366-386. -
Guide to Elliptic Curve Cryptography

(with D. Hankerson and S. Vanstone)

Springer, 2004. - An efficient
protocol for authenticated key agreement

(with L. Law, M. Qu, J. Solinas and S. Vanstone)

*Designs, Codes and Cryptography*, 28 (2003), 119-134. - Validation of
elliptic curve public keys

(with A. Antipa, D. Brown, R. Struik and S. Vanstone)

*Proceedings of PKC 2003*, Lecture Notes in Computer Science, 2567 (2003), 211-223. - A small subgroup attack on a key
agreement protocol of Arazi

(with D. Brown)

*Bulletin of the ICA*, 37 (2003), 45-50. -
Progress in Cryptology - INDOCRYPT 2002

(edited with P. Sarkar)

Lecture Notes in Computer Science, 2551, Springer-Verlag, 2002. - Analysis of the
GHS Weil descent attack on the ECDLP over characteristic two finite
fields of composite degree

(with M. Maurer and E. Teske)

*LMS Journal of Computation and Mathematics*, 5 (2002), 127-174

An earlier version appeared in*Proceedings of Indocrypt 2001*, Lecture Notes in Computer Science, 2247 (2001), 195-213. - Isomorphism classes
of genus-2 hyperelliptic curves over finite fields

(with L. Encinas and J. Masque)

*Applicable Algebra in Engineering, Communication and Computing*, 13 (2002), 57-65. - Solving elliptic curve discrete
logarithm problems using Weil descent

(with M. Jacobson and A. Stein)

*Journal of the Ramanujan Mathematical Society*, 16 (2001), 231-260. - The
elliptic curve digital signature algorithm (ECDSA)

(with D. Johnson and S. Vanstone)

*International Journal on Information Security*, 1 (2001), 36-63. - Software
implementation of the NIST elliptic curves over prime fields

(with M. Brown, D. Hankerson and J. Hernandez)

*Topics in Cryptology - CT-RSA 2001*, Lecture Notes in Computer Science, 2020 (2001), 250-265. - Analysis of the
Weil descent attack of Gaudry, Hess and Smart

(with M. Qu)

*Topics in Cryptology - CT-RSA 2001*, Lecture Notes in Computer Science, 2020 (2001), 308-318. - Software
implementation of elliptic curve cryptography over binary fields

(with D. Hankerson and J. Hernandez)

*Proceedings of CHES 2000*, Lecture Notes in Computer Science, 1965 (2000), 1-24. - PGP in constrained wireless devices

(with M. Brown, D. Cheung, D. Hankerson, J. Hernandez and M. Kirkup)

*Proceedings of the 9th USENIX Security Symposium*, 2000, 247-261. - The
state of elliptic curve cryptography

(with N. Koblitz and S. Vanstone)

*Designs, Codes and Cryptography*, 19 (2000), 173-193. - Coding Theory and Cryptology

(with P. van Oorschot)

chapter in Handbook of Discrete and Combinatorial Mathematics, CRC Press, 1999, pages 889-954. - Authenticated
Diffie-Hellman key agreement protocols

(with S. Blake-Wilson)

*Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography (SAC '98)*, Lecture Notes in Computer Science, 1556 (1999), 339-361. - Unknown key-share
attacks on the station-to-station (STS) protocol

(with S. Blake-Wilson)

*Proceedings of PKC '99*, Lecture Notes in Computer Science, 1560 (1999), 154-170. - Entity authentication and
authenticated key transport protocols employing asymmetric
techniques

(with S. Blake-Wilson)

*Proceedings of the 5th International Workshop on Security Protocols*, Lecture Notes in Computer Science, 1361 (1998), 137-158. - The discrete logarithm problem
in
*GL(n,q)*

(with Yi-Hong Wu)

*Ars Combinatoria*, 47 (1998), 23-32. - An elementary introduction
to hyperelliptic curves

(with Yi-Hong Wu and R. Zuccherato)

appendix in Algebraic Aspects of Cryptography by Neal Koblitz, Springer-Verlag, 1998, pages 155-178. - Key agreement protocols
and their security analysis

(with D. Johnson and S. Blake-Wilson)

*Proceedings of the Sixth IMA International Conference on Cryptography and Coding*, Lecture Notes in Computer Science, 1355 (1997), 30-45.

Full version. - Handbook of Applied
Cryptography

(with P. van Oorschot and S. Vanstone)

CRC Press, 1997. - Elliptic curves and cryptography

(with A. Jurisic)

Dr. Dobb's Journal, April 1997, 23-36. - Some new key agreement protocols providing mutual
implicit authentication

(with M. Qu and S. Vanstone)

*Workshop on Selected Areas in Cryptography (SAC '95)*, 22-32, 1995. - Elliptic curve cryptosystems

*CryptoBytes - The Technical Newsletter of RSA Laboratories*, Volume 1, Number 2, Summer 1995, 1-4. - Elliptic Curve Public Key Cryptosystems

Kluwer Academic Publishers, 1993. - Reducing elliptic curve
logarithms to logarithms in a finite field

(with T. Okamoto and S. Vanstone)

*IEEE Transactions on Information Theory*, 39 (1993), 1639-1646. - Elliptic curve
cryptosystems and their implementation

(with S. Vanstone)

*Journal of Cryptology*, 6 (1993), 209-224 - Public-key
cryptosystems with very small key lengths

(with G. Harper and S. Vanstone)

*Advances in Cryptology - EUROCRYPT '92*, Lecture Notes in Computer Science, 658 (1993), 163-173. - Counting
points on elliptic curves over
*F*_{2m}

(with S. Vanstone and R. Zuccherato)

*Mathematics of Computation*, 60 (1993), 407-420. - Applications of Finite Fields

(with I. Blake, S. Gao, R. Mullin, S. Vanstone and T. Yaghoobian)

Kluwer Academic Publishers, 1992. - Subgroup refinement algorithms for root finding in
*GF(q)*

(with P. van Oorschot and S. Vanstone)

*SIAM Journal on Computing*, 21 (1992), 228-239. - A note on cyclic groups,
finite fields, and the discrete logarithm problem

(with S. Vanstone)

*Applicable Algebra in Engineering, Communication and Computing*, 3 (1992), 67-74. - Advances in
Cryptology - Proceedings of CRYPTO '90

(edited with S. Vanstone)

Lecture Notes in Computer Science, 537, Springer-Verlag, 1991. - The implementation of
elliptic curve cryptosystems

(with S. Vanstone)

*Advances in Cryptology - AUSCRYPT '90*, Lecture Notes in Computer Science, 453 (1990), 2-13. - Isomorphism classes of elliptic curves over finite
fields of characteristic 2

(with S. Vanstone)

*Utilitas Mathematica*, 38 (1990), 135-154. - On the number
of self-dual bases of
*GF(q*over^{m})*GF(q)*

(with D. Jungnickel and S. Vanstone)

*Proceedings of the American Mathematics Society*, 109 (1990), 23-29. - Some computational
aspects of root finding in
*GF(q*^{m})

(with S. Vanstone and P. van Oorschot)

*Symbolic and Algebraic Computation*, Lecture Notes in Computer Science, 358 (1989), 259-270.