| year | title | booktitle | pages |
|---|
| 1 | 2012 | Identity-Based (Lossy) Trapdoor Functions and Applications | eurocrypt | 228-245 |
| 2 | 2012 | Standard Security Does Not Imply Security against Selective-Opening | eurocrypt | 645-662 |
| 3 | 2012 | Semantic Security for the Wiretap Channel | crypto | 294-311 |
| 4 | 2012 | Multi-instance Security and Its Application to Password-Based Cryptography | crypto | 312-329 |
| 5 | 2011 | Authenticated and Misuse-Resistant Encryption of Key-Dependent Data | crypto | 607 |
| 6 | 2011 | Cryptography Secure against Related-Key Attacks and Tampering | asiacrypt | 486-503 |
| 7 | 2011 | Identity-Based Encryption Secure Against Selective Opening Attack | tcc | 235 |
| 8 | 2010 | Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks | eprint | online |
| 9 | 2010 | Identity-Based Encryption Secure under Selective Opening Attack | eprint | online |
| 10 | 2010 | Robust Encryption | tcc | 480-497 |
| 11 | 2010 | Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks | crypto | 666-684 |
| 12 | 2010 | Cryptographic Agility and Its Relation to Circular Encryption | eurocrypt | 403-422 |
| 13 | 2010 | Cryptographic Agility and its Relation to Circular Encryption | eprint | online |
| 14 | 2009 | Encryption Schemes Secure under Selective Opening Attack | eprint | online |
| 15 | 2009 | Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening | eurocrypt | 1-35 |
| 16 | 2009 | Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters' IBE Scheme | eprint | online |
| 17 | 2009 | Key Insulation and Intrusion Resilience Over a Public Channel | eprint | online |
| 18 | 2009 | Hedged Public-Key Encryption: How to Protect against Bad Randomness | asiacrypt | 232-249 |
| 19 | 2009 | Security Proofs for Identity-Based Identification and Signature Schemes | jofc | 1-61 |
| 20 | 2009 | Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters' IBE Scheme | eurocrypt | 407-424 |
| 21 | 2008 | Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions | jofc | 350-391 |
| 22 | 2008 | Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles | eprint | online |
| 23 | 2008 | Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles | crypto | 360-378 |
| 24 | 2008 | Hash Functions from Sigma Protocols and Improvements to VSH | asiacrypt | 125-142 |
| 25 | 2008 | Hash Functions from Sigma Protocols and Improvements to VSH | eprint | online |
| 26 | 2008 | Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm | jofc | 469-491 |
| 27 | 2007 | Deterministic and Efficiently Searchable Encryption | crypto | 535-552 |
| 28 | 2007 | On-Line Ciphers and the Hash-CBC Constructions | eprint | online |
| 29 | 2007 | Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir Without Random Oracles | pkc | 201-216 |
| 30 | 2007 | Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms | eprint | online |
| 31 | 2007 | Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles | eprint | online |
| 32 | 2006 | Unrestricted Aggregate Signatures | eprint | online |
| 33 | 2006 | New Proofs for NMAC and HMAC: Security Without Collision-Resistance | eprint | online |
| 34 | 2006 | On Probabilistic versus Deterministic Provers in the Definition of Proofs Of Knowledge | eprint | online |
| 35 | 2006 | New Proofs for | crypto | online |
| 36 | 2006 | Multi-Property-Preserving Hash Domain Extension and the EMD Transform | asiacrypt | online |
| 37 | 2006 | Multi-Property-Preserving Hash Domain Extension and the EMD Transform | eprint | online |
| 38 | 2006 | Deterministic and Efficiently Searchable Encryption | eprint | online |
| 39 | 2006 | Robust Computational Secret Sharing and a Unified Account of Classical Secret-Sharing Goals | eprint | online |
| 40 | 2006 | Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-based Characterization | eprint | online |
| 41 | 2006 | The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs | eurocrypt | online |
| 42 | 2006 | Stateful Public-Key Cryptosystems: How to Encrypt with One 160-bit Exponentiation | eprint | online |
| 43 | 2005 | Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions | eprint | online |
| 44 | 2005 | Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions | crypto | online |
| 45 | 2005 | Improved Security Analyses for CBC MACs | crypto | online |
| 46 | 2004 | Code-Based Game-Playing Proofs and the Security of Triple Encryption | eprint | online |
| 47 | 2004 | Foundations of Group Signatures: The Case of Dynamic Groups | eprint | online |
| 48 | 2004 | Hash Function Balance and Its Impact on Birthday Attacks | eurocrypt | online |
| 49 | 2004 | Security Proofs for Identity-Based Identification and Signature Schemes | eurocrypt | online |
| 50 | 2004 | Towards Plaintext-Aware Public-Key Encryption Without Random Oracles | asiacrypt | online |
| 51 | 2004 | Towards Plaintext-Aware Public-Key Encryption without Random Oracles | eprint | online |
| 52 | 2004 | The EAX Mode of Operation | fse | 389-407 |
| 53 | 2004 | An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem | eurocrypt | online |
| 54 | 2004 | The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols | crypto | online |
| 55 | 2004 | The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols | eprint | online |
| 56 | 2004 | The Power of Verification Queries in Message Authentication and Authenticated Encryption | eprint | online |
| 57 | 2003 | Hash Function Balance and its Impact on Birthday Attacks | eprint | online |
| 58 | 2003 | The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme | jofc | 185-215 |
| 59 | 2003 | EAX: A Conventional Authenticated-Encryption Mode | eprint | online |
| 60 | 2003 | An Uninstantiable Random-Oracle-Model Scheme for a Hybrid Encryption Problem | eprint | online |
| 61 | 2003 | Randomness Re-use in Multi-recipient Encryption Schemeas | pkc | 85-99 |
| 62 | 2003 | A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications | eurocrypt | online |
| 63 | 2003 | Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions | eurocrypt | 614-629 |
| 64 | 2002 | A Note on Negligible Functions | jofc | 271-284 |
| 65 | 2002 | From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security | eprint | online |
| 66 | 2002 | Protecting against Key Exposure: Strongly Key-Insulated Encryption with Optimal Threshold | eprint | online |
| 67 | 2002 | Transitive Signatures Based on Factoring and RSA | asiacrypt | online |
| 68 | 2002 | From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security | eurocrypt | online |
| 69 | 2002 | GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks | crypto | online |
| 70 | 2001 | Identification Protocols Secure against Reset Attacks | eurocrypt | 495-511 |
| 71 | 2001 | Key-Privacy in Public-Key Encryption | asiacrypt | 566-582 |
| 72 | 2001 | Online Ciphers and the Hash-CBC Construction | crypto | 292-309 |
| 73 | 2001 | OCB Mode | eprint | online |
| 74 | 2001 | Forward-Security in Private-Key Cryptography | eprint | online |
| 75 | 2001 | The Security of Practical Two-Party RSA Signature Schemes | eprint | online |
| 76 | 2001 | Does Encryption with Redundancy Provide Authenticity? | eurocrypt | 512-528 |
| 77 | 2000 | Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques | asiacrypt | 546-559 |
| 78 | 2000 | Authenticated Key Exchange Secure against Dictionary Attacks | eurocrypt | 139-155 |
| 79 | 2000 | The Security of Chaffing and Winnowing | eprint | online |
| 80 | 2000 | Authenticated Key Exchange Secure Against Dictionary Attacks | eprint | online |
| 81 | 2000 | Identification Protocols Secure Against Reset Attacks | eprint | online |
| 82 | 2000 | Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm | eprint | online |
| 83 | 2000 | The Security of Chaffing and Winnowing | asiacrypt | 517-530 |
| 84 | 2000 | Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm | asiacrypt | 531-545 |
| 85 | 2000 | Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography | asiacrypt | 317-330 |
| 86 | 2000 | Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements | eurocrypt | 259-274 |
| 87 | 1999 | Translucent Cryptography - An Alternative to Key Escrow, and Its Implementation via Fractional Oblivious Transfer | jofc | 117-139 |
| 88 | 1999 | DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem | eprint | online |
| 89 | 1999 | A forward-secure digital signature scheme | eprint | online |
| 90 | 1999 | Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization | eprint | online |
| 91 | 1999 | A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion | eprint | online |
| 92 | 1999 | Stateless Evaluation of Pseudorandom Functions: Security beyond the Birthday Barrier | crypto | 270-287 |
| 93 | 1999 | On the Construction of Variable-Input-Length Ciphers | fse | 231-244 |
| 94 | 1999 | A Forward-Secure Digital Signature Scheme | crypto | 431-448 |
| 95 | 1999 | Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions | crypto | 252-269 |
| 96 | 1999 | Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization | crypto | 519-536 |
| 97 | 1998 | Fast Batch Verification for Modular Exponentiation and Digital Signatures | eurocrypt | 236-250 |
| 98 | 1998 | Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible | eurocrypt | 266-280 |
| 99 | 1998 | Fast Batch Verification for Modular Exponentiation and Digital Signatures | eprint | online |
| 100 | 1998 | A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols | eprint | online |
| 101 | 1998 | Many-to-one Trapdoor Functions and their Relation to Public-key Cryptosystems | eprint | online |
| 102 | 1998 | Relations among Notions of Security for Public-Key Encryption Schemes | eprint | online |
| 103 | 1998 | Security amplification by composition: The case of doubly-iterated, ideal ciphers | eprint | online |
| 104 | 1998 | Relations Among Notions of Security for Public-Key Encryption Schemes | crypto | 26-45 |
| 105 | 1998 | Many-to-One Trapdoor Functions and Their Ralation to Public-Key Cryptosystems | crypto | 283-298 |
| 106 | 1998 | Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers | crypto | 390-407 |
| 107 | 1997 | A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost | eprint | online |
| 108 | 1997 | Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function | eprint | online |
| 109 | 1997 | A note on negligible functions | eprint | online |
| 110 | 1997 | Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function | eurocrypt | 280-305 |
| 111 | 1997 | A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost | eurocrypt | 163-192 |
| 112 | 1997 | "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case | crypto | 277-291 |
| 113 | 1997 | Collision-Resistant Hashing: Towards Making UOWHFs Practical | crypto | 470-484 |
| 114 | 1996 | Certifying Permutations: Noninteractive Zero-Knowledge Based on Any Trapdoor Permutation | jofc | 149-166 |
| 115 | 1996 | Verifiable Partial Key Escrow | eprint | online |
| 116 | 1996 | Keying Hash Functions for Message Authentication | crypto | 1-15 |
| 117 | 1996 | The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin | eurocrypt | 399-416 |
| 118 | 1995 | XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions | crypto | 15-28 |
| 119 | 1994 | Optimal Asymmetric Encryption | eurocrypt | 92-111 |
| 120 | 1994 | Incremental Cryptography: The Case of Hashing and Signing | crypto | 216-233 |
| 121 | 1994 | The Security of Cipher Block Chaining | crypto | 341-358 |
| 122 | 1993 | Entity Authentication and Key Distribution | crypto | 232-249 |
| 123 | 1992 | On Defining Proofs of Knowledge | crypto | 390-420 |
| 124 | 1992 | Certifying Cryptographic Tools: The Case of Trapdoor Permutations | crypto | 442-460 |
| 125 | 1989 | On the Structure of Secret Key Exchange Protocols | crypto | 604-605 |
| 126 | 1989 | New Paradigms for Digital Signatures and Message Authentication Based on Non-Interative Zero Knowledge Proofs | crypto | 194-211 |
| 127 | 1989 | Non-Interactive Oblivious Transfer and Spplications | crypto | 547-557 |
| 128 | 1988 | How To Sign Given Any Trapdoor Function | crypto | 200-215 |
