| year | title | booktitle | pages |
|---|
| 1 | 2012 | Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems | crypto  | 719-740 |
| 2 | 2012 | Improved Attacks on Full GOST | fse | 9-28 |
| 3 | 2012 | New Attacks on Keccak-224 and Keccak-256 | fse | 442-461 |
| 4 | 2012 | Minimalism in Cryptography: The Even-Mansour Scheme Revisited | eurocrypt | 336-354 |
| 5 | 2011 | An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware | asiacrypt | 327-343 |
| 6 | 2011 | An Improved Algebraic Attack on Hamsi-256 | fse | 88 |
| 7 | 2011 | Breaking Grain-128 with Dynamic Cube Attacks | fse | 167 |
| 8 | 2010 | Improved Single-Key Attacks on 8-Round AES-192 and AES-256 | asiacrypt | 158-176 |
| 9 | 2010 | A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony | eprint | online |
| 10 | 2010 | Structural Cryptanalysis of SASAS | jofc | 505-518 |
| 11 | 2010 | A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony | crypto | 393-410 |
| 12 | 2010 | Efficient Cache Attacks on AES, and Countermeasures | jofc | 37-71 |
| 13 | 2010 | Fast Exhaustive Search for Polynomial Systems in $F_2$ | eprint | online |
| 14 | 2010 | Fast Exhaustive Search for Polynomial Systems in F2 | ches | 203-218 |
| 15 | 2010 | Improved Single-Key Attacks on 8-round AES | eprint | online |
| 16 | 2010 | Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds | eurocrypt | 299-319 |
| 17 | 2009 | Cube Attacks on Tweakable Black Box Polynomials | eurocrypt | 278-299 |
| 18 | 2009 | Un-Trusted-HB: Security Vulnerabilities of Trusted-HB | eprint | online |
| 19 | 2009 | Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium | fse | 1-22 |
| 20 | 2008 | SQUASH - A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags | fse | 144-157 |
| 21 | 2008 | Bug Attacks | crypto | 221-240 |
| 22 | 2008 | On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak | eprint | online |
| 23 | 2008 | RSA-Past, Present, Future | ches | 443 |
| 24 | 2008 | Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs | ches | 15-29 |
| 25 | 2008 | Second Preimage Attacks on Dithered Hash Functions | eurocrypt | 270-288 |
| 26 | 2008 | Cube Attacks on Tweakable Black Box Polynomials | eprint | online |
| 27 | 2007 | Practical Cryptanalysis of SFLASH | crypto | 1-12 |
| 28 | 2007 | Second Preimage Attacks on Dithered Hash Functions | eprint | online |
| 29 | 2007 | Practical Cryptanalysis of SFLASH | eprint | online |
| 30 | 2007 | Cryptanalysis of Group-Based Key Agreement Protocols Using Subgroup Distance Functions | pkc | 61-75 |
| 31 | 2006 | Rigorous Bounds on Cryptanalytic Time/Memory Tradeoffs | crypto | online |
| 32 | 2006 | Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions | fse | online |
| 33 | 2006 | Length-based cryptanalysis: The case of Thompson's Group | eprint | online |
| 34 | 2005 | New Applications of T-Functions in Block Ciphers and Hash Functions | fse | online |
| 35 | 2005 | Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials | jofc | 291-311 |
| 36 | 2005 | Cache attacks and Countermeasures: the Case of AES | eprint | online |
| 37 | 2005 | Scalable Hardware for Sparse Systems of Linear Equations, with Applications to Integer Factorization | ches | online |
| 38 | 2005 | Analysis of the Non-linear Part of Mugi | fse | online |
| 39 | 2004 | New Cryptographic Primitives Based on Multiword T-Functions | fse | 1-15 |
| 40 | 2004 | Fault Analysis of Stream Ciphers | ches | 240-253 |
| 41 | 2004 | Stream Ciphers: Dead or Alive? | asiacrypt | 78 |
| 42 | 2003 | Guaranteeing the diversity of number generators | eprint | online |
| 43 | 2003 | Factoring Estimates for a 1024-Bit RSA Modulus | asiacrypt | online |
| 44 | 2003 | Factoring Large Number with the TWIRL Device | crypto | online |
| 45 | 2002 | Analysis of Bernstein's Factorization Circuit | asiacrypt | online |
| 46 | 2002 | The LSD Broadcast Encryption Scheme | crypto | online |
| 47 | 2002 | A New Class of Invertible Mappings | ches | 470-483 |
| 48 | 2002 | Analysis of Neural Cryptography | asiacrypt | online |
| 49 | 2001 | New Directions in Croptography | ches | 159 |
| 50 | 2001 | Structural Cryptanalysis of SASAS | eurocrypt | 394-405 |
| 51 | 2001 | A Practical Attack on Broadcast RC4 | fse | 152-164 |
| 52 | 2001 | How to Leak a Secret | asiacrypt | 552-565 |
| 53 | 2001 | Improved Online/Offline Signature Schemes | crypto | 355-367 |
| 54 | 2000 | Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies | ches | 71-77 |
| 55 | 2000 | Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers | asiacrypt | 1-13 |
| 56 | 2000 | Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations | eurocrypt | 392-407 |
| 57 | 2000 | Real Time Cryptanalysis of A5/1 on a PC | fse | 1-18 |
| 58 | 2000 | Analysis and Optimization of the TWINKLE Factoring Device | eurocrypt | 35-52 |
| 59 | 1999 | Factoring Large Numbers with the Twinkle Device (Extended Abstract) | ches | 2-12 |
| 60 | 1999 | How to Copyright a Function? | pkc | 188-196 |
| 61 | 1999 | Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization | crypto | 19-30 |
| 62 | 1999 | Miss in the Middle Attacks on IDEA and Khufu | fse | 124-138 |
| 63 | 1999 | Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials | eurocrypt | 12-23 |
| 64 | 1998 | Cryptanalysis of the Oil & Vinegar Signature Scheme | crypto | 257-266 |
| 65 | 1998 | Visual Cryptanalysis | eurocrypt | 201-210 |
| 66 | 1997 | Differential Fault Analysis of Secret Key Cryptosystems | crypto | 513-525 |
| 67 | 1997 | Lattice Attacks on NTRU | eurocrypt | 52-61 |
| 68 | 1996 | Visual Cryptography II: Improving the Contrast Via the Cover Base | eprint | online |
| 69 | 1994 | Visual Cryptography | eurocrypt | 1-12 |
| 70 | 1994 | Memory Efficient Variants of Public-Key Schemes for Smart Card Applications | eurocrypt | 445-449 |
| 71 | 1993 | Efficient Signature Schemes Based on Birational Permutations | crypto | 1-12 |
| 72 | 1993 | Universal Tests for Nonuniform Distributions | jofc | 119-133 |
| 73 | 1992 | Differential Cryptanalysis of the Full 16-Round DES | crypto | 487-496 |
| 74 | 1991 | A One-Round, Two-Prover, Zero-Knowledge Protocol for NP | crypto | 213-224 |
| 75 | 1991 | Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer | crypto | 156-171 |
| 76 | 1991 | Differential Cryptoanalysis of Feal and N-Hash | eurocrypt | 1-16 |
| 77 | 1991 | Differential Cryptanalysis of DES-like Cryptosystems | jofc | 3-72 |
| 78 | 1990 | Publicly Verifiable Non-Interactive Zero-Knowledge Proofs | crypto | 353-365 |
| 79 | 1990 | Differential Cryptanalysis of DES-like Cryptosystems | crypto | 2-21 |
| 80 | 1989 | Zero Knowledge Proofs of Knowledge in Two Rounds | crypto | 526-544 |
| 81 | 1989 | An Efficient Identification Scheme Based on Permuted Kernels (Extended Abstract) | crypto | 606-609 |
| 82 | 1988 | The Noisy Oracle Problem | crypto | 284-296 |
| 83 | 1988 | Zero-Knowledge Proofs of Identity | jofc | 77-94 |
| 84 | 1988 | An Improvement of the Fiat-Shamir Identification and Signature Scheme | crypto | 244-247 |
| 85 | 1987 | A Video Scrambling Technique Based On Space Filling Curves | crypto | 398-417 |
| 86 | 1986 | How to Prove Yourself: Practical Solutions to Identification and Signature Problems | crypto | 186-194 |
| 87 | 1985 | Efficient Factoring Based on Partial Information | eurocrypt | 31-34 |
| 88 | 1985 | On the Security of DES | crypto | 280-281 |
| 89 | 1985 | On the Security of Ping-Pong Protocols when Implemented using the RSA | crypto | 58-72 |
| 90 | 1984 | Efficient Signature Schemes Based on Polynomial Equations | crypto | 37-46 |
| 91 | 1984 | Identity-Based Cryptosystems and Signature Schemes | crypto | 47-53 |
| 92 | 1982 | A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem | crypto | 279-288 |
| 93 | 1981 | The Generation of Cryptographically Strong Pseudo-Random Sequences | crypto | 1 |
