| year | title | booktitle | pages |
|---|
| 1 | 2018 | Deterministic Encryption with the Thorp Shuffle | jofc | 521-536 |
| 2 | 2018 | Simplifying Game-Based Definitions | crypto | 3-32 |
| 3 | 2016 | Big-Key Symmetric Encryption: Resisting Key Exfiltration | crypto | 373-402 |
| 4 | 2015 | Robust Authenticated Encryption and the Limits of Symmetric Cryptography | eprint | 893 |
| 5 | 2015 | Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance | eprint | 189 |
| 6 | 2015 | Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer | eprint | 394 |
| 7 | 2015 | Robust Authenticated-Encryption AEZ and the Problem That It Solves | eurocrypt | 15-44 |
| 8 | 2015 | Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance | crypto | 493-517 |
| 9 | 2014 | Security of Symmetric Encryption against Mass Surveillance | crypto | 1-19 |
| 10 | 2014 | Reconsidering Generic Composition | eurocrypt | 257-274 |
| 11 | 2014 | Sometimes-Recurse Shuffle - Almost-Random Permutations in Logarithmic Expected Time | eurocrypt | 311-326 |
| 12 | 2014 | Security of Symmetric Encryption against Mass Surveillance | eprint | 438 |
| 13 | 2014 | Reconsidering Generic Composition | eprint | 206 |
| 14 | 2012 | An Enciphering Scheme Based on a Card Shuffle | crypto | 1-13 |
| 15 | 2012 | Adaptively Secure Garbling with Applications to One-Time Programs and Secure Outsourcing | asiacrypt | 134-153 |
| 16 | 2012 | The Security of Ciphertext Stealing | fse | 180-195 |
| 17 | 2011 | The Software Performance of Authenticated-Encryption Modes | fse | 306 |
| 18 | 2011 | Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings | crypto | online |
| 19 | 2010 | An Analysis of the Blockcipher-Based Hash Functions from PGV | jofc | 519-545 |
| 20 | 2010 | On Generalized Feistel Networks | crypto | 613-630 |
| 21 | 2010 | On generalized Feistel networks | eprint | online |
| 22 | 2009 | How to Encipher Messages on a Small Domain | crypto | 286-302 |
| 23 | 2008 | Security/Efficiency Tradeoffs for Permutation-Based Hashing | eurocrypt | 220-236 |
| 24 | 2008 | Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers | crypto | 433-450 |
| 25 | 2007 | How to Enrich the Message Space of a Cipher | fse | 101-118 |
| 26 | 2007 | Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) | jofc | 395 |
| 27 | 2007 | How to Enrich the Message Space of a Cipher | eprint | online |
| 28 | 2006 | The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs | eurocrypt | online |
| 29 | 2006 | A Provable-Security Treatment of the Key-Wrap Problem | eurocrypt | online |
| 30 | 2006 | Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem | eprint | online |
| 31 | 2006 | Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys | eprint | online |
| 32 | 2006 | Robust Computational Secret Sharing and a Unified Account of Classical Secret-Sharing Goals | eprint | online |
| 33 | 2005 | Improved Security Analyses for CBC MACs | crypto | online |
| 34 | 2005 | CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions | jofc | 111-131 |
| 35 | 2004 | Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC | asiacrypt | online |
| 36 | 2004 | The EAX Mode of Operation | fse | 389-407 |
| 37 | 2004 | Nonce-Based Symmetric Encryption | fse | 348-359 |
| 38 | 2004 | Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance | fse | 371-388 |
| 39 | 2004 | Cryptographic Hash-Function Basics: Definitions, Implications and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance | eprint | online |
| 40 | 2004 | Code-Based Game-Playing Proofs and the Security of Triple Encryption | eprint | online |
| 41 | 2003 | A Tweakable Enciphering Mode | crypto | online |
| 42 | 2003 | A Critique of CCM | eprint | online |
| 43 | 2003 | EAX: A Conventional Authenticated-Encryption Mode | eprint | online |
| 44 | 2003 | A Parallelizable Enciphering Mode | eprint | online |
| 45 | 2003 | A Tweakable Enciphering Mode | eprint | online |
| 46 | 2002 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV | crypto | online |
| 47 | 2002 | A Block-Cipher Mode of Operation for Parallelizable Message Authentication | eurocrypt | online |
| 48 | 2002 | Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) | jofc | 103-127 |
| 49 | 2002 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV | eprint | online |
| 50 | 2002 | Encryption-Scheme Security in the Presence of Key-Dependent Messages | eprint | online |
| 51 | 2002 | The EMD Mode of Operation (A Tweaked, Wide-Blocksize, Strong PRP) | eprint | online |
| 52 | 2001 | Ciphers with Arbitrary Finite Domains | eprint | online |
| 53 | 2001 | OCB Mode | eprint | online |
| 54 | 2001 | A Block-Cipher Mode of Operation for Parallelizable Message Authentication | eprint | online |
| 55 | 2001 | How to Protect DES Against Exhaustive Key Search (an Analysis of DESX) | jofc | 17-35 |
| 56 | 2000 | Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography | asiacrypt | 317-330 |
| 57 | 2000 | CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions | crypto | 197-215 |
| 58 | 2000 | Authenticated Key Exchange Secure against Dictionary Attacks | eurocrypt | 139-155 |
| 59 | 2000 | Authenticated Key Exchange Secure Against Dictionary Attacks | eprint | online |
| 60 | 1999 | UMAC: Fast and Secure Message Authentication | crypto | 216-233 |
| 61 | 1999 | On the Construction of Variable-Input-Length Ciphers | fse | 231-244 |
| 62 | 1999 | DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem | eprint | online |
| 63 | 1999 | Bucket Hashing and Its Application to Fast Message Authentication | jofc | 91-115 |
| 64 | 1998 | Relations Among Notions of Security for Public-Key Encryption Schemes | crypto | 26-45 |
| 65 | 1998 | Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible | eurocrypt | 266-280 |
| 66 | 1998 | Relations among Notions of Security for Public-Key Encryption Schemes | eprint | online |
| 67 | 1998 | A Software-Optimized Encryption Algorithm | jofc | 273-287 |
| 68 | 1997 | Collision-Resistant Hashing: Towards Making UOWHFs Practical | crypto | 470-484 |
| 69 | 1997 | Locally Random Reductions: Improvements and Applications | jofc | 17-36 |
| 70 | 1996 | How to Protect DES Against Exhaustive Key Search | crypto | 252-267 |
| 71 | 1996 | The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin | eurocrypt | 399-416 |
| 72 | 1995 | XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions | crypto | 15-28 |
| 73 | 1995 | Bucket Hashing and its Application to Fast Message Authentication | crypto | 29-42 |
| 74 | 1994 | The Security of Cipher Block Chaining | crypto | 341-358 |
| 75 | 1994 | Optimal Asymmetric Encryption | eurocrypt | 92-111 |
| 76 | 1993 | Entity Authentication and Key Distribution | crypto | 232-249 |
| 77 | 1993 | A Software-Optimised Encryption Algorithm | fse | 56-63 |
| 78 | 1991 | Secure Computation (Abstract) | crypto | 392-404 |
| 79 | 1990 | Security with Low Communication Overhead | crypto | 62-76 |
| 80 | 1988 | Everything Provable is Provable in Zero-Knowledge | crypto | 37-56 |
