| year | title | booktitle | pages |
|---|
| 1 | 2015 | Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search | eprint | 522 |
| 2 | 2015 | Cryptanalysis of SHA-0 and Reduced SHA-1 | jofc | 110-160 |
| 3 | 2015 | Nearly Sparse Linear Algebra | eprint | 930 |
| 4 | 2014 | Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE | asiacrypt | 420-438 |
| 5 | 2014 | Improving the Polynomial time Precomputation of Frobenius Representation Discrete Logarithm Algorithms - Simplified Setting for Small Characteristic Finite Fields | asiacrypt | 378-397 |
| 6 | 2014 | Symmetrized Summation Polynomials: Using Small Order Torsion Points to Speed Up Elliptic Curve Index Calculus | eurocrypt | 40-57 |
| 7 | 2014 | A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic | eurocrypt  | 1-16 |
| 8 | 2013 | Faster Index Calculus for the Medium Prime Case Application to 1175-bit and 1425-bit Finite Fields | eurocrypt | 177-193 |
| 9 | 2012 | Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs | ches | 193-212 |
| 10 | 2012 | Cover and Decomposition Index Calculus on Elliptic Curves Made Practical - Application to a Previously Unreachable Curve over $F_(p^6)$ | eurocrypt | 9-26 |
| 11 | 2012 | Decoding Random Binary Linear Codes in 2 n/20: How 1 + 1 = 0 Improves Information Set Decoding | eurocrypt | 520-536 |
| 12 | 2012 | A Tutorial on High Performance Computing Applied to Cryptanalysis - (Invited Talk Abstract) | eurocrypt | 1-7 |
| 13 | 2011 | Improved Generic Algorithms for Hard Knapsacks | eurocrypt | 364 |
| 14 | 2011 | Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers | fse | online |
| 15 | 2011 | Cryptanalysis of the RSA Subgroup from TCC 2005 | pkc | 147 |
| 16 | 2010 | Elliptic Curve Discrete Logarithm Problem over Small Degree Extension Fields. Application to the static Diffie-Hellman problem on $E(\F_{q^5})$ | eprint | online |
| 17 | 2010 | A variant of the F4 algorithm | eprint | online |
| 18 | 2010 | New generic algorithms for hard knapsacks | eprint | online |
| 19 | 2010 | New Generic Algorithms for Hard Knapsacks | eurocrypt | 235-256 |
| 20 | 2010 | Pairing computation on curves with efficiently computable endomorphism and small embedding degree | eprint | online |
| 21 | 2009 | On the Security of Iterated Hashing based on Forgery-resistant Compression Functions | eprint | online |
| 22 | 2009 | Improved Generic Algorithms for 3-Collisions | asiacrypt | 347-363 |
| 23 | 2009 | Factoring pq2 with Quadratic Forms: Nice Cryptanalyses | asiacrypt | 469-486 |
| 24 | 2009 | Fault Attacks on RSA Signatures with Partially Unknown Messages | ches | 444-456 |
| 25 | 2008 | Another approach to pairing computation in Edwards coordinates | eprint | online |
| 26 | 2008 | Oracle-Assisted Static Diffie-Hellman Is Easier Than Discrete Logarithms | eprint | online |
| 27 | 2007 | Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables | eurocrypt | 361-378 |
| 28 | 2007 | Hash Functions and the (Amplified) Boomerang Attack | crypto | 244-263 |
| 29 | 2007 | When e-th Roots Become Easier Than Factoring | eprint | online |
| 30 | 2007 | Overtaking VEST | fse | 58-72 |
| 31 | 2007 | When e-th Roots Become Easier Than Factoring | asiacrypt | 13-28 |
| 32 | 2006 | Inverting HFE Is Quasipolynomial | crypto | online |
| 33 | 2006 | The Number Field Sieve in the Medium Prime Case | crypto | online |
| 34 | 2006 | The Function Field Sieve in the Medium Prime Case | eurocrypt | online |
| 35 | 2006 | Chosen-Ciphertext Attacks Against MOSQUITO | fse | online |
| 36 | 2006 | Counting points on elliptic curves in medium characteristic | eprint | online |
| 37 | 2005 | Collisions of SHA-0 and Reduced SHA-1 | eurocrypt | online |
| 38 | 2005 | Two Attacks Against the HBB Stream Cipher | fse | online |
| 39 | 2005 | Cryptanalysis of the Tractable Rational Map Cryptosystem | pkc | online |
| 40 | 2004 | A One Round Protocol for Tripartite Diffie-Hellman | jofc | 263-276 |
| 41 | 2004 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions | crypto | online |
| 42 | 2004 | Cryptanalysis of a Provably Secure Cryptographic Hash Function | eprint | online |
| 43 | 2003 | Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases | crypto | online |
| 44 | 2003 | Loosening the KNOT | fse | online |
| 45 | 2003 | New Attacks against Standardized MACs | fse | online |
| 46 | 2003 | Separating Decision Diffie-Hellman from Computational Diffie-Hellman in Cryptographic Groups | jofc | 239-247 |
| 47 | 2003 | Cryptanalysis of the EMD Mode of Operation | eurocrypt | online |
| 48 | 2002 | On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction | fse | online |
| 49 | 2002 | Fast Correlation Attacks: An Algorithmic Point of View | eurocrypt | online |
| 50 | 2002 | Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models: CBC, GEM, IACBC | crypto | online |
| 51 | 2001 | Cryptanalysis of PKP: A New Approach | pkc | 165-172 |
| 52 | 2001 | Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups | eprint | online |
| 53 | 2001 | On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit - A New Construction | eprint | online |
| 54 | 2000 | A NICE Cryptanalysis | eurocrypt | 382-391 |
| 55 | 2000 | Why Textbook ElGamal and RSA Encryption Are Insecure | asiacrypt | 30-43 |
| 56 | 2000 | A Chosen-Ciphertext Attack against NTRU | crypto | 20-35 |
| 57 | 2000 | A Statistical Attack on RC6 | fse | 64-74 |
| 58 | 1998 | Differential Collisions in SHA-0 | crypto | 56-71 |
| 59 | 1998 | Lattice Reduction: A Toolbox for the Cryptanalyst | jofc | 161-185 |
| 60 | 1994 | A Practical Attack against Knapsack based Hash Functions (Extended Abstract) | eurocrypt | 58-66 |
| 61 | 1991 | The Cryptoanalysis of a New Public-Key Cryptosystem Based on Modular Knapsacks | crypto | 204-212 |
| 62 | 1991 | Cryptanalysis of Another Knapsack Cryptosystem | asiacrypt | 470-476 |
