
The Advanced Encryption Standard: 20 years later
(with D. Stebila)
IEEE Security & Privacy, 19-6 (2021), 98-102.
End-to-end security: when do we have it?
(with D. Stebila)
IEEE Security & Privacy, 19-4 (2021), 60-64.
Challenges in cryptography
(with D. Stebila)
IEEE Security & Privacy, 19-2 (2021), 70-73.
Several sections on elliptic curve cryptography
(with D. Hankerson)
Encyclopedia of Cryptography, Security and Privacy (third edition), edited by S. Jajodia, P. Samarati and M. Yung, Springer-Verlag, 2021.
Critical perspectives on provable security: Fifteen years of "Another Look" papers
(with N. Koblitz)
Advances in Mathematics of Communications, 13 (2019), 517-558.
Updated paper.
On the cost of computing isogenies between supersingular elliptic curves
(with G. Adj, D. Cervantes-Vazquez, J. Chi-Dominguez and F. Rodriguez-Henriquez)
SAC 2018, Lecture Notes in Computer Science, 11349 (2019), 322-343.
Preprint.
On the security of the WOTS-PRF signature scheme
(with P. Lafrance)
Advances in Mathematics of Communications, 13 (2019), 185-193.
Preprint.
On isogeny graphs of supersingular elliptic curves over finite fields
(with G. Adj and O. Ahmadi)
Finite Fields and Their Applications, 55 (2019), 267-283.
Preprint.
Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields
(with G. Adj, I. Canales-Martinez, N. Cruz-Cortes, T. Oliveira, L. Rivera-Zamarripa and F. Rodriguez-Henriquez)
Advances in Mathematics of Communications, 12 (2018), 741-759.
Preprint. 
Coding Theory
(with P. van Oorschot, D. Joyner and T. Shaska)
chapter in Handbook of Discrete and Combinatorial Mathematics, second edition, CRC Press, 2018, pages 1023-1067.
Cryptographers prepare for a possible post-quantum future
(with N. Koblitz)
CMS Notes, Vol. 49, No. 5 (2017), 16-17.
Another look at tightness II: practical issues in cryptography
(with S. Chatterjee, N. Koblitz and P. Sarkar)
Mycrypt 2016, Lecture Notes in Computer Science, 10311 (2017), 21-55.
Preprint.
Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography
(with P. Sarkar and S. Singh)
Mycrypt 2016, Lecture Notes in Computer Science, 10311 (2017), 83-108.
Preprint.
On instantiating pairing-based protocols with elliptic curves of embedding degree one
(with S. Chatterjee and F. Rodriguez-Henriquez)
IEEE Transactions on Computers, 66 (2017), 1061-1070.
Preprint. 
A riddle wrapped in an enigma
(with N. Koblitz)
IEEE Security & Privacy, 14 (2016), 34-42.
Preprint.
Cryptocash, cryptocurrencies, and cryptocontracts
(with N. Koblitz)
Designs, Codes and Cryptography, 78 (2016), 87-102.
Preprint: cryptocash.pdf
Type 2 structure-preserving signature schemes revisited
(with S. Chatterjee)
ASIACRYPT 2015, Lecture Notes in Computer Science, 9452 (2015), 286-310.
Preprint.
The random oracle model: A twenty-year retrospective
(with N. Koblitz)
Designs, Codes and Cryptography, 77 (2015), 587-610.
Preprint. 
Special Issue on Cryptography, Codes, Designs and Finite Fields: In Memory of Scott A. Vanstone
(edited with I. Blake and D. Stinson)
Designs, Codes and Cryptography, 77 (2-3), 2015.
Fault attacks on pairing-based protocols revisited
(with S. Chatterjee and K. Karabina)
IEEE Transactions on Computers, 64 (2015), 1707-1714.
Preprint.
Progress in Cryptology - LATINCRYPT 2014
(edited with D. Aranha)
Lecture Notes in Computer Science, 8895, Springer-Verlag, 2015.
Computing discrete logarithms in F_{3^{6 • 137}} and F_{3^{6 • 163}} using Magma
(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)
WAIFI 2014, Lecture Notes in Computer Science, 9061 (2015), 3-22.
Preprint.
Weakness of F_{3^{6 • 1429}} and F_{2^{4 • 3041}} for discrete logarithm cryptography
(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)
Finite Fields and Their Applications, 32 (2015), 148-170.
Preprint. 
Another look at security theorems for 1-key nested MACs
(with N. Koblitz)
C.K. Koc (ed.), Open Problems in Mathematics and Computational Science, Springer 2014, 69-89.
Preprint.
Weakness of F_{3^{6 • 509}} for discrete logarithm cryptography
(with G. Adj, T. Oliveira and F. Rodriguez-Henriquez)
Pairing-Based Cryptography - Pairing 2013, Lecture Notes in Computer Science, 8365 (2014), 20-44.
Preprint.
Another look at non-uniformity
(with N. Koblitz)
Groups Complexity Cryptology, 5 (2013), 117-139.
Preprint.
Another look at HMAC
(with N. Koblitz)
Journal of Mathematical Cryptology, 7 (2013), 225-251.
Preprint. 
Introduction to Cryptography
Section 16.1 of Handbook of Finite Fields, edited by G. Mullen and D. Panario, Chapman & Hall/CRC, 2013 
Implementing pairings at the 192-bit security level
(with D. Aranha, L. Fuentes-Castaneda, E. Knapp and F. Rodriguez-Henriquez)
Pairing-Based Cryptography - Pairing 2012, Lecture Notes in Computer Science, 7708 (2013), 177-195.
Preprint.
Generalizations of Verheul's theorem to asymmetric pairings
(with K. Karabina and E. Knapp)
Advances in Mathematics of Communications, 7 (2013), 103-111.
Preprint: verheul.pdf
Another look at security definitions
(with N. Koblitz)
Advances in Mathematics of Communications, 7 (2013), 1-38.
Preprint.
Another look at tightness
(with S. Chatterjee and P. Sarkar)
Proceedings of SAC 2011, Lecture Notes in Computer Science, 7118 (2012), 293-319.
Preprint. 
Parallelizing the Weil and Tate pairings
(with D. Aranha, E. Knapp and F. Rodriguez-Henriquez)
Cryptography and Coding 2011, Lecture Notes in Computer Science, 7089 (2011), 275-295.
Discrete logarithms, Diffie-Hellman, and reductions
(with N. Koblitz and I. Shparlinski)
Vietnam Journal of Mathematics, 39 (2011), 267-285.
A generic variant of NIST's KAS2 key agreement protocol
(with S. Chatterjee and B. Ustaoglu)
Proceedings of ACISP 2011, Lecture Notes in Computer Science, 6812 (2011), 353-370.
Full version: kas2.pdf
Elliptic curve cryptography: The serpentine course of a paradigm shift
(with A. Hibner Koblitz and N. Koblitz)
Journal of Number Theory, 131 (2011), 781-814.
Preprint.
On cryptographic protocols employing asymmetric pairings - The role of Ψ revisited
(with S. Chatterjee)
Discrete Applied Mathematics, 159 (2011), 1311-1322.
Preprint. 
Several sections on elliptic curve cryptography
(with D. Hankerson)
Encyclopedia of Cryptography and Security (second edition), edited by H. van Tilborg and S. Jajodia, Springer-Verlag, 2011.
On reusing ephemeral public keys in Diffie-Hellman key agreement protocols ephemeral.pdf
(with B. Ustaoglu)
International Journal of Applied Cryptography, 2 (2010), 154-158.
Combined security analysis of the one- and three-pass unified model key agreement protocols
(with S. Chatterjee and B. Ustaoglu)
Indocrypt 2010, Lecture Notes in Computer Science, 6498 (2010), 49-68.
On the efficiency and security of pairing-based protocols in the Type 1 and Type 4 settings
(with S. Chatterjee and D. Hankerson)
WAIFI 2010, Lecture Notes in Computer Science, 6087 (2010), 114-134.
Full version.
On the asymptotic effectiveness of Weil descent attacks weildescent.pdf
(with K. Karabina, C. Pomerance and I. Shparlinski)
Journal of Mathematical Cryptology, 4 (2010), 175-191.
Intractable problems in cryptography dlog.pdf
(with N. Koblitz)
Revised version of a paper that appeared in Finite Fields: Theory and Applications, Contemporary Mathematics, 518 (2010), 279-300.
See also The brave new world of bodacious assumptions in cryptography
Notices of the AMS, 57 (2010), 357-365.
Comparing two pairing-based aggregate signature schemes
(with S. Chatterjee, D. Hankerson and E. Knapp)
Designs, Codes and Cryptography, 55 (2010), 141-167.
Preprint. 
Reusing static keys in key agreement protocols
(with S. Chatterjee and B. Ustaoglu)
Indocrypt 2009, Lecture Notes in Computer Science, 5922 (2009), 39-56.
Full version: static.pdf
A new protocol for the nearby friend problem
(with S. Chatterjee and K. Karabina)
Cryptography and Coding 2009, Lecture Notes in Computer Science, 5921 (2009), 236-251.
Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields
(with D. Hankerson and K. Karabina)
IEEE Transactions on Computers, 58 (2009), 1411-1420.
Preprint.
An introduction to pairing-based cryptography pairings.pdf
Recent Trends in Cryptography, edited by I. Luengo, volume 477 of Contemporary Mathematics, AMS-RSME, 2009, 47-65.
Comparing the pre- and post-specified peer models for key agreement prepost.pdf
(with B. Ustaoglu)
International Journal of Applied Cryptography, 1 (2009), 236-250.
An earlier version appeared in Proceedings of ACISP 2008, Lecture Notes in Computer Science, 5107 (2008), 53-68.
Software implementation of pairings pairings_software.pdf
(with D. Hankerson and M. Scott)
Identity-Based Cryptography, edited by M. Joye and G. Neven, IOS Press, 2008, 188-206.
Another look at non-standard discrete log and Diffie-Hellman problems
(with N. Koblitz)
Journal of Mathematical Cryptology, 4 (2008), 311-326.
Preprint.
Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard um.pdf
(with B. Ustaoglu)
Proceedings of ASIACCS '08, ACM Press, 261-270.
Software implementation of arithmetic in F_{3^m}
(with O. Ahmadi and D. Hankerson)
Proceedings of WAIFI 2007, Lecture Notes in Computer Science, 4547 (2007), 85-102.
Advances in Cryptology - CRYPTO 2007 (edited volume)
Lecture Notes in Computer Science, 4622, Springer-Verlag, 2007.
Formulas for cube roots in F_{3^m}
(with O. Ahmadi and D. Hankerson)
Discrete Applied Mathematics, 155 (2007), 260-270.
Irreducible polynomials of maximum weight weightn.pdf
(with O. Ahmadi)
Utilitas Mathematica, 72 (2007), 111-123.
Another look at HMQV
Journal of Mathematical Cryptology, 1 (2007), 47-64.
Preprint.
Another look at generic groups
(with N. Koblitz)
Advances in Mathematics of Communications, 1 (2007), 13-28.
Preprint.
Another look at "provable security"
(with N. Koblitz)
Journal of Cryptology, 20 (2007), 3-37.
Preprint.
Another look at "provable security". II
(with N. Koblitz)
Progress in Cryptology - Indocrypt 2006, Lecture Notes in Computer Science, 4329 (2006), 148-175.
Spanish translation by Francisco Rodriguez-Henriquez.
Preprint.
On the importance of public-key validation in the MQV and HMQV key agreement protocols
(with B. Ustaoglu)
Progress in Cryptology - Indocrypt 2006, Lecture Notes in Computer Science, 4329 (2006), 133-147.
Software multiplication using Gaussian normal bases
(with R. Dahab, D. Hankerson, F. Hu, M. Long and J. López)
IEEE Transactions on Computers, 55 (2006), 974-984.
Cryptographic implications of Hess' generalized GHS attack
(with E. Teske)
Applicable Algebra in Engineering, Communication and Computing, 16 (2006), 439-460.
Preprint.
On the number of trace-one elements in polynomial bases for GF(2^{n})
(with O. Ahmadi)
Designs, Codes and Cryptography, 37 (2005), 493-507.
Pairing-based cryptography at high security levels
(with N. Koblitz)
Cryptography and Coding 2005, Lecture Notes in Computer Science, 3796 (2005), 13-36.
Preprint.
Algebraic curves and cryptography
(with S. Galbraith)
Finite Fields and Their Applications, 11 (2005), 544-577.
Several sections on elliptic curve cryptography
(with D. Hankerson)
Encyclopedia of Cryptography and Security, edited by Henk van Tilborg, Springer-Verlag, 2005.
Topics in Cryptology - CT-RSA 2005 (edited volume)
Lecture Notes in Computer Science, 3376, Springer-Verlag, 2005.
A survey of public-key cryptosystems publickey.pdf
(with N. Koblitz)
SIAM Review, 46 (2004), 599-634.
Security of signature schemes in a multi-user setting
(with N. Smart)
Designs, Codes and Cryptography, 33 (2004), 261-274.
Hyperelliptic curves and cryptography hcc.pdf
(with M. Jacobson and A. Stein)
High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams,
Fields Institute Communications Series, 41 (2004), 255-282.
Obstacles to the torsion-subgroup attack on the decision Diffie-Hellman problem
(with N. Koblitz)
Mathematics of Computation, 73 (2004), 2027-2041.
Field inversion and point halving revisited
(with K. Fong, D. Hankerson and J. López)
IEEE Transactions on Computers, 53 (2004), 1047-1059.
Weak fields for ECC
(with E. Teske and A. Weng)
Topics in Cryptology - CT-RSA 2004, Lecture Notes in Computer Science, 2964 (2004), 366-386.
Preprint. 
Guide to Elliptic Curve Cryptography
(with D. Hankerson and S. Vanstone)
Springer, 2004. 
An efficient protocol for authenticated key agreement
(with L. Law, M. Qu, J. Solinas and S. Vanstone)
Designs, Codes and Cryptography, 28 (2003), 119-134.
Validation of elliptic curve public keys
(with A. Antipa, D. Brown, R. Struik and S. Vanstone)
Proceedings of PKC 2003, Lecture Notes in Computer Science, 2567 (2003), 211-223.
A small subgroup attack on a key agreement protocol of Arazi arazi.pdf
(with D. Brown)
Bulletin of the ICA, 37 (2003), 45-50.
Progress in Cryptology - INDOCRYPT 2002
(edited with P. Sarkar)
Lecture Notes in Computer Science, 2551, Springer-Verlag, 2002.
Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree
(with M. Maurer and E. Teske)
LMS Journal of Computation and Mathematics, 5 (2002), 127-174
An earlier version appeared in Proceedings of Indocrypt 2001, Lecture Notes in Computer Science, 2247 (2001), 195-213.
Preprint.
Isomorphism classes of genus-2 hyperelliptic curves over finite fields
(with L. Encinas and J. Masque)
Applicable Algebra in Engineering, Communication and Computing, 13 (2002), 57-65.
Solving elliptic curve discrete logarithm problems using Weil descent
(with M. Jacobson and A. Stein)
Journal of the Ramanujan Mathematical Society, 16 (2001), 231-260.
The elliptic curve digital signature algorithm (ECDSA)
(with D. Johnson and S. Vanstone)
International Journal on Information Security, 1 (2001), 36-63.
Software implementation of the NIST elliptic curves over prime fields
(with M. Brown, D. Hankerson and J. Hernandez)
Topics in Cryptology - CT-RSA 2001, Lecture Notes in Computer Science, 2020 (2001), 250-265.
Analysis of the Weil descent attack of Gaudry, Hess and Smart
(with M. Qu)
Topics in Cryptology - CT-RSA 2001, Lecture Notes in Computer Science, 2020 (2001), 308-318.
Software implementation of elliptic curve cryptography over binary fields
(with D. Hankerson and J. Hernandez)
Proceedings of CHES 2000, Lecture Notes in Computer Science, 1965 (2000), 1-24.
PGP in constrained wireless devices pager.pdf
(with M. Brown, D. Cheung, D. Hankerson, J. Hernandez and M. Kirkup)
Proceedings of the 9th USENIX Security Symposium, 2000, 247-261.
The state of elliptic curve cryptography
(with N. Koblitz and S. Vanstone)
Designs, Codes and Cryptography, 19 (2000), 173-193.
Coding Theory and Cryptology
(with P. van Oorschot)
chapter in Handbook of Discrete and Combinatorial Mathematics, CRC Press, 1999, pages 889-954.
Authenticated Diffie-Hellman key agreement protocols
(with S. Blake-Wilson)
Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography (SAC '98), Lecture Notes in Computer Science, 1556 (1999), 339-361.
Unknown key-share attacks on the station-to-station (STS) protocol
(with S. Blake-Wilson)
Proceedings of PKC '99, Lecture Notes in Computer Science, 1560 (1999), 154-170.
Entity authentication and authenticated key transport protocols employing asymmetric techniques
(with S. Blake-Wilson)
Proceedings of the 5th International Workshop on Security Protocols, Lecture Notes in Computer Science, 1361 (1998), 137-158.
The discrete logarithm problem in GL(n,q) glnq.pdf
(with Yi-Hong Wu)
Ars Combinatoria, 47 (1998), 23-32.
An elementary introduction to hyperelliptic curves hyperelliptic.pdf
(with Yi-Hong Wu and R. Zuccherato)
appendix in Algebraic Aspects of Cryptography by Neal Koblitz, Springer-Verlag, 1998, pages 155-178.
Key agreement protocols and their security analysis
(with D. Johnson and S. Blake-Wilson)
Proceedings of the Sixth IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science, 1355 (1997), 30-45.
Full version agreement.pdf
Handbook of Applied Cryptography
(with P. van Oorschot and S. Vanstone)
CRC Press, 1997.
Elliptic curves and cryptography
(with A. Jurisic)
Dr. Dobb's Journal, April 1997, 23-36.
Some new key agreement protocols providing mutual implicit authentication
(with M. Qu and S. Vanstone)
Workshop on Selected Areas in Cryptography (SAC '95), 22-32, 1995.
Elliptic curve cryptosystems
CryptoBytes - The Technical Newsletter of RSA Laboratories, Volume 1, Number 2, Summer 1995, 1-4.
Elliptic Curve Public Key Cryptosystems
Kluwer Academic Publishers, 1993. 
Reducing elliptic curve logarithms to logarithms in a finite field
(with T. Okamoto and S. Vanstone)
IEEE Transactions on Information Theory, 39 (1993), 1639-1646.
Elliptic curve cryptosystems and their implementation
(with S. Vanstone)
Journal of Cryptology, 6 (1993), 209-224
Public-key cryptosystems with very small key lengths
(with G. Harper and S. Vanstone)
Advances in Cryptology - EUROCRYPT '92, Lecture Notes in Computer Science, 658 (1993), 163-173.
Counting points on elliptic curves over F_{2^m}
(with S. Vanstone and R. Zuccherato)
Mathematics of Computation, 60 (1993), 407-420.
Applications of Finite Fields
(with I. Blake, S. Gao, R. Mullin, S. Vanstone and T. Yaghoobian)
Kluwer Academic Publishers, 1992.
Subgroup refinement algorithms for root finding in GF(q)
(with P. van Oorschot and S. Vanstone)
SIAM Journal on Computing, 21 (1992), 228-239.
A note on cyclic groups, finite fields, and the discrete logarithm problem
(with S. Vanstone)
Applicable Algebra in Engineering, Communication and Computing, 3 (1992), 67-74.
Advances in Cryptology - Proceedings of CRYPTO '90
(edited with S. Vanstone)
Lecture Notes in Computer Science, 537, Springer-Verlag, 1991.
The implementation of elliptic curve cryptosystems
(with S. Vanstone)
Advances in Cryptology - AUSCRYPT '90, Lecture Notes in Computer Science, 453 (1990), 2-13.
Isomorphism classes of elliptic curves over finite fields of characteristic 2
(with S. Vanstone)
Utilitas Mathematica, 38 (1990), 135-154.
On the number of self-dual bases of GF(q^{m}) over GF(q)
(with D. Jungnickel and S. Vanstone)
Proceedings of the American Mathematics Society, 109 (1990), 23-29.
Some computational aspects of root finding in GF(q^{m})
(with S. Vanstone and P. van Oorschot)
Symbolic and Algebraic Computation, Lecture Notes in Computer Science, 358 (1989), 259-270.