### Journal papers

- Practical Cryptanalysis of ISO 9796-2 and EMV Signatures (Journal of Cryptology, 2016)
- How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction (Journal of Cryptology, 2016)
- A Note on the Bivariate Coppersmith Theorem (Journal of Cryptology, 2013)
- Cryptanalysis of ISO/IEC 9796-1 (Journal of Cryptology, 2008)
- Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring (Journal of Cryptology, 2007)
- Index Calculation Attacks on RSA Signature and Encryption (Designs, Codes and Cryptography, 2006)

### International Conference papers

- Secure Wire Shuffling in the Probing Model (Crypto 2021)
- Random Probing Security: Verification, Composition, Expansion and New Constructions (Crypto 2020)
- A Polynomial-Time Algorithm for Solving the Hidden Subset Sum Problem (Crypto 2020)
- Side-Channel Masking with Pseudo-Random Generator (Eurocrypt 2020)
- On Kilian's Randomization of Multilinear Map Encodings (Asiacrypt 2019)
- Cryptanalysis of CLT13 Multilinear Maps with Independent Slots (Asiacrypt 2019)
- Cryptanalysis of GGH15 Multilinear Maps (Crypto 2016)
- Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations (Crypto 2015)
- New Multilinear Maps over the Integers (Crypto 2015)
- Higher Order Masking of Look-Up Tables (Eurocrypt 2014)
- Practical Multilinear Maps over the Integers (Crypto 2013)
- Batch Fully Homomorphic Encryption over the Integers (Eurocrypt 2013)
- Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers (Eurocrypt 2012)
- Fully Homomorphic Encryption over the Integers with Shorter Public Keys (Crypto 2011)
- Improved Generic Algorithms for Hard Knapsacks (Eurocrypt 2011)
- Efficient Indifferentiable Hashing into Ordinary Elliptic Curves (Crypto 2010)
- PSS is Secure against Random Fault Attacks (Asiacrypt 2009)
- Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures (Crypto 2009)
- The Random Oracle Model and the Ideal Cipher Model are Equivalent (Crypto 2008)
- Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach (Crypto 2007)
- Merkle-Damgard Revisited: how to construct a hash-function (Crypto 2005)
- Finding small roots of bivariate integer equations revisited (Eurocrypt 2004)
- Boneh et al's k-Element Aggregate Extraction Assumption Is Equivalent to The Diffie-Hellman Assumption (Asiacrypt 2003)
- Security Proof for Partial-Domain Hash Signature Schemes (Crypto '02)
- Universal padding schemes for RSA (Crypto '02)
- Optimal security proofs for PSS and other signature schemes (Eurocrypt '02)
- Cryptanalysis of RSA signatures with fixed pattern padding (Crypto '01)
- From fixed-length to arbitrary length RSA padding schemes (Asiacrypt '00)
- On the exact security of Full Domain Hash (Crypto 2000)
- Security analysis of the Gennaro-Halevi-Rabin signature scheme (Eurocrypt 2000)
- New attacks on PKCS#1 v1.5 encryption (Eurocrypt 2000)
- Elliptic Curve Cryptography : do we need to count ? (Asiacrypt '99)
- On the security of RSA padding (Crypto '99)

### International Workshop papers

- High-order Table-based Conversion Algorithms and Masking Lattice-based Encryption (CHES 2022)
- Simultaneous Diagonalization of Incomplete Matrices and Applications (ANTS 2020)
- High Order Masking of Look-up Tables with Common Shares (CHES 2018)
- Improved High-Order Conversion From Boolean to Arithmetic Masking (CHES 2018)
- Formal Verification of Side-Channel Countermeasures via Elementary Circuit Transformations (ACNS 2018)
- Improved Factorization of N=p^rq^s (CT-RSA 2018)
- Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 (PKC 2017)
- High-Order Conversion from Boolean to Arithmetic Masking (CHES 2017)
- Faster Evaluation of SBoxes via Common Shares (CHES 2016)
- Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme (CHES 2016)
- Factoring N=p^r q^s for Large r and s (CT-RSA 2016)
- Improved Side-Channel Analysis of Finite-Field Multiplication (CHES 2015)
- Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity (FSE 2015)
- Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures (CHES 2014)
- Secure Conversion between Boolean and Arithmetic Masking of Any Order (CHES 2014)
- Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences (PKC 2014)
- Scale-Invariant Fully Homomorphic Encryption over the Integers (PKC 2014)
- Higher-Order Side Channel Security and Mask Refreshing (FSE 2013)
- Supplemental Access Control (PACE v2): Security Analysis of PACE Integrated Mapping (Cryptography and Security 2012)
- On the Use of Shamir's Secret Sharing against Side-Channel Analysis (CARDIS 2012)
- Conversion of Security Proofs from One Leakage Model to Another: A New Issue (COSADE 2012)
- Cryptanalysis of the RSA Subgroup Assumption from TCC 2005 (PKC 2011)
- Analysis and Improvement of the Random Delay Countermeasure of CHES 2009 (CHES 2010)
- A Domain Extender for the Ideal Cipher (TCC 2010)
- Fault Attacks Against EMV Signatures (CT-RSA 2010)
- Fault Attacks on RSA Signatures with Partially Unknown Messages (CHES 2009)
- An Efficient Method for Random Delay Generation in Embedded Software (CHES 2009)
- A New DPA Countermeasure Based on Permutation Tables (SCN 2008)
- Attack and Improvement of a Secure S-Box Calculation Based on the Fourier Transform (CHES 2008)
- Side Channel Cryptanalysis of a High Order Masking Scheme (CHES 2007)
- On the Implementation of a Fast Prime Generation Algorithm (CHES 2007)
- A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis (CHES 2005)
- Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt '95 (CT-RSA 2004)
- A New Algorithm for Switching from Arithmetic to Boolean Masking (CHES '03)
- Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages (PKC '02)
- GEM: a Generic Chosen-Ciphertext Secure Encryption Method (CT-RSA '02)
- Fast Generation of Pairs (k, [k]P) for Koblitz Elliptic Curves (SAC '01)
- Differential Power Analysis in the Presence of Hardware Countermeasures (CHES '00)
- On Boolean and Arithmetic Masking against Differential Power Analysis (CHES '00)
- Statistics and secret leakage (Financial Crypto '00)
- Resistance against Differential Power Analysis for elliptic curves cryptosystems (CHES '99)
- On the security of RSA screening (PKC '99)
- On the security of random sources (PKC '99)
- An accurate evaluation of maurer's universal test (SAC '98)