Last updated: Aug 2018. For an up to date list please see DBLP or Google scholar.
See also Publications by Topic
Books and survey papers

A Graduate Course in Applied Cryptography.
Available at cryptobook.us 
Twenty years of attacks on the RSA cryptosystem.
Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203213, 1999

The decision DiffieHellman problem.
In Proceedings of the Third Algorithmic Number Theory Symposium,
Lecture Notes in Computer Science, Vol. 1423, SpringerVerlag, pp. 4863, 1998 
A Survey of Two Signature Aggregation Techniques.
In CryptoBytes Vol. 6, No. 2, 2003Full paper: pdf
Research papers: cryptography and computer security
The list below contains some of my publications on cryptography and computer security.
Threshold Cryptosystems From Threshold Fully Homomorphic Encryption.
In proceedings of Crypto 2018, pp. 565596.Full paper: pdf 
Multiparty NonInteractive Key Exchange and More From Isogenies on Elliptic Curves.
In proceedings of MathCrypt 2018Full paper: pdf 
A Survey of Two Verifiable Delay Functions.
Cryptology ePrint Archive: Report 2018/712Full paper: pdf 
Verifiable Delay Functions.
In proceedings of Crypto 2018, pp. 757788.Full paper: pdf 
QuasiOptimal SNARGs via Linear MultiProver Interactive Proofs.
In proceedings of Eurocrypt 2018, pp. 222255. 
Compact MultiSignatures for Smaller Blockchains..
To appear in Asiacrypt 2018Full paper: pdf 
BLS MultiSignatures With PublicKey Aggregation.
web noteFull paper: html 
Bulletproofs: Efficient Range Proofs for Confidential Transactions.
In proceedings of the IEEE S&P conference, Oakland 2018.Full paper: pdf 
Prio: Private, Robust, and Scalable Computation of Aggregate Statistics.
In proceedings of NSDI 2017, pp. 7681.Full paper: pdf 
Constrained Keys for Invertible Pseudorandom Functions.
In proceedings of TCC 2017, pp. 237263.Full paper: pdf 
Private Puncturable PRFs From Standard Lattice Assumptions.
In proceedings of Eurocrypt 2017, pp. 415445.Full paper: pdf 
Constraining Pseudorandom Functions Privately.
In proceedings of PKC 2017, pp. 494524.Full paper: pdf 
LatticeBased SNARGs and Their Application to More Efficient Obfuscation.
In proceedings of Eurocrypt 2017, pp. 247277.Full paper: pdf 
Deriving Genomic Diagnoses Without Revealing Patient Genomes.
Science, vol. 357, no. 6352, 2017, pp. 692695.Full paper: pdf 
Trust but Verify: Auditing the Secure Internet of Things.
In proceedings of Mobisys 2017, pp. 464474.Full paper: pdf 
Quantum Operating Systems.
In proceedings of HotOS 2017, pp. 7681.Full paper: pdf 
IRON: Functional Encryption using Intel SGX.
In proceedings of ACM CCS 2017, pp. 765782.Full paper: pdf 
Surnaming Schemes, Fast Verification,and Applications to SGX Technology.
In proceedings of RSACT 2017, pp. 149164.Full paper: pdf 
LatticeBased DAPS and Generalizations: Selfenforcement in Signature Schemes.
In proceedings of ACNS 2017, pp. 457477.Full paper: pdf 
T/Key: SecondFactor Authentication From Secure Hash Chains.
In proceedings of ACM CCS 2017, pp. 983999.Full paper: pdf 
Balloon Hashing: A MemoryHard Function Providing Provable Protection Against Sequential Attacks.
In proceedings of ASIACRYPT 2016, pp. 220248.Full paper: pdf 
5Gen: A Framework for Prototyping Applications Using Multilinear Maps and Matrix Branching Programs.
In proceedings of ACM CCS 2016, pp. 981992.Full paper: pdf 
Privacy, Discovery, and Authentication for the Internet of Things.
In proceedings of ESORICS 2016, pp. 301319.Full paper: pdf 
Cryptographically Enforced Control Flow Integrity.
In proceedings of ACM CCS 2015, pp. 941951.Full paper: pdf 
Provisions: Privacypreserving Proofs of Solvency for Bitcoin Exchanges.
In proceedings ACM CCS 2015, pp. 720731.Full paper: pdf 
Semantically Secure OrderRevealing Encryption: Multiinput Functional Encryption Without Obfuscation.
In proceedings of Eurocrypt 2015, LNCS 9057, pp. 563594Full paper: pdf 
Hosting Services on an Untrusted Cloud.
In proceedings of Eurocrypt 2015, LNCS 9057, pp. 404436Full paper: pdf 
Riposte: An Anonymous Messaging System Handling Millions of Users.
IEEE Symposium on Security and Privacy 2015, pp. 321338.Full paper: pdf 
Stickler: Defending Against Malicious CDNs in an Unmodified Browser.
In IEEE Security & Privacy, Vol. 14, number 2, pp. 2228, 2016. Extended abstract in proceedings of W2SP 2015Full paper: pdf 
PowerSpy: Location Tracking using Mobile Device Power Analysis.
In proceedings of USENIX Security 2015, pp. 785800.Full paper: pdf 
Bivariate Polynomials Modulo Composites and Their Applications.
In proceedings of Asiacrypt 2014, LNCS 8873, pp. 4262Full paper: pdf 
Immunizing Multilinear Maps Against Zeroizing Attacks.
Cryptology ePrint Archive, Report 2014/930Full paper: pdf 
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation.
In Algorithmica vol. 79, no. 4, pp. 12331285, 2017. Extended abstract in Crypto 2014, LNCS 8616, pp. 480499.Full paper: pdf 
Low Overhead Broadcast Encryption from Multilinear Maps.
In proceedings Crypto 2014, LNCS 8616, pp. 206223.Full paper: pdf 
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits.
In proceedings of Eurocrypt 2014, LNCS 8441, pp. 533556.Full paper: pdf 
DifferingInputs Obfuscation and Applications.
Cryptology ePrint Archive: Report 2013/689Full paper: pdf 
Constrained Pseudorandom Functions and Their Applications.
In proceedings of Asiacrypt 2013, LNCS 8270, pp. 280300.Full paper: pdf 
Gyrophone: Recognizing Speech From Gyroscope Signals.
In proceedings of Usenix Security 2014Full paper: pdf 
Password Managers: Attacks and Defenses.
To appear at Usenix Security 2014 
Tick Tock: Building Browser Red Pills from Timing Side Channels.
To appear at Usenix WOOT 2014Full paper: pdf 
Hacking Blind.
In proceedings of the IEEE S&P conference, Oakland 2014.Full paper: pdf 
An Experimental Study of TLS Forward Secrecy Deployments.
In proceedings of W2SP 2014
IEEE Internet Computing 18(6): 4351 (2014)Full paper: pdf 
OSS: Using Online Scanning Services for Censorship Circumvention.
Full paper: pdf 
FunctionPrivate SubspaceMembership Encryption and Its Applications.
In Proceedings of Asiacrypt 2013.Full paper: PDF 
Key Homomorphic PRFs and Their Applications.
In Proceedings of Crypto 2013, pp. 410428. [BIBTEX]Full paper: pdf 
FunctionPrivate IdentityBased Encryption: Hiding the Function in Functional Encryption.
In Proceedings of Crypto 2013, pp. 461478. [BIBTEX]Full paper: PDF 
Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World.
In Proceedings of Crypto 2013, pp. 461478. [BIBTEX]Full paper: pdf 
MessageLocked Encryption for LockDependent Messages.
In Proceedings of Crypto 2013, pp. 374391. [BIBTEX]Full paper: PDF 
A Note on Barrington's Theorem.
web noteFull paper: html

Ensuring highquality randomness in cryptographic key generation.
In Proceedings of ACM CCS 2013, pp. 685696. [BIBTEX]Full paper: PDF 
Privacypreserving matrix factorization.
In Proceedings of ACM CCS 2013, pp. 801812. [BIBTEX]Full paper: PDF 
PrivacyPreserving Ridge Regression on Hundreds of Millions of Records.
In Proceedings of IEEE Symposium on Security and Privacy 2013, pp. 334348. [BIBTEX]Full paper: PDF 
Private Database Queries Using Somewhat Homomorphic Encryption.
In Proceedings of ACNS '13, Lecture Notes in Computer Science, Vol. 7954, SpringerVerlag, pp. 102118, 2013Full paper: PDF 
QuantumSecure Message Authentication Codes.
In proc. of Eurocrypt 2013, LNCS 7881, pp. 592608. [BIBTEX]Full paper: pdf 
Neuroscience Meets Cryptography:
Designing Crypto Primitives Secure Against Rubber Hose Attacks.
In proceedings of Usenix security 2012. 
Evading Censorship with BrowserBased Proxies.
In proceedings of PETS 2012, LNCS 7384, pp. 239258, 2012.Full paper: pdf 
The most dangerous code in the world: validating SSL certificates in nonbrowser software.
In proceedings of ACM CCS '12, pp. 3849, 2012 [BIBTEX]Full paper: pdf 
StegoTorus: a camouflage proxy for the Tor anonymity system.
In proceedings of ACM CCS '12, pp. 109120, 2012 [BIBTEX] 
Who Killed My Battery: Analyzing Mobile Browser Energy Consumption.
In Proceedings of the 21st International World Wide Web conference (WWW), 2012, ACM Press, pp. 4150.Full paper: pdf 
SessionJuggler: Secure Web Login From an Untrusted Terminal Using Session Hijacking.
In Proceedings of the 21st International World Wide Web conference (WWW), 2012, ACM Press, pp. 321330.Full paper: pdf 
Targeted malleability: homomorphic encryption for restricted computations.
In proceedings of Innovations in Theoretical Computer Science (ITCS), ACM, 2012, pp.350366. [BIBTEX]Full paper: pdf 
Towards ShortLived Certificates.
In proceedings of IEEE Oakland Web 2.0 Security and Privacy (W2SP 2012).Full paper: pdf. 
The case for prefetching and prevalidating TLS server certificates.
In proceedings of the 19th Annual Network & Distributed System Security Conference (NDSS 2012)Full paper: pdf. 
Persistent OSPF Attacks.
In proceedings of the 19th Annual Network & Distributed System Security Conference (NDSS 2012)Full paper: pdf. 
Random Oracles in a Quantum World.
In proceedings of Asiacrypt 2011, LNCS 7073, pp. 4169, 2011. [BIBTEX]Full paper: pdf 
OpenConflict: preventing real time map hacks in online games.
In proceedings of the 2011 IEEE Oakland Security and Privacy conference, pp. 506522 [BIBTEX]Full paper: pdf. 
Homomorphic Signatures for Polynomial Functions.
In proceedings of Eurocrypt 2011, LNCS 6632, pp. 149168, 2011. [BIBTEX]Full paper: pdf 
Functional encryption: definitions and challenges.
In proceedings of TCC'11, LNCS 6597, pp. 253273.Full paper: pdf 
Computing on Authenticated Data.
Full paper: pdf 
Linearly homomorphic signatures over binary fields and new tools for latticebased signatures.
In proceedings of PKC'11, LNCS 6571, pp. 116.Full paper: pdf 
Location privacy via private proximity testing.
In proceedings of NDSS 2011.Full paper: pdf 
Algebraic pseudorandom functions with improved efficiency from
the augmented cascade.
In proceedings of the 17'th ACM conference on Computer and Communications Security (CCS), 2010. [BIBTEX]Full paper: pdf 
Lattice basis delegation in fixed dimension and shorter ciphertext hierarchical IBE.
In proceedings of Crypto 2010, LNCS 6223, pp. 98115, 2010 [BIBTEX]Full paper: pdf 
Efficient lattice (H)IBE in the standard model.
In proceedings of Eurocrypt 2010, LNCS 6110, pp. 553572, 2010. [BIBTEX] 
An analysis of private browsing modes in modern browsers.
In proceedings of Usenix Security 2010. [BIBTEX]Full paper: pdf 
The case for ubiquitous transportlevel encryption.
In proceedings of Usenix Security 2010.Full paper: pdf 
Framing attacks on smart phones and dumb routers:
tapjacking and geolocalization attacks.
Full paper: pdf 
Busting frame busting: a study of clickjacking vulnerabilities at popular sites.
In proceedings of IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010).Full paper: pdf 
Kamouflage: lossresistant password management.
In proceedings of ESORICS 2010. [BIBTEX]Full paper: pdf 
Finding composite order ordinary elliptic curves using the CocksPinch method.
Journal of Number Theory, Vol. 131 (5), 2011, pp. 832841. [BIBTEX]Full paper: pdf 
Privacy preserving targeted advertising.
In proceedings of NDSS 2010.Full paper: pdf 
XCS: cross channel scripting and its impact on web applications.
In proceedings of the 16'th ACM conference on Computer and Communications Security (CCS), 2009.Full paper: pdf 
Fast symmetric cryptography in Javascript.
In proceedings of ACSAC 2009.Full paper: pdf 
Preventing pollution attacks in multisource network coding.
In proceedings of PKC 2010.Full paper: pdf 
Signing a Linear Subspace: Signature Schemes for Network Coding.
In proceedings of PKC 2009, LNCS 5443, pp. 6887.Full paper: pdf 
Homomorphic MACs: MACBased Integrity for Network Coding.
In proceedings of ACNS 2009, LNCS 5536, pp. 292305Full paper: pdf 
CircularSecure Encryption from Decision DiffieHellman.
In proceedings of Crypto 2008, LNCS 5157, pp. 108125.Full paper: pdf 
On The Impossibility of Basing Identity Based Encryption on Trapdoor Permutations.
In proceedings of FOCS 2008, pp. 283292 
Generalized Identity Based and Broadcast Encryption Schemes.
In proceedings of Asiacrypt 2008, LNCS 5350, pp. 455470 
Traitor Tracing with Constant Size Ciphertext.
In proceedings of the 15'th ACM conference on Computer and Communications Security (CCS), pp. 455470, 2008.Full paper: pdf 
SpaceEfficient Identity Based Encryption Without Pairings.
In proceedings of FOCS 2007, pp. 647657, 2007Full paper: pdf 
Protecting Browsers from DNS Rebinding Attacks.
ACM Transactions on the Web (TWEB), Vol. 3(1), 2009,
extended abstract in proceedings of the 14'th ACM conference on Computer and Communications Security (CCS), pp. 421431, 2007Full paper: pdf 
Overshadow: A VirtualizationBased Approach to Retrofitting Protection
in Commodity Operating Systems.
In proceedings of ACM ASPLOS 2008, pp. 213Full paper: pdf 
Transaction Generators: Root Kits for the Web.
In proceedings of the 2nd USENIX Workshop on Hot Topics in Security, 2007Full paper: pdf 
Reducing Shouldersurfing by Using Gazebased Password Entry.
In proceedings of the 2007 Symposium On Usable Privacy and Security (SOUPS)Full paper: pdf 
Private Web Search.
In proceedings of the 6th ACM Workshop on Privacy in the Electronic Society (WPES) 2007Full paper: pdf 
Covert Channels in PrivacyPreserving Identification Systems.
In proceedings of the 14'th ACM conference on Computer and Communications Security (CCS), pp. 297306, 2007 
Public Key Encryption That Allows PIR Queries.
In proceedings of Crypto 2007, LNCS 4622, pp. 5067, 2007 
Geoencryption using Loran.
In proceedings of the 2007 National Technical Meeting of the Institute of Navigation, pp. 104115, 2007Full paper: pdf 
Exposing private information by timing web applications.
In proceedings of the 16th International Conference on World Wide Web, WWW 2007, ACM 2007, pp. 621628Full paper: pdf 
Cryptographic Methods for Storing Ballots on a Voting Machine.
In proceedings of the 14th Annual Network & Distributed System Security Conference (NDSS 2007)Full paper: pdf 
Conjunctive, subset, and range queries on encrypted data.
In proceedings of TCC'07, LNCS 4392, pp. 535554, 2007Full paper: pdf 
On the impossibility of efficiently combining collision resistant
hash functions.
In proceedings of Crypto '06, LNCS 4117, pp. 570583, 2006Full paper: pdf 
A collusion resistant broadcast, trace and revoke system.
In proceedings of ACM CCS '06, pp. 211220, 2006Full paper: pdf 
Secure function evaluation with ordered binary decision diagrams.
In proceedings of the ACM Conference on Computer and Communications Security (CCS) 2006, pp. 410420 
SANE: A protection architecture for enterprise networks.
In proceedings of Usenix Security '06, pp. 137151, 2006Full paper: pdf 
Fully Collusion Resistant Traitor Tracing With Short Ciphertexts and Private Keys.
In proceedings of Eurocrypt '06, LNCS 4004, 2006, pp. 573592Full paper: pdf 
Protecting Browser State from Web Privacy Attacks.
In Proceedings of the 15th International Conference on World Wide Web, WWW '06, ACM Press, pp. 737744Full paper: pdf 
Strongly Unforgeable Signatures Based on Computational DiffieHellman.
In proceedings of PKC '06, LNCS 3958, pp. 229240, 2006Full paper: pdf 
Private encrypted content distribution using private broadcast encryption.
In proceedings of Financial Crypto (FC) '06, 2006, LNCS 4107, pp. 5264Full paper: html 
Stronger Password Authentication Using Browser Extensions.
In proceedings of Usenix security 2005Full paper: pdf 
Chosen Ciphertext Secure Public Key Threshold Encryption Without Random Oracles.
In proceedings of RSACT '06, LNCS 3860, pp. 226243, 2006Full paper: pdf 
ChosenCiphertext Security from IdentityBased Encryption.
SIAM J. of Computing (SICOMP), Volume 36, Issue 5, pp. 915942, 2006Full paper: pdf 
Collusion Resistant Broadcast Encryption With Short Ciphertexts
and Private Keys.
In proceedings of Crypto '05, LNCS 3621, pp. 258275, 2005Full paper: pdf 
Hierarchical Identity Based Encryption with Constant Size Ciphertext.
In proceedings of Eurocrypt '05, LNCS 3493, pp. 440456Full paper: pdf 
Evaluating 2DNF Formulas on Ciphertexts.
In proceedings of Theory of Cryptography (TCC) '05, LNCS 3378, pp. 325341, 2005Full paper: pdf 
Improved Efficiency for CCASecure Cryptosystems Built Using
Identity Based Encryption.
In proceedings of RSACT '05, LNCS 3376, pp. 87103, 2005Full paper: pdf 
Group Signatures with VerifierLocal Revocation.
In proceedings of the 11'th ACM conference on Computer and Communications Security (CCS), pp. 168177, 2004Full paper: pdf 
On the Effectiveness of AddressSpace Randomization.
In proceedings of the 11'th ACM conference on Computer and Communications Security (CCS), pp. 298307, 2004Full paper: pdf 
Short Group Signatures.
In proceedings of Crypto '04, LNCS 3152, pp. 4155, 2004Full paper: pdf 
Secure Identity Based Encryption Without Random Oracles.
In proceedings of Crypto '04, LNCS 3152, 2004Full paper: pdf 
Efficient Selective IdentityBased Encryption Without Random Oracles.
Journal of Cryptology (JOC), 24 (4):659693, 2011.
Extended abstract in proceedings of Eurocrypt 2004, LNCS 3027, pp. 223238, 2004 [BIBTEX]Full paper: pdf 
Short Signatures Without Random Oracles.
Journal of Cryptology, 21(2), pp. 149177, 2008.
Extended abstract in proceedings of Eurocrypt 2004, LNCS 3027, pp. 5673, 2004Full paper: pdf 
Public key encryption with keyword search.
In proceedings of Eurocrypt 2004, LNCS 3027, pp. 506522, 2004Full paper: pdf 
A Secure Signature Scheme from Bilinear Maps.
In proceedings of RSACT '03, LNCS 2612, pp. 98110Full paper: pdf 
Oblivious SignatureBased Envelope.
Distributed Computing 17(4), pp. 293302, May 2005
Extended abstract in proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC), pp. 182189, 2003Full paper: pdf 
Terra: A Virtual MachineBased Platform for Trusted Computing.
In Proceedings of 19th ACM Symposium on Operating Systems Principles (SOSP), pp 193206, 2003Full paper: pdf 
The Design and Implementation of Protocolbased Hidden Key Recovery.
In proceedings of the 6th Information Security Conference 2003, LNCS 2851, pp. 165179, 2003.Full paper: pdf 
Flexible OS support and applications for trusted computing.
In the 9th Hot Topics in Operating Systems (HOTOSIX), 2003 
Remote timing attacks are practical.
In proceedings of the 12th Usenix Security Symposium, 2003 
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps.
In proceedings of Eurocrypt 2003, LNCS 2656, pp. 416432, 2003Full paper: pdf 
SiRiUS: Securing Remote Untrusted Storage.
In proceedings of the Internet Society (ISOC) Network and Distributed Systems Security (NDSS) Symposium 2003, pp. 131145Full paper: ps 
Almost entirely correct mixing with applications to voting.
In proceedings of the 9'th ACM conference on Computer and Communications Security (CCS), 2002 
Attacking an obfuscated cipher by injecting faults.
In proceedings of the 2002 ACM Workshop on Digital Rights ManagementFull paper: PDF 
Client side caching for TLS.
ACM Trans. Info. and Sys. Security, 7(4):55375, Nov. 2004
Extended abstract in NDSS 2002Full paper: PDF 
Fast variants of RSA.
CryptoBytes, Vol. 5, No. 1, pp. 19, 2002Full paper: pdf 
Applications of Multilinear Forms to Cryptography.
Contemporary Mathematics Vol. 324, American Mathematical Society, pp. 7190, 2003Full paper: PDF 
The Modular Inversion Hidden Number Problem.
In proceedings of Asiacrypt '01, LNCS Vol. 2248, SpringerVerlag, pp. 3651, 2001 
Short signatures from the Weil pairing.
J. of Cryptology, Vol. 17, No. 4, pp. 297319, 2004
Extended abstract in Asiacrypt 2001Full paper: postscript 
Identity based encryption from the Weil pairing.
SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003
Extended abstract in Crypto 2001, LNCS 2139, pp. 213229, 2001. [BIBTEX]Full paper: PDF 
Simplified OAEP for the RSA and Rabin functions.
In proceedings of Crypto '2001, Lecture Notes in Computer Science, Vol. 2139, SpringerVerlag, pp. 275291, 2001Full paper: PostScript

On the Unpredictability of Bits of the Elliptic Curve DiffieHellman Scheme.
In proceedings of Crypto '2001, Lecture Notes in Computer Science, Vol. 2139, SpringerVerlag, pp. 201212, 2001Full paper: PostScript 
A Method for Fast Revocation of Public Key Certificates and
Security Capabilities.
In proceedings of the 10th USENIX Security Symposium, pp. 297308Full paper: pdf 
Lower Bounds for Multicast Message Authentication.
In proceedings of Eurocrypt '2001, Lecture Notes in Computer Science, Vol. 2045, SpringerVerlag, pp. 437452, 2001Full paper: PostScript 
Improving SSL Handshake Performance via Batching.
In proceedings RSA '2001, Lecture Notes in Computer Science, Vol. 2020, SpringerVerlag, pp. 2843, 2001Full paper: PostScript 
Why Textbook ElGamal and RSA Encryption are Insecure.
In Proceedings AsiaCrypt '00, Lecture Notes in Computer Science, Vol. 1976, SpringerVerlag, pp. 3044, 2000Full paper: pdf 
Timed Commitments.
In proceedings of Crypto '2000, Santa Barbara, LNCS 1880, Springer Verlag, pp. 236254, 2000Full paper: PostScript 
Generating RSA Keys on a Handheld Using an Untrusted Server.
In proceedings of Indocrypt 2000, LNCS 1977, pp. 271282, 2000Full paper: PostScript 
Anonymous authentication with subset queries.
In proceedings of the 6th ACM conference on Computer and Communications Security, pp. 113119, 1999 
An efficient public key traitor tracing scheme.
In Proceedings Crypto '99, Lecture Notes in Computer Science, Vol. 1666, SpringerVerlag, pp. 338353, 1999Full paper: PostScript 
Building intrusion tolerant applications.
In proceedings of the 8th USENIX Security Symposium, pp. 7991, 1999Full paper: PostScript, PDF 
Factoring N=p^{r}q for large r.
In Proceedings Crypto '99, Lecture Notes in Computer Science, Vol. 1666, SpringerVerlag, pp. 326337, 1999Full paper: PostScript 
Cryptanalysis of RSA with private key d less
than N^{0.292}.
IEEE Transactions on Information Theory, Vol 46, No. 4, pp. 13391349, July 2000
Extended abstract in proceedings of Eurocrypt 1998Full paper: PostScript 
Experimenting with electronic commerce on the PalmPilot.
In proceedings of Financial Cryptography '99, Lecture Notes in Computer Science, Vol. 1648, SpringerVerlag, pp. 116, 1999Full paper: PostScript 
Experimenting with Shared Generation of RSA keys.
In proceedings of the Internet Society's 1999 Symposium on Network and Distributed System Security (NDSS), pp. 4356Full paper: PostScript 
An attack on RSA given a small fraction of the private key bits.
In proceedings AsiaCrypt '98, Lecture Notes in Computer Science, Vol. 1514, SpringerVerlag, pp. 2534, 1998Full paper: PostScript 
A generalized wallet architecture.
In proceedings of the 3rd USENIX Workshop on Electronic Commerce, 1998Full paper: gzippedPostScript 
Generating a Product of Three Primes With an Unknown Factorization.
In Proceedings of the third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science, Vol. 1423, SpringerVerlag, pp. 237251, 1998Full paper: gzippedPostScript 
Breaking RSA may not be equivalent to factoring.
In Proceedings Eurocrypt '98, Lecture Notes in Computer Science, Vol. 1233, SpringerVerlag, pp. 5971, 1998Full paper: gzippedPostScript, PDF 
Breaking generalized DiffieHellman modulo a composite is no easier
than factoring.
In Information Processing Letters (IPL), Vol. 70, 1999, pp. 8387Full paper: gzippedPostScript 
Efficient generation of shared RSA keys.
Journal of the ACM (JACM), Vol. 48, Issue 4, pp. 702722, July 2001
Extended abstract in proceedings of Crypto '97Full paper: PostScript 
Revocation of unread Email in an untrusted network.
In Proceedings 1997 Australian Conference on Information Security, ACISP 1997, LNCS 1270, pp. 6275Full paper: HTML 
On the importance of checking cryptographic protocols for faults.
Journal of Cryptology, SpringerVerlag, Vol. 14, No. 2, pp. 101119, 2001
Extended abstract in proceedings of Eurocrypt '97Full paper: gzippedPostScript 
Rounding in lattices and its cryptographic applications.
In Proceedings of SODA 1997, pp. 675681Full paper: gzippedPostScript 
A revocable backup system.
In Proceedings 6th USENIX Security Conference, pp. 9196, 1996Full paper: gzippedPostScript, PDF 
Hardness of computing the most significant bits of
secret keys in DiffieHellman and related schemes.
In Proceedings Crypto '96, Lecture Notes in Computer Science, Vol. 1109, SpringerVerlag, pp. 129142, 1996Full paper: PostScript 
Algorithms for black box fields and their application to cryptography.
In Proceedings Crypto '96, Lecture Notes in Computer Science, Vol. 1109, SpringerVerlag, pp. 283297, 1996Full paper: PostScript 
Collusion secure fingerprinting for digital data.
IEEE Transactions on Information Theory, Vol 44, No. 5, pp. 18971905, 1998
Extended abstract in proceedings of Crypto '95Full paper: gzippedPostScript 
Quantum cryptanalysis of hidden linear forms.
In Proceedings of Crypto '95, Lecture Notes in Computer Science, Vol. 963, SpringerVerlag, pp. 424437, 1995Full paper: PDF
Research Papers: Learning Theory

Learning using group representations.
In Proceedings COLT 1995, pp. 418426, Santa Cruz, CaliforniaFull paper: gzippedPostScript

Where Genetic Algorithms excel.
Evolutionary Computation, MIT Press, Vol. 9, No. 1, pp. 93124, 2001
Extended abstract in proceedings of COLT 1995Full paper: html 
Amplification of weak learning over the uniform distribution.
In Proceedings COLT 1993, pp. 347351, Santa Cruz, CaliforniaFull paper: gzippedPostScript
Research Papers: DNA Computing

On the computational power of DNA.
In Discrete Applied Mathematics, Special Issue on Computational Molecular Biology, Vol. 71 (1996), pp. 7994Full paper: gzippedPostScript 
Breaking DES using a molecular computer.
In Proceedings of DIMACS workshop on DNA computing, 1995. published by the AMSFull paper: gzippedPostScript 
Making DNA computers error resistant.
In proceedings of 2nd annual DIMACS conference on DNA computing, 1996Full paper: gzippedPostScript 
Running dynamic programming algorithms on a DNA computer.
In proceedings of the 2nd annual conference on DNA computing, 1996Full paper: gzippedPostScript
Research Papers: Misc.

Finding smooth integers in short intervals using CRT decoding.
Journal of Computer and System Sciences (JCSS), Vol. 64, pp. 768784, 2002
Extended abstract in STOC '2000, pp. 265272, Portland, Oregon, 2000Full paper: PostScript 
Effect of operators on straight line complexity.
In proceedings of ISTCS, RamatGan, Israel, 1997Full paper: gzippedPostScript