Welcome to my academic website. I'm an associate professor at DTU, Denmark. Previously, I was a postdoctoral research associate at ENS Ulm, had similar roles at KU Leuven and TU Graz, and was a visiting researcher at MSR Redmond. Since 2008 I have been coordinating the hash function working group within the ECRYPT II Network of Excellence.

My research is centered around the design, analysis, and implementation of the fundamental building blocks that form the basis of current and future IT systems: ciphers, hash functions, authentication codes. Applications range from tiny RFID tags to cloud computing services.


Matematiktorvet 303B
DK-2800 Lyngby


Upcoming and recent events:

When? | Where? | What? | More info
August 11, 2012 | Hefei, CHN | Cryptanalytic ideas for SHA and AES | Invited talk at Chinacrypt 2012 (in English)
August 24, 2012 | Beijing, CHN | Narrow-Bicliques: Cryptanalysis of Full IDEA | Seminar at Institute of Advanced Study, Tsinghua University. A video from a shorter version of this talk from Eurocrypt 2012 can be found here
August 30, 2012 | Beijing, CHN | PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications | Seminar at Institute for Software, Chinese Academy of Science
Sept 21, 2012 | Sofia, BUL | The SHA-3 Competition | Invited talk at BulCrypt 2012
Sept 27, 2012 | Porquerolles Island, FRA | Yet another cryptanalysis of the AES | Invited talk at YACC 2012
Oct 18, 2012 | Brugge, BEL | Related-key and Biclique cryptanalysis of AES | Invited talk at AES day 2012
Nov 21, 2012 | Antwerp, BEL | PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications | Invited talk at Workshop on Cryptography for the Internet of Things
Nov 30, 2012 | Seoul, KOR | New meet-in-the-middle attacks in symmetric cryptanalysis | Invited talk at The 15th Annual International Conference on Information Security and Cryptology

Program committees:

ACM CCS 2012, Asiacrypt 2012, Crypto 2013, FSE 2013, Indocrypt 2012, ICISC 2012

Selection of past committees:
Africacrypt 2010-2012, Asiacrypt 2011, Eurocrypt 2009, FSE 2009-2011, Hash 2011 (chair), IWSEC 2011, Indocrypt 2008, 2011, Latincrypt 2010, 2012, SAC 2010, Weworc 2009 (chair), 2011

Recent publications:

(last update October 2011)

"Rotational Rebound Attacks on Reduced Skein"
with Dmitry Khovratovich and Ivica Nikolic [pdf]
Appeared at Asiacrypt 2010
Best results on the SHA-3 candidate Skein. Awarded "Best Paper" and received invitation to Journal of Cryptology.

"Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2"
with Jian Guo, San Ling, and Huaxiong Wang [pdf]
Appeared at Asiacrypt 2010
Among other results, gives the first attack on the hash function Tiger as proposed in 1996.

"Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family"
with Dmitry Khovratovich and Alexandra Savelieva [pdf]
Introduces "Biclique Cryptanalysis". Improved Results on the SHA-2 hash functions and the SHA-3 finalist Skein.

"Biclique Cryptanalysis of the Full AES"
with Andrey Bogdanov and Dmitry Khovratovich [pdf]
First cryptanalytic results on the full AES block cipher. All Versions. No related-key assumptions needed. First application of "Biclique Cryptanalysis" to block ciphers.

Most of my publications are indexed by DBLP; repositories of different subsets can be found either here or here. Maybe this is also useful.

For a list of related talks until 2009, see e.g. here.