Welcome to my academic website. Since 2011, I'm associate professor at the Technical University of Denmark, DTU. Previously, I was a postdoctorial research associate at ENS Ulm, and had similar roles at KU Leuven and TU Graz, and was a visiting researcher at MSR Redmond. From 2008-2013 I was coordinating the hash function working group within the ECRYPT II Network of Excellence.

My research is centered around the design, analysis, and implementation of the fundamental building blocks that form the basis of current and future IT systems: ciphers, hash functions, authentication codes. Applications range from tiny RFID tags to cloud computing services.


Matematiktorvet 303B
DK-2800 Lyngby


Upcoming and recent events:

When?Where?What?more infos
Jan 14, 2014New York, USASymmetric-crypto Research Meets Practice: A Low Latency CipherInvited talk at Workshop on Real World Cryptography 2014
Feb 2, 2014Haifa, ILSymmetric-crypto Research Meets Practice: A Low Latency CipherInvited talk at Lightweight security day
May 26, 2014Copenhagen, DENSecurity and Anonymity of BitcoinInvited talk at Bitcoin - the math and the consequences

Program committees:

ACM CCS 2012, Asiacrypt 2012, Crypto 2013, FSE 2013, Indocrypt 2012, ICISC 2012

Selection of past committees:
Africacrypt 2010-2012, Asiacrypt 2011, Eurocrypt 2009, FSE 2009-2011, Hash 2011 (chair), IWSEC 2011, Indocrypt 2008, 2011, Latincrypt 2010, 2012, SAC 2010, Weworc 2009 (chair), 2011

Recent publications:

(last update October 2011)

"Rotational Rebound Attacks on Reduced Skein"
with Dmitry Khovratovich and Ivica Nikolic [pdf]
Appeared at Asiacrypt 2010
Best results on the SHA-3 candidate Skein. Awarded "Best Paper" and received invitation to Journal of Cryptology.

"Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2"
with Jian Guo, San Ling, and Huaxiong Wang [pdf]
Appeared at Asiacrypt 2010
Among other results, gives the first attack on the hash function Tiger as proposed in 1996.

"Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family"
with Dmitry Khovratovich and Alexandra Savelieva [pdf]
Introduces "Biclique Cryptanalysis". Improved Results on the SHA-2 hash functions and the SHA-3 finalist Skein.

"Biclique Cryptanalysis of the Full AES"
with Andrey Bogdanov and Dmitry Khovratovich [pdf]
First cryptanalytic results on the full AES block cipher. All Versions. No related-key assumptions needed. First application of "Biclique Cryptanalysis" to block ciphers.

Most of my publications are indexed by DBLP, repositories of different subsets can be found either here or here. Maybe this is also useful.

For a list of related talks until 2009, see e.g. here.