Homepage Joan Daemen

Welcome to my homepage. I created this page to make some publications available that would otherwise be hard to find. I have two affiliations: Radboud University in Nijmegen, the Netherlands and STMicroelectronics (ST for short). At Radboud I am part-time professor Symmetric Cryptography in the Institute for Computing and Information Sciences (ICIS) at the Faculty of Science. At ST I work in the branch office in Diegem, Belgium as a cryptographer and IT security architect. If you want to contact me, I guess it is not so hard to find my email address.

Research interests

I focus on the design of primitives and modes in symmetric cryptography. I am also interested in types of cryptanalysis that are relevant in the real world or impose new criteria for design. I like to do my research in long-term collaborations and count myself lucky to work with Vincent Rijmen since the early nineties and Gilles Van Assche, Michaël Peeters and (somewhat later) Guido Bertoni since the beginning of this millenium.

Selected publications

Here I have listed a number of my publications. They cover most of my research except that on Keccak and the sponge construction and permutation-based cryptography. For my publications on those subjects I refer to our page of Keccak-related papers and our page of sponge-related papers.

The MAC function Pelican 2.0

2014

Joan Daemen and Vincent Rijmen

Keywords: primitives: Pelican-MAC, design

After writing our paper on Alred, we took a closer look at our concrete AES-based proposal Alpha-MAC and concluded that it could be simplified and made more efficient at the same time. This resulted in Pelican-MAC, a very simple MAC function about 2.5 times faster than any AES-based CBC-MAC variant requiring less RAM and with a smaller fixed overhead per message. Despite fierce attacks, the security claims of Pelican-MAC still stand up to this day.

The original version of Pelican dates from 2005. In 2014 we presented an update called Pelican 2.0, with only change a different initial value. The reason for this is the negative impact on security of the original Pelican MAC if a key check value is available for the key computed according to a widespread algorithm.

Get the paper from eprint and bibtex from DBLP

On the related-key attacks against AES

2011

Joan Daemen and Vincent Rijmen

Keywords: cryptanalysis: related-key attacks, primitives: block ciphers: Rijndael: AES

After some fuss was created on related-key attacks on full-round AES with 256-bit and 192-bit key length, Vincent and I felt the need to put things in perspective. After giving a number of presentations on the subject, we wrote it down in this paper.

Get the paper here and bibtex here

Sufficient conditions for sound hashing using a truncated permutation

2011

Joan Daemen, Tony Dusenge and Gilles Van Assche

Keywords: modes: permutation-based hashing, design, security reduction proofs: indifferentiability

Tony did an internship at ST in 2010 and the result of our collaboration is this paper. We formulate a small set of simple conditions sufficient for truncated permutation based hashing modes to be sound. These hashing modes include tree hashing modes and sequential hashing modes. We prove that for any hashing mode satisfying the conditions, it achieves the maximum possible security level you can expect, assuming that the underlying permutation is ideal.

Get the paper from eprint and bibtex from DBLP

Correlation Analysis in GF(2n)

2011

Joan Daemen and Vincent Rijmen

Keywords: LC, finite fields, linear algebra, primitives: Rijndael, design

You can describe the propagation of linear masks through maps such as MixColumns in Rijndael without having to fix a basis. This paper explains how and also provides a description of Rijndael using only the multiplication and addition in GF(28). Part of the material of this paper already appeared as an the appendix of our book on Rijndael.

Get the paper here and bibtex here

Refinements of the Alred Construction and MAC Security Claims

2010

Joan Daemen and Vincent Rijmen

Keywords: primitives: MAC functions: Alred: Pelican-MAC, security claims, design

The security claims for MAC functions proposed in our original paper on Alred were problematic and this paper fixes the problem. This paper contains some additional analysis of internal collisions in the Alred construction. It is also the first peer-reviewed publication of Pelican-MAC.

Get the paper here and bibtex from DBLP

Sufficient conditions for sound tree and sequential hashing modes

2009

Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche

Keywords: modes: hashing, design, security reduction proofs: indifferentiability

In this paper we prove that if a hashing mode satisfies a set of three simple conditions, it achieves the maximum possible security level you can expect, assuming an ideal underlying compression function. This covers tree and sequential hashing modes

Get the paper from eprint and bibtex from DBLP

The Self-Synchronizing Stream Cipher Moustique

2008

Joan Daemen and Paris Kitsos

Keywords: primitives: self-synchronizing stream ciphers: Moustique, design

Self-synchronizing stream ciphers are a rarity in cryptography. You can do self-synchronizing encryption with a block cipher in 1-bit CFB mode but this is very inefficient. The (academic) question is: is it possible to design a dedicated self-synchronizing stream cipher that is substantially more efficient? In 1992 I proposed a design strategy for high throughput and a proof-of-concept design called Knot, as documented in my thesis. Knot went through some changes and in 2005 hardware expert Paris Kitsos and I joined to build Mosquito that we submitted to eSTREAM. This was soon broken and after tweaking it we called the result Moustique. This paper describes Moustique and its design philosophy and is a chapter in a book that came out of eStream. Soon after, Moustique was also broken. I still believe the underlying design strategy is OK and that Moustique can be repaired with a simple tweak. This has been on my todo list for years now.

Get the paper here and bibtex from DBLP

Probability Distributions of Correlation and Differentials in Block Ciphers

2007

Joan Daemen and Vincent Rijmen

Keywords: random permutations and block ciphers, LC/DC

When investigating Rijndael, Vincent and I felt the need for improving our understanding of the typical correlation and differential propagation properties of random S-boxes, permutations or block ciphers. Building on the work of Luke O'Connor, in this paper we derive the distributions of DC and LC values and their maxima in random permutations and block ciphers.

Get the paper here and bibtex from DBLP

New criteria for linear maps in AES-like ciphers

2007

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra

In this paper we summed up plateau trails and introduced the interesting concept of related differentials. This is a property of linear mappings that leads to sub-optimal behaviour when considering plateau trails. Circulant MDS matrices for instance, such as the one we used in Rijndael, structurally exhibit related differentials. Whether this sub-optimal behavior can be exploited in actual attacks is an open question.

Get the paper here and bibtex from DBLP

Plateau Characteristics

2007

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design, DC, linear algebra

In this paper we showed that differential trails in Rijndael have a behaviour that is very different from what Markov cipher theory would predict. Instead of having a differential probability (DP) that is largely independent from the key, the vast majority of trails in AES turn out to have non-zero DP for a small subset of the keys and zero DP for all other keys. We used the term characteristics to indicate trails because the editor would not accept a paper using the term trails.

Get the paper here and bibtex from DBLP

Producing Collisions for Panama, Instantaneously

2007

Joan Daemen and Gilles Van Assche

Keywords: primitives: stream/hash modules: Panama, DC

In 2002, Vincent Rijmen, Bart van Rompay and Bart Preneel had broken the Panama hash function academically. In 2006, we, the Keccak team avant la lettre, had presented RadioGatún as a hash function proposal. When looking at the 2002 attack on Panama, it was clear to us that Vincent et al. had not pushed their attack very far and that it could be made practical by exploiting some available degrees of freedom. We suspected that such an attack would put RadioGatún in a bad light, unless it would come from us. So Gilles and I took a shot at it, leading to collisions that take less effort to generate than to verify.

Get the paper here and bibtex from DBLP

Understanding Two-Round Differentials in AES

2006

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers, Rijndael, design, DC

For Shark, Square and Rijndael, Vincent and I had formulated simple proofs lower bounding the number of active S-boxes in linear and differential trails. However, the probability of a multi-round differential is equal to the sum of the differential probabilities (DP) of trails compatible with it. Clustering of many trails of negligible DP may give rise to a differentials with non-negligible DP. This paper is the result of our study how two-round differential trails cluster into differentials in Rijndael, which turned out to be a non-trivial exercise. The inverse mapping in the S-box interacts with the MixColumns mapping in unexpected ways. I think it would be interesting to do a similar exercise for linear trails, but I expect this to be even more complex so I removed it from my todo list.

Get the paper here and bibtex from DBLP

Two-Round AES Differentials

2006

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers, Rijndael, design, DC

This paper is an early version of what would later become our papers Understanding Two-Round Differentials in Rijndael and Plateau Characteristics. Most of the material of this paper is covered in two latter papers, but Section 6.3 of this paper describes a key recovery attack of up to four rounds exploiting the specific properties we discovered, that we never published elsewhere.

Get the paper eprint and bibtex from DBLP

RadioGatún, a belt-and-mill hash function

2006

Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche

Keywords: primitives: hash functions: RadioGatún, design, security claims, cryptanalysis: trail backtracking

RadioGatún is a research hash function proposal that was a predecessor of Keccak. It can be seen as tweaked version of Panama. Even though it was quite different from Keccak, it played an important role in the design process of the latter.

Get the paper from eprint and bibtex from DBLP

A new MAC Construction Alred and a Specific Instance Alpha-MAC

2005

Joan Daemen and Vincent Rijmen

Keywords: primitives: MAC functions: Alred: Alpha-MAC, security claims, design

Looking at existing MAC function constructions such as CBC variants, HMAC and those based on so-called universal one-way hash functions, we decided to investigate the possibility to build MAC functions from a block cipher that are at the same time cleaner and more efficient. We started with specifying security claims that explicitly take into account the finite internal state of MAC functions in the form of the capacity concept. We proposed a generic way to build a MAC function from a block cipher called Alred and an AES-based proof of concept called Alpha-MAC.

Get the paper here and bibtex from DBLP

Probability Distributions of Correlation and Differentials in Block Ciphers (on ePrint)

2005

Joan Daemen and Vincent Rijmen

Keywords: random and iterated permutations and block ciphers, LC/DC

This is an earlier version of our paper with the same title that was later published. It has sections that deal with key-alternating block ciphers that are not present in the published version. We made some derivations based on assumptions that turned out not to hold for Rijndael and relatives and were contradicted by plateau trails. Still, we did not withdraw this version of the paper from ePrint as these sections have in the meanwhile inspired follow-on work and are likely to be valid for ciphers and permutations that have weak alignment.

Get this earlier version from eprint and bibtex from DBLP

Distinguishing Stream Ciphers with Convolutional Filters

2005

Joan Daemen and Gilles Van Assche

Keywords: primitives: stream ciphers: irregularly clocked LFSR, cryptanalysis: correlation attack

After reviewing a paper containing sub-optimal attacks on the shrinking generator and the alternating-step generator, I thought they could be improved. I teamed up with Gilles to try it and the result is this paper. We improve upon existing attacks by introducing convolutional filters, theoretically predict their efficiency and confirm this with experiments.

Get the paper from eprint and bibtex from DBLP

The Design of Rijndael: AES - The Advanced Encryption Standard

2002

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers: Rijndael, design: wide trail strategy, LC/DC

This the book on Rijndael that Vincent and I wrote after winning the AES contest. Among other things, it specifies Rijndael, motivates and explains the underlying design approach and treats the propagation of differential and linear trails in key-alternating ciphers and how they combine into differentials and input-output correlations.

Get a PDF of the book here and errata here. Get bibtex from DBLP

Linear Frameworks for Block Ciphers

2001

Joan Daemen, Lars Knudsen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC

In this paper we generalize the structure of our designs Shark, Square and Rijndael. We included all relevant material in this paper in our book on Rijndael.

Get the paper here and bibtex from DBLP

The Wide Trail Design Strategy

2001

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: key-alternating ciphers, design: wide trail strategy, LC/DC

In this paper we concentrate on the wide trail strategy flavor as we applied it in Shark, Square and Rijndael. All relevant material in this paper was later included in our book on Rijndael.

Get the paper here and bibtex from DBLP

Bitslice Ciphers and Power Analysis Attacks

2000

Joan Daemen, Michaël Peeters and Gilles Van Assche

Keywords: primitives: block ciphers: bitslice cipers: BaseKing, implementation: power analysis resistance

In this paper we discuss the limitations of the so-called duplication method as applied to DES and present techniques to protect bitslice ciphers against differential power analysis (DPA).

Get the paper here and bibtex from DBLP

Nessie Proposal: Noekeon

2000

Joan Daemen, Michaël Peeters, Gilles Van Assche and Vincent Rijmen

Keywords: primitives: block ciphers: Noekeon, design, DC/LC

This is the submission document of Noekeon to the Nessie call. Noekeon is a lightweight block cipher that can compete with modern lightweight designs and has powerful lower bounds for the weight of linear and differential trails. It was kicked out of the Nessie competition due to existential related-key properties. We argue that the only protocols that allow their exploitation will have to be especially designed with this purpose.

Get the paper here and bibtex here

AES Proposal: Rijndael

1999

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: Rijndael, design: wide trail strategy, LC/DC

This is the submission document of Rijndael to the AES call, updated for the second round. We included all relevant material in this document in our book on Rijndael.

Get the document here and bibtex here

The block cipher BKSQ

1998

Joan Daemen and Vincent Rijmen

Keywords: primitives: block ciphers: BKSQ, design

My colleague Michel Dawirs had designed the BST protocol that makes use of many calls to one-way functions and he was looking for such a one-way function that was suited for smart cards. As a response, Vincent and I designed a variant of Square with a block size of 96 bits for this purpose.

Get the paper here and bibtex from DBLP

The Banksys signature transport (BST) protocol

1998

Michel Dawirs and Joan Daemen

Keywords: cryptographic protocols: (Banksys) signature transport, design

The Banksys signature transport protocol is suitable for offline electronic payments and makes use of Lamport signatures and structures that remind of Merkle trees. Michel Dawirs came up with the principal idea and I proposed some optimizations and wrote the paper.

Get the paper here and bibtex from DBLP

Management of Secret Keys: Dynamic Key Handling

1998

Joan Daemen

Keywords: (symmetric) key management techniques: forward secrecy, key evolution

When I arrived at Banksys, cryptography in payment transactions was still fully based on Triple-DES. I discovered that some interesting key handling techniques were being used to address very specific requirements. When being asked to give a presentation at the COSIC cryptographyc course, I decided to speak about these techniques and this paper is a chapter in a book accompanying the course.

Get the paper here and bibtex from DBLP

Fast Hashing and Stream Encryption with Panama

1998

Joan Daemen and Craig Clapp

Keywords: primitives: stream/hash modules: Panama, design

Craig Clapp and I reworked an earlier design presented in my thesis called StepRightUp and we named the result Panama. Panama can do hashing and keystream generation, both extremely fast. In the meanwhile the Panama hash function has been badly broken but the Panama stream cipher is still standing.

Get the paper here and bibtex from DBLP

The block cipher Square

1997

Joan Daemen, Lars Knudsen and Vincent Rijmen

Keywords: primitives: block ciphers: Square, design: wide trail strategy, LC/DC, cryptanalysis: Square attack

Square is was a block cipher that has most of the elements of Rijndael: its S-box, MDS matrix and provable bounds on trails weights. This paper also introduced the square attack, invented by Lars.

Get the paper here and bibtex from DBLP

The Cipher Shark

1996

Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers and Erik De Win

Keywords: primitives: block ciphers: Shark, design: wide trail strategy, LC/DC

In this paper we introduced the following elements of Rijndael: the strongly byte-aligned structure, theuse of MDS matrices for diffusion and the multiplicative inverse in GF(28) for non-linearity.

Get the paper here and bibtex from DBLP

Cipher and hash function design - PhD thesis

1995

Joan Daemen

Keywords: primitives: block ciphers, stream/hash modules, self-synchronizing stream ciphers, design: wide trail strategy, shift-invariant transformations, analysis: LC/DC: correlation matrices, cryptanalysis: weak keys of IDEA, Even-Mansour, re-synchronization attacks,

My PhD thesis in a printer-friendly layout.

Get it here and bibtex here