Papers in Cryptography – Phillip Rogaway

See dblp for an automated enumeration of my papers.
See Google Scholar for a citation-ordered list with reverse references.


  1. On Committing Authentiated-Encryption by John Chan and Phillip Rogaway. ESORICS (2), pp. 275-294, 2022. [cae]
  2. The Design and Evolution of OCB by Ted Krovetz and Phillip Rogaway. Jounral of Cryptology, vol. 34, no. 36, 2021. [ocb3]
  3. Reimagining Secret Sharing: Creating a Safer and More Versatile Primitive by Adding Authenticity, Correcting Errors, and Reducing Randomness Requirements by Mihir Bellare and Phillip Rogaway. PoPETS 2020(4): pp. 461-490, 2020. [adss]
  4. Anonymous AE by John Chan and Phillip Rogaway. Asiacrypt 2019(2): pp. 183-208. [anae]
  5. Onion-AE by Phillip Rogaway and Yusi Zhang. PoPETS 2018(2), pp. 85-104. [onion]
  6. An Obsessions with Definitions by Phillip Rogaway. LATINCRYPT 2017: pp. 3-20. [defs2]
  7. Practice-Oriented Provable Security and the Social Construction of Cryptography by Phillip Rogaway. IEEE Secur. Priv. 14(6), pp. 10-17, 2016. [pops2] (essay)
  8. Simplifying Game-Based Definitions: Indistinguishability up to Correctness and Its Application to Stateful AE. CRYPTO 2018(2), Springer, pp. 3-32. [indc] (essay)
  9. Big-Key Symmetric Encryption: Resisting Key Exfiltration by Mihir Bellare, Daniel Kane, and Phillip Rogaway. CRYPTO 2016, Springer, pp. 373-402. abstract [bigkey]
  10. The Moral Character of Cryptographic Work (with footnotes; also available with endnotes). Phillip Rogaway. Manuscript written to accompany an invited talk at Asiacrypt 2015. abstract [moral] (essay)
  11. Robust Authenticated Encryption and the Limits of Symmetric Cryptography. Christian Badertscher, Christian Matt, Ueli Maurer, Phillip Rogaway, and Björn Tackmann. IMA International Conference on Cryptography and Coding 2015. [eth2]
  12. Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer. Christian Badertscher, Christian Matt, Ueli Maurer, Phillip Rogaway, and Björn Tackmann. ProvSec 2015. [eth1]
  13. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance. Viet Tung Hoang and Reza Reyhanitabar and Phillip Rogaway and Damian Vizár. CRYPTO 2015, Springer, pp. 493-517. [oae]
  14. Robust Authenticated-Encryption: AEZ and the Problem that it Solves. Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway. AEZ homepage. EUROCRYPT 2015. [aez]
  15. AEZ v4.1: Authenticated Encryption by Enciphering. Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway. AEZ homepage. Manuscript submitted to the CAESAR competition. 2014-15. [aez]
  16. Security of Symmetric Encryption against Mass Surveillance. Mihir Bellare, Kenny Paterson, and Phillip Rogaway. CRYPTO 2014, Springer, pp. 1-19. abstract. [msr]
  17. Reconsidering Generic Composition. Chanathip Namprempre, Phillip Rogaway, and Tom Shrimpton. EUROCRYPT 2014, pp. 257-274. abstract. [nae]
  18. Sometimes-Recurse Shuffle: Almost-Random Permutations in Logarithmic Expected Time. Ben Morris and Phillip Rogaway. EUROCRYPT 2014, pp. 311-326. abstract. [sr]
  19. AE5 Security Notions: Definitions Implicit in the CAESAR Call. Chanathip Namprempre, Phillip Rogaway, and Tom Shrimpton. Unpublished note. abstract. [ae5] (note)
  20. Efficient Garbling from a Fixed-Key Blockcipher. Mihir Bellare, Viet Tung Hoang, Sriram Keelveedhi, and Phillip Rogaway. IEEE Security and Privacy 2013. abstract. [eff]
  21. Adaptively Secure Garbling with Applications to One-Time Programs and Secure Outsourcing. Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. ASIACRYPT 2012. abstract [dyn]
  22. Foundations of Garbled Circuits. Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. ACM CCS 2012. abstract. [gc]
  23. An Enciphering Scheme Based on a Card Shuffle. Viet Tung Hoang, Ben Morris, and Phillip Rogaway. CRYPTO 2012, LNCS vol. 7417,Springer, pp. 1-13. abstract. [shuffle]
  24. The Security of Ciphertext Stealing. Phillip Rogaway, Mark Wooding, and Haibin Zhang. FSE 2012, LNCS vol. 7549, Springer, pp. 180-195. abstract. [steal]
  25. Constructing Cryptographic Definitions. Phillip Rogaway. Written to accompany ISCISC 2011 invited talk, similar in themes to Eurocrypt 2009 invited talk. [ccd] (essay)
  26. Online Ciphers from Tweakable Blockciphers. CT-RSA 2011. Springer, pp. 237-249, 2011. [online]
  27. The Software Performance of Authenticated-Encryption Modes. Ted Krovetz and Phillip Rogaway. FSE 2011. LNCS 6733, Springer, pp. 306-327, 2011. abstract. [ae]
  28. Evaluation of Some Blockcipher Modes of Operation. Phillip Rogaway. Unpublished manuscript (CRYPTREC report on ECB, CBC, CFB, OFB, CTR, XTS, CBC-MAC, CMAC, HMAC, GMAC, CCM, GCM). February 2011. [bc] (survey)
  29. Online Ciphers from Tweakable Blockciphers. Phillip Rogaway and Haibin Zhang. CT-RSA 2011. LNCS 6558, Springer, pp. 237-249, 2011. abstract. [online]
  30. On Generalized Fiestel Networks. Viet Tung Hoang and Phillip Rogaway. CRYPTO 2010. LNCS 6223, Springer, pp. 613-660, 2010. abstract. [feistel]
  31. A Synopsis of Format-Preserving Encryption. Phillip Rogaway. Unpublished manuscript, survey of FPE. March 2010. [synopsis] (survey)
  32. The FFX Mode of Operation for Format Preserving Encryption. Mihir Bellare, Phillip Rogaway, and Terence Spies. Unpublished manuscript, submitted to NIST for possible standardization. February 20, 2010. [ffx1] (spec)
  33. Addendum to “The FFX Mode of Operation for Format Preserving Encryption”. Mihir Bellare, Phillip Rogaway, and Terence Spies. Unpublished manuscripts, submitted to NIST for possible standardization. September 3, 2010. [ffx2] (spec)
  34. Format Preserving Encryption. Mihir Bellare, Tom Ristenpart, Phillip Rogaway, and Till Stegers. SAC 2009. LNCS 5867, Springer, pp. 295-312, 2009. abstract. [fpe].
  35. How to Encipher Messages on a Small Domain: Deterministic Encryption and the Thorp Shuffle. By Ben Morris, Phillip Rogaway, and Till Stegers. CRYPTO 2009. LNCS 5677, Springer, pp. 286-302, 2009. abstract. Also: JoC 31(2), 2018. [thorp].
  36. Practice-Oriented Provable Security and the Social Construction of Cryptography. By Phillip Rogaway. Unpublished essay corresponding to an invited talk at EUROCRYPT 2009. May 6, 2009. abstract. [cc] (essay)
  37. Authentication without Elision: Partially Specified Protocols, Associated Data, and Cryptographic Models Described by Code. Phillip Rogaway and Till Stegers. Computer Security Foundations Symposium (CSF-22, CSF 2009), IEEE Press, 2009. abstract. [psp]
  38. Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. Phillip Rogaway and John Steinberger. CRYPTO 2008, LNCS vol. 5157, Springer, pp. 433-450, 2008. abstract. [lp]
  39. Security/Efficiency Tradeoffs for Permutation-Based Hashing. Phillip Rogaway and John Steinberger. EUROCRYPT 2008, LNCS vol. 4965, Springer, pp. 220-236, 2008. abstract. [tradeoff]
  40. Robust Computational Secret Sharing and a Unified Account of Classical Secret-Sharing Goals. Mihir Bellare and Phillip Rogaway. ACM CCS 2007. abstract. [rcss]
  41. How to Enrich the Message Space of a Cipher. Fast Software Encryption (FSE) 2007, Thomas Ristenpart and Phillip Rogaway. LNCS vol. 4593, Springer, pp. 101-118, 2007. abstract. [extend] This paper has been retracted.
  42. Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys. Phillip Rogaway. Vietcrypt 2006. LNCS vol. 4341, Springer, pp. 221-228, 2006. abstract. [ignorance]
  43. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem. Phillip Rogaway and Tom Shrimpton. EUROCRYPT 2006. LNCS vol. 4004, Springer, 2006. abstract. [dae]
  44. The SIV Mode of Operation for Deterministic Authenticated-Encryption (Key Wrap) and Misuse-Resistant Nonce-Based Authenticated-Encryption. Phillip Rogaway and Tom Shrimpton. Specification document corresponding to the above. Submitted to NIST, August 2007. abstract. [siv].
  45. Variationally Universal Hashing. Ted Krovetz and Phillip Rogaway. Information Processing Letters (IPL), vol. 100, no. 1, pp. 36-39, 2006. abstract. [vu]
  46. Code-Based Game-Playing Proofs and the Security of Triple Encryption. Mihir Bellare and Phillip Rogaway. EUROCRYPT 2006. LNCS vol. 4004, Springer, 2006. abstract. [games] Note: see Gazi and Maurer for a description of some bugs in the proof for triple encryption.
  47. UMAC: Message Authentication Code Using Universal Hashing. Ted Krovetz (editor), John Black, Shai Halevi, Alejandro Hevia, Hugo Krawczyk, and Phillip Rogaway. RFC 4418, March 2006. RFC based on the UMAC paper. abstract. [rfc4418]
  48. Improved Security Analyses for CBC MACs. Mihir Bellare, Krzysztof Pietrzak, and Phillip Rogaway. CRYPTO 2005, LNCS vol. 3621, Springer, pp. 527-541, 2005. abstract. [cbc2]
  49. The OCB Authenticated-Encryption Algorithm Ted Krovetz and Phillip Rogaway. abstract. RFC 7253. May 2014. [ocb-spec]
  50. On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. ASIAN’04, The Ninth Asian Computing Science Conference. LNCS vol. 3321. Springer, 2004. Note: A working draft of this paper appeared in the LNCS proceedings due to an editorial error; please use this version instead. abstract. [def]
  51. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. Phillip Rogaway. Asiacrypt 2004. LNCS vol. 3329. Springer, 2004. abstract. [offsets]
  52. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision-Resistance. Phillip Rogaway and Tom Shrimpton. Fast Software Encryption (FSE) 2004, LNCS vol. 3017, pp. 371-388, Springer, 2004. abstract. [relates]
  53. Nonce-Based Symmetric Encryption. Fast Software Encryption (FSE) 2004, LNCS vol. 3017, Phillip Rogaway. pp. 348-359, Springer, 2004. abstract. [nonce]
  54. The EAX Mode of Operation (A Two-Pass Authenticated Encryption Scheme Optimized for Simplicity and Efficiency). Mihir Bellare, Phillip Rogaway, and David Wagner. Fast Software Encryption (FSE), LNCS vol. 3017, pp. 389-407, 2004. abstract. [eax]
  55. A Critique of CCM. Manuscript (service contribution), content largely absorbed into the above. February 2003. Phillip Rogaway and David Wagner. abstract [ccm]
  56. A Parallelizable Enciphering Mode. Shai Halevi and Phillip Rogaway. Topics in Cryptology, CT-RSA 2004, LNCS vol. 2964, pp. 292-304, Springer, 2004. abstract. [eme]
  57. A Tweakable Enciphering Mode. CRYPTO 2003, LNCS vol. 2729, pp. 482-499, Springer, 2003. abstract. [cmc]
  58. Authenticated-Encryption with Associated-Data. Phillip Rogaway. ACM Conference on Computer and Communications Security 2002 (CCS’02), ACM Press, pp. 98-107, September 2002. abstract. [aead]
  59. Block-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. John Black, Phillip Rogaway, and Tom Shrimpton. CRYPTO 2002, LNCS vol. 2442, pp. 320-335, Springer, 2002. abstract. [hash]
  60. Encryption-Scheme Security in the Presence of Key-Dependent Messages. John Black, Phillip Rogaway, and Tom Shrimpton. Selected Areas in Cryptography 2002 (SAC 2002), LNCS vol. 2595, pp. 62-75, Springer, 2002. abstract. [kdm]
  61. A Block-Cipher Mode of Operation for Parallelizable Message Authentication.
    John Black and Phillip Rogaway. EUROCRYPT 2002, LNCS vol. 2332, pp. 384-397, Springer, 2002. abstract. [pmac]
  62. Ciphers with Arbitrary Finite Domains. John Black and Phillip Rogaway. RSA Data Security Conference, Cryptographer’s Track (RSA CT ’02), LNCS vol. 2271, pp. 114-130, Springer, 2002. abstract. [subset]
  63. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption. Phillip Rogaway, Mihir Bellare, and John Black. ACM Transactions on Information and System Security (TISSEC), vol. 6, no. 3, pp. 365-403, August 2003. Earlier version, with Ted Krovetz, in Eighth ACM Conference on Computer and Communications Security (ACM CCS), ACM Press, pp. 196-205, 2001. Further information available from the OCB homepage. abtract. [ocb]
  64. Counter-mode encryption. Helger Lipmaa, Phillip Rogaway, and David Wagner. Contribution to NIST on CTR. [ctr]
  65. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). Martín Abadi and Phillip Rogaway. J. of Cryptology, vol. 15, no. 2, pp. 103-127, 2002. Earlier version in Theoretical Computer Science, Exploring New Frontiers in Theoretical Informatics. LNCS vol. 1872, pp. 3-22, Springer, 2000. abstract [equiv]
  66. Fast Universal Hashing with Small Keys and no Preprocessing: the PolyR Construction. Ted Krovetz and Phillip Rogaway. Information Security and Cryptology - ICICS 2000, LNCS vol. 2015, pp. 73-89, Springer, 2000. abstract. [poly]
  67. Encode-then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography. Mihir Bellare and Phillip Rogaway. Asiacrypt ’00, LNCS vol. 1976, pp. 317-330, Springer, 2000. abstract. [encode]
  68. CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. John Black and Phillip Rogaway. J. of Cryptology, vol. 18, no. 2, pp. 111-131, 2005. Earlier version in CRYPTO 2000. abstract. [3key]
  69. Authenticated Key Exchange Secure against Dictionary Attacks. Mihir Bellare, David Pointcheval, and Phillip Rogaway. EUROCRYPT 2000, LNCS vol. 1807, pp. 139-155, Springer, 2000. abstract. [dict]
  70. The AuthA Protocol for Password-Based Authenticated Key Exchange. Mihir Bellare and Phillip Rogaway. Unpublished manuscript (service contribution) submitted to IEEE P1363. abstract. [autha]
  71. UMAC: Fast and Secure Message Authentication. John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway. Crypto ’99, LNCS vol. 1666. pp. 216-233, Springer, 1999. abstract. [umac]
  72. On the Construction of Variable-Input-Length Ciphers. Mihir Bellare and Phillip Rogaway. Fast Software Encryption, 6th International Workshop, FSE’99, LNCS vol. 1636, pp. 321-344, Springer, 1999. abstract. [vil]
  73. The Oracle Diffie-Hellman Assumption and an Analysis of DHIES. Michael Abdalla, Mihir Bellare, and Phillip Rogaway. Topics in Cryptology - CT RSA 01. LNCS vol. 2020, Springer, 2001. abstract. [dhies]
  74. PSS: Provably Secure Encoding Method for Digital Signatures. Mihir Bellare and Phillip Rogaway. Submission to IEEE P1363a (service contribution corresponding to the above). abstract. [pss]
  75. A Software-Optimized Encryption Algorithm. Phillip Rogaway and Don Coppersmith. Journal of Cryptology, vol. 11, num 4, pp. 273-287, 1998. abstract. [seal]
  76. When to Hyphenate Phrases such as “Public Key”. Kathleen Ward and Phillip Rogaway. Technical (so-to-speak) content of the possibly-humorous rump-session talk given at CRYPTO ’98. [hyphen] (essay)
  77. Relations among Notions of Security for Public-Key Encryption Schemes. Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Crypto ’98, LNCS vol. 1462, pp. 26-45, Springer, 1998. abstract. [relations]
  78. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-Invertible. Mihir Bellare, Ted Krovetz, and Phillip Rogaway. EUROCRPYT ’98, LNCS vol. 1403, pp. 266-280, Springer, 1998. abstract. [p2f]
  79. A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation. Mihir Bellare, Anand Desai, Eron Jokipii, and Phillip Rogaway. Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), pp. 394-403, IEEE Press, 1997. abstract. [se]
  80. Collision-Resistant Hashing: Towards Making UOWHFs Practical. Mihir Bellare and Phillip Rogaway. Crypto ’97, LNCS vol. 1294, pp. 470-484, Springer, 1997. abstract. [tcr]
  81. Bucket Hashing and its Application to Fast Message Authentication. Phillip Rogaway. Journal of Cryptology , vol. 12, num. 2, pp. 91-115, 1999. Earlier version in CRYPTO ’95. abstract. [bucket]
  82. Locally Random Reductions: Improvements and Applications. Don Beaver, Joan Feigenbaum, Joe Kilian, and Phillip Rogaway. Journal of Cryptology, Winter 1997, pp. 17-36. abstract. [lrr]
  83. How to Protect DES Against Exhaustive Key Search (an analysis of DESX). Joe Kilian and Phillip Rogaway. J. of Cryptology, vol. 14, no. 1, pp. 17-35, 2001. Earlier version in CRYPTO ’96. abstract. [desx]
  84. The Security of DESX. Phillip Rogaway. RSA Laboratories’ CryptoBytes, Summer 1996. Less technical summary of the above article. abstract. [desx2]
  85. The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. Mihir Bellare and Phillip Rogaway. Advance in Cryptology - EUROCRYPT ’96, LNCS vol. 1070, pp. 399-416, Springer, 1996. abstract. [sig]
  86. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. Mihir Bellare, Roch Guerin, and Phillip Rogaway. Crypto ’95, LNCS vol. 963, pp. 15-28, Springer, 1995. abstract. [xormac]
  87. Provably Secure Session Key Distribution - The Three Party Case. Mihir Bellare and Phillip Rogaway. Proc. 27th Annual Symposium on the Theory of Computing (STOC 95), pp. 57-66, ACM, 1995. abstract [3pkd]
  88. Optimal Asymmetric Encryption – How to Encrypt with RSA. Mihir Bellare and Phillip Rogaway. EUROCRYPT ’94, LNCS vol. 950, pp. 341-358, Springer, 1995. abstract. [oaep]
  89. The Security of the Cipher Block Chaining Message Authentication Code. Mihir Bellare, Joe Kilian, and Phillip Rogaway. Journal of Computer and System Sciences (JCSS), vol. 61, no. 3, pp. 362-399, Dec 2000. Earlier version in CRYPTO ’94. abstract. [cbcmac]
  90. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. Mihir Bellare and Phillip Rogaway. Extended abstract in Proc. First Annual Conference on Computer and Communications Security, ACM, 1993. abstract. [ro]
  91. Entity Authentication and Key Distribution. Mihir Bellare and Phillip Rogaway. Crypto 93, LNCS vol. 773, pp. 232-249, Springer, 1994. abstract. [eakd]
  92. The Complexity of Approximating a Nonlinear Program. Mihir Bellare and Phillip Rogaway. Journal of Mathematical Programming B, vol. 69, no. 3, pp. 429-441, September 1995. Also in Complexity of Numerical Optimization, ed. P. M. Pardalos, World Scientific, 1993. abstract. [qp]
  93. The Round Complexity of Secure Protocols. Phillip Rogaway. MIT Ph.D. Thesis, June 1991. Note: Definitions and a fuller treatment of [BMR90]. Sometimes cited a full proof for garbled circuits, but the method descrbed is buggy: see Tate and Xu, 2003. [thesis]

Rogaway’s home page.