
John M. Kelsey (Fed)

Computer Scientist


I have been working in cryptography for about 15 years now, since 1994. In that time, I've done research and written papers, worked as a consultant, helped write standards, written and reviewed code, attended all sorts of meetings, reviewed papers, and served on program committees. I've designed algorithms and protocols, some of which were broken, others of which have survived so far.

My main interests center around using cryptography and computer security to solve real-world problems. I've done a fair bit of work in cryptographic random number generation, cryptanalysis and design of block ciphers and hash functions, analysis and design of cryptographic protocols, and electronic voting.

My background is unusual. I never studied cryptography in school, beyond a couple of weeks talking about RSA in an algorithms class. I never attended graduate school in anything. Instead, I got interested in cryptography many years ago, began reading books and papers, took part in endless discussions on sci.crypt, and eventually started working in the field. Sometimes, I feel like I'm still playing catch-up, studying things everyone else learned in some class I never took. My first job in the field was with Counterpane Systems, Bruce Schneier's company, back when it was a crypto consulting company. Later, I worked as a consultant for Certicom.

I've been working for NIST since 2003. In that time, I've had the opportunity to work on some really fascinating projects, including secure random number generation, electronic voting, and selecting a new standard hash function. I've been really fortunate in my employers; all of them have provided me with interesting problems to work on and let me pursue my own research interests.


Peer Reviewed Papers:

1. Praveen Gauravaram, John Kelsey, Lars R. Knudsen, Søren S. Thomsen: "On hash functions using checksums," to appear, International Journal of Information Security.

2. John Kelsey, Andrew Regenscheid, Tal Moran, and David Chaum: "Attacking Paper-Based E2E Voting Systems", to appear, Best of WOTE, 2009.

3. Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, and John Kelsey: "Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgaard" SAC 2009.

4. Praveen Gauravaram, John Kelsey: "Linear-XOR and Additive Checksums Don't Protect Damgaard-Merkle Hashes from Generic Attacks." CT-RSA 2008: 36-51.

5. Elena Andreeva, Charles Bouillaguet, Pierre-Alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, Sébastien Zimmer: "Second Preimage Attacks on Dithered Hash Functions". EUROCRYPT 2008: 270-288.

6. John Kelsey, Tadayoshi Kohno: "Herding Hash Functions and the Nostradamus Attack". EUROCRYPT 2006: 183-200 [16].

7. John Kelsey, Stefan Lucks: "Collisions and Near-Collisions for Reduced-Round Tiger". FSE 2006: 111-125.

8. John Kelsey, Bruce Schneier: "Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work". EUROCRYPT 2005: 474-490.

9. Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, Tadayoshi Kohno: "Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive". FSE 2003: 330-346 2002.

10. John Kelsey: "Compression and Information Leakage of Plaintext". FSE 2002: 263-276.

11. Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Michael Stay, David Wagner, Doug Whiting: Improved Cryptanalysis of Rijndael. FSE 2000: 213-230.

12. John Kelsey, Tadayoshi Kohno, Bruce Schneier, "Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent". FSE 2000: 75-93.

13. John Kelsey, Bruce Schneier, David Wagner, Chris Hall: "Side Channel Cryptanalysis of Product Ciphers". Journal of Computer Security 8(2/3): (2000) 1999.

14. John Kelsey, Bruce Schneier, David Wagner: "Mod n Cryptanalysis, with Applications Against RC5P and M6". Fast Software Encryption 1999: 139-155.

15. John Kelsey, Bruce Schneier: "Minimizing Bandwidth for Remote Access to Cryptographically Protected Audit Logs", Recent Advances in Intrusion Detection 1999.

16. John Kelsey, Bruce Schneier: "Key-Schedule Cryptanalysis of DEAL." Selected Areas in Cryptography 1999: 118-134.

17. John Kelsey, Bruce Schneier, Niels Ferguson: "Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator." Selected Areas in Cryptography 1999: 13-33.

18. Bruce Schneier, John Kelsey: "Secure Audit Logs to Support Computer Forensics." ACM Trans. Inf. Syst. Secur. 2(2): 159-176 (1999).

19. John Kelsey, Bruce Schneier: "The Street Performer Protocol and Digital Copyrights." First Monday 4(6): (1999).

20. John Kelsey, Bruce Schneier. "Authenticating secure tokens using slow memory access (extended abstract)". In USENIX Workshop on Smart Card Technology, pages 101--106. USENIX Press, 1999.

21. John Kelsey, Bruce Schneier: "Secure Authentication with Multiple Parallel Keys." CARDIS 1998: 150-156.

22. Chris Hall, David Wagner, John Kelsey, Bruce Schneier: "Building PRFs from PRPs." CRYPTO 1998: 370-389.

23. John Kelsey, Bruce Schneier, David Wagner, Chris Hall: "Side Channel Cryptanalysis of Product Ciphers." ESORICS 1998: 97-110.

24. John Kelsey, Bruce Schneier, David Wagner, Chris Hall: "Cryptanalytic Attacks on Pseudorandom Number Generators". Fast Software Encryption 1998: 168-188.

25. Don Coppersmith, David Wagner, Bruce Schneier, John Kelsey: "Cryptanalysis of TWOPRIME". Fast Software Encryption 1998: 32-48.

26. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall: "On the Twofish Key Schedule", Selected Areas in Cryptography 1998.

27. David Wagner, Leone Simpson, Ed Dawson, John Kelsey, William Millan, Bruce Schneier: "Cryptanalysis of ORYX." Selected Areas in Cryptography 1998: 296-305.

28. Bruce Schneier, John Kelsey: "Cryptographic Support for Secure Logs on Untrusted Machines", Proceedings of the Seventh USENIX Security Symposium, 1998.

29. Chris Hall, John Kelsey, Vincent Rijmen, Bruce Schneier, David Wagner: "Cryptanalysis of SPEED," Selected Areas in Cryptography 1998: 319-338.

30. John Kelsey, Bruce Schneier: "Conditional Purchase Orders," ACM Conference on Computer and Communications Security 1997: 117-124.

31. David Wagner, Bruce Schneier, John Kelsey: "Cryptanalysis of the Cellular Encryption Algorithm", CRYPTO 1997: 526-537.

32. John Kelsey, Bruce Schneier, David Wagner: "Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA," ICICS 1997: 233-246.

33. John Kelsey, Bruce Schneier, Chris Hall, David Wagner: "Secure Applications of Low-Entropy Keys," ISW 1997: 121-134.

34. John Kelsey, Bruce Schneier, David Wagner: "Protocol Interactions and the Chosen Protocol Attack", Security Protocols Workshop 1997: 91-104.

35. John Kelsey, Bruce Schneier, Chris Hall: "An Authenticated Camera." ACSAC 1996: 24-31.

36. Bruce Schneier, John Kelsey: "Authenticating Outputs of Computer Software Using a Cryptographic Coprocessor." CARDIS 1996.

37. John Kelsey, Bruce Schneier, David Wagner: "Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES." CRYPTO 1996: 237-251.

38. Bruce Schneier, John Kelsey, Jay Walker: "Distributed Proctoring." ESORICS 1996: 172-182.

39. Bruce Schneier, John Kelsey: "Unbalanced Feistel Networks and Block Cipher Design." Fast Software Encryption 1996: 121-144.

40. Bruce Schneier, John Kelsey: "Automatic Event-Stream Notarization Using Digital Signatures." Security Protocols Workshop 1996: 155-169.

Non-Peer Reviewed Papers:

41. Elaine Barker, John Kelsey: "Recommendation for Random Number Generation Using Deterministic Random Bit Generators", NIST Special Publication 800-90, March 2007 [6].

42. Tadayoshi Kohno, John Kelsey, Bruce Schneier: "Preliminary Cryptanalysis of Reduced-Round Serpent". AES Candidate Conference 2000: 195-211 [10].

43. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Niels Ferguson: "Comments on Twofish as an AES Candidate". AES Candidate Conference 2000: 355-356 [3].

44. John Kelsey, Bruce Schneier: "MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants". AES Candidate Conference 2000: 169-185 [2].

45. John Kelsey, "Key Separation in Twofish," Twofish Technical Report #7, 7 Apr 2000 [6].

46. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, "Performance Comparison of the AES Submissions," [57].

47. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, "The Twofish Encryption Algorithm: A 128-Bit Block Cipher" (Book) [no citations].

48. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, "Twofish: A 128-Bit Block Cipher", AES Candidate Submission [121].

Recent Significant Invited Talks:

1. Dagstuhl Seminar: Frontiers of e-Voting, "Some Attacks on Paper-Based End to End Voting Systems", August 2007, Dagstuhl, Germany

2. ECRYPT Hash Workshop 2007, "How to Evaluate a Hash Proposal," May 2007, Barcelona

3. RSA Conference 2006, "New Cryptography in X9F1", February 2006

4. ECRYPT Hash Workshop 2005, "Hash Functions - Perspective from the United States", June 2005, Krakow

5. AES: 4th International Conference, "Current Status of AES", May 2004, Bonn


Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

Gorjan Alagic, David A. Cooper, Quynh Dang, Thinh Dang, John M. Kelsey, Jacob Lichtinger, Yi-Kai Liu, Carl A. Miller, Dustin Moody, Rene Peralta, Ray Perlner, Angela Robinson, Daniel Smith-Tone, Daniel Apon
The National Institute of Standards and Technology is in the process of selecting public-key cryptographic algorithms through a public, competition-like process

Coalition and Threshold Hash-Based Signatures

John M. Kelsey, Stefan Lucks
We show how to construct a threshold version of stateful hash-based signature schemes like those defined in XMSS (defined in RFC8391) and LMS (defined in

Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process

Dustin Moody, Gorjan Alagic, Daniel C. Apon, David A. Cooper, Quynh H. Dang, John M. Kelsey, Yi-Kai Liu, Carl A. Miller, Rene C. Peralta, Ray A. Perlner, Angela Y. Robinson, Daniel C. Smith-Tone, Jacob Alperin-Sheriff
The National Institute of Standards and Technology is in the process of selecting one or more public-key cryptographic algorithms through a public, competition

TMPS: Ticket-Mediated Password Strengthening

John M. Kelsey, Dana Dachman-Soled, Meltem Sonmez Turan, Sweta Mishra
We introduce the notion of Ticket-Mediated Password Strengthening (TMPS), a technique for allowing users to derive keys from passwords while imposing a strict
Created October 9, 2019, Updated July 11, 2022