Kristian Gjøsteen

Professor at The Norwegian University of Science and Technology, Department of Mathematical Sciences.

My interests include provable security, protocol analysis, subgroup membership problems, and elliptic curves. I worked on electronic voting for the Norwegian government from 2009-2013. I have also done some work on BankID, a Norwegian PKI substitute.


Previous Projects

Contact information

E-mail address:
+47-7355-0242 (office)
848, Sentralbygg II.
Mail address:
Department of Mathematical Sciences
Norwegian University of Science and Technology
N-7491 Trondheim


  • 1999: Sivilingeniør, Department of mathematical sciences, The Norwegian University of Science and Technology (NTNU), Trondheim
  • 1999: Mathematical studies/national service.
  • 2000-2004: Ph.D. student (NTNU).
  • 2004: Lecturer (NTNU).
  • 2005: Post.doc./lecturer (NTNU).
  • 2006-2008: Post.doc. (NTNU).
  • 2008-2014: Associate professor (NTNU).
  • 2014-: Professor (NTNU).

Some publications

  • My thesis Subgroup membership problems and public key cryptography.
  • Symmetric Subgroup Membership Problems. In Serge Vaudenay, editor, Proceedings of Public Key Cryptography 2005, volume 3386 of LNCS, pages 104--119. Springer-Verlag, 2005. (link)
  • Security Notions for Disk Encryption. In Sabrina de Capitani di Vimercati et al, editors, Proceedings of ESORICS'05, volume 3679 of LNCS, pages 455-474. Springer-Verlag, 2005. (link)
  • Homomorphic cryptosystems based on subgroup membership problems. In Ed Dawson and Serge Vaudenay, editors, Proceedings of MyCrypt'05, volume 3715 of LNCS, pages 314-327. Springer-Verlag, 2005. (link)
  • with James Aspnes, Zoë Diamadi, René Peralta and Aleksandr Yampolskiy. Spreading Alerts Quietly and the Subgroup Escape Problem. In Bimal Roy, editors, Proceedings of AsiaCrypt'05, volume 3788 of LNCS, pages 253 - 272. Springer-Verlag, 2005. (link)
  • A new security proof for Damgård's ElGamal. In David Pointcheval, editor, Proceedings of CT-RSA 2006, volume 3860 of LNCS, pages 150-158. Springer-Verlag, 2006. (link)
  • with Lillian Kråkmo, Universally Composable Signcryption, Proceedings of EuroPKI 2007, volume 4582 of LNCS, pages 346-353. (link)
  • with Daniel R. L. Brown, A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator. Proceedings of CRYPTO 2007, volume 4622 of LNCS, pages 466-481. (link, preprint)
  • with Suzana Andova, Cas Cremers, Sjouke Mauw, Stig F. Mjolsnes, Sasa Radomirovic, A framework for compositional verification of security protocols. Information and Computation, 206:425-459, February-April 2008. Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA '06). (link, preprint)
  • A Latency-Free Election Scheme. Proceedings of CT-RSA 2008, volume 4964 of LNCS, pages 425-436. (link, preprint)
  • Weaknesses in BankID, a Norwegian PKI substitute deployed by Norwegian banks. Proceedings of EuroPKI 2008, volume 5057 of LNCS, pages 196-206. (link, errata).
  • with Lillian Kråkmo. Round-Optimal Blind Signatures from Waters Signatures Proceedings of ProvSec 2008, volume 5324 of LNCS, pages 112-126. (link)
  • with George Petrides and Asgeir Steine. A Novel Framework for Protocol Analysis. Proceedings of ProvSec 2011, volume 6980 of LNCS, pages 340-347. (link)
  • with Øystein Thuen. Password-Based Signatures. Proceedings of EuroPKI 2011, volume 7163 of LNCS, pages 17-33. (link)
  • The Norwegian Internet Voting Protocol. Proceedings of VoteID 2011, volume 7187 of LNCS, pages 1-18. (link)
  • with George Petrides, Asgeir Steine. Towards Privacy Preserving Mobile Internet Communications - How Close Can We Get? Proceedings of ACISP 2013, volume 7959 of LNCS, pages 379-387. (link)


  • with Aslak Bakke Buan and Lillian Kråkmo, Universally Composable Blind Signatures in the Plain Model. (link)
  • Analysis of an internet voting protocol (link)


  • Comments on Dual-EC-DRBG/NIST SP 800-90, Draft March 2006. (link)