The research work of the team project CODES is mostly devoted to the design and analysis of cryptographic algorithms through the study of the discrete structures that they involve.

Our multiple competences in mathematics and algorithmics have allowed us to address a large variety of problems related to information protection. Most of our work mix fundamental aspects (study of mathematical objects) and practical aspects (cryptanalysis, design of algorithms, implementations).

Our application domains are mainly cryptography, error correcting codes and code recognition (``electronic war''). Even though these domains may appear different, our approach is unified. For instance, decoding techniques are used to design new error correcting codes, but also new cryptanalysis. Code recognition (that is recognizing an unknown coding scheme from a sample), is very similar to stream cipher cryptanalysis...

Our research is driven by the belief that discrete mathematics and algorithmics of finite structure form the scientific core of (algorithmic) data protection. We think that our past results justify this approach and we feel that, with the evolution of cryptographic research, more and more researchers will follow this path.

Our purpose is not to present more evidence that algebraic coding theory or discrete mathematics can be ``applied to'' cryptography, but to convince that these fields belong the the scientific foundations of cryptography or more generally data protection techniques.

Error correcting codes

Cryptology

Code reconstruction

Anne Canteaut, Cédric Lauradoux and Marine Minier are co-authors of three new stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. These three ciphers have been implemented in software and the corresponding implementations are available on http://www.ecrypt.eu.org/stream/.

Since Sosemanukis a software-oriented stream cipher aiming at a high throughput, some optimized implementations have been developed. Actually, Sosemanukis one of the fastest and most secure ciphers among the 22 eSTREAM candidates dedicated to software applications.

Decimand F-FCSR are dedicated to hardware environments where the available resources such as gate complexity and power might be heavily restricted. A VHDL implementation of both ciphers has been realized by Cédric Lauradoux.

From outside, it might appear that symmetric techniques become obsolete after the invention of public-key cryptography in the mid 1970's. However, they are still widely used because they are the only ones that can achieve some major functionalities as high-speed or low-cost encryption, fast authentication, and efficient hashing. Today, we find symmetric algorithms in GSM mobile phones, in credit cards, in WLAN connections. Symmetric cryptology is a very active research area which is stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity...).

Research in symmetric cryptography is obviously characterized by a sequence of defenses and attacks. But, each new dedicated attack against a given cryptosystem must be formalized, its scope must be analyzed and the structural properties which make it feasible must be highlighted. This approach is the only one which can lead to new design criteria and to the constructions of building blocks which guarantee to a provable resistance to the known attacks. However, such an analysis yields a practical system only if it includes the implementation requirements arising from the applications. Therefore, our work considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of underlying mathematical objects, definition of optimal objects). But, our purpose is to study these aspects not separately but as several sides of the same domain. This joint approach of the different aspects of symmetric cryptography is quite peculiar to our work.

In the last few years, with the eSTREAM project, our cryptanalytic effort has focused on stream ciphers. We have investigated the recent algebraic attacks, which are an important breakthrough especially in the cryptanalysis of stream ciphers based on linear feedback shift registers. We have proposed new algorithms for computing the algebraic immunity of a function , , . These algorithms have complexity which ranges from linear to quadratic in the annihilator space dimension (depending on the parameters of the algebraic attack) and are the best known to perform such a task. We have also shown the existence of functions with a high algebraic immunity and have provided some constructions for them in .

A last type of attacks investigated in the project are the cache attacks which exploit the power consumption or the timing variations induced by the memory accesses to lookup tables, especially to S-boxes, during the encryption process , .

The construction of building blocks which guarantee a high resistance to the known attacks is a major topic in our project, both for stream ciphers and for block ciphers. This work involves fundamental aspects related to discrete mathematics and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal regarding to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not.

For these reasons, we have investigated several families of filtering functions and of S-boxes which are well-suited for their cryptographic properties or for their implementation characteristics. For instance, bent functions, which are the Boolean functions which achieve the highest possible nonlinearity, have been extensively studied in order to provide some elements for a classification, or to adapt these functions to practical cryptographic constructions , . We have also been interested in APN functions, which are the S-boxes ensuring an optimal resistance to differential cryptanalysis. An important open problem is to find APN permutations depending on an even number of variables. In this context, we have proved that some families of functions do not contain any APN mapping .

The previously described long-term research work in symmetric cryptographic has also led to concrete realizations since A. Canteaut, C. Lauradoux and M. Minier are co-authors of three new stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR . Sosemanukis one of the fastest and most secure ciphers among the 22 eSTREAM candidates dedicated to software applications (the first evaluation phase of eSTREAM put it in the ``focus cipher'' category). DECIM and F-FCSR are hardware-oriented cipher for low-resource environments and have been selected for the next evaluation phase.

Most popular public key cryptographic schemes rely either on the factorization problem (RSA, Rabin), or on the discrete logarithm problem (Diffie-Hellman, El Gamal, DSA). These systems have
evolved and today instead of the classical groups (
Z/
nZ) we may use groups on elliptic curves. They allow a shorter block and key size for the same level of security. An intensive effort of the research community has
been and is still being conducted to investigate the main aspects of these systems: implementation, theoretical and practical security.

It must be noted that these systems all rely on algorithmic number theory. As they are used in most, if not all, applications of public key cryptography today (and it will probably remain so in the near future), cryptographic applications are thus vulnerable to a single breakthrough in algorithmics or in hardware (a quantum computer can break all those scheme).

Diversity is a way to dilute that risk, and it is the duty of the cryptographic research community to prepare and propose alternatives to the number theoretic based systems. The most serious tracks today are lattices (NTRU,...), multivariate cryptography (HFE,...) and code-based cryptography (McEliece encryption scheme,...).

We have been investigating in details the latter field. The first cryptosystem based on error-correcting codes was a public key encryption scheme proposed by Bob McEliece in 1978, a dual variant was proposed in 1986 by Harald Niederreiter. We proposed the first (and only) digital signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signature, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are

- implementation and practicality of existing solutions,

- reducing the key size, by using rank metric instead of Hamming metric, or by using particular families of codes,

- trying new hard problems, like decoding Reed-Solomon codes above the list-decoding radius,

- address new functionalities, like hashing or symmetric key encryption.

The original McEliece cryptosystem remains unbroken. Nicolas Sendrier has proved , that its security is provably reduced to two problems, conjectured to be hard, of coding theory:

- hardness of decoding in a random binary code,
*in the average case*, pseudorandomness of Goppa codes.

This result also applies to Niederreiter's scheme and a similar result was already known for the digital signature scheme . The reduction is not a guaranty of security, but we know that a significant improvement on one of the above problem must occur before the system is seriously threatened.

Another important work in the period was on the implementation aspects. One of the most promising code-based cryptosystem is the digital signature scheme: with 80 bits, its produces the shortest known digital signatures (without compromising the security level). The drawback is that signing a document required more than one minute on a standard PC. A work in collaboration with ENS Lyon (ARENAIRE) and the LIRMM was initiated, and funded through the ACI OCAM. This resulted in an improved software version (about 10 seconds) and a fast FPGA implementation in less than one second (on a low cost FPGA).

Various aspects of implementation where also considered throughout the period, see for instance, where the problem of fast encoding of words with constant Hamming weight (required in Niederreiter's encryption scheme) is addressed. In practice this encoding is the most expensive part of Niederreiter's encryption and we obtain a speedup factor of 8 (33 Mbit/s instead of 4 Mbits/s).

This family of cryptosystems is roughly based on the same principle as the McEliece cryptosystem, except that the metric in use is the rank metric . This allows taking public-keys of a much smaller size than for McEliece cryptosystem, typically between ten and twenty times smaller.

Pierre Loidreau and Thierry Berger have been working on new variants of this system , which also considered the possibility of achieving non-malleability. Pierre Loidreau also designed the first decoding algorithm of Gabidulin's codes in quadratic time (previous ones were cubic) . Finally, he designed and studied with Cédric Faure a rank metric equivalent of Augot/Finiasz PR based encryption scheme (see next subsubsection).

The Polynomial Reconstruction problem (PR) considered by Naor and Pinkas 1999 then Kiayias and Yung in 2002 states that decoding more than a certain number of errors in a Reed-Solomon code is difficult. Daniel Augot and Matthieu Finiasz have designed an encryption scheme based on this problem . This system possesses the efficiency of code-based systems and enjoys a much shorter public key. Unfortunately, as pointed out by Coron , if the message security reduces to a difficult problem, the key security was not good enough.

Interestingly, though it was broken, this cryptosystem raised a lot of interest. The new cryptographic function that was exhibited did not allow the design of an encryption scheme, because the trapdoor (for decryption) could not be securely concealed. However, diversity is among the important concerns of cryptographic research. Proposing new primitives, with different features, might be of interest for future needs.

We have proposed a new collision resistant hash-function based on the problem of decoding general binary linear codes
. It has the advantage of being fast and of
having a
*security reduction*, on the opposite of classical designs, based on MD5 and relatives, which have been broken recently.

We have proposed a new protocol for enabling participants to share a common secret key, which is later used with symmetric cryptography (authentication, encryption). This protocol has the desirable property of being resilient to connectivity losses, a property which makes it suitable for Ad Hoc networks.

We have also suggested a new authentication procedure for the service messages in reactive routing protocols. Our procedure enables to aggregate these authentication codes of routing messages in a single, fixed size, message.

The announced objective in 2002 which was `` applications of new decoding algorithms; resolution of algebraic systems '' has evolved with the arrival of Jean-Pierre Tillich. It has laid more stress on probabilistic decoding algorithms and applications in error correcting. We are focusing now on studying or on improving various decoding algorithms which are either algebraic or probabilistic in nature, not only for cryptographic purposes but also for coding theory by itself. We have also strengthened our ties with the INRIA project-team SALSA (formerly SPACES) with the co-direction of Magali Bardet's thesis and during the ACI POLYCRYPT.

Research on decoding algorithms is one of the most active area in coding theory, be they of algebraic or probabilistic nature. These algorithms have found areas of applications outside the sole scope of error-correcting codes: complexity theory, theoretical computer science and cryptology among others. We are mainly interested in cryptographic applications of these algorithms: for example in fast correlation attacks on stream ciphers involving iterative decoding algorithms, or for the approximation of the output bits of the intermediate rounds of block ciphers. We have also found a new domain of application for iterative decoding algorithms, namely quantum error correcting codes for which we have shown that some of them can be decoded successfully with these algorithms. Moreover, the tools we had to investigate, for instance, the Gröbner bases techniques in the problem of decoding general cyclic codes, enabled us to study also algebraic attacks on cryptosystems. We also mention that we still study more traditional aspects of coding theory by searching for codes with good decoding performances for instance.

The first family of codes what we have studied in detail is the family of Reed-Muller codes. Being able to decode efficiently members of this family on various channels is very helpful for cryptanalysis: the decoding of first order Reed-Muller codes on the binary symmetric channel is a useful task for linear cryptanalysis whereas decoding general Reed-Muller codes on the erasure channel can be used in algebraic attacks of ciphers. In particular in his thesis , Cédric Tavernier found new (local) decoding algorithms for first order Reed-Muller codes over the binary symmetric channel, which improve upon the Goldreich-Rubinfeld-Sudan algorithm. He implemented them for finding approximations of the outputs of several rounds of the DES. This way he found, using his software, not only the linear equations found by Matsui in his famous linear cryptanalysis of the DES, but also several other equations with biases of the same order as Matsui's ones. On the other hand, Frédéric Didier and Jean-Pierre Tillich have focused on decoding Reed-Muller codes efficiently on the erasure channel. They have proposed various decoding algorithms whose complexity is sometimes linear and in general at most quadratic in the code dimension. These algorithms have been implemented, have lead to several decoding records and can be used to determine the algebraic immunity of Boolean functions against algebraic attacks , , .

From the algebraic systems point of view, SALSA, in collaboration with CODES, performed the cryptanalysis of the HFE cryptosystems (Hidden Field Equations), performed by Faugère by a computation of a few days . It was followed by the thesis of Magali Bardet which covers theoretical aspects of the HFE cryptanalysis (why it was feasible), and also the decoding of cyclic codes with Gröbner bases: it was demonstrated that it is possible to find decoding formulas for all cyclic codes, by a Gröbner basis off-line computation. But, from the efficiency point of view, it was found that it is better to perform an on-line Gröbner bases computation, whose cost is reasonable. This enables to decode any cyclic code, up to their true minimum distance , .

Concerning the part of our work devoted to error-correcting codes, we have focused on codes which have good iterative decoding algorithms. This kind of codes has by now probably become the most popular coding scheme due to their exceptional performances at a reasonable algorithmic cost. We have in particular studied families of codes which are in a sense intermediate between turbo-codes and LDPC codes, and have found several instances of this family covering a large range of rates which are among the best known for a large range of target error probabilities after decoding . This work has been supported by France Telecom.

The knowledge we have acquired in iterative decoding techniques has also lead to study whether or not the very same techniques could also be used to decode quantum codes. Part of the ACI project ``RQ'' in which we were involved is about this topic. Notice that protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time. Our approach for overcoming this problem has been to study whether or not the family of turbo-codes and LDPC codes (and the associated iterative decoding algorithms) have a quantum counterpart. We have shown that the classical iterative decoding algorithms can be generalized to the quantum setting and have come up with some families of quantum LDPC codes and quantum serial turbo-codes with rather good performances under iterative decoding .

Finally, another important result related to decoding, the coset distribution of some BCH codes, was proven by Charpin, Helleseth and Zinoviev . It answered to an old research problem formulated in the 70s.

The context of this work is the reverse engeneering of the components of a transmission scheme. We start from the observation of a noisy binary stream. We wish to determine by algorithmic means which error correcting code has been used. Matthieu Cluzeau is the main contributor with a conference at ISIT 2006 and an article in IEEE Computers. He defended his phd thesis in November (co-advisors: Anne Canteaut and Nicolas Sendrier). Two new phd students started on this topic in 2006: Maxime Côte (co-advisors: Nicolas Sendrier and Jean-Pierre Tillich) and Christophe Chabot (co-advisors: Thierry Berger and Nicolas Sendrier). blabla

( 02/06 01/08) This is a follow-up of a previous contract, aiming at constructing new family of binary codes with very good iterative decoding performances for a large range of rates and target error probabilities after decoding. The purpose is now to explore non-binary codes and completing the range of rates left by the previous contract.

( 10/06 9/09) We collaborate with the IPSIS company on the code reconstruction problem by sharing a PhD student, Maxime Côte, who is paid by a CIFRE grant.

( 07/03 07/06) One of the goals of this project is to propose quantum codes for protecting quantum information against external noise. It has lead us to find quantum analogues for LDPC codes, convolutional codes and serial turbo-codes.

Partners: Université Paris XI.

( 11/03 11/06) The goal of UNIHAVEGE was to test and extend the random number generator HAVEGE (Hardware Volatile Entropy Gathering and Expansion) designed by Andre Seznec and Nicolas Sendrier. During the last three years, no weaknesses were found. HAVEGE has been integrated to Linux Kernel through a module

Partner: IRISA team CAPS (Andre Seznec and Olivier Rochecouste)

( 07/03 12/06) The primary goal of the project is to produce an FPGA implementation of a digital signature algorithm based on coding theory. This algorithm produces the shortest known signature but is very slow in software. Additional goals are to consider other code-based cryptosystems and their hardware implementation, with a particular focus on finite fields arithmetic.

Partners: ARENAIRE project-team, LIRMM (Montpellier).

( 09/04 09/07) New applications of error correcting codes to information security. The project studies the impact of certain error-correcting tools for cryptographic purposes, more specifically:

- attacks on ciphers making use of decoding techniques are investigated,

- authentication and biometric schemes based on error-correcting codes are developed.

Partners: ENST, Université Paris VIII.

( 09/04 09/07) Security for Wireless Ad Hoc Networks. This covers several aspects of security: first the problem of securing the routing process itself, like OLSR; then the problem of developing more high level security primitives, which still have to be secured even in presence of network failures typical of Ad Hoc networks.

Partners: USTL (Lille), INRIA (CODES, TANC and HIPERCOM) and GET (ENST).

( 05/04 05/07) Interactions between computer security and legal security for the progress of regulations in the Information Society.

The aim of this multi-disciplinary project is to have a scientific reading of the French legal texts related to computer and network security. One main concern is to discuss the laws which concern the notion of proof, probative value and also to convervation of numerical documents. Anne Canteaut and Marion Videau have provided a scientific view of many laws on these topics. This project has also some consequences on cryptographic protocols, since the legal requirements may differ from classical cryptographic hypotheses.

Partners: CNRS (labo. CECOJI), Univ. Versailles, Univ. Montpellier, INT, Univ. Lille 2, INRIA.

( 12/03 12/06) The aim is to conceive cryptographic tools crafted to high speed networks and also wireless networks, which both have high security and consume few resources. Two stream ciphers have been developed: Sosemanukand Decim.

Partners: Axalto, ENS Ulm, France Telecom, Cryptolog International, Université de Versailles, INRIA.

( 02/04 02/08) This a Network of Excellence in research in all the aspects of cryptology. It has been structured in ``virtual labs''. Anne Canteaut is leading a working group within the virtual lab on symmetric techniques, and CODES is also involved in the AZTEC virtual lab (new primitives for public key cryptography).

Partners: more than thirty, both academic and industry.

( 09/06 09/07) The aim of this study is to analyze the efficiency of fast correlation attacks (of stream ciphers) based on iterative decoding algorithms. The work is to cryptanalyze several challenging stream ciphers, provided by the CELAR, which are weak versions of public domain ciphers. This should lead to a precise analysis of the efficiency of these attacks, and also to variants of the classical iterative decoding algorithms.

associate editors: Anne Canteaut for
*Cryptography and Complexity*2005-2008.

associate editor: Pascale Charpin, since 2003.

Special Issue on
*Gröbner Bases Techniques in Cryptography and Coding Theory*(2007), D. Augot guest editor.

IEEE International Symposium on Information Theory) G. Kabatianski;

Fast Software Encryption, A. Canteaut;

A. Canteaut, C. Carlet, N. Sendrier;

International conference on sequences and their applications, A. Canteaut, C. Carlet;

International Workshop on Algebraic and Combinatorial Coding Theory, G. Kabatianski, program chair;

International Joint Conference on E-business and Telecommunications, P. Charpin;

Yet Another Conference on Cryptography, C. Carlet;

State of the Art in Stream ciphers, eSTREAM workshop, A. Canteaut, program chair;

All members of
Codesare involved in the organization of the
*Workshop on Coding Theory and Cryptography (WCC)*which will be held at INRIA in 2007. A. Canteaut and P. Charpin are general co-chairs. This workshop aims at bringing together
researchers in all aspects of coding theory, cryptography and related areas.

Scientific committee of the national research program on Security and Computer Science,
*ACI-Sécurité et Informatique*: P. Charpin (2003-07);

Scientific committee of the national research program SetIn (Security and Computer Science) of the National Agency for Research (ANR): 2006 (A. Canteaut);

*Computer Science - Mathematics*(IM): Claude Carlet is in charge of the group
*Coding and Cryptography*;

Pascale Charpin is an external expert for the Délégation Générale pour l'Armement (DGA);

(Committees for the selection of professors and assistant professors): University Paris 8 (C. Carlet, J-P. Tillich), University of Limoges (A. Canteaut, P. Charpin, C. Carlet), École Normale Supérieure Paris (J-P. Tillich);

Pascale Charpin was a member of the committee for the selection of CR2 at INRIA-Rocquencourt (2006);

Anne Canteaut is a member of the ``Comité de Suivi Doctoral'' of INRIA-Rocquencourt since 2004.

Anne Canteaut is a member of the steering committee of the eSTREAM project http://www.ecrypt.eu.org/stream/.

Daniel Augot and J.P. Tillich are teaching in Master Recherche 2, Master Parisien de Recherche en Informatique (MPRI), University Paris 7, ENS Paris, ENS Cachan and École Polytechnique, 30 hours.

Daniel Augot is teaching in Master Recherche 2 "Science Informatique", University of Marne-la-Vallée, 9 hours.

Nicolas Sendrier is "professeur chargé de cours" in Computer Science at École Polytechnique Palaiseau. He is teaching 80-100 hours.

Jean-Pierre Tillich is teaching at the Institut Supérieur d'Électronique de Paris (ISEP), 3rd year of engineering school, 10 hours.

Jean-Pierre Tillich is teaching in Master 2, ENST Paris, 6 hours, since 2006.

Most of the Ph.D. students in the team are associated either with the doctoral program of the University Pierre and Marie Curie (Paris 6) or with the doctoral program of École Polytechnique Palaiseau.

An Braeken,
*Cryptographic properties of Boolean functions and S-boxes*, University of Leuven, Belgium, committee : A. Canteaut (reviewer).

Yi Lu,
*Applied stream ciphers in mobile communications.*, EPFL, Switzerland, committee : A. Canteaut (reviewer).

R. Bhaskar,
*Cryptographic protocols for mobile ad hoc networks*, École Polytechnique, committee : D. Augot.

V. Bénony,
*Étude et conception de systèmes de chiffrement à flot dans le contexte d'architectures matérielles fortement contraintes*, Université de Lille, committee : N. Sendrier (reviewer).

A. Canteaut,
*Analyse et conception de chiffrements à clé secrète*, Université Paris VI, committee : C. Carlet, P. Charpin.

Mathieu Cluzeau,
*Reconnaissance d'un schéma de codage*, École Polytechnique, committee : A. Canteau (co-director), N. Sendrier (director), J.P. Tillich.

Iryna Andryanova,
*Etude d'une certaine construction de codes définis par des graphes: les codes TLDPC*, École Nationale Supérieure des Télécommunications, committee : J.P. Tillich.

SASC 2006, Leuven, Belgique, Anne CANTEAUT, Fabien GALAND, Cédric LAURADOUX, Andrea ROECK, Bassem SAKKOUR.

FSE, Graz, Anne CANTEAUT, Pascale CHARPIN, Frédéric DIDIER, Andrea ROECK, Jean-Pierre TILLICH.

Special semester on Groebner bases and related methods, Linz, Daniel AUGOT, Frédéric DIDIER, Yann LAIGLE-CHAPUY.

Workshop on Coding and Cryptography, Cork, Irland,Daniel AUGOT.

Post Quantum Cryptography, Leuven Belgique, Nicolas SENDRIER.

EUROCRYPT, St Petersbourg, Claude CARLET .

SSTIC Conference, Rennes, Cédric LAURADOUX.

ICC Conference, Istambul, Jean-Pierre TILLICH.

Summer school, Louvain la Neuve, Cédric LAURADOUX.

YACC'2006, Porquerolles, Françoise LEVY-DIT-VEHEL, Nicolas SENDRIER.

ISIT, USA, Anne CANTEAUT, Pascale CHARPIN, Mathieu CLUZEAU, Fabien GALAND, Jean-Pierre TILLICH.

ACCT 10, Zvenigorod, Russie, Daniel AUGOT, Pascale CHARPIN, Cédric FAURE, Pierre LOIDREAU.

CLC 2006, Darmstadt, Allemagne, Daniel AUGOT, Andrea ROECK.

Journées C2, Eymoutiers, Daniel AUGOT, Anne CANTEAUT, Pascale CHARPIN, Mathieu CLUZEAU, Frédéric DIDIER, Cédric FAURE, Yann LAIGLE-CHAPUY, Cédric LAURADOUX, Maria NAYA PLASENCIA, Andrea ROECK.

ECRYPT meeting, Graz, Autriche, Anne CANTEAUT.

Paristic meeting, Nancy, Anne CANTEAUT, Cédric LAURADOUX, Nicolas SENDRIER, Jean-Pierre TILLICH.

Coding meeting, Zurich, Daniel AUGOT, Françoise LEVY-DIT-VEHEL.

INDOCRYPT, Calcutta, Frédéric DIDIER, Nicolas SENDRIER.

13-23/12/06, 24/09-07/10/06, 09-22/04/06.

27/11-01/12/06.

17-29/11/06.

14-16/09/06.

14-18/09/06.

13-18/09/06.

01/08-15/12/06 (internship).

05-15/06/06.

03-30/04/06.

17-24/03/06.

15-20/01/06.

13-14/01/06.