Cryptographic algorithms are the Internet's equivalent of locks, seals, security stamps and identification documents. They are essential to protect on-line bank transactions, credit cards, medical and personal information, and to support e-commerce and e-government. They come in several flavors. Encryption algorithms protect sensitive information such as medical data, financial information and Personal Identification Numbers (PINs) from prying eyes. Digital signature algorithms (in combination with hash functions) replace hand-written signatures in electronic transactions; MAC algorithms can play a similar role between parties that share a secret key. Identification protocols make it possible to securely verify the identity of the party at the other end of the line. Cryptology is thus a research area with a high strategic impact for industry, individuals, and society as a whole. The research activity of the project-team CASCADE addresses the following topics, which cover almost all the domains that are currently active in the international cryptographic community:

Implementation of cryptographic primitives and applied cryptography

Design and provable security, for

signature schemes

public-key encryption schemes

identity-based encryption schemes

key agreement protocols

group-oriented protocols

Attacks, using

side-channels

algebraic techniques

Design and analysis of symmetric schemes

Since the beginning of public-key cryptography, with the seminal Diffie-Hellman paper, many algorithmic problems suitable for cryptography have been proposed and many cryptographic schemes have been designed, together with more or less heuristic arguments for their security relative to the intractability of the underlying problems. However, many of those schemes have since been broken. The simple fact that a cryptographic algorithm has withstood cryptanalytic attacks for several years has often been considered a kind of validation procedure, but schemes may take a long time to be broken. An example is the Chor-Rivest cryptosystem, based on the knapsack problem, which took more than 10 years to be totally broken, whereas before this attack it was believed to be strongly secure. As a consequence, the absence of known attacks at a given time should never be considered a full security validation of a proposal.

A completely different paradigm is provided by the concept of "provable" security. A significant line of research has tried to provide proofs in the framework of complexity theory (a.k.a. "reductionist" security proofs): the proofs provide reductions from a well-studied problem (factoring, RSA or the discrete logarithm) to an attack against a cryptographic protocol.

At the beginning, researchers simply tried to define the security notions required by actual cryptographic schemes, and then to design protocols achieving these notions. The techniques were directly derived from complexity theory and provided polynomial reductions. However, their aim was essentially theoretical: they were trying to minimize the assumptions required on the primitives (one-way functions or permutations, possibly with trapdoor, etc.), without considering practicality. It was therefore enough to design a scheme with polynomial-time algorithms, and to exhibit a polynomial reduction from the hardness of the underlying mathematical problem to an attack against the security notion, in an asymptotic sense. Such a result has little practical impact on actual security. Indeed, even with a polynomial reduction, one may be able to break the cryptographic protocol within a few hours, whereas the reduction only yields an algorithm against the underlying problem that requires many years. Those reductions therefore only prove security when very large (and thus possibly impractical) parameters are in use, under the assumption that no polynomial-time algorithm exists for the underlying problem.

For some years now, more efficient reductions have been sought, under the name of either "exact security" or "concrete security", which provide more practical security results. The ideal situation is reached when one can prove that, from an attack, one can build an algorithm against the underlying problem with almost the same success probability and within almost the same amount of time: such reductions are called "tight reductions", and the resulting guarantee is "practical security".

Unfortunately, in many cases, even plain provable security comes at the cost of a significant loss of efficiency for the cryptographic protocol. Some models have therefore been proposed to deal with the security of efficient schemes, in which concrete objects are identified with ideal (or black-box) ones. For example, it is by now usual to identify hash functions with ideal random functions, in the so-called "random-oracle model", informally introduced by Fiat and Shamir and later formalized by Bellare and Rogaway. Similarly, block ciphers are identified with families of truly random permutations in the "ideal cipher model". A few years ago, another kind of idealization was introduced in cryptography, the black-box group, where the group operation of an algebraic group is provided by a black box: a new element can only be obtained as the sum (or difference) of two already known elements. It is by now called the "generic model". Some works even require several ideal models together to obtain new validations. The caveat with all such proofs is that they say nothing about attacks exploiting the structure of the concrete primitive that replaces the ideal object.

More recently, the trend has been to obtain provable security without such ideal assumptions (there is currently a long list of publications with "without random oracles" in their title), but under new and possibly stronger computational assumptions. As a consequence, a cryptographer has to deal with the following important steps:

Computational assumptions, which are the foundations of the security. We thus need strong evidence that the computational problems are reasonably hard to solve. We study several assumptions, by improving algorithms (attacks), notably using lattice reduction. We furthermore contribute to the list of "potential" hard problems.

Security model, which makes precise the security notions one wants to achieve, as well as the means the adversary may be given. We contribute to this point in several ways:

by providing a security model for many primitives and protocols, notably group-oriented protocols, which involve many parties and also many communications (group key exchange, group signatures, etc.);

by enhancing some classical security models;

by considering new means for the adversary, such as side-channel information.

Design of new schemes/protocols, or of more efficient ones, with additional features, etc.

Security proof, which consists in exhibiting a reduction.

For a long time, security proofs by reduction used classical techniques from complexity theory, with a direct description of the reduction followed by a long and quite technical analysis to obtain the probability estimates. Such analysis is unfortunately error-prone. Victor Shoup proposed a convenient way to organize the proofs, and eventually obtain the probabilities, using a sequence of games, which highlights the computational assumptions and splits the analysis into small independent problems. We adopted and developed this technique early on. We have applied this methodology to various kinds of systems, in order to achieve the strongest security properties: authenticity, integrity, confidentiality, privacy, anonymity. Nevertheless, efficiency was also a basic requirement.
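As an added illustration of the sequence-of-games technique just described (this derivation is the standard textbook one and is not taken from the report), here is the two-game proof that ElGamal encryption is IND-CPA secure under the Decisional Diffie-Hellman (DDH) assumption, with the probability bookkeeping made explicit. The group $\mathbb{G} = \langle g \rangle$ of prime order $p$, the events $S_i$ and the advantage notation are this example's own choices, not the report's notation.

$$\text{KeyGen: } x \leftarrow \mathbb{Z}_p,\ pk = g^x;\qquad \text{Enc}(pk, m): y \leftarrow \mathbb{Z}_p,\ c = (g^y,\ m \cdot g^{xy}).$$

Game 0 (the real IND-CPA game): $\mathcal{A}$ receives $pk$ and outputs $m_0, m_1 \in \mathbb{G}$; the challenger picks $b \leftarrow \{0,1\}$, $y \leftarrow \mathbb{Z}_p$ and returns $(g^y,\ m_b \cdot g^{xy})$; $\mathcal{A}$ outputs $b'$. Let $S_0$ be the event $b' = b$, so that by definition
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}(\mathcal{A}) = \left|\Pr[S_0] - \tfrac{1}{2}\right|.$$

Game 1: identical, except that the challenger replaces $g^{xy}$ by $g^z$ for an independent $z \leftarrow \mathbb{Z}_p$. Let $S_1$ be the event $b' = b$ in this game.

Transition from Game 0 to Game 1: build $\mathcal{B}$ against DDH. On input $(X, Y, Z) = (g^x, g^y, Z)$, $\mathcal{B}$ runs $\mathcal{A}$ with $pk = X$, answers the challenge with $(Y,\ m_b \cdot Z)$ for a random $b$, and outputs $1$ iff $b' = b$. If $Z = g^{xy}$ this is exactly Game 0; if $Z = g^z$ it is exactly Game 1. Hence
$$\left|\Pr[S_0] - \Pr[S_1]\right| = \left|\Pr[\mathcal{B}(g^x, g^y, g^{xy}) = 1] - \Pr[\mathcal{B}(g^x, g^y, g^z) = 1]\right| = \mathrm{Adv}^{\mathrm{ddh}}(\mathcal{B}).$$

Analysis of Game 1: since $z$ is uniform and independent of $b$, the value $m_b \cdot g^z$ is uniform in $\mathbb{G}$ whatever $b$ is, so $\mathcal{A}$'s view is independent of $b$ and $\Pr[S_1] = \tfrac{1}{2}$.

Conclusion:
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}(\mathcal{A}) = \left|\Pr[S_0] - \Pr[S_1]\right| = \mathrm{Adv}^{\mathrm{ddh}}(\mathcal{B}),\qquad t_{\mathcal{B}} \approx t_{\mathcal{A}} + O(1)\ \text{group operations}.$$

This is a tight reduction in the sense of the preceding paragraphs: there is no multiplicative loss, so the group parameters are dictated by the best DDH algorithm alone. A reduction losing a factor $q$ (for instance the number of hash or signature queries the adversary makes) would instead force the parameters to absorb that factor.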

However, such reductions are notoriously error-prone: errors have been found in many published protocols. Security errors can have serious consequences, such as loss of money in the case of electronic commerce. Moreover, security errors cannot be detected by testing, because they appear only in the presence of a malicious adversary.

Security protocols are therefore an important area for formal verification.

We thus worked on the development of two successful automatic protocol verifiers, ProVerif in the formal model and CryptoVerif in the computational model, and we plan to pursue research on this topic, in particular with extensions to CryptoVerif.

Because there is no absolute proof of security, it is essential to study cryptanalysis, which is roughly speaking the science of code-breaking. As a result, key sizes are usually selected based on the state of the art in cryptanalysis. The previous section emphasized that public-key cryptography requires hard computational problems: if there is no hard problem, there cannot be any public-key cryptography either. If any of the computational problems mentioned above turns out to be easy to solve, then the corresponding cryptosystems can be broken, as the public key would actually disclose the private key. This means that one obvious way to cryptanalyze is to solve the underlying algorithmic problems, such as integer factorization, discrete logarithm, lattice reduction, Gröbner bases, *etc.* Here, we mean a study of the computational problem in its full generality. The project-team has a strong expertise (both in design and analysis) in the best algorithms for lattice reduction, which are also very useful to attack classical schemes based on factorization or discrete logarithm.

Alternatively, one may try to exploit the special properties of the cryptographic instances of the computational problem. Even if the underlying general problem is NP-hard, its cryptographic instances may be much easier, because the cryptographic functionalities typically require a specific mathematical structure. In particular, this means that there might be an attack which breaks the scheme without solving the underlying problem in general. This has happened many times in knapsack cryptography and multivariate cryptography. Interestingly, generic tools for the general problem sometimes perform much better on cryptographic instances (this happened for Gröbner bases and lattice reduction).

However, if the underlying computational problem turns out to be really hard, both in general and for instances of cryptographic interest, this does not necessarily imply that the cryptosystem is secure. First of all, it is not even clear what is meant exactly by the terms *secure* or *insecure*. Should an encryption scheme which leaks the first bit of the plaintext be considered secure? Is the secret key really necessary to decrypt ciphertexts or to sign messages? If a cryptosystem is theoretically secure, could there be security flaws in its implementation? For instance, if some of the temporary variables (such as pseudo-random numbers) used during the cryptographic operations are partially leaked, could this have an impact on the security of the cryptosystem? This means that there is much more to cryptanalysis than just trying to solve the main algorithmic problems. In particular, cryptanalysts are interested in defining and studying realistic attack environments (adaptive chosen-ciphertext attacks, side-channel attacks, *etc.*), as well as attack goals (key recovery, partial information, existential forgery, distinguishability, *etc.*). As such, there are obvious connections with provable security. It is perhaps worth noting that cryptanalysis has also proved to be a good incentive for the introduction of new techniques in cryptology. Indeed, several mathematical objects now considered invaluable in cryptographic design were first introduced in cryptology as cryptanalytic tools, including lattices and pairings. The project-team has a strong expertise in cryptanalysis: many schemes have been broken, and new techniques have been developed.

Even though asymmetric cryptography has been a major breakthrough in cryptography, and a key element in its recent development, conventional cryptography (a.k.a. symmetric, or secret-key cryptography) is still required in any application: asymmetric cryptography is much more powerful and convenient, since it allows signatures, key exchange, etc., but it is not well-suited to high-rate communication links, such as video or audio streaming. Block ciphers therefore remain a fundamental primitive. However, since the AES competition (which started in January 1997 and eventually selected the Rijndael algorithm in October 2000), this domain has become less active, even though some researchers are still trying to develop new attacks. Conversely, because of the lack of widely accepted stream ciphers (able to encrypt high-speed streams of data), ECRYPT (the European Network of Excellence in Cryptology) launched the eSTREAM project, which fostered research on this topic at the international level: many teams proposed candidates that were analyzed by the entire cryptographic community. Similarly, in the last few years, hash functions, which are an essential primitive in many protocols, have received a lot of attention. They were initially used to improve the efficiency of signature schemes, hence the requirement of collision resistance, but have since been used for many other purposes, such as key derivation, random generation, and as random functions (random oracles). Recently, a series of attacks has shown drastic weaknesses in widely deployed hash functions of the MD/SHA family. Learning more about them (how weak they are), but also building new hash functions, are major challenges. For the latter goal, the first task is to formally define a security model for hash functions, since no realistic formal model exists at the moment: in a way, we expect too much from hash functions, and it is therefore impossible to design such "ideal" functions.
Because of the high priority of this goal (the design of a new hash function), NIST has launched an international competition, called SHA-3 (similar to the AES competition 10 years ago), in order to select and standardize a hash function in 2012.

One way to design new hash functions may be a new mode of operation, which would iterate a block cipher in a specific manner. This is already done to build stream ciphers and message authentication codes (symmetric authentication). Under some assumptions on the block cipher, it might be possible to apply the above methodology of provable security in order to prove the validity of the new design, according to a specific security model.

Since the previous section ended on this topic, we start with it among the major problems to address within the next 5 years. The NIST competition on hash functions was launched in late 2007. In a first step, cryptographers had to build and analyze their own candidates; in a second step, cryptanalysts were solicited to analyze and break all the proposals. The conclusion is planned for 2012.

The symmetric-cryptography members of the CASCADE team have worked this year on the development of a new hash function called SIMD, which was selected for the second round of the NIST SHA-3 competition. The SIMD hash function is quite similar to the members of the MD/SHA family. It is based on the familiar Merkle-Damgård design, where the compression function is built from a Feistel-like cipher in Davies-Meyer mode. There are however some innovations in this design: the internal state is twice as large as the output size, we use a strong message expansion, and we use a modified feed-forward in the compression function. The main design criterion was to follow the MD/SHA design principles, which are quite well understood, and to add some elements to avoid all known attacks. SIMD is particularly efficient on platforms with vector instructions (SIMD), which are available on many processors. Such instructions have been offered since 1997 and are now widely deployed. Moreover, it is also possible to use two cores of a multicore processor to boost performance by a factor of 1.8, by splitting the message expansion function and the hashing process.
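To make the structure described above concrete, here is an added example (written for this page; it is neither SIMD's code nor the team's) of a Merkle-Damgård hash whose compression function is a block cipher in Davies-Meyer mode, run once as a narrow-pipe hash (state size equal to output size, as in MD5 or SHA-1) and once as a wide-pipe hash (internal state twice the output size, as in SIMD). The block cipher is a stand-in: a 4-round Luby-Rackoff Feistel network whose round function is a SHA-256 based PRF, nothing like SIMD's cipher, used only so that the mode can be exercised. The 16-byte message block, the IV and the secret-prefix MAC scenario are constructed for the demonstration. It shows why the wide internal state matters: with a narrow pipe, the output is the whole chaining state, so a length-extension attack on H(secret || m) succeeds; with a wide pipe, half of the state is hidden and the same attack fails.

```python
import hashlib
import struct

BLOCK = 16  # message block size in bytes; also the key size of the toy block cipher


def _prf(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher: SHA-256 used as a PRF, truncated to one half."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: len(half)]


def toy_block_cipher(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy Luby-Rackoff Feistel cipher (constructed for this example, not SIMD's cipher).

    Block size is len(block) bytes (any even length); the key is BLOCK bytes.
    """
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for rnd in range(rounds):
        left, right = right, bytes(a ^ b for a, b in zip(left, _prf(key, rnd, right)))
    return left + right


def compress(h: bytes, m: bytes) -> bytes:
    """Davies-Meyer: H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}; the XOR is the feed-forward."""
    return bytes(a ^ b for a, b in zip(toy_block_cipher(m, h), h))


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero bytes, then the 64-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(msg))


def md_hash(msg: bytes, state_bytes: int, out_bytes: int = 8) -> bytes:
    """Iterate the compression function over the padded message, then truncate the state.

    state_bytes == out_bytes gives a narrow-pipe hash; state_bytes > out_bytes a wide-pipe one.
    """
    h = bytes([0x5C]) * state_bytes  # constructed IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i : i + BLOCK])
    return h[:out_bytes]


def length_extension(state: bytes, known_len: int, suffix: bytes) -> tuple:
    """Continue hashing from a (supposedly) leaked chaining state without knowing the prefix.

    state: the full chaining value reached after hashing a prefix of known_len bytes and its padding.
    Returns (bytes to append to the prefix, forged chaining state for prefix + appended bytes).
    """
    glue = md_pad(b"A" * known_len)[known_len:]   # the padding depends only on the length
    total = known_len + len(glue)                 # a multiple of BLOCK, so the state lines up
    tail = md_pad(b"A" * total + suffix)[total:]  # suffix plus the padding of the longer message
    h = state
    for i in range(0, len(tail), BLOCK):
        h = compress(h, tail[i : i + BLOCK])
    return glue + suffix, h


def demo() -> tuple:
    """Secret-prefix 'MAC' tag = H(secret || msg); the attacker knows msg, the tag and len(secret)."""
    secret = b"k" * 11  # constructed secret, never given to the attacker
    msg = b"amount=10&to=alice"
    suffix = b"&to=mallory"
    known = len(secret) + len(msg)

    # Narrow pipe: 64-bit state, 64-bit output, so the tag IS the chaining state.
    tag = md_hash(secret + msg, state_bytes=8)
    ext, forged = length_extension(tag, known, suffix)
    narrow_forgery_ok = forged == md_hash(secret + msg + ext, state_bytes=8)

    # Wide pipe: 128-bit state truncated to 64 bits; the attacker must guess the hidden half.
    tag_w = md_hash(secret + msg, state_bytes=16)
    ext_w, forged_w = length_extension(tag_w + bytes(8), known, suffix)
    wide_forgery_ok = forged_w[:8] == md_hash(secret + msg + ext_w, state_bytes=16)

    return narrow_forgery_ok, wide_forgery_ok


if __name__ == "__main__":
    narrow, wide = demo()
    print("narrow-pipe forgery succeeds:", narrow)  # True
    print("wide-pipe forgery succeeds:  ", wide)    # False
```

The wide-pipe run fails only because the attacker cannot see the 64 hidden bits of the chaining value; truncation does not by itself repair other weaknesses of the iteration, such as multicollisions, which is why SIMD also changes the message expansion and the feed-forward rather than relying on the state size alone.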

We have also produced analyses of, and attacks on, the other candidates.

A relatively new goal of growing importance in cryptography is *privacy*. In a digital world where data is ubiquitous, users are more and more concerned about the confidentiality of their personal data. Cryptography makes it possible to benefit from the advantages of digital technology while at the same time providing means for privacy protection. An example is anonymous authentication: a user can convincingly prove that she has certain rights without revealing her identity. Privacy and anonymity thus remain one of the main challenges for the next few years.

Similarly to the privacy concern, the digital world makes the large-scale distribution of information easy. But in some cases, this can be done in violation of copyright. Cryptography should help solve this problem, which is actually two-fold: one can either mark the original document in order to follow its distribution (and possibly trace the traitor who illegally made it public), or publish information in encrypted form, so that only authorized people can access it.

In 1996, Ajtai showed that lattices, which up to that point had only been used as tools in cryptanalysis, can actually be used to *construct* cryptographic primitives. He proposed a cryptographic primitive whose security is based on the worst-case hardness of lattice problems: if one succeeds in breaking the primitive, even with some small probability, then one can also solve any instance of a certain lattice problem. This powerful property makes lattice-based cryptographic constructions very attractive. In contrast, virtually all other cryptographic constructions are based on some average-case assumption. Furthermore, there are currently very few alternatives to traditional number-theoretic cryptography such as RSA. Such alternatives will be needed if an efficient algorithm for factoring integers is ever found, a possibility some leading number theorists consider quite likely. In fact, efficient quantum algorithms for factoring integers and computing discrete logarithms already exist. Although large-scale quantum computers are not expected to exist for at least a decade, this fact should already be regarded as a warning. In contrast, there are currently no known efficient quantum algorithms for lattice problems. Finally, the computations involved in lattice-based cryptography are typically very fast and often require only modular additions, making them attractive for many applications.

For all these reasons, lattice-based cryptography has become a hot topic, especially in the last few years, and our group is playing an important part in this effort.
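As an added example of the "only modular additions" remark (written for this page; it is not the team's code, and the report does not describe this scheme), the following is a toy instance of Regev's LWE-based public-key encryption, the scheme on which much of the lattice-based cryptography the section refers to is built. The parameters n, m, q and the error range are constructed so that decryption is always correct (the accumulated error m·max|e_i| = 20 stays below q/4 = 24); they are far too small to be secure and are chosen for readability, not for any security level.

```python
import random

# Toy LWE parameters (constructed for this example; insecure, but chosen so that the
# accumulated error M * max|e_i| = 20 stays below Q // 4 = 24 and decryption never fails).
N, M, Q = 10, 20, 97


def keygen(rng):
    """Secret s in Z_q^N; public key is M noisy samples (A, b = A*s + e mod q), e in {-1,0,1}^M."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return s, (A, b)


def encrypt(pk, bit, rng):
    """Add up a random subset of the public samples: encryption needs only additions mod q."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]  # random subset indicator
    u = [sum(A[i][j] for i in range(M) if r[i]) % Q for j in range(N)]
    v = (sum(b[i] for i in range(M) if r[i]) + bit * (Q // 2)) % Q
    return u, v


def decrypt(s, ct):
    """v - <s,u> = bit*floor(q/2) + <e,r> mod q, with |<e,r>| <= M < q/4, so round to 0 or q/2."""
    u, v = ct
    d = (v - sum(s[j] * u[j] for j in range(N))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def roundtrip(seed: int, trials: int = 50) -> bool:
    """Encrypt and decrypt both bits repeatedly under a fresh key; True iff every trial is correct."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, bit, rng)) == bit
               for _ in range(trials) for bit in (0, 1))


if __name__ == "__main__":
    print("all trials decrypt correctly:", roundtrip(2011))  # True
```

In Regev's scheme the error is drawn from a discrete Gaussian and q is polynomial in n, and correctness holds with overwhelming rather than absolute probability; the {-1, 0, 1} error and the fixed bound above are a simplification that makes the correctness argument exact. The worst-case guarantee mentioned in the text applies to the underlying LWE problem, not to these toy parameters, which any lattice-reduction tool breaks instantly.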

As already explained, even with the concept of *provable security*, cryptanalysis is still an important area, and attacks can be carried out at several levels. Algebraic tools (against integer factoring, discrete logarithm, polynomial multivariate systems, lattice reduction, etc.) thus have to be studied and improved in order to further evaluate the actual security level of cryptographic schemes.

At the hardware level, side-channel information has to be identified (time, power, radiation, noise, heat, etc.) in order to securely protect embedded systems. But such information may also be used in a positive way.

The purpose of MitMTool is to look for guess-and-determine and meet-in-the-middle attacks on AES and AES-based constructions. This tool allowed us to improve known attacks on round-reduced versions of AES, on the LEX stream cipher, on the PELICAN message authentication code and on fault attacks on AES. Basically, it solves the problem of finding all the solutions of a linear system of equations on the variables

ProVerif (www.

It can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie–Hellman key agreement, specified either as rewrite rules or as equations.

It can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen approximations, which make the verifier sound but incomplete: it may report false attacks, but if it claims that the protocol satisfies some property, then the property is actually satisfied. ProVerif also provides attack reconstruction: when it cannot prove a property, it tries to reconstruct an attack, that is, an execution trace of the protocol that falsifies the desired property.

The ProVerif verifier can prove the following properties:

secrecy (the adversary cannot obtain the secret);

authentication and more generally correspondence properties, of the form "if an event has been executed, then other events have been executed as well";

strong secrecy (the adversary does not see the difference when the value of the secret changes);

equivalences between processes that differ only by terms;

ProVerif has been used by researchers for studying various kinds of protocols, including electronic voting protocols, certified email protocols, and zero-knowledge protocols. It has been used as a back-end for the tool TulaFale, implemented at Microsoft Research Cambridge, which verifies web services protocols. It has also been used as a back-end for verifying implementations of protocols in F# (a dialect of ML included in .NET), by Microsoft Research Cambridge and the joint INRIA-Microsoft research center.

ProVerif is freely available on the web, at www.

CryptoVerif (www.

secrecy;

correspondences, which include in particular authentication.

CryptoVerif provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, Diffie-Hellman key agreement.

The generated proofs are proofs by sequences of games, as used by cryptographers. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. CryptoVerif can also evaluate the probability of success of an attack against the protocol as a function of the probability of breaking each cryptographic primitive and of the number of sessions (exact security).

CryptoVerif is still at a rather early stage of development, but it has already been used for a study of Kerberos in the computational model. It is also used as a back-end for verifying implementations of protocols in F# at Microsoft Research Cambridge and at the joint INRIA-Microsoft research center.

CryptoVerif is freely available on the web, at www.

**SAPHIR-II** *(Sécurité et Analyse des Primitives de Hachage Innovantes et Récentes)*: **Security and analysis of innovative and recent hashing primitives.**

From April 2009 to March 2013.

Partners: France Telecom R&D, Gemalto, EADS, SAGEM, DCSSI, Cryptolog, INRIA/Secret, UVSQ, XLIM, CryptoExperts.

**PACE: Pairings and Advances in Cryptology for E-cash.**

From December 2007 to February 2012.

Partners: France Telecom R&D, NXP, Gemalto, CNRS/LIX (INRIA/TANC), Univ. Caen, Cryptolog.

*This project aims at studying new properties of groups (similar to pairings, or variants), and then at exploiting them in order to achieve more practical e-cash systems.*

**PAMPA: Password Authentication and Methods for Privacy and Anonymity.**

From December 2007 to December 2011.

Partners: EADS, Cryptolog.

*One of the goals of this project is to improve existing password-based techniques, not only by using a stronger security model but also by integrating one-time passwords (OTP). This could avoid, for example, having to trust the client machine, which seems hard to guarantee in practice due to the existence of numerous viruses, worms, and Trojan horses. Another extension of existing techniques is related to group applications, where we want to allow the establishment of secure multicast networks via password authentication. Several problems are specific to this scenario, such as dynamic membership, robustness, and the randomness of the session key, even in the presence of dishonest participants.*

*Finally, the need for authentication is often a concern of service providers and not of users, who are usually more interested in anonymity, in order to protect their privacy. Thus, the second goal of this project is to combine authentication methods with techniques for anonymity in order to address the different concerns of each party. However, anonymity is frequently associated with fraud that cannot be prosecuted. Fortunately, cryptography makes it possible to provide conditional anonymity, which can be revoked by a judge whenever necessary. This is the type of anonymity that we will favor.*

**BEST: Broadcast Encryption for Secure Telecommunications.**

From December 2009 to November 2013.

Partners: Thales, Nagra, CryptoExperts, Univ Paris 8.

*This project aims at studying broadcast encryption and traitor tracing, with applications to Pay-TV and geolocation services.*

**PRINCE: Proven Resilience against Information leakage in Cryptographic Engineering.**

From December 2010 to November 2014.

Partners: UVSQ, Oberthur Technologies, Ingenico, Gemalto, Tranef.

*We aim to undertake research in the field of leakage-resilient cryptography with a practical point of view. Our goal is to design efficient leakage-resilient cryptographic algorithms and to invent new countermeasures for cryptographic standards that are not leakage-resilient. These outcomes shall realize a provable level of security against side-channel attacks and come with a formally verified implementation. For this, every practical aspect of the secure implementation of cryptographic schemes must be taken into account, ranging from the high-level security protocols to the cryptographic algorithms, and from these algorithms to their implementation on specific devices whose hardware design may exhibit different leakage models.*

**ProSe: Security protocols : formal model, computational model, and implementations.**

From December 2010 to November 2014.

Partners: ENS Cachan-INRIA/Secsi, LORIA-INRIA/Cassis, Verimag.

*The goal of the project is to increase the confidence in security protocols and, in order to reach this goal, to provide security proofs at three levels: the symbolic level, in which messages are terms; the computational level, in which messages are bitstrings; and the implementation level, that is, the program itself.*

**ECRYPT-II: Network of Excellence in Cryptology.**

From August 2008 to July 2012.

*There are three virtual labs that focus on the following core research areas: symmetric key algorithms (STVL), public key algorithms and protocols (MAYA), and secure and efficient implementations (VAMPIRE).*

*ENS/INRIA/CASCADE leads the MAYA virtual lab.*

**ERC Starting Grant: LATTICE.**

Oded Regev (2008 – 2013)

**SecFuNet: Security for Future Networks.**

From July 2011 to December 2013

**Chaire ENS – France Télécom pour la sécurité des réseaux de télécommunications.**

From January 2006 to December 2012.

**Fondation EADS Grant.**

Charles Bouillaguet, in PhD Thesis from September 2008 to August 2011

**Donation of Tilera multicore cluster (512 core, 64 bits each) by Tilera.**

This machine allows the team to run various cryptanalytic experiments and simulations. It was installed at ENS for the team, in recognition of the team's cryptanalytic and research achievements.

Zvika Brakerski – Weizmann Institute, Israel

Vincent Cheval – ENS Cachan, France

Angelo De Caro – Univ. Salerno, Italy

Karina M. Magalhães – University of Campinas, Brazil

Petros Mol – UC San Diego, USA

Takashi Nishide – Kyushu University, Japan

Chris Peikert – Georgia Tech , USA

Adi Shamir – Weizmann Institute, Israel

of the *International Journal of Applied Cryptography (IJACT)* – Inderscience Publishers: David Pointcheval

of the *Theory of Computing (ToC)*: Oded Regev

of the *International Journal of Applied Cryptography (IJACT)* – Inderscience Publishers: Bruno Blanchet

of the *Journal of Cryptology*: Phong Nguyen

of the *Journal of Mathematical Cryptology*: Phong Nguyen

of *Security and Communication Networks*: David Naccache

of *Journal of Cryptographic Design*: David Naccache

of *Encyclopedia of Cryptography and Security*: David Naccache

of *Journal of Small Scale Digital Device Forensics (publication currently on hold for financial reasons)*: David Naccache

of *Computers & Security Elsevier Advanced Technology* – Elsevier: David Naccache

of *Cryptologia* – Taylor & Francis: David Naccache

of *Information Processing Letters* – Elsevier: David Pointcheval

of *IEEE Transactions on Information Forensics and Security*: Michel Abdalla

of the *IEEE Security and Privacy Magazine*: David Naccache

SOFSEM – January 2011, Nový Smokovec, Slovakia: Phong Nguyen

COSADE – February 2011, Darmstadt, Germany: David Naccache

CT-RSA – February 2011, San Francisco, USA: David Pointcheval

ESSoS – February 2011, Madrid, Spain: Bruno Blanchet

FSE – February 2011, Copenhagen, Denmark: Pierre-Alain Fouque

NTMS - Security Track – February 2011, Paris, France: David Naccache

AsiaCCS – March 2011, Hong Kong, China: Damien Vergnaud

TCC – March 2011, Providence, USA: Vadim Lyubashevsky

PKC – March 2011, Taormina, Italy: Dario Fiore

EUROCRYPT – May 2011, Tallinn, Estonia: Michel Abdalla, Vadim Lyubashevsky, David Pointcheval

CryptoForma workshop – June 2011, Limerick, Ireland: Bruno Blanchet

ACNS – June 2011, Malaga, Spain: Michel Abdalla, David Naccache

TRUST – June 2011, Pittsburgh, PA USA: David Naccache

FCC workshop – June 2011, Paris, France: Bruno Blanchet

IEEE ISCC – June 2011, Kerkyra, Greece: David Naccache

ACISP – July 2011, Melbourne, Australia: Michel Abdalla, Damien Vergnaud

AFRICACRYPT – July 2011, Dakar, Senegal: David Pointcheval (Program Chair), Damien Vergnaud

SECRYPT – July 18-21, Seville, Spain: David Naccache

CRYPTO – August 2011, Santa Barbara, USA: Phong Nguyen

CHES – September 2011, Nara, Japan: Pierre-Alain Fouque, David Naccache

ISC – October 2011, Xi'an, China: Michel Abdalla

CCS – October 2011, Chicago, USA: Bruno Blanchet, David Naccache

Provsec – October 2011, Xi'an, China: David Naccache, Damien Vergnaud

PQC – November 2011, Taipei, Taiwan: Vadim Lyubashevsky

INTRUST – November 2011, Beijing, China: David Naccache

ECRYPT Workshop on Lightweight Cryptography – November 2011, Louvain-la-Neuve, Belgium: David Naccache

ASIACRYPT – December 2011, Seoul, South Korea: Michel Abdalla, Phong Nguyen

IMACC – December 2011, Oxford, UK: David Naccache

Indocrypt – December 2011: Vadim Lyubashevsky

David Naccache

Oded Regev

David Naccache

David Naccache, Jacques Stern, Damien Vergnaud

Phong Nguyen

Michel Abdalla, Vadim Lyubashevsky

Bruno Blanchet

David Naccache

David Naccache

David Naccache

Duong-Hieu Phan

David Pointcheval

Bruno Blanchet

Bruno Blanchet

Mehdi Tibouchi – Ph.D. – 23 sept. 2011 – Université Paris VII – France

*Hachage vers les courbes elliptiques et cryptanalyse de schémas RSA*

Charles Bouillaguet – Ph.D. – 26 sept. 2011 – Université Paris VII – France

*Etudes d'hypothèses algorithmiques et analyse de primitives cryptographiques*

Michel Abdalla – HDR – 24 nov. 2011 – ENS – France

Alexandre Venelli – Ph.D. – 31 Jan. 2011 - Uni. Aix-Marseille 2 – France

*Contribution à la sécurité physique des cryptosystèmes embarqués*

David Naccache (reviewer)

Amandine Jambert – Ph.D. – 15 Mar. 2011 – Uni. Bordeaux I – France

*Outils Cryptographiques pour la Protection des Contenus et de la Vie Privée des Utilisateurs*

David Pointcheval (reviewer)

Steve Kremer – HDR – 17 Mar. 2011 – Ecole Normale Supérieure de Cachan – France

*Modelling and Analyzing Security Protocols in Cryptographic Process Calculi*

David Pointcheval

Stéphanie Delaune – HDR – 18 Mar. 2011 – Ecole Normale Supérieure de Cachan – France

*Verification of security protocols: from confidentiality to privacy*

Bruno Blanchet

Moez Ben Mbarka – Ph.D. – 6 Apr. 2011 – Université Bordeaux I – France

*Signatures électroniques avancées : modélisation de la validation à long terme et sécurité des autorités de certification* (Advanced electronic signatures: modelling long-term validation and the security of certification authorities)

Bruno Blanchet

Jean Lancrenon – Ph.D. – 22 June 2011 – Univ. Grenoble – France

*Protocoles d'authentification d'objets à distance* (Remote object authentication protocols)

David Pointcheval (reviewer)

Carla Ràfols – Ph.D. – 19 July 2011 – Universitat Politècnica de Catalunya – Spain

*Some issues in public key cryptography: hard-core predicates, distributed protocols and functional encryption*

Damien Vergnaud (reviewer)

Mehdi Tibouchi – Ph.D. – 23 Sept. 2011 – Université Paris VII – France

*Hachage vers les courbes elliptiques et cryptanalyse de schémas RSA* (Hashing to elliptic curves and cryptanalysis of RSA schemes)

Pierre-Alain Fouque, David Naccache (co-advisor), Jacques Stern

Charles Bouillaguet – Ph.D. – 26 Sept. 2011 – Université Paris VII – France

*Etudes d'hypothèses algorithmiques et analyse de primitives cryptographiques* (Studies of algorithmic assumptions and analysis of cryptographic primitives)

Pierre-Alain Fouque (co-advisor), David Pointcheval (co-advisor), Jacques Stern

Luk Bettale – Ph.D. – 3 Oct. 2011 – Université Paris VI – France

*Cryptanalyse Algébrique: Outils et Applications* (Algebraic cryptanalysis: tools and applications)

Pierre-Alain Fouque (reviewer)

Damien Stehlé – HDR – 14 Oct. 2011 – ENS Lyon – France

*Euclidean Lattices: Algorithms and Cryptography*

Oded Regev (reviewer)

Pierre Girard – HDR – 20 Oct. 2011 – Uni. Limoges (XLIM) – France

*Contribution à la sécurité des cartes à puce et de leur utilisation* (Contribution to the security of smart cards and their use)

David Naccache (reviewer)

Jop Briët – Ph.D. – 27 Oct. 2011 – CWI, Amsterdam – The Netherlands

*Grothendieck inequalities, Nonlocal games and Optimization*

Oded Regev (reviewer)

Jean Martinelli – Ph.D. – 18 Nov. 2011 – Université Versailles-Saint Quentin en Yvelines – France

*Protection d'algorithmes de chiffrement par blocs contre les attaques par canaux auxiliaires d'ordre supérieur* (Protecting block ciphers against higher-order side-channel attacks)

Pierre-Alain Fouque (reviewer)

Michel Abdalla – HDR – 24 Nov. 2011 – ENS – France

*Reducing The Need For Trusted Parties In Cryptography*

David Pointcheval (advisor), Jacques Stern

Youssef Souissi – Ph.D. – 6 December 2011 – Telecom ParisTech – France

*Méthodes optimisant l'analyse des cryptoprocesseurs sur les canaux cachés* (Methods for optimising side-channel analysis of cryptoprocessors)

David Naccache (reviewer)

Moulay Abdelaziz El Aabid – Ph.D. – 7 Dec. 2011 – Univ. Paris 8 – France

*Attaques par canaux cachés : expérimentations avancées sur les attaques templates* (Side-channel attacks: advanced experiments on template attacks)

David Naccache (reviewer)

Ştefan Ciobâcă – Ph.D. – 9 Dec. 2011 – Ecole Normale Supérieure de Cachan – France

*Verification and Composition of Security Protocols with Applications to Electronic Voting*

Bruno Blanchet (reviewer)

Eric Laurent Ricard – Ph.D. – 9 Dec. 2011 – Univ. Paris 2 – France

*Rétablir la confiance dans les messages électroniques* (Restoring trust in electronic messages)

David Naccache (advisor)

Fabien Laguillaumie – HDR – 12 Dec. 2011 – Univ. Caen Basse Normandie – France

*Public-Key Cryptography: Design and Algorithmic*

David Pointcheval (reviewer)

Jean-René Reinhard – Ph.D. – 14 Dec. 2011 – Université Versailles-Saint Quentin en Yvelines – France

*Étude de Primitives Cryptographiques Symétriques: Chiffrements par Flot et Fonctions de Hachage* (Study of symmetric cryptographic primitives: stream ciphers and hash functions)

Pierre-Alain Fouque (reviewer)

Khaled Ouafi – Ph.D. – 19 Dec. 2011 – EPFL – Switzerland

*Security and privacy in RFID Systems*

David Naccache (reviewer)

Amir Pasha Mirbaha – Ph.D. – 20 Dec. 2011 – Ecole nationale sup. des Mines de St Etienne – France

*Study of the Vulnerability of Cryptographic Circuits by Laser Fault Injection*

David Naccache (co-advisor)

Marco Ramilli – Ph.D. – [date to be set in 2011] – DEIS University of Bologna – Italy

*A design methodology for security test planning in distributed systems*

David Naccache (reviewer)

QIP 2010, Singapore (January): Oded Regev

CASED Distinguished Lecture + Additional Lecture for Students, Germany (January): David Naccache

Anniversary workshop in honour of Gérard Berry and Jean-Jacques Lévy, Gérardmer, France (February): Bruno Blanchet

Two talks in workshop, Dagstuhl, Germany (March): Oded Regev

Journées Codage et Cryptographie, St. Pierre d'Oleron, France (April): Vadim Lyubashevsky, Damien Vergnaud

30th EUROCRYPT Conference, Tallinn, Estonia (May): Phong Nguyen

Mathématiques en mouvement, Paris, France (May): Phong Nguyen

Coding, Cryptology, and Combinatorial Design, Singapore (May): Vadim Lyubashevsky

International Workshop on Mathematical Cryptology, Daejeon, South Korea (June): Michel Abdalla

WISTP 2011, Heraklion, Crete, Greece (June): David Naccache

Introductory Workshop on Quantitative Geometry, MSRI, Berkeley, California, USA (August): Oded Regev

Course on Foundations of Cryptography and Impossibility Results, Scuola Superiore di Catania, Catania, Italy (September): Dario Fiore

Faces of Modern Cryptography, New York City, USA (September): Vadim Lyubashevsky

5th CHINACRYPT, Changsha, China (October): Phong Nguyen

IEEE Information Theory Workshop, Paraty, Brazil (October): Vadim Lyubashevsky

São Paulo Advanced School of Cryptography, Campinas, Brazil (October): Michel Abdalla, Vadim Lyubashevsky, Jacques Stern

4th PQCrypto Conference, Taipei, Taiwan (November): Phong Nguyen

European Postdoctoral Day of Excellence in Cryptography, Darmstadt, Germany (November): Dario Fiore

Congrès du LIA CNRS Formath Vietnam (November): Duong Hieu Phan

New York Theory Day (November): Oded Regev

7th INSCRYPT Conference, Beijing, China (December): Phong Nguyen

10th CANS Conference, Sanya, China (December): Phong Nguyen

IMACC, Oxford, UK (December): David Naccache

Weizmann Institute, Jan 23 – Feb 8: Oded Regev

New York University, Oct 8 – Jan 2: Oded Regev

Weizmann Institute, Oct 28 – Nov 8: Pierre-Alain Fouque

Séminaire Codage, Cryptologie, Algorithmes (CCA), Paris, France (January): Oded Regev

Theory seminar, Technion, Israel (January): Oded Regev

Cryptography Group, Bristol University, UK (January): Mehdi Tibouchi

LIRMM, Montpellier, France (January): Mehdi Tibouchi

Theory seminar, Weizmann Institute, Israel (February): Oded Regev

GREYC, Université de Caen, France (February): Mehdi Tibouchi

TELECOM ParisTech, Paris, France (February): Mehdi Tibouchi

Newton Institute, Cambridge (March): Oded Regev

Univ. of Limoges, France (March): Vadim Lyubashevsky

ENS Lyon, France (March): Vadim Lyubashevsky

Univ. of Grenoble, France (March): Phong Nguyen

East China Normal Univ., China (April): Phong Nguyen

IRSEM – IDEST, Paris, France (June): David Naccache

Univ. of Grenoble, France (June): David Pointcheval

Univ. of Rennes, France (June): Vadim Lyubashevsky

ENPC, Marne la Vallée, France (September): David Pointcheval

IQC, Waterloo, Canada (September): Vadim Lyubashevsky

IRISA, Rennes, France (October): Bruno Blanchet

ENS Cachan, Ker Lann, France (November): Pierre-Alain Fouque

Univ. of Rennes, France (November): David Naccache

LACS, University of Luxembourg, Luxembourg (May): Dario Fiore

GREYC, Université de Caen, France (June): Dario Fiore

Tsinghua Univ., China (August): Phong Nguyen

Seminar, Haifa University, Israel (November): Pierre-Alain Fouque

Theory seminar, Weizmann Institute, Israel (November): Pierre-Alain Fouque

CSDM seminar, Institute for Advanced Study, Princeton, USA (November): Oded Regev

IMATH, Université Sud Toulon Var, France (November): Aurore Guillevic

PRiSM, Université de Versailles, France (November): Aurore Guillevic

ENS Cachan, Cachan, France (November): Pierre-Alain Fouque

IRISA, Rennes, France (December): Pierre-Alain Fouque

Oded Regev

Oded Regev

Michel Abdalla

Oded Regev

Vadim Lyubashevsky

Jérémy Jean

Pierre-Alain Fouque

Michel Abdalla, David Pointcheval, Dario Fiore, Mehdi Tibouchi, Damien Vergnaud, Olivier Blazy, David Naccache

David Pointcheval

Phong Nguyen, David Pointcheval, Jacques Stern, Dario Fiore, Damien Vergnaud, David Naccache

Dario Fiore, Mario Strefler

Bruno Blanchet, David Cadé, Miriam Paiola

Michel Abdalla

Oded Regev

David Naccache

David Pointcheval, Damien Vergnaud

Michel Abdalla, Dario Fiore

Charles Bouillaguet, Jérémy Jean

Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, Patrick Derbez, Charles Bouillaguet, Jacques Stern, Jérémy Jean, Dario Fiore, Mehdi Tibouchi, Vadim Lyubashevsky

Oded Regev

Aurore Guillevic

Mehdi Tibouchi

Michel Abdalla

Oded Regev

Vadim Lyubashevsky

Michel Abdalla, Pierre-Alain Fouque, Damien Vergnaud

A weekly seminar is organized: http://

Chair of the Program Committee of Africacrypt – David Pointcheval

Board of the *International Association for Cryptologic Research* (IACR) – David Naccache (2010–2012), David Pointcheval (2008–2013)

Recruitment committee at Université Paris VIII (PR 27): David Pointcheval

Recruitment committee at Université Versailles-Saint Quentin en Yvelines (MdC 27): Pierre-Alain Fouque

Recruitment committee at Université Paris II (MdC 26): David Naccache

Recruitment committee at Université Paris I (PR 27): David Naccache

INRIA Paris-Rocquencourt seminar committee: Phong Nguyen

Member of the scientific committee of the LabEx AMIES (Agence pour les Mathématiques et Interaction avec l'Entreprise et la Société)