The focus of this project is cryptanalysis, which is traditionally defined as the art of code-breaking: cryptanalysis studies the best attacks on cryptographic schemes, from a theoretical point of view (algorithm design) but also from a practical point of view (implementation weaknesses, side-channel attacks). Cryptanalysis has a significant impact in the real world, because cryptographic algorithms and protocols, as well as key sizes, are selected based on the state of the art in cryptanalysis. While provable security has made great advances in the past thirty years, it is alone insufficient to select cryptographic parameters: in general, choosing parameters based purely on security proofs leads to rather inefficient schemes. Cryptanalysis is therefore complementary to provable security, and both are essential to our understanding of security.

We consider cryptanalysis in the two worlds of cryptography: public-key cryptography (also called asymmetric cryptography) and secret-key cryptography (also called symmetric cryptography). Secret-key cryptography is much more efficient (and therefore more widespread) than public-key cryptography, but also less powerful because it requires sharing secret keys: it encompasses symmetric encryption (stream ciphers, block ciphers), message authentication codes, and hash functions. Public-key cryptography provides more functionalities such as digital signatures, identity-based encryption and more generally functional encryption. Current public-key cryptographic techniques are based on advanced mathematics such as number theory (*e.g.* elliptic curves and lattices).

Inside public-key cryptanalysis, we focus on lattice techniques in particular, because lattice-based cryptography has been attracting considerable interest in the past few years, due to unique features such as potential resistance to quantum computers and new functionalities such as fully-homomorphic encryption (which allows computing on encrypted data without requiring secret keys), noisy multi-linear maps and even (indistinguishability) obfuscation. These new functionalities have dramatically increased the popularity of lattice-based cryptography.

Inside secret-key cryptanalysis, we are especially interested in standard hash functions and the five SHA-3 finalists, due to the importance of the SHA-3 competition for a new hash function standard. We are also interested in the security of widespread symmetric ciphers, such as the AES block cipher standard (implemented in Intel processors) and the RC4 stream cipher (widely deployed in wireless protocols).

This project deals with both public-key cryptanalysis and secret-key cryptanalysis. Most of the researchers working in cryptanalysis only study one of the two, but there seems to be more and more interaction between the two fields, despite their apparent independence:

For instance, coding theory techniques are now used in both secret-key cryptanalysis and public-key cryptanalysis: as an example, several standard hash functions implicitly use a linear code, and the properties of this code are related to the security of the hash function; and public-key cryptosystems based on coding theory problems have been studied for more than thirty years.

Similarly, Gröbner bases and related techniques are now used in both secret-key cryptanalysis and public-key cryptanalysis: algebraic attacks on stream ciphers and block ciphers are now well-established, and there are still a few multivariate public-key cryptosystems, more than twenty years after the Matsumoto-Imai cryptosystem. Recently, techniques to solve systems of polynomial equations have been used in breakthrough results for solving the discrete logarithm problem over special finite fields and elliptic curves.

As another example, time/memory tradeoffs are routinely used in both secret-key cryptanalysis and public-key cryptanalysis.

As a side objective, this project also aims at developing European-Chinese collaboration in cryptologic research.

Cryptanalysis has a long history, dating back to secret writing. Until the seventies, most of the work on cryptanalysis was kept secret, but it has now evolved from art to science, thanks to the liberalization of cryptologic research. In general, cryptanalysis tries to answer the following question: what is the best attack against a given cryptosystem, and how much does it cost? There is generally no definite answer to this question, and the state of the art regularly evolves over time. Cryptanalysis is a field mixing theory and practice: while more and more advanced techniques are used, one is also concerned with very applied issues such as hardware/software efficiency.

In the past fifteen years, a new kind of attack has appeared in the research literature: side-channel attacks. Such attacks arguably existed long before 1996, but were not advertised in public research. In a side-channel attack, the attacker exploits physical information which can sometimes be obtained from a concrete implementation, such as the power consumption of the cryptographic device, or the running time of the cryptographic process, etc. The attack can be either passive or active: for instance, in a so-called fault attack, the attacker physically perturbs the cryptographic device, and depending on the type of perturbation, the faulty outputs may disclose valuable information which may leak the whole secret key. Side-channel attacks have had a huge impact in industry: many cryptographic certifications now require more or less strong resistance to side-channel attacks, and there is an annual international conference dedicated to side-channel attacks, namely the CHES conference organized by IACR.

Cryptanalysis is particularly important in secret-key cryptography, due to the lack of provable security techniques. In public-key cryptanalysis, studying the best attack often consists in answering the following two questions:

What is the best algorithm to solve the computational problem (integer factoring, discrete logarithm, etc.) related to the security of the public-key cryptosystem? In particular, industry is very interested in a practical version of this question: which key sizes are recommended? Exactly how much computational effort would be required to break a given key size? This question is arguably well-understood for integer factoring and discrete logarithm: there is more or less a consensus on the security level provided by a given RSA modulus or ECC elliptic curve. But it is more difficult to answer for alternative (post-quantum) problems such as lattice reduction, solving systems of polynomial equations over finite fields, and coding theory problems. Traditionally, these problems involve more parameters.

Is there a short-cut to attack the public-key cryptosystem, rather than trying to solve the underlying computational problem stated by the designer(s)? This is especially relevant when the public-key cryptosystem does not have provable security guarantees. This question is also related to side-channel attacks.

This project is interested in any public-key cryptanalysis, in the broad sense.

Historically, one useful side-effect of public-key cryptanalysis has been the introduction of advanced mathematical objects in cryptology, which were later used for cryptographic design. The most famous examples are elliptic curves (first introduced in cryptology to factor integer numbers), lattices (first introduced in cryptology to attack knapsack cryptosystems) and pairings over elliptic curves (first introduced in cryptology to attack the discrete logarithm problem over special elliptic curves). It is therefore interesting to develop the mathematics of public-key cryptanalysis. In particular, we would like to deepen our understanding of lattices by studying well-known mathematical aspects such as packing problems, transference theorems or random lattices.

Due to the strong interest surrounding lattice-based cryptography at the moment, our main focus is to attack lattice-based cryptosystems, particularly the most efficient ones (such as NTRU), and the ones providing new functionalities such as fully-homomorphic encryption or noisy multi-linear maps: recent cryptanalysis examples include , for the latter, and for the former. We want to assess the concrete security level of lattice-based cryptosystems, as has been done for cryptosystems based on integer factoring or discrete logarithms: this has been explored in , but needs to be developed further. This requires analyzing and designing the best algorithms for solving lattice problems, either exactly or approximately. In this area, much progress has been obtained in the past few years (such as ), but we believe there is still more to come. We are working on new lattice computational records.

We are also interested in lattice-based cryptanalysis of non-lattice cryptosystems, by designing new attacks or improving old attacks. A well-known example is RSA, for which the best attacks in certain settings are based on lattice techniques, following a seminal work by Coppersmith in 1996: recently , we improved the efficiency of some of these attacks on RSA, and we would like to extend this kind of result.

In the past few years, new cryptographic functionalities (such as fully-homomorphic encryption, noisy multi-linear maps, indistinguishability obfuscation, etc.) have appeared, many of which are based on lattices. They usually introduce new algorithmic problems whose hardness is not well-understood. It is extremely important to study the hardness of these new assumptions, in order to evaluate the feasibility of these new functionalities. Sometimes, the problem itself is not new, but the (aggressive) choices of parameters are: for instance, several implementations of fully-homomorphic encryption used well-known lattice problems like LWE or BDD but with very large parameters which have not been studied much.

Currently, there are very few articles studying the concrete hardness of these new assumptions, especially compared to the articles using these new assumptions.

Though secret-key cryptanalysis is the oldest form of cryptanalysis, there is regular progress in this area.

In the past few years, the most important event has been the SHA-3 competition for a new hash function standard. This competition ended in 2012, with Keccak selected as the winner. We intend to study Keccak, together with the four other SHA-3 finalists. New cryptanalytical techniques designed to attack SHA-3 candidates are likely to be useful to attack other schemes. For instance, this was the case for the so-called rebound attack.

However, it is also interesting not to forget widespread hash functions: while it is now extremely easy to generate new MD5 collisions, a collision for SHA-1 has yet to be found, despite the existence of theoretical collision attacks faster than birthday attacks. Besides, there are still very few results on the SHA-2 standards family.

We may also be interested in related topics such as message authentication codes, especially those based on hash functions, which we explored in the past.

Symmetric ciphers are widely deployed because of their high performance: typical cases are disk encryption and wireless communications.

We intend to study widespread block ciphers, such as the AES (now implemented in Intel processors) and Kasumi (used in UMTS) standards, as illustrated in recent publications , , , of the team. Surprisingly, new attacks , on the AES have appeared in the past few years, such as related-key attacks and single-key attacks. It is very important to find out if these attacks can be improved, even if they are very far from being practical. An interesting trend in block cipher cryptanalysis is to adapt recent attacks on hash functions: this is the reciprocal of the phenomenon of ten years ago, when Wang's MD5 collision attack was based on differential cryptanalysis.

Similarly to block ciphers, we intend to study widespread stream ciphers, such as RC4. The case of RC4 is particularly interesting due to the extreme simplicity of this cipher, and its deployment in numerous applications such as wireless Internet protocols. In the past few years, new attacks on RC4 based on various biases (such as ) have appeared, and several attacks on RC4 are used in WEP-attack tools.

The team published improved single-key attacks on reduced-round AES: AES is currently the most widespread block cipher standard, and it is implemented in Intel processors.

Phong Nguyen was Program co-Chair of the 33rd IACR Eurocrypt Conference (EUROCRYPT 2014).

2013CB834205

Phong Nguyen and Xiaoyun Wang

2013-17

MOST is China's Ministry of Science and Technology.

NSFC Key Project 61133013

Phong Nguyen and Xiaoyun Wang

2013-16

NSFC is the National Natural Science Foundation of China.

CWI: Cryptography team of Ronald Cramer (Netherlands). This team is officially a partner of LIAMA's CRYPT international project.

CRYPT is an international project from LIAMA in China, hosted by Tsinghua University in Beijing. It is a joint project between Inria, Tsinghua University, CAS Academy of Mathematics and System Sciences, and CWI (Netherlands).

Phong Nguyen is the European director of LIAMA.

Univ. Oklahoma, USA

Univ. Wisconsin, USA

(Univ. Oklahoma, USA)

(NTT, Japan)

(Univ. Wisconsin, USA)

Xiaoyun Wang was General Chair of the 10th China International Conference on Information Security and Cryptology (Inscrypt 2014) in Beijing (China), from December 13 to 15, 2014.

Phong Nguyen was an organizer of the LIAMA France-China 50 Workshop, in May 2014, in Paris (France).

the 33rd IACR Eurocrypt Conference (EUROCRYPT 2014): Phong Nguyen.

Eleventh Algorithmic Number Theory Symposium ANTS-XI (August 6-11, 2014, Korea): Phong Nguyen.

The members of the team reviewed numerous papers for numerous international conferences.

Advances in Mathematics of Communications: Xiaoyun Wang

Journal of Cryptology: Phong Nguyen and Xiaoyun Wang

Journal of Mathematical Cryptology: Phong Nguyen

Natural Science Review: Xiaoyun Wang

PhD: Phong Nguyen, Advanced Lattice Algorithms, 12h, CAS, China.

PhD: Phong Nguyen, Introduction to Lattice Algorithms, 3h, EPFL Winter School, Switzerland.

PhD: Wei Wei, New Transference Theorems on Lattices Possessing Gaps, Tsinghua, June 2014, Xiaoyun Wang

PhD: Feng Zhang, Theory, Algorithm and Applications for Solving SVP and CVP in Lattices, CAS, Summer 2014, Yanbin Pan

PhD: Wei Wei, New Transference Theorems on Lattices Possessing Gaps, Tsinghua, June 2014, Xiaoyun Wang (supervisor)

PhD: Chenggang Wu, Property Testing and Related Problems, Tsinghua (Institute for Interdisciplinary Information Sciences), June 2014, Phong Nguyen (Jury member)

PhD: Feng Zhang, Theory, Algorithm and Applications for Solving SVP and CVP in Lattices, CAS, Summer 2014, Yanbin Pan (supervisor)

Phong Nguyen gave several invited talks:

at the First NTU-VIASM Workshop on Discrete Mathematics, in Vietnam.

at the 2014 CTIC-IIIS Theory of Cryptography workshop, in China.

at the Mathematical Workshop of the Chinese Association for Cryptologic Research, in China.