Section: Overall Objectives

State of the Art

Cryptanalysis has a long history, dating back to secret writing. Until the seventies, most of the work on cryptanalysis was kept secret, but it is has now evolved from art to science, thanks to the liberalization of cryptologic research. In general, cryptanalysis tries to answer the following question: what is the best attack against a given cryptosystem, and how much does it cost? There is generally no definite answer to this question, and the state-of-the-art regularly evolves over time. Cryptanalysis is a field mixing theory and practice: while more and more advanced techniques are used, one is also concerned with very applied issues such as hardware/software efficiency.

In the past fifteen years, a new kind of attacks have appeared in the research literature: side-channel attacks. Such attacks arguably existed long before 1996, but were not advertised in public research. In a side-channel attack, the attacker exploits physical information which can sometimes be obtained in a concrete implementation, such as the power consumption of the cryptographic device, or the running time of the cryptographic process, etc. The attack could be either passive or active: for instance, in a so-called fault attack, the attacker physically perturbates the cryptographic device, and depending on the type of perturbations, the faulty outputs may disclose valuable information which may leak the whole secret key. Side-channel attacks have had a huge impact in industry: many cryptographic certifications now require more or less strong resistance to side-channel attacks, and there is an annual international conference dedicated to side-channel attacks, namely the CHES conference organized by IACR.

Cryptanalysis is particularly important in secret-key cryptography, due to the lack of provable security techniques. In public-key cryptanalysis, studying the best attack often consists in answering the following two questions:

• What is the best algorithm to solve the computational problem (integer factoring, discrete logarithm, etc.) related to the security of the public-key cryptosystem? In particular, industry is very interested in a practical version of this question: which keysizes are recommended? How much computational effort would be required exactly to break a given keysize? This question is arguably well-understood for integer factoring and discrete logarithm: there is more or less a consensus on what is the security level provided by a given RSA modulus or ECC elliptic curve. But it is more difficult to answer for alternative (post-quantum) problems such as lattice reduction, solving systems of polynomial equations over finite fields, and coding theory problems. Traditionally, there are more parameters for these problems.

• Is there a short-cut to attack the public-key cryptosystem, rather than trying to solve the underlying computational problem stated by the designer(s)? This is especially relevant when the public-key cryptosystem does not have provable security guarantees. And this question is also related to side-channel attacks.