Design and study of a new construction for low-latency block ciphers, named reflection ciphers, which generalizes the so-called $\alpha$-reflection property exploited in PRINCE. This construction aims at reducing the implementation overhead of decryption on top of encryption .

Design of a new permutation for wide-block block ciphers: N. Mouha and S. Gueron have proposed a family of cryptographic permutations, named Simpira, that supports inputs of $128b$ bits, where $b$ is a positive integer . This wide-block permutation is mainly based on the AES round-function. It then achieves a very high throughput on virtually all modern 64-bit processors that have native instructions for AES.

Analysis of the division property against block ciphers , : A. Canteaut, together with C. Boura, gave a new approach to the division property, which has been recently introduced as a distinguishing property on block ciphers. This work provides a simpler and more general view of the division property which allows the attacker to take into account the characteristics of the building-blocks of the cipher. As an illustration, this new approach provides low-data distinguishers against reduced-round Present, which reach a much higher number of rounds than previously known distinguishers of the same type.

Modes of operation for full disk encryption : L. Khati, N. Mouha and D. Vergnaud have classified various FDE modes of operation according to their security in a setting where there is no space to store additional data, like an IV or a MAC value. They also introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted into different ciphertexts.

Attack against $\pi$-Cipher : G. Leurent and his coauthors have presented a guess-and-determine attack against some variants of the $\pi$-Cipher family, which is a second-round candidate to the Caesar competition. More precisely, they showed a key recovery attack with time complexity little higher than $2^{4\omega }$, and low data complexity, against variants of the cipher with $\omega$-bit words, when the internal permutation is reduced to 2.5 rounds out of 3.

Improved generic attacks against hash-based MAC 

Cryptanalysis of 7 (out of 8) rounds of the Chaskey MAC . This work has led the designers of Chaskey to increase the number of rounds.

Design of encryption schemes for efficient homomorphic-ciphertext compression (see Section ): A. Canteaut, M. Naya-Plasencia together with their coauthors have investigated the constraints on the symmetric cipher imposed by this application and they have proposed some solutions based on additive IV-based stream ciphers , .

Cryptanalysis of the FLIP family of stream ciphers: S. Duval, V. Lallemand and Y. Rotella have exhibited an attack against a new family of stream ciphers intended for use in Fully Homomorphic Encryption systems, and proposed by Méaux et al. at Eurocrypt 2016 , . More precisely, their attack applies to the early version of FLIP. It exploits the structure of the filter function and the constant internal state of the cipher. The proposed algorithm then recovers the secret key for the two instantiations originally proposed by Méaux et al.

New types of correlation attacks against filter generators: A. Canteaut and Y. Rotella presented a new family of attacks against filter generators, which exploit a change of the primitive root defining the LFSR . Most notably, an attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies, based on a search within a multiplicative subgroup of ${𝔽}_{2^n}$ where $n$ is the LFSR length. If the LFSR length is not a prime, a fast correlation involving a shorter LFSR can then be performed.

Cryptographic properties of involutions: P. Charpin, together with S. Mesnager and S. Sarkar, has provided a rigorous study of involutions over the finite field of order $2^n$ which are relevant primitives for cryptographic designs . Most notably, they have focused on the class of involutions defined by Dickson polynomials .

Construction of a new family of permutations over binary fields of dimension $(4k+2)$ with good cryptographic properties. An interesting property is that this family includes as a specific case the only known APN permutation of an even number of variables .

Construction of cryptographic permutations over finite fields with a sparse representation: P. Charpin, together with N. Cepak and E. Pasalic, exhibited permutations which are derived from sparse functions via linear translators .

New methods for determining the differential spectrum of an Sbox: P. Charpin and G. Kyureghyan have proved that the whole differential spectrum of an Sbox can be determined without examining all derivatives of the mapping, but only the derivatives with respect to an element within a hyperplane . Also, they have proved that, for mappings of a special shape, it is enough to consider the derivatives with respect to all elements within a suitable multiplicative subgroup of ${𝔽}_{2^n}$.

Differential fault attack against the block cipher PRIDE : the efficiency of this attack mainly originate from the design of the linear layer of the cipher which relies on the interleaved construction.

Study of the criteria to quantify the resistance offered by an Sbox to differential power analysis . This work by K. Chakraborty and his coauthors shows that the classical criterion, called transparency order, has many limitations; an alternative definition is then proposed.

Impact of hash function collisions on the security of TLS: most practitioners believe that the hash function only need to resist preimage attacks for this use. However, K.  Bhargavan and G. Leurent have shown that collisions in the hash function are sufficient to break the integrity of these protocols, and to impersonate some of the parties , . Since many protocols still allow the use of MD5 or SHA-1 (for which collision attacks are known), this results in some practical attacks, and extends the real-world impact of the collision attacks against MD5 and SHA-1. This work has already influenced the latest TLS 1.3 draft, and the main TLS libraries are removing support of MD5 signatures.

Use of block ciphers operating on small blocks: It is well-known that most modes of operation, like CBC, are not secure if the same key is used for encrypting $2^{n/2}$ blocks of plaintext, where $n$ is the block size. But this threat has traditionally been dismissed as impractical, even for 64-bit blocks, since it requires some prior knowledge of the plaintext and even then, it only leaks a few secret bits per gigabyte. In this context, K.  Bhargavan and G. Leurent demonstrated two concrete attacks that exploit such short block ciphers . First, they presented an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, they showed how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections.

Introduction of a new class of quantum LDPC codes, “Quantum expander codes”, featuring a simple and very efficient decoding algorithm which can correct arbitrary patterns of errors of size scaling as the square-root of the length of the code. These are the first codes with constant rate for which such an efficient decoding algorithm is known , .

A. Chailloux, together with colleagues from IRIF and Jerusalem, established the existence of quantum weak coin flipping with arbitrarily small bias .

A. Chailloux and international collaborators performed an experimental verification of multipartite entanglement in quantum networks .

A. Chailloux and collaborators established the optimal bounds for quantum weak oblivious transfer .

Security analysis of quantum key distribution with continuous variables .

R. Bricout and A. Chailloux considered explicit attacks against the relativistic protocol for bit commitment mentioned above and proved that the security analysis published in Physical Review Letters 2015 is essentially tight.

A drawback of the relativistic bit commitment protocol is that it requires that all communications remain perfectly synchronized during the entire commitment time, and a single network failure leads to aborting the protocol. K. Chakraborty, A. Chailloux and A. Leverrier proposed a more robust version of the protocol allowing to deal with such network failures, a required feature in order to implement the protocol in realistic conditions , .

Differential and linear attacks in the quantum setting: G. Leurent, A. Leverrier and M. Naya Plasencia, in collaboration with M. Kaplan, have obtained some results on quantum versions of differential and linear cryptanalysis . They show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attacks, but not for all variants. Therefore, the best attack in the classical world does not necessarily lead to the best quantum one.

Application of Simon's algorithm to symmetric cryptanalysis , : Leurent et al. also proved that several attacks can be dramatically sped up using a quantum procedure known as Simon's algorithm for finding the period of a function. As a first application, the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. These quantum attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. Second, Simon's algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.