Section: Research Program
Secret-Key Cryptanalysis
Though secret-key cryptanalysis is the oldest form of cryptanalysis, there is regular progress in this area.
Hash Functions
In the past few years, the most important event has been the SHA-3 competition for a new hash function standard. This competition ended in 2012, with Keccak selected as the winner. We intend to study Keccak, together with the four other SHA-3 finalists, such as in [12] . New cryptanalytical techniques designed to attack SHA-3 candidates are likely to be useful to attack other schemes. For instance, this was the case for the so-called rebound attack.
However, it is also interesting not to forget widespread hash functions: while it is now extremely easy to generate new MD5 collisions, a collision for SHA-1 has yet to be found, despite the existence of theoretical collision attacks faster than birthday attacks. Besides, there are still very few results on the SHA-2 standards family.
We may also be interested in related topics such as message authentication codes, especially those based on hash functions, which we explored in the past.
Symmetric Ciphers
Symmetric ciphers are widely deployed because of their high performances: a typical case is disk encryption and wireless communications.
We intend to study widespread block ciphers, such as the AES (now implemented in Intel processors) and Kasumi (used in UMTS) standards, as illustrated in recent publications [7] , [9] , [10] , [9] and [15] , [16] of the team. Surprisingly, new attacks [21] , [20] on the AES have appeared in the past few years, such as related-key attacks and single-key attacks. It is very important to find out if these attacks can be improved, even if they are very far from being practical. An interesting trend in block cipher cryptanalysis is to adapt recent attacks on hash functions: this is the reciprocal of the phenomenon of ten years ago, when Wang's MD5 collision attack was based on differential cryptanalysis.
Similarly to block ciphers, we intend to study widespread stream ciphers, such as RC4. The case of RC4 is particularly interesting due to the extreme simplicity of this cipher, and its deployment in numerous applications such as wireless Internet protocols. In the past few years, new attacks on RC4 based on various biases (such as [27] ) have appeared, and several attacks on RC4 are used in WEP-attack tools.