Highlights of the Year

Post-quantum symmetric cryptanalysis

We have been considering the problem of symmetric cryptography in a future environment in which quantum computers exist. This environment will pose a real problem for the majority of asymmetric primitives, but little is known about its implications for the security of symmetric primitives. Confidence in our symmetric primitives rests entirely on our knowledge of cryptanalysis, and in reality we know little about post-quantum attacks on symmetric primitives. If we want post-quantum systems to be reliable and efficient, we need to understand how adversaries might exploit this new computing power. This year, two preliminary results were obtained within the team and published at CRYPTO 2016 [51] and in the IACR Transactions on Symmetric Cryptology [23]. They include surprising results showing that, in some scenarios, some symmetric systems can also become vulnerable to a quantum computer. María Naya-Plasencia has recently been awarded an ERC starting grant, QUASYModo, to work on this subject. This grant will enable us to continue this work in more depth.

Real-world impact of some theoretical cryptanalytic works

Weak cryptography often remains in use long after its weaknesses have been found by the academic community. For instance, Rogaway warned in 2002 that the predictable IV used in TLS was a problem, but it took a public demonstration with a practical exploit in 2011 (the BEAST attack) for servers and clients to implement countermeasures. The same happened with the use of compression (CRIME), insecure version fallback (POODLE), and known biases in RC4 (RC4NOMORE), to name a few examples. In joint works at NDSS and ACM CCS, K. Bhargavan from the PROSECCO project-team and G. Leurent showed two almost practical attacks against deprecated cryptographic primitives that are still used in real-world applications. The SLOTH attack targeted the use of MD5 in TLS for in-protocol signatures, and the Sweet32 attack targeted the use of 64-bit block ciphers: Blowfish in OpenVPN, and 3DES in TLS. Moreover, the SLOTH paper received a distinguished paper award at NDSS.

Symmetric ciphers for homomorphic encryption schemes

In order to avoid the (extremely) high expansion rate of homomorphic encryption, one solution is to transmit to the server the ciphertext c obtained by encrypting m with a symmetric scheme (the corresponding secret key, encrypted under the homomorphic scheme, is also transmitted). The server then needs to compute the homomorphic encryption of m from c, i.e. it needs to homomorphically evaluate the decryption circuit of the symmetric cipher. Hybrid encryption schemes dedicated to this application therefore require symmetric ciphers with very specific features, since the cost of the homomorphic evaluation is driven by the structure of the decryption circuit. Our team has made two important contributions on this topic: the design of new appropriate solutions based on stream ciphers [44], and an attack on a cipher proposed by Méaux et al. in this context [48], [32].
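The hybrid flow above, as an added example that is not code from the cited papers: the client sends a symmetric ciphertext plus its key encrypted bit by bit under Goldwasser-Micali (an XOR-homomorphic scheme, assumed here in place of a fully homomorphic one), and the server runs the symmetric decryption circuit on the encrypted key to obtain the plaintext bits under the homomorphic scheme. The symmetric cipher is a constructed 16-bit LFSR stream cipher; it is chosen only because it is linear over GF(2), so XOR gates suffice, and it is not a secure cipher. A real design needs nonlinear operations, i.e. multiplications on encrypted bits, and the multiplicative depth of its decryption circuit is what the server's homomorphic cost depends on. The prime sizes and the message are constructed toy values.

```python
"""Toy transciphering with Goldwasser-Micali (GM) and an LFSR stream cipher.
Constructed illustration; not the schemes from the cited papers."""
import math
import random

# ---- Goldwasser-Micali: one ciphertext per bit, XOR-homomorphic ------------

def _is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def _next_prime_3mod4(n):
    # p ≡ 3 (mod 4) makes -1 a quadratic non-residue mod p
    while not (n % 4 == 3 and _is_prime(n)):
        n += 1
    return n

def gm_keygen(seed_p=1000000, seed_q=2000000):
    # toy-sized primes (constructed); real GM needs primes of 1024+ bits
    p = _next_prime_3mod4(seed_p)
    q = _next_prime_3mod4(seed_q)
    n = p * q
    # x = -1 mod n: non-residue mod p and mod q, Jacobi symbol +1 mod n
    return {"n": n, "x": n - 1}, {"p": p}

def gm_encrypt(pk, bit, rng):
    n = pk["n"]
    r = rng.randrange(2, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(2, n)
    return (pow(pk["x"], bit, n) * r * r) % n

def gm_decrypt(sk, c):
    p = sk["p"]
    # Euler's criterion: c is a square mod p (bit 0) iff c^((p-1)/2) == 1
    return 0 if pow(c % p, (p - 1) // 2, p) == 1 else 1

def gm_xor(pk, c1, c2):
    return (c1 * c2) % pk["n"]                   # Enc(a)*Enc(b) = Enc(a xor b)

def gm_xor_const(pk, c, bit):
    return (c * pow(pk["x"], bit, pk["n"])) % pk["n"]   # xor with a public bit

# ---- Toy symmetric cipher: 16-bit Fibonacci LFSR (linear, NOT secure) ------
KEY_BITS = 16
TAPS = (0, 2, 3, 5)   # feedback x^16 + x^14 + x^13 + x^11 + 1, state[0] oldest

def lfsr_keystream(state, length, xor):
    """Generic over the bit representation: `xor` is ^ on plain bits or
    gm_xor on GM ciphertexts, so this one function is both the decryption
    circuit and its homomorphic evaluation."""
    state = list(state)
    out = []
    for _ in range(length):
        out.append(state[0])
        fb = xor(xor(state[TAPS[0]], state[TAPS[1]]),
                 xor(state[TAPS[2]], state[TAPS[3]]))
        state = state[1:] + [fb]
    return out

def transcipher(pk, sym_ct_bits, enc_key_bits):
    """Server side: from c and Enc_HE(key), compute Enc_HE(m) bit by bit."""
    enc_ks = lfsr_keystream(enc_key_bits, len(sym_ct_bits),
                            lambda a, b: gm_xor(pk, a, b))
    return [gm_xor_const(pk, k, c) for k, c in zip(enc_ks, sym_ct_bits)]

def demo(message_bits=None, seed=1):
    rng = random.Random(seed)
    pk, sk = gm_keygen()
    if message_bits is None:                     # constructed 64-bit message
        message_bits = [int(ch) for ch in "0110100001101001" * 4]
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    if not any(key):
        key[0] = 1                               # all-zero LFSR state is degenerate
    # client: symmetric encryption of m, plus the key under GM (sent once)
    ks = lfsr_keystream(key, len(message_bits), lambda a, b: a ^ b)
    sym_ct = [m ^ k for m, k in zip(message_bits, ks)]
    enc_key = [gm_encrypt(pk, b, rng) for b in key]
    # server: homomorphic decryption; the key holder checks by decrypting
    enc_msg = transcipher(pk, sym_ct, enc_key)
    recovered = [gm_decrypt(sk, c) for c in enc_msg]
    gm_bits = pk["n"].bit_length()               # GM ciphertext size per bit
    return {
        "ok": recovered == message_bits,
        "recovered": recovered,
        "hybrid_bits": len(sym_ct) + KEY_BITS * gm_bits,
        "direct_he_bits": len(message_bits) * gm_bits,
    }

if __name__ == "__main__":
    print(demo())
```

The returned sizes show the expansion argument: sending the 64-bit symmetric ciphertext plus 16 GM-encrypted key bits costs far fewer bits than GM-encrypting all 64 message bits directly, and the saving grows with the message length because the encrypted key is sent once.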

Best Paper Awards:

A. Phesso, J.-P. Tillich. An Efficient Attack on a Code-Based Signature Scheme, in: Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, T. Takagi (editor), Lecture Notes in Computer Science, Springer, February 2016, vol. 9606, pp. 86-103. [DOI: 10.1007/978-3-319-29360-8_7]

K. Bhargavan, G. Leurent. Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH, in: Network and Distributed System Security Symposium - NDSS 2016, San Diego, United States, February 2016. [DOI: 10.14722/ndss.2016.23418]