## Section: New Results

### Solving Systems in Finite Fields, Applications in Cryptology and Algebraic Number Theory.

#### Private Multiplication over Finite Fields

The notion of privacy in the probing model, introduced by Ishai, Sahai, and Wagner in 2003, is nowadays frequently invoked to assess the security of circuits manipulating sensitive information. However, provable security in this model still comes at the cost of a significant overhead, both in arithmetic complexity and in randomness complexity. In [13], we deal with this issue for circuits computing multiplication over finite fields. Our contributions are manifold. Extending the work of Belaïd, Benhamouda, Passelègue, Prouff, Thillard, and Vergnaud at Eurocrypt 2016, we introduce an algebraic characterization of privacy for multiplication in any finite field, and we propose a novel algebraic characterization of non-interference (a stronger security notion in this setting). We then present two generic constructions of multiplication circuits in finite fields that achieve non-interference in the probing model. The second proposal achieves linear complexity in terms of randomness consumption, and this complexity is proved to be almost optimal. Finally, we show that our constructions can always be instantiated in large enough finite fields.
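As an added illustration of the baseline that [13] improves on (this is the classical Ishai-Sahai-Wagner multiplication gadget, not the constructions of [13]), the following example masks two GF(2^8) elements into d+1 additive shares, multiplies them share-wise with the ISW scheme, and counts the d(d+1)/2 random field elements it consumes, which is the quadratic randomness cost the paper reduces to linear. The field arithmetic uses the AES reduction polynomial; the sharing and gadget functions are written here for the example.

```python
import secrets

def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return r

def xor_all(xs):
    """Recombine an additive (XOR) sharing into the secret."""
    acc = 0
    for v in xs:
        acc ^= v
    return acc

def share(x, d, rng=secrets.randbelow):
    """Split x into d+1 shares: d uniformly random ones, the last one fixing the sum."""
    shares = [rng(256) for _ in range(d)]
    shares.append(x ^ xor_all(shares))
    return shares

def isw_mul(a_sh, b_sh, rng=secrets.randbelow):
    """ISW multiplication of two (d+1)-sharings over GF(2^8).

    Returns (c_shares, n_random) where c_shares is a (d+1)-sharing of a*b and
    n_random is the number of fresh random field elements drawn (d(d+1)/2).
    """
    n = len(a_sh)
    c = [gf256_mul(a_sh[i], b_sh[i]) for i in range(n)]
    n_random = 0
    for i in range(n):
        for j in range(i + 1, n):
            r = rng(256)
            n_random += 1
            c[i] ^= r
            # The parenthesisation matters for probing security: mask the cross
            # term a_i*b_j with r before adding a_j*b_i, so that no single
            # intermediate value depends on both unmasked cross products.
            r_ji = (r ^ gf256_mul(a_sh[i], b_sh[j])) ^ gf256_mul(a_sh[j], b_sh[i])
            c[j] ^= r_ji
    return c, n_random
```

Recombining the output shares gives the plain product, while the randomness counter shows how quickly the ISW cost grows with the masking order d.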

#### Convolutional Neural Networks with Data Augmentation Against Jitter-Based Countermeasures - Profiling Attacks Without Pre-processing

In the context of the security evaluation of cryptographic implementations, profiling attacks (aka Template Attacks) play a fundamental role. Nowadays the most popular Template Attack strategy consists of approximating the information leakages by Gaussian distributions. Nevertheless, this approach suffers from the difficulty of dealing with both trace misalignment and the high dimensionality of the data. This forces the attacker to perform critical preprocessing phases, such as the selection of the points of interest and the temporal realignment of measurements. Some software and hardware countermeasures have been conceived precisely to create such a misalignment. In [17], we propose an end-to-end profiling attack strategy based on Deep Learning algorithms combined with Data Augmentation strategies.

#### Submissions to the `NIST` Post-Quantum Standardization Process

We have submitted three cryptosystems to the current process led by
`NIST` for standardizing post-quantum public-key algorithms.

##### *GeMSS*

The acronym stands for a Gr*e*at Multivariate Signature Scheme [18]. As suggested by its name, *GeMSS* is a multivariate-based signature scheme producing small signatures. It has a fast verification process and a medium/large public key. *GeMSS* is in direct lineage from `QUARTZ` and borrows some design rationale from the `Gui` multivariate signature scheme.
The former schemes are built from the *Hidden Field Equations* cryptosystem (`HFE`) by using the so-called minus and vinegar modifiers.
It is fair to say that `HFE` and its variants are the most studied schemes in multivariate cryptography. `QUARTZ` produces signatures of 128 bits for a security level of 80 bits and was submitted to the *Nessie Ecrypt* competition for public-key signatures. In contrast to many multivariate schemes, no practical attack has been reported against `QUARTZ`.
This is remarkable given the intense activity in the cryptanalysis of multivariate schemes.

*GeMSS* is a faster variant of `QUARTZ` that incorporates the
latest results in multivariate cryptography to reach higher security
levels than `QUARTZ` whilst improving efficiency.

##### *DualModeMS*

*DualModeMS* [20]
is a multivariate-based signature scheme with a rather
peculiar property. Its public key is small whilst the signature is
large. This is in sharp contrast with traditional multivariate
signature schemes based on the so-called *Matsumoto and Imai*
(`MI`) principle, such as `QUARTZ` or `Gui`, that produce
short signatures but have larger public keys.

*DualModeMS* is based on the method proposed by A. Szepieniec,
W. Beullens, and B. Preneel at PQC'17, where they present a generic
technique that transforms any `MI`-based multivariate
signature scheme into a new scheme with a much shorter public key but
larger signatures. This technique can be viewed as a *mode of
operation* that offers a new flexibility for `MI`-like
signature schemes. Thus, we believe that *DualModeMS* could also be
useful for other multivariate-based signature candidates proposed to
`NIST`.

##### *CPFKM*

*CPFKM* [19] is based on the
problem of solving a system of noisy
non-linear polynomials, also known as the PoSSo with Noise
Problem. Our scheme largely borrows its design rationale from key
encapsulation schemes based on the Learning With Errors (LWE) problem
and its derivatives. The main motivation for building this scheme is to
have a key exchange and encapsulation scheme based on the hardness of
solving systems of noisy polynomials.

#### The Point Decomposition Problem over Hyperelliptic Curves: toward efficient computations of Discrete Logarithms in even characteristic

Computing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of the Index-Calculus called Decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the Point $m$-Decomposition Problem (${PDP}_{m}$). An instance of this problem can be modelled as a zero-dimensional polynomial system. Solving is done with Gröbner bases algorithms, where the number of solutions of the system is a good indicator for the time complexity of the solving process. For systems arising from a ${PDP}_{m}$ context, this number grows exponentially fast with the extension degree. To achieve an efficient harvesting, this number must be reduced as much as possible. Extending the elliptic case, we introduce in [4] a notion of Summation Ideals to describe ${PDP}_{m}$ instances over higher genus curves, and compare to Nagao's general approach to ${PDP}_{m}$. In even characteristic we obtain reductions of the number of solutions for both approaches, depending on the curve's equation. In the best cases, for a hyperelliptic curve of genus $g$, we can divide the number of solutions by ${2}^{(n-1)(g+1)}$. For instance, for a type II genus 2 curve defined over ${\mathbb{F}}_{293}$ whose divisor class group has cardinality a near-prime 184 bits integer, the number of solutions is reduced from 4096 to 64. This is enough to build the matrix of relations in around 7 days with 8000 cores using a dedicated implementation.