Homepage Inria website

Section: New Results

Solving Systems in Finite Fields, Applications in Cryptology and Algebraic Number Theory.

Private Multiplication over Finite Fields

The notion of privacy in the probing model, introduced by Ishai, Sahai, and Wagner in 2003, is nowadays frequently involved to assess the security of circuits manipulating sensitive information. However, provable security in this model still comes at the cost of a significant overhead both in terms of arithmetic complexity and randomness complexity. In [13], we deal with this issue for circuits processing multiplication over finite fields. Our contributions are manifold. Extending the work of Belaïd, Benhamouda, Passelègue, Prouff, Thillard, and Vergnaud at Eurocrypt 2016, we introduce an algebraic characterization of the privacy for multiplication in any finite field and we propose a novel algebraic characterization for non-interference (a stronger security notion in this setting). Then, we present two generic constructions of multiplication circuits in finite fields that achieve non-interference in the probing model. The second proposal achieves a linear complexity in terms of randomness consumption. This complexity is proved to be almost optimal. Eventually, we show that our constructions can always be instantiated in large enough finite fields.

Convolutional Neural Networks with Data Augmentation Against Jitter-Based Countermeasures - Profiling Attacks Without Pre-processing

In the context of the security evaluation of cryptographic implementations, profiling attacks (aka Template Attacks) play a fundamental role. Nowadays the most popular Template Attack strategy consists in approximating the information leakages by Gaussian distributions. Nevertheless this approach suffers from the difficulty to deal with both the traces misalignment and the high dimensionality of the data. This forces the attacker to perform critical preprocessing phases, such as the selection of the points of interest and the temporal realignment of measurements. Some software and hardware countermeasures have been conceived exactly to create such a misalignment. In [17], we propose an end-to-end profiling attack strategy based on Deep Learning algorithms combined with Data Augmentation strategies.

Submissions to the NIST Post-Quantum Standardization Process

We have submitted three cryptosystems to the current process leads by NIST for standardizing post-quantum public-key algorithms.


The acronym stands for a Great Multivariate Signature Scheme [18]. As suggested by its name, GeMSS is a multivariate-based signature scheme producing small signatures. It has a fast verification process, and a medium/large public-key. GeMSS is in direct lineage from QUARTZ and borrows some design rationale of the Gui multivariate signature scheme. The former schemes are built from the Hidden Field Equations crypotsystem (HFE ) by using the so-called minus and vinegar modifiers. It is fair to say that HFE and its variants, are the most studied schemes in multivariate cryptography. QUARTZ produces signatures of 128 bits for a security level of 80 bits and was submitted to the Nessie Ecrypt competition for public-key signatures. In contrast to many multivariate schemes, no practical attack has been reported against QUARTZ . This is remarkable knowing the intense activity in the cryptanalysis of multivariate schemes.

GeMSS is a faster variant of QUARTZ that incorporates the latest results in multivariate cryptography to reach higher security levels than QUARTZ whilst improving efficiency.


DualModeMS  [20] is a multivariate-based signature scheme with a rather peculiar property. Its public-key is small whilst the signature is large. This is in sharp contrast with traditional multivariate signature schemes based on the so-called Matsumoto and Imai (MI ) principle, such as QUARTZ or Gui , that produce short signatures but have larger public-keys.

DualModeMS is based on the method proposed by A. Szepieniec, W. Beullens, and B. Preneel at PQC'17 where they present a generic technique permitting to transform any (MI -based multivariate signature scheme into a new scheme with much shorter public-key but larger signatures. This technique can be viewed as a mode of operations that offers a new flexibility for MI -like signature schemes. Thus, we believe that DualModeMS could also be useful for others multivariate-based signature candidates proposed to NIST .


CPFKM [19] is a based on the problem of solving a system of noisy non-linear polynomials, also known as the PoSSo with Noise Problem. Our scheme largely borrows its design rationale from key encapsulation schemes based on the Learning With Errors (LWE) problem and its derivatives. The main motivation of building this scheme is to have a key exchange and encapsulation scheme based on the hardness of solving system of noisy polynomials.

The Point Decomposition Problem over Hyperelliptic Curves: toward efficient computations of Discrete Logarithms in even characteristic

Computing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of the Index-Calculus called Decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the Point m-Decomposition Problem (PDPm). An instance of this problem can be modelled as a zero-dimensional polynomial system. Solving is done with Gröbner bases algorithms, where the number of solutions of the system is a good indicator for the time complexity of the solving process. For systems arising from a PDPm context, this number grows exponentially fast with the extension degree. To achieve an efficient harvesting, this number must be reduced as much as possible. Extending the elliptic case, we introduce in [4] a notion of Summation Ideals to describe PDPm instances over higher genus curves, and compare to Nagao's general approach to PDPm. In even characteristic we obtain reductions of the number of solutions for both approaches, depending on the curve's equation. In the best cases, for a hyperelliptic curve of genus g, we can divide the number of solutions by 2(n-1)(g+1). For instance, for a type II genus 2 curve defined over 𝔽293 whose divisor class group has cardinality a near-prime 184 bits integer, the number of solutions is reduced from 4096 to 64. This is enough to build the matrix of relations in around 7 days with 8000 cores using a dedicated implementation.