Section: New Results
Symmetric cryptology
Participants : Xavier Bonnetain, Christina Boura, Anne Canteaut, Pascale Charpin, Sébastien Duval, Gaëtan Leurent, María Naya Plasencia, Yann Rotella, Ferdinand Sibleyras, Tim Beyne, Mathilde de La Morinerie, André Schrottenloher.
Primitives: block ciphers, stream ciphers, ...
Our recent results mainly concern either the analysis and design of lightweight block ciphers.
Recent results:

Analysis of linear invariant attacks [41], [54], [28], [29]: C. Beierle, A. Canteaut, G. Leander and Y. Rotella have studied SPN ciphers with a very simple key schedule, such as Prince . They introduce properties of the linear layer and of the round constants than can be used to prove that there are no nonlinear invariants.

Analysis of the probability of differential characteristics for unkeyed constructions [19]: This work shows that the probabilities of some fixedkey differential characteristics are higher than expected when assuming independent SBoxes. This leads to improved attacks against RoadRunneR and Minalpher.

Design and study of a new construction for lowlatency block ciphers, named reflection ciphers, which generalizes the socalled $\alpha $reflection property exploited in Prince . This construction aims at reducing the implementation overhead of decryption on top of encryption [15].

Modular construction of primitives with codehardness, timehardness or memoryhardness [42]. A. Biryukov and L. Perrin have introduced new definitions to formalize hardness, and constructions that are hard to compute for common users, but easy for users knowing a secret.

Design of encryption schemes for efficient homomorphicciphertext compression: A. Canteaut, M. NayaPlasencia together with their coauthors have investigated the constraints on the symmetric cipher imposed by this application and they have proposed some solutions based on additive IVbased stream ciphers [17].
Cryptographic properties and construction of appropriate building blocks
The construction of building blocks which guarantee a high resistance against the known attacks is a major topic within our projectteam, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal regarding to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not. For these reasons, we have investigated several families of filtering functions and of Sboxes which are wellsuited for their cryptographic properties or for their implementation characteristics.
Recent results:

Boolean functions with restricted input: Y. Rotella, together with C. Carlet and P. Méaux, has introduced some new criteria on filtering Boolean functions, which measure the security of the recent stream cipher proposal FLIP. Indeed, in this context, the inputs of the filtering function are not uniformly distributed but have a fixed Hamming weight. Then, the main properties of filtering functions (e.g. nonlinearity, algebraic immunity...) have been revisited [20].

Differential Equivalence of Sboxes: C. Boura, A. Canteaut and their coauthors have studied two notions of differential equivalence of Sboxes corresponding to the case when the functions have the same difference table, or when their difference tables have the same support [45]. They proved that these two notions do not coincide, and that they are invariant under some classical equivalence relations like EA and CCZ equivalence. They also proposed an algorithm for determining the whole equivalence class of a given function.

A. Canteaut, S. Duval and L. Perrin proposed a construction of a new family of permutations over binary fields of dimension $(4k+2)$ with good cryptographic properties. An interesting property is that this family includes as a specific case the only known APN permutation of an even number of variables [55], [18].

Construction of cryptographic permutations over finite fields with a sparse representation: P. Charpin, together with N. Cepak and E. Pasalic, exhibited permutations which are derived from sparse functions via linear translators [21].

New methods for determining the differential spectrum of an Sbox: P. Charpin and G. Kyureghyan have proved that the whole differential spectrum of an Sbox can be determined without examining all derivatives of the mapping, but only the derivatives with respect to an element within a hyperplane [23]. Also, they have proved that, for mappings of a special shape, it is enough to consider the derivatives with respect to all elements within a suitable multiplicative subgroup of ${\mathbb{F}}_{{2}^{n}}$.
Sidechannel attacks
Physical attacks must be taken into account in the evaluation of the security of lightweight primitives. Indeed, these primitives are often dedicated to IoT devices in pervasive environments, where an attacker has an easy access to the devices where the primitive is implemented.
Recent results:

Differential fault attack against LSdesigns and SCREAM [52]: this attack generalized previous work on PRIDE to the class of LSDesigns.
Modes of operation and generic attacks
In order to use a block cipher in practice, and to achieve a given security notion, a mode of operation must be used on top of the block cipher. Modes of operation are usually studied through security, and we now that their use is secure as long as the underlying primitive are secure, and we respect some limits on the amount of data processed. The analysis of generic attack helps us understand what happens when the hypothesis of the security proofs do not hold, or the corresponding limits are not respected. Comparing proofs and attack also shows gaps where our analysis is incomplete, and improved proof or attacks are required.
Recent results:

Use of block ciphers operating on small blocks with the CBC mode [31]: it is wellknown that CBC is not secure if the same key is used for encrypting ${2}^{n/2}$ blocks of plaintext, but this threat has traditionally been dismissed as impractical, even for 64bit blocks. K. Bhargavan and G. Leurent demonstrated concrete attacks that exploit such short block ciphers in CBC mode.

Use of block ciphers operating on small blocks with the CTR mode [77]: the security proof of the CTR mode also requires that no more than ${2}^{n/2}$ blocks are encrypted with the same key, but the known attacks reveal very little information and are considered even less problematic than on CBC. During his internship with G. Leurent, F. Sibleyras has studied concrete attacks against the CTR mode when processing close to ${2}^{n/2}$ blocks of data, and has shown that an attacker can actually extract as much information as in the case of CBC encryption.

Improved generic attacks against hashbased MAC [25].

Modes of operation for full disk encryption [51]: L. Khati, N. Mouha and D. Vergnaud have classified various FDE modes of operation according to their security in a setting where there is no space to store additional data, like an IV or a MAC value. They also introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted into different ciphertexts.