Section: New Results
Symmetric cryptology
Participants : Xavier Bonnetain, Christina Boura, Anne Canteaut, Pascale Charpin, Daniel Coggia, Sébastien Duval, Gaëtan Leurent, María Naya Plasencia, Léo Perrin, Yann Rotella, André Schrottenloher, Ferdinand Sibleyras.
Block ciphers
Our recent results mainly concern either the analysis or the design of lightweight block ciphers.
Recent results:

Nonlinear approximations of block ciphers: A. Canteaut, together with C. Beierle and G. Leander have exhibited the relationship between nonlinear invariants for block ciphers and nonlinear approximations. They have shown that, in some cases, the linear hull effect may be formalized in terms of nonlinear invariants. They have also introduced a new framework to study the probability of nonlinear approximations over iterated block ciphers [13], [26]

Impossible differential cryptanalysis: C. Boura, V. Lallemand and M. NayaPlasencia have introduced new techniques and complexity analyses for impossible differential cryptanalysis. They also showed that the technique of multiple differentials can be applied to impossible differential attacks [16]

Construction of lightweight MDS matrices: S. Duval and G. Leurent have exhibited MDS matrices with the lowest known implementation cost. They have been constructed by a search through a space of circuits yielding MDS matrices [20], [11]
Stream ciphers
Stream ciphers provide an alternative to blockcipherbased encryption schemes. They are especially wellsuited in applications which require either extremely fast encryption or a very lowcost hardware implementation.
Recent results:

Design of encryption schemes for efficient homomorphicciphertext compression: A. Canteaut, M. NayaPlasencia together with their coauthors have investigated the constraints on the symmetric cipher imposed by this application and they have proposed some solutions based on additive IVbased stream ciphers [17].

Cryptanalysis of Goldreich pseudorandom generator: Goldreich's PRG is a theoretical construction which expands a short random string into a long pseudorandom string by applying a simple $d$ary predicate to public random sized subsets of the bits of the seed. While the security of Goldreich's PRG has been thoroughly investigated, with a variety of results deriving provable security guarantees against classes of attacks in some parameter regimes and necessary criteria to be satisfied by the underlying predicate, little was known about its concrete security and efficiency. Motivated by the hope of getting practical instantiations of this construction, Y. Rotella and his coauthors initiated a study of the concrete security of Goldreich's PRG, and evaluated its resistance to cryptanalytic attacks. They developped a new guessanddeterminestyle attack, and identified new criteria which captured the security guarantees [44].
Authenticated encryption
A limitation of all classical block ciphers is that they aim at protecting confidentiality only, while most applications need both encryption and authentication. These two functionalities are provided by using a block cipher like the AES together with an appropriate mode of operation. However, it appears that the most widelyused mode of operation for authenticated encryption, AESGCM, is not very efficient for highspeed networks. Also, the security of the GCM mode completely collapses when an IV is reused. These severe drawbacks have then motivated an international competition named CAESAR, partly supported by the NIST, which has been launched in order to define some new authenticated encryption schemes (http://competitions.cr.yp.to/caesar.html). The projectteam is involved in a national cryptanalytic effort in this area led by the BRUTUS project funded by the ANR. In this context, the members of the projectteam have obtained some cryptanalytic results on several candidates to the CAESAR competition.
Recent results:

Staterecovery attack on a simplified version of Ketje Jr. [21], [34]

Cryptanalysis of Morus, one of the finalists of the CAESAR competition [42]
Cryptographic properties and construction of appropriate building blocks
The construction of building blocks which guarantee a high resistance against the known attacks is a major topic within our projectteam, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal regarding to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not. For these reasons, we have investigated several families of filtering functions and of Sboxes which are wellsuited for their cryptographic properties or for their implementation characteristics.
Recent results:

Differential Equivalence of Sboxes: C. Boura, A. Canteaut and their coauthors have studied two notions of differential equivalence of Sboxes corresponding to the case when the functions have the same difference table, or when their difference tables have the same support [15], [25]. They proved that these two notions do not coincide, and that they are invariant under some classical equivalence relations like EA and CCZ equivalence. They also proposed an algorithm for determining the whole equivalence class of a given function.

Boomerang Uniformity of Sboxes: The boomerang attack is a cryptanalysis technique against block ciphers which combines two differentials for the upper part and the lower part of the cipher. The Boomerang Connectivity Table (BCT) is a tool introduced by Cid et al. at Eurocrypt 2018 for analysing the dependency between these two differentials. C. Boura and A. Canteaut [14] have provided an indepth analysis of BCT, by studying more closely differentially 4uniform Sboxes. They have completely characterized the BCT of all differentially 4uniform permutations of 4 bits and then study these objects for some cryptographically relevant families of Sboxes, as the inverse function and quadratic permutations. These two families are the first examples of differentially 4uniform Sboxes optimal against boomerang attacks for an even number of variables, answering an open question raised by Cid et al..

CCZ equivalence of Sboxes: A. Canteaut and L. Perrin have characterized CCZequivalence as a property of the zeroes in the Walsh spectrum of an Sbox (or equivalently in their DDT). They used this framework to show how to efficiently upper bound the number of distinct EAequivalence classes in a given CCZequivalence class. More importantly, they proved that CCZequivalence can be reduced to the association of EAequivalence and an operation called twisting. They then revisited several results from the literature on CCZequivalence and showed how they can be interpreted in light of this new framework [18], [29]

Links between linear and differential properties of Sboxes: P. Charpin together with J. Peng has established new links between the differential uniformity and the nonlinearity of some Sboxes in the case of twovalued functions and quadratic functions. More precisely, they have exhibited a lower bound on the nonlinearity of monomial permutations depending on their differential uniformity, as well as an upper bound in the case of differentially twovalued functions [19], [55]

Construction of buildingblocks with resistance against faultattacks at a low implementation overhead [50].
Modes of operation and generic attacks
In order to use a block cipher in practice, and to achieve a given security notion, a mode of operation must be used on top of the block cipher. Modes of operation are usually studied through provable security, and we know that their use is secure as long as the underlying primitive is secure, and we respect some limits on the amount of data processed. The analysis of generic attack helps us understand what happens when the hypotheses of the security proofs do not hold, or the corresponding limits are not respected. Comparing proofs and attacks also shows gaps where our analysis is incomplete, and when improved proof or attacks are required.
Recent results:

Use of block ciphers operating on small blocks with the CTR mode [53]: the security proof of the CTR mode requires that no more than ${2}^{n/2}$ blocks are encrypted with the same key, but the known attacks reveal very little information and are considered less problematic than on CBC. However, G. Leurent and F. Sibleyras have exhibited concrete attacks against the CTR mode when processing close to ${2}^{n/2}$ blocks of data, and have shown that an attacker can actually extract as much information as in the case of CBC encryption.

Generic attacks against some MAC constructions based on block ciphers [52]: G. Leurent and F. Sibleyras, together with M. Nandi, have studied the security of several recent MAC constructions with provable security beyond the birthday bound, namely SUMECBC , PMAC+ , 3kf9 , GCMSIV2 , and some variants. They described a new cryptanalysis technique for doubleblock MACs and they showed how to build a forgery attack with query complexity $\mathcal{O}\left({2}^{3n/4}\right)$, proving that these schemes do not reach full security in the informationtheoretic model. Surprisingly, their attack on LightMAC+ invalidates a recent security proof by Naito. Moreover, they gave the first attack against SUMECBC and GCMSIV2 , with complexity below ${2}^{n}$.