Keywords
 A1.2.8. Network security
 A3.1.5. Control access, privacy
 A4. Security and privacy
 A4.2. Correcting codes
 A4.3. Cryptography
 A4.3.1. Public key cryptography
 A4.3.2. Secret key cryptography
 A4.3.3. Cryptographic protocols
 A4.3.4. Quantum Cryptography
 A6.2.3. Probabilistic methods
 A7.1. Algorithms
 A7.1.4. Quantum algorithms
 A8.1. Discrete mathematics, combinatorics
 A8.6. Information theory
 B6.4. Internet of things
 B6.5. Information systems
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 JeanPierre Tillich [Team leader, Inria, Senior Researcher, HDR]
 Ivan Bardet [Inria, Starting Research Position]
 Ritam Bhaumik [Inria, Starting Research Position, from Mar 2021]
 Anne Canteaut [Inria, Senior Researcher, HDR]
 André Chailloux [Inria, Researcher]
 Pascale Charpin [Inria, Emeritus, HDR]
 Nicholas Connolly [Inria, Starting Research Position, from Sep 2021]
 Gaëtan Leurent [Inria, Researcher]
 Anthony Leverrier [Inria, Researcher, HDR]
 María Naya Plasencia [Inria, Senior Researcher, HDR]
 Leo Perrin [Inria, Researcher]
 Nicolas Sendrier [Inria, Senior Researcher, HDR]
 Thomas Vidick [Inria, Chair, from May 2021 until Jul 2021, Inria international chair]
Faculty Member
 Magali Bardet [Université de Rouen, Associate Professor, until Aug 2021]
PostDoctoral Fellows
 Ritam Bhaumik [Inria]
 Dragos Alexandru Cojocaru [Inria]
PhD Students
 Augustin Bariant [Inria, from Mar 2021]
 Jules Baudrin [Inria, from Sep 2021]
 Clemence Bouvier [Sorbonne Université]
 Pierre Briaud [Sorbonne Université]
 Rémi Bricout [Inria, until Apr 2021]
 Daniel Coggia [DGA, until Aug 2021]
 Nicolas David [Inria]
 Loic Demange [UDcast, CIFRE]
 Aurelie Denys [Inria]
 Simona Etinski [Université de Paris]
 Antonio Florez Gutierrez [Inria]
 Paul Frixons [Orange Labs, CIFRE]
 Shouvik Ghorai [Sorbonne Université, until Feb 2021]
 Lucien Groues [Sorbonne Université]
 Johanna Loyer [Inria]
 Charles MeyerHilfiger [Inria, from Nov 2021]
 Rocco Mora [Sorbonne Université]
 Andrea Olivo [Inria, until Jun 2021]
 Clara Pernot [Inria]
 Maxime Remaud [Bull, CIFRE]
 Andre Schrottenloher [Inria, until Feb 2021]
Technical Staff
 Valentin Vasseur [Inria, Engineer]
Interns and Apprentices
 Jules Baudrin [Inria, from Mar 2021 until Aug 2021]
 Julien Du Crest [École Normale Supérieure de Lyon, from Mar 2021 until Jul 2021]
 Freja Elbro [Université technique du Danemark, from Sep 2021 until Oct 2021]
 Mathias Joly [Inria, from May 2021 until Aug 2021]
 Charles MeyerHilfiger [Inria, from Mar 2021 until Sep 2021]
 Justine Sauvage [Inria, from Mar 2021 until Jul 2021]
Administrative Assistants
 Christelle Guiziou [Inria]
 Mathieu Mourey [Inria, until Oct 2021]
 Scheherazade Rouag [Inria, from Oct 2021]
2 Overall objectives
The research work within the projectteam is mostly devoted to the design and analysis of cryptographic algorithms, in the classical or in the quantum setting. It is especially motivated by the fact that the current situation of cryptography is rather fragile: many of the available symmetric and asymmetric primitives have been either threatened by recent progress in cryptanalysis or by the possible invention of a large quantum computer. Most of our work mixes fundamental aspects and practical aspects of information protection (cryptanalysis, design of algorithms, implementations). In particular we devise
 new cryptanalysis, classical or quantum, in symmetric and asymmetric cryptography,
 new designs of classical symmetric and asymmetric primitives or quantum primitives that are resistant against a classical and quantum adversary,
work on practical aspects in cryptography, e.g. lightweight constructions and implementation, but also on more fundamental issues, either on discrete mathematics or on quantum information.
3 Research program
3.1 Quantum algorithms and cryptanalysis
The current stateoftheart asymmetric cryptography would become insecure in a postquantum world, and the community is actively searching for alternatives. Symmetric cryptography, essential for enabling secure communications, used to seem much less affected at first sight: the biggest known threat was Grover's algorithm, which allows exhaustive key searches in the square root of the search space. Thus, it was believed that doubling keylengths suffices to maintain an equivalent security in the postquantum world. This conventional wisdom was contradicted by Kuwakado and Morii in 2012 when they proposed for the first time to use Simon's algorithm in symmetric cryptanalysis 81, proving the popular EvenMansour construction to be insecure in a strong security model called the superposition model.
This model allows an attacker to query quantumly the block cipher. Simon's algorithm 83 contrarily to Grover's algorithm gives an exponential speedup and can therefore be devastating in this setting.
In the framework of our ERC QUASYModo, we studied in detail this algorithm and possible applications, and we were able to show that Simon's algorithm applies to other schemes as well, such as for instance to the CAESAR candidate AEZ 76. It also allows to break some wellknown modes of operation for MACs and authenticated encryption and provides devastating quantum slide attacks 9. Other quantum algorithms turned out be useful in this model, such as for instance Kuperberg's algorithm 80. It allowed to break a tweak 71 to counter the previous attack of 9 or to devise a quantum attack in the superposition model on the Poly1305 MAC primitive 74, which is largely used and claimed to be quantumly secure.
All these results show that in symmetric (and asymmetric) cryptography, the impact of quantum computers goes well beyond Grover's and Shor's algorithms and has to be studied carefully in order to understand if a given cryptographic primitive is secure or not in a quantum world. To correctly evaluate the security of cryptographic primitives in the postquantum world, it is really desirable to elaborate a quantum cryptanalysis toolbox. This is precisely the first objective of the ERC QUASYModo regarding symmetric cryptanalysis. We plan in the coming years to continue to actively contribute to this toolbox. This goes together with improving or finding new quantum algorithms for cryptanalysis, possibly adapted to some particular situations or scenarios that have not been studied before, like the $k$XOR problem. This whole thread of research, that needs to combine techniques from symmetric or asymmetric cryptanalysis together with quantum algorithmic tools, came naturally in our team. We are namely composed of symmetric and asymmetric cryptologists as well as of experts in quantum computing and we are in a privileged position to perform this kind of research.
3.2 Symmetric cryptology
Symmetric techniques are widely used because they are the only ones that can achieve some major features such as highspeed or lowcost encryption, fast authentication, and efficient hashing. It is a very active research area which is stimulated by a pressing industrial demand for lowcost implementations. Even if the block cipher standard AES remains unbroken 20 years after its design, it clearly appears that it cannot serve as a Swiss Army knife in all environments. In particular an important challenge raised by several new applications is the design of symmetric encryption schemes with some additional properties compared to the AES, either in terms of implementation performance (lowcost hardware implementation, low latency, resistance against sidechannel attacks...) or in terms of functionalities. The past decade has then been characterized by a multiplicity of new proposals and evaluating their security has become a primordial task which requires the attention of the community.
This proliferation of symmetric primitives has been amplified by public competitions, including the recent NIST lightweight standardization effort, which have encouraged innovative but unconventional constructions in order to answer the harsh implementation constraints. These promising but new designs need to be carefully analyzed since they may introduce unexpected weaknesses in the ciphers. Our research work captures this conflict for all families of symmetric ciphers. It includes new attacks and the search for new building blocks which ensure both a high resistance to known attacks and a low implementation cost. This work, which combines cryptanalysis and the theoretical study of discrete mathematical objects, is essential to progress in the formal analysis of the security of symmetric systems.
Our specificity, compared to most groups in the area, is that our research work tackles all aspects of the problem, from the practical ones (new attacks, concrete constructions of primitives and lowcost buildingblocks) to the most theoretical ones (study of the algebraic structure of underlying mathematical objects, definition of optimal objects). We study these aspects not separately but as several sides of the same domain.
3.3 Postquantum asymmetric cryptology
Current publickey cryptography is particularly threatened by quantum computers, since almost all cryptosystems used in practice rely on related numbertheoretic security problems that can be easily solved on a quantum computer as shown by Shor in 1994. This very worrisome situation has prompted NIST to launch a standardization process in 2017 for quantumresistant alternatives to those cryptosystems. This concerns all three major asymmetric primitives, namely publickey encryption schemes, keyexchange protocols and digital signatures. The NIST has made it clear that for each primitive there will be several selected candidates relying on different security assumptions. It publicly admits that the evaluation process for these postquantum cryptosystems is significantly more complex than the evaluation of the SHA3 and AES candidates for instance.
There were 69 (valid) submissions to this call in November 2017, with numerous latticebased, codebased and multivariatecryptography submissions and some submissions based either on hashing or on supersingular elliptic curve isogenies. In January 2019, 26 of these submissions were selected for the second round and 7 of them are codebased submissions. In July 2020, 15 schemes were selected as third round finalists/alternate candidates, 3 of them are codebased. NIST has anounced in 2021 that this call for postquantum primitives would be extended specifically for digital signatures based on techniques other than lattices. This new call should be released in the first quarter of 2022.
The research of the projectteam in this field is focused on the design and cryptanalysis of cryptosystems making use of coding theory and we have proposed codebased candidates to the NIST call for the first two types of primitives, namely publickey encryption and keyexchange protocols and have two candidates among the finalists/alternate candidates. We are also preparing proposals of codebased signatures schemes for the call which is expected in 2022.
3.4 Quantum information
The field of quantum information and computation aims at exploiting the laws of quantum physics to manipulate information in radically novel ways. There are two main applications:

(i)
quantum computing, that offers the promise of solving some problems that seem to be intractable for classical computers such as for instance factorization or solving the discrete logarithm problem;

(ii)
quantum cryptography, which provides new ways to exchange data in a provably secure fashion. For instance it allows key distribution by using an authenticated channel and quantum communication over an unreliable channel with informationtheoretic security, in the sense that its security can be proven rigorously by using only the laws of quantum physics, even with allpowerful adversaries.
Our team deals with quantum coding theoretic issues related to building a large quantum computer and with quantum cryptography. If these two questions may seem at first sight quite distinct, they are in fact closely related in the sense that they both concern the protection of (quantum) information either against an adversary in the case of quantum cryptography or against the environment in the case of quantum errorcorrection. This connection is actually quite deep since an adversary in quantum cryptography is typically modeled by a party having access to the entire environment. The goals of both topics are then roughly to be able to measure how much information has leaked to the environment for cryptography and to devise mechanisms that prevent information from leaking to the environment in the context of error correction.
While quantum cryptography is already getting out of the labs, this is not yet the case of quantum computing, with large quantum computers capable of breaking RSA with Shor's algorithms maybe still decades away. The situation is evolving very quickly, however, notably thanks to massive public investments in the past couple of years and all the major software or hardware companies starting to develop their own quantum computers. One of the main obstacles towards building a quantum computer is the fragility of quantum information: any unwanted interaction with the environment gives rise to the phenomenon of decoherence which prevents any quantum speedup from occurring. In practice, all the hardware of the quantum computer is intrinsically faulty: the qubits themselves, the logical gates and the measurement devices. To address this issue, one must resort to quantum faulttolerance techniques which in turn rely on the existence of good families of quantum errorcorrecting codes that can be decoded efficiently. Our expertise in this area lies in the study of a particularly important class of quantum codes called quantum lowdensity paritycheck (LDPC) codes. The LDPC property, which is wellknown in the classical context where it allows for very efficient decoding algorithms, is even more crucial in the quantum case since enforcing interactions between a large number of qubits is very challenging. Quantum LDPC codes solve this issue by requiring each qubit to only interact with a constant number of other qubits.
4 Application domains
4.1 Designing, Analyzing and Choosing Cryptographic Standards
The research community is strongly involved in the development and evolution of cryptographic standards. Many standards are developed through open competitions (e.g. AES, SHA3) where multiple teams propose new designs, and a joint cryptanalysis effort allows to select the most suitable proposals. The analysis of established standards is also an important work, in order to depreciate weak algorithms before they can be exploited. Several members of the team have been involved in this type of effort and we plan to continue this work to ensure that secure algorithms are widely available. We believe that good cryptographic standards have a large socioeconomic impact, and we are active in proposing schemes to future competitions, and in analyzing schemes proposed to current or future competitions, as well as widelyused algorithms and standards.
At the moment, we are involved in the two standardization efforts run by NIST for postquantum cryptography and lightweight cryptography. We have also uncovered potential backdoors in two algorithms from the Russian Federation (Streebog and Kuznyechik), and successfully presented the standardization of the latter by ISO. We have also implemented practical attacks against SHA1 to speedup its deprecation.
NIST postquantum competition.
The NIST postquantum competition1 aims at standardizing quantumsafe publickey primitives. It is really about offering a credible quantumsafe alternative for the schemes based on number theory which are severely threatened by the advent of quantum computers. It is expected to have a huge and longterm impact on all publickey cryptography. It has received 69 proposals in November 2017, among which five have been codesigned by the projectteam. Four of them have made it to the second round in January 2019. One of them was chosen in July 2020 for the third round and another one was chosen as an alternate third round finalist. We have also broken two first round candidates EdonK 82 and RankSign 79, and have devised a partial break of the RLCE encryption scheme 77. In 2020, we obtained a significant breakthrough in solving more efficiently the MinRank problem and the decoding problem in the rank metric 72, 73 by using algebraic techniques. This had several consequences: all second round rank metric candidates were dismissed from the third round (including our own candidate) and it was later found out that this algebraic algorithm could also be used to attack the third round multivariate finalist, namely Rainbow and the alternate third round finalist GeMSS.
NIST competition on lightweight symmetric encryption.
The NIST lightweight cryptography standardization process2 is an initiative to develop and standardize new authenticated encryption algorithms suitable for constrained devices. As explained in Subsection 3.2, there is a real need for new standards in lightweight cryptography, and the selected algorithms are expected to be widely deployed within the Internet of Things, as well as on more constrained devices such as contactless smart cards, or medical implants. The NIST received 56 submissions in February 2019, three of which have been codesigned by members of the team.
Monitoring Current Standards
While we are very involved in the design phase of new cryptographic standards (see above), we also monitor the algorithms that are already standardized. In practice, this work has two sides.
First, we work towards the deprecation of algorithms known to be unsage. Unfortunately, even when this fact is known in the academic community, standardizing bodies can be slow to implement the required changes to their standards. This prompted for example G. Leurent to implement even better attacks against SHA1 to illustrate its very practical weakness, and L. Perrin and X. Bonnetain (then a COSMIQ member) to find simple arguments proving that a subfunction used by the current Russian standards was not generated randomly, despite the claims of its authors.
Second, it also means that we participate to the relevant ISO meetings discussing the standardization of cryptographic primitives (JC27/WG2), and that we follow the discussions of the IETF and IRTF on RFCs. We have also provided technical assistance to members of other standardizing bodies such as the ETSI.
4.2 Large scale deployment of quantum cryptography
Major academic and industrial efforts are currently underway to implement quantum key distribution at large scale by integrating this technology within existing telecommunication networks. Colossal investments have already taken place in China to develop a large network of several thousand kilometers secured by quantum cryptography, and there is little doubt that Europe will follow the same strategy, as testified by the current European projects CiViQ (in which we are involved), OpenQKD and the future initiative EuroQCI (Quantum Communication Infrastructure). While the main objectives of these actions are to develop better systems at lower cost and are mainly engineering problems, it is crucial to note that the security of the quantum key distribution protocols to be deployed remains far from being completely understood. For instance, while the asymptotic regime of these protocols (where one assumes a perfect knowledge of the quantum channel for instance) has been thoroughly studied in the literature, it is not the case of the much more relevant finitesize regime accounting for various sources of statistical uncertainties for instance. Another issue is that compliance with the standards of the telecommunication industry requires much improved performances compared to the current stateoftheart, and this can only be achieved by significantly tweaking the original protocols. It is therefore rather urgent to better understand whether these more efficient protocols remain as secure as the previous ones. Our work in this area is to build upon our own expertise in continuousvariable quantum key distribution, for which we have developed the most advanced security proofs, to give security proofs for the protocols used in this kind of quantum networks.
5 Social and environmental responsibility
5.1 Oversight of COVID Digital Tools
During the course of the COVID19 pandemic, several digital tools were developped to help mitigating the pandemic. We have not been involved in the developpement of these tools, but we took an active role in analyzing them, and contributing to the political debate.

Digital Contact Tracing:
During the first wave of the COVID19 pandemic, several efforts were initiated to develop smartphone applications intended to contribute to contact tracing. The core idea consists in using Bluetooth signal to estimate the distance and the duration of a contact between two app users.
Later, venue tracking was implemented in several countries. The core idea is to warn patrons when a public place is detected to be a cluster: patrons scan a QRcode with a random identifier when entering the venue, and a list of identifiers with known clusters is published daily.
In France Bluetooth tracing was implemented in the StopCovid application launched on June 2 2020, and renamed TousAntiCovid on October 22 2020. Venue tracking was added on June 9 2021.

Covid Certificates:
At the end of 2020, discussions began in the European Union about vaccine passports and covid certificates, and the first guidelines from European institutions were published in January 2021. A Covid Certificate is a machinereadable document (usually in the form of a QRcode) containing health information with a cryptographic signature from a health autority.
Covid certificates started to be used in France on June 9 2021, and the European version was put in place on July 1st 2021.
Members of the COSMIQ team began to be involved in this topic in April 2020. As several contact tracing projects became public, an interdisciplinary collaboration between researchers in cryptography, in security and in technology law, involving the COSMIQ, CARAMBA, PESTO projectteams and other academic institutions, was initiated in order to investigate the consequences of the deployment of such applications in terms of privacy and security. Indeed, a public (and often external) security analysis is always expected for applications dealing with sensitive data such as, in this instance, medical information and each user's social graph. As mentioned in the introduction of Inria's white book on cybersecurity, "the first step in cybersecurity is to identify threats and define a corresponding attacker model. [...] Since zero risk cannot exist, the early detection and mitigation of attacks is as important as the attempt to reduce the risk of successful attacks." Understanding the limits of a system is then necessary to improve its security and to decide whether it can be deployed without taking illconsidered risks, exactly as the side effects of a drug should be documented.
As political discussions and decisions were taking place, we contributed to these debates by providing an easy to understand description of the security pitfalls that are inherent to bluetoothbased contact tracing: "le traçage anonyme, un bel oxymore" 75. The analysis presented in 75 is, in most cases, independent of the subtleties of the privacypreserving mechanism, and in particular can be applied to both socalled "centralized" and "decentralized" systems. As a consequence, its authors also worked with researchers based in the UK to provide an English translation https://tracingrisks.com/.
This work had a significant impact (the website received more than 100K unique visitors) and led to further contributions from researchers from the COSMIQ team.
 Anne Canteaut was invited to present the results of 75 to the Commission de la Culture, de l'Education et de la Communication of the Sénat on May 27, 2020 (see https://www.senat.fr/compterenducommissions/20200525/cult.html).
 Gaëtan Leurent identified inconsistencies between the specification of Stopcovid and its implementation pertaining to the amount of data sent to the central server. This was notified to the StopCovid projectteam using the bug tracking system3, and the CNIL required the issue to be fixed in a formal notice4.
 Anne Canteaut, as the program cochair of Eurocrypt'20, organized a panel discussion on bluetoothbased contact tracing at this conference. Among the speakers invited at this discussion were designers of such contact tracing applications, including Stopcovid (France), and Swisscovid (Switzerland). This panel discussion was attended by approximately 1900 persons.
 Léo Perrin was invited to present contact tracing applications, their principle, and the corresponding debates at two venues: the seminar of the working group Maths4Covid of the JacquesLouis Lions lab, and to students of the law faculty of CergyPontoise.5
 Léo Perrin was invited to a panel on contact tracing at the summer school of the Haifa Technion (Israel)6 along with designers of the Swiss and Israeli contact tracing applications.
 Anne Canteaut contributed to the definition of an outreach activity for highschool students devoted to epidemics and contact tracing, and initiated by the French Academy of Sciences https://www.academiesciences.fr/pdf/rapport/guide_module_tracage.pdf.
 Gaëtan Leurent wrote an analysis of the TACW protocol, which was meant to be used for venue tracking7 in France. TACW had serious issues, and was replaced by CLÉA.
 Gaëtan Leurent contributed to an analysis of the statistics collection in TousAntiCovid8. This functionality was leaking a lot of private data and has been partially fixed.
 Gaëtan Leurent made several Freedom of Information requests for documents related to those digitals tools and their evaluation:
5.2 Footprint of research activities
During this second year of the COVID19 pandemic, most conferences and workshops have been either cancelled or modified to be online events. Anne Canteaut played a significant role in enabling this transition as the program chair of Eurocrypt 2020 and Eurocrypt 2021. Eurocrypt 2021 was the first flagship conference in cryptography held in a hybrid format. The concomitance of remote talks and of inperson talks required to adapt the format of the conference, the lengths of the talks... This very first experience will motivate discussions on the future format of conferences in our area.
5.3 Impact of research results on standardisation
Our cryptanalysis results on SHA1 10 and GEA 28 have helped convince users and industry to deprecate those obsolete standards. Publication of those attacks and discussion with industry has resulted in concrete actions to reduce usage of those ciphers.
Our project is also involved in two NIST competitions: the competition for lightweight cryptography and the competition for standardizing quantum safe cryptosystems. In the first competition, our team has still one candidate in the third round of the competition, while in the second competition we have one candidate that is a third round finalist and another one which is an alternate third round finalist. The outcome of these two competitions will have a strong impact since the standardized solutions will likely replace large parts of the world’s infrastructure underpinning secure global communication.
6 Highlights of the year

PhD thesis of André Schrottenloher:
We consider this PhD 53 as a landmark in the domain of quantum cryptanalysis. It contains major results:
 the first proof of an actual quantum time speedup for collision search in case of polynomially bounded quantum memory, solving here a long standing open question;
 optimal quantum algorithms for solving fundamental problems such as kXOR or kSUM;
 a general methodology for converting classical research problems into nested quantum research problems, with many applications in cryptanalysis;
 an offline Simon algorithm which enables to use for the first time Simon's algorithm in the standard attack model;
 a distinguisher on the Gimli lightweight permutation.

NIST competition on lightweight cryptography:
On 2019, the American NIST published the candidates that were submitted by teams from the whole world for a new standardization effort. Its aim is to choose one or several symmetric cryptographic primitives that are intended to run on low power devices (RFID tags, sensor networks, and whatever else will be connected in the Internet of Things). COSMIQ has been heavily involved in this process, coauthoring 3 of the 56 initial submissions (SATURNIN, SPOOK and SPARKLE), and publishing security analysis of many of these candidates. In March 2021, NIST announced the 10 finalists of this competition, among which SPARKLE is listed. This algorithm is the outcome of a collaboration between Léo Perrin, and researchers from the universities of Luxembourg and Edinburgh, as well the company CryptoExperts. Furthermore, our cryptanalysis results had an impact on the list of finalists since, for example, GIMLI and mixFeed did not make it to this list. Our attacks against Gimli had obtained a best paper award at Asiacrypt in 2020 8, while our results on mixFeed are included in more general results on the AES that received a best paper award at Eurocrypt 2021 40.

Research highlights in the Communications of the ACM:
The threshold theorem is a seminal result in the field of quantum computing asserting that arbitrarily long quantum computations can be performed on a faulty quantum computer provided that the noise level is below some constant threshold. This remarkable result comes at the price of increasing the number of qubits (quantum bits) by a large factor that scales polylogarithmically with the size of the quantum computation we wish to realize. In a paper published at FOCS 2018 23, and highlighted in the Communications of the ACM, Omar Fawzi, Antoine Grospellier and Anthony Leverier improved on this result and showed that the polylogarithmic factor in the standard threshold theorem is in fact not needed and that there is a faulttolerant construction that uses a number of qubits that is only a constant factor more than the number of qubits of the ideal computation. This result was conjectured by Gottesman who suggested to replace the concatenated codes from the standard threshold theorem by quantum errorcorrecting codes with a constant encoding rate.
6.1 Awards

Laureate of the Woman Cyber Researcher award 2021:
Anne Canteaut https://cyberwomendaycefcys.com/en/

Prix de thèse Gilles Kahn 2020:
Thomas DebrisAlazard, Cryptographie fondée sur les codes: nouvelles approches pour constructions et preuves; contribution en cryptanalyse, 78
Sorbonne Universités, UPMC University of Paris 6, 2019, https://www.societeinformatiquedefrance.fr/2021/01/rechercheprixdethesegilleskahnlaureats2020/

Eurocrypt best paper award:
40 Clara Pernot, Gaëtan Leurent, New Representations of the AES Key Schedule, EUROCRYPT 2021  40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, Jun 16, 2021.
7 New software and platforms
7.1 New software
7.1.1 Wave

Name:
Wave

Keywords:
Cryptography, Error Correction Code

Functional Description:
Implementation of the code based signature scheme Wave whose security relies solely on decoding large Hamming weight errors and distinguishing a generalized U,U+V code from a random code.
 URL:

Authors:
Nicolas Sendrier, Thomas Debris

Contact:
Nicolas Sendrier
7.1.2 Collision Decoding

Keywords:
Algorithm, Binary linear code

Functional Description:
Collision Decoding implements two variants of information set decoding : SternDumer, and MMT. To our knowledge it is the best fullfledged opensource implementation of generic decoding of binary linear codes. It is the best generic attack against codebased cryptography.
 URL:

Contact:
Nicolas Sendrier

Participants:
Grégory Landais, Nicolas Sendrier
8 New results
8.1 Quantum algorithms and cryptanalysis
Participants: Ritam Bhaumik, Rémi Bricout, André Chailloux, Nicolas David, Simona Etinski, Antonio FlórezGutiérrez, Paul Frixons, Gaëtan Leurent, Johanna Loyer, María NayaPlasencia, Maxime Remaud, André Schrottenloher.
We have kept on working on symmetric quantum cryptanalysis and generic quantum algorithms related to cryptanalysis, and in addition, started looking at some asymmetric cryptanalysis problems:

André Schrottenloher PhD thesis
This thesis 53 contains major results:
 the first proof of an actual quantum time speedup for collision search in case of polynomially bounded quantum memory, solving here a long standing open question;
 optimal quantum algorithms for solving fundamental problems such as kXOR or kSUM;
 a general methodology for converting classical research problems into nested quantum research problems, with many applications in cryptanalysis;
 an offline Simon algorithm which enables to use for the first time Simon's algorithm in the standard attack model;
 a distinguisher on the Gimli lightweight permutation.

Quantum Linearization Attacks.
In 2016, we have shown that many modes widely used in symmetric cryptography are completely broken by quantum superposition queries, using Simon's periodfinding algorithm 9. In a new work published at Asiacrypt this year 30, we generalized those attacks to quantum linearization attacks, and broke several modes that were not yet known to be broken in this model (LightMAC, PMAC, OCB, ZMAC ...). We also describe variants of attacks using other quantum algorithms that had not been used previously in symmetric cryptanalysis: Deutsch’s, BernsteinVazirani’s, and Shor’s algorithms.

QCB.
Since many widely used modes are not secure against quantum superposition queries, we have proposed a new authenticated encryption mode with security against quantum adversaries: QCB 29. QCB is inspired by TAE and OCB, and is the first mode offering quantum security with high efficiency: it is parallelizable and has rate one.

Quantum Boomerang Attacks and Some Applications.
We give in 38 for the first time a quantum speedup for Boomerang attacks. In certain cases, we even obtain quadratic speedups, which results in a similar speedup as for differential attacks. This enlarges the toolbox for attacking quantumly symmetric primitives and results in a better general understanding of the resistance of symmetric ciphers against quantum computers.

Lattice sieving via quantum walks.
Latticebased cryptography is one of the most promising solutions for postquantum cryptography. For many of the proposed cryptosystems, the best algorithm to attack them is the BKZ algorithm which uses as its core several calls to an algorithm that solves the Shortest Vector Problem. This year, in the Asiacrypt paper 35 André Chailloux and Johanna Loyer improved the best quantum algorithms for SVP using quantum walks. As a direct consequence, this work reduces the quantum security of all latticebased schemes proposed at the postquantum NIST competition which must increase their parameters if they want to maintain the level of security they announced.

Quantum Security of the Legendre PRF.
In 39, we study the security of the Legendre PRF against quantum attackers, given classical queries only, and without quantum randomaccess memories. We give two algorithms that recover the key of a shifted Legendre symbol with unknown shift, with a complexity smaller than the exhaustive search of the key. The first one is a quantum variant of the tablebased collision algorithm. The second one is an offline variant of Kuperberg's abelian hidden shift algorithm.
8.2 Symmetric cryptology
Participants: Augustin Bariant, Jules Baudrin, Ritam Bhaumik, Clémence Bouvier, Anne Canteaut, Pascale Charpin, Daniel Coggia, Nicolas David, Gaëtan Leurent, María NayaPlasencia, Clara Pernot, Léo Perrin, André Schrottenloher.
Our recent results in symmetric cryptography concern either the security analysis of existing primitives, or the design of new primitives. This second topic includes some work on the construction and properties of suitable buildingblocks for these primitives, e.g. on the search of highly nonlinear functions.
8.2.1 Cryptanalysis

AES 40.
We have analyzed the key schedule of the AES cipher, and discovered that it can be split into four independent parallel computations. We show two consequences of this surprising property. First, iterations of the key schedule have short cycles, resulting in breaks of AEAD schemes mixFeed and ALE. Second, some cryptanalytic attacks against AES can be improved slightly, using our observation to efficiently combine information from different subkeys. This paper received a best paper award at Eurocrypt 2021.

Gimli 24.
We leveraged the slow diffusion provided by the round function of the permutation used by Gimli to identify full round distinguishers. This paper was invited to the Journal of Cryptology after receiving a best paper award at Asiacrypt 2020 8. The journal version includes new results, in particular a linear distinguisher for the full permutation.

Simon and Simeck 41.
Simon is a lightweight bock cipher designed by the NSA, and Simeck is an academic variant. We have shown that there is a strong clustering effect in these ciphers: a large number of trails contribute to the same differential or linear hull. Using this property we improve significantly the previous analysis based on linear and differential cryptanalysis.

GEA 28.
The GEA1 and GEA2 algorithms are used to encrypt data traffic in the 2G telephony standards (GPRS), designed in the late 1990's. We have shown that GEA1 was deliberately weakened so that it could be broken in practice with very little known plaintext. GEA2 does not show signs of deliberate weaknesses, but it can also be broken with more computational resources and a larger amount of known plaintext.

FlexAEAD 22.
FlexAEAD was a firstround candidate in the NIST lightweight cryptography effort, but previous work has shown a forgery attack with complexity ${2}^{46}$. Building upon these results, we obtain a keyrecovery attack with practical complexity (around ${2}^{31}$ encryptions), that has been verified with the reference implementation.

SHA1 36.
Following our work on SHA1 chosenprefix collisions 10, we have studied the possibility of a hardware implementation of this attack. We find that the GPU implementation is better suited when running the attack only a few times, but a dedicate hardware cluster requires fewer energy per collision. We estimate that an ASIC cluster costing a few million dollars could generate SHA1 chosenprefix collisions in a few days.

Daniel Coggia's PhD thesis
This thesis 51 presents several new cryptanalysis results based on different types of attacks: subspacetrail cryptanalysis, MILP models for studying differentials, and algebraic methods related to cube attacks.

Improving DifferentialLinear Attacks
Differentiallinear attacks are a cryptanalysis family that has recently benefited from various technical improvements, mainly in the context of ARX constructions. In 61, we push further this refinement, proposing several new improvements. In particular, we develop a better understanding of the related correlations, improve upon the statistics by using the LLR, and finally use ideas from conditional differentials for finding many right pairs. We illustrate the usefulness of these ideas by presenting the first 7.5round attack on Chaskey. Finally, we present a new competitive attack on 12 rounds of Serpent, and as such the first cryptanalytic progress on Serpent in 10 years.

Generic Framework for KeyGuessing Improvements
In 32, we propose a general technique to improve the keyguessing step of several attacks on block ciphers (linear, differential, rectangle...). This is achieved by defining and studying some new properties of the associated Sboxes and by representing them as a special type of decision trees that are crucial for finding finegrained guessing strategies for various attack vectors. We also show how to use them in different cryptanalytic scenarii and how this method can be used to speed up significantly the best known attacks.
8.2.2 Design

Tweakable Luby–Rackoff 17.
We have improved the indifferentiability proofs of the 3round tweakable Luby–Rackoff, from $n/2$ bits to $n2logn$ (with $n$ the size of the branch).

Trojan Resilient Encryption
Encryption algorithm may be implemented in hardware, i.e. using dedicated chips that then handle both the sensitive data and the encryption keys used to process them. In the most sensitive applications, this can be an issue. Indeed, manufacturing chips can only be done cheaply by a few countries, and a few companies. What can we do to make sure that an encryption key remains secure even if the hardware using it cannot be trusted? We give a practical solution to this problem in 18 where we present MOE, a block cipher with a special round function that is particularly suitable for secret sharing. Several untrusted chips implement the various operations it requires, and an extremely simple (and thus cheap, even if made inhouse) master chip combines their results to obtain the actual encryption. It ensures that the data sent to each chip is statistically independent from the secrets involved.

DLCT of Sboxes
The differentiallinear connectivity table (DLCT) is a tool introduced by BarOn et al. at Eurocrypt'19, for taking into account the dependency between the two subciphers involved in differentiallinear attacks. In 33, we have proved that the DLCT actually corresponds (up to a constant factor) to the autocorrelation table. The DLCT of some important families of Sboxes are then studied in light of the notion of autocorrelation.

Extendedaffine equivalence of Sboxes
ExtendedAffine (EA) equivalence is the equivalence relation between two vectorial Boolean functions $F$ and $G$ such that there exist two affine permutations $A$, $B$ and an affine function $C$ satisfying $G=A\circ F\circ B+C$. In 62, we have proposed, in the case of quadratic functions, a new efficient algorithm for recovering $(A,B,C)$ if it exists, and a method for simply deciding whether $F$ and $G$ are EAequivalent. This last method enabled us to sort tens of thousands of quadratic APN functions of 8 variables into distinct EAclasses

Crooked functions
65 is an extensive study of crooked functions, which are vectorial Boolean functions with remarkable properties since they form a subclass of almost bent functions.
8.3 Postquantum asymmetric cryptology
Participants: Magali Bardet, Pierre Briaud, Rémi Bricout, Etienne Burle, André Chailloux, Loïc Demange, Matthieu Lequesne, Charles MeyerHilfiger, Rocco Mora, Maxime Remaud, Nicolas Sendrier, JeanPierre Tillich, Valentin Vasseur.
Our work in this area is mainly focused on codebased cryptography, but some of our contributions, namely algebraic attacks, have applications in multivariate cryptography or in algebraic coding theory. Many contributions relate to the NIST call for postquantum primitives, either cryptanalysis or design.
We have also been organizing since 2015 a working group held every month or every two months on codebased cryptography that structures the French efforts on this topic: every meeting is attended by most of the groups working in France on this topic (projectteam GRACE, University of Bordeaux, University of Limoges, University of Rennes and University of Rouen).
Our main contributions during the period are given below

Algebraic attacks
A series of works are related to algebraic attacks and Gröbner basis. An effective attack on the SIDON cryptosystem 31, an improvement on the best known attacks against the RSL (Rank Support Learning) problem 26, and also other cryptanalytic works in progress which relate to the NIST competition, either rank metricbased or multivariate cryptography 55, 56. This research also has applications in algebraic coding theory 27.

NIST competition
Two of our NIST candidates are still in the third round of the competition. First ClassicMcEliece, which is a KEM (Key Encapsulation Mechanism) finalist and is a stabilized system which does not require further research work. Also BIKE, which is a KEM alternative candidate. The stateoftheart about the decoding failure rate (DFR) of BIKE 68 is part of Valentin Vasseur's PhD 54, and is one of the key points to estimate the the security of the scheme. Another work in progress about BIKE 67 considers the protection against some sidechannel attacks (timing, cache).

Followup of the NIST competition on signatures
We are also working to prepare the extension of the NIST call to digital signatures. Codebased signatures were not ready in 2017 when the first call was made, and all codebased signatures were discarded. There has been considerable progress since then. The projectteam has been preparing to submit new proposals using Wave 6, or other techniques60.

Fundamental issues in codebased cryptography
We have also been working on fundamental and prospective topics. For instance, we have devised a general framework 34 for the computation of the complexity of classical and quantum information set decoding techniques, and have applied for the Lee metric in particular, or through various fundamental works exploring the weaknesses involved by the use of codes with algebraic structure in cryptography 19, 52. Some of this work was motivated by effective attacks on existing cryptosystems, but the scope of the results often went beyond that. Another fundamental problem, especially if one wants to build signature schemes is to understand the difficulty of the low weight codeword search problem. One possible path for achieving this is to relate it to the decoding problem. In latticebased cryptography, this is analoguous to relate the LWE problem to the SIS problem. A fundamental tool is here Regev's quantum reduction from SIS to LWE. We have obtained a similar reduction in the context of coding theory in 66 for various codebased metrics.
8.4 Quantum information
Participants: Ivan Bardet, Rémi Bricout, André Chailloux, Aurélie Denys, Shouvik Gorai, Lucien Grouès, Anthony Leverrier, Andrea Olivo, JeanPierre Tillich.
Most of our work in quantum information deals with either quantum algorithms, quantum error correction or cryptography.

Security of continuousvariable protocols
A major question in the field of quantum key distribution is to prove the security of practical continuousvariable protocols. The main advantage of these protocols is that they can be implemented with standard equipment from optical telecommunications, and do not require specific hardware such as singlephoton detectors. Up until now, all security proofs were restricted to protocols exploiting Gaussian modulation of coherent states. In contrast, practical protocols rely on discrete modulation where the coherent states are chosen from a finite constellation. In 20, Aurélie Denys, Peter Brown and Anthony Leverrier establish for the first time the security of such protocols in the asymptotic regime, and give explicit closedform expressions for the secret key rate of these protocols for arbitrary constellations. This work was presented at QCrypt 2021 43 and ICQOM 2021 44.

Feasibility of quantum key distribution with satellites
Another major challenge in the field of quantum key distribution is to improve the range of the protocols, and communication via satellites offers a promising approach compared to fiberbased implementations. We have studied the feasibility of continuousvariable quantum key distribution with satellites in 21 and found that loworbit satellites can indeed realistically help distribute secret keys.

Decoding algorithms for quantum error correcting codes
In the context of quantum error correcting codes, we have been developing several new decoding algorithms for constant rate quantum LDPC codes. A theoretical result demonstrating that quantum faulttolerance can be obtained with constant overhead was invited as a research highlight of the Communications of the ACM 23. We have tested numerically the corresponding codes and decoder in 25 and found them to be competitive with the stateoftheart decoders for quantum LDPC codes, while displaying a reduced complexity. Recently, we considered an alternative decoder consisting in formulating the decoding problem as a linear program, and also obtained encouraging numerical results 37.

Locally testable quantum LDPC codes
Our work on quantum error correction also focuses on the construction of interesting quantum LDPC codes. In particular, we have devised a family of locally testable quantum codes with a record soundness parameter 42.

Quantum information theory
We also study very fundamental questions in quantum information theory and have derived new quantum information theoretic inequalities such as the approximate tensorization of the relative entropy 15. We also provide there estimates on the constants in terms of conditions of clustering of correlations in the setting of quantum lattice spin systems. A related functional approach is also used to get estimations of the decoherence times, of private and quantum capacities, of entanglementassisted classical capacities, as well as estimation of entanglement breaking times 16 or a better understanding of the heatbath dynamics of 1D systems 14.
9 Bilateral contracts and grants with industry
9.1 Bilateral contracts with industry

LOTUS:(01/2021 > 30/06/2021) Contract with Thales for a survey on the implementation of codebased postquantum cryptosystems.
45 kEuros.
9.2 Bilateral grants with industry

Orange Labs Caen (11/2019 > 11/2022) Funding for the supervision of Paul Frixon's PhD.
30 kEuros.

BullATOS (07/2020 > 06/2023) Funding for the supervision of Maxime Rémaud's PhD.
60 kEuros.

Thalès (11/2020 > 10/2023) Funding for the supervision of Loïc Demange's PhD.
45 kEuros.
10 Partnerships and cooperations
10.1 International initiatives
10.1.1 Participation in other International Programs

ANR SELECT (07/21→06/24)
Security Evaluation of Lightweight Encryption using new Cryptanalysis Techniques
ANR Program: AAP Générique 2020 (PRCI)
Partners: Inria COSMIQ, Nanyang Technological University (Singapour)
476 kEuros
In the last decades, we have seen a large deployment of smart devices and contactless smart cards, with applications to the Internet of Things and smart cities. These devices have strong security requirements as they communicate sensitive data by radio, but they have very low resources available: constrained computing capabilities and limited energy. This led to security disasters with the use of weak homemade cryptography such as KeeLoq or MIFARE. More recently, the academic cryptography community has come up with dedicated lightweight designs such as PRESENT or Skinny, and the NIST is currently organizing a competition to select the next worldwide standards. The goal of this project is to perform a wide security evaluation of the designs submitted to the NIST competition, and of lightweight cryptographic algorithms in general. We will use latest cryptanalysis advances, but also propose new attacks; study classical attacks, but also physical ones (very powerful in such scenarios).
10.2 International research visitors
10.2.1 Visits of international scientists
Inria International Chair
Thomas Vidick

Status:
Professor

Institution of origin:
Caltech

Country:
USA

Dates:
2020–2024

Context of the visit:
Thomas Vidick holds an Inria International Chair on the 20202024 period, hosted by our team. Thomas' research revolves around the understanding the capabilities, and limitations, of quantum devices for computation and secure communication. He is a leading expert in this domain, in particular he has developed and shown the security of schemes for (postquantum) randomness extraction, certified randomness, key distribution, and delegated computation. His work on quantum interactive proofs has led to a deeper understanding of entanglement, including better entanglement tests and security proofs in deviceindependent cryptography. The aim is to develop a longlasting collaboration with our team on the themes of quantum complexity, errorcorrecting codes, and cryptography. He gave a very inspiring FSMP course held at the Institute Henri Poincaré on interactive proofs with quantum devices last fall. See http://users.cms.caltech.edu/ vidick/teaching/fsmp/index.html.

Mobility program/type of mobility:
Research stay and lectures.
Informal International Partners
 Nanyang Technological University (Singapore): cryptanalysis of symmetric primitives.
 RuhrUniversität Bochum (Germany): design and cryptanalysis of symmetric primitives.
 NTT Secure Platforms Laboratories (Japan): quantum cryptanalysis, symmetric cryptography.
 CWI (the Netherlands): links between lattice based and code based cryptography.
10.3 European initiatives
10.3.1 FP7 & H2020 projects
ERC QUASYModo

Title: QUASYModo Symmetric Cryptography in the PostQuantum World

Program: ERC starting grant
 Duration: September 2017  August 2023

PI: María NayaPlasencia

As years go by, the existence of quantum computers becomes more tangible and the scientific community is already anticipating the enormous consequences of the induced breakthrough in computational power. Cryptology is one of the affected disciplines. Indeed, the current stateoftheart asymmetric cryptography would become insecure, and we are actively searching for alternatives. Symmetric cryptography, essential for enabling secure communications, seems much less affected at first sight: its biggest known threat is Grover's algorithm, which allows exhaustive key searches in the square root of the normal complexity. Thus, so far, it is believed that doubling key lengths suffices to maintain an equivalent security in the post quantum world. The security of symmetric cryptography is completely based on cryptanalysis: we only gain confidence in the security of a symmetric primitive through extensive and continuous scrutiny. It is therefore not possible to determine whether a symmetric primitive might be secure or not in a postquantum world without first understanding how a quantum adversary could attack it. Correctly evaluating the security of symmetric primitives in the postquantum world cannot be done without a corresponding cryptanalysis toolbox, which neither exists nor has ever been studied. This is the big gap I have identified and that I plan to fill with this project. Next, doubling the key length is not a trivial task and needs to be carefully studied. My ultimate aim is to propose efficient solutions secure in the postquantum world with the help of our previously obtained quantum symmetric cryptanalysis toolbox. This will help prevent the chaos that big quantum computers would generate: being ready in advance will definitely save a great amount of time and money, while protecting our current and future communications. The main challenge of QUASYModo is to redesign symmetric cryptography for the postquantum world.
H2020 FET Flagship on Quantum Technologies  CiViQ

Title: CiViQ Continuous Variable Quantum Communications

Program: H2020 FET Flagship on Quantum Technologies

Duration: October 2018  September 2021

PI: Anthony Leverrier

The goal of the CiViQ project is to open a radically novel avenue towards flexible and costeffective integration of quantum communication technologies, and in particular ContinuousVariable QKD, into emerging optical telecom munication networks. CiViQ aims at a broad technological impact based on a systematic analysis of telecomdefined userrequirements. To this end CiViQ unites for the first time a broad interdisciplinary community of 21 partners with unique breadth of experience, involving major telecoms, integrators and developers of QKD. The work targets advancing both the QKD technology itself and the emerging “software network” approach to lay the foundations of future seamless integration of both. CiViQ will culminate in a validation in true telecom network environment. Projectspecific network integration and software development work will empower QKD to be used as a physicallayeranchor securing critical infrastruc tures, with demonstration in QKDextended softwaredefined networks.
10.3.2 Other european programs/initiatives

QCDA

Program: QuantERA ERANET Cofund in Quantum Technologies

Project acronym: QCDA

Project title: Quantum Code Design and Architecture

Duration: February 2018  November 2021

Coordinator: Earl Campbell, University of Sheffield, UK

Other partners: University of Sheffield (UK), TU Delft (Netherlands), TU Munich (Germany), University College London (UK)

Inria contact: Anthony Leverrier

General purpose quantum computers must follow a faulttolerant design to prevent ubiquitous decoherence processes from corrupting computations. All approaches to faulttolerance demand extra physical hardware to perform a quantum computation. Kitaev's surface, or toric, code is a popular idea that has captured the hearts and minds of many hardware developers, and has given many people hope that faulttolerant quantum computation is a realistic prospect. Major industrial hardware developers include Google, IBM, and Intel. They are all currently working toward a faulttolerant architecture based on the surface code. Unfortunately, however, detailed resource analysis points towards substantial hardware requirements using this approach, possibly millions of qubits for commercial applications. Therefore, improvements to faulttolerant designs are a pressing nearfuture issue. This is particularly crucial since sufficient time is required for hardware developers to react and adjust course accordingly.
This consortium will initiate a European coordinated approach to designing a new generation of codes and protocols for faulttolerant quantum computation. The ultimate goal is the development of highperformance architectures for quantum computers that offer significant reductions in hardware requirements; hence accelerating the transition of quantum computing from academia to industry. Key directions developed to achieve these improvements include: the economies of scale offered by large blocks of logical qubits in highrate codes; and the exploitation of continuousvariable degrees of freedom.
The project further aims to build a European community addressing these architectural issues, so that a productive feedback cycle between theory and experiment can continue beyond the lifetime of the project itself. Practical protocols and recipes resulting from this project are anticipated to become part of the standard arsenal for building scalable quantum information processors.


MCCL – Modular Code Cryptanalysis Library
Collaboration between CWI and Inria whose purpose is to improve the state of the art of the implementation of ISD (Information Set Decoding). In particular by solving new decoding challenges. This intiative is a followup of the July 2021 InriaCWI workshop. The first meeting took place in Paris in November 2021 and gathered 12 people from both institutions.
10.4 National initiatives

ANR DEREC (10/16→03/22)
Relativistic cryptography
ANR Program: jeunes chercheurs
244 kEuros
The goal of project DEREC is to demonstrate the feasibility of guaranteeing the security of some cryptographic protocols using the relativistic paradigm, which states that information propagation is limited by the speed of light. We plan to study some two party primitives such as bit commitment and their security against classical and quantum adversaries in this model. We then plan to the integration of those primitives into larger cryptosystems. Finally, we plan on performing a demonstration of those systems in real life conditions.

ANR CBCRYPT (10/17→03/22)
Codebased cryptography
ANR Program: AAP Générique 2017
Partners: Inria COSMIQ (coordinator), XLIM, Univ. Rouen, Univ. Bordeaux.
197 kEuros
The goal of CBCRYPT is to propose codebased candidates to the NIST call aiming at standardizing publickey primitives which resist to quantum attacks. These proposals are based either on codebased schemes relying on the usual Hamming metric or on the rank metric. The project does not deal solely with the NIST call. We also develop some other codebased solutions: these are either primitives that are not mature enough to be proposed in the first NIST call or whose functionalities are not covered by the NIST call, such as identitybased encryption, broadcast encryption, attribute based encryption or functional encryption. A third goal of this project is of a more fundamental nature: namely to lay firm foundations for codebased cryptography by developing thorough and rigorous security proofs together with a set of algorithmic tools for assessing the security of codebased cryptography.

ANR quBIC (10/17→03/22)
Quantum Banknotes and InformationTheoretic Credit Cards
ANR Program: AAP Générique 2017
Partners: Univ. ParisDiderot (coordinator), Inria COSMIQ, UPMC (LIP6), CNRS (Laboratoire Kastler Brossel)
87 kEuros
For a quantumsafe future, classical security systems as well as quantum protocols that guarantee security against all adversaries must be deployed. Here, we will study and implement one of the most promising quantum applications, namely unforgeable quantum money. A money scheme enables a secure transaction between a client, a vendor and a bank via the use of a credit card or via the use of banknotes, with maximal security guarantees. Our objectives are to perform a theoretical analysis of quantum money schemes, in realistic conditions and for encodings in both discrete and continuous variables, and to demonstrate experimentally these protocols using stateoftheart quantum memories and integrated detection devices.

ANR SWAP (02/22→01/26)
Sboxes for SymmetricKey Primitives
ANR Program: AAP Générique 2021
Partners: UVSQ (coordinateur), Inria COSMIQ, ANSSI, CryptoExperts, Univ. of Rouen, Univ. of Toulon.
172 kEuros
Sboxes are small nonlinear functions that are crucial components of most symmetrickey designs and their properties are highly related to the security of the overall construction. The development of new attacks has given rise to many Sbox design criteria. However, the emerge of new contexts, applications and environments requires the development of new design criteria and strategies. The SWAP project aims first at investigating such criteria for emerging use cases like whitebox cryptography, fully homomorphic encryption and sidechannel resistance. Then, we wish for analyzing the impact of these particular designs on cryptanalysis and see how the use of Sboxes with some special mathematical structures can accelerate some known attacks or introduce new ones. Finally, we aim at studying Sboxes from a mathematical point of view and provide new directions to the Big APN problem, an old conjecture on the existence of a particular type of optimal permutations.
10.5 Regional initiatives
DIM SIRTEQ The SIRTEQ project labeled Major Interest Domain (DIM) is funded by the IledeFrance Region. SIRTEQ brings together the largest European concentration of academic teams in the field of quantum technologies. Its main objective is to promote an excellent academic research in the field of quantum technologies in Ile de France, taking into account the actual current societal challenges and the importance of the transfer of knowledge and technologies.
We are involved in this project in the quantum communications (quantum cryptography) and quantum computation (quantum error codes, quantum cryptanalysis) themes.
11 Dissemination
11.1 Promoting scientific activities
11.1.1 Scientific events: organisation
General chair, scientific chair
 Dagstuhl seminar 21421 "Quantum Cryptanalysis": October 1722, 2021, Dagstuhl (Germany): M. NayaPlasencia cochair.
 WCC 2022: March 713, 2022, Rostock (Allemagne): cochair, L. Perrin.
 Dagstuhl seminar 22141 "Symmetric Cryptography": April 38, 2022, Dagstuhl (Germany): M. NayaPlasencia cochair.
Member of the organizing committees
 Journées C2 2022: April 1015 2022, Hendaye (France): G. Leurent, L. Perrin.
11.1.2 Scientific events: selection
Chair of conference program committees
 PQCrypto 2021: July 2022, 2021, Daejeon, South Korea, cochair: J.P. Tillich.
 Eurocrypt 2021: October 1721, 2021, Zagreb, Croatia, cochair: A. Canteaut.
 WCC 2022: March 713, 2022, Rostock (Allemagne): cochair, L. Perrin.
Member of the conference program committees
 TQC 2021: July 58, ,2021, Riga, Latvia (Online), (A. Leverrier).
 ISIT 2021: July 1220, 2021, Melbourne, Australia (Online), (J.P. Tillich).
 PQCrypto 2021: July 2022, 2021, Daejeon, South Korea (M. Bardet, A. Chailloux, N. Sendrier, J.P. Tillich).
 TQC 2021: July 58, ,2021, Riga, Latvia (Online), (A. Leverrier).
 CFail 2021: August 14, 2021, SantaBarbara, USA (Online), (M. NayaPlasencia).
 BFA 2021: September 610, 2021, Rosendal, Norway (L. Perrin).
 Eurocrypt 2021: October 1721, 2021, Zagreb, Croatia, (M. NayaPlasencia).
 Indocrypt 2021: December 1215, 2021, Jaipur, India (G. Leurent).
 IMACC 2021: December 1415, 2021, Online Event (L. Perrin).
 WCC 2022: March 711, 2022, Rostock, Germany, (A. Canteaut, N. Sendrier, J.P. Tillich).
 Eurocrypt 2022: May 30June 3, 2022, Trondheim, Norway, (G. Leurent).
11.1.3 Journal
Member of the editorial boards
 Advances in Mathematics of Communications, associate editors: N. Sendrier and J.P. Tillich.
 Applicable Algebra in Engineering, Communication and Computing, associate editor: A. Canteaut
 Designs, Codes and Cryptography, associate editors: P. Charpin M. NayaPlasencia.
 Finite Fields and their Applications, associate editors: A. Canteaut, P. Charpin.
 IACR Transactions in Symmetric Cryptology, editorial board member editor: L. Perrin.
 IEEE Transactions on Information Theory, associate editor until Oct. 2021 and area editor since July 2021 (for cryptography and sequences): A. Canteaut.
 Journal of Cryptology, associate editor: A. Canteaut.
 Quantum, editor: A. Leverrier.
11.1.4 Invited talks
 A. Canteaut, Recovering or Testing ExtendedAffine Equivalence, Carleton Finite Fields eSeminar, Ottawa, Canada (online), April 14, 2021.
 M. NayaPlasencia Quantum Safe Symmetric Cryptography  Keynote speaker, Indocrypt 2021, Jaipur, India, December 1215, 2021.
11.1.5 Leadership within the scientific community
 A. Canteaut serves as a chair of the steering committee of Fast Software Encryption (FSE), M. NayaPlasencia and G. Leurent also serve on the committee.
 A. Canteaut serves on the International Scientific Advisory Board of the Flemish Strategic Research Program on Cybersecurity.
11.1.6 Scientific expertise
 Reviewer ERC starting Grant 2021 (A. Leverrier, M. NayaPlasencia).
 Reviewer for EIC (European Innovation Council) Pathfinder (A. Leverrier).
11.1.7 Research administration
 A. Canteaut serves as Head of Inria Evaluation Committee since September 2019.
 A. Chailloux serves in the Inria CES (Commission des emplois Scientiiques).
 A. Leverrier serves on the steering committee of the Domaine d'Intérêt Majeur SIRTEQ since 2018.
 A. Leverrier is the coordinator of the Inria challenge EQIP on Quantum Technologies.
11.1.8 Committees for the selection of professors, assistant professors and researchers
 2021 Head of the jury d'admissibilité Inria DR2, (A. Canteaut)
 2021 Jury d'admissibilité Inria DR2, (M. NayaPlasencia)
 2021 Jury d'admissibilité Inria de Paris CRCN/ISFP, (J.P. Tillich)
 2021 Jury d'admission Inria CRCN, (A. Canteaut)
 2021 Jury d'admission Inria DR2, (A. Canteaut)
 2021 Tenure Track hiring jury at DTU, Denmark, (A. Canteaut)
11.2 Teaching  Supervision  Juries
11.2.1 Teaching
 Master: A. Canteaut, Errorcorrecting codes and applications to cryptology, 12 hours, M2, University ParisDiderot (MPRI), France;
 Master: A. Chailloux, Quantum Circuits and Logic Gates, 12 hours, M1, Sorbonne Université
 Master: A. Chailloux, Quantum information, 12 hours, M2, University ParisDiderot (MPRI), France;
 Master: A. Chailloux, Quantum algorithms, 4 hours, M2, Ecole Normale Supérieure de Lyon, France;
 Master: A. Leverrier, Quantum information and quantum cryptography, 12 hours, M2, University ParisDiderot (MPRI), France;
 Master: L. Perrin, Application Web et Sécurité, 24 hours, M1, UVSQ, France;
 Bachelor: L. Perrin, Cryptographie, 29 hours, L3, UVSQ, France;
 Master: J.P. Tillich, Introduction to Information Theory, 36 hours, M2, Ecole Polytechnique, France;
 Master: J.P. Tillich, Quantum Information and Applications, 36 hours, M2, Ecole Polytechnique, France.
11.2.2 Supervision
 PhD : André Schrottenloher, Longterm security of symmetric primitives, Sorbonne Université, February 8, 2021 supervisors: A. Chailloux and M. NayaPlasencia.
 PhD : Shouvik Ghorai, Continuousvariable quantum cryptographic protocols, February 12, 2021, supervisors: E. Diamanti (UPMC), A. Leverrier.
 PhD : Rémi Bricout, Quantum algorithms for the knapsack problem and decoding, March 30,2021, supervisors: A. Chailloux and A. Leverrier.
 PhD : Valentin Vasseur, Postquantum cryptography: study on the decoding of QCMDPC codes, March 29, 2021, supervisor: N. Sendrier.
 PhD : Matthieu Lequesne, Analysis of codebased postquantum cryptosystems, Sorbonne Univ, May 25, 2021 supervisor: N. Sendrier.
 PhD : Daniel Coggia, Techniques of cryptanalysis for symmetrickey primitives, Sorbonne Université, October 8, 2021, supervisors: A. Canteaut and C. Boura.
 PhD in progress: Andrea Olivo, Partir de contraintes relativistes pour faire de la cryptographie quantique, since November 2017, supervisors: A. Chailloux and F. Grosshans (laboratoire Aimé Cotton).
 PhD in progress: Simona Etinski, Quantum algorithms and protocols, since October 2019, supervisors: A. Chailloux, A. Leverrier and F. Magniez (Université de Paris).
 PhD in progress: A. Florez Gutierrez, Secure Symmetric Primitives and the PostQuantum World, since September 2019, supervisor: M. Naya Plasencia.
 PhD in progress: Lucien Grouès, Decoding algorithms for quantum LDPC codes, since October 2019, supervisors: A. Leverrier and O. Fawzi (Ecole Normale Supérieure de Lyon).
 PhD in progress: Rocco Mora, Algebraic structures in codebased cryptography, since October 2019, supervisor: J.P. Tillich.
 PhD in progress: Paul Frixons, Impact d'un attaquant quantique dans les télécommunications, since November 2019, supervisor: M. Naya Plasencia.
 PhD in progress: Maxime Remaud, Quantum cryptanalysis in codebased and latticebased cryptography, since July 2020, supervisor: J.P. Tillich.
 PhD in progress: Clémence Bouvier, Analyse de la sécurité de primitives symétriques dédiées à divers usages émergents, since September 2020, supervisors: A. Canteaut, L. Perrin.
 PhD in progress: Nicolas David, Secure primitives and the postquantum world, since September 2020, supervisor: M. Naya Plasencia.
 PhD in progress: Clara Pernot, Cryptanalyse des algorithmes de cryptographie symétrique, since September 2020, supervisors: L. Perrin, M. Naya Plasencia.
 PhD in progress: Pierre Briaud, Cryptosystems based on the MinRank problem, since October 2020, supervisor: J.P. Tillich.
 PhD in progress: Aurélie Denys, Security proofs for continuous variable quantum cryptography protocols, since October 2020, supervisor: A. Leverrier.
 PhD in progress: Johanna Loyer, Quantum algorithms on lattices, since October 2020, supervisor: A. Chailloux.
 PhD in progress: Loïc Demange, Implementation of BIKE, since November 2020, supervisor: N. Sendrier.
 PhD in progress: Augustin Bariant, Sécurité des algorithmes cryptographiques à bas coût, since March 2021, supervisors: A. Canteaut, G. Leurent.
 PhD in progress: Jules Baudrin, Analyse de la sécurité de primitives symétriques légères, since September 2021, supervisors: A. Canteaut, L. Perrin.
 PhD in progress: Charles MeyerHilfiger, Cryptographie postquantique : Conception, analyse et mise œuvre d'algorithmes de décodage générique, since November 2021, supervisor: N. Sendrier.
11.2.3 Juries
 I. Villa, Analysis, classification and construction of optimal cryptographic Boolean functions, University of Bergen (Norway), January 4, 2021, committee: A. Canteaut (reviewer).
 A. Schrottenloher, Longterm security of symmetric primitives, Sorbonne Univ., February 8, 2021, committee: A. Chailloux (supervisor), M. NayaPlasencia (supervisor).
 S. Ghorai, Continuousvariable quantum cryptographic protocols, Sorbonne Univ, February 12, 2021, committee: A. Leverrier (supervisor).
 C. Kaspers, Equivalence problems of Almost Perfect Nonlinear Functions and Disjoint Difference Families, OttovonGuericke Universität Magdeburg (Germany), March 22, 2021, committee: A. Canteaut (reviewer).
 V. Vasseur, Postquantum cryptography: study on the decoding of QCMDPC codes, Univ. of Paris, March 29, 2021, committee: N. Sendrier (supervisor), J.P. Tillich.
 R. Bricout, Quantum algorithms for the knapsack problem and decoding, Sorbonne Univ., March 30, 2021, committee: M. Bardet, A. Chailloux (supervisor), A. Leverrier (supervisor), J.P. Tillich.
 Y. Shen, Classical and quantum cryptanalysis for Euclidean lattices and subset sums, Univ. of Paris, May 11, 2021, committee: M. NayaPlasencia, J.P. Tillich (chair).
 M. Lequesne, Analysis of codebased postquantum cryptosystems, Sorbonne Univ, May 25, 2021, committee: M. Bardet, N. Sendrier (supervisor).
 A. Langlois, On the hardness of the Learning With Errors problem and its variants, HDR, Univ. Rennes, Rennes, June 22, 2021, committee: M. NayaPlasencia.
 V. Savin, Contributions to the construction and decoding of LDPC and polar codes, HDR, Univ. Grenoble Alpes, June 24, 2021, committee: J.P. Tillich (reviewer).
 Y. Hamoudi, Quantum Algorithms for the Monte Carlo Method, Univ. de Paris, July 7, 2021, committee: M. NayaPlasencia.
 N. Kaleyski, Towards a deeper understanding of APN functions and related longstanding problems, University of Bergen (Norway), August 24, 2021, committee: A. Canteaut (reviewer).
 J. Lin, Security Analysis of Quantum Key Distribution: Methods and Applications, Univ. Waterloo (Canada), September 8, 2021, committee: A. Leverrier (external examiner).
 S. Pal, Cryptanalysis of Stream Ciphers, Homi Bhabha National Institute, Inde, September, 2021, committee: M. NayaPlasencia. (reviewer).
 D. Coggia, Techniques de cryptanalyse dédiées au chiffrement à bas coût, Sorbonne Univ., October 8, 2021, committee: A. Canteaut (supervisor).
 A. Goswami, Quantum polar codes, Univ. Grenoble Alpes, October 25, 2021, committee: J.P. Tillich (chair).
 H. Nguyen, Cryptographic aspects of orthogonal lattices, November 15, 2021, committee: J.P. Tillich (reviewer).
 Z. Van Herstraeten, Majorization theoretical approach to quantum uncertainty, Univ. Libre Bruxelles (Belgium), November 18, 2021, committee: A. Leverrier (examiner).
 F. Centrone, Practical protocols for quantum communication networks, Sorbonne Univ., November 25, 2021, committee: A. Leverrier (reviewer).
 I. Panaccione, On decoding algorithms for algebraic geometry codes beyond half the minimum distance, Inst. Polyt. Paris, December 3, 2021, committee: J.P. Tillich (chair).
 N. Bordes, Sécurité des primitives symétriques et de leurs implémentations, Université Grenoble Alpes, December 9, 2021, committee: A. Canteaut (reviewer).
 B. Viguier, A Panorama on Classical Cryptography, Radboud University, The Netherlands, December 13, 2021, committee: M. NayaPlasencia (reviewer).
 G. Rezgui, Errorcontrol codes and coded modulations for the optical fiber communication, Cergy Paris Uni., December 14, committee: J.P. Tillich (reviewer).
 M. Chenu de la Morinerie, Supersingular Group Actions and Postquantum Key Exchange, Institut Polytechnique de Paris, December 17, 2021, committee: A. Canteaut (chair), N. Sendrier.
 J. Yang, Contributions to Confidentiality and Integrity Algorithms for 5G, Lund University, Sweden, December 17, 2021, committee: M. NayaPlasencia.
 K. W. Stoffelen, Optimizations in Symmetric cryptography, Radboud Univ. The Netherlands, December 27, 2021, committee: A. Canteaut (reviewer).
 V. Mollimard, Algorithmes pour la Cryptanalyse Differentielle, Rennes Univ., January 11, 2022, committee: M. NayaPlasencia (reviewer).
11.3 Popularization
11.3.1 Articles and contents
 A. Chailloux Quand la sécurité informatique repose sur la limite de la vitesse de la lumière Science et Vie, online, https://www.scienceetvie.com/technosetfutur/quandlasecuriteinformatiquereposesurlalimitedelavitessedelalumiere65201
 M. NayaPlasencia La cryptanalyse, la base de la confiance 1  Blog binaire  Le Monde, April 9, 2021.
 M. NayaPlasencia La cryptanalyse, la base de la confiance 2  Blog binaire  Le Monde, April 13, 2021.
 G. Leurent Que saiton aujourd'hui de l'efficacité de TousAntiCovid ?  Atlantico, December 15, 2021
11.3.2 Education
Organization of the event “Rendezvous des Jeunes Mathématiciennes et Informaticiennes” at Inria Paris (November 23) by C. Bouvier and A. Denys, a 2day camp for 24 highschool girls interested in mathematics and computer science. J. Baudrin and C. Pernot conducted sessions there.
11.3.3 Interventions
C. Pernot gave a talk in the event “Rendezvous des Jeunes Mathématiciennes et Informaticiennes” at ENS on November 28.
12 Scientific production
12.1 Major publications
 1 inproceedingsProving Resistance Against Invariant Attacks: How to Choose the Round Constants..Crypto 2017  Advances in Cryptology10402LNCS  Lecture Notes in Computer ScienceSteven MyersSanta Barbara, United StatesSpringerAugust 2017, 647678
 2 articleOn CCZEquivalence, ExtendedAffine Equivalence, and Function Twisting.Finite Fields and Their Applications56March 2019, 209246
 3 inproceedingsAn Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography.Asiacrypt 2017  Advances in Cryptology10625 LNCS  Lecture Notes in Computer ScienceHong Kong, ChinaSpringerDecember 2017, 211240
 4 articleArbitrarily Long Relativistic Bit Commitment.Physical Review Letters115December 2015
 5 articleSparse Permutations with Low Differential Uniformity.Finite Fields and Their Applications28March 2014, 214243
 6 inproceedingsWave: A New Family of Trapdoor OneWay Preimage Sampleable Functions Based on Codes.ASIACRYPT 2019  25th International Conference on the Theory and Application of Cryptology and Information Security11921LNCSKobe, JapanSpringerDecember 2019, 2151
 7 inproceedingsConstant overhead quantum faulttolerance with quantum expander codes.FOCS 2018  59th Annual IEEE Symposium on Foundations of Computer ScienceParis, FranceOctober 2018, 743754
 8 inproceedingsNew results on Gimli: fullpermutation distinguishers and improved collisions.Asiacrypt 2020  26th Annual International Conference on the Theory and Application of Cryptology and Information SecurityDaejeon / Virtual, South KoreaDecember 2020
 9 inproceedingsBreaking Symmetric Cryptosystems Using Quantum Period Finding.Crypto 2016  36th Annual International Cryptology Conference9815LNCS  Lecture Notes in Computer ScienceSanta Barbara, United StatesSpringerAugust 2016, 207237
 10 inproceedingsSHA1 is a Shambles.USENIX 2020  29th USENIX Security SymposiumBoston / Virtual, United StatesAugust 2020
 11 articleSecurity of ContinuousVariable Quantum Key Distribution via a Gaussian de Finetti Reduction.Physical Review Letters11820May 2017, 124
 12 inproceedingsMDPCMcEliece: New McEliece Variants from Moderate Density ParityCheck Codes.IEEE International Symposium on Information Theory  ISIT 2013Istanbul, TurkeyJuly 2013, 20692073
 13 articlePartitions in the SBox of Streebog and Kuznyechik.IACR Transactions on Symmetric Cryptology20191March 2019, 302329
12.2 Publications of the year
International journals
 14 articleOn the modified logarithmic Sobolev inequality for the heatbath dynamics for 1D systems.Journal of Mathematical Physics626June 2021, 061901
 15 articleApproximate tensorization of the relative entropy for noncommuting conditional expectations.Annales Henri Poincaré231January 2022, 101140
 16 articleGroup transference techniques for the estimation of the decoherence times and capacities of quantum Markov semigroups.IEEE Transactions on Information Theory675May 2021, 28782909
 17 articleImproved indifferentiability security proof for 3round tweakable Luby–Rackoff.Designs, Codes and Cryptography8910October 2021, 22552281
 18 articleMOE: Multiplication Operated Encryption with Trojan Resilience.IACR Transactions on Symmetric Cryptology20211March 2021, 78129
 19 articleOn the security of subspace subcodes of ReedSolomon codes for public key encryption.IEEE Transactions on Information Theory681October 2021, 632648
 20 articleExplicit asymptotic secret key rate of continuousvariable quantum key distribution with an arbitrary modulation.Quantum5September 2021, 540
 21 articleFeasibility of satellitetoground continuousvariable quantum key distribution.npj Quantum Information71January 2021, 10
 22 articlePractical Key Recovery Attacks on FlexAEAD.Designs, Codes and Cryptography2022
 23 articleConstant overhead quantum fault tolerance with quantum expander codes.Communications of the ACM641January 2021, 106114
 24 articleInternal Symmetries and Linear Properties: Fullpermutation Distinguishers and Improved Collisions on Gimli.Journal of Cryptology344October 2021, 45
 25 articleCombining hard and soft decoders for hypergraph product codes.Quantum5432April 2021
International peerreviewed conferences
 26 inproceedingsAn algebraic approach to the Rank Support Learning problem.PQCrypto 2021  PostQuantum Cryptography 12th International Workshop12841Lecture Notes in Computer ScienceDaejeon, South KoreaSpringerJuly 2021, 442462
 27 inproceedingsDecoding ReedSolomon codes by solving a bilinear system with a Gröbner basis approach.ISIT 2021  IEEE International Symposium on Information TheoryProceedings of the IEEE Symposium on Information TheoryMelbourne, AustraliaIEEEJuly 2021, 872877
 28 inproceedingsCryptanalysis of the GPRS Encryption Algorithms GEA1 and GEA2.EUROCRYPT 2021  40th Annual International Conference on the Theory and Applications of Cryptographic Techniques12697Lecture Notes in Computer ScienceZagreb, CroatiaSpringerJune 2021, 155183
 29 inproceedingsQCB: Efficient QuantumSecure Authenticated Encryption.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 668698
 30 inproceedingsQuantum Linearization Attacks.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 422452
 31 inproceedingsA polynomial time keyrecovery attack on the Sidon cryptosystem.SAC 2021  Selected Areas in CryptographyVictoria, CanadaSeptember 2021
 32 inproceedingsGeneric Framework for KeyGuessing Improvements.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapour, SingaporeDecember 2021, 453483
 33 inproceedingsAutocorrelations of Vectorial Boolean Functions.Progress in Cryptology – LATINCRYPT 2021LATINCRYPT 2021  7th International Conference on Cryptology and Information Security in Latin America12912Lecture Notes in Computer ScienceBogota, ColombiaSpringer International PublishingSeptember 2021, 233253
 34 inproceedingsClassical and Quantum Algorithms for Generic Syndrome Decoding Problems and Applications to the Lee Metric.PostQuantum CryptographyPQCrypto 2021  PostQuantum Cryptography 12th International Workshop12841Lecture Notes in Computer ScienceDaejeon, South KoreaSpringer International PublishingJuly 2021, 4462
 35 inproceedingsLattice Sieving via Quantum Random Walks.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13093Lecture Notes in Computer ScienceVirtual, SingaporeSpringer International PublishingDecember 2021, 6391
 36 inproceedingsOn the Cost of ASIC Hardware Crackers: A SHA1 Case Study.CTRSA 2021  The Cryptographer’s Track at the RSA Conference12704Lecture Notes in Computer ScienceVirtual, United StatesSpringerMay 2021, 657681
 37 inproceedingsLinear programming decoder for hypergraph product quantum codes.IEEE ITW 2020  IEEE Information theory workshop 2020Riva del Garda / Virtual, ItalyApril 2021
 38 inproceedingsQuantum Boomerang Attacks and Some Applications.SAC 2021  Selected Areas in CryptographyVirtual, CanadaSeptember 2021
 39 inproceedingsQuantum Security of the Legendre PRF.MathCrypt 2021Santa Barbara / Virtual, United StatesAugust 2021
 40 inproceedingsNew Representations of the AES Key Schedule.EUROCRYPT 2021  40th Annual International Conference on the Theory and Applications of Cryptographic Techniques12696Lecture Notes in Computer ScienceZagreb, CroatiaSpringerJune 2021, 5484
 41 inproceedingsClustering Effect in Simon and Simeck.ASIACRYPT 2021  27th International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceVirtual, SingaporeSpringerDecember 2021, 272302
 42 inproceedingsTowards Local Testability for Quantum Coding.ITCS 2021  12th Conference on Innovations in Theoretical Computer Science185Leibniz International Proceedings in Informatics (LIPIcs)Washington / Virtual, United StatesSchloss DagstuhlJanuary 2021, 65:165:11
Conferences without proceedings
 43 inproceedingsExplicit asymptotic secret key rate of continuousvariable quantum key distribution with an arbitrary modulation.QCrypt 2021  11th International Conference on Quantum CryptographyAmsterdam / Virtual, NetherlandsAugust 2021
 44 inproceedingsExplicit asymptotic secret key rate of continuousvariable quantum key distribution with an arbitrary modulation.ICQOM 2021  International Conference on Quantum CommunicationParis, FranceOctober 2021
Edition (books, proceedings, special issue of a journal)
 45 bookAdvances in Cryptology – EUROCRYPT 2021  Part I.12696Lecture Notes in Computer ScienceSpringer International Publishing2021
 46 bookAdvances in Cryptology – EUROCRYPT 2021  Part II.12697Lecture Notes in Computer ScienceSpringer International Publishing2021
 47 bookAdvances in Cryptology – EUROCRYPT 2021  Part III.12698Lecture Notes in Computer ScienceSpringer International Publishing2021
 48 proceedingsJ. H.Jung Hee CheonJ.P.JeanPierre TillichPQCrypto 2021: International Conference on PostQuantum Cryptography.PQCrypto 202112841Lecture Notes in Computer ScienceDaejeon, South KoreaSpringer International PublishingJuly 2021
 49 bookQuantum Cryptanalysis (Dagstuhl Seminar 21421). Dagstuhl Report..2021
Doctoral dissertations and habilitation theses
 50 thesisHow to use quantum algorithms to solve the knapsack problem and the syndrome decoding problem..Sorbonne UniversitéMarch 2021
 51 thesisTechniques of cryptanalysis for symmetrickey primitives.Sorbonne UniversitéOctober 2021
 52 thesisAnalysis of codebased postquantum cryptosystems.Sorbonne UniversitéMay 2021
 53 thesisQuantum Algorithms for Cryptanalysis and Quantumsafe Symmetric Cryptography.Sorbonne UniversitéFebruary 2021
 54 thesisPostquantum cryptography: a study of the decoding of QCMDPC codes.Université de ParisMarch 2021
Reports & preprints
 55 miscImproving SupportMinors rank attacks: applications to GeMSS and Rainbow.January 2022
 56 miscImprovements of Algebraic Attacks for solving the Rank Decoding and MinRank problems.February 2021
 57 miscEntropy decay for Davies semigroups of a one dimensional quantum lattice.January 2022
 58 miscRapid thermalization of spin chain commuting Hamiltonians.January 2022
 59 reportPractical Algebraic Attacks against some Arithmetizationoriented Hash Functions.InriaJanuary 2022
 60 miscQuasiCyclic Stern Proof of Knowledge.January 2022
 61 reportFurther Improving DifferentialLinear Attacks: Applications to Chaskey and Serpent.IACR Cryptology ePrint ArchiveJune 2021
 62 miscRecovering or Testing ExtendedAffine Equivalence.March 2021
 63 reportÉvaluation des Logiciels.InriaJanuary 2021
 64 reportSoftware Evaluation.InriaJanuary 2021
 65 miscThe crooked property.August 2021
 66 miscQuantum Reduction of Finding Short Code Vectors to the Decoding Problem.January 2022
 67 miscSecure Sampling of ConstantWeight Words Application to BIKE.January 2022
 68 miscQCMDPC codes DFR and the INDCCA security of BIKE.January 2022
Other scientific publications
 69 thesisCryptanalysis of a lightweight primitive submitted to the NIST standardization process: ASCON.Université de Versailles SaintQuentin (Paris Saclay)September 2021
 70 inproceedingsExplicit asymptotic secret key rate of continuousvariable QKD with an arbitrary modulation.IQFA  12ème Colloque du DGR IQFALyon, FranceNovember 2021
12.3 Cited publications
 71 inproceedingsQuantumSecure SymmetricKey Cryptography Based on Hidden Shifts.Advances in Cryptology  EUROCRYPT 2017  36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30  May 4, 2017, Proceedings, Part III10212Lecture Notes in Computer Science2017, 6593URL: https://doi.org/10.1007/9783319566177_3
 72 inproceedingsAn Algebraic Attack on Rank Metric CodeBased Cryptosystems.EUROCRYPT 2020  39th Annual International Conference on the Theory and Applications of Cryptographic Techniques12107Lecture Notes in Computer ScienceZagreb / Virtual, CroatiaSpringerMay 2020, 6493
 73 inproceedingsImprovements of Algebraic Attacks for Solving the Rank Decoding and MinRank Problems.ASIACRYPT 2020  26th International Conference on the Theory and Application of Cryptology and Information Security12491Lecture Notes in Computer ScienceDaejeon / Virtual, South KoreaSpringerDecember 2020, 507536
 74 inproceedingsThe Poly1305AES MessageAuthentication Code.Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 2123, 2005, Revised Selected Papers3557Lecture Notes in Computer ScienceSpringer2005, 3249URL: https://doi.org/10.1007/11502760_3
 75 unpublishedLe traçage anonyme, dangereux oxymore.April 2020, working paper or preprint
 76 inproceedingsQuantum KeyRecovery on full AEZ. SAC 2017  Selected Areas in CryptographyOttawa, CanadaAugust 2017
 77 inproceedingsRecovering short secret keys of RLCE encryption scheme in polynomial time.PQCrypto 2019  International Conference on PostQuantum CryptographyChongqing, ChinaMay 2019
 78 phdthesisCryptographie fondée sur les codes : nouvelles approches pour constructions et preuves ; contribution en cryptanalyse.Sorbonne UniversitéDecember 2019
 79 inproceedingsTwo attacks on rank metric codebased schemes: RankSign and an IBE scheme.ASIACRYPT 2018  24th International Conference on the Theory and Application of Cryptology and Information Security11272LNCS  Lecture Notes in Computer ScienceBrisbane, AustraliaSpringerDecember 2018, 6292
 80 articleA SubexponentialTime Quantum Algorithm for the Dihedral Hidden Subgroup Problem.SIAM J. Comput.3512005, 170188URL: https://doi.org/10.1137/S0097539703436345
 81 inproceedingsSecurity on the quantumtype EvenMansour cipher.Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 2831, 2012IEEE2012, 312316URL: http://ieeexplore.ieee.org/document/6400943/
 82 inproceedingsAttack on the EdonK Key Encapsulation Mechanism.ISIT 2018  IEEE International Symposium on Information TheoryVail, United StatesJune 2018, 981985
 83 inproceedingsOn the Power of Quantum Computation.35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 2022 November 1994IEEE Computer Society1994, 116123URL: https://doi.org/10.1109/SFCS.1994.365701