2023 Activity report
Project-Team CAPSULE
RNSR: 202324388N
Research center: Inria Centre at Rennes University
 In partnership with: Université de Rennes
 Team name: Applied Cryptography and Implementation Security
 In collaboration with: Institut de recherche en informatique et systèmes aléatoires (IRISA)
 Domain: Algorithmics, Programming, Software and Architecture
 Theme: Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
 A1.2.8. Network security
 A4.3. Cryptography
 A4.3.1. Public key cryptography
 A4.3.2. Secret key cryptography
 A4.3.3. Cryptographic protocols
 A4.6. Authentication
 A4.8. Privacy-enhancing technologies
 A7.1.4. Quantum algorithms
 A8.5. Number theory
Other Research Topics and Application Domains
 B6.4. Internet of things
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Andre Schrottenloher [INRIA, Researcher]
 Alexandre Wallet [INRIA, Researcher]
Faculty Members
 Pierre-Alain Fouque [Team leader, UNIV RENNES, Professor, HDR]
 Patrick Derbez [UNIV RENNES, Associate Professor, HDR]
 Damien Marion [UNIV RENNES, Associate Professor, from Sep 2023, previously Post-Doctoral Fellow in the CAPSULE team]
Post-Doctoral Fellows
 Alexandre Gonzalvez [CNRS]
 Andrea Lesavourey [CNRS, from Mar 2023 until Aug 2023]
PhD Students
 Agathe Cheriere [CNRS, until Nov 2023, DGA grant]
 Clemence Chevignard [UNIV RENNES, from May 2023, PEPR PQTLS]
 Mathieu Degre [UNIV RENNES, from May 2023, ANR OREO grant]
 Arthur Gontier [UNIV RENNES, until Nov 2023, DECRYPT grant]
 Aymeric Hiltenbrand [UNIV RENNES, from Oct 2023]
 Corentin Jeudy [ORANGE LABS, CIFRE]
 Thi Thu Quyen Nguyen [IDEMIA, CIFRE, from Oct 2023]
 Phuong Nguyen [UNIV RENNES, Brittany grant, CRYPTAUDIT and DECRYPT grant]
 Lucas Prabel [UNIV RENNES, until Sep 2023]
Interns and Apprentices
 Lucas Giordani [UNIV RENNES, Intern, from May 2023]
 Jerome Guyot [ENS PARIS-SACLAY, Intern, from Jun 2023 until Jul 2023]
 Rayan Lachguel [UNIV RENNES, Intern, from Nov 2023]
 Lucie Lahaye [ENS DE LYON, Intern, from Jun 2023 until Jul 2023]
 Heorhii Pliatsok [UNIV RENNES, Intern, from Apr 2023 until Sep 2023]
Administrative Assistants
 Isobelle Kelly [Inria, from Oct 2023]
 Veronique Martinet [Inria]
External Collaborators
 Julien Devigne [DGA]
 Marie Euler [DGA]
 Benoît Gérard [DGA]
 Tuong-Huy Nguyen [DGA, until Nov 2023]
2 Overall objectives
Nowadays, and contrary to the past decades, the design of cryptographic algorithms follows an integrated approach which considers security, efficiency and implementation requirements at the same time. The research activities of the team CAPSULE tackle these challenges in order to provide more secure cryptographic implementations and applications deployed in the real world.
 Highly efficient symmetric cryptosystems are a prerequisite for all cryptographic infrastructure. Recently, many new designs have been proposed which aim to perform well under various constraints (e.g., lightweight cryptographic schemes, or schemes tailored for advanced FHE and MPC protocols). The confidence in these schemes is based on cryptanalysis, which analyzes their security against classical and quantum adversaries. Our research lies not only in finding new attacks, but also in designing automated audit tools that simplify and systematize this task.
 Post-quantum security is a major challenge that cryptographers are facing right now. As new post-quantum designs for encryption and digital signatures are being standardized by NIST, the CAPSULE team is actively involved in further improving the efficiency of these schemes and their security analysis.
 Both symmetric and asymmetric cryptosystems ultimately need to be implemented, and these implementations can be vulnerable to various types of side-channel attacks. Finding new attacks and implementing new countermeasures are two sides of the same coin.
 We are also interested in studying the security of well-known deployed systems such as TLS or secure messaging, and in the security of databases.
3 Research program
3.1 Security against post-quantum attackers
The seminal paper of Peter Shor at FOCS 1994 [63] shows that if we were able to build quantum computers, then the factorization and discrete logarithm problems could be solved in polynomial time. Since then, there has been a tremendous effort in the cryptographic community to propose cryptosystems that remain secure in the presence of quantum computers. Many alternatives to the two number-theoretic problems above have been proposed. Among them, our team already has activities and interests in two types of assumptions:
 lattice-based schemes, where security is based on the difficulty of computing short vectors in random Euclidean lattices;
 code-based schemes, where security is based on the difficulty of computing low Hamming weight words in random codes.
Euclidean lattices are discrete subgroups of ${\mathbb{R}}^{n}$, while codes are linear subspaces of a vector space over a finite field. The semantic similarity between the two hardness assumptions is not unexpected: lattices and codes appearing in cryptography are often related objects, which one could say are considered from different metric perspectives.
In post-quantum cryptography, lattice-based assumptions take an important place and have received an increasing amount of attention in the last decade, thanks to the strong security guarantees provided by these assumptions as well as their flexibility for cryptographic designs. Indeed, Ajtai and Regev presented reductions between, respectively, finding Short Integer Solutions of random linear systems (SIS) or solving random noisy linear systems (“Learning With Errors”, LWE) and computing short vectors in Euclidean lattices in the worst case. They both served as the foundation of security for designing public-key encryption, digital signatures, zero-knowledge proof systems, key-encapsulation mechanisms, homomorphic encryption, etc. In order to improve practical efficiency, "structured" versions of these problems relying on lattices with symmetries have been proposed. Such lattices are related to algebraic objects appearing in the geometry of numbers, and some of the resulting schemes have been the clear winners of NIST's call for standardization.
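As an added illustration of the LWE problem just described (this is example code written for this page, not code from the team or the report), the block below builds a toy Regev-style public-key encryption on top of an LWE instance and, next to it, runs plain Gaussian elimination over Z_q on the same system. The contrast is the whole point of the assumption: without the error vector e the secret falls out of linear algebra immediately, with it the linear system is simply inconsistent. All parameters (N, M, Q, E_BOUND) are constructed toy values, far too small for any security.

```python
import random

# Toy parameters, labelled as such: far too small for any security, chosen so the example
# runs instantly. Real schemes use dimensions in the hundreds and carefully chosen moduli.
N, M, Q = 8, 48, 257      # secret dimension, number of LWE samples, prime modulus
E_BOUND = 1               # error coefficients are drawn uniformly from [-E_BOUND, E_BOUND]


def keygen(rng):
    """Public key = an LWE instance (A, b = A*s + e mod q); secret key = s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-E_BOUND, E_BOUND) for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Regev-style encryption: sum a random subset of the samples and put the bit at q/2."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    c1 = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    c2 = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return c1, c2


def decrypt(s, ct):
    """c2 - <c1, s> = <r, e> + bit*q/2 (mod q). Since |<r, e>| <= M*E_BOUND = 48 < q/4,
    rounding to the nearest multiple of q/2 recovers the bit."""
    c1, c2 = ct
    v = (c2 - sum(c1[j] * s[j] for j in range(N))) % Q
    if v > Q // 2:            # centre the value in (-q/2, q/2]
        v -= Q
    return 1 if abs(v) > Q // 4 else 0


def solve_mod_q(A, b):
    """Gaussian elimination over Z_q (q prime). Returns the unique solution of A*x = b, or None
    if the system is inconsistent or under-determined. This is all it takes to break LWE
    without noise, which is why the error term is essential."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    ncols = len(A[0])
    pivot = 0
    for col in range(ncols):
        piv = next((r for r in range(pivot, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[pivot], rows[piv] = rows[piv], rows[pivot]
        inv = pow(rows[pivot][col], -1, Q)
        rows[pivot] = [(x * inv) % Q for x in rows[pivot]]
        for r in range(len(rows)):
            if r != pivot and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[pivot])]
        pivot += 1
    # every remaining row must be all-zero; with noise the system has no solution at all
    if any(any(x for x in rows[r]) for r in range(pivot, len(rows))):
        return None
    return [rows[i][ncols] for i in range(ncols)]


def demo(seed=2023):
    """Round-trip encryption, then attack the noise-free and the noisy system with elimination."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    A, b = pk
    roundtrip = all(decrypt(s, encrypt(pk, bit, rng)) == bit for bit in (0, 1) for _ in range(20))
    b_noiseless = [sum(A[i][j] * s[j] for j in range(N)) % Q for i in range(M)]
    return {
        "roundtrip_ok": roundtrip,
        "noise_free_recovers_secret": solve_mod_q(A, b_noiseless) == s,
        "noisy_system_solvable": solve_mod_q(A, b) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The decryption bound is the design constraint that real parameter selection has to respect: the accumulated error <r, e> must stay below q/4, otherwise bits flip. The structured variants mentioned in the text replace the random matrix A by a matrix with ring or module structure so that the same operations cost a fraction of the arithmetic.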
Better Reductions.
Our trust in the hardness of lattice-based constructions relies fundamentally on our understanding of the security reductions between the (many, structured) variants of SIS and LWE. Depending on the additional structure allowed to the designer, they are associated with number rings, ideals and more generally modules over the integer ring of a number field, and related to the corresponding class of lattices with symmetries. Additionally, for LWE the noise distribution is also a parameter of the problem. Overall, this leads to a plethora of variants and versions that need some hierarchizing and a better understanding of the interplay between their related parameters. Thankfully, important classifying works have already been presented, regularly involving members of our team (e.g. [35, 61, 32]).
Yet, there are still many unclear results or relations that are not yet satisfyingly understood. For example, the fundamental reductions of Ajtai and Regev are far from tight, incurring a blow-up in important parameters (sometimes estimated to be in $O\left({n}^{11}\right)$). While this is not a problem asymptotically, it clearly raises concerns on how to select parameters and on the level of security they actually achieve. However, these proof techniques have not been updated since their presentation: it is not unlikely that more recent tools could lead to improvements. In another example, there seems to be a non-smooth gap in difficulty between the hardness of very structured variants of LWE (linked to “ideal lattice problems”) and less-but-still-quite structured ones. Roughly speaking, the former seem to belong to sub-exponential complexity while the latter variants are still considered exponential. Our current knowledge is also not enough to guarantee the actual existence of this gap, which prevents an accurate understanding of the underlying problems' concrete hardness. In a last example, one can also notice that all the proof strategies for these general reductions rely on the same high-level arguments. Yet, multiple works dealing with sub-cases had to be presented to reach the current state of the art. On the one hand, it could be that there is a unifying, all-encompassing presentation that would greatly simplify the state of affairs and bring a kind of maturity to this field. On the other hand, there may be fundamental obstructions to a general framework, and highlighting them would definitely help the community's understanding. These three examples raise important questions, first about security, but also about our way of using the mathematical tools behind these results. Our team's objectives are to investigate all these paths and to find either positive or negative answers to improve the general understanding of the area.
Algorithms for hard problems and attacks on cryptosystems.
We have proposed algorithms to study the security of hard computational problems in cyclotomic fields, such as the Principal Ideal Problem (PIP) in [29], reducing module lattices as a generalization of the LLL algorithm in the ring of integers of a number field in [55] or in a tower of cyclotomic fields in [52]. We generalized the BKW algorithm to the binary LWE setting in [53] and studied the Learning Parities with Noise (LPN) problem in [56].
We have also attacked concrete cryptographic schemes. We broke some multivariate schemes such as the SFLASH signature scheme in [43] and variants in [48], and the ASASA schemes in [58]. We have also broken FHE schemes based on overstretched NTRU parameters in [54] or concrete FHE in [38].
We want to study the resistance of post-quantum cryptosystems and hard problems against classical and quantum adversaries. It is particularly interesting for lattice problems since the cryptanalysis of these problems is very young. One key objective in this line of research would be to find an analog of the BKZ algorithm for structured lattices defined over number fields. It is also interesting to improve the recent work of [27], which suggests that this problem may be weaker than previously thought.
Constructions and practical cryptosystems.
Applications of cryptography usually culminate in the description of an efficient cryptosystem. An important part of our activity in post-quantum cryptography therefore targets the design of new schemes resistant to quantum attackers, providing advanced functionalities to their users, without sacrificing efficiency.
In this area, members of CAPSULE have worked on the lattice-based signature scheme Falcon and its efficiency-security trade-off ModFalcon [39]. A first objective would be to extend in a useful way the so-called “trapdoor generation” which is at the core of the two schemes above. In a nutshell, the secret key corresponds to a basis of short vectors of a lattice, which only the user should be able to compute efficiently. ModFalcon already extended the class of lattices for which this can be done, and it is an interesting question to handle an even larger class of lattices. In terms of applications, this would allow for even more flexibility, which can be particularly useful when the signature scheme is used as a black box inside a larger cryptographic algorithm. It could also allow for other functionalities such as threshold signatures or maybe masked signatures. Along this line of thought, we are also interested in designing masked lattice signatures or even multi-party signatures. While there have been very recent proposals (relying on a different paradigm than the Falcon family), the efficiency is still lacking in practice. A success here could lead to concrete industrial applications.
But this is not the only construction on which the team is currently working. There are many interesting cryptographic constructions that need to be studied to obtain efficient post-quantum schemes, such as signatures and zero-knowledge proofs, but also signatures with more properties like group signatures, blind signatures, etc., and applications like e-voting. Indeed, a lot of progress has been made to obtain efficient signatures and public-key encryption, especially with the NIST competition, but the efficiency of more advanced schemes is still far from that of existing (but not post-quantum) solutions. One of the big challenges would be to obtain efficient zero-knowledge proof systems, as this primitive is often an easy way to build more advanced primitives.
3.2 Symmetric Cryptography
Despite being one of the oldest forms of cryptography, symmetric cryptography is a very active research area, with recent activity focusing on new designs optimized for specific operational constraints. For example, the lightweight cryptography competition launched by NIST in 2017 concluded in 2023 by selecting the lightweight cipher family Ascon [42], optimized for hardware implementations. At the same time, many new ciphers have been proposed which are optimized for integration in advanced cryptographic protocols, such as the FHE-friendly block cipher LowMC, or for protected hardware implementations.
The team CAPSULE studies the security of symmetric primitives such as block ciphers, stream ciphers and hash functions, against various types of attacks. We consider both classical and quantum security, the latter being a prerequisite for postquantum cryptography architectures.
Tools for discovering new attacks.
Symmetric cryptosystems are widely used because they are the only ones that can achieve some major functionalities such as high-speed or low-cost encryption, fast message authentication, and efficient hashing. But, unlike public-key cryptographic algorithms, secret-key primitives do not have satisfying security proofs. The security of these algorithms is empirically established by cryptanalysis.
It is obvious that this security criterion, despite its success so far, is not completely satisfactory. For instance, we may estimate that, for a given primitive, no more than a few dozen researchers are actively working on breaking it. Hence, due to this weak effort, the non-discovery of an attack against a particular primitive does not mean so much. Besides, finding the best attacks on a given design is time-consuming work, and errors can lead to under- or overestimating its security.
Therefore, our team specializes in building tools for automatically finding large classes of attacks. This transforms the statement “we did not find any attack of this kind”, which is only a subjective guarantee, into “the audit tool X did not find any attack”, which is a formal statement giving a quantifiable, objective guarantee.
In the past, the members of the team have proposed many tools, for example for improving attacks on round-reduced versions of AES [33], Demirci-Selçuk attacks on AES [41], and impossible differential attacks [40].
Our more recent work uses tools based on MILP (Mixed Integer Linear Programming), SAT (Satisfiability) or CP (Constraint Programming). In this setting, the search and optimization of an attack are reduced to a problem of a specific form, for which an off-the-shelf solver is used. Besides the actual work of implementing this reduction, our research aims at better understanding the differences between these optimization tools, finding which ones are more adapted to a given problem, and adapting some of these general-purpose solvers to particular cryptographic problems.
Finding and optimizing a cryptanalytic attack in its entirety is an especially interesting problem, since it requires integrating different steps (for example a good distinguisher and a key-recovery phase). Since the search space is of exponential size, often making the problem intractable, it is possible to first find an approximation of the best attacks and then instantiate precisely the values of the parameters. Also, when MILP, SAT and CP tools quickly give an answer, it is tempting to build ad-hoc tools that can more efficiently take into account the weaknesses discovered by these tools.
Finally, there are only a few tools for analyzing the security of ARX ciphers, based on additions, rotations and XOR operations. These functions are hard to analyze with the current cryptanalytic techniques, and no attack has really endangered the full ChaCha stream cipher proposed by Dan Bernstein or the block cipher Speck proposed by the NSA. They can be implemented very efficiently on x86 processors, and ChaCha is currently among the most used cipher suites in TLS, making them prominent targets for cryptanalysis.
New Designs.
Our goal is to analyze the security of new symmetric-key designs by developing new cryptanalytic techniques. The LowMC block cipher is one of the first symmetric primitives designed to take into account the efficiency constraints of public-key cryptosystems. It has been built as an FHE-friendly cipher, by minimizing the number of multiplicative gates, which are the main efficiency bottleneck for this application. Several attacks have been proposed on LowMC and LowMC v2. LowMC v3 was used in Picnic, a zero-knowledge-based post-quantum signature scheme proposed to the NIST competition, which was not standardized.
The Keccak hash function was standardized in 2015 as SHA-3. Keccak brought new interest in a new design called sponge functions and in permutation-based primitives. Some round-reduced versions of SHA-3 have been used in many constructions, from the pseudo-random generator SHAKE to the pseudo-random function Farfalle [28], the authenticated encryption scheme Keyak, or the hash function KangarooTwelve proposed as an RFC. Only a few attacks have been proposed against SHA-3, and new cryptanalysis tools need to be designed.
Quantum Cryptanalysis.
Since 2016, much work has been done on the cryptanalysis of symmetric primitives using quantum algorithms. While symmetric cryptosystems are generally believed to hold up well against adversaries equipped with a quantum computer, these works have substantiated these claims with dedicated security analyses, such as the best attacks against reduced-round versions of the standard AES [30].
Grover's search algorithm, which provides a quadratic speedup on exhaustive key search (from ${2}^{k}$ operations to ${2}^{k/2}$), is often cited as the main player in the quantum security of symmetric primitives. However, in the past few years, the landscape of quantum algorithms for cryptanalysis has considerably expanded, with notable results such as quantum speedups above quadratic for specific constructions [31]. These recent works highlight the benefit of combining state-of-the-art quantum algorithms and symmetric cryptanalysis techniques.
In team CAPSULE, our research in quantum cryptanalysis is threefold.
First, we develop new quantum algorithms for cryptanalytic problems, which we aim to apply in symmetric cryptography, but which may also have applications in public-key cryptography. An example of such a double-edged sword is our recent work on quantum walks [9].
Second, we analyze existing classical cryptanalysis techniques and study how to translate them into quantum cryptanalysis techniques. Intuitively, a primitive that is classically vulnerable should be quantumly broken as well, but this is not always the case, as classical attack strategies are not always exploitable in the quantum setting. Our research in this area focuses on the strategies which can exhibit the largest quantum speedups, quadratic (like Grover's search) or even beyond by using advanced frameworks.
Finally, after identifying new classes of quantum attacks, we aim at integrating these attacks into automated tools. Indeed, the task of finding and optimizing quantum attacks can be even more challenging than for classical ones, since they often rely on different, sometimes counter-intuitive, strategies. Furthermore, since the resulting procedures are quantum algorithms, the analysis of their time and memory complexities comes with specific technicalities. Our goal is to automate this step as well, in a way that may benefit cryptanalysts interested in this topic but unfamiliar with quantum algorithms.
3.3 Security of cryptographic implementations and Real-World Cryptography
In this research axis, our aim is to study the security of implementations against various side channels such as fault attacks, power analysis and electromagnetic emanations, as well as timing attacks on various cryptographic schemes deployed in real-world systems. We are also interested in providing security proofs for real-world systems or improving their security.
Hardware and embedded implementations.
Side-Channel Attacks (SCA) rely on statistical tools to extract secret information from leakage traces. Then, algorithmic techniques, usually based on previous cryptanalytic results, are used to efficiently recover secret data. Indeed, the known black-box attacks are extended by exploiting the leakage information, which gives more information on the internal secret variables, a.k.a. the grey-box model. The SCA information can be for instance the Hamming weight of a limited number of variables. Recently, the white-box model has been proposed, where the adversary can stop the execution of a process and has access to all variables.
Side-channel attacks have been successfully applied to break many embedded implementations in the last 20 years. After the information-theoretic approach of Ishai, Sahai and Wagner [50] to prove the security of implementations, secure theoretical foundations have been laid by Prouff and Rivain and later Duc et al. in [60, 44]. Soon after, tools such as [23, 24, 22] have been developed to protect software and hardware implementations with masking techniques. Nowadays, we have sound masking schemes. Some of them have already been introduced into lattice-based implementations [25], where securing randomness generally presents interesting challenges. We aim at extending the results of [25, 26, 57, 47] to other post-quantum alternatives like code-based, multivariate, or hash-based schemes and to provide secure implementations.
More recently, other tools coming from statistical learning (such as deep learning) have been proposed to break embedded implementations. They open the door to powerful techniques and more efficient attacks. Template attacks model the leakage distribution with a Gaussian distribution, approximating the actual distribution by its mean and its standard deviation. More standard attacks, a.k.a. Differential Power Analysis (DPA), only consider the mean. However, higher moments can be useful to consider. Deep learning techniques are useful to efficiently extract complex relations between variables even in the presence of noise. Taking into account these more powerful deep learning or white-box attacks, as well as developing countermeasures, is a hot topic in SCA. In the former, deep learning allows finding correlations between many points of interest of one curve, a.k.a. horizontal attacks. In the latter, white-box cryptography provides the adversary with the same kind of information, since they can stop the execution of the program and get noiseless information on all of its variables. Taking into account such powerful attackers is one main challenge for side-channel attacks.
Finally, we are interested in working on the new microarchitectural attacks such as Hertzbleed and others. These attacks show that side-channel attacks are also a threat to software implementations. Porting to software some of the many techniques used to secure embedded systems is thus a major topic.
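The masking countermeasure mentioned above, shown as an added example for this page (not the team's implementation, and not one of the cited tools): a first-order Boolean masking of a 4-bit S-box lookup. The secret nibble x is only ever handled as the pair (x ^ r, r), and the S-box is evaluated through a table that depends on the masks alone. The Hamming-weight leakage model from the text is used to show why this helps: the weight of an unprotected S-box output is a function of x, whereas the weight histogram of a share is identical for every x. The S-box is the published PRESENT S-box, used here purely as a small table.

```python
from collections import Counter

# The 4-bit PRESENT S-box (a published constant), used here only as a small lookup table.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    """The leakage model from the text: the device is assumed to leak the HW of handled values."""
    return bin(v).count("1")


def mask(x, r):
    """First-order Boolean masking: x is never handled alone, only the shares (x ^ r, r)."""
    return (x ^ r, r)


def unmask(shares):
    """Recombination; in a real implementation this happens only where the result is needed."""
    return shares[0] ^ shares[1]


def masked_sbox_table(r_in, r_out):
    """Table T with T[x ^ r_in] = S(x) ^ r_out for all x. It depends only on the masks,
    so building it never touches the secret nibble x."""
    return [SBOX[y ^ r_in] ^ r_out for y in range(16)]


def masked_sbox(shares, r_out):
    """Evaluate the S-box on the masked value; the output is again a pair of shares."""
    y, r_in = shares
    T = masked_sbox_table(r_in, r_out)
    return (T[y], r_out)


def unmasked_leakage(x):
    """What a Hamming-weight side channel sees on an unprotected lookup: a value keyed on x."""
    return hamming_weight(SBOX[x])


def share_leakage_profile(x):
    """Histogram of the HW of the first share over all 16 masks. Because x ^ r is uniform when
    r is uniform, this histogram is the same for every x: first-order leakage of one share
    carries no information about x."""
    return dict(sorted(Counter(hamming_weight(mask(x, r)[0]) for r in range(16)).items()))


def masking_is_correct():
    """Masked evaluation must agree with the plain S-box for every input and pair of masks."""
    return all(unmask(masked_sbox(mask(x, r_in), r_out)) == SBOX[x]
               for x in range(16) for r_in in range(16) for r_out in range(16))


if __name__ == "__main__":
    print("correct:", masking_is_correct())
    print("unprotected HW for x=0 and x=5:", unmasked_leakage(0), unmasked_leakage(5))
    print("share HW profile for x=0:", share_leakage_profile(0))
    print("share HW profile for x=5:", share_leakage_profile(5))
```

The table construction is the classic cost of this countermeasure: fresh masks r_in and r_out are needed per evaluation, which is exactly the "securing randomness" problem the text raises for lattice-based implementations, and a second-order attacker combining both shares is not addressed by a single mask.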
Software implementations.
Constant-time implementation is a programming principle that aims at providing code whose running time and memory accesses are independent of the secret values. Timing leakage can be used to mount attacks on computers and smartphones. There exist many tools in the literature that help developers avoid these leakages, but insecure implementations are still aplenty. For instance, we recently broke the WPA3 implementation used in FreeRadius and iwd (iNet Wireless Daemon) [34], and also found other weaknesses.
We want to discover new attacks in open-source libraries and to help developers verify the constant-time property of their code. For example, some tools are tailored to small pieces of cryptographic code and do not scale well to more complex code that relies on many libraries. Our goal is to provide verification tools for analyzing the constant-time property of large source codes. We are also interested in studying the security of DRM systems used in widely deployed systems. We do not have permanent researchers on reverse engineering, but we work with postdoctoral researchers such as Alexandre Gonzalvez, as well as Mohamed Sabt from the Spicy team on this topic. Besides, we co-supervise 3 theses on the security of software implementations.
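The constant-time principle, as an added example for this page (not code from the team or from any of the libraries named above): a textbook early-exit comparison next to its constant-time counterpart, plus a branch-free select. Rather than measuring time, which is meaningless on an interpreter, each comparison reports how many bytes it examined; the early-exit version's count grows with the length of the matching prefix, which is the secret-dependent behaviour the text describes, while the constant-time version always does the same work. The 16-byte tag is a constructed value.

```python
def early_exit_compare(secret, candidate):
    """Textbook non-constant-time comparison. Returns (equal, bytes_examined): it stops at the
    first mismatch, so the amount of work reveals how long the matching prefix is."""
    examined = 0
    if len(secret) != len(candidate):
        return False, examined
    for a, b in zip(secret, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def ct_compare(secret, candidate):
    """Constant-time variant: OR all byte differences together and decide only at the end, so
    neither control flow nor the number of memory accesses depends on where the bytes differ.
    (The length check still leaks the length, which is public for fixed-size tags.)"""
    if len(secret) != len(candidate):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, candidate):
        diff |= a ^ b
        examined += 1
    return diff == 0, examined


def ct_select(flag, a, b):
    """Branch-free selection of a (flag = 1) or b (flag = 0) for non-negative integers:
    the pattern used instead of `a if flag else b` when the flag is secret."""
    mask = -(flag & 1)           # 0 or -1 (all ones in two's complement)
    return (a & mask) | (b & ~mask)


def leakage_profile(secret):
    """Bytes examined by each comparison when the candidate differs only at position i."""
    early, ct = [], []
    for i in range(len(secret)):
        cand = bytearray(secret)
        cand[i] ^= 0x01
        early.append(early_exit_compare(secret, bytes(cand))[1])
        ct.append(ct_compare(secret, bytes(cand))[1])
    return early, ct


# Constructed 16-byte authentication tag for the demonstration.
TAG = bytes(range(16))

if __name__ == "__main__":
    early, ct = leakage_profile(TAG)
    print("early-exit work per mismatch position:", early)
    print("constant-time work per mismatch position:", ct)
```

In production Python code the standard library's `hmac.compare_digest` is the function to call; the hand-written version only makes the pattern visible. The verification tools the text aims at check the same two properties on real binaries: no branch and no memory address may depend on secret data.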
Security Proofs of Protocols and Real-World Systems.
We are interested in studying the security of cryptographic protocols deployed in the real world such as WhatsApp, middleboxes, Content-Delivery Networks (CDN), TLS, and 5G networks. Recently, we have also considered the security of searchable symmetric encryption, where the goal is to outsource the storage of a database to an untrusted server, while maintaining search capabilities. This last area is a nice application of secure computation, and the PhD thesis of R. Bost (P.A. Fouque's PhD student) in this domain received the GDR Security prize for the best PhD in 2018. We also work with Cristina Onete, an assistant professor at Limoges, on this topic. Currently, we are interested in proposing hybridization techniques between pre- and post-quantum cryptography for various protocols such as Signal, IPsec, etc., as part of the PEPR post-quantum cryptography programme.
4 Application domains
4.1 Designing, Analyzing and Choosing Cryptographic Standards
The research community is strongly involved in the development and evolution of cryptographic standards. Many standards are developed through open competitions (e.g. AES, SHA-3) where multiple teams propose new designs, and a joint cryptanalysis effort allows selecting the most suitable proposals. The analysis of established standards is also important work, in order to deprecate weak algorithms before they can be exploited. Several members of the team have been involved in this type of effort and we plan to continue this work to ensure that secure algorithms are widely available. We believe that good cryptographic standards have a large socio-economic impact; thus, we are active in proposing schemes to future competitions, and in analyzing schemes proposed to current or future competitions, as well as widely-used algorithms and standards. At the moment, we are involved in the two standardization efforts run by NIST for post-quantum cryptography and lightweight cryptography, and in other real-world protocols.
NIST post-quantum competition.
The NIST post-quantum competition aims at standardizing quantum-safe public-key primitives. The goal is to propose a quantum-safe alternative to the schemes based on number theory, which are threatened by the advent of quantum computers. It is expected to have a huge and long-term impact on all public-key cryptography. It received 69 proposals in November 2017. The Falcon signature scheme, co-designed by some members of the Capsule team, was selected by NIST in July 2022. We have also submitted Solmae to the Korean Post-Quantum Competition; it is a variant of Falcon that is easier to implement and hence to protect from SCA. Finally, we have also proposed BAT [46], an encryption scheme that follows the design rationale of Falcon. We plan to submit this scheme to the IETF as it enjoys interesting properties in terms of bandwidth that are not displayed by NIST's selected key encapsulation scheme, Kyber.
In June 2023, we submitted the PROV and VOX signature schemes to NIST's new call for digital signatures. These two schemes are based on multivariate cryptography problems, and are variants of the Unbalanced Oil-and-Vinegar (UOV) signature scheme proposed in 1997 by Patarin. PROV has a security proof, while VOX is a stronger version of UOV that avoids known weaknesses (namely, UOV has a large set of isotropic vectors common to all quadratic forms of the public key).
NIST competition on lightweight symmetric encryption.
The NIST lightweight cryptography standardization process is an initiative to develop and standardize new authenticated encryption algorithms suitable for constrained devices. There is a real need for new standards in lightweight cryptography, and the selected algorithms are expected to be widely deployed within the Internet of Things, as well as on more constrained devices such as contactless smart cards or medical implants. NIST received 56 submissions in February 2019. Team Capsule has studied the security of some of these schemes.
Monitoring Current Standards.
While we are very involved in the design phase of new cryptographic standards, we also monitor the algorithms that are already standardized. We looked at some implementations of WPA3 and discovered a microarchitectural attack [8]. We also studied the privacy of the EME standard (Encrypted Media Extensions) for Digital Rights Management in browsers in [18].
5 Social and environmental responsibility
5.1 Impact of research results
After the discovery of some privacy issues in EME, our findings were communicated in a timely manner to all concerned parties following responsible disclosure processes. Mozilla Firefox was quite responsive, and we were rewarded via their bug bounty program. The Mozilla EME team investigated our findings, released a patch to address the identified privacy issues and acknowledged us in the Mozilla Hall of Fame. Regarding the Client ID being sent in the clear in renewal requests, we first contacted the EME Chrome team, which reviewed our disclosure report and showed concern about its privacy consequence, namely the EME user agent. They confirmed our intuition that the problem is caused by the Widevine CDM. Therefore, we filed a Widevine bug report about the missing Privacy Mode on VMP systems, and are still in communication with them.
Concerning our microarchitectural attack on WPA3, we disclosed our findings to the hostap security team in December 2021. We contacted other affected projects (iwd/ell from Intel and FreeRadius) in January 2022. hostap promptly reacted, asking us to review a patch, which was later committed, and a security advisory has been published. Intel decided to fix their cryptographic library, ell, and also asked us to review their patch. Both iwd and hostap released a new stable version patching the vulnerability soon after our disclosure. FreeRadius has committed our patch to their project. We contacted OpenSSL and WolfSSL in May 2022 to disclose our second vulnerability. Both acknowledged our analysis, but argued that it is the developers' responsibility to avoid calling their leaky functions with secret-dependent values.
6 Highlights of the year
Pierre-Alain Fouque was appointed Senior member of the IUF (Institut Universitaire de France) for 5 years starting in September 2023.
6.1 Awards

ACNS 2023 Best Student Paper Award
Agathe Cheriere, Nicolas Aragon, Tania Richmond, Benoît Gérard, “BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding.” ACNS 2023 - 21st International Conference on Applied Cryptography and Network Security, Kyoto, Japan, May 29, 2023

ASIACRYPT 2023 Best Paper Award
Thomas Espitau, Alexandre Wallet, Yang Yu, “On Gaussian sampling, smoothing parameter: Application to lattice signatures.” ASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information Security, Guangzhou (Canton), China, Dec 4, 2023

NIST prize
To the Falcon Team, "NIST extends its appreciation to the Falcon Team for outstanding contributions to the NIST PQC Standardization process through the design of FN-DSA", University of Maryland, August 2023.
7 New software, platforms, open data
The code that we develop is either demonstration code, code specific to particular attacks, or implementation prototypes. Consequently, we do not maintain any software product. We do not use a particular platform. Some of the data used in our work is made available.
8 New results
8.1 Symmetric Cryptanalysis
Participants: Mathieu Degré, Patrick Derbez, Marie Euler, Arthur Gontier, Lucie Lahaye, Phuong Nguyen, André Schrottenloher.
This year we developed a new cryptanalysis technique related to differential cryptanalysis which allowed us to break more rounds of two well-studied block ciphers: the AES and SKINNY. We also developed a new tool that fully automates the search for the best differential characteristics on a large class of ciphers. Finally, we solved an algorithmic problem related to AES by providing a dynamic-programming-based algorithm able to find the best truncated related-key differential characteristics on all versions of AES.
Differential Meet-in-the-middle Attacks.
Meet-in-the-middle and differential attacks are two cornerstones of modern cryptanalysis, which have been applied successfully to block ciphers for decades. In [4], we introduced the new framework of differential meet-in-the-middle attacks, which combines techniques from both meet-in-the-middle and differential cryptanalysis. As such, this technique can be seen both as an extension of meet-in-the-middle attacks, and as a novel way of performing the key recovery in differential attacks. We applied this technique to two very well studied ciphers, SKINNY and the international standard AES, and obtained new results on weakened (reduced-round) variants, including a related-key attack on 12 rounds out of 14 on AES-256 with only two related keys.
Related-Key Differential Analysis of the AES.
The related-key setting, in which a block cipher may be queried with several unknown keys having some known relation, is a scenario in which AES is known to be quite weak. However, finding related-key characteristics is a difficult process which nowadays can be done only with the help of automatic tools. In [10] we gave new tools dedicated to this task, both ad hoc and based on MILP. We also built a new tool to search for differential MITM attacks, which improved the 12-round attack above to 13 rounds.
A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics.
An important criterion to assert the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure immunity against differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. Doing so allows one to provide an upper bound on the probability of the best differential characteristic at a reduced computational cost. However, in order to design very efficient primitives, it might be necessary to evaluate the probability more accurately. This is usually done in a second step, during which one tries to instantiate truncated differential characteristics with actual values and computes their corresponding probability. This step is usually done either with ad hoc algorithms or with CP, SAT or MILP models that are solved by generic solvers. In [12], we present a generic tool for automatically generating these models that handles all word-oriented ciphers. Furthermore, the running times to solve these models are very competitive with all the previous dedicated approaches.
Equivalence of Generalised Feistel Networks.
We also focused on equivalences between Generalised Feistel Networks (GFN) of type-II. We introduced a new definition of equivalence which captures the concept that two GFNs are identical up to relabelling of the inputs/outputs and are therefore cryptographically equivalent for several classes of attacks. It induces a reduction of the space of possible GFNs: the set of the ${(k!)}^{2}$ possible even-odd GFNs with $2k$ branches can be partitioned into $k!$ different classes. From a designer's perspective, it means that a much wider spectrum of candidates can be explored to choose a good permutation. In particular, using this new equivalence relation led us to five 62-branch permutations performing better than WARP regarding the number of differentially/linearly active S-boxes, and to a new family of permutations with good diffusion properties. This work is under submission.
Cryptanalysis of ASCON.
During the internships of Mathieu Degré and Lucie Lahaye, we started studying the cryptanalysis of the ASCON family of lightweight primitives, which is a high-profile target as it has recently been selected for standardization by NIST. Our goal in this project was to obtain simpler models of different types of cryptanalysis, based on MILP and SAT encodings, which were easier not only to describe but also to run. Our results are under submission.
8.2 Quantum Algorithms and Cryptanalysis
Participants: André Schrottenloher.
During this year, we have introduced several advanced quantum algorithms with applications in cryptanalysis (symmetric and asymmetric), as well as new frameworks for symmetric cryptanalysis which we plan to build upon in the next few years.
Applications in Asymmetric Cryptanalysis.
In [9] we introduced the new algorithmic technique of chained quantum walks. This technique is key to an improvement on quantum algorithms for the multiple collision search problem, an extension of the collision search problem, which asks to find pairs of colliding outputs generated by a random function. It allowed us to improve the previous best quantum algorithm for lattice sieving [37], reducing its asymptotic time complexity from ${2}^{0.2570d+o\left(d\right)}$ to ${2}^{0.2563d+o\left(d\right)}$ where $d$ is the lattice dimension. These algorithms are of high interest since they underlie the security analyses of lattice-based cryptography at large.
In [19], we gave new quantum trade-offs for the Dihedral Coset Problem, which is a computational problem of high interest. In particular, its hardness underlies the security of post-quantum cryptosystems based on Abelian group actions such as CSIDH [36]. These cryptosystems are the only high-profile post-quantum proposals for which a quantum attacker enjoys a large speedup (from exponential classical time to subexponential quantum time). Thus their security analysis relies primarily on the quantum side.
Applications in Symmetric Cryptanalysis.
In [20] we introduced a new framework of quantum linear key-recovery attacks on block ciphers. In classical cryptanalysis, linear cryptanalysis is a powerful key-recovery attack exploiting the linear biases which may appear in reduced-round ciphers. While modern linear key-recovery attacks rely on the Fast Fourier Transform, a potential application of the Quantum Fourier Transform remained an open question in previous works [51]. In this work, we showed that this was possible, and could lead to new quantum attacks on block ciphers. The new framework relies on computing correlations of Boolean functions “analogically” in the amplitudes of quantum states, which generates technical difficulties and new open questions that need further investigation. Despite the current limitations, this framework may reach up to a super-quadratic speedup in key-recovery attacks, which coincides with the current best speedup reported in [31] for specific constructions of block ciphers.
In [6] we described a generic framework of quantum impossible differential attacks on block ciphers, with a generic formula for their time complexity and a procedure to easily translate classical attacks into quantum ones.
In [7] we introduced an automatic search and optimization tool for quantum meet-in-the-middle key-recovery attacks on block ciphers. This tool expands a previous modeling technique which we introduced last year [62].
8.3 Public-key cryptography
Participants: Alexandre Wallet, Pierre-Alain Fouque, Corentin Jeudy, Lucas Prabel.
This year we proposed new designs and trade-offs for the core building blocks of hash-then-sign lattice-based signatures. This is in direct continuation of the results obtained last year, and initiated a participation in a national standardization competition (namely, South Korea's KPQC) as a direct application of our new results. We also submitted two Multivariate Cryptography signature schemes, PROV and VOX, to the recent call in June 2023. Finally, we obtained new results in the construction of advanced cryptographic protocols.
Optimal trapdoors for practical lattice-based hash-then-sign.
Last year we described in [45] Mitaka, a variant of Falcon with a much simpler implementation, a larger parameter space, better parallelism, and which is easier to protect from side-channel adversaries. One of the drawbacks of our scheme was its slightly lower security level. Indeed, finding good trapdoors in the key-generation process for Mitaka remained a costly task, and we had to sacrifice security for concrete efficiency. In [13] we propose a completely novel approach to find good trapdoors in an essentially optimal way, with much freedom in the quality that we impose on them. Our method stems from the geometric identification of the space where one can find them, and the design of a simple, natural sampler to draw from it. It combines Fast Fourier Transform techniques with a fine-grained error rounding analysis into a key-generation algorithm called Antrag, achieving the same efficiency as Falcon's without sacrificing any bit of security.
Concretely, this technique makes Mitaka as secure as Falcon. This prompted its use in a candidate for standardization in a national process (as mentioned above), called Solmae (Falcon in Korean), and submitted for the first round of evaluation. Despite Solmae having the minimal bandwidth consumption of all candidates and concrete signing speed on par with the other lattice contender HaeTae (Dilithium's natural update), it was not selected to advance to the second round.
Unifying Lattice Gaussian sampling.
Lattice Gaussian sampling is nowadays a pervasive technique in all aspects of the field: reductions between problems (in the complexity theory sense), as a concrete building block for primitives, in security arguments, and more. Many methods to sample lattice Gaussians existed in the cryptographer's toolbox, but perhaps surprisingly, most of them seemed unrelated to one another. This made it rather difficult to understand where improvement vectors could be found. In [14] we proposed a generic, abstract framework that recovers almost if not all known approaches, while opening up the design space for further exploration. Among the samplers that we recover naturally are the important approaches of [49, 59]. We provided novel samplers following these new avenues, illustrating how to use our framework. Some of our new designs demonstrated important security improvements in concrete schemes (such as Mitaka), while also displaying more simplicity in their description. On a more foundational level, we gave a new exact expansion of the so-called smoothing parameter of a lattice. This important quantity is used in many security arguments, where the finer the estimate, the better control over security one gets. We believe that this new expression has applications in more mathematical aspects of lattice theory, such as improved transference bounds.
Reductions between variants of the ModuleLWE problem.
The Module Learning With Errors problem (MLWE) is a core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency. The problem is parameterized by a secret distribution as well as an error distribution. There is a gap between the choices of those distributions for theoretical hardness results (standard formulation of MLWE, i.e., uniform secret modulo $q$ and Gaussian error) and practical schemes (small bounded secret and error). In [3], we make progress towards narrowing this gap. More precisely, we prove that MLWE with uniform $\eta $-bounded secret for any $1\le \eta \ll q$ and Gaussian error, in both its search and decision variants, is at least as hard as the standard formulation of MLWE, provided that the module rank $d$ is at least logarithmic in the ring degree $n$. We also prove that the search version of MLWE with large uniform secret and uniform $\eta $-bounded error is at least as hard as the standard MLWE problem, if the number of samples $m$ is close to the module rank $d$ and with further restrictions on $\eta $. The latter result can be extended to provide the hardness of MLWE with uniform $\eta $-bounded secret and error under specific parameter conditions. Overall, the results apply to all cyclotomic fields, but most of the intermediate results are proven in more general number fields.
Lattice Signature with Efficient Protocols, Application to Anonymous Credentials.
Digital signatures are an essential primitive in cryptography, which can be used as the digital analogue of handwritten signatures but also as a building block for more complex systems. In the latter case, signatures with specific features are needed, so as to interact smoothly with the other components of the system, such as zero-knowledge proofs. This has given rise to so-called signatures with efficient protocols, a versatile tool that has been used in countless applications. Designing such signatures is however quite difficult, in particular if one wishes to withstand quantum computing. We are indeed aware of only one post-quantum construction, proposed by Libert et al. at Asiacrypt’16, yielding very large signatures and proofs.
In [17], we propose a new construction that can be instantiated both in standard lattices and structured ones, resulting in each case in dramatic performance improvements. In particular, the size of a proof of message-signature possession, which is one of the main metrics for such schemes, can be brought down to less than 650 KB. As our construction retains all the features expected from signatures with efficient protocols, it can be used as a drop-in replacement in all systems using them, which mechanically improves their own performance, and thus has a direct impact on many applications. It can also be used to easily design new privacy-preserving mechanisms. As an example, we provide the first lattice-based anonymous credentials system.
Identity-Based Encryption from Lattices Using Approximate Trapdoors.
Practical implementations of advanced lattice-based constructions have received much attention since the first practical identity-based encryption scheme instantiated over NTRU lattices, proposed by Prest et al. (Asiacrypt 2014). This particular design uses powerful lattice-based building blocks to allow efficient Gaussian preimage sampling and trapdoor generation. In [16], we propose two different constructions and implementations of identity-based encryption schemes (IBE) using the approximate variants of “gadget-based” trapdoors of Chen et al. (Asiacrypt 2019). Both constructions are proven secure.
Our first IBE scheme is an adaptation of the Bert et al. scheme (PQCrypto 2021) to the approximate setting, relying on the Module-NTRU hardness assumption and making use of the Micciancio-Peikert paradigm for approximate trapdoors. The second IBE relies on a variant of the NTRU hardness assumption.
We provide several timings and a comparative analysis to explain our results. The two different instantiations give interesting trade-offs in terms of security and efficiency, and both benefit from the use of approximate trapdoors. Though our second IBE construction is less efficient than other NTRU-based IBEs, we believe our work provides useful insights into efficient advanced lattice-based constructions.
New Security Proof in the QROM model.
In [15], we present a new generic transform that takes a multi-round interactive proof for the membership of a language L and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function H. However, in our transform the zero-knowledge property holds in the standard model, and the adaptive soundness holds in the non-programmable random oracle model (NPROM). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum random oracle model (QROM); surprisingly, the security loss in the QROM is independent of the number of rounds.
Factorization Algorithms.
In [21], we study new factorization algorithms. The Number Field Sieve (NFS) is the state-of-the-art algorithm for integer factoring, and sieving is its most crucial step. It is a very time-consuming operation, aiming at collecting many relations. The ultimate goal is to generate random smooth integers mod N together with their prime decomposition, where smoothness is defined on the rational and algebraic sides according to two prime factor bases.
In modern factorization tools, such as CADO-NFS, sieving is split into different stages depending on the size of the primes, but defining good parameters for all stages is based on heuristic and practical arguments. At the beginning, candidates are sieved by small primes on both sides, and if they pass the test, they continue to the next stages with bigger primes, up to the final one where the remaining part is factored using the ECM algorithm. On the one hand, the first stages are fast but many false relations pass them, and we spend a lot of time on useless relations. On the other hand, the final stages are more time-demanding but output fewer relations. It is not easy to evaluate the performance of the best strategy on the overall sieving step since it depends on the distribution of the numbers that result at each stage.
In [21], we examine different sieving strategies to speed up this step, since many improvements have been made on all other steps of the NFS. Based on the relations collected during the record RSA-250 factorization and all its parameters, we study the many different strategies that have been defined for NFS. Our result is an experimental evaluation of them.
8.4 Side-Channel Attacks
Participants: Pierre-Alain Fouque, Agathe Cheriere, Damien Marion.
BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding.
In [11], we present a single-trace attack on a BIKE Cortex-M4 implementation proposed by Chen et al. at CHES 2021. BIKE is a key-encapsulation mechanism, candidate to the NIST post-quantum cryptography standardisation process. Our attack exploits the rotation function that circularly shifts an array depending on the private key. Chen et al. implemented two versions of this function, one in C and one in assembly. Our attack uses sub-trace clustering combined with a combinatorial attack to recover the full private key. We obtained a high clustering accuracy in our experiments, and we provide ways to deal with the errors. We are able to recover all the private keys for the C implementation, and while the assembly version is harder to attack using our technique, we still manage to reduce BIKE Level-1 security from 128 to 65 bits for a significant proportion of the private keys.
8.5 Real-World Cryptography
Participant: Pierre-Alain Fouque.
From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake.
In [8] we develop a new software attack on WPA3. It is universally acknowledged that Wi-Fi communications are important to secure. Thus, the Wi-Fi Alliance published WPA3 in 2018 with a distinctive security feature: it leverages a Password-Authenticated Key Exchange (PAKE) protocol to protect users' passwords from offline dictionary attacks. Unfortunately, soon after its release, several attacks were reported against its implementations, in response to which the protocol was updated in a best-effort manner. In this paper, we show that the proposed mitigations are not enough, especially for a protocol that is complex to implement even for savvy developers. Indeed, we present Dragondoom, a collection of side-channel vulnerabilities of varying strength allowing attackers to recover users' passwords in widely deployed Wi-Fi daemons, such as hostap in its default settings. Our findings target both password conversion methods, namely the default probabilistic hunting-and-pecking and its newly standardized deterministic alternative based on SSWU. We successfully exploit our leakage in practice through microarchitectural mechanisms, and overcome the limited spatial resolution of Flush+Reload. Our attacks outperform previous works in terms of required measurements. Then, driven by the need to end the spiral of patch-and-hack in Dragonfly implementations, we propose Dragonstar, an implementation of Dragonfly leveraging a formally verified implementation of the underlying mathematical operations, thereby removing all the related leakage vectors. Our implementation relies on HACL*, a formally verified crypto library guaranteeing secret independence. We design Dragonstar so that its integration within hostap requires minimal modifications to the existing project. Our experiments show that the performance of HACL*-based hostap is comparable to the OpenSSL-based one, implying that Dragonstar is both efficient and proven leakage-free.
Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME.
In [18], we study the security of Digital Rights Management systems. Thanks to HTML5, users can now view videos in Web browsers without installing plugins or relying on specific devices. In 2017, W3C published Encrypted Media Extensions (EME) as the first official Web standard for Digital Rights Management (DRM), with the overarching goal of allowing seamless integration of DRM systems in browsers. EME has prompted numerous voices of dissent with respect to the inadequate protection of users. Of particular interest, privacy concerns were articulated, especially since DRM systems inherently require uniquely identifying information on users' devices to better control content distribution. Despite this anecdotal evidence, we lack a comprehensive overview of how browsers have supported EME in practice and what privacy implications are caused by their implementations. In this paper, we fill this gap by investigating privacy leakage caused by EME relying on proprietary and closed-source DRM systems. We focus on Google Widevine because of its versatility and wide adoption. We conduct empirical experiments to show that browsers diverge when complying with EME privacy guidelines, which might undermine users' privacy. For instance, we find that many browsers gladly give away the identifying Widevine Client ID with no or little explicit consent from users. Moreover, we characterize the privacy risks of user tracking when browsers fail to apply the EME guidelines regarding privacy. Because Widevine is closed-source, our work involves reverse engineering to dissect the contents of EME messages as instantiated by Widevine. Finally, we implement EME Track, a tool that automatically exploits bad Widevine-based implementations to break privacy.
9 Bilateral contracts and grants with industry
9.1 Bilateral contracts with industry
Participants: Patrick Derbez, Pierre-Alain Fouque, André Schrottenloher.

KDDI: (T0: 11/2022 –> 02/2023)
Led by the University of Rennes.
KDDI (Japan) would like to propose the Rocca-S encryption scheme to an international standardization process. However, such organizations require an external evaluation provided by an independent third party. KDDI contacted us to perform this analysis. Some outputs of this work are currently under review.
9.2 Bilateral Grants with Industry
Participants: Patrick Derbez, Pierre-Alain Fouque, André Schrottenloher, Alexandre Wallet.
 Supervision of Quentin Edme's PhD (T0: 12/2023 –> 12/2026): funding provided by Orange Labs Caen for the supervision of the CIFRE PhD thesis
 Supervision of Roderick Asselineau's PhD (T0: 12/2023 –> 12/2026): funding provided by Airbus Security for the supervision of the PhD thesis

Resque: (T0: 09/2022 –> 08/2026)
Bpifrance project.
Led by Thales.
Participating entities on the industrial side: Thales SIX and DIS, TheGreenBow, CryptoExperts, CryptoNext. Participating entities on the public side: Inria, ANSSI.
In this project, Inria is represented by two teams: Capsule (Inria Rennes), with Pierre-Alain Fouque as the coordinator; and Cascade (Inria Paris), with Céline Chevalier as collaborator.
The Resque project ("Résilience Quantique") aims to combine two use cases in order to build two software and hardware components: i) a hybrid and agile VPN (virtual private network) and ii) a robust and efficient HSM (hardware security module), providing security for the exchanged information. Cryptographic agility will allow regular and continuous updates of the post-quantum algorithms.

Hyperform: (T0: 09/2022 –> 08/2026)
Bpifrance project.
Led by Idemia.
Participating entities on the industrial side: Idemia, Atempo, PrimX, CryptoNext, Synacktiv. Participating entities on the public side: Inria, ANSSI, CEA.
In this project, Inria is represented by two teams: Grace (Inria Saclay), with Ben Smith as the coordinator; and Capsule (Inria Rennes), with Alexandre Wallet as collaborator.
Hyperform aims at being an international leading force in the development of quantum-resilient secure elements for embedded systems, as well as a primary actor in the design of hybrid solutions at scale, that is, mixing pre- and post-quantum cryptography in a provably secure, formally verified way, into industrial products. One essential goal of the project is to produce a demonstrator: a secure element with dedicated hardware/software embedding post-quantum cryptographic algorithms, providing a level of resilience against side-channel attackers while maintaining a high level of performance on par with the demands of real-world situations.
10 Partnerships and cooperations
10.1 International initiatives
10.1.1 Visits to international teams
Research stays abroad
Patrick Derbez

Visited institution:
University of Chinese Academy of Sciences

Country:
China

Dates:
11/25 - 11/30

Context of the visit:
Invited by Prof. Siwei Sun to initiate a collaboration and give a talk.

Mobility program/type of mobility:
research stay
Phuong Hoa Nguyen

Visited institution:
University of Graz

Country:
Austria

Dates:
09/01 - 12/31

Context of the visit:
Visit to Maria Eichlseder to initiate a collaboration on automatic tools.

Mobility program/type of mobility:
research stay
10.2 National initiatives
Participants: Alexandre Wallet, Pierre-Alain Fouque, André Schrottenloher, Patrick Derbez.

The PQTLS (01/2022 –> 12/27)
Post-quantum padlock for web browsers
PEPR Quantique
Partners: GREYC (Caen), ENS Lyon, Inria GRACE, Inria Cosmiq, Inria Prosecco, Inria Caramba, Inria Lfant, Inria Capsule, UVSQ, Cryptis, ARCAD, SESAM, CEA LETI, University of Rouen, Rennes, Bordeaux.
The famous "padlock" appearing in browsers when one visits websites whose address is preceded by "https" relies on cryptographic primitives that would not withstand a quantum computer. This integrated project aims to develop, over 5 years, post-quantum primitives in a prototype of a "post-quantum lock" that will be implemented in an open source browser. The evolution of cryptographic standards has already started, the choice of new primitives will be made quickly, and the transition will be made in the next few years. The objective is to play a driving role in this evolution and to make sure that the French actors of post-quantum cryptography, already strongly involved, are able to influence the cryptographic standards of the decades to come.

Cryptanalyse (12/2023 –> 12/28)
PEPR Cybersécurité
Partners: Inria GRACE, Inria Cosmiq, Almasty, Inria Caramba, Inria Lfant, Inria Capsule, Crypto, Eco, Canari, UGA.
The Cryptanalyse project focuses on the study and standardization of cryptographic primitives. Modern cryptography has become an indispensable tool for securing personal, commercial and institutional communications. This project will provide an estimate of the difficulties involved in solving the underlying problems, and deduce the level of security conferred by the use of these primitives. The aim is to evaluate the security of cryptographic algorithms.

ANR AMIRAL (01/2022 –> 12/2024)
Digital signatures from latticebased assumptions
ANR ASTRID, Appel 2021
Partners: GREYC (Caen), Inria Lyon
The focus of AMIRAL is the improvement of lattice-based digital signature schemes at large. More precisely, three research axes are considered. First, we will design concrete improvements and novel tweaks for the optimization of NIST's selected candidates (Falcon and Dilithium), or to extend their use cases to a larger range of scenarios. Second is the conception and study of signatures with advanced properties (such as aggregated or threshold signatures) in order to substantially improve the state of the art. Third is the study of the interplay between improvements in the design of signatures and the efficiency of broader, more complex cryptographic primitives such as attribute-based encryption.

CROWD (2023 –> 2027).
Code-based practical cryptography
ANR-DFG
Partners: TU Munich, IRMAR (Rennes), Inria (Rennes)
The aim of this project is the examination of skew metrics and their application in cryptography. These metrics can be considered as a generalization of the so-called rank metric, which has significant applications in coding theory, cryptography, data storage, and network coding. The connection between these metrics lies in the non-commutativity of Euclidean rings, called Ore rings, which extend the classical notion of commutative polynomial rings by 'skewing' (twisting) multiplication. These operations allow the development of metrics and new codes with efficient arithmetic operations. This holds promise for secure and efficient cryptographic implementations. Three avenues are explored: 1) investigate the foundations of algebraic codes in these skew metrics; 2) design novel decoding algorithms and cryptographic schemes from these codes, and assess their security from a cryptanalytic and side-channel point of view; 3) produce practically efficient implementations of core cryptographic primitives, such as digital signatures, with the goal of entering the next round of the NIST standardization.
Participant: Damien Marion.

ANR IDROMEL (2021 –> 2025)
Improving the Design of secure systems by a Reduction Of Microarchitectural Effects on side-channeL Attacks
Partners: LAAS-CNRS, LIP6, CEA, ARM, IRISA
The IDROMEL project aims to contribute to the design of systems secure against side-channel attacks based on power and electromagnetic observations, for a wide range of computing systems (from IoT devices to mobile phones). IDROMEL will investigate the impact of the processor microarchitecture on power and electromagnetic side-channel attacks as a key concern for the design of secure systems. IDROMEL will produce:
 Leakage source characterization: a methodology to evaluate leakage sources from a detailed description of the microarchitecture (grey-box approach) or from public information (black-box approach), with reproducible characterization based on public test vectors;
 Security assessment methods: formal code verification, leakage simulators and vulnerability analysis;
 Automated security tools: a compiler for the application of software countermeasures;
 Hardware hardening techniques: configurable design technique for the application of hardware countermeasures.
11 Dissemination
Participants: Patrick Derbez, Pierre-Alain Fouque, André Schrottenloher, Damien Marion.
11.1 Promoting scientific activities
11.1.1 Scientific events: organisation
The PQTLS project of the PEPR Quantique organized a workshop at the École normale supérieure on the security of recently submitted post-quantum signatures in June 2023, and another workshop with the French companies that are developing a quantum computer in June 2023 at the Cyber Campus in Paris.
Member of the organizing committees
 Séminaire CRYPTO (IRMAR, IRISA, Rennes): Alexandre Wallet, André Schrottenloher.
11.1.2 Scientific events: selection
Chair of conference program committees
 EUROCRYPT 2024 (May 26-30, 2024, Zurich, Switzerland): Pierre-Alain Fouque (Area Chair)
Member of the conference program committees
 ACNS 2023 (June 19-22, 2023, Kyoto, Japan): Alexandre Wallet;
 CRYPTO 2023 (August 19-24, 2023, Santa Barbara, USA): Pierre-Alain Fouque, André Schrottenloher;
 CFAIL 2023 (August 19, 2023, Santa Barbara, USA): Alexandre Wallet;
 Journées Nationales de Codages et Cryptographie (JC2, October 15-20, 2023, Najac, France): Alexandre Wallet;
 ASIACRYPT 2023 (December 4-8, 2023, Guangzhou, China): Patrick Derbez, Alexandre Wallet;
 INDOCRYPT 2023 (December 10-13, 2023, Goa, India): Alexandre Wallet;
 EUROCRYPT 2024 (May 26-30, 2024, Zurich, Switzerland): Patrick Derbez, Pierre-Alain Fouque (Area Chair), André Schrottenloher;
 AAC 2024 (March 5-8, 2024, Abu Dhabi, UAE): Alexandre Wallet;
External Reviewer
 EUROCRYPT 2023: Alexandre Wallet;
 EUROCRYPT 2024: Alexandre Wallet;
11.1.3 Journal
Member of the editorial boards
 IACR Transactions on Symmetric Cryptology, associate editors: Patrick Derbez, André Schrottenloher
Reviewer - reviewing activities
 Journal of Cryptology: Alexandre Wallet;
 Designs, Codes and Cryptography: André Schrottenloher, Alexandre Wallet;
 Finite Fields and Applications: Alexandre Wallet;
11.1.4 Invited talks
 Alexandre Wallet was invited to PQShield (Paris, France) to present his work accepted at Asiacrypt 2023: On Gaussian sampling, smoothing parameter, applications to signatures — October 2023.
11.1.5 Scientific expertise
We evaluated research projects for many research funding agencies.
11.1.6 Research administration
Pierre-Alain Fouque is the scientific coordinator of the PEPR project PQTLS.
11.2 Teaching - Supervision - Juries
11.2.1 Teaching
 Master: Alexandre Wallet, Euclidean Lattices in Cryptography (REC), 12 hours, M2, University of Rennes, France;
 Master: Alexandre Wallet, Cryptanalysis (CRA), 8 hours, M2, University of Rennes and ISTIC, France;
 1st year of engineering cycle: Alexandre Wallet, Introduction to Programming with Java (INF361), 40 hours, École polytechnique, France;
 3rd year of engineering cycle: Alexandre Wallet, Cybersecurity (INF565), 12 hours, École polytechnique, France;
 André Schrottenloher was an oral examiner in fundamental computer science for the entrance examinations of the ENS (Écoles Normales Supérieures);
 Master: Pierre-Alain Fouque, Advanced Course in Cryptography for Security (BCS), 16 hours, M2, University of Rennes, France;
 Master: Damien Marion, Advanced Course in Cryptography for Security (BCS), 16 hours, M2, University of Rennes, France;
 Master: Pierre-Alain Fouque, Basic Course in Cryptography (BC), 16 hours, M1, University of Rennes, France;
 Master: Damien Marion, Basic Course in Cryptography (BC), 12 hours, M1, University of Rennes, France;
 Master: Pierre-Alain Fouque, Design and Analysis of Algorithms (ADA), 16 hours, M1, University of Rennes, France;
 Master: Damien Marion, Design and Analysis of Algorithms (ADA), 12 hours, M1, University of Rennes, France;
 Master: Alexandre Gonzalvez, Cryptography in Java, 30 hours, M1, University of Rennes, France;
 Master: Pierre-Alain Fouque, Security Proofs, 7.5 hours, M2, University of Rennes, France;
 Master: Pierre-Alain Fouque, Security of Data (SDATA), 12 hours, M1, University of Rennes, France;
 Master: Damien Marion, Security of Data (SDATA), 32 hours, M1, University of Rennes, France;
 Master: Damien Marion, Low-level Programming (LLP), 20 hours, M1, University of Rennes, France;
 Master: Damien Marion, Network Security, 20 hours, M1, University of Rennes, France;
 Master: Damien Marion, Secured Implementation for Cryptography (SIMP), 25 hours, M2, University of Rennes, France;
 Master: Damien Marion, Research Project, 24 hours, M1, University of Rennes, France;
 Bachelor: Damien Marion, Enjeux sociétaux et empreinte écologique du numérique (3EN), 12 hours, L3, University of Rennes, France;
 Bachelor: Damien Marion, Algorithmique et complexité (ACO), 16 hours, L2, University of Rennes, France;
11.2.2 Supervision
 PhD: Agathe Cheriere, Side-Channel Resistance of Cryptographic Primitives Based on Error-Correcting Codes, defense in December 2023. Supervisors: Benoît Gérard and Pierre Loidreau.
 PhD: Lucas Prabel, Trappes en Cryptographie Basée sur les Réseaux Euclidiens : Applications et Implémentation, defense in October 2023. Supervisors: Adeline Roux-Langlois and Pierre-Alain Fouque.
 PhD: Arthur Gontier, Utilisation de solveurs génériques pour la cryptanalyse de chiffrements symétriques, defense in November 2023. Supervisors:
 PhD in progress: Phuong Hoa Nguyen, MILP and symmetric-key cryptanalysis, started October 2021. Supervisors: Patrick Derbez and Pierre-Alain Fouque.
 PhD in progress: Corentin Jeudy, Advanced Post-Quantum Protocols, started October 2021. Supervisors: Pierre-Alain Fouque and Adeline Roux-Langlois.
 PhD in progress: Thi Thu Quyen Nguyen, Déploiements des signatures fondées sur les réseaux Euclidiens, started November 2021. Supervisors: Adeline Roux-Langlois (GREYC, Caen), Paul Dischamp (Idemia) and Alexandre Wallet.
 PhD in progress: Léo Ackermann, Constructions cryptographiques fondées sur les réseaux Euclidiens : nouvelles hypothèses, started September 2022. Supervisors: Adeline Roux-Langlois (GREYC, Caen) and Alexandre Wallet.
 PhD in progress: Clémence Chevignard, Module-LIP : réductions, cryptanalyse, algorithmes, started November 2023. Supervisors: Pierre-Alain Fouque, Alexandre Wallet and Rémi Giraud (Qualcomm).
 PhD in progress: Mathieu Degré, Nouveaux modèles MILP adaptés aux problèmes cryptographiques, starting January 2024. Supervisors: Patrick Derbez and André Schrottenloher.
 PhD in progress: Quentin Edme, Preuves et attaques quantiques contre les primitives et protocoles cryptographiques, starting January 2024. Supervisors: Loïc Ferreira (Orange Labs, Caen), Pierre-Alain Fouque and André Schrottenloher.
 PhD in progress: Aymeric Hiltenbrand, Attaques par canaux auxiliaires sur la cryptographie post-quantique, starting December 2023. Supervisors: Guenael Renault (ANSSI) and Pierre-Alain Fouque.
 PhD in progress: Roderick Asselineau, Symmetric Systems in Real-World Cryptography, starting December 2023. Supervisor: Patrick Derbez.
 Internship: Clémence Chevignard, Cryptanalyse du schéma Hawk, March-September 2023. Supervisors: Pierre-Alain Fouque and Alexandre Wallet.
 Internship: Heorhii Pliatsok (M2), Hermitian Decompositions in Cyclotomic Fields, April-October 2023. Supervisor: Alexandre Wallet.
 Internship: Mathieu Degré (M2), A new approach to MILP modeling to reduce the differential gap of ASCON, April-October 2023. Supervisor: Patrick Derbez.
 Internship: Jérome Guyot (L3), Algorithmes pour le problème des rotations du réseau cubique, June-August 2023. Supervisors: Pierre-Alain Fouque and Alexandre Wallet.
 Internship: Lucie Layahe (L3), Attaques algébriques sur des fonctions de hachage, June-July 2023. Supervisor: André Schrottenloher.
 Internship: Rayan Lachguel (M1), Implémentation du schéma de signature post-quantique Falcon, November 2023-March 2024. Supervisor: Pierre-Alain Fouque.
11.2.3 Juries
 Chloé Gravouil, June 27th, 2023, Pierre-Alain Fouque (Examiner)
 Julien Devevey, September 18th, 2023, Pierre-Alain Fouque (President of the jury)
 Christophe Genevey-Metat, September 28th, 2023, Pierre-Alain Fouque (Examiner)
 Lucas Prabel, October 5th, 2023, Pierre-Alain Fouque (Supervisor)
 Michael Reichle, October 9th, 2023, Pierre-Alain Fouque (Examiner)
 Nicolas David, November 8th, 2023, Patrick Derbez (Examiner)
 Clémence Bouvier, November 27th, 2023, Pierre-Alain Fouque (President of the jury)
 Léonard Assouline, December 1st, 2023, Pierre-Alain Fouque (Examiner)
 Pierre Briaud, December 11th, 2023, Pierre-Alain Fouque (President of the jury)
 Gwendal Patat, December 15th, 2023, Pierre-Alain Fouque (Supervisor)
 Johanna Loyer, December 18th, 2023, André Schrottenloher (Examiner)
 Agathe Cheriere, December 19th, 2023, Pierre-Alain Fouque (Supervisor)
 Samuel Tap, December 19th, 2023, Pierre-Alain Fouque (Examiner)
 Pierre Galissant, December 21st, 2023, Pierre-Alain Fouque (Examiner)
11.2.4 Education
 Alexandre Wallet, Petit panorama de la cryptographie post-quantique, École polytechnique, March 6, 2023. General talk on the upcoming standardization of post-quantum cryptography for students in cybersecurity.
 Pierre-Alain Fouque and André Schrottenloher participated in the first Spring School of the CyberSchool at the University of Rennes.
12 Scientific production
12.1 Major publications
 [1] (Best paper) BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding. ACNS 2023 - 21st International Conference on Applied Cryptography and Network Security, Lecture Notes in Computer Science 13905, Kyoto, Japan, Springer Nature Switzerland, May 2023, pp. 725-748.
 [2] (Best paper) On Gaussian sampling, smoothing parameter: Application to lattice signatures. ASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information Security, Lecture Notes in Computer Science, Guangzhou (Canton), China, December 2023, pp. 1-56.
12.2 Publications of the year
International journals
 [3] On the Hardness of Module Learning with Errors with Short Distributions. Journal of Cryptology 36(1), January 2023, pp. 1-72.
 [4] Related-Key Differential Analysis of the AES. IACR Transactions on Symmetric Cryptology 2023(4), December 2023, pp. 215-243.
 [5] Exploiting ROLLO's constant-time implementations with a single-trace analysis. Designs, Codes and Cryptography, Special Issue: Coding and Cryptography 2022, April 2023.
 [6] Quantum Impossible Differential Attacks: Applications to AES and SKINNY. Designs, Codes and Cryptography, 2023, pp. 1-33.
 [7] Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks. IACR Transactions on Symmetric Cryptology 2023(3), September 2023, pp. 146-183.
International peerreviewed conferences
 [8] From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake. EuroS&P 2023 - IEEE 8th European Symposium on Security and Privacy, Delft, Netherlands, IEEE, July 2023, pp. 707-723.
 [9] Finding many Collisions via Reusable Quantum Walks: Application to Lattice Sieving. EUROCRYPT 2023 - International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, April 2023, pp. 221-251.
 [10] Differential Meet-In-The-Middle Cryptanalysis. CRYPTO 2023 - 43rd International Cryptology Conference, Lecture Notes in Computer Science 14083, Santa Barbara, United States, Springer Nature Switzerland, August 2023, pp. 240-272.
 [11] (Best paper) BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding. ACNS 2023 - 21st International Conference on Applied Cryptography and Network Security, Lecture Notes in Computer Science 13905, Kyoto, Japan, Springer Nature Switzerland, May 2023, pp. 725-748.
 [12] A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics. INDOCRYPT 2023 - 24th International Conference on Cryptology in India, Lecture Notes in Computer Science, Goa, India, Springer, December 2023, pp. 1-23.
 [13] Antrag: Annular NTRU Trapdoor Generation: Making Mitaka As Secure As Falcon. ASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information Security, Lecture Notes in Computer Science, Guangzhou (Canton), China, Springer, 2023, pp. 1-56.
 [14] (Best paper) On Gaussian sampling, smoothing parameter: Application to lattice signatures. ASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information Security, Lecture Notes in Computer Science, Guangzhou (Canton), China, December 2023, pp. 1-56.
 [15] A Generic Transform from Multi-Round Interactive Proof to NIZK. PKC 2023 - International Conference on Practice and Theory of Public-Key Cryptography, Lecture Notes in Computer Science 13941, Atlanta, United States, Springer Nature Switzerland, May 2023, pp. 461-481.
 [16] Identity-Based Encryption from Lattices Using Approximate Trapdoors. ACISP 2023 - 28th Australasian Conference on Information Security and Privacy, Lecture Notes in Computer Science 13915, Brisbane, Australia, Springer Nature Switzerland, June 2023, pp. 270-290.
 [17] Lattice Signature with Efficient Protocols, Application to Anonymous Credentials. CRYPTO 2023 - 43rd Annual International Cryptology Conference, Lecture Notes in Computer Science 14082, Santa Barbara, United States, Springer Nature Switzerland, August 2023, pp. 351-383.
 [18] Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers' (mis)Implementations of Widevine EME. PETS 2023 - Privacy Enhancing Technologies Symposium 2023(4), Lausanne, Switzerland, October 2023, pp. 306-321.
 [19] Time and Query Complexity Tradeoffs for the Dihedral Coset Problem. PQCrypto 2023 - 14th International Conference on Post-Quantum Cryptography, Lecture Notes in Computer Science 14154, College Park, United States, Springer Nature Switzerland, August 2023, pp. 505-532.
 [20] Quantum Linear Key-Recovery Attacks Using the QFT. CRYPTO 2023 - 43rd International Cryptology Conference, Lecture Notes in Computer Science 14085, Santa Barbara, CA, United States, Springer Nature Switzerland, August 2023, pp. 258-291.
Reports & preprints
 [21] We Are on the Same Side. Alternative Sieving Strategies for the Number Field Sieve. Preprint, May 2023.