Better Reductions.

Our trust in the hardness of lattice-based constructions relies fundamentally on our understanding of the security reductions between the (many, structured) variants of SIS and LWE. Depending on the additional structure allowed to the designer, they are associated to number rings, ideals, and, more generally, modules over the integer ring of a number field, and related to the corresponding class of lattices with symmetries. Additionally, for LWE the noise distribution is also a parameter of the problem. Overall, this leads to a plethora of variants and versions that need some hierarchizing and a better understanding of the interplay between their related parameters. Thankfully, important classifying works have already been presented, regularly involving members of our team (e.g. 48, 73, 44.

Yet, there are still many unclear results or relations that are not yet satisfyingly understood. For example, the fundamental reductions of Ajtai and Regev are far from tight, incurring a blowup in important parameters (sometimes estimated to be in $O\left(n^{11}\right)$). While this is not a problem asymptotically, it clearly raises concerns on how to select parameters and the level of security they actually achieve. However, these proofs techniques have not been updated since their presentations: it is not unlikely that more recent tools could lead to improvements. In another example, there seems to be a non smooth gap of difficulty between the hardness of very structured variants of LWE (linked to “ideal lattices problems”) and less-but-still-quite structured ones. Roughly speaking, the former seems to belong to subexponential complexity while the latter variants are still considered exponential. Our current knowledge is also not enough to guarantee the actual existence of this gap, which prevents an accurate understanding of the underlying problems' concrete hardness. In a last example, one can also notice that all the proof strategies for these general reductions rely on the same high-level arguments. Yet, multiple works dealing with subcases had to be presented to reach the current state of the art. On the one hand, it could be that there is a unifying, all-encompassing presentation that would greatly simplify the state of the affairs and bring a kind of maturity to this field. On the other hand, there may be fundamental obstructions to a general framework, and highlighting them would definitely help the community's understanding. These three examples raise important questions first about security, but also about our way of using the mathematical tools behind these results. Our team's objectives are to investigate all these paths and to find either positive or negative answers to improve the general understanding of the area.

Algorithms for hard problems and attacks on cryptosystems.

We have proposed some algorithms to study the security of hard computational problems in cyclotomic fields as the Principal Ideal Problem (PIP) in 40, reducing module lattices as a generalization of the LLL algorithm in the ring of integers of a number field in 64 or in a tower of cyclotomic fields in 61. We generalized the BKW algorithm to binary LWE setting in 62 and studied the Learning Parities with Noise (LPN) Problem in 65.

We have also attacked concrete cryptographic schemes. We broke some multivariate schemes such as the SFLASH signature schemes in 54 and variants 58, and the ASASA schemes in 69. We have also broken FHE schemes based on overstretched NTRU parameters in 63 or concrete FHE in 49.

We want to study the resistance of post-quantum cryptosystems and hard problems against classical and quantum adversaries. It is particularly interesting for lattice problems since the cryptanalysis of these problems is very young. One key objective in this line of research would be to find an analog of the BKZ algorithm for structured lattices defined over a number field. It is also interesting to improve the recent work of 37, which suggests that this problem may be weaker than previously thought.

Constructions and practical cryptosystems.

Applications of cryptography usually culminate with the description of an efficient cryptosystem. An important part of our activity in post-quantum cryptography therefore targets the design of new schemes resistant to quantum attackers, providing advanced functionalities to its users, without sacrificing efficiency.

In this area, members of CAPSULE have worked on the lattice-based signature scheme Falcon and its efficiency-security trade-off ModFalcon 50. A first objective would be to extend in a useful way the so-called “trapdoor generation” which is core to the two schemes above. In a nutshell, the secret key corresponds to a basis of short vectors of a lattice, that only the user should be able to compute efficiently. ModFalcon already extended the class of lattices for which this can be done, and it is an interesting question to manage an even larger class of lattice. In terms of applications, this would allow for even more flexibility, which can be particularly useful when the signature scheme is used as a black box inside a larger cryptographic algorithm. It could also allow for other functionalities such as threshold signatures or maybe masked signatures. On this line of thought, we are also interested in designing masked lattice signatures or even multi-party signatures. While there have been very recent proposals (relying on a different paradigm than the Falcon family), the efficiency is still lacking in practice. A success here could lead to concrete industrial applications.

But this is not the only construction on which the team is currently working. There are many interesting cryptographic constructions that need to be studied to obtain efficient post-quantum schemes, such as signatures and zero-knowledge proofs, but also signatures with more properties like group signatures, blind signatures ... and applications like e-voting. Indeed, a lot of progress have been made to obtain efficient signatures and public key encryptions, especially with the NIST competition, but the efficiency of more advanced schemes is still far from existing (but not post-quantum) solutions. One of the big challenges would be to obtain efficient zero-knowledge proof systems, as this primitive is often an easy way to build more advanced primitives.

Tools for discovering new attacks.

Symmetric cryptosystems are widely used because they are the only ones that can achieve some major functionalities such as high-speed or low-cost encryption, fast message authentication, and efficient hashing. But, unlike public-key cryptographic algorithms, secret-key primitives do not have satisfying security proofs. The security of these algorithms is empirically established by cryptanalysis.

It is obvious that this security criterion, despite its success so far, is not completely satisfactory. For instance we may estimate that, for a given primitive, no more than a few dozens of researchers are actively working on breaking it. Hence, due to this weak effort, the non-discovery of an attack against a particular primitive does not mean so much. Besides, finding the best attacks on a given design is a time-consuming work, and errors can lead to under- or over-estimating its security.

Therefore, our team specializes in building tools for automatically finding large classes of attacks. This transforms the statement “we did not find any attack of this kind”, which is only a subjective guarantee, into “the audit tool X did not find any attack”, which is a formal statement, giving a quantifiable objective guarantee.

In the past, the members of the team have proposed many tools, for example for improving attacks on round-reduced versions of AES 45, Demirci-Selçuk attacks on AES 52, and impossible differential attacks 51.

Our more recent work uses tools based on MILP (Mixed Integer Linear Programming), SAT (Satisfiability) or CP (Constraint Programming). In this setting, the search and optimization of an attack are reduced to a problem of a specific form, for which an off-the-shelf solver is used. Besides the actual work of implementing this reduction, our research aims at better understanding the differences between these optimization tools, finding which ones are more adapted for a given problem, and adapting some of these general-purpose software tools to particular cryptographic problems.

Finding and optimizing a cryptanalytic attack in its entirety is an especially interesting problem, since it requires the integration of different steps (for example a good distinguisher and a key-recovery phase). Since the search space is of exponential size, often making the problem intractable, it is possible to first find an approximation of the best attacks and then instantiate precisely the values of the parameters. Also, if MILP, SAT and CP tools quickly give an answer, it is tempting to build ad-hoc tools that can more efficiently take into account the weaknesses discovered by these tools.

Finally, there are only a few tools for analyzing the security of ARX ciphers based on additions, rotations and xor operations. These functions are hard to analyze with the current cryptanalytic techniques, and no attack has really endangered the full Chacha stream cipher proposed by Dan Bernstein or the block cipher Speck proposed by the NSA. They can be implemented very efficiently in x86 processors and currently Chacha is in the most used ciphersuites on TLS, making them prominent targets for cryptanalysis.

New Designs.

Our goal is to analyze the security of the new symmetric-key designs by developing new cryptanalytic techniques. The LowMC block cipher is one of the first symmetric primitives designed for taking into account the efficiency constraints of public-key cryptosystems. It has been built as a FHE-friendly cipher, by minimizing the number of multiplicative gates which are the main efficiency bottleneck for this application. Several attacks have been proposed on LowMC and LowMC v2. LowMC v3 was used in Picnic, a Zero-Knowledge-based post-quantum signature scheme proposed at the NIST competition, which wasn't standardized.

The Keccak hash function has been standardized in 2015 as SHA-3. Keccak brought new interest in a new design called Sponge function and permutation-based primitives. Some round-reduced versions of SHA-3 have been used in many constructions from Pseudo-Random Generator in SHAKE, to the Pseudo-Random Function Farfalle 39, the authenticated encryption scheme Keyak, or the hash function KangarooTwelve proposed as an RFC. Only a few attacks have been proposed against SHA-3 and new cryptanalysis tools need to be designed.

Quantum Cryptanalysis.

Since 2016, many works have been done in the cryptanalysis of symmetric primitives using quantum algorithms. While symmetric cryptosystems are generally believed to hold well against adversaries equipped with a quantum computer, these works have substantiated these claims with dedicated security analyses, such as the best attacks against reduced-round versions of the standard AES 42.

Grover's search algorithm, which can provide a quadratic speedup on exhaustive key search (from $2^k$ operations to $2^{k/2}$), is often cited as the main player in the quantum security of symmetric primitives. However, in the past few years, the landscape of quantum algorithms for cryptanalysis has considerably expanded, with notable results such as quantum speedups above quadratic for specific constructions 43. These recent works highlight the benefit of combining state-of-the-art quantum algorithms and symmetric cryptanalysis techniques.

In team CAPSULE, our research in quantum cryptanalysis is three-fold.

First, we develop new quantum algorithms for cryptanalytic problems, which we aim to apply in symmetric cryptography, but may also have applications in public-key cryptography. An example of such a double-edged sword is our recent work on quantum walks 41.

Second, we analyze existing classical cryptanalysis techniques and study how to translate them into quantum cryptanalysis techniques. Intuitively, a primitive that is classically vulnerable should be quantumly broken as well, but this is not always the case, as classical attack strategies are not always exploitable in the quantum setting. Our research in this area focuses on the strategies which can exhibit the largest quantum speedups, quadratic (like Grover's search) or even above by using advanced frameworks.

Finally, after identifying new classes of quantum attacks, we aim at integrating these attacks into automated tools. Indeed, the task of finding and optimizing quantum attacks can be even more challenging that classical ones, since they rely often on different strategies, sometimes counterintuitive. Furthermore, since the resulting procedures are quantum algorithms, the analysis of their time and memory complexities comes with specific technicalities. Our goal is to automatize this step as well in a way that may benefit cryptanalysts interested in this topic but unfamiliar with quantum algorithms.

Hardware and embedded implementations.

Side Channel Attacks (SCA) rely on statistical tools to extract the secret information from leakage traces. Then, algorithmic techniques usually based on previous cryptanalytic results are used to efficiently recover secret data. Indeed, the known black-box attacks are extended by exploiting the leakage information, that gives more information on the internal secret variables, a.k.a. the grey-box model. The SCA information can be for instance the Hamming weight of a limited number of variables. Recently, the white-box model has been proposed, where the adversary can stop the execution of a process and has access to all variables.

Side-channel attacks have been successfully applied to break many embedded implementations these last 20 years. After the information theoretic approach of Ishai, Sahai and Wagner 60 to prove the security of implementations, secure theoretical foundations have been laid by Prouff and Rivain and later Duc et al. in 72, 55. Soon after, some tools have been developed such as 31, 32, 30 to protect software and hardware implementations with masking techniques. Nowadays, we have sound masking schemes. Some of them already have been introduced into lattice-based implementations 33, where generally securing randomness presents an interesting challenge. We aim at extending the results of 33, 34, 68, 57 to other post-quantum alternatives like code-based, multivariate, or hash-based schemes and to provide secure implementations.

More recently, other tools coming from statistical learning (such as deep learning) have been proposed to break embedded implementations. They open the door to powerful techniques and more efficient attacks. Template attacks model the leakage distribution with a Gaussian distribution, approximating the actual distribution by considering its mean and its standard deviation. More standard attacks, a.k.a. Differential Power Analysis (DPA), only consider the mean. However, higher moments can be useful to consider. Deep learning techniques are useful to efficiently extract complex relations between variables even in the presence of noise. Taking into account these more powerful deep learning or white-box attacks as well as developing countermeasures is a hot, trendy topic in SCA. In the former, deep learning allow to find correlations between many points of interest of one curve, a.k.a. horizontal attacks. In the latter, white-box cryptography provides the adversary with the same kind of information, since they can stop the execution of the program and get noiseless information on all of its variables. Taking into account such powerful attackers is one main challenge for side-channel attacks.

Finally, we are interested to work on the new micro-architectural attacks HertzBleed and others. These attacks show that side-channel attacks are also a threat to software implementations. Porting to software some of the many techniques used to secure embedded systems is thus a major topic.

Software implementations.

Constant-time implementation is a programming principle that aims at providing code where the running time and memory accesses are independent of the secret values. Timing leakage can be used to mount attacks on computers and smartphones. There exist many tools in the literature that help developers to avoid these leakage, but insecure implementations are still aplenty. For instance, we recently broke the WPA-3 implementation used in FreeRadius and iwd (iNet Wireless Daemon) 46, and also found other weaknesses.

We want to discover new attacks in open-source libraries and to help developers in order to verify the constant-time property of their codes. For example, some tools are tailored to small pieces of cryptographic codes and do not scale well with more complex codes that rely on many libraries. Our goal is to provide verification tools for analyzing the constant-time property of large source codes. We are also interested in studying the security of DRM systems used in widely deployed systems. We do not have permanent researchers on reverse-engineering, but we work with postdoc students such as Alexandre Gonzalvez, as well as Mohamed Sabt from the Spicy team on this topic. Besides, we co-supervise 3 theses on the security of software implementations.

Security Proofs of Protocols and Real-World Systems.

We are interested in studying the security of cryptographic protocols deployed in the real-world such as WhatsApp, middlebox, Content-Delivery Network (CDN), TLS, and 5G networks. Recently, we have also considered the security of searchable symmetric encryption, where the goal is to outsource the storage of a database to an untrusted server, while maintaining search capabilities. This last area is a nice application of secure computations and the PhD thesis of R. Bost (P.A. Fouque's PhD student) in this domain received the GDR Security price of the best PhD in 2018. We also work with Cristina Onete, an assistant professor at Limoges on this topic. Currently, we are interested to propose hybridization techniques between pre- and post-quantum cryptography for various protocols such as Signal, IPSEC, ... in the PEPR post-quantum cryptography.

NIST post-quantum competition.

The NIST post-quantum competition aims at standardizing quantum-safe public-key primitives. The goal is to propose a quantum-safe alternative for the schemes based on number theory which are threatened by the advent of quantum computers. It is expected to have a huge and long-term impact on all public-key cryptography. It received 69 proposals in November 2017. The Falcon signature scheme, co-designed by some members of the Capsule team, has been selected by NIST in July 2022. We have also submitted Solmae to the Korean Post-Quantum Competition, which is a variant of Falcon that is easier to implement hence to protect from SCA. Finally, we have also proposed BAT 56, an encryption scheme that follows the design rationale of Falcon. We plan to submit this scheme to the IETF as it enjoys interesting properties in terms of bandwidth, that are not displayed by NIST's selected key encapsulation scheme, Kyber.

In June 2023, we have submitted the PROV and VOX signature schemes to NIST's new call for digital signatures. These two schemes are based on multivariate cryptography problems, and are variants of the unbalanced Oil-and-Vinegar signature schemes, proposed in 1997 by Patarin. PROV has a security proof, while VOX is a stronger version of UOV that avoids known weaknesses (namely, UOV has a large set of isotropic vectors common to all quadratic forms of the public key).

NIST competition on lightweight symmetric encryption.

The NIST lightweight cryptography standardization process is an initiative to develop and standardize new authenticated encryption algorithms suitable for constrained devices. There is a real need for new standards in lightweight cryptography, and the selected algorithms are expected to be widely deployed within the Internet of Things, as well as on more constrained devices such as contactless smart cards, or medical implants. The NIST received 56 submissions in February 2019. Team Capsule has studied the security of some of these schemes.

Monitoring Current Standards.

While we are very involved in the design phase of new cryptographic standards, we also monitor the algorithms that are already standardized. We look at some implementations of WPA3 and we discovered a micro-architectural attack 47. We also studied the privacy of the EME standard (Encrypted Media Extensions) for Digital Rights Managments in browsers in 70.

7.1.1 TNFS-alpha

• Name:
  alpha for the Tower Number Field Sieve algorithm
• Keyword:
  Cryptography
• Functional Description:
  This library implements a simulation tool for the tower number field sieve algorithm computing discrete logarithms in extension fields of small degree (tested up to 54). The library contains an implementation of the exact computation of alpha, the bias between the expected smoothness of an integer and the expected smoothness of a norm of an algebraic integer in a number field made of two extensions. The algorithm is a generalization to extensions of the exact implementation of alpha in the software CADO-NFS. The software contains an implementation of the E-function of B. A. Murphy (Murphy's E) which estimates the quality of the polynomial selection step in TNFS through a simulation of the yield of the relation collection in the TNFS algorithm. Finally, it contains a database of pairing-friendly curve seeds with the estimated level of security w.r.t. a discrete logarithm computation in the corresponding finite field.
• News of the Year:
  In 2024, the new pairing-friendly elliptic curves obtained in the work by Gasnier and Guillevic were included in the library as a few family of curves like BN, BLS or KSS. The library was extended to consider the curves selected in Aranha, Fotiadis and Guillevic at the 192-bit security level.
• URL:
  https://­gitlab.­inria.­fr/­tnfs-alpha/­alpha
• Publications:
  hal-04666521, hal-04205681, hal-03667798, hal-03371573, hal-02263098, hal-02396352
• Contact:
  Aurore Guillevic
• Participant:
  Aurore Guillevic

7.1.2 ALPINAC

• Name:
  ALgorithmic Process for Identification of Non-targeted Atmospheric Compounds
• Keyword:
  Chemistry
• Functional Description:
  ALPINAC identifies up to 95% of the measured signal obtained from an Electron-Impact Time-of-Flight High Resolution Mass Spectrometer (EI ToF HRMS) on air sampling, without a-priori knowledge on the encountered chemical compounds, without database search. The software was successfully tested on mass spectrum ranging from 23 m/z to 330 m/z.
• URL:
  https://­gitlab.­inria.­fr/­guillevi/­alpinac
• Publication:
  hal-03176025
• Contact:
  Aurore Guillevic
• Partner:
  EMPA

Key Committing Attacks against AES-based AEAD Schemes

 7

Participants: Patrick Derbez, Pierre-Alain Fouque, André Schrottenloher.

The security of authenticated encryption with associated data (AEAD) cryptosystems in the context of key commitment has been the topic of several recent works 67. In this context, in addition to ensuring authenticity and confidentiality of the data, the cryptosystem should ensure that an adversary cannot produce two sets of key and messages that would be encrypted into the same ciphertext. This property appears to be particularly useful for real-world scenarios such as encrypted messaging. In this work, we show that the schemes AEGIS and Rocca-S are not key-committing.

Part of the results obtained in this work originated from our security analysis of Rocca-S, performed during 2023 under a contract with KDDI (Japan)

Improving Generic Attacks Using Exceptional Functions

 11

Participants: André Schrottenloher.

The paper 11 with Xavier Bonnetain (Inria team CARAMBA), Rachelle Heim Boissier and Gaëtan Leurent (Inria team COSMIQ) proposes new attacks on symmetric constructions using the statistical properties of random functions. The starting point is a technique of Gilbert et al. 59, who gave a new forgery attack on the Duplex authenticated encryption mode by finding exceptional random functions. These exceptional functions are those for which their graph admits a large component with an exceptionally small graph.

This work first improves the attack of Gilbert et al. from an asymptotic complexity $𝒪\left(2^{3c/4}\right)$ to $𝒪\left(2^{2c/3}\right)$, where $c$ is the capacity of the Duplex, using nested exceptional functions. Then, new generic attacks against Merkle-Damgård hash combiners are introduced, which improve the complexities of the best existing attacks on the XOR combiner, Zipper Hash and Hash-Twice.

A Generic Algorithm for Efficient Key Recovery in Differential Attacks - and its Associated Tool

12

Participants: Patrick Derbez.

The paper 12 presents a new algorithm dedicated to the key recovery of differential attacks. This algorithm, under some assumptions on the ciphers, allows to determine the optimal order in which the key bits involved in the key recovery should be guessed. We also propose an efficient implementation of this algorithm, the KiRiDi tool, and improved several differential attacks. We have made this tool available on the Inria Gitlab platform.

Alternative Key Schedules for the AES

13

Participants: Patrick Derbez.

In the paper 13 we study alternative key schedules for the different versions of the AES. We focused on permutations and differential cryptanalysis. The main result of this paper is the new framework we introduce to search for the best permutation to be used as a key schedule. Our approach relies on two MILP models, one to generate permutations and a second to search for differential characteristics activating less than $b$ active S-boxes, $b$ being given by the user. Each time the second model finds a differential characteristic, a constraint is added to the first model such that all the next permutations it will generate cannot lead to the same characteristic. As a result we propose new key schedules for all three versions of AES that improve the resistance against differential cryptanalysis.

Revisiting Differential-Linear Attacks via a Boomerang Perspective with Application to AES, Ascon, CLEFIA, SKINNY, PRESENT, KNOT, TWINE, WARP, LBlock, Simeck, and SERPENT

16

Participants: Patrick Derbez.

In the paper 16, we show the similarities between two cryptanalysis techniques: boomerang attacks and differential-linear attacks. We then use this to propose new models to search the best differential-linear distinguishers on a large number of ciphers. As a result we found many new distinguishers, improving the best known results regarding this cryptanalysis technique.

Equivalence of Generalised Feistel Networks

6

Participants: Patrick Derbez, Marie Euler.

Generalized Feistel Networks (GFN) are defined by their internal branch-permutations. To find the best GFN, we thus have to exhaust the space of permutations which grows exponentially with the number of branches. To reduce the number of permutations to study it is important to rely on equivalence classes. Therefore in the work 6 we propose a new equivalence class regarding the diffusion round, which is the number of rounds required to achieve full diffusion. As a result, the search space is much smaller than with previous approaches and we were able to find better permutations for the cipher WARP.

Cryptanalysis of Full-Round BipBip

9

Participants: Patrick Derbez.

Cryptographic Capability Computing (C3) is the first stateless memory safety mechanism that eliminates the need for additional metadata storage. C3 relies on an ultra-low-latency cipher to prevent load delays, requiring a block size as small as 24 bits. This is the context in which the block cipher BipBip was designed. In the paper 9 we mount an advanced meet-in-the-middle attack against the full cipher, showing that the security offered by BipBip is lower than expected by its designers.

Does quantum lattice sieving require quantum RAM?

24

Participants: Yixin Shen.

This paper studies the requirement for quantum random access memory (QRAM) in quantum lattice sieving, a fundamental algorithm for lattice-based cryptanalysis.

First, we obtain a lower bound on the cost of quantum lattice sieving with a bounded size QRAM. We do so in a new query model encompassing a wide range of lattice sieving algorithms similar to those in the classical sieving lower bound by Kirshanova and Laarhoven [CRYPTO 21]. This implies that, under reasonable assumptions, quantum speedups in lattice sieving require the use of QRAM. In particular, no quantum speedup is possible without QRAM.

Second, we investigate the trade-off between the size of QRAM and the quantum speedup. We obtain a new interpolation between classical and quantum lattice sieving. Moreover, we show that further improvements require a novel way to use the QRAM by proving the optimality of some subroutines. An important caveat is that this trade-off requires a strong assumption on the efficient replacement of QRAM data, indicating that even speedups with a small QRAM are already challenging.

Finally, we provide a circuit for quantum lattice sieving without using QRAM. Our circuit has a better depth complexity than the best classical algorithms but requires an exponential amount of qubits. To the best of our knowledge, this is the first quantum speedup for lattice sieving without QRAM in the standard quantum circuit model. We explain why this circuit does not contradict our lower bound, which considers the query complexity.

Single-Query Quantum Hidden Shift Attacks

4

Participants: André Schrottenloher.

This paper with Xavier Bonnetain (Inria team CARAMBA) introduces a new family of quantum attacks in the superposition query model (also named Q2 in the literature), which perform forgery or key-recovery for some authenticated encryption (AE) schemes.

Traditionally Q2 attacks use a period-finding algorithm such as Simon's algorithm to recover some secret information. The exponential acceleration offered by such algorithms, they allow to break some classically secure primitives. However, such breaks require superposition query access, which is a rather theoretical model (in particular, the schemes attacked in our paper remain secure against standard quantum adversaries).

In this paper, we use a different period-finding algorithm than Simon's, allowing to succeed in some cases where only one such superposition query is allowed, usually as the result of using a nonce in the mode. This leads to attacks against Rocca, Rocca-S, Tiaoxin-346 and AEGIS-128L.

Quantum Procedures for Nested Search Problems: with Applications in Cryptanalysis

8

Participants: André Schrottenloher.

In this paper we study the family of nested search algorithms, which often arise in the context of cryptanalysis. These algorithms perform an exhaustive search in several layers, where each layer introduces a new degree of freedom and / or constraints.

While it is well known that Grover's algorithm and Amplitude Amplification speed up generically these nested searches, the analysis of such algorithm has often been performed in a case-by-case manner. To remedy this issue, and allow for an easier estimation of the overall complexities, we introduce a generic framework and tools to transform a classical nested search into a quantum procedure. We give generic complexity formulas and reach further improvements using numerical optimization. We demonstrate our framework by giving a tighter analysis of quantum attacks on reduced-round versions of the block cipher AES.

Reducing the Number of Qubits in Quantum Information Set Decoding.

14

Participants: Clémence Chevignard, Pierre-Alain Fouque, André Schrottenloher.

This paper optimizes the number of qubits used in the quantum variant of Prange's Information Set Decoding (ISD) algorithm, which was originally proposed by Bernstein 38. This algorithm is especially important for post-quantum cryptography, as it largely determines the level of quantum security that one can expect from code-based cryptosystems.

This algorithm has a very simple structure: it performs a Grover search which, at each iteration, inverts a matrix. Our contribution focuses on the matrix inversion circuit. Here, we show that this inversion can be performed in an implicit way, reducing the number of qubits from quadratic to linear in the code length (i.e., the security parameter of the cryptosystem). We give several trade-offs and perform a precise estimation of the resources required by this circuit, which is supported by a full implementation. We have made this implementation available on the Inria Gitlab platform. As an example, while the computational complexity remains asymptotically unchanged, our new trade-offs reduce the number of qubits from millions to tens of thousands in attacking the Classic McEliece scheme.

Reducing the Number of Qubits in Quantum Factoring.

20

Participants: Clémence Chevignard, Pierre-Alain Fouque, André Schrottenloher.

This paper obtains a significant reduction in the number of qubits in Shor's factoring algorithm. The main idea of the paper is to realize explicitly the output compression technique of May and Schlieper 66. Indeed, Shor's algorithm needs to find the period of a modular exponentiation function: the space then depends on the size of the input ($𝒪\left(n\right)$ bits), the size of the output ($n$ bits for $n$-bit numbers) and the additional space needed for performing reversible arithmetic operations. May and Schlieper showed that the algorithm will still work if one reduces the output size. Whether this could be used to reduce the total space was so far an open question.

In this work, we designed a new classical reversible circuit for the operation $x\to \left(a^x(modN)\right)(mod{2}^r)$, where $a,N,r$ are fixed, and $r$ is a constant, using only $𝒪(loglogN)$ space in addition to the size of $x$. This circuit, which is based on a Residue Number System, allows the effective compression of the output space in Shor's algorithm, leading to the smallest numbers of qubits for factoring RSA moduli known to date. Indeed we estimate that only 1730 qubits would be needed to factor RSA-2048, at the expense of an increase in gate count (while the asymptotic cost remains $𝒪\left({(logN)}^3\right)$).

In order to perform precise resource estimates, we have fully implemented the circuits and made these implementations available on the Inria Gitlab platform. The full version of the paper is currently a preprint and it will be presented as a plenary talk in the upcoming QIP 2025 conference 1.

8.4.1 Lattices

8.4.2 Elliptic curves

Participants: Aurore Guillevic.

Masking the GLP Lattice-Based Signature Scheme at Any Order

3

Participants: Pierre-Alain Fouque.

This paper is the journal version of a Eurocrypt 2018 paper. Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly nonlinear and typically involve randomness) has not been considered until now. In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.

They're not that hard to mitigate: What Cryptographic Library Developers Think About Timing Attacks

17

Participants: Daniel de Almeida Braga, Pierre-Alain Fouque.

This paper is a survey we set up to ask 44 developers of 27 widespread cryptographic libraries about their awareness and practices regarding side-channel threats. Side channel attacks have been known for decades, but still plague current cryptographic implementations, and not a year passes without new published attacks, targeting widespread implementation. Most academic work toward solving these issues focuses on suggesting new designs that are not affected by these attacks, or providing analysis tools to detect them. The residual side channel vulnerabilities reflect a gap between academic research and real-world engineering. The goal of this survey is to understand the source of that gap, and identify ways to reduce it, by asking feedback to the very people who will handle the practical deployment of solutions. The main findings highlight a leaky pipeline in the process of treating the cause of side-channels: all candidates were aware of the side-channel threat, but only part of them included it in the threat model, to prioritize other issues. Some of the main aspects hindering the use of academic tools include their usability, and lack of consideration to real-world constraints (CI/CD, delta mode, ...). Based on these observations, we made a list of recommendations addressed to tool developers and library developers.

“These results must be false”: A usability evaluation of constant-time analysis tools

21

Participants: Daniel de Almeida Braga, Pierre-Alain Fouque.

The paper 21 is a follow-up study on our previous work 17. In the first work, we higlighted usability as one of the main hinderance to the constant-time anlysis tool's deployment. The goal of this paper is to study the elements that make this specific class of tool "usable". As the previous paper focused on a survey, asking theoretical questions, we designed this study to gain knowledge on practical elements related to tools usage. To do so, we conducted a two-part usability study on 6 tools across various tasks that emulate the learning of each tool on textbook exercises, and on real-world contexts. We found that all tools face similar usability issues at different levels, hindering their use in all cases. Based on these observations, we addressed a series of recommendations, as a checklist for future tool developers, and complemented the documentation and bootstrapping of the tools involved in our study, to ease future use.

10.1.1 Horizon Europe

• ERC SoBaSyC (2024 –> 2029)

Participants: Patrick Derbez  (Expert Contributor, involved at 20%).

Symmetric cryptography, essential for enabling secure communications, has benefited from an explosion of new results in the last two decades, in big part due to several standardization efforts: many public competitions have been launched since 1997, where the community proposes cryptographic constructions and simultaneously evaluates their security and performance. The security of symmetric cryptography is based on cryptanalysis: we only gain confidence in a symmetric cryptographic function through extensive and continuous scrutiny. However, the current context has not allowed the community to digest all the new findings, as can be seen from several recurrent issues. The two main ones are: 1) primitives proposed at top-tier venues often get broken by slight modifications of already known techniques; 2) published cryptanalysis at top conferences sometimes include mistakes, are not optimal, or are often re-invented and re-named. The main challenge of SoBaSyC is to establish solid bases for symmetric cryptography.

Using cryptanalysis as the starting point, the aim is to unify the knowledge obtained through the years on the different families of attacks, to transform it with an algorithmic approach and to endow it with optimizations. The final result will be a toolbox congregating all our newly proposed optimized algorithms, that will provide the best known attacks on a given construction, through an easy application. Next, the plan is to derive from this algorithmic approach some theoretical bounds, as well as some properties that will be included in the security proofs of symmetric constructions, providing more meaningful and realistic security arguments. This would allow, for the first time, to ensure that any newly proposed primitive or construction is already resistant to all known attacks, and will considerably increase the confidence on these functions. It will also save a considerable amount of time and allow the field to advance, at last, on solid ground.

The PI of this project is María Naya-Plasencia from the Inria team COSMIQ.

11.1.1 Scientific events: organisation

11.1.2 Scientific events: selection

11.1.3 Journal

11.1.4 Invited talks

• Pierre-Alain Fouque - Summer School on PQC co-organized with IACR, 2 talks on Quantum Factorization and Falcon signature, July 14-17, 2024, Warsaw, Poland
• Pierre-Alain Fouque - Summer School on PQC - Introduction to lattice-based cryptography, 2 courses, September 9-13, 2024, Corsica, France
• Pierre-Alain Fouque - Post-Quantum Cryptography Journée Scientifique Inria, August 28-30, 2024, Grenoble, France
• Pierre-Alain Fouque - Transition Post-Quantique - Journée scientifique du PEPR Cybersécurité, December 11, 2024, Campus Cyber, Paris, France
• Patrick Derbez - KiRiDi Tool for Key recovery in Differential attacks - Dagsthul Seminar, January 21-26, 2024, Dagsthul, Germany
• Aurore Guillevic - Elliptic curves for SNARK and proof systems - Journées Numération, Arithmétique, Cryptographie February 29 – March 1st 2024, Jussieu, Paris, to celebrate the retirement of Jean-Claude Bajard
• André Schrottenloher - Quantum Security of Symmetric Cryptosystems - QSI Spring School on post-quantum cryptography, March 12-15, 2024, Porto (Portugal)
• Patrick Derbez - Alternative Key Schedules for the AES - September 25, 2024, NTT, Japan
• Aurore Guillevic - Introduction on Elliptic Curves, Introduction on Pairings and on the CM Method - School on Elliptic Curve Cryptography (ECC), Taipei, Taiwan, October 28-29, 2024
• Aurore Guillevic - Elliptic Curves for SNARK and Proof Systems - ECC 2024, Taipei, Taiwan, October 30 - November 1, 2024
• André Schrottenloher - Single-query Quantum Hidden Shift Attacks - ASK 2024, Kolkata, India, December 14-17, 2024
• Patrick Derbez - Alternative Key Schedules for the AES - ASK 2024, Kolkata, India, December 14-17, 2024

11.2.1 Teaching

• Master: Pierre-Alain Fouque, Advanced Course in Cryptography for security (BCS), 16 hours, M2, University of Rennes, France;
• Master: Pierre-Alain Fouque, Basic Course in Cryptography (BC), 12 hours, M1, University of Rennes, France;
• Master: Pierre-Alain Fouque, Design and Analysis of Algorithm (ADA), 32 hours, M1, University of Rennes, France;
• Master: Pierre-Alain Fouque, Security Proof, 7,5 hours, M2, University of Rennes, France;
• Master: Pierre-Alain Fouque, Security of Data (SDATA), 12 hours, M1, University of Rennes.
• Master: André Schrottenloher, Enjeux de la cryptographie post-quantique, 7.5h eqTD, CentraleSupélec Rennes
• Engineer cycle: André Schrottenloher, Théorie de la cryptologie - Introduction à la cryptographie post-quantique, 15h eqTD, IMT Atlantique
• Master: Aurore Guillevic, Advanced Course in Cryptography for security (BCS), 16.5 hours lab sessions, M2, University of Rennes, France;
• Master: Aurore Guillevic, Mathematics for security (MSEC), 12 hours lectures, 2 $\times$ 12 hours lab sessions, M1, University of Rennes, France;
• Master: Aurore Guillevic, Unix refresher crash course, 6 hours lab sessions, M1, University of Rennes, France;
• Master: Daniel De Almeida Braga, Cybersécurité: Menaces et organisations, hygiène numérique (SENV), 6 hours lectures, 10.5 hours lab sessions, M1, University of Rennes, France;
• Master: Daniel De Almeida Braga, Sécurité avancée des SI d'entreprise (SSYS2), 18 hours lectures, 36 hours lab sessions, M2, University of Rennes, France;
• Master: Daniel De Almeida Braga, Low Level Programming (LLP), 19.5 hours lab sessions, M1, University of Rennes, France;
• Master: Daniel De Almeida Braga, Project Security, 24 hours eqTD, M1, University of Rennes, France;
• Master: Daniel De Almeida Braga, Basic Course in Cryptography (BC), 12 hours lab sessions, M1, University of Rennes, France;
• Bachelor: Daniel De Almeida Braga, Introduction à la Securité (ISE), 1.5 hour lecture, 3 hours lab sessions, L1, University of Rennes, France;
• Bachelor: Patrick Derbez, Introduction à la Sécurité (ISE), 5.25 hours eqTD, L1, University of Rennes, France;
• Bachelor: Patrick Derbez, Introduction à la Programmation Impérative (IPI), 28.5 hours eqTD, L1, University of Rennes, France;
• Bachelor: Patrick Derbez, Algorithmique et Complexité (ACO), 56.25 hours eqTD, L2, University of Rennes, France;
• Bachelor: Patrick Derbez, Arithmétique pour la cybersecurite (ARIC), 18 hours eqTD, L2, University of Rennes, France;
• Master: Patrick Derbez, Project Security, 24 hours eqTD, M1, University of Rennes, France;
• Master: Patrick Derbez, Cryptanalyse, 24 hours eqTD, M2, University of Rennes, France;
• Master: Damien Marion, Security of Data (SDATA), 32 hours, M1, University of Rennes;
• Master: Damien Marion, Secured Implementation for Cryptography (SIMP), 25 hours, M2, University of Rennes (with students from INSA, IMT-Atlantique and CentraleSupélec rennes).
• Bachelor: Damien Marion, Enjeux sociétaux et empreinte écologique du numérique (3EN), 18 hours, L3, University of Rennes, France;
• Master: Damien Marion, project supervision, 12 hours, M1, University of Rennes;
• Master: Damien Marion, database security, 12 hours, M1, University of Rennes;
• André Schrottenloher was Oral examiner for fundamental computer science in the entrance examinations of the ENS (Écoles Normales Supérieures). (20 hours of examinations).

11.2.2 Supervision

• PhD: Corentin Jeudy, Design of Advanced Post-Quantum Signature Schemes, Defended on June 18th, 2024. Supervisors: Pierre-Alain Fouque and Adeline Roux-Langlois.
• PhD: Thi Thu Quyen Nguyen, Déploiements des signatures fondées sur les réseaux euclidiens, Defended on December 12, 2024. Supervisors: Adeline Roux-Langlois (GREYC, Caen), Paul Dischamp (Idemia) and Alexandre Wallet.
• PhD in progress: Phuong Hoa Nguyen, MILP and symmetric-key cryptanalysis, started October 2021. Supervisors: Patrick Derbez and Pierre-Alain Fouque.
• PhD in progress: Clémence Chevignard, Module-LIP: réductions, cryptanalyse, algorithmes, started November 2023. Supervisors: Pierre-Alain Fouque, Alexandre Wallet and Rémi Giraud (Qualcomm).
• PhD in progress: Mathieu Degré, Nouveaux modèles MILP adaptés aux problèmes cryptographiques, started January 2024. Supervisors: Patrick Derbez, André Schrottenloher.
• PhD in progress: Aurel Pichollet–Mugnier, Security of ASCON and Lightweight Symmetric Primitives against Quantum Attackers, started November 2024. Supervisors: Patrick Derbez, André Schrottenloher, Zoé Amblard (Thales SIX)
• PhD in progress: Baptiste Germon, Independence hypothesis in differential cryptanalysis, started October 2024. Supervisors: Patrick Derbez, Christina Boura (IRIF)
• PhD in progress: Gaël Claudel, Analyse des attaques par canaux auxiliaires de schémas de signature post quantique : approches combinées. Supervisors: Patrick Derbez, Damien Marion, Aurore Guillevic, Benoît Gérard (ANSSI)
• PhD in progress: Aymeric Hiltenbrand, Attaques par canaux auxiliaires sur la cryptographie post-quantique, from December 2023. Supervisors: Guenael Renault (ANSSI), Pierre-Alain Fouque .
• PhD in progress: Guilhem Niot, Threshold Post-Quantum Cryptography. Supervisors: Pierre-Alain Fouque and Thomas Prest (PQShield).
• Internship: Baptiste Germon (M2): On the quasidifferential framework (April - September 2024). Supervisor: Patrick Derbez
• Internship: Gaël Claudel (M2)
• Internship: Todd Cauet-Male
• Internship: Jules Rousseau (M2): Cube cryptanalysis of Ascon and Gift (April-September 2024). Supervisors: André Schrottenloher, Patrick Derbez
• Internship: Laz Panard (M2): Se débarrasser de l'arithmétique à virgule flottante : Preuve de concept et benchmarking du cryptosystème de signature numérique $\mathbb{Z}$alcon (May-October 2024). Supervisors: Aurore Guillevic, Daniel De Almeida Braga, Pierre-Alain Fouque
• Internship: Thibault Didier (L3): Optimisation d'un circuit multi-somme réversible pour la factorisation quantique (June-July 2024). Supervisor: André Schrottenloher

11.2.3 Juries

• Pierre-Alain Fouque was a reviewer of the PhD thesis of Clara Pernot (February 2, 2024, Inria Paris and Université Paris Cité, France).
• Pierre-Alain Fouque was a member (advisor) for the Ph.D. thesis committee of Corentin Jeudy (June 18, 2024, Université de Rennes, France).
• Pierre-Alain Fouque was reviewer for the Ph.D. thesis of Augustin Bariant (June 27, 2024, Sorbonne Université, France).
• Pierre-Alain Fouque was reviewer for the Ph.D. thesis of Pouria Fallahpour (July 5, 2024, École normale supérieure de Lyon, France).
• Pierre-Alain Fouque was member for the Ph.D. thesis committee of Margot Funk (October 14, 2024, Université de Versailles-Saint-Quentin-en-Yvelines, France).
• Pierre-Alain Fouque was president of the Ph.D. thesis committee of Rachelle Heim Boissier (October 15, 2024, Université Paris-Saclay, France).
• Pierre-Alain Fouque was member for the Ph.D. thesis committee of Hugo Beguinet (November 18, 2024, Université Paris sciences et lettres, France).
• Yixin Shen was member (examinor) for the Ph.D. thesis committee of Clément Ducros (November 12, 2024, Université Paris Cité).

11.3.1 Participation in Live events

• André Schrottenloher was a panelist at the event Techno conférence Voyage au centre du Quantique - Capteurs, Communications, Informatique organized by Images et Réseaux (April 4th, 2024)

International journals

• 2 articleD. F.Diego F. Aranha, G.Georgios Fotiadis and A.Aurore Guillevic. A short-list of pairing-friendly curves resistant to the Special TNFS algorithm at the 192-bit security level.IACR Communications in Cryptology13October 2024, 44HALback to text
• 3 articleG.Gilles Barthe, S.Sonia Belaïd, T.Thomas Espitau, P.-A.Pierre-Alain Fouque, B.Benjamin Grégoire, M.Mélissa Rossi and M.Mehdi Tibouchi. Masking the GLP Lattice-Based Signature Scheme at Any Order.Journal of Cryptology371January 2024, 5HALDOIback to text
• 4 articleX.Xavier Bonnetain and A.André Schrottenloher. Single-Query Quantum Hidden Shift Attacks.IACR Transactions on Symmetric Cryptology20243September 2024, 266-297HALDOIback to text
• 5 articleD.Debasmita Chakraborty, H.Hosein Hadipour, P. H.Phuong Hoa Nguyen and M.Maria Eichlseder. Finding Complete Impossible Differential Attacks on AndRX Ciphers and Efficient Distinguishers for ARX Designs.IACR Transactions on Symmetric Cryptology20243September 2024, 84-176HALDOI
• 6 articleP.Patrick Derbez and M.Marie Euler. Equivalence of Generalised Feistel Networks.IACR Transactions on Symmetric Cryptology2024March 2024, 412 - 440HALDOIback to textback to text
• 7 articleP.Patrick Derbez, P.-A.Pierre-Alain Fouque, T.Takanori Isobe, M.Mostafizar Rahman and A.André Schrottenloher. Key Committing Attacks against AES-based AEAD Schemes.IACR Transactions on Symmetric Cryptology20241March 2024, 135-157HALDOIback to text
• 8 articleA.André Schrottenloher and M.Marc Stevens. Quantum Procedures for Nested Search Problems: with Applications in Cryptanalysis.IACR Communications in CryptologyOctober 2024, 1-38HALDOIback to text
• 9 articleJ.Jinliang Wang, C.Christina Boura, P.Patrick Derbez, K.Kai Hu, M.Muzhou Li and M.Meiqin Wang. Cryptanalysis of Full-Round BipBip.IACR Transactions on Symmetric Cryptology202422024, 68-84HALDOIback to textback to text

International peer-reviewed conferences

• 10 inproceedingsO.Olivier Bernard, P.-A.Pierre-Alain Fouque and A.Andrea Lesavourey. Computing e -th roots in number fields.ALENEX 2024 - SIAM Symposium on Algorithm Engineering and ExperimentsAlexandria, United StatesSociety for Industrial and Applied MathematicsJanuary 2024, 207-219HALDOIback to text
• 11 inproceedingsX.Xavier Bonnetain, R.Rachelle Heim Boissier, G.Gaëtan Leurent and A.André Schrottenloher. Improving Generic Attacks Using Exceptional Functions.LNCSCRYPTO 2024 - 44th Annual International Cryptology Conference14923Santa Barbara, United StatesSpringer2024, 105-138HALDOIback to textback to text
• 12 inproceedingsC.Christina Boura, N.Nicolas David, P.Patrick Derbez, R.Rachelle Heim Boissier and M.Maria Naya Plasencia. A Generic Algorithm for Efficient Key Recovery in Differential Attacks – and its Associated Tool.EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques14651Lecture Notes in Computer ScienceZurich, SwitzerlandSpringer Nature SwitzerlandApril 2024, 217-248HALDOIback to textback to text
• 13 inproceedingsC.Christina Boura, P.Patrick Derbez and M.Margot Funk. Alternative Key Schedules for the AES.LNCS : Applied Cryptography and Network SecurityACNS 2024 - 22nd International Conference on Applied Cryptography and Network Security14584Abu Dhabi, United Arab Emirates2024, 485-506HALDOIback to textback to text
• 14 inproceedingsC.Clémence Chevignard, P.-A.Pierre-Alain Fouque and A.André Schrottenloher. Reducing the Number of Qubits in Quantum Information Set Decoding.Lecture Notes in Computer ScienceASIACRYPT 2024 - International Conference on the Theory and Application of Cryptology and Information SecurityKolkata, IndiaSpringer2024, 1-36HALback to text
• 15 inproceedingsT.Thomas Espitau, G.Guilhem Niot and T.Thomas Prest. Flood and Submerse: Distributed Key Generation and Robust Threshold Signature from Lattices.CRYPTO 2024 - Annual International Cryptology Conference14926Lecture Notes in Computer ScienceSanta Barbara, United StatesSpringer Nature SwitzerlandAugust 2024, 425-458HALDOIback to text
• 16 inproceedingsH.Hosein Hadipour, P.Patrick Derbez and M.Maria Eichlseder. Revisiting Differential-Linear Attacks via a Boomerang Perspective with Application to AES, Ascon, CLEFIA, SKINNY, PRESENT, KNOT, TWINE, WARP, LBlock, Simeck, and SERPENT.LNCSCRYPTO 2024 - 44th Annual International Cryptology Conference14923Lecture Notes in Computer ScienceSanta barbara, United StatesSpringer Nature SwitzerlandAugust 2024, 38-72HALDOIback to textback to text
• 17 inproceedingsJ.Jan Jancar, M.Marcel Fourné, D.Daniel de Almeida Braga, M.Mohamed Sabt, P.Peter Schwabe, G.Gilles Barthe, P.-A.Pierre-Alain Fouque and Y.Yasemin Acar. They’re not that hard to mitigate: What Cryptographic Library Developers Think About Timing Attacks.ASE 2024 - 21st Workshop on Automotive Software EngineeringLinz (AUSTRIA), AustriaGesellschaft für Informatik e.V.2024HALDOIback to textback to text
• 18 inproceedingsC.Corentin Jeudy, A.Adeline Roux-Langlois and O.Olivier Sanders. Phoenix: Hash-and-Sign with Aborts from Lattice Gadgets.PQCrypto 2024 - 15th International Conference on Post-Quantum Cryptography14771Lecture Notes in Computer ScienceOxford, United KingdomSpringer Nature SwitzerlandJune 2024, 265 - 299HALDOIback to text
• 19 inproceedingsG.Guilhem Mureau, A.Alice Pellet-Mary, G.Georgii Pliatsok and A.Alexandre Wallet. Cryptanalysis of rank-2 module-LIP in Totally Real Number Fields.Advances in Cryptology – EUROCRYPT 202443rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zurich, Switzerland, May 26–30, 2024, Proceedings, Part VIIEurocrypt 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques14657Lecture Notes in Computer ScienceZurich, SwitzerlandSpringer Nature SwitzerlandApril 2024, 226-255HALDOIback to text

Conferences without proceedings

• 20 inproceedingsC.Clémence Chevignard, P.-A.Pierre-Alain Fouque and A.André Schrottenloher. Reducing the Number of Qubits in Quantum Factoring.QIP 2025 - 28th Annual Conference on Quantum Information ProcessingRaleigh, North Carolina, United StatesFebruary 2025HALback to text
• 21 inproceedingsM.Marcel Fourné, D.Daniel de Almeida Braga, J.Jan Jancar, M.Mohamed Sabt, P.Peter Schwabe, G.Gilles Barthe, P.-A.Pierre-Alain Fouque and Y.Yasemin Acar. "These results must be false": A usability evaluation of constant-time analysis tools.2024 - 33rd USENIX Security SymposiumPhiladelphia, Pennsylvania, USA, United StatesAugust 2024, 1-18HALback to textback to text
• 22 inproceedingsA.Amaury Pouly and Y.Yixin Shen. Discrete gaussian sampling for BKZ-reduced basis.ArcticCrypt 2025Longyearbyen, Svalbard, NorwayJuly 2025HALback to textback to text

Doctoral dissertations and habilitation theses

• 23 thesisC.Corentin Jeudy. Design of advanced post-quantum signature schemes.Université de RennesJune 2024HAL

Reports & preprints

• 24 misc B.Beomgeun Cho, M.Minki Hhan, T.Taehyun Kim, J.Jeonghoon Lee and Y.Yixin Shen. Does quantum lattice sieving require quantum RAM? 2024 HAL DOI back to text
• 25 miscJ.Jean Gasnier and A.Aurore Guillevic. An Algebraic Point of View on the Generation of Pairing-Friendly Curves.December 2024HALback to text
• 26 miscA.Aurore Guillevic and S.Simon Masson. Embedded Curves and Embedded Families for SNARK-Friendly Curves.October 2024HALback to text
• 27 miscA.Amaury Pouly and Y.Yixin Shen. Smoothing Parameter and Shortest Vector Problem on Random Lattices.2024HALback to textback to text
• 28 reportJ.Jules ROUSSEAU. Cube-based cryptanalysis of Ascon and Gift.Université de rennes; Irisa Institut de Recherche en Informatique et Systèmes AléatoiresSeptember 2024, 32HAL