2023Activity reportProject-TeamCAPSULE

Better Reductions.

Our trust in the hardness of lattice-based constructions relies fundamentally on our understanding of the security reductions between the (many, structured) variants of SIS and LWE. Depending on the additional structure allowed to the designer, they are associated to number rings, ideals and more generally modules over the integer ring of a number field, and related to the corresponding class of lat- tices with symmetries. Additionnally, for LWE the noise distributions is also a parameter of the problem. Overall, this leads to a plethora of variants and versions that need some hierarchizing and a better understanding of the interplay between their related parameters. Thankfully, important classifying works have already been presented, regularly involving members of our team (e.g.  35, 61, 32.

Yet, there are still many unclear results or relations that are not yet satisfyingly understood. For example, the fundamental reductions of Ajtai and Regev are far from tight, incurring a blowup in important parameters (sometime estimated to be in $O\left(n^{11}\right)$). While this is not a problem asymptotically, it clearly raises concerns on how to select parameters and the level of security they actually achieve. However, these proofs techniques have not been updated since their presentations: it is not unlikely that more recent tools could lead to improvements. In another example, there seem to be a non smooth gap of difficulty between the hardness of very structured variants of LWE (linked to “ideal lattices problems”) and less-but-still-quite structured ones. Roughly speaking, the former seems to belong to subexponential complexity while the latter variants are still considered exponential. Our current knowledge is also not enough to guarantee the actual existence of this gap, which prevents an accurate understanding of the underlying problems' concrete hardness. In a last example, one can also notice that all the proof strategies for these general reductions rely on the same high-level arguments. Yet, multiple works dealing with subcases had to be presented to reach the current state of the art. On the one hand, it could be that there is a unifying, all-encompassing presentation that would greatly simplify the state of the affairs and bring a kind of maturity to this field. On the other hand, there may be fundamental obstructions to a general framework, and highlighting them would definitely help the community's understanding. These three examples raise important questions first about security, but also about our way of using the mathematical tools behind these results. Our team's objectives are to investigate all these paths and to find either positive or negative answers to improve the general understanding of the area.

Algorithms for hard problems and attacks on cryptosystems.

We have proposed some algorithms to study the security of hard computational problems in cyclotomic fields as the Principal Ideal Problem (PIP) in  29, reducing module lattices as a generalization of the LLL algorithm in the ring of integers of a number field in  55 or in a tower of cyclotomic fields in  52. We generalized the BKW algorithm to binary LWE setting in  53 and studied the Learning Parities with Noise (LPN) Problem in  56.

We have also attacked concrete cryptographic schemes. We broke some multivariate schemes such as the SFLASH signature schemes in  43 and variants  48, and the ASASA schemes in  58. We have also broken FHE schemes based on overstretched NTRU parameters in  54 or concrete FHE in  38.

We want to study the resistance of post-quantum cryptosystems and hard problems against classical and quantum adversaries. It is particularly interesting for lattice problems since the cryptanalysis of these problems is very young. One key objective in this line of research would be to find an analog of the BKZ algorithm for structured lattices defined over number field. It is also interesting to improve the recent work of  27, which suggests that this problem may be weaker than previously thought.

Constructions and practical cryptosystems.

Applications of cryptography usually culminates with the description of an efficient cryptosystem. An important part of our activity in post-quantum cryptography therefore targets the design of new schemes resistant to quantum attackers, providing advanced functionalities to its users, without sacrificing in efficiency.

In this area, members of CAPSULE have worked on the lattice-based signature scheme Falcon and its efficiency-security trade-off ModFalcon  39. A first objective would be to extend in a useful way the so-called “trapdoor generation” which is core to the two schemes above. In a nutshell, the secret key corresponds to a basis of short vectors of a lattice, that only the user should be able to compute efficiently. ModFalcon already extended the class of lattices for which this can be done, and it is an interesting question to manage an even larger class of lattice. In terms of applications, this would allow for even more flexibility, which can be particularly useful when the signature scheme is used as a black box inside a larger cryptographic algorithm. It could also allow for other functionalities such as threshold signatures or maybe masked signatures. On this line of thought, we are also interested in designing masked lattice signatures or even multi-party signatures. While there have been very recent proposals (relying on a different paradigm than the Falcon family), the efficiency is still lacking in practice. A success here could lead to concrete industrial applications.

But this is not the only construction on which the team is currently working. There are many interesting cryptographic constructions that need to be studied to obtain efficient post-quantum schemes, such as signatures and zero-knowledge proofs, but also signatures with more properties like group signatures, blind signatures ... and applications like e-voting. Indeed, a lot of progress have been made to obtain efficient signatures and public key encryptions, especially with the NIST competition, but the efficiency of more advanced schemes is still far from existing (but not post-quantum) solutions. One of the big challenge would be to obtain efficient zero-knowledge proof systems, as this primitive is often an easy way to build more advanced primitives.

Tools for discovering new attacks.

Symmetric cryptosystems are widely used because they are the only ones that can achieve some major functionalities such as high-speed or low-cost encryption, fast message authentication, and efficient hashing. But, unlike public-key cryptographic algorithms, secret-key primitives do not have satisfying security proofs. The security of these algorithms is empirically established by cryptanalysis.

It is obvious that this security criterion, despite its so far success, is not completely satisfactory. For instance we may estimate that, for a given primitive, no more than a few dozens of researchers are actively working on breaking it. Hence, due to this weak effort, the non-discovery of an attack against a particular primitive does not mean so much. Besides, finding the best attacks on a given design is a time-consuming work, and errors can lead to under- or over-estimating its security.

Therefore, our team specializes in building tools for automatically finding large classes of attacks. This transforms the statement “we did not find any attack of this kind”, which is only a subjective guarantee, into “the audit tool X did not find any attack”, which is a formal statement, giving a quantifiable objective guarantee.

In the past, the members of the team have proposed many tools, for example for improving attacks on round-reduced versions of AES  33, Demirci-Selçuk attacks on AES  41, and impossible differential attacks  40.

Our more recent work uses tools based on MILP (Mixed Integer Linear Programming), SAT (Satisfiability) or CP (Constraint Programming). In this setting, the search and optimization of an attack are reduced to a problem of a specific form, for which an off-the-shelf solver is used. Besides the actual work of implementing this reduction, our research aims at better understanding the differences between these optimization tools, finding which ones are more adapted for a given problem, and adapting some of these general-purpose softwares to particular cryptographic problems.

Finding and optimizing a cryptanalytic attack in its entirety is an especially interesting problem, since it requires to integrate different steps (for example a good distinguisher and a key-recovery phase). Since the search space is of exponential size, often making the problem intractable, it is possible to first find an approximation of the best attacks and then instantiate precisely the values of the parameters. Also, if MILP, SAT and CP tools quickly give an answer, it is tempting to build ad-hoc tools that can more efficiently take into account the weaknesses discovered by these tools.

Finally, there are only a few tools for analyzing the security of ARX ciphers based on additions, rotations and xor operations. These functions are hard to analyze with the current cryptanalytic techniques, and no attack has really endangered the full Chacha stream cipher proposed by Dan Bernstein or the block cipher Speck proposed by the NSA. They can be implemented very efficiently in x86 processors and currently Chacha is in the most used ciphersuites on TLS, making them prominent targets for cryptanalysis.

New Designs.

Our goal is to analyze the security of the new symmetric-key designs by developing new cryptanalytic techniques. The LowMC block cipher is one of the first symmetric primitives designed for taking into account the efficiency constraints of public-key cryptosystems. It has been built as a FHE-friendly cipher, by minimizing the number of multiplicative gates which are the main efficiency bottleneck for this application. Several attacks have been proposed on LowMC and LowMC v2. LowMC v3 was used in Picnic, a Zero-Knowledge-based post-quantum signature scheme proposed at the NIST competition, which wasn't standardized.

The Keccak hash function has been standardized in 2015 as SHA-3. Keccak brought new interest in a new design called Sponge function and permutation-based primitives. Some round-reduced versions of SHA-3 have been used in many constructions from Pseudo-Random Generator in SHAKE, to the Pseudo-Random Function Farfalle 28, the authenticated ecryption scheme Keyak, or the hash function KangarooTwelve proposed as an RFC. Only a few attacks have been proposed against SHA-3 and new cryptanalysis tools need to be designed.

Quantum Cryptanalysis.

Since 2016, many works have been done in the cryptanalysis of symmetric primitives using quantum algorithms. While symmetric cryptosystems are generally believed to hold well against adversaries equipped with a quantum computer, these works have substantiated these claims with dedicated security analyses, such as the best attacks against reduced-round versions of the standard AES  30.

Grover's search algorithm, which can provide a quadratic speedup on exhaustive key search (from $2^k$ operations to $2^{k/2}$), is often cited as the main player in the quantum security of symmetric primitives. However, in the past few years, the landscape of quantum algorithms for cryptanalysis has considerably expanded, with notable results such as quantum speedups above quadratic for specific constructions  31. These recent works highlight the benefit of combining state-of-the-art quantum algorithms and symmetric cryptanalysis techniques.

In team CAPSULE, our research in quantum cryptanalysis is three-fold.

First, we develop new quantum algorithms for cryptanalytic problems, which we aim to apply in symmetric cryptography, but may also have applications in public-key cryptography. An example of such a double-edged sword is our recent work on quantum walks  9.

Second, we analyze existing classical cryptanalysis techniques and study how to translate them into quantum cryptanalysis techniques. Intuitively, a primitive that is classically vulnerable should be quantumly broken as well, but this is not always the case, as classical attack strategies are not always exploitable in the quantum setting. Our research in this area focuses on the strategies which can exhibit the largest quantum speedups, quadratic (like Grover's search) or even above by using advanced frameworks.

Finally, after identifying new classes of quantum attacks, we aim at integrating these attacks into automated tools. Indeed, the task of finding and optimizing quantum attacks can be even more challenging that classical ones, since they rely often on different strategies, sometimes counterintuitive. Furthermore, since the resulting procedures are quantum algorithms, the analysis of their time and memory complexities comes with specific technicalities. Our goal is to automatize this step as well in a way that may benefit cryptanalysts interested in this topic but unfamiliar with quantum algorithms.

Hardware and embedded implementations.

Side Channel Attacks (SCA) rely on statistical tools to extract the secret information from leakage traces. Then, algorithmic techniques usually based on previous cryptanalytic results are used to efficiently recover secret data. Indeed, the known black-box attacks are extended by exploiting the leakage information, that gives more information on the internal secret variables, a.k.a. the grey-box model. The SCA information can be for instance the Hamming weight of a limited number of variables. Recently, the white-box model has been proposed, where the adversary can stop the execution of a process and has access to all variables.

Side-channel attacks have been successfully applied to break many embedded implementations these last 20 years. After the information theoretic approach of Ishai, Sahai and Wagner  50 to prove the security of implementations, secure theoretical foundations have been laid by Prouff and Rivain and later Duc et al. in  60, 44. Soon after, some tools have been developed such as  23, 24, 22 to protect software and hardware implementations with masking techniques. Nowadays, we have sound masking schemes. Some of them already have been introduced into lattice-based implementations  25, where generally securing randomness presents an interesting challenges. We aim at extending the results of  25, 26, 57, 47 to other post-quantum alternatives like code-based, multivariate, or hash-based schemes and to provide secure implementations.

More recently, other tools coming from statistical learning (such as deep learning) have been proposed to break embedded implementations. They open the door to powerful techniques and more efficient attacks. Template attacks model the leakage distribution with a Gaussian distribution, approximating the actual distribution by considering its mean and its standard deviation. More standard attacks, a.k.a. Differential Power Analysis (DPA), only consider the mean. However, higher moments can be useful to consider. Deep learning techniques are useful to efficiently extract complex relations between variables even in the presence of noise. Taking into account these more powerful deep learning or white-box attacks as well as developing countermeasures is a hot, trendy topic in SCA. In the former, deep learning allow to find correlations between many points of interest of one curve, a.k.a. horizontal attacks. In the latter, white-box cryptography provides the adversary with the same kind of information, since they can stop the execution of the program and get noiseless information on all of its variables. Taking into account such powerful attackers is one main challenge for side-channel attacks.

Finally, we are interested to work on the new micro-architectural attacks HertzBleed and others. These attacks show that side-channel attacks are also a threat to software implementations. Porting to software some of the many techniques used to secure embedded systems is thus a major topic.

Software implementations.

Constant-time implementation is a programming principle that aims at providing code where the running time and memory accesses are independent of the secret values. Timing leakage can be used to mount attacks on computers and smartphones. There exist many tools in the litterature that help developers to avoid these leakage, but insecure implementations are stille aplenty. For instance, we recently broke the WPA-3 implementation used in FreeRadius and iwd (iNet Wireless Daemon)  34, and also found other weaknesses.

We want to discover new attacks in open-source libraries and to help developers in order to verify the constant-time property of their codes. For example, some tools are tailored to small pieces of cryptographic codes and do not scale well with more complex codes that rely on many libraries. Our goal is to provide verification tools for analyzing the constant-time property of large source codes. We are also interested in studying the security of DRM systems used in widely deployed systems. We do not have permanent researchers on reverse-engineering, but we work with postdoc students such as Alexandre Gonzalvez, as well as Mohamed Sabt from the Spicy team on this topic. Besides, we co-supervise 3 theses on the security of software implementations.

Security Proofs of Protocols and Real-World Systems.

We are interested in studying the security of cryptographic protocols deployed in the real-world such as WhatsApp, middlebox, Content-Delivery Network (CDN), TLS, and 5G networks. Recently, we have also considered the security of searchable symmetric encryption, where the goal is to outsource the storage of a database to an untrusted server, while maintaining search capabilities. This last area is a nice application of secure computations and the PhD thesis of R. Bost (P.A. Fouque's PhD student) in this domain received the GDR Security price of the best PhD in 2018. We also work with Cristina Onete, an assistant professor at Limoges on this topic. Currently, we are interested to propose hybridization techniques between pre- and post-quantum cryptography for various protocols such as Signal, IPSEC, ... in the PEPR post-quantum cryptography.

NIST post-quantum competition.

The NIST post-quantum competition aims at standardizing quantum-safe public-key primitives. The goal is to propose a quantum-safe alternative for the schemes based on number theory which are threatened by the advent of quantum computers. It is expected to have a huge and long-term impact on all public-key cryptography. It received 69 proposals in November 2017. The Falcon signature scheme, co-designed by some members of the Capsule team, has been selected by NIST in July 2022. We have also submitted Solmae to the Korean Post-Quantum Competition, which is a variant of Falcon that is easier to implement hence to protect from SCA. Finally, we have also proposed BAT  46, an encryption scheme that follows the design rationale of Falcon. We plan to submit this scheme to the IETF as it enjoys interesting properties in terms of bandwidth, that not displayed by NIST's selected key encapsulation scheme, Kyber.

In June 2023, we have submitted the PROV and VOX signature schemes to NIST's new call for digital signatures. These two schemes are based on multivariate cryptography problems, and are variants of the unbalanced Oil-and-Vinegar signature schemes, proposed in 1997 by Patarin. PROV has a security proof, while VOX is a stronger version of UOV that avoids known weaknesses (namely, UOV has a large set of isotropic vectors common to all quadratic forms of the public key).

NIST competition on lightweight symmetric encryption.

The NIST lightweight cryptography standardization process is an initiative to develop and standardize new authenticated encryption algorithms suitable for constrained devices. There is a real need for new standards in lightweight cryptography, and the selected algorithms are expected to be widely deployed within the Internet of Things, as well as on more constrained devices such as contactless smart cards, or medical implants. The NIST received 56 submissions in February 2019. Team Capsule has studied the security of some of these schemes.

Monitoring Current Standards.

While we are very involved in the design phase of new cryptographic standards, we also monitor the algorithms that are already standardized. We look at some implementations of WPA3 and we discovered a micro-architectural attack  8. We also study the privacy of the EME standard (Encrypted Media Extensions) for Digital Rights Managments in browsers in  18.

Differential Meet-in-the-middle Attacks.

Meet-in-the-middle and differential attacks are two cornerstones of modern cryptanalysis, which have been applied successfully on block ciphers for decades. In  4, we introduced the new framework of differential meet-in-the-middle attacks, which combines technique from both meet-in-the-middle and differential cryptanalysis. As such, this technique can be seen both as an extension of meet-in-the-middle attacks, and as a novel way of performing the key-recovery in differential attacks. We applied this technique to two very well studied ciphers, SKINNY and the international standard AES, and obtained new results on weakened (reduced-round) variants, including a related-key attack on 12 rounds out of 14 on AES-256 with only two related keys.

Related-Key Differential Analysis of the AES.

The related-key setting, in which a block cipher may be queried with several unknown keys having some known relation, is a scenario in which AES is known to be quite weak. However, finding related-key characteristics is a difficult process which nowadays can be done only with the help of automatic tools. In  10 we gave new tools dedicated to this task, both ad hoc and based on MILP. We also built a new tool to search for differential MITM attacks, which improved the 12-rounds attack above to 13 rounds.

A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics.

An important criteria to assert the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure the immunity against differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. Doing so allows one to provide an upper bound on the probability of the best differential characteristic with a reduced computational cost. However, in order to design very efficient primitives, it might be needed to evaluate the probability more accurately. This is usually done in a second step, during which one tries to instantiate truncated differential characteristics with actual values and computes its corresponding probability. This step is usually done either with ad-hoc algorithms or with CP, SAT or MILP models that are solved by generic solvers. In  12, we present a generic tool for automatically generating these models to handle all word-oriented ciphers. Furthermore the running times to solve these models are very competitive with all the previous dedicated approaches.

Equivalence of Generalised Feistel Networks.

We also focused on equivalences between Generalised Feistel Networks (GFN) of type-II. We introduced a new definition of equivalence which captures the concept that two GFNs are identical up to re-labelling of the inputs/outputs and are therefore cryptographically equivalent for several classes of attacks. It induces a reduction of the space of possible GFNs: the set of the ${(k!)}^2$ possible even-odd GFNs with $2k$ branches can be partitioned into $k!$ different classes. From a designer perspective, it means that a much wider spectrum of candidates can be explored to choose a good permutation. In particular, using this new equivalence relation led us to five 62-branch permutations performing better than WARP regarding the number of differentially/linearly active S-Boxes and to a new family of permutations with good diffusion properties. This work is under submission.

Cryptanalysis of ASCON.

During the internships of Mathieu Degré and Lucie Lahaye, we started studying the cryptanalysis of the ASCON family of lightweight primitives, which is a high-profile target as it has been recently selected for standardization by the NIST. Our goal in this project was to obtain simpler modelings of different types of cryptanalysis, based on MILP and SAT encodings, which were easier not only to describe but also to run. Our results are under submission.

Applications in Asymmetric Cryptanalysis.

In  9 we introduced the new algorithmic technique of chained quantum walks. This technique is key to an improvement on quantum algorithms for the multiple collision search problem, an extension of the collision search problem, which asks to find pairs of colliding outputs generated by a random function. It allowed us to improve the previous best quantum algorithm for lattice sieving  37, reducing its asymptotic time complexity from $2^{0.2570d+o\left(d\right)}$ to $2^{0.2563d+o\left(d\right)}$ where $d$ is the lattice dimension. These algorithms are of high interest since they underlie the security analyses of lattice-based cryptography at large.

In  19, we gave new quantum trade-offs for the Dihedral Coset Problem, which is a computational problem of high interest. In particular, its hardness underlies the security of post-quantum cryptosystems based on Abelian group actions such as CSIDH  36. These cryptosystems are the only high-profile post-quantum proposals for which a quantum attacker enjoys a large speedup (from exponential classical time to subexponential quantum time). Thus their security analysis relies primarily on the quantum side.

Applications in Symmetric Cryptanalysis.

In  20 we introduced a new framework of quantum linear key-recovery attacks on block ciphers. In classical cryptanalysis, linear cryptanalysis is a powerful key-recovery attack exploiting the linear biases which may appear in reduced-round ciphers. While modern linear key-recovery attacks rely on the Fast Fourier Transform, a potential application of the Quantum Fourier Transform remained an open question in previous works  51. In this work, we showed that this was possible, and could lead to new quantum attacks on block ciphers. The new framework relies on computing correlations of Boolean functions “analogically” in the amplitudes of quantum states, which generates technical difficulties and new open questions that need further investigation. Despite the current limitations, this framework may reach up to a super-quadratic speedup in key-recovery attacks, which coïncides with the current best speedup reported in  31 for specific constructions of block ciphers.

In  6 we described a generic framework of quantum impossible differential attacks on block ciphers, with a generic formula from their time complexity and a procedure to easily translate classical attacks into quantum ones.

In  7 we introduced an automatic search and optimization tool for quantum meet-in-the-middle key-recovery attacks on block ciphers. This tool expands a previous modeling technique which we introduced in the past year  62.

Optimal trapdoors for practical lattice-based hash-then-sign

Last year we described in  45 Mitaka, a variant of Falcon with much simpler implementation, larger parameter space, better parallelism and easier to protect from side-channel adversaries. One of the drawback of our scheme was its slightly lower security level. Indeed, finding good trapdoors in the key-generation process for Mitaka remained a costly task, and we had to sacrifice security for concrete efficiency. In  13 we propose a completely novel approach to find good trapdoors in an essentially optimal way, with much freedom in the quality that we impose on them. Our method stems from the geometric identification of the space where one can find them, and the design of a simple, natural sampler to draw from. It combines Fast Fourier Transform techniques with fine-grained error rounding analysis into a key-generation algorithm called Antrag, achieving the same efficiency as Falcon's, without sacrificing any bit-security.

Concretely, this technique make Mitaka as secure as Falcon. This prompted its use into a candidate for standardization in a national process (as mentioned above), called Solmae (Falcon in Korean), and submitted for the first round of evaluation. Despite Solmae having the minimal bandwith consumption of all candidates and concrete signing speed on par with the other lattice contender HaeTae (Dilithium's natural update), it was not selected to advance to the second round2.

Unifying Lattice Gaussian sampling.

Lattice Gaussian sampling is nowaday a pervasive technique in all aspects of the field: reductions between problems (in the complexity theory sense), as a concrete building block for primitives, in security arguments,... Many methods to sample lattice Gaussians existed in the toolbox of the cryptographers, but perhaps surprisingly, most of them felt unrelated one to another. This made it rather difficult to understand where improvement vectors could be found. In 14 we proposed a generic, abstract framework allowing to recover almost if not all known approaches, while opening-up the design space for further explorations. Among samplers we recover naturally are the important approach of as  49, 59. We provided novel samplers following this new avenues, illustrating how to use our framework. Some of our new designs demonstrated important security improvements in concrete schemes (such as Mitaka), while also displaying more simplicity in their description. On a more foundational aspect, we gave a new exact expansion of the so-called smoothing parameter of a lattice. This important quantity is used in many security arguments, where the finer the estimate, the better control over security one gets. We believe that this new expression has application in more mathematical aspects of lattice theory, such as improved transference bounds.

Reductions between variants of the Module-LWE problem.

The Module Learning With Errors problem (M-LWE) is a core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency. The problem is parameterized by a secret distribution as well as an error distribution. There is a gap between the choices of those distributions for theoretical hardness results (standard formulation of M-LWE, i.e., uniform secret modulo $q$ and Gaussian error) and practical schemes (small bounded secret and error). In  3, we make progress towards narrowing this gap. More precisely, we prove that M-LWE with uniform $\eta$-bounded secret for any $1\le \eta \ll q$ and Gaussian error, in both its search and decision variants, is at least as hard as the standard formulation of M-LWE, provided that the module rank $d$ is at least logarithmic in the ring degree $n$. We also prove that the search version of M-LWE with large uniform secret and uniform $\eta$-bounded error is at least as hard as the standard M-LWE problem, if the number of samples $m$ is close to the module rank $d$ and with further restrictions on $\eta$. The latter result can be extended to provide the hardness of M-LWE with uniform $\eta$-bounded secret and error under specific parameter conditions. Overall, the results apply to all cyclotomic fields, but most of the intermediate results are proven in more general number fields.

Lattice Signature with Efficient Protocols, Application to Anonymous Credentials.

Digital signature is an essential primitive in cryptography, which can be used as the digital analogue of handwritten signatures but also as a building block for more complex systems. In the latter case, signatures with specific features are needed, so as to smoothly interact with the other components of the systems, such as zero-knowledge proofs. This has given rise to so-called signatures with efficient protocols, a versatile tool that has been used in countless applications. Designing such signatures is however quite difficult, in particular if one wishes to withstand quantum computing. We are indeed aware of only one post-quantum construction, proposed by Libert et al. at Asiacrypt’16, yielding very large signatures and proofs.

In  17, we propose a new construction that can be instantiated both in standard lattices and structured ones, resulting in each case in dramatic performance improvements. In particular, the size of a proof of message-signature possession, which is one of the main metrics for such schemes, can be brought down to less than 650 KB. As our construction retains all the features expected from signatures with efficient protocols, it can be used as a drop-in replacement in all systems using them, which mechanically improves their own performance, and has thus a direct impact on many applications. It can also be used to easily design new privacy-preserving mechanisms. As an example, we provide the first lattice-based anonymous credentials system.

Identity-Based Encryption from Lattices Using Approximate Trapdoors.

Practical implementations of advanced lattice-based constructions have received much attention since the first practical identity-based encryption scheme instantiated over NTRU-lattices, proposed by Prest et al. (Asiacrypt 2014). This particular design uses powerful lattice-based building blocks to allow efficient Gaussian preimage sampling and trapdoor generation. In  16, we propose two different constructions and implementations of identity-based encryption schemes (IBE) using Chen et al. (Asiacrypt 2019)approximate variants of “gadget-based” trapdoors. Both constructions are proven secure.

Our first IBE scheme is an adaptation of the Bert et al. scheme (PQCrypto 2021) to the approximate setting, relying on the Module-NTRU hardness assumption and making use of the Micciancio-Peikert paradigm for approximate trapdoors. The second IBE relies on a variant of the NTRU hardness assumption.

We provide several timings and a comparison analysis to explain our results. The two different instantiations give interesting trade-offs in terms of security and efficiency and both benefit from the use of approximate trapdoors. Though our second IBE construction is less efficient than other NTRU-based IBEs, we believe our work provides useful insights into efficient advanced lattice-based constructions.

New Security Proof in the QROM model.

In  15, we present a new generic transform that takes a multi-round interactive proof for the membership of a language L and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function H. However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model (NPROM). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum oracle model (QROM), surprisingly the security loss in QROM is independent from the number of rounds.

Factorization Algorithms.

In  21, we study new factorization algorithms. The Number Field Sieve (NFS) is the state-of-the art algorithm for integer factoring, and sieving is its most crucial step. It is a very time-consuming operation, aiming at collecting many relations. The ultimate goal is to generate random smooth integers mod N together with their prime decomposition, where smooth is defined on the rational and algebraic sides according to two prime factor bases.

In modern factorization tools, such as Cado-NFS, sieving is split into different stages depending on the size of the primes, but defining good parameters for all stages is based on heuristic and practical arguments. At the beginning, candidates are sieved by small primes on both sides, and if they pass the test, they continue to the next stages with bigger primes, up to the final one where the remaining part is factored using the ECM algorithm. On the one hand, first stages are fast but many false relations pass them, and we spend a lot of time with useless relations. On the other hand final stages are more time demanding but outputs less relations. It is not easy to evaluate the performance of the best strategy on the overall sieving step since it depends on the distribution of numbers that results at each stage.

In  21, we examine different sieving strategies to speed-up this step, since many improvements have been done on all other steps of the NFS. Based on the relations collected during the record RSA-250 factorization and all its parameters, we study the many different strategies that have been defined for NFS. Our result is an experimental evaluation of them.

BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding.

In 11, we present a single-trace attack on a BIKE Cortex-M4 implementation proposed by Chen et al. at CHES 2021. BIKE is a key-encapsulation mechanism, candidate to the NIST post-quantum cryptography standardisation process. We attack by exploiting the rotation function that circularly shifts an array depending on the private key. Chen et al. implemented two versions of this function, one in C and one in assembly. Our attack uses subtraces clustering combined with a combinatorial attack to recover the full private key. We obtained a high clustering accuracy in our experiments, and we provide ways to deal with the errors. We are able to recover all the private keys for the C implementation, and while the assembly version is harder to attack using our technique, we still manage to reduce BIKE Level-1 security from 128 to 65 bits for a significant proportion of the private keys.

From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake.

In  8 we develop a new software attack on the WPA3. It is universally acknowledged that Wi-Fi communications are important to secure. Thus, the Wi-Fi Alliance published WPA3 in 2018 with a distinctive security feature: it leverages a Password-Authenticated Key Exchange (PAKE) protocol to protect users' passwords from offline dictionary attacks. Unfortunately, soon after its release, several attacks were reported against its implementations, in response to which the protocol was updated in a best-effort manner. In this paper, we show that the proposed mitigations are not enough, especially for a complex protocol to implement even for savvy developers. Indeed, we present Dragondoom, a collection of side-channel vulnerabilities of varying strength allowing attackers to recover users' passwords in widely deployed Wi-Fi daemons, such as hostap in its default settings. Our findings target both password conversion methods, namely the default probabilistic hunting-and-pecking and its newly standardized deterministic alternative based on SSWU. We successfully exploit our leakage in practice through microarchitectural mechanisms, and overcome the limited spatial resolution of Flush+Reload. Our attacks outperform previous works in terms of required measurements. Then, driven by the need to end the spiral of patch-and hack in Dragonfly implementations, we propose Dragonstar, an implementation of Dragonfly leveraging a formally verified implementation of the underlying mathematical operations, thereby removing all the related leakage vector. Our implementation relies on HACL*, a formally verified crypto library guaranteeing secret-independence. We design Dragonstar, so that its integration within hostap requires minimal modifications to the existing project. Our experiments show that the performance of HACL*-based hostap is comparable to OpenSSL-based, implying that Dragonstar is both efficient and proved to be leakage-free.

Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME.

In  18, we study the security of Digital Rights Management Systems. Thanks to HTML5, users can now view videos on Web browsers without installing plug-ins or relying on specific devices. In 2017, W3C published Encrypted Media Extensions (EME) as the first official Web standard for Digital Rights Management (DRM), with the overarching goal of allowing seamless integration of DRM systems on browsers. EME has prompted numerous voices of dissent with respect to the inadequate protection of users. Of particular interest, privacy concerns were articulated, especially that DRM systems inherently require uniquely identifying information on users' devices to control content distribution better. Despite this anecdotal evidence, we lack a comprehensive overview of how browsers have supported EME in practice and what privacy implications are caused by their implementations. In this paper, we fill this gap by investigating privacy leakage caused by EME relying on proprietary and closed-source DRM systems. We focus on Google Widevine because of its versatility and wide adoption. We conduct empirical experiments to show that browsers diverge when complying EME privacy guidelines, which might undermine users' privacy. For instance, we find that many browsers gladly give away the identifying Widevine Client ID with no or little explicit consent from users. Moreover, we characterize the privacy risks of users tracking when browsers miss applying EME guidelines regarding privacy. Because of being closed-source, our work involves reverse engineering to dissect the contents of EME messages as instantiated by Widevine. Finally, we implement EME Track, a tool that automatically exploits bad Widevine-based implementations to break privacy.

10.1.1 Visits to international teams

11.1.1 Scientific events: organisation

The PQTLS, project of the PEPR Quantique, has organized a workshop at the École normale supérieure on the security of recently submitted post-quantum signature in June 2023, and another workshop with the French companies that are developing a quantum computer in June 2023 at the Cyber Campus in Paris.

11.1.2 Scientific events: selection

11.1.3 Journal

11.1.4 Invited talks

• Alexandre Wallet was invited at PQ Shield (Paris, France) to present his work accepted at Asiacrypt 2023: On Gaussian sampling, smoothing parameter, applications to signatures — October 2023.

11.1.5 Scientific expertise

We evaluated research projects for many research funding agencies.

11.1.6 Research administration

Pierre-Alain Fouque is the scientific coordinator of the PEPR project PQTLS.

11.2.1 Teaching

• Master: Alexandre Wallet, Euclidean Lattices in Cryptography (REC), 12 hours, M2, University of Rennes, France;
• Master: Alexandre Wallet, Cryptanalysis (CRA), 8h, M2, University of Rennes and ISTIC, France;
• 1st year of engineer cycle: Alexandre Wallet, Introduction to Programming with Java (INF361), 40h, École polytechnique, France;
• 3rd year of engineer cycle: Alexandre Wallet, Cybersecurity (INF565), 12h, École polytechnique, France;
• André Schrottenloher was Oral examiner for fundamental computer science in the entrance examinations of the ENS (Écoles Normales Supérieures).
• Master: Pierre-Alain Fouque, Advanced Course in Cryptography for security (BCS), 16 hours, M2, University of Rennes, France;
• Master: Damien Marion, Advanced Course in Cryptography for security (BCS), 16 hours, M2, University of Rennes, France;
• Master: Pierre-Alain Fouque, Basic Course in Cryptographhy (BC), 16 hours, M1, University of Rennes, France;
• Master: Damien Marion, Basic Course in Cryptographhy (BC), 12 hours, M1, University of Rennes, France;
• Master: Pierre-Alain Fouque, Design and Analysis of Algorithm (ADA), 16 hours, M1, University of Rennes, France;
• Master: Damien Marion, Design and Analysis of Algorithm (ADA), 12 hours, M1, University of Rennes, France;
• Master: Alexandre Gonzalvez, Cryptography in Java, 30 hours, M1, University of Rennes, France;
• Master: Pierre-Alain Fouque, Security Proof, 7,5 hours, M2, University of Rennes, France;
• Master: Pierre-Alain Fouque, Security of Data (SDATA), 12 hours, M1, University of Rennes.
• Master: Damien Marion, Security of Data (SDATA), 32 hours, M1, University of Rennes.
• Master: Damien Marion, Low-level Programming (LLP), 20 hours, M1, University of Rennes.
• Master: Damien Marion, network security, 20 hours, M1, University of Rennes.
• Master: Damien Marion, Secured Implementation for Cryptography (SIMP), 25 hours, M2, University of Rennes.
• Master: Damien Marion, research project, 24 hours, M1, University of Rennes.
• Bachelor: Damien Marion, Enjeux sociétaux et empreinte écologique du numérique (3EN), 12 hours, L3, University of Rennes, France;
• Bachelor: Damien Marion, Algorithmique et complexité (ACO), 16 hours, L2, University of Rennes, France;

11.2.2 Supervision

• PhD: Agathe Cheriere, Side-Channel Resistance of Cryptographic Primitives Based on Error-Correcting Codes, defense in December 2023. Supervisors: Benoît Gérard and Pierre Loidreau.
• PhD: Lucas Prable, Trappes en Cryptographie Basée sur les Réseaux Euclidiens : Applications et Implémentation, defense in October 2023. Supervisors: Adeline Roux-Langlois and Pierre-Alain Fouque.
• PhD: Arthur Gontier, Utilisation de solveurs génériques pour la cryptanalyse de chiffrements symétriques, defense in November 2023. Supervisors:
• PhD in progress: Phuong Hoa Nguyen, MILP and symmetric-key cryptanalysis, started October 2021. Supervisors: Patrick Derbez and Pierre-Alain Fouque.
• PhD in progress: Corentin Jeudy, Advanced Post-Quantum Protocol, started October 2021. Supervisors: Pierre-Alain Fouque and Adeline Roux-Langlois.
• PhD in progress: Thi Thu Quyen Nguyen, Déploiements des signatures fondées sur les réseaux Euclidiens, started November 2021. Supervisors: Adeline Roux-Langlois (GREYC, Caen), Paul Dischamp (Idemia) and Alexandre Wallet.
• PhD in progress: Léo Ackermann, Constructions cryptographiques fondées sur les réseaux Euclidiens: nouvelles hypothèses, started Septembre 2022. Supervisors: Adeline Roux-Langlois (GREYC, Caen) and Alexandre Wallet.
• PhD in progress: Clémence Chevignard, Module-LIP: réductions, cryptanalyse, algorithmes, started November 2023. Supervisors: Pierre-Alain Fouque, Alexandre Wallet and Rémi Giraud (Qualcomm).
• PhD in progress: Mathieu Degré, Nouveaux modèles MILP adaptés aux problèmes cryptographiques, starting January 2024. Supervisors: Patrick Derbez, André Schrottenloher.
• PhD in progress: Quentin Edme, Preuves et attaques quantiques contre les primitives et protocoles cryptographiques, starting January 2024. Supervisors: Loïc Ferreira (Orange Labs, Caen), Pierre-Alain Fouque, André Schrottenloher.
• PhD in progress: Aymeric Hiltenbrand, Attaques par canaux auxiliaires sur la cryptographie post-quantique, starting December 2023. Supervisors: Guenael Renault (ANSSI), Pierre-Alain Fouque.
• PhD in progress: Roderick Asselineau, Symmetric System in Real-World Cryptography, starting December 2023. Supervisors: Patrick Derbez.
• Internship: Clémence Chevignard, Cryptanalyse du schéma Hawk, March-September 2023. Supervisors: Pierre-Alain Fouque and Alexandre Wallet.
• Internship: Heorhii Pliatsok (M2), Hermitian Decompositions in Cyclotomic Fields, April-October 2023. Supervisor: Alexandre Wallet.
• Internship: Mathieu Degré (M2), A new approach to MILP modeling to reduce the differential gap of ASCON, April-October 2023. Supervisor: Patrick Derbez.
• Internship: Jérome Guyot (L3), Algorithmes pour le problème des rotations du réseau cubique, June-August 2023. Supervisors: Pierre-Alain Fouque and Alexandre Wallet.
• Internship: Lucie Layahe (L3), Attaques algébriques sur des fonctions de hachage, June-July 2023. Supervisor: André Schrottenloher.
• Internship: Rayan Lachguel (M1), Implémentation du schéma de signature post-quantique Falcon, November 2023-March 2024. Supervisor: Pierre-Alain Fouque.

11.2.3 Juries

• Chloé Gravouil, June 27th, 2023, Pierre-Alain Fouque (Examiner)
• Julien Devevey, September 18th, 2023, Pierre-Alain Fouque (President of the jury)
• Christophe Genevey-Metat, September 28th, 2023, Pierre-Alain Fouque (Examiner)
• Lucas Prabel, October 5th, 2023, Pierre-Alain Fouque (Supervisor)
• Michael Reichle, October 9th, 2023, Pierre-Alain Fouque (Examiner)
• Nicolas David, November 8th, 2023, Patrick Derbez (Examiner)
• Clémence Bouvier, November 27th, 2023, Pierre-Alain Fouque (President of the jury)
• Léonard Assouline, December 1st, 2023, Pierre-Alain Fouque (Examiner)
• Pierre Briaud, December 11th, 2023, Pierre-Alain Fouque (President of the jury)
• Gwendal Patat, December 15th, 2023, Pierre-Alain Fouque (Supervisor)
• Johanna Loyer, December 18th, 2023, André Schrottenloher (Examiner)
• Agathe Cheriere, December 19th, 2023, Pierre-Alain Fouque (Supervisor)
• Samuel Tap, December 19th, 2023, Pierre-Alain Fouque (Examiner)
• Pierre Galissant, December 21th, 2023, Pierre-Alain Fouque (Examiner)

11.2.4 Education

• Alexandre Wallet, Petit panorama de la cryptographie post-quantique, École polytechnique, March 6, 2023. General talk on the upcoming standardization of post-quantum cryptography for students in cybersecurity.
• Pierre-Alain Fouque and André Schrottenloher participated at the first Spring School of the CyberSchool at University of Rennes.

International journals

• 3 articleK.Katharina Boudgoust, C.Corentin Jeudy, A.Adeline Roux-Langlois and W.Weiqiang Wen. On the Hardness of Module Learning with Errors with Short Distributions.Journal of Cryptology361January 2023, 1-72HALDOIback to text
• 4 articleC.Christina Boura, P.Patrick Derbez and M.Margot Funk. Related-Key Differential Analysis of the AES.IACR Transactions on Symmetric Cryptology20234December 2023, 215-243HALDOIback to text
• 5 articleA.Agathe Cheriere, L.Lina Mortajine, T.Tania Richmond and N.Nadia El Mrabet. Exploiting ROLLO’s constant-time implementations with a single-trace analysis.Designs, Codes and CryptographySpecial Issue: Coding and Cryptography 2022April 2023HALDOI
• 6 articleN.Nicolas David, M.María Naya-Plasencia and A.André Schrottenloher. Quantum Impossible Differential Attacks: Applications to AES and SKINNY.Designs, Codes and Cryptography2023, 1-33HALDOIback to text
• 7 articleA.André Schrottenloher and M.Marc Stevens. Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks.IACR Transactions on Symmetric Cryptology20233September 2023, 146-183HALDOIback to text

International peer-reviewed conferences

• 8 inproceedingsD.Daniel de Almeida Braga, N.Natalia Kulatova, M.Mohamed Sabt, P.-A.Pierre-Alain Fouque and K.Karthikeyan Bhargavan. From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake.EuroS&P 2023 - IEEE 8th European Symposium on Security and PrivacyDelft, NetherlandsIEEEJuly 2023, 707-723HALDOIback to textback to text
• 9 inproceedingsX.Xavier Bonnetain, A.André Chailloux, A.André Schrottenloher and Y.Yixin Shen. Finding many Collisions via Reusable Quantum Walks: Application to Lattice Sieving.Lecture Notes in Computer ScienceEUROCRYPT 2023 - International Conference on the Theory and Applications of Cryptographic Techniques14008Lecture Notes in Computer ScienceLyon, FranceSpringer Nature SwitzerlandApril 2023, 221-251HALDOIback to textback to text
• 10 inproceedingsC.Christina Boura, N.Nicolas David, P.Patrick Derbez, G.Gregor Leander and M.María Naya-Plasencia. Differential Meet-In-The-Middle Cryptanalysis.LNCS - Lecture Notes in Computer ScienceCRYPTO 2023 - 43rd International Cryptology Conference14083Lecture Notes in Computer ScienceSanta Barabara, United StatesSpringer Nature SwitzerlandAugust 2023, 240-272HALDOIback to text
• 11 inproceedingsBest paperA.Agathe Cheriere, N.Nicolas Aragon, T.Tania Richmond and B.Benoît Gérard. BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding.Lecture Notes in Computer ScienceACNS 2023 - 21st International Conference on Applied Cryptography and Network Security13905Lecture Notes in Computer ScienceKyoto, JapanSpringer Nature SwitzerlandMay 2023, 725-748HALDOIback to text
• 12 inproceedingsF.François Delobel, P.Patrick Derbez, A.Arthur Gontier, L.Loïc Rouquette and C.Christine Solnon. A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics ⋆.LNCSINDOCRYPT 2023 - 24th International Conference on Cryptology in IndiaGoa, IndiaSpringerDecember 2023, 1-23HALback to text
• 13 inproceedingsT.Thomas Espitau, Q. T.Quyen Thi Thu Nguyen, C.Chao Sun, M.Mehdi Tibouchi and A.Alexandre Wallet. Antrag: Annular Ntru Trapdoor Generation: Making Mitaka As Secure As Falcon.Lecture notes in Computer ScienceASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information SecurityGuangzhou (Canton), ChinaSpringer2023, 1-56HALback to text
• 14 inproceedingsBest paperT.Thomas Espitau, A.Alexandre Wallet and Y.Yang Yu. On Gaussian sampling, smoothing parameter: Application to lattice signatures.Lecture notes in Computer ScienceASIACRYPT 2023 - 29th International Conference on the Theory and Application of Cryptology and Information SecurityGuangzhou (Canton), ChinaDecember 2023, 1-56HALback to text
• 15 inproceedingsP.-A.Pierre-Alain Fouque, A.Adela Georgescu, C.Chen Qian, A.Adeline Roux-Langlois and W.Weiqiang Wen. A Generic Transform from Multi-Round Interactive Proof to NIZK.Lecture Notes in Computer SciencePKC 2023 - International Conference on Practice and Theory of Public-Key Cryptography13941Lecture Notes in Computer ScienceAtlanta, United StatesSpringer Nature SwitzerlandMay 2023, 461-481HALDOIback to text
• 16 inproceedingsM.Malika Izabachène, L.Lucas Prabel and A.Adeline Roux-Langlois. Identity-Based Encryption from Lattices Using Approximate Trapdoors.ACISP 2023 - 28th Australasian Conference on Information Security and Privacy13915Lecture Notes in Computer ScienceBrisbane, AustraliaSpringer Nature SwitzerlandJune 2023, 270-290HALDOIback to text
• 17 inproceedingsC.Corentin Jeudy, A.Adeline Roux-Langlois and O.Olivier Sanders. Lattice Signature with Efficient Protocols, Application to Anonymous Credentials.Crypto 2023 - 43rd Annual International Cryptology Conference14082Lecture Notes in Computer ScienceSanta Barbara, United StatesSpringer Nature SwitzerlandAugust 2023, 351-383HALDOIback to text
• 18 inproceedingsG.Gwendal Patat, M.Mohamed Sabt and P.-A.Pierre-Alain Fouque. Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME.PETS 2023 - Privacy Enhancing Technologies Symposium20234Lausanne, SwitzerlandOctober 2023, 306-321HALDOIback to textback to text
• 19 inproceedingsM.Maxime Remaud, A.André Schrottenloher and J.-P.Jean-Pierre Tillich. Time and Query Complexity Tradeoffs for the Dihedral Coset Problem.LNCS - Lecture Notes in Computer SciencePQCrypto 2023 - 14th International Conference on Post-Quantum Cryptography14154Lecture Notes in Computer ScienceCollege Park, United StatesSpringer Nature SwitzerlandAugust 2023, 505-532HALDOIback to text
• 20 inproceedingsA.André Schrottenloher. Quantum Linear Key-Recovery Attacks Using the QFT.Lecture Notes in Computer ScienceCRYPTO 2023 - 43rd International Cryptology Conference14085Lecture Notes in Computer ScienceSanta Barbara, CA, United StatesSpringer Nature SwitzerlandAugust 2023, 258-291HALDOIback to text

Reports & preprints

• 21 miscC.Charles Bouillaguet, A.Ambroise Fleury, P.-A.Pierre-Alain Fouque and P.Paul Kirchner. We Are on the Same Side. Alternative Sieving Strategies for the Number Field Sieve.May 2023HALback to textback to text