2.1 Presentation

Cryptographic algorithms are the equivalent of locks, seals, and identification documents over the Internet. They are essential to protect our online bank transactions, medical and personal information, and to support e-commerce and e-government. These algorithms come in various forms. Encryption algorithms protect sensitive data from unauthorized access. Digital signature algorithms—often used in combination with hash functions—and message authentication codes (MACs) serve as digital replacements for handwritten signatures in electronic transactions. Identification protocols enable the secure verification of a remote party’s identity. As a whole, cryptology is a research area with a high strategic impact in industry, for individuals, and for society. The research activities of the CASCADE project-team address the following topics, which cover most of the areas currently active in the international cryptographic community, with a focus on public-key algorithms:

1. Algorithm and protocol design, with provable security;
2. Theoretical and practical attacks.

2.2 Design of Provably Secure Primitives and Protocols

Since the advent of public-key cryptography, marked by the seminal Diffie–Hellman paper, many algorithmic problems suitable for cryptographic use have been proposed, and numerous cryptographic schemes have been designed—often accompanied by more or less heuristic proofs of their security, based on the assumed intractability of the underlying problems. However, many of these schemes have subsequently been broken. The mere fact that a cryptographic algorithm has withstood cryptanalytic attacks for several years is often taken as a kind of validation, but it may take a long time before a scheme is broken. As a result, the absence of known attacks at a given time should never be considered a full validation of a scheme’s security.

A fundamentally different approach is offered by the concept of provable security. A significant line of research has aimed to provide formal proofs within the framework of computational complexity theory (also known as reductionist security proofs). These proofs reduce the task of breaking a cryptographic protocol to solving a well-studied hard problem (e.g., factoring, RSA, or the discrete logarithm problem).

Initially, researchers focused on defining the security notions required by practical cryptographic schemes, and then designing protocols that satisfied these notions. The techniques were derived directly from complexity theory, relying on polynomial-time reductions. However, this line of work was primarily theoretical in nature. The goal was to minimize the assumptions needed on cryptographic primitives (e.g., one-way functions, permutations, possibly with trapdoors), without regard to practical efficiency. Thus, it was sufficient to design a scheme with polynomial-time algorithms and to present polynomial reductions from the hardness of the underlying problem to an attack on the security notion, in an asymptotic sense. However, such results have limited practical impact on real-world security.

Over time, the community has sought more efficient, quantitatively meaningful reductions—an approach known as exact or concrete security—which aims to produce security guarantees that are not only theoretically sound but also practically relevant, with concrete efficiency parameters.

To this aim, a cryptographer has to deal with the following four important steps, which are all main goals of ours:

• computational assumptions,
  which are the foundation of the security. We thus need to have a strong evidence that the computational problems are reasonably hard to solve, for concrete parameters;
• security model,
  which makes precise the security notions one wants to achieve, as well as the means the adversary may be given. We contribute to this point, in several ways:

  • by providing security models for many primitives and protocols;
  • by enhancing some classical security models;
  • by considering new means for the adversary.
• design
  of new schemes/protocols, or more efficient ones, with additional features, etc.
• security proof,
  which consists in exhibiting a reduction.

2.3 Attacks and security analysis

But, some schemes are still published without complete security proofs, hence their security requires further analysis, and attacks may be found. And even for provably secure schemes, attacks are not excluded, and may appear at several levels:

• A computational assumption may prove wrong. So we study them, and in particular the ones that are believed to resist quantum computers.
• the security model may be inappropriate, and allow for devastating attacks in concrete usage scenarios.

3.1 Quantum-safe cryptography

The security of almost all public-key cryptographic protocols in use today relies on the presumed hardness of problems from number theory such as factoring and computing discrete logarithms. This is problematic because these problems have very similar underlying structure, and its unforeseen exploit can render all currently used public-key cryptography insecure. This structure was in fact exploited by Shor to construct efficient quantum algorithms that break all hardness assumptions from number theory that are currently in use. And so naturally, an important area of research is to build provably secure protocols based on mathematical problems that are unrelated to factoring and discrete log. One of the most promising directions in this line of research is using lattice problems as a source of computational hardness, which also offer features that other alternative public-key cryptosystems (such as MQ-based, code-based, isogeny-based or hash-based schemes) cannot provide. The ERC Advanced Grant PARQ aims at evaluating the security of lattice-based cryptography, with respect to the most powerful adversaries, such as quantum computers and large-scale parallel computers.

In the meantime, although a universal quantum computer may be some decades in the future, quantum communication and quantum error correcting codes are beginning to become concretely available. It is already possible to prepare, manipulate and precisely control systems involving a few quantum information bits (qubits). Such quantum technologies could help improve the efficiency and security of concrete cryptographic protocols. The ANR JCJC project CryptiQ aims at considering three possible scenarios (first, the simple existence of a quantum attacker, then the access to quantum communication for anyone, and finally a complete quantum world) and studies the consequences on the cryptographic protocols currently available. This implies elaborating adversarial models and designing or analyzing concrete protocols with formal security proofs, in order to get ready as soon as one of these scenarios becomes the new reality.

3.2 Computations on encrypted data

In the area of computations on encrypted data, there are three main families of approaches:

• Advanced Encryption,
  with fully homomorphic encryption and functional encryption:

  • Fully Homomorphic Encryption (FHE), which has been announced in 2009, allows to perform any computation on encrypted data, getting the result encrypted under the same key. This is perfect in order to outsource computation in the Cloud, on encrypted data: the Cloud provider does not learn any information;
  • Functional Encryption (FE), proposed in 2011, allows an authority to deliver functional decryption keys, for any function $f$ of his choice, so that on the encryption of any message $m$, the functional decryption key leads to $f\left(m\right)$. This is a generalization of Identity-Based Encryption (IBE), Attribute-Based Encryption (ABE) and Predicate Encryption (PE), which where limited to the identity function, under some access-control.
• Secure Multi-Party Computation (SMPC)
  is an interactive protocol between 2 or more parties, with their own private inputs. After several communications, this is possible to let each party to learn specific evaluations on the inputs, and nothing else.
• Searchable Symmetric Encryption (SSE)
  proposes a trade-off between efficiency and security, using fast (structured) symmetric encryption, but allowing some leakage of information. The goal is akin to private information retrieval: one can retrieve records in a database without leaking much information about the query.

4.1 Privacy for the Cloud

Many companies have already started the migration to the Cloud and many individuals share their personal informations on social networks. While some of the data are public information, many of them are personal and even quite sensitive. Unfortunately, the current access mode is purely right-based: the provider first authenticates the client, and grants him access, or not, according to his rights in the access-control list. Therefore, the provider itself not only has total access to the data, but also knows which data are accessed, by whom, and how: privacy, which includes secrecy of data (confidentiality), identities (anonymity), and requests (obliviousness), should be enforced. Moreover, while high availability can easily be controlled, and thus any defect can immediately be detected, failures in privacy protection can remain hidden for a long time. The industry of the Cloud introduces a new implicit trust requirement: nobody has any idea at all of where and how his data are stored and manipulated, but everybody should blindly trust the providers. The providers will definitely do their best, but this is not enough. Privacy-compliant procedures cannot be left to the responsibility of the provider: however strong the trustfulness of the provider may be, any system or human vulnerability can be exploited against privacy. This presents too huge a threat to tolerate. The distribution of the data and the secrecy of the actions must be given back to the users. It requires promoting privacy as a global security notion.

In order to protect the data, one needs to encrypt it. Unfortunately, traditional encryption systems are inadequate for most applications involving big, complex data. Recall that in traditional public key encryption, a party encrypts data to a single known user, which lacks the expressiveness needed for more advanced data sharing. In enterprise settings, a party will want to share data with groups of users based on their credentials. Similarly, individuals want to selectively grant access to their personal data on social networks as well as documents and spreadsheets on Google Docs. Moreover, the access policy may even refer to users who do not exist in the system at the time the data is encrypted. Solving this problem requires an entirely new way of encrypting data.

A first natural approach would be fully homomorphic encryption (FHE, see above), but a second one is also Functional Encryption (FE), that is an emerging paradigm for public-key encryption: it enables more fine-grained access control to encrypted data, for instance, the ability to specify a decryption policy in the ciphertext so that only individuals who satisfy the policy can decrypt, or the ability to associate keywords to a secret key so that it can only decrypt documents containing the keyword. Our work on functional encryption centers around two goals:

1. to obtain more efficient pairings-based functional encryption;
2. and to realize new functionalities and more expressive functional encryption schemes.

Another approach is secure multi-party computation protocols, where interactivity might provide privacy in a more efficient way, namely for machine learning techniques. Machine learning makes an intensive use of comparisons, for the activation of neurons, and new approaches have been proposed for efficient comparisons with interactive protocols.

4.2 Searchable Encryption

Searchable Encryption (SE) is another technique that aims to protect users' privacy with regard to data uploaded to the cloud. Searchable Encryption is equally concerned with scalability, with the aim to accomodate large real-world databases. As a concrete application, an email provider may wish to store its users’ emails in an encrypted form to provide privacy; but it is obviously highly desirable that users should still be able to search for emails that contain a given word, or whose date falls within a given range. Businesses may also want to outsource databases containing sensitive information, such as client data, for example to dispense with a costly dedicated IT department. To be usable at all, the outsourced encrypted database should still offer some form of search functionality. Failing that, the entire database must be downloaded to process each query to the database, defeating the purpose of cloud storage.

In many contexts, the amount of data outsourced by a client is large, and the overhead incurred by generic solutions such as FHE or FE becomes prohibitive. The goal of Searchable Encryption is to find practical trade-offs between privacy, functionality, and efficiency. Regarding functionality, the focus is mainly on privately searching over encrypted cloud data, altough many SE schemes also support simple forms of update operation. Regarding privacy, SE typically allows the server to learn some information on the encrypted data. This information is formally captured by a leakage function. Security proofs show that the cloud server does not learn any more information about the client's data than what is expressed by the leakage function.

The additional flexibility afforded by allowing a controlled amount of leakage enables SE to offer highly efficient solutions, which can be deployed in practice on large datasets. The main goal of our research in this area is to analyze the precise privacy impact of different leakage functions; propose new techniques to reduce this leakage; as well as extend the range of functionality achieved by Searchable Encryption.

4.3 Post-Quantum Standardization

In recent years, there has been very significant investment on research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography or quantum-safe cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communication protocols and networks.

In 2016, NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. The first selection of standards was announced in July 2022. Out of four standards, three are based on lattice problems: CRYSTALS-KYBER for encryption, CRYSTALS-DILITHIUM and FALCON for signature. We intend to study the best lattice algorithms in order to assess the security of the three NIST standards (and two other NIST finalists SABER and NTRU) based on the hardness of lattice problems.

4.4 Provable Security for the Quantum Internet

With several initiatives such as the development of a 2,000 km quantum network in China, the access of IBM's quantum platform freely available and the efforts made in the EU for instance with the quantum internet alliance team, we can assume that in a further future, not only the adversary has potential access to a quantum computer, but everybody may have access to quantum channels, allowing honest parties to exchange quantum data up to a limited amount. Going one step further than post-quantum cryptography, it is therefore needed to carefully study the security models and properties of classical protocols or the soundness of classical theoretical results in such a setting. Some security notions have already been defined but others have to be extended, such as the formal treatment of superposition attacks initiated by Zhandry.

On the positive side, some quantum primitives which are already well-studied, unconditionally quantum secure and already deployed in practice (such as Quantum Key Distribution) allow for new security properties such as everlasting confidentiality for sensitive long-lived data (which holds even if an attacker stores encrypted data now and decrypts them later when a quantum computer becomes available). We intend to study to what extent allowing honest parties to have access to currently available (or near-term) quantum technologies allows to achieve quantum-enhanced protocols (for classical functionalities) with improved security or efficiency beyond what is possible classically.

5.1 Footprint of research activities

Unfortunately, private computation is usually at a huge cost: it definitely costs more to compute on encrypted data than on clear inputs. However, our goal is definitely to reduce this cost, as it will improve the user experience at the same time, with shorter computation time.

5.2 Impact of research results

Strong privacy for the Cloud would have a huge societal impact since it would revolutionize the trust model: users would be able to make safe use of outsourced storage, namely for personal, financial and medical data, without having to worry about failures or attacks of the server.

Both design of new primitives and study of the best attacks are essential for this goal.

8.1 Bilateral contracts with industry

• PhD CIFRE Cosmian
  – Paola de Perthuis (2020–2024) – Efficient Protocols for Secure Computation over Confidential Data
• PhD CIFRE Thales
  – Hugo Beguinet (2021–2024) – Chiffrement avancé post-quantique sur les réseaux euclidiens
• PhD CIFRE CryptoExperts
  – Nicolas Bon (2022–2025) – Design of optimized operations for homomorphic cryptography
• PhD ANSSI
  – Guirec Lebrun (2022–2025) – Protocoles cryptographiques d’authentification post-quantique
• PhD Thales
  – Éric Sageloli (2023–2026) – Sécurité de protocoles et primitives cryptographiques face à un attaquant quantique

8.2 Grants with industry

9.1 International research visitors

9.2 European initiatives

9.3 National initiatives

10.1 Promoting scientific activities

10.2 Teaching - Supervision - Juries

• Introduction to Cryptology (ENS 1st year students): a total of 20 hours of lecture, 20 hours of TA/year
• Techniques in cryptography and cryptanalysis (Master M2 MPRI): 24 hours of lecture/year
• Cryptographic protocols: computational and symbolic proofs (Master M2 MPRI): 12 hours of lecture/year
• Introduction to Cryptography (Master M1, ESI Léonard de Vinci)
• Cryptography (Master MSSIS, ESIEA)
• Joint directorship of MPRI (M2, PSL/IPP/UPC/UPS).
• Examinator for entrance exams to ENS (oral exam in Fundamental Computer Science).

10.3 Popularization

11.1 Major publications

• 1 articleM.Michel Abdalla, D.Dario Catalano and D.Dario Fiore. Verifiable Random Functions: Relations to Identity-Based Key Encapsulation and New Constructions.Journal of Cryptology2732014, 544-593
• 2 articleM.Masayuki Abe, G.Georg Fuchsbauer, J.Jens Groth, K.Kristiyan Haralambiev and M.Miyako Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements.Journal of Cryptology2922016, 363--421
• 3 inproceedingsD.Divesh Aggarwal, J.Jianwei Li, P. Q.Phong Q Nguyen and N.Noah Stephens-Davidowitz. Slide Reduction, Revisited—Filling the Gaps in SVP Approximation.CRYPTO 2020 - 40th Annual International Cryptology ConferenceSanta Barbara / Virtual, United StatesAugust 2020, 274-295HALDOI
• 4 inproceedingsF.Fabrice Benhamouda, O.Olivier Blazy, C.Céline Chevalier, D.David Pointcheval and D.Damien Vergnaud. New Techniques for SPHFs and Efficient One-Round PAKE Protocols.Advances in Cryptology -- Proceedings of CRYPTO '13 (1)8042Lecture Notes in Computer ScienceSpringer2013, 449-475
• 5 inproceedingsP.Pyrros Chaidos, V.Véronique Cortier, G.Georg Fuchsbauer and D.David Galindo. BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme.Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS '16)ACM Press2016, 1614--1625
• 6 inproceedingsJ.Jérémy Chotard, E.Edouard Dufour Sans, R.Romain Gay, D.David Pointcheval and D. H.Duong Hieu Phan. Decentralized Multi-Client Functional Encryption for Inner Product.ASIACRYPT '18 - 24th Annual International Conference on the Theory and Application of Cryptology and Information SecurityLecture Notes in Computer ScienceAdvances in Cryptology - ASIACRYPT '1811273Brisbane, AustraliaSpringerDecember 2018HALDOI
• 7 inproceedingsY.Yevgeniy Dodis, D.David Pointcheval, S.Sylvain Ruhault, D.Damien Vergnaud and D.Daniel Wichs. Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust.Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS '13)Berlin, GermanyACM Press2013, 647--658
• 8 inproceedingsR.Romain Gay, D.Dennis Hofheinz, E.Eike Kiltz and H.Hoeteck Wee. Tightly CCA-Secure Encryption Without Pairings.Advances in Cryptology -- Proceedings of Eurocrypt '16 (2)9665Lecture Notes in Computer ScienceSpringer2016, 1--27
• 9 inproceedingsS.Sergey Gorbunov, V.Vinod Vaikuntanathan and H.Hoeteck Wee. Predicate Encryption for Circuits from LWE.Advances in Cryptology -- Proceedings of CRYPTO '15 (2)9216Lecture Notes in Computer ScienceSpringer2015, 503-523
• 10 articleV.Vadim Lyubashevsky, C.Chris Peikert and O.Oded Regev. On Ideal Lattices and Learning with Errors over Rings.Journal of the ACM6062013, 43:1--43:35
• 11 inproceedingsB.Brice Minaud and M.Michael Reichle. Dynamic Local Searchable Symmetric Encryption.Crypto 2022 - 42nd Annual International Cryptology ConferenceLNCS - 13510Advances in Cryptology – CRYPTO 2022Santa Barbara, United StatesSpringerAugust 2022HALDOI
• 12 inproceedingsW.Willy Quach, H.Hoeteck Wee and D.Daniel Wichs. Laconic Function Evaluation and Applications.59th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2018)IEEE2018

11.2 Publications of the year