2023Activity reportProject-TeamGRACE

6.1.1 snark-2-chains

• Name:
  Families of SNARK-friendly 2-chains of elliptic curves
• Keywords:
  Cryptography, Cryptocurrency, Blockchain
• Functional Description:
  This library implements finite field and elliptic curve arithmetic for BN curves (Barreto-Naehrig), BLS (Barreto-Lynn-Scott), KSS (Kachisa-Schaefer-Scott), and 2-chains made of BW6 (Brezing-Weng curves of embedding degree 6), CP8, CP12 (Cocks-Pinch curves of embedding degree 8 and 12) for use with zk-snarks (zero-knowledge succinct non-interactive argument of knowledge). The cryptographic applications are: pairing, scalar multiplication on the curves, hashing on the curves. The code is a proof of concept tied to two papers and is not optimized.
• URL:
  https://­gitlab.­inria.­fr/­zk-curves/­snark-2-chains
• Publications:
  hal-03667798, hal-03371573
• Contact:
  Aurore Guillevic

6.1.2 WaveSign

• Name:
  Wave Signatures: Reference Implementation
• Keywords:
  Post-quantum, Digital signature, Cryptographic protocol, Cryptography
• Functional Description:
  This software provides a complete and functional reference implementation in C99 for Wave, a post-quantum digital signature scheme based on hard problems in coding theory. Key generation, signing, and verification functions are provided, compliant with the API specified by NIST for their post-quantum signature on-ramp call. The emphasis is on portability, rather than targeted optimizations.
• URL:
  https://­wave-sign.­org
• Contact:
  Nicolas Sendrier
• Partner:
  Qualcomm France

7.1.1 Search-to-decision reductions in code–based cryptography

Participants: A. Couvreur, M. Bombar, T. Debris–Alazard.

The security of most code–based cryptosystem relies on the hardness of the so–called Decoding Problem. If its search version (Given a random linear code, and a noisy codeword, it should be hard to decode, i.e. to remove the error and recover the original message) is quite well understood, many proposals actually rely on the decision version which can be formulated as follows: Given a random linear code it should be hard to distinguish between a uniformly random vector of the ambiant space, and a noisy codeword. This decision version can be thought as the code–based analogue of the Decisional Diffie Hellman problem, and for general random linear codes both search and decision problem are known to be equivalent. Such a result is known as a search to decision reduction. However, for efficiency purposes, it is very appealing to use algebraically structured codes such as quasi-cyclic codes, that can be represented more compactly. In this situation, the hardness of the decision Decoding problem is only conjectured. On the other hand, one of the reasons of the success of lattice–based cryptography is that it benefits from a rich literature of security reductions for both general lattices and so–called structured lattices, i.e. lattices arising from orders of number fields.

In 44, based on a strong analogy between number fields and function fields, and especially using Carlitz modules which can be somehow considered as an analogue of cyclotomic number fields in positive characteristics, we introduce a new generic problem that we call Function Field Decoding Problem, and derive the first search to decision reduction in this context.

In 19, we revisit the tool called the OHCP framework (for Oracle with Hidden Center Problem) which has been introduced by Peikert et al. (STOC 2017) in the lattice-based context. This framework has proved to be very useful as a black box inside reductions and we have adapted it in the code-based context by extracting its very essence, namely the Oracle Comparison Problem (OCP). It has yield to a new worst-case to average-case search-to-decision reduction. We have then turned to the structured versions and explain why this is not as straightforward as for Euclidean lattices. If we fail to give a search-to-decision reduction for structured codes, we believe that our work opens the way towards new reductions for structured codes, given that the OHCP framework proved to be so powerful in lattice-based cryptography. Furthermore, we also believe that this technique could be extended to codes endowed with other metrics, such as the rank metric, for which no reduction is known.

7.1.2 New algorithms to solve the generic decoding problem

Participants: T. Debris–Alazard.

The security of code-based cryptography relies primarily on the hardness of generic decoding with linear codes. The best generic decoding algorithms are all improvements of an old algorithm due to Prange: they are known under the name of information set decoders (ISD). A while ago, a generic decoding algorithm which does not belong to this family was proposed: statistical decoding. It is a randomized algorithm that requires the computation of a large set of parity-checks of moderate weight, and uses some kind of majority voting on these equations to recover the error we are looking for in the decoding problem. This algorithm was long forgotten because even the best variants of it performed poorly when compared to the simplest ISD algorithm. In 46, we revisit this old algorithm by using parity-check equations in a more general way. Here the parity-checks are used to get LPN samples with a secret which is part of the error and the LPN noise is related to the weight of the parity-checks we produce. The corresponding LPN problem is then solved by standard Fourier techniques. By properly choosing the method of producing these low weight equations and the size of the LPN problem, we are able to outperform in this way significantly information set decoders at code rates smaller than 0.3. It gives for the first time after 60 years, a better decoding algorithm for a significant range which does not belong to the ISD family.

In 31 we revisit RLPN-decoding by noticing that, in this algorithm, decoding is in fact reduced to a sparse-LPN problem, namely with a secret whose Hamming weight is small. Our new approach consists this time in making an additional reduction from sparse-LPN to plain-LPN with a coding approach inspired by coded-BKW. It outperforms significantly the ISD's and RLPN for code rates smaller than 0.42. This algorithm can be viewed as the code-based cryptography cousin of recent dual attacks in lattice-based cryptography. We depart completely from the traditional analysis of this kind of algorithm which uses a certain number of independence assumptions that have been strongly questioned recently in the latter domain. We give instead a formula for the LPN noise relying on duality which allows to analyze the behavior of the algorithm by relying only on the analysis of a certain weight distribution. By using only a minimal assumption whose validity has been verified experimentally we are able to justify the correctness of our algorithm. This key tool, namely the duality formula, can be readily adapted to the lattice setting and is shown to give a simple explanation for some phenomena observed on dual attacks in lattices.

7.1.3 Cryptanalysis

Participants: Alain Couvreur.

In 23, we propose a new attack on rank metric based encryption schemes by revisiting and extending Overbeck's attack. This novel approach involving the computation of code's stabilizer algebras and their Artin-Wedderburn decomposition. This permitted in particular to break the system proposed in 48.

In another work 22, we proposed a new distinguisher on binary and $q$–ary Goppa codes: the codes used in NIST submission Classic McEliece which runs in the 4th round of NIST's standardisation process. Our distinguisher consists in reducing the Goppa distinguishing problem to a MinRank instance in a space of symmetric matrices. Despite, the obtained distinguisher works only on high rate Goppa codes and hence does not break Classic McEliece, this is a completely novel approach and the first result on binary Goppa codes cryptanalysis for over 10 years.

7.1.4 Isogeny evaluation algorithms over extension fields

Participants: Anaëlle Le Dévéhat, Benjamin Smith.

Consider the basic problem of efficiently evaluating an isogeny $\varphi :E\to E/H$ of elliptic curves over ${𝔽}_q$, where the kernel $H=\langle G\rangle$ is a cyclic group of odd (prime) order: given $E$, $G$, and one or more points $P$ on $E$, we want to compute $\varphi \left(P\right)$. This problem is at the heart of essentially all efficient implementations of group-action- and isogeny-based post-quantum cryptosystems, such as CSIDH. Algorithms based on Vélu's formulæ give an efficient solution to this problem when the kernel generator $G$ is defined over ${𝔽}_q$. However, for general isogenies, $G$ is only defined over some extension ${𝔽}_{q^k}$, even though the kernel subgroup $H=\langle G\rangle$ as a whole (and thus $\varphi$) is defined over the base field ${𝔽}_q$; and the performance of Vélu-style algorithms degrades rapidly as $k$ grows. In 29, joint work with our former postdoc Gustavo Banegas and former intern Valerie Gilchrist, we revisit the isogeny-evaluation problem with a special focus on the case where $1\le k\le 12$. We improve Vélu-style isogeny evaluation for many cases where $k=1$ using special addition chains, and combine this with the action of Galois to give greater improvements when $k>1$.

7.3.1 Verifiable computation based on coding theory

Participants: Daniel Augot, Tanguy Medevielle.

In the coding theoretic setting, these protocols are made popular, in particular in the blockchain area, under the name of (ZK-)STARKS, Scalable Transparent Arguments of Knowledge, introduced in 2018. The short non interactive proofs are derived for protocols which are called IOPs Interactive Oracle Proofs, which are combination of IPs Interactive Proofs and PCPs Probabilistically Checkable Proofs, for combining the best of both worlds, and making PCPs pratical.

At the core of these protocols lies the following coding problem: how to decide, with high confidence, that a very long ambient word is close to a given code, while looking at very few coordinates of it.

An important issue is to have a smaller alphabet, and this can be done using algebraic-geometric codes. This was done by Sarah Bordage, Matthieu Lhotel, Jade Nardi and Hugues Randriambololona  45, using curves with a resoluble automorphims group, which enable to build codes which are foldable in way similar to the Reed-Solomon codes with are folded in the "FRI" protocol  43. Their protocol has very good perfomance, akin to the Reed-Solomon case. Towers of curves are considered for this construction, to enable good asymptotic results.

The internship of Tanguy Medevielle in Spring 2023 allowed to prove that these codes admit a quasi linear encoding algorithm under mild constraints.

7.6.1 Modular polynomials

Participants: François Morain.

Basic isogeny computations require the use of modular polynomials in two ways. The roots of a modular polynomial first indicate the existence of curves isogenous to the curve of interest. Second, these isogenous curves are computed using explicit formulas involving derivatives of the modular polynomial, as first described by Atkin for two families of modular polynomials. The height of the polynomial is critical, since it is the dominant parameter in the complexity analysis of the various methods used to compute them. We started to investigate the theory and practice of modular polynomials, in search of smaller and easier families to be used for the efficient computation of isogenies. See the two preprints 35 and 36.

9.2.1 Horizon Europe

9.3.1 ANR CIAO

Participants: Benjamin Smith, Luca De Feo, Antonin Leroux, Mathilde Chenu.

ANR CIAO (Cryptography, Isogenies, and Abelian varieties Overwhelming) is a JCJC 2019 project, led by Damien Robert (Inria EP LFANT). This project, which started in October 2019, will examine applications of higher-dimensional abelian varieties in isogeny-based cryptography.

9.3.2 ANR COLA

Participants: Alain Couvreur, Thomas Debris–Alazard.

ANR COLA (An interface between COde and LAttice-based cryptography) is a project from (Appel à projets générique, Défi 9, Liberté et sécurité de l’Europe, de ses citoyens et de ses résidents, Axe 4 ; Cybersécurité). This project (ANR JCJC), starting in october 2021 led by Thomas Debris-Alazard focusses on bringing closer post-quantum solutions based on codes and lattices to improve our trust in cryptanalysis and to open new perspectives in terms of design.

9.3.3 ANR BARRACUDA

Participants: Daniel Augot, Alain Couvreur, Françoise Levy-dit-Vehel.

BARRACUDA is a collaborative ANR project accepted in 2021 and led by A. Couvreur .

Website : barracuda.inria.fr

The project gathers specialists of coding and cryptology on one hand and specialists of number theory and algebraic geometry on the other hand. The objectives concern problems arising from modern cryptography which require the use of advanced algebra based objects and techniques. It concerns for instance mathematical problems with applications to distributed storage, multi-party computation or zero knowledge proofs for protocols.

9.3.4 ANR SANGRIA

Participants: Olivier Blazy.

SANGRIA is a collaborative ANR project accepted in 2021.

Website : lip6.fr/Damien.Vergnaud/projects/sangria/

The main scientific challenge of the SANGRIA (Secure distributed computAtioN - cryptoGRaphy, combinatorIcs and computer Algebra) project are (1) to construct specific protocols that take into account practical constraints and prove them secure, (2) to implement them and to improve the efficiency of existing protocols significantly. The SANGRIA project (for Secure distributed computAtioN: cryptoGRaphy, combinatorIcs and computer Algebra) aims to undertake research in these two aspects while combining research from cryptography, combinatorics and computer algebra. It is expected to impact central problems in secure distributed computation, while enriching the general landscape of cryptography.

9.3.5 ANR MobiS5

Participants: Olivier Blazy.

MobiS5 is a collaborative ANR project accepted in 2018.

Website : mobis5.limos.fr/

MobiS5 will aim to foresee and counter the threats posed in 5G architectures by the architectural modifications suggested in TR 22.861-22.864. Concretely, we will provide a provably-secure cryptographic toolbox for 5G networks, validated formally and experimentally, responding to the needs of 5G architectures at three levels:

* Challenge 1: security in the network infrastructure and end points: including core network security and attack detection and prevention; * Challenge 2: cryptographic primitives and protocols, notably : a selection of basic primitives, an authenticated key-exchange protocol, tools to compute on encrypted data, and post-quantum cryptographic countermeasures * Challenge 3: mobile applications, specifically in the use-case of a secure server that aids or processes outsourced computation; and the example of a smart home.

9.3.6 ANR CryptiQ

Participants: Olivier Blazy.

CryptiQ is a collaborative ANR project accepted in 2018.

The goal of the CryptiQ project is to major changes due to Quantum Computing by considering three plausible scenarios, from the closest to the furthest foreseeable future, depending on the means of the adversary and the honest parties. In the first scenario, the honest execution of protocols remains classical while the adversary may have oracle access to a quantum computer. This is the so-called post-quantum cryptography, which is the best known setting. In the second scenario (quantum-enhanced classical cryptography), we allow honest parties to have access to quantum technologies in order to achieve enhanced properties, but we restrict this access to those quantum technologies that are currently available (or that can be built in near-term). The adversary is still allowed to use any quantum technology. Finally, in the third scenario (cryptography in a quantum world), we allow the most general quantum operations to an adversary and we consider that anybody can now have access to both quantum communication and computation.

9.3.7 PEPR sur les technologues quantiques - Projet intégré "Un cadenas post-quantique pour les navigateurs web"

Participants: Alain Couvreur, Thomas Debris–Alazard, Benjamin Smith, Anaëlle Le Devehat, Matthieu Lequesne.

This projet intégré aims to develop post quantum cryptographic primitives in 5 years which would be implemented in an open source web browser. The evolution of cryptographic standards has already begun. The choice of new primitives will be made soon and the transition should be operated in a few years. The objective of the project is to play a crucial role in this evolution so that french researchers, which are already strongly implied in this process could influence the choice of cryptographic standards in the next years.

9.3.8 Inria Défi RIOT-fp: Reconcile IoT and Future-Proof Security

Participants: Benjamin Smith, Gustavo Banegas.

RIOT-fp is a research project on cyber-security targeting low-end, microcontroller-based IoT devices, on which run operating systems such as RIOT and a low-power network stack. It links the project-teams EVA, GRACE, PROSECCO, TRiBE, and TEA. Taking a global and practical approach, RIOT-fp gathers partners planning to enhance RIOT with an array of security mechanisms. The main challenges tackled by RIOT-fp are:

1. developing high-speed, high-security, low-memory IoT crypto primitives,
2. providing guarantees for software execution on low-end IoT devices, and
3. enabling secure IoT software updates and supply-chain, over the network.

Beyond academic outcomes, the output of RIOT-fp is open source code published, maintained and integrated in the open source ecosystem around RIOT. As such, RIOT-fp strives to contribute usable building blocks for an open source IoT solution improving the typical functionality vs. risk tradeoff for end-users.

9.3.9 Inria AEx CACHAÇA

Participants: Benjamin Smith, Guenael Renault, Anaelle Le Devehat.

The Action Exploratoire CACHAÇA, led by Benjamin Smith and based at Campus Cyber, started in 2022. CACHAÇA aims to bring high-assurance techniques from formal methods to the initial design and implementation phase for new postquantum cryptosystems, to produce fast, safe, and portable software implementations, especially for constrained environments such as IoT devices. Guenael Renault has associate researcher status, and so CACHAÇA is an anchor-point for collaborations between GRACE and the Secure Components laboratory at ANSSI. It will also englobe GRACE's contribution to planned industrial consortia (expected to begin in 2023).

10.1.1 Scientific events: selection

10.1.2 Journal

10.1.3 Invited talks

• A. Couvreur was invited to give a talk at the special session Algebraic coding theory and cryptography of the 29th Nordic Congress of Mathematicians

10.1.4 Leadership within the scientific community

• O. Blazy and A. Couvreur are co-responsible of the Groupe de Travail Codes et Cryptographie (C2) of the GdR's Informatique Mathématiques and Sécurité Informatique.

10.1.5 Scientific expertise

• A. Couvreur was referee for the PhD commitee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
• A. Couvreur was referee for the PhD commitee of Thibauld Feneuil (Sorbonne Université, 23/10/2023)
• A. Couvreur was referee for the HDR commitee of Eleonora Guerrini (Université de Montpellier, 4/12/2023)
• O. Blazy was referee for the PhD commitee of Cyrius Nugier (Insa Toulouse, 04/07/2023)
• O. Blazy was referee for the PhD commitee of Vigile Dossou Yovo (Université d'Abomey-Calavi (Bénin), 09/08/2023)
• O. Blazy was referee for the PhD commitee of Lucas Prabel (Université de Rennes, 05/10/2023)
• O. Blazy was referee for the PhD committee of Elie Bouscatié (Université de Bordeaux, 19/12/2023)

10.1.6 Research administration

• D. Augot was member of a Comité de sélection for a Maître de conférence position at Université de Limoges.
• D. Augot was member of the scientific PhD jury of Institut Polytechnique de Paris (attributing PhD fundings in computer science).
• D. Augot was in the HCERÉS visiting committee of lab LIP6 (CNRS and Sciences Sorbonne Université), 21-24 November 2023.
• A. Couvreur is elected member of Inria's Commission d'Évaluation. He served in the recruitment juries:
  • CRCN Centre Inria de Lyon;
  • DR2 National.
• A. Couvreur is coordiator for Inria of the Axis PQ-TLS of PEPR quantique and in charge of the work package on code-based cryptography with Philippe Gaborit (University of Limoges).
• B. Smith is in charge of the work package on isogeny-based cryptography of the axis PQ-TLS of PEPR quantique.
• O. Blazy is a member of the Conseil Scientifique et Pédagogique for the EUR Tactic.

10.2.1 Teaching

• Licence :
  • O. Blazy : CSE101: Introduction to Computer Programming (Tutorials), 58h, L1, École polytechnique, France
  • M. Bombar : INF361: Introduction à l'informatique (tutorials), 40h (equiv TD), 1st year (L3), École polytechnique.
  • T. Debris–Alazard , Exercises for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique.
  • F. Morain , Lectures for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).
  • B. Smith : CSE101: Introduction to Computer Programming, 31.5h, L1, École polytechnique, France
  • B. Smith : CSE207: Introduction to Networks (Tutorials), 14h, L2, École polytechnique, France
• Master:
  • D. Augot : lectures and Labs on crypto in blockchains, 24h, M2, École polytechnique, France.
  • D. Augot designed with Julien Prat the cursus of a course in blockchains and economics, and made lectures on zero-knowledge.
  • O. Blazy : Lectures and Labs for INF646: Introduction to formal methods, 20h, M2, École polytechnique, France
  • Master : O. Blazy : Lectures and Labs for Authentification, VPN et Chiffrement, 6h, M2, Telecom Sud Paris, France
  • T. Debris–Alazard , Lectures for INF587: “Introduction to quantum computer science”, 45h, École polytechnique.
  • A. Couvreur and T. Debris–Alazard : Lectures in MPRI 2-13-2: Error Correcting codes and applications to cryptography
  • F. Morain , INF558, Lectures and labs Introduction to cryptology, 36h, M1, École Polytechnique
  • F. Levy-dit-Vehel , Lectures on discrete maths, 21h, M1, ENSTA
  • F. Levy-dit-Vehel , Lectures on cryptography, 24h, M2, ENSTA.
  • Matthieu Lequesne , INF558, labs Introduction to cryptology, 36h, M1, École Polytechnique
  • G. Renault : Lectures and Labs for INF565: Information Systems Security, 60h, M1, École polytechnique, France
  • G. Renault : Lectures and Labs for INF648: Embedded security: side-channel attacks; javacard, 60h, M2, École polytechnique, France
  • Master : G. Renault : Coordinator for INF637: Reverse engineering vs Obfuscation, 2h, M2, École polytechnique, France
  • B. Smith : INF568: Advanced Cryptography, 45h, M1, École polytechnique, France
  • B. Smith : MPRI 2-12-2: Algorithmes Arithmétiques pour la Cryptologie, 22.5h, M2, Master Parisien de Recherche en Informatique, France.
• Professional training:
  • D. Augot gave a two hours lecture at System-X.

10.2.2 Supervision

• Master : F. Morain is the scientific leader of the Master of Science and Technology Cybersecurity: Threats and Defense of École Polytechnique.
• Bachelor: O. Blazy is one of the academic advisor for the Computer Science Bachelor of École Polytechnique.
• Master : O. Blazy is one of the academic advisor of the new Master of Science and Technology Cybersecurity of École Polytechnique.

10.2.3 Juries

• T. Debris–Alazard was member of the jury for Gilles Kahn PhD award
• B. Smith was an examiner for the PhD of Marc Houben (KU Leuven, Belgium, 22/11/2023)
• D. Augot was a reviewer of the PhD of Simona Etinksi (Université Paris Cité, 28/6/2023)
• D. Augot was president of the PhD committee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
• A. Couvreur was president for the PhD commiteed of Rocco Mora (Sorbonne université, 7/4/2023)
• A. Couvreur was member the PhD commitee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
• A. Couvreur was member of the PhD commitee of Thibauld Feneuil (Sorbonne Université, 23/10/2023)
• A. Couvreur was member of the HDR commitee of Eleonora Guerrini (Université de Montpellier, 4/12/2023)
• O. Blazy was member for the PhD commitee of Quoc-Huy Vu (Panthéon-Assas, 01/02/2023).
• O. Blazy was president for the PhD commitee of Cyrius Nugier (Insa Toulouse, 04/07/2023)
• O. Blazy was member for the PhD commitee of Vigile Dossou Yovo (Université d'Abomey-Calavi (Bénin), 09/08/2023)
• O. Blazy was president for the PhD commitee of Hugo Senet (Panthéon-Assas, 22/09/2023).
• O. Blazy was member for the PhD commitee of Lucas Prabel (Université de Rennes, 05/10/2023)
• O. Blazy was member for the PhD committee of Elie Bouscatié (Université de Bordeaux, 19/12/2023)

10.3.1 Internal or external Inria responsibilities

• A. Couvreur was référent médiation scientifique of Inria Saclay research centre until september 2023. In this context,
  • he organised with the Service Communication et Médiation of Inria Saclay Les Rendez-vous des Jeunes Mathématiciennes et Informaticiennes at Inria Saclay;
  • he coordinated with the Service Communication et Médiation of Inria Saclay the La fête de la science at Institut Polytechnique de Paris and Université Paris Saclay
• O. Blazy is Référent Europe for the GDR Sécurité Informatique.

10.3.2 Articles and contents

• D. Augot was interviewed in a Polytechnique insights video on blockchains.
• O. Blazy gave numerous interview in national / international media about cybersecurity concerns, especially age verification / children onlinde protection. (L'Express, BFMTV, La Croix, Public Sénat, ...)

10.3.3 Interventions

• B. Smith gave the keynote at the 2023 BNP Paribas FRESH (Finance and Risk) team-building event on The transition to quantum-safe cryptography.
• B. Smith gave a keynote talk at the 2023 GFA Flag Attack (“the French–German CTF”) on The transition to quantum-safe cryptography
• A. Couvreur gave a popularization talk on the history of cryptography at the award ceremony of the Olympiades de Mathématiques de l'accadémie de Créteil.
• O. Blazy gave a presentation at the ERGA academy about age verification. (ERGA being the European Regulators Group for Audiovisual media).

International journals

• 8 articleG.Gustavo Banegas and R.Ricardo Villanueva-Polanco. On recovering block cipher secret keys in the cold boot attack setting.Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences 2023HALDOI
• 9 articleG.Gautam Botrel and Y.Youssef El Housni. Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs.IACR Transactions on Cryptographic Hardware and Embedded SystemsJune 2023, 504-521HALDOI
• 10 articleT.Thomas Debris-Alazard, L.Léo Ducas, N.Nicolas Resch and J.-P.Jean-Pierre Tillich. Smoothing Codes and Lattices: Systematic Study and New Bounds.IEEE Transactions on Information Theory699September 2023, 6006-6027HALDOI
• 11 articleT.Thomas Debris-Alazard, M.Maxime Remaud and J.-P.Jean-Pierre Tillich. Quantum Reduction of Finding Short Code Vectors to the Decoding Problem.IEEE Transactions on Information Theory2023, 1-1HALDOI
• 12 articleE.Eleonora Guerrini, K.Kamel Lairedj, R.Romain Lebreton and I.Ilaria Zappatore. Simultaneous Rational Function Reconstruction with Errors: Handling Multiplicities and Poles.Journal of Symbolic Computation1162023, 345-364HALDOI

International peer-reviewed conferences

• 13 inproceedingsG.Gustavo Banegas, J.Juliane Krämer, T.Tanja Lange, M.Michael Meyer, L.Lorenz Panny, K.Krijn Reijnders, J.Jana Sotáková and M.Monika Trimoska. Disorientation Faults in CSIDH.EUROCRYPT 2023: Advances in Cryptology – EUROCRYPT 202314008Lecture Notes in Computer ScienceLyon, FranceSpringer Nature SwitzerlandApril 2023, 310-342HALDOI
• 14 inproceedingsA.Anaïs Barthoulot, O.Olivier Blazy and S.Sébastien Canard. Dually Computable Cryptographic Accumulators and Their Application to Attribute Based Encryption.Lecture Notes in Computer ScienceCANS 2023 - Cryptology and Network SecurityLNCS-14342Cryptology and Network Security 22nd International Conference, CANS 2023Augusta, United StatesSpringer Nature SingaporeOctober 2023, 538-562HALDOI
• 15 inproceedingsL.Luk Bettale, J.Julien Eynard, S.Simon Montoya, G.Guénaël Renault and R.Rémi Strullu. Security Assessment of NTRU Against Non-Profiled SCA.CARDIS 2022 - 21st Smart Card Research and Advanced Application Conference13820Lecture Notes in Computer ScienceBirmingham, United KingdomSpringer International PublishingJanuary 2023, 248-268HALDOI
• 16 inproceedingsO.Olivier Blazy, I.Ioana Boureanu, P.Pascal Lafourcade, C.Cristina Onete and L.Léo Robert. How fast do you heal? A taxonomy for post-compromise security in secure-channel establishment.Proceedings of the 32nd USENIX Conference on Security SymposiumUSENIX 2023 - The 32nd USENIX Security Symposium1Anaheim, United StatesUSENIX AssociationAugust 2023, 5917--5934HAL
• 17 inproceedingsO.Olivier Blazy, C.Céline Chevalier, G.Guillaume Renaut, T.Thomas Ricosset, É.Éric Sageloli and H.Hugo Senet. Efficient Implementation of a Post-Quantum Anonymous Credential Protocol.ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and SecurityARES 2023: The 18th International Conference on Availability, Reliability and SecurityBenevento, ItalyACMAugust 2023, 1-11HALDOI
• 18 inproceedingsM.Maxime Bombar, G.Geoffroy Couteau, A.Alain Couvreur and C.Clément Ducros. Correlated Pseudorandomness from the Hardness of Quasi-Abelian Decoding.Lecture Notes in Computer ScienceCRYPTO 2023 - 43rd Annual International Cryptology ConferenceLNCS-14084Advances in Cryptology – CRYPTO 2023Santa Barbara, United StatesSpringer Nature SwitzerlandAugust 2023, 567-601HALDOIback to text
• 19 inproceedingsM.Maxime Bombar, A.Alain Couvreur and T.Thomas Debris-Alazard. Pseudorandomness of Decoding, Revisited: Adapting OHCP to Code-Based Cryptography.Lecture notes in Computer ScienceASIACRYPT 2023 - International Conference on the Theory and Application of Cryptology and Information SecurityGuang Zhou, ChinaDecember 2023HALback to text
• 20 inproceedingsG.Geoffroy Couteau and C.Clément Ducros. Pseudorandom Correlation Functions fromVariable-Density LPN, Revisited.26th IACR International Conference on Practice and Theory of Public-Key Cryptography13941Lecture Notes in Computer ScienceAtlanta, United StatesSpringer Nature SwitzerlandMay 2023, 221-250HALDOI
• 21 inproceedingsA.Alain Couvreur. Improved decoding of symmetric rank metric errors.2023 IEEE Information Theory Workshop (ITW)Saint-Malo, FranceIEEEDecember 2022, 238-242HALDOI
• 22 inproceedingsA.Alain Couvreur, R.Rocco Mora and J.-P.Jean-Pierre Tillich. A new approach based on quadratic forms to attack the McEliece cryptosystem.ASIACRYPT 2023Guangzhou, ChinaSpringerDecember 2023HALback to text
• 23 inproceedingsA.Alain Couvreur and I.Ilaria Zappatore. An extension of Overbeck's attack with an application to cryptanalysis of Twisted Gabidulin-based schemes.Lecture Notes in Computer SciencePost-Quantum Cryptography. PQCrypto 202314154Lecture Notes in Computer ScienceCollege Park, United StatesSpringer Nature SwitzerlandMay 2023, 3-37HALDOIback to text
• 24 inproceedingsY.Youssef El Housni. Pairings in Rank-1 Constraint Systems.ACNS2023 - 21st International Conference on Applied Cryptography and Network SecurityKyoto, JapanJune 2023HAL
• 25 inproceedingsA.Angelo Saadeh, P.Pierre Senellart and S.Stéphane Bressan. Confidential Truth Finding with Multi-Party Computation.DEXA 2023 - 34th International Conference on Database and Expert Systems ApplicationsPenang, MalaysiaAugust 2023HALback to text

Doctoral dissertations and habilitation theses

• 26 thesisM.Maxime Bombar. Structured Codes for Cryptography: from Source of Hardness to Applications.École PolytechniqueDecember 2023HAL
• 27 thesisA.Angelo Saadeh. Applications of secure multi-party computation in Machine Learning.Institut Polytechnique de ParisJune 2023HALback to text
• 28 thesisB.Benjamin Smith. Advances in asymmetric cryptographic algorithms.Institut polytechnique de ParisOctober 2023HAL

Reports & preprints

• 29 miscG.Gustavo Banegas, V.Valerie Gilchrist, A.Anaëlle Le Dévéhat and B.Benjamin Smith. Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields.June 2023HALback to text
• 30 miscG.Gustavo Banegas, J.Juliane Krämer, T.Tanja Lange, M.Michael Meyer, L.Lorenz Panny, K.Krijn Reijnders, J.Jana Sotáková and M.Monika Trimoska. Disorientation faults in CSIDH.2023HAL
• 31 miscK.Kévin Carrier, T.Thomas Debris-Alazard, C.Charles Meyer-Hilfiger and J.-P.Jean-Pierre Tillich. Reduction from Sparse LPN to LPN, Dual Attack 3.0.December 2023HALback to text
• 32 miscP.Pierrick Dartois, A.Antonin Leroux, D.Damien Robert and B.Benjamin Wesolowski. SQISignHD: New Dimensions in Cryptography.March 2023HAL
• 33 miscT.Thomas Debris-Alazard and N.Nicolas Resch. Worst and average case hardness of decoding via smoothing bounds.December 2023HAL
• 34 miscA.Antonin Leroux and M.Maxime Roméas. Updatable Encryption from Group Actions.January 2024HAL
• 35 miscF.François Morain. Computing the Charlap-Coley-Robbins modular polynomials.February 2023HALback to text
• 36 miscF.François Morain. Using the Charlap-Coley-Robbins polynomials for computing isogenies.March 2023HALback to text
• 37 miscA.Angelo Saadeh, P.Pierre Senellart and S.Stéphane Bressan. Confidential Truth Finding with Multi-Party Computation (Extended Version).May 2023HALDOIback to text
• 38 miscB.Bruno Sterner. Towards Optimally Small Smoothness Bounds for Cryptographic-Sized Twin Smooth Integers and its Isogeny-based Applications.October 2023HAL

Other scientific publications

• 39 miscG.Gustavo Banegas, K.Kevin Carrier, A.André Chailloux, A.Alain Couvreur, T.Thomas Debris-Alazard, P.Philippe Gaborit, P.Pierre Karpman, J.Johanna Loyer, R.Ruben Niederhagen, N.Nicolas Sendrier, B.Benjamin Smith and J.-P.Jean-Pierre Tillich. WAVE: Round 1 Submission.June 2023HALback to text

Educational activities

• 40 unpublishedT.Thomas Debris-Alazard. Code-based Cryptography: Lecture Notes.April 2023, DoctoralFranceHAL