The research work within the project-team is mostly devoted to the design and analysis of cryptographic algorithms, especially through the study of the involved discrete structures. This work is essential since the current situation of cryptography is rather fragile: many cryptographic protocols are now known whose security can be formally proved assuming that the involved cryptographic primitives are ideal (random oracle model, ideal cipher model,...). However, the security of the available primitives has been so much threatened by the recent progress in cryptanalysis that only a few stream ciphers and hash functions are nowadays considered to be secure. In other words, there is usually no concrete algorithm available to instantiate the ideal “black boxes” used in these protocols!

In this context, our research work focuses on both families of cryptographic primitives, *symmetric* and *asymmetric* primitives. More precisely, our domain in cryptology includes the analysis and the design of symmetric algorithms (a.k.a. secret-key algorithms), and also the study of public-key algorithms based on hard problems coming from coding theory. Moreover, our approach to these problems relies on a competence whose impact is much wider than cryptology. Our tools come from information theory, discrete mathematics, probability theory, algorithmics... Most of our work mixes fundamental aspects (study of mathematical objects) and practical aspects (cryptanalysis, design of algorithms, implementations). Our research is mainly driven by the belief that discrete mathematics and the algorithmics of finite structures form the scientific core of (algorithmic) data protection.

**Selection of two stream ciphers designed by the project-team in the final eSTREAM portfolio of recommended ciphers.** eSTREAM is a multi-year project running from 2004 to 2008, launched by the European network of excellence ECRYPT, to identify new stream ciphers that might become suitable for widespread adoption.

**Design of two new hash functions which have been submitted to the SHA-3 competition.** This international competition, launched by the American National Institute of Standards and Technology, aims at selecting a new standard for hash functions.

**Reference implementations of code-based cryptosystems.** The first open-source reference implementations of code-based cryptography, namely of two versions of the McEliece public-key cipher and of the FSB hash function, have been written within the project-team and have been made publicly available. The implementation of the McEliece cryptosystem has been included in the benchmarking tool SUPERCOP (System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives) developed within the European network of excellence ECRYPT.

Our research work is mainly devoted to the design and analysis of cryptographic algorithms. However, our approach to these problems, based on discrete mathematics and algorithmics, and some of our long-term research works have a much wider impact. Our main application domains are therefore:

cryptology,

error-correcting codes,

reverse-engineering of communication systems.

We also investigate some cross-disciplinary domains, which require a scientific competence coming from other areas, mainly social aspects of cryptology and quantum error correcting codes for fault tolerant quantum computing and quantum communications.

The authors of HyMES are B. Biswas and N. Sendrier. It is available at http://www-rocq.inria.fr/secret/CBCrypto/index.php?pg=hymes and it is the first free open-source implementation of the McEliece public-key encryption scheme. The software is meant to demonstrate the feasibility and the performance of code-based cryptosystems. It cannot be used for actual data encryption in the present version.

The three stream ciphers which have been submitted to the eSTREAM project, Sosemanuk, DECIM and F-FCSR, have been implemented in software and the corresponding implementations are available on http://www.ecrypt.eu.org/stream/.

From the outside, it might appear that symmetric techniques became obsolete after the invention of public-key cryptography in the mid 1970's. However, they are still widely used because they are the only ones that can achieve some major features such as high-speed or low-cost encryption, fast authentication, and efficient hashing. Today, we find symmetric algorithms in GSM mobile phones, in credit cards, in WLAN connections. Symmetric cryptology is a very active research area which is stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity...). These extremely restricting implementation requirements are crucial when designing secure symmetric primitives and they might be at the origin of some weaknesses. Actually, these constraints seem quite incompatible with the rather complex mathematical tools needed for constructing a provably secure system.

The specificity of our research work is that it considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of underlying mathematical objects, definition of optimal objects). But, our purpose is to study these aspects not separately but as several sides of the same domain. Our approach mainly relies on the idea that, in order to guarantee a provable resistance to the known attacks and to achieve extremely good performance, a symmetric cipher must use very particular building blocks, whose algebraic structures may introduce unintended weaknesses. Our research work captures this conflict for all families of symmetric ciphers. It includes new attacks and the search for new building blocks which ensure both a high resistance to the known attacks and a low implementation cost. This work, which combines cryptanalysis and the theoretical study of discrete mathematical objects, is essential to progress in the formal analysis of the security of symmetric systems.

In this context, two very important challenges are the designs of low-cost stream ciphers and of secure hash functions. Most teams in the research community are actually working on the design and on the analysis (cryptanalysis and optimization of the performance) of such primitives.

Our research work on stream ciphers is a long-term work which is currently developed within the 4-year ANR RAPIDE project. The project-team is involved in some concrete realizations through the international call for proposals eSTREAM. Some researchers from the project-team are co-authors of three stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. Sosemanuk and F-FCSR belong to the 8 recommended ciphers which have been included in the final portfolio of eSTREAM in April 2008 (among 34 submissions). Our work within the eSTREAM project also includes an important cryptanalytic effort on stream ciphers.

**Recent results:**

Development of a new technique, which leads to a parallel implementation of sequences produced by feedback with carry shift registers (FCSR); application to the eSTREAM candidate F-FCSR;

Estimation of the entropy loss of the internal state in some stream ciphers using a non-invertible next-state function: for a random next-state function and for an FCSR in Galois representation;

Evaluation of the bias of parity-check relations in the context of cryptanalysis of combination generators;

Analysis of the vulnerability of the filter generator to an algebraic attack based on low-degree relations for the augmented function;

Design of a new attack against the combination generator.

Following the recent attacks against almost all existing hash functions (MD5, SHA-0, SHA-1...), we have initiated a research work in this area, especially within the EDHASH ANR Project and with S. Manuel's PhD thesis. Our work on hash functions is two-fold: we have designed two new hash functions, named FSB and Shabal, which have been submitted to the SHA-3 competition, and we have investigated the security of several hash functions, including the previous standards (SHA-0, SHA-1...) and some other SHA-3 candidates.

**Recent results:**

Design of two new hash functions, submitted to the SHA-3 competition launched by the U.S. National Institute of Standards and Technology for defining a new standard: FSB and Shabal;

New cryptanalysis of SHA-0, the predecessor of the current standard, SHA-1;

Cryptanalysis of a hash function family based on walks in LPS Ramanujan graphs recently introduced by Charles et al.;

Cryptanalysis of two hash functions submitted to SHA-3: Ponic and MCSSHA-3;

Security evaluation of another SHA-3 candidate, CubeHash, which received the prize for the “most interesting CubeHash cryptanalysis” in November 2008.

The construction of building blocks which guarantee a high resistance to the known attacks is a major topic within our project-team, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not.

For these reasons, we have investigated several families of filtering functions and of S-boxes which are well-suited for their cryptographic properties or for their implementation characteristics. For instance, bent functions, which are the Boolean functions which achieve the highest possible nonlinearity, have been extensively studied in order to provide some elements for a classification, or to adapt these functions to practical cryptographic constructions. We have also been interested in APN functions, which are the S-boxes ensuring an optimal resistance to differential cryptanalysis.

**Recent results:**

Study of monomial bent functions: these functions are of interest since they lie as far as possible from the functions of degree 1 and they have a low implementation cost. Several classes of such functions of degree 3 have been exhibited and it has been proved that no other cubic exponent leads to a similar bent function;

Study of the hyperbent criterion: this criterion, introduced in 1999, characterizes the functions which lie at the highest distance from all monomial permutations. Our recent work investigates the case of monomial hyperbent functions and their characterizations in terms of Kloosterman sums and Dickson polynomials;

Divisibility properties of Kloosterman sums: the values of the so-called classical Kloosterman sums over the finite field with 2^m elements are closely related to the Walsh spectra of some Boolean functions. Our new results on the divisibility of these values also have some impact on the determination of the weight distributions of the cosets of some BCH codes;

Study of APN power functions, *i.e.*, the functions which guarantee the best resistance to differential attacks;

Construction of a family of permutations over the field with 2^m elements from other mappings;

Resistance of S-boxes to truncated differential attacks.
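To make the notions in this list concrete (Walsh spectrum, nonlinearity, bentness of a monomial function, differential uniformity of an APN power mapping), here is a small added example in Python; it is not code from the project-team and assumes GF(2^4) defined by x^4 + x + 1 and the Gold exponent 3.

```python
"""Walsh spectrum, bentness and differential uniformity over GF(2^4).

Added example (not code from the SECRET project-team): a small toolkit that
checks the properties discussed above on concrete monomial functions:
  - tr(a * x^3) over GF(2^4) is bent exactly when a is NOT a cube
    (Gold exponent 2^i + 1 with m / gcd(i, m) even);
  - x^3 is an APN power mapping (differential uniformity 2).
Assumption: GF(2^4) is built from the irreducible polynomial x^4 + x + 1.
"""

M = 4                 # extension degree: the field GF(2^M)
N = 1 << M            # number of field elements
MODULUS = 0b10011     # x^4 + x + 1


def gf_mul(a, b):
    """Multiply two elements of GF(2^M) given as integers (bit i = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & N:          # degree reached M: reduce modulo the defining polynomial
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def trace(x):
    """Absolute trace GF(2^M) -> GF(2): x + x^2 + x^4 + ... + x^(2^(M-1))."""
    t, y = 0, x
    for _ in range(M):
        t ^= y
        y = gf_mul(y, y)
    return t            # always 0 or 1


def truth_table(f):
    """Truth table of a Boolean function f: GF(2^M) -> {0, 1}."""
    return [f(x) for x in range(N)]


def walsh_spectrum(tt):
    """W_f(u) = sum_x (-1)^(f(x) + tr(u x)), for every u in GF(2^M)."""
    spec = []
    for u in range(N):
        s = 0
        for x in range(N):
            s += -1 if (tt[x] ^ trace(gf_mul(u, x))) else 1
        spec.append(s)
    return spec


def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(M-1) - max|W_f| / 2."""
    return N // 2 - max(abs(w) for w in walsh_spectrum(tt)) // 2


def is_bent(tt):
    """Bent <=> every Walsh coefficient has absolute value 2^(M/2)."""
    target = 1 << (M // 2)
    return all(abs(w) == target for w in walsh_spectrum(tt))


def differential_uniformity(F):
    """delta(F) = max over a != 0 and b of #{x : F(x + a) + F(x) = b}; APN <=> delta = 2."""
    delta = 0
    for a in range(1, N):
        counts = {}
        for x in range(N):
            b = F(x ^ a) ^ F(x)
            counts[b] = counts.get(b, 0) + 1
        delta = max(delta, max(counts.values()))
    return delta


def cubes():
    """The set {x^3 : x in GF(2^M)} (6 elements in GF(16), since gcd(3, 15) = 3)."""
    return {gf_pow(x, 3) for x in range(N)}


def gold_function(a):
    """The Boolean function f_a(x) = tr(a * x^3)."""
    return lambda x: trace(gf_mul(a, gf_pow(x, 3)))


if __name__ == "__main__":
    c = cubes()
    for a in range(1, N):
        tt = truth_table(gold_function(a))
        print(f"a={a:2d} cube={a in c} bent={is_bent(tt)} nl={nonlinearity(tt)}")
    print("differential uniformity of x^3:", differential_uniformity(lambda x: gf_pow(x, 3)))
```

Running the block lists, for every nonzero a, whether a is a cube and whether tr(a x^3) is bent; the two columns are complementary, and x^3 reports differential uniformity 2.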

Most popular public key cryptographic schemes rely either on the factorization problem (RSA, Rabin), or on the discrete logarithm problem (Diffie-Hellman, El Gamal, DSA). These systems have evolved and today, instead of the classical groups, we may use groups on elliptic curves. They allow a shorter block and key size for the same level of security. An intensive effort of the research community has been and is still being conducted to investigate the main aspects of these systems: implementation, theoretical and practical security. It must be noted that these systems all rely on algorithmic number theory. As they are used in most, if not all, applications of public key cryptography today (and it will probably remain so in the near future), cryptographic applications are thus vulnerable to a single breakthrough in algorithmics or in hardware (a quantum computer can break all those schemes).

Diversity is a way to dilute that risk, and it is the duty of the cryptographic research community to prepare and propose alternatives to the number theoretic based systems. The most serious tracks today are lattice-based cryptography (NTRU,...), multivariate cryptography (HFE,...) and code-based cryptography (McEliece encryption scheme,...). All these alternatives are referred to as *post-quantum cryptosystems*, since they rely on difficult algorithmic problems which would not be solved by the advent of the quantum computer.

The code-based primitives have been investigated in detail within the project-team. The first cryptosystem based on error-correcting codes was a public key encryption scheme proposed by McEliece in 1978; a dual variant was proposed in 1986 by Harald Niederreiter. We proposed the first (and only) digital signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signature, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are

implementation and practicality of existing solutions,

reducing the key size, *e.g.*, by using the rank metric instead of the Hamming metric, or by using particular families of codes,

trying new hard problems, like decoding Reed-Solomon codes above the list-decoding radius,

addressing new functionalities, like hashing or symmetric encryption.

The original McEliece cryptosystem remains unbroken. It has been proved by N. Sendrier that its security is provably reduced to two problems of coding theory, conjectured to be hard:

hardness of decoding in a random binary code, *in the average case*,

pseudorandomness of Goppa codes.

This result also applies to Niederreiter's scheme and a similar result was already known for the digital signature scheme. The reduction is not a guarantee of security, but we know that a significant improvement on one of the above problems must occur before the system is seriously threatened.
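The following toy implementation, added here and not taken from the project-team's HyMES software, shows the structure of the McEliece scheme and where the two hardness assumptions above enter, at miniature scale: the secret code is the Hamming [7,4,3] code (standing in for a Goppa code, an assumption of this example), the public key is the scrambled matrix S·G·P that should look like a random code, and decryption uses the secret decoder.

```python
"""Toy McEliece encryption over the binary Hamming [7,4,3] code.

Added example, not code from the SECRET project-team or from HyMES: it only
makes the structure of the scheme concrete (secret structured code, scrambled
public generator matrix S*G*P, error vector of weight t added on encryption,
secret decoder removing it on decryption). Assumption: the secret code is the
1-error-correcting Hamming code instead of a binary Goppa code, so t = 1; the
parameters give no security at all and only illustrate the mechanism.
"""
import random
from itertools import product

N_LEN, K_DIM, T_ERR = 7, 4, 1

# Systematic generator matrix G = [I_4 | A] of the Hamming [7,4,3] code.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
# Parity-check matrix H = [A^T | I_3]: its columns are the 7 nonzero 3-bit
# vectors, so the syndrome of a single error is the column at the error position.
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]


def mat_mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def vec_mat(v, A):
    return mat_mul([v], A)[0]


def mat_inv(A):
    """Inverse over GF(2) by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]


def permute(v, perm):
    """Column permutation: output position i receives v[perm[i]]."""
    return [v[perm[i]] for i in range(len(perm))]


def keygen(rng):
    """Secret key (S^-1, P^-1), public key G_pub = S * G * P."""
    while True:                                   # random invertible scrambler S
        S = [[rng.randint(0, 1) for _ in range(K_DIM)] for _ in range(K_DIM)]
        S_inv = mat_inv(S)
        if S_inv is not None:
            break
    perm = list(range(N_LEN))                     # random column permutation P
    rng.shuffle(perm)
    inv_perm = [perm.index(i) for i in range(N_LEN)]
    G_pub = [permute(row, perm) for row in mat_mul(S, G)]
    return (S_inv, inv_perm), G_pub


def encrypt(G_pub, m, rng):
    """c = m * G_pub + e, with e a random error vector of weight T_ERR."""
    c = vec_mat(m, G_pub)
    for pos in rng.sample(range(N_LEN), T_ERR):
        c[pos] ^= 1
    return c


def hamming_decode(y):
    """Correct up to one error in y using the syndrome H * y^T."""
    s = [sum(H[r][j] & y[j] for j in range(N_LEN)) & 1 for r in range(3)]
    y = y[:]
    if any(s):
        pos = next(j for j in range(N_LEN) if [H[r][j] for r in range(3)] == s)
        y[pos] ^= 1
    return y


def decrypt(sk, c):
    S_inv, inv_perm = sk
    y = permute(c, inv_perm)            # undo P: the error keeps weight t
    cw = hamming_decode(y)              # the secret decoder removes the error
    return vec_mat(cw[:K_DIM], S_inv)   # G is systematic: info bits = m*S; undo S


def check_all_messages(seed=1):
    """Key generation plus encrypt/decrypt of every 4-bit message; True if all round-trip."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    return all(decrypt(sk, encrypt(pk, list(m), rng)) == list(m)
               for m in product((0, 1), repeat=K_DIM))


if __name__ == "__main__":
    print("all 16 messages round-trip:", check_all_messages())
```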

**Recent results:**

Cryptanalysis of some variants of the McEliece cryptosystem with a shorter public key: the main drawback of the McEliece cryptosystem is probably the large size of its public key. There have been several attempts to reduce it. Using quasi-cyclic codes as the secret code of the scheme and preserving this property in the public code has been proposed repeatedly for this purpose in the literature. A. Otmani, J.P. Tillich and L. Dallot have broken these schemes by providing a way of recovering the secret code in both cases.

Cryptanalysis of McEliece-like ciphers using algebraic geometry codes: the PhD thesis of C. Faure will be defended in February 2009. There are mainly two parts in this work, one on rank metric codes with results in 2007 and before, and the other on algebraic geometry codes. C. Faure, together with L. Minder, has demonstrated that using algebraic geometry codes based on curves of low genus is not safe for McEliece-like cryptosystems. This work breaks a cryptosystem proposal by Janwa and Moreno, and has a strong negative impact on the use of the above family of codes in cryptography.

Evaluation of the security of code-based authentication protocols for RFID tags: the lightweight authentication protocol HB+ and its variants may be vulnerable to some attacks using decoding algorithms. V. Herbert has studied these protocols and he has compared the complexities of different decoding techniques in this context.

Open-source implementation of the McEliece encryption scheme: the first open-source full implementation of (a variant of) the McEliece encryption scheme has been provided by N. Sendrier and B. Biswas. A related paper was published at PQCrypto 2008 and also, in French, at the C2 meeting in Carcans. In particular, this implementation includes an improvement of the constant weight word encoding algorithm by N. Sendrier; a preliminary presentation of this work has been made and a paper is in preparation. Taking the opportunity of the above implementation and of the SHA-3 FSB submission, we have created a code-based crypto web portal at http://www-rocq.inria.fr/secret/CBCrypto/ which contains both HyMES and FSB and hopefully more in the future.

N. Sendrier is coauthor, with R. Overbeck, of a 50-page chapter on *Code-based cryptography* in a book entitled *PQCrypto*, to appear at the end of 2008.

A new collision resistant hash function based on the problem of decoding general binary linear codes was proposed by the project-team a few years ago. It has the advantage of being fast and of having a *security reduction*, unlike classical designs based on MD5 and relatives, which have been broken recently.

The one-wayness of syndrome computation can be exploited in conjunction with quasi-cyclic codes. The purpose is to reduce the size of the constants (a big binary matrix). We have made several new proposals based on this principle: an evolution of the syndrome-based hash function and a stream cipher. The latest of those contributions is the submission of a hash function by M. Finiasz, P. Gaborit, S. Manuel and N. Sendrier to the SHA-3 NIST competition. The security of the proposed hash function, called FSB (for Fast Syndrome Based), is provably reduced to hard problems of algorithmic coding theory. The proposal description and its reference implementation are available online at http://www-rocq.inria.fr/secret/CBCrypto/index.php?pg=fsb.
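As an added illustration (not the FSB reference implementation), the following Python code builds a toy syndrome-based compression function over a quasi-cyclic matrix: each s-bit input chunk selects one column inside a circulant block and the output is the XOR of the w selected columns, i.e. the syndrome of a regular word of weight w. The parameters and the seed columns of the circulant blocks are constructed for this example.

```python
"""Toy syndrome-based (FSB-style) compression function over a quasi-cyclic matrix.

Added example, not the FSB reference implementation: it reproduces at toy size
the structure described above. Assumptions: r = 16 output bits, w = 8 input
chunks of s = 4 bits, hence a matrix H with n = w * 2^s = 128 columns arranged
as n / r = 8 circulant r x r blocks, each generated from a constructed seed
column (the real FSB derives its matrix from the digits of pi; the values below
are arbitrary). Parameters this small give no security; they only show the
mechanism: hashing = computing the syndrome of a regular constant-weight word.
"""
R, W, S = 16, 8, 4            # output bits, weight w, bits per chunk s
N_COLS = W << S               # 128 columns
N_BLOCKS = N_COLS // R        # 8 circulant blocks
MASK = (1 << R) - 1

# Constructed seed columns, one per circulant block (r-bit integers).
SEEDS = [0x9E37, 0x79B9, 0x7F4A, 0x7C15, 0xF39C, 0xC060, 0x5CED, 0xC834]
assert len(SEEDS) == N_BLOCKS


def rotl(x, k):
    """Rotate an r-bit column left by k positions (cyclic shift inside a block)."""
    k %= R
    return ((x << k) | (x >> (R - k))) & MASK


def column(j):
    """Column j of H: the seed of block j // r rotated by j mod r."""
    return rotl(SEEDS[j // R], j % R)


def regular_word(x):
    """Indices of the w ones of the regular word selected by the (w*s)-bit input x:
    chunk i with value v selects position i * 2^s + v, one per block of 2^s."""
    return [(i << S) | ((x >> (S * i)) & ((1 << S) - 1)) for i in range(W)]


def syndrome(positions):
    """H * e^T for the error vector e whose ones are at the given positions."""
    out = 0
    for j in positions:
        out ^= column(j)
    return out


def compress(x):
    """FSB compression: (w*s)-bit input -> r-bit syndrome of its regular word."""
    return syndrome(regular_word(x))


def fsb_hash(msg: bytes) -> int:
    """Merkle-Damgard chaining on 16-bit blocks with an r-bit chaining value.
    Padding (constructed): a 0x80 byte, zeros to a block boundary, then the
    message length on 16 bits (length strengthening)."""
    data = msg + b"\x80"
    while len(data) % 2:
        data += b"\x00"
    data += (len(msg) & 0xFFFF).to_bytes(2, "big")
    h = 0                                            # constructed IV
    for i in range(0, len(data), 2):
        block = int.from_bytes(data[i:i + 2], "big")
        h = compress((h << R) | block)               # input = chaining || block
    return h


if __name__ == "__main__":
    print("regular word for input 0x12345678:", regular_word(0x12345678))
    print("compress(0) = 0x%04X" % compress(0))
    print("hash(b'abc') = 0x%04X" % fsb_hash(b"abc"))
```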

Many cryptanalyses of cryptosystems rely on approximations of these systems by simple, easier functions. For instance, one tries to approximate the system by low degree polynomials, be they in one variable over a huge finite field, or in several variables over the Boolean field. Once such an approximation has been found, the problem of finding the key or of inverting the system, which is normally intractable with a direct approach, is written as a system of simple equations, where each equation holds with some probability. The closer the approximation, the higher this probability. For instance, a classical cryptanalysis of the stream ciphers which rely on a linear feedback shift register filtered by a Boolean function models the attacked cipher as the result of the transmission of a linear function through a very highly noisy channel. Then, removing the noise amounts to decoding a certain linear code. This code is highly structured, and one of the most efficient methods to decode it exploits the fact that it has low density parity-check equations, and thus can be decoded as an LDPC
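The channel model of this paragraph, as an added example not taken from the report: a toy filter generator whose filtering function agrees with a linear function on 7 of its 8 inputs, so that the keystream is a linear function of the initial state plus noise of rate 1/8, and state recovery is decoding of the resulting [n, L] code (done here by exhaustive search over the 2^L states rather than with the structured decoders the text mentions). The LFSR, taps, filter and initial state are constructed assumptions of this example.

```python
"""A filter generator seen as a linear sequence sent through a noisy channel.

Added example, not taken from the SECRET report: a toy LFSR filtered by a
Boolean function f whose best linear approximation holds with probability 7/8.
The keystream then equals a linear function of the initial state XOR a noise
of rate 1/8, so recovering the state is maximum-likelihood decoding of the
[n, L] linear code spanned by the LFSR output. Here the decoding is an
exhaustive search over the 2^L states; the LDPC-style decoders of the text
exploit the code's structure to avoid that. Assumptions (all constructed):
L = 10, feedback x^10 + x^3 + 1, filter taps (0, 2, 5, 7), initial state INIT.
"""
L = 10
TAPS = (0, 2, 5, 7)                    # state positions fed to the filtering function
INIT = [1, 0, 0, 1, 1, 0, 1, 0, 1, 1]  # constructed initial state s_0 .. s_9


def lfsr_bits(init, n):
    """s_0 .. s_{n-1} from the recurrence s_{t+10} = s_{t+3} ^ s_t (x^10 + x^3 + 1)."""
    s = list(init)
    while len(s) < n:
        s.append(s[-10] ^ s[-7])
    return s


def filter_f(a, b, c, d):
    """f = a ^ b ^ c ^ (b & c & d): equals the linear function a ^ b ^ c whenever
    b & c & d == 0, i.e. for 7 of the 8 possible values of (b, c, d)."""
    return a ^ b ^ c ^ (b & c & d)


def keystream(init, n):
    """z_t = f(s_t, s_{t+2}, s_{t+5}, s_{t+7}) for t < n."""
    s = lfsr_bits(init, n + max(TAPS))
    return [filter_f(*[s[t + i] for i in TAPS]) for t in range(n)]


def linear_part(init, n):
    """u_t = s_t ^ s_{t+2} ^ s_{t+5}: the 'transmitted' codeword of this state."""
    s = lfsr_bits(init, n + max(TAPS))
    return [s[t] ^ s[t + 2] ^ s[t + 5] for t in range(n)]


def agreement(a, b):
    """Fraction of positions where two bit sequences agree."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def noise_rate(init, n):
    """Empirical Pr[z_t != u_t]: the crossover probability of the channel (~1/8)."""
    return 1.0 - agreement(keystream(init, n), linear_part(init, n))


def recover_state(z):
    """ML decoding by exhaustive search: the non-zero state whose linear part
    agrees best with the keystream z, together with that agreement rate."""
    n = len(z)
    best, best_rate = None, -1.0
    for v in range(1, 1 << L):
        cand = [(v >> i) & 1 for i in range(L)]
        rate = agreement(linear_part(cand, n), z)
        if rate > best_rate:
            best, best_rate = cand, rate
    return best, best_rate


if __name__ == "__main__":
    print("noise rate over 2000 bits:", round(noise_rate(INIT, 2000), 3))
    state, rate = recover_state(keystream(INIT, 300))
    print("recovered correct state:", state == INIT, "agreement:", round(rate, 3))
```

With 300 keystream bits the true state agrees with the keystream on roughly 87% of positions while every wrong state stays near 50% to 62%, which is why the decoding succeeds; a filtering function with higher nonlinearity would push the noise rate towards 1/2 and make the channel useless.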

Besides the cryptographic applications of decoding algorithms, we also investigate two new application domains for decoding algorithms: reverse engineering of communication systems, and quantum error correcting codes for which we have shown that some of them can be decoded successfully with iterative decoding algorithms.

The first family of codes that we have studied in detail is the family of Reed-Muller codes. Being able to decode efficiently members of this family on various channels is very helpful for cryptanalysis: the decoding of first order Reed-Muller codes on the binary symmetric channel is a useful task for linear cryptanalysis whereas decoding general Reed-Muller codes on the erasure channel can be used in algebraic attacks of ciphers. In particular, in his thesis, Cédric Tavernier found new (local) decoding algorithms for first order Reed-Muller codes over the binary symmetric channel, which improve upon the Goldreich-Rubinfeld-Sudan algorithm. This algorithm enabled him to find new linear approximations of several rounds of the DES with biases of the same order as Matsui's approximations.

**Recent results:**

Linear cryptanalysis of block ciphers: following the work by C. Tavernier, B. Gérard has explored how to improve on Matsui's linear cryptanalysis by using all these new equations. It turns out that recovering the key from these approximations is equivalent to decoding a linear code on the Gaussian channel. This relationship has been used to evaluate accurately how many plaintext-ciphertext pairs are needed in this new attack and also to suggest an algorithm based on decoding techniques which recovers the secret key much more efficiently than what was known before.

Generalization of the Guruswami-Sudan list decoding algorithm to Reed-Muller codes.

Gröbner basis algorithms for solving algebraic systems are an important tool which can be applied both to error correction and to cryptography, in the context of algebraic attacks.

**Recent results:**

Decoding algorithms for cyclic codes with Gröbner bases: it was demonstrated that it is possible to find decoding formulas for all cyclic codes by an off-line Gröbner basis computation. But, from the efficiency point of view, it was found that it is better to perform an on-line Gröbner basis computation, whose cost is reasonable. This makes it possible to decode any cyclic code up to its true minimum distance. An improved paper has been accepted for publication in the Journal of Symbolic Computation, with computational timings for non-trivial codes of considerable length.

D. Augot is co-author, with E. Betti and E. Orsini, of a chapter introducing cyclic codes, with their decoding algorithms, in a book devoted to Gröbner bases, coding and cryptography, in the RISC Book series.

Algebraic attacks: we have investigated some recent variants of the techniques for algebraic attacks, especially for stream cipher cryptanalysis.

We also investigate more traditional aspects of coding theory by improving some decoding algorithms for error-correction and by searching for codes with good decoding performance.

**Recent results:**

Generalization of Roth and Ruckenstein's method: in 2000, a paper by Roth and Ruckenstein described a very efficient method for implementing the Sudan decoding algorithm. During his internship, A. Zeh successfully generalized this method to the Guruswami-Sudan list decoding algorithm, where multiplicities are involved.

Families of codes with good iterative decoding algorithms: this kind of code has by now probably become the most popular coding scheme due to its exceptional performance at a reasonable algorithmic cost. We have in particular studied families of codes defined over large alphabets which are in a sense intermediate between turbo-codes and LDPC codes, and have found several instances of this family whose performance is quite close to the Shannon limit. This work has been supported by France Telecom.

The knowledge we have acquired in iterative decoding techniques has also led us to study whether or not the very same techniques could be used to decode quantum codes. Part of the old ACI project “RQ” in which we were involved and the new ANR project “COCQ” are about this topic. Notice that protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It is also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time. Our approach for overcoming this problem has been to study whether or not the family of turbo-codes and LDPC codes (and the associated iterative decoding algorithms) have a quantum counterpart. We have shown that the classical iterative decoding algorithms can be generalized to the quantum setting and have come up with some families of quantum LDPC codes and quantum serial turbo-codes with rather good performance under iterative decoding.

To evaluate the quality of a cryptographic algorithm, it is usually assumed that its specifications are public, in accordance with Kerckhoffs' principle stated in *La Cryptographie militaire*, published in 1883.

**Recent results:**

M. Cluzeau and J.P. Tillich have found a lower bound on the number of codewords which have to be intercepted in order to recover the code. This lower bound turns out to be tight for several interesting code families, such as LDPC codes for instance.

**France Telecom R&D** (02/06-02/08)

*Application of trellis/turbo/LDPC codes to modulations with a large number of states*

52 kEuros.

This is a follow-up of a previous contract, aiming at constructing new families of binary codes with very good iterative decoding performances for a large range of rates and target error probabilities after decoding. The purpose is now to explore non-binary codes and completing the range of rates left by the previous contract.

**I2E/AMESYS (01/07-06/10)**

*Recognition of a coding scheme*

Partners: ENSTA, LIX, XLIM, INRIA projet-team SECRET.

221 kEuros.

This contract is funded by the DGA AINTERCOM call for offers. The context of this work is the analysis of a binary string in a non cooperative environment. The purpose is an academic research on related reconstruction problems, with a focus on error-correcting codes.

**Société IPSIS (11/06-10/09)**

*Recognition of a coding scheme*

60 kEuros.

This other contract on codes reconstruction provides the funding for Maxime Côte's PhD scholarship. It is funded by the DGA ACETE call for offers.

**ECRYPT – European Network of Excellence (02/04-08/08)**

Partners: 33 European partners, both academic and industry.

176 kEuros.

This is a Network of Excellence in research in all the aspects of cryptology. It has been structured in “virtual labs”. Our project-team is leading a working group within the virtual lab on symmetric techniques and it is in charge of the yearly deliverable *Open Research Areas in Symmetric Cryptography and Technical Trends in Lightweight Cryptography*. The project-team is also involved in the AZTEC virtual lab (new primitives for public key cryptography).

**ANR RAPIDE (01/07-12/10)**

*Design and analysis of stream ciphers dedicated to constraint environments*

http://

Partners: LORIA (project-team CACAO), INRIA (project-team SECRET), INSA Lyon (team Middleware/Security), University of Limoges (XLIM).

151 kEuros.

This project focuses on stream ciphers and especially on stream ciphers with an internal state governed by a non-linear transition function. We particularly focus on ciphers whose characteristics make them especially fit for constrained environments. These systems have not been much studied up to now but could be good candidates to replace stream ciphers based on linear transition functions (LFSR based), whose security tends to be less and less satisfying. The expected results of the project are practical as well as theoretical and concern both the design and the analysis of such stream ciphers.

**ANR EDHASH (01/07-12/09)**

*Evaluation and Design of secure HASH functions*

http://

Partners: INRIA (project-team SECRET) and UVSQ/PRISM (Crypto team).

123 kEuros.

This project has two purposes: understanding the recent attacks on cryptographic hash functions and suggesting new constructions based on coding theory.

**Asphales (05/04-01/08)**

*Interactions between computer security and legal security for the progress of regulations in the Information Society.*

http://

Partners: CNRS (labo. CECOJI), Univ. Versailles, Univ. Montpellier, INT, Univ. Lille 2, INRIA (project-team SECRET).

20.2 kEuros.

The aim of this multi-disciplinary project is to have a scientific reading of the French legal texts related to computer and network security. One main concern is to discuss the laws regarding the notion of proof, probative value and also the conservation of digital documents. Anne Canteaut and Marion Videau have provided a scientific view of many laws on these topics.

*Cahiers droit, sciences et technologies*, editorial board: A. Canteaut.

*IEEE Transactions on Information Theory*, associate editor: A. Canteaut for *Cryptography and Complexity*, 2005-2008.

*Designs, Codes and Cryptography*, associate editor: P. Charpin, since 2003.

Special issue of *Designs, Codes and Cryptography* dedicated to the WCC workshop, editors: D. Augot, P. Charpin and N. Sendrier.

*Journal of Symbolic Computation*, Special Issue on *Gröbner Bases Techniques in Cryptography and Coding Theory* (2007), guest editor: D. Augot.

WCC 2009 (Workshop on coding and cryptography): May 10-15, 2009, Loftus, Norway (D. Augot, A. Canteaut, P. Charpin and N. Sendrier);

AfricaCrypt 2009: June 21-25, 2009, Gammarth, Tunisia (A. Canteaut);

Indocrypt 2008: December 14-17, 2008, Kharagpur, India (A. Canteaut);

PQCrypto 2008: October 17-19, 2008, Cincinnati, USA (N. Sendrier);

ITSL'08 (Conference on Information Theory and Statistical Learning): July 14-15, 2008, Las Vegas, USA (J.P. Tillich);

Waifi 2008 (International Workshop on the Arithmetic of Finite Fields): July 6-9, 2008, Siena, Italy (D. Augot);

AfricaCrypt 2008: June 11-14, 2008, Casablanca, Morocco (A. Canteaut);

SCC 2008 (First International Conference on Symbolic Computation and Cryptography): April 28-30, 2008, Beijing, China (A. Canteaut);

Journées C2 “Codage et Cryptographie”: March 17-21, 2008, Carcans, France (D. Augot and J.P. Tillich);

FSE 2008 (Fast Software Encryption): Feb. 10-13, 2008, Lausanne, Switzerland (A. Canteaut);

SASC 2008 (State of the Art of Stream Ciphers), Feb. 13-14, 2008, Lausanne, Switzerland (A. Canteaut);

P. Charpin is an external expert for the Délégation Générale pour l'Armement (DGA);

A. Canteaut is a member of the scientific committee of the “UFR de sciences” of the university of Versailles-St Quentin;

**“Commission de spécialistes” (Committees for the selection of professors and assistant professors)**: University Paris 8 (J-P. Tillich), University of Limoges (A. Canteaut), École Normale Supérieure Paris (J-P. Tillich), University of Caen (J.P. Tillich);

A. Canteaut was in the charge of “training-through-research” for the Paris-Rocquencourt center from January 2008 to September 2008;

A. Canteaut has been co-chair of the postdoc committee for the Paris-Rocquencourt center since September 2008.

Anne Canteaut is a member of the steering committee of the eSTREAM project http://www.ecrypt.eu.org/stream/ and is in charge of the working group "Open research areas in symmetric cryptography" of the ECRYPT European network of excellence.

D. Augot, *Error-correcting codes*, M2, Univ. Paris 7, 12 h;

D. Augot, *Cryptography*, M2, Univ. Marne-la-Vallée, 9 h;

D. Augot, *Cryptography*, M1, École Polytechnique, as an assistant: 15 h;

D. Augot, *Information theory*, M1, Ecole Polytechnique, 36 h;

D. Augot, *Cryptography*, lectures to Tunisian officers, Thales Group, 6 h;

A. Canteaut, *Symmetric cryptography*, M2, Télécom Paris, 3 h;

A. Canteaut, *Cryptography*, lectures to Tunisian officers, Thales Group, 70 h;

A. Canteaut, *Principles of programming languages*, L3, Ecole Polytechnique, 40 h;

J.-P. Tillich, *Error-correcting codes*, M2, Univ. Paris 7, 15 h;

J.-P. Tillich, *Error-correcting codes*, M2, ISEP (Institut Supérieur d'Electronique de Paris), 10 h;

J.-P. Tillich, *Cryptography*, lectures to Tunisian officers, Thales Group, 45 h.

B. Debraize, *Méthodes de cryptanalyse pour les schémas de chiffrement symétrique*, Université de Versailles-Saint Quentin, April 11, 2008, committee: A. Canteaut (reviewer);

R. Medeiros, *Zero-error capacity of quantum channels*, Telecom ParisTech, September 24, 2008, committee: J.P. Tillich;

P.-L. Cayrel, *Construction et optimisation de cryptosystèmes basés sur les codes correcteurs d'erreurs*, Université de Limoges, October 2, 2008, committee: N. Sendrier (reviewer);

L. Sassatelli, *Codes LDPC multi-binaires hybrides et méthodes de décodage itératif*, Université de Cergy-Pontoise, October 3, 2008, committee: J.P. Tillich (reviewer);

S. Lachartre, *Algèbre linéaire dans la résolution de systèmes polynomiaux - Applications en cryptologie*, Université Paris 6, December 11, 2008, committee: N. Sendrier (reviewer).

ESC 2008, Echternach, Luxemburg, January 7-11, participant: Anne Canteaut.

FSE 2008, Lausanne, Switzerland, February 10-13, participants: María Naya-Plasencia, Andrea Röck, Pascale Charpin, Stéphane Manuel.

SASC 2008, Lausanne, Switzerland, February 13-14, participants: Maria Naya-Plasencia, Andrea Röck.

Workshop on Coding Theory, Alicante, Spain, March 12-15, participant: Daniel Augot.

Journées C2, Carcans, France, March 17-21, participants: Daniel Augot, Benoit Gérard, Bhaskar Biswas, Céline Blondeau, Anne Canteaut, Pascale Charpin, Cédric Faure, Yann Laigle-Chapuy, Stéphane Manuel, Maria Naya-Plasencia, Andrea Röck, Nicolas Sendrier, Jean-Pierre Tillich.

EUROCRYPT 2008, Istanbul, Turkey, April 14-17, participant: Jean-Pierre Tillich.

MITACS, Montreal, Canada, May 30-June 6, participant: Nicolas Sendrier.

Workshop hash functions in cryptology, Leiden, The Netherlands, June 1-6, participant: Stéphane Manuel.

AFRICACRYPT, Morocco, June 11-14, participant: Andrea Röck.

ACCT, Pamporovo, Bulgaria, June 16-22, participants: Pascale Charpin, Cédric Faure.

Workshop Kryptowochende, Germany, July 3-7, participant: Andrea Röck.

IEEE International Symposium on Information Theory - ISIT, Toronto, Canada, July 6-12, participants: Mathieu Cluzeau, Jean-Pierre Tillich, Alexander Zeh.

Waifi, Siena, Italy, July 6-9, participant: Daniel Augot.

SAC 2008, Sackville, Canada, August 13-15, participant: Benoit Gérard.

Journées Cryptographie, Caen, France, September 5-6, participant: Jean-Pierre Tillich.

SETA, Lexington, USA, September 13-19, participant: Andrea Röck.

Workshop on Coding Theory Days, St Petersburg, Russia, October 4-12, participant: Pascale Charpin.

PQCrypto, Cincinnati, USA, October 16-21, participants: Bhaskar Biswas, Nicolas Sendrier.

ICT 2008, Lyon, France, November 25-27, participant: Stefan Dodunekov.

INDOCRYPT, Kharagpur, India, December 14-17, participant: Nicolas Sendrier.

Pr. Stefan Dodunekov, Institute of Mathematics and Informatics, Bulgarian Academy of Sciences, Sofia, Bulgaria, 01-28/11/08;

Pr. Sugata Gangopadhyay, Indian Institute of Technology, Roorkee, India, 20/05-20/07/08;

Pr. Grigory Kabatianskiy, Institute for Problems of Information Transmission, RAS, Moscow, Russia, 30/03-13/04/08, 15-19/12/08;

Lorenz Minder, LMA, EPFL, Switzerland, 03-06/02/08;

Raphael Overbeck, Technische Universität Darmstadt, Germany, 03-08/03/08;

Christiane Peters, Technische Universität Eindhoven, The Netherlands, 24-28/11/08;

Pr. Victor Zinoviev, Institute for Problems of Information Transmission, RAS, Moscow, Russia, 31/03-12/04/08.

Princeton University, USA (collaboration with C. Lauradoux), Andrea Röck, January 6-February 7.

EPFL, Communications Laboratory, Lausanne, Switzerland, Jean-Pierre Tillich, September 28-October 2.

Fachhochschule Nordwestschweiz, Windisch, Zurich, Switzerland (collaboration with W. Meier), Maria Naya-Plasencia, November 3-28.