Section: New Results
Keywords: symmetric cryptography, stream ciphers, hash functions, cryptanalysis.
Security analysis of symmetric cryptosystems
Participants: Céline Blondeau, Anne Canteaut, Pascale Charpin, Benoît Gérard, Stéphane Jacob, Yann Laigle-Chapuy, Stéphane Manuel, María Naya Plasencia, Andrea Röck, Jean-Pierre Tillich.
From the outside, it might appear that symmetric techniques became obsolete after the invention of public-key cryptography in the mid-1970s. However, they are still widely used because they are the only ones that can provide some major features such as high-speed or low-cost encryption, fast authentication and efficient hashing. Today, symmetric algorithms are found in GSM mobile phones, in credit cards and in WLAN connections. Symmetric cryptology is a very active research area, stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity, ...). These extremely restrictive implementation requirements are crucial when designing secure symmetric primitives, and they might be at the origin of some weaknesses. Indeed, these constraints seem quite incompatible with the rather complex mathematical tools needed for constructing a provably secure system.
The specificity of our research work is that it considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of the underlying mathematical objects, definition of optimal objects). Our purpose, however, is to study these aspects not separately but as several sides of the same domain. Our approach mainly relies on the idea that, in order to guarantee a provable resistance to the known attacks and to achieve extremely good performance, a symmetric cipher must use very particular building blocks, whose algebraic structures may introduce unintended weaknesses. Our research work captures this conflict for all families of symmetric ciphers. It includes new attacks and the search for new building blocks which ensure both a high resistance to the known attacks and a low implementation cost. This work, which combines cryptanalysis and the theoretical study of discrete mathematical objects, is essential for progress in the formal analysis of the security of symmetric systems.
In this context, two very important challenges are the design of low-cost stream ciphers and the design of secure hash functions. Most teams in the research community are currently working on the design and on the analysis (cryptanalysis and optimization of the performance) of such primitives.
Stream ciphers.
Our research work on stream ciphers is a long-term effort which is currently developed within the 4-year ANR RAPIDE project. The project-team is involved in some concrete realizations through the international call for proposals eSTREAM. Some researchers from the project-team are co-authors of three stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. Sosemanuk and F-FCSR belong to the 8 recommended ciphers which have been included in the final portfolio of eSTREAM in April 2008 (among 34 submissions). Our work within the eSTREAM project also includes an important cryptanalytic effort on stream ciphers.
Recent results:

Development of a new technique which leads to a parallel implementation of the sequences produced by a feedback with carry shift register (FCSR); application to the eSTREAM candidate F-FCSR: [42], [41], [29];

Estimation of the entropy loss of the internal state in some stream ciphers using a non-invertible next-state function: for a random next-state function [34] and for an FCSR in Galois representation [34];

Evaluation of the bias of parity-check relations in the context of the cryptanalysis of combination generators: [38], [17];

Analysis of the vulnerability of the filter generator to an algebraic attack based on low-degree relations for the augmented function: [62];

Design of a new attack against the combination generator: [39].
Hash functions.
Following the recent attacks against almost all existing hash functions (MD5, SHA-0, SHA-1, ...), we have initiated research work in this area, especially within the EDHASH ANR project and with S. Manuel's PhD thesis. Our work on hash functions is twofold: we have designed two new hash functions, named FSB and Shabal, which have been submitted to the SHA-3 competition, and we have investigated the security of several hash functions, including the previous standards (SHA-0, SHA-1, ...) and some other SHA-3 candidates.
Recent results:

Design of two new hash functions, submitted to the SHA-3 competition launched by the U.S. National Institute of Standards and Technology for defining a new standard: FSB [54] and Shabal [59];

New cryptanalysis of SHA-0, the predecessor of the current standard SHA-1: [30];

Cryptanalysis of a hash function family based on walks in LPS Ramanujan graphs, recently introduced by Charles et al.: [35];

Cryptanalysis of two hash functions submitted to SHA-3: Ponic [63] and MCSSHA-3 [56];

Security evaluation of another SHA-3 candidate, CubeHash, which received the prize for the "most interesting CubeHash cryptanalysis" in November 2008 (see http://cubehash.cr.yp.to/prizes.html ): [55].
Cryptographic properties and construction of appropriate building blocks.
The construction of building blocks which guarantee a high resistance to the known attacks is a major topic within our project-team, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation. Indeed, characterizing the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions, and also for determining whether the underlying structure induces some weaknesses or not.
For these reasons, we have investigated several families of filtering functions and of S-boxes which are well-suited either for their cryptographic properties or for their implementation characteristics. For instance, bent functions, which are the Boolean functions achieving the highest possible nonlinearity, have been extensively studied in order to provide some elements for a classification, or to adapt these functions to practical cryptographic constructions. We have also been interested in APN functions, which are the S-boxes ensuring an optimal resistance to differential cryptanalysis.
Recent results:

Study of monomial bent functions: these functions are of interest since they lie as far as possible from the functions of degree at most 1 and they have a low implementation cost. Several classes of such functions of degree 3 have been exhibited, and it has been proved that no other cubic exponent leads to a similar bent function: [12], [16];

Study of the hyper-bent criterion: this criterion, introduced in 1999, characterizes the functions which lie at the highest distance from all monomial permutations. Our recent work investigates the case of monomial hyper-bent functions and their characterizations in terms of Kloosterman sums and Dickson polynomials: [13], [23];

Divisibility properties of Kloosterman sums: the values of the so-called classical Kloosterman sums over the finite field with 2^m elements are closely related to the Walsh spectra of some Boolean functions. Our new results on the divisibility of these values also have some impact on the determination of the weight distributions of the cosets of some BCH codes: [15], [14], [24];

Study of APN power functions, i.e., the functions which guarantee the best resistance to differential attacks: [27];

Construction of a family of permutations over the field with 2^m elements from other mappings: [25];

Resistance of S-boxes to truncated differential attacks: [57].
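The two building-block properties discussed above, optimal resistance to differential cryptanalysis (APN power mappings) and maximal nonlinearity (monomial bent functions), can be checked exhaustively on small fields. The following is an added illustration, not code from the project-team; it assumes the constructed reduction polynomials x^4+x+1 for GF(2^4) and x^5+x^2+1 for GF(2^5), and computes the differential uniformity of x -> x^d and the Walsh spectrum of Tr(a x^d).

```python
# Added example: GF(2^m) elements are integers < 2^m, `poly` is the reduction
# polynomial (constructed choices: 0x13 = x^4+x+1, 0x25 = x^5+x^2+1).

def gf_mul(a, b, m, poly):
    """Carry-less multiplication of a and b, reduced modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:          # degree reached m: subtract the reduction polynomial
            a ^= poly
    return r

def gf_pow(x, d, m, poly):
    """x^d by square-and-multiply (0^0 is taken as 1, irrelevant for d >= 1)."""
    r = 1
    while d:
        if d & 1:
            r = gf_mul(r, x, m, poly)
        x = gf_mul(x, x, m, poly)
        d >>= 1
    return r

def trace(x, m, poly):
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(m-1)); result lies in {0, 1}."""
    t, y = 0, x
    for _ in range(m):
        t ^= y
        y = gf_mul(y, y, m, poly)
    return t

def differential_uniformity(d, m, poly):
    """max over a != 0 and b of #{x : (x+a)^d + x^d = b}; value 2 means APN."""
    n = 1 << m
    table = [gf_pow(x, d, m, poly) for x in range(n)]
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[table[x ^ a] ^ table[x]] += 1
        worst = max(worst, max(counts))
    return worst

def walsh_spectrum(a, d, m, poly):
    """Walsh transform of f(x) = Tr(a x^d): W(u) = sum_x (-1)^(f(x) + Tr(u x))."""
    n = 1 << m
    f = [trace(gf_mul(a, gf_pow(x, d, m, poly), m, poly), m, poly) for x in range(n)]
    return [sum(1 - 2 * (f[x] ^ trace(gf_mul(u, x, m, poly), m, poly)) for x in range(n))
            for u in range(n)]

def is_bent(a, d, m, poly):
    """Bent (maximal nonlinearity) iff every Walsh value has absolute value 2^(m/2)."""
    return m % 2 == 0 and all(abs(w) == 1 << (m // 2) for w in walsh_spectrum(a, d, m, poly))
```

On these small fields the Gold mapping x^3 is APN for both m = 4 and m = 5, while the inverse mapping x^(2^m-2) is APN only for odd m, and Tr(a x^3) over GF(2^4) is bent exactly when a is not a cube.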