Section: New Results
Keywords: public-key cryptography, code-based cryptography, post-quantum cryptography, McEliece cryptosystem, hash functions.
Code-based cryptography
Participants: Daniel Augot, Biswas Bhaskar, Cédric Faure, Matthieu Finiasz, Stéphane Manuel, Nicolas Sendrier, Jean-Pierre Tillich.
Most popular public key cryptographic schemes rely either on the factorization problem (RSA, Rabin) or on the discrete logarithm problem (Diffie-Hellman, El Gamal, DSA). These systems have evolved, and today, instead of the classical groups ( ), we may use groups on elliptic curves. They allow a shorter block and key size for the same level of security. An intensive effort of the research community has been and is still being conducted to investigate the main aspects of these systems: implementation, theoretical and practical security. It must be noted that these systems all rely on algorithmic number theory. As they are used in most, if not all, applications of public key cryptography today (and it will probably remain so in the near future), cryptographic applications are vulnerable to a single breakthrough in algorithmics or in hardware (a quantum computer can break all those schemes).
Diversity is a way to dilute that risk, and it is the duty of the cryptographic research community to prepare and propose alternatives to the number-theoretic systems. The most serious tracks today are lattice-based cryptography (NTRU, ...), multivariate cryptography (HFE, ...) and code-based cryptography (McEliece encryption scheme, ...). All these alternatives are referred to as post-quantum cryptosystems, since they rely on difficult algorithmic problems which would not be solved by the coming of the quantum computer.
The code-based primitives have been investigated in detail within the project-team. The first cryptosystem based on error-correcting codes was a public key encryption scheme proposed by McEliece in 1978; a dual variant was proposed in 1986 by Harald Niederreiter. We proposed the first (and only) digital signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signatures, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are:
implementation and practicality of existing solutions,
reducing the key size, e.g., by using the rank metric instead of the Hamming metric, or by using particular families of codes,
trying new hard problems, like decoding Reed-Solomon codes above the list-decoding radius,
addressing new functionalities, like hashing or symmetric encryption.
The class of McEliece-like cryptosystems.
The original McEliece cryptosystem remains unbroken. It has been proved by N. Sendrier [74], [73] that its security provably reduces to two problems of coding theory, conjectured to be hard:
hardness of decoding in a random binary code, in the average case,
pseudorandomness of Goppa codes.
This result also applies to Niederreiter's scheme, and a similar result was already known for the digital signature scheme [71]. The reduction is not a guarantee of security, but we know that a significant improvement on one of the above problems must occur before the system is seriously threatened.
Recent results:
Cryptanalysis of some variants of the McEliece cryptosystem with a shorter public key: the main drawback of the McEliece cryptosystem is probably the large size of its public key. There have been several attempts to reduce it. Using quasi-cyclic codes as the secret code of the scheme and preserving this property in the public code has been proposed repeatedly for this purpose in the literature [72], [69]. A. Otmani, J.-P. Tillich and L. Dallot have broken these schemes by providing a way of recovering the secret code in both cases: [31].
Cryptanalysis of McEliece-like ciphers using algebraic geometry codes: the PhD thesis of C. Faure will be defended in February 2009. There are mainly two parts in this work, one on rank metric codes with results in 2007 and before, and the other on algebraic geometry codes. C. Faure, together with L. Minder, has demonstrated that using algebraic geometry codes based on curves of low genus is not safe for McEliece-like cryptosystems. This work breaks a cryptosystem proposal by Janwa and Moreno, and has a strong negative impact on the use of the above family of codes in cryptography: [28].
Evaluation of the security of code-based authentication protocols for RFID tags: the lightweight authentication protocol HB+ and its variants may be vulnerable to some attacks using decoding algorithms. V. Herbert has studied these protocols and compared the complexities of different decoding techniques in this context: [61].
Open-source implementation of the McEliece encryption scheme: the first open-source full implementation of (a variant of) the McEliece encryption scheme has been provided by N. Sendrier and B. Biswas. A related paper was published at PQCrypto 2008 [22] and also, in French, at the C2 meeting in Carcans [37]. In particular, this implementation includes an improvement of the constant weight word encoding algorithm by N. Sendrier; a preliminary presentation of this work was made in [45] and a paper is in preparation. Taking the opportunity of the above implementation and of the SHA-3 FSB submission, we have created a code-based crypto web portal at http://wwwrocq.inria.fr/secret/CBCrypto/ which contains both HyMES and FSB and hopefully more in the future.
N. Sendrier is co-author, with R. Overbeck, of a 50-page chapter on code-based cryptography in a book entitled PQCrypto, to appear at the end of 2008: [51].
Cryptographic hash functions with codes.
A new collision-resistant hash function, based on the problem of decoding general binary linear codes, has been proposed by the project-team for a few years [68]. It has the advantage of being fast and of having a security reduction, unlike classical designs based on MD5 and its relatives, which have been broken recently.
The one-wayness of syndrome computation can be exploited in conjunction with quasi-cyclic codes. The purpose is to reduce the size of the constants (a big binary matrix). We have made several new propositions based on this principle: an evolution of the syndrome-based hash function and a stream cipher. The last of those contributions is the submission of a hash function by M. Finiasz, P. Gaborit, S. Manuel and N. Sendrier to the SHA-3 NIST competition. The security of the proposed hash function, called FSB (for Fast Syndrome Based), is provably reduced to hard problems of algorithmic coding theory. The proposal description and its reference implementation are available online at http://wwwrocq.inria.fr/secret/CBCrypto/index.php?pg=fsb : [54].
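To make the two ideas above concrete (syndrome computation as the compression step, and a quasi-cyclic matrix to shrink the stored constants), here is a toy syndrome-based compression function in the FSB style. It is an added illustration with constructed, deliberately tiny parameters (R, W, the seed), not the FSB reference implementation, and its function names are hypothetical.

```python
# Toy FSB-style compression: the input selects one column per block of a binary
# parity-check matrix H and the output is the syndrome (XOR of those columns).
# Constructed toy parameters; not the FSB submission's values or code.
import hashlib

R = 16                 # syndrome length in bits = rows of H = circulant block size
W = 4                  # number of blocks = weight of the regular word
N = W * R              # total number of columns of H
MASK = (1 << R) - 1

def first_columns(seed: bytes) -> list:
    """One R-bit column per circulant block, derived from a public seed.
    Every other column of a block is a rotation of that block's first column,
    so a quasi-cyclic H needs W*R stored bits instead of R*N."""
    return [int.from_bytes(hashlib.sha256(seed + bytes([b])).digest()[:2], "big")
            for b in range(W)]

def column(first: list, block: int, j: int) -> int:
    """Column j of the given block: its first column rotated left by j bits."""
    c = first[block]
    return ((c << j) | (c >> (R - j))) & MASK if j else c

def regular_word(msg: bytes) -> list:
    """Map W*log2(R) input bits to W column indices, one per block: this is the
    regular (constant weight W) word whose syndrome is computed."""
    bits = int.from_bytes(msg, "big")
    k = R.bit_length() - 1            # log2(R) bits select a column in a block
    return [(bits >> (k * (W - 1 - b))) & (R - 1) for b in range(W)]

def compress(first: list, msg: bytes) -> int:
    """Syndrome of the regular word: XOR of the W selected columns of H."""
    s = 0
    for b, j in enumerate(regular_word(msg)):
        s ^= column(first, b, j)
    return s

def stored_bits() -> tuple:
    """(bits stored for quasi-cyclic H, bits a fully random H would need)."""
    return (W * R, R * N)

def is_low_weight_codeword(first: list, m1: bytes, m2: bytes) -> bool:
    """A collision between two distinct inputs is exactly a codeword of H of
    weight at most 2W: finding one is the hard problem the reduction rests on."""
    w1, w2 = regular_word(m1), regular_word(m2)
    weight = sum(2 for a, b in zip(w1, w2) if a != b)   # each differing block adds 2 columns
    return m1 != m2 and compress(first, m1) == compress(first, m2) and weight <= 2 * W
```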