## Section: Scientific Foundations

### Cryptanalysis

Because there is no absolute proof of security, it is essential to
study cryptanalysis, which is roughly speaking the science of code-breaking.
As a result, key-sizes are usually selected based on the
state-of-the-art in cryptanalysis.
The previous section emphasized that public-key cryptography required
hard computational problems:
if there is no hard problem, there cannot be any public-key
cryptography either. If any of the computational problems mentioned
above turns out to be easy to solve, then the corresponding
cryptosystems can be broken, as the public key would actually disclose
the private key.
This means that one obvious way to cryptanalyze is to solve the
underlying algorithmic problems, such as integer factorization,
discrete logarithm, lattice reduction, Gröbner bases, *etc.*
Here, we mean a study of the computational problem in its full generality.
The project-team has a strong expertise (both in design and analysis) on the
best algorithms for lattice reduction,
which are also very useful to attack classical schemes based on
factorization or discrete logarithm.

Alternatively, one may try to exploit the special properties of the cryptographic instances of the computational problem. Even if the underlying general problem is NP-hard, its cryptographic instances may be much easier, because the cryptographic functionalities typically require a specific mathematical structure. In particular, this means that there might be an attack which can only be used to break the scheme, but not to solve the underlying problem in general. This happened many times in knapsack cryptography and multivariate cryptography. Interestingly, generic tools for the general problem sometimes perform even much better on cryptographic instances (this happened for Gröbner bases and lattice reduction).

However, if the underlying computational problem turns out to be really hard
both in general and for instances of cryptographic interest,
this will not necessarily imply that the cryptosystem is secure.
First of all, it is not even clear what is meant exactly by the term
*secure* or *insecure*. Should an encryption scheme which
leaks the first bit of the plaintext be considered secure? Is the
secret key really necessary to decrypt ciphertexts or to sign
messages?
If a cryptosystem is theoretically secure, could there be potential
security flaws for its implementation?
For instance, if some of the temporary variables (such as pseudo-random numbers)
used during the cryptographic operations are partially leaked,
could it have an impact on the security of the cryptosystem?
This means that there is much more to cryptanalysis
than just trying to solve the main algorithmic problems.
In particular, cryptanalysts are interested in defining and studying
realistic environments for attacks (adaptive chosen-ciphertext
attacks, side-channel attacks, *etc.*), as well as goals of
attacks (key recovery, partial information, existential forgery,
distinguishability, *etc.*).
As such, there are obvious connections with provable security.
It is perhaps worth noting that cryptanalysis also proved to be a good
incentive for the introduction of new techniques in cryptology.
Indeed, several mathematical objects now considered invaluable in
cryptographic design were first introduced in cryptology as
cryptanalytic tools, including lattices and pairings.
The project-team has a strong expertise in cryptanalysis: many schemes have
been broken, and new techniques have been developed.
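As an added illustration of the point about leaked temporary variables (not code from the project-team), a toy Schnorr signature in a small prime-order subgroup: learning the signing nonce k, or seeing the same k used for two messages, recovers the private key with one modular inversion and without touching the discrete logarithm problem at all. The parameters p, q, g and all sample values are constructed for illustration; the deterministic nonce derivation at the end is a simplified stand-in for the RFC 6979 idea, not the standard itself.

```python
import hashlib

# Toy group: p = 2q + 1 with q prime, G = 2^2 mod p has order q.
# Constructed for illustration only; these sizes offer no security.
P, Q, G = 2039, 1019, 4

def _challenge(r, msg):
    """Fiat-Shamir challenge e = H(R || m) reduced mod q."""
    data = r.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(x):
    """Public key y = g^x mod p for a private key x in [1, q-1]."""
    return pow(G, x, P)

def sign(x, msg, k):
    """Schnorr signature (e, s) with s = k + e*x mod q.
    The nonce k is the 'temporary variable': it must stay secret and fresh."""
    e = _challenge(pow(G, k, P), msg)
    return e, (k + e * x) % Q

def verify(y, msg, sig):
    """Recompute R = g^s * y^(-e) = g^k and check the challenge matches."""
    e, s = sig
    r = pow(G, s, P) * pow(y, -e, P) % P
    return _challenge(r, msg) == e

def key_from_leaked_nonce(sig, k):
    """Fully leaked k: x = (s - k) * e^(-1) mod q, one inversion, no DLP."""
    e, s = sig
    return (s - k) * pow(e, -1, Q) % Q

def key_from_reused_nonce(sig1, sig2):
    """Same k under two messages: s1 - s2 = (e1 - e2) * x mod q."""
    (e1, s1), (e2, s2) = sig1, sig2
    if e1 == e2:
        raise ValueError("identical challenges; nothing to cancel")
    return (s1 - s2) * pow(e1 - e2, -1, Q) % Q

def deterministic_nonce(x, msg):
    """Mitigation: derive k from (x, m) so it is never reused across messages.
    Simplified stand-in for RFC 6979-style derivation, not the standard."""
    d = hashlib.sha256(x.to_bytes(2, "big") + msg).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)
```

Partial leakage (a few bits of k over many signatures) is the harder case the text alludes to; it is handled with lattice reduction rather than the direct algebra shown here.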