The research work within the project-team is mostly devoted to the design and analysis of cryptographic algorithms, in the classical or in the quantum setting. This work is essential since the current situation of cryptography is rather fragile: many of the available symmetric and asymmetric primitives have been threatened either by recent progress in cryptanalysis or by the possible advent of a large quantum computer.

In this context, our research work focuses on both families of
cryptographic primitives, *symmetric* and *asymmetric*
primitives. More precisely, our domain in cryptology includes the
analysis and the design of

symmetric primitives (a.k.a. secret-key algorithms),

public-key primitives based on hard problems coming from coding theory which are likely to be resistant against a quantum computer,

quantum cryptographic algorithms whose security does not rely on computational assumptions but on the laws of quantum physics.

*Cryptanalysis of several recently proposed lightweight block ciphers:* The area of lightweight primitives has drawn considerable attention over the last years, due to the need for low-cost cryptosystems for several emerging applications like RFID tags and sensor networks.
This strong industrial demand has led to the design of a large number of lightweight block ciphers with different implementation features, and a significant cryptanalysis effort is needed to narrow this large set of candidates down to clearly recommended ciphers.
In this context, the project-team has obtained cryptanalytic results on several recently proposed lightweight block ciphers, including an attack against the full cipher KLEIN-64, the best known attack against a round-reduced version of PRINCE, and some distinguishers on the internal permutation of LED.

*Cryptanalysis of a variant of the McEliece public-key cryptosystem based on some wild Goppa codes:* The original McEliece cryptosystem proposed in 1978 uses the class of classical binary Goppa codes as private codes. Many other classes of codes have been suggested since the original proposal, but most of them have been cryptanalysed, while the class of classical binary Goppa codes still resists all structural attacks. Then, the use of a more general family of Goppa codes over *et al.* in order to reduce the key size of the system. Our recent work leads to an attack which recovers the private key in polynomial time when wild Goppa codes over a quadratic finite field extension are used. This is the very first structural attack on the McEliece cryptosystem when some Goppa codes are used. The key point of the attack is the behaviour of these codes with respect to the component-wise product of codes. A similar technique has also been exploited for breaking some other variants of the McEliece system, including one based on Reed-Solomon codes.

*Experimental demonstration of long-distance continuous-variable
quantum key distribution:*
Distributing secret keys with information-theoretic security is arguably
one of the most important achievements of the field of quantum information
processing and communications. The rapid progress in this field has enabled
quantum key distribution in real-world conditions and commercial devices
are now readily available. Quantum key distribution systems based on
continuous variables provide the major advantage that they only require
standard telecommunication technology. However, to date, these systems have
been considered unsuitable for long-distance communication.
In collaboration with experimental groups, we have overcome all previous
limitations and demonstrated for the first time continuous-variable quantum
key distribution over 80 km of optical fibre. Our results correspond to an
implementation guaranteeing the strongest level of security for quantum key
distribution reported so far for such long distances and pave the way to
practical applications of secure quantum communications.

Our research work is mainly devoted to the design and analysis of cryptographic algorithms, either in the classical or in the quantum setting. Our approach to the previous problems relies on expertise whose impact is much wider than cryptology. Our tools come from information theory, discrete mathematics, probability theory, algorithmics, quantum physics... Most of our work mixes fundamental aspects (study of mathematical objects) and practical aspects (cryptanalysis, design of algorithms, implementations). Our research is mainly driven by the belief that discrete mathematics and the algorithmics of finite structures form the scientific core of (algorithmic) data protection.

Our main application domains are:

cryptology, including classical cryptology and quantum cryptography,

error-correcting codes, especially codes for quantum communications and fault-tolerant quantum computing,

reverse-engineering of communication systems.

We also investigate some cross-disciplinary domains which require scientific expertise coming from other areas, mainly the social aspects of cryptology and cryptology for large databases.

From the outside, it might appear that symmetric techniques became obsolete after the invention of public-key cryptography in the mid-1970s. However, they are still widely used because they are the only ones that can achieve some major features like high-speed or low-cost encryption, fast authentication, and efficient hashing. Today, we find symmetric algorithms in GSM mobile phones, in credit cards, and in WLAN connections. Symmetric cryptology is a very active research area which is stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity...). These extremely restricted implementation requirements are crucial when designing secure symmetric primitives, and they might be at the origin of some weaknesses. Actually, these constraints seem quite incompatible with the rather complex mathematical tools needed for constructing a provably secure system.

The specificity of our research work is that it considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of underlying mathematical objects, definition of optimal objects). But, our purpose is to study these aspects not separately but as several sides of the same domain. Our approach mainly relies on the idea that, in order to guarantee a provable resistance to the known attacks and to achieve extremely good performance, a symmetric cipher must use very particular building blocks, whose algebraic structures may introduce unintended weaknesses. Our research work captures this conflict for all families of symmetric ciphers. It includes new attacks and the search for new building blocks which ensure both a high resistance to the known attacks and a low implementation cost. This work, which combines cryptanalysis and the theoretical study of discrete mathematical objects, is essential to progress in the formal analysis of the security of symmetric systems.

In this context, the very important challenges are the designs of low-cost ciphers and of secure hash functions. Most teams in the research community are actually working on the design and on the analysis (cryptanalysis and optimisation of the performance) of such primitives.

Following the recent attacks against almost all existing hash functions (MD5, SHA-0, SHA-1...), we have initiated a research work in this area, especially within the Saphir-2 ANR project and with several PhD theses. Our work on hash functions is two-fold: we have designed two new hash functions, named FSB and Shabal, which have been submitted to the SHA-3 competition, and we have investigated the security of several hash functions, including the new SHA-3 standard.

**Recent results:**

Upper bounds on the degree of an iterated permutation from the degree of the inverse of the inner transformation; this result has been applied both to hash functions and to block ciphers. Most notably, this work leads to the best (theoretical) analysis of the hash function Keccak, which has been selected for the new SHA-3 standard.

Study of a new technique for attacking symmetric primitives based on the existence of linear relations between some input and output bits of the Sbox. This method has been used for improving the best known attack against the SHA-3 candidate Hamsi.

Even if the security of the current block cipher standard, AES, is not threatened when it is used in a classical context, there is still a need for the design of improved attacks, and for the determination of design criteria which guarantee that the existing attacks do not apply. This notably requires a deep understanding of all previously proposed attacks. Moreover, there is a high demand from industry for lightweight block ciphers for constrained environments. Several such algorithms have been proposed in the last few years and their security should be carefully analysed. Most of our work in this area is related to an ANR project named BLOC.

**Recent results:**

Cryptanalysis of several recently proposed lightweight block ciphers. This includes an attack against the full cipher KLEIN-64 and an attack against 8 rounds (out of 12) of PRINCE.

Analysis of the resistance of AES-like permutations to improved rebound attacks. Most notably, this improved technique leads to a distinguisher on 10 rounds of the internal permutation of the SHA-3 candidate Grøstl.

Proposal of a new family of distinguishers against AES-based permutations, named *limited-birthday distinguishers*; these distinguishers exploit some improved rebound techniques. They have been successfully applied to various AES-based primitives including AES, ECHO, Grøstl, LED, PHOTON and Whirlpool.

Design of an improved variant of Meet-in-the-Middle attacks, named *Sieve-in-the-Middle*: instead of selecting the key candidates by searching for a collision in an intermediate state which can be computed forwards and backwards, we look for the existence of valid transitions through some middle Sbox. In the same paper, an improved technique is also proposed to build bicliques without needing any additional data (contrary to classical biclique attacks). These new methods have been exploited to break 8 rounds (out of 12) of the lightweight block cipher PRINCE.

Analysis of the differential properties of the AES Superbox.

Design of a new block cipher, named ZORRO, for which physical security is considered as an optimisation criterion.

Design and study of a new construction for low-latency block ciphers, named *reflection ciphers*, which generalises the so-called
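The sieve-in-the-middle idea summarised above (select key candidates by checking that the partial S-box input reached from the plaintext side and the partial S-box output reached from the ciphertext side form a transition the S-box can actually produce) can be shown on a very small instance. The following Python script is an added example, not code from the project-team's paper and not a model of PRINCE: it assumes a toy construction c = S(p ⊕ k1) ⊕ k2 around the 4-bit PRESENT S-box, guesses only the two low bits of k1 and the two high bits of k2 (masks chosen for the illustration), and keeps a guess only if every known pair is consistent with the precomputed sieve table. Neither side ever knows the full 4-bit intermediate state, which is exactly the situation where a classical meet-in-the-middle collision test is unavailable.

```python
# Added example (not the project-team's code): sieve-in-the-middle on an assumed toy
# construction c = S(p ^ k1) ^ k2 built around the 4-bit PRESENT S-box.
# Only 2 bits of k1 (low bits) and 2 bits of k2 (high bits) are guessed, so neither
# side can compute the full 4-bit intermediate state; the middle S-box acts as a sieve.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

IN_MASK = 0b0011    # S-box input bits reachable from the plaintext side (assumption)
OUT_MASK = 0b1100   # S-box output bits reachable from the ciphertext side (assumption)

def toy_encrypt(p, k1, k2, sbox=PRESENT_SBOX):
    """Toy one-S-box cipher, used only to produce known plaintext/ciphertext pairs."""
    return sbox[p ^ k1] ^ k2

def sieve_table(sbox, in_mask, out_mask):
    """Precomputed set of (partial input, partial output) transitions the S-box can realise."""
    return {(u & in_mask, sbox[u] & out_mask) for u in range(len(sbox))}

def sieve_in_the_middle(pairs, sbox=PRESENT_SBOX, in_mask=IN_MASK, out_mask=OUT_MASK):
    """Return every (k1 & in_mask, k2 & out_mask) guess consistent with all known pairs."""
    table = sieve_table(sbox, in_mask, out_mask)
    k1_guesses = [g for g in range(len(sbox)) if (g & ~in_mask) == 0]
    k2_guesses = [g for g in range(len(sbox)) if (g & ~out_mask) == 0]
    survivors = []
    for g1 in k1_guesses:
        for g2 in k2_guesses:
            # Forward: known S-box input bits. Backward: known S-box output bits.
            # No full-state collision is available; only the transition's existence is tested.
            if all(((p ^ g1) & in_mask, (c ^ g2) & out_mask) in table for p, c in pairs):
                survivors.append((g1, g2))
    return survivors

if __name__ == "__main__":
    k1, k2 = 0b1011, 0b0110                        # secret key of the toy (assumption)
    pairs = [(p, toy_encrypt(p, k1, k2)) for p in range(16)]
    print("sieve table size:", len(sieve_table(PRESENT_SBOX, IN_MASK, OUT_MASK)), "of 16")
    print("surviving partial keys:", sieve_in_the_middle(pairs))
```

With these masks the sieve table contains 14 of the 16 possible (input, output) pairs, and over the full 16-entry codebook 2 of the 16 partial-key candidates survive: the correct one and its translate by (0b10, 0b1100), which maps the two impossible transitions onto each other and therefore cannot be separated by any plaintext at this stage; it is discarded once the remaining key bits are tested. The filtering power of the sieve is governed by how far the table is from being full, which is why the choice of the middle Sbox and of the reachable bits matters.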

The construction of building blocks which guarantee a high resistance against the known attacks is a major topic within our project-team, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation aspects. Actually, characterising the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not.

For these reasons, we have investigated several families of filtering
functions and of S-boxes which are well-suited for their cryptographic
properties or for their implementation characteristics. For instance,
bent functions, which are the Boolean functions which achieve the
highest possible nonlinearity, have been extensively studied in order
to provide some elements for a classification, or to adapt these
functions to practical cryptographic
constructions. We have also
been interested in functions with a low differential uniformity (*e.g.*, APN functions), which are the S-boxes ensuring an
(almost) optimal resistance to differential cryptanalysis.

**Recent results:**

Study of the algebraic properties (e.g. the algebraic degree) of the inverses of APN power permutations.

Definition of a new criterion for Sboxes and link with some recent algebraic attacks on the hash function Hamsi.

Definition of an extended criterion for estimating the resistance of a block cipher to differential attacks. Most notably, this new criterion points out the fact that affinely equivalent Sboxes may not provide the same security level regarding differential cryptanalysis. This work emphasises the role played by the affine permutation of the set of 8-bit words which follows the inverse function in the AES.

A new sufficient (and simpler) condition for checking that a mapping is APN has been established.
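The criteria named above (differential uniformity, nonlinearity, algebraic degree) can be measured directly on a look-up table. The following Python script is an added example, not code from the project-team: it computes them for the AES S-box (rebuilt from the inverse map in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1 followed by the standard affine layer), for the inverse map alone, and for the Gold power map x^3 over GF(2^5) together with its inverse x^21; the reduction polynomial x^5+x^2+1 for GF(2^5) is a choice made for this example. It shows that x^3 is APN (differential uniformity 2) while its inverse has a higher algebraic degree, and that the affine layer of the AES leaves all three classical quantities unchanged, which is consistent with the remark above that an extended criterion is needed to tell affinely equivalent Sboxes apart.

```python
# Added example (not from the project-team's publications): computing the
# S-box criteria discussed above on real look-up tables.
# Assumed field representations: GF(2^8) with x^8+x^4+x^3+x+1 (0x11B, as in the AES)
# and GF(2^5) with x^5+x^2+1 (0x25, chosen for this example).

def gf_mul(a, b, poly, n):
    """Multiply a and b in GF(2^n) defined by the irreducible polynomial `poly`."""
    r, top = 0, 1 << n
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & top:
            a ^= poly
        b >>= 1
    return r

def gf_pow(a, e, poly, n):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return r

def power_map(e, poly, n):
    """Look-up table of the power map x -> x^e on GF(2^n)."""
    return [gf_pow(x, e, poly, n) for x in range(1 << n)]

def aes_sbox():
    """AES S-box: inversion in GF(2^8) (x^254, so 0 -> 0) followed by the affine layer."""
    def affine(a):
        b = a
        for i in range(1, 5):
            b ^= ((a << i) | (a >> (8 - i))) & 0xFF
        return b ^ 0x63
    return [affine(y) for y in power_map(254, 0x11B, 8)]

def differential_uniformity(s):
    """max over a != 0 and b of #{x : S(x) ^ S(x ^ a) = b}; the value 2 means APN."""
    size, best = len(s), 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def fwht(v):
    """Fast Walsh-Hadamard transform of a list whose length is a power of two."""
    v, h = list(v), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                x, y = v[j], v[j + h]
                v[j], v[j + h] = x + y, x - y
        h *= 2
    return v

def parity(x):
    return bin(x).count("1") & 1

def nonlinearity(s):
    """2^(n-1) - max|W_f(a)|/2 over all non-trivial component functions f(x) = <b, S(x)>."""
    size = len(s)
    n = size.bit_length() - 1
    max_walsh = 0
    for b in range(1, size):
        f = [(-1) ** parity(b & s[x]) for x in range(size)]
        max_walsh = max(max_walsh, max(abs(w) for w in fwht(f)))
    return (1 << (n - 1)) - max_walsh // 2

def algebraic_degree(s):
    """Highest degree of a monomial in the ANF of any coordinate function of S."""
    size = len(s)
    n = size.bit_length() - 1
    deg = 0
    for bit in range(n):
        anf = [(s[x] >> bit) & 1 for x in range(size)]
        h = 1                      # Moebius transform: truth table -> ANF coefficients
        while h < size:
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    anf[j + h] ^= anf[j]
            h *= 2
        deg = max([deg] + [bin(u).count("1") for u in range(size) if anf[u]])
    return deg

if __name__ == "__main__":
    for name, s in [("AES S-box", aes_sbox()),
                    ("x^-1 over GF(2^8)", power_map(254, 0x11B, 8)),
                    ("x^3 over GF(2^5)", power_map(3, 0x25, 5)),
                    ("x^21 = (x^3)^-1 over GF(2^5)", power_map(21, 0x25, 5))]:
        print(name, differential_uniformity(s), nonlinearity(s), algebraic_degree(s))
```

The Walsh spectrum is computed with a fast transform per component function, so the 8-bit case runs in well under a second; a direct triple loop over (b, a, x) would be about 2^24 operations. The algebraic degree of a power map x^e equals the binary weight of e, which the script confirms for 3 (degree 2) and its inverse exponent 21 (degree 3) over GF(2^5), the kind of quantity studied in the first result above.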

Most popular public-key cryptographic schemes rely either on the
factorisation problem (RSA, Rabin), or on the discrete logarithm
problem (Diffie-Hellman, El Gamal, DSA). These systems have evolved
and today instead of the classical groups (

Diversity is a way to dilute that risk, and it is the duty of the
cryptographic research community to prepare and propose alternatives
to the number-theoretic systems. The most serious tracks today
are lattice-based cryptography (NTRU, ...), multivariate cryptography (HFE, ...)
and code-based cryptography (McEliece encryption scheme, ...). All
these alternatives are referred to as *post-quantum
cryptosystems*, since they rely on difficult algorithmic problems
which would not be solved by the advent of a quantum computer.

The code-based primitives have been investigated in detail within the project-team. The first cryptosystem based on error-correcting codes was a public-key encryption scheme proposed by McEliece in 1978; a dual variant was proposed in 1986 by Niederreiter. We proposed the first (and only) code-based digital signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signature, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are

security analysis, implementation and practicality of existing solutions,

reducing the key size, *e.g.*, by using the rank metric instead of the Hamming metric, or by using particular families of codes,

addressing new functionalities, like hashing or symmetric encryption.

**Recent results:**

Design of a new variant of McEliece using Moderate Density Parity Check (MDPC) codes;

Cryptanalysis of the McEliece system based on wild Goppa codes over a quadratic finite field extension. This polynomial-time structural attack relies on a filtration of nested subcodes which reveals the secret algebraic description of the underlying code.

Cryptanalysis of a variant of the McEliece cryptosystem based on Reed-Solomon codes.

Cryptanalysis of a variant of the McEliece cryptosystem based on convolutional codes proposed by Löndahl and Johansson in 2012.

Design of the first algorithm for distinguishing between Goppa codes (or alternant codes) over any field and random codes. Provided that the codes have sufficiently large rates, this technique solves in polynomial time the Goppa-Code-Distinguishing problem, which is an assumption in the security proof of the McEliece cryptosystem.

Study of the hardness of the code equivalence problem over
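The component-wise (Schur) product of codes, named as the key point of the wild Goppa code attack in the highlights above and underlying the results on Reed-Solomon variants and Goppa-code distinguishing, is easy to observe on small instances. The following Python script is an added example, not code from the project-team, over an assumed prime field GF(31) with toy parameters n = 30 and k = 5: it computes dim(C*C) for a generalized Reed-Solomon code (2k-1 = 9), for a McEliece-style public key S·G·P derived from it (still 9, since S only changes the basis of the code and P only permutes coordinates), and for a random code of the same length and dimension (k(k+1)/2 = 15 with overwhelming probability). That gap is what a structural attack exploits; the Goppa-code case in the results above needs the finer filtration of nested subcodes, which the script does not implement.

```python
# Added example (not the project-team's code): the component-wise (Schur) product
# distinguisher that underlies the attacks on McEliece variants built on GRS codes.
# Assumptions: a prime field GF(31) and toy parameters n = 30, k = 5.
import random

P = 31

def rank_mod_p(rows, p=P):
    """Rank of a matrix (list of rows) over GF(p), by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], p - 2, p)          # Fermat inverse, p prime
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank

def schur_square_dim(gen, p=P):
    """dim(C*C): C*C is spanned by the component-wise products of pairs of generator rows."""
    k, n = len(gen), len(gen[0])
    prods = [[(gen[i][t] * gen[j][t]) % p for t in range(n)]
             for i in range(k) for j in range(i, k)]
    return rank_mod_p(prods, p)

def grs_generator(n, k, seed, p=P):
    """Generalized Reed-Solomon code: rows (v_t * x_t^j)_t for j < k, distinct x_t, v_t != 0."""
    rng = random.Random(seed)
    xs = rng.sample(range(p), n)
    vs = [rng.randrange(1, p) for _ in range(n)]
    return [[(vs[t] * pow(xs[t], j, p)) % p for t in range(n)] for j in range(k)]

def random_generator(n, k, seed, p=P):
    """Generator matrix of a random [n, k] code (retry until it has full rank)."""
    rng = random.Random(seed)
    while True:
        g = [[rng.randrange(p) for _ in range(n)] for _ in range(k)]
        if rank_mod_p(g, p) == k:
            return g

def mceliece_public_key(gen, seed, p=P):
    """G' = S * G * Pi with a random invertible k x k matrix S and a coordinate permutation Pi."""
    rng = random.Random(seed)
    k, n = len(gen), len(gen[0])
    while True:
        s = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        if rank_mod_p(s, p) == k:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    sg = [[sum(s[i][l] * gen[l][t] for l in range(k)) % p for t in range(n)] for i in range(k)]
    return [[row[perm[t]] for t in range(n)] for row in sg]

def distinguish(gen, p=P):
    """A random [n,k] code has dim(C*C) = min(n, k(k+1)/2) w.h.p.; a GRS code only 2k-1."""
    k, n = len(gen), len(gen[0])
    d = schur_square_dim(gen, p)
    return ("structured" if d < min(n, k * (k + 1) // 2) else "random-like"), d

if __name__ == "__main__":
    G = grs_generator(30, 5, seed=1)
    print("GRS code:       ", distinguish(G))
    print("public key S G P:", distinguish(mceliece_public_key(G, seed=2)))
    print("random code:    ", distinguish(random_generator(30, 5, seed=3)))
```

The products of two GRS rows v_t x_t^i and v_t x_t^j are again of the form v_t^2 x_t^{i+j}, so only 2k-1 distinct degrees appear, whereas the k(k+1)/2 products of random rows are generically independent. Because the public key generates the same code up to a coordinate permutation, the invariant is readable from the public key alone, which is the starting point of the polynomial-time key recovery on such variants.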

To assess the quality of a cryptographic algorithm, it is usually
assumed that its specifications are public, in accordance with
Kerckhoffs' principle, stated in *La Cryptographie militaire*, published in
1883.

**Recent results:**

Reconstruction of the constellation labelling (i.e. used in the modulator of a communication system) in the presence of errors and when the underlying code is convolutional (Marion Bellard's PhD).

The field of Quantum Information and Computation aims at exploiting the laws of quantum physics to manipulate information in radically novel ways. Two main applications come to mind: quantum computers, that offer the promise of solving some problems intractable with classical computers (for instance, factorization); and quantum cryptography, which provides new ways to exchange data in a provably secure fashion.

The main obstacle towards the development of quantum computing is decoherence, a consequence of the interaction of the computer with a noisy environment. We investigate approaches to quantum error-correction as a way to fight against this effect, and we study more particularly some families of quantum error-correcting codes which generalise the best classical codes available today.

Our research also covers quantum cryptography where we study the security of efficient protocols for key distribution, in collaboration with experimental groups. More generally, we investigate how quantum theory severely constrains the action of honest and malicious parties in cryptographic scenarios.

Protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It is also worth noting that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time. Our approach for overcoming this problem has been to study whether or not the family of turbo-codes and LDPC codes (and the associated iterative decoding algorithms) have a quantum counterpart.

**Recent results:**

Construction of quantum codes combining an improved version of a family of spatially coupled quantum LDPC codes with a family of error-reducing turbo-codes;

Construction of quantum LDPC codes with fixed non-zero rate and a minimum distance which grows proportionally to the square root of the block-length. This greatly improves the previously best known construction, whose minimum distance was logarithmic in the block-length.

A recent approach to cryptography takes into account that all interactions occur in a physical world described by the laws of quantum physics. These laws put severe constraints on what an adversary can achieve, and allow for instance to design provably secure key distribution protocols. We study such protocols as well as more general cryptographic primitives with security properties based on quantum theory.

**Recent results:**

Experimental demonstration of quantum key distribution with continuous variables over 80 km, greatly improving over previous records of around 25 km.

Security proof of continuous-variable quantum key distribution protocols against general attacks.

Security proof of device-independent quantum key distribution in the bounded storage model.

Study of BosonSampling, a recently introduced problem where quantum computers offer a provable speedup over classical computers.

Introduction and study of “Local Orthogonality”, an information-theoretical principle for quantum correlations.

Introduction of a general formalism for the study of contextuality and non-locality in quantum theory, based on the combinatorics of hypergraphs.

**High Tech Communications Services ( $09/13\to 09/14$)**

*Recovering a convolutional encoder followed by a block interleaver*

19 kEuros

**ANR SAPHIR-2 ( $03/09\to 03/13$)**

*Security and Analysis of Primitives of Hashing Innovatory and Recent 2*

ANR program: VERSO (Reseaux du Futur et Services)

Partners: France Telecom, Gemalto, Cryptolog international, EADS SN, Sagem Securite, ENS/LIENS, UVSQ/PRISM, Inria (project-team SECRET), ANSSI

153 kEuros

This industrial research project aims at participating in the NIST SHA-3 competition (cryptanalysis, implementations, optimisations, etc.) and at supporting the SHA-3 candidates proposed by its partners.

**ANR BLOC ( $10/11\to 09/15$)**

*Conception et analyse de chiffrements par blocs efficaces pour les environnements contraints*

ANR program: Ingénierie numérique et sécurité

Partners: INSA Lyon, Inria (project-team SECRET), University of Limoges (XLIM), CryptoExperts

446 kEuros

The BLOC project aims at providing strong theoretical and practical results in the domain of cryptanalyses and design of block ciphers.

**ANR KISS ( $12/11\to 12/15$)**

*Keep your personal Information Safe and Secure*

ANR program: Ingénierie numérique et sécurité

Partners: Inria (project-teams SMIS and SECRET), LIRIS, Gemalto, UVSQ (Prism), Conseil Général des Yvelines

64 kEuros

The KISS project builds upon the emergence of new portable and secure devices known as Secure Portable Tokens (e.g., mass storage SIM cards, secure USB sticks, smart sensors) combining the security of smart cards and the storage capacity of NAND Flash chips. The idea promoted in KISS is to embed, in such devices, software components capable of acquiring, storing and managing securely personal data.

**ANR CLE ( $10/13\to 10/17$)**

*Cryptography from learning with errors*

ANR program: Jeunes Chercheurs, SIMI2

Coordinator: Vadim Lyubashevsky (Inria, EPI Cascade)

The aim of this project is to combine algorithmic and algebraic techniques coming from asymmetric and symmetric cryptology in order to improve some attacks and to design some symmetric primitives which have a good resistance to side-channel attacks.

**French Ministry of Defense ( $01/11\to 12/13$)**

*Funding for the supervision of Marion Bellard's PhD.*

30 kEuros.

**French Ministry of Defense ( $10/12\to 09/15$)**

*Funding for the supervision of Audrey Tixier's PhD.*

30 kEuros.

**DGA-MI ( $12/11\to 02/13$)**

*Analysis of binary streams.*

20 kEuros.

**PEPS IQC 2013 ( $04/13\to 03/14$)**

*Topology and quantum codes*

coordinated by G. Zémor, Institut de Mathématiques de Bordeaux.

**PEPS IQC 2013 ( $04/13\to 03/14$)**

*Quantum Cryptography and distributed computing*

coordinated by Frédéric Grosshans, Laboratoire Aimé Cotton.

Program: COST

Project acronym: ICT COST Action IC1306

Project title: Cryptography for Secure Digital Interaction

Duration: January 2014 - November 2017

Coordinator: Claudio Orlandi, Aarhus University, Denmark

Other partners: see http://

Abstract: The aim of this COST action is to stimulate interaction between the different national efforts in order to develop new cryptographic solutions and to evaluate the security of deployed algorithms with applications to the secure digital interactions between citizens, companies and governments.

Otto-von-Guericke Universität Magdeburg, Institut für Algebra und Geometrie (Germany):

Study of Boolean functions for cryptographic applications

DTU - Danmarks Tekniske Universitet, Department of Mathematics:

Lightweight symmetric cryptography and code-based cryptography

Indian Statistical Institute, Kolkata, India:

Symmetric cryptography

Grigory Kabatianskiy, Institute for Problems of Information Transmission, Moscow, Russia, November 23-30

Paulo Barreto, University of Sao Paulo, Brazil, November 22-30

Dimitrios Simos, SBA Research, Vienna, Austria, June 30-July 6

Bimal Roy, Indian Statistical Institute, Kolkata, India, June 15-23

University of Sherbrooke, Canada, July 14-21 (J.P. Tillich)

Newton Institute for Mathematical Sciences, Cambridge, United
Kingdom, November 6-8, invitation to the *Mathematical Challenges in
Quantum Information* Program, (A. Leverrier)

CWI, Amsterdam, Netherlands, November 26-27, collaboration with Christian Schaffner, (A. Leverrier)

FHNW, Windisch, Switzerland, May 27-31, visiting Willi Meier (M. Naya-Plasencia)

*CBC 2013 - the fourth Code-based Cryptography Workshop*, Rocquencourt, June 10-12, 2013. Organizing committee: G. Landais, Rafael Misoczki, N. Sendrier (chair) http://

*Designs, Codes and Cryptography*, associate editor: P. Charpin, since 2003.

*Finite Fields and Their Applications* associate editors: A. Canteaut,
P. Charpin.

Special issue in Coding and Cryptography, *Designs, Codes and Cryptography*, 2013, co-editor: A. Canteaut.

*Finite Fields and Their Applications. Character Sums and Polynomials*, Radon Series on Computational and Applied Mathematics, De Gruyter, in press. Editors: P. Charpin, A. Pott (U. Magdeburg) and A. Winterhof (Austrian Acad. of Sc.)

A. Canteaut serves on the steering committee of *Fast Software Encryption (FSE)*;

N. Sendrier serves on the steering committee of *Post-quantum cryptography (PQCrypto)*;

M. Naya-Plasencia serves on the steering committee of the *Coding and Cryptography* group of GDR-IM https://

FSE 2013: March 11-13, 2013, Singapore, Singapore (A. Canteaut, M. Naya-Plasencia);

WCC 2013: April 15-19, 2013, Bergen, Norway (A. Canteaut, N. Sendrier);

PQCrypto 2013: June 4-7, 2013, Limoges, France (N. Sendrier, JP. Tillich);

CBC 2013: June, 10-12, 2013, Rocquencourt, France (N. Sendrier, JP. Tillich);

SAC 2013: August, 14-16, 2013, Vancouver, Canada (A. Canteaut, M. Naya-Plasencia);

MoCrySEn 2013: September, 2-6, 2013, Regensburg, Germany (N. Sendrier, co-chair; D. Simos, chair; M. Naya-Plasencia, J.P. Tillich);

Asiacrypt 2013: December 1-5, 2013, Bangalore, India (A. Canteaut, N. Sendrier);

*IMA International Conference on Cryptography and Coding*:
December 17-19, 2013, Oxford, UK (P. Charpin, M. Naya-Plasencia);

*Optimal Codes and Related Topics - OC 2013*, September 6-8, 2013,
Albena, Bulgaria (P. Charpin);

FSE 2014: March 2-5, 2014, London, UK (A. Canteaut);

Africacrypt 2014: May, 28-30, 2014, Marrakech, Morocco (M. Naya-Plasencia);

Eurocrypt 2014: May, 11-15, 2014, Copenhagen, Denmark (M. Naya-Plasencia);

YACC 2014: June, 9-14, 2014, Porquerolles, France (N. Sendrier, JP. Tillich)

ACNS 2014: June 10-13, 2014, Lausanne, Switzerland (A. Canteaut);

SAC 2014: August 14-15, 2014, Montréal, Canada (A. Canteaut, M. Naya-Plasencia);

Crypto 2014: August 17-21, 2014, Santa Barbara, USA (M. Naya-Plasencia);

SCN 2014: September 3-5, 2014, Amalfi, Italy (G. Leurent);

Latincrypt 2014: September, 17-19, 2014, Florianópolis, Brazil (N. Sendrier);

Asiacrypt 2014: December 7-11, 2014, China (M. Naya-Plasencia);

Indocrypt 2014: December 14-17, 2014, New Delhi, India (A. Canteaut).

A. Canteaut, *Extended differential properties of cryptographic functions*, The 11th International Conference on Finite Fields and their Applications - Fq11, Magdeburg, Germany, July 2013.

A. Canteaut, *Similarities between Encryption and Decryption: How far can we go?* (Stafford Tavares lecture), Selected Areas in Cryptography - SAC 2013, Vancouver, Canada, August 2013.

A. Leverrier, *A Combinatorial Approach to Nonlocality and
Contextuality*, Quo Vadis, Quantum Physics?, Natal, Brazil, February 2013.

A. Leverrier, *Security of continuous-variable quantum key
distribution against general attacks*, APS March Meeting 2013, Baltimore,
United States of America, March 2013.

N. Sendrier, *The Construction of Code-Based Cryptosystems*, The 14th IMA International Conference on Cryptography and Coding, Oxford, United Kingdom, December 2013.

A. Canteaut and M. Naya-Plasencia were invited to give talks at the *Keccak & SHA-3 Day* organised in Brussels, following the selection of the hash function Keccak as the new SHA-3 standard:

A. Canteaut, *On some algebraic properties of Keccak*, Keccak & SHA-3 Day, Brussels, Belgium, March 2013;

M. Naya-Plasencia, *First practical results on reduced-round Keccak and Unaligned rebound attack*, Keccak & SHA-3 Day, Brussels, Belgium, March 2013.

The members of the project-team have also been invited to give talks at workshops or international seminars, including:

P. Charpin, *On binary $[{2}^{n}-1,{2}^{n}-1-2n,d]$ codes*, workshop "Coding Theory", Dagstuhl Seminar 13351, August 2013.

A. Leverrier. *Does BosonSampling need Fault-Tolerance?*,
Journées Informatique Quantique 2013, Nancy, France, October 2013.

M. Naya-Plasencia, *Meet-in-the-middle through an Sbox*, ESC 2013 - Early Symmetric Crypto seminar, Luxembourg, Luxembourg, January 2013.

N. Sendrier, *Classical algorithm techniques for decoding generic linear codes*, workshop “Quantum Cryptanalysis”, Dagstuhl Seminar 13371, September 2013.

N. Sendrier is a vice-chair of the “Commission d'Evaluation” at Inria;

N. Sendrier served on the following Inria juries: admissibilité DR2, admissibilité CR2 Rennes, admission CR;

N. Sendrier has served on the selection committee of PEPS IQC (quantum information and communication, CNRS);

A. Canteaut is a member of the “Comité de pilotage” of the Fondation Sciences Mathématiques de Paris;

JP. Tillich is in charge of “Formation par la recherche” for the Paris-Rocquencourt Inria center.

P. Charpin served on the selection committee for postdoctoral positions, Inria Paris-Rocquencourt.

P. Charpin served on the selection committee for PhD fundings in Computer Science at University Pierre-et-Marie Curie (theme: *Software and Algorithms*).

Master: A. Canteaut, *Stream ciphers*, 9 hours, M2, Telecom ParisTech, France;

Master: A. Canteaut, *Introduction to symmetric cryptography*, 4.5 hours, M2, Telecom ParisTech, France;

Master: A. Canteaut, *Error-correcting codes and applications to cryptology*, 11 hours, M2, University Paris-Diderot (MPRI), France;

Master: N. Sendrier, *Code-based cryptography*, 4.5 hours, M2, University Paris-Diderot (MPRI), France;

Master: J.-P. Tillich, *Introduction to Information Theory*, 32 h, M2, Ecole Polytechnique, France.

The members of the project-team also gave advanced lectures at several summer schools for PhD students: *Icebreak 2013* (Reykjavik, Iceland, June 2013); *Summer school on Design and Security of Cryptographic Functions, Algorithms and Devices* (Albena, Bulgaria, June 2013); *2013 Indian National Workshop on Cryptology* (Delhi, India, October 2013); *Forum des jeunes mathématicien-ne-s 2013* (Lyon, France, November 2013).

PhD: Mamdouh Abbara, *Quantum turbo-codes*, Ecole Polytechnique, April 9, 2013 (supervisor: JP. Tillich)

PhD: Rafael Misoczki, *Two Approaches for Achieving Efficient Code-Based Cryptosystems*, Université Pierre-et-Marie Curie, November 25, 2013 (supervisor: N. Sendrier)

PhD: Jean-Christophe Sibel, *Region-based approximation to solve inference in loopy factor graphs: decoding LDPC codes by the Generalized Belief Propagation*, Université de Cergy-Pontoise, June 7, 2013 (supervisor : D. Declercq)

PhD in progress: Marion Bellard, *Influence du mapping pour la reconnaissance d'un
système de communication*, since January 2011, supervisors: N. Sendrier and J.-P. Tillich

PhD in progress: Virginie Lallemand, *Cryptanalysis for symmetric cryptography*,
since October 2013, supervisors: M. Naya-Plasencia and A. Canteaut

PhD in progress: Grégory Landais, *Implementations of code-based cryptosystems and of their cryptanalyses*, since October 2010,
supervisors: M. Finiasz and N. Sendrier

PhD in progress: Denise Maurice, *Quantum LDPC codes*, since September 2010, supervisor: JP. Tillich

PhD in progress: Joëlle Roué, *Security analysis of block ciphers*, since September 2012, supervisor: A. Canteaut

PhD in progress: Valentin Suder, *Permutations for symmetric cryptography*, since October 2011, supervisor: P. Charpin

PhD in progress: Audrey Tixier, *Reconnaissance de turbo-codes et de codes LDPC*, since October 2013, supervisor: J.P. Tillich

Risto Hakala, *Results on Linear Models in Cryptography*,
Aalto University, Helsinki, Finland, February 2013, committee:
P. Charpin (reviewer);

Mohamed Ahmed Abdelraheem, *Cryptanalysis of Some Lightweight Symmetric Ciphers*, Danmarks Tekniske Universitet, Denmark, February 7, 2012, committee: A. Canteaut (reviewer);

Mamdouh Abbara, *Turbo-codes quantiques*, Ecole Polytechnique, April 9, 2013, committee: JP. Tillich (supervisor);

Paul Stankovski, Lund University, Sweden, June 17, 2013, committee: A. Canteaut (opponent);

Alexander Zeh, *Algebraic Soft- and Hard-Decision Decoding of Generalized Reed–Solomon and Cyclic Codes*,
Ecole Polytechnique/University of Ulm, September 2, 2013, committee: P. Charpin (reviewer), JP. Tillich;

Anne Marin, *Utilisation d'états multigraphes pour le partage de secret quantique*, Télécom ParisTech, September 17, 2013, committee: J.P. Tillich;

Jérémy Jean, *Cryptanalyse de primitives symétriques basées sur le chiffrement AES*, École Normale Supérieure, September 24, 2013, committee: A. Canteaut (reviewer);

Rafael Misoczki, *Two Approaches for Achieving Efficient Code-Based Cryptosystems*, University Pierre-et-Marie-Curie, November 25, 2013, committee: N. Sendrier (supervisor), JP. Tillich;

Julien Schrek, *Signatures et authentification pour les cryptosystèmes basés sur les codes correcteurs en
métrique de Hamming et en métrique rang*, University of Limoges, November 27, 2013, committee: N. Sendrier (reviewer), J.P. Tillich;

Patrick Debrez, *Attaques par Rencontre par le Milieu sur l’AES*, École Normale Supérieure, December 9, 2013, committee: G. Leurent

Alberto Passuello, *Semidefinite programming in combinatorial optimization with applications to coding theory and geometry*, University of Bordeaux,
December 17, 2013, committee: J.P. Tillich