Section: New Results
Code-based cryptography
Participants: Grégory Landais, Rafael Misoczki, Nicolas Sendrier, Dimitrios Simos, Jean-Pierre Tillich.
Most popular public-key cryptographic schemes rely either on the factorisation problem (RSA, Rabin) or on the discrete logarithm problem (Diffie-Hellman, ElGamal, DSA). These systems have evolved, and today, instead of the classical groups ($\mathbf{Z}/n\mathbf{Z}$), we may use groups of points on elliptic curves, which allow shorter block and key sizes for the same level of security. An intensive effort of the research community has been, and is still being, conducted to investigate the main aspects of these systems: implementation, theoretical and practical security. It must be noted that all these systems rely on algorithmic number theory. As they are used in most, if not all, applications of public-key cryptography today (and this will probably remain so in the near future), cryptographic applications are thus vulnerable to a single breakthrough in algorithmics or in hardware: a large quantum computer running Shor's algorithm would break every one of these schemes, the factorisation-based and the discrete-logarithm-based ones alike.
Diversity is a way to dilute that risk, and it is the duty of the cryptographic research community to prepare and propose alternatives to the number-theoretic systems. The most serious tracks today are lattice-based cryptography (NTRU, ...), multivariate cryptography (HFE, ...) and code-based cryptography (McEliece encryption scheme, ...). All these alternatives are referred to as post-quantum cryptosystems, since they rely on hard algorithmic problems for which no efficient quantum algorithm is known, so that the advent of the quantum computer would not by itself break them.
Code-based primitives have been investigated in detail within the project-team. The first cryptosystem based on error-correcting codes was a public-key encryption scheme proposed by McEliece in 1978; a dual variant was proposed in 1986 by Niederreiter. We proposed the first (and only) practical code-based digital signature scheme, CFS, in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signatures, good security reduction) but also have their drawbacks (large public keys, encryption overhead, expensive signature generation). Some of the main issues in this field are

security analysis, implementation and practicality of existing solutions,

reducing the key size, e.g., by using rank metric instead of Hamming metric, or by using particular families of codes,

addressing new functionalities, like hashing or symmetric encryption.
Recent results:

Design of a new variant of McEliece using Moderate Density Parity Check (MDPC) codes [45];

Cryptanalysis of the McEliece system based on wild Goppa codes over a quadratic finite-field extension. This polynomial-time structural attack relies on a filtration of nested subcodes which reveals the secret algebraic description of the underlying code [39], [63].

Cryptanalysis of a variant of the McEliece cryptosystem based on Reed-Solomon codes [38].

Cryptanalysis of a variant of the McEliece cryptosystem based on convolutional codes, proposed by Löndahl and Johansson in 2012 [43].

Design of the first algorithm for distinguishing Goppa codes (or, more generally, alternant codes) over any field from random codes. Provided that the codes have sufficiently large rates, this technique solves the Goppa-code-distinguishing problem in polynomial time; the assumed hardness of this problem underlies the security proof of the McEliece cryptosystem [12].

Study of the hardness of the code equivalence problem over ${\mathbf{F}}_{q}$. This problem had been extensively studied for permutation equivalence (which covers all cases for $q=2$). For $q\in \{3,4\}$, we have generalised the support-splitting algorithm, and we have shown that the problem seems intractable for most instances when $q\ge 5$ [46]. This property has been exploited in an improved version of an identification protocol due to Girault [47].
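The example below is added here and is not code from the project-team, nor the algorithm of [12] or [38]. It illustrates the mechanism common to the distinguisher and to the attacks on Reed-Solomon-type variants listed above: the component-wise (Schur) product of codewords. For a generalised Reed-Solomon (GRS) code of dimension $k$ the span of all such products has dimension only $\min(n, 2k-1)$, whereas for a random $[n,k]$ code it is, with high probability, $\min(n, k(k+1)/2)$. The row-scrambling and column permutation of a McEliece-style public key do not change that dimension, so the public key alone reveals the structure. The prime field $\mathbf{F}_{97}$, the parameters $n=40$, $k=10$, the seed and the helper names are all constructed choices; Goppa and alternant codes, which [12] handles, need the subfield-subcode machinery and are not covered by this toy.

```python
"""Square-code (Schur product) distinguisher for GRS codes over a prime field.

Added example, not project-team code.  All parameters below are constructed.
"""
import random

P = 97  # constructed: prime field F_97, large enough for 40 distinct evaluation points


def rank_mod_p(rows):
    """Rank of a matrix over F_P by Gaussian elimination (input rows are copied)."""
    m = [r[:] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], P - 2, P)          # inverse via Fermat's little theorem
        m[rank] = [(x * inv) % P for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def grs_generator(alphas, v, k):
    """Generator matrix of GRS_k(alphas, v): row i has entries v_j * alphas_j^i."""
    return [[(v[j] * pow(a, i, P)) % P for j, a in enumerate(alphas)] for i in range(k)]


def random_generator(n, k, rng):
    """k x n matrix with uniformly random entries in F_P (a random [n,k] code w.h.p.)."""
    return [[rng.randrange(P) for _ in range(n)] for _ in range(k)]


def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]


def mceliece_style_public_key(G, rng):
    """Hide G as S*G*Pi: S random invertible, Pi a random column permutation."""
    k, n = len(G), len(G[0])
    while True:
        S = random_generator(k, k, rng)
        if rank_mod_p(S) == k:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    SG = mat_mul(S, G)
    return [[row[perm[j]] for j in range(n)] for row in SG]


def square_code_dimension(G):
    """Dimension of the span of all component-wise products g_i * g_j, i <= j."""
    k, n = len(G), len(G[0])
    prods = [[(G[i][c] * G[j][c]) % P for c in range(n)]
             for i in range(k) for j in range(i, k)]
    return rank_mod_p(prods)


def distinguish(Gpub):
    """'GRS-like' when the square code is smaller than a random code's would be."""
    k, n = len(Gpub), len(Gpub[0])
    generic = min(n, k * (k + 1) // 2)   # square dimension of a random [n,k] code (w.h.p.)
    return "GRS-like" if square_code_dimension(Gpub) < generic else "random-like"


def demo(n=40, k=10, seed=2013):
    """Build a scrambled GRS public key and a random code; return both verdicts."""
    rng = random.Random(seed)
    alphas = rng.sample(range(P), n)               # distinct evaluation points
    v = [rng.randrange(1, P) for _ in range(n)]    # non-zero column multipliers
    G_pub = mceliece_style_public_key(grs_generator(alphas, v, k), rng)
    G_rnd = random_generator(n, k, rng)
    return {
        "grs_square_dim": square_code_dimension(G_pub),  # min(n, 2k-1) = 19
        "rnd_square_dim": square_code_dimension(G_rnd),  # min(n, k(k+1)/2) = 40
        "grs_verdict": distinguish(G_pub),
        "rnd_verdict": distinguish(G_rnd),
    }


if __name__ == "__main__":
    print(demo())
```

The scrambling step is what makes the point: `S` and the permutation are exactly the public-key disguise of McEliece, and the square-code dimension is invariant under both, which is why the attacks in [38] and the filtration of [39] can start from the public matrix. The threshold in `distinguish` is the generic value for a random code; a practitioner checking a proposed code family would compare its square dimension against that value for the actual rates used, since the gap closes as $k(k+1)/2$ drops below $n$.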