Section: New Results
Symmetric cryptosystems
Participants: Anne Canteaut, Pascale Charpin, Virginie Lallemand, Gaëtan Leurent, María Naya Plasencia, Joëlle Roué, Valentin Suder.
From the outside, it might appear that symmetric techniques became obsolete after the invention of public-key cryptography in the mid 1970s. However, they are still widely used because they are the only ones that can achieve some major features like high-speed or low-cost encryption, fast authentication, and efficient hashing. Today, we find symmetric algorithms in GSM mobile phones, in credit cards, in WLAN connections. Symmetric cryptology is a very active research area which is stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity, ...). These extremely restricted implementation requirements are crucial when designing secure symmetric primitives and they might be at the origin of some weaknesses. Actually, these constraints seem quite incompatible with the rather complex mathematical tools needed for constructing a provably secure system.
The specificity of our research work is that it considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of the underlying mathematical objects, definition of optimal objects). Our purpose, however, is to study these aspects not separately but as several sides of the same domain. Our approach mainly relies on the idea that, in order to guarantee a provable resistance to the known attacks and to achieve extremely good performance, a symmetric cipher must use very particular building blocks, whose algebraic structures may introduce unintended weaknesses. Our research work captures this conflict for all families of symmetric ciphers. It includes new attacks and the search for new building blocks which ensure both a high resistance to the known attacks and a low implementation cost. This work, which combines cryptanalysis and the theoretical study of discrete mathematical objects, is essential to progress in the formal analysis of the security of symmetric systems.
In this context, the most important challenges are the design of low-cost ciphers and of authenticated encryption schemes. Most teams in the research community are actually working on the design and on the analysis (cryptanalysis and performance optimization) of such primitives.
Block ciphers
Even if the security of the current block cipher standard, AES, is not threatened when it is used in a classical context, there is still a need for the design of improved attacks, and for the determination of design criteria which guarantee that the existing attacks do not apply. This notably requires a deep understanding of all previously proposed attacks. Moreover, there is a high demand from industry for lightweight block ciphers suited to constrained environments. Several such algorithms have been proposed in the last few years and their security should be carefully analyzed. Most of our work in this area is related to an ANR project named BLOC. Our recent results therefore mainly concern either the analysis and design of lightweight block ciphers, or the in-depth study of the security of the block cipher standard AES.
Recent results:

Cryptanalysis of several recently proposed lightweight block ciphers. This includes an attack against the full cipher KLEIN-64 [60], an attack against 8 rounds (out of 12) of PRINCE [48], [77], and an attack against Zorro and its variants [74].

Formalization and generic improvements of impossible differential cryptanalysis: this type of attack, although extensively used, is still not fully understood, and it appears that there are numerous applications where mistakes have been discovered or where the attacks lack optimality. Our work therefore provides a general framework for impossible differential cryptanalysis, including a generic complexity analysis of the optimal attack. Using these advances, we have also presented the best known impossible differential attacks against several ciphers including CLEFIA-128, Camellia, LBlock and Simon [46], [76], [75].

Design of a new family of block ciphers achieving very good software performance, especially on 8-bit microcontrollers. A nice feature of these ciphers is that they offer an optimal resistance against side-channel attacks in the sense that the cost of Boolean masking is minimized [58].

Design and study of a new construction for low-latency block ciphers, named reflection ciphers, which generalizes the so-called $\alpha$-reflection property exploited in PRINCE. This construction aims at reducing the implementation overhead of decryption on top of encryption [24].

Proposal of a new family of distinguishers against AES-based permutations, named limited-birthday distinguishers; these distinguishers exploit some improved rebound techniques. They have been successfully applied to various AES-based primitives including AES, ECHO, Grøstl, LED, PHOTON and Whirlpool [18].

Analysis of the differential and linear properties of the AES Super-box [65].
Authenticated encryption
A limitation of all classical block ciphers is that they aim at protecting confidentiality only, while most applications need both encryption and authentication. These two functionalities are provided by using a block cipher like the AES together with an appropriate mode of operation. However, it appears that the most widely used mode of operation for authenticated encryption, AES-GCM, is not very efficient for high-speed networks. Also, the security of the GCM mode completely collapses when an IV is reused. These severe drawbacks have motivated an international competition named CAESAR, partly supported by the NIST, which has been recently launched in order to define some new authenticated encryption schemes (http://competitions.cr.yp.to/caesar.html). Our work related to this competition is twofold: G. Leurent has participated in the design of a CAESAR candidate named SCREAM. Also, the project-team is involved in a national cryptanalytic effort led by the BRUTUS project funded by the ANR, which aims at evaluating the security of all CAESAR candidates.
Recent results:

Submission of a proposal to the CAESAR competition [88], [67].

Cryptanalysis of three CAESAR candidates: Wheesht [64], $\pi$-cipher [90], LAC [69].
Hash functions and MACs
The international research effort related to the selection of the new hash function standard SHA-3 has led to many important results and to a better understanding of the security offered by hash functions. However, hash functions are used in a huge number of applications with different security requirements, and also form the building blocks of some other primitives, like MACs. In this context, we have investigated the security of some of these constructions, in order to determine whether some particular constructions for hash functions may affect the security of the associated MACs.
Recent results:

Improved generic attacks against hash-based MACs, including HMAC, when the hash function follows the HAIFA construction [55], [33];

Attack against Streebog, the new Russian hash function standard: we show that the specific instantiation of the HAIFA construction used in Streebog makes it weak against second-preimage attacks [59].
Cryptographic properties and construction of appropriate building blocks
The construction of building blocks which guarantee a high resistance against the known attacks is a major topic within our project-team, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation. Actually, characterizing the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not.
For these reasons, we have investigated several families of filtering functions and of S-boxes which are of interest for their cryptographic properties or for their implementation characteristics. For instance, bent functions, which are the Boolean functions achieving the highest possible nonlinearity, have been extensively studied in order to provide some elements for a classification, or to adapt these functions to practical cryptographic constructions. We have also been interested in functions with a low differential uniformity (e.g., APN functions), which are the S-boxes ensuring an (almost) optimal resistance to differential cryptanalysis.
Recent results:

Study of the algebraic properties (e.g. the algebraic degree) of the inverses of APN power permutations [19] .

Study of the cryptographic properties, including the degree, the differential uniformity and the size of the image set, of permutations of the form $x \mapsto x^{s} + \gamma \mathrm{Tr}(x^{t})$ over a finite field of characteristic two [15]. Since these functions are obtained by slightly modifying a power function, they share similar interesting implementation properties but do not present the weaknesses coming from the structure of power functions. In particular, an infinite family of permutations of this form with differential uniformity 4 has been exhibited.
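The differential uniformity of such a permutation can be checked exhaustively over a small field. The following Python code is an added example, not code from the project-team or from [15]: it implements GF(2^n) arithmetic, the trace, the lookup table of $x^{s} + \gamma \mathrm{Tr}(x^{t})$ and the differential-uniformity computation; the field polynomials, the exponents s and t, and the constant $\gamma$ used in the demo (x^3 over GF(2^5), the inverse function over GF(2^8), and x^{-1} + Tr(x^3) as one modified power function) are constructed choices for illustration.

```python
# Added example (not from the SECRET team or [15]): GF(2^n) arithmetic and the
# differential uniformity of F(x) = x^s + gamma*Tr(x^t); all parameters are constructed.
def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n) modulo the irreducible polynomial poly (bit n must be set)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:  # degree reached n: reduce modulo poly
            a ^= poly
    return r

def gf_pow(a, e, n, poly):  # square-and-multiply exponentiation in GF(2^n)
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r

def trace(x, n, poly):  # absolute trace x + x^2 + ... + x^(2^(n-1)), always 0 or 1
    t, y = 0, x
    for _ in range(n):
        t ^= y
        y = gf_mul(y, y, n, poly)
    return t

def sbox_table(n, poly, s, gamma, t):
    """Lookup table of F(x) = x^s + gamma*Tr(x^t); gamma = 0 gives the plain power function."""
    return [gf_pow(x, s, n, poly) ^ (gamma * trace(gf_pow(x, t, n, poly), n, poly))
            for x in range(1 << n)]

def is_permutation(table):
    return len(set(table)) == len(table)

def differential_uniformity(table):
    """max over a != 0 and b of #{x : F(x + a) + F(x) = b}; the value 2 means APN."""
    size, best = len(table), 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x ^ a] ^ table[x]] += 1
        best = max(best, max(counts))
    return best

if __name__ == "__main__":  # GF(2^5) via x^5+x^2+1, GF(2^8) via the AES polynomial 0x11b
    for name, tab in [("x^3 over GF(2^5)", sbox_table(5, 0b100101, 3, 0, 0)),
                      ("x^-1 over GF(2^8)", sbox_table(8, 0x11b, 254, 0, 0)),
                      ("x^-1 + Tr(x^3) over GF(2^8)", sbox_table(8, 0x11b, 254, 1, 3))]:
        print(f"{name}: permutation={is_permutation(tab)}, delta={differential_uniformity(tab)}")
```

The Gold function x^3 over GF(2^5) comes out APN (delta = 2) and the inverse function over GF(2^8) differentially 4-uniform, which are the reference values to compare a modified power function against.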

Definition of an extended criterion for estimating the resistance of a block cipher to differential attacks. Most notably, this new criterion points out the fact that affinely equivalent S-boxes may not provide the same security level regarding differential and linear cryptanalysis. This work emphasizes the role played by the affine permutation of the set of 8-bit words which follows the inverse function in the AES [65].
Symmetric primitives based on lattices
Lattice-based cryptography is an alternative to number-theoretic constructions for public-key cryptography. Lattice-based constructions enjoy a worst-case security reduction to hard lattice problems, and the area is very active, with many new designs offering attractive features.
Recently, this approach has also been used to build symmetric cryptosystems based on lattice problems. While those systems are less efficient than traditional symmetric systems, they are still reasonably efficient, and their security can be related to hard computational problems rather than being only heuristic. In addition, the underlying mathematical structure can offer extra properties such as parallelizability or easy protection against side-channel attacks.
Recent results:

Design of a family of pseudorandom functions named SPRING which aims to combine the guarantees of security reductions with good performance [44]; implementation of SPRING on FPGA and protection of this hardware implementation against side-channel attacks [47].

Implementation and side-channel evaluation of the Lapin authentication protocol, based on the LPN problem [57].