Section: New Results
Symmetric cryptology
Participants: Xavier Bonnetain, Christina Boura, Anne Canteaut, Daniel Coggia, Pascale Charpin, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, André Schrottenloher, Ferdinand Sibleyras.
Block ciphers
Our recent results mainly concern either the analysis or the design of lightweight block ciphers.
Recent results:

Design of Saturnin, a new lightweight block cipher for authenticated encryption [74], which is resistant to quantum cryptanalysis. Saturnin has been submitted to the NIST competition for lightweight cryptography, and has been selected for the 2nd round of the competition (https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/saturnin-spec-round2.pdf).

Mixture-differential distinguishers on AES-like ciphers [18].

Cryptanalysis of the S-box of the Russian standards, Streebog and Kuznyechik [31], [56]. This work by L. Perrin received the best paper award at FSE 2019. Moreover, L. Perrin has been invited to present his results to AFNOR. He is involved in the international standardization processes in symmetric cryptography [50], [86] and has been invited to ISO meetings on this topic.

The work on the Streebog S-box has led to a more general study on tools for quantifying anomalies in S-boxes [44].

Design of Bison, the first concrete block cipher following the whitened swap-or-not construction [46].
MACs and hash functions
The international research effort related to the selection of the new hash function standard SHA-3 has led to many important results and to a better understanding of the security offered by hash functions. However, hash functions are used in a huge number of applications with different security requirements, and also form the building blocks of some other primitives, like MACs.
Recent results:

Chosen-prefix collision attack on SHA-1 [52]: A chosen-prefix collision attack is a stronger variant of a collision attack, where an arbitrary pair of challenge prefixes is turned into a collision. Chosen-prefix collisions are usually significantly harder to produce than (identical-prefix) collisions, but the practical impact of such an attack is much larger. G. Leurent and T. Peyrin proposed new techniques to turn collision attacks into chosen-prefix collision attacks, and presented such an attack against SHA-1 with complexity between ${2}^{66.9}$ and ${2}^{69.4}$ (depending on assumptions about the cost of finding near-collision blocks).

Design of lightweight MACs from universal hash functions [51]. Many constructions of MACs used in practice (such as GMAC or Poly1305-AES) follow the Wegman-Carter-Shoup construction, which is only secure up to ${2}^{64}$ queries with a 128-bit state. S. Duval and G. Leurent proposed new constructions to reach security beyond the birthday bound, and proposed a concrete instantiation with very good performance on ARM microcontrollers.
Cryptographic properties and construction of appropriate building blocks
The construction of building blocks which guarantee a high resistance against the known attacks is a major topic within our project-team, for stream ciphers, block ciphers and hash functions. The use of such optimal objects actually leads to some mathematical structures which may be at the origin of new attacks. This work involves fundamental aspects related to discrete mathematics, cryptanalysis and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not. For these reasons, we have investigated several families of filtering functions and of S-boxes which are well suited for their cryptographic properties or for their implementation characteristics.
Recent results:

Differential Equivalence of S-boxes: C. Boura, A. Canteaut and their co-authors have studied two notions of differential equivalence of S-boxes corresponding to the case when the functions have the same difference table, or when their difference tables have the same support [19]. They proved that these two notions do not coincide, and that they are invariant under some classical equivalence relations like EA and CCZ equivalence. They also proposed an algorithm for determining the whole equivalence class of a given function.

Boomerang Uniformity of S-boxes: The boomerang attack is a cryptanalysis technique against block ciphers which combines two differentials for the upper part and the lower part of the cipher. The Boomerang Connectivity Table (BCT) is a tool introduced by Cid et al. at Eurocrypt 2018 for analysing the dependency between these two differentials. C. Boura and A. Canteaut have provided an in-depth analysis of the BCT, by studying more closely differentially 4-uniform S-boxes. More recently, C. Boura, L. Perrin and S. Tian have obtained new results on the boomerang uniformity of several constructions of S-boxes [57].
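As an added illustration of the two tables discussed in the entries above (example code, not the report's or its authors' own), the following Python computes the DDT and the BCT of the 4-bit PRESENT S-box (used here as a constructed sample input), derives the differential and boomerang uniformity from them, and implements the two notions of differential equivalence (identical DDT versus identical DDT support) from the entry on S-box equivalence.

```python
# Added example (not the report's code): DDT and BCT of a small S-box, their
# differential/boomerang uniformity, and the two differential-equivalence notions.
# Constructed sample input: the 4-bit PRESENT S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def inverse(sbox):
    """Inverse of a permutation given as a lookup list."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def ddt(sbox):
    """Difference Distribution Table: DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def bct(sbox):
    """Boomerang Connectivity Table (Cid et al., Eurocrypt 2018):
    BCT[a][b] = #{x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) == a}."""
    n, inv = len(sbox), inverse(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            for x in range(n):
                if inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a:
                    table[a][b] += 1
    return table

def uniformity(table):
    """Largest entry over nonzero input and output differences."""
    n = len(table)
    return max(table[a][b] for a in range(1, n) for b in range(1, n))

def differential_uniformity(sbox):
    return uniformity(ddt(sbox))

def boomerang_uniformity(sbox):
    return uniformity(bct(sbox))

def same_ddt(s1, s2):
    """First differential-equivalence notion: identical difference tables."""
    return ddt(s1) == ddt(s2)

def same_ddt_support(s1, s2):
    """Second (weaker) notion: same set of (a, b) with a nonzero DDT entry."""
    sup = lambda t: {(a, b) for a, r in enumerate(t) for b, v in enumerate(r) if v}
    return sup(ddt(s1)) == sup(ddt(s2))
```

Every BCT entry is at least the corresponding DDT entry, so the boomerang uniformity can never be smaller than the differential uniformity; the BCT of the inverse permutation is the transpose of the BCT, so inversion leaves the boomerang uniformity unchanged.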

CCZ equivalence of S-boxes: A. Canteaut and L. Perrin have characterized CCZ-equivalence as a property of the zeroes in the Walsh spectrum of an S-box (or equivalently in its DDT). They used this framework to show how to efficiently upper bound the number of distinct EA-equivalence classes in a given CCZ-equivalence class. More importantly, they proved that CCZ-equivalence can be reduced to the association of EA-equivalence and an operation called twisting. They then revisited several results from the literature on CCZ-equivalence and showed how they can be interpreted in light of this new framework [21], [58].

Links between linear and differential properties of S-boxes: P. Charpin together with J. Peng has established new links between the differential uniformity and the nonlinearity of some S-boxes in the case of two-valued functions and quadratic functions. More precisely, they have exhibited a lower bound on the nonlinearity of monomial permutations depending on their differential uniformity, as well as an upper bound in the case of differentially two-valued functions [27].

Study of the properties of the error-correcting codes associated to differentially 4-uniform S-boxes [26]. Most notably, this work analyzes the relationship between the number of low-weight codewords and the nonlinearity of the corresponding S-box.

Study of crooked and weakly-crooked functions [35]: Crooked functions form a family of APN functions whose derivatives take their values in an (affine) hyperplane.

APN functions with the butterfly construction [22], [34]: the butterfly construction, originally introduced by Perrin et al., is a general construction which includes the only known example of APN permutation operating on an even number of variables. A. Canteaut, L. Perrin and S. Tian have proved that the most recent generalization of this construction does not include any other APN function when the number of variables exceeds six.
Modes of operation and generic attacks
In order to use a block cipher in practice, and to achieve a given security notion, a mode of operation must be used on top of the block cipher. Modes of operation are usually studied through provable security, and we know that their use is secure as long as the underlying primitive is secure and some limits on the amount of data processed are respected. The analysis of generic attacks helps us understand what happens when the hypotheses of the security proofs do not hold, or the corresponding limits are not respected. Comparing proofs and attacks also shows gaps where our analysis is incomplete, and where improved proofs or attacks are required.
Recent results:

Low-memory attacks against the 2-round Even-Mansour construction, using the 3-XOR problem [41]: G. Leurent and F. Sibleyras proved that attacking the 2-round Even-Mansour construction with block size $n$ is related to the 3-XOR problem with elements of size $2n$. Then, they exhibited the first generic attacks on this construction where both the data and the memory complexity are significantly lower than ${2}^{n}$.

Generic attacks against the tweakable FX-construction [55]: F. Sibleyras exhibited a generic attack on the general tweakable iterated FX-construction, which provides an upper bound on its security. Most notably, for two rounds, this upper bound matches the proof of the particular case of XHX2 by Lee and Lee at Asiacrypt 2018, thus proving for the first time its tightness.

Modes for authenticated encryption: Besides the design of new lightweight authenticated encryption schemes, we also analyzed some modes of operation in the case of release of unverified plaintext (RUP). Indeed, in this setting, an adversary gets separate access to the decryption and verification functionalities, and has more power in breaking the scheme. Our results include a forgery attack against the GCM-RUP mode of operation [54], and the design of a new lightweight deterministic scheme, named ANYDAE, which is particularly efficient for short messages, and achieves both conventional security and RUP security [24].

Generic attacks on hash combiners [15]: G. Leurent and his co-authors analyzed the security of hash combiners, i.e. of procedures that combine two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or at least remains secure as long as one of them is secure. They found generic attacks on the XOR combiner, on the concatenation of two Merkle-Damgård hash functions, and on the Zipper hash and Hash-Twice combiners when both underlying functions use the Merkle-Damgård construction.