inria, evaluation of theme sym b · good performances, a symmetric cipher must use very particular...
TRANSCRIPT
INRIA, Evaluation of Theme Sym B
Project-team CODES
November 2006
Project-team title: CODES
Scientific leader: Nicolas Sendrier
Research center: Rocquencourt
1 Personnel
Personnel (March 2002)
Misc. INRIA CNRS University TotalDR (1) / Professors 1 1 2
CR (2) / Assistant Professors 4 4Permanent Engineers (3)Temporary Engineers (4)
PhD Students 5 1 3 9Post-Doc. 1 1
Total 5 6 5 16External Collaborators 6 4 9Visitors (> 1 month)
(1) “Senior Research Scientist (Directeur de Recherche)”(2) “Junior Research Scientist (Charge de Recherche)”(3) “Civil servant (CNRS, INRIA, ...)”(4) “Associated with a contract (Ingenieur Expert or Ingenieur Associe)”
Personnel (November 2006)
Misc. INRIA CNRS University TotalDR / Professors 3 3
CR / Assistant Professor 2 2Permanent EngineerTemporary Engineer
PhD Students 6 4 1 11Post-Doc. 1 1
Total 7 9 1 17External Collaborators 5 2 8Visitors (> 1 month)
1
Changes in staff
DR / Professors Misc. INRIA CNRS University totalCR / Assistant Professors
ArrivalLeaving
Comments: Claude Carlet was moved from “Staff” to “External Collaborators” be-cause of his involvement at the University Paris 8. Nicolas Sendrier and Anne Canteauthave been promoted from CR to DR during the period. Jean-Pierre Tillich was on atemporary INRIA CR position (“detachement”) and has now a permanent INRIA CRposition.
The following researchers had a temporary position in the group during the period:
• Enes Pasalic (Post-doc. in 2003)
• Emmanuel Cadic (Post-doc. in 2004)
• Avishek Adhikari (Post-doc. in 2004/2005)
• Michael Quisquater (Post-doc. in 2005/2006)
• Marine Minier (“Ingenieur Expert” in 2004/2005)
• Fabien Galand (“Ingenieur Expert” in 2005/2006)
Current composition of the project-team (November 2006):
• Anne Canteaut, DR INRIA
• Pascale Charpin, DR INRIA
• Nicolas Sendrier, DR INRIA
• Daniel Augot, CR INRIA
• Jean-Pierre Tillich, CR INRIA
• Deepak Dalai, Post-doc., French ministry of research scholarship (starting 12/2006)
• Bhaskar Biswas, PhD Student, INRIA scholarship
• Thomas Camara, PhD Student, MERT scholarship
• Christophe Chabot, PhD Student, DGA scholarship
• Mathieu Cluzeau, PhD Student, DGA scholarship
• Frederic Didier, PhD Student, AMN scholarship
• Cedric Faure, PhD Student, AMN scholarship
• Yann Laigle-Chapuy, PhD Student, AMN scholarship
• Cedric Lauradoux, PhD Student, INRIA scholarship
• Maria Naya Plasencia, PhD Student, INRIA scholarship
2
• Andrea Rock, PhD Student, INRIA scholarship
• Bassem Sakkour, PhD Student, ENSTA scholarship
• Claude Carlet, External Collaborator, Professor, University Paris 8
• Guy Chasse, External Collaborator, Professor, Ecole des Mines de Nantes
• Francoise Levy-dit-Vehel, External Collaborator, Professor, ENSTA
• Pierre Loidreau, External Collaborator, Professor, ENSTA
• Matthieu Finiasz, External Collaborator, Post-doc., EPFL, Switzerland
• Grigory Kabatianskiy, External Collaborator, Researcher IPIT, Russia
• Harold Ollivier, External Collaborator, French ministry of finances
• Ayoub Otmani, External Collaborator, Assistant Professor, University of Caen
Current position of former project-team members (including PhD stu-dents during the period):
• Gregory Olocco, Prospective Department Manager, Air Liquide, Paris
• Cedric Tavernier, R&D engineer, Thales, Colombes
• Matthieu Finiasz, Post-doc., EPFL, Switzerland ∗
• Harold Ollivier, French ministry of finances ∗
• Fabien Galand, Post-doc., IRISA, Rennes
• Magali Bardet, Assistant Professor, University of Rouen
• Carmen Nedeloaia, ATER, University of Paris 8
• Marine Minier, Assistant Professor, INSA Lyon
• Marion Videau, Assistant Professor, University of Nancy
• Ludovic Perret, Post-doc., UCL, Louvain, Belgium
• Michael Quisquater, Assistant Professor, University of Versailles Saint-Quentin
• Raghav Bhaskar, Post-doc., Microsoft Research, Bangalore, India
∗ also listed as external collaborators.
Last INRIA enlistments
• Nicolas Sendrier, DR2, 2003
• Jean-Pierre Tillich, CR1, 2003
• Anne Canteaut, DR2, 2006
All three were already in the research staff in March 2002, with a different status.
3
Other comments:
Nicolas Sendrier, with Daniel Augot as vice-leader, replaced Pascale Charpin as scientificleader in 2002.
2 Work progress
2.1 Keywords
Cryptography, Symmetric cryptography, Asymmetric cryptography, Cryptanalysis, Alge-braic coding theory, Iterative decoding, Discrete mathematics, Boolean functions, Coderecognition
2.2 Context and overall goal of the project
The research work of the team project CODES is mostly devoted to the design and analysisof cryptographic algorithms through the study of the discrete structures that they involve.
Our multiple competences in mathematics and algorithmics have allowed us to addressa large variety of problems related to information protection. Most of our work mixfundamental aspects (study of mathematical objects) and practical aspects (cryptanalysis,design of algorithms, implementations).
Our application domains are mainly cryptography, error correcting codes and coderecognition (“electronic war”). Even though these domains may appear different, our ap-proach is unified. For instance, decoding techniques are used to design new error correctingcodes, but also new cryptanalysis. Code recognition (that is recognizing an unknown cod-ing scheme from a sample), is very similar to stream cipher cryptanalysis. . .
Our research is driven by the belief that discrete mathematics and algorithmics offinite structure form the scientific core of (algorithmic) data protection. We think thatour past results justify this approach and we feel that, with the evolution of cryptographicresearch, more and more researchers will follow this path.
Our purpose is not to present more evidence that algebraic coding theory or discretemathematics can be “applied to” cryptography, but to convince that these fields belong thethe scientific foundations of cryptography or more generally data protection techniques.
2.3 Objectives for the evaluation period
The three objectives given in March 2002 were (in French)
1. Analyse formelle de la securite des systemes a clef secrete ;
2. Systemes a clef publique fondes sur les codes ;
3. Cryptanalyse : exploitation de nouvelles techniques de decodage, resolution dessystemes algebriques.
There has been some minor changes with the actual work during the period, mainly:
• The third objective is more oriented towards decoding. In March 2002, Jean-PierreTillich had a temporary CR1 position (on leave from University Paris 11). Hisrecruitment on a permanent position, and the opportunity to work with FranceTelecom on iterative decoding has increased the importance of error correcting codesas an application domain for our work.
4
• A new topic has appeared through our collaboration with DGA, and Mathieu Cluzeau’sthesis: electronic war. Fundamentally, this domain uses cryptographic tools and evencryptographic results. This allowed us to easily include Mathieu’s contributions inthe symmetric crypto and in the decoding subsections (objectives 1 and 3).
2.4 Security analysis of symmetric cryptosystems
2.4.1 Personnel
- Anne Canteaut, DR INRIA,- Pascale Charpin, DR INRIA,- Avishek Adhikari (Post-doc),- Mathieu Cluzeau (PhD),- Frederic Didier (PhD),- Yann Laigle-Chapuy (PhD),- Cedric Lauradoux (PhD),- Marine Minier (“Ingenieur Expert”),- Maria Naya Plasencia (PhD),- Enes Pasalic (Post-doc),- Marion Videau (PhD),- Claude Carlet (external collaborator, Prof. Univ. Paris 8).
2.4.2 Project-team positioning
From outside, it might appear that symmetric techniques become obsolete after the in-vention of public-key cryptography in the mid 1970’s. However, they are still widely usedbecause they are the only ones that can achieve some major functionalities as high-speedor low-cost encryption, fast authentication, and efficient hashing. Today, we find symmet-ric algorithms in GSM mobile phones, in credit cards, in WLAN connections. Symmetriccryptology is a very active research area which is stimulated by a pressing industrial de-mand for low-cost implementations (in terms of power consumption, gate complexity...).
Research in symmetric cryptography is obviously characterized by a sequence of de-fenses and attacks. But, each new dedicated attack against a given cryptosystem must beformalized, its scope must be analyzed and the structural properties which make it feasiblemust be highlighted. This approach is the only one which can lead to new design criteriaand to the constructions of building blocks which guarantee to a provable resistance to theknown attacks. However, such an analysis yields a practical system only if it includes theimplementation requirements arising from the applications. Therefore, our work considersall aspects of the field, from the practical ones (new attacks, concrete specifications ofnew systems) to the most theoretical ones (study of the algebraic structure of underlyingmathematical objects, definition of optimal objects). But, our purpose is to study theseaspects not separately but as several sides of the same domain. This joint approach of thedifferent aspects of symmetric cryptography is quite peculiar to our work.
Several research teams are working in symmetric cryptography (see e.g. Fast Soft-ware Encryption which is an annual conference dedicated to symmetric encryption). Themain peer or competitor groups are: Univ. of Bergen (T. Helleseth); France TelecomR& D (H. Gilbert, M. Robshaw); Lund University (T. Johansson); Ecole PolytechniqueFederale de Lausanne (S. Vaudenay); Technion Haifa, Israel (E. Biham); Nokia (K. Ny-berg); Katholieke University of Leuven (B. Preneel); University of Graz (V. Rijmen, E.Oswald). Some other groups specialized in one of the aspects must also be mentioned, e.g.
5
• cryptanalysis: Univ. of Versailles (A. Joux); Royal Holloway University of London(C. Cid, S. Murphy);
• theoretical study of some building blocks: University of Waterloo (G. Gong); ISICalcutta India (B. Roy and S. Maitra);
• implementation aspects: Universite Catholique de Louvain (J.-J. Quisquater); BochumUniversity (C. Paar).
2.4.3 Scientific achievements
Cryptanalysis. We have presented new cryptanalytic techniques on several symmetricprimitives. For block ciphers, A. Canteaut and M. Videau have proposed a new generalhigher-order differential attack which applies to any block cipher whose S-boxes have alltheir Walsh coefficients divisible by a high power of 2 [82]. A major issue raised by thisattack is that the involved property characterizes the S-boxes which provide an optimalresistance to both differential and linear attacks [29]. It stresses the following paradox: inorder to guarantee a provable resistance to the known attacks and to achieve extremelygood performances, a symmetric cipher must use very particular building blocks, whosealgebraic structures may introduce unintended weaknesses. M. Minier has also presentedsome attacks on other block ciphers, e.g. on FOX [176] and on reduced version of theAES [104].
In the last few years, with the eSTREAM project, our cryptanalytic effort has focusedon stream ciphers. We have first investigated the recent algebraic attacks, which are animportant breakthrough especially in the cryptanalysis of stream ciphers based on linearfeedback shift registers. Several results have been presented, concerning many differentaspects of these attacks: formalization of algebraic attacks [103, 131], algebraic attacks onsome particular ciphers [78], new algorithms for computing the algebraic immunity of afunction [93, 36, 92], existence and constructions of functions with a high algebraic immu-nity [143, 140]. We have also presented several algorithmic improvements for correlationattacks on stream ciphers [136, 80]. Some of these results exploit several ideas coming fromiterative decoding for improving the existing attacks, and they are detailed in MathieuCluzeau’s PhD thesis even if his work has been presented in a different practical context:the reconstruction of a linear scrambler from the knowledge of an intercepted output [151].
A last type of attacks investigated in the project are the cache attacks which exploitthe power consumption or the timing variations induced by the memory accesses to lookuptables, especially to S-boxes, during the encryption process [96, 228, 206].
Cryptographic properties and construction of appropriate building blocks.The construction of building blocks which guarantee a high resistance to the known at-tacks is a major topic in our project, both for stream ciphers and for block ciphers. Thiswork involves fundamental aspects related to discrete mathematics and implementationaspects. Actually, characterizing the structures of the building blocks which are optimalregarding to some attacks is very important for finding appropriate constructions and alsofor determining whether the underlying structure induces some weaknesses or not.
For these reasons, we have investigated several families of filtering functions and ofS-boxes which are well-suited for their cryptographic properties or for their implementa-tion characteristics. For instance, bent functions, which are the Boolean functions whichachieve the highest possible nonlinearity, have been extensively studied in order to providesome elements for a classification, or to adapt these functions to practical cryptographicconstructions [28, 30, 41, 44, 134, 150]. We have also been interested in APN functions,
6
which are the S-boxes ensuring an optimal resistance to differential cryptanalysis. Animportant open problem is to find APN permutations depending on an even number ofvariables. In this context, we have proved that some families of functions do not containany APN mapping [23]. On the other hand, some APN and AB functions which are notequivalent to power functions have been exhibited for the first time in [126]. P. Charpin,T. Helleseth and V. Zinoviev have also extensively studied the differential properties of theAES S-box, i.e. the inverse function, which is the power permutation of an even numberof variables offering the best resistance to differential cryptanalysis. More generally, allthese works on S-boxes highlight the importance of finding new classes of permutationpolynomials. This is the subject of Y. Laigle-Chapuy’s PhD thesis and his first results inthat direction have been published in [60].
A. Canteaut and M. Videau have investigated the cryptographic properties of the classof symmetric functions [31]: this class seems quite appropriate for a hardware implemen-tation since it can be realized by a circuit whose number of gates is linear in the numberof input variables. Most notably, this work points out that the balancedness requirementis a very restrictive property for a symmetric function. It also determines the algebraicnormal forms of all n-variable symmetric functions f with almost optimal nonlinearity.
Design of new primitives. The previously described long-term research work in sym-metric cryptographic has also led to concrete realizations since A. Canteaut, C. Lauradouxand M. Minier are co-authors of three new stream cipher proposals which have been sub-mitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. Sosemanuk isone of the fastest and most secure ciphers among the 22 eSTREAM candidates dedicatedto software applications (the first evaluation phase of eSTREAM put it in the “focuscipher” category). DECIM and F-FCSR are hardware-oriented cipher for low-resourceenvironments and have been selected for the next evaluation phase.
2.4.4 Collaborations
• University of Limoges on stream ciphers (F-FCSR) and on APN functions [23];
• University of Bergen;
• the SOSEMANUK and DECIM stream ciphers have been co-designed with allother French groups working in symmetric cryptography in the context of the RNRTproject X-CRYPT.
2.4.5 External support
• ACI Cryptology CRAC and CRAC2;
• RNRT X-CRYPT: A. Canteaut is the leader of the stream cipher working group;
• IST NoE ECRYPT: A. Canteaut is the leader of the working group on Strategic Re-search on Symmetric Cryptography [232, 233], and we also participate to the workinggroup on stream ciphers and on AES evaluation [228];
• Several industrial contracts: with Canal+ Technologies, with CELAR.
7
2.4.6 Self assessment
Thanks to our work during the last years, our team has become one of the leading groups insymmetric cryptography. This position is illustrated by our involvement in the EuropeanNetwork of excellence ECRYPT for instance.
We do not plan to significantly modify our scientific approach. Actually, the cryptan-alytic effort must continue especially for evaluating the different ciphers submitted to theeSTREAM project. Some further fundamental works on the structural properties of thebuilding blocks are still needed, since we are far from being able to design provably securesymmetric ciphers with good implementation properties.
A major aspect which has been identified in the last period and which will be the focusof future work is the need for lightweight building blocks (especially for low-cost streamciphers), dedicated to hardware environments where the available resources are heavilyrestricted. Then, we plan to study in detail the implementation properties of severalfamilies of S-boxes and of filtering functions (e.g. rotation-symmetric Boolean functions),in order to identify some new classes of functions which have good properties regardingboth security and implementation.
2.5 Code-based cryptography
2.5.1 Personnel
- Daniel Augot, CR INRIA,- Nicolas Sendrier, DR INRIA,- Pierre Loidreau (external collaborator, Professor, ENSTA),- Matthieu Finiasz (PhD),- Cedric Lauradoux (PhD),- Cedric Faure (PhD).
2.5.2 Project-team positioning
Most popular public key cryptographic schemes rely either on the factorization problem(RSA, Rabin), or on the discrete logarithm problem (Diffie-Hellman, El Gamal, DSA).These systems have evolved and today instead of the classical groups (Z/nZ) we mayuse groups on elliptic curves. They allow a shorter block and key size for the same levelof security. An intensive effort of the research community has been and is still beingconducted to investigate the main aspects of these systems: implementation, theoreticaland practical security.
It must be noted that these systems all rely on algorithmic number theory. As theyare used in most, if not all, applications of public key cryptography today (and it willprobably remain so in the near future), cryptographic applications are thus vulnerable toa single breakthrough in algorithmics or in hardware (a quantum computer can break allthose scheme).
Diversity is a way to dilute that risk, and it is the duty of the cryptographic re-search community to prepare and propose alternatives to the number theoretic based sys-tems. The most serious tracks today are lattices (NTRU,. . . ), multivariate cryptography(HFE,. . . ) and code-based cryptography (McEliece encryption scheme,. . . ).
We have been investigating in details the latter field. The first cryptosystem based onerror-correcting codes was a public key encryption scheme proposed by Bob McEliece in1978, a dual variant was proposed in 1986 by Harald Niederreiter. We proposed the first(and only) digital signature scheme in 2001. Those systems enjoy very interesting features(fast encryption/decryption, short signature, good security reduction) but also have their
8
drawbacks (large public key, encryption overhead, expensive signature generation). Someof the main issues in this field are
• implementation and practicality of existing solutions,
• reducing the key size, by using rank metric instead of Hamming metric, or by usingparticular families of codes,
• trying new hard problems, like decoding Reed-Solomon codes above the list-decodingradius,
• address new functionalities, like hashing or symmetric key encryption.
Some groups and researchers involved: XLIM Limoges (T. Berger, P. Gaborit), FTR&D (M. Girault), Technische Universitat Darmstadt (U. Vollmer, R. Overbeck), K.Kobara (Imai Laboratory).
2.5.3 Scientific achievements
The class of McEliece like cryptosystems. The original McEliece cryptosystemremains unbroken. Nicolas Sendrier has proved [70, 19] that its security is provably reducedto two problems, conjectured to be hard, of coding theory:
• hardness of decoding in a random binary code, in the average case
• pseudorandomness of Goppa codes
This result also applies to Niederreiter’s scheme and a similar result was already knownfor the digital signature scheme1. The reduction is not a guaranty of security, but we knowthat a significant improvement on one of the above problem must occur before the systemis seriously threatened.
Another important work in the period was on the implementation aspects. One of themost promising code-based cryptosystem is the digital signature scheme: with 80 bits,its produces the shortest known digital signatures (without compromising the securitylevel). The drawback is that signing a document required more than one minute on astandard PC. A work in collaboration with ENS Lyon (ARENAIRE) and the LIRMMwas initiated, and funded through the ACI OCAM. This resulted in an improved softwareversion (about 10 seconds) and a fast FPGA implementation in less than one second (ona low cost FPGA).
Various aspects of implementation where also considered throughout the period, see[185] for instance, where the problem of fast encoding of words with constant Hammingweight (required in Niederreiter’s encryption scheme) is addressed. In practice this encod-ing is the most expensive part of Niederreiter’s encryption and we obtain a speedup factorof 8 (33 Mbit/s instead of 4 Mbits/s).
Cryptosystems based on decoding the rank metric. This family of cryptosystemsis roughly based on the same principle as the McEliece cryptosystem, except that themetric in use is the rank metric 2. This allows taking public-keys of a much smaller sizethan for McEliece cryptosystem, typically between ten and twenty times smaller.
1N. Courtois, M. Finiasz and N. Sendrier, How to achieve a McEliece-based digital signature scheme,ASIACRYPT 2001
2E. Gabidulin, A. Paramonov and O. Tretjakov, Ideals over a non-commutative ring and their applica-tion to cryptology, EUROCRYPT’91
9
Pierre Loidreau and Thierry Berger have been working on new variants of this sys-tem [120, 24] which also considered the possibility of achieving non-malleability. PierreLoidreau also worked on the structure of some families of sub-codes of Gabidulin’s codes[159, 160] and their application to cryptography. He also designed the first decoding algo-rithm of Gabidulin’s codes in quadratic time (previous ones were cubic) [61, 102]. Finally,he designed and studied with Cedric Faure [94] a rank metric equivalent of Augot/FiniaszPR based encryption scheme (see next paragraph).
Cryptographic hardness of Reed-Solomon decoding. The Polynomial Reconstruc-tion problem (PR) considered by Naor and Pinkas 1999 then Kiayias and Yung in 2002states that decoding more than a certain number of errors in a Reed-Solomon code is dif-ficult. Daniel Augot and Matthieu Finiasz have designed an encryption scheme based onthis problem [75]. This system possesses the efficiency of code-based systems and enjoys amuch shorter public key. Unfortunately, as pointed out by Coron3, if the message securityreduces to a difficult problem, the key security was not good enough.
Interestingly, though it was broken, this cryptosystem raised a lot of interest. Thenew cryptographic function that was exhibited did not allow the design of an encryptionscheme, because the trapdoor (for decryption) could not be securely concealed. However,diversity is among the important concerns of cryptographic research. Proposing newprimitives, with different features, might be of interest for future needs.
Other cryptographic functionalities with codes. At the beginning of the period,our interest for code-based cryptology was aimed towards public-key cryptography. Speedis among of the most interesting features, if we examine Niederreiter’s encryption scheme,the encryption consists in computing a syndrome, that adding bitwise t out of n vectors oflength r (t is few tens, r a few hundreds and n a few thousands). Syndrome computationis one-way and very fast, comparable in speed with one-way functions used, for instancein hash functions. Moreover, because there is an underlying difficult algorithmic problem,there is a security reduction. After several adjustments, a first version of this work waspublished [114, 76].
2.5.4 Collaborations
• ARENAIRE (LIP, Ens Lyon) and LIRMM, hardware implementation of a code-basedsignature scheme
2.5.5 External support
• ACI OCAM
• RNRT XCRYPT
• IST NoE ECRYPT
2.5.6 Self assessment
Public-key cryptosystems providing alternative to number theory and efficient primitiveswith security reduction (sometimes referred to as “provably secure”) are certainly major
3Jean-Sebastien Coron, Cryptanalysis of a public-key encryption scheme based on the polynomial recon-struction problem, IACR eprint archive 2003/036
10
issues for tomorrow’s cryptography. Code-based cryptography provides interesting ques-tions for both issues. The project CODES has an old and important experience in thatfield. We have been able to propose new promising and interesting cryptographic schemes.
It will take years to fully understand all aspects of the problem. The security reductionstatement uses two algorithmic problems that are conjectured to be hard. Just like RSA,more mathematical work is needed to assess the difficulty of those problems. In themeantime, a necessary work is to implement the McEliece cryptosystem, surprisingly nofast public implementation exists. We hope to provide the first such implementationthrough eBATS, the ECRYPT benchmarking of asymmetric systems. Recent advances inhash functions have created new needs. The NIST has announced a competition for hashfunctions similar to the AES call, our intention is to be ready to propose code-based hashfunctions to that call.
2.6 Decoding techniques, algebraic systems solving and applications
2.6.1 Personnel
- Daniel Augot, CR INRIA,- Jean-Pierre Tillich, CR INRIA,- Magali Bardet (PhD),- Emmanuel Cadic (Post-doc.),- Thomas Camara (PhD),- Mathieu Cluzeau (PhD),- Frederic Didier (PhD),- Harold Ollivier (PhD),- Gregory Olocco (PhD),- Michael Quisquater (Post-doc.),- Cedric Tavernier (PhD).
2.6.2 Project-team positioning
The announced objective in 2002 which was “ applications of new decoding algorithms;resolution of algebraic systems ” has evolved with the arrival of Jean-Pierre Tillich. It haslaid more stress on probabilistic decoding algorithms and applications in error correcting.We are focusing now on studying or on improving various decoding algorithms which areeither algebraic or probabilistic in nature, not only for cryptographic purposes but also forcoding theory by itself. We have also strengthened our ties with the INRIA project-teamSALSA (formerly SPACES) with the co-direction of Magali Bardet’s thesis and during theACI POLYCRYPT.
Research on decoding algorithms is one of the most active area in coding theory, bethey of algebraic or probabilistic nature. These algorithms have found areas of applicationsoutside the sole scope of error-correcting codes: complexity theory, theoretical computerscience and cryptology among others. We are mainly interested in cryptographic appli-cations of these algorithms: for example in fast correlation attacks on stream ciphersinvolving iterative decoding algorithms, or for the approximation of the output bits of theintermediate rounds of block ciphers. We have also found a new domain of application foriterative decoding algorithms, namely quantum error correcting codes for which we haveshown that some of them can be decoded successfully with these algorithms. Moreover,the tools we had to investigate, for instance, the Grobner bases techniques in the problemof decoding general cyclic codes, enabled us to study also algebraic attacks on cryptosys-tems. We also mention that we still study more traditional aspects of coding theory by
11
searching for codes with good decoding performances for instance.Peer or competitor groups in:
• decoding with Grobner bases: Universita di Genova (T. Mora), University of CollegeCork (P. Fitzpatrick),
• cryptanalysis with Grobner bases: FT R&D Issy les Moulineaux (H. Gilbert), Infor-mation Security Group Royal Holloway (C. Cid), Information-technology PromotionAgency, Japan Cryptography Research and Evaluation Group IT (M. Sugita),
• cryptanalysis with decoding algorithms: University of Bergen (T. Helleseth), Uni-versity of Lund (T. Johansson), University of Hawai (M. Fossorier), MathematicalInstitute of the Serbian Academy of Sciences and Arts (M. Mihaljevic),
• constructing good families of codes suitable for iterative decoding: City Universityof Hong-Kong (L. Ping), Ecole Polytechnique Federale de Lausanne (R. Urbanke),ENSEA (D. Declerq), ENST Bretagne (C. Berrou), ENST Paris (G. Boutros), Flar-ion Technologies (T. Richardson), University of California (S. Lin), University ofHawai (M. Fossorier),
• quantum error correcting codes: California Institute of Technology (J. Preskill),MIT (P. Shor), Perimeter Institute (D. Gottesman), University of Cambridge (D.MacKay).
2.6.3 Scientific achievements
Decoding algorithms and cryptanalysis. The first family of codes what we havestudied in detail is the family of Reed-Muller codes. Being able to decode efficientlymembers of this family on various channels is very helpful for cryptanalysis: the decodingof first order Reed-Muller codes on the binary symmetric channel is a useful task for linearcryptanalysis whereas decoding general Reed-Muller codes on the erasure channel can beused in algebraic attacks of ciphers. In particular in his thesis [20], Cedric Tavernierfound new (local) decoding algorithms for first order Reed-Muller codes over the binarysymmetric channel, which improve upon the Goldreich-Rubinfeld-Sudan algorithm. Heimplemented them for finding approximations of the outputs of several rounds of the DES.This way he found, using his software, not only the linear equations found by Matsui in hisfamous linear cryptanalysis of the DES, but also several other equations with biases of thesame order as Matsui’s ones. On the other hand, Frederic Didier and Jean-Pierre Tillichhave focused on decoding Reed-Muller codes efficiently on the erasure channel. They haveproposed various decoding algorithms whose complexity is sometimes linear and in generalat most quadratic in the code dimension. These algorithms have been implemented, havelead to several decoding records and can be used to determine the algebraic immunity ofBoolean functions against algebraic attacks [53, 92, 93].
Solving algebraic systems and applications. From the algebraic systems pointof view, SALSA, in collaboration with CODES, performed the cryptanalysis of the HFEcryptosystems (Hidden Field Equations), performed by Faugere by a computation of a fewdays 4. It was followed by the thesis of Magali Bardet [10] which covers theoretical aspectsof the HFE cryptanalysis (why it was feasible), and also the decoding of cyclic codes withGrobner bases: it was demonstrated that it is possible to find decoding formulas for allcyclic codes, by a Grobner basis off-line computation. But, from the efficiency point of
4Jean-Charles Faugere, Antoine Joux: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryp-tosystems Using Grobner Bases. CRYPTO 2003
12
view, it was found that it is better to perform an on-line Grobner bases computation, whosecost is reasonable. This enables to decode any cyclic codes, up to their true minimumdistance [111, 10].
Coding theory. Concerning the part of our work devoted to error-correcting codes, wehave focused on codes which have good iterative decoding algorithms. This kind of codeshas by now probably become the most popular coding scheme due to their exceptionalperformances at a reasonable algorithmic cost. We have in particular studied families ofcodes which are in a sense intermediate between turbo-codes and LDPC codes, and havefound several instances of this family covering a large range of rates which are among thebest known for a large range of target error probabilities after decoding [192, 108, 109].This work has been supported by France Telecom.
The knowledge we have acquired in iterative decoding techniques has also lead to studywhether or not the very same techniques could also be used to decode quantum codes.Part of the ACI project “RQ” in which we were involved is about this topic. Noticethat protecting quantum information from external noise is an issue of paramount impor-tance for building a quantum computer. It also worthwhile to notice that all quantumerror-correcting code schemes proposed up to now suffer from the very same problem thatthe first (classical) error-correcting codes had: there are constructions of good quantumcodes, but for the best of them it is not known how to decode them in polynomial time.Our approach for overcoming this problem has been to study whether or not the familyof turbo-codes and LDPC codes (and the associated iterative decoding algorithms) havea quantum counterpart. We have shown that the classical iterative decoding algorithmscan be generalized to the quantum setting and have come up with some families of quan-tum LDPC codes and quantum serial turbo-codes with rather good performances underiterative decoding [67, 127, 178, 68].
Let us also mention that Mathieu Cluzeau in his PhD thesis also uses iterative decodingtechniques in a completely different setting: namely in the problem of reconstructing anLDPC code from an noisy sequence encoded in an unknown way.
Finally, another important result related to decoding, the coset distribution of someBCH codes, was proven by Charpin, Helleseth and Zinoviev [49]. It answered to an oldresearch problem stated in the 70s.
2.6.4 Collaborations
CODES has a strong relationship with SALSA in the area of multivariate polynomialsolving, for application in coding and cryptography. We have also developed a goodrelationship with France Telecom by working together on families of codes suitable foriterative decoding [108, 109]. We also enjoy a long lasting relationship with people workingin cryptography and coding at the ENST Paris (G. Cohen, G. Zemor) and with J. Friedmanat the University of British Columbia [193, 73, 194, 56, 57, 55].
2.6.5 External support
• For polynomial equations and cryptography: ACI POLYCRYPT (headed by SPACES,in which CODES was partner), ACI ACCESS.
• For applications of error-correcting codes to cryptology: ACI ACSION.
• For constructing good families of codes for iterative decoding: several industrialcontracts with France Telecom.
• For protecting quantum information against external noise: ACI RQ.
13
2.6.6 Self assessment
One strong point is the collaboration with SALSA, which has the expertise on the mostefficient algorithms for Grobner bases, both for the implementation and the analysis. Weplan to follow up this collaboration to describe and analyze some points of the algorithmof Guruswami-Sudan in terms of Grobner bases theory.
One of the objectives presented at the previous evaluation was to use Sudan andGuruswami-Sudan algorithms for performing (univariate) interpolation attacks. Thisfailed: this approach succeeded, as demonstrated by Justesen, for the cryptanalysis ofthe Knudsen-Nyberg cryptosystems, which is described in terms of univariate polynomi-als. But in general it appears that even approximating a block cipher by a univariatepolynomial of moderate degree may be impossible. This topic will not be continued.
Concerning our work about quantum codes, we plan to strengthen our ties with thecommunity in physics which is probably the most active one working on quantum error-correcting codes. Right now, we are working together with David Poulin in the Institutefor Quantum Information at Caltech about quantum serial turbo-codes.
3 Knowledge dissemination
3.1 Publications
2002 2003 2004 2005 2006PhD Thesis 1 5 3 1H.D.R (*) 1 1Journal 5 8 11 17 11Conference proceedings (**) 5 7 8 6 8Book chapter 4 1Book (written) 1Book (edited) 1 1 1PatentTechnical reportDeliverable 1 4 5 3
(*) HDR Habilitation a diriger des Recherches(**) Conference with a program committee (LNCS type articles)
Indicate the major journals in the field and, for each, indicate the number of paperscoauthored by members of the project-team that have been accepted during the evaluationperiod.
1. IEEE Transactions on Information Theory
13 papers
2. Design, Codes and Cryptography
6 papers
3. Finite Fields and their Applications
4 papers
4. Journal of Combinatorial Theory
5 papers
14
Indicate the major conferences in the field and, for each, indicate the number of paperscoauthored by members of the project-team that have been accepted during the evaluationperiod.
1. IEEE Symposium on Information Theory
34 contributions
2. IACR conferences (CRYPTO, EUROCRYPT, ASIACRYPT, FSE)
10 contributions
3. International Workshop on Coding and Cryptography (WCC)
7 contributions (2 editions only in the period)
4. Indocrypt
6 contributions
3.2 Software
Anne Canteaut, Cedric Lauradoux and Marine Minier are co-authors of three new streamcipher proposals which have been submitted to the eSTREAM project: Sosemanuk,DECIM and F-FCSR. These three ciphers have been implemented in software and thecorresponding implementations are available on http://www.ecrypt.eu.org/stream/.
Since Sosemanuk is a software-oriented stream cipher aiming at a high throughput,some optimized implementations have been developed. Actually, Sosemanuk is one of thefastest and most secure ciphers among the 22 eSTREAM candidates dedicated to softwareapplications.
Decim and F-FCSR are dedicated to hardware environments where the available re-sources such as gate complexity and power might be heavily restricted. A VHDL imple-mentation of both ciphers has been realized by Cedric Lauradoux.
3.2.1 Valorization and technology transfer
cf. §4 External Funding.
3.3 Teaching
Daniel Augot: Error-correcting codes, symbolic computing and applications to cryptogra-phy in Master Recherche 2, Master Parisien de Recherche en Informatique (MPRI),University Paris 7, ENS Paris, ENS Cachan and Ecole Polytechnique, 15 hours.
Daniel Augot: Introduction to cryptography in Master Recherche 2 ”Science Informa-tique”, University of Marne-la-Vallee, 9 hours.
Jean-Pierre Tillich: Error-correcting codes, symbolic computing and applications to cryp-tography in Master Recherche 2, Master Parisien de Recherche en Informatique(MPRI), Universite Paris 7, ENS Paris, ENS Cachan et Ecole Polytechnique, 15hours.
Jean-Pierre Tillich: Error-correcting codes, Institut Superieur d’Electronique de Paris(ISEP), 3rd year of engineering school, 10 hours, since 2004.
Jean-Pierre Tillich: Quantum codes in Master 2, ENST Paris, 6 hours, since 2006.
15
Anne Canteaut: C programming for cryptography, Master Pro 2 “Information security”and Master Recherche 2 “Cryptography and Coding” University of Limoges, 60heures, until 2006.
Nicolas Sendrier is ”professeur charge de cours” in Computer Science at Ecole Poly-technique Palaiseau. He is teaching Theoretical Computer Science and InformationTheory, 80-100 hours.
During the last 4 years, we hosted 23 intern students, including 10 “Master Recherche”students.
Most of the Ph.D. students in the team are associated either with the doctoral programof the University Pierre and Marie Curie (Paris 6) or with the doctoral program of EcolePolytechnique Palaiseau.
3.4 Visibility
Publishing activities.
• IEEE Transactions on Information Theory, associate editors: Anne Canteaut forCryptography and Complexity 2005-2008; Claude Carlet for Coding theory 2003-2005.
• IEEE Transactions on Computers, associate editor: Pascale Charpin for Codingtheory, 2000-2004.
• Designs, Codes and Cryptography, associate editor: Pascale Charpin, since 2003.
• Journal of Symbolic Computation, Special Issue on Grobner Bases Techniques inCryptography and Coding Theory (2007), D. Augot guest editor.
• Pascale Charpin is associate editor for the Encyclopedia of Information securitypublished by Springer in 2005. Anne Canteaut, Claude Carlet and Pascale Charpinare authors of most entries related to stream ciphers and Boolean functions; NicolasSendrier is the author of the entry on McEliece public-key cryptosystem.
Program commitees
• ISIT (IEEE International Symposium on Information Theory): 2006 (G. Kabatian-ski), 2007 (A. Canteaut, C. Carlet);
• EUROCRYPT: 2007 (A. Canteaut);
• CRYPTO: 2004 (A. Canteaut);
• ASIACRYPT: 2005 (N. Sendrier);
• Fast Software Encryption (FSE): 2003 (A. Canteaut), 2004 (C. Carlet), 2005 (A.Canteaut), 2006 (A. Canteaut);
• Indocrypt: 2003 (A. Canteaut), 2004 (A. Canteaut, program chair), 2005 (F. Levy-dit-Vehel), 2006 (A. Canteaut, C. Carlet, N. Sendrier);
• SETA (International conference on sequences and their applications): 2004 (C. Car-let), 2006 (A. Canteaut, C. Carlet);
16
• Workshop on Coding Theory and Cryptography (WCC): 2003 (D. Augot, C. Carlet;P. Charpin and G. Kabatianski program co-chairs), 2005 (D. Augot, P. Charpinprogram co-chair, C. Carlet, N. Sendrier);
• ACCT (International Workshop on Algebraic and Combinatorial Coding Theory):2006 (G. Kabatianski, program chair);
• ICETE (International Joint Conference on E-business and Telecommunications):2006 (P. Charpin);
• International Conference on Polynomial System Solving: 2004 (D. Augot);
• ITW (IEEE Information Theory Workshop: 2003 (A. Canteaut, N. Sendrier);
• AAECC (Applied Algebra, Algebraic algorithms and Error-correcting codes): 2003(C. Carlet);
• Finite Fields: 2003 (C. Carlet);
• YACC (Yet Another Conference on Cryptography): 2002 (A. Canteaut), 2004 (A.Canteaut), 2006 (C. Carlet);
• WEWoRC (Western European Workshop on Research in Cryptology): 2005 (A.Canteaut, N. Sendrier)
• SASC (State of the Art in Stream ciphers, eSTREAM workshop): 2006 (A. Canteaut,program chair);
• SKEW (ECRYPT Symmetric Key Encryption Workshop), Aarhus, Denmark, 2005(A. Canteaut);
• Joint BeNeLuxFra Conference in Mathematics (joint meeting of the Belgian, Dutch,Luxembourg and French mathematical societies), Gand, Belgique, 2005 (A. Can-teaut);
• BFCA (Workshop on Boolean functions): 2005 (C. Carlet)
Organization of conferences.
• All members of Codes are involved in the organization of the Workshop on CodingTheory and Cryptography (WCC) which has been held at INRIA in 2003 and 2007(the 2005 workshop has been hosted by Bergen University in Norway and P. Charpinwas program co-chair): 2003 (P. Loidreau, general chair), 2007 (A. Canteaut andP. Charpin, general co-chairs). This workshop aims at bringing together researchersin all aspects of coding theory, cryptography and related areas. The 2003 workshophad around 150 attendees. A selection of revised papers presented at WCC 2003has been published in a special issue in Coding and Cryptography of Discrete AppliedMathematics (P. Charpin and G. Kabatianski editors);
• ECRYPT Workshop on Provable Security, Rocquencourt, 2004 (N. Sendrier);
• Members of other organization commitees: FSE 2005 (P. Loidreau, F. Levy-dit-Vehel); Indocrypt 2004 (Cedric Lauradoux).
17
Other responsibilities in the national community.
• Scientific committee of the national research program on Security and ComputerScience, ACI-Securite et Informatique: P. Charpin (2003-07);
• Scientific committee of the national research program ”appels a projets non thematiques”in computer science of the National Agency for Research (ANR): 2005 (P. Charpin);
• Scientific committee of the national research program SetIn (Security and ComputerScience) of the National Agency for Research (ANR): 2006 (A. Canteaut);
• GDR Computer Science - Mathematics (IM): Claude Carlet is in charge of the groupCoding and Cryptography;
• Pascale Charpin is an external expert for the Delegation Generale pour l’Armement(DGA);
• “Commission de specialistes” (Committees for the selection of professors and assis-tant professors): University Paris 8 (C. Carlet, J-P. Tillich), University of Limoges(A. Canteaut, P. Charpin, C. Carlet), Ecole Normale Superieure Paris (J-P. Tillich);
• Pascale Charpin was a member of the committee for the selection of CR2 at INRIA-Rocquencourt (2006);
• Anne Canteaut is a member of the “Comite de Suivi Doctoral” of INRIA-Rocquencourtsince 2004.
Other responsabilities in the international community.
• Anne Canteaut is a member of the steering committee of the eSTREAM projecthttp://www.ecrypt.eu.org/stream/;
• Number of HDR and PhD jury in 2002-2006: 53.
• Number of invited talks: 21
18
4 External Funding
(k euros) 2002 2003 2004 2005 2006National initiativesACI CRAC 25.4 16.9ACI ACCESS 19.7 19.7 9.8ACI CRAC2 7.0 21.1 21.1 14.1ACI RQ 6.9 13.9 13.9 6.9ACI UNIHAVEGE 1.0 6.5 6.5 5.4ACI OCAM 2.8 8.6 8.6 5.7ACI ACSION 3.1 9.4 9.4ACI SERAC 3.2 9.7 9.7ACI ASPHALES 4.4 6.6 6.6RNRT DIPHONET 12.5 12.5 9.4RNRT X-CRYPT 58.5 58.5 58.5European projectsIST NoE ECRYPT 61.7 29.3 29.3ECONET 14.6 14.6Industrial contractsContract Canal+ 14.6 14.6Contract FT R&D 1 6.3 25.3 6.3Contract Banque de France 10.0Contract FT R&D 2 23.8ScholarshipsPhD * 242.2 277.9 306.4 235.1 256.5Post-doc. * 25.3 3.2 44.4 31.7AI+ODL#Other fundingConvention DGA 6.6 6.6Contract DGA-CELAR 5.5Total 321.8 412.3 534.4 457.4 449.5
† INRIA Cooperative Research Initiatives‡ Large-scale Initiative Actions∗ other than those supported by one of the above projects
estimation based on INRIA scholarship rate (28.5 keuros / year for PhD, 38.0 keuros/ year for Post-doc.)+ junior engineer supported by INRIA# engineer supported by INRIA
ARCs
None.
National initiatives
ACI CRAC (08/00 → 08/03) This funding was given to project-team CODES, underthe topic “support of teams of excellence”, to sustain our research in cryptology.
19
Most of our research topics in cryptology fitted in this ACI: public-key cryptography,secret-key cryptography, fundamentals and mathematics of cryptology.
ACI ACCES (05/01 → 05/04) One topic here was to investigate the so-called multi-variate cryptography. Several cryptographic primitives were previously proposed byPatarin et al, and the partners found many attacks on these primitives. Anothertheme was to study and develop cryptographic schemes relying on error correctingcodes.
Funding was done through INRIA.
Partners: only ENSTA, since it was an “action de cristallisation” aiming at promot-ing a new team.
ACI CRAC2 (08/02 → 08/05) Same kind of funding as CRAC: support to teams ofexcellence.
ACI RQ (07/03 → 07/06) One of the goals of this project is to propose quantum codesfor protecting quantum information against external noise. It has lead us to findquantum analogues for LDPC codes, convolutional codes and serial turbo-codes.
Partners: Universite Paris XI.
ACI UNIHAVEGE (11/03 → 11/06) The goal of UNIHAVEGE was to test and extendthe random number generator HAVEGE (Hardware Volatile Entropy Gathering andExpansion) designed by Andre Seznec and Nicolas Sendrier. During the last threeyears, no weaknesses were found. HAVEGE has been integrated to Linux Kernelthrough a module
Partner: IRISA team CAPS (Andre Seznec and Olivier Rochecouste)
ACI OCAM (07/03 → 12/06) The primary goal of the project is to produce an FPGAimplementation of a digital signature algorithm based on coding theory. This algo-rithm produces the shortest known signature but is very slow in software. Additionalgoals are to consider other code-based cryptosystems and their hardware implemen-tation, with a particular focus on finite fields arithmetic.
Partners: ARENAIRE project-team, LIRMM (Montpellier).
ACI ACSION (09/04 → 09/07) New applications of error correcting codes to informa-tion security. The project studies the impact of certain error-correcting tools forcryptographic purposes, more specifically:- attacks on ciphers making use of decoding techniques are investigated,- authentication and biometric schemes based on error-correcting codes are devel-oped.
Partners: ENST, Universite Paris VIII.
ACI SERAC (09/04 → 09/07) Security for Wireless Ad Hoc Networks. This coversseveral aspects of security: first the problem of securing the routing process itself, likeOLSR; then the problem of developing more high level security primitives, which stillhave to be secured even in presence of network failures typical of Ad Hoc networks.
Partners: USTL (Lille), INRIA (CODES, TANC and HIPERCOM) and GET (ENST).
ACI ASPHALES (05/04 → 05/07) Interactions between computer security and legalsecurity for the progress of regulations in the Information Society.
20
The aim of this multi-disciplinary project is to have a scientific reading of the Frenchlegal texts related to computer and network security. One main concern is to discussthe laws which concern the notion of proof, probative value and also to convervationof numerical documents. Anne Canteaut and Marion Videau have provided a sci-entific view of many laws on these topics. This project has also some consequenceson cryptographic protocols, since the legal requirements may differ from classicalcryptographic hypotheses.
Partners: CNRS (labo. CECOJI), Univ. Versailles, Univ. Montpellier, INT, Univ.Lille 2, INRIA.
RNRT DIPHONET (01/02 → 05/04) The aim of this project was to provide intellec-tual property rights protection on images by using watermarking. The cryptographicpart was to provide a protocol which enables an owner of a set of images to provethat an image I ′ found somewhere actually originates from an image I which belongsto him. This protocol led to a patent ENSTA/IRISA/CANON.
Founding was done through INRIA.
Partners: Canon Research France, ENSTA (UMA/ALI), IRISA (Temics, Vista),Supelec (Laboratoire de Signaux et Systemes), Andia presse
RNRT X-CRYPT (12/03 → 12/06) The aim is to conceive cryptographic tools craftedto high speed networks and also wireless networks, which both have high securityand consume few resources. Two stream ciphers have been developed: Sosemanukand Decim.
Partners: Axalto, ENS Ulm, France Telecom, Cryptolog International, Universitede Versailles, INRIA.
European projects
IST NoE ECRYPT (02/04 → 02/08) This a Network of Excellence in research in allthe aspects of cryptology. It has been structured in “virtual labs”. Anne Canteautis leading a working group within the virtual lab on symmetric techniques, andCODES is also involved in the AZTEC virtual lab (new primitives for public keycryptography).
Partners: more than thirty, both academic and industry.
ECONET (02/04 → 12/05) This program, introduced and funded by the French min-istry of foreign affairs is devoted to the development of research relations with EastEuropean countries. Priority is given to the sojourns of young researchers in thelaboratories of the partners.
The action is entitled Discrete Mathematics for coding and information protection.
Partners: Project CODES, INRIA: Pierre Loidreau (leader).Academy of Sciences of Bulgaria (Stefan Dodunekov).Moscow Institute of Physics and Technology (Ernst Gabidulin).St Petersburg State University of Aerospace Instrumentation (Natalia Shekhunova).
Associated teams and other international projects
None.
21
Industrial contracts
Canal+ (09/02 → 05/03) Daniel Augot and Anne Canteaut have done an expert analysisof a block cipher algorithm, which has been designed internally in Canal+, and whichhas been kept secret. This analysis has led to important modifications in the originaldesign.
FT R&D (10/03 → 04/05) The purpose of this contract with France Telecom was topropose a new family of binary codes with very good iterative decoding performancesfor a large range of rates and target error probabilities after decoding. This aim wasattained and was followed by the contract below.
FT R&D (02/06 → 01/08) This is a follow-up of the previous contract, the new aimbeing to explore non-binary codes and completing the range of rates left by theprevious contract.
Banque de France (2004) Banque de France wanted to put some kind of numericalsignature on banknotes. This was a preliminary contract for studying the issueswhich may have occurred when realizing such a solution.
Other funding,
Convention DGA (07/03 → 07/04) Anne Canteaut, Mathieu Cluzeau and NicolasSendrier have done a study, whose aim is to recognize an unknown coding scheme.That is to say, let there be given a bit stream, using for instance in satellite commu-nications, one has to recognize which error correcting coding (but also other partsof the whole coding scheme) has been used, even in the presence of noise.
Contract DGA-CELAR (09/06 → 09/07) The aim of this study is to analyze theefficiency of fast correlation attacks (of stream ciphers) based on iterative decodingalgorithms. The work is to cryptanalyze several challenging stream ciphers, providedby the CELAR, which are weak versions of public domain ciphers. This should leadto a precise analysis of the efficiency of these attacks, and also to variants of theclassical iterative decoding algorithms.
5 Objectives for the next four years
During the evaluation period our research field and our solicitations have naturally evolved.There are new application domains (“electronic war”), new topics coming from new sci-entific interactions (algebraic cryptanalysis, quantum codes). Some more classical topicsrequire new research (hash functions, stream ciphers). Also, with the settlement of AESas the reference block cipher, the research in symmetric cryptography is now more inclinedtowards its foundations.
Our long term and fundamental scientific approach have allowed us to answer to someof those new questions and to address those of new subjects. Our work for the next periodwill keep the same tracks. It will be focused on the following 4 orientations:
1. Symmetric cryptography and discrete mathematics.
Explore and define security criteria. In particular, investigate the theoretical andpractical aspects of the design of symmetric primitives.
22
2. Code-based cryptosystems.
Implementation of public-key scheme. Other functionalities like hashing or streamciphers.
3. Decoding and algorithmics.
Algebraic cryptanalysis. Iterative decoding. Fast algorithms from computer algebra.
4. “Electronic war”.
Driven by applications. Algorithmic aspects of communication schemes recognition.
6 Bibliography of the project-team
6.1 Books and Monographs and book chapters
[1] A. Canteaut. A5/1; Berlekamp-Massey algorithm; Combination generator; Correla-tion attack; Fast correlation attack; Filter generator; Inversion attack; Linear com-plexity; Linear consistency attack; Linear cryptanalysis for stream ciphers; Linearfeedback shift register; Linear syndrome attack; Minimal polynomial; Running-key;Stream cipher. In H.C.A. van Tilborg, editor, Encyclopedia of cryptography andsecurity. Springer, 2005.
[2] A. Canteaut and K. Viswanathan, editors. INDOCRYPT 2004, volume 3348 ofLNCS. Springer-Verlag, 2004.
[3] C. Carlet, editor. Discrete Applied Mathematics, volume 128 (1). Elsevier, May2003. Special issue on Coding and Cryptology.
[4] C. Carlet. Boolean functions; Correlation immune and resilient Boolean functions;Nonlinearity of Boolean functions; Propagation characteristics of Boolean functions.In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer,2005.
[5] P. Charpin. Cyclic codes; Reed-Muller codes. In H.C.A. van Tilborg, editor, Ency-clopedia of cryptography and security. Springer, 2005.
[6] P. Charpin and G. Kabatiansky, editors. Discrete Applied Mathematics, volume 154(2). Elsevier, 2006. Special issue on Coding and Cryptography.
[7] F. Levy dit Vehel. Encyclopedie des systemes d’information, chapter Cryptographie.C. Kichner editeur,Editions Vuibert, 2006. In press.
[8] G. Kabatiansky, E. Krouk, and S. Semenov. Error Correcting Codes and Securityfor Data Networks, volume ISBN 0-470-86754-X. John Willey & Sons Ltd, 2005.278 pages.
[9] N. Sendrier. McEliece public key cryptosystem; Niederreiter encryption scheme.In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer,2005.
23
6.2 Doctoral dissertations and “Habilitation” theses
[10] M. Bardet. Etude des systemes algebriques surdetermines. Applications aux codescorrecteurs et a la cryptographie. These de doctorat, Universite Paris 6, December2004.
[11] R. Bhaskar. Protocoles Cryptographiques pour les reseaux Ad hoc. These de doctorat,Ecole Polytechnique, June 2006.
[12] A. Canteaut. Analyse et conception de chiffrements a clef secrete. Memoired’habilitation a diriger des recherches, Universite Paris 6, September 2006.
[13] M. Finiasz. Nouvelles constructions utilisant des codes correcteurs d’erreurs en cryp-tographie a clef publique. These de doctorat, Ecole Polytechnique, Palaiseau, October2004.
[14] F. Galand. Constructions de codes Zpk-lineaires de bonne distance minimale, etschemas de dissimulation fondes sur les codes de recouvrements. These de doctorat,Universite de Caen, December 2004.
[15] C.S. Nedeloaia. Etude des enumerateurs des poids des codes lineaires utilisant desformes decomposees des matrices generatrices. These de doctorat, Universite deLimoges, February 2005.
[16] H. Ollivier. Elements de theorie de l’information quantique, decoherence et codescorrecteurs d’erreurs. These de doctorat, Ecole Polytechnique, Palaiseau, September2004.
[17] G. Olocco. Decodage iteratif et distance minimale d’une nouvelle famille de codesauto-duaux. These de doctorat, Universite Paris-Sud, Orsay, April 2003.
[18] L. Perret. Etude d’outils algebriques et combinatoires pour la cryptographie a clefpublique. These de doctorat, Universite de Marne-la-Vallee, October 2005.
[19] N. Sendrier. Cryptosystemes a cle publique bases sur les codes correcteurs d’erreurs.Memoire d’habilitation a diriger des recherches, Universite Paris 6, March 2002.
[20] C. Tavernier. Testeurs, problemes de reconstruction univaries et multivaries, etapplication a la cryptanalyse du DES. These de doctorat, Ecole Polytechnique,Palaiseau, January 2004.
[21] M. Videau. Criteres de securite des algorithmes de chiffrement a cle secrete. Thesede doctorat, Universite Pierre et Marie Curie (Paris 6), November 2005.
6.3 Articles in referred journals
[22] A.Barg and G.A. Kabatiansky. A class of i.p.p codes with efficient identification.Journal of Complexity, 20(2-3):137–147, 2004.
[23] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfectnonlinear functions. IEEE Trans. Inform. Theory, 52(9):4160–4170, September 2006.
[24] T.P. Berger and P. Loidreau. How to mask the structure of codes for a cryptographicuse. Designs, Codes and Cryptography, 35:63–79, April 2005.
24
[25] S. Bezrukov, R. Elsasser, B. Monien, R. Preiss, and J.-P. Tillich. New spectral lowerbounds on the bisection width. Theoretical Computer Science, 320:155–174, 2004.
[26] R. Bhaskar, D. Augot, V. Issarny, and D. Sacchetti. A three round authenticatedgroup key agreement protocol for ad hoc networks. Journal on Pervasive and MobileComputing, 2005. In press.
[27] R. Bhaskar, J. Herranz, and F. Laguillaumie. Aggregate designated verifier sig-natures and application to secure routing. International Journal of Security andNetworks, 2006. Special Issue on Cryptography in Networks. In press.
[28] A. Canteaut and P. Charpin. Decomposing bent function. IEEE Transactions onInformation Theory, 49(8):2004–2019, August 2003.
[29] A. Canteaut, P. Charpin, and M. Videau. Cryptanalysis of block ciphers and weightdivisibility of some binary codes. In M. Blaum, P.G. Farrell, and H.C.A. van Tilborg,editors, Information, Coding and Mathematics, pages 75–97. Kluwer, 2002. In honorof Bob McEliece on his 60th birthday. Invited paper.
[30] A. Canteaut, M. Daum, G. Leander, and H. Dobbertin. Normal and non normal bentfunctions. Discrete Applied Mathematics, 154(2):202–218, February 2006. Specialissue in Coding and Cryptology.
[31] A. Canteaut and M. Videau. Symmetric Boolean functions. IEEE Transactions onInformation Theory, 51(8):2791–2811, 2005.
[32] C. Carlet. On the confusion and diffusion properties of Maiorana-McFarland’s andextended Maiorana-McFarland’s functions. Journal of Complexity, 20(2-3):182–204,2003. Special Issue on Coding and Cryptography.
[33] C. Carlet. On the degree, nonlinearity, algebraic thickness and non-normality ofBoolean functions, with developments on symmetric functions. IEEE Transactionson Information Theory, 50:2178–2185, 2004.
[34] C. Carlet. Concatenating indicators of flats for designing cryptographic functions.Designs, Codes and Cryptography, 36:189–202, 2005.
[35] C. Carlet and P. Charpin. Cubic Boolean functions with highest resiliency. IEEETransactions on Information Theory, 51(2):562–571, February 2005.
[36] C. Carlet, D.K. Dalai, K.C. Gupta, and S. Maitra. Algebraic immunity for crypto-graphically significant Boolean functions: analysis and construction. IEEE Trans-actions on Information Theory, 52(7):3105– 3121, July 2006.
[37] C. Carlet and C. Ding. Highly nonlinear mappings. Journal of Complexity, 20(2-3):205–244, 2004. Special Issue on Coding and Cryptography.
[38] C. Carlet and C. Ding. Nonlinearities of S-boxes. Finite Fields and Their Applica-tions, 2006. In press.
[39] C. Carlet, C. Ding, and H. Niederreiter. Authentication schemes from highly non-linear functions. Designs, Codes and Cryptography, 40(1):71–79, July 2005.
[40] C. Carlet, C. Ding, and J. Yuan. Linear codes from perfect nonlinear mappings andtheir secret sharing schemes. IEEE Transactions on Information Theory, 51(6):2089–2102, June 2005.
25
[41] C. Carlet and P. Gaborit. Hyper-bent functions and cyclic codes. Journal of Com-binatorial Theory, Series A, 2005. In press.
[42] C. Carlet and P. Sarkar. Spectral domain analysis of correlation immune and resilientBoolean functions. Finite Fields and Their Applications, 8:120–130, 2002.
[43] C. Carlet and Y. Tarannikov. Covering sequences of Boolean functions and theircryptographic significance. Designs, Codes and Cryptography, 25:263–279, 2002.
[44] C. Carlet and J.L. Yucas. Piecewise constructions of bent and almost optimalBoolean functions. Designs, Codes and Cryptography, 37(3):449–464, 2005.
[45] P. Charpin. Cyclic codes with few weights and Niho exponents. Jour. Comb. TheorySeries A, 108(2):247–259, November 2004.
[46] P. Charpin. Normal Boolean functions. Journal of Complexity, 20(2-3):245–265,2004. Special Issue on Coding and Cryptography.
[47] P. Charpin, T. Helleseth, and V. Zinoviev. On cosets of weight 4 of binary BCH codesof length 2m (m odd), with minimal distance 8, and exponential sums. Problems ofInformation Transmission, 41(4):331–348, 2005.
[48] P. Charpin, T. Helleseth, and V. Zinoviev. Propagation characteristics of x 7→ 1/xand Kloosterman sums. Finite Fields and Their Applications, 2005. In press.
[49] P. Charpin, T. Helleseth, and V. Zinoviev. The coset distribution of the triple-error-correcting binary primitive BCH codes. IEEE Transactions on Information Theory,52(4):1727–1732, 2006.
[50] P. Charpin, T. Helleseth, and V. Zinoviev. The divisibility modulo 24 of Kloostermansums on GF(2m), m odd. Journal of Combinatorial Theory, Series A, 2006. In press.
[51] P. Charpin and E. Pasalic. Highly nonlinear resilient functions through disjointcodes in projective spaces. Designs, Codes and Cryptography, 37(2):319–346, 2005.
[52] P. Charpin, E. Pasalic, and C. Tavernier. On bent and semi-bent quadratic Booleanfunctions. IEEE Transactions on Information Theory, 51(12):4286–4298, 2005.
[53] F. Didier. A new bound on the block error probability after decoding over the erasurechannel. IEEE Transactions on Information Theory, 52(10):4496–4503, October2006.
[54] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke, and P. Gaborit. Con-struction of bent functions via Niho power functions. Journal of CombinatorialTheory, Series A, 113(5):779–798, July 2006.
[55] J. Friedman, R. Murty, and J.P. Tillich. Spectral estimates for Abelian Cayleygraphs. Journal of Combinatorial Theory Ser.B, 96(1):111–121, 2006.
[56] J. Friedman and J.-P. Tillich. Wave equations for graphs and the edge-based Lapla-cian. Pacific Journal of Mathematics, 216(2):229–266, October 2004.
[57] J. Friedman and J.-P. Tillich. Generalized Alon-Boppana theorems and error-correcting codes. SIAM Journal of Discrete Mathematics, 19(3):700–718, 2005.
26
[58] P. Gaborit, C. S. Nedeloaia, and A. Wassermann. Weight enumerators of duadic andquadratic residue codes. IEEE Transactions on Information Theory, 51(1):402–407,January 2005.
[59] G. Kabatiansky. Codes for copyright protection:the case of two pirates. InformationTransmission Problems, 41(2):123–127, 2005.
[60] Y. Laigle-Chapuy. Permutation polynomials and applications to coding theory. Fi-nite Fields and Their Applications, 2005. In press.
[61] P. Loidreau. Sur la reconstruction des polynomes lineaires : un nouvel algorithmede decodage des codes de Gabidulin. Comptes Rendus de l’Academie des Sciences :Serie I, 2004.
[62] P. Milman, H. Ollivier, and J.-M. Raimond. Universal quantum cloning in cavityQED. Phys. Rev. A, 67:12314, 2003. quant-ph 0207039.
[63] P. Milman, H. Ollivier, Y. Yamaguchi, M. Brune, J.-M. Raimond, and S. Haroche.Simple quantum information algorithms in cavity QED. J. Mod. Opt., 50(6-7):901–913, 2003.
[64] C. S. Nedeloaia. Weight distributions of cyclic self-dual codes. IEEE Transactionson Information Theory, 49(6):1582–1591, June 2003.
[65] H. Ollivier and P. Milman. Proposal for realization of a Toffoli gate via cavity-assisted collision. Quant. Info. Comput. J., 6, 2003. quant-ph 0306064.
[66] H. Ollivier, D. Poulin, and W.H. Zurek. Objective properties from subjective quan-tum states: Environment as a witness. Phys. Rev. Lett., 93(22):220401, 2004. quant-ph 0307229 (2003).
[67] H. Ollivier and J.-P. Tillich. Description of a quantum convolutional code. Phys.Rev. Lett., 91(17), 2003. quant-ph 0304189.
[68] H. Ollivier and J.-P. Tillich. Trellises for stabilizer codes : definition and uses. Phys.Rev. A, 74(3), September 2006.
[69] H. Ollivier and W. H. Zurek. Quantum discord: A measure of the quantumness ofcorrelations. Phys. Rev. Lett., 88:17901, 2002. quant-ph/0105072.
[70] N. Sendrier. On the security of the McEliece public-key cryptosystem. In M. Blaum,P.G. Farrell, and H. van Tilborg, editors, Information, Coding and Mathematics,pages 141–163. Kluwer, 2002. In honor of Bob McEliece on his 60th birthday. Invitedpaper.
[71] N. Sendrier. Linear codes with complementary duals meet the Gilbert-Varshamovbound. Discrete Mathematics, 285:345–347, 2004.
[72] A. Seznec and N. Sendrier. HAVEGE: User-level software heuristic for strong randomnumbers. ACM Transactions on Modeling and Computer Simulation, 14(4):334–346,October 2003.
[73] J.-P. Tillich and G. Zemor. The Gaussian isoperimetric inequality and decodingerror probabilities for the Gaussian channel. IEEE Transactions on InformationTheory, 50(2):328–331, February 2004.
27
6.4 Articles in referred conference proceedings
[74] F. Armknecht, C. Carlet, P. Gaborit, S. Kunzli, W. Meier, and O. Ruatta. Effi-cient computation of algebraic immunity for algebraic and fast algebraic attacks. InEUROCRYPT 2006, number 4004 in LNCS, pages 147–164. Springer-Verlag, 2006.
[75] D. Augot and M. Finiasz. A public key encryption scheme based on the polynomialreconstruction problem. In EUROCRYPT 2003, number 2656 in LNCS, pages 229–241. Springer-Verlag, 2003.
[76] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based crypto-graphic hash functions. In Ed Dawson and Serge Vaudenay, editors, MYCRYPT2005, number 3715 in LNCS, pages 64–83. Springer-Verlag, 2005.
[77] T. P. Berger and P. Loidreau. Designing an efficient and secure public-key cryp-tosystem based on reducible rank codes. In INDOCRYPT 2004, number 3348 inLNCS, pages 218–229, 2004.
[78] T.P. Berger and M. Minier. Two algebraic attacks against the F-FCSRs using theIV mode. In INDOCRYPT 2005, number 3797 in LNCS, pages 143–154. Springer-Verlag, 2005.
[79] A. Canteaut. On the correlations between a combining function and functions offewer variables. In Proceedings of 2002 IEEE Information Theory Workshop, pages78–81, Bangalore, Inde, October 2002. IEEE Press. Invited paper.
[80] A. Canteaut. Fast correlation attacks against stream ciphers and related open prob-lems. In Proceedings of the 2005 IEEE Information Theory Workshop on Theory andPractice in Information-Theoretic Security (ITW 2005), pages 49–54, Awaji Island,Japon, October 2005. IEEE Press. Invited paper.
[81] A. Canteaut. Open problems related to algebraic attacks on stream ciphers. InO. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers,volume 3969 of LNCS, pages 120–134. Springer-Verlag, 2006. Invited paper.
[82] A. Canteaut and M. Videau. Degree of composition of highly nonlinear functionsand applications to higher order differential cryptanalysis. In EUROCRYPT 2002,number 2332 in LNCS, pages 518–533. Springer-Verlag, 2002.
[83] C. Carlet. A larger class of cryptographic Boolean functions via a study of theMaiorana-McFarland construction. In CRYPTO 2002, number 2442 in LNCS, pages549–564. Springer-Verlag, 2002.
[84] C. Carlet. On the secondary constructions of resilient and bent functions. In Coding,Cryptography and Combinatorics, volume 23 of Progress in Computer Science andApplied Logic, pages 3–28. Birkhauser Verlag, Basel, 2004.
[85] C. Carlet. On highly nonlinear S-boxes and their inability to thwart DPA attack.In INDOCRYPT 2005, number 3797 in LNCS, pages 49–62. Springer-Verlag, 2005.
[86] C. Carlet and A. Gouget. An upper bound on the number of m-resilient Booleanfunctions. In ASIACRYPT 2002, volume 2501 of LNCS, pages 484–496. Springer-Verlag, 2002.
[87] C. Carlet and E. Prouff. On plateaued Boolean functions and their constructions.In FSE 2003, volume 2887 of LNCS, pages 54–73. Springer-Verlag, 2003.
28
[88] C. Carlet and E. Prouff. On a new notion of nonlinearity relevant to multi-outputpseudo-random generators. In SAC 2003, number 3006 in LNCS, pages 291–305.Springer-Verlag, 2004.
[89] C. Carlet and E. Prouff. Vectorial functions and covering sequences. In A. PoliG. L. Mullen and H. Stichtenoth, editors, Finite Fields and Applications, Fq7, vol-ume 2948 of LNCS, pages 215–248. Springer-Verlag, 2004.
[90] P. Charpin and E. Pasalic. On propagation characteristics of resilient functions. InSAC 2002, volume 2595 of LNCS, pages 356–365. Springer-Verlag, 2003.
[91] I. de Lamberterie and M. Videau. Regards croises de juristes et d’informaticiens surla securite informatique. In Actes du Symposium sur la Securite des Techologies del’Information et des Communications, 2006. Article invite.
[92] F. Didier. Using Wiedemann’s algorithm to compute the immunity against alge-braic and fast algebraic attacks. In Springer Verlag, editor, INDOCRYPT 2006,Proceedings, Kolkata, India, December 2006. to appear.
[93] F. Didier and J.-P. Tillich. Computing the algebraic immunity efficiently. In FSE2006, LNCS. Springer-Verlag, 2006. To appear.
[94] C. Faure and P. Loidreau. A new public-key cryptosystem based on the problem ofreconstruction of p-polynomials. In O. Ytrehus, editor, Coding and Cryptography -WCC 2005 - Revised selected papers, volume 3969 of LNCS, pages 304–315. Springer-Verlag, 2006.
[95] F. Galand. On the minimum distance of some families of Z2k -linear codes. InAAECC 15, Proceedings, volume 2643, pages 235 – 243, Toulouse, France, May2003. Springer-Verlag Heidelberg.
[96] C. Lauradoux. Collision attacks on processors with cache and countermeasures. InC. Wolf, S. Lucks, and P.-W. Yau, editors, WEWoRC 2005, volume P-74 of LectureNotes in Informatics, pages 76–85. Bonner Kollen Verlag, 2005.
[97] F. Levy-dit-Vehel and L. Perret. Polynomial equivalence problems and applicationsto multivariate cryptosystems. In INDOCRYPT 2003, number 2904 in LNCS, pages235–251. Springer-Verlag, 2003.
[98] F. Levy-dit-Vehel and L. Perret. Attacks on public-key cryptosystems based on freepartially commutative monoids and groups. In INDOCRYPT 2004, number 3348 inLNCS, pages 275–289. Springer-Verlag, 2004.
[99] F. Levy-dit-Vehel and L. Perret. A Polly Cracker system based on satisfiability.In Coding, Cryptography and Combinatorics, volume 23 of Progress in ComputerScience and Applied Logic, pages 177–192. Birkhauser Verlag, Basel, 2004.
[100] F. Levy-dit-Vehel and L. Perret. On Wagner-Magyarik cryptosystem. In O. Ytrehus,editor, Coding and Cryptography - WCC 2005 - Revised selected papers, volume 3969of LNCS, pages 316–329. Springer-Verlag, 2006.
[101] F. Levy-dit-Vehel and L. Perret. A polly cracker system secure against linear algebraattacks. In Proceedings of the Coding, Cryptography and Combinatorics Conference,pages 177–192, Yellow Moutain, China, June 2003.
29
[102] P. Loidreau. A Welch-Berlekamp like algorithm for decoding gabidulin codes. InO. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers,volume 3969 of LNCS, pages 36–45. Springer-Verlag, 2006.
[103] W. Meier, E. Pasalic, and C. Carlet. Algebraic attacks and decomposition of Booleanfunctions. In EUROCRYPT 2004, number 3027 in LNCS, pages 474–491. Springer-Verlag, 2004.
[104] M. Minier. A three rounds property in the AES. In Proceedings of the fourthconference on the AES, number 3373 in LNCS, pages 16–26. Springer-Verlag, 2004.
[105] E. Pasalic. Degree optimized resilient Boolean functions from Maiorana-McFarlandclass. In Cryptography and Coding, volume 2898 of LNCS, pages 93–114. Springer-Verlag, 2003.
[106] L. Perret. A fast cryptanalysis of the isomorphism of polynomials with one secretproblem. In EUROCRYPT 2005, number 3494 in LNCS, pages 354–71. Springer-Verlag, 2005.
[107] C. Tavernier. Construction of modular curves and computation of their cardinalityon Fp. In Finite fields: Theory, Applications and Algorithms (6th Internationalconference on finite fields, Oaxaca, Mexique), Lecture Notes in Computer Science,pages 313–327. Springer-Verlag, 2002.
6.5 Publications in other conferences and workshops
[108] I. Andriyanova, J.-P. Tillich, and J.-C. Carlach. Asymptotically good codes withhigh iterative decoding performances. In ISIT 2005, Proceedings, pages 850–854,Adelaide, Australie, September 2005. IEEE Press.
[109] I. Andriyanova, J.-P. Tillich, and J.-C. Carlach. A new family of codes with highiterative decoding performances. In ICC 2006, Istambul, Turquie, June 2006.
[110] F. Arnault, T.P. Berger, and C. Lauradoux. Description of F-FCSR-8 and F-FCSR-Hstream ciphers. In Proceedings of SKEW, Aarhus, Danemark, May 2005. Submittedto eSTREAM, Call for Stream Cipher Primitives, ECRYPT.
[111] D. Augot, M. Bardet, and J-C. Faugere. Efficient decoding of (binary) cyclic codesabove the correction capacity of the code using Groebner bases. In ISIT 2003,Proceedings, page 362, Yokohama, Japan, June 2003. IEEE Press.
[112] D. Augot, M. Bardet, and J.-C. Faugere. Decoding cyclic codes with algebraicsystems. In Joint BeNeLuxFra Conference in Mathematics, Gand, Belgique, May2005.
[113] D. Augot, M. El-Khamy, R.J. McEliece, F. Parvaresh, M. Stepanov, and A. Vardy.Algebraic list decoding of Reed-Solomon product codes. In Proceedings of ACCT’10,pages 210–214, Zvenigorod, Russia, September 2006.
[114] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based crypto-graphic hash function. In Ecrypt Conference on Hash Functions, Krakow, Poland,June 2005.
30
[115] D. Augot and M. Stepanov. Interpolation based decoding of Reed-Muller codes.In Grobner Bases in Cryptography, Coding Theory, and Algebraic Combinatorics,RICAM, University of Linz, Austria, May 2006. Invited talk.
[116] M. Bardet, J.C. Faugere, and B. Salvy. On the complexity of grobner basis compu-tation of semi-regular overdetermined algebraic equations. In Proc. ICPSS Interna-tional Conference on Polynomial System Solving Paris, November 24-25-26 2004 inhonor of Daniel Lazard, 2004.
[117] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin,A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert.Decim: a new stream cipher for hardware applications. In Proceedings of SKEW,Aarhus, Danemark, May 2005. Submitted to eSTREAM, Call for Stream CipherPrimitives, ECRYPT.
[118] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin,A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert.Decimv2. In Proceedings of SASC 2006 - ECRYPT Workshop on stream ciphers,Leuven, Belgique, February 2006.
[119] C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget,L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. Sosemanuk:a fast oriented software-oriented stream cipher. In Proceedings of SKEW, Aarhus,Danemark, May 2005. Submitted to eSTREAM, Call for Stream Cipher Primitives,ECRYPT.
[120] T. Berger and P. Loidreau. Security of the Niederreiter version of the GPT publickey cryptosystem. In ISIT 2002, Proceedings, page 267, Lausanne, Switzerland, July2002. IEEE Press.
[121] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfect non-linear mappings. In ISIT 2005, Proceedings, pages 2002–2006, Adelaide, Australie,September 2005. IEEE Press.
[122] R. Bhaskar, D. Augot, V. Issarny, and D. Sacchetti. An efficient group key agreementprotocol for Ad hoc networks. In IEEE Workshop on Trust, Security and Privacyin Ubiquitous Computing, Taormina, Italy, June 2005.
[123] R. Bhaskar, J. Herranz, and F. Laguillaumie. Efficient authentication for reactiverouting protocols. In Proceedings of Second International Workshop on Security inNetworks and Distributed Systems, April 2006. Vienna, Austria.
[124] G.R. Blakley and G. Kabatiansky. Random coding technique for digital fingerprint-ing codes: fighting two pirates revisited. In Proceedings 2004 IEEE InternationalSymposium on Information Theory, page 203, Chicago,USA, June 2004.
[125] L. Budaghyan, C. Carlet, P. Felke, and G. Leander. An infinite class of quadraticAPN functions which are not equivalent to power mappings. In ISIT 2006, Proceed-ings, pages 2637–2641, Seattle, USA, July 2006. IEEE Press.
[126] L. Budaghyan, C. Carlet, and A. Pott. New classes of almost bent and almost perfectnonlinear polynomials. In WCC 2005, pages 306–315, Bergen, Norway, March 2005.
[127] T. Camara, H. Ollivier, and J.-P. Tillich. Constructions of quantum LDPC codes.In EQUIS 2005, pages 65–66, September 2005.
31
[128] A. Canteaut. Cryptanalysis of block ciphers and related properties of the Walshspectra of S-boxes. In YACC 02, pages 3–4, Porquerolles, France, June 2002. Invitedtalk.
[129] A. Canteaut. Design criteria for symmetric primitives. In STORK CryptographyWorkshop, pages 44–45, Bruges, Belgique, November 2002.
[130] A. Canteaut. Decoding techniques for correlation attacks on stream ciphers. InYACC 2004, Porquerolles, France, June 2004. Invited talk.
[131] A. Canteaut. Decoding techniques for correlation attacks on stream ciphers. InAcademy Contact Forum ”Coding theory and cryptography”, The royal Flemishacademy of Belgium for science and the arts, Bruxelles, Belgique, October 2005.http://cage.rug.ac.be/~ls/website/contactforum2005.html. Invited talk.
[132] A. Canteaut. Le chiffrement a flot. In Ecole de Jeunes Chercheurs en Algorithmiqueet Calcul Formel 2005, Montpellier, April 2005.
[133] A. Canteaut and P. Charpin. Decomposing bent functions. In ISIT 2002, Proceed-ings, page 42, Lausanne, Switzerland, July 2002. IEEE Press.
[134] A. Canteaut, P. Charpin, and G. Kyureghyan. A new class of monomial bent func-tions. In Proceedings of the 2006 IEEE International Symposium on InformationTheory - ISIT, Seattle, USA, July 2006. IEEE Press.
[135] A. Canteaut, M. Daum, G. Leander, and H. Dobbertin. Normal and non normalbent functions. In WCC 2003, pages 91–100, Versailles, France, March 2003.
[136] A. Canteaut and E. Filiol. On the influence of the filtering function on the per-formance of fast correlation attacks on filter generators. In 23rd Symposium onInformation Theory in the Benelux, Louvain-la-Neuve, Belgium, May 2002.
[137] A. Canteaut and M. Videau. Higher order differential attacks on iterated blockciphers using almost bent round functions. In ISIT 2002, Proceedings, page 209,Lausanne, Switzerland, July 2002. IEEE Press.
[138] C. Carlet. On the algebraic thickness and non-normality of Boolean functions. InITW 2003, Proceedings, pages 147–150, Paris, France, March 2003. IEEE Press.
[139] C. Carlet. Designing bent functions and resilient functions from known ones, withoutextending their number of variables. In ISIT 2005, Proceedings, pages 1096–1100,Adelaide, Australie, September 2005. IEEE Press.
[140] C. Carlet. On bent and highly nonlinear balanced-resilient functions and their alge-braic immunities. In AAECC 16,, Las Vegas, USA, February 2006. Invited talk.
[141] C. Carlet and P. Charpin. Cubic Boolean functions with highest resiliency. In ISIT2004, Proceedings, page 497, Chicago,USA, June 2004. IEEE Press.
[142] C. Carlet and P. Gaborit. Hyper-bent functions and cyclic codes. In ISIT 2004,Proceedings, page 499, Chicago,USA, June 2004. IEEE Press.
[143] C. Carlet and P. Gaborit. On the construction of balanced Boolean functions witha good algebraic immunity. In ISIT 2005, Proceedings, pages 1101–1105, Adelaide,Australie, September 2005. IEEE Press.
32
[144] C. Carlet, S. Gangopadhyay, and S. Maitra. Crosscorrelation spectra of Dillon typefunctions. In IWSDA’05, Shimonoseki, Yamaguchi, Japan, October 2005.
[145] C. Carlet and A. Klapper. Upper bounds on the numbers of resilient functionsand of bent functions. In 23rd Symposium on Information Theory in the Benelux,Louvain-la-Neuve, Belgium, May 2002.
[146] C. Carlet and A. Klapper. Upper bounds on the numbers of resilient functions andof bent functions. In YACC 02, Porquerolles, France, June 2002.
[147] C. Carlet and S. Mesnager. Improving the upper bounds on the covering radii ofReed-Muller codes. In ISIT 2005, Proceedings, pages 795–799, Adelaide, Australie,September 2005. IEEE Press.
[148] P. Charpin, T. Helleseth, and V. Zinoviev. On binary BCH codes with minimaldistance 8 and Kloosterman sums. In Proceedings of ACCT 9, pages 90–94, Kranevo,Bulgaria, June 2004.
[149] P. Charpin, T. Helleseth, and V. Zinoviev. The coset distribution of the triple-error-correcting binary primitive BCH codes. In ISIT 2005, Proceedings, Adelaide,Australia, September 2005. IEEE Press.
[150] P. Charpin and G. Kyureghyan. On cubic bent functions in the class m. In Proceed-ings of ACCT’10, pages 52–56, Zvenigorod, Russia, September 2006.
[151] M. Cluzeau. Reconstruction of a linear scrambler. In ISIT 2004, Proceedings, page230, Chicago,USA, June 2004. IEEE Press.
[152] M. Cluzeau. Reconstruction d’un brasseur lineaire. In Ecole de Jeunes Chercheursen Algorithmique et Calcul Formel - EJC 2005, Montpellier, April 2005.
[153] M. Cluzeau. Block code reconstruction using iterative decoding techniques. InProceedings of the 2006 IEEE International Symposium on Information Theory -ISIT, Seattle, USA, July 2006. IEEE Press.
[154] N. Courtois, M. Finiasz, and N. Sendrier. Short McEliece-based digital signatures.In ISIT 2002, Proceedings, page 265, Lausanne, Switzerland, July 2002. IEEE Press.
[155] I. Dumer, G. Kabatiansky, and C. Tavernier. List decoding of second order Reed-Muller codes up to the Johnson bound with almost linear complexity. In Proceedingsof the 2006 IEEE International Symposium on Information Theory - ISIT, pages pp.138–142, Seattle, USA, July 2006. IEEE Press.
[156] C. Faure. Average number of gabidulin codewords within a sphere. In Proceedingsof ACCT’10, pages 86–90, Zvenigorod, Russia, September 2006.
[157] M. Finiasz. Words of minimal weight and weight distribution of binary Goppa codes.In ISIT 2003, Proceedings, page 70, Yokohama, Japan, June 2003. IEEE Press.
[158] M. Finiasz. Syndrome decoding in the non-standard cases. In CLC 2006, Darmstadt,Germany, September 2006. Invited talk.
[159] E. Gabidulin and P. Loidreau. On subspaces subcodes of rank codes. In Proceedingsof ACCT 9, pages 178–84, Kranevo, Bulgaria, June 2004.
33
[160] E. M. Gabidulin and P. Loidreau. On subcodes of codes in rank metric. In 2005IEEE International Symposium on Information Theory, ISIT’05, pages 121–123,Adelaide, Australie, September 2005.
[161] P. Gaborit, C. S. Nedeloaia, and A. Wassermann. Weight enumerators of duadicand quadratic residue codes. In Proceedings 2004 IEEE International Symposiumon Information Theory, page 485, Chicago,USA, June 2004.
[162] F. Galand. Practical construction against theoretical approach in fingerprinting. InProceedings of the 2006 IEEE International Symposium on Information Theory -ISIT, Seattle, USA, July 2006. IEEE Press.
[163] F. Galand and G. Kabatiansky. Information hiding by coverings. In ITW 2003,Proceedings, pages 151–154, Paris, France, March 2003. IEEE Press.
[164] F. Galand and G. Kabatiansky. Steganography via covering codes. In ISIT 2003,Proceedings, page 192, Yokohama, Japan, June 2003. IEEE Press.
[165] G. Kabatiansky. Good ternary 2-tracebility codes exist. In Proceedings 2004 IEEEInternational Symposium on Information Theory, page 204, Chicago,USA, June2004.
[166] G. Kabatiansky and C. Tavernier. List decoding of Reed-Muller codes. In Proceedingsof ACCT 9, pages 230–35, Kranevo, Bulgaria, June 2004.
[167] G. Kabatiansky and C. Tavernier. List decoding of second order Reed-Muller codes.In Proceedings of Eight International Symposium on Communication Theory andApplications, Ambelside, UK, July 2005.
[168] G. Kabatiansky and C. Tavernier. List decoding of second order Reed-Mullercodes, second part. In Proceedings of ACCT’10, pages 131–135, Zvenigorod, Russia,September 2006.
[169] C. Lauradoux. Collision attacks on processors with cache and countermeasures. InWeWork 2005, Western European Workshop on Research in Cryptology, Leuven,Belgium, July 2005.
[170] C. Lauradoux. Complexite des fonctions booleennes symetriques. In Ecole de JeunesChercheurs en Algorithmique et Calcul Formel, Montpellier, France, April 2005.
[171] C. Lauradoux. Machine virtuelle et pot de miel. In Ecole Internet NouvelleGeneration, ING 2005, Montreuil sur Mer, France, July 2005.
[172] P. Loidreau. On the decoding of maximum rank distance codes. In Conferencefranco-russe ”Mathematics of Communication, November 2003. Invited talk.
[173] P. Loidreau. How to reduce public-key size in McEliece-like public key cryptosystems.In CLC 2006, Darmstadt, Germany, September 2006. Invited talk.
[174] P. Loidreau and R. Overbeck. Decoding rank errors beyond the error-correctingcapacity. In Proceedings of ACCT’10, pages 186–190, Zvenigorod, Russia, September2006.
[175] P. Loidreau and B. Sakkour. Modified version of Sidelnikov-Peshakov decodingalgorithm for binary second order Reed-Muller codes. In Proceedings of ACCT 9,pages 266–72, Kranevo, Bulgaria, June 2004.
34
[176] M. Minier. An integral cryptanalysis of a five rounds version of FOX. In WEWoRC2005, Leuven, Belgium, July 2005.
[177] C. S. Nedeloaia. On weight distribution of cyclic self-dual codes. In Proceedings2002 IEEE International Symposium on Information Theory, page 232, Lausanne,Suisse, July 2002. IEEE.
[178] H. Ollivier and J.-P. Tillich. Interleaved serial concatenation of quantum convo-lutional codes: gate implementation and iterative error estimation algorithm. In26th Symposium on Information Theory in the Benelux, pages 149–158, Bruxelles,Belgium, 2005.
[179] L. Perret. A geometrical approach to a polynomial equivalence problem. In ICPSS2004, Paris, France, November 2004.
[180] L. Perret. Algorithms for solving the isomorphism of polynomials with one secretproblem. In Joint BeNeLuxFra Conference in Mathematics, Gand, Belgique, May2005.
[181] L. Perret. A chosen ciphertext attack on a public key cryptosystem based on lyndonwords. In WCC 2005, pages 235–245, Bergen, Norway, March 2005.
[182] L. Perret and A. Bayad. A differential approach to a polynomial equivalence problem.In ISIT 2004, Proceedings, page 142, Chicago,USA, June 2004. IEEE Press.
[183] N. Sendrier. Linear codes with complementary duals meet the Gilbert-Varshamovbound. In ISIT 2004, Proceedings, page 456, Chicago, USA, June 2004. IEEE Press.
[184] N. Sendrier. Coding-based cryptosystems. In ECRYPT summer school on crypt-analysis, Pythagorion, Samos, Greece, May 2005. Invited talk.
[185] N. Sendrier. Encoding information into constant weight words. In ISIT 2005, Pro-ceedings, pages 435–438, Adelaide, Australie, September 2005. IEEE Press.
[186] N. Sendrier. Public-key cryptology based on error-correcting codes. In CAEN’05,Caen, France, June 2005. Invited talk.
[187] N. Sendrier. Key security of code-based public key cryptosystem. In CLC 2006,Darmstadt, Germany, September 2006. Invited talk.
[188] N. Sendrier. Post-quantum code-based cryptography. In PQcrypto 2006, Leuven,Belgium, May 2006. Invited talk.
[189] N. Sendrier, D. Augot, M. Finiasz, and P. Loidreau. Diversity in public key cryptog-raphy using coding theory and related problems. In STORK cryptography workshop,Bruges, Belgium, November 2002.
[190] N. Sendrier and C. Lauradoux. HAVEGE: true random number generator in soft-ware. In YACC 06, Porquerolles Island, France, June 2006. Invited talk.
[191] V.V. Shorin and P. Loidreau. Application of Groebner bases techniques for searchingnew sequences with good periodic correlation properties. In ISIT 2005, Proceedings,pages 1196–1200, Adelaide, Australia, September 2005. IEEE Press.
[192] J.-P. Tillich. The average weight distribution of Tanner code ensembles and a way tomodify then to improve their weight distribution. In ISIT 2004, Proceedings, page 7,Chicago,USA, June 2004. IEEE Press.
35
[193] J.-P. Tillich and G. Zemor. The Gaussian isoperimetric inequality and the probabil-ity of a decoding error. In ISIT 2002, Proceedings, page 400, Lausanne, Switzerland,July 2002. IEEE Press.
[194] J.-P. Tillich and G. Zemor. On the minimum distance of structured LDPC codes withtwo variable nodes of degree 2 per parity-check equation. In ISIT 2006, Proceedings,pages 1549–1553, Seattle, USA, July 2006. IEEE Press.
[195] M. Videau. On some properties of symmetric Boolean functions. In ISIT 2004,Proceedings, page 500, Chicago,USA, June 2004. IEEE Press.
[196] M. Videau. Symmetric Boolean functions with high nonlinearity. In WEWoRC2005, Leuven, Belgium, July 2005.
6.6 Internal Reports
[197] D. Augot, M. Finiasz, and P. Loidreau. Using the trace operator to repair the polyno-mial reconstruction based cryptosystem, presented at eurocrypt 2003. Research pa-per, Cryptology ePrint Archive, Report 2003/209, 2003. http://eprint.iacr.org.
[198] D. Augot, M. Finiasz, and N. Sendrier. A fast provably secure cryptographic hashfunction. Research paper, Cryptology ePrint Archive, 2003. http://eprint.iacr.org/2003/230/.
[199] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based crypto-graphic hash function. Rapport de Recherche RR-5592, INRIA, June 2005.
[200] M. Bardet, J.-C. Faugere, and B. Salvy. Complexity of Groebner basis computa-tion for semi-regular overdetermined sequences over GF(2) with solutions in GF(2).Rapport de Recherche RR-5049, INRIA, December 2003.
[201] I. ben Slimen. Codes correcteurs pour les protocoles de reconciliation quantique decles. Rapport de stage, INRIA, ENIT Tunisie, June 2006. Direction : J.P. Tillich.
[202] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfectnonlinear functions. Rapport de recherche RR-5774, INRIA, December 2005. http://www.inria.fr/rrrt/rr-5774.html.
[203] R. Bhaskar. Group key agreement in ad hoc networks. Technical Report RR-4832,Rapport de Recherche INRIA, December 2003.
[204] Raghav Bhaskar. Group key agreement in ad hoc networks. Rapport de stage INRIA,Indian Institute of Technology, April 2003. Direction : Daniel Augot.
[205] T. Camara. Codes correcteurs quantiques. rapport de stage, DEA ”algorithmique”,Universite de Paris 6, September 2003. Direction : J.P. Tillich.
[206] A. Canteaut, C. Lauradoux, and A. Seznec. Understanding cache attacks. Rapportde recherche RR-5881, INRIA, April 2006. http://www.inria.fr/rrrt/.
[207] A. Canteaut and M. Videau. Weakness of block ciphers using highly nonlinearconfusion functions. Rapport de recherche RR-4367, INRIA, February 2002. http://www.inria.fr/rrrt/rr-4367.html.
[208] M. Cluzeau. Reconstruction d’un brasseur lineaire. Rapport de stage de DEA,Faculte des Sciences de Limoges, July 2003. Direction : A. Canteaut, N. Sendrier.
36
[209] X. Dahan. Generalisation de graphes de Ramanujan, application a la constructiondes codes correcteurs obtenus comme code des cycles d’un graphe. Rapport de stageINRIA, Universite de Versailles Saint-Quentin, August 2002. Direction : J.P. Tillich.
[210] M. Diarra. Analyse de la securite d’un protocole d’identification pour les RFID.Stage d’option, Ecole Polytechnique, July 2006. Direction : N. Sendrier.
[211] V. Dubois. Etudes de codes convolutifs quantiques. Stage d’option, Ecole polytech-nique, September 2003. Direction : J.P. Tillich.
[212] C. Faure. Etude d’un cryptosysteme a cle publique fonde sur le probleme de recon-struction de polynomes lineaires. rapport de stage, DEA “algorithmique”, ENSTA- INRIA, September 2004. Direction : P. Loidreau.
[213] D. Heitzler. Etude des proprietes cryptographiques des T-fonctions. Rapport destage de maitrise, Universite de Cergy-Pontoise, July 2005. Direction : A. Canteaut.
[214] Y. Laigle-Chapuy. Les polynomes de permutation. applications en theorie des codes.Stage, DEA ”algorithmique”, INRIA, June 2004. Direction : P. Charpin.
[215] F. Levy-dit-Vehel and L. Perret. A polly cracker system based on satisfiability.Rapport de recherche RR-4698, INRIA, January 2003.
[216] F. Levy-dit-Vehel and L. Perret. Polynomial equivalence problems and applicationsto multivariate cryptosystems. Rapport de recherche RR-5119, INRIA, February2004.
[217] P. Loidreau. An algebraic attack against Augot-Finiasz cryptosystem. Rapport derecherche RR-5662, INRIA, http://www.inria.fr/rrrt/rr-5662.html, 2005.
[218] S. Manuel. Codes d’authentification de messages - application aux fonctions dehachage fondees sur le decodage de syndrome rapide. Rapport de stage de maıtrise,Universite Paris 8, October 2004. Direction : N. Sendrier.
[219] M. Minier. A bottleneck attack on Crypton. Rapport de recherche RR-5324, INRIA,October 2004.
[220] C. S. Nedeloaia. Upper bounds on the dual distances of EBCH codes. TechnicalReport RR-5477, Rapport de Recherche INRIA, January 2005.
[221] M. Naya Plasencia. Cryptanalyse de systemes de chiffrement a flot : etude de lasecurite d’Achterbahn. Rapport de stage de Master Recherche II, Universite deVersailles-St Quentin, INRIA, September 2006. Direction : A. Canteaut.
[222] P. Quanty. Etude d’une attaque sur les algorithmes de chiffrement a flot. Rapportde stage de DEA, Universite de Limoges, June 2002. Direction : A. Canteaut et J.P.Tillich.
[223] Y. Ridene. Etude et implementation de primitives cryptographiques soumises auprojet eSTREAM. Rapport de stage de 1ere annee d’IUP GMI option MIME,Universite Paris 8, September 2005. Direction : A. Canteaut.
[224] T. Roetynck. Implementation d’un cryptosysteme base sur les codes correcteursd’erreurs. Rapport de stage ingenieur, ENSTB, September 2003. Direction : N.Sendrier.
37
[225] O. Trabelsi. Codes stabilisateurs quantiques. Master’s thesis, ENIT Tunisie, Septem-ber 2006. Direction : J.P. Tillich.
[226] R. Triki. Application de techniques de decodage a la cryptanalyse de systemes dechiffrements. rapport de stage, DEA ”algorithmique”, INRIA, June 2004. direction: J.P. Tillich.
[227] C. Vacher. Visualisation de la diffusion dans un chiffrement symetrique. Rapportde stage de DEUG MIAS, Universite de Cergy Pontoise, August 2004. Direction :A. Canteaut.
6.7 Deliverables
[228] D. Augot, A. Biryukov, A. Canteaut, C. Cid, N. Courtois, C. De Canniere,H. Gilbert, C. Lauradoux, M. Parker, B. Preneel, M. Robshaw, and Y. Seurin.D.STVL.2 – AES Security Report. Rapport du reseau d’excellence europeenECRYPT, 2006. 73 pages.
[229] D. Augot, F. Morain, C. Fontaine, J. Leneutre, S. Maag, A. Cavalli, and F. Nait-Abdesselam. Review of vulnerabilities in mobile ad-hoc networks: trust and routingprotocols views. Technical report, ACI SERAC, 2005. Delivrable de l’action con-certee incitative SERAC.
[230] A. Canteaut. Rapport final de l’action concertee incitative CrAC II. Technicalreport, ACI CrAC II, 2005. 15 pages.
[231] A. Canteaut and D. Augot. Rapport d’expertise de l’algorithme AAC. Rapport decontrat CANAL+ Technologies, April 2003. 244 pages.
[232] A. Canteaut (ed.), D. Augot, A. Biryukov, A. Braeken, C. Cid, H. Dobbertin,H. Englund, H. Gilbert, L. Granboulan, H. Handschuh, M. Hell, T. Johansson,A. Maximov, M. Parker, T. Pornin, B. Preneel, M. Robshaw, and M. Ward.D.STVL.3 – Open Research Areas in Symmetric Cryptography and Technical Trendsin Lightweight Cryptography. Rapport du reseau d’excellence europeen ECRYPT,February 2005. 82 pages.
[233] A. Canteaut (ed.), D. Augot, A. Biryukov, A. Braeken, C. Cid, H. Dobbertin,H. Englund, H. Gilbert, L. Granboulan, H. Handschuh, M. Hell, T. Johansson,A. Maximov, M. Parker, T. Pornin, B. Preneel, M. Robshaw, and M. Ward.D.STVL.4 – Open Research Areas in Symmetric Cryptography and Technical Trendsin Lightweight Cryptography. Rapport du reseau d’excellence europeen ECRYPT,February 2006. 88 pages.
[234] M. Cluzeau and N. Sendrier. Reconstruction d’un brasseur lineaire. Rapport tech-nique d’avancement - convention DGA 02 60 65 095 450 75 01, February 2004. 75pages.
[235] M. Cluzeau and N. Sendrier. Reconstruction d’un schema de codage. Rapporttechnique final - convention DGA 02 60 65 095 450 75 01, October 2004. 102 pages.
[236] A. Canteaut (co-author) Forum des Droits sur l’Internet. La conser-vation electronique des documents. http://www.foruminternet.org/, De-cember 2005. http://www.foruminternet.org/telechargement/documents/reco-archivage-20%051201.pdf.
38
[237] J. Kempe, H. Ollivier, and J. Kempe. Rapport final du projet “reseaux quantiques”de l’aci “securite informatique” numero 03510, August 2006. 13 pages.
[238] F. Levy-dit-Vehel. Rapport final de l’action concertee incitative ACCES. Technicalreport, ACI ACCES, 2004. 11 pages.
[239] M. Minier, A. Canteaut, N. Courtois, and H. Gilbert. Chiffrement a flot - Etat del’art. Rapport du projet RNRT X-CRYPT, February 2005. 44 pages.
[240] J.P. Tillich. Rapport final de contrat de recherche inria-projet codes/france telecomr&d “nouveaux turbo codes en bloc”, December 2004. 62 pages.
6.8 Vulgarization
[241] D. Augot. Les travaux de Madhu Sudan sur les codes correcteurs d’erreurs. Lagazette des mathematiciens, October 2003.
[242] A. Canteaut. Cryptanalyse de chiffrement a clef secrete par blocs. MISC - Lemagazine de la securite informatique, 2, March 2002.
[243] A. Canteaut. Le chiffrement a la volee. Pour la Science, pages 86–87, July 2002.Numero special La cryptographie, l’art du secret.
[244] A. Canteaut. La cryptographie ou les mathematiques au service de la protectionde l’information. In Ouverture des Olympiades de Mathematiques de l’Academie deVersailles, Universite de Versailles, January 2003.
[245] A. Canteaut. Comment concevoir un algorithme de chiffrement rapide et solide.In La face cachee des mathematiques, Paris, March 2004. Conference organisee parl’IHES, la Societe Mathematique de France, la Societe de Mathematiques Appliqueeset Industrielles et Pour la Science.
[246] A. Canteaut. Parcours et fiches sur les generateurs pseudo-aleatoires et le chiffrementa flot. portail Internet Cryptologie et Securite de l’Information, 2006. http://www.picsi.org/.
[247] C. Lauradoux. Machine virtuelle et honeypot. MISC - Le magazine de la securiteinformatique, 21, September 2005.
[248] C. Lauradoux. Timing attack et hyperthreading. MISC - Le magazine de la securiteinformatique, 20, July 2005.
[249] P. Loidreau. Le partage de secret. MISC - Le magazine de la securite informatique,3, 2002.
[250] P. Loidreau. Le transfert inconscient. MISC - Le magazine de la securite informa-tique, 2, 2002.
[251] P. Loidreau. L’identification a divulgation nulle de connaissance. MISC - Le maga-zine de la securite informatique, 1, 2002.
[252] P. Loidreau. Pour quelques bits d’information. MISC - Le magazine de la securiteinformatique, 20, July 2005.
[253] H. Ollivier and P. Pajot. La decoherence, espoir du calcul quantique. La Recherche,378(34), 2004.
39
[254] M. Videau and D. Eck. Les algorithmes de tri. Interstices, a la decouverte del’univers des STIC, 2004.
40