Meet-in-the-middle and differential attacks are two cornerstones of modern cryptanalysis, which have been applied successfully on block ciphers for decades. In  4, we introduced the new framework of differential meet-in-the-middle attacks, which combines technique from both meet-in-the-middle and differential cryptanalysis. As such, this technique can be seen both as an extension of meet-in-the-middle attacks, and as a novel way of performing the key-recovery in differential attacks. We applied this technique to two very well studied ciphers, SKINNY and the international standard AES, and obtained new results on weakened (reduced-round) variants, including a related-key attack on 12 rounds out of 14 on AES-256 with only two related keys.

The related-key setting, in which a block cipher may be queried with several unknown keys having some known relation, is a scenario in which AES is known to be quite weak. However, finding related-key characteristics is a difficult process which nowadays can be done only with the help of automatic tools. In  10 we gave new tools dedicated to this task, both ad hoc and based on MILP. We also built a new tool to search for differential MITM attacks, which improved the 12-rounds attack above to 13 rounds.

An important criteria to assert the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure the immunity against differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. Doing so allows one to provide an upper bound on the probability of the best differential characteristic with a reduced computational cost. However, in order to design very efficient primitives, it might be needed to evaluate the probability more accurately. This is usually done in a second step, during which one tries to instantiate truncated differential characteristics with actual values and computes its corresponding probability. This step is usually done either with ad-hoc algorithms or with CP, SAT or MILP models that are solved by generic solvers. In  12, we present a generic tool for automatically generating these models to handle all word-oriented ciphers. Furthermore the running times to solve these models are very competitive with all the previous dedicated approaches.

We also focused on equivalences between Generalised Feistel Networks (GFN) of type-II. We introduced a new definition of equivalence which captures the concept that two GFNs are identical up to re-labelling of the inputs/outputs and are therefore cryptographically equivalent for several classes of attacks. It induces a reduction of the space of possible GFNs: the set of the ${(k!)}^2$ possible even-odd GFNs with $2k$ branches can be partitioned into $k!$ different classes. From a designer perspective, it means that a much wider spectrum of candidates can be explored to choose a good permutation. In particular, using this new equivalence relation led us to five 62-branch permutations performing better than WARP regarding the number of differentially/linearly active S-Boxes and to a new family of permutations with good diffusion properties. This work is under submission.

During the internships of Mathieu Degré and Lucie Lahaye, we started studying the cryptanalysis of the ASCON family of lightweight primitives, which is a high-profile target as it has been recently selected for standardization by the NIST. Our goal in this project was to obtain simpler modelings of different types of cryptanalysis, based on MILP and SAT encodings, which were easier not only to describe but also to run. Our results are under submission.

In  9 we introduced the new algorithmic technique of chained quantum walks. This technique is key to an improvement on quantum algorithms for the multiple collision search problem, an extension of the collision search problem, which asks to find pairs of colliding outputs generated by a random function. It allowed us to improve the previous best quantum algorithm for lattice sieving  37, reducing its asymptotic time complexity from $2^{0.2570d+o\left(d\right)}$ to $2^{0.2563d+o\left(d\right)}$ where $d$ is the lattice dimension. These algorithms are of high interest since they underlie the security analyses of lattice-based cryptography at large.

In  19, we gave new quantum trade-offs for the Dihedral Coset Problem, which is a computational problem of high interest. In particular, its hardness underlies the security of post-quantum cryptosystems based on Abelian group actions such as CSIDH  36. These cryptosystems are the only high-profile post-quantum proposals for which a quantum attacker enjoys a large speedup (from exponential classical time to subexponential quantum time). Thus their security analysis relies primarily on the quantum side.

In  20 we introduced a new framework of quantum linear key-recovery attacks on block ciphers. In classical cryptanalysis, linear cryptanalysis is a powerful key-recovery attack exploiting the linear biases which may appear in reduced-round ciphers. While modern linear key-recovery attacks rely on the Fast Fourier Transform, a potential application of the Quantum Fourier Transform remained an open question in previous works  51. In this work, we showed that this was possible, and could lead to new quantum attacks on block ciphers. The new framework relies on computing correlations of Boolean functions “analogically” in the amplitudes of quantum states, which generates technical difficulties and new open questions that need further investigation. Despite the current limitations, this framework may reach up to a super-quadratic speedup in key-recovery attacks, which coïncides with the current best speedup reported in  31 for specific constructions of block ciphers.

In  6 we described a generic framework of quantum impossible differential attacks on block ciphers, with a generic formula from their time complexity and a procedure to easily translate classical attacks into quantum ones.

In  7 we introduced an automatic search and optimization tool for quantum meet-in-the-middle key-recovery attacks on block ciphers. This tool expands a previous modeling technique which we introduced in the past year  62.

Last year we described in  45 Mitaka, a variant of Falcon with much simpler implementation, larger parameter space, better parallelism and easier to protect from side-channel adversaries. One of the drawback of our scheme was its slightly lower security level. Indeed, finding good trapdoors in the key-generation process for Mitaka remained a costly task, and we had to sacrifice security for concrete efficiency. In  13 we propose a completely novel approach to find good trapdoors in an essentially optimal way, with much freedom in the quality that we impose on them. Our method stems from the geometric identification of the space where one can find them, and the design of a simple, natural sampler to draw from. It combines Fast Fourier Transform techniques with fine-grained error rounding analysis into a key-generation algorithm called Antrag, achieving the same efficiency as Falcon's, without sacrificing any bit-security.

Concretely, this technique make Mitaka as secure as Falcon. This prompted its use into a candidate for standardization in a national process (as mentioned above), called Solmae (Falcon in Korean), and submitted for the first round of evaluation. Despite Solmae having the minimal bandwith consumption of all candidates and concrete signing speed on par with the other lattice contender HaeTae (Dilithium's natural update), it was not selected to advance to the second round2.

Lattice Gaussian sampling is nowaday a pervasive technique in all aspects of the field: reductions between problems (in the complexity theory sense), as a concrete building block for primitives, in security arguments,... Many methods to sample lattice Gaussians existed in the toolbox of the cryptographers, but perhaps surprisingly, most of them felt unrelated one to another. This made it rather difficult to understand where improvement vectors could be found. In 14 we proposed a generic, abstract framework allowing to recover almost if not all known approaches, while opening-up the design space for further explorations. Among samplers we recover naturally are the important approach of as  49, 59. We provided novel samplers following this new avenues, illustrating how to use our framework. Some of our new designs demonstrated important security improvements in concrete schemes (such as Mitaka), while also displaying more simplicity in their description. On a more foundational aspect, we gave a new exact expansion of the so-called smoothing parameter of a lattice. This important quantity is used in many security arguments, where the finer the estimate, the better control over security one gets. We believe that this new expression has application in more mathematical aspects of lattice theory, such as improved transference bounds.

The Module Learning With Errors problem (M-LWE) is a core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency. The problem is parameterized by a secret distribution as well as an error distribution. There is a gap between the choices of those distributions for theoretical hardness results (standard formulation of M-LWE, i.e., uniform secret modulo $q$ and Gaussian error) and practical schemes (small bounded secret and error). In  3, we make progress towards narrowing this gap. More precisely, we prove that M-LWE with uniform $\eta$-bounded secret for any $1\le \eta \ll q$ and Gaussian error, in both its search and decision variants, is at least as hard as the standard formulation of M-LWE, provided that the module rank $d$ is at least logarithmic in the ring degree $n$. We also prove that the search version of M-LWE with large uniform secret and uniform $\eta$-bounded error is at least as hard as the standard M-LWE problem, if the number of samples $m$ is close to the module rank $d$ and with further restrictions on $\eta$. The latter result can be extended to provide the hardness of M-LWE with uniform $\eta$-bounded secret and error under specific parameter conditions. Overall, the results apply to all cyclotomic fields, but most of the intermediate results are proven in more general number fields.

Digital signature is an essential primitive in cryptography, which can be used as the digital analogue of handwritten signatures but also as a building block for more complex systems. In the latter case, signatures with specific features are needed, so as to smoothly interact with the other components of the systems, such as zero-knowledge proofs. This has given rise to so-called signatures with efficient protocols, a versatile tool that has been used in countless applications. Designing such signatures is however quite difficult, in particular if one wishes to withstand quantum computing. We are indeed aware of only one post-quantum construction, proposed by Libert et al. at Asiacrypt’16, yielding very large signatures and proofs.

In  17, we propose a new construction that can be instantiated both in standard lattices and structured ones, resulting in each case in dramatic performance improvements. In particular, the size of a proof of message-signature possession, which is one of the main metrics for such schemes, can be brought down to less than 650 KB. As our construction retains all the features expected from signatures with efficient protocols, it can be used as a drop-in replacement in all systems using them, which mechanically improves their own performance, and has thus a direct impact on many applications. It can also be used to easily design new privacy-preserving mechanisms. As an example, we provide the first lattice-based anonymous credentials system.

Practical implementations of advanced lattice-based constructions have received much attention since the first practical identity-based encryption scheme instantiated over NTRU-lattices, proposed by Prest et al. (Asiacrypt 2014). This particular design uses powerful lattice-based building blocks to allow efficient Gaussian preimage sampling and trapdoor generation. In  16, we propose two different constructions and implementations of identity-based encryption schemes (IBE) using Chen et al. (Asiacrypt 2019)approximate variants of “gadget-based” trapdoors. Both constructions are proven secure.

Our first IBE scheme is an adaptation of the Bert et al. scheme (PQCrypto 2021) to the approximate setting, relying on the Module-NTRU hardness assumption and making use of the Micciancio-Peikert paradigm for approximate trapdoors. The second IBE relies on a variant of the NTRU hardness assumption.

We provide several timings and a comparison analysis to explain our results. The two different instantiations give interesting trade-offs in terms of security and efficiency and both benefit from the use of approximate trapdoors. Though our second IBE construction is less efficient than other NTRU-based IBEs, we believe our work provides useful insights into efficient advanced lattice-based constructions.

In  15, we present a new generic transform that takes a multi-round interactive proof for the membership of a language L and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function H. However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model (NPROM). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum oracle model (QROM), surprisingly the security loss in QROM is independent from the number of rounds.

In  21, we study new factorization algorithms. The Number Field Sieve (NFS) is the state-of-the art algorithm for integer factoring, and sieving is its most crucial step. It is a very time-consuming operation, aiming at collecting many relations. The ultimate goal is to generate random smooth integers mod N together with their prime decomposition, where smooth is defined on the rational and algebraic sides according to two prime factor bases.

In modern factorization tools, such as Cado-NFS, sieving is split into different stages depending on the size of the primes, but defining good parameters for all stages is based on heuristic and practical arguments. At the beginning, candidates are sieved by small primes on both sides, and if they pass the test, they continue to the next stages with bigger primes, up to the final one where the remaining part is factored using the ECM algorithm. On the one hand, first stages are fast but many false relations pass them, and we spend a lot of time with useless relations. On the other hand final stages are more time demanding but outputs less relations. It is not easy to evaluate the performance of the best strategy on the overall sieving step since it depends on the distribution of numbers that results at each stage.

In  21, we examine different sieving strategies to speed-up this step, since many improvements have been done on all other steps of the NFS. Based on the relations collected during the record RSA-250 factorization and all its parameters, we study the many different strategies that have been defined for NFS. Our result is an experimental evaluation of them.

In 11, we present a single-trace attack on a BIKE Cortex-M4 implementation proposed by Chen et al. at CHES 2021. BIKE is a key-encapsulation mechanism, candidate to the NIST post-quantum cryptography standardisation process. We attack by exploiting the rotation function that circularly shifts an array depending on the private key. Chen et al. implemented two versions of this function, one in C and one in assembly. Our attack uses subtraces clustering combined with a combinatorial attack to recover the full private key. We obtained a high clustering accuracy in our experiments, and we provide ways to deal with the errors. We are able to recover all the private keys for the C implementation, and while the assembly version is harder to attack using our technique, we still manage to reduce BIKE Level-1 security from 128 to 65 bits for a significant proportion of the private keys.

In  8 we develop a new software attack on the WPA3. It is universally acknowledged that Wi-Fi communications are important to secure. Thus, the Wi-Fi Alliance published WPA3 in 2018 with a distinctive security feature: it leverages a Password-Authenticated Key Exchange (PAKE) protocol to protect users' passwords from offline dictionary attacks. Unfortunately, soon after its release, several attacks were reported against its implementations, in response to which the protocol was updated in a best-effort manner. In this paper, we show that the proposed mitigations are not enough, especially for a complex protocol to implement even for savvy developers. Indeed, we present Dragondoom, a collection of side-channel vulnerabilities of varying strength allowing attackers to recover users' passwords in widely deployed Wi-Fi daemons, such as hostap in its default settings. Our findings target both password conversion methods, namely the default probabilistic hunting-and-pecking and its newly standardized deterministic alternative based on SSWU. We successfully exploit our leakage in practice through microarchitectural mechanisms, and overcome the limited spatial resolution of Flush+Reload. Our attacks outperform previous works in terms of required measurements. Then, driven by the need to end the spiral of patch-and hack in Dragonfly implementations, we propose Dragonstar, an implementation of Dragonfly leveraging a formally verified implementation of the underlying mathematical operations, thereby removing all the related leakage vector. Our implementation relies on HACL*, a formally verified crypto library guaranteeing secret-independence. We design Dragonstar, so that its integration within hostap requires minimal modifications to the existing project. Our experiments show that the performance of HACL*-based hostap is comparable to OpenSSL-based, implying that Dragonstar is both efficient and proved to be leakage-free.

In  18, we study the security of Digital Rights Management Systems. Thanks to HTML5, users can now view videos on Web browsers without installing plug-ins or relying on specific devices. In 2017, W3C published Encrypted Media Extensions (EME) as the first official Web standard for Digital Rights Management (DRM), with the overarching goal of allowing seamless integration of DRM systems on browsers. EME has prompted numerous voices of dissent with respect to the inadequate protection of users. Of particular interest, privacy concerns were articulated, especially that DRM systems inherently require uniquely identifying information on users' devices to control content distribution better. Despite this anecdotal evidence, we lack a comprehensive overview of how browsers have supported EME in practice and what privacy implications are caused by their implementations. In this paper, we fill this gap by investigating privacy leakage caused by EME relying on proprietary and closed-source DRM systems. We focus on Google Widevine because of its versatility and wide adoption. We conduct empirical experiments to show that browsers diverge when complying EME privacy guidelines, which might undermine users' privacy. For instance, we find that many browsers gladly give away the identifying Widevine Client ID with no or little explicit consent from users. Moreover, we characterize the privacy risks of users tracking when browsers miss applying EME guidelines regarding privacy. Because of being closed-source, our work involves reverse engineering to dissect the contents of EME messages as instantiated by Widevine. Finally, we implement EME Track, a tool that automatically exploits bad Widevine-based implementations to break privacy.