• Gilles Van Assche, – Keccak and permutation-based symmetric cryptography

In the last decades, mainstream symmetric cryptography has been dominated by block ciphers: block cipher modes of use have been employed to perform encryption, MAC computation, authenticated encryption and even internally in hash functions. One could therefore argue that the « swiss army knife » title usually attributed to the hash function belongs to the block cipher. In the last 5 years, Guido Bertoni, Joan Daemen, Michaël Peeters and I have proposed hashing (keyed or non-keyed), encryption (authenticated or plain) and other modes of use based on a fixed-length permutation rather than a block cipher. Such a permutation can be seen as a block cipher without a dedicated key input and can be constructed in the same way: by iterating a simple round function. Our modes, built on top of the sponge and duplex constructions, are simpler than the traditional block cipher modes and offer at the same time more flexibility. When designing a permutation suitable for this purpose, an obvious advantage is the absence of a key schedule. Moreover, thanks to the fact that the modes do not require the inverse permutation, there is also more freedom in the round function design than in the case of a block cipher.

This will be illustrated by the design of Keccak, which was submitted to the NIST SHA-3 competition and selected on October 2, 2012, to become the future SHA-3 standard.

Gilles.van.Asche-11-01-2012 (format pdf) Voir aussi keccak.noekeon.org, et sponge.noekeon.org

  • Anja Becker, – How to improve information set decoding exploiting that 1+1=0.

At Eurocrypt 2010, Howgrave-Graham and Joux described an algorithm for solving hard knapsacks of n elements and density close to 1 in time O(2^{0.337n}0 and memory O(2^{0.256n}). This improved a 30-year old algorithm by Shamir and Schroeppel of running time O(2^{0.5n}) and memory requirement O(2^{0.25n}). In this talk we will present the following: Using the simple observation that the solution to the knapsack problem, a binary vector, can be represented by two overlapping vectors with coefficients in {-1,0,1} , we can obtain a better algorithm of running time O(2^{0.291n}). Furthermore, this technique can be applied to improve information set decoding attacking linear codes such as used in McEliece public key encryption. We can improve recent results on half-distance decoding such as Ball-collision decoding and May-Meurer-Thomae–ISD of asymptotic time complexity O({2^{0.056n}}) and O(2^{0.054n}), respectively. Previous attempts split the solution vector in disjoint parts. We search the solution as decomposition of two overlapping vectors which permits to reduce the running time to O(2^{0.049n}) in the asymptotic case. The talk is based on the publications: http://eprint.iacr.org/2011/474 http://eprint.iacr.org/2012/026\\ a joint work with Jean-Sébastien Coron, Antoine Joux, Alexander Meurer and Alexander May.

Anja.Becker-11-01-2012 (format pdf)

  • Emmanuel Prouff, – Partage de Secret et Preuves de Sécurité En présence de Fuites d’Information

L’implantation des algorithmes cryptographiques est particulièrement sensible aux attaques dites par canaux auxiliaires. Ces dernières sont capables d’extraire de l’information sensible grâce à l’observation du comportement du matériel sur lequel se déroule les calculs. Depuis leur introduction dans le milieu des années 90, la protection des implantations contre ce type d’attaques a servi de base à une nouveau domaine de recherche, soutenu à la fois par les milieux de la recherche industrielle et académique. Parmi les nombreuses approches proposées, un technique appelée masquage des données s’est imposée comme étant celle offrant les meilleures garanties de sécurité. Les méthodes utilisées pour masquer un algorithme se sont révélées être très proches des schémas roposés en théorie du calcul multipartie sécurisé (SMC en anglais). Au cours de mon exposé, je propose de dresser une état de l’art des techniques de masquage et d’identifier précisément les ressemblances et différences avec les problématiques étudiées en SMC. J’en profiterai pour montrer comment il est possible d’exhiber des bornes de sécurité pour les implantations protégées grâce au masquage.

  • Matthieu Legeay, -« Utilisation du groupe de permutations des codes correcteurs pour améliorer l’efficacité du décodage »