Research topics

• Cryptographic analysis
• Design of cryptographic algorithms and protocols
• Lightweight cryptography
• Secure communication
• Wireless security
• Composability and setup assumptions
• Methodology and theory for cryptography
• Number theory and cryptography
• Automated security verification

 Research projects

Lightweight Cryptography

We study the design of lightweight cryptographic primitives of all kinds and their security.

• We have designed the FOX (IDEA NXT) block cipher.
  • FOX Specifications Version 1.2 (Technical Report 2005)
  • FOX: a New Family of Block Ciphers (SAC 2004)
• We have designed the ARMADILLO multi-purpose symmetric primitive.
  • Multipurpose Cryptographic Primitive ARMADILLO3 (CARDIS 2012)
  • Fast Key Recovery Attack on ARMADILLO1 and Variants (CARDIS 2011)
  • ARMADILLO: A Multi-purpose Cryptographic Primitive Dedicated to Hardware (CHES 2010)
• We have carried out cryptanalyses.
  • Unaligned Rebound Attack: Application on Keccak (FSE 2012)
  • Cryptanalysis of reduced-round MIBS Block cipher (CANS 2012)
  • Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers (INDOCRYPT 2010)
  • Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2) (FSE 2009)
  • Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT (CANS 2009)

RFID and Distance Bounding

We formalize and study security and privacy issues in RFID protocols. A quite related topic is the notion of distance bounding protocol that aims to mitigate man-in-the-middle attacks.

• We have analyzed the security and privacy of RFID protocols and developed a formal model to assess it.
  • Strong Privacy for RFID Systems from Plaintext-Aware Encryption (CANS 2012)
  • Smashing SQUASH-0 (EUROCRYPT 2009)
  • Mutual Authentication in RFID: Security and Privacy (ASIACCS 2008)
  • On the Security of HB# against a Man-in-the-Middle Attack (ASIACRYPT 2008)
  • On Privacy Models for RFID (ASIACRYPT 2007)
• We have analyzed the security of distance bounding protocols.
  • The Bussard-Bagga and Other Distance-Bounding Protocols under Attacks (INSCRYPT 2012)
  • Mafia Fraud Attack against the RC Distance-Bounding Protocol (IEEE RFID TA 2012)
  • On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols (LATINCRYPT 2012)
• We proposed practical and provably secure distance bounding protocols.
  • Practical & Provably Secure Distance-Bounding (ISC 2013)
  • On Modeling Terrorist Frauds (PROVSEC 2013)
  • Secure & Lightweight Distance-Bounding (LIGHTSEC 2013)
  • Towards Secure Distance Bounding (FSE 2013)
• We have studied the path checker protocol for RFID.
  • Pathchecker: An RFID Application for Tracing Products in Supply-Chains (RFIDsec 2009)
• We have analyzed the standards for the biometric passport and alternatives.
  • Deniable RSA Signature: The Raise and Fall of Ali Baba (Cryptography and Security 2012)
  • The Extended Access Control for Machine Readable Travel Documents (BIOSIG 2009)
  • Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document (ACNS 2009)
  • E-Passport Threats (IEEE Security and Privacy Magazine 2007)
  • About Machine-Readable Travel Documents (Journal of Physics 2007)
  • About Machine-Readable Travel Documents (RFID Security 2007)
  • About Machine-Readable Travel Documents (ICS 2007)

Design of Public-Key Cryptography Primitives

We contribute to advances in public-key cryptography by designing new algorithms.

• We have designed the MOVA invisible signature protocol which provides the shortest possible signature length (in the random oracle model).
  • Short Undeniable Signatures Based on Group Homomorphisms (Journal of Cryptology 2011)
  • Optimization of the MOVA Undeniable Signature Scheme (MYCRYPT 2005)
• We have designed the TCHo public-key cryptosystem and extensions.
  • HELEN: A Public-Key Cryptosystem Based on the LPN and the Decisional Minimal Distance Problems (AFRICACRYPT 2013)
  • TCHO: A Code-Based Cryptosystem (book chapter 2013)
  • HELEN: a Public-key Cryptosystem Based on the LPN Problem (Extended Abstract) (YACC 2012)
  • TCHo: a Hardware-Oriented Trapdoor Cipher (ACISP 2007)
  • When Stream Cipher Analysis Meets Public-Key Cryptography (SAC 2006)
• We worked on other lattice-based/code-based cryptosystems.
  • Cryptanalysis of the Double-Moduli Cryptosystem (Int'l J. of Communications, Network and System Sciences 2012)
• We looked at how to get rid of prime number generation in cryptosystems.
  • Primeless Factoring-Based Cryptography (ACNS 2013)
  • Primeless Modular Cryptography (Extended Abstract) (YACC 2012)
• We worked on accumulators.
  • A Fully Dynamic Universal Accumulator (RCD 2013)

Robust Cryptography, Composability, and Setup Assumptions

We seek for making cryptographic schemes resilient to leakage and being composable.

• We have studied key agreement based on a narrowband out-of-band channel.
  • User-Aided Data Authentication (Journal of Security and Networks 2009)
  • SAS-Based Group Authentication and Key Agreement Protocols (PKC 2008)
  • An Optimal Non-Interactive Message Authentication Protocol (CT-RSA 2006)
  • SAS-based Authenticated Key Agreement (PKC 2006)
  • Secure Communications over Insecure Channels based on Short Authenticated Strings (CRYPTO 2005)
• We have studied tamper resistance/evidence and proved that it can create new primitives such as proofs of ignorance and break deniability or anonymity.
  • Deniable RSA Signature: The Raise and Fall of Ali Baba (Cryptography and Security 2012)
  • On Tamper-Resistance from a Theoretical Viewpoint: The Power of Seals (CHES 2009)
  • Several Weak Bit-Commitments Using Seal-Once Tamper-Evident Devices (PROVSEC 2012)
• We have studied isolation in protocol exchanges as a setup assumption.
  • Input-Aware Equivocable Commitments and UC-secure Commitments With Atomic Exchanges (PROVSEC 2013)
• We worked on leakage-resiliency in protocols.
  • Masking vs. Multiparty Computation: How Large Is the Gap for AES? (CHES 2013)
  • Outsourced Pattern Matching (ICALP 2013)
• We have studied encryption of variable-length messages.
  • On Hiding a Plaintext Length by Preencryption (ACNS 2011)
  • On the Impossibility of Strong Encryption over aleph_0 (IWCC 2009)

Cryptanalysis

We analyze the security of cryptographic primitives and protocols. Sometimes, this leads us to demonstrating insecurity.

• We have broken the Chor-Rivest Cryptosystem.
  • Cryptanalysis of the Chor-Rivest cryptosystem (Journal of Cryptology 2001)
• We have shown the insecurity of SSL/TLS encryption based on block ciphers by using padding oracles (through timing attacks).
  • Password Interception in a SSL/TLS Channel (CRYPTO 2003)
  • Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS... (EUROCRYPT 2002)
• We have exhibited the best known attack on Bluetooth/E0 encryption.
  • The Conditional Correlation Attack: a Practical Attack on Bluetooth Encryption (CRYPTO 2005)
  • Faster Correlation Attack on Bluetooth Keystream Generator E0 (CRYPTO 2004)
  • Cryptanalysis of Bluetooth Keystream Generator Two-level E0 (ASIACRYPT 2004)
• We have optimized the best known passive attacks on WEP and WPA.
  • Smashing WEP in A Passive Attack (FSE 2013)
  • Statistical Attack on RC4: Distinguishing WPA (EUROCRYPT 2011)
  • Discovery and Exploitation of New Biases in RC4 (SAC 2010)
  • Passive-Only Key Recovery Attacks on RC4 (SAC 2007)
• We have studied leakage by electromagnetic emanation from keyboards.
  • An Improved Technique to Discover Compromising Electromagnetic Emanations (EMC 2010)
  • Compromising Electromagnetic Emanations of Wired and Wireless Keyboards (USENIX Security 2009)

Methodology and Theory

We optimize algorithms which are used in cryptanalysis.

• We have studied statistical attacks.
  • Expected Loss Bounds for Authentication in Constrained Channels (INFOCOM 2012)
  • Statistical Attack on RC4: Distinguishing WPA (EUROCRYPT 2011)
  • Distinguishing Distributions Using Chernoff Information (PROVSEC 2010)
  • A new Approach to chi^2 Cryptanalysis of Block Ciphers (ISC 2009)
  • Optimal Key Ranking Procedures in a Statistical Cryptanalysis (FSE 2003)
  • An experiment on DES statistical cryptanalysis (ACM CCS 1996)
• We have studied algebraic attacks.
  • ElimLin Algorithm Revisited (FSE 2012)
• We have developed decorrelation theory.
  • Resistance against Adaptive Plaintext-Ciphertext Iterated Distinguishers (INDOCRYPT 2012)
  • Resistance Against Iterated Attacks by Decorrelation Revisited (CRYPTO 2012)
  • Decorrelation: a Theory for Block Cipher Security (Journal of Cryptology 2003)
  • On the Use of GF-Inversion as a Cryptographic Primitive (SAC 2003)
  • Resistance against General Iterated Attacks (EUROCRYPT 1999)

Automated Security Verification

We develop methods to verify automatically security of protocols.

• We have presented a methodology for the automatic verification of security protocols against temporal-epistemic specifications derived from higher-level descriptions given over convergent equational theories.
  • Automatic Verification of Temporal Epistemic Logic under Convergent Equational Theories (AAMAS 2012)

 Past research projects

RFID Security

We study identification protocols over radio link for very low-cost devices. We concentrate on privacy issues and security. We yield flaws in several proposed protocols. We derive a new protocol based on key search with time-memory tradeoffs together with applications and comparisons with alternate protocols. We formalize the notion of privacy and the connection with various communication layers.

Cryptographic Analysis

We enjoy breaking cryptographic schemes or studying ways to prove their security. So far, we played with the Chor-Rivest cryptosystem (one of the earliest cryptosystem based on knapsacks) and TLS (against which we mounted a timing attack over a network by using tools from our optimal distinguisher techniques). We also developed the decorrelation theory.

Stream Ciphers

In this project we study, analyze, construct stream ciphers and related toolkits. We derive a framework to identify and construct optimal distinguishers between random sources. The notion of sequential distinguisher and the link between distinguishers and hypothesis testing is identified. We provide attacks against the standard Bluetooth encryption E0. We construct a trapdoor stream cipher, that is a new public-key cryptosystem for which encryption is low-cost since entirely based on stream cipher techniques.

Ad-hoc Key Establishment

In this project we study alternate mechanisms to set up a secure communication channel, that is to establish a symmetric key. We derive and analyze a protocol to authenticate an arbitrary digital information over an insecure channel provided that we have a secure channel at disposal which can be used to authenticate a very short string. This can be used for instance to authenticate a Diffie-Hellman protocol or a public key with (only little) help of human monitoring. Main applications are for local wireless communications and peer-to-peer security. We derive and analyze variants which are non-interactive or with integrated key agreement. We construct series of 3-party protocols including a human operator who can be involved in small computations. We analyze the Bluetooth key establishment protocol and show that security could be higher than expected if properly used.

Short Signatures

In this project we derive and analyze a series of undeniable signature schemes and variants and we study applications. We derive MOVA, a generic undeniable signature scheme with arbitrary small signature length based on a secret group homomorphism which is hard to interpolate. We study several group homomorphisms and implementation issues.