
CONTACT

EPFL - I&C - LASEC

Station 14 - Building INF

CH-1015 Lausanne

Switzerland

Tel. +41 21 693 7603

Fax. +41 21 693 7689


- Cryptographic analysis
- Design of cryptographic algorithms and protocols
- Lightweight cryptography
- Secure communication
- Wireless security
- Composability and setup assumptions
- Methodology and theory for cryptography
- Number theory and cryptography
- Automated security verification

We study the design of lightweight cryptographic primitives of all kinds and their security.

- We have designed the **FOX (IDEA NXT)** block cipher.
- We have designed the **ARMADILLO** multi-purpose symmetric primitive.
- We have carried out cryptanalyses:
  - Unaligned Rebound Attack: Application on Keccak (FSE 2012)
  - Cryptanalysis of reduced-round MIBS Block cipher (CANS 2012)
  - Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers (INDOCRYPT 2010)
  - Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2) (FSE 2009)
  - Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT (CANS 2009)

We formalize and study security and privacy issues in RFID protocols. A closely related topic is the notion of **distance bounding** protocol, which aims to mitigate man-in-the-middle (relay) attacks by bounding the round-trip time of challenge-response exchanges.

- We have analyzed the security and privacy of **RFID** protocols and developed a formal model to assess it.
- We have analyzed the security of **distance bounding** protocols.
- We have proposed practical and provably secure **distance bounding** protocols.
- We have studied the **path checker** protocol for RFID.
- We have analyzed the standards for the **biometric passport** and alternatives:
  - Deniable RSA Signature: The Raise and Fall of Ali Baba (Cryptography and Security 2012)
  - The Extended Access Control for Machine Readable Travel Documents (BIOSIG 2009)
  - Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document (ACNS 2009)
  - E-Passport Threats (IEEE Security and Privacy Magazine 2007)
  - About Machine-Readable Travel Documents (Journal of Physics 2007)
  - About Machine-Readable Travel Documents (RFID Security 2007)
  - About Machine-Readable Travel Documents (ICS 2007)
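What a distance-bounding run looks like, as an added Python example that is not LASEC's code. It follows the familiar rapid-bit-exchange shape (shared key, two nonces, two derived response registers, then n single-bit rounds), which is an assumption of the example rather than the group's protocols. Propagation time is modelled from distance instead of being measured, so the verifier's two checks, correct bits and round trips within the bound, can be exercised against an honest prover, a prover that is too far away, a relay ("mafia fraud") attacker, and an impersonator without the key. Key, distances and the relay geometry are constructed.

```python
import hashlib
import hmac
import secrets

# Added illustration (not LASEC code).  Hancke-Kuhn style exchange; timing is
# modelled from distance, not measured.
N_ROUNDS = 32
SPEED_OF_LIGHT = 299_792_458.0        # metres per second
MAX_DISTANCE_M = 10.0                 # verifier's policy: prover must be within 10 m
RTT_BOUND_S = 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT


def registers(key, nonce_v, nonce_p, n=N_ROUNDS):
    """Derive the two n-bit response registers R0 and R1 from both nonces."""
    stream = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


class Prover:
    """Honest prover holding the shared key, distance_m away from the verifier."""

    def __init__(self, key, distance_m):
        self.key, self.distance_m = key, distance_m

    def start(self, nonce_v):
        self.nonce = secrets.token_bytes(16)
        self.r0, self.r1 = registers(self.key, nonce_v, self.nonce)
        return self.nonce

    def respond(self, i, challenge):
        # rapid phase: one bit in, one bit out, nothing but a table lookup
        return self.r1[i] if challenge else self.r0[i]

    def round_trip_s(self):
        return 2 * self.distance_m / SPEED_OF_LIGHT


class Relay:
    """Mafia-fraud attacker: sits near the verifier and forwards every bit to a
    far-away honest prover.  Every answer is right, but each bit travels the
    extra distance, so the round trip exceeds the bound."""

    def __init__(self, prover, distance_to_verifier_m, distance_to_prover_m):
        self.prover = prover
        self.path_m = distance_to_verifier_m + distance_to_prover_m

    def start(self, nonce_v):
        return self.prover.start(nonce_v)

    def respond(self, i, challenge):
        return self.prover.respond(i, challenge)

    def round_trip_s(self):
        return 2 * self.path_m / SPEED_OF_LIGHT


def verify(key, party, n=N_ROUNDS):
    """Verifier side.  Returns (all_bits_correct, all_rounds_within_bound)."""
    nonce_v = secrets.token_bytes(16)
    nonce_p = party.start(nonce_v)
    r0, r1 = registers(key, nonce_v, nonce_p, n)
    bits_ok = timing_ok = True
    for i in range(n):
        c = secrets.randbits(1)
        bits_ok &= party.respond(i, c) == (r1[i] if c else r0[i])
        timing_ok &= party.round_trip_s() <= RTT_BOUND_S
    return bits_ok, timing_ok


def demo():
    key = secrets.token_bytes(32)
    return {
        "near": verify(key, Prover(key, 3.0)),                        # honest, in range
        "far": verify(key, Prover(key, 50.0)),                        # honest, too far
        "relayed": verify(key, Relay(Prover(key, 0.0), 1.0, 40.0)),   # mafia fraud
        "wrong_key": verify(key, Prover(secrets.token_bytes(32), 3.0)),  # impersonation
    }
```

Only the combination of the two checks is meaningful: the relay passes the bit check and fails the timing check, the impersonator does the opposite. A real verifier also has to budget for the prover's processing delay in the rapid phase, which this model sets to zero.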

We contribute to advances in public-key cryptography by designing new algorithms.

- We have designed the **MOVA** invisible signature protocol, which provides the shortest possible signature length (in the random oracle model).
- We have designed the **TCHo** public-key cryptosystem and extensions:
  - HELEN: A Public-Key Cryptosystem Based on the LPN and the Decisional Minimal Distance Problems (AFRICACRYPT 2013)
  - TCHO: A Code-Based Cryptosystem (book chapter 2013)
  - HELEN: a Public-key Cryptosystem Based on the LPN Problem (Extended Abstract) (YACC 2012)
  - TCHo: a Hardware-Oriented Trapdoor Cipher (ACISP 2007)
  - When Stream Cipher Analysis Meets Public-Key Cryptography (SAC 2006)

- We have worked on other **lattice-based/code-based** cryptosystems.
- We have looked at how to get rid of prime number generation in cryptosystems.
- We have worked on **accumulators**.

We seek to make cryptographic schemes resilient to leakage and composable.

- We have studied **key agreement** based on a narrowband out-of-band channel:
  - User-Aided Data Authentication (Journal of Security and Networks 2009)
  - SAS-Based Group Authentication and Key Agreement Protocols (PKC 2008)
  - An Optimal Non-Interactive Message Authentication Protocol (CT-RSA 2006)
  - SAS-based Authenticated Key Agreement (PKC 2006)
  - Secure Communications over Insecure Channels based on Short Authenticated Strings (CRYPTO 2005)

- We have studied **tamper resistance/evidence** and proved that it can create new primitives such as **proofs of ignorance** and break deniability or anonymity.
- We have studied **isolation** in protocol exchanges as a setup assumption.
- We have worked on **leakage-resiliency** in protocols.
- We have studied encryption of variable-length messages.

We analyze the security of cryptographic primitives and protocols. Sometimes, this leads us to demonstrating insecurity.

- We have broken the **Chor-Rivest cryptosystem**.
- We have shown the insecurity of **SSL/TLS encryption** based on block ciphers by using padding oracles (through timing attacks).
- We have exhibited the best known attack on **Bluetooth/E0** encryption.
- We have optimized the best known passive attacks on **WEP and WPA**.
- We have studied leakage by electromagnetic emanation from **keyboards**.

We optimize algorithms which are used in cryptanalysis.

- We have studied **statistical attacks**:
  - Expected Loss Bounds for Authentication in Constrained Channels (INFOCOM 2012)
  - Statistical Attack on RC4: Distinguishing WPA (EUROCRYPT 2011)
  - Distinguishing Distributions Using Chernoff Information (PROVSEC 2010)
  - A new Approach to chi^2 Cryptanalysis of Block Ciphers (ISC 2009)
  - Optimal Key Ranking Procedures in a Statistical Cryptanalysis (FSE 2003)
  - An experiment on DES statistical cryptanalysis (ACM CCS 1996)

- We have studied **algebraic attacks**.
- We have developed **decorrelation theory**:
  - Resistance against Adaptive Plaintext-Ciphertext Iterated Distinguishers (INDOCRYPT 2012)
  - Resistance Against Iterated Attacks by Decorrelation Revisited (CRYPTO 2012)
  - Decorrelation: a Theory for Block Cipher Security (Journal of Cryptology 2003)
  - On the Use of GF-Inversion as a Cryptographic Primitive (SAC 2003)
  - Resistance against General Iterated Attacks (EUROCRYPT 1999)

We develop methods to automatically verify the security of protocols.

- We have presented a methodology for the automatic verification of security protocols against temporal-epistemic specifications derived from higher-level descriptions given over convergent equational theories.

We study **identification protocols** over radio links for very low-cost devices. We concentrate on **privacy** issues and security. We exhibit flaws in several proposed protocols. We derive a new protocol based on key search with time-memory tradeoffs, together with applications and comparisons with alternative protocols. We formalize the notion of privacy and its connection with the various communication layers.

We enjoy breaking cryptographic schemes or studying ways to prove their security. So far, we have played with the **Chor-Rivest cryptosystem** (one of the earliest cryptosystems based on knapsacks) and **TLS** (against which we mounted a timing attack over a network, using tools from our optimal distinguisher techniques). We also developed the **decorrelation theory**.
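The CBC padding-oracle attack referred to here and in the list above (insecurity of SSL/TLS encryption with block ciphers, via padding oracles and timing), as an added Python example that is not LASEC's code. The TLS attack turned a timing difference between a padding failure and a MAC failure into a single bit per query; below the oracle answers that bit explicitly, and the block cipher is a constructed four-round Feistel toy rather than the cipher of a TLS record, since the attack needs nothing from the cipher beyond CBC chaining and a padding check. The attacker recovers the whole plaintext without the key, one byte per block position, using at most 256 queries per byte.

```python
import hashlib
import secrets

BLOCK, ROUNDS = 16, 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_function(key, rnd, half):
    # constructed toy round function; any block cipher would do for the attack
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def make_oracle(key):
    # The leak: one bit, "was the padding valid?".  In the TLS attack this bit
    # was a timing difference, not an explicit answer.  Returns (oracle, counter).
    calls = [0]
    def oracle(iv, ciphertext):
        calls[0] += 1
        try:
            unpad(cbc_decrypt(key, iv, ciphertext))
            return True
        except ValueError:
            return False
    return oracle, calls

def recover_block(oracle, prev, target):
    """Learn D_key(target) byte by byte from the oracle, then XOR with prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_byte = BLOCK - pos            # force bytes pos..15 to decrypt to pad_byte
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_byte
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # rule out an accidental longer padding such as ..02 02: flip the
                # preceding byte; a genuine 01 padding stays valid, a longer one breaks
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ pad_byte
            break
        else:
            raise RuntimeError("no padding-valid byte found")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    return unpad(plaintext)

def demo():
    key, iv = secrets.token_bytes(32), secrets.token_bytes(BLOCK)
    message = b"constructed sample: attack at dawn"   # 34 bytes -> 3 CBC blocks
    oracle, calls = make_oracle(key)
    recovered = padding_oracle_attack(oracle, iv, cbc_encrypt(key, iv, pad(message)))
    return message, recovered, calls[0]
```

The defence the attack dictates is to remove the bit: check the MAC before (or independently of) the padding and take the same time and code path on either failure, or use an authenticated encryption mode so that no unauthenticated ciphertext is ever decrypted.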

In this project we study, analyze and construct stream ciphers and related toolkits. We derive a framework to identify and construct **optimal distinguishers** between random sources. The notion of **sequential distinguisher** and the link between distinguishers and hypothesis testing are identified. We provide attacks against the standard **Bluetooth encryption E0**. We construct a **trapdoor stream cipher**, that is, a new public-key cryptosystem for which encryption is low-cost since it is entirely based on stream cipher techniques.

In this project we study alternative mechanisms to set up a secure communication channel, that is, to establish a symmetric key. We derive and analyze a protocol to authenticate arbitrary digital information over an insecure channel, provided that we have at our disposal a secure channel which can be used to authenticate a very short string. This can be used, for instance, to authenticate a Diffie-Hellman protocol or a public key with only a little help from human monitoring. The main applications are **local wireless communications** and **peer-to-peer security**. We derive and analyze variants which are non-interactive or have integrated key agreement. We construct a series of 3-party protocols including a human operator who can be involved in small computations. We analyze the **Bluetooth** key establishment protocol and show that its security could be higher than expected if properly used.
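The short-authenticated-string (SAS) message authentication exchange this paragraph describes, as an added Python example that is not LASEC's code. It follows the three-move structure of the CRYPTO 2005 protocol: Alice sends the message and a commitment to a random R_A over the insecure channel, Bob replies with a random R_B, Alice opens the commitment, and the SAS = R_A xor R_B travels over the authenticated (human-compared) channel. The hash-based commitment, the 8-bit SAS (kept tiny so the attack's success rate is visible in simulation; a deployment would use 15 to 20 bits) and the message strings are assumptions of the example. The adversary shown substitutes the message and plays the best strategy available to it: learn R_A first, then commit to its own R_A' before Bob reveals R_B. Bob's check passes only when the adversary has guessed R_B, so its success rate is 2^-k per attempt.

```python
import hashlib
import random

# Added illustration (not LASEC code).  SAS length is constructed small.
SAS_BITS = 8


def commit(message, r_a, salt):
    """Hash commitment to (message, R_A); opening is d = (R_A, salt).
    Constructed for the example: the protocol needs any hiding, binding commitment."""
    data = len(message).to_bytes(4, "big") + message + r_a.to_bytes(4, "big") + salt
    return hashlib.sha256(data).digest(), (r_a, salt)


def open_commitment(message, c, d):
    r_a, salt = d
    if commit(message, r_a, salt)[0] != c:
        raise ValueError("decommitment does not match")
    return r_a


class Alice:
    """Sender: wants Bob to accept message m as coming from her."""

    def __init__(self, message, rng):
        self.m = message
        self.r_a = rng.getrandbits(SAS_BITS)
        self.salt = rng.getrandbits(128).to_bytes(16, "big")

    def step1(self):                         # insecure channel: m, c
        self.c, self.d = commit(self.m, self.r_a, self.salt)
        return self.m, self.c

    def step3(self, r_b):                    # insecure channel: d (opens c)
        self.r_b = r_b
        return self.d

    def sas(self):                           # authenticated channel: k-bit string
        return self.r_a ^ self.r_b


class Bob:
    def __init__(self, rng):
        self.r_b = rng.getrandbits(SAS_BITS)

    def step2(self, m, c):                   # insecure channel: R_B
        self.m, self.c = m, c
        return self.r_b

    def verify(self, d, sas):
        """Accept m iff the opened R_A and own R_B reproduce the authenticated SAS."""
        try:
            r_a = open_commitment(self.m, self.c, d)
        except ValueError:
            return None
        return self.m if r_a ^ self.r_b == sas else None


def honest_run(message, seed=0):
    rng = random.Random(seed)
    alice, bob = Alice(message, rng), Bob(rng)
    m, c = alice.step1()
    r_b = bob.step2(m, c)
    d = alice.step3(r_b)
    return bob.verify(d, alice.sas())


def mitm_run(message, forged, rng):
    """Adversary replaces m by `forged`.  It finishes Alice's session first to
    learn R_A, then must commit to its own R_A' before Bob reveals R_B; Bob's
    check R_A' ^ R_B == R_A ^ R_B' passes only if the adversary guessed R_B."""
    alice, bob = Alice(message, rng), Bob(rng)
    m, c = alice.step1()                         # intercepted, not delivered
    r_b_fake = rng.getrandbits(SAS_BITS)         # adversary plays Bob towards Alice
    r_a = open_commitment(m, c, alice.step3(r_b_fake))
    guess = rng.getrandbits(SAS_BITS)            # adversary's guess of Bob's R_B
    r_a_fake = r_a ^ r_b_fake ^ guess            # passes Bob's check iff guess == R_B
    c2, d2 = commit(forged, r_a_fake, rng.getrandbits(128).to_bytes(16, "big"))
    bob.step2(forged, c2)                        # R_B is revealed only now
    return bob.verify(d2, alice.sas())           # SAS arrives untouched (authenticated)


def attack_success_rate(trials=4096, seed=7):
    rng = random.Random(seed)
    wins = sum(mitm_run(b"pay 10 CHF", b"pay 10000 CHF", rng) is not None
               for _ in range(trials))
    return wins / trials
```

The point the simulation makes is that the authenticated channel only ever carries k bits, yet the adversary's chance is 2^-k regardless of how much it tampers with the insecure channel; that is what lets the SAS be short enough for a human to compare, and why the commitment must hide R_A until R_B is fixed.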

In this project we derive and analyze a series of **undeniable signature** schemes and variants, and we study applications. We derive **MOVA**, a generic undeniable signature scheme with arbitrarily small signature length, based on a secret group homomorphism which is hard to interpolate. We study several group homomorphisms and implementation issues.