Applied Crypto Group

LACS Seminar, May 11th, 2018, 10:30 AM, room MNO-E03-25-110, Belval Campus.

Claire Delaplace (University of Rennes, France). Revisiting and Improving Algorithms for the 3XOR Problem

Abstract: The 3SUM problem is a well-known problem in computer science and many geometric problems have been reduced to it. We study the 3XOR variant which is more cryptologically relevant. In this problem, the attacker is given black-box access to three random functions $F$, $G$ and $H$ and she has to find three inputs $x$, $y$ and $z$ such that $F(x) \oplus G(y) \oplus H(z) = 0$. The 3XOR problem is a difficult case of the more-general k-list birthday problem.

Wagner's celebrated k-list birthday algorithm, and the ones inspired by it, work by querying the functions more than strictly necessary from an information-theoretic point of view. This gives some leeway to target a solution of a specific form, at the expense of processing a huge amount of data. However, to handle such a huge amount of data can be very difficult in practice. This is why we first restricted our attention to solving the 3XOR problem for which the total number of queries to $F$, $G$ and $H$ is minimal. If they are $n$-bit random functions, it is possible to solve the problem with roughly $O(2^{n/3})$ queries. In this setting, the folklore quadratic algorithm finds a solution after $O(2^{2n/3})$ operations.

We present a 3XOR algorithm that generalizes an idea of Joux, with complexity $O(2^{2n/3} / n)$ in time and $O(2^{n/3})$ in space. This algorithm is practical: it is up to 3 times faster than the quadratic algorithm. Furthermore, we show that it is possible to adapt this algorithm to any number of queries, so that it will always be at least as good as, if not better than, Wagner's descendants in the same settings. We also revisit a 3SUM algorithm by Baran-Demaine-Patrascu which is asymptotically $n^2 / \log^2 n$ times faster than the quadratic algorithm when adapted to the 3XOR problem, but is otherwise completely impractical.

This is a joint work with Pierre-Alain Fouque and Charles Bouillaguet.

LACS Seminar, April 13th, 2018, 11:00 AM, room MNO-E03-25-110, Belval Campus.

Benoit Cogliati. Provable security in symmetric cryptography

Abstract: Provable security is an essential part of both symmetric and public-key cryptography. Indeed, security proofs can increase confidence in the resistance of an algorithm against various types of attacks and justify its soundness. Moreover, theorems guide the choice of the security parameters in applications. In this context, tight security proofs are essential, since they prevent the use of unnecessarily high values for those parameters. In this talk, I will start by giving an overview of the indistinguishability notion and of the main theoretical models that are considered in symmetric cryptography. I will then illustrate these notions by presenting several results on the design of tweakable block ciphers, and on the construction of provably secure MACs based on block ciphers and tweakable block ciphers.

LACS Seminar, November 22nd, 2017, 10:30 AM, room MNO-E03-25-110, Belval Campus.

Tancrede Lepoint. Post-Quantum Cryptography using Module Lattices

Abstract: Recent advances in quantum computing and the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digital-signature, encryption, and key-establishment protocols, spurred on the design and analysis of many post-quantum cryptographic schemes. One of the most efficient quantum-resilient alternatives for the above basic primitives is that of lattice cryptography.

Many lattice cryptography schemes are based on the learning-with-error problem over a ring. Past works have described digital signature schemes, encryption schemes, and key encapsulation mechanisms in one of two ways. Either they set the ring as Z_q[x]/(x^n+1) or as Z_q^n. The former choice results in schemes based on the hardness of the Ring-LWE and Ring-SIS problems (or the NTRU problem), while the latter choice of parameters results in schemes based on the LWE and SIS problems. In this talk, we consider the general case of setting the ring to (Z_q[x]/(x^d+1))^m, and design schemes based on the Module-LWE and Module-SIS hardness assumption. First, we explain how module lattices enable to design cryptographic primitives that are not only simple to implement securely, conservatively designed, and have a small memory footprint, but are modular, i.e., easily enable to vary security while keeping the same core operations. Then, we present CRYSTALS, the Cryptographic Suite for Algebraic Lattices submitted to the NIST call for post-quantum standards, that includes Kyber (Bos et al., 2017), a key encapsulation mechanism, and Dilithium (Ducas et al., 2017), a digital signature.

LACS Crypto Day, June 13th, 2017, room MSA 4.410, Belval campus