
INRIA, Evaluation of Theme Sym B

Project-team CODES

November 2006

Project-team title: CODES
Scientific leader: Nicolas Sendrier
Research center: Rocquencourt

1 Personnel

Personnel (March 2002). Columns: Misc. | INRIA | CNRS | University | Total
- DR (1) / Professors: 1, 1; total 2
- CR (2) / Assistant Professors: 4; total 4
- Permanent Engineers (3): (no entry)
- Temporary Engineers (4): (no entry)
- PhD Students: 5, 1, 3; total 9
- Post-Doc.: 1; total 1
- Total: 5, 6, 5; total 16
- External Collaborators: 6, 4; total 9
- Visitors (> 1 month): (no entry)

(1) “Senior Research Scientist (Directeur de Recherche)”
(2) “Junior Research Scientist (Chargé de Recherche)”
(3) “Civil servant (CNRS, INRIA, ...)”
(4) “Associated with a contract (Ingénieur Expert or Ingénieur Associé)”

Personnel (November 2006). Columns: Misc. | INRIA | CNRS | University | Total
- DR / Professors: 3; total 3
- CR / Assistant Professors: 2; total 2
- Permanent Engineer: (no entry)
- Temporary Engineer: (no entry)
- PhD Students: 6, 4, 1; total 11
- Post-Doc.: 1; total 1
- Total: 7, 9, 1; total 17
- External Collaborators: 5, 2; total 8
- Visitors (> 1 month): (no entry)

Changes in staff (Misc. | INRIA | CNRS | University | total; rows DR / Professors and CR / Assistant Professors; Arrival / Leaving): (no entry)

Comments: Claude Carlet was moved from “Staff” to “External Collaborators” because of his involvement at the University Paris 8. Nicolas Sendrier and Anne Canteaut have been promoted from CR to DR during the period. Jean-Pierre Tillich was on a temporary INRIA CR position (“détachement”) and now has a permanent INRIA CR position. The following researchers had a temporary position in the group during the period:

• Enes Pasalic (Post-doc. in 2003)

• Emmanuel Cadic (Post-doc. in 2004)

• Avishek Adhikari (Post-doc. in 2004/2005)

• Michael Quisquater (Post-doc. in 2005/2006)

• Marine Minier (“Ingénieur Expert” in 2004/2005)

• Fabien Galand (“Ingénieur Expert” in 2005/2006)

Current composition of the project-team (November 2006):

• Anne Canteaut, DR INRIA

• Pascale Charpin, DR INRIA

• Nicolas Sendrier, DR INRIA

• Daniel Augot, CR INRIA

• Jean-Pierre Tillich, CR INRIA

• Deepak Dalai, Post-doc., French ministry of research scholarship (starting 12/2006)

• Bhaskar Biswas, PhD Student, INRIA scholarship

• Thomas Camara, PhD Student, MERT scholarship

• Christophe Chabot, PhD Student, DGA scholarship

• Mathieu Cluzeau, PhD Student, DGA scholarship

• Frédéric Didier, PhD Student, AMN scholarship

• Cédric Faure, PhD Student, AMN scholarship

• Yann Laigle-Chapuy, PhD Student, AMN scholarship

• Cédric Lauradoux, PhD Student, INRIA scholarship

• Maria Naya Plasencia, PhD Student, INRIA scholarship

• Andrea Röck, PhD Student, INRIA scholarship

• Bassem Sakkour, PhD Student, ENSTA scholarship

• Claude Carlet, External Collaborator, Professor, University Paris 8

• Guy Chassé, External Collaborator, Professor, École des Mines de Nantes

• Françoise Levy-dit-Vehel, External Collaborator, Professor, ENSTA

• Pierre Loidreau, External Collaborator, Professor, ENSTA

• Matthieu Finiasz, External Collaborator, Post-doc., EPFL, Switzerland

• Grigory Kabatianskiy, External Collaborator, Researcher IPIT, Russia

• Harold Ollivier, External Collaborator, French ministry of finances

• Ayoub Otmani, External Collaborator, Assistant Professor, University of Caen

Current position of former project-team members (including PhD students during the period):

• Gregory Olocco, Prospective Department Manager, Air Liquide, Paris

• Cédric Tavernier, R&D engineer, Thalès, Colombes

• Matthieu Finiasz, Post-doc., EPFL, Switzerland ∗

• Harold Ollivier, French ministry of finances ∗

• Fabien Galand, Post-doc., IRISA, Rennes

• Magali Bardet, Assistant Professor, University of Rouen

• Carmen Nedeloaia, ATER, University of Paris 8

• Marine Minier, Assistant Professor, INSA Lyon

• Marion Videau, Assistant Professor, University of Nancy

• Ludovic Perret, Post-doc., UCL, Louvain, Belgium

• Michael Quisquater, Assistant Professor, University of Versailles Saint-Quentin

• Raghav Bhaskar, Post-doc., Microsoft Research, Bangalore, India

∗ also listed as external collaborators.

Last INRIA enlistments

• Nicolas Sendrier, DR2, 2003

• Jean-Pierre Tillich, CR1, 2003

• Anne Canteaut, DR2, 2006

All three were already in the research staff in March 2002, with a different status.

Other comments: Nicolas Sendrier, with Daniel Augot as vice-leader, replaced Pascale Charpin as scientific leader in 2002.

2 Work progress

2.1 Keywords

Symmetric cryptography, Asymmetric cryptography, Algebraic coding theory, Iterative decoding, Discrete mathematics, Boolean functions, Code recognition

2.2 Context and overall goal of the project

The research work of the project-team CODES is mostly devoted to the design and analysis of cryptographic algorithms through the study of the discrete structures that they involve. Our multiple competences in mathematics and algorithmics have allowed us to address a large variety of problems related to information protection. Most of our work mixes fundamental aspects (study of mathematical objects) and practical aspects (cryptanalysis, design of algorithms, implementations). Our application domains are mainly cryptography, error correcting codes and code recognition (“electronic war”). Even though these domains may appear different, our approach is unified. For instance, decoding techniques are used to design new error correcting codes, but also new cryptanalyses. Code recognition (that is, recognizing an unknown coding scheme from a sample) is very similar to cryptanalysis. Our research is driven by the belief that discrete mathematics and the algorithmics of finite structures form the scientific core of (algorithmic) data protection. We think that our past results justify this approach and we feel that, with the evolution of cryptographic research, more and more researchers will follow this path. Our purpose is not to present more evidence that algebraic coding theory or discrete mathematics can be “applied to” cryptography, but to convince that these fields belong to the scientific foundations of cryptography or, more generally, of data protection techniques.

2.3 Objectives for the evaluation period

The three objectives given in March 2002 were (originally stated in French):

1. Formal security analysis of secret-key systems;

2. Public-key systems based on codes;

3. Cryptanalysis: exploitation of new decoding techniques, solving of algebraic systems.

There have been some minor changes in the actual work during the period, mainly:

• The third objective is more oriented towards decoding. In March 2002, Jean-Pierre Tillich had a temporary CR1 position (on leave from University Paris 11). His recruitment on a permanent position, and the opportunity to work with France Telecom on iterative decoding, have increased the importance of error correcting codes as an application domain for our work.

• A new topic has appeared through our collaboration with DGA and Mathieu Cluzeau’s thesis: electronic war. Fundamentally, this domain uses cryptographic tools and even cryptographic results. This allowed us to easily include Mathieu’s contributions in the symmetric crypto and in the decoding subsections (objectives 1 and 3).

2.4 Security analysis of symmetric ciphers

2.4.1 Personnel

- Anne Canteaut, DR INRIA
- Pascale Charpin, DR INRIA
- Avishek Adhikari (Post-doc)
- Mathieu Cluzeau (PhD)
- Frédéric Didier (PhD)
- Yann Laigle-Chapuy (PhD)
- Cédric Lauradoux (PhD)
- Marine Minier (“Ingénieur Expert”)
- Maria Naya Plasencia (PhD)
- Enes Pasalic (Post-doc)
- Marion Videau (PhD)
- Claude Carlet (external collaborator, Prof. Univ. Paris 8)

2.4.2 Project-team positioning

From the outside, it might appear that symmetric techniques became obsolete after the invention of public-key cryptography in the mid 1970s. However, they are still widely used because they are the only ones that can achieve some major functionalities such as high-speed or low-cost encryption, fast authentication, and efficient hashing. Today, we find symmetric algorithms in GSM mobile phones, in credit cards, in WLAN connections. Symmetric cryptology is a very active research area which is stimulated by a pressing industrial demand for low-cost implementations (in terms of power consumption, gate complexity...). Research in symmetric cryptography is obviously characterized by a sequence of defenses and attacks. But each new dedicated attack against a given cipher must be formalized, its scope must be analyzed and the structural properties which make it feasible must be highlighted. This approach is the only one which can lead to new design criteria and to the construction of building blocks which guarantee a provable resistance to the known attacks. However, such an analysis yields a practical system only if it includes the implementation requirements arising from the applications. Therefore, our work considers all aspects of the field, from the practical ones (new attacks, concrete specifications of new systems) to the most theoretical ones (study of the algebraic structure of the underlying mathematical objects, definition of optimal objects). But our purpose is to study these aspects not separately but as several sides of the same domain. This joint approach to the different aspects of symmetric cryptography is quite peculiar to our work. Several research teams are working in symmetric cryptography (see e.g. Fast Software Encryption, which is an annual conference dedicated to symmetric encryption). The main peer or competitor groups are: Univ. of Bergen (T. Helleseth); France Telecom R&D (H. Gilbert, M. Robshaw); Lund University (T. Johansson); École Polytechnique Fédérale de Lausanne (S. Vaudenay); Technion Haifa, Israël (E. Biham); Nokia (K. Nyberg); Katholieke University of Leuven (B. Preneel); University of Graz (V. Rijmen, E. Oswald). Some other groups specialized in one of the aspects must also be mentioned, e.g.

• cryptanalysis: Univ. of Versailles (A. Joux); Royal Holloway University of London (C. Cid, S. Murphy);

• theoretical study of some building blocks: University of Waterloo (G. Gong); ISI Calcutta, India (B. Roy and S. Maitra);

• implementation aspects: Université Catholique de Louvain (J.-J. Quisquater); Bochum University (C. Paar).

2.4.3 Scientific achievements

Cryptanalysis. We have presented new cryptanalytic techniques on several symmetric primitives. For block ciphers, A. Canteaut and M. Videau have proposed a new general higher-order differential attack which applies to any cipher whose S-boxes have all their Walsh coefficients divisible by a high power of 2 [82]. A major issue raised by this attack is that the involved property characterizes the S-boxes which provide an optimal resistance to both differential and linear attacks [29]. It stresses the following paradox: in order to guarantee a provable resistance to the known attacks and to achieve extremely good performances, a symmetric cipher must use very particular building blocks, whose algebraic structures may introduce unintended weaknesses. M. Minier has also presented some attacks on other block ciphers, e.g. on FOX [176] and on reduced versions of the AES [104]. In the last few years, with the eSTREAM project, our cryptanalytic effort has focused on stream ciphers. We have first investigated the recent algebraic attacks, which are an important breakthrough especially in the cryptanalysis of stream ciphers based on linear feedback shift registers. Several results have been presented, concerning many different aspects of these attacks: formalization of algebraic attacks [103, 131], algebraic attacks on some particular ciphers [78], new algorithms for computing the algebraic immunity of a function [93, 36, 92], existence and constructions of functions with a high algebraic immunity [143, 140]. We have also presented several algorithmic improvements for correlation attacks on stream ciphers [136, 80]. Some of these results exploit several ideas coming from iterative decoding for improving the existing attacks, and they are detailed in Mathieu Cluzeau’s PhD thesis even if his work has been presented in a different practical context: the reconstruction of a linear scrambler from the knowledge of an intercepted output [151]. A last type of attack investigated in the project is the cache attacks, which exploit the power consumption or the timing variations induced by the memory accesses to lookup tables, especially to S-boxes, during the encryption process [96, 228, 206].

Cryptographic properties and construction of appropriate building blocks. The construction of building blocks which guarantee a high resistance to the known attacks is a major topic in our project, both for stream ciphers and for block ciphers. This work involves fundamental aspects related to discrete mathematics and implementation aspects. Actually, characterizing the structures of the building blocks which are optimal with respect to some attacks is very important for finding appropriate constructions and also for determining whether the underlying structure induces some weaknesses or not. For these reasons, we have investigated several families of filtering functions and of S-boxes which are well-suited for their cryptographic properties or for their implementation characteristics. For instance, bent functions, which are the Boolean functions which achieve the highest possible nonlinearity, have been extensively studied in order to provide some elements for a classification, or to adapt these functions to practical cryptographic constructions [28, 30, 41, 44, 134, 150]. We have also been interested in APN functions, which are the S-boxes ensuring an optimal resistance to differential cryptanalysis. An important open problem is to find APN permutations depending on an even number of variables. In this context, we have proved that some families of functions do not contain any APN mapping [23]. On the other hand, some APN and AB functions which are not equivalent to power functions have been exhibited for the first time in [126]. P. Charpin, T. Helleseth and V. Zinoviev have also extensively studied the differential properties of the AES S-box, i.e. the inverse function, which is the power permutation of an even number of variables offering the best resistance to differential cryptanalysis. More generally, all these works on S-boxes highlight the importance of finding new classes of permutation polynomials. This is the subject of Y. Laigle-Chapuy’s PhD thesis and his first results in that direction have been published in [60]. A. Canteaut and M. Videau have investigated the cryptographic properties of the class of symmetric functions [31]: this class seems quite appropriate for a hardware implementation since it can be realized by a circuit whose number of gates is linear in the number of input variables. Most notably, this work points out that the balancedness requirement is a very restrictive property for a symmetric function. It also determines the algebraic normal forms of all n-variable symmetric functions f with almost optimal nonlinearity.
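The two criteria named in this paragraph can be checked mechanically on a concrete S-box. The following Python script is an added illustration (not code from the CODES project): it builds small power S-boxes over GF(2^n) with assumed field polynomials (x^4 + x + 1 and x^3 + x + 1), and computes their differential uniformity (2 means APN), their nonlinearity from the Walsh spectrum of the component functions, and the largest power of 2 dividing all Walsh coefficients. On the 4-bit inverse, the small analogue of the AES S-box, it exhibits the even-dimension behaviour described above: differential uniformity 4 rather than 2, while x^3 over GF(2^3) is APN.

```python
"""Evaluate an S-box against the two design criteria discussed above: differential
uniformity (2 = APN, the best possible) and nonlinearity, read off the Walsh spectrum
of its component functions; also the largest power of 2 dividing every Walsh coefficient.

Example code added to this page, not the CODES project's code.  The field polynomials
and the small S-boxes below are assumptions chosen for illustration."""
from math import gcd


def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly is the reduction polynomial with bit n set."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


def power_sbox(n, poly, exponent):
    """Lookup table of x -> x^exponent over GF(2^n); exponent 2^n - 2 is inversion (0 -> 0)."""
    return [gf_pow(x, exponent, n, poly) for x in range(1 << n)]


def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))


def differential_uniformity(sbox):
    """max over a != 0 and b of #{x : S(x ^ a) ^ S(x) = b}; an APN S-box reaches the minimum 2."""
    size = len(sbox)
    worst = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst


def is_apn(sbox):
    return differential_uniformity(sbox) == 2


def _parity(v):
    return bin(v).count("1") & 1


def walsh_spectrum(sbox):
    """All W(a, b) = sum_x (-1)^(b.S(x) + a.x) over input masks a and nonzero output masks b."""
    size = len(sbox)
    spectrum = []
    for b in range(1, size):
        for a in range(size):
            w = sum((-1 if _parity(b & sbox[x]) ^ _parity(a & x) else 1) for x in range(size))
            spectrum.append(w)
    return spectrum


def nonlinearity(sbox):
    """Distance of the worst component function to the affine functions: 2^(n-1) - max|W|/2."""
    size = len(sbox)
    return size // 2 - max(abs(w) for w in walsh_spectrum(sbox)) // 2


def walsh_divisibility(sbox):
    """Largest k such that 2^k divides every Walsh coefficient (the structural property
    that the higher-order differential attack mentioned above relies on)."""
    g = 0
    for w in walsh_spectrum(sbox):
        g = gcd(g, abs(w))
    return (g & -g).bit_length() - 1 if g else None


if __name__ == "__main__":
    # GF(2^4) with x^4 + x + 1 and GF(2^3) with x^3 + x + 1 (constructed toy parameters)
    inv4 = power_sbox(4, 0b10011, 14)   # 4-bit analogue of the AES S-box core (inversion)
    cube3 = power_sbox(3, 0b1011, 3)    # x^3 over GF(2^3): APN and almost bent
    for name, s in (("inv4", inv4), ("cube3", cube3)):
        print(name, "permutation" if is_permutation(s) else "not a permutation",
              "differential uniformity", differential_uniformity(s),
              "nonlinearity", nonlinearity(s),
              "Walsh coefficients divisible by 2^%s" % walsh_divisibility(s))
```

Running the script prints the figures for both S-boxes; the 4-bit inverse comes out with all Walsh coefficients divisible by 4 and differential uniformity 4, while x^3 over GF(2^3) is a permutation with differential uniformity 2, which is the contrast between even and odd dimension that the paragraph describes.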

Design of new primitives. The previously described long-term research work in symmetric cryptography has also led to concrete realizations, since A. Canteaut, C. Lauradoux and M. Minier are co-authors of three new stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. Sosemanuk is one of the fastest and most secure ciphers among the 22 eSTREAM candidates dedicated to software applications (the first evaluation phase of eSTREAM put it in the “focus cipher” category). DECIM and F-FCSR are hardware-oriented ciphers for low-resource environments and have been selected for the next evaluation phase.

2.4.4 Collaborations

• University of Limoges on stream ciphers (F-FCSR) and on APN functions [23];

• University of Bergen;

• the SOSEMANUK and DECIM stream ciphers have been co-designed with all other French groups working in symmetric cryptography in the context of the RNRT project X-CRYPT.

2.4.5 External support

• ACI Cryptology CRAC and CRAC2;

• RNRT X-CRYPT: A. Canteaut is the leader of the stream cipher working group;

• IST NoE ECRYPT: A. Canteaut is the leader of the working group on Strategic Research on Symmetric Cryptography [232, 233], and we also participate in the working groups on stream ciphers and on AES evaluation [228];

• Several industrial contracts: with Canal+ Technologies, with CELAR.

2.4.6 Self assessment

Thanks to our work during the last years, our team has become one of the leading groups in symmetric cryptography. This position is illustrated, for instance, by our involvement in the European Network of Excellence ECRYPT. We do not plan to significantly modify our scientific approach. Actually, the cryptanalytic effort must continue, especially for evaluating the different ciphers submitted to the eSTREAM project. Some further fundamental work on the structural properties of the building blocks is still needed, since we are far from being able to design provably secure symmetric ciphers with good implementation properties. A major aspect which has been identified in the last period and which will be the focus of future work is the need for lightweight building blocks (especially for low-cost stream ciphers), dedicated to hardware environments where the available resources are heavily restricted. Then, we plan to study in detail the implementation properties of several families of S-boxes and of filtering functions (e.g. rotation-symmetric Boolean functions), in order to identify some new classes of functions which have good properties regarding both security and implementation.

2.5 Code-based cryptography

2.5.1 Personnel

- Daniel Augot, CR INRIA
- Nicolas Sendrier, DR INRIA
- Pierre Loidreau (external collaborator, Professor, ENSTA)
- Matthieu Finiasz (PhD)
- Cédric Lauradoux (PhD)
- Cédric Faure (PhD)

2.5.2 Project-team positioning

Most popular public key cryptographic schemes rely either on the factorization problem (RSA, Rabin), or on the discrete logarithm problem (Diffie-Hellman, ElGamal, DSA). These systems have evolved and today, instead of the classical groups (Z/nZ), we may use groups on elliptic curves. They allow a shorter block and key for the same level of security. An intensive effort of the research community has been and is still being conducted to investigate the main aspects of these systems: implementation, theoretical and practical security. It must be noted that these systems all rely on algorithmic number theory. As they are used in most, if not all, applications of public key cryptography today (and it will probably remain so in the near future), cryptographic applications are thus vulnerable to a single breakthrough in algorithmics or in hardware (a quantum computer can break all those schemes). Diversity is a way to dilute that risk, and it is the duty of the cryptographic research community to prepare and propose alternatives to the number theoretic based systems. The most serious tracks today are lattices (NTRU, ...), multivariate cryptography (HFE, ...) and code-based cryptography (McEliece encryption scheme, ...). We have been investigating the latter field in detail. The first cryptosystem based on error-correcting codes was a public key encryption scheme proposed by Bob McEliece in 1978; a dual variant was proposed in 1986 by Harald Niederreiter. We proposed the first (and only) signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signature, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are

• implementation and practicality of existing solutions,

• reducing the key size, by using rank metric instead of Hamming metric, or by using particular families of codes,

• trying new hard problems, like decoding Reed-Solomon codes above the list-decoding radius,

• addressing new functionalities, like hashing or symmetric key encryption.

Some groups and researchers involved: XLIM Limoges (T. Berger, P. Gaborit), FT R&D (M. Girault), Technische Universität Darmstadt (U. Vollmer, R. Overbeck), K. Kobara (Imai Laboratory).

2.5.3 Scientific achievements

The class of McEliece-like cryptosystems. The original McEliece cryptosystem remains unbroken. Nicolas Sendrier has proved [70, 19] that its security provably reduces to two problems of coding theory, conjectured to be hard:

• hardness of decoding in a random binary code, in the average case

• pseudorandomness of Goppa codes

This result also applies to Niederreiter’s scheme and a similar result was already known for the digital signature scheme (see footnote 1). The reduction is not a guarantee of security, but we know that a significant improvement on one of the above problems must occur before the system is seriously threatened. Another important work in the period was on the implementation aspects. One of the most promising code-based cryptosystems is the digital signature scheme: with 80 bits, it produces the shortest known digital signatures (without compromising the security). The drawback was that signing a document required more than one minute on a standard PC. A work in collaboration with ENS Lyon (ARENAIRE) and the LIRMM was initiated, and funded through the ACI OCAM. This resulted in an improved software version (about 10 seconds) and a fast FPGA implementation in less than one second (on a low cost FPGA). Various aspects of implementation were also considered throughout the period, see [185] for instance, where the problem of fast encoding of words with constant Hamming weight (required in Niederreiter’s encryption scheme) is addressed. In practice this encoding is the most expensive part of Niederreiter’s encryption and we obtain a speedup factor of 8 (33 Mbit/s instead of 4 Mbit/s).

Cryptosystems based on decoding in the rank metric. This family of cryptosystems is roughly based on the same principle as the McEliece cryptosystem, except that the metric in use is the rank metric (see footnote 2). This allows taking public keys of a much smaller size than for the McEliece cryptosystem, typically between ten and twenty times smaller.

1 N. Courtois, M. Finiasz and N. Sendrier, How to achieve a McEliece-based digital signature scheme, ASIACRYPT 2001

2 E. Gabidulin, A. Paramonov and O. Tretjakov, Ideals over a non-commutative ring and their application to cryptology, EUROCRYPT’91

Pierre Loidreau and Thierry Berger have been working on new variants of this system [120, 24] which also considered the possibility of achieving non-malleability. Pierre Loidreau also worked on the structure of some families of sub-codes of Gabidulin’s codes [159, 160] and their application to cryptography. He also designed the first decoding algorithm of Gabidulin’s codes in quadratic time (previous ones were cubic) [61, 102]. Finally, he designed and studied with Cédric Faure [94] a rank metric equivalent of the Augot/Finiasz PR-based encryption scheme (see next paragraph).

Cryptographic hardness of Reed-Solomon decoding. The Polynomial Reconstruction problem (PR), considered by Naor and Pinkas in 1999 and then by Kiayias and Yung in 2002, states that decoding more than a certain number of errors in a Reed-Solomon code is difficult. Daniel Augot and Matthieu Finiasz have designed an encryption scheme based on this problem [75]. This system possesses the efficiency of code-based systems and enjoys a much shorter public key. Unfortunately, as pointed out by Coron (see footnote 3), while the message security reduces to a difficult problem, the key security was not good enough. Interestingly, though it was broken, this cryptosystem raised a lot of interest. The new cryptographic function that was exhibited did not allow the design of an encryption scheme, because the trapdoor (for decryption) could not be securely concealed. However, diversity is among the important concerns of cryptographic research. Proposing new primitives, with different features, might be of interest for future needs.

Other cryptographic functionalities with codes. At the beginning of the period, our interest in code-based cryptology was aimed towards public-key cryptography. Speed is among the most interesting features: if we examine Niederreiter’s encryption scheme, the encryption consists in computing a syndrome, that is, adding bitwise t out of n vectors of length r (t is a few tens, r a few hundreds and n a few thousands). Syndrome computation is one-way and very fast, comparable in speed with the one-way functions used, for instance, in hash functions. Moreover, because there is an underlying difficult algorithmic problem, there is a security reduction. After several adjustments, a first version of this work was published [114, 76].
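To make the syndrome computation of the previous paragraph concrete, here is an added Python example (not the project's code). It implements the two steps of Niederreiter encryption described above on a toy instance: a constant-weight encoding of the message by the combinatorial number system (one way of doing the encoding whose cost is discussed in [185]; the page does not say which method the project used), followed by the syndrome, i.e. the XOR of the t columns of H selected by the word. The matrix H is a constructed 6 x 8 parity-check matrix of an [8, 2, 5] code, so every weight-2 error has a distinct syndrome; the exhaustive-search decoder stands in for the fast secret decoder that a real instance (e.g. a Goppa code) gives the legitimate receiver, and shows that decryption without that trapdoor amounts to generic syndrome decoding.

```python
"""Niederreiter-style encryption core, as a toy: constant-weight encoding of the message
followed by the syndrome (XOR of t columns of a binary parity-check matrix H).

Example code added to this page, not the CODES project's implementation.  N, R, T and
H_COLS are constructed for illustration: H is the 6 x 8 parity-check matrix of an
[8, 2, 5] code (minimum distance 5 > 2T), so every weight-T error has its own syndrome."""
from itertools import combinations
from math import comb

N, R, T = 8, 6, 2
# column j of H stored as an R-bit integer (bit i = row i)
H_COLS = [1, 2, 4, 8, 15, 16, 32, 55]


def int_to_constant_weight(m, n=N, t=T):
    """Combinatorial number system: the m-th t-subset of {0, ..., n-1}, 0 <= m < C(n, t),
    written m = C(c_t, t) + ... + C(c_1, 1) with c_t > ... > c_1 >= 0."""
    if not 0 <= m < comb(n, t):
        raise ValueError("message out of range")
    positions = []
    for k in range(t, 0, -1):
        c = k - 1                      # find the largest c with C(c, k) <= m
        while comb(c + 1, k) <= m:
            c += 1
        positions.append(c)
        m -= comb(c, k)
    return sorted(positions)


def constant_weight_to_int(positions):
    """Inverse of int_to_constant_weight."""
    return sum(comb(c, k + 1) for k, c in enumerate(sorted(positions)))


def weight_t_word(positions, n=N):
    """Binary word of length n with ones exactly at the given positions."""
    return [1 if i in positions else 0 for i in range(n)]


def syndrome(word, h_cols=H_COLS):
    """H e^T over GF(2): XOR of the columns selected by the 1-bits of the word."""
    s = 0
    for j, bit in enumerate(word):
        if bit:
            s ^= h_cols[j]
    return s


def encrypt(m):
    """Niederreiter encryption of an integer message m < C(N, T)."""
    return syndrome(weight_t_word(int_to_constant_weight(m)))


def decrypt_by_exhaustive_decoding(s):
    """Syndrome decoding by trying every weight-T word.  This stands in for the fast secret
    decoder of the real scheme; without that trapdoor, recovering the message is generic
    syndrome decoding, the problem the security reduction relies on."""
    matches = [m for m in range(comb(N, T)) if encrypt(m) == s]
    return matches[0] if len(matches) == 1 else None


def minimum_distance(h_cols=H_COLS, n=N):
    """Smallest number of columns of H summing to zero (brute force, toy sizes only)."""
    for w in range(1, n + 1):
        for idx in combinations(range(n), w):
            acc = 0
            for j in idx:
                acc ^= h_cols[j]
            if acc == 0:
                return w
    return None


if __name__ == "__main__":
    print("minimum distance of the toy code:", minimum_distance())
    for m in (0, 11, comb(N, T) - 1):
        e = weight_t_word(int_to_constant_weight(m))
        print(m, e, "syndrome", format(encrypt(m), "06b"),
              "decrypted", decrypt_by_exhaustive_decoding(encrypt(m)))
```

With realistic parameters (t a few tens, r a few hundreds, n a few thousands, as the paragraph says) encryption stays t column XORs, while the search space C(n, t) of the generic decoder becomes astronomically large; that gap is what the security reduction discussed above captures.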

2.5.4 Collaborations

• ARENAIRE (LIP, ENS Lyon) and LIRMM, hardware implementation of a code-based signature scheme

2.5.5 External support

• ACI OCAM

• RNRT XCRYPT

• IST NoE ECRYPT

2.5.6 Self assessment

Public-key cryptosystems providing alternatives to number theory, and efficient primitives with a security reduction (sometimes referred to as “provably secure”), are certainly major issues for tomorrow’s cryptography. Code-based cryptography provides interesting questions for both issues. The project CODES has a long and substantial experience in that field. We have been able to propose new promising and interesting cryptographic schemes. It will take years to fully understand all aspects of the problem. The security reduction statement uses two algorithmic problems that are conjectured to be hard. Just like for RSA, more mathematical work is needed to assess the difficulty of those problems. In the meantime, a necessary work is to implement the McEliece cryptosystem; surprisingly, no fast public implementation exists. We hope to provide the first such implementation through eBATS, the ECRYPT benchmarking of asymmetric systems. Recent advances in hash functions have created new needs. The NIST has announced a competition for hash functions similar to the AES call; our intention is to be ready to propose code-based hash functions to that call.

3 Jean-Sébastien Coron, Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, IACR eprint archive 2003/036

2.6 Decoding techniques, algebraic systems solving and applications

2.6.1 Personnel

- Daniel Augot, CR INRIA
- Jean-Pierre Tillich, CR INRIA
- Magali Bardet (PhD)
- Emmanuel Cadic (Post-doc.)
- Thomas Camara (PhD)
- Mathieu Cluzeau (PhD)
- Frédéric Didier (PhD)
- Harold Ollivier (PhD)
- Grégory Olocco (PhD)
- Michaël Quisquater (Post-doc.)
- Cédric Tavernier (PhD)

2.6.2 Project-team positioning

The objective announced in 2002, which was “applications of new decoding algorithms; resolution of algebraic systems”, has evolved with the arrival of Jean-Pierre Tillich. It has laid more stress on probabilistic decoding algorithms and on applications in error correction. We are now focusing on studying or improving various decoding algorithms which are either algebraic or probabilistic in nature, not only for cryptographic purposes but also for coding theory in itself. We have also strengthened our ties with the INRIA project-team SALSA (formerly SPACES) with the co-direction of Magali Bardet’s thesis and during the ACI POLYCRYPT. Research on decoding algorithms is one of the most active areas in coding theory, be they of algebraic or probabilistic nature. These algorithms have found areas of application outside the sole scope of error-correcting codes: complexity theory, theoretical computer science and cryptology among others. We are mainly interested in cryptographic applications of these algorithms: for example in fast correlation attacks on stream ciphers involving iterative decoding algorithms, or for the approximation of the output bits of the intermediate rounds of block ciphers. We have also found a new domain of application for iterative decoding algorithms, namely quantum error correcting codes, for which we have shown that some of them can be decoded successfully with these algorithms. Moreover, the tools we had to investigate, for instance the Gröbner bases techniques in the problem of decoding general cyclic codes, enabled us to study also algebraic attacks on cryptosystems. We also mention that we still study more traditional a=spects of coding theory, by searching for codes with good decoding performances for instance. Peer or competitor groups in:

• decoding with Gröbner bases: Università di Genova (T. Mora), University College Cork (P. Fitzpatrick),

• cryptanalysis with Gröbner bases: FT R&D Issy les Moulineaux (H. Gilbert), Information Security Group Royal Holloway (C. Cid), Information-technology Promotion Agency, Japan Cryptography Research and Evaluation Group IT (M. Sugita),

• cryptanalysis with decoding algorithms: University of Bergen (T. Helleseth), University of Lund (T. Johansson), University of Hawaii (M. Fossorier), Mathematical Institute of the Serbian Academy of Sciences and Arts (M. Mihaljevic),

• constructing good families of codes suitable for iterative decoding: City University of Hong Kong (L. Ping), École Polytechnique Fédérale de Lausanne (R. Urbanke), ENSEA (D. Declerq), ENST Bretagne (C. Berrou), ENST Paris (G. Boutros), Flarion Technologies (T. Richardson), University of California (S. Lin), University of Hawaii (M. Fossorier),

• quantum error correcting codes: California Institute of Technology (J. Preskill), MIT (P. Shor), Perimeter Institute (D. Gottesman), University of Cambridge (D. MacKay).

2.6.3 Scientific achievements Decoding algorithms and cryptanalysis. The first family of codes what we have studied in detail is the family of Reed-Muller codes. Being able to decode efficiently members of this family on various channels is very helpful for cryptanalysis: the decoding of first order Reed-Muller codes on the binary symmetric channel is a useful task for linear cryptanalysis whereas decoding general Reed-Muller codes on the erasure channel can be used in algebraic attacks of ciphers. In particular in his thesis [20], C´edricTavernier found new (local) decoding algorithms for first order Reed-Muller codes over the binary symmetric channel, which improve upon the Goldreich-Rubinfeld-Sudan algorithm. He implemented them for finding approximations of the outputs of several rounds of the DES. This way he found, using his software, not only the linear equations found by Matsui in his famous linear cryptanalysis of the DES, but also several other equations with biases of the same order as Matsui’s ones. On the other hand, Fr´ed´ericDidier and Jean-Pierre Tillich have focused on decoding Reed-Muller codes efficiently on the erasure channel. They have proposed various decoding algorithms whose complexity is sometimes linear and in general at most quadratic in the code dimension. These algorithms have been implemented, have lead to several decoding records and can be used to determine the algebraic immunity of Boolean functions against algebraic attacks [53, 92, 93]. Solving algebraic systems and applications. From the algebraic systems point of view, SALSA, in collaboration with CODES, performed the cryptanalysis of the HFE cryptosystems (Hidden Field Equations), performed by Faug`ereby a computation of a few days 4. 
It was followed by the thesis of Magali Bardet [10], which covers theoretical aspects of the HFE cryptanalysis (why it was feasible), and also the decoding of cyclic codes with Gröbner bases: it was demonstrated that it is possible to find decoding formulas for all cyclic codes, by an off-line Gröbner basis computation. But, from the efficiency point of view, it was found that it is better to perform an on-line Gröbner basis computation, whose cost is reasonable. This makes it possible to decode any cyclic code up to its true minimum distance [111, 10].

4 Jean-Charles Faugère, Antoine Joux: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. CRYPTO 2003

Coding theory. Concerning the part of our work devoted to error-correcting codes, we have focused on codes which have good iterative decoding algorithms. This kind of code has by now probably become the most popular coding scheme, due to its exceptional performance at a reasonable algorithmic cost. We have in particular studied families of codes which are in a sense intermediate between turbo-codes and LDPC codes, and have found several instances of this family, covering a large range of rates, which are among the best known for a large range of target error probabilities after decoding [192, 108, 109]. This work has been supported by France Telecom.

The knowledge we have acquired in iterative decoding techniques has also led us to study whether or not the very same techniques could be used to decode quantum codes. Part of the ACI project “RQ” in which we were involved is about this topic. Notice that protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It is also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time. Our approach for overcoming this problem has been to study whether or not the family of turbo-codes and LDPC codes (and the associated iterative decoding algorithms) has a quantum counterpart. We have shown that the classical iterative decoding algorithms can be generalized to the quantum setting and have come up with some families of quantum LDPC codes and quantum serial turbo-codes with rather good performances under iterative decoding [67, 127, 178, 68]. Let us also mention that Mathieu Cluzeau, in his PhD thesis, also uses iterative decoding techniques in a completely different setting: namely the problem of reconstructing an LDPC code from a noisy sequence encoded in an unknown way. Finally, another important result related to decoding, the coset distribution of some BCH codes, was proven by Charpin, Helleseth and Zinoviev [49]. It answered an old research problem stated in the 70s.
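As an added illustration of the iterative decoding discussed above (constructed example, not code from the CODES project-team), the following Python runs the peeling decoder, the simplest iterative decoder, over the binary erasure channel and contrasts it with maximum-likelihood recovery: an erasure pattern forming a stopping set of the parity-check matrix defeats the iterative decoder even when the erased columns are linearly independent. The [7,4] Hamming parity-check matrix and the codeword are constructed toy inputs; the routines work for any binary parity-check matrix.

```python
"""Iterative (peeling) decoding over the binary erasure channel.

Constructed illustration; not code from the CODES project-team.  H is the
parity-check matrix of the [7,4] Hamming code, used here as a toy sparse
code; the same routines work for any binary parity-check matrix.
"""
import random
from typing import List, Optional, Set, Tuple

Word = List[Optional[int]]  # entries are 0, 1, or None for an erased bit

# Constructed example: rows are parity checks, columns are codeword bits.
H: List[List[int]] = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def syndrome_ok(h: List[List[int]], word: List[int]) -> bool:
    """True iff every parity check of h is satisfied by the (fully known) word."""
    return all(sum(h_ij & b for h_ij, b in zip(row, word)) % 2 == 0 for row in h)


def erase(codeword: List[int], positions: Set[int]) -> Word:
    """Simulate the erasure channel: the bits at 'positions' become None."""
    return [None if j in positions else b for j, b in enumerate(codeword)]


def peel_decode(h: List[List[int]], received: Word) -> Tuple[Word, bool]:
    """Iterative erasure decoding ('peeling').

    A check that contains exactly one erased bit determines that bit as the
    XOR of its other bits; repeat until no check makes progress.  Returns
    (word, succeeded).  If it stops short, the still-erased positions form a
    stopping set of h: every check touching them touches at least two of them.
    """
    word = list(received)
    progress = True
    while progress:
        progress = False
        for row in h:
            erased = [j for j, h_ij in enumerate(row) if h_ij and word[j] is None]
            if len(erased) == 1:
                j = erased[0]
                word[j] = sum(word[k] for k, h_ik in enumerate(row) if h_ik and k != j) % 2
                progress = True
    return word, all(b is not None for b in word)


def ml_recoverable(h: List[List[int]], positions: Set[int]) -> bool:
    """True iff the columns of h at the erased positions are linearly
    independent over GF(2), i.e. a maximum-likelihood decoder (Gaussian
    elimination on the erased columns) recovers them.  Peeling can fail on
    a stopping set even when this returns True: that gap is the price of
    the iterative decoder's low cost."""
    pivots = {}  # leading bit -> basis vector (columns packed as ints)
    for j in sorted(positions):
        v = sum(1 << i for i, row in enumerate(h) if row[j])
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
        else:  # reduced to zero: column depends on the previous ones
            return False
    return True


def block_error_rate(h: List[List[int]], codeword: List[int], p: float,
                     trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the block error probability of peeling when
    each bit is erased independently with probability p."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        positions = {j for j in range(len(codeword)) if rng.random() < p}
        _, ok = peel_decode(h, erase(codeword, positions))
        failures += not ok
    return failures / trials


if __name__ == "__main__":
    c = [1, 1, 0, 1, 0, 0, 1]  # constructed codeword of H
    assert syndrome_ok(H, c)
    print(peel_decode(H, erase(c, {2, 6})))     # recovered: ([1,1,0,1,0,0,1], True)
    print(peel_decode(H, erase(c, {4, 5, 6})))  # stopping set {4,5,6}: fails
    print(ml_recoverable(H, {4, 5, 6}))         # True: ML decoding would succeed
    print(block_error_rate(H, c, 0.2, 10000))
```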

2.6.4 Collaborations

CODES has a strong relationship with SALSA in the area of multivariate polynomial solving, for applications in coding and cryptography. We have also developed a good relationship with France Telecom by working together on families of codes suitable for iterative decoding [108, 109]. We also enjoy a long-lasting relationship with people working in cryptography and coding at the ENST Paris (G. Cohen, G. Zémor) and with J. Friedman at the University of British Columbia [193, 73, 194, 56, 57, 55].

2.6.5 External support

• For polynomial equations and cryptography: ACI POLYCRYPT (headed by SPACES, in which CODES was partner), ACI ACCESS.

• For applications of error-correcting codes to cryptology: ACI ACSION.

• For constructing good families of codes for iterative decoding: several industrial contracts with France Telecom.

• For protecting quantum information against external noise: ACI RQ.

2.6.6 Self assessment

One strong point is the collaboration with SALSA, which has the expertise on the most efficient algorithms for Gröbner bases, both for the implementation and the analysis. We plan to follow up this collaboration to describe and analyze some points of the Guruswami-Sudan algorithm in terms of Gröbner bases theory. One of the objectives presented at the previous evaluation was to use the Sudan and Guruswami-Sudan algorithms for performing (univariate) interpolation attacks. This failed: the approach succeeded, as demonstrated by Justesen, for the cryptanalysis of the Knudsen-Nyberg cryptosystems, which are described in terms of univariate polynomials, but in general it appears that even approximating a block cipher by a univariate polynomial of moderate degree may be impossible. This topic will not be continued. Concerning our work about quantum codes, we plan to strengthen our ties with the community in physics, which is probably the most active one working on quantum error-correcting codes. Right now, we are working together with David Poulin of the Institute for Quantum Information at Caltech on quantum serial turbo-codes.

3 Knowledge dissemination

3.1 Publications

                             2002  2003  2004  2005  2006
PhD Thesis                           1     5     3     1
H.D.R (*)                      1                       1
Journal                        5     8    11    17    11
Conference proceedings (**)    5     7     8     6     8
Book chapter                                     4     1
Book (written)                                   1
Book (edited)                        1     1           1
Patent
Technical report
Deliverable                    1, 4, 5, 3 (yearly counts, in source order; the year columns are not recoverable from the source layout)

(*) HDR: Habilitation à diriger des Recherches
(**) Conference with a program committee (LNCS type articles)

Indicate the major journals in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.

1. IEEE Transactions on Information Theory 13 papers

2. Design, Codes and Cryptography 6 papers

3. Finite Fields and their Applications 4 papers

4. Journal of Combinatorial Theory 5 papers

Indicate the major conferences in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.

1. IEEE Symposium on Information Theory 34 contributions

2. IACR conferences (CRYPTO, EUROCRYPT, ASIACRYPT, FSE) 10 contributions

3. International Workshop on Coding and Cryptography (WCC) 7 contributions (2 editions only in the period)

4. Indocrypt 6 contributions

3.2 Software

Anne Canteaut, Cédric Lauradoux and Marine Minier are co-authors of three new stream cipher proposals which have been submitted to the eSTREAM project: Sosemanuk, DECIM and F-FCSR. These three ciphers have been implemented in software and the corresponding implementations are available on http://www.ecrypt.eu.org/stream/. Since Sosemanuk is a software-oriented stream cipher aiming at a high throughput, some optimized implementations have been developed. Actually, Sosemanuk is one of the fastest and most secure ciphers among the 22 eSTREAM candidates dedicated to software applications. Decim and F-FCSR are dedicated to hardware environments where the available resources such as gate complexity and power might be heavily restricted. A VHDL implementation of both ciphers has been realized by Cédric Lauradoux.

3.2.1 Valorization and technology transfer

cf. §4 External Funding.

3.3 Teaching

Daniel Augot: Error-correcting codes, symbolic computing and applications to cryptography in Master Recherche 2, Master Parisien de Recherche en Informatique (MPRI), University Paris 7, ENS Paris, ENS Cachan and École Polytechnique, 15 hours.

Daniel Augot: Introduction to cryptography in Master Recherche 2 “Science Informatique”, University of Marne-la-Vallée, 9 hours.

Jean-Pierre Tillich: Error-correcting codes, symbolic computing and applications to cryptography in Master Recherche 2, Master Parisien de Recherche en Informatique (MPRI), Université Paris 7, ENS Paris, ENS Cachan and École Polytechnique, 15 hours.

Jean-Pierre Tillich: Error-correcting codes, Institut Supérieur d’Électronique de Paris (ISEP), 3rd year of engineering school, 10 hours, since 2004.

Jean-Pierre Tillich: Quantum codes in Master 2, ENST Paris, 6 hours, since 2006.

Anne Canteaut: C programming for cryptography, Master Pro 2 “Information security” and Master Recherche 2 “Cryptography and Coding”, University of Limoges, 60 hours, until 2006.

Nicolas Sendrier is “professeur chargé de cours” in Computer Science at École Polytechnique Palaiseau. He is teaching Theoretical Computer Science and Information Theory, 80-100 hours.

During the last 4 years, we hosted 23 intern students, including 10 “Master Recherche” students. Most of the Ph.D. students in the team are associated either with the doctoral program of the University Pierre and Marie Curie (Paris 6) or with the doctoral program of École Polytechnique Palaiseau.

3.4 Visibility

Publishing activities.

• IEEE Transactions on Information Theory, associate editors: Anne Canteaut for Cryptography and Complexity 2005-2008; Claude Carlet for Coding theory 2003-2005.

• IEEE Transactions on Computers, associate editor: Pascale Charpin for Coding theory, 2000-2004.

• Designs, Codes and Cryptography, associate editor: Pascale Charpin, since 2003.

• Journal of Symbolic Computation, Special Issue on Gröbner Bases Techniques in Cryptography and Coding Theory (2007), D. Augot guest editor.

• Pascale Charpin is associate editor for the Encyclopedia of Information security published by Springer in 2005. Anne Canteaut, Claude Carlet and Pascale Charpin are authors of most entries related to stream ciphers and Boolean functions; Nicolas Sendrier is the author of the entry on McEliece public-key cryptosystem.

Program committees

• ISIT (IEEE International Symposium on Information Theory): 2006 (G. Kabatianski), 2007 (A. Canteaut, C. Carlet);

• EUROCRYPT: 2007 (A. Canteaut);

• CRYPTO: 2004 (A. Canteaut);

• ASIACRYPT: 2005 (N. Sendrier);

• Fast Software Encryption (FSE): 2003 (A. Canteaut), 2004 (C. Carlet), 2005 (A. Canteaut), 2006 (A. Canteaut);

• Indocrypt: 2003 (A. Canteaut), 2004 (A. Canteaut, program chair), 2005 (F. Lévy-dit-Véhel), 2006 (A. Canteaut, C. Carlet, N. Sendrier);

• SETA (International conference on sequences and their applications): 2004 (C. Carlet), 2006 (A. Canteaut, C. Carlet);

• Workshop on Coding Theory and Cryptography (WCC): 2003 (D. Augot, C. Carlet; P. Charpin and G. Kabatianski program co-chairs), 2005 (D. Augot, P. Charpin program co-chair, C. Carlet, N. Sendrier);

• ACCT (International Workshop on Algebraic and Combinatorial Coding Theory): 2006 (G. Kabatianski, program chair);

• ICETE (International Joint Conference on E-business and Telecommunications): 2006 (P. Charpin);

• International Conference on Polynomial System Solving: 2004 (D. Augot);

• ITW (IEEE Information Theory Workshop): 2003 (A. Canteaut, N. Sendrier);

• AAECC (Applied Algebra, Algebraic algorithms and Error-correcting codes): 2003 (C. Carlet);

• Finite Fields: 2003 (C. Carlet);

• YACC (Yet Another Conference on Cryptography): 2002 (A. Canteaut), 2004 (A. Canteaut), 2006 (C. Carlet);

• WEWoRC (Western European Workshop on Research in Cryptology): 2005 (A. Canteaut, N. Sendrier)

• SASC (State of the Art in Stream ciphers, eSTREAM workshop): 2006 (A. Canteaut, program chair);

• SKEW (ECRYPT Symmetric Key Encryption Workshop), Aarhus, Denmark, 2005 (A. Canteaut);

• Joint BeNeLuxFra Conference in Mathematics (joint meeting of the Belgian, Dutch, Luxembourg and French mathematical societies), Ghent, Belgium, 2005 (A. Canteaut);

• BFCA (Workshop on Boolean functions): 2005 (C. Carlet)

Organization of conferences.

• All members of Codes are involved in the organization of the Workshop on Coding Theory and Cryptography (WCC) which has been held at INRIA in 2003 and 2007 (the 2005 workshop has been hosted by Bergen University in Norway and P. Charpin was program co-chair): 2003 (P. Loidreau, general chair), 2007 (A. Canteaut and P. Charpin, general co-chairs). This workshop aims at bringing together researchers in all aspects of coding theory, cryptography and related areas. The 2003 workshop had around 150 attendees. A selection of revised papers presented at WCC 2003 has been published in a special issue in Coding and Cryptography of Discrete Applied Mathematics (P. Charpin and G. Kabatianski editors);

• ECRYPT Workshop on Provable Security, Rocquencourt, 2004 (N. Sendrier);

• Members of other organization committees: FSE 2005 (P. Loidreau, F. Lévy-dit-Véhel); Indocrypt 2004 (Cédric Lauradoux).

Other responsibilities in the national community.

• Scientific committee of the national research program on Security and Computer Science, ACI-Sécurité et Informatique: P. Charpin (2003-07);

• Scientific committee of the national research program “appels à projets non thématiques” in computer science of the National Agency for Research (ANR): 2005 (P. Charpin);

• Scientific committee of the national research program SetIn (Security and Computer Science) of the National Agency for Research (ANR): 2006 (A. Canteaut);

• GDR Computer Science - Mathematics (IM): Claude Carlet is in charge of the group Coding and Cryptography;

• Pascale Charpin is an external expert for the Délégation Générale pour l’Armement (DGA);

• “Commission de spécialistes” (Committees for the selection of professors and assistant professors): University Paris 8 (C. Carlet, J-P. Tillich), University of Limoges (A. Canteaut, P. Charpin, C. Carlet), École Normale Supérieure Paris (J-P. Tillich);

• Pascale Charpin was a member of the committee for the selection of CR2 at INRIA- Rocquencourt (2006);

• Anne Canteaut is a member of the “Comité de Suivi Doctoral” of INRIA-Rocquencourt since 2004.

Other responsibilities in the international community.

• Anne Canteaut is a member of the steering committee of the eSTREAM project http://www.ecrypt.eu.org/stream/;

• Number of HDR and PhD juries in 2002-2006: 53.

• Number of invited talks: 21

4 External Funding

(k euros)                    2002   2003   2004   2005   2006
National initiatives
  ACI CRAC                   25.4   16.9
  ACI ACCESS                 19.7   19.7    9.8
  ACI CRAC2                   7.0   21.1   21.1   14.1
  ACI RQ                             6.9   13.9   13.9    6.9
  ACI UNIHAVEGE                      1.0    6.5    6.5    5.4
  ACI OCAM                           2.8    8.6    8.6    5.7
  ACI ACSION                                3.1    9.4    9.4
  ACI SERAC                                 3.2    9.7    9.7
  ACI ASPHALES                              4.4    6.6    6.6
  RNRT DIPHONET              12.5   12.5    9.4
  RNRT X-CRYPT                             58.5   58.5   58.5
European projects
  IST NoE ECRYPT                           61.7   29.3   29.3
  ECONET                                   14.6   14.6
Industrial contracts
  Contract Canal+            14.6   14.6
  Contract FT R&D 1                  6.3   25.3    6.3
  Contract Banque de France                10.0
  Contract FT R&D 2                                      23.8
Scholarships
  PhD ∗                     242.2  277.9  306.4  235.1  256.5
  Post-doc. ∗                       25.3    3.2   44.4   31.7
  AI +
  ODL #
Other funding
  Convention DGA                     6.6    6.6
  Contract DGA-CELAR                                      5.5
Total                       321.8  412.3  534.4  457.4  449.5

† INRIA Cooperative Research Initiatives
‡ Large-scale Initiative Actions
∗ other than those supported by one of the above projects; estimation based on the INRIA scholarship rate (28.5 keuros / year for PhD, 38.0 keuros / year for Post-doc.)
+ junior engineer supported by INRIA
# engineer supported by INRIA

ARCs None.

National initiatives

ACI CRAC (08/00 → 08/03) This funding was given to project-team CODES, under the topic “support of teams of excellence”, to sustain our research in cryptology. Most of our research topics in cryptology fitted in this ACI: public-key cryptography, secret-key cryptography, fundamentals and mathematics of cryptology.

ACI ACCESS (05/01 → 05/04) One topic here was to investigate the so-called multivariate cryptography. Several cryptographic primitives were previously proposed by Patarin et al., and the partners found many attacks on these primitives. Another theme was to study and develop cryptographic schemes relying on error-correcting codes. Funding was done through INRIA. Partners: only ENSTA, since it was an “action de cristallisation” aiming at promoting a new team.

ACI CRAC2 (08/02 → 08/05) Same kind of funding as CRAC: support to teams of excellence.

ACI RQ (07/03 → 07/06) One of the goals of this project is to propose quantum codes for protecting quantum information against external noise. It has led us to find quantum analogues for LDPC codes, convolutional codes and serial turbo-codes. Partners: Université Paris XI.

ACI UNIHAVEGE (11/03 → 11/06) The goal of UNIHAVEGE was to test and extend the random number generator HAVEGE (Hardware Volatile Entropy Gathering and Expansion) designed by André Seznec and Nicolas Sendrier. During the last three years, no weaknesses were found. HAVEGE has been integrated into the Linux kernel through a module. Partner: IRISA team CAPS (André Seznec and Olivier Rochecouste).

ACI OCAM (07/03 → 12/06) The primary goal of the project is to produce an FPGA implementation of a digital signature algorithm based on coding theory. This algorithm produces the shortest known signature but is very slow in software. Additional goals are to consider other code-based cryptosystems and their hardware implementation, with a particular focus on finite field arithmetic. Partners: ARENAIRE project-team, LIRMM (Montpellier).

ACI ACSION (09/04 → 09/07) New applications of error-correcting codes to information security. The project studies the impact of certain error-correcting tools for cryptographic purposes, more specifically:
- attacks on ciphers making use of decoding techniques are investigated,
- authentication and biometric schemes based on error-correcting codes are developed.
Partners: ENST, Université Paris VIII.

ACI SERAC (09/04 → 09/07) Security for Wireless Ad Hoc Networks. This covers several aspects of security: first the problem of securing the routing process itself, like OLSR; then the problem of developing higher-level security primitives, which still have to be secured even in the presence of the network failures typical of Ad Hoc networks. Partners: USTL (Lille), INRIA (CODES, TANC and HIPERCOM) and GET (ENST).

ACI ASPHALES (05/04 → 05/07) Interactions between computer security and legal security for the progress of regulations in the Information Society.

The aim of this multi-disciplinary project is to have a scientific reading of the French legal texts related to computer and network security. One main concern is to discuss the laws which concern the notion of proof and probative value, and also the conservation of digital documents. Anne Canteaut and Marion Videau have provided a scientific view of many laws on these topics. This project also has some consequences on cryptographic protocols, since the legal requirements may differ from classical cryptographic hypotheses. Partners: CNRS (labo. CECOJI), Univ. Versailles, Univ. Montpellier, INT, Univ. Lille 2, INRIA.

RNRT DIPHONET (01/02 → 05/04) The aim of this project was to provide intellectual property rights protection on images by using watermarking. The cryptographic part was to provide a protocol which enables the owner of a set of images to prove that an image I0 found somewhere actually originates from an image I which belongs to him. This protocol led to a patent ENSTA/IRISA/CANON. Funding was done through INRIA. Partners: Canon Research France, ENSTA (UMA/ALI), IRISA (Temics, Vista), Supélec (Laboratoire de Signaux et Systèmes), Andia Presse.

RNRT X-CRYPT (12/03 → 12/06) The aim is to design cryptographic tools tailored to high-speed networks and also to wireless networks, which both offer high security and consume few resources. Two stream ciphers have been developed: Sosemanuk and Decim. Partners: Axalto, ENS Ulm, France Telecom, Cryptolog International, Université de Versailles, INRIA.

European projects

IST NoE ECRYPT (02/04 → 02/08) This is a Network of Excellence in research in all the aspects of cryptology. It has been structured in “virtual labs”. Anne Canteaut is leading a working group within the virtual lab on symmetric techniques, and CODES is also involved in the AZTEC virtual lab (new primitives for public key cryptography). Partners: more than thirty, both academic and industrial.

ECONET (02/04 → 12/05) This program, introduced and funded by the French ministry of foreign affairs, is devoted to the development of research relations with East European countries. Priority is given to the stays of young researchers in the laboratories of the partners. The action is entitled Discrete Mathematics for coding and information protection. Partners: Project CODES, INRIA: Pierre Loidreau (leader). Academy of Sciences of Bulgaria (Stefan Dodunekov). Moscow Institute of Physics and Technology (Ernst Gabidulin). St Petersburg State University of Aerospace Instrumentation (Natalia Shekhunova).

Associated teams and other international projects None.

Industrial contracts

Canal+ (09/02 → 05/03) Daniel Augot and Anne Canteaut have done an expert analysis of a block cipher algorithm, which has been designed internally at Canal+, and which has been kept secret. This analysis has led to important modifications in the original design.

FT R&D (10/03 → 04/05) The purpose of this contract with France Telecom was to propose a new family of binary codes with very good iterative decoding performances for a large range of rates and target error probabilities after decoding. This aim was attained and was followed by the contract below.

FT R&D (02/06 → 01/08) This is a follow-up of the previous contract, the new aim being to explore non-binary codes and to complete the range of rates left by the previous contract.

Banque de France (2004) Banque de France wanted to put some kind of digital signature on banknotes. This was a preliminary contract for studying the issues that might arise when realizing such a solution.

Other funding

Convention DGA (07/03 → 07/04) Anne Canteaut, Mathieu Cluzeau and Nicolas Sendrier have done a study whose aim is to recognize an unknown coding scheme. That is to say, given a bit stream, used for instance in satellite communications, one has to recognize which error-correcting code (but also other parts of the whole coding scheme) has been used, even in the presence of noise.

Contract DGA-CELAR (09/06 → 09/07) The aim of this study is to analyze the efficiency of fast correlation attacks (on stream ciphers) based on iterative decoding algorithms. The work is to cryptanalyze several challenging stream ciphers, provided by the CELAR, which are weak versions of public domain ciphers. This should lead to a precise analysis of the efficiency of these attacks, and also to variants of the classical iterative decoding algorithms.

5 Objectives for the next four years

During the evaluation period our research field and the requests addressed to us have naturally evolved. There are new application domains (“electronic war”), new topics coming from new scientific interactions (algebraic cryptanalysis, quantum codes). Some more classical topics require new research (hash functions, stream ciphers). Also, with the settlement of AES as the reference block cipher, research in symmetric cryptography is now more inclined towards its foundations. Our long-term and fundamental scientific approach has allowed us to answer some of those new questions and to address new subjects. Our work for the next period will keep to the same tracks. It will be focused on the following 4 orientations:

1. Symmetric cryptography and discrete mathematics. Explore and define security criteria. In particular, investigate the theoretical and practical aspects of the design of symmetric primitives.

2. Code-based cryptosystems. Implementation of public-key schemes. Other functionalities like hashing or stream ciphers.

3. Decoding and algorithmics. Algebraic cryptanalysis. Iterative decoding. Fast algorithms from computer algebra.

4. “Electronic war”. Driven by applications. Algorithmic aspects of communication schemes recognition.

6 Bibliography of the project-team

6.1 Books and Monographs and book chapters

[1] A. Canteaut. A5/1; Berlekamp-Massey algorithm; Combination generator; Correlation attack; Fast ; Filter generator; Inversion attack; Linear complexity; Linear consistency attack; Linear cryptanalysis for stream ciphers; Linear feedback ; Linear syndrome attack; Minimal polynomial; Running-key; Stream cipher. In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer, 2005.

[2] A. Canteaut and K. Viswanathan, editors. INDOCRYPT 2004, volume 3348 of LNCS. Springer-Verlag, 2004.

[3] C. Carlet, editor. Discrete Applied Mathematics, volume 128 (1). Elsevier, May 2003. Special issue on Coding and Cryptology.

[4] C. Carlet. Boolean functions; Correlation immune and resilient Boolean functions; Nonlinearity of Boolean functions; Propagation characteristics of Boolean functions. In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer, 2005.

[5] P. Charpin. Cyclic codes; Reed-Muller codes. In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer, 2005.

[6] P. Charpin and G. Kabatiansky, editors. Discrete Applied Mathematics, volume 154 (2). Elsevier, 2006. Special issue on Coding and Cryptography.

[7] F. Levy dit Vehel. Cryptographie. In C. Kichner, editor, Encyclopédie des systèmes d’information. Éditions Vuibert, 2006. In press.

[8] G. Kabatiansky, E. Krouk, and S. Semenov. Error Correcting Codes and Security for Data Networks. John Wiley & Sons Ltd, 2005. ISBN 0-470-86754-X, 278 pages.

[9] N. Sendrier. McEliece public key cryptosystem; Niederreiter encryption scheme. In H.C.A. van Tilborg, editor, Encyclopedia of cryptography and security. Springer, 2005.

6.2 Doctoral dissertations and “Habilitation” theses

[10] M. Bardet. Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Thèse de doctorat, Université Paris 6, December 2004.

[11] R. Bhaskar. Protocoles cryptographiques pour les réseaux Ad hoc. Thèse de doctorat, École Polytechnique, June 2006.

[12] A. Canteaut. Analyse et conception de chiffrements à clef secrète. Mémoire d’habilitation à diriger des recherches, Université Paris 6, September 2006.

[13] M. Finiasz. Nouvelles constructions utilisant des codes correcteurs d’erreurs en cryptographie à clef publique. Thèse de doctorat, École Polytechnique, Palaiseau, October 2004.

[14] F. Galand. Constructions de codes Z_{p^k}-linéaires de bonne distance minimale, et schémas de dissimulation fondés sur les codes de recouvrements. Thèse de doctorat, Université de Caen, December 2004.

[15] C.S. Nedeloaia. Étude des énumérateurs des poids des codes linéaires utilisant des formes décomposées des matrices génératrices. Thèse de doctorat, Université de Limoges, February 2005.

[16] H. Ollivier. Éléments de théorie de l’information quantique, décohérence et codes correcteurs d’erreurs. Thèse de doctorat, École Polytechnique, Palaiseau, September 2004.

[17] G. Olocco. Décodage itératif et distance minimale d’une nouvelle famille de codes auto-duaux. Thèse de doctorat, Université Paris-Sud, Orsay, April 2003.

[18] L. Perret. Étude d’outils algébriques et combinatoires pour la cryptographie à clef publique. Thèse de doctorat, Université de Marne-la-Vallée, October 2005.

[19] N. Sendrier. Cryptosystèmes à clé publique basés sur les codes correcteurs d’erreurs. Mémoire d’habilitation à diriger des recherches, Université Paris 6, March 2002.

[20] C. Tavernier. Testeurs, problèmes de reconstruction univariés et multivariés, et application à la cryptanalyse du DES. Thèse de doctorat, École Polytechnique, Palaiseau, January 2004.

[21] M. Videau. Critères de sécurité des algorithmes de chiffrement à clé secrète. Thèse de doctorat, Université Pierre et Marie Curie (Paris 6), November 2005.

6.3 Articles in refereed journals

[22] A. Barg and G.A. Kabatiansky. A class of i.p.p. codes with efficient identification. Journal of Complexity, 20(2-3):137–147, 2004.

[23] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfect nonlinear functions. IEEE Trans. Inform. Theory, 52(9):4160–4170, September 2006.

[24] T.P. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography, 35:63–79, April 2005.

[25] S. Bezrukov, R. Elsasser, B. Monien, R. Preiss, and J.-P. Tillich. New spectral lower bounds on the bisection width. Theoretical Computer Science, 320:155–174, 2004.

[26] R. Bhaskar, D. Augot, V. Issarny, and D. Sacchetti. A three round authenticated group key agreement protocol for ad hoc networks. Journal on Pervasive and Mobile Computing, 2005. In press.

[27] R. Bhaskar, J. Herranz, and F. Laguillaumie. Aggregate designated verifier signatures and application to secure routing. International Journal of Security and Networks, 2006. Special Issue on Cryptography in Networks. In press.

[28] A. Canteaut and P. Charpin. Decomposing bent function. IEEE Transactions on Information Theory, 49(8):2004–2019, August 2003.

[29] A. Canteaut, P. Charpin, and M. Videau. Cryptanalysis of block ciphers and weight divisibility of some binary codes. In M. Blaum, P.G. Farrell, and H.C.A. van Tilborg, editors, Information, Coding and Mathematics, pages 75–97. Kluwer, 2002. In honor of Bob McEliece on his 60th birthday. Invited paper.

[30] A. Canteaut, M. Daum, G. Leander, and H. Dobbertin. Normal and non normal bent functions. Discrete Applied Mathematics, 154(2):202–218, February 2006. Special issue in Coding and Cryptology.

[31] A. Canteaut and M. Videau. Symmetric Boolean functions. IEEE Transactions on Information Theory, 51(8):2791–2811, 2005.

[32] C. Carlet. On the confusion and diffusion properties of Maiorana-McFarland’s and extended Maiorana-McFarland’s functions. Journal of Complexity, 20(2-3):182–204, 2003. Special Issue on Coding and Cryptography.

[33] C. Carlet. On the degree, nonlinearity, algebraic thickness and non-normality of Boolean functions, with developments on symmetric functions. IEEE Transactions on Information Theory, 50:2178–2185, 2004.

[34] C. Carlet. Concatenating indicators of flats for designing cryptographic functions. Designs, Codes and Cryptography, 36:189–202, 2005.

[35] C. Carlet and P. Charpin. Cubic Boolean functions with highest resiliency. IEEE Transactions on Information Theory, 51(2):562–571, February 2005.

[36] C. Carlet, D.K. Dalai, K.C. Gupta, and S. Maitra. Algebraic immunity for cryptographically significant Boolean functions: analysis and construction. IEEE Transactions on Information Theory, 52(7):3105–3121, July 2006.

[37] C. Carlet and C. Ding. Highly nonlinear mappings. Journal of Complexity, 20(2-3):205–244, 2004. Special Issue on Coding and Cryptography.

[38] C. Carlet and C. Ding. Nonlinearities of S-boxes. Finite Fields and Their Applications, 2006. In press.

[39] C. Carlet, C. Ding, and H. Niederreiter. Authentication schemes from highly nonlinear functions. Designs, Codes and Cryptography, 40(1):71–79, July 2005.

[40] C. Carlet, C. Ding, and J. Yuan. Linear codes from perfect nonlinear mappings and their secret sharing schemes. IEEE Transactions on Information Theory, 51(6):2089–2102, June 2005.

[41] C. Carlet and P. Gaborit. Hyper-bent functions and cyclic codes. Journal of Combinatorial Theory, Series A, 2005. In press.

[42] C. Carlet and P. Sarkar. Spectral domain analysis of correlation immune and resilient Boolean functions. Finite Fields and Their Applications, 8:120–130, 2002.

[43] C. Carlet and Y. Tarannikov. Covering sequences of Boolean functions and their cryptographic significance. Designs, Codes and Cryptography, 25:263–279, 2002.

[44] C. Carlet and J.L. Yucas. Piecewise constructions of bent and almost optimal Boolean functions. Designs, Codes and Cryptography, 37(3):449–464, 2005.

[45] P. Charpin. Cyclic codes with few weights and Niho exponents. Jour. Comb. Theory Series A, 108(2):247–259, November 2004.

[46] P. Charpin. Normal Boolean functions. Journal of Complexity, 20(2-3):245–265, 2004. Special Issue on Coding and Cryptography.

[47] P. Charpin, T. Helleseth, and V. Zinoviev. On cosets of weight 4 of binary BCH codes of length 2^m (m odd), with minimal distance 8, and exponential sums. Problems of Information Transmission, 41(4):331–348, 2005.

[48] P. Charpin, T. Helleseth, and V. Zinoviev. Propagation characteristics of x ↦ 1/x and Kloosterman sums. Finite Fields and Their Applications, 2005. In press.

[49] P. Charpin, T. Helleseth, and V. Zinoviev. The coset distribution of the triple-error-correcting binary primitive BCH codes. IEEE Transactions on Information Theory, 52(4):1727–1732, 2006.

[50] P. Charpin, T. Helleseth, and V. Zinoviev. The divisibility modulo 24 of Kloosterman sums on GF(2^m), m odd. Journal of Combinatorial Theory, Series A, 2006. In press.

[51] P. Charpin and E. Pasalic. Highly nonlinear resilient functions through disjoint codes in projective spaces. Designs, Codes and Cryptography, 37(2):319–346, 2005.

[52] P. Charpin, E. Pasalic, and C. Tavernier. On bent and semi-bent quadratic Boolean functions. IEEE Transactions on Information Theory, 51(12):4286–4298, 2005.

[53] F. Didier. A new bound on the block error probability after decoding over the erasure channel. IEEE Transactions on Information Theory, 52(10):4496–4503, October 2006.

[54] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke, and P. Gaborit. Construction of bent functions via Niho power functions. Journal of Combinatorial Theory, Series A, 113(5):779–798, July 2006.

[55] J. Friedman, R. Murty, and J.P. Tillich. Spectral estimates for Abelian Cayley graphs. Journal of Combinatorial Theory Ser.B, 96(1):111–121, 2006.

[56] J. Friedman and J.-P. Tillich. Wave equations for graphs and the edge-based Laplacian. Pacific Journal of Mathematics, 216(2):229–266, October 2004.

[57] J. Friedman and J.-P. Tillich. Generalized Alon-Boppana theorems and error-correcting codes. SIAM Journal of Discrete Mathematics, 19(3):700–718, 2005.

[58] P. Gaborit, C. S. Nedeloaia, and A. Wassermann. Weight enumerators of duadic and quadratic residue codes. IEEE Transactions on Information Theory, 51(1):402–407, January 2005.

[59] G. Kabatiansky. Codes for copyright protection: the case of two pirates. Information Transmission Problems, 41(2):123–127, 2005.

[60] Y. Laigle-Chapuy. Permutation polynomials and applications to coding theory. Finite Fields and Their Applications, 2005. In press.

[61] P. Loidreau. Sur la reconstruction des polynˆomeslin´eaires: un nouvel algorithme de d´ecodage des codes de Gabidulin. Comptes Rendus de l’Acad´emiedes Sciences : S´erieI, 2004.

[62] P. Milman, H. Ollivier, and J.-M. Raimond. Universal quantum cloning in cavity QED. Phys. Rev. A, 67:12314, 2003. quant-ph 0207039.

[63] P. Milman, H. Ollivier, Y. Yamaguchi, M. Brune, J.-M. Raimond, and S. Haroche. Simple quantum information algorithms in cavity QED. J. Mod. Opt., 50(6-7):901–913, 2003.

[64] C. S. Nedeloaia. Weight distributions of cyclic self-dual codes. IEEE Transactions on Information Theory, 49(6):1582–1591, June 2003.

[65] H. Ollivier and P. Milman. Proposal for realization of a Toffoli gate via cavity-assisted collision. Quant. Info. Comput. J., 6, 2003. quant-ph 0306064.

[66] H. Ollivier, D. Poulin, and W.H. Zurek. Objective properties from subjective quantum states: Environment as a witness. Phys. Rev. Lett., 93(22):220401, 2004. quant-ph 0307229 (2003).

[67] H. Ollivier and J.-P. Tillich. Description of a quantum convolutional code. Phys. Rev. Lett., 91(17), 2003. quant-ph 0304189.

[68] H. Ollivier and J.-P. Tillich. Trellises for stabilizer codes: definition and uses. Phys. Rev. A, 74(3), September 2006.

[69] H. Ollivier and W. H. Zurek. Quantum discord: A measure of the quantumness of correlations. Phys. Rev. Lett., 88:17901, 2002. quant-ph/0105072.

[70] N. Sendrier. On the security of the McEliece public-key cryptosystem. In M. Blaum, P.G. Farrell, and H. van Tilborg, editors, Information, Coding and Mathematics, pages 141–163. Kluwer, 2002. In honor of Bob McEliece on his 60th birthday. Invited paper.

[71] N. Sendrier. Linear codes with complementary duals meet the Gilbert-Varshamov bound. Discrete Mathematics, 285:345–347, 2004.

[72] A. Seznec and N. Sendrier. HAVEGE: User-level software heuristic for strong random numbers. ACM Transactions on Modeling and Computer Simulation, 14(4):334–346, October 2003.

[73] J.-P. Tillich and G. Zémor. The Gaussian isoperimetric inequality and decoding error probabilities for the Gaussian channel. IEEE Transactions on Information Theory, 50(2):328–331, February 2004.

6.4 Articles in refereed conference proceedings

[74] F. Armknecht, C. Carlet, P. Gaborit, S. Künzli, W. Meier, and O. Ruatta. Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. In EUROCRYPT 2006, number 4004 in LNCS, pages 147–164. Springer-Verlag, 2006.

[75] D. Augot and M. Finiasz. A public key encryption scheme based on the polynomial reconstruction problem. In EUROCRYPT 2003, number 2656 in LNCS, pages 229–241. Springer-Verlag, 2003.

[76] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based cryptographic hash functions. In Ed Dawson and Serge Vaudenay, editors, MYCRYPT 2005, number 3715 in LNCS, pages 64–83. Springer-Verlag, 2005.

[77] T. P. Berger and P. Loidreau. Designing an efficient and secure public-key cryptosystem based on reducible rank codes. In INDOCRYPT 2004, number 3348 in LNCS, pages 218–229, 2004.

[78] T.P. Berger and M. Minier. Two algebraic attacks against the F-FCSRs using the IV mode. In INDOCRYPT 2005, number 3797 in LNCS, pages 143–154. Springer-Verlag, 2005.

[79] A. Canteaut. On the correlations between a combining function and functions of fewer variables. In Proceedings of 2002 IEEE Information Theory Workshop, pages 78–81, Bangalore, India, October 2002. IEEE Press. Invited paper.

[80] A. Canteaut. Fast correlation attacks against stream ciphers and related open problems. In Proceedings of the 2005 IEEE Information Theory Workshop on Theory and Practice in Information-Theoretic Security (ITW 2005), pages 49–54, Awaji Island, Japan, October 2005. IEEE Press. Invited paper.

[81] A. Canteaut. Open problems related to algebraic attacks on stream ciphers. In O. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers, volume 3969 of LNCS, pages 120–134. Springer-Verlag, 2006. Invited paper.

[82] A. Canteaut and M. Videau. Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis. In EUROCRYPT 2002, number 2332 in LNCS, pages 518–533. Springer-Verlag, 2002.

[83] C. Carlet. A larger class of cryptographic Boolean functions via a study of the Maiorana-McFarland construction. In CRYPTO 2002, number 2442 in LNCS, pages 549–564. Springer-Verlag, 2002.

[84] C. Carlet. On the secondary constructions of resilient and bent functions. In Coding, Cryptography and Combinatorics, volume 23 of Progress in Computer Science and Applied Logic, pages 3–28. Birkhäuser Verlag, Basel, 2004.

[85] C. Carlet. On highly nonlinear S-boxes and their inability to thwart DPA attack. In INDOCRYPT 2005, number 3797 in LNCS, pages 49–62. Springer-Verlag, 2005.

[86] C. Carlet and A. Gouget. An upper bound on the number of m-resilient Boolean functions. In ASIACRYPT 2002, volume 2501 of LNCS, pages 484–496. Springer-Verlag, 2002.

[87] C. Carlet and E. Prouff. On plateaued Boolean functions and their constructions. In FSE 2003, volume 2887 of LNCS, pages 54–73. Springer-Verlag, 2003.

[88] C. Carlet and E. Prouff. On a new notion of nonlinearity relevant to multi-output pseudo-random generators. In SAC 2003, number 3006 in LNCS, pages 291–305. Springer-Verlag, 2004.

[89] C. Carlet and E. Prouff. Vectorial functions and covering sequences. In A. Poli, G. L. Mullen, and H. Stichtenoth, editors, Finite Fields and Applications, Fq7, volume 2948 of LNCS, pages 215–248. Springer-Verlag, 2004.

[90] P. Charpin and E. Pasalic. On propagation characteristics of resilient functions. In SAC 2002, volume 2595 of LNCS, pages 356–365. Springer-Verlag, 2003.

[91] I. de Lamberterie and M. Videau. Regards croisés de juristes et d'informaticiens sur la sécurité informatique. In Actes du Symposium sur la Sécurité des Technologies de l'Information et des Communications, 2006. Invited paper.

[92] F. Didier. Using Wiedemann's algorithm to compute the immunity against algebraic and fast algebraic attacks. In INDOCRYPT 2006, Proceedings, Kolkata, India, December 2006. Springer-Verlag. To appear.

[93] F. Didier and J.-P. Tillich. Computing the algebraic immunity efficiently. In FSE 2006, LNCS. Springer-Verlag, 2006. To appear.

[94] C. Faure and P. Loidreau. A new public-key cryptosystem based on the problem of reconstruction of p-polynomials. In O. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers, volume 3969 of LNCS, pages 304–315. Springer-Verlag, 2006.

[95] F. Galand. On the minimum distance of some families of Z_{2^k}-linear codes. In AAECC 15, Proceedings, volume 2643, pages 235–243, Toulouse, France, May 2003. Springer-Verlag Heidelberg.

[96] C. Lauradoux. Collision attacks on processors with cache and countermeasures. In C. Wolf, S. Lucks, and P.-W. Yau, editors, WEWoRC 2005, volume P-74 of Lecture Notes in Informatics, pages 76–85. Bonner Köllen Verlag, 2005.

[97] F. Levy-dit-Vehel and L. Perret. Polynomial equivalence problems and applications to multivariate cryptosystems. In INDOCRYPT 2003, number 2904 in LNCS, pages 235–251. Springer-Verlag, 2003.

[98] F. Levy-dit-Vehel and L. Perret. Attacks on public-key cryptosystems based on free partially commutative monoids and groups. In INDOCRYPT 2004, number 3348 in LNCS, pages 275–289. Springer-Verlag, 2004.

[99] F. Levy-dit-Vehel and L. Perret. A Polly Cracker system based on satisfiability. In Coding, Cryptography and Combinatorics, volume 23 of Progress in Computer Science and Applied Logic, pages 177–192. Birkhäuser Verlag, Basel, 2004.

[100] F. Levy-dit-Vehel and L. Perret. On Wagner-Magyarik cryptosystem. In O. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers, volume 3969 of LNCS, pages 316–329. Springer-Verlag, 2006.

[101] F. Levy-dit-Vehel and L. Perret. A Polly Cracker system secure against linear algebra attacks. In Proceedings of the Coding, Cryptography and Combinatorics Conference, pages 177–192, Yellow Mountain, China, June 2003.

[102] P. Loidreau. A Welch-Berlekamp like algorithm for decoding Gabidulin codes. In O. Ytrehus, editor, Coding and Cryptography - WCC 2005 - Revised selected papers, volume 3969 of LNCS, pages 36–45. Springer-Verlag, 2006.

[103] W. Meier, E. Pasalic, and C. Carlet. Algebraic attacks and decomposition of Boolean functions. In EUROCRYPT 2004, number 3027 in LNCS, pages 474–491. Springer-Verlag, 2004.

[104] M. Minier. A three rounds property in the AES. In Proceedings of the fourth conference on the AES, number 3373 in LNCS, pages 16–26. Springer-Verlag, 2004.

[105] E. Pasalic. Degree optimized resilient Boolean functions from Maiorana-McFarland class. In Cryptography and Coding, volume 2898 of LNCS, pages 93–114. Springer-Verlag, 2003.

[106] L. Perret. A fast cryptanalysis of the isomorphism of polynomials with one secret problem. In EUROCRYPT 2005, number 3494 in LNCS, pages 354–371. Springer-Verlag, 2005.

[107] C. Tavernier. Construction of modular curves and computation of their cardinality on F_p. In Finite fields: Theory, Applications and Algorithms (6th International conference on finite fields, Oaxaca, Mexico), Lecture Notes in Computer Science, pages 313–327. Springer-Verlag, 2002.

6.5 Publications in other conferences and workshops

[108] I. Andriyanova, J.-P. Tillich, and J.-C. Carlach. Asymptotically good codes with high iterative decoding performances. In ISIT 2005, Proceedings, pages 850–854, Adelaide, Australia, September 2005. IEEE Press.

[109] I. Andriyanova, J.-P. Tillich, and J.-C. Carlach. A new family of codes with high iterative decoding performances. In ICC 2006, Istanbul, Turkey, June 2006.

[110] F. Arnault, T.P. Berger, and C. Lauradoux. Description of F-FCSR-8 and F-FCSR-H stream ciphers. In Proceedings of SKEW, Aarhus, Denmark, May 2005. Submitted to eSTREAM, Call for Stream Cipher Primitives, ECRYPT.

[111] D. Augot, M. Bardet, and J.-C. Faugère. Efficient decoding of (binary) cyclic codes above the correction capacity of the code using Groebner bases. In ISIT 2003, Proceedings, page 362, Yokohama, Japan, June 2003. IEEE Press.

[112] D. Augot, M. Bardet, and J.-C. Faugère. Decoding cyclic codes with algebraic systems. In Joint BeNeLuxFra Conference in Mathematics, Ghent, Belgium, May 2005.

[113] D. Augot, M. El-Khamy, R.J. McEliece, F. Parvaresh, M. Stepanov, and A. Vardy. Algebraic list decoding of Reed-Solomon product codes. In Proceedings of ACCT’10, pages 210–214, Zvenigorod, Russia, September 2006.

[114] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based cryptographic hash function. In Ecrypt Conference on Hash Functions, Krakow, Poland, June 2005.

[115] D. Augot and M. Stepanov. Interpolation based decoding of Reed-Muller codes. In Gröbner Bases in Cryptography, Coding Theory, and Algebraic Combinatorics, RICAM, University of Linz, Austria, May 2006. Invited talk.

[116] M. Bardet, J.C. Faugère, and B. Salvy. On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In Proc. ICPSS International Conference on Polynomial System Solving, Paris, November 24-25-26 2004, in honor of Daniel Lazard, 2004.

[117] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. Decim: a new stream cipher for hardware applications. In Proceedings of SKEW, Aarhus, Denmark, May 2005. Submitted to eSTREAM, Call for Stream Cipher Primitives, ECRYPT.

[118] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. Decimv2. In Proceedings of SASC 2006 - ECRYPT Workshop on stream ciphers, Leuven, Belgium, February 2006.

[119] C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. Sosemanuk: a fast software-oriented stream cipher. In Proceedings of SKEW, Aarhus, Denmark, May 2005. Submitted to eSTREAM, Call for Stream Cipher Primitives, ECRYPT.

[120] T. Berger and P. Loidreau. Security of the Niederreiter version of the GPT public key cryptosystem. In ISIT 2002, Proceedings, page 267, Lausanne, Switzerland, July 2002. IEEE Press.

[121] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfect nonlinear mappings. In ISIT 2005, Proceedings, pages 2002–2006, Adelaide, Australia, September 2005. IEEE Press.

[122] R. Bhaskar, D. Augot, V. Issarny, and D. Sacchetti. An efficient group key agreement protocol for Ad hoc networks. In IEEE Workshop on Trust, Security and Privacy in Ubiquitous Computing, Taormina, Italy, June 2005.

[123] R. Bhaskar, J. Herranz, and F. Laguillaumie. Efficient authentication for reactive routing protocols. In Proceedings of Second International Workshop on Security in Networks and Distributed Systems, April 2006. Vienna, Austria.

[124] G.R. Blakley and G. Kabatiansky. Random coding technique for digital fingerprinting codes: fighting two pirates revisited. In Proceedings 2004 IEEE International Symposium on Information Theory, page 203, Chicago, USA, June 2004.

[125] L. Budaghyan, C. Carlet, P. Felke, and G. Leander. An infinite class of quadratic APN functions which are not equivalent to power mappings. In ISIT 2006, Proceedings, pages 2637–2641, Seattle, USA, July 2006. IEEE Press.

[126] L. Budaghyan, C. Carlet, and A. Pott. New classes of almost bent and almost perfect nonlinear polynomials. In WCC 2005, pages 306–315, Bergen, Norway, March 2005.

[127] T. Camara, H. Ollivier, and J.-P. Tillich. Constructions of quantum LDPC codes. In EQUIS 2005, pages 65–66, September 2005.

[128] A. Canteaut. Cryptanalysis of block ciphers and related properties of the Walsh spectra of S-boxes. In YACC 02, pages 3–4, Porquerolles, France, June 2002. Invited talk.

[129] A. Canteaut. Design criteria for symmetric primitives. In STORK Cryptography Workshop, pages 44–45, Bruges, Belgium, November 2002.

[130] A. Canteaut. Decoding techniques for correlation attacks on stream ciphers. In YACC 2004, Porquerolles, France, June 2004. Invited talk.

[131] A. Canteaut. Decoding techniques for correlation attacks on stream ciphers. In Academy Contact Forum "Coding theory and cryptography", The Royal Flemish Academy of Belgium for Science and the Arts, Brussels, Belgium, October 2005. http://cage.rug.ac.be/~ls/website/contactforum2005.html. Invited talk.

[132] A. Canteaut. Le chiffrement à flot. In École de Jeunes Chercheurs en Algorithmique et Calcul Formel 2005, Montpellier, April 2005.

[133] A. Canteaut and P. Charpin. Decomposing bent functions. In ISIT 2002, Proceedings, page 42, Lausanne, Switzerland, July 2002. IEEE Press.

[134] A. Canteaut, P. Charpin, and G. Kyureghyan. A new class of monomial bent functions. In Proceedings of the 2006 IEEE International Symposium on Information Theory - ISIT, Seattle, USA, July 2006. IEEE Press.

[135] A. Canteaut, M. Daum, G. Leander, and H. Dobbertin. Normal and non normal bent functions. In WCC 2003, pages 91–100, Versailles, France, March 2003.

[136] A. Canteaut and E. Filiol. On the influence of the filtering function on the performance of fast correlation attacks on filter generators. In 23rd Symposium on Information Theory in the Benelux, Louvain-la-Neuve, Belgium, May 2002.

[137] A. Canteaut and M. Videau. Higher order differential attacks on iterated block ciphers using almost bent round functions. In ISIT 2002, Proceedings, page 209, Lausanne, Switzerland, July 2002. IEEE Press.

[138] C. Carlet. On the algebraic thickness and non-normality of Boolean functions. In ITW 2003, Proceedings, pages 147–150, Paris, France, March 2003. IEEE Press.

[139] C. Carlet. Designing bent functions and resilient functions from known ones, without extending their number of variables. In ISIT 2005, Proceedings, pages 1096–1100, Adelaide, Australia, September 2005. IEEE Press.

[140] C. Carlet. On bent and highly nonlinear balanced-resilient functions and their algebraic immunities. In AAECC 16, Las Vegas, USA, February 2006. Invited talk.

[141] C. Carlet and P. Charpin. Cubic Boolean functions with highest resiliency. In ISIT 2004, Proceedings, page 497, Chicago, USA, June 2004. IEEE Press.

[142] C. Carlet and P. Gaborit. Hyper-bent functions and cyclic codes. In ISIT 2004, Proceedings, page 499, Chicago, USA, June 2004. IEEE Press.

[143] C. Carlet and P. Gaborit. On the construction of balanced Boolean functions with a good algebraic immunity. In ISIT 2005, Proceedings, pages 1101–1105, Adelaide, Australia, September 2005. IEEE Press.

[144] C. Carlet, S. Gangopadhyay, and S. Maitra. Crosscorrelation spectra of Dillon type functions. In IWSDA'05, Shimonoseki, Yamaguchi, Japan, October 2005.

[145] C. Carlet and A. Klapper. Upper bounds on the numbers of resilient functions and of bent functions. In 23rd Symposium on Information Theory in the Benelux, Louvain-la-Neuve, Belgium, May 2002.

[146] C. Carlet and A. Klapper. Upper bounds on the numbers of resilient functions and of bent functions. In YACC 02, Porquerolles, France, June 2002.

[147] C. Carlet and S. Mesnager. Improving the upper bounds on the covering radii of Reed-Muller codes. In ISIT 2005, Proceedings, pages 795–799, Adelaide, Australia, September 2005. IEEE Press.

[148] P. Charpin, T. Helleseth, and V. Zinoviev. On binary BCH codes with minimal distance 8 and Kloosterman sums. In Proceedings of ACCT 9, pages 90–94, Kranevo, Bulgaria, June 2004.

[149] P. Charpin, T. Helleseth, and V. Zinoviev. The coset distribution of the triple-error-correcting binary primitive BCH codes. In ISIT 2005, Proceedings, Adelaide, Australia, September 2005. IEEE Press.

[150] P. Charpin and G. Kyureghyan. On cubic bent functions in the class M. In Proceedings of ACCT'10, pages 52–56, Zvenigorod, Russia, September 2006.

[151] M. Cluzeau. Reconstruction of a linear scrambler. In ISIT 2004, Proceedings, page 230, Chicago, USA, June 2004. IEEE Press.

[152] M. Cluzeau. Reconstruction d'un brasseur linéaire. In École de Jeunes Chercheurs en Algorithmique et Calcul Formel - EJC 2005, Montpellier, April 2005.

[153] M. Cluzeau. Block code reconstruction using iterative decoding techniques. In Proceedings of the 2006 IEEE International Symposium on Information Theory - ISIT, Seattle, USA, July 2006. IEEE Press.

[154] N. Courtois, M. Finiasz, and N. Sendrier. Short McEliece-based digital signatures. In ISIT 2002, Proceedings, page 265, Lausanne, Switzerland, July 2002. IEEE Press.

[155] I. Dumer, G. Kabatiansky, and C. Tavernier. List decoding of second order Reed-Muller codes up to the Johnson bound with almost linear complexity. In Proceedings of the 2006 IEEE International Symposium on Information Theory - ISIT, pages 138–142, Seattle, USA, July 2006. IEEE Press.

[156] C. Faure. Average number of Gabidulin codewords within a sphere. In Proceedings of ACCT'10, pages 86–90, Zvenigorod, Russia, September 2006.

[157] M. Finiasz. Words of minimal weight and weight distribution of binary Goppa codes. In ISIT 2003, Proceedings, page 70, Yokohama, Japan, June 2003. IEEE Press.

[158] M. Finiasz. Syndrome decoding in the non-standard cases. In CLC 2006, Darmstadt, Germany, September 2006. Invited talk.

[159] E. Gabidulin and P. Loidreau. On subspaces subcodes of rank codes. In Proceedings of ACCT 9, pages 178–184, Kranevo, Bulgaria, June 2004.

[160] E. M. Gabidulin and P. Loidreau. On subcodes of codes in rank metric. In 2005 IEEE International Symposium on Information Theory, ISIT'05, pages 121–123, Adelaide, Australia, September 2005.

[161] P. Gaborit, C. S. Nedeloaia, and A. Wassermann. Weight enumerators of duadic and quadratic residue codes. In Proceedings 2004 IEEE International Symposium on Information Theory, page 485, Chicago, USA, June 2004.

[162] F. Galand. Practical construction against theoretical approach in fingerprinting. In Proceedings of the 2006 IEEE International Symposium on Information Theory - ISIT, Seattle, USA, July 2006. IEEE Press.

[163] F. Galand and G. Kabatiansky. Information hiding by coverings. In ITW 2003, Proceedings, pages 151–154, Paris, France, March 2003. IEEE Press.

[164] F. Galand and G. Kabatiansky. via covering codes. In ISIT 2003, Proceedings, page 192, Yokohama, Japan, June 2003. IEEE Press.

[165] G. Kabatiansky. Good ternary 2-traceability codes exist. In Proceedings 2004 IEEE International Symposium on Information Theory, page 204, Chicago, USA, June 2004.

[166] G. Kabatiansky and C. Tavernier. List decoding of Reed-Muller codes. In Proceedings of ACCT 9, pages 230–235, Kranevo, Bulgaria, June 2004.

[167] G. Kabatiansky and C. Tavernier. List decoding of second order Reed-Muller codes. In Proceedings of the Eighth International Symposium on Communication Theory and Applications, Ambleside, UK, July 2005.

[168] G. Kabatiansky and C. Tavernier. List decoding of second order Reed-Muller codes, second part. In Proceedings of ACCT’10, pages 131–135, Zvenigorod, Russia, September 2006.

[169] C. Lauradoux. Collision attacks on processors with cache and countermeasures. In WEWoRC 2005, Western European Workshop on Research in Cryptology, Leuven, Belgium, July 2005.

[170] C. Lauradoux. Complexité des fonctions booléennes symétriques. In École de Jeunes Chercheurs en Algorithmique et Calcul Formel, Montpellier, France, April 2005.

[171] C. Lauradoux. Machine virtuelle et pot de miel. In École Internet Nouvelle Génération, ING 2005, Montreuil sur Mer, France, July 2005.

[172] P. Loidreau. On the decoding of maximum rank distance codes. In Conférence franco-russe "Mathematics of Communication", November 2003. Invited talk.

[173] P. Loidreau. How to reduce public-key size in McEliece-like public key cryptosystems. In CLC 2006, Darmstadt, Germany, September 2006. Invited talk.

[174] P. Loidreau and R. Overbeck. Decoding rank errors beyond the error-correcting capacity. In Proceedings of ACCT’10, pages 186–190, Zvenigorod, Russia, September 2006.

[175] P. Loidreau and B. Sakkour. Modified version of Sidelnikov-Peshakov decoding algorithm for binary second order Reed-Muller codes. In Proceedings of ACCT 9, pages 266–272, Kranevo, Bulgaria, June 2004.

[176] M. Minier. An integral cryptanalysis of a five rounds version of FOX. In WEWoRC 2005, Leuven, Belgium, July 2005.

[177] C. S. Nedeloaia. On weight distribution of cyclic self-dual codes. In Proceedings 2002 IEEE International Symposium on Information Theory, page 232, Lausanne, Switzerland, July 2002. IEEE.

[178] H. Ollivier and J.-P. Tillich. Interleaved serial concatenation of quantum convolutional codes: gate implementation and iterative error estimation algorithm. In 26th Symposium on Information Theory in the Benelux, pages 149–158, Brussels, Belgium, 2005.

[179] L. Perret. A geometrical approach to a polynomial equivalence problem. In ICPSS 2004, Paris, France, November 2004.

[180] L. Perret. Algorithms for solving the isomorphism of polynomials with one secret problem. In Joint BeNeLuxFra Conference in Mathematics, Ghent, Belgium, May 2005.

[181] L. Perret. A chosen attack on a public key cryptosystem based on Lyndon words. In WCC 2005, pages 235–245, Bergen, Norway, March 2005.

[182] L. Perret and A. Bayad. A differential approach to a polynomial equivalence problem. In ISIT 2004, Proceedings, page 142, Chicago, USA, June 2004. IEEE Press.

[183] N. Sendrier. Linear codes with complementary duals meet the Gilbert-Varshamov bound. In ISIT 2004, Proceedings, page 456, Chicago, USA, June 2004. IEEE Press.

[184] N. Sendrier. Coding-based cryptosystems. In ECRYPT summer school on cryptanalysis, Pythagorion, Samos, Greece, May 2005. Invited talk.

[185] N. Sendrier. Encoding information into constant weight words. In ISIT 2005, Proceedings, pages 435–438, Adelaide, Australia, September 2005. IEEE Press.

[186] N. Sendrier. Public-key cryptology based on error-correcting codes. In CAEN'05, Caen, France, June 2005. Invited talk.

[187] N. Sendrier. Key security of code-based public key cryptosystem. In CLC 2006, Darmstadt, Germany, September 2006. Invited talk.

[188] N. Sendrier. Post-quantum code-based cryptography. In PQcrypto 2006, Leuven, Belgium, May 2006. Invited talk.

[189] N. Sendrier, D. Augot, M. Finiasz, and P. Loidreau. Diversity in public key cryptography using coding theory and related problems. In STORK cryptography workshop, Bruges, Belgium, November 2002.

[190] N. Sendrier and C. Lauradoux. HAVEGE: true random number generator in software. In YACC 06, Porquerolles Island, France, June 2006. Invited talk.

[191] V.V. Shorin and P. Loidreau. Application of Groebner bases techniques for searching new sequences with good periodic correlation properties. In ISIT 2005, Proceedings, pages 1196–1200, Adelaide, Australia, September 2005. IEEE Press.

[192] J.-P. Tillich. The average weight distribution of Tanner code ensembles and a way to modify them to improve their weight distribution. In ISIT 2004, Proceedings, page 7, Chicago, USA, June 2004. IEEE Press.

[193] J.-P. Tillich and G. Zémor. The Gaussian isoperimetric inequality and the probability of a decoding error. In ISIT 2002, Proceedings, page 400, Lausanne, Switzerland, July 2002. IEEE Press.

[194] J.-P. Tillich and G. Zémor. On the minimum distance of structured LDPC codes with two variable nodes of degree 2 per parity-check equation. In ISIT 2006, Proceedings, pages 1549–1553, Seattle, USA, July 2006. IEEE Press.

[195] M. Videau. On some properties of symmetric Boolean functions. In ISIT 2004, Proceedings, page 500, Chicago, USA, June 2004. IEEE Press.

[196] M. Videau. Symmetric Boolean functions with high nonlinearity. In WEWoRC 2005, Leuven, Belgium, July 2005.

6.6 Internal Reports

[197] D. Augot, M. Finiasz, and P. Loidreau. Using the trace operator to repair the polynomial reconstruction based cryptosystem, presented at Eurocrypt 2003. Research paper, Cryptology ePrint Archive, Report 2003/209, 2003. http://eprint.iacr.org.

[198] D. Augot, M. Finiasz, and N. Sendrier. A fast provably secure cryptographic hash function. Research paper, Cryptology ePrint Archive, 2003. http://eprint.iacr.org/2003/230/.

[199] D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based cryptographic hash function. Research Report RR-5592, INRIA, June 2005.

[200] M. Bardet, J.-C. Faugère, and B. Salvy. Complexity of Groebner basis computation for semi-regular overdetermined sequences over GF(2) with solutions in GF(2). Research Report RR-5049, INRIA, December 2003.

[201] I. ben Slimen. Codes correcteurs pour les protocoles de reconciliation quantique de clés. Internship report, INRIA, ENIT, Tunisia, June 2006. Supervisor: J.P. Tillich.

[202] T.P. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy. On almost perfect nonlinear functions. Research Report RR-5774, INRIA, December 2005. http://www.inria.fr/rrrt/rr-5774.html.

[203] R. Bhaskar. Group key agreement in ad hoc networks. Research Report RR-4832, INRIA, December 2003.

[204] Raghav Bhaskar. Group key agreement in ad hoc networks. INRIA internship report, Indian Institute of Technology, April 2003. Supervisor: Daniel Augot.

[205] T. Camara. Codes correcteurs quantiques. Internship report, DEA "algorithmique", Université de Paris 6, September 2003. Supervisor: J.P. Tillich.

[206] A. Canteaut, C. Lauradoux, and A. Seznec. Understanding cache attacks. Research Report RR-5881, INRIA, April 2006. http://www.inria.fr/rrrt/.

[207] A. Canteaut and M. Videau. Weakness of block ciphers using highly nonlinear confusion functions. Research Report RR-4367, INRIA, February 2002. http://www.inria.fr/rrrt/rr-4367.html.

[208] M. Cluzeau. Reconstruction d'un brasseur linéaire. DEA internship report, Faculté des Sciences de Limoges, July 2003. Supervisors: A. Canteaut, N. Sendrier.

[209] X. Dahan. Généralisation de graphes de Ramanujan, application à la construction des codes correcteurs obtenus comme code des cycles d'un graphe. INRIA internship report, Université de Versailles Saint-Quentin, August 2002. Supervisor: J.P. Tillich.

[210] M. Diarra. Analyse de la sécurité d'un protocole d'identification pour les RFID. Option internship report, École Polytechnique, July 2006. Supervisor: N. Sendrier.

[211] V. Dubois. Etudes de codes convolutifs quantiques. Option internship report, École Polytechnique, September 2003. Supervisor: J.P. Tillich.

[212] C. Faure. Etude d'un cryptosystème à clé publique fondé sur le problème de reconstruction de polynômes linéaires. Internship report, DEA "algorithmique", ENSTA - INRIA, September 2004. Supervisor: P. Loidreau.

[213] D. Heitzler. Etude des propriétés cryptographiques des T-fonctions. Maîtrise internship report, Université de Cergy-Pontoise, July 2005. Supervisor: A. Canteaut.

[214] Y. Laigle-Chapuy. Les polynômes de permutation. Applications en théorie des codes. Internship report, DEA "algorithmique", INRIA, June 2004. Supervisor: P. Charpin.

[215] F. Levy-dit-Vehel and L. Perret. A Polly Cracker system based on satisfiability. Research Report RR-4698, INRIA, January 2003.

[216] F. Levy-dit-Vehel and L. Perret. Polynomial equivalence problems and applications to multivariate cryptosystems. Research Report RR-5119, INRIA, February 2004.

[217] P. Loidreau. An algebraic attack against Augot-Finiasz cryptosystem. Research Report RR-5662, INRIA, 2005. http://www.inria.fr/rrrt/rr-5662.html.

[218] S. Manuel. Codes d'authentification de messages - application aux fonctions de hachage fondées sur le décodage de syndrome rapide. Maîtrise internship report, Université Paris 8, October 2004. Supervisor: N. Sendrier.

[219] M. Minier. A bottleneck attack on Crypton. Research Report RR-5324, INRIA, October 2004.

[220] C. S. Nedeloaia. Upper bounds on the dual distances of EBCH codes. Research Report RR-5477, INRIA, January 2005.

[221] M. Naya Plasencia. Cryptanalyse de systèmes de chiffrement à flot : étude de la sécurité d'. Master Recherche II internship report, Université de Versailles-St Quentin, INRIA, September 2006. Supervisor: A. Canteaut.

[222] P. Quanty. Etude d'une attaque sur les algorithmes de chiffrement à flot. DEA internship report, Université de Limoges, June 2002. Supervisors: A. Canteaut and J.P. Tillich.

[223] Y. Ridene. Etude et implémentation de primitives cryptographiques soumises au projet eSTREAM. First-year internship report, IUP GMI (MIME option), Université Paris 8, September 2005. Supervisor: A. Canteaut.

[224] T. Roetynck. Implémentation d'un cryptosystème basé sur les codes correcteurs d'erreurs. Engineering internship report, ENSTB, September 2003. Supervisor: N. Sendrier.

[225] O. Trabelsi. Codes stabilisateurs quantiques. Master's thesis, ENIT, Tunisia, September 2006. Supervisor: J.P. Tillich.

[226] R. Triki. Application de techniques de décodage à la cryptanalyse de systèmes de chiffrements. Internship report, DEA "algorithmique", INRIA, June 2004. Supervisor: J.P. Tillich.

[227] C. Vacher. Visualisation de la diffusion dans un chiffrement symétrique. DEUG MIAS internship report, Université de Cergy Pontoise, August 2004. Supervisor: A. Canteaut.

6.7 Deliverables

[228] D. Augot, A. Biryukov, A. Canteaut, C. Cid, N. Courtois, C. De Cannière, H. Gilbert, C. Lauradoux, M. Parker, B. Preneel, M. Robshaw, and Y. Seurin. D.STVL.2 – AES Security Report. Report of the ECRYPT European Network of Excellence, 2006. 73 pages.

[229] D. Augot, F. Morain, C. Fontaine, J. Leneutre, S. Maag, A. Cavalli, and F. Nait-Abdesselam. Review of vulnerabilities in mobile ad-hoc networks: trust and routing protocols views. Technical report, ACI SERAC, 2005. Deliverable of the ACI (action concertée incitative) SERAC.

[230] A. Canteaut. Rapport final de l’action concertée incitative CrAC II. Technical report, ACI CrAC II, 2005. 15 pages.

[231] A. Canteaut and D. Augot. Rapport d’expertise de l’algorithme AAC. CANAL+ Technologies contract report, April 2003. 244 pages.

[232] A. Canteaut (ed.), D. Augot, A. Biryukov, A. Braeken, C. Cid, H. Dobbertin, H. Englund, H. Gilbert, L. Granboulan, H. Handschuh, M. Hell, T. Johansson, A. Maximov, M. Parker, T. Pornin, B. Preneel, M. Robshaw, and M. Ward. D.STVL.3 – Open Research Areas in Symmetric Cryptography and Technical Trends in Lightweight Cryptography. Report of the ECRYPT European Network of Excellence, February 2005. 82 pages.

[233] A. Canteaut (ed.), D. Augot, A. Biryukov, A. Braeken, C. Cid, H. Dobbertin, H. Englund, H. Gilbert, L. Granboulan, H. Handschuh, M. Hell, T. Johansson, A. Maximov, M. Parker, T. Pornin, B. Preneel, M. Robshaw, and M. Ward. D.STVL.4 – Open Research Areas in Symmetric Cryptography and Technical Trends in Lightweight Cryptography. Report of the ECRYPT European Network of Excellence, February 2006. 88 pages.

[234] M. Cluzeau and N. Sendrier. Reconstruction d’un brasseur linéaire. Technical progress report, DGA contract 02 60 65 095 450 75 01, February 2004. 75 pages.

[235] M. Cluzeau and N. Sendrier. Reconstruction d’un schéma de codage. Final technical report, DGA contract 02 60 65 095 450 75 01, October 2004. 102 pages.

[236] A. Canteaut (co-author), Forum des Droits sur l’Internet. La conservation électronique des documents. http://www.foruminternet.org/, December 2005. http://www.foruminternet.org/telechargement/documents/reco-archivage-20%051201.pdf.

[237] J. Kempe, H. Ollivier, and J. Kempe. Final report of the “réseaux quantiques” project of the ACI “sécurité informatique”, number 03510, August 2006. 13 pages.

[238] F. Levy-dit-Vehel. Rapport final de l’action concertée incitative ACCES. Technical report, ACI ACCES, 2004. 11 pages.

[239] M. Minier, A. Canteaut, N. Courtois, and H. Gilbert. Chiffrement à flot - Etat de l’art. RNRT X-CRYPT project report, February 2005. 44 pages.

[240] J.P. Tillich. Final report of the INRIA (project-team CODES)/France Télécom R&D research contract “Nouveaux turbo codes en bloc”, December 2004. 62 pages.

6.8 Vulgarization

[241] D. Augot. Les travaux de Madhu Sudan sur les codes correcteurs d’erreurs. La gazette des mathématiciens, October 2003.

[242] A. Canteaut. Cryptanalyse de chiffrement à clef secrète par blocs. MISC - Le magazine de la sécurité informatique, 2, March 2002.

[243] A. Canteaut. Le chiffrement à la volée. Pour la Science, pages 86–87, July 2002. Special issue “La cryptographie, l’art du secret”.

[244] A. Canteaut. La cryptographie ou les mathématiques au service de la protection de l’information. In Ouverture des Olympiades de Mathématiques de l’Académie de Versailles, Université de Versailles, January 2003.

[245] A. Canteaut. Comment concevoir un algorithme de chiffrement rapide et solide. In La face cachée des mathématiques, Paris, March 2004. Conference organised by the IHÉS, the Société Mathématique de France, the Société de Mathématiques Appliquées et Industrielles and Pour la Science.

[246] A. Canteaut. Parcours et fiches sur les générateurs pseudo-aléatoires et le chiffrement à flot. Cryptologie et Sécurité de l’Information Internet portal, 2006. http://www.picsi.org/.

[247] C. Lauradoux. Machine virtuelle et honeypot. MISC - Le magazine de la sécurité informatique, 21, September 2005.

[248] C. Lauradoux. Timing attack et hyperthreading. MISC - Le magazine de la sécurité informatique, 20, July 2005.

[249] P. Loidreau. Le partage de secret. MISC - Le magazine de la sécurité informatique, 3, 2002.

[250] P. Loidreau. Le transfert inconscient. MISC - Le magazine de la sécurité informatique, 2, 2002.

[251] P. Loidreau. L’identification à divulgation nulle de connaissance. MISC - Le magazine de la sécurité informatique, 1, 2002.

[252] P. Loidreau. Pour quelques bits d’information. MISC - Le magazine de la sécurité informatique, 20, July 2005.

[253] H. Ollivier and P. Pajot. La décohérence, espoir du calcul quantique. La Recherche, 378(34), 2004.

[254] M. Videau and D. Eck. Les algorithmes de tri. Interstices, à la découverte de l’univers des STIC, 2004.
