2025Activity‌ reportProject-TeamCOSMIQ

3.1 Quantum algorithms and​​ cryptanalysis

Well-analyzed mathematical problems​​​‌ such as integer factorization‌ or the discrete logarithm‌​‌ problem, that have been​​ the foundations of asymmetric​​​‌ cryptographic for many years,‌ were found to be‌​‌ easily solved with Shor's​​ algorithm by a quantum​​​‌ computer. This has prompted‌ the community to actively‌​‌ search for alternatives and​​ the NIST to launch​​​‌ in 2017 a still‌ ongoing competition aiming at‌​‌ standardizing the most suitable​​ candidates. Even if the​​​‌ proposed solutions to this‌ competition have good reasons‌​‌ to be believed resistant​​ to a quantum computer,​​​‌ they often have a‌ rich mathematical structure that‌​‌ makes them tantalizing targets​​ for quantum speedups that​​​‌ go beyond the usual‌ Grover/quantum-walk speedups. The recent‌​‌ work of Chen, Liu​​ and Zhandry on solving​​​‌ LWE in superposition (Eurocrypt‌ 2022) is a good‌​‌ illustration of this potential.​​ It gives a quantum​​​‌ polynomial time algorithm of‌ the Short Integer Solution‌​‌ (SIS) problem for some​​ parameters seemingly unreachable for​​​‌ classical computers. The SIS‌ problem appears in lattice-based‌​‌ cryptography and while this​​ does not break current​​​‌ proposals for lattice-based cryptography,‌ it shows that even‌​‌ computational assumptions believed to​​ be secure against quantum​​​‌ computers are at risk‌ with quantum algorithms going‌​‌ way beyond Shor's algorithm.​​

On the other hand,​​​‌ symmetric cryptography, essential for‌ enabling secure communications, used‌​‌ to seem much less​​ affected at first sight:​​​‌ the biggest known threat‌ was Grover's algorithm, which‌​‌ allows exhaustive key searches​​ in the square root​​​‌ of the normal complexity.‌ Thus, it was believed‌​‌ that doubling key-lengths suffices​​ to maintain an equivalent​​​‌ security in the post-quantum‌ world, but this has‌​‌ changed since our project​​ QUASYModo.

Indeed, our results​​​‌ have shown that both‌ for symmetric and asymmetric‌​‌ cryptography, the impact of​​​‌ quantum computers goes well​ beyond Grover's and Shor's​‌ algorithms and has to​​ be studied carefully in​​​‌ order to understand if​ a given cryptographic primitive​‌ is secure or not​​ in a quantum world.​​​‌ To correctly evaluate the​ security of cryptographic primitives​‌ in the post-quantum world,​​ it is really desirable​​​‌ to elaborate a quantum​ cryptanalysis toolbox. This whole​‌ thread of research, that​​ needs to combine techniques​​​‌ from symmetric or asymmetric​ cryptanalysis together with quantum​‌ algorithmic tools, came naturally​​ in our team which​​​‌ is composed of symmetric​ and asymmetric cryptologists as​‌ well as of experts​​ in quantum computing. We​​​‌ have exploited this unique​ opportunity to become one​‌ of the leading research​​ teams in the field.​​​‌ We have also managed​ to pass on the​‌ interest and the focus​​ in this research direction​​​‌ to other international groups​ that have recently published​‌ some interesting new results​​ on quantum cryptanalysis, like:​​​‌ G. Leander and A.​ May (U. Bochum), T.​‌ Iwata (U. Nagoya), Y.​​ Sasaki and A. Hosoyamada​​​‌ (NTT), Xiaoyun Wang et​ al. (Tsinghua U, Beijing),​‌ Li Yang et al.​​ (Chinese academy of science)...​​​‌

3.2 Symmetric cryptology

Symmetric​ techniques are widely used​‌ because they are the​​ only ones that can​​​‌ achieve some major features​ such as high-speed or​‌ low-cost encryption, fast authentication,​​ and efficient hashing. It​​​‌ is a very active​ research area which is​‌ stimulated by a pressing​​ industrial demand for low-cost​​​‌ implementations. Even if the​ block cipher standard AES​‌ remains unbroken 25 years​​ after its design, it​​​‌ clearly appears that it​ cannot serve as a​‌ Swiss Army knife in​​ all environments. In particular​​​‌ an important challenge raised​ by several new applications​‌ is the design of​​ symmetric encryption schemes with​​​‌ some additional properties compared​ to the AES, either​‌ in terms of implementation​​ performance (low-cost hardware implementation,​​​‌ low latency, resistance against​ side-channel attacks...) or in​‌ terms of functionalities. The​​ past decade has then​​​‌ been characterized by a​ multiplicity of new proposals​‌ and evaluating their security​​ has become a primordial​​​‌ task which requires the​ attention of the community.​‌

This proliferation of symmetric​​ primitives has been amplified​​​‌ by public competitions, including​ the recent NIST lightweight​‌ standardization effort, which have​​ encouraged innovative but unconventional​​​‌ constructions in order to​ answer the harsh implementation​‌ constraints. These promising but​​ new designs need to​​​‌ be carefully analyzed since​ they may introduce unexpected​‌ weaknesses in the ciphers.​​ Our research work captures​​​‌ this conflict for all​ families of symmetric ciphers.​‌ It includes new attacks​​ and the search for​​​‌ new building blocks which​ ensure both a high​‌ resistance to known attacks​​ and a low implementation​​​‌ cost. This work, which​ combines cryptanalysis and the​‌ theoretical study of discrete​​ mathematical objects, is essential​​​‌ to progress in the​ formal analysis of the​‌ security of symmetric systems.​​

Our specificity, compared to​​​‌ most groups in the​ area, is that our​‌ research work tackles all​​ aspects of the problem,​​​‌ from the practical ones​ (new attacks, concrete constructions​‌ of primitives and low-cost​​ building-blocks) to the most​​ theoretical ones (study of​​​‌ the algebraic structure of‌ underlying mathematical objects, definition‌​‌ of optimal objects). We​​ study these aspects not​​​‌ separately but as several‌ sides of the same‌​‌ domain.

3.3 Post-quantum asymmetric​​ cryptology

Current public-key cryptography​​​‌ is particularly threatened by‌ quantum computers, since almost‌​‌ all cryptosystems used in​​ practice rely on related​​​‌ number-theoretic security problems that‌ can be easily solved‌​‌ on a quantum computer​​ as shown by Shor​​​‌ in 1994. This very‌ worrisome situation has prompted‌​‌ NIST to launch a​​ standardization process in 2017​​​‌ for quantum-resistant alternatives to‌ those cryptosystems. This concerns‌​‌ all three major asymmetric​​ primitives, namely public-key encryption​​​‌ schemes, key-exchange protocols and‌ digital signatures. The NIST‌​‌ has made it clear​​ that for each primitive​​​‌ there will be several‌ selected candidates relying on‌​‌ different security assumptions. It​​ publicly admits that the​​​‌ evaluation process for these‌ post-quantum cryptosystems is significantly‌​‌ more complex than the​​ evaluation of the SHA-3​​​‌ and AES candidates for‌ instance.

There were 69‌​‌ (valid) submissions to this​​ call in November 2017,​​​‌ with numerous lattice-based, code-based‌ and multivariate-cryptography submissions and‌​‌ some submissions based either​​ on hashing or on​​​‌ supersingular elliptic curve isogenies.‌ In January 2019, 26‌​‌ of these submissions were​​ selected for the second​​​‌ round and 7 of‌ them are code-based submissions.‌​‌ In July 2020, 15​​ schemes were selected as​​​‌ third round finalists/alternate candidates,‌ 3 of them are‌​‌ code-based. In July 2022,​​ the NIST announced the​​​‌ first candidates to be‌ standardized: one lattice-based encryption/KEM‌​‌ and three digital signature​​ schemes (two lattice-based and​​​‌ one hash based). Meanwhile‌ four encryption/KEM schemes (three‌​‌ code-based and one isogeny​​ based) which were still​​​‌ under discussion advanced to‌ the fourth round. The‌​‌ isogeny based candidate was​​ broken shortly afterwards and​​​‌ finally the code based‌ candidate HQC was selected‌​‌ in March 2025. Note​​ that our team is​​​‌ involved in all three‌ code-based schemes that remained.‌​‌

The lack of diversity​​ among the signatures left​​​‌ in the process prompted‌ the NIST to suggest‌​‌ to the community to​​ propose in June 2023​​​‌ additional signature schemes relying‌ on other security assumptions‌​‌ than the ones that​​ have been selected. Forty​​​‌ additional submissions of this‌ kind were accepted in‌​‌ July.

The research of​​ the project-team in this​​​‌ field is focused on‌ the design and cryptanalysis‌​‌ of cryptosystems making use​​ of coding theory and​​​‌ we have proposed code-based‌ candidates to the NIST‌​‌ call for the first​​ two types of primitives,​​​‌ namely public-key encryption and‌ key-exchange protocols and have‌​‌ two candidates among the​​ finalists/alternate candidates. We also​​​‌ submitted Wave to the‌ second call of signature‌​‌ schemes and are involved​​ in the submission MIRA,​​​‌ PERK and RYDE. The‌ last three made it‌​‌ to the second round​​ in 2024.

3.4 Quantum​​​‌ information

The field of‌ quantum information and computation‌​‌ aims at exploiting the​​ laws of quantum physics​​​‌ to manipulate information in‌ radically novel ways. There‌​‌ are two main applications:​​

• (i)
  quantum computing, that​​​‌ offers the promise of‌ solving some problems that‌​‌ seem to be intractable​​​‌ for classical computers such​ as for instance factorization​‌ or solving the discrete​​ logarithm problem;
• (ii)
  quantum​​​‌ cryptography, which provides new​ ways to exchange data​‌ in a provably secure​​ fashion. For instance it​​​‌ allows key distribution by​ using an authenticated channel​‌ and quantum communication over​​ an unreliable channel with​​​‌ information-theoretic security, in the​ sense that its security​‌ can be proven rigorously​​ by using only the​​​‌ laws of quantum physics,​ even with all-powerful adversaries.​‌

Our team deals with​​ quantum coding theoretic issues​​​‌ related to building a​ large quantum computer and​‌ with quantum cryptography. If​​ these two questions may​​​‌ seem at first sight​ quite distinct, they are​‌ in fact closely related​​ in the sense that​​​‌ they both concern the​ protection of (quantum) information​‌ either against an adversary​​ in the case of​​​‌ quantum cryptography or against​ the environment in the​‌ case of quantum error-correction.​​ This connection is actually​​​‌ quite deep since an​ adversary in quantum cryptography​‌ is typically modeled by​​ a party having access​​​‌ to the entire environment.​ The goals of both​‌ topics are then roughly​​ to be able to​​​‌ measure how much information​ has leaked to the​‌ environment for cryptography and​​ to devise mechanisms that​​​‌ prevent information from leaking​ to the environment in​‌ the context of error​​ correction.

While quantum cryptography​​​‌ is already getting out​ of the labs, this​‌ is not yet the​​ case of quantum computing,​​​‌ with large quantum computers​ capable of breaking RSA​‌ with Shor's algorithms maybe​​ still decades away. The​​​‌ situation is evolving very​ quickly, however, notably thanks​‌ to massive public investments​​ in the past couple​​​‌ of years and all​ the major software or​‌ hardware companies starting to​​ develop their own quantum​​​‌ computers. One of the​ main obstacles towards building​‌ a quantum computer is​​ the fragility of quantum​​​‌ information: any unwanted interaction​ with the environment gives​‌ rise to the phenomenon​​ of decoherence which prevents​​​‌ any quantum speedup from​ occurring. In practice, all​‌ the hardware of the​​ quantum computer is intrinsically​​​‌ faulty: the qubits themselves,​ the logical gates and​‌ the measurement devices. To​​ address this issue, one​​​‌ must resort to quantum​ fault-tolerance techniques which in​‌ turn rely on the​​ existence of good families​​​‌ of quantum error-correcting codes​ that can be decoded​‌ efficiently. Our expertise in​​ this area lies in​​​‌ the study of a​ particularly important class of​‌ quantum codes called quantum​​ low-density parity-check (LDPC) codes.​​​‌ The LDPC property, which​ is well-known in the​‌ classical context where it​​ allows for very efficient​​​‌ decoding algorithms, is even​ more crucial in the​‌ quantum case since enforcing​​ interactions between a large​​​‌ number of qubits is​ very challenging. Quantum LDPC​‌ codes solve this issue​​ by requiring each qubit​​​‌ to only interact with​ a constant number of​‌ other qubits.

4.1 Designing, Analyzing​​​‌ and Choosing Cryptographic Standards​

The research community is​‌ strongly involved in the​​ development and evolution of​​​‌ cryptographic standards. Many standards​ are developed through open​‌ competitions (e.g. AES,​​ SHA-3) where multiple teams​​ propose new designs, and​​​‌ a joint cryptanalysis effort‌ allows to select the‌​‌ most suitable proposals. The​​ analysis of established standards​​​‌ is also an important‌ work, in order to‌​‌ depreciate weak algorithms before​​ they can be exploited.​​​‌ Several members of the‌ team have been involved‌​‌ in this type of​​ effort and we plan​​​‌ to continue this work‌ to ensure that secure‌​‌ algorithms are widely available.​​ We believe that good​​​‌ cryptographic standards have a‌ large socio-economic impact, and‌​‌ we are active in​​ proposing schemes to future​​​‌ competitions, and in analyzing‌ schemes proposed to current‌​‌ or future competitions, as​​ well as widely-used algorithms​​​‌ and standards.

We have‌ been involved in the‌​‌ two standardization efforts run​​ by NIST for post-quantum​​​‌ cryptography and lightweight cryptography.‌ We have also uncovered‌​‌ potential backdoors in two​​ algorithms from the Russian​​​‌ Federation (Streebog and Kuznyechik),‌ and successfully presented the‌​‌ standardization of the latter​​ by ISO. We have​​​‌ also implemented practical attacks‌ against SHA-1 to speed-up‌​‌ its deprecation.

NIST post-quantum​​ competition.

The NIST post-quantum​​​‌ competition1 aims at‌ standardizing quantum-safe public-key primitives.‌​‌ It is really about​​ offering a credible quantum-safe​​​‌ alternative for the schemes‌ based on number theory‌​‌ which are severely threatened​​ by the advent of​​​‌ quantum computers. We are‌ involved in two of‌​‌ the three candidates which​​ remain in the fourth​​​‌ round of the competition.‌ In 2020, we obtained‌​‌ a significant breakthrough in​​ solving more efficiently the​​​‌ MinRank problem and the‌ decoding problem in the‌​‌ rank metric 74,​​ 75 by using algebraic​​​‌ techniques. This had several‌ consequences: all second round‌​‌ rank metric candidates were​​ dismissed from the third​​​‌ round (including our own‌ candidate) and it was‌​‌ later found out that​​ this algebraic algorithm could​​​‌ also be used to‌ attack the third round‌​‌ multivariate finalist, namely Rainbow​​ and the alternate third​​​‌ round finalist GeMSS.‌ Various algebraic techniques were‌​‌ also developed to attack​​ the McEliece cryptosystem 79​​​‌, 76, 78‌ or for related schemes‌​‌ based on other families​​ of algebraic codes 77​​​‌. Even if these‌ algebraic techniques are right‌​‌ now not a threat​​ against the NIST fourth-round​​​‌ finalist 73ClassicMcEliece,‌ they indeed show that‌​‌ the square-code based distinguisher​​ of high-rate Goppa codes​​​‌ or alternant codes that‌ we devised in our‌​‌ project ten years ago,​​ can indeed be transformed​​​‌ in most of the‌ cases into an actual‌​‌ attack on a McEliece​​ scheme based on them.​​​‌ This is not a‌ threat though on the‌​‌ ClassicMcEliece proposal, because the​​ rate of the code​​​‌ used there is not‌ high enough to be‌​‌ in the distinguishable regime.​​ However in 78,​​​‌ we have significantly enlarged‌ the region of rates‌​‌ where there is a​​ rather efficient distinguisher thanks​​​‌ to a novel concept,‌ namely associating to a‌​‌ code a space of​​ quadratic forms containing very​​​‌ low rank quadratic forms‌ if the code is‌​‌ a Goppa code. This​​ paves the way for​​​‌ new algebraic attacks on‌ the McEliece cryptosystem.

NIST‌​‌ competition on lightweight symmetric​​​‌ encryption.

The NIST lightweight​ cryptography standardization process2​‌ is an initiative to​​ develop and standardize new​​​‌ authenticated encryption algorithms suitable​ for constrained devices. As​‌ explained in Subsection 3.2​​, there is a​​​‌ real need for new​ standards in lightweight cryptography,​‌ and the selected algorithms​​ are expected to be​​​‌ widely deployed within the​ Internet of Things, as​‌ well as on more​​ constrained devices such as​​​‌ contactless smart cards, or​ medical implants. The NIST​‌ received 56 submissions in​​ February 2019, three of​​​‌ which, including one of​ 10 finalists, have been​‌ co-designed by members of​​ the team.

Monitoring Current​​​‌ Standards

While we are​ very involved in the​‌ design phase of new​​ cryptographic standards (see above),​​​‌ we also monitor the​ algorithms that are already​‌ standardized. In practice, this​​ work has two sides.​​​‌

First, we work towards​ the deprecation of algorithms​‌ known to be unsage.​​ Unfortunately, even when this​​​‌ fact is known in​ the academic community, standardizing​‌ bodies can be slow​​ to implement the required​​​‌ changes to their standards.​ This prompted for example​‌ G. Leurent to implement​​ even better attacks against​​​‌ SHA-1 to illustrate its​ very practical weakness, and​‌ L. Perrin and X.​​ Bonnetain (then a COSMIQ​​​‌ member) to find simple​ arguments proving that a​‌ subfunction used by the​​ current Russian standards was​​​‌ not generated randomly, despite​ the claims of its​‌ authors.

Second, it also​​ means that we participate​​​‌ to the relevant ISO​ meetings discussing the standardization​‌ of cryptographic primitives (JC27/WG2),​​ and that we follow​​​‌ the discussions of the​ IETF and IRTF on​‌ RFCs. We have also​​ provided technical assistance to​​​‌ members of other standardizing​ bodies such as the​‌ ETSI.

4.2 Large scale​​ deployment of quantum cryptography​​​‌

Major academic and industrial​ efforts are currently underway​‌ to implement quantum key​​ distribution at large scale​​​‌ by integrating this technology​ within existing telecommunication networks.​‌ Colossal investments have already​​ taken place in China​​​‌ to develop a large​ network of several thousand​‌ kilometers secured by quantum​​ cryptography, and there is​​​‌ little doubt that Europe​ will follow the same​‌ strategy, as testified by​​ the current European projects​​​‌ CiViQ (in which we​ are involved), OpenQKD and​‌ the future initiative Euro-QCI​​ (Quantum Communication Infrastructure). While​​​‌ the main objectives of​ these actions are to​‌ develop better systems at​​ lower cost and are​​​‌ mainly engineering problems, it​ is crucial to note​‌ that the security of​​ the quantum key distribution​​​‌ protocols to be deployed​ remains far from being​‌ completely understood. For instance,​​ while the asymptotic regime​​​‌ of these protocols (where​ one assumes a perfect​‌ knowledge of the quantum​​ channel for instance) has​​​‌ been thoroughly studied in​ the literature, it is​‌ not the case of​​ the much more relevant​​​‌ finite-size regime accounting for​ various sources of statistical​‌ uncertainties for instance. Another​​ issue is that compliance​​​‌ with the standards of​ the telecommunication industry requires​‌ much improved performances compared​​ to the current state-of-the-art,​​​‌ and this can only​ be achieved by significantly​‌ tweaking the original protocols.​​ It is therefore rather​​ urgent to better understand​​​‌ whether these more efficient‌ protocols remain as secure‌​‌ as the previous ones.​​ Our work in this​​​‌ area is to build‌ upon our own expertise‌​‌ in continuous-variable quantum key​​ distribution, for which we​​​‌ have developed the most‌ advanced security proofs, to‌​‌ give security proofs for​​ the protocols used in​​​‌ this kind of quantum‌ networks.

5.1 Impact​​ of research results

Our​​​‌ project is still involved‌ in the NIST competition‌​‌ for standardizing quantum-safe cryptosystems​​ where we were involved​​​‌ in two fourth-round finalists‌ and are now part‌​‌ of the HQC team​​ which is the code​​​‌ based candidate selected for‌ standardization. This is expected‌​‌ to have a strong​​ impact since the standardized​​​‌ solution will likely replace‌ large parts of the‌​‌ world’s infrastructure underpinning secure​​ global communication.

6.1‌ Awards

Anne Canteaut and‌​‌ Anthony Leverrier are among​​ the hundred winners in​​​‌ Le Point’s 2025 Inventors’‌ Awards ranking. Their distinction‌​‌ continues a tradition within​​ the team, as Maria​​​‌ Naya-Plasencia had already been‌ honored in a previous‌​‌ edition of this ranking.​​

6.2 NIST PQC competition​​​‌ and standardization of HQC‌

Nicolas Sendrier , Jean-Pierre‌​‌ Tillich and Valentin Vasseur​​ are coauthors of the​​​‌ HQC proposal which was‌ selected by NIST in‌​‌ 2025 as standard for​​ post-quantum Key-Encapsulation Mechanism (KEM).​​​‌ This provides outstanding visibility‌ to the researchers involved‌​‌ and to the COSMIQ​​ team. The mathematical background​​​‌ of HQC relates to‌ codes defined as subspaces‌​‌ of binary cyclic polynomial​​ ring and to the​​​‌ hardness of their decoding,‌ topics in which the‌​‌ team members had numerous,​​ sometimes pioneering, contributions.

7.1 Latest‌​‌ software developments

8.1‌ Quantum algorithms and cryptanalysis‌​‌

Participants: Agathe Blanvillain,​​ Quentin Buzet, André​​​‌ Chailloux, Paul Hermouet‌, Christophe Piveteau,‌​‌ María Naya-Plasencia, Jean-Pierre​​ Tillich.

We have​​​‌ kept on working on‌ generic quantum algorithms related‌​‌ to cryptanalysis, and in​​ addition, have devised some​​​‌ new algorithms showing a‌ quantum advantage for solving‌​‌ approximate interpolation problems.

8.2​​ Symmetric cryptology

Participants: Sacha​​​‌ Baillarguet-Gajic, Antoine Bak‌, Augustin Bariant,‌​‌ Jules Baudrin, Aurélien​​ Boeuf, Anne Canteaut​​​‌, Pascale Charpin,‌ Baptiste Daumen, Merlin‌​‌ Fruchon, Pierre Galissant​​, Shibam Ghosh,​​​‌ Guilhem Jazeron, Eran‌ Lambooij, Gaëtan Leurent‌​‌, César Mathéus,​​​‌ Dounia M'Foukh, Bastien​ Michel, María Naya-Plasencia​‌, Patrick Neumann,​​ Léo Perrin, Jules​​​‌ Perrin De Brichambaut,​ Maria Slim, Quan​‌ Quan Tan.

Our​​ recent results in symmetric​​​‌ cryptography concern either the​ security analysis of existing​‌ primitives, or the design​​ of new primitives. This​​​‌ second topic includes some​ work on the construction​‌ and properties of suitable​​ building-blocks for these primitives,​​​‌ e.g. on the search​ of highly nonlinear functions.​‌

8.3 Post-quantum asymmetric cryptology​​

Participants: André Chailloux,​​​‌ Loïc Demange, Valerian​ Hatey, Axel Lemoine​‌, Laura Luzzi,​​ Antoine Mesnard, Charles​​​‌ Meyer-Hilfiger, Magali Salom​, Nicolas Sendrier,​‌ Jean-Pierre Tillich.

Our​​ work in this area​​​‌ is mainly focused on​ code-based cryptography, but some​‌ of our contributions, namely​​ algebraic attacks, have applications​​​‌ in multivariate cryptography or​ in algebraic coding theory.​‌ Many contributions relate to​​ the NIST call for​​​‌ postquantum primitives, either cryptanalysis​ or design.

We have​‌ also been organizing since​​ 2015 a working group​​​‌ held every month or​ every two months on​‌ code-based cryptography that structures​​ the French efforts on​​​‌ this topic: every meeting​ is attended by most​‌ of the groups working​​ in France on this​​​‌ topic (project-team GRACE, University​ of Bordeaux, University of​‌ Limoges, University of Rennes​​ and University of Rouen).​​​‌

8.4 Quantum information

Participants:​ André Chailloux, Bruno​‌ Costa Alves Freire,​​ Virgile Guémard, Thomas​​​‌ Van Himbeeck, Anthony​ Leverrier, Ewan Murphy​‌, Samuel Novak,​​ Clement Poirson, Etienne​​​‌ Stock, Jean-Pierre Tillich​, Michael John George​‌ Vasmer.

Most of​​ our work in quantum​​​‌ information deals with either​ quantum algorithms, quantum error​‌ correction or cryptography. Our​​ work on quantum error​​​‌ correction and fault tolerant​ quantum computation has significantly​‌ expanded with the arrival​​ of Michael Vasmer.

9.1 Bilateral​ grants with industry

• Thalès​‌ (10/2024 -> 9/2027) Funding​​ for the supervision of​​​‌ Magali Salom 's PhD.​

  45 kEuros.

• Alice &​‌ Bob (11/2024 -> 10/2027)​​ Funding for the supervision​​​‌ of Clement Poirson 's​ PhD.

  45 kEuros.

• Pasqal​‌ (11/2024 -> 10/2027) Funding​​ for the supervision of​​​‌ Bruno Costa Alves Freire​ 's PhD.

  45 kEuros.​‌

• Quandela (9/2025 -> 8/2028)​​ Funding for the supervision​​​‌ of Ewan Murphy 's​ PhD.

  45 kEuros.

• Apple​‌ Inc. (12/2024 -> 02/2026)​​

10.1 International initiatives

10.2 European initiatives​​​‌

10.3​​ National initiatives

• ANR SWAP​​​‌ (02/22→09/26)

  Sboxes for Symmetric-Key​ Primitives

  ANR Program: AAP​‌ Générique 2021

  Partners: UVSQ​​ (coordinateur), Inria COSMIQ, ANSSI,​​​‌ CryptoExperts, Univ. of Rouen,​ Univ. of Toulon.

  172​‌ kEuros

  Sboxes are small​​ nonlinear functions that are​​​‌ crucial components of most​ symmetric-key designs and their​‌ properties are highly related​​ to the security of​​​‌ the overall construction. The​ development of new attacks​‌ has given rise to​​ many Sbox design criteria.​​​‌ However, the emerge of​ new contexts, applications and​‌ environments requires the development​​ of new design criteria​​ and strategies. The SWAP​​​‌ project aims first at‌ investigating such criteria for‌​‌ emerging use cases like​​ whitebox cryptography, fully homomorphic​​​‌ encryption and side-channel resistance.‌ Then, we wish for‌​‌ analyzing the impact of​​ these particular designs on​​​‌ cryptanalysis and see how‌ the use of Sboxes‌​‌ with some special mathematical​​ structures can accelerate some​​​‌ known attacks or introduce‌ new ones. Finally, we‌​‌ aim at studying Sboxes​​ from a mathematical point​​​‌ of view and provide‌ new directions to the‌​‌ Big APN problem, an​​ old conjecture on the​​​‌ existence of a particular‌ type of optimal permutations.‌​‌

• CRYPTANALYSE (10/23$\to$09/28)​​

  Cryptanalysis of classical cryptographic​​​‌ primitives

  ANR Program: AAP‌ PEPR Cybersécurité

  Partners: COSMIQ‌​‌ (coordinator), CARAMBA (coordinator), LFANT,​​ LIRMM, IRISA, LMV, MIS,​​​‌ LIP6, LJK

  605 kEuros‌ (Total amount: 5 MEuros)‌​‌

  This is one of​​ the ten projects within​​​‌ the Program on Cybersecurity(‌url), funded by‌​‌ the French investment plan,​​ France 2030. This project​​​‌ brings together the main‌ French research groups working‌​‌ on cryptanalysis. It will​​ study simultaneously the most​​​‌ widely used cryptographic primitives,‌ the more recent primitives‌​‌ which have been around​​ for a shorter time​​​‌ or which are within‌ the long process of‌​‌ academic approval or standardisation,​​ and finally the project​​​‌ also studies specialized primitives‌ which are designed for‌​‌ some specific application contexts.​​ In all cases, the​​​‌ main goal is to‌ provide accurate hardness estimations‌​‌ for the underlying problems​​ and, ultimately, a good​​​‌ understanding of the security‌ level, both for symmetric‌​‌ and for asymmetric primitives.​​ Software tools, which will​​​‌ be made openly available‌ when appropriate, are bound‌​‌ to play a key​​ role in this work.​​​‌ This project will advance‌ the state of the‌​‌ art in cryptanalysis, and​​ eventually increase the security​​​‌ of primitives used today‌ and in the future.‌​‌

• ANR EPIQ (01/22$\to $12/27)

  Quantum Software -​​​‌ Study of the quantum‌ stack: Algorithm, models, and‌​‌ simulation for quantum computing​​

  ANR Program: PEPR on​​​‌ Quantum Technologies

  Partners: MOCQA(coordinator),‌ COSMIQ, CEA (LIST, IPHT,MEM),‌​‌ Inria (Paris, Bordeaux, Nancy,​​ Lyon, Rennes, Saclay), University​​​‌ of Aix-Marseille (LIS), University‌ of Bordeaux (LABRI), University‌​‌ of Bourgogne and Franche​​ Comté (ICB), University of​​​‌ Grenoble (LPMMC,NEEL), University of‌ Paris (IRIF), Sorbonne University‌​‌ (LIP6),

  230 kEuros

  The​​ purpose of this project​​​‌ is (i) to understand‌ the advantages and limits‌​‌ of quantum computing via​​ both quantum complexity research​​​‌ and the discovery and‌ enhancement of algorithms, (ii)‌​‌ to define the framework​​ for quantum computation using​​​‌ high-level languages, comparison of‌ computational models as well‌​‌ as using their relations​​ for program optimization, (iii)​​​‌ develop simulation tools to‌ anticipate the performances of‌​‌ algorithms on noisy quantum​​ machines. We are involved​​​‌ in studying the limits‌ of quantum algorithms in‌​‌ cryptanalysis.

• ANR NISQ2LSQ (01/22​​$\to$12/27)

  From NISQ​​​‌ to LSQ: Bosonic and‌ LDPC codes

  ANR Program:‌​‌ PEPR on Quantum Technologies​​

  Partners: COSMIQ (coordinator), Inria​​​‌ (Paris, Nancy, Lyon, Saclay),‌ SPEC/CEA Saclay, PHELIQS/ CEA‌​‌ Grenoble, LPMMC, ENS Lyon,​​ LPTHE, Alice$\&$Bob,​​​‌ C2N, Majulab, LCF, LIP6,‌ LKB, MPQ, Quandela, Institut‌​‌ de Mathématiques de Bordeaux,​​​‌ CEA-LETI, GR2IF, XLIM

  420​ kEuros

  This project aims​‌ at accelerating the R​​$\&$D efforts in​​​‌ the theory and conception​ of hardware-efficient fault- tolerant​‌ quantum codes. As far​​ as codes are concerned,​​​‌ the project focuses on​ two of the most​‌ promising solutions, namely bosonic​​ codes and Low-Density Parity-Check​​​‌ (LDPC) codes. On the​ hardware side, the targeted​‌ platforms are superconducting qubits​​ and photonic ones.

• ANR​​​‌ TLS-PQ (01/22$\to$12/26)​

  Post-quantum padlock for web​‌ browser

  ANR Program: PEPR​​ on Quantum Technologies

  Partners:​​​‌ CAPSULE(coordinator), COSMIQ, Inria (Paris,​ Bordeaux, Nancy, Lyon, Rennes,​‌ Saclay), CEA-LETI, University of​​ Bordeaux (TDN), University of​​​‌ Caen (AMACC), University of​ Limoges (Cryptis), University of​‌ Rouen (CA), University of​​ Saint-Etienne (SESAM), University of​​​‌ Versailles (Cryptis), ARCAD

  430​ kEuros

  This integrated project​‌ aims to develop in​​ 5 years post-quantum primitives​​​‌ in a prototype of​ « post-quantum lock »​‌ that will be implemented​​ in an open-source browser.​​​‌ We are involved in​ developing code-based solutions and​‌ analyzing the security of​​ the proposed algorithms.

• Q-LOOP​​​‌ (01/24 $\to$ 12/29)

  Préparer​ le contrôle commande de​‌ l'ordinateur quantique ANR program​​ on Quantum Technologies

  Patners:​​​‌ CEA, IRT, CNRS, Inria,​ Siemens, A&B, C12, Quandela,​‌ Quobly 120 kEuros

  This​​ project aims at building​​​‌ a portfolio of HW​ and SW technologies enabling​‌ the control at large​​ scale of emerging solid​​​‌ state qubits technologies e.g.​ Superconducting cat qubits, semiconductor​‌ qubits (carbon nanotubes, spin​​ qubits) and photonic qubits​​​‌ in development by emerging​ industrial actors. The project​‌ will cover a large​​ span of technologies ranging​​​‌ from cryo-electronics to real​ time error correction under​‌ a system approach encompassing​​ the development of models​​​‌ for control chains enabling​ the exploration of various​‌ architectures and leading to​​ demonstration of solutions representative​​​‌ of future scaling requirements.​

11.1 Promoting​‌ scientific activities

11.2 Teaching​​​‌ - Supervision - Juries​ - Educational and pedagogical​‌ outreach

• Master: Anne Canteaut​​ , Canteaut, Error-correcting codes​​​‌ and applications to cryptology​, 12 hours, M2,​‌ University Paris-Cité (MPRI), France;​​
• Master: André Chailloux ,​​​‌ Quantum Circuits and Logic​ Gates, 12 hours,​‌ M1, Sorbonne Université;
• Master:​​ André Chailloux , Quantum​​​‌ information, 12 hours, M2,​ University Paris-Cité (MPRI), France;​‌
• Master: André Chailloux Quantum​​ algorithms, 4 hours, M2,​​​‌ Ecole Normale Supérieure de​ Lyon, France;
• Master: Léo​‌ Perrin , Application Web​​ et Sécurité, 24 hours,​​​‌ M1, UVSQ, France;
• Master:​ Anne Canteaut , María​‌ Naya Plasencia , Léo​​ Perrin , Symmetric Cryptography​​​‌, M2, 6+6+6 hours,​ Université Paris-Cité (MIC), France.​‌
• Master: Michael John George​​ Vasmer , Introduction to​​​‌ quantum information theory,​ 32 hours, M2, Université​‌ PSL, France
• Spring school:​​ Anne Canteaut and Léo​​​‌ Perrin gave 6-hour lectures​ at the Spring School​‌ on Symmetric Cryptography, Rome,​​ Italy, Feb. 9-14.

11.3 Popularization

• Rencontre avec​ la chercheuse qui casse​‌ les codes secrets,​​ Paris Saclay Summit, Feb.​​​‌ 13, 2025. Anne Canteaut​ .
• La recherche sur​‌ le numérique : périmètre​​ et enjeux scientifiques et​​​‌ sociétaux, INSP, January​ 24, 2025. Anne Canteaut​‌ .
• Quel(s) type(s) d’engagement,​​ de l’individu aux institutions​​​‌ ?, Congrès du​ Collège des Sociétés savantes​‌, Montpellier, Feb. 4,​​ 2025. Anne Canteaut .​​​‌
• Pilotage de la recherche​ et liberté académique,​‌ AFDESRI (Association des femmes​​ dirigeantes de l'ESRI), Nogent-sur-Marne,​​​‌ May 14, 2025. Anne​ Canteaut .
• Demi-journée "Carrières​‌ après le doctorat", GDR​​ Sécurité, May 5, 2025.​​​‌ Anne Canteaut .
• Journées​ Parité, Scientific Boards of​‌ CNRS Sciences Informatiques et​​ CNRS Mathématiques, Oct 2025.​​​‌ Anne Canteaut .
• Cybersécurité​ - Un temps d'avance​‌, CNRS, December 2025.​​ Anne Canteaut .

12.1​​ Major publications

• 1 inproceedings​​​‌C.Christof Beierle,‌ A.Anne Canteaut,‌​‌ G.Gregor Leander and​​ Y.Yann Rotella.​​​‌ Proving Resistance Against Invariant‌ Attacks: How to Choose‌​‌ the Round Constants..​​Crypto 2017 - Advances​​​‌ in Cryptology10402LNCS‌ - Lecture Notes in‌​‌ Computer ScienceSteven Myers​​Santa Barbara, United States​​​‌SpringerAugust 2017,‌ 647--678HALDOI
• 2‌​‌ articleA.Anne Canteaut​​ and L.Léo Perrin​​​‌. On CCZ-Equivalence, Extended-Affine‌ Equivalence, and Function Twisting‌​‌.Finite Fields and​​ Their Applications56March​​​‌ 2019, 209-246HAL‌DOI
• 3 inproceedingsA.‌​‌André Chailloux, M.​​María Naya-Plasencia and A.​​​‌André Schrottenloher. An‌ Efficient Quantum Collision Search‌​‌ Algorithm and Implications on​​ Symmetric Cryptography.Asiacrypt​​​‌ 2017 - Advances in‌ Cryptology10625 LNCS -‌​‌ Lecture Notes in Computer​​ ScienceHong Kong, China​​​‌SpringerDecember 2017,‌ 211--240HALDOI
• 4‌​‌ articleK.Kaushik Chakraborty​​, A.André Chailloux​​​‌ and A.Anthony Leverrier‌. Arbitrarily Long Relativistic‌​‌ Bit Commitment.Physical​​ Review Letters115December​​​‌ 2015HALDOI
• 5‌ articleP.Pascale Charpin‌​‌, G. M.Gohar​​ M. Kyureghyan and V.​​​‌Valentin Suder. Sparse‌ Permutations with Low Differential‌​‌ Uniformity.Finite Fields​​ and Their Applications28​​​‌March 2014, 214-243‌HALDOI
• 6 inproceedings‌​‌T.Thomas Debris-Alazard,​​ N.Nicolas Sendrier and​​​‌ J.-P.Jean-Pierre Tillich.‌ Wave: A New Family‌​‌ of Trapdoor One-Way Preimage​​ Sampleable Functions Based on​​​‌ Codes.ASIACRYPT 2019‌ - 25th International Conference‌​‌ on the Theory and​​ Application of Cryptology and​​​‌ Information Security11921LNCS‌Kobe, JapanSpringerDecember‌​‌ 2019, 21-51HAL​​DOI
• 7 inproceedingsO.​​​‌Omar Fawzi, A.‌Antoine Grospellier and A.‌​‌Anthony Leverrier. Constant​​ overhead quantum fault-tolerance with​​​‌ quantum expander codes.‌FOCS 2018 - 59th‌​‌ Annual IEEE Symposium on​​ Foundations of Computer Science​​​‌Paris, FranceOctober 2018‌, 743-754HALDOI‌​‌
• 8 inproceedingsA.Antonio​​ Florez-Gutierrez, G.Gaëtan​​​‌ Leurent, M.María‌ Naya-Plasencia, L.Léo‌​‌ Perrin, A.André​​ Schrottenloher and F.Ferdinand​​​‌ Sibleyras. New results‌ on Gimli: full-permutation distinguishers‌​‌ and improved collisions.​​Asiacrypt 2020 - 26th​​​‌ Annual International Conference on‌ the Theory and Application‌​‌ of Cryptology and Information​​ Security12491Lecture Notes​​​‌ in Computer ScienceDaejeon‌ / Virtual, South Korea‌​‌December 2020, 33--63​​HALDOI
• 9 inproceedings​​​‌M.Marc Kaplan,‌ G.Gaëtan Leurent,‌​‌ A.Anthony Leverrier and​​ M.María Naya-Plasencia.​​​‌ Breaking Symmetric Cryptosystems Using‌ Quantum Period Finding.‌​‌Crypto 2016 - 36th​​ Annual International Cryptology Conference​​​‌9815LNCS - Lecture‌ Notes in Computer Science‌​‌Santa Barbara, United States​​SpringerAugust 2016,​​​‌ 207-237HALDOI
• 10‌ inproceedingsG.Gaëtan Leurent‌​‌ and T.Thomas Peyrin​​. SHA-1 is a​​​‌ Shambles.USENIX 2020‌ - 29th USENIX Security‌​‌ SymposiumBoston / Virtual,​​ United StatesAugust 2020​​​‌HAL
• 11 articleA.‌Anthony Leverrier. Security‌​‌ of Continuous-Variable Quantum Key​​ Distribution via a Gaussian​​​‌ de Finetti Reduction.‌Physical Review Letters118‌​‌20May 2017,​​​‌ 1--24HALDOI
• 12​ inproceedingsR.Rafael Misoczki​‌, J.-P.Jean-Pierre Tillich​​, N.Nicolas Sendrier​​​‌ and P. S.Paulo​ S. L. M. Barreto​‌. MDPC-McEliece: New McEliece​​ Variants from Moderate Density​​​‌ Parity-Check Codes.IEEE​ International Symposium on Information​‌ Theory - ISIT 2013​​Istanbul, TurkeyJuly 2013​​​‌, 2069-2073HAL
• 13​ articleL.Léo Perrin​‌. Partitions in the​​ S-Box of Streebog and​​​‌ Kuznyechik.IACR Transactions​ on Symmetric Cryptology2019​‌1March 2019,​​ 302-329HALDOI

12.2​​​‌ Publications of the year​

12.3 Cited publications

• 73​​​‌ miscM. R.Martin‌ R. Albrecht, D.‌​‌ J.Daniel J. Bernstein​​, T.Tung Chou​​​‌, C.Carlos Cid‌, J.Jan Gilcher‌​‌, T.Tanja Lange​​, V.Varun Maram​​​‌, I. V.Ingo‌ Von Maurich, R.‌​‌Rafael Misoczki, R.​​Ruben Niederhagen, K.​​​‌ G.Kenneth G. Paterson‌, E.Edoardo Persichetti‌​‌, C.Christiane Peters​​, P.Peter Schwabe​​​‌, N.Nicolas Sendrier‌, J.Jakub Szefer‌​‌, C. J.Cen​​ Jung Tjhai, M.​​​‌Martin Tomlinson and W.‌Wen Wang. Classic‌​‌ McEliece: conservative code-based cryptography​​.Round 4 submission​​​‌ to the NIST call‌ for postquantum cryptographic primitives‌​‌October 2022HALback​​ to text
• 74 inproceedings​​​‌M.Magali Bardet,‌ P.Pierre Briaud,‌​‌ M.Maxime Bros,​​ P.Philippe Gaborit,​​​‌ V.Vincent Neiger,‌ O.Olivier Ruatta and‌​‌ J.-P.Jean-Pierre Tillich.​​ An Algebraic Attack on​​​‌ Rank Metric Code-Based Cryptosystems‌.EUROCRYPT 2020 -‌​‌ 39th Annual International Conference​​​‌ on the Theory and​ Applications of Cryptographic Techniques​‌12107Lecture Notes in​​ Computer ScienceZagreb /​​​‌ Virtual, CroatiaSpringerMay​ 2020, 64--93HAL​‌DOIback to text​​
• 75 inproceedingsM.Magali​​​‌ Bardet, M.Maxime​ Bros, D.Daniel​‌ Cabarcas, P.Philippe​​ Gaborit, R.Ray​​​‌ Perlner, D.Daniel​ Smith-Tone, J.-P.Jean-Pierre​‌ Tillich and J.Javier​​ Verbel. Improvements of​​​‌ Algebraic Attacks for Solving​ the Rank Decoding and​‌ MinRank Problems.ASIACRYPT​​ 2020 - 26th International​​​‌ Conference on the Theory​ and Application of Cryptology​‌ and Information Security12491​​Lecture Notes in Computer​​​‌ ScienceDaejeon / Virtual,​ South KoreaSpringerDecember​‌ 2020, 507--536HAL​​DOIback to text​​​‌
• 76 articleM.Magali​ Bardet, R.Rocco​‌ Mora and J.-P.Jean-Pierre​​ Tillich. Polynomial time​​​‌ key-recovery attack on high​ rate random alternant codes​‌.IEEE Transactions on​​ Information Theory706​​​‌June 2024, 4492-4511​HALDOIback to​‌ text
• 77 articleA.​​Alain Couvreur and M.​​​‌Matthieu Lequesne. On​ the security of subspace​‌ subcodes of Reed-Solomon codes​​ for public key encryption​​​‌.IEEE Transactions on​ Information Theory681​‌October 2021, 632-648​​HALDOIback to​​​‌ text
• 78 inproceedingsA.​Alain Couvreur, R.​‌Rocco Mora and J.-P.​​Jean-Pierre Tillich. A​​​‌ new approach based on​ quadratic forms to attack​‌ the McEliece cryptosystem.​​Advances in Cryptology -​​​‌ ASIACRYPT 202314441Lecture​ Notes in Computer Science​‌68 pages (Long version)​​Guo, J. and Steinfeld,​​​‌ R.Guangzhou, ChinaSpringer​ Nature SingaporeDecember 2023​‌, 3-38HALDOI​​back to textback​​​‌ to text
• 79 article​R.Rocco Mora and​‌ J.-P.Jean-Pierre Tillich.​​ On the dimension and​​​‌ structure of the square​ of the dual of​‌ a Goppa code.​​Designs, Codes and Cryptography​​​‌914November 2022​, 1351--1372HALDOI​‌back to text