- Céline Chevalier (Université Paris 2)
- Luca De Feo (IBM, Zürich)
- Pierrick Gaudry (Loria, Nancy)
- Annelie Heuser (Irisa, Rennes)
- Gaëtan Leurent (Inria, Paris)
- Gilles Zémor (Institut de Mathématiques de Bordeaux)
Céline Chevalier. Security proofs for (post-)quantum cryptography
Luca de Feo. Proofs of isogeny knowledge: techniques, properties, applications
Pierrick Gaudry. Weaknesses in the Moscow internet voting system
In September 2019, voters in the election for the Parliament of the city of Moscow were allowed to use an Internet voting system. Its source code had been made available for public testing. In this talk we explain two successful attacks on the encryption scheme (a variant of ElGamal) implemented in the voting system. In the first attack we show that the key sizes used are so small that the private keys can be retrieved from the public keys in a matter of minutes. The second attack is a subgroup attack where one bit of information is leaked from the encrypted message, which can amount to almost the whole of the cleartext in a very plausible scenario.
In the second part of the talk, we will discuss the numerous properties that are in principle desired of an internet voting system, how these were not fulfilled by the Moscow system, and how difficult it is to combine all of them in a practical system that must be usable by everybody.
Finally, we will say a few words about our interaction with the news media, in Russia, in France, and in general, hoping that some of the lessons I learned can be useful for others who might end up in the same situation.
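The following is an added example, not code from the talk or from the Moscow voting system: a toy ElGamal setup that reproduces the two classes of weakness the abstract names. The 31-bit Mersenne prime, the generator 7, the hard-coded factorisation of p-1, and the "candidate number encoded as the plaintext" ballot format are all assumptions chosen for illustration. Attack 1 recovers the private key from the public key with baby-step giant-step, which is feasible precisely because the modulus is small. Attack 2 shows that when the generator spans the whole group Z_p^* (even order p-1) instead of a prime-order subgroup, the Legendre symbol of the plaintext can be read off the ciphertext and public key alone, so any two candidate encodings in different Legendre classes are distinguishable without the key.

```python
"""Toy reproduction of two textbook ElGamal weaknesses (constructed example).

Attack 1: the modulus is small enough that a generic O(sqrt(p)) discrete-log
          algorithm recovers the private key x from y = g^x.
Attack 2: g generates all of Z_p^*, whose order p-1 is even, so the Legendre
          symbol of the plaintext leaks from (c1, c2, y) without any key.

Parameters below are assumptions for illustration, not the real system's.
"""
from math import isqrt

P = 2**31 - 1                                   # Mersenne prime, stands in for a "too small" modulus
P_MINUS_1_FACTORS = [2, 3, 7, 11, 31, 151, 331]  # distinct prime factors of P - 1
G = 7                                            # primitive root mod P: generates the whole group Z_P^*


def is_generator(g: int, p: int = P, factors=P_MINUS_1_FACTORS) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def legendre(a: int, p: int = P) -> int:
    """Legendre symbol (a/p) by Euler's criterion: +1 for squares, -1 for non-squares."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1


def encrypt(m: int, y: int, k: int, p: int = P, g: int = G):
    """Textbook ElGamal on Z_p^*: (c1, c2) = (g^k, m * y^k) with ephemeral k."""
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(c1: int, c2: int, x: int, p: int = P) -> int:
    """Legitimate decryption: m = c2 * c1^(-x); c1^(-x) == c1^(p-1-x) by Fermat."""
    return (c2 * pow(c1, p - 1 - x, p)) % p


def baby_step_giant_step(g: int, h: int, p: int = P):
    """Attack 1: solve g^x = h (mod p) for x in O(sqrt(p)) time and memory.

    For a 31-bit modulus this is ~46k table entries; for the 2048-bit moduli
    a real deployment should use, the same algorithm is hopeless.
    """
    n = p - 1                      # group order
    m = isqrt(n) + 1               # m^2 > n, so every x < n is i*m + j with i, j < m
    table, cur = {}, 1
    for j in range(m):             # baby steps: g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % p
    inv_m = pow(pow(g, m, p), p - 2, p)   # g^(-m) mod p
    gamma = h % p
    for i in range(m):             # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * inv_m % p
    return None


def legendre_of_plaintext(c1: int, c2: int, y: int, p: int = P) -> int:
    """Attack 2: (m/p) from public values only.

    c2 = m * y^k, so (m/p) = (c2/p) * (y^k/p) and (y^k/p) = (y/p)^k.
    If y is a square that factor is 1; otherwise it is (-1)^k, which equals
    (g^k/p) = (c1/p) because the generator g is itself a non-square.
    """
    y_k_symbol = 1 if legendre(y, p) == 1 else legendre(c1, p)
    return legendre(c2, p) * y_k_symbol


def leak_classes(candidates, p: int = P) -> dict:
    """Which candidate encodings the one-bit leak tells apart.

    Assumption: a ballot encodes candidate number c as the plaintext m = c.
    Candidates in different Legendre classes are distinguishable from the
    ciphertext alone; with two candidates in different classes the vote is
    fully revealed.
    """
    return {c: legendre(c, p) for c in candidates}


if __name__ == "__main__":
    import secrets
    assert is_generator(G)
    x = secrets.randbelow(P - 2) + 1           # private key
    y = pow(G, x, P)                           # public key
    recovered = baby_step_giant_step(G, y)
    print("attack 1, private key recovered from public key:", recovered == x)
    m, k = 3, secrets.randbelow(P - 2) + 1
    c1, c2 = encrypt(m, y, k)
    print("attack 2, leaked (m/p) matches true value:",
          legendre_of_plaintext(c1, c2, y) == legendre(m))
    print("decrypt with recovered key:", decrypt(c1, c2, recovered) == m)
    print("Legendre class per candidate number 1..6:", leak_classes(range(1, 7)))
```

The second attack needs no key at all, which is why it is the more instructive of the two: the standard fix is to work in a prime-order subgroup (a safe prime p = 2q + 1 with g of order q) and to map plaintexts into that subgroup, so that every ciphertext component is a square and the Legendre symbol carries no information; the fix for the first attack is simply a modulus of at least 2048 bits.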
Annelie Heuser. Side-channel resistance of Sboxes
Physical side-channel attacks use unintentionally transmitted information to reveal sensitive data processed by embedded devices. Common targets are, for example, the secret keys of block ciphers. In this talk, we take a detailed look at the resistance of Sboxes against side-channel attacks. We discuss why Sboxes are the main target in a block cipher and which of their properties influence their resistance to side-channel attacks.
Gaëtan Leurent. SHA-1 is a Shambles – The first chosen-prefix collision for SHA-1
The SHA-1 hash function was designed in 1995 and has been widely used for two decades. A theoretical collision attack was first proposed in 2004, but due to its high complexity it was only implemented in practice in 2017, using a large GPU cluster. Despite this, SHA-1 is still supported and used in many internet protocols.
In this talk I will describe the first chosen-prefix collision attack against SHA-1, a more powerful attack that allows building colliding messages with two arbitrary prefixes. This type of attack is much more threatening for real protocols, and we demonstrate its security impact with a PGP/GnuPG impersonation attack.
This is a joint work with Thomas Peyrin.