Sites Inria

Version française

CASCADE Research team

Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities

Team presentation

Cryptography, or the "Science of Secret", aims at protecting digital data during communications, or while they are locally stored. On this security track, two activities fight: the design of systems achieving the security goal, and the attack that tries to defeat security protections. The CASCADE project-team studies a very large range of cryptography: design of primitives and protocols, together with the security analysis, which can turn out to provide attacks at various levels: on the mathematics or algorithmic, on the actual implementation, or exploiting side-channel informations for the hardware.

Research themes

While confidentiality of data, and authentication of users are classical and well-known problems, some new important security concerns, which are by now our priority, are related to users' privacy and right protection of digital contents. Most of the transactions, communications and access controls are now automatized, and therefore one can easily draw profiles of users. With the huge increase of high-speed connections, digital contents (audio and video streams) are easily and quickly distributed, duplicated; etc. Cryptography can help for the development of the Internet, while preserving users' privacy as well as copyrights, in a transparent way.

From a constructive point of view, the CASCADE project-team is a world leader for "provable security". The design of new cryptosystems does not guarantee by itself the actual security level: one has to formally prove it. To this aim, one should first define the required security notions, and model them in an appropriate security game. Therefore, one proves that an attacker able to win the security game must be able to break a well-known computational assumption, and widely admitted as intractable: under this intractability assumption, no adversary can break the cryptosystem.

Unfortunately, provable security does not exclude cryptanalysis: weaknesses may still remain at several places: at the mathematical level, the security theorem relies on a computational assumption that can be threatened by new techniques, algorithms or hardware; at the protocol level, by querying parties outside the formal security model and thus getting additional information not initially authorized in the security game; at the implementation level, by exploiting bugs and mistakes in the development. A recent approach also consists of using side-channels, at the physical level on hardware devices: power consumption, electro-magnetic radiations, etc.


  • RSA-OAEP Security Proof: OAEP had been selected as a major asymmetric encryption standard by several standardization bodies, because of its "provable security" initially provided by Bellare et Rogaway, relatively to the highest security level. In 2001, Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. The CASCADE project-team and Japanese colleagues quickly provided another result on the security of OAEP: OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption.
  • Cryptanalysis of SFLASH: SFLASH is a signature scheme, based on multivariate cryptography, which security relies on an unusual computational assumption: the hardness of solving systems of quadratic multivariate equations over finite fields. The European Consortium NESSIE had recommended it. Nevertheless, recently, the CASCADE project-team and Adi Shamir exploited invariants related to the secret key. This new technique has been devastating, since it only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes.

Keywords: Cryptography Privacy Authenticity Anonymity Cryptanalysis