Zone de Texte:  Name: Tavernier Cédric


Institution: Communication & Systèmes


Title: PhD thesis in Computer Science from Ecole Polytechnique (Fr).


Current Position: Expert in cryptography at CS (France).



Web Page:


Today:  In charge of cryptographic designs and cryptographic mechanisms in the division “Export”. I direct with the professor Claude Carlet the thesis of Rafael Fourquet.




I. Dumer, G. Kabatiansky et C. Tavernier List Decoding of Biorthogonal Codes and the Hadamard Transform With Linear Complexity, in IEEE Transactions on Information Theory Oct. 2008, Vol. 54; No. 10, pages 4488-4492.


R. Fourquet and C. Tavernier, An improved List Decoding Algorithm for the Second Order Reed-Muller Codes and its Applications, in Designs, codes and cryptography (DCC), 2007.




Title of Project: List decoding of Reed-Muller codes and Multi-linear Power Analysis


Abstract: Many applications work with hardware components, as Smart Card, FPGA, ASIC, RFID. Privacy highly depends of the security these components. For example, IP VPN that integrate ASIC or FPGA has to insure confidentiality and integrity in a network, and attackers may have access to the materials.

Since the Differential Power Analysis attacks (DPA, HODPA) were introduced by P. Kocher et al. it became necessary to develop sound and efficient countermeasures. Nowadays most embedded cryptographic primitives integrate one or several of these countermeasures (e.g. masking techniques, asynchronous designs, balanced dynamic dualrail gates designs, noise adding, power consumption smoothing, etc. ...). This subject presents new power analysis attacks using multi-linear approximations (MLPA attacks) that still work even when the symmetric cipher implementation is resistant to DPA and HO-DPA attacks.


Given a Boolean function g, we want to construct  {f є RM(1,m) | dH(f,g) < 2m(1/2-e)}.


Can be done by a decoding algorithm with complexity Min(2mlog2(e),m2/e6). Recently: m/e2


Application to cryptanalysis (Side channel attack): Given a block cipher Encrypt(X,K), then in a


reasonable time, we can find the list of  L є RM(1,m), s.t.


<α, Weight(Encrypt(X,K))>  + <β,X> + <γ,K> = 0  with proba.  ½ +  e