**Name:**
Tavernier Cédric

**Title:** PhD thesis in
Computer Science from Ecole Polytechnique (Fr).

**Current Position:** Expert in cryptography at CS (France).

**Email:** cedric.tavernier@c-s.fr

**Web Page:** http://ced.tavernier.free.fr.

**Today:** In charge of cryptographic
designs and cryptographic mechanisms in the division “Export”. I direct with
the professor Claude Carlet the thesis of Rafael Fourquet.

**Publications:**

I. Dumer, G. Kabatiansky et
C. Tavernier **“List Decoding of Biorthogonal Codes and the Hadamard
Transform With Linear Complexity ”**

** **

R. Fourquet and C. Tavernier, **“****An improved List Decoding Algorithm for the Second Order Reed-Muller
Codes and its Applications”**,
*in Designs, codes and cryptography (DCC),*
**2007**.

**Title of Project: **List decoding of Reed-Muller codes and Multi-linear
Power Analysis

**Abstract: **Many applications
work with hardware components, as Smart Card, FPGA, ASIC, RFID. Privacy highly
depends of the security these components. For example, IP VPN that integrate
ASIC or FPGA has to insure confidentiality and integrity in a network, and
attackers may have access to the materials.

Since the Differential Power
Analysis attacks (DPA, HODPA) were introduced by P. Kocher et al. it became
necessary to develop sound and efficient countermeasures. Nowadays most
embedded cryptographic primitives integrate one or several of these
countermeasures (e.g. masking techniques, asynchronous designs, balanced
dynamic dualrail gates designs, noise adding, power consumption smoothing, etc.
...). This subject presents new power analysis attacks using multi-linear
approximations (MLPA attacks) that still work even when the symmetric cipher
implementation is resistant to DPA and HO-DPA attacks.

Given a Boolean function **g**, we want to construct **{f є RM(1,m) | d _{H}(f,g)
< 2^{m}(1/2-**

Can be done by a decoding algorithm with complexity **Min(2 ^{m}log^{2}(**

Application to cryptanalysis (Side channel attack): Given a block cipher
**Encrypt(X,K)**, then in a

reasonable time, we can find the list of **L є RM(1,m)**, s.t.

**<α,
Weight(Encrypt(X,K))> + <β,X>
+ <γ,K> = 0 with proba. ½ + ****e**

** **