Yann Rotella


Associate Professor (Maître de Conférences) in Mathematics and Computer Science at Université Paris-Saclay

About me

I'm a Maître de Conférences (associate professor) at the Université Paris-Saclay (UVSQ) in the Computer Science Department and I'm affiliated with the Laboratoire de Mathématiques de Versailles.

As a teacher, I really enjoy pedagogical sciences and I'm always looking for ideas to improve my courses. You can see my courses in the Teaching section.

Doctor in Computer Science and specialized in Symmetric Cryptography, my research work focuses mainly on the design and analysis of cryptographic primitives. I really enjoy discrete mathematics (Finite Fields, Boolean functions). I am trying to identify different structures of mathematical objects that we use, in order to refine knowledge about the security of cryptographic constructions. I like to cryptanalyze ciphers.

I'm really invested in scientific mediation. Besides giving some talks here and there about cryptography, I'm a co-designer of the exercises for the very exciting Alkindi competition for 15-year-old students.

Because my life is not entirely dedicated to research and teaching cryptography, I also have some hobbies. Here they are: hiking, alpinism, skiing. In other words, if there are mountains, I'm in, and if there is snow, I'm in twice!


I wish my students can find back the knowledge without learning it by heart. More precisely, I like to instil into my students an in-depth understanding of concepts by minimizing the size of the data stored in their brain. I also really like to teach the students to work in groups, mainly because it's a skill I find extremely useful but unfortunately very little mastered. At the end of my courses, I wish my students don't need anyone to reinforce their knowledge in the field of expertise I teach them. If you have any ideas or just want to discuss this, don't hesitate to contact me. I'm constantly looking to improve myself on this, which is a hard topic.



Subterranean 2.0 in the NIST-lightweight competition:
  • In 2019, the National Institute of Standards and Technology started a crypto-competition where the goal is to standardize (some) maybe new lightweight cryptographic algorithms in symmetric-key cryptography. See [here].
  • In February 2019, Joan Daemen, Pedro Maat Costa Massolino and I proposed a hardware-oriented and permutation-based cipher. The inner permutation dates back to 1992. See the following paper: Luc J. M. Claesen, Joan Daemen, Mark Genoe, and G. Peeters, Subterranean: A 600 Mbit/sec cryptographic VLSI chip, Proceedings 1993 International Conference on Computer Design: VLSI in Computers & Processors, ICCD ’93, Cambridge, MA, USA, October 3-6, 1993, IEEE Computer Society, 1993, pp. 610–613.
  • We made an SAE scheme, together with a hash functionality called Subterranean 2.0. Here is a link for the specifications of the algorithm [SPECS].
  • In summer 2019, Fukang Liu, Takanori Isobe and Willi Meier analyzed Subterranean with respect to cube-like attacks. See paper [here]. They mount an attack in the nonce-misuse scenario. For nonce-respecting users, they can mount a key-recovery on Subterranean if the number of blank rounds is reduced from 8 to 4 with a complexity of 2^122 calls. All in all, this cryptanalysis does not threaten the Subterranean-SAE scheme but it enhances the understanding of our primitive.
  • In September 2019, NIST announced the second round candidates. Subterranean is still in the running.
  • Subterranean is really looking good in terms of energy and throughput! See last ASIC benchmarking results here.
International conferences and journals papers:
  • The Subterranean 2.0 Cipher Suite Joan Daemen, Pedro Maat Costa Massolino, Alireza Mehrdad and Yann Rotella, Radboud University, Nijmegen, Netherlands and UVSQ, LMV, Université Paris Saclay, Versailles, France, ToSC 2020 Special Issue (1) May 2020 [Final published version][Video]
  • Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96 Christoph Dobraunig, Yann Rotella and Jan Schoone, Radboud University, Nijmegen, Netherlands and UVSQ, LMV, Université Paris Saclay, Versailles, France, ToSC 2020 (1) March 2020 [Final published version][Video]
  • On the Concrete Security of Goldreich's Pseudorandom Generator Geoffroy Couteau, Aurélien Dupin, Pierrick Méaux, Mélissa Rossi and Yann Rotella, Karlsruhe Institute of Technology, CentraleSupélec Rennes and Irisa Rennes and ICTEAM/ELEN/Crypto Group Université catholique de Louvain, ENS de Paris, Digital Security Group Radboud University, Asiacrypt 2018 December 2018 [eprint Full Version]
  • Cryptanalysis of MORUS Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaëtan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki and Benoît Viguier, imec-COSIC, KU Leuven, Graz University of Technology, Inria de Paris, Royal Holloway University of London, NTT Tokyo, Radboud University, Nijmegen, Inria de Paris, Asiacrypt 2018 December 2018 [eprint]
  • State-Recovery Attacks on Modified Ketje Jr Thomas Fuhr, María Naya-Plasencia and Yann Rotella, ANSSI, Inria de Paris - SECRET, ToSC 2018 (1) March 2018 [Final published version]
  • Boolean functions with restricted input and their robustness; application to the FLIP cipher Claude Carlet, Pierrick Méaux and Yann Rotella, LAGA, Department of mathematics, University Paris 8, Paris 13 and CNRS - Inria, CNRS, ENS and PSL Research University, Inria de Paris - SECRET, ToSC 2017 (3) November 2017 [Final published version]
  • Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle, Anne Canteaut, Gregor Leander and Yann Rotella, HG Institute for IT security, Ruhr-Universität Bochum, Inria de Paris - SECRET, Crypto 2017 August 2017 [eprint]
  • Cryptanalysis of the FLIP Family of Stream Ciphers. Sébastien Duval, Virginie Lallemand and Yann Rotella, Inria de Paris - SECRET, Crypto 2016 August 2016 [eprint]
  • Attacks against Filter Generators Exploiting Monomial Mappings. Anne Canteaut and Yann Rotella, Inria de Paris - SECRET, FSE 2016 March 2016 [eprint][Video][Slides]
Reviews, Subreviews and Boards
Seminar and other presentations:
  • Subterranean 2.0, and a closer look at XoodYak, Special Crypto-Seminar of Versailles on NIST-lightweight Cryptography Competition December 19, 2020 [Subterranean-short][XoodYak-short]
  • On generating collisions in blinded keyed hashing, Crypto-Seminar of Versailles, France. January 21, 2020 [Slides]
  • How to use Differential Trails to attack compression functions, Dagstuhl Seminar, Germany. January 21, 2020 [Slides]
  • Cryptanalysis of Full Pyjamask-96, Laboratory of Mathematics of Versailles Seminar, Paris-Saclay University, France. September 4, 2019 [Slides]
  • Attacks Against Filter Generators Exploiting Monomial Mappings, SIAM, Bern, Switzerland, Finite Fields and Cryptography workshop. July 12, 2019 [Slides]
  • Finding collisions using differentials, Invited Seminar CASYS-team, Grenoble, France, Jean Kuntzmann Laboratory June 27, 2019 [Slides]
  • Invariant attacks; how to choose the round constants, Invited Seminar team GRACE, Laboratoire d'Informatique de l'X, Saclay, France April 9, 2019 [Slides]
  • Subterranean 2.0: a lightweight proposal for the NIST Lightweight Crypto Competition for Standardisation Radboud University, Nijmegen, Netherlands, Digital Security March 12, 2019 [Slides]
  • On the concrete security of Goldreich's Pseudorandom Generator Invited talk CARAMBA-team Inria Nancy, January 31, 2019 [Slides]
  • Choosing Round Constants in Lightweight Block Ciphers Seminar CRYPTO UVSQ, PRISM Laboratory, January 2019 [Slides]
  • Discrete Mathematics Applied to Symmetric Cryptography PhD defense, Sorbonne Université September 19, 2018 [Slides]
  • Algebraic Attacks Revisited CCA (now C2), June 15, 2018 [Slides]
  • Boolean functions with restricted input and their robustness; application to the FLIP cipher FSE 2018, March 2018 [Slides]
  • New directions in attacks against stream ciphers (LFSR and FLIP) Invited talk EPFL, February 2018
  • Attacks against Filter Generators Exploiting Monomial Mappings (extended) GT BAC, October 20, 2017 [Slides]
  • Attaques par invariant: Comment s'en protéger? JC2 2017 April 2017 [Slides]
  • Des nouvelles attaques sur les registres filtrés exploitant la structure des corps finis. Seminar CRYPTO UVSQ, PRISM Laboratory May 2016 [Slides]
  • Cryptanalysis of the stream cipher FLIP Seminar ANR BLOC, Inria de Paris, March 2016. [Slides]
  • Attacks against Filter Generators Exploiting Monomial Mappings. FSE 2016 March 2016 [Video][Slides]
  • Attaques exploitant les représentations équivalentes des LFSR filtrés. JC2 2015 October 2015 [HAL][PDF][Slides]
PhD thesis:
  • Discrete Mathematics applied to Symmetric Cryptology (French). Yann Rotella, Inria - SECRET, Sorbonne Université. September 2018 [HAL][10 pages english summary]
Master thesis:
  • Equivalent representations of LFSR and their impact in cryptanalysis (only in French). Yann Rotella, Inria de Paris - SECRET, Paris Diderot university, MPRI September 2015 [HAL][PDF]


Since 2021, the Crypto-Seminar of Versailles has been refurbished into a hybrid version and the presentations are recorded and put online on YouTube. Christina Boura and I are organizing it. If you have something interesting about cryptography, don't hesitate to contact us!

I really like to do scientific interventions outside the university for explaining cryptography. I gave some talks in high school. A wonderful competition in France: Alkindi, a competition for 14- and 15-year-old students on cryptanalysis. Very interesting!