Implementation of TFHE on RISC-V based embedded systems
Fully Homomorphic Encryption (FHE) is a technology that allows computations to be performed directly on encrypted data, meaning that we can process information without ever knowing its actual content. For example, it could enable online searches where the server never sees what you are looking for, or AI inference tasks on private data that remain fully confidential. Despite its potential, current FHE implementations remain computationally intensive and require substantial processing power, typically relying on high-end CPUs or GPUs with significant energy consumption. In particular, the bootstrapping operation represents a major performance bottleneck that prevents large-scale adoption. Existing CPU-based FHE implementations can take over 20 seconds on standard x86 architectures, while custom ASIC solutions, although faster, are prohibitively expensive, often exceeding 150 mm² in silicon area. This PhD project aims to accelerate the TFHE scheme, a more lightweight and efficient variant of FHE. The objective is to design and prototype innovative implementations of TFHE on RISC-V–based systems, targeting a significant reduction in bootstrapping latency. The research will explore synergies between hardware acceleration techniques developed for post-quantum cryptography and those applicable to TFHE, as well as tightly coupled acceleration approaches between RISC-V cores and dedicated accelerators. Finally, the project will investigate the potential for integrating a fully homomorphic computation domain directly within the processor’s instruction set architecture (ISA).
Electron beam probing of integrated circuits
The security of digital systems relies on cryptographic chains of trust starting from the hardware up to end-user applications. The root of this chain of trust is called a “root of trust” and takes the form of a dedicated Integrated Circuit (IC), which stores and manipulates secrets. Thanks to countermeasures, those secrets are kept safe from extraction and tampering by attackers.
Scanning Electron Microscope (SEM) probing is a well-known technique in failure analysis that allows extracting such sensitive information. Indeed, thanks to a phenomenon known as voltage contrast, SEM probing allows reading the logic levels of transistors or metal lines. This technique was widely used in the 90s on the frontside of ICs, but progressively became impractical with the advance of manufacturing technologies, in particular the increasing number of metal layers. Recent research work (2023) showed that SEM-based probing was possible from the backside of the IC instead of the frontside. The experiments were carried out on a quite old manufacturing technology (135 µm). Therefore, it is now essential to characterize this threat on recent technologies, as it could compromise future roots of trust and the whole chains of trust built on top of them.
The first challenge of this PhD is to build a reliable sample preparation process allowing backside access to active regions while keeping the device functional. The second challenge is to characterize the voltage contrast phenomenon and instrument the SEM for probing active areas. Once the technique is mature, we will compare how different manufacturing technologies affect exposure to this threat. FD-SOI technology will be specifically analyzed for potential intrinsic benefits against SEM probing.
Physical-attack-assisted cryptanalysis for error-correcting code-based schemes
The security assessment of post-quantum cryptography, from the perspective of physical attacks, has been extensively studied in the literature, particularly with regard to the ML-KEM and ML-DSA standards, which are based on Euclidean lattices. Furthermore, in March 2025, the HQC scheme, based on error-correcting codes, was standardized as an alternative key encapsulation mechanism to ML-KEM. Recently, Soft-Analytical Side-Channel Attacks (SASCA) have been used on a wide variety of algorithms to combine information related to intermediate variables in order to trace back to the secret, providing a form of “correction” to the uncertainty associated with profiled attacks. SASCA is based on probabilistic models called “factor graphs,” to which a “belief propagation” algorithm is applied. In the case of attacks on post-quantum cryptosystems, it is theoretically possible to use the underlying mathematical structure to process the output of a SASCA attack in the form of cryptanalysis. This has been demonstrated, for example, on ML-KEM. The objective of this thesis is to develop a methodology and the necessary tools for cryptanalysis and residual complexity calculation for cryptography based on error-correcting codes. These tools will need to take into account information (“hints”) obtained from a physical attack. A second part of the thesis will be to study the impact that this type of tool can have on the design of countermeasures.