TANC is located in the Laboratoire d'Informatique de l'École polytechnique (LIX).
The aim of the TANC project is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.
As this sentence makes clear, we combine high-level mathematics with efficient programming. Our main area of competence and interest is algebraic curves over finite fields, most notably the computational aspects of these objects, which appear as a substitute for traditional cryptography based on modular arithmetic. One reason for this shift is that the key size is smaller for an equivalent level of security. We take part in the recent "biodiversity" trend that seeks substitutes for RSA, in case an attack should appear and break the products that rely on it.
Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values must come with a proof: they may be expensive to compute, but a certificate lets anyone check them cheaply.
Our research area comprises:
Fundamental algorithmic arithmetic: we are interested in primality proving algorithms based on elliptic curves (a topic in which F. Morain is the world leader), integer factorization, and the computation of discrete logarithms in finite fields. These problems lie at the heart of the security of arithmetic-based cryptosystems.
Complex multiplication: the theory of complex multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic cryptosystems.
Algebraic curves over finite fields: the algorithmic problems that we tackle concern the efficient computation of group laws on Jacobians of curves, the evaluation of the cardinality of these objects, and the study of the security of the discrete logarithm problem in such groups. These are the crucial points to be solved before such curves can be used in real cryptographic products.
Once considered beautiful but useless, arithmetic has proved
incredibly effective when asked to assist the creation of a new
paradigm in cryptography. Classical cryptography was mainly concerned with
symmetric techniques: two principals wishing to communicate
secretly had to share a common secret beforehand, and this same secret
was used both for encrypting the message and for decrypting it. This
way of communicating was sufficient when traffic was low, or when the
principals could meet before communicating.
It is clear that modern networks are too large for this to remain
practical. Hence the need for cryptography without prior contact. In
theory, this is easy: find two algorithms Internet (ssh, ssl/tls,
etc.).
Of course, everything has to be presented in the modern language of
complexity theory: computing
Now, where do difficult problems come from? Lattice theory is one source, though the resulting cryptosystems turned out to be too weak. Arithmetic is the next available field of problems: there we find the integer factoring problem, the discrete logarithm problem, and so on. All of these now serve as cryptographic primitives that must be assembled into protocols, and finally into commercial products.
Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory and the efficient construction of these primitives.
Our main field of application is clearly telecommunications, where we contribute to the protection of information. We work mostly at a theoretical level, but are also ready to develop applications using the modern techniques and objects of cryptology, with a main focus on elliptic curve cryptography.
F. Morain has continued to improve his primality proving algorithm
ECPP. Binaries of version 6.4.5 have been available on his web page
since 2001. Proving the primality of a 512-bit number takes a few
seconds on a 700 MHz PC. His personal record is about
The mpc library, developed by A. Enge in collaboration
with P. Zimmermann, implements the basic operations on complex numbers
in arbitrary precision, where the precision can be set to the bit. It
is built on the multiprecision libraries gmp and mpfr. Each
operation has a precise semantics, so that the results do
not depend on the underlying architecture. Several rounding modes are
available. This software, licensed under the GNU Lesser General
Public License (LGPL), can be downloaded freely from the URL
de facto incorporated in the ECPP program.
Curves with complex multiplication (e.g., the curve of equation
isPrime? was recently shown
to be in P (by the work of Agrawal, Kayal and Saxena), practical
primality proving is still done only with ECPP. The AKS result motivated
the work of F. Morain on a fast variant of ECPP, called fastECPP,
which gained him one order of magnitude in the complexity of the
problem. The complexity of this variant is heuristically
Curves with complex multiplication are very interesting in cryptography, since computing their cardinality is easy. This contrasts with random curves, for which this task remains cumbersome. These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves for use in identity based cryptosystems (cf. infra).
CM curves are defined by algebraic integers whose minimal polynomial
has to be computed exactly, its coefficients being integers. The
fastest algorithm for these computations requires a floating-point
evaluation of the roots of the polynomial to high precision.
F. Morain on the one hand, and A. Enge (together with R. Schertz) on
the other, have developed the use of new class invariants that
characterize the CM curves. The union
of these two families is currently the best that can be done in the
field (see
In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to compute the group law efficiently (hence to have a convenient representation of the elements of the Jacobian of the curve). Next, the cardinality of the Jacobian is required, so that generators of the group can be found and the difficulty of the discrete logarithm problem in the group can be checked.
A curve that interests us is typically defined over a finite field
The points of an elliptic curve tangent-and-chord formulas. When dealing with a genus
A. Enge and N. Gürel collaborate actively with J.-C. Faugère and
A. Basiri (LIP 6) on the arithmetic of superelliptic cubic
curves (
Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. It also has to be done as fast as possible when applications require changing the group frequently.
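The three ingredients discussed above (group law, cardinality, and the certificates produced by ECPP) in one small added example. This is illustrative code written for this page, not TANC's software: affine tangent-and-chord arithmetic on y^2 = x^3 + a x + b over Z/nZ, naive point counting over a tiny prime field (Legendre symbols, O(p) work, nothing like the polynomial-time methods the text refers to), and one Goldwasser-Kilian step, which is the shape of certificate that ECPP outputs. The prover here finds a suitable curve by counting points; ECPP avoids that by choosing CM curves whose order is known in advance. The modulus 101 and the search over (a, b) are constructed for the demonstration.

```python
# Added illustration (not TANC's code): tangent-and-chord group law on
# y^2 = x^3 + a*x + b over Z/nZ, naive point counting over a small prime field,
# and one Goldwasser-Kilian step, the certificate shape ECPP produces.
from math import gcd, isqrt

INF = None  # point at infinity, neutral element of the group


class Curve:
    """y^2 = x^3 + a*x + b over Z/nZ (n prime, or the number being proved prime)."""

    def __init__(self, a, b, n):
        self.a, self.b, self.n = a % n, b % n, n
        if gcd(4 * self.a ** 3 + 27 * self.b ** 2, n) != 1:
            raise ValueError("singular curve, or n shares a factor with 4a^3+27b^2")

    def contains(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.n == 0

    def add(self, P, Q):
        """Tangent (P == Q) / chord (P != Q) formulas. A non-invertible denominator
        raises ValueError: impossible for prime n, and a factor of n when composite."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        n, (x1, y1), (x2, y2) = self.n, P, Q
        if x1 == x2 and (y1 + y2) % n == 0:
            return INF  # Q == -P, including doubling a point with y == 0
        if P == Q:
            num, den = 3 * x1 * x1 + self.a, 2 * y1
        else:
            num, den = y2 - y1, x2 - x1
        lam = num * pow(den, -1, n) % n
        x3 = (lam * lam - x1 - x2) % n
        return (x3, (lam * (x1 - x3) - y1) % n)

    def mul(self, k, P):
        """k*P by double-and-add."""
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def order(self):
        """#E(F_p) = 1 + sum over x of (1 + legendre(x^3+ax+b)); O(p), small p only."""
        p, count = self.n, 1
        for x in range(p):
            rhs = (x ** 3 + self.a * x + self.b) % p
            count += 1 if rhs == 0 else 2 * (pow(rhs, (p - 1) // 2, p) == 1)
        return count


def is_prime_small(q):  # trial division; real ECPP proves q by recursing on it
    return q >= 2 and all(q % d for d in range(2, isqrt(q) + 1))


def largest_prime_factor(m):
    q, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            q, m = d, m // d
        d += 1
    return max(q, m)


def gk_bound(n):  # q > (isqrt(isqrt(n)) + 2)^2 implies the required q > (n^(1/4) + 1)^2
    return (isqrt(isqrt(n)) + 2) ** 2


def verify_certificate(n, cert):
    """Goldwasser-Kilian: for n > 1 coprime to 6, a point P on E over Z/nZ with
    m*P = INF, (m/q)*P != INF, q prime, q | m and q > (n^(1/4)+1)^2 proves n prime."""
    a, b, m, q, P = cert
    if n < 2 or gcd(n, 6) != 1 or P is INF:
        return False
    if m % q or not is_prime_small(q) or q <= gk_bound(n):
        return False
    try:
        E = Curve(a, b, n)
        return E.contains(P) and E.mul(m, P) is INF and E.mul(m // q, P) is not INF
    except ValueError:  # a factor of n surfaced in a denominator: n is composite
        return False


def make_certificate(n):
    """Prover for tiny n: count points on curves until the order has a big enough
    prime factor q, then pick a point not killed by m/q (ECPP instead takes CM
    curves whose order is known without counting, which is what makes it scale)."""
    for a in range(n):
        for b in range(1, n):
            try:
                E = Curve(a, b, n)
            except ValueError:
                continue
            m = E.order()
            q = largest_prime_factor(m)
            if q <= gk_bound(n):
                continue
            for P in ((x, y) for x in range(n) for y in range(n)):
                if E.contains(P) and E.mul(m // q, P) is not INF:
                    return (a, b, m, q, P)
    return None
```

`verify_certificate` is the part that matters for the "certificates of validity" point made earlier on the page: the verifier never counts points, it only performs two scalar multiplications and a few divisibility checks, and any non-invertible denominator it meets is itself a proof that n is composite. In a real ECPP chain, q is in turn proved prime by another certificate, down to a size where trial division suffices.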
Two parameters enter the scene: the genus before joining INRIA),
widely distributed implementations are able to build cryptographically
strong curves in less than one minute on a standard PC.
When
When
When
Closing the gap between small and large characteristic leads to
pushing the
This is a new direction for our project. Everybody knows that the most
difficult problem in modern cryptography, and more precisely in its
would-be widespread use, is the key authentication problem, or more
generally that of authenticating principals on an open network. The
``classical'' approach to this problem is a public key
infrastructure (PKI), in which some centralized or decentralized
authority issues certificates authenticating the different
users. Another, less publicized approach is identity
based cryptography (ID), in which the public key of a user can be derived
directly from, for instance, his email address. The cryptographic
burden is then placed on the private key generator
(PKG), which users must contact over a private channel to obtain their secret
keys and decrypt their emails; the PKG therefore knows every user's secret key,
which is a form of key escrow. The ID approach can replace the PKI
approach in cases where some form of ideally trustworthy PKG exists
(private networks, etc.).
This ID idea is not new, but no efficient and robust protocol was
known before Boneh et al. used pairings on elliptic curves.
R. Dupont and A. Enge have worked on such an ID system. They have defined a
notion of security for such protocols and have given a proof of
security of a generalization of a system of Sakai, Ohgishi and
Kasahara in this model
E. Thomé has recently devoted most of his time to finishing his PhD
thesis, defended on May 12, 2003 (it earned him the Prix de thèse de
l'École polytechnique). The dissertation's title is
``Algorithmes de calcul de logarithme discret dans les corps finis''.
More precisely, it encompasses thorough work on the computation of
discrete logarithms in finite fields of characteristic 2, which led to a
record-size computation of discrete logs in
E. Thomé has also started a collaboration with G. White, a PhD student in the
department of mathematics of the University of Sydney, whose aim is to
bring to the computer algebra system Magma the best of the
current technology for computing discrete logarithms in finite fields. In
2001, E. Thomé had already contributed to Magma a port of his
implementation of Coppersmith's algorithm. E. Thomé and G. White have therefore
started working on the ``next step'', an implementation of the more
general function field sieve algorithm, which allows the computation
of discrete logarithms in fields like
Additionally, E. Thomé is currently designing a software library dedicated to
computations in
Since October 1st, 2003, E. Thomé has held a permanent research position in the SPACES group at INRIA Lorraine.
ACI CRYPTO
Gemplus: thesis of É. Brier on the use of hyperelliptic curves in cryptology.
ACI SÉCURITÉ CESAM: elliptic curves for the security of mobile networks.
AS of the RTP13: new trends in cryptography.
Together with the CODES project at INRIA Rocquencourt, the TANC
project participates in ECRYPT, a Network of Excellence (NoE) in the Information Society
Technologies theme of the 6th European Framework Programme (FP6).
F. Morain was a member of the program committee of WCC-03, held in Rocquencourt.
François Morain heads the 1st-year course ``Introduction à l'informatique et à la programmation'' at École polytechnique, and gives a cryptology course in Majeure 2. He teaches algorithmic number theory in the DEA-Algo (with G. Hanrot and P. Gaudry).
Andreas Enge took part in the 1st-year course ``Programmation et Algorithmique'' at École polytechnique.
Andreas Enge was invited to present his work at the school for young researchers in cryptology in Bedlewo, Poland: "Cryptology - Fundamentals and Frontiers" (05/03).
Pierrick Gaudry presented his work at the Workshop ``Next generation cryptography and related mathematics'' (Tokyo, Japan, 02/03), at the Workshop ``Computational aspects of algebraic curves, and cryptography'' (Gainesville, Florida, 03/03), at the Workshop ``Cryptography number theory'' (London, 04/03), at the conference ``Finite Fields and Applications, Fq7'' (Toulouse, 05/03), and at the ``Rencontres Arithmétiques'' (Caen, 06/03). He also gave talks at the École de cryptologie de Bordeaux (02/03).
François Morain was invited to speak on primality in Lille (31/01/03) and at the séminaire Bourbaki (15/03/03). He was an invited speaker at the Journées du Calcul Formel (Luminy, 01/03). He presented his work with A. Enge on algorithmic Galois theory at the international workshop AAECC-15 (Toulouse, 05/03). He gave a colloquium talk at Paris 7 (22/05/03) on integer factorization.