TANC is located in the Laboratoire d'Informatique de l'École polytechnique (LIX).

The aim of the TANC project is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

It is clear from this sentence that we combine high-level mathematics and efficient programming. Our main area of competence and interest is that of algebraic curves over finite fields, most notably the computational aspects of these objects, which appear as a substitute for good old-fashioned cryptography based on modular arithmetic. One of the reasons for this change appears to be the key size, which is smaller for an equivalent security level. We take part in the recent trend towards cryptographic biodiversity, which tries to find substitutes for RSA in case some attack should appear and destroy the products that employ it.

Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values need to be proved, since they may be difficult to compute.

Our research area comprises:

Fundamental algorithmic arithmetic: we are interested in primality proving algorithms based on elliptic curves (F. Morain being the world leader in this topic), integer factorization, and the computation of discrete logarithms over finite fields. These problems lie at the heart of the security of arithmetic-based cryptosystems.

Complex multiplication: the theory of complex multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic cryptosystems.

Algebraic curves over finite fields: the algorithmic problems that we tackle deal with the efficient computation of group laws on Jacobians of curves, evaluation of the cardinality of these objects, and the study of the security of the discrete logarithm problem in such groups. These topics are the crucial points to be solved for potential use in real crypto-products.

Once considered as beautiful and useless, arithmetic has proven
incredibly efficient when asked to assist the creation of a new
paradigm in cryptography. Old cryptography was mainly concerned with
*symmetric techniques*: two principals wishing to communicate
secretly had to share a common secret beforehand and this same secret
was used both for encrypting the message and for decrypting it. This
way of communication was enough when traffic was low, or when the
principals could meet prior to communication.

It is clear that modern networks are too large for this to be efficient any
longer. Hence the need for cryptography without first contact. In
theory, this is easy. Find two algorithms

Of course, everything has to be presented in the modern language of
complexity theory: computing

Now, where do difficult problems come from? Lattice theory is one source, though the resulting cryptosystems turned out to be too weak. Arithmetic is the next available field of problems. There we find the integer factoring problem, the discrete logarithm problem, etc. All these now form cryptographic primitives that need to be assembled into protocols, and finally into commercial products.

Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory and the efficient construction of these primitives.

Our main field of application is clearly that of telecommunications. We contribute to the protection of information. Our work is mostly theoretical, but we are also ready to develop applications using modern techniques and objects used in cryptology, with a main focus on elliptic curve cryptography.

F. Morain has been improving his primality proving algorithm called
ECPP. Binaries for version 6.4.5 are available since 2001 on his web
page. Proving the primality of a 512 bit number requires less than a
second on a GHz PC. His personal record is about

The `mpc` library, developed by A. Enge in collaboration
with P. Zimmermann, implements the basic operations on complex numbers
in arbitrary precision, which can be tuned to the bit. This library is
based on the multiprecision libraries `gmp` and `mpfr`. Each
operation has a precise semantics, in such a way that the results do
not depend on the underlying architecture. Several rounding modes are
available. This software, licensed under the GNU Lesser General
Public License (LGPL), can be downloaded freely from the URL

http://www.lix.polytechnique.fr/Labo/Andreas.Enge/Software.html

This library is used in our team to build curves with complex
multiplication, and is *de facto* incorporated in the ECPP program.

Elliptic curves with complex multiplication (e.g., the curve of equation
*P* (by the work of Agrawal, Kayal, Saxena), practical
primality proving is done only with ECPP. This work of AKS has motivated
the work of F. Morain on a fast variant of ECPP, called fastECPP,
which led him to gain one order of magnitude in the complexity of the
problem. The complexity of this variant is heuristically

Curves with complex multiplication are very interesting in cryptography, since computing their cardinality is easy. This is in contrast with random curves, for which this task is still cumbersome. These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems (cf. infra).

CM curves are defined by algebraic integers, whose minimal polynomial has to be computed exactly, its coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand, and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants that characterize the CM curves. The union of these two families is actually the best that can be done in the field. More recently, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory. These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

A. Enge has been able to analyse precisely the complexity of class polynomial
computations via complex floating point approximations. In fact, this approach
has recently been challenged by algorithms using

R. Dupont has investigated the complexity of the evaluation of some modular
functions and forms (such as the elliptic modular function

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary.

The theory of Complex Multiplication also exists for non-elliptic curves,
but is more intricate. P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler
and A. Weng have designed a new approach for
constructing class polynomials of genus 2 curves having CM. The main
feature of their method is the use of

Building upon his work in genus 1, R. Dupont is developing a similar
algorithm in genus

In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (hence have a nice representation of the elements of the Jacobian of the curve). Next, computing the cardinality of the Jacobian is required, so that we can find generators of the group, or check the difficulty of the discrete logarithm in the group.

A curve that interests us is typically defined over a finite field

The points of an elliptic curve *tangent-and-chord* formulas. When dealing with a genus

A. Enge and N. Gürel have been working with J.-C. Faugère and
A. Basiri (LIP 6) on the arithmetic of superelliptic and

Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, it has to be done as fast as possible, if changing the group very frequently in applications is imperative.
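To make the two ingredients just discussed concrete (an explicit group law, then the cardinality of the group), and to connect them to the certificates and the ECPP program described earlier on this page, here is an added example that is not TANC's code and not the ECPP implementation. It implements the tangent-and-chord formulas on y² = x³ + ax + b modulo N, counts points over a small prime field by brute force (standing in for the real point-counting methods the text refers to), and verifies one Goldwasser-Kilian certificate step, the theorem on which ECPP rests: if a point P on a curve modulo N has mP = O and (m/q)P ≠ O for a prime q > (N^(1/4)+1)², then N is prime. The curve over F_5 and the candidate N = 1019 are constructed for the illustration; the certificate search is naive and only meant to show the shape of the object being certified.

```python
# Added example (not TANC's code, not the ECPP program): tangent-and-chord group law
# modulo N, naive point counting over a small prime field, and verification of a
# Goldwasser-Kilian / ECPP certificate step.  All sizes are toy sizes.
from math import gcd, isqrt

O = None  # the point at infinity, neutral element of the group

class NotInvertible(Exception):
    pass  # raised with the non-trivial factor of N that the inversion exposed

def inv(x, N):
    g = gcd(x % N, N)
    if g != 1:
        raise NotInvertible(g)
    return pow(x, -1, N)

def on_curve(P, a, b, N):
    if P is O:
        return False
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % N == 0

def add(P, Q, a, N):
    """Tangent-and-chord addition modulo N.  Whenever it succeeds, the result reduced
    modulo any prime p dividing N is the correct sum in E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        g = gcd((y1 + y2) % N, N)
        if g == N:                                        # Q = -P
            return O
        if g != 1:
            raise NotInvertible(g)
        lam = (3 * x1 * x1 + a) * inv(2 * y1, N) % N      # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, N) % N              # chord slope
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def mul(k, P, a, N):
    """k*P by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, N)
        P = add(P, P, a, N)
        k >>= 1
    return R

def count_points(a, b, p):
    """#E(F_p) by brute force over x with Euler's criterion; correct only for prime p."""
    n = 1                                                 # the point at infinity
    for x in range(p):
        v = (x ** 3 + a * x + b) % p
        if v == 0:
            n += 1
        elif pow(v, (p - 1) // 2, p) == 1:
            n += 2
    return n

def largest_prime_factor(m):
    """Trial division; m is at most about 2N here."""
    q, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            m //= d
            q = d
        d += 1
    return max(q, m)

def verify_step(N, a, b, m, q, P):
    """Goldwasser-Kilian step: True means N is prime provided q is prime (a full ECPP
    certificate proves q by the next step).  The size condition q > (N^(1/4)+1)^2 is
    checked conservatively in integers as (isqrt(q)-1)^4 > N."""
    if N < 2 or gcd(N, 6) != 1 or gcd(4 * a ** 3 + 27 * b * b, N) != 1:
        return False
    if not on_curve(P, a, b, N) or m % q != 0 or (isqrt(q) - 1) ** 4 <= N:
        return False
    try:
        return mul(m, P, a, N) is O and mul(m // q, P, a, N) is not O
    except NotInvertible:
        return False                                      # N is composite

def find_certificate(N, bound=40):
    """Naive search for a step certifying N: pick P first, choose b so that P lies on
    the curve, count m by brute force (meaningful only if N is prime; verify_step never
    trusts m, so a wrong m simply fails to certify)."""
    for a in range(1, bound):
        for x in range(1, bound):
            for y in range(1, bound):
                b = (y * y - x ** 3 - a * x) % N
                if gcd(4 * a ** 3 + 27 * b * b, N) != 1:
                    continue
                m = count_points(a, b, N)
                q = largest_prime_factor(m)
                P = (x, y)
                if verify_step(N, a, b, m, q, P):
                    return (N, a, b, m, q, P)
    return None

if __name__ == "__main__":
    print(count_points(1, 1, 5))      # 9: points of y^2 = x^3 + x + 1 over F_5
    cert = find_certificate(1019)     # constructed toy candidate
    print(cert, verify_step(*cert))
```

Two points of the design matter for a verifier. The addition law is written so that any failure to invert exposes a factor of N instead of silently producing garbage, which is what makes the certificate sound even when N is composite; and `verify_step` takes m, q and P as untrusted input and recomputes everything it needs, so the cost of checking a certificate is a handful of scalar multiplications, far below the cost of producing it, which is exactly the asymmetry a primality proof is meant to offer.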

Two parameters enter the scene: the genus *before* joining INRIA),
world-widespread implementations are able to build cryptographically
strong curves in less than one minute on a standard PC.

When

When

When

Closing the gap between small and large characteristic leads to
pushing the

Elliptic curves in cryptography have first been used to replace finite fields in protocols whose security relies on the discrete logarithm problem, essentially keeping the protocols as they are and substituting one algebraic structure for another. There are, however, new applications of elliptic curves that exploit specific additional structures that are not found in the finite field setting, for instance the Tate and Weil pairings.

Everybody knows that the most
difficult problem in modern cryptography, and more precisely its
would-be widespread use, is the key authentication problem, or more
generally that of authenticating principals on an open network. The
``classical'' approach to this problem is that of a *public key
infrastructure* (PKI), in which some centralized or decentralized
authority issues certificates for authenticating the different
users. Another approach, less publicized, is that of *identity
based cryptography* (ID), in which the public key of a user can be built
very easily from his email address, for instance. The cryptographic
burden is then put on the shoulders of the *private key generator*
(PKG), which the users must contact privately to obtain their secret
keys and read their emails. The ID approach can be substituted for the PKI
approach in some cases, where some form of ideal trustworthy PKG exists
(private networks, etc.).

This ID idea is not new, but no efficient and robust protocol was known prior to the ideas of Boneh et al. using pairings on elliptic curves. R. Dupont and A. Enge have worked on such an ID-system. They have defined a notion of security for such a protocol and have given a proof of security, in this model, of a generalization of a system of Sakai, Ohgishi and Kasahara.

The CESAM project is a contract of the ACI Sécurité Informatique, involving TANC and the crypto team at ENS. The goal of this project is to study cryptographic protocols involving elliptic curves, with a view towards specific environments where the resources (CPU, memory, bandwidth) are limited.

The curves that can be used in this protocol are not the same as the curves that are used in classical protocols, since the group orders of the curve and of its quadratic twist both need to be prime. A. Enge has made use of the complex multiplication approach presented above to generate such curves. Finding curves of cryptographic size (192 bits) is a matter of seconds with his implementation. A note is in preparation.
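The requirement in the paragraph above is easy to state precisely and to check at toy size. What follows is an added example, not A. Enge's CM-based generator: for E: y² = x³ + ax + b over F_p (p an odd prime) and a quadratic non-residue d, the twist is E': y² = x³ + ad²x + bd³, and #E + #E' = 2p + 2, because each x contributes 1 + χ(x³+ax+b) points to E and 1 − χ(x³+ax+b) to E' (χ the Legendre symbol). The example counts points by the character sum, searches small (a, b) over the constructed toy prime p = 1019 until both orders are prime, and confirms the twist relation by counting on the twist directly. A real generator does not search; it uses CM to hit prescribed orders, which is why the text speaks of seconds at 192 bits.

```python
# Added example (not TANC's code): the "curve and quadratic twist both of prime order"
# requirement, checked by brute force over a toy prime field.  Assumed model:
# E: y^2 = x^3 + a*x + b over F_p, twist E': y^2 = x^3 + a*d^2*x + b*d^3 for a
# non-residue d, with #E + #E' = 2p + 2.

def is_prime(n):
    """Trial division; enough for the toy sizes here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def count_points(a, b, p):
    """#E(F_p) = p + 1 + sum_x chi(x^3 + a*x + b), with chi by Euler's criterion."""
    def chi(v):
        return 0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
    return p + 1 + sum(chi((x ** 3 + a * x + b) % p) for x in range(p))

def non_residue(p):
    """Smallest quadratic non-residue modulo the odd prime p."""
    d = 2
    while pow(d, (p - 1) // 2, p) != p - 1:
        d += 1
    return d

def twist(a, b, p):
    """Coefficients (a*d^2, b*d^3) of the quadratic twist of y^2 = x^3 + a*x + b."""
    d = non_residue(p)
    return (a * d * d % p, b * d ** 3 % p)

def find_twist_secure_curve(p, bound=50):
    """First small (a, b) with #E and #E' both prime, returned as (a, b, #E, #E');
    None if nothing is found within the search bound."""
    for a in range(1, bound):
        for b in range(1, bound):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue                                  # singular curve
            n = count_points(a, b, p)
            nt = 2 * p + 2 - n                            # order of the twist
            if is_prime(n) and is_prime(nt):
                at, bt = twist(a, b, p)
                assert count_points(at, bt, p) == nt      # confirms the twist relation
                return (a, b, n, nt)
    return None

if __name__ == "__main__":
    # y^2 = x^3 + x + 1 over F_5 has 9 points; its twist y^2 = x^3 + 4x + 3 has 3.
    print(twist(1, 1, 5), count_points(1, 1, 5), count_points(*twist(1, 1, 5), 5))
    print(find_twist_secure_curve(1019))                  # constructed toy prime
```

The twist condition is the practical reason such curves cannot simply be taken from a standard list: most published curves have a prime-order group but make no promise about the twist, and a protocol that lets a peer supply x-coordinates without checking membership is effectively computing on whichever of the two curves the point lies on.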

F. Morain and D. Augot (CODES) participate in the ACI SERAC (SEcuRity models and protocols for Ad-hoC Networks), which started in September 2004. Their interest there is to understand the (new?) cryptographic needs and to try to invent new trust models.

It is clear that the arrival of Hipercom (also a member of SERAC) at École polytechnique will trigger new collaborations in that direction too.

It is important to stress that the two cases widely used in practice,
which are

As a consequence, curves of genus 3 and larger should be used
with extreme care when deployed in a cryptosystem. At the very least,
a cryptosystem based on a genus 3 curve must have a key-size about

ACI CRYPTO

Gemplus: thesis of É. Brier on the use of hyperelliptic curves in cryptology.

ACI SÉCURITÉ CESAM : elliptic curves for the security of mobile networks.

ACI SÉCURITÉ SERAC: SEcuRity models and protocols for Ad-hoC Networks.

Together with the CODES project at INRIA Rocquencourt, the project TANC participates in ECRYPT, a NoE in the Information Society Technologies theme of the 6th European Framework Programme (FP6).

A. Enge has been a member of the programme committee of Indocrypt 2004, held in Chennai, India.

François Morain is the head of the 1st year course ``Introduction à l'informatique et à la programmation'' at École polytechnique, and gives a cryptology course in Majeure 2. He represents École polytechnique in the Commission des Études of the Master MPRI.

A. Enge has been responsible for an introductory course on cryptology for PhD students at the University Bordeaux I. During the summer, he has conceived and realised a multimedia lecture on selected cryptologic topics proposed to students of École polytechnique in the framework of the European project Convergence. Furthermore, he has given lectures on the hyperelliptic discrete logarithm problem during the summer school on elliptic curve cryptography at Bochum.

A. Enge and P. Gaudry give lectures in the MPRI Master. R. Dupont, A. Enge, P. Gaudry, F. Morain and A. Weng have given lectures during the special semester on explicit methods in number theory at the Institut Henri Poincaré, Paris (RD on his work, AE/AW/FM on complex multiplication, PG on point counting over finite fields).

P. Gaudry is also active at École polytechnique (Majeure 2, etc.).

F. Morain participated for the second time in the ACM International Programming Contest (SWERC04) in November 2004, as one of the problem authors. This contest was held at École polytechnique.

A. Enge has given a survey on elliptic curve cryptography and recent progress in the field during the ``Journée Sécurité de l'Information et Cryptographie'' in Limoges in November. He has presented his work on the complexity of class polynomial computation at the workshop ``Algorithms and Number Theory'' at Dagstuhl in May.

P. Gaudry was an invited speaker at the ECC-2004 conference in Bochum (Germany), 20-22/09/04. He gave a talk during the Journées ACI Sécurité Informatique in Toulouse (16/11/04).

F. Morain has given talks on fastECPP in Amiens, at Paris 6 and at ENSTA. He also presented in Burlington.

N. Gürel has given talks in Caen, at ENSTA, and in Sydney (Univ. Sydney, Macquarie Univ.) during his postdoctoral stay. R. Dupont has presented his work in Caen (March 2004). T. Houtmann attended Eurocrypt '04 in Interlaken.

AE, RD, NG, FM all attended ANTS-VI in Burlington.

A. Enge has taken part in the INRIA booth during the ``Salon des jeux et de la culture mathématiques'' in Paris with a presentation of public key cryptography aimed at a general public. He was an active participant in the ``Fête de la Science'' at the Ferme du Moulon, proposing activities on secret writing and cryptanalysis to students of age 12 to 14.