The
Cacaoproject-team has been officially created on October 9, 2006, after having
*de facto*existed for more than one year. The objectives of the project-team are along the following lines:

Study arithmetic of curves of small genus, with a particular emphasis on applications to cryptology;

Improve the efficiency and the reliability of arithmetics in a broad sense (i.e., the arithmetics of a wide variety of objects).

These two objectives interplay strongly. On the one hand, arithmetics are at the core of optimizing algorithms on curves, starting evidently with the arithmetic of curves themselves. On the other hand, curves can sometimes be a tool to solve some arithmetical problems as integer factorization.

To reach these objectives, we have isolated three key axes of work:

**Algebraic Curves and Cryptology**: the main issue here is to investigate curves of small genus over finite fields (base field
, for various
pand
n). The main tasks are to compute in the Jacobian of a given curve, to be able to check that this variety is suitable for cryptography (cardinality, smoothness test) and to solve
problems in those structures (discrete logarithm). Applications go from number theory (integer factorization) to cryptography (an alternative to RSA).

**Arithmetics**: Here, we consider algorithms dealing with multiple-precision integers, floating-points numbers,
p-adic numbers and finite fields. For such basic data structures, we do not expect new algorithms with better asymptotic behavior to be discovered; however, since those are
first-class objects in all our computations, any speedup is most welcome, even by a factor of 2. Since January 2007,
Cacaohas also been strongly involved in a project on the number field sieve (NFS), an integer factorization algorithm. We aim at developing an
efficient implementation of the NFS, study its distribution, and fine-tune it in the currently “practical” range, i.e., 100-150 decimal digits.

**Linear Algebra and Lattices**: solving large linear systems is a key point of factoring and of discrete logarithm algorithms, which we need to investigate if curves are to be applied
in cryptology. Lattices are central points of the new ideas that have emerged over the very last years for several problems in computer arithmetic or discrete logarithms algorithms.

Another new direction of research has started since Fall 2006 with the arrival of Marion Videau, who has been hired as an assistant professor at UHP, coming from the CODES project-team (INRIA Paris - Rocquencourt). This should allow the project-team to start an axis around symmetric primitives for cryptology; this is an interesting complement to the expertise already present regarding asymmetric (and especially curve-based) primitives for cryptology.

Though we are interested in algebraic curves by themselves, the applications to cryptology remain a motivation of our research, which is therefore especially focused on curves defined over finite fields.

In the mid-eighties, Koblitz and Miller proposed to use elliptic curves as a basis of public key cryptosystems. Indeed, the set of points on an elliptic curve is an abelian group, which is finite if the base field is a finite field. In this group, the discrete logarithm problem is thought to be difficult in general, in the sense that the best known algorithm to solve it has an exponential complexity. This has to be compared with the classical RSA algorithm, the security of which relies on the difficulty of factoring integers, but where the best known factoring algorithm has subexponential complexity. In practice, this means that the size of the parameters is much smaller for elliptic curve based cryptosystems than for classical ones.

More generally, for an algebraic curve over a finite field, there is a finite abelian group associated to it, called the Jacobian of the curve. Algebraic curves can be classified by their genus; the genus of a conic is zero and elliptic curves are curves of genus 1 (in that case, the Jacobian is isomorphic to the curve). As long as the genus is not too large, the discrete logarithm problem in the Jacobian of a curve is thought to be difficult in general, therefore one can also base cryptosystems on non-elliptic curves.

The main algorithmic tasks in relation to the use of curves in cryptography are the following:

Have an explicit description of the group and the group operation, as efficient as possible. The speed of ciphering and deciphering is indeed directly linked to the efficiency of the group operation.

Construct curves suitable for cryptographic use: the minimal requirement for the discrete logarithm to be difficult is to have a large prime factor in the group order.
It is therefore necessary to compute the group order to check that property. This is what we call the
*point counting task*.

Study the security of curve-based primitives. By this, since no general framework exists to assess that security, we mean undertake an as thorough as possible study of the security offered by those groups. The most standard way to do this is by trying to solve discrete logarithm problems in certain classes of curves.

With “linear algebra and lattices”, we denote two classes of problems of interest: computing vectors of the kernel of a large sparse matrix defined over a finite field, and studying algorithms to handle lattices that are given by a vector basis.

Huge linear systems are frequently encountered as last steps of “index-calculus” based algorithms for factoring or discrete logarithm computations. Those systems correspond to a particular presentation of the underlying group by generators and relations; they are thus always defined on a base ring which is modulo the exponent of the group, typically in the case of factorization, when trying to solve a discrete logarithm problem over . Those systems are often extremely sparse, so that specialized algorithms (Lanczós, Wiedemann) relying only on the evaluation of matrix-vector products essentially have a quadratic complexity, instead of being cubic with the classical Gaussian elimination.

The sizes of the matrices that are handled in record computations are such that they do not fit in the central memory of a single machine, even using a representation adapted to their sparse nature. Some parallelism is then required, yielding various difficulties that are different from the ones encountered in the classical linear algebra problems linked to numerical analysis. Specifically, dealing with matrices defined over finite fields precludes direct adaptation of numerical methods based on the notion of convergence and fixed-point theorems.

The second main topic is algorithmic lattice theory. Lattices are key tools in numerous problems in computer algebra, algorithmic number theory and cryptology. The typical questions one
wants to solve are to find the shortest nonzero vector in a lattice and to find the closest lattice vector to a given vector. A more general concern is to find a better lattice basis than the
one provided by the user; by “better” we mean that it consists of short, almost orthogonal vectors. This is a difficult problem in general, since finding the shortest nonzero vector is
already NP-hard, under probabilistic reductions. In 1982, Lenstra, Lenstra, and Lovász
defined the notion of a LLL-reduced basis and described an algorithm to compute such a basis in polynomial time.
Although not always sufficient, the LLL-reduction is sometimes enough for the application. Some stronger notions of reduction exist, such as Hermite-Korkine-Zolotarev
(HKZ) reduction, which require exponential or super-exponential time but solve the shortest vector problem in an
exact way. Schnorr
introduced a complete hierarchy of reductions ranging from LLL to HKZ both in quality and in complexity, the
so-called
k-BKZ reductions.

We consider here the following arithmetics: integers, rational numbers, integers modulo a fixed modulus
n, finite fields, floating-point numbers and
p-adic numbers. We can divide those numbers in two classes:
*exact numbers*(integers, rationals, modular computations or finite fields), and
*inexact numbers*(floating-point and
p-adic numbers).

Algorithms on integers (respectively floating-point numbers) are very similar to those on polynomials, respectively Taylor or Laurent series. The main objective in that domain is to find new algorithms that make operations on those numbers more efficient. These new algorithms may use an alternate number representation.

In the case of integers, we are interested in multiprecision arithmetic. Various algorithms are to be used, depending on the sizes of the objects, starting with the most simple “schoolbook” methods to the most advanced, asymptotically fast algorithms. The latter are often based on Fourier transforms.

The case of modular arithmetic and finite fields is the first where the representation of the elements has to be chosen carefully. Depending on the type of operations one wants to perform, one must choose between a classical representation, the Montgomery representation, a look-up table, a polynomial representation, a normal basis representation, ... Then appropriate algorithms must be chosen.

With
p-adic numbers, we get the first examples of non-exact representations. In that setting, one has to keep track of the precision all along a computation. The mechanisms to handle that
issue can vary: since the precision losses are not too difficult to control, one can work with a fixed global precision, or one can choose to have each element carrying its precision.
Additionally, there are several choices for representing elements, in particular when dealing with algebraic extensions of the
p-adics (ramified or unramified).

Last but not least, we are interested in the arithmetics of real numbers of floating-point type. Again, we have a notion of approximation. It is therefore necessary to decide of a
*format*that defines a set of representable numbers. Then, when the result of an arithmetical operation on two representable numbers is not representable, one should define a way to
*round*it to a meaningful representable number. The purpose of the IEEE-754 standard is to give a uniform answer to these questions in order to guarantee the reliability and portability
of floating-point computations. The standard is restricted to the 4 basic field operations and the square root on a small number of possible formats (single, double, double-extended binary
formats), but it can be extended to arbitrary precision and all classical mathematical functions. This leads to efficiency questions, in particular to guarantee that the result of an
operation has been correctly rounded.

The main application domain of our project-team is cryptology. Algebraic curves have taken an increasing importance in cryptology over the last ten years. Various works have shown the usability and the usefulness of elliptic curves in cryptology, standards (for instance, IEEE P1363 and real-world applications (like the electronic passport).

We study the suitability of higher genus curves to cryptography (mainly hyperelliptic curves of genus two, three). In particular, we work on improving the arithmetic of those curves, on the point counting problem, and on the discrete logarithm problem.

We also have connections to cryptology through the study and development of the integer LLL algorithm, which is one of the favourite tools to cryptanalyze public-key cryptosystems. Examples are the cryptanalysis of knapsack-based cryptosystems, the cryptanalyses of some fast variants of RSA, the cryptanalyses of fast variants of signature schemes such as DSA or Elgamal, or the attacks against lattice based cryptosystems like NTRU. The use of floating-point arithmetic dramatically speeds up this algorithm, which renders the aforementioned cryptanalyses more feasible.

Finally, we are studying integer factoring algorithms which are of utmost importance for the evaluation of the security of the still widely used RSA cryptosystem. In the context of our ANR CADO grant, we are investigating the Number Field Sieve algorithm, which is the best known algorithm for factoring numbers of the kind used in practical RSA instances.

We have strong ties with several computational number theory systems, and code written by members of the project-team can be found in the Magma software and in the Pari/GP software.

Magma

Pari/GP

SAGE

Another indirect transfer is the usage of Mpfrin gfortran(since 2004), and in Gcc, up from version 4.3. mpfris currently used at compile-time, to convert expressions like sin(3.1416)into binary double-precision, when the rounding mode can be statically determined. The Mpfrlibrary is also used by the cgalsoftware, a library for computational geometry developed by the Geometrica project-team ( InriaSophia Antipolis - Méditerranée).

A major part of the research done in the Cacaoproject-team is published within software. On the one hand, this enables everyone to check that the algorithms we develop are really efficient in practice; on the other hand, this gives other researchers — and us of course — basic software components on which they — and we — can build other applications.

Mpfris one of the main pieces of software developed by the Cacaoteam. Since end 2006, with the departure of Vincent Lefèvre to EnsLyon, it has become a joint project between Cacaoand the Arenaireproject-team ( InriaGrenoble - Rhône-Alpes). Mpfris a library for computing with arbitrary precision floating-point numbers, together with well-defined semantics, distributed under the Lgpllicense. In particular, all arithmetic operations are performed according to a rounding mode provided by the user, and all results are guaranteed correct to the last bit, according to the given rounding mode.

Several software systems use Mpfr, for example: the Gccand Gfortrancompilers; the Sagecomputer algebra system; the Kdecalculator Abakus by Michael Pyne; cgal(Computational Geometry Algorithms Library) developed by the Geometrica project-team ( InriaSophia Antipolis - Méditerranée); Gappa, by Guillaume Melquiond; Genius Math Tool and the Gellanguage, by Jiri Lebl; Giac/Xcas, a free computer algebra system, by Bernard Parisse; the iRRAM exact arithmetic implementation from Norbert Müller (University of Trier, Germany); the Magma computational algebra system; and the Wcalc calculator by Kyle Wheeler.

The main developments in 2007 were: (i) the start of the MPtools project (see below); (ii) the release of
Mpfr2.3.0, which integrates new functions, among which the Bessel functions, on August 29; and (iii) the organization of the
Cea-
Edf-
Inriaschool
*Certified Numerical Computation*on October 25-26 in Nancy

In 2007, an ODL (
*Opération de Développement Logiciel*) called MPtools was supported by
Inriafor two years. A new engineer, Philippe Théveny, was hired in September. The objectives of the MPtools project are to add new mathematical
functions to
Mpfrand
Mpc. As of October, the following new functions were already implemented: the arithmetic functions combining
Mpfrand the double type (
`mpfr_add_d`,
`mpfr_sub_d`,
`mpfr_d_sub`,
`mpfr_mul_d`,
`mpfr_div_d`,
`mpfr_d_div`), the
`mpfr_modf`function (simultaneous integer and fractional part), the
`mpfr_fmod`and
`mpfr_remainder`functions (remainder of the division of two floating-point numbers, with different rounding modes), the
`mpfr_fms`function (fused multiply and subtract), the
`mpfr_sinh_cosh`function (simultaneous hyperbolic sine and cosine), the
`mpfr_lgamma`function (logarithm of the gamma function), the J and Y Bessel functions.

Mpcis a floating-point library for complex numbers, which is developed on top of the
Mpfrlibrary, and distributed under the
Lgpllicense. It is co-written with Andreas Enge (
Tancteam,
InriaFuturs Saclay). A complex floating-point number is represented by
x+
iy, where
xand
yare real floating-point numbers, represented using the
Mpfrlibrary. The
Mpclibrary currently implements all basic arithmetic operations, the exponential and sine functions, all with correct rounding on both the real part
xand the imaginary part
yof any result. A new version,
Mpc0.4.6, was released in 2007.
Mpcis used in particular in the
Tripcelestial mechanics system developed at
Imcce(
*Institut de Mécanique Céleste et de Calcul des Éphémérides*).

Gmp-Ecmis a program to factor integers using the Elliptic Curve Method. Its efficiency comes both from the use of the Gmplibrary, and from the implementation of state-of-the-art algorithms. Gmp-Ecmcontains a library ( libecm) in addition of the binary program ( ecm). The binary program is distributed under Gpl, while the library is distributed under Lgpl, to allow its integration into other non- Gplsoftware. For example, the Magma computational number theory software and the Sagecomputer algebra system both use libecm.

In October 2005, this project moved to
http://

Gmp-Ecmis used by many mathematicians and computer scientists to factor integers; for example it can be used to prove the primality of an integer, since several primality tests require to factor a given proportion of a number .

In June, a collaboration has started between Alexander Kruppa and Peter Montgomery; they are designing a new algorithm for the so-called Phase 2 of the
p+ 1and
p-1algorithms which can be seen as particular cases of
Ecm. Their new algorithm is currently being implemented and tested within
Gmp-Ecm, and a new
p+ 1record prime factor of 60 digits was set by this implementation in October. An article has been submitted
.

In September, version 6.1.3 of Gmp-Ecmwas released.

Mploc is a
`C`library for computing in
p-adic fields and their unramified extensions. The focus is mainly on
for prime
p, and unramified extensions of
. The ability to compute in these structures is important to several applications, such as point counting or building curves with a prescribed number of points.

The Mploc library is already distributed
`C`source code.

`mp`is (yet another) library for computing in finite fields. The purpose of
`mp`is not to provide a software layer for accessing finite fields determined at runtime within a computer algebra system like Magma, but rather to give a very efficient, optimized code for
computing in finite fields precisely known at
*compile time*.
`mp`is not restricted to a finite field in particular, and can adapt to finite fields of any characteristic and any extension degree. However, one of the targets being use in cryptology,
`mp`somehow focuses on prime fields and on fields of characteristic two.

`mp`'s ability to generate specialized code for desired finite fields differentiates this library from its competitors. The performance achieved is far superior. For example,
`mp`can be readily used to assess the throughput of an efficient software implementation of a given cryptosystem. Such an evaluation is the purpose of the “EBats” benchmarking tool
`mp`
have been submitted to the “EBats” contest. In particular, the authors improved over the fastest examples of key-sharing software in genus 1 and 2, both over binary fields and
prime fields.

The library's purpose being the
*generation*of code rather than its execution, the working core of
`mp`
consists of roughly 5,000 lines of Perl code, which generate most of the currently 13,000 lines of
`C`code.
`mp`
is currently under active development, and a first release is expected in early 2008. An article describing the
`mp`
library and its use for implementing curve-based cryptosystems has been published
.

gf2x is a set of programs for polynomial multiplication over the binary field, developed together with Richard Brent (Australian National University,
Canberra, Australia). There are implementations of various algorithms corresponding to different degrees of the input polynomials. In the case of polynomials that fit into one or two
machine-words, the schoolbook algorithm has been improved and implemented using
Sseinstructions for maximum speed. For small degrees, we switch to Karatsuba's algorithm and then to Toom-Cook's algorithm. These have been
implemented using the most recent improvements. Finally, for very large degrees one has to switch to Fourier-transform based algorithms, namely Schönhage's or Cantor's algorithm. In order to
choose between these two asymptotically fast algorithms, we have implemented and compared them. A first release of
gf2x, version 0.1, is available from
http://

Mpqsis a program that factors integers using the Multiple Polynomial Quadratic Sieve, developed by Scott Contini and Paul Zimmermann. It is
distributed under
Gplfrom
http://

Two papers written in end-2006, on worst cases of periodic functions for large arguments, and on floating-point
L^{2}approximations to functions, have been published in 2007, see
,
.

The paper analyzing the error bounds on the complex floating-point multiplication finally appeared, see .

We have worked on Schönhage-Strassen's algorithm for multiplying very large integers. Starting with the
Gmpimplementation, we have designed several improvements, some of them are more implementation tricks (like preserving locality in the computation to
stay in the cache as much as possible), and some of them are algorithmic improvements (like combining a Mersenne- and a Fermat-like transform). These ideas have been published in
, and the corresponding code is released under the
Lgpllicense as a patch against the
Gmplibrary

In collaboration with Cheng and Zima, see
, we have improved upon the best known algorithms for computing hypergeometric constants. The theoretical
asymptotical complexity is unchanged, but the practical behaviour is better. We demonstrated the efficiency by computing billions of digits of
and 2 billions of digits of
, which is a new record

Richard Brent and P. Zimmermann are collaborating on a book called “Modern Computer Arithmetic”. A preliminary version
has been published on the web. An
Inriaassociate team

Another common project with Richard Brent is the search for primitive trinomials over . A new factoring algorithm has been designed in this context, see , thus most of the operations are now squares which are very cheap in characteristic 2. One of our goals is to improve algorithms for finding primitive trinomials of degree a Mersenne prime. An implementation of the latter algorithm was first used to check our previous search for primitive trinomials of degree 6972593, one of the largest Mersenne primes known: we observed a speedup of a factor 70 over the previous algorithm. Then we searched for new primitive trinomials of degree 24036583, and we found exactly two (and their reciprocal):

x^{24036583}+
x^{8412642}+ 1,
x^{24036583}+
x^{8785528}+ 1.

The search for the next Mersenne exponent, 25964951, was performed using the idle cycles of the Grid 5000 platform (“besteffort” mode); four primitive trinomials were found:

x^{25964951}+
x^{880890}+ 1,
x^{25964951}+
x^{4627670}+ 1,
x^{25964951}+
x^{4830131}+ 1,
x^{25964951}+
x^{6383880}+ 1.

All those primitive trinomials have been checked by Allan Steel using Magma. A journal paper
describing in detail the new algorithm has been accepted to a special issue of
*Contemporary Mathematics*.

In the context of genus 2 cryptography, we have designed fast explicit formulæ for the group law in the Jacobian; in fact the formulæ work in the so-called Kummer surface, that is a point
and its opposite are merged into a single element. The Kummer surface is not a group, but there is still enough structure to add an element with itself, and then to build cryptosystems. Our
formulæ are much faster than previously known formulæ for genus 2 arithmetic. For the case of odd characteristic, the resulting algorithm has been published in
. The formulæ have been extended to characteristic 2. Although they do work in all examples we have tested, a
rigorous proof of their validity is yet to be found. All these algorithms have been implemented on top of the
`mp`
library, thus confirming that genus 2 cryptosystems can be faster than elliptic ones. This implementation has been the subject of a publication, see
.

Another “constructive” work has been done in collaboration with Laurent Théry. The goal was to give a rigorous proof of the primality of an integer. There exist software tools that produce
elliptic certificates of primality, for instance,
`fastECPP`written by François Morain. The algorithm for checking the certificates is much simpler than for producing it, and it has been possible to implement it within
`Coq`. This implementation is described in
.

The paper written on the algorithm developed in 2005 (using a double large prime variation for the discrete logarithm problem, Dlpfor short, in Jacobian of curves) with Gaudry, Thomé, Diem and Thériault has been published .

The improvement by Diem in the case of small degree curves has been more precisely studied by Diem and Thomé who improved the heuristic proof towards a more rigorous one, where the only
remaining heuristic argument is reduced to a random graph comparison result. That paper will be published in
*Journal of Cryptology*, and is already electronically published
.

Another contribution in the context of discrete logarithms has been obtained by Enge and Gaudry. For a general curve of large enough genus
gover a finite field
q, the complexity of a discrete log computation is in
L_{qg}(1/2), where
L()is the classical subexponential function (this has been recently proven in a rigorous way by Hess
). Enge and Gaudry
have shown that for plane curves having a particular shape of degrees in
xand
y, this complexity can been reduced heuristically to
L_{qg}(1/3 +
), recovering the kind of complexity we have for integer
factorization or discrete logarithms in finite fields. We are now working on removing the
in the complexity.

Concerning lattices, Hanrot and Stehlé (
Arenaireproject-team,
InriaGrenoble - Rhône-Alpes) completed an analysis of Kannan's enumeration algorithm, the best deterministic algorithm for finding a shortest
non-zero vector in a lattice, or a closest vector to a given point. They proved that, in contradiction to what was believed since the beginning of the 90's, the complexity of the former
problem is at most
d^{d/(2
e) +
o(
d)}arithmetic operations on integers of polynomial size (instead of
d^{d/2 +
o(
d)}); for the latter problem, the complexity drops from
d^{d+
o(
d)}to
d^{d/2 +
o(
d)}. These analysis more generally yield results on the complexity of HKZ-reduction, which is also
d^{d/(2
e) +
o(
d)}. This work was presented at the Crypto'07 conference, see
.

Using an adaptation of the Number Field Sieve algorithm, Joux, Naccache and Thomé obtained a variety of new signature forgery algorithms for the
Rsadigital signature algorithm, when one uses
*affine padding*(where one uses e.g.,
(
c+
x)
^{d}as the signature of a message
x). The basic assumption is that the attacker has access to an oracle providing modular
e-th roots of the form
. Within subexponential complexity, it is shown that additional such roots can be obtained. The attack has the same complexity as the
*special*Number Field Sieve algorithm, which is much lower than the
*general*Number Field Sieve. Another result of this work is a new subexponential algorithm solving the
*one-more-rsa*problem. This work was presented at the Asiacrypt 2007 conference, see
.

2007 was last year for the project Asphalès which had been selected for funding in 2004 by AciSécurité et Informatique. The project goal is the study of the interaction between information security and legal safeguards. Marion Videau coordinates the projet, jointly with Isabelle de Lamberterie and Stéphanie Lacour. She has worked on the probative value of electronic data media and their conservation. The article “Légistique de l'écrit électronique”, results of a joint work with Stéphanie Lacour ( Cnrs- Cecoji/ Ocde-Working Party on Nanotechnology) has been published among other contributions from various workshops held during Asphalès project lifetime by l'Harmattan in a book entitled “La Sécurité aujourd'hui dans la société de l'information”.

Marion Videau and Stéphanie Lacour continue their joint work on various aspects of information security (personal medical data files, nanotechnology development).

A non-exclusive license contract (CACAO-LICENCE MPQS-2680) has been signed on July 25th with Waterloo Maple Inc. (WMI), to enable the use of a fixed version of MPQS (see Section ) within the Maple computer algebra software.

The team has obtained a financial support from the ANR (“programme blanc”) for a project, common with the TANC project-team and the number theory team of the mathematics lab in Nancy (IECN). Its objective is to study the number field sieve algorithm.

We are working on several aspects of this factoring algorithm, that are linked to our main objectives. Among other things, we will investigate the so-called “polynomial selection” phase, which could possibly be improved using some lattice reduction tools, we will work on the parallelization (in a Grid context) of the linear algebra step, we also want to study the relation search phase, where the speed of the underlying arithmetic is crucial.

For all of that, it is important to us to have our own implementation. Therefore, we have started the writing of this implementation, that will be released under a free software license. The main goal is not to break records, but to have a convenient and configurable tool to test different strategies.

The project RAPIDE has begun January 1st, 2007. RAPIDE's goal is the study of the design and the analysis of efficient stream ciphers suitable for constrained environments. It has been granted and partially funded by the ANR during the SETIN 2006 call for proposals. Marion Videau is the head of this project. Guillaume Hanrot and Paul Zimmermann take part in the research activity.

The research activity is centered around the question of non-linear feedback functions. The idea is either to find a suitable way to use symmetric Boolean functions as feedback functions since they are well known for their good implementation properties or to find a way to synthesize new families of Boolean functions having both good cryptographic parameters and good implementation characteristics.

To improve the knowledge about symmetric Boolean functions and their potential use as nonlinear feedbacks, Marion Videau is currently working in collaboration with the university of Bergen, Selmer Center, Norway. Symmetric Boolean functions have indeed good representation properties that are currently studied in collaboration with Matthew G. Parker in order to apply them to quantum codes. Contacts have also been taken with Johannes Mykkeltveit for the study of sequences generated with symmetric feedbacks. On the synthesis side, Marion Videau is currently working with Cédric Lauradoux (post-doctoral fellow, Princeton University) on the properties of a special class of partially symmetric functions (a paper is currently submitted).

Richard Brent visited the CACAO team in May. This visit led to new results concerning the arithmetic of binary polynomials. To reinforce the active collaboration with Richard Brent and his
team, an “associate team” ANC (Algorithms, Numbers, Computers) has been proposed, and supported by INRIA

Florian Hess from TU Berlin visited us in January, working mainly with P. Gaudry on efficient group laws in Jacobians of curves. David Kohel from University of Sydney has spent 2 months in May/June with the CACAO team as an invited professor of Université Henri Poincaré. He was then hired as a professor in Marseille, and this visit has been a good opportunity to establish good relations with the new group he is starting there. Dan Bernstein and Tanja Lange from TU Eindhoven have visited us at the end of November to work on various topics, including integer factorisation and curve based cryptography.

Marion Videau has spent one month (July 2007) in Bergen, with Selmer Center, in order to develop common projects with the group of coding theory and cryptography which is worlwide renown in the field.

Guillaume Hanrot spent three weeks together with Nicolas Brisebarre (ARENAIRE project-team) at the Tsukuba University in order to prepare a collaboration on pairing computation, in software and hardware. A joint proposal has been submitted to the PHC Sakura program. The results are pending.

We have a seminar, where we have invited in 2007 the following speakers: Jean-Luc Beuchat, Richard Brent, Sylvain Chevillard, Jeremie Detrey, Christophe Doche, David Kohel, Christoph Lauter, David Lubicz, Guillaume Melquiond, Clément Pernet, Thomas Sirvent, Ben Smith, Ley Wilson.

Emmanuel Thomé has co-organized the
*Journées Nationales de calcul Formel*, that took place in Luminy in January. He will also co-organize the next meeting in 2008.

Pierrick Gaudry has co-organized the
*École Jeunes Chercheurs en Informatique Mathématique*, that took place in Nancy in March.

Guillaume Hanrot and Paul Zimmermann have organized the 1st school on
*Certified Numerical Computation*on October 25-26 in Nancy

Guillaume Hanrot was in the Program Committee of the ISSAC 2007 conference; Paul Zimmermann was in the Program Committee of the ARITH 18 conference; both are members of the steering committee of the RNC conference. Pierrick Gaudry was in the Program Committee of the WAIFI 2007 conference.

G. Hanrot is vice-head of the Project Committee of INRIA Lorraine. He is also an appointed member of the INRIA Commission d'Évaluation, of the Mathematics “Commissions de Spécialistes” from Universités Montpellier 2, Henri Poincaré Nancy 1-Nancy 2-INPL, Jean-Monnet Saint-Étienne. He was a member of the hiring committee for CR2 at INRIA Rocquencourt in 2007.

P. Gaudry is an appointed member of the Computer Science “Commissions de Spécialistes” from Universités Henri Poincaré Nancy 1 and Paris 8. He was one of the reviewers of the PhD these of J. Pujolas (Universitat Politècnica de Catalunya, Barcelona).

P. Zimmermann is an elected member from the INRIA Evaluation Committee, and of the Computer Science “Commission de Spécialistes” from University Henri Poincaré Nancy 1. He was member of the PhD thesis jury of Marc Glisse (Univ. Nancy 2), of Romain Péchoux (INPL), and of the habilitation jury of Isabelle Debled-Rennesson (Univ. Henri Poincaré Nancy 1). He was a member of the hiring committee for CR2 at INRIA Futurs Saclay in 2007.

G. Hanrot gave a one-hour invited talk for the LLL+25 conference, Caen, and wrote a survey on the topic of his talk, which shall be published in a proceedings volume. P. Gaudry gave a one-hour invited talk for the “Computational Challenges Arising in Algorithmic Number Theory and Cryptography Workshop”, Toronto and a one-hour invited talk for the ECC 2007 conference, Dublin. Paul Zimmermann gave invited talks at the “Conference on Algorithmic Number Theory” in Turku (Finland), at the “Explicit Methods and Number Theory” conference in Bordeaux (France), and at the SAGE Days 6 in Bristol (United Kingdom). M. Videau gave an invited talk at the C&ESAR 2007 (Computer & Electronics Security Applications Rendez-vous).

As an assistant professor, M. Videau teaches mainly at the master level. The courses directly related to her research activities are :
*Introduction to cryptography*(master degree, engineering school) and
*Introduction to the security of communicating systems*(master degree). She has supervised the master thesis of Pierre Dégardin (University of Limoges), entitled “Is it possible to replace
the S-box of the AES by a binomial or trinomial permutation function?”.

P. Gaudry gave three 3 hours lectures at MPRI (Master Parisien de Recherche en Informatique) about algorithmic number theory, in the Cryptology course.

E. Thomé gave 6 hours of computer lab at Université Henri Poincaré (M1 students) on the topic of the security of communicating systems.

P. Gaudry and G. Hanrot are members of the jury of “agrégation externe de mathématiques”, a competitive exam to hire high school teachers.

E. Thomé is a member of the jury of the competitive exam for the École polytechnique.