TANC is located in the Laboratoire d'Informatique de l'École polytechnique (LIX). The project was created on 2003-03-10.

The aim of the TANC project is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

This sentence makes clear that we combine high-level mathematics and efficient programming. Our main area of competence and interest is that of algebraic curves over finite fields, most notably the computational aspects of these objects, which appear as a substitute for classical cryptography based on modular arithmetic. One of the reasons for this change is that, for equivalent security, the key size is much smaller. We take part in the current search for "biodiversity", that is, for substitutes for established cryptosystems such as the well-known RSA system (named after Rivest, Shamir and Adleman), in case an attack should appear and destroy the products that rely on it.

Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values need to be proved, since they may be difficult to compute.

Our research area includes:

Fundamental number theoretic algorithms: we are interested in primality proving algorithms based on elliptic curves, integer factorization, and the computation of discrete logarithms over finite fields. These problems lie at the heart of the security of arithmetic based cryptosystems.

Algebraic curves over finite fields: the algorithmic problems that we tackle deal with the efficient computation of group laws on Jacobians of curves, evaluation of the cardinality of these objects, and the study of the security of the discrete logarithm problem in such groups. These topics are the crucial points to be solved for potential use in real crypto-products.

Complex multiplication: the theory of complex multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic or hyperelliptic cryptosystems.

Pairings: The new number theoretic primitive of pairings (i.e., bilinear functions) on algebraic curves enables plenty of novel applications and poses algorithmic challenges concerning efficient implementations and the creation of secure instances.

As described in the name of our project, we aim at providing robust primitives for asymmetric cryptography. In recent years, we have made several attempts at coming closer to another part of cryptology, by applying our knowledge to real life protocols. We are currently trying to promote the use of elliptic curves in environments where this could be useful, namely *ad hoc* networks.

In another direction, Daniel Augot is studying the decoding of error correcting codes based on algebraic curves (algebraic geometry codes). These codes are a successful generalization of the Reed-Solomon codes, because they provide good error correction capacities. The main drawback of these codes is that their known decoding algorithms have too large a complexity, that is to say, higher than quadratic in the length of the code. Project-Team TANC has successfully used techniques and advanced algorithms from computer algebra to obtain fast algorithms in the domain of cryptography. Daniel Augot plans to build upon this knowledge to get efficient decoding algorithms for algebraic geometry codes. The first step is to efficiently decode Hermitian codes, whose decoding complexity is currently in O(n^{7/3}). These codes are indeed the best understood AG codes, and they are also good candidates for applying the Guruswami–Sudan principles for list-decoding.

For the very first time in algebraic curve cryptography, A. Enge and P. Gaudry (CACAO) have exhibited a class of curves in which the discrete logarithm problem is attacked by a subexponential algorithm of complexity resembling that of the most powerful algorithms that break the famous RSA cryptosystem. This makes the corresponding algebraic curve cryptosystems no more secure than RSA. This result is a major step towards the goal of the TANC project to catalogue all classes of curves suited for cryptography. The publication was rewarded as one of the three best papers at the Eurocrypt 2007 conference.

Once considered beautiful but useless, arithmetic has proven incredibly efficient when asked to assist the creation of a new paradigm in cryptography. Old cryptography was mainly concerned with *symmetric techniques*: two principals wishing to communicate secretly had to share a common secret beforehand, and this same secret was used both for encrypting the message and for decrypting it. This way of communication is efficient enough when traffic is low, or when the principals can meet prior to communication.

It is clear that modern networks are too large for this to remain efficient any longer. Hence the need for cryptography without first contact. In theory, this is easy. Find two algorithms E and D that are reciprocal (i.e., D(E(m)) = m) and such that the knowledge of E does not help in computing D. Then E is dubbed the public key, available to anyone, and D is the secret key, reserved to one user. When Alice wants to send an email to Bob, she uses his public key and can send him the encrypted message, without agreeing on a common key beforehand. Though simplified and somewhat idealized, this is the heart of asymmetric cryptology. Apart from confidentiality, modern cryptography provides good solutions to the signature problem, as well as some solutions for identifying all parties in protocols, thus enabling products to be usable on the Internet (ssh, ssl/tls, etc.).

Of course, everything has to be presented in the modern language of complexity theory: computing E and D must be doable in polynomial time; finding D from E alone should be possible only in, say, exponential time, without some secret knowledge.

Now, where do difficult problems come from? Mostly from arithmetical problems. There we find the integer factoring problem, the discrete logarithm problem, etc. Varying the groups appears to be important, since this provides some biodiversity, which is the key to resisting attacks from cryptanalysts. Among the groups proposed: finite fields, modular integers, algebraic curves, class groups, etc. All these now form cryptographic primitives that need to be assembled in protocols, and finally in commercial products.

Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory and the efficient construction of these primitives. TANC concentrates on modular arithmetic, finite fields and algebraic curves.

We have a strong, well-known reputation for breaking records, whatever the subject: constructing systems or breaking them, including primality proving, class polynomials, modular equations, computing cardinalities of algebraic curves, discrete logs, etc. This means writing programs and putting in all the work needed to make them run for weeks or months. An important part of our task is now to transform record programs into ones that can solve everyday problems for current sizes of the parameters.

Efficiency is not our only concern; certificates are another. By this, we mean that we provide proofs of the properties of the objects we build. The traditional example is that of prime numbers, where certificates were introduced by Pratt in 1974. These certificates might be difficult to build, yet they are easy to check (by customers, say). We know how to do this for elliptic curves, with the aim of establishing what we call an **identity card** for a curve, including its cardinality together with the proof of its factorization, its group structure (with proven generators), discriminant (and factorization), and class number of the associated order. The theory is ready for this, and the algorithms are not out of reach. This must be extended to other curves, and in several cases the theory is almost ready or not at all, and algorithms are still to be found. This is one of the main problems we have to tackle in TANC.
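The Pratt certificate mentioned above, as an added example in Python (not code from the TANC team): building the certificate requires factoring p - 1 and searching for an element of order p - 1, whereas checking it needs nothing but modular exponentiations, which is exactly the asymmetry the text describes. The trial-division factoring routine and the small inputs used are assumptions of the example.

```python
"""Pratt primality certificates: costly to build, cheap to check.

Added example. The factorization routine is naive trial division and is only
suitable for the small inputs used here; the checker never factors anything.
"""


def distinct_prime_factors(n):
    """Distinct prime factors of n by trial division (used only by the builder)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def pratt_certificate(p):
    """Return (p, g, [certificate of q for each prime q | p-1]) proving p prime, or None.

    g is a witness of order exactly p-1 modulo p; such a g exists iff p is prime.
    """
    if p == 2:
        return (2, 1, [])
    if p < 2 or p % 2 == 0:
        return None
    primes = distinct_prime_factors(p - 1)
    for g in range(2, p):
        if pow(g, p - 1, p) != 1:
            return None  # Fermat test fails: p is composite
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            subcerts = [pratt_certificate(q) for q in primes]
            return (p, g, subcerts) if all(subcerts) else None
    return None


def verify_certificate(cert):
    """Check a certificate using only multiplication and exponentiation mod p.

    Soundness: if g^(p-1) = 1 and g^((p-1)/q) != 1 for every prime q dividing p-1,
    then g has order p-1, so the unit group mod p has p-1 elements and p is prime.
    The primes q themselves are certified recursively.
    """
    p, g, subcerts = cert
    if p == 2:
        return g == 1 and subcerts == []
    if p < 2 or not 1 < g < p or pow(g, p - 1, p) != 1:
        return False
    remaining = p - 1
    for sub in subcerts:
        q = sub[0]
        if (p - 1) % q != 0 or pow(g, (p - 1) // q, p) == 1:
            return False
        while remaining % q == 0:
            remaining //= q
    # Every prime factor of p-1 must be covered by a recursively verified sub-certificate.
    return remaining == 1 and all(verify_certificate(sub) for sub in subcerts)


def certificate_size(cert):
    """Number of (prime, witness) pairs in the certificate tree."""
    return 1 + sum(certificate_size(sub) for sub in cert[2])


if __name__ == "__main__":
    cert = pratt_certificate(1000003)  # 1000003 is prime
    print(cert)
    print("valid:", verify_certificate(cert), "size:", certificate_size(cert))
```

Tampering with the certificate (dropping a sub-certificate, or substituting a witness that does not generate the unit group) is caught by the checker without any factoring on its side.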

It is clear that more and more complex mathematics will be used in cryptology (see the recent algorithms that use p-adic approaches). These cannot live if we do not implement them, and this is where we need more and more evolved algorithms, which are for the moment present in very rare mathematical systems, like Magma, which we use for this. Once the algorithms work in Magma, it is customary to rewrite them in C or C++ to gain speed. Along the same lines, some of our C programs developed for our research (an old version of ECPP, some parts of discrete log computations, cardinality of curves) are now included in this system, as a result of our collaboration with the Sydney group.

One of the most used protocols is that of Diffie-Hellman, which enables Alice and Bob to exchange a secret over an insecure channel. Given a publicly known cyclic group G of generator g, Alice sends g^{a} for a random a to Bob, and Bob responds with g^{b} for a random b. Both Alice and Bob can now compute g^{ab}, and this is henceforth their common secret. Of course, this is a schematic presentation, since real-life protocols based on this need more security properties. Being unable to recover a from g^{a} (the discrete log problem, *DLP*) is a major concern for the security of the scheme, and groups for which the *DLP* is difficult must be favored. Therefore, groups are important, and TANC concentrates on algebraic curves, since they offer a very interesting alternative to finite fields, in which the *DLP* can be broken by subexponential algorithms, whereas exponential time is required for curves. Thus a smaller key can be used with curves, which is very interesting as far as devices with limited power are concerned.

In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (hence have a nice representation of the elements of the Jacobian of the curve). Next, computing the cardinality of the Jacobian is required, so that we can find generators of the group. Once the curve is built, one needs to test its security, for example how hard the discrete logarithm in this group is.

A curve that interests us is typically defined over a finite field GF(p^{n}), where p is the characteristic of the field. Part of what follows does not depend on this setting, and can be used as is over the rationals, for instance.

The points of an elliptic curve E (of equation y^{2} = x^{3} + ax + b, say) form an abelian group, which was thoroughly studied during the preceding millennium. Adding two points is usually done using what are called the *tangent-and-chord* formulae. When dealing with a genus g curve (the elliptic case being g = 1), the associated group is the Jacobian (the set of g-tuples of points modulo an equivalence relation), an object of dimension g. Points are replaced by polynomial ideals. This requires the help of tools from effective commutative algebra, such as Gröbner bases or Hermite normal forms.
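The tangent-and-chord law just described and the Diffie-Hellman exchange described earlier, in one added example (not TANC code): an affine implementation of the group law on y^2 = x^3 + ax + b over GF(p), double-and-add scalar multiplication, and a Diffie-Hellman exchange in the resulting group. The toy curve y^2 = x^3 + 2x + 3 over GF(97) and the secp256k1 parameters (p, a, b, G, n) are assumptions of the example, not taken from the page; the code also checks that the published group order n annihilates the generator, which is the kind of fact an identity card for a curve would certify.

```python
"""Tangent-and-chord group law on y^2 = x^3 + a*x + b over GF(p), and Diffie-Hellman in it.

Added example, not TANC code. Affine coordinates with one field inversion per
operation; fine for illustration but NOT constant-time, so not for production use.
"""
import secrets

INF = None  # the point at infinity, neutral element of the group


def on_curve(P, a, b, p):
    """True if P is the point at infinity or satisfies the curve equation mod p."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def ec_add(P, Q, a, p):
    """Chord (P != Q) or tangent (P == Q) rule; returns P + Q."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # Q = -P (this also covers doubling a point with y = 0)
    if x1 == x2:  # tangent: slope of the curve at P
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:  # chord through P and Q
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, a, p):
    """k*P by double-and-add (branches on the bits of k, so it leaks k through timing)."""
    R, Q = INF, P
    while k > 0:
        if k & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        k >>= 1
    return R


# Standard secp256k1 parameters (assumed here; not taken from the page).
P256K = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A256K, B256K = 0, 7
G256K = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N256K = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # #E, prime


def ecdh_exchange(G=G256K, n=N256K, a=A256K, b=B256K, p=P256K):
    """Alice sends a*G, Bob sends b*G; both derive a*b*G. Returns (Alice's, Bob's) secrets."""
    sk_a = 1 + secrets.randbelow(n - 1)
    sk_b = 1 + secrets.randbelow(n - 1)
    pk_a = ec_mul(sk_a, G, a, p)
    pk_b = ec_mul(sk_b, G, a, p)
    # Each side validates the peer's point before using it (guards against invalid-curve inputs).
    assert on_curve(pk_a, a, b, p) and on_curve(pk_b, a, b, p)
    return ec_mul(sk_a, pk_b, a, p), ec_mul(sk_b, pk_a, a, p)


if __name__ == "__main__":
    # Toy curve y^2 = x^3 + 2x + 3 over GF(97): (3, 6) generates a subgroup of order 5.
    P = (3, 6)
    print([ec_mul(k, P, 2, 97) for k in range(1, 6)])
    print("n*G = O on secp256k1:", ec_mul(N256K, G256K, A256K, P256K) is INF)
    s_a, s_b = ecdh_exchange()
    print("shared secrets agree:", s_a == s_b)
```

On the toy curve the multiples of (3, 6) are (3, 6), (80, 10), (80, 87), (3, 91) and then the point at infinity, so the subgroup has order 5 and, by Lagrange, 5 divides the cardinality of the curve; on secp256k1 the check n·G = O is what a user can verify about a curve whose cardinality somebody else has computed. A production implementation would use projective coordinates to avoid the inversions, a constant-time ladder instead of the branching loop above, and would validate peer points as ecdh_exchange does.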

A. Enge and N. Gürel have worked with J.-C. Faugère and A. Basiri (LIP 6) on the arithmetic of superelliptic and C_{a,b} curves, the next complex class of algebraic curves after the well understood hyperelliptic ones. They have dramatically improved the existing algorithms and have found new algorithms for superelliptic cubic curves, that is, curves of the form y^{3} = f(x) with deg(f) prime to 3 and at least 4. They have generalized their work, in part based on Gröbner basis computations, to C_{3,4} curves and have provided explicit formulae for realizing the group law using only operations in the underlying (finite) field.

The great catalog of usable curves is complete, as a result of the work of TANC, notably in two ACI (cryptocourbes and cryptologie p-adique) that are now finished.

Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, this has to be done as fast as possible, if changing the group very frequently in applications is imperative.

Two parameters enter the scene: the genus g of the curve, and the characteristic p of the underlying finite field. When g = 1 and p is large, the only currently known algorithm for computing the number of points of E/GF(p) is that of Schoof–Elkies–Atkin. Thanks to the work of the project, widely distributed implementations are able to build cryptographically strong curves in less than one minute on a standard PC. Recent improvements were made by F. Morain and P. Gaudry (CACAO).

When p is small (one of the most interesting cases for hardware implementation in smart cards being p = 2), the best current methods use p-adic numbers, following the breakthrough of T. Satoh with a method working for p ≥ 5. The first version of this algorithm for p = 2 was proposed independently by M. Fouquet, P. Gaudry and R. Harley and by B. Skjernaa. J.-F. Mestre has designed the currently fastest algorithm using the arithmetico-geometric mean (AGM) approach. Developed by R. Harley and P. Gaudry, it led to new world records. Then, P. Gaudry combined this method with other approaches to make it competitive for cryptographic sizes.

When g > 1 and p is large, polynomial time algorithms exist, but their implementation is not an easy task. P. Gaudry and É. Schost have modified the best existing algorithm so as to make it more efficient. They were able to build the first random cryptographically strong genus 2 curves defined over a large prime field. To get one step further, one needs to use genus 2 analogues of modular equations. After a theoretical study, they are now investigating the practical use of these equations.

When p = 2, p-adic algorithms led to striking new results. First, the AGM approach extends to the case g = 2 and is competitive in practice (only three times slower than in the case g = 1). In another direction, Kedlaya has introduced a new approach, based on Monsky–Washnitzer cohomology. His algorithm originally works when p > 2. P. Gaudry and N. Gürel implemented this algorithm and extended it to superelliptic curves, which had the effect of adding these curves to the list of those usable in cryptography.

Closing the gap between small and large characteristic leads to pushing the p-adic methods as far as possible. In this spirit, P. Gaudry and N. Gürel have adapted Kedlaya's algorithm and exhibited a linear complexity in p, making it possible to reach a characteristic of around 1000. For larger p, one can use the Cartier–Manin operator. Recently, A. Bostan, P. Gaudry and É. Schost have found a much faster algorithm than the currently known ones. Primes p around 10^{9} are now doable.

The core of the Schoof-Elkies-Atkin (SEA) algorithm that computes the cardinality of elliptic curves over finite fields consists in using the theory of isogenies to find small factors of division polynomials. SEA is still the method of choice for the large characteristic case, but no longer for small characteristics.

Isogenies are also a tool for understanding the difficulty of the discrete log problem among classes of elliptic curves. Recently, suggestions have appeared to use isogenies in a cryptographic context, replacing scalar multiplication on curves by the use of such morphisms.

Algorithms for computing isogenies are very well known and used in the large characteristic case. When the characteristic is small, three algorithms exist: two of these are due to Couveignes, and one to Lercier.

The discrete logarithm problem is one of the major difficult problems that allow one to build secure cryptosystems. It has essentially been proved equivalent to the computational Diffie–Hellman problem, which is closer to the actual security of many systems. For an arbitrary group of prime order N, it can be solved by a generic algorithm whose number of group operations is exponential in the size of N. For elliptic curves, set aside some rare and easily avoidable instances, no faster algorithms are known.
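To make the generic algorithm concrete, an added example (not TANC code) of baby-step giant-step, which solves the DLP in any cyclic group of known order N with about 2·√N group operations and only black-box access to the group law and inversion. The group used here, the subgroup of prime order 509 in GF(1019)^* (1019 = 2·509 + 1, both prime), is an assumption of the example; the same function works unchanged on an elliptic curve group, where, as the text says, nothing substantially faster is known.

```python
"""Baby-step giant-step: a generic discrete-logarithm algorithm using O(sqrt(N))
group operations in any cyclic group of known order N.

Added example. The group below (order-509 subgroup of GF(1019)^*) is an
assumption of the example; any (op, inv, identity) triple can be plugged in.
"""
from math import isqrt


def bsgs(op, inv, identity, g, h, N):
    """Solve g^x = h in a cyclic group of order N, given only the group operation.

    op(u, v): group law; inv(u): inverse; identity: neutral element.
    Returns (x, number_of_group_operations), or (None, ops) if h is not in <g>.
    """
    m = isqrt(N) + 1
    ops = 0
    # Baby steps: table of g^j for 0 <= j < m.
    baby = {}
    cur = identity
    for j in range(m):
        baby.setdefault(cur, j)
        cur = op(cur, g)
        ops += 1
    # Giant steps: h * (g^-m)^i for 0 <= i < m; a table hit means h = g^(i*m + j).
    step = inv(cur)  # cur == g^m at this point, so step == g^-m
    cur = h
    for i in range(m):
        if cur in baby:
            return (i * m + baby[cur]) % N, ops
        cur = op(cur, step)
        ops += 1
    return None, ops


# Multiplicative subgroup of prime order 509 inside GF(1019)^* (constructed for the example).
P, N = 1019, 509
G = 4  # a non-trivial square mod 1019, hence of order (1019 - 1)/2 = 509


def mul(u, v):
    return u * v % P


def inv(u):
    return pow(u, -1, P)


def solve_mod_p(h):
    """Discrete log of h base G in the order-509 subgroup, with the operation count."""
    return bsgs(mul, inv, 1, G, h, N)


if __name__ == "__main__":
    x = 123
    h = pow(G, x, P)
    print(solve_mod_p(h))  # recovers 123 with at most 2*(isqrt(509) + 1) = 46 group operations
```

The memory for the baby-step table is also O(√N), which is why Pollard-style methods are preferred for large groups; the operation count is the point here: for a 256-bit prime-order group, 2^128 group operations is what "generic" costs, and elliptic curve key sizes are chosen against exactly this bound.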

In higher genus curves, the algorithms with the best complexity create relations as smooth principal divisors on the curve and use linear algebra to deduce discrete logarithms, similarly to the quadratic sieve for factoring. The first such algorithm for high genus hyperelliptic curves came with a heuristic complexity analysis, and A. Enge has developed the first algorithm with a proven subexponential run time of L(1/2). Generalisations to further groups suggested for cryptography, in particular ideal class groups of imaginary quadratic number fields, are obtained by A. Enge and P. Gaudry. Proofs for arbitrary curves of large genus are given by J.-M. Couveignes and F. Heß.

The existence of subexponential algorithms shows that high genus curves are less secure than, say, elliptic ones in cryptography. By analysing the same algorithms differently, concrete recommendations for key lengths can be obtained, an approach introduced by P. Gaudry and pursued since. It turns out that elliptic curves and hyperelliptic curves of genus 2 are not affected, while the key lengths have to be increased in higher genus, for instance by 12 % in genus 3.

Algebraic curves were first used in cryptography as a source of groups in which the discrete logarithm problem should be harder than in the multiplicative group of a finite field. Totally new applications stem from the use of structures proper to algebraic curves, the Tate and Weil pairings. These are bilinear maps that associate to two group elements, at least one of which is defined in an extension field, a root of unity in the same extension field. Among the first new cryptographic primitives were a tripartite Diffie–Hellman key exchange and identity based encryption. Subsequently, the number of articles concerned with pairings has exploded, and a specialised series of conferences has been inaugurated with Pairings 2007 in Tokyo, A. Enge being a member of the programme committees in 2007 and 2008.

One of the most challenging problems related to pairing based cryptography is to find suitable curves, which are hidden like needles in a haystack. Supersingular elliptic curves yield a rather limited supply of doubtful security. Using its expertise on complex multiplication, the TANC team has published one of the first two algorithms for finding pairing-friendly ordinary curves for arbitrary field extension degrees, the other one having been developed elsewhere.

Despite the achievements described above, random curves are sometimes difficult to use, since their cardinality is not easy to compute or useful instances are too rare to occur (curves for pairings, for instance). In some cases, curves with special properties can be used, for instance curves with *complex multiplication* (in brief, CM), whose cardinalities are easy to compute. For example, the elliptic curve defined over GF(p) of equation y^{2} = x^{3} + x has cardinality p + 1 - 2u when p = u^{2} + v^{2}, and computing u is easy.
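An added example (not the page's code) that checks the stated cardinality of the CM curve y^2 = x^3 + x by naive point counting over small primes, together with Hasse's bound |p + 1 - #E| ≤ 2√p. The check is written as "the trace t = p + 1 - #E equals 2u with p - u^2 a perfect square", since the sign of u depends on a normalisation the page does not spell out. The primes used are assumptions of the example, and the O(p) enumeration is exactly what the SEA and p-adic methods described below avoid.

```python
"""Naive point counting on y^2 = x^3 + a*x + b over GF(p).

Added example, not TANC code. Used to check two statements of the text on small
primes: Hasse's bound, and #E = p + 1 - 2u for y^2 = x^3 + x with p = u^2 + v^2.
The O(p) enumeration is only viable for tiny p, which is why SEA and p-adic
point counting exist.
"""
from math import isqrt


def legendre(v, p):
    """Legendre symbol (v/p): 1 for a nonzero square, -1 for a non-square, 0 for v = 0 mod p."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def count_points(a, b, p):
    """#E(GF(p)) including the point at infinity.

    Each x contributes 1 + (x^3 + a*x + b / p) affine points: two if the right-hand
    side is a nonzero square, one if it is zero, none otherwise.
    """
    return 1 + sum(1 + legendre(x * x * x + a * x + b, p) for x in range(p))


def frobenius_trace(a, b, p):
    """t = p + 1 - #E, the trace of Frobenius."""
    return p + 1 - count_points(a, b, p)


def hasse_ok(a, b, p):
    """Hasse: |t| <= 2*sqrt(p), i.e. t^2 <= 4p."""
    return frobenius_trace(a, b, p) ** 2 <= 4 * p


def cm_trace_matches_sum_of_squares(p):
    """For y^2 = x^3 + x and p = 1 mod 4: t = 2u with p - u^2 a perfect square.

    Frobenius is an element u + v*i of Z[i] of norm p, so its trace is 2u and
    p = u^2 + v^2; this is the cardinality formula of the text without fixing the sign of u.
    """
    t = frobenius_trace(1, 0, p)
    if t % 2:
        return False
    u = t // 2
    rest = p - u * u
    return rest >= 0 and isqrt(rest) ** 2 == rest


if __name__ == "__main__":
    for p in (5, 13, 17, 29, 37, 41):  # primes = 1 mod 4, constructed for the example
        print(p, "#E =", count_points(1, 0, p), "t =", frobenius_trace(1, 0, p),
              "sum-of-squares check:", cm_trace_matches_sum_of_squares(p))
    for p in (7, 11, 19, 23):  # p = 3 mod 4: the curve is supersingular and #E = p + 1
        print(p, "#E =", count_points(1, 0, p))
```

For p = 5 the count gives #E = 4 = 5 + 1 - 2·1 with 5 = 1^2 + 2^2, and for p = 13 it gives #E = 20 = 13 + 1 + 2·3 with 13 = 3^2 + 2^2, which shows why the sign of u has to be pinned down by a convention before the formula can be used blindly.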

The CM theory for genus 1 is well known and dates back to the middle of the nineteenth century (Kronecker, Weber, etc.). Its algorithmic part is also well understood, and recently more work was done, largely by TANC. Twenty years ago, this theory was applied by Atkin to the primality proving of arbitrary integers, yielding the ECPP algorithm developed ever since by F. Morain. Though the decision problem isPrime? was shown to be in *P* (by the 2002 work of Agrawal, Kayal and Saxena), practical primality proving of large random numbers is still done only with ECPP.

These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems.

CM curves are defined by algebraic integers whose minimal polynomials have to be computed exactly, the coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand and A. Enge (together with R. Schertz) on the other have developed the use of new class invariants that characterize CM curves. The union of these two families is currently the best that can be achieved in the field. Later, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory. These invariants, together with this new algorithm, are incorporated in the working version of the ECPP program.

In his thesis, R. Dupont has investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function j or the Dedekind eta function, for example). High precision evaluation of such functions is at the core of algorithms to compute class polynomials (used in complex multiplication) or modular polynomials (used in the SEA elliptic curve point counting algorithm).

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal linear complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary.

Using similar techniques, he has given a proven algorithm for the evaluation of the logarithm of complex numbers with quasi-optimal time complexity.

The theory of Complex Multiplication also exists for non-elliptic curves, but is more intricate, and only recently can we dream to use them. Some of the recent results occurred as the work of R. Dupont (former member of TANC) in his thesis.

R. Dupont has worked on adapting his algorithm to genus 2, which induces great theoretical and technical difficulties. He has studied a generalization of the AGM known as Borchardt sequences, has proven the convergence of these sequences in a general setting, and has determined the set of limits such sequences have in genus 2. He has then developed an algorithm for the fast evaluation of theta constants in genus 2, and as a byproduct obtains an algorithm to compute the Riemann matrix of a given hyperelliptic curve: given the equation of such a curve, it computes a lattice L such that the Jacobian of the curve is isomorphic to the complex torus defined by L. These algorithms are both quasi-linear, and have been implemented (in C, using the multiprecision package GMP; see http://

Using these implementations, R. Dupont has begun computing modular polynomials for groups of the form Γ_{0}(p) in genus 2 (these polynomials link the genus 2 j-invariants of p-isogenous curves). He computed the modular polynomials for p = 2, which had never been done before, and did some partial computations for p = 3 (results are available at http://

He also studied more theoretically the main ingredient used in his algorithms in genus 2, a procedure known as Borchardt sequences. In particular, he proved a theorem that parametrizes the set of all possible limits of Borchardt sequences starting with a fixed 4-tuple.

Our main field of application is clearly that of telecommunications. We participate in the protection of information. We are proficient on a theoretical level, as well as ready to develop applications using modern cryptologic techniques, with a main focus on elliptic curve cryptography. One potential application is cryptosystems in environments with limited resources, such as smart cards, mobile phones or *ad hoc* networks.

F. Morain has been continuously improving his primality proving algorithm called ECPP, originally developed in the early 1990s. Binaries for version 6.4.5 have been available since 2001 on his web page. Proving the primality of a 512-bit number requires less than a second on a GHz PC. His personal record is about 20,000 decimal digits, with the fast version he started developing in 2003. Everything there is written in C, based on the GMP package.

The `mpc` library, developed in C by A. Enge in collaboration with P. Zimmermann, implements the basic operations on complex numbers in arbitrary precision, which can be tuned to the bit. This library is based on the multiprecision libraries GMP and `mpfr`. Each operation has a precise semantics, in such a way that the results do not depend on the underlying architecture. Several rounding modes are available. This software, licensed under the GNU Lesser General Public License (LGPL), can be downloaded freely from the URL

http://

The latest version 0.4.6 was released in September 2007. The library currently benefits from an Opération de développement logiciel of INRIA.

The `mpc` library is used in our team to build curves with complex multiplication and to compute modular polynomials, and it is *de facto* incorporated in the ECPP program.

The `mpfrcx` library is developed in C by A. Enge to implement the arithmetic of univariate polynomials with floating point coefficients of arbitrary precision, be they real (`mpfr`) or complex (`mpc`). The first version 0.1, published in October 2007, is available at

http://

and contains the functionality needed for the author's complex multiplication program. Advanced asymptotically fast algorithms have been implemented, such as Karatsuba and Toom–Cook multiplication, various flavours of the FFT and division with remainder by Newton iterations. Special algorithms of symbolic computation such as fast multievaluation are also available.

Publishing `mpfrcx` is part of an ongoing effort to make A. Enge's program for building elliptic curves with complex multiplication available. This program is a very important building block for cryptographic purposes as well as for primality proving (fastECPP).

We have hired J. Milan as *ingénieur associé* to help us with our programs. He first spent some time making a tour of publicly available platforms implementing the IEEE P-1363 cryptography standards. Following this work, it appeared not interesting to add a new one to the list, and he switched to one of our other themes, namely writing integer factorization software for which the results can be guaranteed.

However, besides this quite daunting task, we have a more pragmatic, twofold-interest in fast factorization implementations for small numbers.

Our first motivation is directly related to the ANR CADO project we are involved in, together with other teams such as the INRIA project-team CACAO. The objective of the CADO project is an optimized and distributed implementation of the Number Field Sieve (NFS), asymptotically the fastest integer factorization algorithm currently known. This algorithm needs to factor a lot of much smaller integers (about 80 bits for current factorization records). Since a recursive application of the NFS would be totally inefficient in practice, there is indeed a need for routines better suited to factoring this wealth of smaller by-products.

Our second motivation lies in our long-term commitment to produce identity cards for elliptic curves in order to select those curves with the needed properties for cryptographic use. Such an identification would require the knowledge of the factorization of the order of the curve (about 200 bits for cryptographic use).

Hence, J. Milan is still actively developing the so-called TIFA library (short for Tools for Integer FActorization). TIFA is made up of a base library written in C99 and using the GMP library, together with stand-alone factorization programs and a basic benchmarking framework to assess the performance of the relative algorithms.

During the past year, TIFA has gone through a significant code refactoring aimed at facilitating its extensibility. Aside from optimizations made to the base library, several factorization algorithms were also added. As of September 2007, the following algorithms have been implemented:

CFRAC    Continued FRACtion factorization
Fermat   McKee's "fast" variant of Fermat's algorithm
QS       Quadratic Sieve
SIQS     Self-Initializing Quadratic Sieve
SQUFOF   SQUare FOrm Factorization

In particular, a significant effort was made to fine tune the SQUFOF implementation for small (at most) double-precision numbers. We believe that TIFA's SQUFOF is quite competitive compared to other similar implementations, even if in practice, SQUFOF is rapidly outperformed by TIFA's QS. However, it should be stressed that our implementation of SIQS still lags behind performance-wise with respect to the competition. We stand committed to address this shortcoming in the near term.

While still kept internal to the TANC team and CADO project, TIFA will eventually be made public under an open source license, most probably the Lesser General Public License version 2.1 or higher.

The new record of SEA is currently (September 2007) for a prime p of 2500 decimal digits (compared to 500 decimal digits back in 1995), using the work described below, as well as a publication in which a new approach to the eigenvalue computation is described and proven.

A crucial ingredient for these records was A. Enge's new algorithm for computing modular equations of index greater than 2000. The algorithm computes bivariate modular polynomials by an evaluation and interpolation approach and relies on the ability to rapidly evaluate modular functions at complex floating point arguments. It has a quasi-linear complexity with respect to its output size, so that the performance of the algorithm is limited only by the size of the result: we have in fact been able to compute modular polynomials of degree larger than 10000 and of size 16 GB by a parallelised implementation of the algorithm, which uses `mpc` and `mpfrcx` for the arithmetic of complex numbers and of polynomials with floating point coefficients (see the sections on these libraries). For the point counting algorithm, the polynomials of prime level up to 6000 have been used. They occupy a disk space of close to 1 TB. Despite this progress, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable.

We plan to make our new implementation available as an extension to the NTL library.

Together with A. Bostan, B. Salvy (from project ALGO) and É. Schost, F. Morain gave quasi-linear algorithms for computing the explicit form of a strict isogeny between two elliptic curves, another important block in the SEA algorithm. This article contains a survey of previous methods, all applicable in the large characteristic case. Joux and Lercier have recently announced a p-adic approach for computing isogenies in medium characteristic.

For the small characteristic case, the old algorithms of Couveignes and Lercier were studied from scratch, and Lercier's algorithm was reimplemented in NTL by F. Morain, as a benchmark for other methods still being developed. In his master internship, L. De Feo has been cleaning up the most recent of them, known as Couveignes II, which involves building the explicit p^{k}-torsion of the curve and finding isomorphisms between Artin-Schreier towers. This work has already led to a clarification of the complexities involved; a fresh implementation in NTL is needed, and will be the first part of his thesis work. A publication on the first results obtained is in preparation.

For the very first time in algebraic curve cryptography, A. Enge and P. Gaudry have exhibited a class of curves in which the discrete logarithm problem is attacked by a subexponential algorithm of complexity less than L(1/2). Precisely, the complexity is L(1/3) for the preliminary phase of computing the group structure and L(1/3 + ε) for any ε > 0 for the discrete logarithms themselves. This shows that the corresponding algebraic curve cryptosystems, essentially based on C_{a,b} curves with the degrees in X and Y growing in a special way with the genus, are no more secure than RSA (for which factoring also costs L(1/3)) and thus of no cryptographic interest. This result is a major step towards the goal of the TANC project to catalogue all classes of curves suited for cryptography. The publication was rewarded as one of the three best papers at the Eurocrypt 2007 conference, and we are invited to submit an extended version to *Journal of Cryptology*. A comparative implementation of the different algorithms of complexity L(1/2) resp. L(1/3) is underway by J.-F. Biasse, a master student of A. Enge's.
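For readers not used to the L-notation above, the following note is added by the editor (it is not part of the original report) to make precise what L(1/2) and L(1/3) mean and why L(1/3) puts these curves on a par with RSA. With N the order of the group (or the integer to be factored),

$$L_N(\alpha, c) = \exp\bigl((c + o(1))\,(\ln N)^{\alpha}\,(\ln \ln N)^{1-\alpha}\bigr), \qquad 0 \le \alpha \le 1,$$

and L(α) abbreviates L_N(α, c) for some constant c > 0. The exponent α interpolates between polynomial time in ln N (α = 0) and fully exponential time (α = 1): any 0 < α < 1 is subexponential, and the lower α, the weaker the group. Generic attacks on an elliptic curve group of prime order N (Pollard rho) cost

$$O(\sqrt{N}) = \exp\bigl(\tfrac{1}{2}\ln N\bigr) = L_N(1, \tfrac{1}{2}),$$

index-calculus methods on high-genus curves and on class groups cost L(1/2), and the number field sieve factors an RSA modulus N (and solves finite-field discrete logarithms) heuristically in

$$L_N\bigl(\tfrac{1}{3}, (64/9)^{1/3}\bigr).$$

An L(1/3 + ε) attack on the C_{a,b} family therefore means that the key sizes these curves would need scale like RSA key sizes rather than like those of generic elliptic curves, which is precisely the argument of the paragraph above.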

The work of AKS motivated the work of F. Morain on a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem (see ), reaching heuristically , compared to for the basic version. By comparison, the best proven version of AKS has complexity and has not been implemented so far; the best randomized version reaches the same bound but suffers from memory problems and is not competitive yet. F. Morain implemented fastECPP and was able to prove the primality of 10,000-decimal-digit numbers, as opposed to 5,000 for the basic (historical) version. Continuous improvement of this algorithm led to new records in primality proving, some of which were obtained with his co-authors J. Franke, T. Kleinjung and T. Wirth, who developed their own programs. F. Morain set the current world record to 20,562 decimal digits early June 2006, as opposed to 15,071 two years before. This record was made possible by an updated MPI-based implementation of the algorithm and of its distribution process on a cluster of 64-bit bi-processors (AMD Opteron(tm) Processor 250 at 2.39 GHz). In 2007, another large number was proven to be prime, namely (2^42737 + 1)/3, with 12,865 decimal digits.
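What a primality proving record actually delivers is a certificate that anybody can check much faster than it was produced. The following is an added Python example by the editor, not the project's fastECPP code: it implements one verification step of a Goldwasser-Kilian/Atkin-Morain certificate, together with a brute-force prover for tiny N that produces such a step. All function names, the choice N = 1009 and the base point (2, 3) are the editor's own; a real certificate chains this step (the prime q becomes the next N) down to a q small enough for trial division, and the real prover obtains curve orders from complex multiplication rather than by counting points.

```python
"""One step of an ECPP (Goldwasser-Kilian / Atkin-Morain) primality certificate.

A step for N consists of a curve y^2 = x^3 + a*x + b over Z/NZ, an integer m,
a prime q | m with q > (N^(1/4) + 1)^2 and a point P with [m]P = O and
[m/q]P != O. If these checks pass, N is prime. Real certificates chain this
step (q becomes the next N) down to a q small enough for trial division,
which is the only base case implemented here. All names and parameters are
the editor's own; this is not the project's fastECPP code.
"""
from math import gcd, isqrt


def is_prime_trial(n):
    """Base case of the chain: trial division (fine for the tiny q used here)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def ec_add(P, Q, a, N):
    """Affine addition on y^2 = x^3 + a*x + b over Z/NZ; None is the point at infinity.
    A denominator that is not invertible mod N exposes a factor of N: ValueError."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % N == 0:          # Q = -P
            return None
        if (y1 - y2) % N != 0:          # same x but y1 != +-y2: impossible over a field
            raise ValueError("N is composite")
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, N) % N
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)


def ec_mul(k, P, a, N):
    """Double-and-add scalar multiplication [k]P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        k >>= 1
    return R


def verify_step(N, a, b, m, q, P):
    """Verifier side: True iff the step (a, b, m, q, P) proves N prime."""
    if N < 2 or gcd(N, 6) != 1:
        return False
    if gcd(4 * a**3 + 27 * b**2, N) != 1:           # curve must be non-singular mod N
        return False
    x, y = P
    if (y * y - x**3 - a * x - b) % N != 0:         # P must lie on the curve
        return False
    if m % q != 0 or not is_prime_trial(q):
        return False
    s = isqrt(isqrt(N))                             # s <= N^(1/4) < s + 1
    if q < (s + 2) ** 2:                            # so q >= (s+2)^2 > (N^(1/4) + 1)^2
        return False
    try:
        return ec_mul(m, P, a, N) is None and ec_mul(m // q, P, a, N) is not None
    except ValueError:                              # a factor of N showed up
        return False


def count_points(a, b, p):
    """#E(F_p) by Legendre symbols; correct only if p is prime (prover's assumption)."""
    m = p + 1
    for x in range(p):
        v = (x**3 + a * x + b) % p
        if v:
            m += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return m


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n)


def make_certificate(N, x0=2, y0=3):
    """Prover side for tiny N: choose b so that P = (x0, y0) lies on the curve,
    count points, keep the first curve whose order has a usable prime factor q."""
    s = isqrt(isqrt(N))
    for a in range(1, N):
        b = (y0 * y0 - x0**3 - a * x0) % N
        if gcd(4 * a**3 + 27 * b**2, N) != 1:
            continue
        m = count_points(a, b, N)
        q = largest_prime_factor(m)
        if q >= (s + 2) ** 2 and ec_mul(m // q, (x0, y0), a, N) is not None:
            return (N, a, b, m, q, (x0, y0))
    return None


if __name__ == "__main__":
    cert = make_certificate(1009)          # constructed sample input
    print(cert, verify_step(*cert))
```

The soundness argument is the one the verifier relies on: if N had a prime factor p ≤ √N, the image of P in E(F_p) would have order divisible by q, so q ≤ #E(F_p) ≤ (√p + 1)² ≤ (N^(1/4) + 1)², contradicting the bound that is checked. Note that the verifier never trusts m to be the curve order; it only uses the two scalar multiplications, and any failed inversion along the way is itself a proof of compositeness.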

A. Enge has been able to analyse precisely the complexity of class polynomial computations via complex floating point approximations. This approach has recently been challenged by algorithms using p-adic liftings, which achieve a running time that is (up to logarithmic factors) linear in the output size. He has shown that the algorithm using complex numbers, in its currently implemented form, has a slightly worse asymptotic complexity (polynomial with exponent 1.25). Using techniques from fast symbolic computation, namely multi-evaluation of polynomials, he has obtained an asymptotically optimal (up to logarithmic factors) algorithm with floating point approximations. The implementation has shown, however, that in the currently practical range the asymptotically fast algorithm is slower than the previous one. This is due, on the one hand, to the multitude of algorithmic improvements introduced in , and on the other hand, to the absence of logarithmic factors and the better constants in the older algorithm.

Using R. Dupont's results, A. Enge has devised a second quasi-linear algorithm (which actually even saves a logarithmic factor in the complexity). Breaking the record for class polynomial computations, he has computed a polynomial of degree 100,000, the largest coefficient of which has almost 250,000 bits. For this enormous example, the asymptotically fast algorithm finally beats the one with exponent 1.25. The implementation is based on GMP, mpfr and mpc (see Section 5.2) and a library of A. Enge's for fast arithmetic with polynomials over multiprecision floating point numbers. It turns out that the algorithms are so optimised that the limiting factor becomes the memory consumption.

P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler and A. Weng have designed a new approach to construct class polynomials of genus two curves having complex multiplication. The main feature of their method is the use of 2-adic numbers instead of complex floating-point approximations. Although the method suffers from limitations, because its initialisation depends heavily on the splitting of 2 in the quartic CM field, the corresponding algorithm is very efficient compared to previous approaches.

T. Houtmann worked on both aspects of the alternative to the p-adic method, namely the classical (complex analytic) CM method. He improved the period matrix computation phase, collaborated with R. Dupont on improving the analytic phase, and worked on using this method to generate hyperelliptic curves suitable for cryptography. So far, he has managed to compute a system of Igusa class polynomials of degree 132.

One of the main goals of the TANC project is to determine the *identity card* of an elliptic curve, which collects and certifies the properties of potential relevance for its cryptographic security. These include the cardinality (see Section ) and the endomorphism ring (cf. Section on complex multiplication, which makes it possible to construct a curve with a prescribed endomorphism ring).
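To show what such an identity card contains at the smallest scale, here is an added Python example written by the editor (not project code, and far from SEA: it counts points by brute force, so it only works for tiny p). For the constructed inputs y^2 = x^3 + x + 1 over F_23 and y^2 = x^3 + x + 6 over F_11 it recomputes the cardinality, checks it against the Hasse bound, derives the Frobenius trace and the discriminant t^2 - 4p = D_K f^2 of Z[π], and so identifies the imaginary quadratic field Q(√D_K) in which the endomorphism ring lives. The endomorphism ring itself is an order between Z[π] and the maximal order of that field; deciding which one is a separate computation not attempted here.

```python
"""A minimal 'identity card' for E: y^2 = x^3 + a*x + b over F_p (editor's example).

Collected: m = #E(F_p) (brute force via Legendre symbols, so small p only; SEA is
what does this at cryptographic sizes), the Frobenius trace t = p + 1 - m with the
Hasse check t^2 <= 4p, the largest prime factor of m, and t^2 - 4p = D_K * f^2,
the discriminant of Z[pi]. End(E) is an order of Q(sqrt(D_K)) containing Z[pi],
so its discriminant is D_K * g^2 for some divisor g of f.
"""


def count_points(a, b, p):
    """#E(F_p) = 1 + sum_x (1 + chi(x^3 + a x + b)), chi the Legendre symbol mod p."""
    m = p + 1
    for x in range(p):
        v = (x**3 + a * x + b) % p
        if v:
            m += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return m


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n)


def fundamental_discriminant(delta):
    """Write the negative discriminant delta as D_K * f^2 with D_K fundamental."""
    d, f, s = delta, 1, 2
    while s * s <= -d:                 # strip square factors
        while d % (s * s) == 0:
            d //= s * s
            f *= s
        s += 1
    if d % 4 != 1:                     # squarefree d = 2, 3 mod 4: D_K is 4d
        d *= 4
        f //= 2
    return d, f


def identity_card(p, a, b):
    """Recompute (rather than trust) the invariants of E and return them as a dict."""
    assert p > 3 and (4 * a**3 + 27 * b**2) % p != 0, "need an odd prime p > 3 and a non-singular curve"
    m = count_points(a, b, p)
    t = p + 1 - m
    assert t * t <= 4 * p, "Hasse bound violated: the point count is wrong"
    D_K, f = fundamental_discriminant(t * t - 4 * p)
    return {
        "order": m,
        "trace": t,
        "largest_prime_factor": largest_prime_factor(m),
        "prime_order": largest_prime_factor(m) == m,
        "frobenius_disc": t * t - 4 * p,
        "cm_field_disc": D_K,
        "conductor": f,                # conductor of Z[pi] in the maximal order
        "supersingular": t % p == 0,   # for p > 3 this means t = 0
    }


if __name__ == "__main__":
    print(identity_card(23, 1, 1))     # constructed sample curve
    print(identity_card(11, 1, 6))
```

A curve of prime order (as the second sample is) passes the basic group-order requirement; a curve whose order is not prime needs a cofactor check instead. The CM discriminant is what a standard's minimum class-number requirement refers to, and it also tells a verifier which field a CM construction would have to have used.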

For a random curve, the class group of its endomorphism ring, an order in an imaginary quadratic number field, is of interest; some cryptographic standards, for instance, prescribe a minimum size for this class group. G. Guerpillon, master student of A. Enge's, has implemented and optimised a subexponential algorithm for computing these class groups. The parallelisation of his implementation, currently under way, should enable us to reach a new record for this kind of computation. One of the main ingredients, the Hermite normal form computation of an integral matrix, has been reused by J.-F. Biasse in the context of discrete logarithms on C_{a,b} curves, see Section .

The subexponential algorithm returns the group as a product of cyclic groups with their generators. For the case when all elements need to be explicitly enumerated, A. Enge has developed quasi-linear algorithms in .
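Two of the objects discussed above, the class group of an imaginary quadratic order and the class polynomial computed from complex floating point approximations, can be made concrete on toy discriminants. The following Python example is added by the editor (it is not project code and bears no relation to A. Enge's optimised implementation): it enumerates the primitive reduced forms of a discriminant D, which gives the class number h(D) by exhaustive enumeration (cost O(|D|), hence the need for the subexponential algorithms of the preceding paragraphs at cryptographic sizes), and it computes the Hilbert class polynomial H_D(X) by evaluating j at the roots of those forms in double precision, expanding the product and rounding. The sample discriminants are constructed; the precision check at the end is the editor's and illustrates why the coefficient size, not the number of evaluations, bounds how far such a computation can go.

```python
"""Hilbert class polynomial H_D(X) by complex floating-point approximation, and the
class number h(D) as the number of primitive reduced forms (editor's example).

H_D(X) = prod over reduced (a, b, c) with b^2 - 4ac = D of (X - j(tau)),
tau = (-b + sqrt(D)) / (2a). Its coefficients are rational integers, so the
expanded complex product is rounded. Double precision only suffices for small |D|:
each coefficient has on the order of pi*sqrt(|D|) bits and there are h(D) of them,
so the working precision (and hence memory) must grow with the output size.
"""
import cmath
from math import gcd


def reduced_forms(D):
    """Primitive reduced forms (a, b, c): |b| <= a <= c, and b >= 0 if |b| == a or a == c."""
    assert D < 0 and D % 4 in (0, 1), "D must be a negative discriminant"
    forms = []
    a = 1
    while 3 * a * a <= -D:                  # reduced forms have a <= sqrt(|D|/3)
        for b in range(-a + 1, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (a == c and b < 0) or gcd(gcd(a, abs(b)), c) != 1:
                continue
            forms.append((a, b, c))
        a += 1
    return forms


def class_number(D):
    return len(reduced_forms(D))


def sigma3(n):
    return sum(d**3 for d in range(1, n + 1) if n % d == 0)


def j_invariant(tau, terms=20):
    """j(tau) = E4(q)^3 / Delta(q) with q = exp(2*pi*i*tau). For a reduced form
    Im(tau) >= sqrt(3)/2, so |q| < 0.0044 and 20 terms exceed double precision."""
    q = cmath.exp(2j * cmath.pi * tau)
    e4 = 1 + 240 * sum(sigma3(n) * q**n for n in range(1, terms))
    delta = q
    for n in range(1, terms):
        delta *= (1 - q**n) ** 24
    return e4**3 / delta


def hilbert_class_polynomial(D):
    """Integer coefficients of H_D(X), leading coefficient first."""
    poly = [1 + 0j]
    for a, b, _c in reduced_forms(D):
        root = j_invariant((-b + cmath.sqrt(D)) / (2 * a))
        # multiply the current polynomial by (X - root)
        poly = [u - root * v for u, v in zip(poly + [0j], [0j] + poly)]
    coeffs = []
    for z in poly:
        n = round(z.real)
        # Rounding is only trustworthy if the approximation is clearly near an integer;
        # otherwise the precision was insufficient for this D.
        if abs(z.imag) > 0.3 or abs(z.real - n) > 0.3:
            raise ValueError("insufficient precision for D = %d" % D)
        coeffs.append(n)
    return coeffs


if __name__ == "__main__":
    for D in (-3, -4, -15, -23):            # constructed sample discriminants
        print(D, class_number(D), hilbert_class_polynomial(D))
```

Roots of H_D modulo a prime p that splits suitably in Q(√D) are j-invariants of curves over F_p with endomorphism ring of discriminant D, which is how a CM construction produces a curve with a prescribed endomorphism ring; the floating point route shown here is the one whose precision requirements the section analyses.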

F. Morain and D. Augot (CODES) participate in the ACI SERAC (SEcuRity models and protocols for Ad-hoC Networks), which started in September 2004. Their interest there is to understand the (possibly new) cryptographic needs of such networks and to try to invent new trust models.

The recent arrival of Hipercom (also a member of SERAC) at École polytechnique is clearly triggering new collaborations in that direction.

Achieving secure routing in ad hoc networks is a big challenge. The typical way to prevent or reduce the possible attacks is to authenticate the origin of all messages. Standard (asymmetric) signature schemes provide this, but may result in inefficient implementations, especially when many nodes (and hence many signatures) are expected.

This corresponds to É. Brier's thesis on the use of (hyper-)elliptic curves in cryptology.

Together with the CODES project at INRIA Rocquencourt, the TANC project participates in ECRYPT, a Network of Excellence (NoE) in the Information Society Technologies theme of the 6th European Framework Programme (FP6).

J. Herranz and F. Laguillaumie have participated in the AZTEC working group WG3 on asymmetric techniques with special properties on November 23–24.

F. Laguillaumie participated in the WG3 of NEO ECRYPT (July 16-17).

ACI SÉCURITÉ SERAC: SEcuRity models and protocols for Ad-hoC networks (since 2004-09-01).

ANR Cado (since 2006-09-01): two meetings (18-19/01/07 in Nancy for the kickoff and 21-21/06/07 in Paris).

The TANC project is involved in the associated team ECHECS (“Extreme Computing for (Hyper-)Elliptic Cryptographic Systems”) with É. Schost of University of Western Ontario, London, continuing a long-standing collaboration. Our joint work is concerned with using advanced algorithms of symbolic computation (speciality of the Canadian team) in the context of elliptic and hyperelliptic curve cryptography (speciality of TANC), in particular for the instantiation of secure cryptosystems.

TANC, together with the Hipercom EPI, has started an OMT (offre de maturation technologique) financed by Digiteo. The aim of the Cryptonet OMT is to realize a proof of concept of the use of elliptic curves over finite fields in providing security on ad hoc networks. The main interest of elliptic curves in that setting is the low cost and (a priori) low bandwidth required for a given level of security, as compared to traditional finite field based systems. The engineer attached to this project will inject our knowledge into a standard network simulator.

A. Enge took part in the program committees of Pairing 2007 – First International Conference on Pairing-Based Cryptography in Tokyo and WCC 2007 – International Workshop on Coding and Cryptography in Versailles. He acted on the scientific advisory board of the Journées Nationales de Calcul Formel 2007 at Luminy.

François Morain was in charge of half of the 2nd year course “Algorithmes et Programmation: du séquentiel au distribué”, together with J.-M. Steyaert. He gives a cryptology course in Majeure 2. He is vice-head of the Département d'Informatique. He has been representing École polytechnique in the Commission des Études du Master MPRI, since its creation in 2004.

At École polytechnique, A. Enge has proposed computer science labs for the first year course “Introduction à l'informatique”. He has developed the practical module for the master level cryptology course, centred around securing a network application in the Java cryptography framework JCE.

F. Morain has been invited as a plenary lecturer to the “Workshop on Computational challenges arising in algorithmic number theory and Cryptography”, October 30- November 3, 2006, in the Fields Institute in Toronto (Canada). There he presented .

A. Enge has been invited as a plenary lecturer to ACISP 2007 – 12th Australasian Conference on Information Security and Privacy at Townsville, Australia, with a talk entitled "Constructing cryptographic curves"; and to Fq8 – 8th International Conference on Finite Fields and Applications at Melbourne, speaking on "The discrete logarithm problem for algebraic curves".

A. Enge is editor of “Designs, Codes and Cryptography”. He has co-edited the special issue “Algorithmic Number Theory and Its Applications” of the Japan Journal of Industrial and Applied Mathematics.

F. Morain was in the thesis committees of Bassem Sakkour (2007-04-06) and of Cédric Lauradoux (2007-06-22), and in the HdR committees for P. Loidreau (2007-01-25) and D. Augot (2007-06-07).

A. Enge is a member of the International Relations Working Group (GTRI) at the Scientific and Technological Orientation Council (COST) of INRIA. As such, he regularly participates in the selection of postdoc positions for the European ERCIM consortium and of international Associated teams. He also acts as the scientific representative for European affairs at INRIA Saclay.

F. Morain has represented INRIA in the “Conseil d'UFR 929 Maths Université Paris 6” since September 2005. F. Morain participated in the evaluation of the *Unité de Mathématiques Appliquées* of ENSTA (05/07/06).