TANC Théorie Algorithmique des Nombres pour la Cryptologie SYM François Morain UnivFr Enseignant Saclay Professor at École polytechnique oui Andreas Enge INRIA Chercheur Saclay CR1 oui Thomas Houtmann AutreEtablissementPublic PhD Saclay CNRS/DGA until 2008-09-01 Luca De Feo UnivFr PhD Saclay École polytechnique since 2007-09-01 Jean-François Biasse AutreEtablissementPublic PhD Saclay DGA since 2007-09-01 Évelyne Rayssac UnivFr Assistant Saclay École polytechnique Daniel Augot INRIA Chercheur Saclay CR1 oui Ben Smith INRIA Chercheur Saclay CR2 Morgan Barbier UnivFr PhD Saclay École polytechnique since 2008-10-01 Jérôme Milan INRIA Technique Saclay Ingénieur de Développement Digiteo Overall Objectives Main topics

TANCis located in the Laboratoire d'Informatique de l'École polytechnique (LIX). The project was created on 2003-03-10.

The aim of the TANCproject is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

It is clear from this statement that we combine high-level mathematics and efficient programming. Our main area of competence and interest is that of algebraic curves over finite fields, most notably the computational aspects of these objects, that appear as a substitute of good old-fashioned cryptography based on modular arithmetic. One of the reasons for this change is that the key-size is much smaller for an equivalent security. We participate in the recent bio-diversity mood that tries to find substitutes for old-fashioned cryptosystems as the very famous RSA system (for Rivest/Shamir/Adleman), in case some attack would appear and destroy the products that employ it.

Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values need to be proved, since they may be difficult to compute.

Our research area includes:

  • Fundamental number theoretic algorithms: we are interested in primality proving algorithms based on elliptic curves, integer factorization, and the computation of discrete logarithms over finite fields. These problems lie at the heart of the security of arithmetic based cryptosystems.

  • Algebraic curves over finite fields: the algorithmic problems that we tackle deal with the efficient computation of group laws on Jacobians of curves, evaluation of the cardinality of these objects, and the study of the security of the discrete logarithm problem in such groups. These topics are the crucial problems to be solved for potential use in real crypto-products.

  • Complex multiplication: the theory of complex multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic and hyperelliptic curve-based cryptosystems.

  • Pairings: The new number theoretic primitive of pairings (i.e. bilinear functions) on algebraic curves enables many novel applications, and poses algorithmic challenges concerning efficient implementation and the creation of secure instances.

  • Decoding algorithms for Algebraic Geometric codes. The algorithmic knowledge of TANC will be used to accelerate the decoding algorithms, be they the classical one (up to half to the minimum distance), or new ones, which decode many more errors.

    •      Exploratory topics

    As described in the name of our project, we aim to provide robust primitives for asymmetric cryptography. In recent years, we have made several attempts at applying our knowledge to real life protocols. We are currently trying to promote the use of elliptic curves in environments where they could be useful, such as ad hocnetworks. We will also try to promote the use of AG codes, which are to coding theory what elliptic curve cryptography is to cryptology.

     Highlights of the year

    B. Smith won the Best Paper award at EUROCRYPT 2008, the premier European conference in cryptology, for his work on discrete logarithms in genus 3  .

    A. Enge has won the Selfridge Prize of the Number Theory Foundation for the best paper presented at ANTS-VIII in Banff, the main, biennial conference for algorithmic number theory.

    The team organized the C4 (Computations on Curves for Crypto and Coding) workshop, held on the 9th and 10th of June 2008 at the École polytechnique, bringing together leading researchers from France, the United States, Canada, Denmark, and the Netherlands.

    The team has contributed to the organisation of the CADO Workshop on Integer Factorization, held jointly with the CACAO project team in Nancy .

         Scientific Foundations General overview Cryptology arithmetic

    Once considered beautiful but useless, arithmetic has proven incredibly efficient when asked to assist the creation of a new paradigm in cryptography. Classical cryptography was mainly concerned with symmetric techniques: two principals wishing to communicate secretly had to share a common secret beforehand and this same secret was used both for encrypting the message and for decrypting it. This way of communication is efficient enough when traffic is low, or when the principals can meet prior to communication.

    It is clear that modern networks are too large for this to remain efficient any longer. Hence the need for cryptography without first contact. In theory, this is easy. Find two algorithms Eand Dthat are reciprocal (i.e., D( E( m)) = m) and such that the knowledge of Edoes not help in computing D. Then Eis dubbed a public key available to anyone, and Dis the secret key, reserved to a user. When Alice wants to send an email to Bob, she uses his public key and can send him the encrypted message, without agreeing on a common key beforehand. Though simplified and somewhat idealized, this is the heart of asymmetric cryptology. Apart from confidentiality, modern cryptography provides good solutions to the signature problem, as well as some solutions for identifying all parties in protocols, thus enabling products to be usable on the Internet(ssh, ssl/tls, etc.).

    Of course, everything has to be presented in the modern language of complexity theory: Eand Dmust be computable in polynomial time; finding Dfrom Ealone should be possible only in, say, exponential time, without some secret knowledge.

    Now, where do difficult problems come from? Mostly from arithmetic, where we find problems such as the integer factorization problem and the discrete logarithm problem. Varying the groups appears to be important, since this provides some bio-diversity which is the key of the resistance to attacks from crypto-analysts. Among the groups proposed: finite fields, modular integers, algebraic curves, class groups, etc. All these now form cryptographic primitives that need to be assembled in protocols, and finally in commercial products.

    Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory and the efficient construction of these primitives. TANCconcentrates on modular arithmetic, finite fields and algebraic curves.

    We have a strong well-known reputation of breaking records whatever the subject is: constructing systems or breaking them, including primality proving, class polynomials, modular equations, computing cardinalities of algebraic curves, discrete logs, etc. This means writing programs and putting in all the work needed to make them run for weeks or months. An important part of our task is now to transform record programs into ones that can solve everyday life problems for current sizes of the parameters.

    Efficiency is not our single concern. Certificates are again another one. By this, we mean that we provide proofs of the properties of the objects we build. The traditional example is that of prime numbers, where certificates were introduced by Pratt in 1974. These certificates might be difficult to build, yet they are easy to check (by customers, say). We know how to do this for elliptic curves, with the aim of establishing what we call an identity cardfor a curve, including its cardinality together with the proof of its factorization, its group structure (with proven generators), discriminant (and factorization), and class number of the associated order. The theory is ready for this, algorithms not out of reach. This must be extended to other curves, and in several cases, the theory is almost ready or not at all, and algorithms still to be found. This is one of the main problems we have to tackle in TANC.

    It is clear that more and more complex mathematics will be used in cryptology (see the recent algorithms that use p-adic approaches). These cannot live if we do not implement them, and this is where we need more and more evolved algorithms, that are for the moment present in very rare mathematical systems, like Magmathat we use for this. Once the algorithms work in Magma, it is customary to rewrite them in C or C++ to gain speed. Along the same lines, some of our C programs developped for our research (an old version of ECPP, some parts of discrete log computations, cardinality of curves) are now included in this system, as a result of our collaboration with the Sydney group.

     Algebraic curves over finite fields

    One of the most used protocols is that of Diffie-Hellman that enables Alice and Bob to exchange a secret information over an insecure channel. Given a publicly known cyclic group Gof generator g, Alice sends gafor a random ato Bob, and Bob responds with a random gb. Both Alice and Bob can now compute gaband this is henceforth their common secret. Of course, this a schematic presentation, since real-life protocols based on this need more security properties. Being unable to recover afrom ga(the discrete log problem – DLP) is a major concern for the security of the scheme, and groups for which the DLPis difficult must be favored. Therefore, groups are important, and TANCconcentrates on algebraic curves, since they offer a very interesting alternative to finite fields, in which the DLPcan be broken by subexponential algorithms, whereas exponential time is required for curves. Thus a smaller key can be used using curves, and this is very interesting as far as limited powered devices are concerned.

    In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (hence have a nice representation of the elements of the Jacobian of the curve). Next, computing the cardinality of the Jacobian is required, so that we can find generators of the group. Once the curve is built, one needs to test its security, for example how hard the discrete logarithm in this group is.

    Effective group laws

    A curve that interests us is typically defined over a finite field GF ( p n), where pis the characteristic of the field.

    The points of an elliptic curve E(of equation y2= x3+ ax+ b, say) form an abelian group, that was thoroughly studied during the preceding millenium. Adding two points is usually done using the so-called chord-and-tangentformulæ. When dealing with a genus gcurve (the elliptic case being g= 1), the associated group is the Jacobian (set of g-tuples of points modulo an equivalence relation), an object of dimension g. Points are replaced by polynomial ideals. This requires the help of tools from effective commutative algebra, such as Gröbner bases or Hermite normal forms.

    The great catalog of usable curves is now complete, as a result of the work of TANC, notably in two ACI ( cryptocourbesand cryptologie p-adique) that are finished now.

     Cardinality

    Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, this has to be done as fast as possible, if changing the group very frequently in applications is imperative.

    Two parameters enter the scene: the genus gof the curve, and the characteristic pof the underlying finite field. When g= 1and pis large, the only current known algorithm for computing the number of points of E/ GF ( p)is that of Schoof–Elkies–Atkin. Thanks to the works of the project, world-widespread implementations are able to build cryptographically strong curves in less than one minute on a standard PC. Recent improvements were made by F. Morain and P. Gaudry (CACAO), see . The current record of SEA was established by F. Morain in 2007 for a prime pof 2500 decimal digits (again compared to 500dd back in 1995), using the work in (see below), as well as , in which a new approach to the eigenvalue computation is described and proven.

    When pis small (one of the most interesting cases for hardware implementation in smart cards being p= 2) the best current methods use p-adic numbers, following the breakthrough of T. Satoh with a method working for p$ \ge$5. The first version of this algorithm for p= 2was proposed independently by M. Fouquet, P. Gaudry and R. Harley and by B. Skjernaa. J. -F. Mestre has designed the currently fastest algorithm using the arithmetico-geometric mean (AGM) approach. Developed by R. Harley and P. Gaudry, it led to new world records. Then, P. Gaudry combined this method together with other approaches, to make it competitive for cryptographic sizes .

    When g>1and pis large, polynomial time algorithms exist, but their implementation is not an easy task. P. Gaudry and É. Schost have modified the best existing algorithm so as to make it more efficient. They were able to build the first random cryptographically strong genus 2 curves defined over a large prime field . To get one step further, one needs to use genus 2 analogues of modular equations. After a theoretical study , they are now investigating the practical use of these equations.

    When p= 2, p-adic algorithms led to striking new results. First, the AGM approach extends to the case g= 2and is competitive in practice (only three times slower than in the case g= 1). In another direction, Kedlaya has introduced a new approach, based on the Monsky-Washnitzer cohomology. His algorithm works originally when p>2. P. Gaudry and N. Gürel implemented this algorithm and extended it to superelliptic curves, which had the effect of adding these curves to the list of those usable in cryptography.

    Closing the gap between small and large characteristic leads to pushing the p-adic methods as far as possible. In this spirit, P. Gaudry and N. Gürel have adapted Kedlaya's algorithm and exhibited a linear complexity in p, making it possible to reach a characteristic of around 1000 (see ). For larger p's, one can use the Cartier-Manin operator. Recently, A. Bostan, P. Gaudry and É. Schost have found a much faster algorithm than currently known ones . Primes paround 10 9are now doable.

     Computing isogenies

    The core of the Schoof-Elkies-Atkin (SEA) algorithm that computes the cardinality of elliptic curves over finite fields consists in using the theory of isogenies to find small factors of division polynomials. SEA is still the method of choice for the large characteristic case, but no longer for small characteristics.

    Isogenies are also a tool for understanding the difficulty of the Discrete Log problem among classes of elliptic curves . Recently, there appeared suggestions to use isogenies in a cryptographic context, replacing the multiplication on curves by the use of such morphisms , .

    Algorithms for computing isogenies are very well known and used in the large characteristic case. When the characteristic is small, three algorithms exist: two of these are due to Couveignes , , and one to Lercier .

     The discrete logarithm problem

    The discrete logarithm problem is one of the major difficult problems that allow to build secure cryptosystems. It has essentially been proved equivalent to the computational Diffie–Hellman problem, which is closer to the actual security of many systems. For an arbitrary group of prime order N, it can be solved by a generic, exponential algorithm using Im1 ${\#920 (\sqrt N)}$group operations. For elliptic curves, set aside some rare and easily avoidable instances, no faster algorithms are known.

    In higher genus curves, the algorithms with the best complexity create relations as smooth principal divisors on the curve and use linear algebra to deduce discrete logarithms, similarly to the quadratic sieve for factoring. The first such algorithm for high genus hyperelliptic curves with a heuristic complexity analysis is given in , and A. Enge has developed the first algorithm with a proven subexponential run time of L(1/2)in . Generalisations to further groups suggested for cryptography, in particular ideal class groups of imaginary quadratic number fields, are obtained by A. Enge and P. Gaudry in . Proofs for arbitrary curves of large genus are given by J.-M. Couveignes and F. Heß .

    The existence of subexponential algorithms shows that high genus curves are less secure than, say, elliptic ones in cryptography. By analysing the same algorithms differently, concrete recommendations for key lengths can be obtained, an approach introduced by P. Gaudry in and pursued in . It turns out that elliptic curves and hyperelliptic curves of genus 2 are not affected, while the key lengths have to be increased in higher genus, for instance by 12 %in genus 3.

    Using similar algorithms to those analysed in , C. Diem has shown in that non-hyperelliptic curves (of genus at least 3) are even less secure than hyperelliptic ones of the same genus. This effectively leaves elliptic and low genus hyperelliptic curves as potential sources for public-key cryptosystems.

     Pairings on algebraic curves

    Algebraic curves have first been used in cryptography as a source for groups in which the discrete logarithm problem should be harder than in the multiplicative group of a finite field. Totally new applications stem from the use of structures proper to algebraic curves, the Tate and Weil pairings. These are bilinear maps that associate to two group elements, at least one of which is defined in an extension field, a root of unity in the same extension field. Among the first new cryptographic primitives were a tripartite Diffie–Hellman key exchange and identity based encryption . Subsequently, the number of articles concerned with pairings has exploded, and a specialised series of conferences has been inaugurated with Pairings 2007 in Tokyo, A. Enge being a member of the programme committees in 2007 and 2008.

    One of the most challenging problems related to pairing based cryptography is to find suitable curves, that are hidden like needles in a hay stack. Supersingular elliptic curves yield a rather limited supply of doubtful security. Using its expertise on complex multiplication, the TANC team has published one of the first two algorithms for finding pairing friendly ordinary curves for arbitrary field extension degrees in , the other one being developed in .

         Complex multiplication Genus 1

    Despite the achievements described above, random curves are sometimes difficult to use, since their cardinality is not easy to compute or useful instances are too rare to occur (curves for pairings for instance). In some cases, curves with special properties can be used. For instance curves with complex multiplication(in brief CM), whose cardinalities are easy to compute. For example, the elliptic curve defined over GF( p)of equation y2= x3+ xhas cardinality p+ 1-2 u, when p= u2+ v2, and computing uis easy.

    The CM theory for genus 1 is well known and dates back to the middle of the nineteenth century (Kronecker, Weber, etc.). Its algorithmic part is also well understood, and recently more work was done, largely by TANC. Twenty years ago, this theory was applied by Atkin to the primality proving of arbitrary integers, yielding the ECPP algorithm developed ever since by F. Morain. Though the decision problem isPrime?was shown to be in P(by the 2002 work of Agrawal, Kayal, Saxena), practical primality proving of large random numbers is still done only with ECPP.

    These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems .

    CM curves are defined by algebraic integers, whose minimal polynomials have to be computed exactly, the coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants that characterize CM curves. The union of these two families is currently the best that can be achieved in the field (see ). Later, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory . These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

    F. Morain analyzed a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem (see ), reaching heuristically Im2 ${O({(logN)}^{4+\#1013 })}$, compared to Im3 ${O({(logN)}^{5+\#1013 })}$for the basic version. By comparison, the best proven version of AKS has complexity Im4 ${O({(logN)}^{6+\#1013 })}$and has not been implemented so far; the best randomized version reaches the same Im2 ${O({(logN)}^{4+\#1013 })}$bound but suffers from memory problems and is not competitive yet. F. Morain implemented fastECPP and was able to prove the primality of 10, 000decimal digit numbers , as opposed to 5, 000for the basic (historical) version. Continuously improving this algorithm, this led to new records in primality proving, some of which obtained with his co-authors J. Franke, T. Kleinjung and T. Wirth who developed their own programs. F. Morain set the current world record to 20,562 decimal digits early June 2006, as opposed to 15,071 two years before. This record was made possible by using an updated MPI-based implementation of the algorithm and its distribution process on a cluster of 64-bit bi-processors (AMD Opteron(tm) Processor 250 at 2.39 GHz). In 2007, another large number was proven to be prime, namely (2 42737+ 1)/3with 12, 865decimal digits.

    In his thesis, R. Dupont has investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function  jor the Dedekind eta function for example). High precision evaluation of such functions is at the core of algorithms to compute class polynomials (used in complex multiplication) or modular polynomials (used in the SEA elliptic curve point counting algorithm).

    Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal linear complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary .

    Using similar techniques, he has given a proven algorithm for the evaluation of the logarithm of complex numbers with quasi-optimal time complexity.

     Genus 2

    The theory of Complex Multiplication also exists for non-elliptic curves, but is more intricate, and only recently can we dream to use them. Some of the recent results occurred as the work of R. Dupont (former member of TANC) in his thesis.

    R. Dupont has worked on adapting his algorithm to genus 2, which induces great theoretical and technical difficulties. He has studied a generalization of the AGM known as Borchardt sequences, has proven the convergence of these sequences in a general setting, and has determined the set of limits such sequences have in genus 2. He has then developped an algorithm for the fast evaluation of theta constants in genus 2, and as a byproduct obtains an algorithm to compute the Riemann matrix of a given hyperelliptic curve: given the equation of such a curve, it computes a lattice  Lsuch that the Jacobian of the curve is isomorphic to Im5 ${\#8450 /L}$. These algorithms are both quasi-linear, and have been implemented (in C, using the multiprecision package GMP– see http:// gmplib. org/ ).

    Using these implementations, R. Dupont has began computing modular polynomials for groups of the form  $ \upper_gamma$0( p)in genus 2 (these polynomials link the genus 2 j-invariants of p-isogenous curves). He computed the modular polynomials for  p= 2, which had never been done before, and did some partial computations for  p= 3(results are available at  http:// www. lix. polytechnique. fr/ Labo/ Regis. Dupont).

    He also studied more theoretically the main ingredient used in his algorithms in genus 2, a procedure known as Borchardt sequences. In particular, he proved a theorem that parametrizes the set of all possible limits of Borchardt sequences starting with a fixed 4-tuple.

         Algebraic Geometry codes

    There are many other applications of algorithmic methods on algebraic curves than simple cryptography. Daniel Augot plans to develop a new activity around algebraic geometry codes, in short AG codes, which are a very powerful family of codes, who often beat records on their parameters: they often offer the best correction capacity. The main topics of research is to accelerate the decoding algorithms of these codes, who have a slightly expensive cost . A reference implementation would be of major interest, to help people comparing these codes with the Reed-Solomon codes.

    A breakthrought has been obtained by Guruswami and Sudan for decoding these codes with many errors. Still, yet no implementation is avalaible, even for the most simple AG codes, which are the Hermitian codes. In this domain too, an objective is to produce a publicly available reference implementation.

         Application Domains Telecom

    Our main field of applications is clearly that of telecommunications. We participate in the protection of information. We are proficient on a theoretical level, as well as ready to develop applications using modern cryptologic techniques, with a main focus on elliptic curve cryptography. One potential application are cryptosystems in environments with limited resources as smart cards, mobile phones or ad hocnetworks.

         Software ECPP

    F. Morain has been continuously improving his primality proving algorithm called ECPP, originally developed in the early '90. Binaries for version 6.4.5 are available since 2001 on his web page. Proving the primality of a 512 bit number requires less than a second on a GHz PC. His personal record is about 20, 000decimal digits, with the fast version he started developing in 2003. Everything there is written in C, based on the GMPpackage.

     mpc

    The mpclibrary, developed in C by A. Enge in collaboration with Ph. Théveny and P. Zimmermann, implements the basic operations on complex numbers in arbitrary precision, which can be tuned to the bit. This library is based on the multiprecision libraries GMPand mpfr. Each operation has a precise semantics, in such a way that the results do not depend on the underlying architecture. Several rounding modes are available. This software, licensed under the GNU Lesser General Public License (LGPL), can be downloaded freely from the URL http:// www. multiprecision. org/ mpc/ .

    The library currently benefits from an Opération de développement logiciel of INRIA. The latest version 0.5 has been released in September 2008. A Debian package is available in the unstable distribution since October 2008. The perl wrapper Math::MPC ( http:// search. cpan. org/ ~sisyphus/ Math-MPC/ ) is available on CPAN since version 0.4.6.

    The mpclibrary is used in our team to build curves with complex multiplication and to compute modular polynomials (cf. Section  ), and it is de factoincorporated in the ECPP program. It is used by the Magma Computational Algebra System ( http:// magma. maths. usyd. edu. au/ magma/ ) and by Trip ( http:// www. imcce. fr/ Equipes/ ASD/ trip/ trip. php), a symbolic-numeric system for celestial mechanics developed at Institut de Mécanique Céleste et de Calcul des Éphémérides

     mpfrcx

    The mpfrcxlibrary is developed in C by A. Enge to implement the arithmetic of univariate polynomials with floating point coefficients of arbitrary precision, be they real ( mpfr) or complex ( mpc). The first version 0.1, published in October 2007 and available at http:// www. lix. polytechnique. fr/ Labo/ Andreas. Enge/ Software. html, contains the functionality needed for the author's complex multiplication program. Advanced asymptotically fast algorithms have been implemented, such as Karatsuba and Toom–Cook multiplication, various flavours of the FFT and division with remainder by Newton iterations. Special algorithms of symbolic computation such as fast multievaluation are also available.

    Publishing mpfrcxis part of an ongoing effort to make A. Enge's program for building elliptic curves with complex multiplication available. This program is a very important building block for cryptographic purposes as well as for primality proving (fastECPP).

     TIFA

    We have hired J. Milan as ingénieur associéto help us with our programs. He first spent some time making a tour of publicly available platforms implementing the IEEE P-1363 cryptography standards. Following this work, it appeared not interesting to add a new one to the list, and he switched to one of our other themes, namely writing integer factorization software for which the results can be guaranteed.

    However, besides this quite daunting task, we have a more pragmatic, twofold-interest in fast factorization implementations for small numbers.

  • Our first motivation is directly related to the ANR CADO project we are involved in, together with other teams such as the INRIA project-team CACAO. The objective of the CADO project is to implement an optimized and distributed implementation of the Number Field Sieve (NFS), asymptotically the fastest integer factorization algorithm currently known. This algorithm needs to factor a lot of much smaller integers (about 80 bits for current factorization records). Since a recursive application of the NFS would be totally inefficient in practice, there is indeed a need for routines better suited to factor this wealth of smaller by-products.

  • Our second motivation lies in our long-term commitment to produce identity cards for elliptic curves in order to select those curves with the needed properties for cryptographic use. Such an identification would require the knowledge of the factorization of the order of the curve (about 200 bits for cryptographic use).

    •

    Hence, J. Milan is still actively developing the so-called TIFA library (short for Tools for Integer FActorization). TIFA is made up of a base library written in C99 and using the GMP library, together with stand-alone factorization programs and a basic benchmarking framework to assess the performance of the relative algorithms.

    During the past year, TIFA has gone through a significant code refactoring aimed at facilitating its extensibility. Aside from optimizations made to the base library, several factorization algorithms were also added. As of september 2007, the following algorithms have been implemented:

    CFRAC (Continued FRACtion factorization )
    ECM (Elliptic Curve Method)
    Fermat (McKee's “fast” variant of Fermat's algorithm )
    QS (Quadratic Sieve )
    SIQS (Self-Initializing Quadratic Sieve )
    SQUFOF (SQUare FOrm Factorization )

    In particular, a significant effort was made to fine tune the SQUFOF implementation for small (at most) double-precision numbers. We believe that TIFA's SQUFOF is quite competitive compared to other similar implementations, even if in practice, SQUFOF is rapidly outperformed by TIFA's QS. Our implementations of QS and SIQS have been substancially revamped in late 2007/early 2008. While still slightly slower then the best available implementations, the performance gap has been dramatically narrowe. An implementation of ECM has been added to TIFA in late 2007. However its performance is far from being on par with the competition. We hope to address these shortcomings – if time permits – in the near future.

    While still kept internal to the TANC team and CADO project, TIFA will eventually be made public under an open source license, most probably the Lesser General Public License version 2.1 or higher.

         New Results Algebraic curves over finite fields Cardinality Andreas Enge François Morain

    A crucial ingredient for these records was A. Enge's new algorithm for computing modular equations of index greater than 2000. The algorithm computes bivariate modular polynomials by an evaluation and interpolation approach and relies on the ability to rapidly evaluate modular functions in complex floating point arguments. It has a quasi-linear complexity with respect to its output size, so that the performance of the algorithm is limited only by the size of the result: we have in fact been able to compute modular polynomials of degree larger than 10000 and of size 16 GB by a parallelised implementation of the algorithm, that uses mpcand mpfrcxfor the arithmetic of complex numbers and of polynomials with floating point coefficients, see Sections  and . For the point counting algorithm, the polynomials of prime level up to 6000 have been used. They occupy a disk space of close to 1 TB. Despite this progress, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable.

    We plan to make our new implementation available as an extension to the NTL library.

     Isogenies François Morain Luca De Feo

    Together with A. Bostan, B. Salvy (from projet ALGO), and É. Schost, F. Morain gave quasi-linear algorithms for computing the explicit form of a strict isogeny between two elliptic curves, another important block in the SEA algorithm . This article contains a survey of previous methods, all applicable in the large characteristic case. Joux and Lercier have recently announced a p-adic approach for computing isogenies in all characteristic with the same complexity and based on our work.

    For the small case, the old algorithms of Couveignes and Lercier were studied from scratch, and Lercier's algorithm reimplemented in NTL by F. Morain, as a benchmark for other methods still being developped. In his master internship, L. De Feo, started cleaning the most recent of them, known as CouveignesII. This algorithm involves building the explicit pktorsion of the curve and finding isomorphisms between Artin-Schreier towers. This work already led to the clarification of the complexities involved in several parts. Ongoing work with É. Schost already led to improved theoretical constructions and faster algorithms. Several articles are in preparation as a result of a long term visit of De Feo in London (Ontario). A fresh implementation in NTL will follow.

     Discrete logarithms on curves Andreas Enge Jean-François Biasse Benjamin Smith

    In 2007 for the very first time in algebraic curve cryptography, A. Enge and P. Gaudry have exhibited a class of curves in which the discrete logarithm problem is attacked by a subexponential algorithm of complexity less than L(1/2) . Precisely, the complexity is in L(1/3)for the preliminary phase of computing the group structure and L(1/3 + $ \varepsilon$)for any $ \varepsilon$>0for the discrete logarithms themselves. This shows that the corresponding algebraic curve cryptosystems, essentially based on Ca, bcurves with the degrees in Xand Ygrowing in a special way with the genus, are no more secure than RSA and thus of no cryptographic interest.

    This year, we have been able to extend the attack to a much larger class of curves, not necessarily of Ca, btype, for which the degrees in Xand Ygrow in a controlled way. We have removed the $ \varepsilon$for the discrete logarithm phase, and have come up with a tight complexity analysis that explains the phase change between the L(1/3)and the L(1/2)zone. A publication is in preparation.

    Jean-François Biasse has worked on an implementation of a subexponential algorithm which solves the discrete logarithm problem on hyperelliptic curves of genus 8 in order to study the efficiency of a cryptosystem that Edlyn Teske has presented. This cryptosystem relies on the facility of solving this problem, as well as the difficulty of solving the discrete logarithm problem on an elliptic curve. This work was presented in October 2008 at the "Journée Nationales du Calcul Formel" in Luminy.

    In another direction, B. Smith has given a polynomial-time reduction of discrete logarithm problem instances from a large class of hyperelliptic curves of genus 3 to non-hyperelliptic curves of genus 3, where Diem's algorithm can solve the discrete logarithm problem in time O( q). This is a significant improvement over the previous best known algorithm for solving hyperelliptic genus 3 discrete logarithms, due to P. Gaudry, E. Thomé, N. Thériault, and C. Diem  , which runs in time O( q4/3).

         Complex multiplication Andreas Enge François Morain

    A. Enge has been able to analyse precisely the complexity of class polynomial computations via complex floating point approximations . Using techniques from fast symbolic computation, namely multievaluation of polynomials, and results from R. Dupont's PhD thesis , he has obtained two algorithms which are quasi-linear (up to logarithmic factors) in the output size. The second algorithm has been used for a record computation of a class polynomial of degree 100,000, the largest coefficient of which has almost 250,000 bits. The implementation is based on GMP, mpfr, mpc and mpfrcx (see Section 5); the only limiting factor for going further has become the memory requirements of the final result.

    Alternative algorithms use p-adic approximations or the Chinese remainder theorem to compute class polynomials over the integers. A. Enge and his coauthors have presented an optimised algorithm based on Chinese remaindering in and improved the number theoretic bounds underlying the complexity analysis. They have shown that all three different approaches have a quasi-linear complexity, while the the floating point algorithm appeared to be the fastest one in practice.

    Inspired by , A. Sutherland has come up with a new implementation of the Chinese remainder based algorithm that has led to new record computations . Unlike the other algorithms, this approach does not need to hold the complete polynomial in main memory, but essentially only one coefficient at a time, which enables it to go much further. The main bottleneck is currently an extension of the algorithm to class invariants, which is work in progress by A. Enge.

     Decoding algebraic codes Daniel Augot Morgan Barbier

    This is a new activity of the TANC project-team, whose aim is to accelerate decoding algorithms of Reed-Solomon codes (with the Guruswami-Sudan algorithm), and of Algebraic Geometric codes. With Alexander Zeh, Daniel has found a relation between so-called key equations, which are the standard tool for decoding algebraic codes, and the new interpolation based algorithms  . The connection is established, and the next step is to use efficient algorithms, that are used for key equations, in the context of the Guruswami-Sudan algorithm.

    Another new topic that begins with the arrival of Morgan Barbier is to study list decoding algorithms for codes defined over small alphabets. It was a challenging open problem until the publication of Wu  , which achieves a high decoding radius for BCH codes, which are subfield subcodes of Reed-Solomon codes. This opens a new field of applications of these algorithms, and we have in mind to apply Wu's algorithm for steganography, using the ideas of Fontaine and Galand . They used Reed-Solomon codes, it seems very natural to use the same ideas with BCH codes. Providing an implementation of Wu's algorithm and apply it to steganography is the plan of Barbier's thesis.

     Security in ad hocnetworks François Morain Daniel Augot Jérôme Milan

    As we mentioned in our previous activity reports, we saw the recent arrival of Hipercomat École polytechnique as an opportunity to trigger inter-project collaborations in the field of security and cryptographic applications in the context of ad hoc networks.

    Following upon our involvement in the ACI SERAC (SEcuRity models and protocols for Ad-hoC Networks) a short one-year teamwork between TANCand Hipercom@LIXwas initiated in January 2008 as part of the so-called Cryptonet OMT (Opération de Maturation Technologique). This joint effort is mainly financed by the Digiteo foundation who hired J. Milan to work as a software programmer and provides marketing and intellectual property legal assistance.

    The main goal of Cryptonet is to present a proof-of-concept of an hardened, more robust OLSRv2  ad hoc network protocol. For this, we are working with Thomas Clausen and Ulrich Herberg from the Hipercom@LIXteam to bring some basic authentification mechanism in OLSRv2 using digital signature based on elliptic curves (ECDSA  and pairings on such curves (BSL-like signature  ).

    Such a mechanism has been developped and integrated within Hipercom@LIX's jOlsrv2  framework which provides a Java-based implementation of the OLSRv2 protocol and interfaces with the NS2 network simulator.

    Of course achieving ad hoc network security requires far more than mere application of cryptographic primitives. However, by presenting a first milestone, our goal is to spread awareness on major security issues arising in the mobile ad hoc network context. We hope to attract industrial partners with a practical stance on security and ultimately foster new academic-industrial partnerships.

    Daniel Augot, in cooperation with Hipercom, has worked on Group Key Agreement Protocols, generalizing the Diffie-Hellman protocol. ALthought the theoretical part has been published, a new paper with simulation results is in preparation.

         Contracts and Grants with Industry Gemplus

    This corresponds to É. Brier's thesis on the use of (hyper-)elliptic curves in cryptology.

     Industrial ANR

    Pace: Pairings and advances in cryptology for e-cash, since 2007; with France Télécom R&D, Gemalto, NXP Semiconductors, Cryptolog International, École normale supérieure Paris and Université Caen

         Other Grants and Activities Network of excellence

    Together with the SECRETproject at INRIA Rocquencourt, the project TANChas taken part in Ecrypt, a NoE in the Information Society Technologies theme of the 6th European Framework Programme (FP6).

     ANR

    Cado(since 2006-09-01): two meetings (18-19/01/07 in Nancy for the kickoff and 21-21/06/07 in Paris).

     Associated team

    The TANC project is involved in the associated team ECHECS (“Extreme Computing for (Hyper-)Elliptic Cryptographic Systems”) with É. Schost of University of Western Ontario, London, continuing a long-standing collaboration. Our joint work is concerned with using advanced algorithms of symbolic computation (speciality of the Canadian team) in the context of elliptic and hyperelliptic curve cryptography (speciality of TANC), in particular for the instantiation of secure cryptosystems.

    As part of this collaboration, L. De Feo visited twice University of Western Ontario (march 2008, november-december 2008) to work with E. Schost on fast symbolic algorithms for isogeny computation.

     OMT

    TANC, together with the Hipercom EPI, has started an OMT (offre de maturation technologique) financed by Digiteo. The aim of the Cryptonet OMT is to realize a proof of concept of the use of elliptic curves over finite fields in providing security on ad hoc networks. The main interest of elliptic curves in that setting is the low cost and (a priori) low bandwith required for a given level of security, as compared to traditional finite field based systems. The engineer attached to this project will inject our knowledge into a standard network simulator. Scientific details are provided in Section  .

    The project brings very short signature to OLSR, and such a small size may have non negative impact on the network performance. Testing of such small signatures is in progress.

    The code is in java and is integrated in the Java OLSRv2 implementation of Hipercom. We use the java framework for cryptography, which enables us to use any signature algorithm, not necessarly ours.

         Dissemination Programme committees

    A. Enge took part in the programme committee of Pairing 2008 – International Conference on Pairing-Based Cryptography at Royal Holloway University of London. He acted on the scientific advisary board of the Journées Nationales de Calcul Formel 2008 at Luminy.

     Teaching

    François Morain was in charge of half of the 2nd year course “Algorithmes et Programmation: du séquentiel au distribué”, together with J.-M. Steyaert. He gives a cryptology course in Majeure 2. He is vice-head of the Département d'Informatique. He has been representing École polytechnique in the Commission des Études du Master MPRI, since its creation in 2004.

    At École polytechnique, A. Enge has proposed computer science labs for the second year course “Algorithmes et Programmation: du séquentiel au distribué”. He has developed the practical module for the master level cryptology course, centred around securing a network application in the Java cryptography framework JCE.

    B. Smith taught the module on elliptic curve cryptography and pairings in the MPRI course on Cryptologie.

    Daniel Augot taught an introductory course of cryptography (Master 2) at Université de Marne la vallée. He also gave some lectures on algebraic coding theory in the MPRI Master 2. He also gave a lecture in the context of a cycles of lectures on cryptology for tunisian officers, organized by Thales.

     Seminars and talks

    Daniel Augot gave a talk “Algorithme de Guruswami-Sudan et généralisations multivariées” au séminaire de de l'IRMAR (Université de Rennes). He was invited at the University of Zürich (Joachim Rosenthal), and gave a talk on key equations for the Guruswami-Sudan list decoding algorithm.

    has been presented at ANTS-VIII in Banff by A. Enge; it has been rewarded by the Selfridge Prize of the Number Theory Foundation for the best paper.

    A. Enge has given an invited lecture on “Discrete logarithms in curves: from L(1/2)to L(1/3)” at the Third Franco-Japanese Computer Security Workshop at Nancy.

    He has given three lectures entitled “Un algorithme en L(1/3 + $ \varepsilon$)pour le problème du logarithme discret dans certaines courbes” at the seminar Arithmétique et théorie de l'information at Luminy, the cryptography seminar at Rennes and the seminar Arith at Montpellier.

    A. Enge has spoken on “Constructions de courbes algébriques pour la cryptographie” at the number theory seminar of Marrakech.

    F. Morain spent a week in Tokyo (Chuo University) and gave a talk on Recent improvements to the SEA algorithm in genus 1. F. Morain was invited speaker for ANTS8 in Banff (May 2008); his talk was survey on algorithms for computing isogenies on low genus curves.

    L. De Feo gave a lecture on “Fast arithmetics in Artin-Schreier towers over finite fields” at C4 in École Polytechnique. He gave a lecture on “Transposition principle” at Journées nationales de calcul formel 2008 held in Luminy.

    J.F. Biasse also gave a lecture on “Logarithme discret dans les courbes hyperelliptiques” at Journées nationales de calcul formel 2008 held in Luminy.

    B. Smith presented the research in  at EUROCRYPT 2008 in Istanbul, where it won the best paper award. He gave an invited talk on discrete logarithms on genus 3 curves in the special session on low-genus curves and applications of the 2008 Joint Meetings of the American Mathematical Society and the Mathematical Association of America in San Diego, and also gave a talk on the same subject in the Séminaire de Cryptologie at the Université de Caen.

    Vulgarisation and Summer schools

    B. Smith gave two lectures on advanced topics in elliptic curves at the DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography in September 2008 in Eindhoven.

    B. Smith has given a lecture on pairings on elliptic curves at the 3rd EcryptPhD Summer School on Advanced Topics in Cryptography in May 2008 on Crete.

    A. Enge has taken part in the school “Référentiels de la cryptographie moderne” organised from October 28 to 31 in Rabat by the Association Marocaine de Cryptographie with a lecture series on pairings entitled “Couplages sur les courbes elliptiques — Fondements mathématiques et calcul”.

     Editorship

    A. Enge is editor of “Designs, Codes and Cryptography” since 2004.

    Daniel Augot is guest editor, with Jean-Charles Faugère and Ludovic Perret of a special issue of the Journal of Symbolic Computation, on Gröbner Bases Techniques in Cryptography and Coding Theory.

     Awards

    B. Smith has received the best paper award for at Eurocrypt 2008 in Istanbul. He has been invited to submit an extended version to the Journal of Cryptology.

    A. Enge has received the Selfridge Prize of the Number Theory Foundation for the best paper presented at Algorithmic Number Theory Symposium — ANTS-VIII in Banff.

     Thesis committees

    F. Morain was the president of the defense committee for F. Didier (19/12/2007).

     Research administration

    A. Enge is correspondent for European affairs of INRIA Saclay–Île-de-France (formerly INRIA Futurs) since 2006 and correspondent for international affairs since 2007.

    F. Morain represents INRIA in the “Conseil d'UFR 929 Maths Université Paris 6” since September 2005.

         Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves B. Smith B. N. Smart N. Advances in Cryptology - EUROCRYPT 2008 Lecture Notes in Comput. Sci. 4965 Springer 2008 163-180 Annual International Conference on the Theory and Applications of Cryptographic Techniques 27 EUROCRYPT Computing Hilbert class polynomials Juliana Belding J. Reinier Bröker R. Andreas Enge A. Kristin Lauter K. Alf van der Poorten A. Andreas Stein A. Algorithmic Number Theory - ANTS-VIII, Berlin Lecture Notes in Computer Science 5011 Springer-Verlag 2008 282–295 Algorithmic Number Theory Symposium 8 ANTS Linear recurrences with polynomial coefficients and computation of the Cartier-Manin operator on hyperelliptic curves A. Bostan A. P. Gaudry P. É. Schost É. G. Mullen G. A. Poli A. H. Stichtenoth H. Finite Fields and Applications, 7th International Conference, Fq7 Lecture Notes in Comput. Sci. 2948 Springer-Verlag 2004 40–58 http:// www. lix. polytechnique. fr/ Labo/ Pierrick. Gaudry/ publis/ cartierFq7. ps. gz Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log? D. Jao D. S. D. Miller S. D. R. Venkatesan R. ASIACRYPT Lecture Notes in Comput. Sci. 2005 21-40 An elliptic trapdoor system E. Teske E. J. of Cryptology 19 1 2006 115–133 Public-key cryptosystem based on isogenies A. Rostovtsev A. A. Stolbunov A. 2006 http:// eprint. iacr. org/ Cryptology ePrint Archive, Report 2006/145 Quelques calculs en théorie des nombres J.-M. Couveignes J.-M. Thèse Université de Bordeaux I July 1994 Computing <span class="math" align="left"><hi rend="it">l</hi></span>-isogenies using the <span class="math" align="left"><hi rend="it">p</hi></span>-torsion J.-M. Couveignes J.-M. H. Cohen H. Algorithmic Number Theory Lecture Notes in Comput. Sci. Second International Symposium, ANTS-II, Talence, France, May 1996, Proceedings 1122 Springer Verlag 1996 59–65 Computing isogenies between elliptic curves over <span class="math" align="left"><hi rend="it">F</hi><sub><hi rend="it">p</hi><sup><hi rend="it">n</hi></sup></sub></span>using Couveignes's algorithm R. Lercier R. F. Morain F. Math. Comp. 69 229 January 2000 351–370 Computing isogenies in <span class="math" align="left"><hi rend="it">F</hi><sub>2 <sup><hi rend="it">n</hi></sup></sub></span> R. Lercier R. H. Cohen H. Algorithmic Number Theory Lecture Notes in Comput. Sci. Second International Symposium, ANTS-II, Talence, France, May 1996, Proceedings 1122 Springer Verlag 1996 197–212 A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields Leonard M. Adleman L. M. Jonathan DeMarrais J. Ming-Deh Huang M.-D. Leonard M. Adleman L. M. Ming-Deh Huang M.-D. Algorithmic Number Theory, Berlin Lecture Notes in Comput. Sci. 877 Springer-Verlag 1994 28–40 Computing Discrete Logarithms in High-Genus Hyperelliptic Jacobians in Provably Subexponential Time Andreas Enge A. Math. Comp. 71 238 2002 729–742 CADO — Number field sieve: distribution, optimization The CADO Team 2008 http:// cado. gforge. inria. fr/ A general framework for subexponential discrete logarithm algorithms A. Enge A. P. Gaudry P. Acta Arith. CII 1 2002 83–103 A General Framework for Subexponential Discrete Logarithm Algorithms in Groups of Unknown Order Andreas Enge A. A. Blokhuis A. J. W. P. Hirschfeld J. W. P. D. Jungnickel D. J. A. Thas J. A. Finite Geometries, Dordrecht Developments in Mathematics 3 Kluwer Academic Publishers 2001 133–146 Algebraic Groups and Discrete Logarithm Jean-Marc Couveignes J.-M. K. Alster K. J. Urbanowicz J. H. C. Williams H. C. Public-Key Cryptography and Computational Number Theory, Berlin De Gruyter 2001 17–27 Computing Relations in Divisor Class Groups of Algebraic Curves over Finite Fields Florian Hess F. Draft version 2004 http:// www. math. tu-berlin. de/ ~hess/ personal/ dlog. ps. gz An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves Pierrick Gaudry P. Bart Preneel B. Advances in Cryptology — EUROCRYPT 2000, Berlin Lecture Notes in Comput. Sci. 1807 Springer-Verlag 2000 19–34 A double large prime variation for small genus hyperelliptic index calculus P. Gaudry P. E. Thomé E. N. Thériault N. C. Diem C. Math. Comp. 76 2007 475–492 http:// www. loria. fr/ ~gaudry/ publis/ dbleLP. ps. gz An Index Calculus Algorithm for Plane Curves of Small Degree Claus Diem C. Florian Hess F. Sebastian Pauli S. Michael Pohst M. Algorithmic Number Theory — ANTS-VII, Berlin Lecture Notes in Computer Science 4076 Springer-Verlag 2006 543–557 A One Round Protocol for Tripartite Diffie–Hellman Antoine Joux A. Wieb Bosma W. Algorithmic Number Theory — ANTS-IV, Berlin Lecture Notes in Comput. Sci. 1838 Springer-Verlag 2000 385–393 Cryptosystems based on pairing R. Sakai R. K. Ohgishi K. M. Kasahara M. SCIS 2000, The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 26–28 2000 Building curves with arbitrary small MOV degree over finite prime fields R. Dupont R. A. Enge A. F. Morain F. J. of Cryptology 18 2 2005 79–89 http:// www. lix. polytechnique. fr/ Labo/ Andreas. Enge/ vorabdrucke/ mov. ps. gz Fast algorithms for computing the eigenvalue in the Schoof-Elkies-Atkin algorithm P. Gaudry P. F. Morain F. ISSAC '06: Proceedings of the 2006 international symposium on Symbolic and algebraic computation, New York, NY, USA ACM Press 2006 109–115 http:// hal. inria. fr/ inria-00001009 Constructing Elliptic Curves with Prescribed Embedding Degrees Paulo S. L. M. Barreto P. S. L. M. Ben Lynn B. Michael Scott M. Stelvio Cimato S. Clemente Galdi C. Giuseppe Persiano G. Security in Communication Networks — Third International Conference, SCN 2002, Amalfi, Italy, September 2002, Berlin Lecture Notes in Comput. Sci. 2576 Springer-Verlag 2003 257–267 Comparing Invariants for Class Fields of Imaginary Quadratic Fields A. Enge A. F. Morain F. C. Fieker C. D. R. Kohel D. R. Algorithmic Number Theory Lecture Notes in Comput. Sci. 5th International Symposium, ANTS-V, Sydney, Australia, July 2002, Proceedings 2369 Springer-Verlag 2002 252–266 Fast decomposition of polynomials with known Galois group A. Enge A. F. Morain F. M. Fossorier M. T. Høholdt T. A. Poli A. Applied Algebra, Algebraic Algorithms and Error-Correcting Codes Lecture Notes in Comput. Sci. 15th International Symposium, AAECC-15, Toulouse, France, May 2003, Proceedings 2643 Springer-Verlag 2003 254–264 Implementing the asymptotically fast version of the elliptic curve primality proving algorithm F. Morain F. Math. Comp. 76 2007 493–505 F. Morain F. Elliptic curves for primality proving Encyclopedia of cryptography and security H. C. A. van Tilborg H. C. A. Springer 2005 Primality testing with Gaussian periods H. W. Jr. Lenstra H. W. Jr. C. Pomerance C. Preliminary version July 2005 http:// www. math. dartmouth. edu/ ~carlp/ PDF/ complexity072805. pdf Proving primality in essentially quartic expected time D. Bernstein D. Math. Comp. 76 2007 389–403 Proving the primality of very large numbers with fastECPP J. Franke J. T. Kleinjung T. F. Morain F. T. Wirth T. D. Buell D. Algorithmic Number Theory Lecture Notes in Comput. Sci. 6th International Symposium, ANTS-VI, Burlington, VT, USA, June 2004, Proceedings 3076 Springer-Verlag 2004 194–207 Fast evaluation of modular functions using Newton iterations and the AGM R. Dupont R. 0025-5718 Math. Comp. To appear 2008 http:// www. lix. polytechnique. fr/ Labo/ Regis. Dupont/ preprints/ Dupont_FastEvalMod. ps. gz T. Høholdt T. J. H. van Lint J. H. R. Pellikaan R. Algebraic geometry codes Handbook of Coding Theory I Elsevier 1998 871–961 Fast algorithms for computing isogenies between elliptic curves A. Bostan A. F. Morain F. B. Salvy B. É. Schost É. 0025-5718 Math. Comp. 77 2008 1755–1778 Improved decoding of Reed-Solomon and algebraic-geometry codes Venkatesan Guruswami V. Madhu Sudan M. IEEE Transactions on Information Theory 45 6 1999 1757–1767 A method of factoring and the factorization of <span class="math" align="left"><hi rend="it">F</hi><sub>7</sub></span> M. A. Morrison M. A. J. Brillhart J. Math. Comp. 29 129 January 1975 183-205 Speeding Fermat's Factoring Method J. McKee J. Math. Comp. 68 228 October 1999 1729-1737 Factoring integers with the self-initializing quadratic sieve S. Contini S. 1997 http:// citeseer. ist. psu. edu/ contini97factoring. html Square form factorization J. E. Gower J. E. S. S. Wagstaff, Jr. S. S. Math. Comp. 77 2008 551–588 Computing modular polynomials in quasi-linear time Andreas Enge A. 0025-5718 Mathematics of Computation To appear 2008 An <span class="math" align="left"><hi rend="it">L</hi>(1/3 + <img width="10" height="12" align="bottom" border="0" src="../../images/img_varepsilon.png" alt="$ \varepsilon$"/></span>) algorithm for the discrete logarithm problem for low degree curves Andreas Enge A. Pierrick Gaudry P. Moni Naor M. Advances in Cryptology — Eurocrypt 2007, Berlin Lecture Notes in Comput. Sci. 4515 Springer-Verlag 2007 379–393 http:// hal. inria. fr/ inria-00135324 The complexity of class polynomial computation via floating point approximations Andreas Enge A. 0025-5718 Mathematics of Computation To appear 2008 Moyenne arithmético-géométrique, suites de Borchardt et applications R. Dupont R. Ph. D. Thesis École polytechnique 2006 Computing Hilbert class polynomials with the CRT method Andrew Sutherland A. Talk at the 12th Workshop on Elliptic Curve Cryptography (ECC) 2008 http:// www. hyperelliptic. org/ tanja/ conf/ ECC08/ slides/ Andrew-V-Sutherland. pdf Computing the eigenvalue in the Schoof-Elkies-Atkin algorithm using Abelian lifts P. Mihăilescu P. F. Morain F. É. Schost É. ISSAC '07: Proceedings of the 2007 international symposium on Symbolic and algebraic computation, New York, NY, USA ACM Press 2007 285–292 http:// hal. inria. fr/ inria-00130142 On the Roth and Ruckenstein equations for the Guruswami-Sudan algorithm Daniel Augot D. Alexander Zeh A. Information Theory, 2008. ISIT 2008. IEEE International Symposium on 2008 2620–2624 http:// dx. doi. org/ 10. 1109/ ISIT. 2008. 4595466 IEEE International Symposium on Information Theory 2008 ISIT New List Decoding Algorithms for Reed-Solomon and BCH Codes Y. Wu Y. Information Theory, IEEE Transactions on 54 8 2008 3611–3630 http:// dx. doi. org/ 10. 1109/ TIT. 2008. 926355 How Can Reed-Solomon Codes Improve Steganographic Schemes? Caroline Fontaine C. Fabien Galand F. Teddy Furon T. François Cayre F. Gwenaël Doërr G. Patrick Bas P. Information Hiding Lecture Notes in Computer Science 4567 Springer Berlin / Heidelberg 2007 130–144 http:// www-rocq. inria. fr/ secret/ Frederic. Didier/ machines. php The Optimized Link State Routing Protocol version 2 C. Clausen C. P. Jacquet P. Technical report IETF Draft 2008 Digital Signature Standard (DSS) Technical report FIPS PUB 186-3 National Institute of Standards and Technology 2006 Short signatures from the Weil pairing D Boneh D. B Lynn B. H Shacham H. Colin Boyd C. Advances in Cryptology - ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, December 9-13, 2001, Proceedings Lecture Notes in Computer Science 2248 Springer 2001 514-532 JOLSRv2: An OLSRv2 implementation in Java Urlich Herberg U. 4th OLSR Interop Workshop, Ottawa, Canada 2008 Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves B. Smith B. 0933-2790 J. of Cryptology To appear 2008 Discrete logarithms in curves over finite fields Andreas Enge A. Gary L. Mullen G. L. Daniel Panario D. Igor E. Shparlinski I. E. Finite Fields and Applications Contemporary Mathematics 461 American Mathematical Society 2008 119–139 International Conference on Finite Fields and Applications 9 FQ La primalité en temps polynomial [d'après Adleman, Huang; Agrawal, Kayal, Saxena] F. Morain F. Astérisque Séminaire Bourbaki. Vol. 2002/2003 294 2004 Exp. No. 917, 205–230 A comparison and a combination of SST and AGM algorithms for counting points of elliptic curves in characteristic 2 P. Gaudry P. Y. Zheng Y. Advances in Cryptology – ASIACRYPT 2002 Lecture Notes in Comput. Sci. 2501 Springer–Verlag 2002 311–327 Constructing elliptic curves over finite fields using double eta-quotients A. Enge A. R. Schertz R. Journal de Théorie des Nombres de Bordeaux 16 2004 555–568 http:// www. lix. polytechnique. fr/ Labo/ Andreas. Enge/ vorabdrucke/ cm. ps. gz The Arithmetic of Jacobian Groups of Superelliptic Cubics A. Basiri A. A. Enge A. J.-C. Faugère J.-C. N. Gürel N. Math. Comp. 74 2005 389–410 https:// hal. inria. fr/ inria-00071967 Computing the cardinality of CM elliptic curves using torsion points F. Morain F. Journal de Théorie des Nombres de Bordeaux 19 3 2007 663–681 http:// arxiv. org/ ps/ math. NT/ 0210173 Construction of Secure Random Curves of Genus 2 over Prime Fields P. Gaudry P. É. Schost É. C. Cachin C. J. Camenisch J. Advances in Cryptology – EUROCRYPT 2004 Lecture Notes in Comput. Sci. 3027 Springer-Verlag 2004 239–256 http:// www. lix. polytechnique. fr/ Labo/ Pierrick. Gaudry/ publis/ secureg2. ps. gz Modular equations for hyperelliptic curves P. Gaudry P. É. Schost É. Math. Comp. 74 2005 429–454 http:// www. lix. polytechnique. fr/ Labo/ Pierrick. Gaudry/ publis/ eqmod2. ps. gz Counting points in medium characteristic using Kedlaya's algorithm P. Gaudry P. N. Gürel N. Experiment. Math. 12 4 2003 395–402 http:// www. expmath. org/ expmath/ volumes/ 12/ 12. html Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves Benjamin Smith B. Lecture Notes in Comput. Sci. 4965 2008 163-180