Lfant is an INRIA project-team joint with the University of Bordeaux and CNRS (IMB, UMR 5251). The team was created on March 1st, 2009, and became a project-team on January 1st, 2010.

Algorithmic number theory dates back to the dawn of mathematics itself, *cf.* Eratosthenes's sieve to enumerate consecutive prime numbers. With the arrival of computers, previously unsolvable problems have come into reach, which has boosted the development of more or less practical algorithms for essentially all number theoretic problems. The field is now mature enough for a more computer science driven approach, taking into account the theoretical complexities and practical running times of the algorithms.

Concerning the lower level multiprecision arithmetic, folklore has asserted for a long time that asymptotically fast algorithms such as Schönhage–Strassen multiplication are impractical; nowadays, however, they are used routinely. On a higher level, symbolic computation provides numerous asymptotically fast algorithms (such as for the simultaneous evaluation of a polynomial in many arguments or linear algebra on sparse matrices), which have only partially been exploited in computational number theory. Moreover, precise complexity analyses do not always exist, nor do sound studies to choose between different algorithms (an exponential algorithm may be preferable to a polynomial one for a large range of inputs); folklore cannot be trusted in a fast moving area such as computer science.

Another problem is the reliability of the computations; many number theoretic algorithms err with a small probability, depend on unknown constants or rely on a Riemann hypothesis. The correctness of their output can either be ensured by a special design of the algorithm itself (slowing it down) or by an *a posteriori* verification. Ideally, the algorithm outputs a certificate, providing an independent *fast* correctness proof. An example is integer factorisation, where factors are hard to obtain but trivial to check; primality proofs have initiated sophisticated generalisations.

One of the long term goals of the Lfant project team is to make an inventory of the major number theoretic algorithms, with an emphasis on algebraic number theory and arithmetic geometry, and to carry out complexity analyses. So far, most of these algorithms have been designed and tested over number fields of small degree and scale badly. A complexity analysis should naturally lead to improvements by identifying bottlenecks, systematically redesigning and incorporating modern asymptotically fast methods.

Reliability of the developed algorithms is a second long term goal of our project team. Short of proving the Riemann hypothesis, this could be achieved through the design of specialised, slower algorithms not relying on any unproven assumptions. We would prefer, however, to augment the fastest unproven algorithms with the creation of independently verifiable certificates. Ideally, it should not take longer to check the certificate than to generate it.
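
As an added illustration of such a certificate (example code written for this page, not software of the Lfant team): a Pratt certificate for the primality of p, which is costly to produce, since it requires factoring p-1, but cheap to check with a few modular exponentiations, and whose check trusts nothing from the producer.

```python
# Added example: Pratt primality certificates, the classic "a posteriori"
# certificate.  Producing one needs the factorisation of p-1 (expensive);
# checking one only needs modular exponentiations (cheap and independent).
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrattCert:
    p: int                                   # the prime being certified
    a: int                                   # witness: element of order p-1 mod p
    factors: List["PrattCert"] = field(default_factory=list)  # certs for primes q | p-1


def _trial_factor(n: int) -> List[int]:
    """Distinct prime factors of n by trial division (adequate for demo sizes)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def make_cert(p: int) -> Optional[PrattCert]:
    """Build a certificate for p; return None if p is not prime (no witness exists)."""
    if p == 2:
        return PrattCert(2, 1)
    if p < 2 or p % 2 == 0:
        return None
    qs = _trial_factor(p - 1)
    subs = []
    for q in qs:                             # certify each prime factor recursively
        sub = make_cert(q)
        if sub is None:
            return None
        subs.append(sub)
    # Lucas' converse of Fermat: if a^(p-1) = 1 and a^((p-1)/q) != 1 for every
    # prime q | p-1, then a has order p-1, which forces p to be prime.
    for a in range(2, p):
        if pow(a, p - 1, p) == 1 and all(pow(a, (p - 1) // q, p) != 1 for q in qs):
            return PrattCert(p, a, subs)
    return None                              # composite: no element of order p-1


def verify(cert: PrattCert) -> bool:
    """Check a certificate without trusting the party that produced it."""
    p, a = cert.p, cert.a
    if p == 2:
        return True
    if p < 3 or not 1 < a < p:
        return False
    # The sub-certificates must account for the complete factorisation of p-1.
    m, qs = p - 1, []
    for sub in cert.factors:
        q = sub.p
        if q < 2 or m % q != 0:
            return False
        while m % q == 0:
            m //= q
        qs.append(q)
    if m != 1:
        return False
    if pow(a, p - 1, p) != 1:
        return False
    if any(pow(a, (p - 1) // q, p) == 1 for q in qs):
        return False
    # Each claimed prime factor must itself carry a valid certificate.
    return all(verify(sub) for sub in cert.factors)


if __name__ == "__main__":
    cert = make_cert(1000003)                # constructed input: a known prime
    print(verify(cert), make_cert(561))      # True, None (561 is a Carmichael number)
```

The Carmichael number 561 passes the plain Fermat test for every base coprime to it, yet no certificate can be built for it, which is exactly the soundness the verifier relies on.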

All theoretical results are complemented by concrete reference implementations in Pari/Gp, which allow one to determine and tune the thresholds where the asymptotic complexity kicks in and help to evaluate practical performance on problem instances provided by the research community. Another important source of algorithmic problems treated by the Lfant project team is modern cryptology. Indeed, the security of all practically relevant public key cryptosystems relies on the difficulty of some number theoretic problem; on the other hand, implementing the systems and finding secure parameters require efficient algorithmic solutions to number theoretic problems.

With Pari/Gp 2.5.0, the first major stable release of the software since 2007 was made in June 2011.

In March 2011, the Mpc software became an official Gnu package with Andreas Enge as its maintainer.

Modern number theory was introduced in the second half of the 19th century by Dedekind, Kummer, Kronecker, Weber and others, motivated by Fermat's conjecture: there is no non-trivial solution in integers to the equation

The solution requires augmenting the integers by
*algebraic numbers*, that are roots of polynomials in
*number field* consists of the rationals to which have been added finitely many algebraic numbers together with their sums, differences, products and quotients. It turns out that actually
one generator suffices, and any number field
*algebraic integers*, “numbers without denominators”, that are roots of a monic polynomial. For instance,
*ring of integers* of

Unfortunately, elements in
*ideals*, subsets of
*principal*, that is, generated by one element, so that ideals and numbers are essentially the same. In particular, the unique factorisation of ideals then implies the unique factorisation
of numbers. In general, this is not the case, and the
*class group*
*class number*

Using ideals introduces the additional difficulty of having to deal with
*fundamental units*. The
*regulator*

One of the main concerns of algorithmic algebraic number theory is to explicitly compute these invariants (

The
*analytic class number formula* links the invariants
*generalised Riemann hypothesis (GRH)*, which remains unproved even over the rationals, states that any such

When

Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation
*elliptic curves* of equation
*hyperelliptic curves* of equation

The cryptosystem is implemented in an associated finite abelian group, the
*Jacobian*
*rational function field* with subring
*function field* of
*coordinate ring*

The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an
*genus*

The security of the cryptosystem requires more precisely that the
*discrete logarithm problem* (DLP) be difficult in the underlying group; that is, given elements

For any integer
*Weil pairing*
*Tate–Lichtenbaum pairing*, which is more difficult to define but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter

Complex multiplication provides a link between number fields and algebraic curves; for a concise introduction in the elliptic curve case, see
Sect. 1.1, for more background material,
. In fact, for most curves
*CM field*. The CM field of an elliptic curve is an imaginary-quadratic field
*Hilbert class field*

Algebraically,
*Galois* if
*Galois group*
*abelian* extension is a Galois extension with abelian Galois group.

Analytically, in the elliptic case
*singular value*
*modular* function

The same theory can be used to develop algorithms that, given an arbitrary curve over a finite field, compute its

A generalisation is provided by
*ray class fields*; these are still abelian, but allow for some well-controlled ramification. The tools for explicitly constructing such class fields are similar to those used for Hilbert
class fields.

Being able to compute algebraic invariants quickly and reliably is an invaluable aid to mathematicians: it fosters new conjectures, and often shoots down the overly optimistic ones. Moreover, a large body of theoretical results in algebraic number theory has an asymptotic nature and only applies for large enough inputs; mechanised computations (preferably producing independently verifiable certificates) are often necessary to finish proofs.

For instance, many Diophantine problems reduce to a set of Thue equations of the form

Deeper invariants such as the Euclidean spectrum are related to more theoretical concerns, e.g., determining new examples of principal but not norm-Euclidean number fields; they could also yield practical new algorithms: even if a number field has class number larger than 1 (in particular, it is not norm-Euclidean), knowing the upper part of the spectrum should give a
*partial* gcd algorithm, succeeding for almost all pairs of elements of

Algorithms developed by the team are implemented in the free Pari/Gp system for number theory maintained by K. Belabas, which is a reference and the tool of choice for the worldwide number theory community.

Public key cryptology has become a major application domain for algorithmic number theory. This is already true for the ubiquitous RSA system, but even more so for cryptosystems relying on the discrete logarithm problem in algebraic curves over finite fields . For the same level of security, the latter require smaller key lengths than RSA, which results in a gain of bandwidth and (depending on the precise application) processing time. Especially in environments that are constrained with respect to space and computing power such as smart cards and embedded devices, algebraic curve cryptography has become the technology of choice. Most of the research topics of the Lfant team concern directly problems relevant for curve-based cryptology: the difficulty of the discrete logarithm problem in algebraic curves determines the security of the corresponding cryptosystems. Complex multiplication, point counting and isogenies provide, on the one hand, the tools needed to create secure instances of curves. On the other hand, isogenies have been found to have direct cryptographic applications to hash functions and encryption . Pairings in algebraic curves have proved to be a rich source for novel cryptographic primitives. Class groups of number fields also enter the game as candidates for algebraic groups in which cryptosystems can be implemented. However, breaking these systems by computing discrete logarithms has proved to be easier than in algebraic curves; we intend to pursue this cryptanalytic strand of research.

Apart from solving specific problems related to cryptology, number theoretic expertise is vital to provide cryptologic advice to industrial partners in joint projects. It is to be expected that continuing pervasiveness and ubiquity of very low power computing devices will render the need for algebraic curve cryptography more pressing in coming years.


Pari/Gp is a widely used computer algebra system designed for fast computations in number theory (factorisation, algebraic number theory, elliptic curves, ...), but it also contains a large number of other useful functions to compute with mathematical entities such as matrices, polynomials, power series, algebraic numbers, etc., and many transcendental functions.

Pari is a C library, allowing fast computations.

Gp is an easy-to-use interactive shell giving access to the Pari functions.

`gp2c`, the GP-to-C compiler, combines the best of both worlds by compiling Gp scripts to the C language and transparently loading the resulting functions into Gp; scripts compiled by `gp2c` will typically run three to four times faster.

2011 has seen the release of the next major stable version, 2.5, ending the 2.3 release series started in 2007.

Version of Pari/Gp: 2.5.0

Version of `gp2c`: 0.0.7pl11

License: GPL v2+

Programming language: C


Mpc is a C library for the arithmetic of complex numbers with arbitrarily high precision and correct rounding of the result. It is built upon and follows the same principles as Mpfr.

It is a prerequisite for the Gnu compiler collection Gcc since version 4.5, where it is used in the C and Fortran frontends for constant folding, the evaluation of constant mathematical expressions during the compilation of a program. Since 2011, it is an official Gnu project.

Version: 0.9 *Epilobium montanum*

License: LGPL v2.1+

ACM: G.1.0 (Multiple precision arithmetic)

AMS: 30.04 Explicit machine computation and programs

APP: deposited with the APP on 2003-02-05 under number IDDN FR 001 060029 000 R P 2003 000 10000

Programming language: C


Mpfrcx is a library for the arithmetic of univariate polynomials over arbitrary precision real (Mpfr) or complex (Mpc) numbers, without control on the rounding. For the time being, only the few functions needed to implement the floating point approach to complex multiplication are implemented. On the other hand, these comprise asymptotically fast multiplication routines such as Toom-Cook and the FFT.

Version: 0.3.1 *Banane*

License: LGPL v2.1+

Programming language: C


The Cm software implements the construction of ring class fields of imaginary quadratic number fields and of elliptic curves with complex multiplication via floating point approximations. It consists of libraries that can be called from within a C program and of executable command line applications. For the implemented algorithms, see .

Version: 0.1 *Apfelkraut*

License: LGPL v2+

Programming language: C


AVIsogenies (Abelian Varieties and Isogenies) is a Magma package for working with abelian varieties, with a particular emphasis on explicit isogeny computation.

Its prominent feature is the computation of

It can also be used to compute endomorphism rings of abelian surfaces, and find complete addition laws on them.

Version: 0.4

License: LGPL v2.1+

Programming language: Magma


Cubic is a standalone program that prints out generating equations for cubic fields of either signature and bounded discriminant. It depends on the Pari library. The algorithm has quasi-linear time complexity in the size of the output.

Version: 1.2

License: GPL v2+

Programming language: C

In , we presented for the first time an algorithm for the discrete logarithm problem in certain algebraic curves that runs in subexponential time less than

J.-F. Biasse has determined a class of number fields for which the ideal class group, the regulator, and a system of fundamental units of the maximal order can be computed in subexponential time
*Mathematics of Computation*.

Using new theoretical ideas and his novel algorithmic approach, J.-P. Cerri has discovered examples of generalised Euclidean number fields and of 2-stage norm-Euclidean number fields in degree greater than 2 . These notions, which extend the link between usual Euclideanity and principality of the ring of integers of a number field, had already received much attention before; however, examples were only known for quadratic fields.

P. Lezowski extended J.-P. Cerri's algorithm, which was restricted to totally real number fields, to decide whether a generic number field is norm-Euclidean. His procedure allowed him to find principal but not norm-Euclidean number fields of various signatures and degrees up to 8, and also to gain further insight into the norm-Euclideanity of some cyclotomic fields. Besides, many new examples of generalised Euclidean and 2-stage Euclidean number fields were obtained. The article has been submitted to *Mathematics of Computation*.

In another direction, norm-Euclidean ideal classes have been studied. They generalise the notion of norm-Euclideanity to non-principal number fields. Very few such number fields were known before. A modification of the algorithm provided many new examples and allowed the study of pure cubic fields equipped with a norm-Euclidean ideal class to be completed. The article has been submitted to *International Journal of Number Theory*.

With E. Hallouin, J.-M. Couveignes has studied descent obstructions for varieties . Such obstructions play an important role when one studies families of varieties (e.g. curves of a given genus). Obstructions are often measured by elements in groups like class groups. The theory of stacks provides a more general treatment of these obstructions. Couveignes and Hallouin give the first example of a global obstruction for a variety, that is, an obstruction that vanishes locally at every place.

In joint work with R. Scheidler and M. Jacobson, P. Rozenhart has generalized Belabas's algorithm for tabulating cubic number fields to cubic function fields . This generalization required function field analogues of the Davenport–Heilbronn Theorem and of the reduction theory of binary cubic and quadratic forms. As an additional application, they have modified the tabulation algorithm to compute 3-ranks of quadratic function fields by way of a generalisation of a theorem due to Hasse. The algorithm, whose complexity is quasi-linear in the number of reduced binary cubic forms up to some upper bound

The computation of the Galois representations uses their realisation, following Shimura and Deligne, in the torsion subgroup of Jacobian varieties of modular curves. The main challenge is then to perform the necessary computations in time polynomial in the dimension of these highly nonlinear algebraic varieties. Exact computations involving systems of polynomial equations in many variables take exponential time. This is avoided by numerical approximations with a precision that suffices to derive exact results from them. Bounds for the required precision – in other words, bounds for the height of the rational numbers that describe the Galois representation to be computed – are obtained from Arakelov theory. Two types of approximations are treated: one using complex uniformisation and another one using geometry over finite fields.

With F. Morain, A. Enge has determined exhaustively under which conditions “generalised Weber functions”, that is, simple quotients of

With J.-C. Faugère and D. Lubicz, D. Robert has given an explicit construction for a modular correspondence between abelian varieties . This correspondence describes the algebraic relations of ThetaNullWerte of different levels on isogenous abelian varieties. With R. Cosset, D. Robert has then given an algorithm explaining how to construct the corresponding isogeny when its (maximally isotropic) kernel is given . This uses a formula by Koizumi for changing the level of the ThetaNullWerte. This is the first algorithm allowing one to compute an isogeny between abelian varieties in polynomial time, and a public implementation is available in AVIsogenies.

With K. Lauter, D. Robert has worked on improving the computation of class polynomials in genus 2 by the CRT method. This involves some improvements to detect if the curve is maximal, a better sieving of the primes used, and the use of the CRT over the real quadratic field rather than over

In joint work with C. Clavier, B. Feix, G. Gagnerot and M. Roussellet, V. Verneuil has presented in new side-channel analysis results on the AES. They propose improvements to collision-correlation attacks which require fewer power traces than classical second-order power analysis techniques. In particular, two new methods are presented and are shown to be efficient in practice on two first-order protected AES implementations. They also mention that other symmetric embedded algorithms can be targeted by these new techniques.

With the same coauthors, V. Verneuil has presented new exponentiation algorithms for embedded implementations in . Embedded exponentiation techniques have become a key concern for security and efficiency in hardware devices using public key cryptography. An exponentiation is basically a sequence of multiplications and squarings, but this sequence may reveal exponent bits to an attacker on an unprotected implementation. Although this subject has been covered for years, they present new exponentiation algorithms based on trading multiplications for squarings. This method circumvents attacks aimed at distinguishing squarings from multiplications at a lower cost than other countermeasures. Finally, they present new algorithms using two parallel squaring blocks which provide one of the fastest exponentiation algorithms.
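
An added toy illustration of the leak described above and of the squarings-for-multiplications idea (example code written for this page, not the authors' algorithms; the identity x*y = ((x+y)^2 - (x-y)^2)/4 and the S/M trace model are my own simplifications):

```python
# Added example, not code from the Lfant team or the cited paper.  It shows
# (1) why the square/multiply operation sequence of a naive left-to-right
# exponentiation reveals the exponent, and (2) the "trade multiplications for
# squarings" idea: every multiplication is rewritten with the identity
#     x*y = ((x+y)^2 - (x-y)^2) / 4   (mod n, n odd, so 4 is invertible),
# leaving an operation trace that contains nothing but squarings.
from typing import Dict, List


def naive_exp(x: int, e: int, n: int, trace: List[str]) -> int:
    """Left-to-right square-and-multiply; records 'S'/'M' per operation."""
    r = 1
    for bit in bin(e)[2:]:
        r = r * r % n
        trace.append("S")
        if bit == "1":
            r = r * x % n
            trace.append("M")          # only executed for a 1 bit: the leak
    return r


def mul_by_squares(x: int, y: int, n: int, trace: List[str]) -> int:
    """x*y mod n computed with two squarings and no multiplication."""
    inv4 = pow(4, -1, n)               # n odd => gcd(4, n) = 1 (Python >= 3.8)
    s_plus = (x + y) ** 2 % n
    trace.append("S")
    s_minus = (x - y) ** 2 % n
    trace.append("S")
    return (s_plus - s_minus) * inv4 % n


def square_always_exp(x: int, e: int, n: int, trace: List[str]) -> int:
    """Same exponentiation, but every multiplication is replaced by squarings."""
    r = 1
    for bit in bin(e)[2:]:
        r = r * r % n
        trace.append("S")
        if bit == "1":
            r = mul_by_squares(r, x, n, trace)
    return r


def bits_from_trace(trace: List[str]) -> str:
    """Read an S/M sequence the way a simple power analysis would:
    an 'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def demo(x: int, e: int, n: int) -> Dict[str, object]:
    """Run both variants on the same inputs and report what the traces expose."""
    t_naive, t_sq = [], []
    r1 = naive_exp(x, e, n, t_naive)
    r2 = square_always_exp(x, e, n, t_sq)
    assert r1 == r2 == pow(x, e, n)    # both variants compute the same result
    return {
        "naive_leaks_exponent": bits_from_trace(t_naive) == bin(e)[2:],
        "square_always_ops": set(t_sq),                   # {'S'}: no multiplications left
        "square_always_recovered": bits_from_trace(t_sq), # all zeros: nothing learned
    }


if __name__ == "__main__":
    # Constructed toy parameters: an odd modulus and a small secret exponent.
    print(demo(x=0x1234, e=0b101101101, n=1_000_003))
```

In this simplified form a 0 bit still costs one squaring and a 1 bit three, so per-bit timing differs; what the rewrite removes is the squaring/multiplication distinction the passage is about.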

Together with D. Lubicz, D. Robert has extended their algorithm to compute pairings on abelian varieties using theta functions (published at ANTS 2010) to the case of the ate and optimal ate pairings. This involves a description of the Miller functions in terms of theta coordinates and an extension of the addition law using more general Riemann relations in order to compute them. The case of theta functions of level 2 has been optimised by introducing a way to compute “compatible” additions without the need for square roots. A preprint describing these results is being written, and some details can be found in the talk
http://


The Pace project unites researchers of France Télécom, Gemalto, NXP, Cryptolog International, the Inria project-teams Cascade and Lfant, and the University of Caen. It deals with electronic commerce and more precisely with electronic cash systems. Electronic cash refers to money exchanged electronically, with the aim of emulating paper money and its traditional properties and use cases, such as the anonymity of users during spending. The goal of Pace is to use the new and powerful tool of bilinear pairings on algebraic curves to solve remaining open problems in electronic cash, such as the strong unforgeability of money and the strong unlinkability of transactions, which would allow users to conveniently be anonymous and untraceable. It also studies some cryptographic tools that are useful in the design of e-cash systems.

Contract with *DGA maîtrise de l'information* about number theory and cryptography

Duration: two years, 2011–2012

Scientific coordinator: K. Belabas

Topics covered: index calculus and discrete logarithms, fast arithmetic for polynomials, pairings and cryptography, algorithmics of the Langlands programme

Vincent Verneuil, co-directed with B. Feix (Inside Contactless) and C. Clavier (Université de Limoges), works at Inside Contactless on elliptic curve cryptography, with an emphasis on embedded systems and side-channel attacks.


The AlgoL project comprises research teams in Bordeaux, Montpellier, Lyon, Toulouse and Besançon.

It studies the so-called

Most of current number theory conjectures originate from (usually mechanised) computations, and have been thoroughly checked numerically.

New theoretical results are translated into new or more efficient functions in the Pari/Gp system.

Program: Erasmus Mundus

Project acronym: ALGANT

Project title: ALgebra, Geometry and Number Theory

Duration: 09/2004–

Coordinator: University Bordeaux 1

Other partners: University Leiden (Netherlands), University Milano (Italy), University Padova (Italy), University Paris-Sud (France), Chennai Mathematical Institute (India), Concordia University (Canada), Stellenbosch University (South Africa)

Abstract: Joint master and doctoral programme; the PhD theses of Athanasios Angelakis and Julio Brau are co-supervised by P. Stevenhagen (Leiden) and K. Belabas

The following researchers have visited the Lfant team:

Christophe Ritzenthaler, Luminy, Marseille, February 23–25

Bernadette Perrin-Riou, Université d'Orsay, March 4–18 and June 10–17

Vanessa Vitse, Université de Versailles–St.-Quentin-en-Yvelines, April 13–14

Jérémy Le Borgne, University of Rennes, April 27–28

Andy Novocin, ÉNS Lyon and Inria project-team Arénaire, May 4–5

Lassina Dembelé, University of Warwick, May 18–19

Jean-François Biasse, University of Calgary, May 25–26

David Lubicz, Université de Rennes, July 18–22

Eduardo Friedman, Universidad de Chile, October 3–21

Michael Rubinstein, University of Waterloo, October 3–7

Tony Ezome, Université de Franceville, Gabon, December 2011–January 2012

K. Belabas acts on the editorial board of *Journal de Théorie des Nombres de Bordeaux* since 2005 and of *Archiv der Mathematik* since 2006.

H. Cohen is an editorial board member of
*Journal de Théorie des Nombres de Bordeaux*; he is an editor for the Springer book series
*Algorithms and Computations in Mathematics (ACM)*.

J.-M. Couveignes is associate editor of *Séminaires et Congrès* since 2008, of *Mathematics of Computation* since 2008, of *London Mathematical Society Journal for Computation and Mathematics* since 2009 and of *Publications mathématiques de Besançon* since 2010.

A. Enge is an editor of *Designs, Codes and Cryptography* since 2004.

K. Belabas: “Théorie algébrique des nombres et calcul formel” at *Journées Nationales de Calcul Formel*, Luminy, November 2011

J.-M. Couveignes: “The geometry of flex tangents to a cubic curve and its parameterizations” at *Elliptic Curve Cryptography – ECC 2011*, Nancy, September 2011

A. Enge: “Algorithms for complex multiplication of elliptic curves” at *Coding, Cryptology and Combinatoric Designs*, Singapore, 23rd to 26th May

A. Enge acts on the scientific advisory board of the *Journées Nationales de Calcul Formel*.

The following external speakers have given a presentation at the Lfant seminar:

Christophe Ritzenthaler (Marseilles): “Couplages sur les courbes d'Edwards et formules d'addition complètes”

Martin Weimann: “Factorisation torique des polynômes bivariés”

Vanessa Vitse (Versailles): “Attaques par recouvrement et décomposition du logarithme discret sur courbes elliptiques”

Jérémie Le Borgne (Rennes): “Algorithmique des phi-modules pour les représentations galoisiennes”

Andy Novocin (Lyon): “L1 a new quasi-linear LLL algorithm”

Lassina Dembelé (Warwick): “Sur la conjecture de Gross”

Jean-François Biasse (Calgary): “Calcul du groupe de classes et des unités dans les corps de nombres”

Peter Stevenhagen (Leiden): “Radical extensions and primitive roots”

Michael Rubinstein (Waterloo): “Conjectures, experiments, and algorithms concerning the moments of

K. Belabas is the head of the mathematics department of University Bordeaux 1. He also leads the computer science support service (“cellule informatique”) of the Institute of Mathematics of Bordeaux and coordinates the participation of the institute in the regional computation cluster PlaFRIM.

He is an elected member of the councils of both the math and computer science department (UFR) and the Math Institute (IMB).

J.-P. Cerri is an elected member of the scientific council of the Mathematics Institute of Bordeaux (IMB) and responsible for the bachelor programme in mathematics and informatics.

Since January 2011, J.-M. Couveignes is involved in the *GDR mathématiques et entreprises* and in the *Agence pour les mathématiques en interaction avec l’entreprise et la société*.

A. Enge is responsible for the international affairs of INRIA–Bordeaux-Sud-Ouest and a member of the COST-GTRI, the INRIA body responsible for evaluating international partnerships.

K. Belabas

*Algèbre et Calcul Formel*, 75h, M2, Université Bordeaux 1, France

J.-P. Cerri

*Algorithmique Algébrique 1*, 26h, L3, Université Bordeaux 1, France

*Arithmétique*, 40h, M1, Université Bordeaux 1, France

J.-M. Couveignes

*Algorithms for public key cryptography*, 40h, M2, Université Bordeaux 1, France

*Algorithms for number fields*, 40h, M2, Université Bordeaux 1, France

A. Enge: Chargé d'enseignement at École polytechnique

*Cryptologie*, 38.25h, M1, École polytechnique, France

*Modex Programmation Web*, 37.125h, L3, École polytechnique, France

P. Lezowski: Moniteur at Université Bordeaux 1

*MHT411: Groupes, anneaux, corps, TD*, 40h, L2, Université Bordeaux 1, France

*MOSE1003: Analyse et algèbre, cours–TD*, 27h, L1, Université Bordeaux 1, France

N. Mascot: Moniteur at Université Bordeaux 1

*MOSE1003: Analyse et algèbre, cours–TD*, 29h, L1, Université Bordeaux 1, France

*M1MI1001: Bases de l'analyse, cours–TD*, 20h, L1, Université Bordeaux 1, France

A. Page: Moniteur at Université Bordeaux 1

*M1CP3022: Maths analyse II, TD*, 42h, L2, Université Bordeaux 1, France

K. Belabas

PhD Claire Bourbon,
*Propagation de la 2-birationalité*, Bordeaux, 2011 (committee), Jean-François Jaulent.

PhD Jérémy Berthomieu,
*Contributions à la résolution des systèmes algébriques: réduction, localisation, traitement des singularités; implantations*, Polytechnique, 2011 (committee), Marc Giusti and
Grégoire Lecerf.

HdR Damien Stehlé,
*Réseaux Euclidiens: Algorithmes et Cryptographie*, ENS Lyon, 2011 (committee).

J.-M. Couveignes

PhD Jean Lancrenon,
*Authentification d'objets à distance*, Grenoble, 2011 (committee)

PhD Safia Haloui,
*Sur le nombre de points rationnels des variétés abéliennes sur les corps finis*, Marseille, 2011 (committee)

A. Enge

PhD Ezekiel Kachisa,
*Constructing Suitable Ordinary Pairing-friendly Hyperelliptic Curves*, Dublin City University, 2011-05-08 (report)

PhD Amandine Jambert,
*Outils cryptographiques pour la protection des contenus et de la vie privée des utilisateurs*, Université Bordeaux 1, 2011-03-15 (committee)

PhD Pierre Castel,
*Un algorithme de résolution des équations quadratiques en dimension 5 sans factorisation*, Université de Caen, 2011-08-06 (committee)

PhD Vanessa Vitse,
*Attaques algébriques du problème du logarithme discret sur courbes elliptiques*, Université de Versailles–Saint-Quentin-en-Yvelines, 2011-10-20 (committee)