TANC is located in the Laboratoire d'Informatique de l'École polytechnique (LIX). The project was created on the 10th of March 2003.

The aim of the TANC project is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

It is clear from this statement that we combine high-level mathematics with efficient programming. Our main area of competence and interest is that of algebraic curves over finite fields, and most notably their computational aspects; these objects appear as a substitute for modular arithmetic in new analogues of old-fashioned cryptography. One reason for this change is that we can achieve an equivalent security level with a much smaller key size. Our research contributes to the global search for a diverse range of secure substitutes for the famous RSA (Rivest–Shamir–Adleman) cryptosystem, in case some attack appears and destroys the products that use it.

Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values need to be proved, since they may be difficult to (re-)compute.

Our research area includes:

*Fundamental number theoretic algorithms*: We are interested in primality proving algorithms based on elliptic curves, integer factorization, and the computation of discrete logarithms over finite fields. These problems lie at the heart of the security of arithmetic-based cryptosystems.

*Algebraic curves over finite fields*: We tackle algorithmic problems involving efficiently computing group laws on Jacobians of curves, evaluating the cardinality of these objects, and studying the security of the discrete logarithm problem in such groups. These topics are crucial to the applicability of these objects in real crypto products. The theory of curves over finite fields is also essential in the field of AG codes, and the algorithmic aspects of curves and their Jacobians are important for good implementations and analysis.

*Complex multiplication*: The theory of Complex Multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic and hyperelliptic curve-based cryptosystems.

*List decoding of algebraic codes*: Using list decoding, one can fight adversarial noise at the same level as the Shannon limit for stochastic noise.

*Decoding algorithms for algebraic geometric codes*: We use our algorithmic knowledge to accelerate decoding algorithms, be they the classical ones (correcting up to half the minimum distance) or new ones that decode many more errors.

As our project-team name suggests, we aim to provide robust primitives for asymmetric cryptography. In recent years, we have made several attempts at applying our knowledge to real-life protocols. We also aim to promote the use of curve-based cryptography in new environments such as *ad hoc* networks. We will also try to promote the use of AG codes, which are the coding-theoretic analogue of elliptic curves in cryptology.

Once considered beautiful but useless, arithmetic has proven a spectacular success in the creation of a new paradigm in cryptography. Classical cryptography was mainly concerned with *symmetric* techniques: two parties wishing to communicate secretly had to share a common secret (the “key”) beforehand, and this same secret key was used both for encrypting the message and for decrypting it. This mode of communication is efficient enough when traffic is low, or when the parties can meet prior to communication. However, modern networks are simply too large for the classical paradigm to remain efficient any longer.

We therefore need cryptography *without* prior contact. In theory, this is simple: find two algorithms
*asymmetric* cryptology. Modern asymmetric cryptography provides not only secure communication channels but also solutions to the signature problem, as well as some solutions for identifying all parties in protocols, thus enabling products to be usable on the Internet (such as ssh and ssl/tls).

Now, where do the hard problems behind encryption and decryption come from? Mostly from arithmetic, where we find problems such as integer factorization and the discrete logarithm problem (DLP). It appears to be important to vary the groups which act as settings for concrete instances of the abstract hard problems, since this provides some bio-diversity which is key to resisting crypto-analytic attacks. The groups proposed include finite fields, modular integers, algebraic curves, and class groups. All of these now form cryptographic primitives that need to be assembled in protocols, and finally in commercial products.

Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory, and the efficient construction of these primitives. TANC concentrates on modular arithmetic, finite fields and algebraic curves.

We have a strong, well-known reputation for breaking records, whatever the subject is: constructing systems or breaking them. We have world-record computations in areas including primality proving, class polynomials, modular equations, computing cardinalities of algebraic curves, and discrete logarithms. This means writing programs and putting in all the work needed to support calculations that run for weeks or months. An important part of our task is now to transform record-breaking programs into programs to solve everyday cryptographic problems for current parameter sizes.

Certificates are another of our major concerns. By certificates, we mean efficiently verifiable proofs of the properties of the objects we build. While these certificates might be difficult to build, they are easy to check (by customers, for example). The traditional example is primality certificates for prime numbers, introduced by Pratt in 1974. We know how to construct certificates for the important properties of elliptic curves, with the aim of establishing what we call an **identity card** for a curve (including its cardinality, together with the proof of its factorization, its group structure with proven generators, its discriminant with proven factorization, and the class number of the associated order). The theory is ready for this, and the algorithms are not out of reach. This approach must be extended to other curves; the theory is almost ready in several cases, but algorithms are still to be found. This is one of the main problems facing TANC.
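Pratt's 1974 certificate, mentioned above, is the simplest instance of an efficiently verifiable proof. The following Python is an added example (not TANC's ECPP code) that builds such a certificate by trial division and checks it with modular exponentiation only; the verifier also rejects a Carmichael number that passes the Fermat test, and the numbers used are constructed toy values.

```python
# Added example (not TANC code): Pratt primality certificates.  A certificate for
# a prime n is a witness a with a^(n-1) = 1 (mod n) and a^((n-1)/q) != 1 (mod n)
# for every prime q | n-1, together with certificates for those q.  Building it
# needs the factorisation of n-1 (trial division here, so toy sizes only);
# checking it needs nothing but modular exponentiation.


def factor_by_trial_division(m):
    """Distinct prime factors of m (toy factorisation, fine for m < ~10^12)."""
    primes, d = [], 2
    while d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        primes.append(m)
    return primes


def build_pratt_certificate(n):
    """Return {"n": n, "a": witness, "factors": {q: cert_q}}, or None if n is composite."""
    if n < 2 or factor_by_trial_division(n) != [n]:
        return None
    if n == 2:
        return {"n": 2, "a": 1, "factors": {}}
    qs = factor_by_trial_division(n - 1)
    for a in range(2, n):
        if pow(a, n - 1, n) == 1 and all(pow(a, (n - 1) // q, n) != 1 for q in qs):
            return {"n": n, "a": a, "factors": {q: build_pratt_certificate(q) for q in qs}}
    return None   # unreachable for prime n: (Z/nZ)* is cyclic, so a generator exists


def verify_pratt(cert):
    """Check a certificate with exponentiations only (Lucas's converse of Fermat)."""
    n, a, factors = cert["n"], cert["a"], cert["factors"]
    if n == 2:
        return True
    if n < 2 or not 1 < a < n or pow(a, n - 1, n) != 1:
        return False
    m = n - 1
    for q, sub in factors.items():
        if sub is None or sub["n"] != q or not verify_pratt(sub):
            return False                  # each q must itself be certified prime
        if pow(a, (n - 1) // q, n) == 1:
            return False                  # the order of a would divide (n-1)/q
        while m % q == 0:
            m //= q
    return m == 1                         # the listed primes must exhaust n-1
```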

The mathematics used in cryptology is becoming more and more complex (for example, consider recent algorithms based on

One of the most common cryptographic protocols is Diffie–Hellman Key Exchange, which enables Alice and Bob to exchange secret information over an insecure channel. Given a publicly known
cyclic group
*DLP*) is fundamental to the security of the scheme, and groups for which the DLP is hard must be favored. Therefore, the choice of group

In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (and hence have a nice representation for elements of the Jacobian of the curve). Next, one must compute the cardinality of the Jacobian, so that we can find generators of the group. Once the curve is built, one needs to test its security, for example by determining the hardness of the DLP in its Jacobian.

The curves that interest us are typically defined over a finite field
*chord-and-tangent* formulæ. When dealing with a genus
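As an added illustration of the three steps above (group law, cardinality, then a key exchange of the Diffie–Hellman kind), and not code from TANC, here is a toy Python implementation over a constructed small prime field. The prime 1019, the curve coefficients and the secret scalars are constructed values, and the exhaustive point count is a stand-in for a real algorithm such as SEA, which it cannot replace at cryptographic sizes.

```python
# Added example (not TANC code): chord-and-tangent group law on a short
# Weierstrass curve y^2 = x^3 + a*x + b over F_p, naive point counting, and a
# Diffie-Hellman exchange in the resulting group. The prime, curve and secret
# scalars are constructed toy values, far below cryptographic size.

P = 1019          # constructed prime, P = 3 (mod 4) so square roots are a single pow()
A, B = 2, 3       # constructed coefficients; 4A^3 + 27B^2 = 275 != 0 mod P (non-singular)
O = None          # point at infinity, the group identity


def on_curve(pt):
    """Invalid-curve check: a received point must satisfy the curve equation."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Chord-and-tangent addition of two affine points."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                           # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    acc, addend = O, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def cardinality():
    """#E(F_p) by exhaustive count: for each x there are 0, 1 or 2 values of y.
    Tiny-p stand-in for SEA-style point counting; hopeless at real sizes."""
    count = 1                                   # the point at infinity
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        if rhs == 0:
            count += 1
        elif pow(rhs, (P - 1) // 2, P) == 1:    # Euler's criterion: rhs is a square
            count += 2
    return count


def find_point():
    """First affine point found, using sqrt(r) = r^((P+1)/4) since P = 3 mod 4."""
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)


def dh_exchange(gen, order, alice_secret, bob_secret):
    """Curve Diffie-Hellman; each side validates the peer's point before using it.
    In real use gen generates a prime-order subgroup and order is that prime."""
    alice_pub, bob_pub = mul(alice_secret, gen), mul(bob_secret, gen)
    for pub in (alice_pub, bob_pub):
        if pub is O or not on_curve(pub) or mul(order, pub) is not O:
            raise ValueError("invalid public point")
    return mul(alice_secret, bob_pub), mul(bob_secret, alice_pub)
```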

The great catalog of usable curves is now complete, as a result of the work of TANC, notably in two ACI (cryptocourbes and cryptologie p-adique) that are now completed.

Once the group law is tractable, one has to find means of computing the cardinality of the group: this is not an easy task in general. Of course, if frequently changing the group is imperative in applications, then this computation has to be done as fast as possible.

Two parameters enter the scene: the genus

When

When

When

Closing the gap between small and large characteristic leads to pushing the

The core of the Schoof–Elkies–Atkin (SEA) algorithm for computing cardinality of elliptic curves over large-characteristic finite fields consists in using the theory of isogenies to find small factors of division polynomials.

Isogenies are also a tool for understanding the difficulty of the Discrete Log problem among classes of elliptic curves. Recently, suggestions have appeared to use isogenies in a cryptographic context, replacing the multiplication on curves by composition of isogenies.

Algorithms for computing isogenies are very well known and widely used in the large characteristic case. When the characteristic is small, three algorithms exist: two due to Couveignes, and one due to Lercier.

The Discrete Logarithm Problem (DLP) is one of the major difficult problems upon which we build secure cryptosystems. It has essentially been proven equivalent to the computational
Diffie–Hellman problem, which corresponds more closely to the actual security of many protocols. For an arbitrary group of prime order

For higher genus curves, the algorithms with the best complexity create relations as smooth principal divisors on the curve and use linear algebra to deduce discrete logarithms, similarly to the quadratic sieve for factoring. The first such algorithm for high genus hyperelliptic curves with a heuristic complexity analysis is given in , and A. Enge developed the first algorithm with a proven subexponential run time of

The existence of subexponential algorithms shows that high genus curves are less secure than low-genus curves (including elliptic curves) in cryptography. By analyzing the same algorithms differently, concrete recommendations for key lengths can be obtained, an approach introduced by P. Gaudry in and pursued in . It turns out that elliptic curves and hyperelliptic curves of genus 2 are not affected, while the key lengths have to be increased in higher genus, for instance by

Using similar algorithms to those analyzed in , C. Diem has shown in that non-hyperelliptic curves (of genus at least 3) are even less secure than hyperelliptic ones of the same genus. This effectively leaves only elliptic and low genus hyperelliptic curves as potential sources for public-key cryptosystems.

Despite the achievements described above, random curves are sometimes difficult to use, since their cardinality is not easy to compute or some useful properties are too rare to occur (suitability for pairings, for instance). In some cases, curves with special properties can be used: for example, curves with *complex multiplication* (CM for short) have easily computable cardinalities. For instance, the elliptic curve defined by the equation

The CM theory for genus 1 is well known, dating back to the middle of the nineteenth century (Kronecker, Weber, etc.). Its algorithmic aspects are also well understood; recently more work was done, largely by TANC. Twenty years ago, this theory was applied by Atkin to the primality proving of arbitrary integers, yielding the ECPP algorithm developed since then by F. Morain. Though the decision problem isPrime? was shown to be in *P* (by the work of Agrawal, Kayal, and Saxena in 2002), practical primality proving for large random numbers is still done only with ECPP.

These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves for use in Identity Based Cryptosystems.

CM curves are defined by algebraic integers, whose minimal polynomials have to be computed exactly, the coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on one hand, and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants characterizing CM curves. The union of these two families is currently the state of the art in the field. More recently, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory. These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

F. Morain analyzed a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem, reaching heuristically

In his thesis, R. Dupont investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal linear complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary.

Using similar techniques, he has given a proven algorithm for the evaluation of the logarithm of complex numbers with quasi-optimal time complexity.

A. Enge has been able to analyse precisely the complexity of class polynomial computations via complex floating point approximations. Using techniques from fast symbolic computation (multievaluation of polynomials) and results from R. Dupont's PhD thesis, he has obtained two algorithms which are quasi-linear (up to logarithmic factors) in the output size. The second algorithm has been used for a record computation of a class polynomial of degree 100,000, the largest coefficient of which has almost 250,000 bits. The implementation is based on GMP, mpfr, mpc and mpfrcx (see Section 5); the only limiting factor for going further has become the memory requirements of the final result.

Alternative algorithms use

Inspired by , A. Sutherland has come up with a new implementation of the Chinese remainder based algorithm that has led to new record computations. Unlike the other algorithms, this approach does not need to hold the complete polynomial in main memory, but essentially only one coefficient at a time, which enables it to go much further. The main bottleneck is currently an extension of the algorithm to class invariants, which is work in progress by A. Enge.

The theory of Complex Multiplication also exists for non-elliptic curves, but it is more intricate, and only recently has using it become a realistic prospect. Some of the recent results are due to the work of R. Dupont (former member of TANC) in his thesis.

R. Dupont has worked on adapting his algorithm to genus 2, which induces great theoretical and technical difficulties. He has studied a generalization of the AGM known as Borchardt sequences, proven the convergence of these sequences in a general setting, and determined the set of limits of such sequences in genus 2. In particular, he proved a theorem parametrizing the set of all possible limits of Borchardt sequences starting with a fixed 4-tuple. He developed an algorithm for the fast evaluation of theta constants in genus 2, and as a byproduct obtained an algorithm to compute the Riemann matrix of a given hyperelliptic curve: given the equation of such a curve, it computes a lattice

Using these implementations, R. Dupont has begun computing modular polynomials for groups of the form

There are many other applications of algorithmic methods for algebraic curves besides asymmetric cryptography. Algebraic geometry (AG) codes form a very powerful family of codes that often beat records for their parameters: they often offer the best correction capacity. The main topic of research is to accelerate the decoding algorithms of these codes, whose cost is somewhat high. A reference implementation would be of major interest, to help people compare AG codes with Reed–Solomon codes.

Guruswami and Sudan have obtained a breakthrough for decoding AG codes with many errors. Still, there is no implementation available yet, even for the simplest AG codes (the Hermitian codes). In this domain too, the main problem is to find a reasonable complexity for these algorithms, and a practical implementation.

Clearly, our main field of applications is telecommunications. We participate in the protection of information. We are proficient on a theoretical level, and ready to develop applications using modern cryptographic techniques, with a main focus on elliptic curve cryptography and codes based on algebraic curves. One potential application is cryptosystems in environments with limited resources, such as smart cards, mobile phones, and *ad hoc* networks. For coding, we envisage developing algebraic codes for the erasure channel or distributed storage.

F. Morain has been continuously improving his primality proving algorithm called ECPP, originally developed in the early 1990s. Binaries for version 6.4.5 have been available since 2001 on his web page. Proving the primality of a 512 bit number requires less than a second on an average PC. His personal record is around

Together with E. Schost and L. De Feo, F. Morain has developed a new implementation of the SEA algorithm that computes the cardinality of elliptic curves over finite fields (large prime case, case
`gforge` project.

The TIFA library (short for Tools for Integer FActorization) was initially developed in 2006 and has been continuously improved during the last few years. TIFA is made up of a base library written in C99 using the GMP library, together with stand-alone factorization programs and a basic benchmarking framework to assess the performance of each algorithm.

As of November 2011, the library includes the following algorithms:

CFRAC (Continued FRACtion factorization)

ECM (Elliptic Curve Method)

Fermat (McKee's “fast” variant of Fermat's algorithm)

SIQS (Self-Initializing Quadratic Sieve)

SQUFOF (SQUare FOrm Factorization)

The complete TIFA package has been registered at the French Agency for Software Protection (APP, http://) in 2011 with the Inter Deposit Digital Number:

`IDDN.FR.001.220019.000.S.A.2011.000.31235.`

It is now available online at http://

The FAAST library is developed in C++ by L. De Feo and makes use of the NTL library. It implements the algorithms presented in , plus other algorithms needed by the author for his research on explicit isogenies.

Version 0.2.0, released on July 11 2009, is available at http://

FAAST is a very efficient library for lattices of extensions of finite fields. Our aim is to add support for arbitrary finite fields, making it an essential building block for efficient computer algebra systems.

The Quintix library is a Mathemagix package available at http://

Quintix is a very efficient library for Galois rings, extensions of Galois rings and root-finding in Galois rings.

As part of his activity in the PACE ANR, J. Milan completed, under the supervision of A. Enge, the development of APIP (Another Pairings Implementation in PARI), a PARI/GP module to compute state-of-the-art cryptographic pairings over elliptic curves. This module was intended to be an experimental framework for comparing the performance of the main cryptographic pairings, with an emphasis on the standard 128, 192 and 256 bit high security levels.

APIP implements the Tate, Weil, ate and twisted ate pairings together with some optimal variants of the ate and twisted ate pairings for some elliptic curve families. Due to its very flexible architecture, it makes it easy to select several algorithm variants for each step of a pairing computation for a finer analysis.

Due to its emphasis on pairings for cryptographic purposes only, it is doubtful that the APIP module will be integrated in the upstream PARI/GP code base. We hope to be able to distribute APIP as an independent module in the near future, ideally under an open-source licence.

In joint work with Pierrick Gaudry (CARAMEL) and David Kohel (Marseille), B. Smith developed an accelerated Schoof-type point counting algorithm for genus 2 curves with efficiently computable real multiplication endomorphisms. This project has made the computation of cryptographic-sized group orders practical for curves of genus 2 over prime finite fields. Going way beyond the current cryptographic range, the algorithm has been used to compute the group order of a 1024-bit Jacobian (smashing the previous 256-bit record of Gaudry and Schost). The article describing this algorithm has been awarded the Best Paper prize at ASIACRYPT 2011, and an extended version has been invited for submission to Journal of Cryptology (the leading journal in the field).

F. Morain has been investigating new invariants for building class polynomials with small coefficients. This is still work in progress, though advertised in some talks of his.

D. Augot, M. Barbier and Caroline Fontaine randomized the bounded syndrome coding problem on wet paper—an important embedding problem in steganography—so that this problem always has a solution. This randomization is inspired by the Courtois–Finiasz–Sendrier signature scheme, and gives nice results for linear perfect codes. In the special case of binary Hamming codes, this new method reaches exactly the necessary and sufficient bounds to ensure the embedding. The previous bounds were introduced by Carlos Munuera and M. Barbier. These bounds depend on the dual distance of the code used. Thanks to the generalized Hamming weight, they proved that codes with low MDS rank are better in this context. Since the nature of their results is combinatorial, the authors generalized a bound to systematic non-linear codes and showed that non-linear systematic codes could be good candidates, as shown by the example of the Nadler code.
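To make the bounded syndrome coding problem on wet paper concrete, here is an added Python example (not the authors' code) for the binary [7,4] Hamming code: it embeds a 3-bit message by a minimum-weight change supported on the dry positions, and returns None in the cases where the wet positions leave no solution, which is the failure mode the randomization above is designed to remove. The cover, message and wet positions are constructed values.

```python
# Added example (not the authors' code): bounded syndrome coding with the binary
# [7,4] Hamming code, the setting of the wet-paper embedding problem above.
# Embedding a 3-bit message m in a 7-bit cover x means finding a change e with
# H*(x + e) = m (mod 2).  The Hamming code has covering radius 1, so one flip
# always suffices when every position is "dry"; wet positions (which must not
# change) can leave the required syndrome outside the span of the dry columns,
# and then no embedding exists.

H = [[0, 0, 0, 1, 1, 1, 1],   # parity-check matrix; column j is the binary
     [0, 1, 1, 0, 0, 1, 1],   # expansion of j+1 (top row = most significant bit)
     [1, 0, 1, 0, 1, 0, 1]]


def syndrome(x):
    """H*x over GF(2), as a tuple of 3 bits."""
    return tuple(sum(h * b for h, b in zip(row, x)) % 2 for row in H)


def extract(stego):
    """Receiver side: the embedded message is simply the syndrome of the stego vector."""
    return syndrome(stego)


def embed(cover, message, wet=()):
    """Wet-paper embedding: apply the smallest change e supported on the dry
    positions such that syndrome(cover + e) == message.  Because the syndrome is
    linear, this means syndrome(e) == syndrome(cover) xor message.  Returns None
    when no such e exists (the wet positions make the problem unsolvable)."""
    dry = [j for j in range(7) if j not in wet]
    target = tuple(s ^ m for s, m in zip(syndrome(cover), message))
    best = None
    for mask in range(1 << len(dry)):          # brute force: at most 2^7 candidates
        e = [0] * 7
        for i, j in enumerate(dry):
            if (mask >> i) & 1:
                e[j] = 1
        if syndrome(e) == target and (best is None or sum(e) < sum(best)):
            best = e
    if best is None:
        return None
    return [c ^ b for c, b in zip(cover, best)]


def changed_positions(cover, stego):
    """Positions where the stego vector differs from the cover (embedding cost)."""
    return [j for j, (c, s) in enumerate(zip(cover, stego)) if c != s]
```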

D. Augot, in collaboration with L. Perret from the Salsa team and Bochum Universität, designed a “secret-key” homomorphic encryption scheme, which is much more efficient than the public-key ones. It is based on

D. Augot, M. Barbier and A. Couvreur presented a simple way to decode binary Goppa codes, with a clean study of the complexity. Using this list decoding algorithm, M. Barbier and Paulo Barreto proposed a key reduction for the McEliece cryptosystem. The list decoding algorithm allows more errors to be added during the McEliece encryption step, making decoding attacks more difficult. At the same complexity of these attacks, using the list decoding algorithm decreases the public key size, which is the main drawback of this cryptosystem.

B. Smith constructed six infinite series of families of pairs of algebraic curves of arbitrarily high genus, defined over number fields, together with an explicit isogeny between the Jacobians of the curves splitting multiplication by 2, 3, or 4.

M. Barbier, Christophe Chabot and G. Quintin exhibited a bijective correspondence between the

Jérémy Berthomieu, Grégoire Lecerf and G. Quintin presented a new algorithm to find all the roots of a given polynomial with coefficients in a Galois ring. It has been used to study the behavior of the Sudan algorithm for Reed–Solomon codes over Galois rings. The algorithm has been adapted to work over rings of power series in several variables. It was implemented in the Quintix package of Mathemagix.

A GEMPLUS contract corresponds to É. Brier's thesis on the use of (hyper-)elliptic curves in cryptology.

D. Augot, with Christine Eisenbess, is in discussion with MassiveRand, an SME providing random bits at high rate, in order to provide Rabin's HyperEncryption, which is provably secure.

Digiteo contributed the operational funding for the project AMIGA (Advanced Methods for Isogeny Graph Analysis), with B. Smith as the scientific leader of the project. On a national level, the DGA contributed a postdoctoral salary to the project (see National Initiatives).

The DGA funded a postdoctoral researcher's salary for Sorina Ionica, allowing her to join TANC for one year (10/2010–09/2011) as a postdoctoral researcher for the AMIGA project.

The team received DGA funding for the project DIFMAT, joint with ENSTA, to find good MDS matrices, which are used for diffusion in block ciphers. The period is October 2011–September 2012, possibly renewable for one year.

Partner 1: Ulm Universität, TAIT group, Germany.

Subject 1: bridging Ulm's unique decoding with Guruswami-Sudan list decoding. Funded by a PHC Hubert Curien.

DTU, Denmark.

Kamal Khuri-Makdisi, American University of Beirut, two weeks.

Iwan Duursma, University of Illinois at Urbana-Champaign, two weeks.

D. Augot is a member of the scientific committee for the French CCA seminar.

D. Augot was co-chair, with Anne Canteaut, of WCC 2001, and is guest editor of a special issue of Design, Codes, and Cryptography dedicated to the conference.

F. Morain was invited speaker at the C2 meeting (Ile d'Oléron, spring 2011).

F. Morain gave two lectures in the summer school linked to ECC2011.

B. Smith organised the rump session at ECC2011.

D. Augot

18 hours, “Codes correcteurs d'erreurs et applications à la cryptographie”, M2, MPRI, France.

F. Morain:

10 lectures of 1.5h, 1st year course “Introduction à l'informatique” (INF311) at École polytechnique.

7.5h Algorithmes arithmétiques pour la cryptologie, M2, MPRI, France.

B. Smith:

INF321: Les principes des langages de programmation, 40h (TD), L1, École polytechnique, France

Algorithmes arithmétiques pour la cryptologie, 9h, M2, MPRI, France

PhD & HdR:

PhD: Morgan Barbier, “Décodage en liste et application à la sécurité de l’information”, defended December 2nd, 2011, D. Augot.

PhD in progress: Cécile Gonçalves, Advanced cardinality algorithms for cryptographically interesting curves, 01/10/2011, F. Morain and B. Smith.

D. Augot made a presentation “Quand 1+1=0” to Lycée students at Savigny-sur-Orge.

D. Augot participated in a S[cube] meeting at Gif-sur-Yvette, about mathematicians.

D. Augot was interviewed for a video about Évariste Galois.

D. Augot, M. Barbier, C. Gonçalves, S. Ionica, and B. Smith took part in the “Nuit des chercheurs” at the École polytechnique.