GRACE has two broad application domains—cryptography and coding
theory—linked by a common foundation in
algorithmic number theory and the geometry of algebraic curves.
In our research, which combines theoretical work
with practical software development,
we use algebraic curves
to *create better cryptosystems*,
to *provide better security assessments*
for cryptographic key sizes,
and to *build the best error-correcting codes*.

Coding and cryptography deal (in different ways) with securing communication systems for high-level applications. In our research, the two domains are linked by the computational issues related to algebraic curves (over various fields) and arithmetic rings. These fundamental number-theoretic algorithms, at the crossroads of a rich area of mathematics and computer science, have already proven their relevance in public key cryptography, with industrial successes including the RSA cryptosystem and elliptic curve cryptography. It is less well-known that the same branches of mathematics can be used to build very good codes for error correction. While coding theory has traditionally had an electrical engineering flavour, recent developments in computer science have shed new light on coding theory, leading to new applications more central to computer science.

Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:

fundamental algorithms for integers and polynomials (including primality and factorization);

algorithms for finite fields (including discrete logarithms); and

algorithms for algebraic curves.

Computer algebra is therefore used throughout our work. Research in cryptology
has motivated a renewed interest in Algorithmic Number Theory in
recent decades, but the fundamental problems still exist *per
se*. Indeed, while the application of algorithmic number theory to
cryptanalysis is epitomized by factoring the modulus of an RSA
public key, many other problems are relevant to various areas of
computer science. Roughly speaking, the problems of the cryptological
world are of bounded size, whereas Algorithmic Number Theory is also
concerned with asymptotic results.

*Arithmetic Geometry* is the meeting point of algebraic geometry and
number theory: that is, the study of geometric objects defined over
arithmetic number systems (such as the integers and finite fields).
The fundamental objects for our applications
in both coding theory and cryptology
are curves and their Jacobians over finite fields.

An algebraic *plane curve*

(Not every curve is planar—we may have more variables, and more
defining equations—but from an algorithmic point of view,
we can always reduce to the plane setting.)
The *genus* *elliptic curves*;
they are typically defined by equations of the form

The curve *Jacobian* of

Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.

Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
*key*, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group

This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups

The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field

This is where Jacobians of algebraic curves come into their own.
First, elliptic curves and Jacobians of genus 2 curves do not have a
subexponential index calculus algorithm: in particular, from the point
of view of the DLP, a generic elliptic curve is currently *as
strong as* a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed
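
Diffie–Hellman over a generic group, as an added example that is not part of the original report and not GRACE's code: the exchange is written once against an abstract group interface (an identity and a composition law) and then run both on the classic multiplicative group of a prime field and on the rational points of a small elliptic curve, so that the same protocol code serves both families discussed above. The parameters are toy values constructed for readability, not secure sizes: F_23^* with generator 5 (order 22), and the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1), which has 19 points.

```python
"""Diffie-Hellman written once over an abstract group, then instantiated with the
two groups discussed above: the multiplicative group of a prime field and the
rational points of an elliptic curve over a prime field.
Toy parameters (constructed for illustration, not secure sizes): F_23^* with
generator 5 (order 22), and E: y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1)
(E has 19 points, a prime, so every point but infinity generates it)."""
import secrets


def group_pow(group, base, exponent):
    """base^exponent by square-and-multiply; 'multiplication' is whatever group.mul
    does (modular multiplication for F_p^*, point addition for a curve)."""
    result = group.identity
    acc = base
    while exponent > 0:
        if exponent & 1:
            result = group.mul(result, acc)
        acc = group.mul(acc, acc)
        exponent >>= 1
    return result


class MultiplicativeGroup:
    """Non-zero residues modulo a prime p under multiplication."""

    def __init__(self, p):
        self.p = p
        self.identity = 1

    def mul(self, a, b):
        return (a * b) % self.p


class EllipticCurveGroup:
    """Affine points of y^2 = x^3 + a*x + b over F_p; None is the point at infinity."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b
        self.identity = None

    def on_curve(self, point):
        if point is None:
            return True
        x, y = point
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def mul(self, P, Q):
        """Group law (point addition), named mul so group_pow can treat it generically."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                      # P + (-P) = infinity (also doubling with y = 0)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)


def dh_keypair(group, generator, order, secret=None):
    """Private scalar in [1, order-1] (from the OS CSPRNG unless given) and the
    public element generator^secret."""
    if secret is None:
        secret = 1 + secrets.randbelow(order - 1)
    return secret, group_pow(group, generator, secret)


def dh_shared(group, own_secret, peer_public):
    """Shared secret peer_public^own_secret; both sides land on generator^(a*b)."""
    return group_pow(group, peer_public, own_secret)


FP_GROUP = MultiplicativeGroup(23)
FP_GEN, FP_ORDER = 5, 22
CURVE = EllipticCurveGroup(17, 2, 2)
CURVE_GEN, CURVE_ORDER = (5, 1), 19


def exchange(group, generator, order, alice_secret=None, bob_secret=None):
    """One full exchange: (Alice's public, Bob's public, Alice's shared, Bob's shared)."""
    a, A = dh_keypair(group, generator, order, alice_secret)
    b, B = dh_keypair(group, generator, order, bob_secret)
    return A, B, dh_shared(group, a, B), dh_shared(group, b, A)


if __name__ == "__main__":
    for name, grp, g, n in (("F_23^*", FP_GROUP, FP_GEN, FP_ORDER),
                            ("E(F_17)", CURVE, CURVE_GEN, CURVE_ORDER)):
        A, B, ka, kb = exchange(grp, g, n)
        print(f"{name}: A={A} B={B} shared={ka} agree={ka == kb}")
```

The only thing an eavesdropper sees is the pair of public elements; recovering either secret scalar from them is the discrete logarithm problem in the chosen group, which is why the choice of group (and, for the curve case, of a prime group order) is the whole security argument of the protocol.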

Coding theory originated with the idea of using redundancy in
messages to protect against noise and errors. The last decade of the
20th century saw the success of so-called iterative decoding
methods, which get very close to the Shannon
capacity. The capacity of a given channel is the best achievable
transmission *rate* for reliable transmission. The consensus in
the community is that this capacity is more easily reached with these
iterative and probabilistic methods than with algebraic codes (such as
Reed–Solomon codes).

However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random-noise setting, and promises only a vanishing error probability. In contrast, the algebraic (Hamming) approach is a worst-case approach: under combinatorial restrictions on the noise (a bound on the number of corrupted positions), the noise may be adversarial, and decoding still succeeds with zero failure probability.

These considerations have been revived by the topic of *list decoding*
after the breakthrough of Guruswami and Sudan at the end of the
nineties. List decoding relaxes the uniqueness requirement of
decoding, allowing a small list of candidates to be returned instead
of a single codeword. List decoding can reach a capacity close
to the Shannon capacity, with zero failure, with small lists, in
the adversarial case.
The method of Guruswami and Sudan enabled list decoding of most of the
main algebraic codes, Reed–Solomon codes and Algebraic–Geometry (AG)
codes, as well as new related constructions (“capacity-achieving list
decodable codes”). These results open the way to applications against
adversarial channels, which correspond to worst-case settings in
the classical computer science language.

Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).

From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.

Another area of algebraic coding theory with which we have more recently become concerned is that of Locally Decodable Codes. Having first been introduced as a theoretical object, these codes are now beginning to find practical applications, most notably in cloud-based remote storage systems.

In the twenty-first century, cryptography plays two essential roles:
it is used to ensure the *confidentiality* and the *integrity*
of communications and communicating entities.
Contemporary cryptographic techniques can be used
to hide private data,
and to prove that public data has not been modified;
to provide anonymity, and to assert and prove public identities.
The creation and testing of practical cryptosystems involves

The design of provably secure protocols;

The design and analysis of compact and efficient algorithms to implement those protocols, and to attack their underlying mathematical and computational problems;

The robust implementation of those algorithms in low-level software and hardware, and their deployment in the wild.

While these layers are interdependent, GRACE's cryptographic research is focused heavily on the middle layer: we design, implement, and analyze the most efficient algorithms for fundamental tasks in contemporary cryptography. Our “clients”, in a sense, are protocol designers on the one hand, and software and hardware engineers on the other.

F. Morain and B. Smith work primarily on the number-theoretic algorithms that underpin the current state-of-the-art in public-key cryptography (which is used to establish secure connections, and create and verify digital signatures, among other applications). For example, their participation in the ANR CATREL project aims to give a realistic assessment of the security of systems based on the Discrete Logarithm Problem, by creating a free and open software package implementing the fastest known algorithms for attacking DLP instances. This will have an extremely important impact on contemporary pairing-based cryptosystems, as well as legacy finite-field-based cryptosystems. On a more constructive note, F. Morain's elliptic curve point counting and primality proving algorithms are essential tools in the everyday construction of strong public-key cryptosystems, while B. Smith's recent work on elliptic curves aims to improve the speed of curve-based cryptosystems (such as Elliptic Curve Diffie–Hellman key exchange, a crucial step in establishing secure internet connections) without compromising their security.

D. Augot, F. Levy-dit-Vehel, and A. Couvreur's
research on codes has far-reaching applications in
*code-based cryptography*.
This is a field which is growing rapidly in importance, partly
due to the conjectured resistance of code-based cryptosystems to
attacks from quantum computers, partly due to the range of new
techniques on offer, and partly because the fundamental problem
of parameter selection is relatively poorly understood.
For example, A. Couvreur's work on filtration attacks on codes has an
important impact on the design of code-based systems using wild Goppa
codes or
algebraic geometry codes, and on the choice of parameter sizes
for secure implementations.

Coding theory also has important practical applications in the improvement of conventional symmetric cryptosystems. For example, D. Augot's recent work on MDS matrices via BCH codes gives a more efficient construction of optimal diffusion layers in block ciphers. Here we use combinatorial, non-algorithmic properties of codes, in the internals of designs of block ciphers.

While coding theory brings tools as above for the classical
problems of encryption, authentication, and so on, it can also
provide solutions to new cryptographic problems. This is
classically illustrated by the use of Reed-Solomon codes in secret
sharing schemes. Grace is involved in the study, construction and
implementation of locally decodable codes, which have applications
in quite a few cryptographic protocols: *Private Information Retrieval*,
*Proofs of Retrievability*, *Proofs of Ownership*, etc.

F. Morain is one of the developers of CADO-NFS (available at
http://

Working with C. Costello (Microsoft Research) and H. Hisil (Yasar),
B. Smith contributed to the development of
a competitive, high-speed,
open implementation of the Diffie–Hellman protocol
(described in ), targeting the 128-bit
security level on Intel platforms.
The source code is freely available at
http://

At the beginning of 2014, D. Augot and C. Pernet submitted an IJD proposal (ingénieur jeune diplômé) to Inria, called Projet Actis (Algorithmic Coding Theory In Sage). The aim of this project is to vastly improve the state of the error-correcting code library in Sage. The existing library does not present a good and usable API, and the provided algorithms are very basic, irrelevant, and outdated. We thus have two directions for improvement: renewing the APIs to make them actually usable by researchers, and incorporating efficient programs for decoding, like J. Nielsen's CodingLib, which contains many new algorithms.

We hired D. Lucas on October 1st; he has started implementing various basic things, in a standalone manner. We plan to publish these snippets of code to the Sage community in January 2015. Our plan is to interact a lot with the Sage community, to ensure that our new APIs will cover most of the needs of various communities.

F. Morain and A. Guillevic (with their co-authors R. Barbulescu
and P. Gaudry) broke the discrete logarithm world record for finite
fields of the form

D. Augot and M. Finiasz received the best paper award at FSE 2014. FSE is the most important conference devoted to symmetric cryptography. Grace's contribution is a mathematical construction which enables the direct construction of so-called diffusion layers in block ciphers.

A. Zeh, former Grace PhD student, received the special Prize of the Université Franco-Allemande (UFA) Jury 2014 at the French Embassy in Berlin, on November 21st.

*MDS matrices* allow the construction of optimal linear
diffusion layers in block ciphers. However, MDS matrices usually
have a large description (for example, they can never be sparse),
and this results in costly software/hardware implementations. We
can solve this problem using *recursive MDS matrices*, which
can be computed as a power of a simple companion matrix—and thus
have a compact description suitable for constrained environments.
Until now, finding recursive MDS matrices required an exhaustive
search on families of companion matrices; this clearly limited the
size of MDS matrices that one could look for. We have found a new
direct construction, based on shortened BCH codes, which allows us
to efficiently construct these matrices for arbitrary parameter
sizes. D. Augot and M. Finiasz received
the best paper award at FSE 2014, and were invited to submit an
extended journal version to *Journal of Cryptology*.
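
An added example, not the construction of the FSE 2014 paper and not GRACE's code: it builds the companion matrix of a monic polynomial over GF(2^m), raises it to the k-th power, and tests the MDS property by checking that every square submatrix is nonsingular, then runs the exhaustive search over companion matrices that the paragraph above describes as the previous state of the art. The field sizes, the AES MixColumns matrix used as a known-MDS sanity check, and the search space (3 x 3 over GF(2^4) with x^4 + x + 1) are choices made here so that the search finishes in seconds; the BCH-based direct construction itself is not reproduced.

```python
"""Recursive MDS matrices: a k x k companion matrix C raised to the k-th power, tested
for the MDS property (every square submatrix nonsingular) over GF(2^m).
Constructed example: it implements the exhaustive search over companion matrices that
the text describes, on a small field, not the BCH-based direct construction."""
import itertools


def gf_mul(a, b, m, poly):
    """Multiply in GF(2^m); poly is the reduction polynomial as a bit pattern of degree m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:
            a ^= poly
    return r


def gf_inv(a, m, poly):
    """a^(2^m - 2) = a^(-1) in GF(2^m), by square-and-multiply (a must be nonzero)."""
    result, base, e = 1, a, (1 << m) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, m, poly)
        base = gf_mul(base, base, m, poly)
        e >>= 1
    return result


def _dot(u, v, m, poly):
    acc = 0
    for x, y in zip(u, v):
        acc ^= gf_mul(x, y, m, poly)
    return acc


def mat_mul(A, B, m, poly):
    n = len(A)
    cols = [[B[r][j] for r in range(n)] for j in range(n)]
    return [[_dot(A[i], cols[j], m, poly) for j in range(n)] for i in range(n)]


def mat_pow(M, e, m, poly):
    n = len(M)
    result = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(e):
        result = mat_mul(result, M, m, poly)
    return result


def companion(coeffs):
    """Companion matrix of x^k + c_{k-1} x^{k-1} + ... + c_0 with coeffs = [c_0, ..., c_{k-1}]:
    ones on the superdiagonal, the coefficients in the last row (no signs in characteristic 2).
    This is the compact description: k field elements instead of k*k."""
    k = len(coeffs)
    C = [[int(j == i + 1) for j in range(k)] for i in range(k - 1)]
    C.append(list(coeffs))
    return C


def is_nonsingular(M, m, poly):
    """Gaussian elimination over GF(2^m): full rank iff a pivot exists in every column."""
    M = [row[:] for row in M]
    n = len(M)
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return False
        M[col], M[pivot] = M[pivot], M[col]
        inv = gf_inv(M[col][col], m, poly)
        for r in range(col + 1, n):
            if M[r][col]:
                f = gf_mul(M[r][col], inv, m, poly)
                M[r] = [x ^ gf_mul(f, y, m, poly) for x, y in zip(M[r], M[col])]
    return True


def is_mds(M, m, poly):
    """A square matrix is MDS iff every square submatrix (every minor) is nonsingular."""
    n = len(M)
    for size in range(1, n + 1):
        for rows in itertools.combinations(range(n), size):
            for cols in itertools.combinations(range(n), size):
                if not is_nonsingular([[M[r][c] for c in cols] for r in rows], m, poly):
                    return False
    return True


def find_recursive_mds(k, m, poly):
    """Exhaustive search: the first companion matrix C whose k-th power is MDS, returned
    as (coefficients, C^k), or None. c_0 is kept nonzero, otherwise C is singular."""
    for coeffs in itertools.product(range(1, 1 << m), *([range(1 << m)] * (k - 1))):
        M = mat_pow(companion(coeffs), k, m, poly)
        if is_mds(M, m, poly):
            return list(coeffs), M
    return None


# The AES MixColumns matrix over GF(2^8) with x^8 + x^4 + x^3 + x + 1: a well-known MDS matrix.
AES_MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    print("AES MixColumns is MDS:", is_mds(AES_MIXCOLUMNS, 8, 0x11B))
    coeffs, M = find_recursive_mds(3, 4, 0x13)     # GF(2^4) with x^4 + x + 1
    print("first 3x3 recursive MDS over GF(2^4): companion last row", coeffs, "C^3 =", M)
```

The search cost is the point: the candidate space is (2^m)^k and each candidate needs all minors checked, which is why this route does not scale to the larger parameters a direct construction can reach. In a cipher, the companion matrix C is what gets implemented (one shift register step), and applying it k times yields the MDS layer.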

P. Karpman has started to study sub-optimal diffusion layers, which can be built from algebraic geometry codes with a large automorphism group. Preliminary work has led to promising results. To properly assess the cryptanalytic properties of these codes, V. Ducet is implementing a method for efficiently computing the weight distribution of AG codes.

Rank metric and Gabidulin codes over the rationals promise
interesting applications to space-time coding. We have constructed
optimal codes, similar to Gabidulin codes, in the case of infinite
fields. We use algebraic extensions, and we have determined the
condition on the considered extension to enable this construction.
For example: we can design codes with complex coefficients, using
number fields and Galois automorphisms.
Then, in the rank metric setting, codewords can be seen as matrices.
In this setting, a channel introduces errors (a matrix of small rank

We have also used this framework to build rank-metric codes over the field of rational functions, using algebraic function fields with cyclic Galois group (Kummer and Artin extensions). These codes can be seen as a generator of infinitely many convolutional codes.

Determining the tensor rank of multiplication over finite fields is
a problem of great interest in algebraic complexity theory, but it
also has practical importance: it allows us to obtain multiplication
algorithms with a low bilinear complexity, which are of crucial
significance in cryptography. In collaboration with S. Ballet and
J. Chaumine , J. Pieltant obtained new
asymptotic bounds for the symmetric tensor rank of multiplication in
finite extensions of finite fields

The McEliece encryption scheme based on binary Goppa codes was one of the first public-key encryption schemes. Its security rests on the difficulty of decoding a generic linear code, together with the public code being indistinguishable from a random one. The original proposal uses classical Goppa codes, and while it still remains unbroken, it requires very large keys. On the other hand, many derivative systems based on other families of algebraic codes have been subject to key recovery attacks. Up to now, key recovery attacks were based either on a variant of Sidelnikov and Shestakov's attack, where the first step involves the computation of minimum-weight codewords, or on solving a system of polynomial equations using Gröbner bases. The new attacks proceed in two steps:

**Distinguishing** the public code from a random one using
the square code operation.

**Computing a filtration** of the
public code using the distinguisher, and deriving from this filtration
an efficient decoding algorithm for the public code.

This new style of attack allowed A. Couvreur, A. Otmani and J.-P. Tillich to break (in polynomial time) McEliece based on wild Goppa codes over quadratic extensions; and A. Couvreur, I. Márquez-Corbella, and R. Pellikaan to break McEliece based on algebraic geometry codes from curves of arbitrary genus.
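
The distinguishing step above, as an added example that is not the authors' code and not the attack on Goppa or AG codes: the Schur (componentwise) product of two codewords is taken over all pairs of generator rows, and the dimension of the span is compared with what a random code would give. For a random [n, k] code the square has dimension min(n, k(k+1)/2); for a Reed–Solomon code (evaluations of polynomials of degree below k) products of two codewords are evaluations of polynomials of degree below 2k-1, so the square has dimension only 2k-1. The example is set over the prime field GF(31) with a Reed–Solomon code because that needs no extension-field arithmetic; the field, the length n = 30, the dimension k = 6 and the seed are choices made here.

```python
"""Square-code distinguisher: the Schur square of a random [n, k] code has dimension
min(n, k(k+1)/2), while the square of a Reed-Solomon code has dimension only 2k - 1.
Constructed illustration over a prime field GF(p) with a Reed-Solomon code; the Goppa
and algebraic-geometry codes targeted by the attacks above are not built here."""
import random


def rank_mod_p(rows, p):
    """Rank of a list of vectors over GF(p) (Gauss-Jordan elimination)."""
    M = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(M[0]) if M else 0):
        pivot = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, p)
        M[rank] = [(x * inv) % p for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[rank])]
        rank += 1
        if rank == len(M):
            break
    return rank


def schur_square_dim(G, p):
    """Dimension of the span of all componentwise products g_i * g_j (i <= j) of rows of G."""
    k = len(G)
    prods = [[(a * b) % p for a, b in zip(G[i], G[j])] for i in range(k) for j in range(i, k)]
    return rank_mod_p(prods, p)


def reed_solomon_generator(k, points, p):
    """Rows are the evaluations of 1, x, ..., x^(k-1) at the given distinct points."""
    return [[pow(x, i, p) for x in points] for i in range(k)]


def random_generator(k, n, p, seed=2014):
    """A random k x n generator matrix over GF(p); fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def looks_structured(G, p):
    """The distinguisher: a square strictly smaller than a random code's is the signature
    of an algebraic structure (Reed-Solomon, Goppa, AG) hidden in a public key."""
    k, n = len(G), len(G[0])
    return schur_square_dim(G, p) < min(n, k * (k + 1) // 2)


if __name__ == "__main__":
    p, n, k = 31, 30, 6
    rs = reed_solomon_generator(k, list(range(1, n + 1)), p)
    rnd = random_generator(k, n, p)
    print("RS square dim:", schur_square_dim(rs, p), "expected 2k-1 =", 2 * k - 1)
    print("random square dim:", schur_square_dim(rnd, p), "expected", min(n, k * (k + 1) // 2))
    print("RS flagged:", looks_structured(rs, p), "| random flagged:", looks_structured(rnd, p))
```

Scrambling the generator matrix with an invertible k x k matrix, as McEliece-style key generation does, does not change the code and therefore does not change the dimension of its square; that is why the distinguisher sees through the public key. The filtration step then uses this same product structure to peel off the hidden algebraic description.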

where for all positive integer

By combining algebraic geometric methods with a combinatorial method of double counting, A. Couvreur proved this conjecture and got a more general upper bound on the number of rational points of arbitrary varieties (possibly non-equidimensional). In addition, he proved that () is sharp by providing examples of varieties reaching this bound.

B. Smith has pioneered the use of mod-

Recent results of R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé
seem to indicate that
solving the discrete logarithm problem over finite fields of small
characteristic is easier than was previously thought. F. Morain
and A. Guillevic, joined by R. Barbulescu and P. Gaudry, embarked on an
attempt to assess the security of the discrete logarithm problem in a
closely related context: that of finite fields with large characteristic and
small degree. Improving on the methods of A. Joux, R. Lercier and others, they
found new algorithms to select polynomials for the Number Field Sieve
– the algorithm of choice in this setting. Moreover, a clever study
of the algebraic properties of the fields used (e.g., algebraic
units), enabled them to break the world record for the case of

Together with two researchers in quantum physics (F. Grosshans and T. Lawson), F. Morain and B. Smith have been working on the number theoretical postprocessing in Shor's algorithm. A preprint is being written.

Within the framework of the joint lab Inria-ALU, Grace and Alcatel-Lucent collaborate on the topic of Private Information Retrieval: that is, enabling a user to retrieve data from a remote database while revealing neither the query nor the retrieved data. (This is not the same as data confidentiality, which refers to the need for users to ensure secrecy of their data; this is classically obtained through encryption, which prevents access to data in the clear.)

A typical application would be a centralized database of medical records, which can be accessed by doctors, nurses, and so on. A desirable privacy goal would be that the central system does not know which patient is queried for when a query is made, and this goal is precisely achieved by a Private Information Retrieval protocol. Note also that in this scenario the database is not encrypted, since many users are allowed to access it.

We are exploring applications of Locally Decodable Codes to Private Information Retrieval in the multi-cloud (multi-host) setting, to ensure both secure, reliable storage, and privacy of database queries.
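
The query-privacy goal described above, as an added example that is neither GRACE's nor Alcatel-Lucent's code and not the scheme of the patent mentioned below: the simplest two-server PIR, which is the local decoder of the Hadamard code run against two replicas of the same unencrypted bit database. The client sends a uniformly random subset of indices to one server and the same subset with the wanted index flipped to the other; each server answers with the XOR of the bits it was asked for, and the XOR of the two answers is the wanted bit. Each server on its own sees a uniform random subset and learns nothing about the index; the assumption, stated here, is that the two servers do not collude. The database contents are constructed toy data.

```python
"""Two-server private information retrieval from the Hadamard code, the simplest
locally decodable code. Each server holds the whole unencrypted bit database; neither
learns which index is fetched because each sees a uniformly random subset of indices.
Constructed example; the multi-server LDC schemes studied above are not reproduced."""
import secrets


class Server:
    """One replica of the database. It answers with the XOR (sum over F_2) of the bits at
    the requested positions, which is one coordinate of the Hadamard encoding of the
    database. The `seen` log lets the reader inspect exactly what a server learns."""

    def __init__(self, bits):
        self.bits = list(bits)
        self.seen = []

    def answer(self, subset):
        self.seen.append(frozenset(subset))
        acc = 0
        for i in subset:
            acc ^= self.bits[i]
        return acc


def make_queries(n, index, rng=None):
    """Client side. S1 is a uniformly random subset of {0..n-1}; S2 = S1 with `index`
    flipped (symmetric difference). Each set alone is uniform, independent of `index`."""
    rng = rng or secrets.SystemRandom()
    s1 = {i for i in range(n) if rng.getrandbits(1)}
    s2 = s1 ^ {index}
    return s1, s2


def pir_fetch(server1, server2, n, index, rng=None):
    """XOR(S1) xor XOR(S2) = XOR over S1 ^ S2 = {index}, i.e. the wanted bit.
    This is the 2-query local decoder of the Hadamard code, one query per replica."""
    s1, s2 = make_queries(n, index, rng)
    return server1.answer(s1) ^ server2.answer(s2)


if __name__ == "__main__":
    # Constructed toy database of per-record flags (illustration only).
    database = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    replica_a, replica_b = Server(database), Server(database)
    wanted = 6
    bit = pir_fetch(replica_a, replica_b, len(database), wanted)
    print(f"bit {wanted} = {bit}")
    print("server A saw", sorted(replica_a.seen[-1]))
    print("server B saw", sorted(replica_b.seen[-1]))
```

The cost that motivates the LDC work above is visible here: every query touches about half the database on each server and the scheme only fetches one bit per round, so the practical question is the trade-off between the number of servers, the storage overhead of the encoding, and the per-query communication.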

We hired Man-Cuong Ngo as a PhD student, in February 2014. We proposed a much better way of using LDC codes in PIR protocols, allowing less storage and a very small number of servers. This idea was at the heart of a European patent (EP14305549.9), co-submitted by Inria and Alcatel-Lucent. A preliminary presentation was made at CANS.

From late 2012 through 2013, D. Augot was
heavily involved in the preparation of the *Institut de la
société du numérique* (Digital Society Institute) proposal
within IDEX Paris-Saclay. Led by N. Boujemaa, this proposal aims to
be a catalyst for interdisciplinary research (involving computer
scientists and researchers from the humanities) on societal
challenges inherent to eLife/life digitization. The proposal has
initial funding from the IDEX, and will hopefully be self-funding
within three years. Two kick-off projects were defined: joint human
& machine interaction, and privacy and digital identity.

Within IDEX Paris-Saclay, the PAIP (Pour une Approche Interdisciplinaire de la Privacy) project was proposed and accepted in September 2013, with a small budget (30 keuros) for all the partners of the privacy group.

D. Augot engaged in monthly brainstorming meetings with researchers
from Inria Paris–Rocquencourt (project-team SMIS), Université Jean
Monnet's ADIS and CERDI labs (A. Rallet, A. Bensamoun),
and Télécom ParisTech (C. Levallois-Barth). Topics under
discussion include terms of service of various cloud storage
providers; SMIS's *TrustedCell* secure token initiative for
holding private and secure personal data; privacy leaks; and
measurements on smartphones.

A one-day conference was held in Paris in December 2014.

Within the group PAIP (Pour une Approche Interdisciplinaire de la Privacy), D. Augot presented the cryptographic and peer-to-peer principles at the heart of the Bitcoin protocol (electronic signatures, hash functions, and so on). Most of the information is publicly available: the history of all transactions, the evolution of the source code, the developers' mailing lists, and the Bitcoin exchange rate. The economists in our group recognized that such an amount of data is very rare for an economic phenomenon, and it was decided to start research on the history of Bitcoin, to study the interplay between the development of the protocol and the development of the economic phenomenon.

The project
**Aije-Bitcoin** (analyse
informatique, juridique et économique de Bitcoin) was accepted as
interdisciplinary research for a PEPS (Projet exploratoire Premier
Soutien) cofunded by the CNRS and Université de Paris-Saclay.
This one-year preliminary program will enable the group to master the
understanding of Bitcoin from various angles, allowing more advanced
research in the following years.

Idealcodes is a two-year Digiteo research project, started in October 2014. The partners involved are the École Polytechnique (X) and the Université de Versailles–Saint-Quentin-en-Yvelines (Luca de Feo, UVSQ). It funds one two-year post-doc, J. Nielsen, working at the boundary between coding theory, cryptography, and computer algebra.

Idealcodes spans the three research areas of algebraic coding theory, cryptography, and computer algebra, by investigating the problem of lattice reduction (and root-finding). In algebraic coding theory this is found in Guruswami and Sudan's list decoding of algebraic geometry codes and Reed–Solomon codes. In cryptography, it is found in Coppersmith's method for finding small roots of integer equations. These topics were unified and generalised by H. Cohn and N. Heninger, by considering algebraic geometry codes and number field codes under the deep analogy between polynomials and integers. Sophisticated results in coding theory could then be carried over to cryptanalysis, and vice versa. The generalized view raises problems of efficient computation, which is one of the main research topics of Idealcodes.

CATREL (accepted June 2012, Kickoff December 14, 2012, Starting January 1st, 2013): “Cribles: Améliorations Théoriques et Résolution Effective du Logarithme” (Sieve Algorithms: Theoretical Advances and Effective Resolution of the Discrete Logarithm Problem). This project aims to make effective “attacks” on reduced-size instances of the discrete logarithm problem (DLP). This is a key ingredient for the assessment of the security of cryptosystems relying on the hardness of the DLP in finite fields, and for deciding on relevant key sizes.

DIFMAT-3: this one-year project aims to find matrices with good diffusion properties over small finite fields, in the spirit of the MDS work above. The principle is to find non-maximal matrices, but with better coefficients and implementation properties. The relevant cryptographic properties to be studied correspond to the weight distribution of the associated code. Since we use Algebraic-Geometry codes, much more powerful techniques can be used for computing these weight distributions, using and improving Duursma's ideas.

Cybersecurity. Inria and DGA contracted for three PhD topics at the national level, one of them involving Grace. Grace started a new PhD, and hired P. Karpman. The topic of this PhD is complementary to DIFMAT-3 above: while DIFMAT-3 provides fundamental methods for dealing with AG codes, with application to diffusion layers in block ciphers, the topic here is to make concrete proposals of block ciphers using these matrices. P. Karpman is co-advised by T. Peyrin (Nanyang Technological University, Singapore), P.-A. Fouque (Université de Rennes), and D. Augot.

PQCRYPTO (Post-Quantum Cryptography) is a proposal which was submitted in 2014 by Tanja Lange (TU/e), with Inria as a partner. We received in September 2014 the notification that it was accepted. Inria's Secret and Grace project-teams are part of this proposal, whose starting date is March 2015.

Program: COST

Project acronym: COST 4175/11

Project title: Random Network Coding and Designs over GF(q) http://www.network-coding.eu/index.html

Duration: 04/2012 - 04/2016

Coordinator: Marcus Greferath

Other partners (chairs of the five working groups): Camilla Hollanti, Aalto University, Finland; Simon R. Blackburn, Royal Holloway, University of London, UK; Tuvi Etzion, Technion, Israel; Ángeles Vázquez-Castro, Autonomous University of Barcelona, Spain; Joachim Rosenthal, University of Zurich, Switzerland.

Abstract: Random network coding emerged through an award-winning paper by R. Koetter and F. Kschischang in 2008 and has since then opened many new directions in networking, internet, wireless communication systems, and cloud computing. This COST Action will set up a European research network and establish network coding as a European core area in communication technology. Its aim is to bring together experts from pure and applied mathematics, computer science, and electrical engineering, who are working in the areas of discrete mathematics, coding theory, information theory, and related fields.

M. Bossert, Institute of Communications Engineering, Ulm Universität.

S. Galbraith, Department of Mathematics, University of Auckland.

Ruud Pellikaan (Department of Mathematics and Computing Science Eindhoven University of Technology) visited us from April 24th to May 21st.

D. Augot is member of the committee of the CCA seminar on coding and cryptology. This seminar regularly attracts around 30 participants.

J. Nielsen, with L. de Feo, organized a Digiteo event, CLIC, related to J. Nielsen's Digiteo funding IDEALCODES. This non-recurrent event attracted 30 participants.

D. Augot was a member of the WAIFI 2014 program committee (International Workshop on the Arithmetic of Finite Fields, Gebze, Turkey).

D. Augot was a reviewer for ITW (Information Theory Workshop) 2015.

B. Smith was a reviewer for Eurocrypt 2014, CRYPTO 2014, PKC (Public Key Cryptography) 2014, and ANTS (Algorithmic Number Theory Symposium) 2014.

D. Augot is member of the editorial board of the *RAIRO -
Theoretical Informatics and Applications*, a Cambridge journal
published by EDP Sciences.

D. Augot is member of the editorial board of the *International
Journal of Information and Coding Theory*, InderScience publishers.

D. Augot was reviewer for

*Designs, Codes and Cryptography*;

*Discrete Mathematics*.

*IEEE Transactions on
Information Theory*.

A. Couvreur was reviewer for

*Designs, Codes and Cryptography*;

*Finite Fields and Their Applications*;

*IEEE Transactions on Communications*;

*Journal of Symbolic Computation*.

B. Smith was a reviewer for

*Designs, Codes and Cryptography*

*Mathematics of Computation*

*ETRI Journal*

**Master**

D. Augot, Error-correcting codes and applications to cryptography, 6h00, level M2, MPRI, France.

A. Couvreur, Error-correcting codes and applications to cryptography, 12h, level M2, MPRI, France.

A. Couvreur is *Chargé d'enseignement* at the École Polytechnique
for the academic year 2014-2015.

A. Couvreur gave a one-week crash course in cryptology at the university of Masuku (Franceville, Gabon). Level M1.

B. Smith, Algorithmes arithmétiques pour la cryptologie, 13.5h (equiv TD), level M2, MPRI, France.

F. Morain, Algorithmes arithmétiques pour la cryptologie, 9h (equiv TD), level M2, MPRI, France.

B. Smith, Cryptologie, 18h (equiv TD), M1, École polytechnique, France

F. Morain, 9 lectures of 1.5h, 3rd year (M1) course “cryptology” at École polytechnique.

F. Levy-dit-Vehel, “Cours de Cryptographie”, 30h. (equiv TD), 3rd year (M1), ENSTA ParisTech, France.

**Licence**

F. Morain, 10 lectures of 1.5h, 1st year course “Introduction à l'informatique” (INF311) at École polytechnique (L3). Responsibility for this module (350 students).

B. Smith, Introduction à l'informatique (INF311), 40h (equiv TD), L3, École polytechnique, France.

A. Couvreur, Introduction à l'informatique (INF311), 40h (equiv TD), L3, École polytechnique, France.

A. Couvreur, Les bases de la programmation et de l'algorithmique (INF411), 32h (equiv TD), M1, École polytechnique, France.

F. Levy-dit-Vehel, “Mathématiques discrètes pour la protection de l'information”, 24h. (equiv TD), 2nd year (L3), ENSTA ParisTech, France.

**E-learning**

I. Márquez-Corbella, with D. Augot's help, is currently preparing a
MOOC on *code-based cryptology*. This MOOC is intended
for an audience of M2 or PhD students who are
interested in this sub-branch of cryptology. This can bring
in students from coding theory, cryptology, or even physicists
interested in post-quantum cryptography.
N. Sendrier and M. Finiasz will complement and bring
scientific authority to these lectures, by addressing more
advanced topics.
This bilingual MOOC (Spanish and English) is planned to be
open in March, with a five week duration. It is supported by
the Inria MOOC Lab, and will be hosted on the platform FUN.

D. Augot, advised two students, Gaspard Ferey and Sylvain Colin, for a “Projet personnel en laboratoire”, whose object of study was attacks on code-based cryptosystems and their relation to the Chor-Rivest cryptosystem. 12h, level M1, Polytechnique, France.

A. Couvreur advised one student, Alexander Schaub, for a “Projet personnel en laboratoire” on an oblivious transfer protocol using a noisy channel. 12h, level M1, Polytechnique, France.

A. Couvreur advised the Masters thesis of Elise Barelli (Master Cryptis, University of Limoges). 6 month internship, level M2.

B. Smith supervised Charlotte Scribot's Masters thesis (Master P7). 6 month internship, level M2.

B. Smith co-supervised the third year of Cécile Gonçalves' PhD project.

F. Levy-dit-Vehel supervised Julien Lavauzelle's end of ENSTA studies internship (level M2), 5 months.

D. Augot was a member of Maurice Denise's PhD committee, for her defense “Codes correcteurs quantiques pouvant se décoder itérativement”, June 26th.

D. Augot was a member of Nicolás Bordenabe's PhD committee, for his defense “Measuring Privacy with Distinguishability Metrics: Definitions, Mechanisms and Application to Location Privacy”, September 12th.

D. Augot was a reviewer of Clément Pernet's HDR thesis “High Performance and Reliable Algebraic Computing”, and member of his defense committee, November 21st.

A. Couvreur is a member of the jury of the *agrégation de mathématiques*.

B. Smith was a member of Ivan Boyer's PhD jury, for his defense “Variétés abéliennes et jacobiennes de courbes hyperelliptiques, en particulier à multiplication réelle ou complexe”, January 24th.

B. Smith was a member of Jean-Christophe Zapalowicz's PhD jury for his defense “Sécurité des générateurs pseudo-aléatoires et des implémentations de schémas de signature à clé publique”, November 21st.

D. Augot made a presentation, “Décodage des codes de Reed-Solomon et logarithme discret dans les corps finis”, at the Cryptography Seminar of Université de Rennes I, March 21st

D. Augot made a presentation for the Secret project-team at Inria Rocquencourt “Bitcoin hors-sol”, November 13th.

A. Couvreur was an invited speaker at *Journées Codage et Cryptographie*, Grenoble, March 2014.

A. Couvreur has been invited to give a talk at regular seminars in Rennes, Caen, University Paris 6, University Paris 8 and Bordeaux.

B. Smith was an invited speaker at *YACC 2014*, Porquerolles, June
2014.

B. Smith was an invited speaker in the *Computational Number
Theory* workshop at *FOCM 2014*, Montevideo, Uruguay, December
2014.

B. Smith was an invited speaker at the inaugural *MCrypt Workshop*,
Les Deux Alpes, August 2014.

B. Smith was an invited speaker at *DLP2014* (Theoretical and
Practical Aspects of the Discrete Logarithm Problem), Ascona,
Switzerland, May 2014.

B. Smith gave a talk in the regular *PolSys* seminar at UPMC,
March 2014.

D. Augot made a presentation “Quand 1

J. Pieltant was one of the presenters for Inria's stand at « Bouge la Science » at Supélec.

A. Couvreur gave a conference “Les mathématiques pour protéger l'information” for the pupils of Collège Moreau in Monthléry (91).

A. Couvreur is an elected member of Saclay's *comité de centre*.

A. Couvreur was a member of the commission for the recruitment of post-doc researchers in 2014 at LIX in the Qualcomm-Carnot program.

A. Couvreur is the *jeune chercheur référent* for the *commission
de suivi doctoral* of Inria Saclay.

D. Augot was a member of RTRA Digiteo program committee.

D. Augot is a member of LIX's *conseil de direction*.

D. Augot is a member of the *conseil de l'école doctorale
en informatique de Paris-Sud*

D. Augot is the vice-head of Inria's *comité de suivi doctoral*

D. Augot is a member of LIX's *conseil de laboratoire*

D. Augot and B. Smith were reviewers for ANRT CIFRE fundings.

F. Morain, J. Pieltant and B. Smith are elected members
of the *Conseil de Laboratoire* of the LIX.

F. Morain is vice-head of the Département d'informatique of Ecole Polytechnique.

F. Morain represents École polytechnique in the
committee in charge of *Mention HPC* in the
*Master de l'université Paris Saclay*.

B. Smith is a *Correspondant* for International Relations
at Saclay.

B. Smith is a member of the COST-GTRI.

B. Smith is a member of the teaching committee of the Department of Computer Science of the École polytechnique.