GRACE has two broad application domains—cryptography and coding
theory—linked by a common foundation in
algorithmic number theory and the geometry of algebraic curves.
In our research, which combines theoretical work
with practical software development,
we use algebraic curves
to *create better cryptosystems*,
to *provide better security assessments*
for cryptographic key sizes,
and to *build the best error-correcting codes*.

Coding and cryptography deal (in different ways) with securing communication systems for high-level applications. In our research, the two domains are linked by the computational issues related to algebraic curves (over various fields) and arithmetic rings. These fundamental number-theoretic algorithms, at the crossroads of a rich area of mathematics and computer science, have already proven their relevance in public key cryptography, with industrial successes including the RSA cryptosystem and elliptic curve cryptography. It is less well-known that the same branches of mathematics can be used to build very good codes for error correction. While coding theory has traditionally had an electrical engineering flavour, recent developments in computer science have shed new light on coding theory, leading to new applications more central to computer science.

Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:

fundamental algorithms for integers and polynomials (including primality and factorization);

algorithms for finite fields (including discrete logarithms); and

algorithms for algebraic curves.

Clearly, we use computer algebra in many ways. Research in cryptology
has motivated a renewed interest in Algorithmic Number Theory in
recent decades—but the fundamental problems still exist *per
se*. Indeed, while the application of algorithmic number theory to
cryptanalysis is epitomized by the use of factorization to break RSA
public keys, many other problems are relevant to various areas of
computer science. Roughly speaking, the problems of the cryptological
world are of bounded size, whereas Algorithmic Number Theory is also
concerned with asymptotic results.

Theme: Arithmetic Geometry: Curves and their Jacobians

*Arithmetic Geometry* is the meeting point of algebraic geometry and
number theory: that is, the study of geometric objects defined over
arithmetic number systems (such as the integers and finite fields).
The fundamental objects for our applications
in both coding theory and cryptology
are curves and their Jacobians over finite fields.

An algebraic *plane curve*

(Not every curve is planar—we may have more variables, and more
defining equations—but from an algorithmic point of view,
we can always reduce to the plane setting.)
The *genus* *elliptic curves*;
they are typically defined by equations of the form

The curve *Jacobian* of

Theme: Curve-Based Cryptology

Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.

Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
*key*, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group

This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups

The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field

This is where Jacobians of algebraic curves come into their own.
First, elliptic curves and Jacobians of genus 2 curves do not have a
subexponential index calculus algorithm: in particular, from the point
of view of the DLP, a generic elliptic curve is currently *as
strong as* a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed
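The exchange sketched above, written out as an added example (this is not the report's or any project's code): Diffie–Hellman runs over any cyclic group, and the code below instantiates it twice, on the classic multiplicative group of a prime field and on the group of points of an elliptic curve. The group parameters (F_23 with generator 5, and the curve y² = x³ + 2x + 2 over F_17 with generator (5, 1), a group of prime order 19) are toy values constructed for illustration and give no security.

```python
# Added example: Diffie-Hellman key exchange over two cryptographic groups,
# the multiplicative group of a prime field F_p^* and the group of points of
# an elliptic curve over F_p. All parameters are toy values constructed for
# illustration; they give no security and are not the report's own code.


class MultiplicativeGroup:
    """The classic Diffie-Hellman group: F_p^* with a chosen generator g."""

    def __init__(self, p, g):
        self.p, self.g = p, g

    def generator(self):
        return self.g

    def scalar_mul(self, k, x):
        # "k times x" in additive notation is x^k in F_p^*
        return pow(x, k, self.p)


class EllipticCurve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, affine coordinates.
    The point at infinity (the neutral element) is represented by None."""

    def __init__(self, p, a, b, generator):
        self.p, self.a, self.b, self.g = p, a, b, generator
        assert self.is_on_curve(generator)

    def generator(self):
        return self.g

    def is_on_curve(self, pt):
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, pt1, pt2):
        if pt1 is None:
            return pt2
        if pt2 is None:
            return pt1
        x1, y1 = pt1
        x2, y2 = pt2
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # pt1 == -pt2
        if pt1 == pt2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)  # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)  # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def scalar_mul(self, k, pt):
        # double-and-add; a constant-time ladder would be used in a real implementation
        result, addend = None, pt
        while k:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result


def diffie_hellman(group, alice_secret, bob_secret):
    """Run the exchange and return (alice_public, bob_public, alice_key, bob_key).
    Only the two public values travel over the network; each party derives the
    shared key from the other's public value and its own secret scalar."""
    g = group.generator()
    alice_public = group.scalar_mul(alice_secret, g)
    bob_public = group.scalar_mul(bob_secret, g)
    alice_key = group.scalar_mul(alice_secret, bob_public)
    bob_key = group.scalar_mul(bob_secret, alice_public)
    return alice_public, bob_public, alice_key, bob_key


# Toy instances (constructed): F_23^* with generator 5, and the curve
# y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1), a group of prime order 19.
FIELD_GROUP = MultiplicativeGroup(23, 5)
CURVE_GROUP = EllipticCurve(17, 2, 2, (5, 1))

if __name__ == "__main__":
    for name, grp in (("F_23^*", FIELD_GROUP), ("E(F_17)", CURVE_GROUP)):
        a_pub, b_pub, a_key, b_key = diffie_hellman(grp, 6, 15)
        print(name, "public:", a_pub, b_pub, "shared:", a_key, a_key == b_key)
```

The protocol code is identical for both groups; only `scalar_mul` changes. That is exactly why the security assessment reduces to the discrete logarithm problem in the chosen group: an eavesdropper sees the generator and the two public values, and the generic-group argument in the text says that for a well-chosen curve nothing better than generic square-root algorithms is known, whereas F_p^* admits index calculus.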

Theme: Coding theory

Coding theory originated with the idea of using redundancy in
messages to protect against noise and errors. The last decade of the
20th century saw the success of so-called iterative decoding
methods, which enable us to get very close to the Shannon
capacity. The capacity of a given channel is the best achievable
transmission *rate* for reliable transmission. The consensus in
the community is that this capacity is more easily reached with these
iterative and probabilistic methods than with algebraic codes (such as
Reed–Solomon codes).

However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random-case setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst-case approach: under combinatorial restrictions on the noise (a bound on the number of corrupted symbols), the noise can be adversarial, and decoding still succeeds with strictly zero errors.
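The worst-case guarantee just described, as an added example (not code from the report): a Reed–Solomon code over a small prime field with Berlekamp–Welch decoding, which corrects any pattern of up to t errors, at adversarially chosen positions and with adversarially chosen values, whenever n ≥ k + 2t. The field size P = 17, the evaluation points 0..7 and the message are constructed toy values; the algorithm itself is the textbook one.

```python
# Added example: a Reed-Solomon code over the prime field GF(P) with
# Berlekamp-Welch decoding, which corrects ANY pattern of up to t errors as
# long as n >= k + 2t; this is the worst-case (Hamming) guarantee discussed
# above. P, the evaluation points and the messages are toy values constructed
# for the example; this is not the report's or any library's code.

P = 17  # field size (prime), constructed for the example


def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def rs_encode(message, points):
    """Encode a message of k field elements (the coefficients of a polynomial
    of degree < k) as its evaluations at the n distinct points."""
    return [poly_eval(message, a) for a in points]


def solve_mod_p(rows, rhs):
    """Solve rows * v = rhs over GF(P) by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0), or None if inconsistent."""
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    nrows, ncols = len(m), len(rows[0])
    pivots, r = [], 0
    for c in range(ncols):
        if r == nrows:
            break
        piv = next((i for i in range(r, nrows) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, P)
        m[r] = [(v * inv) % P for v in m[r]]
        for i in range(nrows):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % P for vi, vr in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(m[i][ncols] for i in range(r, nrows)):
        return None  # a row "0 = nonzero" remains: no solution
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = m[i][ncols]
    return sol


def poly_divmod(num, den):
    """Long division of polynomials over GF(P); returns (quotient, remainder)."""
    num = num[:]
    inv_lead = pow(den[-1], -1, P)
    q = [0] * max(len(num) - len(den) + 1, 1)
    for i in range(len(num) - len(den), -1, -1):
        coef = (num[i + len(den) - 1] * inv_lead) % P
        q[i] = coef
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - coef * d) % P
    return q, num[: len(den) - 1]


def rs_decode(received, points, k, t):
    """Berlekamp-Welch: recover the k message symbols from a received word with
    at most t errors (any positions, any values), provided n >= k + 2t.
    Unknowns are N(x) of degree < k + t and a monic error locator E(x) of
    degree t with N(a_i) = y_i * E(a_i) for every point; then N = f * E."""
    n = len(points)
    if n < k + 2 * t:
        raise ValueError("need n >= k + 2t")
    rows, rhs = [], []
    for a, y in zip(points, received):
        # unknown vector: N_0..N_{k+t-1}, E_0..E_{t-1}   (E_t = 1 is fixed)
        row = [pow(a, j, P) for j in range(k + t)]
        row += [(-y * pow(a, j, P)) % P for j in range(t)]
        rows.append(row)
        rhs.append((y * pow(a, t, P)) % P)
    sol = solve_mod_p(rows, rhs)
    if sol is None:
        return None
    N, E = sol[: k + t], sol[k + t:] + [1]
    f, rem = poly_divmod(N, E)
    if any(rem):
        return None  # more than t errors: E does not divide N
    f = (f + [0] * k)[:k]
    # the decoded codeword must lie within distance t of the received word
    if sum(c != y for c, y in zip(rs_encode(f, points), received)) > t:
        return None
    return f


# Constructed demo: n = 8 points, k = 2 message symbols, so t = 3 errors are correctable.
POINTS = list(range(8))
MESSAGE = [3, 5]  # the polynomial 3 + 5x

if __name__ == "__main__":
    codeword = rs_encode(MESSAGE, POINTS)
    corrupted = codeword[:]
    for pos, bad in ((1, 0), (4, 9), (6, 2)):  # adversary picks positions and values
        corrupted[pos] = bad
    print("codeword", codeword)
    print("received", corrupted)
    print("decoded ", rs_decode(corrupted, POINTS, k=2, t=3))
```

Unique decoding stops at t = (n − k)/2 errors; the list decoding discussed next is what lets Reed–Solomon and AG codes go beyond that radius, returning a small list rather than a single polynomial.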

These considerations were renewed by the topic of *list decoding*
after the breakthrough of Guruswami and Sudan at the end of the
nineties. List decoding relaxes the uniqueness requirement of
decoding, allowing a small list of candidates to be returned instead
of a single codeword. List decoding can reach a capacity close
to the Shannon capacity, with zero failure and small lists, in
the adversarial case.
The method of Guruswami and Sudan enabled list decoding of most of the
main algebraic codes: Reed–Solomon codes, Algebraic–Geometry (AG)
codes, and new related constructions (“capacity-achieving list
decodable codes”). These results open the way to applications against
adversarial channels, which correspond to worst-case settings in
the classical computer science language.

Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).

From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.

Another area of Algebraic Coding Theory with which we have more recently become concerned is that of Locally Decodable Codes. First introduced as a theoretical object, these codes are now beginning to find practical applications, most notably in cloud-based remote storage systems.

In the twenty-first century, cryptography plays two essential roles:
it is used to ensure *security* and *integrity*
of communications and communicating entities.
Contemporary cryptographic techniques can be used
to hide private data,
and to prove that public data has not been modified;
to provide anonymity, and to assert and prove public identities.
The creation and testing of practical cryptosystems involves

The design of provably secure protocols;

The design and analysis of compact and efficient algorithms to implement those protocols, and to attack their underlying mathematical and computational problems;

The robust implementation of those algorithms in low-level software and hardware, and their deployment in the wild.

While these layers are interdependent, GRACE's cryptographic research is focused heavily on the middle layer: we design, implement, and analyze the most efficient algorithms for fundamental tasks in contemporary cryptography. Our “clients”, in a sense, are protocol designers on the one hand, and software and hardware engineers on the other.

F. Morain and B. Smith work primarily on the number-theoretic algorithms that underpin the current state of the art in public-key cryptography (which is used to establish secure connections, and to create and verify digital signatures, among other applications). For example, their participation in the ANR CATREL project aims to give a realistic assessment of the security of systems based on the Discrete Logarithm Problem, by creating a free, open, algorithmic package implementing the fastest known algorithms for attacking DLP instances. This will have an extremely important impact on contemporary pairing-based cryptosystems, as well as legacy finite-field-based cryptosystems. On a more constructive note, F. Morain's elliptic curve point counting and primality proving algorithms are essential tools in the everyday construction of strong public-key cryptosystems, while B. Smith's recent work on elliptic curves aims to improve the speed of curve-based cryptosystems (such as Elliptic Curve Diffie–Hellman key exchange, a crucial step in establishing secure internet connections) without compromising their security.

D. Augot, F. Levy-dit-Vehel, and A. Couvreur's
research on codes has far-reaching applications in
*code-based cryptography*.
This is a field which is growing rapidly in importance—partly
due to the supposed resistance of code-based cryptosystems to
attacks from quantum computing, partly due to the range of new
techniques on offer, and partly because the fundamental problem
of parameter selection is relatively poorly understood.
For example, A. Couvreur's work on filtration attacks on codes has an
important impact on the design of code-based systems using wild Goppa
codes or
algebraic geometry codes, and on the choice of parameter sizes
for secure implementations.

Coding theory also has important practical applications in the improvement of conventional symmetric cryptosystems. For example, D. Augot's recent work on MDS matrices via BCH codes gives a more efficient construction of optimal diffusion layers in block ciphers. Here we use combinatorial, non-algorithmic properties of codes in the internals of block cipher designs.
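The combinatorial property at stake is the branch number of the diffusion matrix: the minimum over nonzero inputs v of wt(v) + wt(Mv), which for a k × k matrix is at most k + 1, with equality exactly when [I | M] generates an MDS code. The added example below (not the report's BCH-based construction, and not the DIFMAT-3 code) builds a matrix over GF(2⁴) that is MDS by construction, a Cauchy matrix, and checks its branch number exhaustively; the field modulus, the point sets and the comparison identity matrix are constructed for the illustration.

```python
# Added example: checking the branch number of a diffusion matrix over GF(2^4).
# A k x k matrix M is MDS exactly when its branch number, the minimum of
# wt(v) + wt(M v) over nonzero v, equals k + 1, i.e. when [I | M] generates an
# MDS code. The field, the Cauchy construction and the matrices are constructed
# for this illustration; the report's BCH-based construction is not reproduced.
import itertools

MODULUS = 0b10011  # x^4 + x + 1, irreducible over GF(2)


def gf16_mul(a, b):
    """Multiply two elements of GF(2^4) represented as 4-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MODULUS
    return r


MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]  # lookup table


def gf16_inv(a):
    """Inverse in GF(2^4)^*: a^14, since a^15 = 1 for every nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r = 1
    for _ in range(14):
        r = MUL[r][a]
    return r


def cauchy_matrix(xs, ys):
    """Cauchy matrix M[i][j] = 1/(x_i + y_j). Every square submatrix is
    nonsingular when the x_i are distinct, the y_j are distinct and no x_i
    equals a y_j, so the matrix is MDS by construction."""
    return [[gf16_inv(x ^ y) for y in ys] for x in xs]


def mat_vec(m, v):
    """Matrix-vector product over GF(2^4) (addition is XOR)."""
    out = []
    for row in m:
        acc = 0
        for coef, x in zip(row, v):
            acc ^= MUL[coef][x]
        out.append(acc)
    return out


def weight(v):
    return sum(1 for x in v if x)


def branch_number(m):
    """min over nonzero input v of wt(v) + wt(M v), by exhaustive search over
    GF(16)^k (16^k vectors, fine for the small k used in diffusion layers)."""
    k = len(m)
    best = 2 * k
    for v in itertools.product(range(16), repeat=k):
        if any(v):
            best = min(best, weight(v) + weight(mat_vec(m, v)))
    return best


def is_mds(m):
    return branch_number(m) == len(m) + 1


IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]
CAUCHY = cauchy_matrix([0, 1, 2, 3], [4, 5, 6, 7])

if __name__ == "__main__":
    print("identity  branch number:", branch_number(IDENTITY), "MDS:", is_mds(IDENTITY))
    print("Cauchy    branch number:", branch_number(CAUCHY), "MDS:", is_mds(CAUCHY))
```

An MDS matrix guarantees that a single active S-box in one round forces at least k more in the next, which is the quantity differential and linear cryptanalysis bounds are built on; the "non-maximal" matrices that DIFMAT-3 targets trade a slightly smaller branch number for cheaper coefficients, and the same exhaustive check measures that trade-off.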

While coding theory brings tools as above for the classical
problems of encryption, authentication, and so on, it can also
provide solutions to new cryptographic problems. This is
classically illustrated by the use of Reed-Solomon codes in secret
sharing schemes. Grace is involved in the study, construction and
implementation of locally decodable codes, which have applications
in quite a few cryptographic protocols: *Private Information Retrieval*,
*Proofs of Retrievability*, *Proofs of Ownership*, etc.

**Freestart collision for the full SHA-1.**

Together with M. Stevens and T. Peyrin, P. Karpman gave the first freestart collision for the full SHA-1 hash function.
Although theoretical attacks on this function have been known since 2005, this work is an important milestone in SHA-1
cryptanalysis and it had a concrete impact on the use of SHA-1 in existing systems, such as TLS certificates.
In particular, the CA/Browser Forum (which brings together some of the major internet industry players) withdrew an internal
ballot proposing to extend the use of SHA-1 in new certificates through 2016. Major browser developers such as Mozilla
are also encouraging the timely withdrawal of SHA-1 certificates by updating the in-browser security warnings when such certificates are used.
This result was also popularised in the technical press, such as *Ars Technica*, and in more general newspapers such as *Le Monde*.

**Discrete logarithm record computation in finite fields**

F. Morain and A. Guillevic together with P. Gaudry (CARAMEL team, Inria
Nancy Grand Est) and R. Barbulescu (CNRS, IMJ) published a new
discrete logarithm record in a finite field of 180 decimal digits
(dd), i.e. 595 bits. This result was presented at the Eurocrypt 2015
conference.
The Discrete Logarithm Problem (DLP) is widely studied in prime fields
GF

Algorithm | relation collection | linear algebra | total
--- | --- | --- | ---
NFS-IF | 5 years | 5.5 months | 5.5 years
NFS-DL | 50 years | 80 years | 130 years
NFS-DL | 157 days | 18 days (GPU) | 0.5 years

F. Morain and A. Guillevic contributed with P. Gaudry and E. Thomé to other
DL computation records in finite fields GF

**CATREL conference**

On the 1st and 2nd of October 2015, F. Morain, B. Smith and A. Guillevic organized an international workshop to conclude the CATREL project. There were 14 invited speakers from all around the world, from Palaiseau with A. Guillevic to as far as Auckland in New Zealand with S. Galbraith. A. Joux presented a historical summary of DL computation since the 1980s. P. Gaudry, E. Thomé and C. Bouvier from the Caramel team (Inria Nancy) presented their contribution, and K. Bhargavan presented the Logjam attack. There were also members of the foreign teams leading in discrete logarithm record breaking: G. Adj from Mexico, and R. Granger and T. Kleinjung, presented their recent records in small characteristic.

We hosted more than 50 participants for the two intensive days of the
workshop.
The schedule of the workshop is available at the following link:
http://

**AGC ${}^{2}$T 15**

A. Couvreur was one of the organizers of the conference AGC

Keyword: Cryptography

Functional Description

A competitive, high-speed, open implementation of the Diffie–Hellman protocol, targeting the 128-bit security level on Intel platforms. This download contains Magma files that demonstrate how to compute scalar multiplications on the x-line of an elliptic curve using endomorphisms. This accompanies the EuroCrypt 2014 paper by Costello, Hisil and Smith, the full version of which can be found at http://eprint.iacr.org/2013/692. The corresponding SUPERCOP-compatible crypto_dh application can be downloaded from http://hhisil.yasar.edu.tr/files/hisil20140318compact.tar.gz.

Participant: Benjamin Smith

Contact: Benjamin Smith

URL: http://

Functional Description

The aim of this project is to vastly improve the state of the error correcting library in Sage. The existing library does not present a good and usable API, and the provided algorithms are very basic, irrelevant, and outdated. We thus had two directions for improvement:

renewing the APIs to make them actually usable by researchers, and

incorporating efficient programs for decoding, like J. Nielsen's CodingLib, which contains many new algorithms.

After a year on the project, which started on October 1st, 2014, we have been able to completely rethink and rewrite the API into a new structure able to support many mathematical constructions, and to integrate it in Sage. We also implemented numerous code classes and decoding algorithms, including cyclic codes over any finite field and list decoding of GRS codes, which are not available in Maple, Magma or Mathematica. As integrating code in Sage is a slow process, which requires external reviewers, we attended two Sage workshops (Sage Days 66 in Liège and Sage Days 70 in Berkeley) and hosted one at Inria Saclay http://

Contact: David Lucas

URL: https://

One can check a full list of accepted and pending ACTIS patches for Sage here: http://

V. Ducet worked on the weight distribution of geometric codes following a method initiated by Duursma. More precisely, he implemented this method in Magma and was able to compute the weight distribution of the geometric codes coming from two optimal curves of genus 2 and 3 over the finite fields of size 16 and 9 respectively. The aim is to compute the weight distribution of the Hermitian code over the finite field of size 16, for which computational improvements of the implementation are necessary.

B. Smith made several contributions to the development of faster
arithmetic on elliptic curves and genus 2 Jacobians in 2015.
First, an extended and more detailed treatment of his

Integer factorization via Shor's algorithm is a benchmark problem for general quantum computers, but surprisingly little work has been done on optimizing the algorithm for use as a serious factoring tool once large quantum computers are built (rather than as a proof of concept). In the meantime, given the limited size of contemporary quantum computers and the practical difficulties involved in building them, any optimizations to quantum factoring algorithms can lead to significant practical improvements. In a new interdisciplinary project with physicists F. Grosshans and T. Lawson, F. Morain and B. Smith have derived a simple new quantum factoring algorithm for cryptographic integers; its expected runtime is lower than Shor's factoring algorithm, and it should also be easier to implement in practice.

The McEliece encryption scheme based on binary Goppa codes was one of the first public-key encryption schemes. Its security rests on the difficulty of decoding an arbitrary code. The original proposal uses classical Goppa codes, and while it still remains unbroken, it requires very large keys. On the other hand, many derivative systems based on other families of algebraic codes have been subject to key recovery attacks. Up to now, key recovery attacks were based either on a variant of Sidelnikov and Shestakov's attack, where the first step involves the computation of minimum-weight codewords, or on the resolution of a system of polynomial equations using Gröbner bases.

**Distinguishing** the public code from a random one using
the square code operation.

**Computing a filtration** of the
public code using the distinguisher, and deriving from this filtration
an efficient decoding algorithm for the public code.

This new style of attack allowed A. Couvreur, A. Otmani and J.-P. Tillich to break (in polynomial time) McEliece based on wild Goppa codes over quadratic extensions and, more recently, to break the BBCRS cryptosystem. A. Couvreur, Irene Márquez–Corbella and R. Pellikaan broke McEliece based on algebraic geometry codes from curves of arbitrary genus, by reconstructing optimal polynomial-time decoding algorithms from the raw data of a generator matrix.

Quantum codes are the analogue of error-correcting codes
for a quantum computer. A well-known family of quantum codes
is that of the CSS codes, due to Calderbank, Shor and Steane, which
can be represented by a pair of matrices

In an article in preparation, Benjamin Audoux (I2M, Marseille) and A. Couvreur
investigate a problem suggested by Bravyi and Hastings. They study the
behaviour of iterated tensor powers of CSS codes and prove in
particular that such families always have a minimum distance tending to
infinity. They also propose three families of LDPC codes whose minimum
distance is in

The best discrete logarithm record computations in prime fields and large-characteristic finite fields are currently obtained with the Number Field Sieve (NFS) algorithm. This algorithm is made of four steps:

polynomial selection;

relation collection (with a sieving technique);

linear algebra (computing the kernel of a huge matrix, of millions of rows and columns);

individual discrete logarithm computation.

The two most time-consuming steps are the relation collection step and the linear algebra step. The polynomial selection is quite fast but is very important, since it determines the complexity of the algorithm. Selecting better polynomials is a key to improving the overall running time of the NFS algorithm. The final step, individual discrete logarithm computation, was thought to be quite fast, but F. Morain and A. Guillevic showed that its complexity increases with the extension degree of the finite field. A. Guillevic proposed a new method that reduces this complexity considerably, with at most a factor-two speed-up in the exponent.

In 2015, F. Morain and A. Guillevic released with P. Gaudry and
R. Barbulescu a major discrete logarithm record in a quadratic finite
field GF

In order to compare the practical running time of discrete logarithm computation in prime fields and quadratic finite fields, F. Morain and A. Guillevic with P. Gaudry and R. Barbulescu launched a DL record in a 180dd finite field. The last DL record in a prime field was held by the CARAMEL team of Nancy, in 2014, in a 180 dd prime field. The parameters chosen for the quadratic finite field are the following.

The discrete logarithm computation was made modulo

The two polynomials used in the NFS algorithm were chosen to be the following:

We indeed designed a new polynomial selection method, that we called
the Conjugation method. It is very well suited for quadratic and cubic
finite fields GF

We finally computed the discrete logarithm in basis

The running time was very surprising: our record was much faster than the rival DL computation in a prime field of the same global size of 180dd, and even faster than the factorization of an RSA modulus of the same size.

Algorithm | relation collection | linear algebra | total
--- | --- | --- | ---
NFS-IF | 5 years | 5.5 months | 5.5 years
NFS-DL | 50 years | 80 years | 130 years
NFS-DL | 157 days | 18 days (GPU) | 0.5 years

A big difference between prime fields and finite fields of small
extension such as GF*small* elements. This table was obtained at the
end of the linear algebra step.
The target needs to be decomposed into small enough elements whose
discrete logarithms are in the table, so that one can recompose the
discrete logarithm of the target. This decomposition is quite fast for
prime fields, but we realized that it becomes more and more time
consuming as the extension degree increases.
A. Guillevic developed a new technique that improves this step
considerably. The main idea is to use the structure of the finite
field: its subfields. These improvements were presented at the
Asiacrypt 2015 conference in Auckland, New Zealand, and published in
the proceedings.

The codes we used in our PIR protocols, namely Reed–Muller codes and their
generalization, multiplicity codes, are locally *correctable*:
local decoding retrieves encoded symbols. In most applications, it is
very desirable to retrieve *information* symbols instead. Another line
of work on this topic was thus
to find an encoding method for multiplicity codes so as to directly
recover an information symbol from local correction, and not an
encoded symbol. To do so, we defined information sets for
multiplicity codes, and designed a systematic encoding based on these
information sets. This work was presented at ISIT 2015 in Hong Kong
in June.

Rank metric and Gabidulin codes over the rationals promise
interesting applications to space-time coding. We have constructed
optimal codes, similar to Gabidulin codes, in the case of infinite
fields. We use algebraic extensions, and we have determined the
condition on the considered extension to enable this construction.
For example: we can design codes with complex coefficients, using
number fields and Galois automorphisms.
Then, in the rank metric setting, codewords can be seen as matrices.
In this setting, a channel introduces errors (a matrix of small rank

We also have used this framework to build rank-metric codes over the field of rational functions, using algebraic function fields with cyclic Galois group (Kummer and Artin extensions). These codes can be seen as a generator of infinitely many convolutional codes.

Cryptographic hash functions are versatile primitives that are used in
many cryptographic protocols. The security of a hash function

A popular hash function is the SHA-1 algorithm. Although theoretical collision attacks were found in 2005, it is still being used in some applications, for instance as the hash function in some TLS certificates. Hence cryptanalysis of SHA-1 is still a major topic in cryptography.

In 2015, we improved the state-of-the-art on SHA-1 analysis in two ways:

T. Espitau, P.-A. Fouque and P. Karpman improved the previous preimage attacks on SHA-1, reaching up to 62 rounds (out of 80), up from 57. The corresponding paper was published at CRYPTO 2015.

P. Karpman, T. Peyrin and M. Stevens developed collision attacks on the compression function of SHA-1 (i.e. freestart collisions). This exploits a model that is slightly more generous to the attacker in order to find explicit collisions on more rounds than was previously possible. A first work resulted in freestart collisions for SHA-1 reduced to 76 steps; this attack takes less than a week to compute on a common GPU. The corresponding paper was published at CRYPTO 2015. This was later improved to attack the full compression function. Although the attack is more expensive, it is still practical, taking less than two weeks on a 64-GPU cluster. The corresponding paper is currently under review for EUROCRYPT 2016.

Block ciphers are one of the most basic cryptographic primitives, yet block cipher analysis is still a major research topic.
In recent years, the community has also shifted its focus to the more general setting of *authenticated encryption*, where one
specifies an algorithm (or set of algorithms) providing both encryption and authentication for messages of arbitrary length. A major
current event in that direction is the CAESAR academic competition, which aims to select a portfolio of good algorithms.

During this year, we helped to improve the state of the art in block cipher research in several ways:

P. Karpman found a very efficient related-key attack on the CAESAR candidate Prøst-OTR. A related-key model is very generous to the attacker, but the attack in this case can be run instantaneously. The corresponding paper was published at ISC 2015.

B. Minaud, P. Derbez, P.-A. Fouque and P. Karpman developed a family of attacks that breaks all the remaining unbroken instances of the ASASA construction, which was presented at ASIACRYPT 2014. Using algebraic properties of the ciphers, for each type of instance the attack recovers an algorithm equivalent to the secret key in near-practical time. This applies to a multivariate public-key scheme, a classical block cipher, and small block ciphers used in white-box constructions. The corresponding paper was published at ASIACRYPT 2015 and was honoured as one of the three best papers of the conference.

P. Karpman developed a compact 8-bit S-box with branch number three, which can be used as a basis to construct a lightweight block cipher particularly efficient on 8-bit microcontrollers. The corresponding paper is currently under review for FSE 2016.

Within the framework of the joint lab Inria-ALU, Grace and Alcatel-Lucent collaborate on the topic of Private Information Retrieval: that is, enabling a user to retrieve data from a remote database while revealing neither the query nor the retrieved data. (This is not the same as data confidentiality, which refers to the need for users to ensure secrecy of their data; this is classically obtained through encryption, which prevents access to data in the clear.)

A typical application would be a centralized database of medical records, which can be accessed by doctors, nurses, and so on. A desirable privacy goal would be that the central system does not know which patient is queried for when a query is made, and this goal is precisely achieved by a Private Information Retrieval protocol. Note also that in this scenario the database is not encrypted, since many users are allowed to access it.

We are exploring applications of Locally Decodable Codes to Private Information Retrieval in the multi-cloud (multi-host) setting, to ensure both secure, reliable storage, and privacy of database queries.
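The privacy goal stated above, as an added example that is not the Grace/ALU code: the simplest two-server PIR scheme, which is the local decoding procedure of the Hadamard code (the first-order member of the Reed–Muller family the team's work generalizes). The client sends a uniformly random subset of indices to one server and the same subset with the wanted index toggled to the other; each server returns the XOR of the selected records, and the two answers differ by exactly the wanted record. The eight-record database and the `randbits` parameter (injected so the scheme can be exercised deterministically) are constructed for the example.

```python
# Added example: the simplest two-server Private Information Retrieval scheme,
# built on the local decodability of the Hadamard code (the linear scheme of
# Chor, Goldreich, Kushilevitz and Sudan). Neither server learns the queried
# index: each one sees a uniformly random subset of indices. Everything here is
# constructed for illustration; it is not the Grace/ALU code base.
import secrets

# Constructed database: n records, here one byte each (any fixed-size record
# works, because the servers only XOR records together).
DATABASE = [0x3A, 0x51, 0x7F, 0x00, 0xC4, 0x19, 0xE2, 0x8D]


def make_queries(n, index, randbits=secrets.randbits):
    """Client side: a random indicator vector S for server 1 and S with
    `index` toggled for server 2. Each vector alone is uniformly random and
    therefore independent of `index`."""
    s1 = [randbits(1) for _ in range(n)]
    s2 = s1[:]
    s2[index] ^= 1
    return s1, s2


def server_answer(db, subset):
    """Server side: XOR of the records selected by the indicator vector.
    The server never sees which record the client wants."""
    acc = 0
    for record, selected in zip(db, subset):
        if selected:
            acc ^= record
    return acc


def reconstruct(answer1, answer2):
    """Client side: the two XOR sums differ exactly by the wanted record."""
    return answer1 ^ answer2


def pir_retrieve(db, index, randbits=secrets.randbits):
    """Full round trip: build the two queries, ask both servers, recombine."""
    q1, q2 = make_queries(len(db), index, randbits)
    return reconstruct(server_answer(db, q1), server_answer(db, q2))


if __name__ == "__main__":
    for i in range(len(DATABASE)):
        assert pir_retrieve(DATABASE, i) == DATABASE[i]
    q1, q2 = make_queries(len(DATABASE), 5)
    print("server 1 sees", q1)
    print("server 2 sees", q2)
    print("record 5 =", hex(pir_retrieve(DATABASE, 5)))
```

Two caveats matter in deployment. Privacy holds only while the two servers do not collude: the XOR of the two query vectors is the indicator of the wanted index, so the "multi-host" setting in the text must place the hosts under independent control. And each query is as long as the database, which is why the Reed–Muller and multiplicity codes used in the team's protocols matter: higher-degree codes reduce the per-query communication at the cost of more servers or more local decoding work.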

Our progress on information sets of multiplicity codes was presented at the ISIT 2015 conference.

Within the group PAIP (Pour une Approche Interdisciplinaire de la Privacy), D. Augot presented the cryptographic and peer-to-peer principles at the heart of the Bitcoin protocol (electronic signatures, hash functions, and so on). Most of the information is publicly available: the history of all transactions, the evolution of the source code, the developers' mailing lists, and the Bitcoin exchange rate. The economists in our group recognized that such an amount of data is very rare for an economic phenomenon, and it was decided to start research on the history of Bitcoin, to study the interplay between the development of the protocol and the development of the economic phenomenon.

The project
**Aije-Bitcoin** (analyse
informatique, juridique et économique de Bitcoin) was accepted as
interdisciplinary research for a PEPS (Projet exploratoire Premier
Soutien) cofunded by the CNRS and Université de Paris-Saclay. This
one-year preliminary program will enable the group to master the
understanding of Bitcoin from various angles, allowing more advanced
research in the following years.

Two M2 interns, Loïs Saublet and Kofi Manful, have been hired, located in Aviz team, and D. Augot co-supervised them with Petra and Tobias Isenberg.

Idealcodes is a two-year Digiteo research project, started in October 2014. The partners involved are the École Polytechnique (X) and the Université de Versailles–Saint-Quentin-en-Yvelines (Luca de Feo, UVSQ). After hiring J. Nielsen for the first year, we have hired V. Ducet for the second year, both working at the boundary between coding theory, cryptography, and computer algebra.

Idealcodes spans the three research areas of algebraic coding theory, cryptography, and computer algebra, by investigating the problem of lattice reduction (and root-finding). In algebraic coding theory this is found in Guruswami and Sudan's list decoding of algebraic geometry codes and Reed–Solomon codes. In cryptography, it is found in Coppersmith's method for finding small roots of integer equations. These topics were unified and generalised by H. Cohn and N. Heninger, by considering algebraic geometry codes and number field codes under the deep analogy between polynomials and integers. Sophisticated results in coding theory could then be carried over to cryptanalysis, and vice versa. The generalized view raises problems of efficient computation, which is one of the main research topics of Idealcodes.

CATREL (accepted June 2012, ending December 2015): “Cribles: Améliorations Théoriques et Résolution Effective du Logarithme” (Sieve Algorithms: Theoretical Advances and Effective Resolution of the Discrete Logarithm Problem). This project aims to make effective “attacks” on reduced-size instances of the discrete logarithm problem (DLP). This is a key ingredient for the assessment of the security of cryptosystems relying on the hardness of the DLP in finite fields, and for deciding on relevant key sizes.

MANTA (accepted July 2015, starting January 2016): “Curves, surfaces, codes and cryptography”. This project deals with applications of error-correcting codes in cryptography, multi-party computation, and complexity theory, using advanced topics in algebraic geometry and number theory. See http://anr-manta.inria.fr/

DIFMAT-3: this one-year project aims to find matrices with good diffusion properties over small finite fields. The principle is to find non-maximal matrices, but with better coefficients and implementation properties. The relevant cryptographic properties to be studied correspond to the weight distribution of the associated code. Since we use Algebraic-Geometry codes, much more powerful techniques can be used for computing these weight distributions, using and improving Duursma's ideas.

Cybersecurity. Inria and DGA contracted for three PhD topics at the national level, one of them involving Grace. Grace started a new PhD, and hired P. Karpman. The topic of this PhD is complementary to the above DIFMAT-3: while DIFMAT-3 provides fundamental methods for dealing with AG codes, for application to diffusion layers in block ciphers, the topic here is to make concrete proposals of block ciphers using these matrices. P. Karpman is co-advised by T. Peyrin (Nanyang Technological University, Singapore), P.-A. Fouque (Université de Rennes), and D. Augot.

Title: Post-quantum cryptography for long-term security

Program: H2020

Duration: March 2015 - March 2018

Coordinator: TECHNISCHE UNIVERSITEIT EINDHOVEN

Partners:

Academia Sinica (Taiwan)

Bundesdruckerei (Germany)

Danmarks Tekniske Universitet (Denmark)

Katholieke Universiteit Leuven (Belgium)

NXP Semiconductors Belgium NV (Belgium)

Ruhr-Universitaet Bochum (Germany)

Stichting Katholieke Universiteit (Netherlands)

Coding Theory and Cryptology group, Technische Universiteit Eindhoven (Netherlands)

Technische Universitaet Darmstadt (Germany)

University of Haifa (Israel)

Inria contact: Nicolas Sendrier

Online security depends on a very few underlying cryptographic algorithms. Public-key algorithms are particularly crucial since they provide digital signatures and establish secure communication. Essentially all applications today are based on RSA or on the discrete-logarithm problem in finite fields or on elliptic curves. Cryptographers optimize parameter choices and implementation details for these systems and build protocols on top of these systems; cryptanalysts fine-tune attacks and establish exact security levels for these systems.

It might seem that having three systems offers enough variation, but these systems are all broken as soon as large quantum computers are built. The EU and governments around the world are investing heavily in building quantum computers; society needs to be prepared for the consequences, including cryptanalytic attacks accelerated by these computers. Long-term confidential documents such as patient health-care records and state secrets have to guarantee security for many years, but information encrypted today using RSA or elliptic curves and stored until quantum computers are available will then be easy to decipher.

PQCRYPTO will allow users to switch to post-quantum cryptography: cryptographic systems that are not merely secure for today but that will also remain secure long-term against attacks by quantum computers. PQCRYPTO will design a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, with reference implementations.

Program: COST

Project acronym: COST 4175/11

Project title: Random Network Coding and Designs over GF(q) http://www.network-coding.eu/index.html

Duration: 04/2012 - 04/2016

Coordinator: Marcus Greferath

Other partners (Chairs of the five working groups):

Camilla Hollanti, Aalto University, Finland

Simon R. Blackburn, Royal Holloway, University of London, UK

Tuvi Etzion, Technion, Israel

Ángeles Vázquez-Castro, Autonomous University of Barcelona, Spain

Joachim Rosenthal, University of Zurich, Switzerland

Abstract: Random network coding emerged through an award-winning paper by R. Koetter and F. Kschischang in 2008 and has since then opened many new directions in networking, internet, wireless communication systems, and cloud computing. This COST Action will set up a European research network and establish network coding as a European core area in communication technology. Its aim is to bring together experts from pure and applied mathematics, computer science, and electrical engineering, who are working in the areas of discrete mathematics, coding theory, information theory, and related fields.

P. Beelen, J. Nielsen, DTU Lyngby

M. Bossert, Ulm Universität

S. Galbraith, Department of Mathematics, University of Auckland.

C. Berghoff is a visiting PhD student, from Bonn Universität.

D. Augot is a member of the committee of the CCA seminar on coding and cryptology. This seminar regularly attracts around 30 participants.

A. Couvreur organized the conference AGC with David Kohel (I2M, Marseille) and Alp Bassa (Bogazici University, Turkey).

F. Morain, B. Smith and A. Guillevic were the organizers of Advances in Discrete Logarithms, an international workshop on discrete logarithms to conclude the CATREL project, at École polytechnique from October 1 to 2, 2015.

P. Lebacque and B. Smith organized Arithmetic Geometry: Explicit Methods and Applications with C. Ritzenthaler and A. Zykin. This was an international number theory conference, held in Moscow from December 7 to 11, 2015.

A. Guillevic and P. Karpman were members of the local organizing team of CHES 2015 (Cryptographic Hardware and Embedded Systems), at Saint-Malo, France, in September.

A. Couvreur was a member of the program committee of *Journées Codes et Cryptographie 2015*, La Londe-les-Maures, October 2015.

A. Couvreur was a member of the program committee of WCC (Workshop on Codes and Cryptology) 2015, Paris, May 2015.

A. Couvreur was a member of the scientific committee of the *École Mathématique Africaine: Théorie des nombres et Cryptologie, Équations aux dérivées partielles, analyse numérique et calcul scientifique*, March 2015, Franceville (Gabon).

D. Augot was reviewer for

ISIT 2015 (International Symposium on Information Theory)

CAI 2015 (6th International Conference on Algebraic Informatics)

SODA 2016 (Symposium on Discrete Algorithms)

A. Couvreur was reviewer for

PQCrypto 2016.

P. Karpman was reviewer for

ACNS 2015

CRYPTO 2015

ASIACRYPT 2015

INDOCRYPT 2015

EUROCRYPT 2016

FSE 2016

B. Smith was a reviewer for

MEGA 2015

PKC 2015

EUROCRYPT 2016

D. Augot is a member of the editorial board of *RAIRO - Theoretical Informatics and Applications*, a Cambridge journal published by EDP Sciences.

D. Augot is a member of the editorial board of the *International Journal of Information and Coding Theory*, InderScience publishers.

D. Augot was a reviewer for

Designs, Codes and Cryptography

IEEE Transactions on Information Theory

Discrete Mathematics

Transactions on Computers

Applicable Algebra in Engineering, Communication and Computing

Advances in Mathematics of Communications

Ars Comb

A. Couvreur was reviewer for

Finite Fields Appl.

Des. Codes Cryptogr.

Mosc. Math. J.

J. Numbers.

B. Smith was a reviewer for

Journal of Cryptology

SICOMP (SIAM Journal on Computing)

D. Augot was invited to the colloquium of IRMAR, Rennes

D. Augot was invited to the workshop "Codage et cryptographie", USTHB, Algiers, November 2-5.

A. Couvreur was invited to the number theory seminar of the University of Oxford.

A. Couvreur was an invited speaker at the conference *Arithmetic Geometry: explicit methods and applications*, Moscow, December 2015.

A. Guillevic was invited to the Workshop on Elliptic Curve Cryptography (ECC), Bordeaux, September 2015.

A. Guillevic was invited to the CATREL Workshop on Discrete Logarithms organized by the GRACE team at Palaiseau, October 2015.

P. Karpman was invited to the RISC seminar of CWI, Amsterdam.

B. Smith was an invited speaker in the LFANT seminar, Bordeaux, February 2015

B. Smith was an invited speaker in the security seminar at University College London, UK, May 2015

B. Smith was an invited speaker at the Colóquio de Geometria e Aritmética (Geometry and Arithmetic Colloquium) at IMPA, Rio de Janeiro, Brazil, October 2015

B. Smith gave an invited Tech Talk at Cisco France, Paris, November 2015

B. Smith gave an invited talk in the cryptography and security seminar at Radboud University Nijmegen, Netherlands, December 2015

Together with the Inria Nancy Caramel team, we are leaders in discrete logarithm records, thanks to the CATREL project, which delivered the CADO-NFS software, and to our experience in running hard computational projects to achieve these records. We have also proposed the best curves for cryptographic computations.

D. Augot explained the fundamental concepts underlying bitcoin to the “Direction de la prospective de la Poste”.

Committees

A. Couvreur is an elected member of Saclay's *comité de centre*.

A. Couvreur is an elected member of Saclay's *Comité local Hygiène, Sécurité et Conditions de Travail*.

A. Couvreur is the *jeune chercheur référent* for the *commission de suivi doctoral* of Inria Saclay.

D. Augot is a member of LIX's *conseil de direction*.

D. Augot is the vice-head of Inria's *comité de suivi doctoral*.

D. Augot is a member of LIX's *conseil de laboratoire*.

D. Augot is an elected member of the *conseil académique consultatif* of Paris-Saclay University.

B. Smith was a reviewer for ANRT CIFRE funding.

F. Morain and B. Smith are elected members of the *Conseil de Laboratoire* of the LIX.

F. Morain is vice-head of the Département d'informatique of École polytechnique.

F. Morain represents École polytechnique in the committee in charge of *Mention HPC* in the *Master de l'université Paris Saclay*.

F. Morain is a member of the Board of the Master Parisien de Recherche en Informatique (MPRI).

B. Smith is a *Correspondant* for International Relations at Saclay.

B. Smith is a member of the COST-GTRI.

B. Smith is a member of the teaching committee of the Department of Computer Science of the École polytechnique.

Juries

D. Augot was on the committee assessing candidates for Institut Mines-Télécom.

**Licence**

A. Couvreur, INF311: “Introduction à l'informatique”, 40h (equiv TD), L3, École polytechnique, France.

A. Couvreur, INF411: “Les bases de la programmation et de l'algorithmique”, 32h (equiv TD), M1, École polytechnique, France.

F. Levy-dit-Vehel, “Cours de Cryptographie”, 30h. (equiv TD), 3rd year (M1), ENSTA ParisTech, France.

F. Levy-dit-Vehel, “Mathématiques discrètes pour la protection de l'information”, 24h (equiv TD), 2nd year (L3), ENSTA ParisTech, France.

F. Morain, Lectures for INF311: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).

B. Smith, INF442: “Traitement des données massives”, 32h (equiv TD), L4, École polytechnique, France.

**Master**

A. Couvreur, “Error-correcting codes and applications to cryptography”, 12h (equiv TD), M2, MPRI, France.

F. Morain, “Algorithmes arithmétiques pour la cryptologie”, 9h (equiv TD), M2, MPRI, France.

F. Morain, Lectures for INF568: “Cryptology”, 13.5h (equiv TD), 3rd year (M1), École polytechnique, France.

B. Smith, “Algorithmes arithmétiques pour la cryptologie”, 13.5h (equiv TD), M2, MPRI, France.

B. Smith, “Cryptologie”, 18h (equiv TD), M1, École polytechnique, France.

PhD: G. Robert defended his thesis on December 4th, 2015.

PhD in progress. J. Lavauzelle has begun his PhD on locally decodable codes and cryptographic applications, on October 1st, 2015, under the supervision of D. Augot and F. Levy-dit-Vehel.

PhD in progress. E. Barelli has begun his PhD on Algebraic-Geometry codes for code-based crypto on October 1st, 2015, under the supervision of D. Augot and A. Couvreur.

PhD in progress. N. Duhamel has begun his PhD on genus 2 curves for cryptography, under the supervision of B. Smith and F. Morain.

PhD in progress. P. Karpman, who started in 2013, will defend his PhD on the security of symmetric cryptographic primitives in 2016.

D. Augot was reviewer of

J. Roué PhD thesis, “Analyse de la résistance des chiffrements par blocs aux attaques linéaires et différentielles”, Université Pierre et Marie Curie

F. de Portzamparc PhD thesis, “Algebraic and Physical Security in Code-Based Cryptography”, Université Pierre et Marie Curie

A. Couvreur

was reviewer of F. de Portzamparc PhD thesis, “Algebraic and Physical Security in Code-Based Cryptography”, Université Pierre et Marie Curie

is a member of the Jury of the Agrégation de Mathématiques and in charge of option C (*Algèbre et calcul formel*)

B. Smith

was an examiner for L. Xu's PhD thesis, “Vérification formelle de la vie privée dans les systèmes concurrents”, École polytechnique, 4/5/2015.

D. Augot gave a lecture about bits, exclusive-or, coding and digital pictures, at Lycée de la vallée de Chevreuse (Jan 22)

D. Augot, N. Duhamel, A. Guillevic, J. Lavauzelle, D. Lucas, and B. Smith participated in the Fête de la Science at École polytechnique (Oct 12).

A. Couvreur gave a talk, “Les mathématiques pour protéger l'information”, for the pupils of Collège Moreau in Montlhéry (91).

F. Levy-dit-Vehel is a member of the ENSTA ParisTech working group “compétences et validation des acquis de l'expérience”.

B. Smith was “responsable des bureaux” (responsible for allocating desks and offices) at LIX.