The main focus of the POLSYS project is to solve systems of polynomial equations.

Our main objectives are:

**Fundamental Algorithms and Structured Systems.** The
objective is to propose fast exponential exact algorithms for
solving polynomial equations
and to identify large classes of structured polynomial systems which can be solved in polynomial time.

**Solving Systems over the Reals and Applications.** For
positive dimensional systems, basic questions over the reals may be
very difficult (for instance testing the existence of solutions) but
also very useful in applications (e.g. global optimization problems).
We plan to propose efficient algorithms and implementations to address
the most important issues: computing sample points in the real
solution sets, deciding whether two such sample points can be path-connected
and, as a long-term objective, performing quantifier elimination over the
reals (computing a quantifier-free formula which is equivalent to a
given quantified boolean formula of polynomial
equations/inequalities).

**Dedicated Algebraic Computation and Linear Algebra.** While
linear algebra is a key step in the computation of Gröbner bases,
the matrices generated by the algorithms

**Solving Systems in Finite Fields, Applications in
Cryptology and Algebraic Number Theory.** We propose to develop a
systematic use of *structured systems* in Algebraic
Cryptanalysis. We want to improve the efficiency and to predict the
theoretical complexity of such attacks. We plan to demonstrate the
power of algebraic techniques in new areas of cryptography such as
Algebraic Number Theory (typically, in curve based cryptography).

Polynomial system solving is a fundamental problem in Computer Algebra with many applications in cryptography, robotics, biology, error correcting codes, signal theory, etc. Among all available methods for solving polynomial systems, the computation of Gröbner bases remains one of the most powerful and versatile methods since it can be applied in the continuous case (rational coefficients) as well as in the discrete case (finite fields). Gröbner bases are also a building block for higher-level algorithms that compute real sample points in the solution set of polynomial systems, decide connectivity queries and perform quantifier elimination over the reals. The major challenge facing the designer or the user of such algorithms is the intrinsic exponential behaviour of the complexity of computing Gröbner bases. The current proposal is an attempt to tackle these issues in a number of different ways: improve the efficiency of the fundamental algorithms (even when the complexity is exponential), develop high performance implementations exploiting parallel computers, and investigate new classes of structured algebraic problems where the complexity drops to polynomial time.

Efficient algorithms (*A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)*, in Proceedings of ISSAC '02, pages 75-83, New York, NY, USA, 2002, ACM)

*(i)* developing dedicated
linear algebra routines performing the Gaussian elimination steps:
this is precisely Objective 2, described below;

*(ii)*
generating smaller or simpler matrices to which we will apply Gaussian
elimination.

We describe here our goals for the latter
problem. First, we focus on algorithms for computing a Gröbner basis
of *general polynomial systems*. Next, we present our goals on
the development of dedicated algorithms for computing Gröbner bases
of *structured polynomial systems* which arise in various
applications.

**Algorithms for general systems.** Several
degrees of freedom are available to the designer of a Gröbner basis
algorithm to generate the matrices occurring during the
computation. For instance, it would be desirable to obtain matrices
which would be almost triangular or very sparse. Such a goal can be
achieved by considering various interpretations of the

**Algorithms dedicated to *structured*
polynomial systems.** A complementary approach is to exploit the
structure of the input polynomials to design specific algorithms. Very
often, problems coming from applications are not random but are
highly structured. The specific nature of these systems may vary a
lot: some polynomial systems can be sparse (when the number of terms
in each equation is low), overdetermined (the number of equations
is larger than the number of variables), invariant under the action of
some finite groups, multi-linear (each equation is linear w.r.t.
one block of variables) or more generally multihomogeneous. In each
case, the ultimate goal is to identify large classes of problems whose theoretical/practical complexity drops and to propose in each case
dedicated algorithms.

We shall develop algorithms for solving polynomial systems over complex/real numbers. Again, the goal is to extend significantly the range of reachable applications using algebraic techniques based on Gröbner bases and dedicated linear algebra routines. Targeted application domains are global optimization problems, stability of dynamical systems (e.g. arising in biology or in control theory) and theorem proving in computational geometry.

The following functionalities shall be requested by the end-users:

*(i)* deciding the emptiness of the real solution set of systems
of polynomial equations and inequalities,

*(ii)* quantifier
elimination over the reals or complex numbers,

*(iii)* answering
connectivity queries for such real solution sets.

We will focus on these functionalities.

We will develop algorithms based on the so-called critical point
method to tackle systems of equations and inequalities
(problem *(i)*) . These techniques are based on solving
0-dimensional polynomial systems encoding "critical points" which are
defined by the vanishing of minors of jacobian matrices (with
polynomial entries). Since these systems are highly structured, the
expected results of Objective 1 and 2 may allow us to obtain dramatic
improvements in the computation of Gröbner bases of such polynomial
systems. This will be the foundation of practically fast
implementations (based on singly exponential algorithms) outperforming
the current ones based on the historical Cylindrical Algebraic
Decomposition (CAD) algorithm (whose complexity is doubly exponential
in the number of variables). We will also develop algorithms and
implementations that allow us to analyze, at least locally, the
topology of solution sets in some specific situations. A
long-term goal is obviously to obtain an analysis of the global
topology.

Here, the primary objective is to focus on *dedicated* algorithms
and software for the linear algebra steps in Gröbner bases
computations and for problems arising in Number Theory. As explained
above, linear algebra is a key step in the process of computing
efficiently Gröbner bases. It is then natural to develop specific
linear algebra algorithms and implementations to further strengthen
the existing software. Conversely, Gröbner bases computation is
often a key ingredient in higher level algorithms from Algebraic
Number Theory. In these cases, the algebraic problems are very
particular and specific. Hence dedicated Gröbner bases algorithms
and implementations would provide a better efficiency.

**Dedicated linear algebra tools.** FGb is
an efficient library for Gröbner bases computations which can be used,
for instance, via Maple. However, the library is sequential. A
goal of the project is to extend its efficiency to the new generation of parallel
architectures such as clusters of multi-processor systems in order to
tackle a broader class of problems for several applications.
Consequently, our first aim is to provide a durable, long-term
software solution, which will be the successor of the existing FGb library. To achieve this goal, we will first develop a high
performance linear algebra package (under the LGPL license). This
could be organized in the form of a collaborative project between the
members of the team. The objective is not to develop a general
library similar to the LinBox project but to propose a dedicated
linear algebra package taking into account the specific properties of
the matrices generated by the Gröbner bases algorithms. Indeed these
matrices are sparse (the actual sparsity depends strongly on the
application), almost block triangular and not necessarily of full
rank. Moreover, most of the pivots are known at the beginning of the
computation. In practice, such matrices are huge (more than

Fast linear algebra packages would also benefit the transformation of a Gröbner basis of a zero-dimensional ideal with respect to a given monomial ordering into a Gröbner basis with respect to another ordering. In the generic case at least, the change of ordering is equivalent to the computation of the minimal polynomial of a so-called multiplication matrix. By taking into account the sparsity of this matrix, the computation of the Gröbner basis can be done more efficiently using a variant of the Wiedemann algorithm. Hence, our goal is also to obtain a dedicated high performance library for transforming (i.e. changing the ordering of) Gröbner bases.

**Dedicated algebraic tools for Algebraic Number
Theory.** Recent results in Algebraic Number Theory tend to show that
the computation of Gröbner bases is a key step toward the resolution
of difficult problems in this domain (*Index calculus for abelian
varieties of small dimension and the elliptic curve discrete logarithm
problem*, Journal of Symbolic Computation 44(12), 2009,
pp. 1690-1702).

Here, we focus on solving polynomial systems over finite fields
(i.e. the discrete case) and the corresponding applications
(Cryptology, Error Correcting Codes, ...). Obviously this
objective can be seen as an application of the results of the two
previous objectives. However, we would like to emphasize that it is
also the source of new theoretical problems and practical challenges.
We propose to develop a systematic use of *structured systems* in
*algebraic cryptanalysis*.

*(i)* So far, breaking a cryptosystem using algebraic
techniques could be summarized as modeling the problem by algebraic
equations and then computing a (usually time-consuming) Gröbner
basis. A new trend in this field is to require a theoretical
complexity analysis. This is needed to explain the behavior of the
attack but also to help the designers of new cryptosystems to propose
actually secure parameters.

*(ii)* To assess the security of
several cryptosystems in symmetric cryptography (block ciphers, hash
functions, ...), a major difficulty is the size of the systems
involved for this type of attack. More specifically, the bottleneck
is the size of the linear algebra problems generated during a Gröbner basis
computation.

The first objective is to build on the recent breakthrough in
attacking McEliece's cryptosystem: it is the first structural
weakness observed on one of the oldest public-key cryptosystems. We
plan to develop a well-founded framework for assessing the security of
public-key cryptosystems based on coding theory from the algebraic
cryptanalysis point of view. The answer to this issue is strongly
related to the complexity of solving bihomogeneous systems (of
bidegree

Dedicated tools for the linear algebra problems generated during the Gröbner basis computation will be used in algebraic cryptanalysis. The promise of considerable algebraic computing power beyond the capability of any standard computer algebra system will enable us to attack various cryptosystems or at least to propose accurate secure parameters for several important cryptosystems. Dedicated linear algebra tools are thus needed to tackle these problems. From a theoretical perspective, we plan to further improve the theoretical complexity of the hybrid method and to investigate the problem of solving polynomial systems with noise, i.e. systems in which some equations are incorrect. The hybrid method is a specific method for solving polynomial systems over finite fields. The idea is to mix exhaustive search and Gröbner basis computation to take advantage of the over-determinacy of the resulting systems.
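As an added illustration of the hybrid method just described (example code, not code from POLSYS or the FGb library), the Python block below guesses the last k of the n variables of a constructed quadratic system over GF(2) exhaustively and settles each guess by linear algebra on the specialized, now more over-determined, system; linearization on the degree-2 Macaulay matrix stands in for the Gröbner basis step, and the planted solution, the field and the system sizes are assumptions of the demo.

```python
import random
from itertools import combinations, product

# A GF(2) polynomial is a set of monomials and a monomial a frozenset of
# variable indices (frozenset() is the constant 1); every polynomial is read
# as the equation p = 0.  The system below is a constructed sample.

def evaluate(poly, assignment):
    """Evaluate poly at a full 0/1 assignment (dict variable -> bit)."""
    return sum(all(assignment[v] for v in m) for m in poly) % 2

def specialize(poly, partial):
    """Substitute the guessed variables (dict variable -> bit) into poly."""
    out = set()
    for m in poly:
        if any(partial.get(v) == 0 for v in m):
            continue                                   # the monomial vanishes
        out ^= {frozenset(v for v in m if v not in partial)}   # XOR: GF(2) sum
    return out

def rref_gf2(rows, ncols):
    """Reduced row echelon form of [coefficient bitmask, rhs bit] rows over GF(2)."""
    rows, pivots, r = [row[:] for row in rows], [], 0
    for c in range(ncols):
        sel = next((i for i in range(r, len(rows)) if rows[i][0] >> c & 1), None)
        if sel is None:
            continue
        rows[r], rows[sel] = rows[sel], rows[r]
        for i, row in enumerate(rows):
            if i != r and row[0] >> c & 1:
                row[0] ^= rows[r][0]
                row[1] ^= rows[r][1]
        pivots.append(c)
        r += 1
    return pivots, rows

def solve_by_linearization(system, free_vars):
    """Treat every monomial as an independent unknown (the degree-2 Macaulay
    matrix that F4 would reduce) and row-reduce it.  Returns 'inconsistent',
    a dict variable -> bit when every variable is pinned down, or None when
    the linearized system is under-determined."""
    monos = sorted({m for p in system for m in p if m}, key=lambda m: (len(m), sorted(m)))
    col = {m: j for j, m in enumerate(monos)}
    rows = [[sum(1 << col[m] for m in p if m), int(frozenset() in p)] for p in system]
    pivots, rows = rref_gf2(rows, len(monos))
    values = {}
    for i, (mask, rhs) in enumerate(rows):
        if mask == 0:
            if rhs:
                return 'inconsistent'                  # the row reads 0 = 1
        elif mask == 1 << pivots[i] and len(monos[pivots[i]]) == 1:
            values[next(iter(monos[pivots[i]]))] = rhs
    return values if all(v in values for v in free_vars) else None

def hybrid_solve(system, n, k):
    """Guess the last k of n variables exhaustively; settle each guess by
    linear algebra on the specialized system and verify every candidate
    against the original one.  Returns (solutions, how guesses were settled)."""
    guessed, free_vars = list(range(n - k, n)), list(range(n - k))
    stats = {'inconsistent': 0, 'candidate': 0, 'undetermined': 0}
    solutions = []
    for bits in product((0, 1), repeat=k):
        partial = dict(zip(guessed, bits))
        res = solve_by_linearization([specialize(p, partial) for p in system], free_vars)
        if res == 'inconsistent':
            stats['inconsistent'] += 1
            continue
        if res is None:          # linear algebra alone was not enough: finish by search
            stats['undetermined'] += 1
            candidates = [dict(zip(free_vars, r)) for r in product((0, 1), repeat=n - k)]
        else:
            stats['candidate'] += 1
            candidates = [res]
        for cand in candidates:
            full = {**partial, **cand}
            if all(evaluate(p, full) == 0 for p in system):
                solutions.append(tuple(full[i] for i in range(n)))
    return solutions, stats

def random_system(n, m, solution, seed=1):
    """Constructed sample: m random quadratic GF(2) polynomials in n variables
    whose constant terms are adjusted so that the planted tuple is a root."""
    rng, system = random.Random(seed), []
    for _ in range(m):
        poly = {frozenset(t) for t in combinations(range(n), 2) if rng.random() < 0.5}
        poly |= {frozenset((i,)) for i in range(n) if rng.random() < 0.5}
        if evaluate(poly, dict(enumerate(solution))):
            poly.add(frozenset())
        system.append(poly)
    return system

if __name__ == "__main__":
    planted = (1, 0, 1, 1, 0, 0, 1, 1)
    sols, stats = hybrid_solve(random_system(8, 20, planted), 8, 4)
    print("solutions:", sols)
    print("guesses settled by linear algebra alone:", stats)
```

With n = 8, m = 20 and k = 4 each specialized system has at most 10 monomials for 20 equations, so a single elimination settles most guesses; lowering k shows where linearization stops being enough and the fallback search takes over.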

Polynomial systems with noise are currently emerging as a problem of major interest in cryptography. This problem is a key to further developing new applications of algebraic techniques, typically in side-channel and statistical attacks. We also emphasize that a connection has recently been established between several classical lattice problems (such as the Shortest Vector Problem), polynomial system solving and polynomial systems with noise. The main issue is that there is no sound algorithmic and theoretical framework for solving polynomial systems with noise. The development of such a framework is a long-term objective.

Our joint research project GOAL@SiliconValley with the University of California, Berkeley has been selected by Inria (2015-2018). GOAL, led by Bernd Sturmfels (UC Berkeley) and Jean-Charles Faugère (POLSYS, Inria Paris-Rocquencourt), stands for “Geometry and Optimization with ALgebraic methods”. The goal of this project is to develop algorithms and mathematical tools to solve geometric and optimization problems through algebraic techniques. As a long-term goal, the joint team plans to develop new software to solve these problems more efficiently. These objectives encompass the challenge of identifying instances of these problems that can be solved in polynomial time with respect to the number of solutions and modeling these problems with polynomial equations.

The webpage of the research project is
http://

The kickoff workshop was held at UC Berkeley in May 2015,
see https://

Functional Description

FGb is a powerful software package for computing Gröbner bases. It includes the new generation of algorithms for computing Gröbner bases of polynomial systems (mainly the F4, F5 and FGLM algorithms). It is implemented in C/C++ (approximately 250000 lines); standalone servers are available on demand. Since 2006, FGb has been dynamically linked with the Maple software (version 11 and higher) and is part of the official distribution of this software.

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Functional Description

GBLA is an open source C library for linear algebra specialized for eliminating matrices generated during Gröbner basis computations in algorithms like F4 or F5.

Contact: Brice Boyer

Functional Description

RAGLib is a Maple library for solving over the reals polynomial systems and computing sample points in semi-algebraic sets.

Contact: Mohab Safey El Din

Functional Description

SLV is a software package in C that provides routines for isolating (and subsequently refining) the real roots of univariate polynomials with integer or rational coefficients, based on subdivision algorithms and on the continued fraction expansion of real numbers. Special attention is given so that the package can handle polynomials of degree several thousand with coefficients of size hundreds of Megabytes.
Currently the code consists of

Contact: Elias Tsigaridas

We study the complexity of Gröbner bases computation, in particular in the generic situation where the variables are in simultaneous Noether position with respect to the system.

We give a bound on the number of polynomials of degree

Our estimates show that the version of

Solving polynomial systems arising from applications is frequently
made easier by the structure of the systems. Weighted homogeneity
(or quasi-homogeneity) is one example of such a structure: given a
system of weights

Sakata generalized the Berlekamp–Massey algorithm to the *black-box* model: we assume
probing the
table is expensive and we minimize the number of probes to the table in our
complexity model.
We produce an FGLM-like algorithm for finding the relations in the
table, which lets us use linear algebra techniques. Under some additional
assumptions, we make this algorithm adaptive and further reduce the number
of table probes.
This number can be estimated by counting the number of distinct elements in a
multi-Hankel matrix (a multivariate generalization of Hankel matrices); we can
relate this quantity to the *geometry* of the final staircase. Hence,
in favorable cases such as convex ones, the complexity is
essentially linear in
the size of the output. Finally, when using the lex ordering, we can
make use of fast structured linear algebra similarly to the Hankel
interpretation of Berlekamp–Massey.
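The following Python block is an added example (not code from POLSYS or FGb) serving two passages above: the change-of-ordering step that reduces, in the generic case, to the minimal polynomial of a multiplication matrix, and the Berlekamp–Massey recurrence-finding step that the multidimensional BMS variant generalizes. It recovers the minimal polynomial of a constructed multiplication matrix over GF(101) from the scalar Krylov sequence u^T M^i v, as Wiedemann's method does; the prime, the matrix and the projections are assumptions of the demo.

```python
import random

P = 101  # small prime field GF(101), an assumption of this demo


def berlekamp_massey(seq, p=P):
    """Minimal polynomial of the linearly recurrent sequence seq over GF(p).

    Returns [1, c_1, ..., c_L], the coefficients (highest degree first) of
    x^L + c_1 x^(L-1) + ... + c_L, i.e. the shortest recurrence
    s_n + c_1 s_(n-1) + ... + c_L s_(n-L) = 0 satisfied by seq.
    """
    C, B = [1], [1]      # current and previous connection polynomials (low degree first)
    L, m, b = 0, 1, 1    # current length, shift since last length change, last discrepancy
    for n, s in enumerate(seq):
        d = s
        for i in range(1, L + 1):           # discrepancy of the current recurrence
            d = (d + C[i] * seq[n - i]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, -1, p) % p
        T = C[:]
        if len(C) < len(B) + m:
            C.extend([0] * (len(B) + m - len(C)))
        for i, bi in enumerate(B):          # C(x) -= coef * x^m * B(x)
            C[i + m] = (C[i + m] - coef * bi) % p
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1]


def matvec(M, v, p=P):
    """Product of the square matrix M (list of rows) with the vector v over GF(p)."""
    return [sum(a * x for a, x in zip(row, v)) % p for row in M]


def wiedemann_minpoly(M, u=None, v=None, p=P, rng=random):
    """Minimal polynomial of M over GF(p) by Wiedemann's projection.

    The scalar sequence u^T M^i v (i < 2n) is linearly recurrent and its
    minimal polynomial divides that of M; for random u, v it equals it with
    high probability when p is large compared to n.  Only 2n matrix-vector
    products are needed, which is what makes the sparse case cheap.
    """
    n = len(M)
    u = u or [rng.randrange(p) for _ in range(n)]
    v = v or [rng.randrange(p) for _ in range(n)]
    seq, w = [], v
    for _ in range(2 * n):
        seq.append(sum(a * x for a, x in zip(u, w)) % p)
        w = matvec(M, w, p)
    return berlekamp_massey(seq, p)


def apply_poly(M, poly, v, p=P):
    """Compute f(M) v by Horner's rule, poly given highest degree first."""
    acc = [0] * len(v)
    for c in poly:
        acc = matvec(M, acc, p)
        acc = [(a + c * x) % p for a, x in zip(acc, v)]
    return acc


def companion(coeffs, p=P):
    """Companion matrix of the monic polynomial x^n + c_1 x^(n-1) + ... + c_n
    (coeffs = [1, c_1, ..., c_n]): the multiplication matrix of x in
    GF(p)[x]/(f) on the basis 1, x, ..., x^(n-1), a constructed stand-in for
    the multiplication matrix of a zero-dimensional ideal."""
    n = len(coeffs) - 1
    M = [[0] * n for _ in range(n)]
    for i in range(1, n):
        M[i][i - 1] = 1
    for i in range(n):
        M[i][n - 1] = (-coeffs[n - i]) % p
    return M


if __name__ == "__main__":
    random.seed(7)
    M = companion([1, 2, 3, 4])          # multiplication by x modulo x^3 + 2x^2 + 3x + 4
    f = wiedemann_minpoly(M)
    print("recovered minimal polynomial:", f)
    print("f(M) e_1 =", apply_poly(M, f, [1, 0, 0]))
```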

Let

Let

Let

Polynomial systems of equations are a central object of study in computer algebra. Among the many existing algorithms for solving polynomial systems, perhaps the most successful numerical ones are the homotopy algorithms. The number of operations that these algorithms perform depends on the condition number of the roots of the polynomial system. Roughly speaking, the condition number expresses the sensitivity of the roots with respect to small perturbations of the input coefficients. A natural question to ask is how we can bound, in the worst case, the condition number when the input polynomials have integer coefficients. In we address this problem and we provide effective bounds that depend on the number of variables, the degree and the maximum coefficient bitsize of the input polynomials. Such bounds allow us to estimate the bit complexity of the algorithms that depend on the separation bound, like the homotopy algorithms, for solving polynomial systems.

The known algorithms approximate the roots of a complex univariate polynomial in nearly optimal arithmetic and Boolean time. They are, however, quite involved and require a high precision of computing when the degree of the input polynomial is large, which causes numerical stability problems. We observe that these difficulties do not appear at the initial stages of the algorithms, and in we extend one of these stages, analyze it, and avoid the cited problems, still achieving the solution within nearly optimal complexity estimates, provided that some mild initial isolation of the roots of the input polynomial has been ensured. The resulting algorithms promise to be of some practical value for root-finding and can be extended to the problem of polynomial factorization, which is of interest in its own right. We conclude by outlining such an extension, which enables us to cover the cases of isolated multiple roots and root clusters.

Interrupt Timed Automata (ITA) form a subclass of stopwatch automata where reachability and some variants of timed model checking are decidable even in presence of parameters. They are well suited to model and analyze real-time operating systems. Here we extend ITA with polynomial guards and updates, leading to the class of polynomial ITA (polITA). In , we prove that reachability is decidable in 2EXPTIME on polITA, using an adaptation of the cylindrical algebraic decomposition algorithm for the first-order theory of reals using symbolic computation. Compared to previous approaches, our procedure handles parameters and clocks in a unified way. We also obtain decidability for the model checking of a timed version of CTL and for reachability in several extensions of polITA.

Boneh *et al.* showed at Crypto 99 that moduli of the form

A very popular trend in code-based cryptography is to
decrease the public-key size by focusing on subclasses of
alternant/Goppa codes which admit a very compact public matrix,
typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic
(QM) matrices. In , we show
that the very same reason which allows one to
construct a compact public key makes the key-recovery problem
intrinsically much easier. The gain on the public-key size induces
an important security drop, which is as large as the compression
factor p on the public key. The fundamental remark is that from
the

**Input:**

**Find:** a subspace

where

This problem underlies the security of the first public-key
quantum money scheme that is proved to be cryptographically secure
under a non-quantum but classical hardness assumption. This scheme
was proposed by
S. Aaronson and P. Christiano at STOC'12. In particular,
it depends upon the hardness of

The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A well-known trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery problem on the original symmetric public code to the key-recovery problem on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (building upon prior works of T. Berger and A. Dür). This enables not only a unified view but also a generalization of the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

The best algorithms for discrete logarithms in Jacobians of algebraic curves of small genus are based on index calculus methods coupled with large prime variations. For hyperelliptic curves, relations are obtained by looking for reduced divisors with smooth Mumford representation (Gaudry); for non-hyperelliptic curves it is faster to obtain relations using special linear systems of divisors (Diem, Diem and Kochinke). Recently, Sarkar and Singh have proposed a sieving technique, inspired by an earlier work of Joux and Vitse, to speed up the relation search in the hyperelliptic case. In , we give a new description of this technique, and show that this new formulation applies naturally to the non-hyperelliptic case with or without large prime variations. In particular, we obtain a speed-up by a factor approximately 3 for the relation search in Diem and Kochinke's methods.

**Gemalto.** Gemalto is an international IT security company providing software applications and
secure personal devices such as smart cards and tokens. POLSYS is currently working with
Gemalto – thanks to a CIFRE PhD grant – on the security analysis of code-based cryptosystems
(Participants: J.-C. Faugère, L. Perret, F. Urvoy de Portzamparc).

Until the mid-2000s, multivariate cryptography was developing very rapidly, producing many interesting and versatile public-key schemes. However, many of them were soon successfully cryptanalysed (a large part of this work was done in this group). As a consequence, confidence in multivariate cryptosystems declined. Important new reasons have now emerged for renewing interest in a new generation of multivariate schemes. In the past two years, the algorithms for solving the Discrete Logarithm Problem over small-characteristic fields underwent an extraordinary development. This clearly illustrates the risk of not considering alternatives to the classical assumptions based on number theory. In parallel, two of the most important standardization bodies in the world, NIST and ETSI, have recently started initiatives for developing cryptographic standards not based on number theory, with a particular focus on primitives resistant to quantum algorithms. An objective here is therefore to focus on the design of multivariate schemes.

The team is now involved in the industrial transfer of post-quantum cryptography. The project is supervised by SATT-LUTECH. SATT Lutech specializes in the processing and transfer of technologies from the research laboratories of its shareholders: Inria, CNRS, University of Technology of Compiègne, National Museum of Natural History, Institut Curie, Université Panthéon-Assas, Paris Sorbonne University and National School of Industrial Creation.

The team has recently developed, in partnership with a mobile application development company (WASSA), an Android app for smartphones (Samsung G5 type) that uses multivariate cryptography. The application was tested in mid-November in a series of experiments supervised by DGA and the French Ministry of Defense. The experiment gathered a total of one hundred participants from various operational units. This is a first milestone in the maturation project, whose goal is to create a start-up.

**ANR Grant HPAC: High Performance Algebraic Computing
(2012-2016).** The pervasive ubiquity of parallel architectures
and memory hierarchy has led to a new quest for parallel
mathematical algorithms and software capable of exploiting the
various levels of parallelism: from hardware acceleration
technologies (multi-core and multi-processor system on chip, GPGPU,
FPGA) to cluster and global computing platforms. For giving a
greater scope to symbolic and algebraic computing, beyond the
optimization of the application itself, the effective use of a large
number of resources (memory and specialized computing units) is
expected to enhance the performance multi-criteria objectives: time,
resource usage, reliability, even energy consumption. The design and
the implementation of mathematical algorithms with provable,
adaptive and sustainable performance is a major challenge. In this
context, this project is devoted to fundamental and practical
research specifically in exact linear algebra and system solving that
are two essential "dwarfs" (or "killer kernels") in scientific and
algebraic computing. The project should lead to progress in matrix
algorithms and challenge solving in cryptology, and should provide
new insights into high performance programming and library design
problems (J.-C. Faugère [contact], L. Perret, G. Renault, M. Safey
El Din).

**ANR Grant GeoLMI: Geometry of Linear Matrix Inequalities
(2011-2015).** GeoLMI project aims at developing an algebraic
and geometric study of linear matrix inequalities (LMI) for systems
control theory. It is an interdisciplinary project at the border
between information sciences (systems control), pure mathematics
(algebraic geometry) and applied mathematics (optimisation). The
project focuses on the geometry of determinantal varieties, on
decision problems involving positive polynomials, on computational
algorithms for algebraic geometry, on computational algorithms for
semi-definite programming, and on applications of algebraic geometry
techniques in systems control theory, namely for robust control of
linear systems and polynomial optimal control (Participants:
J.-C. Faugère, M. Safey El Din [contact], E. Tsigaridas).

Type: PEOPLE

Instrument: Career Integration Grant

Duration: May 2013 - April 2017

Coordinator: Jean-Charles Faugère

Partner: Institut National de Recherche en Informatique et en Automatique (Inria), France

Inria contact: Elias Tsigaridas

Abstract: The project Algebraic Algorithms and Applications (A3) is an interdisciplinary and multidisciplinary project, with strong international synergy. It consists of four work packages. The first (Algebraic Algorithms) focuses on fundamental problems of computational (real) algebraic geometry: effective zero bounds, that is, estimates for the minimum distance of the roots of a polynomial system from zero; algorithms for solving polynomials and polynomial systems; derivation of non-asymptotic bounds for basic algorithms of real algebraic geometry; and application of polynomial system solving techniques in optimization. We propose a novel approach that exploits structure and symmetry, combinatorial properties of high-dimensional polytopes and tools from mathematical physics. Despite the great potential of the modern tools from algebraic algorithms, their use requires a combined effort to transfer this technology to specific problems. In the second package (Stochastic Games) we aim to derive optimal algorithms for computing the values of stochastic games, using techniques from real algebraic geometry, and to introduce a whole new arsenal of algebraic tools to computational game theory. In the third work package (Non-linear Computational Geometry), we focus on exact computations with implicitly defined plane and space curves. These are challenging problems that commonly arise in geometric modeling and computer-aided design, but they also have applications in polynomial optimization. The final work package (Efficient Implementations) describes our plans for complete, robust and efficient implementations of algebraic algorithms.

Program: ICT COST Action IC1403

Project acronym: CRYPTACUS

Project title: Cryptanalysis of ubiquitous computing systems

Duration: 12/2014 – 12/2018

Coordinator: Prof Gildas AVOINE

Abstract: Recent technological advances in hardware and software have irrevocably affected the classical picture of computing systems. Today, these no longer consist only of connected servers, but involve a wide range of pervasive and embedded devices, leading to the concept of "ubiquitous computing systems".

The objective of the Action is to improve and adapt the existent cryptanalysis methodologies and tools to the ubiquitous computing framework. Cryptanalysis, which is the assessment of theoretical and practical cryptographic mechanisms designed to ensure security and privacy, will be implemented along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems.

Researchers have only recently started to focus on the security of ubiquitous computing systems. Despite the critical flaws found, the required highly-specialized skills and the isolation of the involved disciplines are a true barrier for identifying additional issues. The Action will establish a network of complementary skills, so that expertise in cryptography, information security, privacy, and embedded systems can be put to work together.

The outcome will directly help industry stakeholders and regulatory bodies to increase security and privacy in ubiquitous computing systems, in order to eventually make citizens better protected in their everyday life.

Program: COST Action IC1306

Project acronym: CryptoAction

Project title: Cryptography for Secure Digital Interaction

Duration: 04/2014 – 04/2018

Coordinator: Dr. Claudio ORLANDI

Abstract: As increasing amounts of sensitive data are exchanged and processed every day on the Internet, the need for security is paramount. Cryptography is the fundamental tool for securing digital interactions, and allows much more than secure communication: recent breakthroughs in cryptography enable the protection - at least from a theoretical point of view - of any interactive data processing task. This includes electronic voting, outsourcing of storage and computation, e-payments, electronic auctions, etc. However, as cryptography advances and becomes more complex, single research groups become specialized and lose contact with "the big picture". Fragmentation in this field can be dangerous, as a chain is only as strong as its weakest link. To ensure that the ideas produced in Europe's many excellent research groups will have a practical impact, coordination among national efforts and different skills is needed. The aim of this COST Action is to stimulate interaction between the different national efforts in order to develop new cryptographic solutions and to evaluate the security of deployed algorithms with applications to the secure digital interactions between citizens, companies and governments. The Action will foster a network of European research centers thus promoting movement of ideas and people between partners.

See https://

Associate Team involved in the International Lab:

GOAL

Title: Geometry and Optimization with ALgebraic methods.

International Partner (Institution - Laboratory - Researcher):

University of California Berkeley (United States) - Dept. of Mathematics - Bernd Sturmfels

Start year: 2015

Polynomial optimization problems form a subclass of general global optimization problems, which have received a lot of attention from the research community recently; various solution techniques have been designed. One reason for the spectacular success of these methods is the potential impact in many fields: data mining, big data, energy savings, etc. More generally, many areas in mathematics, as well as applications in engineering, biology, statistics, robotics etc. require a deeper understanding of the algebraic structure of their underlying objects.

A new trend in the polynomial optimization community is the combination of algebraic and numerical methods. Understanding and characterizing the algebraic properties of the objects occurring in numerical algorithms can play an important role in improving the efficiency of exact methods. Moreover, this knowledge can be used to estimate the quality (for example the number of significant digits) of numerical algorithms. In many situations each coordinate of the optimum is an algebraic number. The degree of the minimal polynomials of these algebraic numbers is the Algebraic Degree of the problem. From a methodological point of view, this notion of Algebraic Degree emerges as an important complexity parameter for both numerical and exact algorithms. However, algebraic systems occurring in applications often have special algebraic structures that deeply influence the geometry of the solution set. Therefore, the (true) algebraic degree can be much smaller than what general worst-case bounds (Bézout bounds, mixed volume, etc.) predict, and it would be very worthwhile to understand it more precisely.
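A small worked instance of the Algebraic Degree notion, added here as an illustration (it is not part of the original report and uses a constructed toy problem):

Minimize $f(x,y) = x + y$ subject to $g(x,y) = x^2 + y^2 - 1 = 0$. The critical points are the solutions of the Lagrange system
$$1 - 2\lambda x = 0,\qquad 1 - 2\lambda y = 0,\qquad x^2 + y^2 - 1 = 0 .$$
The first two equations force $\lambda \neq 0$ and $x = y$, hence $2x^2 = 1$: the critical points are $(x,y) = \pm\left(\tfrac{1}{\sqrt{2}}, \tfrac{1}{\sqrt{2}}\right)$, and the minimum is attained at $x^\star = y^\star = -\tfrac{1}{\sqrt{2}}$. Each coordinate of the optimum is a root of $2t^2 - 1$, i.e. has minimal polynomial $t^2 - \tfrac{1}{2}$ over $\mathbb{Q}$, so the Algebraic Degree of this problem is $2$ (the optimal value $f^\star = -\sqrt{2}$, with minimal polynomial $t^2 - 2$, has the same degree). The Bézout bound for the three quadratic Lagrange equations in $(x,y,\lambda)$ is $2^3 = 8$, four times the true number of critical points: the structure of the system (a linear objective over a single quadric) brings the degree well below the generic worst-case bound, which is exactly the gap described in the paragraph above.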

The goal of this proposal is to develop algorithms and mathematical tools to solve geometric and optimization problems through algebraic techniques. As a long-term goal, we plan to develop new software to solve these problems more efficiently. These objectives encompass the challenge of identifying instances of these problems that can be solved in polynomial time with respect to the number of solutions and modeling these problems with polynomial equations.

The kickoff workshop was held at UC Berkeley in May 2015,
see https://

Both Carlos Améndola Cerón and Kaie Kubjas visited the team for one month through the associate team.

Associate Team involved in the International Lab:

ECCA

Title: Exact/Certified Computation with Algebraic Systems

International Partner (Institution - Laboratory - Researcher):

KLMM – Chinese Academy of Sciences, Lihong Zhi.

Start year: 2012

Exact/Certified Computation with Algebraic Systems (ECCA) is a project run within the LIAMA Consortium as a cooperation project between CNRS/Inria/LIP6, KLMM, SKLOIS and LMIB. The main scientific objective of this project is to study and compute the solutions of nonlinear algebraic systems, together with their structures and properties, with target applications to computational geometry, algebraic cryptanalysis, global optimization, and algebraic biology.

Carlos Améndola Cerón

Date: Sept. 2015

Institution: Technische Universität Berlin, Germany

Kaie Kubjas

Date: Oct. 2015

Institution: Aalto Science Institute, Finland

Cordian Riener

Date: May 2015

Institution: Aalto Science Institute, Finland

Igor Shparlinski

Date: Sept. 2015

Institution: The University of New South Wales, Australia

Rekha Thomas

Date: Feb. 2015

Institution: University of Washington, USA.

Matías Bender

Date: Sep 2014 - Feb 2015

Institution: Universidad de Buenos Aires (Argentina)

Supervisor: Jean-Charles Faugère

Jérôme Govinden

Date: Feb. 2015 - Sept. 2015

Institution: UPMC

Supervisors: Jean-Charles Faugère, Ludovic Perret

Guénaël Renault and Emmanuel Prouff were both General Co-chairs of CHES 2015.

Dongming Wang was involved in the organization of the following conferences

Fourth International Seminar on Program Verification, Automated Debugging and Symbolic Computation (PAS 2015) (Beijing, China, October 21-23, 2015);

Dagstuhl Seminar 15471: Symbolic Computation and Satisfiability Checking ((SC)² 2015) (Dagstuhl, Germany, November 15-20, 2015);

International Seminar on Geometric Computation (GC 2015) (Nanning, China, February 2-4, 2015).

Dongming Wang was Program Co-chair of the following conferences

Fourth International Seminar on Program Verification, Automated Debugging and Symbolic Computation (PAS 2015) (Beijing, China, October 21-23, 2015);

Dagstuhl Seminar 15471: Symbolic Computation and Satisfiability Checking ((SC)² 2015) (Dagstuhl, Germany, November 15-20, 2015);

International Seminar on Geometric Computation (GC 2015) (Nanning, China, February 2-4, 2015).

Jean-Charles Faugère was member of the program committees of the following conferences

PKC 2015

Eurocrypt 2016

Ludovic Perret was member of the program committees of the following conferences

The 7th International Workshop on Parallel Symbolic Computation (PASCO'15)

The 41st International Symposium on Symbolic and Algebraic Computation (ISSAC'16)

Emmanuel Prouff was member of the program committees of the following conferences

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2015);

14th Smart Card Research and Advanced Application Conference (CARDIS 2015);

6th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE);

Indocrypt 2015.

Guénaël Renault was member of the program committees of the following conferences

International Symposium on Symbolic and Algebraic Computation (ISSAC 2015)

Mohab Safey El Din was member of the program committee of the following conference

International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS) 2015;

Dongming Wang was member of the program committees of the following conferences

International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS);

International Symposium on Symbolic Computation in Software Science (SCSS).

Ludovic Perret is Member of the Editorial Board of Designs, Codes and Cryptography.

Mohab Safey El Din is member of the editorial board of Journal of Symbolic Computation.

Dongming Wang has the following editorial activities:

Editor-in-Chief and Managing Editor for the journal

Mathematics in Computer Science (published by Birkhäuser/Springer, Basel).

Executive Associate Editor-in-Chief for the journal

SCIENCE CHINA Information Sciences (published by Science China Press, Beijing and Springer, Berlin).

Member of the Editorial Boards for the

Journal of Symbolic Computation (published by Academic Press/Elsevier, London),

Frontiers of Computer Science (published by Higher Education Press, Beijing and Springer, Berlin),

Texts and Monographs in Symbolic Computation (published by Springer, Wien New York),

Member of the International Advisory Board for the Communications of JSSAC (Japan Society for Symbolic and Algebraic Computation) (published by JSSAC).

Jean-Charles Faugère was invited speaker at

Workshop on “Gröbner bases techniques for post-quantum cryptography”, March 27, 2015, Washington (USA)

Workshop on Algebra, Geometry and Proofs in Symbolic Computation Thematic Program on Computer Algebra, Fields Inst. Toronto, Dec. 2015.

Sixth International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS) Nov 11–13, 2015 Zuse Institute Berlin (ZIB), Germany.

Journées Nationales de Calcul Formel (3-hour lecture), Oct. 2015, Cluny, France

Daniel Lazard gave a special invited talk at Effective Methods in Algebraic Geometry 2015 - Università di Trento, Trento, June 2015.

Emmanuel Prouff gave an invited talk at the Workshop on Constructive Side-Channel Analysis and Secure Design 2015, Mövenpick Hotel, Berlin, Apr. 2015.

Mohab Safey El Din was invited speaker at

Workshop on Algebra, Geometry and Proofs in Symbolic Computation Thematic Program on Computer Algebra, Fields Inst. Toronto, Dec. 2015.

Workshop on Linear Computer Algebra and Symbolic-Numeric Computation, Thematic Program on Computer Algebra, Fields Inst. Toronto, Oct. 2015.

Workshop Algebraic Vision, TU Berlin, October 2015.

Dagstuhl seminar on Complexity of Symbolic and Numeric Procedures, Dagstuhl, Germany, June 2015.

Czech Workshop on Applied Mathematics in Engineering, Prague, Czech Republic, February 2015.

Mohab Safey El Din was also invited to give talks at

Minisymposium on Maximum Likelihood Degrees and Critical Points, SIAM Conference on Applied Algebraic Geometry, Daejeon, South Korea, Aug. 2015.

Minisymposium on Real Algebraic Geometry and Optimization, SIAM Conference on Applied Algebraic Geometry, Daejeon, South Korea, Aug. 2015.

Minisymposium on Polynomial Optimization and Moments, SIAM Conference on Applied Algebraic Geometry, Daejeon, South Korea, Aug. 2015.

Elias Tsigaridas was invited speaker at

Workshop on Algebra, Geometry and Proofs in Symbolic Computation Thematic Program on Computer Algebra, Fields Inst. Toronto, Dec. 2015.

Structured Matrices Days 2015 June 4–5, 2015 XLIM-DMI, Université de Limoges, France.

Computer Algebra in Scientific Computing (CASC) September 14–18, 2015 RWTH Aachen University, Aachen, Germany.

Guénaël Renault had the following scientific expertise activities:

member of the selection jury for the CR2 competition at Inria Saclay;

member of the panel selecting research proposals in the field of theoretical computer science, Academy of Finland.

Jérémy Berthomieu had the following teaching activities:

Master : Modeling and numerical and symbolic problem solving with Maple and MATLAB, 52 hours, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Basics of Algebraic Algorithms, 70 hours, M1, Université Pierre-et-Marie-Curie, France

Master : Introduction to Security, 20 hours, M1, Université Pierre-et-Marie-Curie, France

Licence : Numerical Algorithmics, 6 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : Representations and Numerical Methods, 40 hours, L2, Université Pierre-et-Marie-Curie, France

Licence : Projects supervision, 20 hours, L2, Université Pierre-et-Marie-Curie, France

Jean-Charles Faugère had the following teaching activities:

Master : Fundamental Algorithms in Real Algebraic Geometry, 13.5 hours, M2, ENS de Lyon, France

Master : Polynomial Systems solving, 12 hours, M2, MPRI

Ludovic Perret had the following teaching activities amounting to around 220 hours:

Master : Polynomial Systems solving, M2, MPRI

Master : In charge of Introduction to Security, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Complexity, M1, Université Pierre-et-Marie-Curie, France

Licence : Introduction to Algorithmics, L2, Université Pierre-et-Marie-Curie, France

Licence : In charge of the Computer Science – Applied Mathematics Program (PIMA) in Licence, L2, Université Pierre-et-Marie-Curie, France

Licence : Project supervision, L2, Université Pierre-et-Marie-Curie, France

Guénaël Renault had the following teaching activities:

Master : In charge of the Security, Reliability and Numerical Efficiency Program in Master, 45 hours, M1 and M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Advanced and Applied Cryptology, 70 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Security and Side-channels, 10 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Threats and Attacks Modeling, 40 hours, M1, Université Pierre-et-Marie-Curie, France

Master : Pro/Research internships supervision, 40 hours, M2, Université Pierre-et-Marie-Curie, France

Master : Projects supervision, 20 hours, M1, Université Pierre-et-Marie-Curie, France

Licence : In charge of Introduction to Cryptology, 30 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : Project supervision, 10 hours, L2, Université Pierre-et-Marie-Curie, France

Mohab Safey El Din had the following teaching activities:

Master : In charge of Modeling and numerical and symbolic problem solving with Maple and MATLAB, 18 hours, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Introduction to polynomial systems solving, 48 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Fundamental Algorithms in Real Algebraic Geometry, 22.5 hours, M2, ENS de Lyon, France

Licence : Introduction to Cryptology, 20 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : In charge of the Computer Science – Applied Mathematics Program (PIMA) in Licence, L2 and L3, Université Pierre-et-Marie-Curie, France

Mohab Safey El Din also gave a course at the “Ecole Jeunes Chercheurs 2015” of GDR IM.

PhD in progress : Ivan Bannwarth, Fast algorithms for studying real algebraic sets, started in Sept. 2014, Mohab Safey El Din

PhD in progress : Matías Bender, Algorithms for Sparse Gröbner basis and applications, started in Dec 2015, Jean-Charles Faugère and Elias Tsigaridas

PhD in progress : Eleonora Cagli, Analysis and search for points of interest in the context of observation attacks, Emmanuel Prouff and Cécile Dumas

PhD : Simone Naldi, Exact algorithms for determinantal varieties and semidefinite programming, Univ. Toulouse, defended in Sept. 2015, Didier Henrion and Mohab Safey El Din

PhD in progress : Adrian Thillard, Countermeasures to side-channel attacks and secure multi-party computation, Damien Vergnaud, Emmanuel Prouff

PhD : Frédéric Urvoy de Portzamparc, Algebraic and physical security based on error-correcting codes, Université Pierre-et-Marie-Curie, defended in Apr. 2015, Jean-Charles Faugère and Ludovic Perret

PhD in progress : Thibaut Verron, Gröbner bases and structured polynomial systems, started in Sept. 2012, Jean-Charles Faugère and Mohab Safey El Din

PhD : Rina Zeitoun, Algebraic methods for the analysis of the security of cryptographic algorithms implementations, Université Pierre-et-Marie-Curie, defended in July 2015, Jean-Charles Faugère and Guénaël Renault

Jean-Charles Faugère was:

reviewer and member of the PhD committee of Tristan Vaccon;

member of the PhD committee of Simone Naldi;

member of the PhD committee of Frédéric de Portzamparc;

Ludovic Perret was:

member of the PhD committee of Frédéric de Portzamparc;

Emmanuel Prouff was:

member of the PhD committee of Luke Maher;

member of the PhD committee of Mathieu Carbone;

member of the PhD committee of Praveen Vadnala;

member of the PhD committee of Sonia Belaid;

member of the PhD committee of Sylvain Ruhault;

member of the PhD committee of Vincent Grosso;

member of the PhD committee of Annelie Heuser as reviewer;

member of the PhD committee of Kevin Layat.

Guénaël Renault was:

member of the PhD committee of Rina Zeitoun;

member of mid-term evaluation committee of Nicolas Bruneau;

Mohab Safey El Din was:

member of the PhD committee of Simone Naldi;

member of the PhD committee of Frédéric Urvoy de Portzamparc;

Elias Tsigaridas was:

member of the PhD committee of Aaron Herman;

member of the mid-term evaluation committee of Mario Cornejo-Ramirez;

Mohab Safey El Din gave a course at the “Ecole Jeunes Chercheurs 2015” of GDR IM and wrote a book chapter for it.