Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The mathematical objects we deal with are of utmost importance for the
applications to cryptology, as they are the background of the most widely
developed cryptographic primitives, such as the RSA cryptosystem or the
Diffie–Hellman key exchange. The two facets of cryptology—cryptography
and cryptanalysis—are central to our research. The key challenges are
the assessment of the security of proposed cryptographic primitives,
through the study of the cornerstone problems, which are the integer
factorization and discrete logarithm problems, as well as the
optimization work in order to enable cryptographic implementations that
are both efficient *and* secure.

Among the research themes we set forth, two are guided by the most important mathematical objects used in today's cryptography, and two others are rather guided by the technological background we use to address these problems.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.

One of the challenges we address here is point counting. In a wider perspective, we also study the link between abelian varieties over finite fields and principally polarized abelian varieties over fields of characteristic zero, together with their endomorphism ring. In particular, we work in the direction of making this link an effective one. We are also investigating various approaches for attacking the discrete logarithm problem in Jacobians of algebraic curves.

Arithmetic. Our work relies crucially on efficient arithmetic, be it for small or large sizes. We work on improving algorithms and implementations, for computations that are relevant to our application areas.

Polynomial systems. It is rather natural with algebraic curves, and occurs also in NFS-related contexts, that many important challenges can be represented via polynomial systems, which have structural specificities. We intend to develop algorithms and tools that, when possible, take advantage of these specificities.

We consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, parts of our research activity.

Public-key cryptography is our main application target. We are interested in the study of the cryptographic primitives that serve as a basis for the most widespread protocols.

Since the early days of public-key cryptography, and through the
practices and international standards that have been established for
several decades, the most widespread cryptographic primitives have been
the RSA cryptosystem, as well as the Diffie–Hellman key exchange using
multiplicative groups of finite fields. The level of security provided
by these cryptographic primitives is related to the hardness of the
underlying mathematical problems, which are integer factorization and the
discrete logarithm problem. The complexity of attacking them is known to
be subexponential in the public key size, and more precisely written as

This complexity is achieved with the Number Field
Sieve (NFS) algorithm and its many derivatives. This means that as the
desired security level

Software for NFS is obviously the entry point to computational records. Few complete NFS implementations exist, and their improvement is of crucial importance for better assessment of the hardness of the key cryptographic primitives considered. Here, “improvement” may be understood in many ways: better algorithms (outperforming the NFS algorithm as a whole is certainly a tremendous improvement, but replacing one of its numerous substeps is one, too), better implementations, better parallelization, or better adaptation to suitable hardware. The numerous sub-algorithms of NFS strongly depend on arithmetic efficiency. This concerns various mathematical objects, from integers and polynomials to ideals in number fields, lattices, or linear algebra.

Since the early 1990's, no new algorithm improved on the complexity of
NFS. As it is used in practice, the algorithm has complexity

While it is relatively easy to set public key sizes for RSA or
Diffie–Hellman that are “just above” the reach of academic computing
power with NFS, the sensible cryptographic choice is to aim at security
parameters that are of course well above this feasibility limit, in
particular because assessing this limit precisely is in fact a very
difficult problem. In line with the security levels offered by symmetric
primitives such as AES-128, public key sizes should be chosen so that
with current algorithmic knowledge, an attacker would need at least

Since the mid-1980's, elliptic curves, and more generally Jacobians of algebraic curves, have been proposed as alternative mathematical settings for building cryptographic primitives.

The discrete logarithm problem in these groups is formidably hard: for well-chosen curves, the only known attacks are generic square-root algorithms such as Pollard rho, whose cost grows with the square root of the group order. In comparison to the situation with the traditional primitives mentioned above, the appropriate public-key size therefore grows only linearly with the desired security level: a 256-bit public key, using algebraic curves, is well suited to match the hardness of AES-128. This asset makes algebraic curves more attractive for the future of public-key cryptography.
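The linear key-size growth above follows from the square-root cost of generic discrete-logarithm algorithms. As an added illustration, not code from this report or from the team's software, the following Python script runs Pollard rho on a toy curve y^2 = x^3 + 2x + 3 over F_1019 (assumed toy parameters): it counts points naively, picks a base point of prime order l, and recovers a discrete logarithm with a random walk that costs on the order of sqrt(l) steps, so each extra bit of security costs two extra bits of group size.

```python
"""Pollard rho on a toy elliptic curve (added example, toy parameters)."""
import secrets

# Assumed toy curve: y^2 = x^3 + A*x + B over F_P with P = 3 mod 4, so square
# roots are a single exponentiation. Real curves use primes of ~256 bits.
P, A, B = 1019, 2, 3
assert (4 * A ** 3 + 27 * B ** 2) % P != 0   # non-singular


def inv(x, m):
    """Modular inverse by Fermat's little theorem (m prime)."""
    return pow(x % m, m - 2, m)


def ec_add(R, S):
    """Affine point addition; None is the point at infinity."""
    if R is None:
        return S
    if S is None:
        return R
    x1, y1 = R
    x2, y2 = S
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if R == S:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, R):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, R)
        R = ec_add(R, R)
        k >>= 1
    return acc


def curve_order():
    """#E(F_P) = P + 1 + sum over x of the Legendre symbol of x^3 + Ax + B."""
    n = P + 1
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        if rhs:
            n += 1 if pow(rhs, (P - 1) // 2, P) == 1 else -1
    return n


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return n if n > 1 else f


def random_point():
    while True:
        x = secrets.randbelow(P)
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)      # square root, valid since P = 3 mod 4
        if y * y % P == rhs:
            return x, y


def setup():
    """Base point G of prime order l, the largest prime dividing #E(F_P)."""
    n = curve_order()
    l = largest_prime_factor(n)
    while True:
        G = ec_mul(n // l, random_point())
        if G is not None:
            return G, l


def pollard_rho(G, Q, l):
    """Return (k, iterations) with Q = k*G, G of prime order l.
    Walk on Y = a*G + b*Q, the step chosen by the x-coordinate mod 3."""
    def step(Y, a, b):
        c = 0 if Y is None else Y[0] % 3
        if c == 0:
            return ec_add(Y, G), (a + 1) % l, b
        if c == 1:
            return ec_add(Y, Y), 2 * a % l, 2 * b % l
        return ec_add(Y, Q), a, (b + 1) % l

    while True:
        a, b = secrets.randbelow(l), secrets.randbelow(l)
        Y = ec_add(ec_mul(a, G), ec_mul(b, Q))
        T, ta, tb = Y, a, b
        H, ha, hb = Y, a, b
        its = 0
        while True:                         # Floyd cycle finding
            T, ta, tb = step(T, ta, tb)
            H, ha, hb = step(*step(H, ha, hb))
            its += 1
            if T == H:
                break
        if (tb - hb) % l:
            # ta*G + tb*Q = ha*G + hb*Q  =>  k = (ta - ha) / (hb - tb)  mod l
            return (ta - ha) * inv(hb - tb, l) % l, its
        # useless collision (same b): restart from a fresh random point


if __name__ == "__main__":
    G, l = setup()
    k = secrets.randbelow(l - 1) + 1
    found, its = pollard_rho(G, ec_mul(k, G), l)
    print(f"order {l}: secret {k}, recovered {found} after {its} iterations")
```

Doubling the bit length of the prime roughly doubles the expected iteration count of this walk, which is the reason a 256-bit prime-order curve group is placed at the 128-bit level of AES-128 in the text above.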

Challenges related to algebraic curves in cryptology are rather varied, and call for expertise in several areas. Suggesting curves to be used in the cryptographic context requires solving the point counting problem. This may be done by variants of the Schoof–Elkies–Atkin algorithm and its generalizations (which, in genus 2, require arithmetic modulo multivariate systems of equations), or alternatively by the complex multiplication method, a rich theory that opens the way to several problems in computational number theory.

The long-awaited transition from the legacy primitives to primitives based on curves is ready to happen; it is presently slowed down only by the need to agree on a new set of elliptic curves (not because of any attack, but because of skepticism over how the currently widespread ones were generated). The Internet Research Task Force completed a standardization proposal in 2015. In this context, the recommended curves are not of the complex multiplication family; they enjoy instead properties that allow fast implementation and avoid a few implementation difficulties. They are also chosen to be immune to the few known attacks on the discrete logarithm problem for curves. No curve of genus 2 has made its way to the standardization process so far; however, one candidate exists for the 128-bit security level.

The discrete logarithm problem on curves is very hard. Some results were obtained however for curves over extension fields, using techniques such as the Weil descent, or the point decomposition problem. In this context, the algorithmic setup connects to polynomial system solving, fast arithmetic, and linear algebra.

Another possible route for transitioning away from RSA and finite-field based cryptography is the switch to “post-quantum” cryptographic primitives. Public-key primitives that rely on mathematical problems related to Euclidean lattices or coding theory have an advantage: they would resist the potential advent of a quantum computer. Research on these topics is quite active, and there is no doubt that when the efficiency challenges currently impeding their deployment are overcome, the standardization of some post-quantum cryptographic primitives will be a worthwhile addition to the general cryptographic portfolio. The NSA has recently devoted an intriguing position text to this topic; the reactions it drew within the academic community are also instructive. Post-quantum cryptography, as a research topic, is complementary to the topics we address most, which are NFS and algebraic curves. We are confident that, at the very least for the next decade, primitives based on integer factoring, finite fields, and algebraic curves will continue to hold the lion's share of the cryptographic landscape. We also expect that before the advent of standardized and widely deployed post-quantum cryptographic primitives, the primitives based on algebraic curves will become dominant (despite the apparent restraint of the NSA on this move).

We acknowledge that the focus on cryptographic primitives is part of a larger picture. Cryptographic primitives are part of cryptographic protocols, which eventually become part of cryptographic software. All these steps constitute research topics in their own right, and need to be scrutinized (as part of independent research efforts) in order to be considered as dependable building blocks. This being said, the interplay of the different aspects, from primitives to protocols, sometimes spawns very interesting and fruitful collaborations. A very good example of this is the LogJam attack.

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered over the 2014–2016 period, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would
hardly be possible without access to a dependable software
implementation. To this end, members of the CARAMBA team have been
developing the Cado-NFS software suite since 2007. Cado-NFS is now the
most widely visible open source implementation of NFS, and is a crucial
platform for developing prototype implementations for new ideas for the
many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and
follows an open development model, with publicly accessible development
repository and regular software releases. Competing free software
implementations exist, such as `msieve`, developed by J.
Papadopoulos. In Lausanne, T. Kleinjung develops his own code base, which
is unfortunately not public.

The workplan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

Pursue the work on NFS, which entails in particular making it ready to tackle larger challenges. Several of the important computational steps of NFS that are currently identified as stumbling blocks will require algorithmic advances and implementation improvements. We will illustrate the importance of this work by computational records.

Work on the specific aspects of the computation of discrete logarithms in finite fields.

As a side topic, the application of the broad methodology of NFS to the treatment of “ideal lattices” and their use in cryptographic proposals based on Euclidean lattices is also relevant.

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters. As of 2016, the most widely used set of elliptic curves, the so-called NIST curves, is in the process of being replaced by a new set of candidate elliptic curves for future standardization. This is the topic of RFC 7748, which specifies the Montgomery curves Curve25519 and Curve448.

On the cryptanalytic side, the discrete logarithm problem on (Jacobians
of) curves has resisted all attempts for many years. Among the currently
active topics, the decomposition algorithms raise interesting problems
related to polynomial system solving, as do attempts to solve the
discrete logarithm problem on curves defined over binary fields. In
particular, while it is generally accepted that the so-called Koblitz
curves (base field extensions of curves defined over

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

Work on the practical realization of some of the rich mathematical theory behind algebraic curves. In particular, some of the fundamental mathematical objects have potentially important connections to the broad topic of cryptology: Abel-Jacobi map, Theta functions, computation of isogenies, computation of endomorphisms, complex multiplication.

Improve the point counting algorithms so as to be able to tackle larger problems. This includes significant work connected to polynomial systems.

Seek improvements on the computation of discrete logarithms on curves, including by identifying weak instances of this problem.

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in the two previous application domains mentioned. However involved the mathematical objects considered may be, dealing with them first requires to master more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, GNU MPC do an excellent job for these, both for small and large sizes (we rarely, if ever, focus on small-precision floating-point data, which explains our lack of mention of libraries relevant to it).

Most of our involvement in subjects related to computer arithmetic is to
be understood in connection to our applications to the Number Field Sieve
and to abelian varieties. As such, much of the research work we envision
will appear as side-effects of developments in these contexts. On the
topic of arithmetic work *per se*:

We will seek algorithmic and practical improvements to the most basic algorithms. That includes for example the study of advanced algorithms for integer multiplication, and their practical reach.

We will continue to work on the arithmetic libraries in which we have crucial involvement, such as GNU MPFR, GNU MPC, GF2X, MPFQ, and also GMP-ECM.

Systems of polynomial equations have been part of the cryptographic landscape for quite some time, with applications to the cryptanalysis of block and stream ciphers, as well as multivariate cryptographic primitives.

Polynomial systems arising from cryptology are usually not generic, in the sense that they have some distinct structural properties, such as symmetries or bilinearity for example. During the last decades, several results have shown that identifying and exploiting these structures can lead to dedicated Gröbner bases algorithms that achieve large speedups compared to generic implementations.

Solving polynomial systems is well done by existing software, and duplicating this effort is not relevant. However, we develop test-bed open-source software for ideas relevant to the specific polynomial systems that arise in the context of our applications. The TinyGB software, described further in this report, is our platform to test new ideas.

We aim to work on the topic of polynomial system solving in connection with our involvement in the aforementioned topics.

Our expertise is also relevant to the Elliptic Curve Discrete Logarithm Problem over small-characteristic finite fields, which likewise leads to highly structured polynomial systems. While so far we have not contributed to this active topic, this could of course change in the future.

Recent hirings (Minier) are likely to lead the team to study particular polynomial systems in contexts more closely related to symmetric-key cryptography.

More centered on polynomial systems *per se*, we will mainly pursue the study of the specificities of the polynomial systems that are strongly linked to our targeted applications, and for which we have significant expertise. We also want to see these recent results provide practical benefits compared to existing software, in particular for systems relevant to cryptanalysis.

Our study of the Number Field Sieve family of algorithms aims at showing
how the threats underlying various supposedly hard problems are real. Our
record computations, as well as new algorithms, contribute to having a
scientifically accurate assessment of the feasibility limit for these
problems, given academic computing resources. The data we provide in this
way is a primary ingredient for government agencies whose purpose
includes guidance for the choice of appropriate cryptographic primitives.
For example the French ANSSI

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy-compatibility trade-offs too lightly. Attacks such as LogJam are understood as serious concerns thanks to our convincing proofs of concept. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. These offer good speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithms in finite fields), which underpin e.g. RSA, are gradually forced to adopt unwieldy key sizes in order to meet the security guarantees expected of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our fast arithmetic contributions, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It builds on research carried out in collaboration with the PESTO team, and provides stronger guarantees than the current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which places few restrictions on reuse. We can measure the impact of this software by the way it is used in e.g. the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure of the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible source of inspiring material for others, it is again important that these be developed in a free and open-source development model.

The Caramba project-team was created on January 1st, 2016!

In October 2016, Pierrick Gaudry and Emmanuel Thomé, together with colleagues from the University of Pennsylvania (USA), performed a discrete logarithm computation modulo a 1024-bit trapdoored prime.

Belenios - Verifiable online voting system

Keyword: E-voting

Functional Description

Belenios is an online voting system that provides confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been taken into account) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Confidentiality relies on the encryption of the votes and the distribution of the decryption key.

Belenios builds upon Helios, a voting protocol used in several elections. The main design enhancement of Belenios vs Helios is that the ballot box can no longer add (fake) ballots, due to the use of credentials.
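The two design points above (the decryption key is distributed, and ballots carry credentials so the ballot box cannot add ballots) can be seen in a toy model. The following Python script is an added example, not Belenios code: votes are encrypted with exponential ElGamal, the private key is split additively between two assumed trustees, and every ballot must be Schnorr-signed under a registered credential. The group parameters (a safe prime p = 2039, q = 1019, generator 4) are assumed toy values, and the zero-knowledge proofs that Belenios attaches to ballots and partial decryptions are omitted.

```python
"""Toy model of a Belenios-style ballot box (added example, toy parameters)."""
import hashlib
import secrets

# Assumed toy group: safe prime P = 2Q + 1, G of prime order Q. Real elections
# use groups of cryptographic size.
P, Q, G = 2039, 1019, 4


def inv(x, m):
    """Modular inverse by Fermat's little theorem (m prime)."""
    return pow(x % m, m - 2, m)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def hash_to_exp(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)


def schnorr_sign(sk, msg):
    k = rand_exp()
    r = pow(G, k, P)
    e = hash_to_exp(str(r).encode(), msg)
    return r, (k + e * sk) % Q


def schnorr_verify(pk, msg, sig):
    r, z = sig
    e = hash_to_exp(str(r).encode(), msg)
    return pow(G, z, P) == r * pow(pk, e, P) % P


def encrypt_vote(h, vote):
    """Exponential ElGamal: (g^r, g^vote * h^r). Multiplying ciphertexts adds votes."""
    r = rand_exp()
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P


def ballot_message(ct):
    return f"{ct[0]},{ct[1]}".encode()


class BallotBox:
    """Public ballot box: one ballot per registered credential, last cast wins."""

    def __init__(self, credentials):
        self.credentials = set(credentials)
        self.ballots = {}                # credential -> (ciphertext, signature)

    def cast(self, cred_pk, ct, sig):
        if cred_pk not in self.credentials:
            return False                 # unregistered credential: rejected
        if not schnorr_verify(cred_pk, ballot_message(ct), sig):
            return False
        self.ballots[cred_pk] = (ct, sig)
        return True


def aggregate(box):
    """Anyone can recompute this from the public box (verifiability)."""
    A = B = 1
    for pk, (ct, sig) in box.ballots.items():
        assert pk in box.credentials and schnorr_verify(pk, ballot_message(ct), sig)
        A, B = A * ct[0] % P, B * ct[1] % P
    return A, B


def partial_decrypt(A, x_i):
    return pow(A, x_i, P)


def combine(B, partials, max_votes):
    """Combine the trustees' shares and recover the tally by a small search."""
    D = 1
    for d in partials:
        D = D * d % P
    gV = B * inv(D, P) % P
    for V in range(max_votes + 1):
        if pow(G, V, P) == gV:
            return V
    raise ValueError("tally out of range")


def run_election(votes):
    """Return (tally, whether a forged ballot was accepted)."""
    x1, x2 = rand_exp(), rand_exp()          # trustees' key shares
    h = pow(G, (x1 + x2) % Q, P)             # election public key
    creds = []
    while len(creds) < len(votes):           # one distinct credential per voter
        sk, pk = keygen()
        if pk not in {c[1] for c in creds}:
            creds.append((sk, pk))
    box = BallotBox(pk for _, pk in creds)
    for (sk, pk), v in zip(creds, votes):
        ct = encrypt_vote(h, v)
        assert box.cast(pk, ct, schnorr_sign(sk, ballot_message(ct)))
    # The box operator holds no registered credential: its ballot is rejected.
    while True:
        rogue_sk, rogue_pk = keygen()
        if rogue_pk not in box.credentials:
            break
    ct = encrypt_vote(h, 1)
    stuffed = box.cast(rogue_pk, ct, schnorr_sign(rogue_sk, ballot_message(ct)))
    A, B = aggregate(box)
    partials = [partial_decrypt(A, x1), partial_decrypt(A, x2)]  # neither alone suffices
    return combine(B, partials, len(votes)), stuffed


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))       # expected (3, False)
```

Neither trustee can decrypt alone, since A^x1 alone does not reveal h^r, and the box cannot stuff ballots without a registered credential's signing key; what the toy omits, and Belenios supplies, are the proofs that each ciphertext encrypts 0 or 1 and that each partial decryption is correct.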

In 2016 our online platform has been used for several elections, for instance: representatives at the “comité de centre” in several Inria research centers, at the “conseil de laboratoire” at IRISA, and for the head of the “GT Calcul Formel” of the GDR-IM.

Participants: Pierrick Gaudry, Stéphane Glondu and Véronique Cortier

Partners: CNRS - Inria

Contact: Stéphane Glondu

Keywords: Factorization - Kalray

Functional Description

Implementation of the factorization algorithm based on elliptic curves (ECM) for the MPPA-256 Kalray processor.

Authors: Jérémie Detrey, Pierrick Gaudry and Masahiro Ishii

Partner: Nara Institute of Science and Technology, Japan

Contact: Jérémie Detrey

Author: Pierre-Jean Spaenlehauer

Contact: Pierre-Jean Spaenlehauer

Licence: LGPL-3.0+

`TinyGB` is a software implementing tools for computing Gröbner bases of
ideals in polynomial rings over finite fields. It has been released in April
2016.

It is not competitive with state-of-the-art software for computations over small
prime fields. However, for polynomial systems over large prime fields, it
outperforms `Magma-2.22-2` in running time (although `Magma` is much better in
terms of memory requirements). This is due to the fact that `TinyGB` relies on
the library `MPFQ` (developed in the Caramba team) for efficient arithmetic
over large prime fields. For instance, computing the grevlex Gröbner basis of a
system of 13 dense homogeneous quadratic equations in 13 variables over a large
prime field takes `TinyGB` less time than `Magma-2.22-2`, which requires
4459 seconds (on an Intel Core i5-4590@3.30GHz).

The distribution of `TinyGB` contains the libraries `OpenBLAS`, `FFLAS-FFPACK` and `MPFQ`.

We study the relation collection of NFS in medium characteristic,
especially in

A survey on the elliptic curve discrete logarithm problem has been written in collaboration with S. Galbraith (Auckland). It appeared in a special issue of DCC for the 25th anniversary of the journal.

In the context of a book project entitled “Topics in Computational Number Theory inspired by Peter L. Montgomery” (edited by Joppe W. Bos and Arjen K. Lenstra), E. Thomé contributed a chapter on the block Lanczos algorithm (due to Peter L. Montgomery). This was the occasion to rework and streamline the presentation of the algorithm. In fact, several new characteristics of the algorithm were obtained in this process: a version adapted to homogeneous systems, an improvement on the memory footprint of the algorithm, and a heuristic justification for its success probability. While the collated book has not yet been published (publication is expected in 2017), the chapter is available in preprint form.

In May 2016 we completed with CADO-NFS the factorization of RSA-220, which was
started in December 2013. The sieving was completed in September 2014, and the
first phase of the linear algebra (`krylov`) in October 2014. However, we had to
improve CADO-NFS to be able to run the `lingen` sub-step of the linear algebra.
This was completed in January 2016, and the end of the factorization ran smoothly.
This factorization is the largest one done with CADO-NFS, and the third largest
one overall, after RSA-768 (232 digits) factored in December 2009,
and

Following a discussion with Jean-Guillaume Dumas which began in March 2015 on the
topic of computing checkpoints for the `krylov` step of the block Wiedemann
algorithm, we determined that a scheme very similar to this checkpointing
technique (originally designed to spot data corruption errors) was able to
provide a proving algorithm, in the cryptographic sense, for the computation of
the minimal polynomial of a sparse matrix, or for its determinant. This led to a
joint paper with Jean-Guillaume Dumas, Erich Kaltofen and Gilles Villard,
published at ISSAC 2016.

In collaboration with Josh Fried and Nadia Heninger from University
of Pennsylvania, we worked on discrete logarithm computation modulo
primes of a special form, amenable to computation with the Special
Number Field Sieve (SNFS). Our original interest in this question came
from the observation that primes which are conspicuous SNFS targets
*are* found in the wild, as we observed in the context of the
LogJam attack in 2015. We first ran a test computation on such a
prime in March (

The project of computing discrete
logarithms in finite fields of the form

The next step will be to adapt the new NFS variant called
Extended-Tower-NFS to attack MNT-4 and MNT-6 curves, which means
computing discrete logarithms in GF

Most of the results were obtained in 2015. The article was accepted for publication in 2016.

We study the multiprecision computation of the theta function in
genus 1, *i.e.,* the Jacobi theta function. The main result is that

Along with this work, we have publicly released an open source implementation of the algorithm in C (using the GNU MPC library). This implementation shows this algorithm is faster than a more naive approach for precisions greater than 300,000 digits.

We study the multiprecision computation of the theta function in
genus 2. We extend the quasi-linear algorithm for Jacobi's theta to
genus 2, generalizing the approach we undertook in previous work; this
required finding workarounds, most notably for the choice of signs and
for being able to apply Newton's method. We also give an outline of an
algorithm for the theta function in genus

We released along with this work a Magma implementation of our fast genus 2 algorithm, along with an implementation of a somewhat naive (but previously state-of-the-art) algorithm for genus 2. Our results show that our algorithm is faster than the naive one for precisions greater than 3,000 digits.

This is a joint work with Jean-Charles Faugère (Inria, EPI Polsys) and Jules Svartz (Inria EPI Polsys/Ministère Éducation Nationale). Most of the results were obtained in 2015. This work was finalized and published in 2016.

We study how Gröbner bases algorithms can be adapted to compute
certificates that *quadratic fewnomial
systems* (*i.e.*, systems in which only a small subset of monomials occur
in the equations) do not have any solution. The main results are algorithms
and complexity bounds which take into account the sparsity of the monomial
support of the system, under some mild genericity assumptions on the
coefficients of the systems.

This is a joint work with Mohab Safey El Din (Univ. Paris 6, EPI Polsys). This work led to a publication in the proceedings of the ISSAC conference.

Let

This is a joint work with Frédéric Bihan (Univ. de Savoie, LAMA). Most of the results were obtained in 2015; we improved them during 2016.

Consider a regular triangulation of the convex-hull

In collaboration with Masahiro Ishii from the Nara Institute of Science and Technology, Nara (Japan), we have developed a fast modular arithmetic library for the Kalray MPPA-256, a many-core processor with a VLIW architecture. Carefully written assembly allowed us to obtain close to optimal use of the computing units of all the cores for multiprecision integer multiplication. As an application, the ECM factoring algorithm was implemented on top of our library. Its performance is very competitive with other architectures such as GPUs, especially in terms of power consumption.

This is a joint work with Simon Perdrix (CNRS, Carte Team at Loria). This work has begun in 2014.

The starting point for this work was a problem in “quantum cloud computing”. A party with only classical resources wants to perform a quantum computation, and delegates it to quantum resources. The difficult part is that this party wants to be sure that the quantum resources performing the computation do not cheat and return correct results. This kind of “quantum cloud computing” is formalized as an interactive proof, and the quantum resources are called the provers. Real measurement-based quantum computing (MBQC) has been used for interactive proofs by McKague.

Measurement-based quantum computing (MBQC) is a universal model of quantum computation. Since it is driven by measurements, it is fundamentally probabilistic, and the combinatorial characterization of determinism in this model is the cornerstone of most of the breakthrough results in the field. To answer our question, we needed to develop some tools for MBQC. The most general known sufficient condition for an MBQC computation to be driven deterministically is that the underlying graph of the computation has a particular kind of flow called Pauli flow. Whether Pauli flow is also necessary was an open question. We showed that Pauli flow is necessary for real MBQC, but not in general, by providing counter-examples for (complex) MBQC. We then explored the consequences of this result for real MBQC and its applications. Real MBQC, and more generally real quantum computing, is known to be universal for quantum computation. In the interactive proofs developed by McKague, the two-prover case corresponds to real MBQC on bipartite graphs. While (complex) MBQC on bipartite graphs is universal, the universality of real MBQC on bipartite graphs was an open question. We showed that real bipartite MBQC is not universal: we proved that all measurements of a real bipartite MBQC computation can be parallelized. Therefore, real bipartite MBQC leads to constant-depth computations. As a consequence, McKague's techniques cannot lead to two-prover interactive proofs.

This is a joint work with Richard Brent (University of Newcastle, Australia).

We have performed a search for primitive trinomials
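For Mersenne exponents r (r prime with 2^r - 1 prime), searching for primitive trinomials x^r + x^s + 1 over GF(2) reduces to an irreducibility test: a trinomial has no linear factor (it has value 1 at both 0 and 1), so for prime r it is irreducible exactly when x^(2^r) = x mod f, and since the multiplicative group of GF(2^r) then has prime order, every irreducible polynomial of degree r is primitive. The following Python script is an added example of that textbook test, not the team's own search code, which relies on far faster specialized techniques; polynomials over GF(2) are represented as Python integers, bit i being the coefficient of x^i.

```python
"""Primitive trinomials x^r + x^s + 1 over GF(2) for Mersenne exponents r
(added example). Polynomials are ints: bit i is the coefficient of x^i."""


def gf2_mulmod(a, b, f, r):
    """Return a*b mod f over GF(2), where f has degree r and deg a, deg b < r."""
    res = 0
    top = 1 << r
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a & top:          # reduce the shifted operand by f
            a ^= f
    return res


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def trinomial_is_irreducible(r, s):
    """Valid for prime r: f = x^r + x^s + 1 has no linear factor, so it is
    irreducible iff all its roots lie in GF(2^r), i.e. x^(2^r) = x mod f."""
    f = (1 << r) | (1 << s) | 1
    t = 2                    # the polynomial x
    for _ in range(r):       # r squarings give x^(2^r) mod f
        t = gf2_mulmod(t, t, f, r)
    return t == 2


def primitive_trinomials(r):
    """All s with x^r + x^s + 1 primitive, for r a Mersenne exponent (2^r - 1 prime):
    irreducible then implies primitive, so only irreducibility is tested."""
    if not (is_prime(r) and is_prime((1 << r) - 1)):
        raise ValueError("r must be a Mersenne exponent")
    return [s for s in range(1, r) if trinomial_is_irreducible(r, s)]


if __name__ == "__main__":
    for r in (3, 5, 7, 31):
        print(r, primitive_trinomials(r))
```

The output is symmetric under s -> r - s, since the reciprocal of a primitive trinomial is primitive. Trial division for the Mersenne primality check is adequate up to r = 31; for the degrees targeted in actual searches, both that check and the reduction step are replaced by dedicated algorithms.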

The training and consulting activities begun in 2012 with the HTCS company have been pursued, and the existing contract has been renewed in identical form.

The SPICE proposal (“Systèmes Polynomiaux et calcul d'Indice sur les Courbes Elliptiques : indicateurs de complexité en petite caractéristique”) has been accepted in the PEPS JCJC INS2I program in 2016. It involves Pierre-Jean Spaenlehauer (CARAMBA) and Vanessa Vitse (Université Joseph Fourier). This project is coordinated by Vanessa Vitse.

Together with Anne-Lise Charbonnier (Inria Nancy – Grand Est), the Caramba team is organizing the “Journées Codage et Cryptographie 2017”, whose objective is to bring together the French-speaking community working on error-correcting codes and on cryptography. It is affiliated with the “Groupe de travail C2” of the GDR-IM.

Pierrick Gaudry is a member of the steering committee of the Workshop on Elliptic Curve Cryptography (ECC).

Emmanuel Thomé was a member of the program committee of the 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2016).

Marine Minier was a member of the Program Committee of the conference MyCrypt 2016.

Pierrick Gaudry was a member of the Program Committee of the conference Selected Areas in Cryptography SAC 2016 and of EUROCRYPT 2017.

Paul Zimmermann was a member of the Program Committee of the International Workshop on the Arithmetic of Finite Fields (WAIFI 2016).

Pierrick Gaudry is a member of the editorial board of the journal Applicable Algebra in Engineering, Communication and Computing.

Members of the project-team also reviewed submissions to renowned conferences and journals; the actual publication venues are not disclosed, for anonymity reasons.

Emmanuel Thomé was invited as a Distinguished Lecturer for the Computer and Information Security Seminar at the University of Pennsylvania in November 2016.

Pierrick Gaudry was invited speaker at the YACC 2016 conference in Porquerolles, at the workshop “Mathematical Structures for Cryptography” in Leiden (Netherlands), and at the “Journées Aléa 2016” in Marseille.

Jérémie Detrey is chairing the *Commission des Utilisateurs
des Moyens Informatiques* (CUMI) of the Inria Nancy – Grand Est research
center.

Emmanuel Thomé is a member of the management committee for the research project “CPER Cyberentreprises” (co-chair), and of the *Comité Local Hygiène, Sécurité, et Conditions de Travail* of the Inria Nancy – Grand Est research center.

Pierrick Gaudry is vice-head of the *Commission de mention Informatique* of the *École doctorale IAEM* of the University of Lorraine.

Pierre-Jean Spaenlehauer is a member of the *Commission
développement technologique* (CDT) of the Inria Nancy – Grand Est
research center.

Paul Zimmermann is a member of the Scientific Committee of the EXPLOR *Mésocentre*, and was a member until August of the Inria Evaluation Board and of the CoSI (*Commission Scientifique*).

Laurent Grémy is a member of the *Conseil de laboratoire* of the
Loria.

Master: Jérémie Detrey, *Sécurité des systèmes d'information*, 6 hours (practical sessions), M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.

Master: Pierre-Jean Spaenlehauer, *Introduction à la cryptographie*, 18 hours (tutorial-equivalent), M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.

Master: Pierre-Jean Spaenlehauer, *Introduction à la sécurité des systèmes et à la cryptographie*, 32 hours (tutorial-equivalent), M2 Mathématiques IMOI, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.

Master: Emmanuel Thomé, *Introduction to Cryptography*,
12 hours (lectures), M1, Télécom Nancy, Villers-lès-Nancy, France.

Master: Emmanuel Thomé, *Cryptography and Security*,
20 hours (lectures + exercises), M2, Télécom Nancy and École des Mines de
Nancy, France.

Licence: Jérémie Detrey, *Méthodologie*, 24 hours (practical sessions), L1, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.

Licence: Jérémie Detrey, *Sécurité des applications Web*, 2 hours
(lecture), L1, Université de Lorraine, IUT Charlemagne, Nancy, France.

Licence: Jérémie Detrey, *Introduction à la sécurité et à la cryptographie*, 10 hours (lectures) + 10 hours (tutorial sessions) + 10 hours (practical sessions), L3, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.

Licence: Pierrick Gaudry, *Méthodologie*, 48 hours (practical
sessions), L1, Université de Lorraine, Faculté des sciences et
technologies, Vandœuvre-lès-Nancy, France.

Internship: Nicolas Levy, *Algorithmes de factorisation
d'entiers basés sur la structure des corps quadratiques réels*, L3 ÉNS
Lyon, June-July, Pierre-Jean Spaenlehauer.

Internship: Joshua Peigner, *Factorisation d’idéaux pour
l’implantation du crible algébrique*, ÉNS Rennes, June-July,
Emmanuel Thomé.

Internship: Robin Fedele, *Consolidation de la couche Python de CADO-NFS*, Univ. Lorraine, May-June, Paul Zimmermann.

Internship: Élise Tasso, *Étude comparative de divers
algorithmes de friabilisation*, Mines Nancy, October-June (1
day each week), Pierrick Gaudry.

Ph.D. in progress: Simon Abelard, *Comptage de points de courbes algébriques sur
les corps finis et interactions avec les systèmes polynomiaux*, Univ.
Lorraine; since Sep. 2015, Pierrick Gaudry & Pierre-Jean Spaenlehauer.

Ph.D. in progress: Svyatoslav Covanov, *Algorithmes de multiplication : complexité bilinéaire et méthodes asymptotiquement rapides*, since Sep. 2014, Jérémie Detrey & Emmanuel Thomé.

Ph.D. in progress: Laurent Grémy, *Analyse et optimisation
d’algorithmes de cribles arithmétiques*, since Oct.
2013, Pierrick Gaudry & Marion Videau.

Ph.D. defended: Hugo Labrande, *Explicit computation of the Abel-Jacobi map and its inverse*, defended on November 14th, 2016.

Marine Minier: reviewer of the PhD *Implantation sécurisée de protocoles cryptographiques basés sur les codes correcteurs d'erreurs* by Tania Richmont defended at Univ. Jean Monnet Saint-Etienne, October 24th, 2016.

Pierrick Gaudry: reviewer of the PhD *Computational
Aspects of Jacobians of Hyperelliptic Curves* by Alina
Dudeanu defended at EPFL, Switzerland; member of the jury
for the PhD of Florent Ulpat Rovetta (Marseille) and of
Hugo Labrande (Nancy).

Emmanuel Thomé: reviewer (and president of jury) of the Habilitation Thesis
*Contributions à la Résolution Algébrique et
Applications en Cryptologie* by Guénaël Renault, defended
at University Pierre et Marie Curie, December 8th, 2016.

Emmanuel Thomé: jury member (advisor) for the PhD of Hugo Labrande (see above).

Laurent Grémy and Pierre-Jean Spaenlehauer ran a stand at the “Village des Sciences du Loria” in March 2016.

Laurent Grémy and Pierre-Jean Spaenlehauer ran a stand during the celebration of Loria's 40th anniversary in June 2016.

Pierrick Gaudry organized and took part in a public debate, built around film excerpts, on the topic of cryptography and privacy, in October 2016.