GRACE has two broad application domains—cryptography and coding
theory—linked by a common foundation in
algorithmic number theory and the geometry of algebraic curves.
In our research, which combines theoretical work
with practical software development,
we use algebraic curves
to *create better cryptosystems*,
to *provide better security assessments*
for cryptographic key sizes,
and to *build the best error-correcting codes*.

Coding and cryptography deal (in different ways) with securing communication systems for high-level applications. In our research, the two domains are linked by the computational issues related to algebraic curves (over various fields) and arithmetic rings. These fundamental number-theoretic algorithms, at the crossroads of a rich area of mathematics and computer science, have already proven their relevance in public key cryptography, with industrial successes including the RSA cryptosystem and elliptic curve cryptography. It is less well-known that the same branches of mathematics can be used to build very good codes for error correction. While coding theory has traditionally had an electrical engineering flavour, recent developments in computer science have shed new light on coding theory, leading to new applications more central to computer science.

Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:

fundamental algorithms for integers and polynomials (including primality and factorization);

algorithms for finite fields (including discrete logarithms); and

algorithms for algebraic curves.

Clearly, we use computer algebra in many ways. Research in cryptology
has motivated a renewed interest in Algorithmic Number Theory in
recent decades—but the fundamental problems still exist *per
se*. Indeed, while algorithmic number theory application in
cryptanalysis is epitomized by applying factorization to breaking RSA
public key, many other problems, are relevant to various area of
computer science. Roughly speaking, the problems of the cryptological
world are of bounded size, whereas Algorithmic Number Theory is also
concerned with asymptotic results.

Theme: Arithmetic Geometry: Curves and their Jacobians
*Arithmetic Geometry* is the meeting point of algebraic geometry and
number theory: that is, the study of geometric objects defined over
arithmetic number systems (such as the integers and finite fields).
The fundamental objects for our applications
in both coding theory and cryptology
are curves and their Jacobians over finite fields.

An algebraic *plane curve*

(Not every curve is planar—we may have more variables, and more
defining equations—but from an algorithmic point of view,
we can always reduce to the plane setting.)
The *genus* *Jacobian* of

The simplest curves with nontrivial Jacobians are
curves of genus 1,
known as *elliptic curves*;
they are typically defined by equations of the form

Theme: Curve-Based Cryptology

Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.

Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
*key*, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group

This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups

The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field

This is where Jacobians of algebraic curves come into their own.
First, elliptic curves and Jacobians of genus 2 curves do not have a
subexponential index calculus algorithm: in particular, from the point
of view of the DLP, a generic elliptic curve is currently *as
strong as* a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed

Theme: Coding theory

Coding Theory studies originated with the idea of using redundancy in messages to protect against noise and errors. The last decade of the 20th century has seen the success of so-called iterative decoding methods, which enable us to get very close to the Shannon capacity. The capacity of a given channel is the best achievable transmission rate for reliable transmission. The consensus in the community is that this capacity is more easily reached with these iterative and probabilistic methods than with algebraic codes (such as Reed–Solomon codes).

However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random case setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst case approach: under combinatorial restrictions on the noise, the noise can be adversarial, with strictly zero errors.

These considerations are renewed by the topic of list decoding after the breakthrough of Guruswami and Sudan at the end of the nineties. List decoding relaxes the uniqueness requirement of decoding, allowing a small list of candidates to be returned instead of a single codeword. List decoding can reach a capacity close to the Shannon capacity, with zero failure, with small lists, in the adversarial case. The method of Guruswami and Sudan enabled list decoding of most of the main algebraic codes: Reed–Solomon codes and Algebraic–Geometry (AG) codes and new related constructions “capacity-achieving list decodable codes”. These results open the way to applications again adversarial channels, which correspond to worst case settings in the classical computer science language.

Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).

From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.

Another area of Algebraic Coding Theory with which we are more recently concerned is the one of Locally Decodable Codes. After having been first theoretically introduced, those codes now begin to find practical applications, most notably in cloud-based remote storage systems.

In the twenty-first century, cryptography plays two essential roles:
it is used to ensure *security* and *integrity*
of communications and communicating entities.
Contemporary cryptographic techniques can be used
to hide private data,
and to prove that public data has not been modified;
to provide anonymity, and to assert and prove public identities.
The creation and testing of practical cryptosystems involves

The design of provably secure protocols;

The design and analysis of compact and efficient algorithms to implement those protocols, and to attack their underlying mathematical and computational problems;

The robust implementation of those algorithms in low-level software and hardware, and their deployment in the wild.

While these layers are interdependent, GRACE's cryptographic research is focused heavily on the middle layer: we design, implement, and analyze the most efficient algorithms for fundamental tasks in contemporary cryptography. Our “clients”, in a sense, are protocol designers on the one hand, and software and hardware engineers on the other.

F. Morain and B. Smith work primarily on the number-theoretic algorithms that underpin the current state-of-the-art in public-key cryptography (which is used to establish secure connections, and create and verify digital signatures, among other applications). For example, their participation in the ANR CATREL project aims to give a realistic assessment of the security of systems based on the Discrete Logarithm Problem, by creating a free, open, algorithmic package implementing the fastest known algorithms for attacking DLP instances. This will have an extremely important impact on contemporary pairing-based cryptosystems, as well as legacy finite field-based cryptosystems. On a more constructive note, F. Morain' elliptic curve point counting and primality proving algorithms are essential tools in the everyday construction of strong public-key cryptosystems, while B. Smith's recent work on elliptic and genus 2 curves aims to improve the speed of curve-based cryptosystems (such as Elliptic Curve Diffie–Hellman key exchange, a crucial step in establishing secure internet connections) without compromising their security.

D. Augot, F. Levy-dit-Vehel, and A. Couvreur's
research on codes has far-reaching applications in
*code-based cryptography*.
This is a field which is growing rapidly in importance—partly
due to the supposed resistance of code-based cryptosystems to
attacks from quantum computing, partly due to the range of new
techniques on offer, and partly because the fundamental problem
of parameter selection is relatively poorly understood.
For example, A. Couvreur's work on filtration attacks on codes has an
important impact on the design of code-based systems using wild Goppa
codes or
algebraic geometry codes, and on the choice of parameter sizes
for secure implementations.

Coding theory also has important practical applications in the improvement of conventional symmetric cryptosystems. For example, D. Augot's recent work on MDS matrices via BCH codes gives a more efficient construction of optimal diffusion layers in block ciphers. Here we use combinatorial, non-algorithmic properties of codes, in the internals of designs of block ciphers.

While coding theory brings tools as above for the classical
problems of encryption, authentication, and so on, it can also
provide solutions to new cryptographic problems. This is
classically illustrated by the use of Reed-Solomon codes in secret
sharing schemes. Grace is involved in the study, construction and
implementation of locally decodable codes, which have applications
in quite a few cryptographic protocols : *Private Information Retrieval*,
*Proofs of Retrievability*, *Proofs of Ownership*, etc.

A. Couvreur, D. Augot and D. Lucas organized with L. De Feo and Hugues Randriambololona (ENST ParisTech) a spring school on coding and cryptology in la Chapelle Gauthier (Seine et Marne).

A. Couvreur and D. Augot organized 4 days workshop in november 2016 for the ANR MANTA. The topics were: “Decoding” and “Codes from surfaces”.

SageDays75. To conclude the ACTIS projet, we organized a one-week SageDays in August 2016. The day was spent at Inria Saclay, and people were staying at night in a cottage in Vallée de Chevreuse.

The overall theme of this Sage Days was coding theory and exact linear algebra related to it, but there was be lots of general hacking. The aim of this Sage Days was to Introduce Sage to coding theorists; have presentations about the enhancements we made to Sage's coding theory library during Inria's ACTIS project; Help people to work on their own projects.

We had a few talks on the mornings, and coding sprints on the afternoons. The first days' talks were focused on basic functionalities of our library, the last 2 days on advanced functionalities, with an emphasis on Sage development.

We were glad to attract several core sage developpers, who recognized the quality of the work done by D. Lucas.

Functional Description

The aim of this project is to vastly improve the state of the error correcting library in Sage. The existing library does not present a good and usable API, and the provided algorithms are very basic, irrelevant, and outdated. We thus have two directions for improvement: renewing the APIs to make them actually usable by researchers, and incorporating efficient programs for decoding, like J. Nielsen's CodingLib, which contains many new algorithms.

Contact: David Lucas

During the project, D. Lucas and J. Nielsen proposed a google summer of code project on rank-metric codes under our ACTIS framework. The intern was Arpit Merchant, who visited us for SageDays75.

Keyword: Cryptography

Functional Description

A competitive, high-speed, open implementation of the Diffie–Hellman key exchange protocol and a Schnorr-type digital signature scheme, targeting the 128-bit security level on two microcontroller platforms: the classic AVR ATMega 8-bit platform and the more modern ARM Cortex M0 32-bit platform. These downloads contain mixed C and assembly sources for the implementations described in .

Participant: Benjamin Smith

Contact: Benjamin Smith

ATMega implementation URL: http://

Cortex M0 implementation URL: http://

B. Smith made several contributions to the development of faster arithmetic on elliptic curves and genus 2 Jacobians in 2016. In joint work with C. Costello and P.-N. Chung, he gave a new, efficient, uniform, and constant-time scalar multiplication algorithm for genus 2 Jacobians exploiting fast Kummer surface arithmetic and features of differential addition chains; this was presented at SAC 2016. The theory in this article was the basis of a highly competitive implementation of key exchange and signatures for microcontroller platforms, in joint work with J. Renes, P. Schwabe, and L. Batina, presented at CHES 2016.

Integer factorization via Shor's algorithm is a benchmark problem for general quantum computers, but surprisingly little work has been done on optimizing the algorithm for use as a serious factoring tool once large quantum computers are built (rather than as a proof of concept). In the meantime, given the limited size of contemporary quantum computers and the practical difficulties involved in building them, any optimizations to quantum factoring algorithms can lead to significant practical improvements. In a new interdisciplinary project with physicists F. Grosshans and T. Lawson, F. Morain and B. Smith have derived a simple new quantum factoring algorithm for cryptographic integers; its expected runtime is lower than Shor's factoring algorithm, and it should also be easier to implement in practice .

Determining the number of points on an elliptic curve, or more generally on the Jacobian of an algebraic curve, is a classic problem in algorithmic number theory that is now crucial for efficiently generating secure cryptographic parameters. Together with C. Scribot, F. Morain and B. Smith developed an improved version of the state-of-the-art SEA algorithm for certain families of elliptic curves with special endomorphisms; this was presented at ANTS-XII . B. Smith also led a project group on special genus-2 point counting algorithms at the "Algebraic Geometry for Coding Theory and Cryptography" workshop at IPAM, UCLA, in 2016.

The McEliece encryption scheme based on binary Goppa codes was one of the first public-key encryption schemes . Its security rests on the difficulty of decoding an arbitrary code. The original proposal uses classical Goppa codes, and while it still remains unbroken, it requires a huge size of key. On the other hand, many derivative systems based on other families of algebraic codes have been subject to key recovery attacks. Up to now, key recovery attacks were based either on a variant of Sidelnikov and Shestakov's attack , where the first step involves the computation of minimum-weight codewords, or on the resolution of a system of polynomial equations using Gröbner bases.

**Distinguishing** the public code from a random one using
the square code operation.

**Computing a filtration** of the
public code using the distinguisher, and deriving from this filtration
an efficient decoding algorithm for the public code.

This new style of attack allowed A. Couvreur, A. Otmani and J.-P. Tillich to break (in polynomial time) McEliece based on wild Goppa codes over quadratic extensions . A detailed long version has been written and recently published . A. Couvreur, Irene Márquez–Corbella, and R. Pellikaan broke McEliece based on algebraic geometry codes from curves of arbitrary genus , by reconstructing optimal polynomial time decoding algorithms decoding up to the half minimum distance minus half the genus. This can be computed from the raw data of a generator matrix. In a recently submitted long version the algorithm has been improved and permits to reconstruct a decoding algorithm up to the half minimum distance.

Quantum codes are the analogous of error correcting codes
for a quantum computer. A well known family of quantum codes
are the CSS codes due to Calderbank, Shor and Steane
can be represented by a pair of matrices

The best discrete logarithm record computations in prime fields and large characteristic finite fields are obtained with Number Field Sieve algorithm (NFS) at the moment. This algorithm is made of four steps:

polynomial selection;

relation collection (with a sieving technique);

linear algebra (computing the kernel of a huge matrix, of millions of rows and columns);

individual discrete logarithm computation.

The two more time consuming steps are the relation collection step and the linear algebra step. The polynomial selection is quite fast but is very important since it determines the complexity of the algorithm. Selecting better polynomials is a key to improve the overall running-time of the NFS algorithm.

A. Guillevic and F. Morain have written a chapter on discrete logarithm computations for a book on pairings.

There is a reduction between an elliptic curve *embedding
degree*) of the base field, using pairing computations. In brief, one
can transport the discrete logarithm problem from

Rank metric and Gabidulin codes over the rationals promise
interesting applications to space-time coding. We have constructed
optimal codes, similar to Gabidulin codes, in the case of infinite
fields. We use algebraic extensions, and we have determined the
condition on the considered extension to enable this construction.
For example: we can design codes with complex coefficients, using
number fields and Galois automorphisms.
Then, in the rank metric setting, codewords can be seen as matrices.
In this setting, a channel introduces errors (a matrix of small rank

We also have used this framework to build rank-metric codes over the field of rational functions, using algebraic function fields with cyclic Galois group (Kummer and Artin extensions). These codes can be seen as a generator of infinitely many convolutional codes.

Cryptographic hash functions are versatile primitives that are used in
many cryptographic protocols. The security of a hash function

A popular hash function is the SHA-1 algorithm. Although theoretical collision attacks were found in 2005, it is still being used in some applications, for instance as the hash function in some TLS certificates. Hence cryptanalysis of SHA-1 is still a major topic in cryptography.

In 2015, we improved the state-of-the-art on SHA-1 analysis in two ways:

T. Espitau, P.-A. Fouque and P. Karpman improved the previous preimage attacks on SHA-1, reaching up to 62 rounds (out of 80), up from 57. The corresponding paper was published at CRYPTO 2015.

P. Karpman, T. Peyrin and M. Stevens developed collision attacks on the compression function of SHA-1 (i.e. freestart collisions). This exploits a model that is slightly more generous to the attacker in order to find explicit collisions on more rounds than what was previously possible. A first work resulted in freestart collisions for SHA-1 reduced to 76 steps; this attack takes less than a week to compute on a common GPU. The corresponding paper was published at CRYPTO 2015. This was later improved to attack the full compression function. Although the attack is more expensive it is still practical, taking less than two weeks on a 64 GPU cluster. The corresponding paper was accepted at EUROCRYPT 2016 .

Block ciphers are one of the most basic cryptographic primitives, yet block cipher analysis is still a major research topic.
In recent years, the community also shifted focus to the more general setting of *authenticated encryption*, where one
specifies an (set of) algorithm(s) providing both encryption and authentication for messages of arbitrary length. A major
current event in that direction is the CAESAR academic competition, which aims to select a portfolio of good algorithms.

In 2015, we helped to improve the state of the art in block cipher research in several ways:

P. Karpman developed a compact 8-bit S-box with branch number three, which can be used as a basis to construct a lightweight block cipher particularly efficient on 8-bit microcontrollers .

In 2016, together with P.-A. Fouque, P. Kirchner and B. Minaud, P. Karpman designed a family of efficient provably incompressible symmetric primitives, which corresponds to a weak notion of white-box cryptography. The objective of such algorithms is that given an implementation of a certain target size, an adversary shouldn't be able to efficiently find a smaller implementation with comparable functionality. We introduced a security model that captures the behaviour of realistic adversaries and used this model to prove the security of a family of block cipher and a family of key generating functions. The corresponding paper was published at ASIACRYPT 2016 .

V. Ducet worked on the weight distribution of geometric codes following a method initiated by Duursma. More precisely he implemented his method in magma and was able to compute the weight distribution of the geometric codes coming from two optimal curves of genus 2 and 3 over the finite fields of size 16 and 9 respectively. The aim is to compute the weight distribution of the Hermitian code over the finite field of size 16, for which computational improvements of the implementation are necessary.

The Chor-Rivest cryptosystem from the 90's was “broken” by Vaudenay. However, Vaudenay's attack applies only for the range of parameters originally proposed. The major recent breakthrough in discrete logarithm computations enable to redesign the system with a completly different range of paramaters, possibly thwarting Vaudenay's attack. D. Augot and C. Barbin tried to find a new attack against this discrete log and knapsack-based cryptosystem, using the Sidelnikov-Shestakov algorithm for recovering a Reed-Solomon code. Apparently, our new attack does not outperform S. Vaudenay's original attack, and it may be possible that the Chor-Rivest could be redesigned in a secure way.

A Proof of Retrievability (PoR) is a cryptographic protocol which aims at ensuring a user that he can retrieve files he previously stored on a server. J. Lavauzelle and F. Levy-dit-Vehel studied a new approach for the construction of PoRs. The idea is to encode the file so that the user can check with low communication whether its file has been damaged. Such an encoding can be efficiently done with locally decodable and testable codes, and especially with the family of lifted codes introduced by Guo, Kopparty and Sudan . In practice, PoRs thus defined achieve very efficient storage overhead and acceptable communication, compared to the existing litterature. This new construction has been presented during the ISIT2016 conference in Barcelona.

N. Coxon has produced a fast implementation which demonstrates that
the multiplicity codes from Kopparty, Saraf and Yehkanin are indeed
practical for very large databases (when used in the Private
Information Retrieval setting). For instance, we can
encode a

Imagine the following scenario, in which a researcher wants to access many sustrings a DNA sequences, while maintaining the privacy of the request. The privacy or the secrecy of the database is not a concern here: for instance, this researcher wants to access many DNA subsequences of drosophila melanogaster, hosted on a remote data broker, and clearly the concern is not to protect the private life of flies. But the information leaked about the queries may endanger the novel aspect of the discovery the researcher is about to make, by revealing which DNA sequences he is studying.

Private Information Retrieval (PIR) schemes are designed to achieve this
goal: a user queries a database

These PIR schemes can be achieved in an unconditionally secure way using the above Multiplicity codes, which N. Coxon made practical. In September, we explained this scenario and demoed our software at Nokia Bell Lab's Future X days a use case of Multiplicity codes for private access to DNA sequences.

In 1978, McEliece , introduced a public key
cryptosystem based on linear codes and suggested to use classical
Goppa codes which belong to the family of alternant codes. This
proposition remains secure but leads to very large public keys
compared to other public-key cryptosystems. Many proposals have been
made in order to reduce the key size, in particular quasi-cyclic
alternant codes. Quasi-cyclic alternant codes refer to alternant
codes admitting a generator matrix made of severals cyclic
bloks. These alternant codes contains weakness because they have a
non-trivial automorphism group. Thanks to this property we can
build, from a quasi-cyclic alternant code, an alternant code with
smaller parameters which has almost same private elements than the
original code. Faugère, Otmani, Tillich, Perret and Portzamparc
showed this fact for alternant codes
obtained by using supports

In order to suggest compact keys for the McEliece cryptosystem E. Barelli and A. Couvreur studied quasi-cyclic alternant gemeotric codes. Alternant geometric codes means a subfield subcode of an algebraic-geometry codes. To build these codes, we need curves with automorphisms. In particular, we studied Kummer cover of plane curves.

Within the framework of the joint lab Inria-ALU, Grace and Alcatel-Lucent collaborate on the topic of Private Information Retrieval: that is, enabling a user to retrieve data from a remote database while revealing neither the query nor the retrieved data. (This is not the same as data confidentiality, which refers to the need for users to ensure secrecy of their data; this is classically obtained through encryption, which prevents access to data in the clear.)

A typical application would be a centralized database of medical records, which can be accessed by doctors, nurses, and so on. A desirable privacy goal would be that the central system does not know which patient is queried for when a query is made, and this goal is precisely achieved by a Private Information Retrieval protocol. Note also that in this scenario the database is not encrypted, since many users are allowed to access it.

We are exploring applications of Locally Decodable Codes to Private Information Retrieval in the multi-cloud (multi-host) setting, to ensure both secure, reliable storage, and privacy of database queries.

N. Coxon made the first implementation of these codes, who are indeed
very practical. On a laptop, we can encode an ADN of a drosophilia in
two seconds, and a

A contract has been signed in November 2016 between Safran Identity and Security and École polytechnique, for one year post-doc position. A candidate has been found, and will arrive early 2017 (January).

The topic is the research is to use bitcoin's blockchain to issue and manipulate certification of identities, which is very close to the (trendy) topic of diplomation with blockchains.

Safran had a preliminary construction for doing that, and a preliminary version has been submitted to the IEEE Security and Privacy on the Blockchain Workshop.

Within the group PAIP (Pour une Approche Interdisciplinaire de la Privacy), D. Augot presented the cryptographic and peer-to-peer principles at the heart of the Bitcoin protocol (electronic signature, hash functions, and so on). Most of the information is publicly available: the history of all transactions, evolution of the source code, developers' mailing lists, and the Bitcoin exchange rate. It was recognized by the economists in our group that such an amount of data is very rare for an economic phenomenon, and it was decided to start research on the history of Bitcoin, to study the interplay between the development of protocol and the development of the economical phenomenon.

The project
**Aije-Bitcoin** (analyse
informatique, juridique et economique de Bitcoin) was accepted as
interdisciplinary research for a PEPS (Projet exploratoire Premier
Soutien) cofunded by the CNRS and Universite de Paris-Saclay. This
one-year preliminary program will enable the group to master the
understanding of Bitcoin from various angles, allowing more advanced
research in the following years.

One M2 intern, E. Palazzollo, was intern in Sceaux, with aim to qualify the nature of bitcoin, as an asset, curency, etc.

This project ended in March 2016

Idealcodes is a two-year Digiteo research project, started in October 2014. The partners involved are the École Polytechnique (X) and the Université de Versailles–Saint-Quentin-en-Yvelines (Luca de Feo, UVSQ). After hiring J. Nielsen the first year, we have hired V. Ducet for the second year, both working at the boundary between coding theory, cryptography, and computer algebra

Idealcodes spans the three research areas of algebraic coding theory, cryptography, and computer algebra, by investigating the problem of lattice reduction (and root-finding). In algebraic coding theory this is found in Guruswami and Sudan's list decoding of algebraic geometry codes and Reed–Solomon codes. In cryptography, it is found in Coppersmith's method for finding small roots of integer equations. These topics were unified and generalised by H. Cohn and N. Heninger , by considering algebraic geometry codes and number field codes under the deep analogy between polynomials and integers. Sophisticated results in coding theory could be then carried over to cryptanalysis, and vice-versa. The generalized view raises problems of computing efficiently, which is one of the main research topics of Idealcodes.

The last year of the one-year project aims to find matrices with good diffusion properties over small finite fields. The principle is to find non-maximal matrices, but with better coefficients and implementation properties. The relevant cryptographic properties to be studied correspond to the weight distribution of the associated code. Since we use Algebraic-Geometry codes, much more powerful techniques can be used for computing these weight distribution, using and improving Duursma's ideas .

D. Augot is co-advising a PhD candidate, H.-M. Bisserier, on “les relations contractuelles de droit privé à l'épreuve de la technologie des blockchains”, i.e. on (French) law and so-called “smart contracts”. D. Augot will mainly help H.-M. Bisserier to clarify the essential computer science topics and issues relevant to the most important blockchains (bitcoin, ethereum). Then H.-M. Bisserier will be advised by C. Zolynksi for remaining two years, fixing research directions.

MANTA (accepted July 2015, starting March 2016): “Curves, surfaces, codes and cryptography”. This project deals with applications of coding theory error correcting codes to in cryptography, multi-party computation, and complexity theory, using advanced topics in algebraic geometry and number theory. The kickoff was a one week-retreat in Dordogne (20 participants), and we had another four day meeting in Saclay in November 17. See http://anr-manta.inria.fr/.

Cybersecurity. Inria and DGA contracted for three PhD topics at the national level, one of them involving Grace. Grace started a new PhD, and hired P. Karpman. The topic of this PhD is complementary to the above DIFMAT-3: while DIFMAT-3 provides fundamental methods for dealing with AG codes, in application for diffusion layers in block ciphers, the topic here is to make concrete propositions of block ciphers using these matrices. P. Karpman is coadvised by T. Peyrin (Nanyang Technological University, Singapore), by P.-A. Fouque (Université de Rennes), and D. Augot.

Title: Post-quantum cryptography for long-term security

Programm: H2020

Duration: March 2015 - March 2018

Coordinator: TECHNISCHE UNIVERSITEIT EINDHOVEN

Partners:

Academia Sinica (Taiwan)

Bundesdruckerei (Germany)

Danmarks Tekniske Universitet (Denmark)

Katholieke Universiteit Leuven (Belgium)

Nxp Semiconductors Belgium Nv (Belgium)

Ruhr-Universitaet Bochum (Germany)

Stichting Katholieke Universiteit (Netherlands)

Coding Theory and Cryptology group, Technische Universiteit Eindhoven (Netherlands)

Technische Universitaet Darmstadt (Germany)

University of Haifa (Israel)

Inria contact: Nicolas Sendrier

Online security depends on a very few underlying cryptographic algorithms. Public-key algorithms are particularly crucial since they provide digital signatures and establish secure communication. Essentially all applications today are based on RSA or on the discrete-logarithm problem in finite fields or on elliptic curves. Cryptographers optimize parameter choices and implementation details for these systems and build protocols on top of these systems; cryptanalysts fine-tune attacks and establish exact security levels for these systems.

It might seem that having three systems offers enough variation, but these systems are all broken as soon as large quantum computers are built. The EU and governments around the world are investing heavily in building quantum computers; society needs to be prepared for the consequences, including cryptanalytic attacks accelerated by these computers. Long-term confidential documents such as patient health-care records and state secrets have to guarantee security for many years, but information encrypted today using RSA or elliptic curves and stored until quantum computers are available will then be as easy to decipher.

PQCRYPTO will allow users to switch to post-quantum cryptography: cryptographic systems that are not merely secure for today but that will also remain secure long-term against attacks by quantum computers. PQCRYPTO will design a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, with reference implementations.

Our team is engaged in WP3.3 “advanced applications for the cloud”. We envision to focus essentially on secure multiparty computation, essentially the information theoretically secure constructions, who are naturally secure against a quantum computer invoked on classical queries. We will study whether these protocols still resist quantum queries. This work sub package started March 2015, and is dealt with by D. Augot.

D. Augot is member of the committee of the CCA seminar on coding and cryptology. This seminar regularly attracts around 30 participants.

D. Augot was reviewer for International Symposium on Information Theory

D. Augot is member of the editorial board of the *RAIRO -
Theoretical Informatics and Applications*, a Cambridge journal
published by EDP Sciences.

D. Augot is member of the editorial board of the *International
Journal of Information and Coding Theory*, InderScience publishers.

F. Morain is member of the editorial board of the
*Applicable Algebra in Engineering, Communication and Computing*,
Springer.

A. Couvreur was editor with Alp Bassa (Bogazici University, Turkey) and
David Kohel (Aix-Marseille University) of a number of *AMS
Contemporary Mathematics* for the proceedings of the conference
AGCT (*Arithmetic Geometry Cryptography and Coding Theory*)
2015.

D. Augot was reviewer for

Discrete Mathematics

Designs, Codes and Cryptography

Linear and Multilinear Algebra

Finite Fields and their applications

A. Couvreur was reviewer for

Discrete Mathematics

Designs, Codes and Cryptography

Journal of Algebra

D. Augot was invited speaker at Yet Another Cryptography Conference (YACC), Porquerolles, June 2016.

B. Smith was an invited speaker at the 20th international Workshop on Elliptic Curve Cryptography (ECC), Izmir, Turkey, September 2016.

A. Couvreur gave a talk to represent the group *Codes et Cryptographie*
of the GdR *Informatique Mathématiques* (GdR IM) at the *Journées
nationales du GdR IM* at University Paris 13 (January 13).

D. Augot participated in a round table at a workshop organized by French National Assembly (lower house) at, on blockchains (March 24th).

D. Augot participated in a round table at Paris Dauphine on blockchains, organized by the chair “Chaire Gouvernance & Régulation” (November 1).

D. Augot made a talk on hashing and blockchain at a workshop on blockchains held at Institut Poincaré (November 16).

B. Smith gave lectures on
*Basic public-key constructions with elliptic curves*
and
*Advanced constructions in curve-based cryptography*
at the
*Summer school on real-world crypto and privacy*,
Sibenik, Croatia, June 2016.

B. Smith gave a course on *asymmetric cryptography and
elliptic curves* at the
*Crypto-CO summer school on cryptography and security*,
Bogota, Colombia, July 2016.

B. Smith gave lectures on elliptic curves
at the
*ECC2016 Computational Algebraic Number Theory School*,
Izmir, Turkey, September 2016.

Committees

A. Couvreur is an elected member of Saclay's *comité de centre*.

A. Couvreur is an elected member of Saclay's *Comité local
Hygiène, Sécurité et Conditions de Travail*.

A. Couvreur is the *jeune chercheur référent* for the *commission
de suivi doctoral* of Inria Saclay.

D. Augot is a member of LIX's *conseil de direction*.

D. Augot is the vice-head of Inria's *comité de suivi doctoral*

D. Augot is a member of LIX's *assemblée des chefs d'équipe*

D. Augot is elected member of the *conseil académique
consultatif* of Paris-Saclay University.

F. Levy-dit-Vehelis a representative of “enseignants-chercheurs” of LIX.

F. Morain, B. Smith and A. Couvreur are elected members
of the *Conseil de Laboratoire* of the LIX.

F. Morain is vice-head of the Département d'informatique of Ecole Polytechnique.

F. Morain represents École polytechnique in the
committee in charge of *Mention HPC* in the
*Master de l'université Paris Saclay*.

F. Morain is member of the Board of Master Parisien de Recherche en Informatique (MPRI).

B. Smith is a *Correspondant* for International Relations
at Saclay.

B. Smith is a member of the COST-GTRI.

B. Smith is a member of the teaching committee of the Department of Computer Science of the École polytechnique.

B. Smith is the academic coordinator for Computer Science in the
new *Bachelor* program at École polytechnique.

Committees

D. Augot was in the committee assessing candidates for Univ. Paris 8.

Licence :

D. Augot was mentoring a group of polytechnique students on a L3 projet on homomorphic encryption and voting (6 students)

D. Augot was mentoring a group of polytechnique students on a L3 projet on blockchains and hyperledger, in collaboration with Orange (5 students)

F. Levy-dit-Vehel, “Mathématiques discrètes pour la protection de l'information”, 24h (equiv TD), 2nd year (L3), ENSTA ParisTech, France.

J. Lavauzelle, 1I002, “Introduction à la programmation en C”, tutorial class (38.5h), L1, Université Pierre et Marie Curie, France

J. Lavauzelle, 2I011, “Méthodes numériques”, tutorial class (21h), L2, Université Pierre et Marie Curie, France

J. Lavauzelle, 1I001, “Éléments de programmation”, tutorial class (38.5h), L1, Université Pierre et Marie Curie, France

J. Lavauzelle, 2I003, “Initiation à l'algorithmique”, tutorial class (21.25h), L2, Université Pierre et Marie Curie, France

A. Couvreur and E. Barelli, INF311, ”Introduction à l'informatique“, 26.7h(equiv TD), 1st year, Ecole Polytechnique, France.

E. Barelli, INF411, "Les bases de la programmation et de l'algorithmique", 21.3h (equiv TD), 2nd year (L3), Ecole Polytechnique, France.

B. Smith, INF442, "Traitement des données massives", 32h TD, 2nd year, École polytechnique

A. Couvreur and B. Smith, INF411, "Les bases de la programmation et de l'algorithmique", 32h TD, 2nd year, École polytechnique

Master :

D. Augot was mentoring François Bonnal, on a M1 research training projet, “bitcoin malleability”

D. Augot was mentoring Édouard Dufour-Sans, on a M1 research training projet, “symmetric information theoretically secure private information retrieval schemes and applications”

F. Levy-dit-Vehel, “Cours de Cryptographie”, 30h. (equiv TD), 3rd year (M1), ENSTA ParisTech, France.

B. Smith, “Algorithmes arithmétiques pour la cryptologie”, 15h, MPRI (M2), Paris

A. Couvreur, INF558a, “Introduction to cryptology”, 25h, Ecole Polytechnique (M1).

A. Couvreur, “Introduction to coding theory and cryptology”, 10h, MPRI (M2), Paris.

B. Smith supervised Nagarjun Chinthamani Dwarakanath for a 3A project and an M1 project on efficient curve-based cryptosystems at École polytechnique

A. Couvreur supervised Evrim Petek's M2 internship on the power decoding algorithm.

A. Couvreur supervised Anas Aarab's M1 TRE (*Travail
de Recherche Encadré*) on the decoding of Reed Solomon
codes.

Doctorat :

Ben Smith made a lecture at the spring school on coding and cryptology at La Chapelle-Gauthier.

PhD in progress. J. Lavauzelle has began his Ph.D. on locally decodable codes and cryptogra[hic applications, on October 1st, 2015, under the supervision of D. Augot and F. Levy-dit-Vehel.

PhD in progress. E. Barelli has begun his PhD on Algebraic-Geometry codes for code-based crypto on October 1st, 2015, under the supervision of D. Augot and A. Couvreur.

PhD in progress. N. Duhamel has begun his PhD on genus 2 curves for cryptography, under the supervision of B. Smith and F. Morain.

Completed PhD. P. Karpman, starting in 2013, defended in November 2016 his PhD on security of symmetric crytographic primitives.

D. Augot was examiner in the jury of Fanny Jardel, who defended her thesis “Calcul et Stockage Distribués pour les Réseaux de Communication”, January 11, Télécom-ParisTech

D. Augot was examiner in the jury of Cécile Pierrot, who defended her thesis “Le logarithme discret dans les corps finis”, November 25, Pierre and Marie Curie University.

F. Morain was referee and examiner in the jury of Alexandre WALLET, who defended his thesis “Le problème de décomposition de points dans les variétés jacobiennes”, December 14, Pierre and Marie Curie University.

A. Couvreur is member of the jury of the agrégation de mathématiques and coordinator of option C (“algèbre et calcul formel).

At the occasion of Nokia Bell Labs Future X-Days, September 2016, D. Augot,
N. Coxon and F. Levy-dit-Vehel demoed N. Coxon's implementation of a code
based *private information retrieval scheme*

D. Augot made a two hours lecture on bitcoin to the French *institut des actuaires*.