Algorithmic number theory dates back to the dawn of mathematics
itself, *cf.* Eratosthenes's sieve to enumerate consecutive prime numbers.
With the
arrival of computers, previously unsolvable problems have come into reach,
which has boosted the development of more or less practical algorithms
for essentially all number theoretic problems. The field is now mature
enough for a more computer science driven approach, taking into account
the theoretical complexities and practical running times of the algorithms.

Concerning the lower level multiprecision arithmetic, folklore has asserted for a long time that asymptotically fast algorithms such as Schönhage–Strassen multiplication are impractical; nowadays, however, they are used routinely. On a higher level, symbolic computation provides numerous asymptotically fast algorithms (such as for the simultaneous evaluation of a polynomial in many arguments or linear algebra on sparse matrices), which have only partially been exploited in computational number theory. Moreover, precise complexity analyses do not always exist, nor do sound studies to choose between different algorithms (an exponential algorithm may be preferable to a polynomial one for a large range of inputs); folklore cannot be trusted in a fast moving area such as computer science.

Another problem is the reliability of the computations; many number
theoretic algorithms err with a
small probability, depend on unknown constants or rely on a Riemann
hypothesis. The correctness of their output can either be ensured by a
special design of the algorithm itself (slowing it down) or by an *a
posteriori* verification. Ideally, the algorithm outputs a certificate,
providing an independent *fast* correctness proof. An example is integer
factorisation, where factors are hard to obtain but trivial to
check; primality proofs have initiated sophisticated generalisations.

One of the long term goals of the Lfant project team is to make an inventory of the major number theoretic algorithms, with an emphasis on algebraic number theory and arithmetic geometry, and to carry out complexity analyses. So far, most of these algorithms have been designed and tested over number fields of small degree and scale badly. A complexity analysis should naturally lead to improvements by identifying bottlenecks, systematically redesigning and incorporating modern asymptotically fast methods.

Reliability of the developed algorithms is a second long term goal of our project team. Short of proving the Riemann hypothesis, this could be achieved through the design of specialised, slower algorithms not relying on any unproven assumptions. We would prefer, however, to augment the fastest unproven algorithms with the creation of independently verifiable certificates. Ideally, it should not take longer to check the certificate than to generate it.
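As an added illustration of that certificate idea (example code written for this page, not code from the report or from Pari/Gp), a Pratt certificate for a prime p packages a witness a together with certificates for the prime factors of p - 1; the checker needs only modular exponentiations and never repeats the prover's factorisation, so checking is far cheaper than generating. All numbers used are constructed for the demonstration.

```python
"""Pratt primality certificates: the prover does the hard work (factoring p - 1 and
finding a generator); the checker only redoes cheap modular exponentiations.
Added example, not code from the report or from Pari/Gp; all values are constructed."""
from math import prod

# A certificate is a tuple (p, a, subcerts): a is a witness with a^(p-1) = 1 (mod p)
# and a^((p-1)/q) != 1 (mod p) for every prime q | p-1, and subcerts are certificates
# for those q, listed with multiplicity so that their product is p - 1.
# The base case is (2, None, []).

def verify_pratt(cert):
    """Check a certificate without any factoring; cost is a few exponentiations per level."""
    p, a, subcerts = cert
    if p == 2:
        return True
    if p < 2 or subcerts == []:
        return False
    qs = [sub[0] for sub in subcerts]
    if prod(qs) != p - 1:
        return False                          # claimed factorisation of p - 1 is wrong
    if a is None or not 1 < a < p or pow(a, p - 1, p) != 1:
        return False                          # witness fails Fermat's condition
    if any(pow(a, (p - 1) // q, p) == 1 for q in set(qs)):
        return False                          # witness has order smaller than p - 1
    # Lucas' theorem now gives: p is prime provided every listed q really is prime.
    return all(verify_pratt(sub) for sub in subcerts)

def verify_factorisation(n, certs):
    """Complete factorisation certificate for n: Pratt certificates of primes multiplying to n."""
    return prod(c[0] for c in certs) == n and all(verify_pratt(c) for c in certs)

# --- prover side, deliberately naive: this is the work the checker does NOT redo ---
def trial_factor(n):
    """Prime factors of n with multiplicity, by trial division (toy sizes only)."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def make_pratt(p):
    """Build a certificate for a prime p; raises ValueError if p is composite, because
    no element of (Z/pZ)* then has order p - 1 (Carmichael numbers included)."""
    if p == 2:
        return (2, None, [])
    qs = trial_factor(p - 1)
    for a in range(2, p):
        if pow(a, p - 1, p) == 1 and all(pow(a, (p - 1) // q, p) != 1 for q in set(qs)):
            return (p, a, [make_pratt(q) for q in qs])
    raise ValueError(f"{p} is not prime: no element of order {p - 1} exists")

if __name__ == "__main__":
    cert = make_pratt(1000003)
    print("certificate for 1000003 verifies:", verify_pratt(cert))
    # A forged certificate for the composite 15 is rejected at the witness check.
    forged = (15, 2, [(2, None, []), (7, 3, [(2, None, []), (3, 2, [(2, None, [])])])])
    print("forged certificate for 15 verifies:", verify_pratt(forged))
```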

All theoretical results are complemented by concrete reference implementations in Pari/Gp, which allow one to determine and tune the thresholds where the asymptotic complexity kicks in and help to evaluate practical performance on problem instances provided by the research community. Another important source of algorithmic problems treated by the Lfant project team is modern cryptology. Indeed, the security of all practically relevant public key cryptosystems relies on the difficulty of some number theoretic problem; on the other hand, implementing the systems and finding secure parameters require efficient algorithmic solutions to number theoretic problems.

Modern number theory was introduced in the second half of the 19th
century by Dedekind, Kummer, Kronecker, Weber and others, motivated by
Fermat's conjecture: There is no non-trivial solution in integers to the
equation

The solution requires to augment the integers by *algebraic
numbers*, that are roots of polynomials in *number
field* consists of the rationals to which have been added finitely
many algebraic numbers together with their sums, differences, products
and quotients. It turns out that actually one generator suffices, and
any number field *algebraic integers*, “numbers without denominators”,
that are roots of a monic polynomial. For instance, *ring of integers* of

Unfortunately, elements in *ideals*, subsets of *principal*, that is,
generated by one element, so that ideals and numbers are essentially
the same. In particular, the unique factorisation of ideals then
implies the unique factorisation of numbers. In general, this is not
the case, and the *class group* *class number*

Using ideals introduces the additional difficulty of having to deal
with *fundamental units*. The *regulator*

One of the main concerns of algorithmic algebraic number theory is to
explicitly compute these invariants (

The *analytic class number formula* links the invariants
*generalised Riemann hypothesis
(GRH)*, which remains unproved even over the rationals, states that
any such

When

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation *elliptic curves* of equation
*hyperelliptic curves* of
equation

The cryptosystem is implemented in an associated finite
abelian group, the *Jacobian* *rational function field* with subring *function field* of *coordinate ring*

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an *genus*

The security of the cryptosystem requires more precisely that the
*discrete logarithm problem* (DLP) be difficult in the underlying
group; that is, given elements

For any integer *Weil pairing* *Tate-Lichtenbaum pairing*, that is more difficult to define,
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter

Complex multiplication provides a link between number fields and
algebraic curves; for a concise introduction in the elliptic curve case,
see Sect. 1.1, for more background material,
. In fact, for most curves *CM field*. The CM field
of an elliptic curve is an imaginary-quadratic field *Hilbert class field*

Algebraically, *Galois* if *Galois group* *abelian* extension is a Galois extension with abelian Galois
group.

Analytically, in the elliptic case *singular value* *modular* function

The same theory can be used to develop algorithms that, given an
arbitrary curve over a finite field, compute its

A generalisation is provided by *ray class fields*; these are
still abelian, but allow for some well-controlled ramification. The tools
for explicitly constructing such class fields are similar to those used
for Hilbert class fields.

Release of Pari 2.9 after two years of development. This stable release
includes three brand new modules (

Iuliana Ciocanea-Teodorescu has defended her PhD thesis on *Algorithms for finite rings* in June 2016 http://

Pinar Kiliçer has defended her PhD thesis on *The class number one problem for genus-2 curves* in July 2016.

Another Pairing Implementation in PARI

Scientific Description

Apip, Another Pairing Implementation in PARI, is a library for computing standard and optimised variants of most cryptographic pairings.

The following pairings are available: Weil, Tate, ate and twisted ate, optimised versions (à la Vercauteren–Hess) of ate and twisted ate for selected curve families.

The following methods to compute the Miller part are implemented: standard Miller double-and-add method, standard Miller using a non-adjacent form, Boxall et al. version, Boxall et al. version using a non-adjacent form.

The final exponentiation part can be computed using one of the following variants: naive exponentiation, interleaved method, Avanzi–Mihailescu's method, Kato et al.'s method, Scott et al.'s method.

Part of the library has been included in Pari/Gp proper.
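The Tate pairing mentioned in the background section and the two stages Apip exposes, a Miller loop followed by a final exponentiation, can be followed end to end on a toy curve. The example below is added for this page and is not Apip or Pari code; it assumes a constructed supersingular curve y^2 = x^3 + x over F_103 with a pairing subgroup of order 13 and embedding degree 2, and implements the standard Miller double-and-add method with the naive final exponentiation.

```python
"""Reduced Tate pairing by Miller's double-and-add loop on a toy supersingular curve.
Added example, not Apip or Pari code.  Constructed setting: E: y^2 = x^3 + x over F_p, p = 103
(p = 3 mod 4, so i^2 = -1 defines F_{p^2}); #E(F_p) = 104 = 8 * 13, r = 13, embedding degree 2."""
P_MOD, R_ORDER = 103, 13

class Fp2:
    """Elements a + b*i of F_{p^2} = F_p(i) with i^2 = -1."""
    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def inv(self):
        n = pow(self.a * self.a + self.b * self.b, P_MOD - 2, P_MOD)   # 1/norm, computed in F_p
        return Fp2(self.a * n, -self.b * n)
    def __pow__(self, e):
        acc, base = Fp2(1), self
        while e:
            if e & 1: acc = acc * base
            base, e = base * base, e >> 1
        return acc

# Affine points are (x, y) pairs of Fp2; None is O.  r is odd, so no 2-torsion point is ever doubled.
def slope(T, R):
    """Slope of the chord through T and R, or of the tangent at T when T == R (curve a = 1)."""
    if T == R:
        return (Fp2(3) * T[0] * T[0] + Fp2(1)) * (Fp2(2) * T[1]).inv()
    return (R[1] - T[1]) * (R[0] - T[0]).inv()

def add(T, R):
    if T is None: return R
    if R is None: return T
    if T[0] == R[0] and (T[1] != R[1] or T[1] == Fp2(0)):
        return None                                          # R = -T
    lam = slope(T, R)
    x3 = lam * lam - T[0] - R[0]
    return (x3, lam * (T[0] - x3) - T[1])

def mul(k, P):
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def line_eval(T, R, Q):
    """Value at Q of the line through T and R and of the vertical line through S = T + R,
    returned as (numerator, denominator, S)."""
    xq, yq = Q
    if T[0] == R[0] and T[1] != R[1]:                        # R = -T: vertical line, S = O
        return xq - T[0], Fp2(1), None
    lam, S = slope(T, R), add(T, R)
    return yq - T[1] - lam * (xq - T[0]), xq - S[0], S

def miller(P, Q, r):
    """Standard Miller double-and-add: f_{r,P}(Q) for the function with divisor r(P) - r(O).
    Numerator and denominator are accumulated separately so only one inversion is needed."""
    num, den, T = Fp2(1), Fp2(1), P
    for bit in bin(r)[3:]:                                   # bits of r below the leading 1
        n, d, T = line_eval(T, T, Q)
        num, den = num * num * n, den * den * d
        if bit == "1":
            n, d, T = line_eval(T, P, Q)
            num, den = num * n, den * d
    return num * den.inv()

def tate_pairing(P, Q):
    """Reduced Tate pairing with the naive final exponentiation by (p^2 - 1)/r: the result is
    an r-th root of unity, and any F_p-rational factor of f is killed since (p - 1) | exponent."""
    return miller(P, Q, R_ORDER) ** ((P_MOD * P_MOD - 1) // R_ORDER)

def distortion(Q):
    """(x, y) -> (-x, i*y) moves a point off E(F_p); e(P, distortion(P)) is then non-degenerate."""
    return (Fp2(0) - Q[0], Fp2(0, 1) * Q[1])

def point_of_order_r():
    """First F_p-point that, multiplied by the cofactor 8, lands in the subgroup of order 13."""
    for x in range(1, P_MOD):
        v = (x ** 3 + x) % P_MOD
        y = pow(v, (P_MOD + 1) // 4, P_MOD)                  # square root when v is a square
        if y * y % P_MOD == v:
            P = mul((P_MOD + 1) // R_ORDER, (Fp2(x), Fp2(y)))
            if P is not None:
                return P

def pairing_checks(a=3, b=5):
    """(non-degenerate, e^r == 1, e(aP, bQ) == e(P, Q)^(ab)) for P of order r and Q = distortion(P)."""
    P = point_of_order_r(); Q = distortion(P); e = tate_pairing(P, Q)
    return (e != Fp2(1), e ** R_ORDER == Fp2(1), tate_pairing(mul(a, P), mul(b, Q)) == e ** (a * b))
```

The three properties returned by pairing_checks are exactly what any of the optimised Miller or final-exponentiation variants listed above must preserve.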

Functional Description

APIP is a library for computing standard and optimised variants of most cryptographic pairings.

Participant: Jérôme Milan

Contact: Jérôme Milan

URL: http://

Functional Description

Arb is a C library for arbitrary-precision floating-point ball arithmetic. It supports real and complex numbers, polynomials, power series, matrices, and evaluation of many transcendental functions. All computations are carried out with automatic, rigorous error bounds. It has been accepted for inclusion in SageMath.

Participant: Fredrik Johansson

Contact: Fredrik Johansson

Abelian Varieties and Isogenies

Functional Description

AVIsogenies is a Magma package for working with abelian varieties, with a particular emphasis on explicit isogeny computation.

Its prominent feature is the computation of (l,l)-isogenies between Jacobian varieties of genus-two hyperelliptic curves over finite fields of characteristic coprime to l; practical runs have used values of l in the hundreds.

It can also be used to compute endomorphism rings of abelian surfaces, and find complete addition laws on them.

Participants: Gaëtan Bisson, Romain Cosset and Damien Robert

Contact: Damien Robert

Functional Description

The Cm software implements the construction of ring class fields of imaginary quadratic number fields and of elliptic curves with complex multiplication via floating point approximations. It consists of libraries that can be called from within a C program and of executable command line applications.

Participant: Andreas Enge

Contact: Andreas Enge

URL: http://

Computation of Igusa Class Polynomials

Keywords: Mathematics - Cryptography - Number theory

Functional Description

Cmh computes Igusa class polynomials, parameterising two-dimensional abelian varieties (or, equivalently, Jacobians of hyperelliptic curves of genus 2) with given complex multiplication.

Participants: Emmanuel Thomé, Andreas Enge and Regis Dupont

Contact: Emmanuel Thomé

Functional Description

Cubic is a stand-alone program that prints out generating equations for cubic fields of either signature and bounded discriminant. It depends on the Pari library. The algorithm has quasi-linear time complexity in the size of the output.

Participant: Karim Belabas

Contact: Karim Belabas

URL: http://

Functional Description

Euclid is a program to compute the Euclidean minimum of a number field. It is the practical implementation of the algorithm described in [38]. Some corresponding tables built with the algorithm are also available. Euclid is a stand-alone program depending on the PARI library.

Participants: Pierre Lezowski and Jean-Paul Cerri

Contact: Pierre Lezowski

URL: http://

Functional Description

FLINT is a C library for number theory and basic computer algebra, maintained by William Hart with code by William Hart, Sebastian Pancratz, Andy Novocin, Fredrik Johansson, Tom Bachmann, Mike Hansen, Martin Lee, David Harvey, and a large number of other authors.

FLINT is used as a back end library for polynomial arithmetic and number theory functionality in a large number of applications, including SageMath and Singular.

Participant: Fredrik Johansson

Contact: William Hart

URL: http://

Functional Description

Mpc is a C library for the arithmetic of complex numbers with arbitrarily high precision and correct rounding of the result. It is built upon and follows the same principles as Mpfr. The library is written by Andreas Enge, Philippe Théveny and Paul Zimmermann.

Participants: Andreas Enge, Paul Zimmermann, Philippe Theveny and Mickaël Gastineau

Contact: Andreas Enge

Functional Description

KleinianGroups is a Magma package that computes fundamental domains of arithmetic Kleinian groups.

Participant: Aurel Page

Contact: Aurel Page

URL: http://

Functional Description

mpmath is a Python library for real and complex floating-point arithmetic with arbitrary precision. It has been developed by Fredrik Johansson since 2007, with help from many contributors.

As a dependency of the SymPy computer algebra system as well as SageMath, mpmath is a core component of the Python scientific software ecosystem.

Participant: Fredrik Johansson

Contact: Fredrik Johansson

URL: http://

Functional Description

Mpfrcx is a library for the arithmetic of univariate polynomials over arbitrary precision real (Mpfr) or complex (Mpc) numbers, without control on the rounding. For the time being, only the few functions needed to implement the floating point approach to complex multiplication are implemented. On the other hand, these comprise asymptotically fast multiplication routines such as Toom-Cook and the FFT.

Participant: Andreas Enge

Contact: Andreas Enge

Functional Description

Nemo is a computer algebra package for the Julia programming language maintained by William Hart with code by William Hart, Tommy Hofmann, Claus Fieker, Fredrik Johansson and Oleksandr Motsak.

The features of Nemo include multiprecision integers and rationals,
integers modulo

Participant: Fredrik Johansson

Contact: William Hart

URL: http://

Functional Description

Pari/Gp is a widely used computer algebra system designed for fast computations in number theory (factorisation, algebraic number theory, elliptic curves, ...), but it also contains a large number of other useful functions to compute with mathematical entities such as matrices, polynomials, power series, algebraic numbers, etc., and many transcendental functions.

Participants: Karim Belabas, Bill Allombert, Henri Cohen and Andreas Enge

Contact: Karim Belabas

Abelian surfaces, or equivalently, Jacobian varieties of genus 2 hyperelliptic curves, offer the same security as elliptic curves in a cryptographic setting and often better efficiency, and could thus be an attractive alternative. The theory of complex multiplication can be used to obtain cryptographically secure curves. Relying on Shimura reciprocity for Siegel modular forms, we have developed the necessary mathematical theory in . It requires deeper algebraic reasoning than for elliptic curves: Ideals of the endomorphism rings of the abelian varieties are no longer two-dimensional modules over the integers, but two-dimensional projective modules over quadratic number rings. We succeed in proving results adapted from the elliptic curve case by suitably normalising quadratic forms over number rings and using strong approximation. The result is an elegant theory that leads to clearly formulated and practical algorithms, which we illustrate by examples.

Theta functions, and in particular the Dedekind eta function, are at the
heart of complex multiplication constructions of curves.
They can be written as sparse power series with coefficients

Hypergeometric functions are among the most important mathematical functions,
with a wide range of applications in everything from physics to number theory.
The practical computation of such functions is a challenging problem.
The preprint .
presents an efficient implementation of hypergeometric functions in
arbitrary-precision interval arithmetic.
The functions

Logarithmic class groups and units, introduced by Jaulent in 1994, are an
intriguing

The article by H. Cohen and F. Thorne
on Dirichlet series associated to quartic fields with given
cubic resolvent has been published.
This article gives an explicit formula for the
Dirichlet series

In her thesis, Iuliana Ciocanea-Teodorescu describes algorithms that answer questions arising in ring and module theory. The first main result of this thesis concerns the module isomorphism problem, how to compute a set of generators of minimal cardinality, and how to construct projective covers and injective hulls. The thesis also describes tests for module simplicity, projectivity, and injectivity, and constructive tests for the existence of surjective module homomorphisms between two finite modules, one of which is projective. As a negative result, the problem of testing for the existence of injective module homomorphisms between two finite modules, one of which is projective, is NP-complete. The last part of the thesis is concerned with finding a good working approximation of the Jacobson radical of a finite ring, that is, a two-sided nilpotent ideal such that the corresponding quotient ring is almost semisimple. The notion used to approximate semisimplicity is that of separability.

http://

The Simpatic project is an industrial research project, formed by academic research teams and industrial partners: Orange Labs, École Normale Supérieure, INVIA, Oberthur Technologies, ST-Ericsson France, Université de Bordeaux 1, Université de Caen Basse-Normandie, Université de Paris 8.

The aim of the Simpatic project is to provide the most efficient and secure hardware/software implementation of a bilinear pairing in a SIM card. This implementation will then be used to improve and develop new cryptographic algorithms and protocols in the context of mobile phones and SIM cards. The project will more precisely focus on e-ticketing and e-cash, on cloud storage and on the security of contactless and of remote payment systems.

D. Robert is a participant in Task 2, whose role is to give state of the art algorithms for pairing computations, adapted to the specific hardware requirements of the Simpatic Project.

G. Castagnos is a participant in Task 4, whose role is to design new cryptographic primitives adapted to the specific applications of the Simpatic Project.

The Simpatic project ended in August 2016. The project has shown that pairings can now be integrated efficiently into publicly deployed smart cards, with performance that outperforms the state of the art. Cryptographic tools designed by the project are moreover capable of combining complex functionalities and efficiency in many areas such as digital signatures, minimisation of personal data in contactless services, pay TV, or protecting data stored in an untrusted cloud.

https://

The Alambic project is a research project formed by members of the Inria Project-Team CASCADE of ENS Paris, members of the AriC Inria project-team of ENS Lyon, and members of the CRYPTIS of the university of Limoges. G. Castagnos is an external member of the team of Lyon for this project.

Non-malleability is a security notion for public key encryption schemes that ensures that it is infeasible for an adversary to modify ciphertexts into other ciphertexts of messages which are related to the decryption of the first ones. On the other hand, it has been realised that, in specific settings, malleability in cryptographic protocols can actually be a very useful feature. For example, the notion of homomorphic encryption allows specific types of computations to be carried out on ciphertexts and to generate an encrypted result which, when decrypted, matches the result of the operations performed on the plaintexts. The homomorphic property can be used to create secure voting systems, collision-resistant hash functions and private information retrieval schemes, and fully homomorphic encryption enables widespread use of cloud computing by ensuring the confidentiality of processed data.

The aim of the Alambic project is to investigate further theoretical and practical applications of malleability in cryptography. More precisely, this project focuses on three different aspects: secure computation outsourcing and server-aided cryptography, homomorphic encryption and applications, and “paradoxical” applications of malleability.

Title: Algorithmic Number Theory in Computer Science

Program: FP7

Duration: January 2012 - December 2016

Coordinator: Inria

Inria contact: Andreas Enge

'During the past twenty years, we have witnessed profound technological changes, summarised under the terms of digital revolution or entering the information age. It is evident that these technological changes will have a deep societal impact, and questions of privacy and security are primordial to ensure the survival of a free and open society. Cryptology is a main building block of any security solution, and at the heart of projects such as electronic identity and health cards, access control, digital content distribution or electronic voting, to mention only a few important applications. During the past decades, public-key cryptology has established itself as a research topic in computer science; tools of theoretical computer science are employed to “prove” the security of cryptographic primitives such as encryption or digital signatures and of more complex protocols. It is often forgotten, however, that all practically relevant public-key cryptosystems are rooted in pure mathematics, in particular, number theory and arithmetic geometry. In fact, the so-called security “proofs” are all conditional to the algorithmic intractability of certain number theoretic problems, such as factorisation of large integers or discrete logarithms in algebraic curves. Unfortunately, there is a large cultural gap between computer scientists using a black-box security reduction to a supposedly hard problem in algorithmic number theory and number theorists, who are often interested in solving small and easy instances of the same problem. The theoretical grounds on which current algorithmic number theory operates are actually rather shaky, and cryptologists are generally unaware of this fact. The central goal of ANTICS is to rebuild algorithmic number theory on the firm grounds of theoretical computer science.'

Title: OpenDreamKit

Program: H2020

Duration: January 2016 - December 2020

Inria contact: Karim Belabas

Description
http://

**MACISA**

Title: Mathematics Applied to Cryptology and Information Security in Africa

International Partner (Institution - Laboratory - Researcher):

Université des Sciences et Techniques de Masuku (Gabon) - Faculté des Sciences - Dpt de Mathématiques et Informatique - Tony Ezome

Duration: 2012 - 2016

The project aims at understanding the role played by algebraic maps in public key cryptography. Since this is a very broad topic, we will focus on objects of dimension zero (finite sets and rings) and one (algebraic curves, their differentials and Jacobians). The proposed project-team consists of African and French researchers working in mathematical and statistical aspects of public-key cryptology. The French researchers work in the Inria project-team LFANT in Bordeaux, and the IRMAR (Institut de Recherche en Mathématiques et Applications de Rennes) in Rennes. The African researchers already cooperate in the project PRMAIS (Pole of Research in Mathematics and their Applications in Information Security in Sub-Saharan Africa) supported by the Simons Foundation.

The project is managed by a team of five permanent researchers: G. Nkiet, J.-M. Couveignes, T. Ezome, D. Robert and A. Enge. Since Sep. 2014 the coordinator is T. Ezome and the vice-coordinator is D. Robert. The managing team organises the cooperation, schedules meetings, prepares reports, controls expenses, reports to the LIRIMA managing team and administrative staff.

A non-exhaustive list of activities organised or sponsored by Macisa includes

The Summer school (EMA) in Bamenda with the International Center for Pure and Applied Mathematics (ICPAM/CIMPA), June 2016;

The visit of Abdoulaye Maiga in Bordeaux to work with D. Robert on canonical lifts of genus 2 curves.

2016 was the last year of Macisa. A new project FAST “(Harder Better) FAster STronger cryptography” has been proposed as an associated team between LFANT and the PREMA (Pole of Research in Mathematics and Applications in Africa) Simons Foundation project.

The team regularly collaborates with Leiden University through the ALGANT programme for joint PhD supervision.

Eduardo Friedman (U. of Chile), a long-term collaborator of K. Belabas and H. Cohen, is a regular visitor in Bordeaux (about one month every year).

Researchers visiting the team to give a talk at the team seminar include Enea Milio (Inria Nancy Grand Est), Gregor Seiler (ETH Zurich), Aurélien Focqué (Industry) and Razvan Barbulescu (University Paris 6). Researchers visiting the team for collaboration include Bernadette Perrin-Riou (Paris-Sud).

F. Johansson visited the PolSys team at LIP6, Pierre et Marie Curie University, for one week.

F. Johansson made two one-week visits to the Computer Algebra group, TU Kaiserslautern.

A. Enge: 20th Workshop on Elliptic Curve Cryptography ECC 2016, İzmir

D. Robert was a member of the scientific committee for the Ecole Mathematique Africaine organised by Emmanuel Fouotsa at Bamenda.

F. Johansson organized the session: High-precision arithmetic, effective analysis and special functions. ICMS 2016, The 5th International Congress on Mathematical Software, ZIB Berlin.

K. Belabas acts on the editorial board of
*Journal de Théorie des Nombres de Bordeaux* since 2005
and of *Archiv der Mathematik* since 2006.

H. Cohen is an editorial board member of
*Journal de Théorie des Nombres de Bordeaux*;
he is an editor for the Springer book series
*Algorithms and Computations in Mathematics (ACM)*.

J.-M. Couveignes is a member of the editorial board
of the *Publications mathématiques de Besançon* since 2010.

A. Enge is an editor of *Designs, Codes and Cryptography*
since 2004.

F. Johansson reviewed for IEEE Transactions on Circuits and Systems I, IEEE Transactions on Computers, and ACM Transactions on Mathematical Software.

A. Enge: Mathematical Structures for Cryptography, Leiden: Short addition sequences for theta functions

F. Johansson: talk at RAIM 2016, Banyuls-sur-mer on "Fast reversion of formal power series" and at FastRelax meeting, LAAS-CNRS, Toulouse on "Hypergeometric functions in Arb".

J.-M. Couveignes is a member of the scientific council of the labex "Fondation Sciences Mathématiques de Paris", FSMP, Paris.

J.-M. Couveignes is a member of the 'conseil d'orientation' of the labex "Institut de Recherche en Mathématiques, Interactions et Applications", IRMIA, Strasbourg.

A. Enge: Head of COST-GTRI, responsible for the scientific evaluation of all international cooperations of Inria

Since January 2015, K. Belabas is vice-head of the Math Institute (IMB). He also leads the computer science support service (“cellule informatique”) of IMB and coordinates the participation of the institute in the regional computation cluster PlaFRIM.

He is an elected member of “commission de la recherche” in the academic senate of Bordeaux University.

He is a member of the “Conseil National des Universités” (25th section, pure mathematics).

J.-P. Cerri is an elected member of the scientific council of the Mathematics Institute of Bordeaux (IMB) and responsible for the bachelor programme in mathematics and informatics.

Since January 2015, J.-M. Couveignes is the head of the Math Institute (IMB).

Master: G. Castagnos, *Cryptanalyse*,
60h, M2, University of Bordeaux, France;

Master: G. Castagnos, *Cryptologie avancée*,
30h, M2, University of Bordeaux, France;

Master: G. Castagnos, *Courbes elliptiques*,
60h, M2, University of Bordeaux, France;

Master: D. Robert, *Courbes elliptiques*,
60h, M2, University of Bordeaux, France;

Pinar Kiliçer: The class number one problem for genus-2 curves, Universities of Bordeaux and Leiden, supervised by A. Enge, M. Streng and P. Stevenhagen.

Iuliana Ciocanea-Teodorescu, Algorithms for finite rings, Universities of Bordeaux and Leiden, supervised by K. Belabas and H. Lenstra.

PhD in progress: Abdoulaye Maiga,
*Computing canonical lift of genus 2 hyperelliptic curves*,
University Dakar,
supervised by Djiby Sow, Abdoul Aziz Ciss and D. Robert.

PhD in progress: Emmanouil Tzortzakis,
*Algorithms for $\mathbb{Q}$-curves*,
supervised by K. Belabas and P. Bruin.

PhD in progress: Pavel Solomatin,
*Topics on $L$-functions*,
supervised by B. de Smit and K. Belabas.

Liu Zhengying: Height of class polynomials. Ecole Polytechnique third year internship, supervised by D. Robert.

PhD report by A. Enge on Loubna Ghammam: Utilisation des couplages en cryptographie asymétrique pour la micro-électronique, University of Rennes

PhD report and jury by D. Robert on Alina Dudeanu: Computational Aspects of Jacobians of Hyperelliptic Curves, EPFL.

D. Robert is a member of the jury of the Agrégation de Mathématiques. He is also the co-director, with Alain Couvreur, of the option “calcul formel” of the Modélisation part of the oral examination.

D. Robert wrote with Sorina Ionica the chapter “Pairings” of the book Guide to Pairing-Based Cryptography, which will be published by Chapman and Hall/CRC. This book aims to help engineers understand and implement pairing-based cryptography. In the chapter “Pairings”, D. Robert gives a self-contained definition and proof of the Weil and Tate pairings, including how to handle divisors with non-disjoint support (this is often skipped in scientific papers but is important for practical implementations).

H. Cohen wrote a popular-science article on Fermat's last theorem. This article explains (through the example of congruent numbers) the role of elliptic curves and algebraic number theory in the solution of Fermat's last theorem.

During the last Pari atelier, four talks , , , were filmed and are available under a Creative Commons licence. This will allow people from all over the world to get started faster with Pari. The first two talks focus on setting up personal computers for the atelier and on the new features of Pari. The next two are more technical and explain the new L-function and modular form features.