The main focus of the PolSys project is to solve systems of polynomial equations.

Our main objectives are:

**Fundamental Algorithms and Structured Systems.** The
objective is to propose fast exponential exact algorithms for
solving polynomial equations
and to identify large classes of structured polynomial systems which can be solved in polynomial time.

**Solving Systems over the Reals and Applications.** For
positive dimensional systems basic questions over the reals may be
very difficult (for instance testing the existence of solutions) but
also very useful in applications (e.g. global optimization problems).
We plan to propose efficient algorithms and implementations to address
the most important issues: computing sample points in the real
solution sets, deciding whether two such sample points can be path-connected
and, as a long-term objective, performing quantifier elimination over the
reals (computing a quantifier-free formula which is equivalent to a
given quantified Boolean combination of polynomial
equations/inequalities).

**Dedicated Algebraic Computation and Linear Algebra.** While
linear algebra is a key step in the computation of Gröbner bases,
the matrices generated by the algorithms

**Solving Systems in Finite Fields, Applications in
Cryptology and Algebraic Number Theory.** We propose to develop a
systematic use of *structured systems* in Algebraic
Cryptanalysis. We want to improve the efficiency and to predict the
theoretical complexity of such attacks. We plan to demonstrate the
power of algebraic techniques in new areas of cryptography such as
Algebraic Number Theory (typically, in curve based cryptography).

Polynomial system solving is a fundamental problem in Computer Algebra with many applications in cryptography, robotics, biology, error correcting codes, signal theory, .... Among all available methods for solving polynomial systems, computation of Gröbner bases remains one of the most powerful and versatile methods since it can be applied in the continuous case (rational coefficients) as well as in the discrete case (finite fields). Gröbner bases are also building blocks for higher-level algorithms that compute real sample points in the solution set of polynomial systems, decide connectivity queries and perform quantifier elimination over the reals. The major challenge facing the designer or the user of such algorithms is the intrinsically exponential complexity of computing Gröbner bases. The current proposal is an attempt to tackle these issues in a number of different ways: improve the efficiency of the fundamental algorithms (even when the complexity is exponential), develop high-performance implementations exploiting parallel computers, and investigate new classes of structured algebraic problems where the complexity drops to polynomial time.

Efficient algorithms: *A new efficient algorithm for computing Gröbner bases without reduction to zero (F5).* In Proceedings of ISSAC '02, pages 75-83, New York, NY, USA, 2002. ACM.

*(i)* developing dedicated
linear algebra routines performing the Gaussian elimination steps:
this is precisely the objective 2 described below;

*(ii)*
generating smaller or simpler matrices to which we will apply Gaussian
elimination.

We describe here our goals for the latter
problem. First, we focus on algorithms for computing a Gröbner basis
of *general polynomial systems*. Next, we present our goals on
the development of dedicated algorithms for computing Gröbner bases
of *structured polynomial systems* which arise in various
applications.

**Algorithms for general systems.** Several
degrees of freedom are available to the designer of a Gröbner basis
algorithm to generate the matrices occurring during the
computation. For instance, it would be desirable to obtain matrices
which would be almost triangular or very sparse. Such a goal can be
achieved by considering various interpretations of the

**Algorithms dedicated to structured polynomial systems.** A complementary approach is to exploit the
structure of the input polynomials to design specific algorithms. Very
often, problems coming from applications are not random but are
highly structured. The specific nature of these systems may vary a
lot: some polynomial systems can be sparse (when the number of terms
in each equation is low), overdetermined (the number of equations
is larger than the number of variables), invariant under the action of
some finite group, multilinear (each equation is linear with respect to
one block of variables) or more generally multihomogeneous. In each
case, the ultimate goal is to identify large classes of problems whose theoretical/practical complexity drops and to propose in each case
dedicated algorithms.

We shall develop algorithms for solving polynomial systems over complex/real numbers. Again, the goal is to extend significantly the range of reachable applications using algebraic techniques based on Gröbner bases and dedicated linear algebra routines. Targeted application domains are global optimization problems, stability of dynamical systems (e.g. arising in biology or in control theory) and theorem proving in computational geometry.

The following functionalities are requested by end-users:

*(i)* deciding the emptiness of the real solution set of systems
of polynomial equations and inequalities,

*(ii)* quantifier
elimination over the reals or complex numbers,

*(iii)* answering
connectivity queries for such real solution sets.

We will focus on these functionalities.

We will develop algorithms based on the so-called critical point
method to tackle systems of equations and inequalities
(problem *(i)*). These techniques are based on solving
0-dimensional polynomial systems encoding "critical points" which are
defined by the vanishing of minors of Jacobian matrices (with
polynomial entries). Since these systems are highly structured, the
expected results of Objective 1 and 2 may allow us to obtain dramatic
improvements in the computation of Gröbner bases of such polynomial
systems. This will be the foundation of practically fast
implementations (based on singly exponential algorithms) outperforming
the current ones based on the historical Cylindrical Algebraic
Decomposition (CAD) algorithm (whose complexity is doubly exponential
in the number of variables). We will also develop algorithms and
implementations that allow us to analyze, at least locally, the
topology of solution sets in some specific situations. A
long-term goal is obviously to obtain an analysis of the global
topology.

Here, the primary objective is to focus on *dedicated* algorithms
and software for the linear algebra steps in Gröbner bases
computations and for problems arising in Number Theory. As explained
above, linear algebra is a key step in the process of computing
efficiently Gröbner bases. It is then natural to develop specific
linear algebra algorithms and implementations to further strengthen
the existing software. Conversely, Gröbner bases computation is
often a key ingredient in higher level algorithms from Algebraic
Number Theory. In these cases, the algebraic problems are very
particular and specific. Hence dedicated Gröbner bases algorithms
and implementations would be more efficient.

**Dedicated linear algebra tools.** FGb is
an efficient library for Gröbner bases computations which can be used,
for instance, via Maple. However, the library is sequential. A
goal of the project is to extend its efficiency to current parallel
architectures such as clusters of multi-processor systems in order to
tackle a broader class of problems for several applications.
Consequently, our first aim is to provide a durable, long term
software solution, which will be the successor of the existing FGb library. To achieve this goal, we will first develop a high
performance linear algebra package (under the LGPL license). This
could be organized in the form of a collaborative project between the
members of the team. The objective is not to develop a general
library similar to the Linbox project but to propose a dedicated
linear algebra package taking into account the specific properties of
the matrices generated by the Gröbner bases algorithms. Indeed these
matrices are sparse (the actual sparsity depends strongly on the
application), almost block triangular and not necessarily of full
rank. Moreover, most of the pivots are known at the beginning of the
computation. In practice, such matrices are huge (more than

Fast linear algebra packages would also benefit the transformation of a Gröbner basis of a zero-dimensional ideal with respect to a given monomial ordering into a Gröbner basis with respect to another ordering. In the generic case at least, the change of ordering is equivalent to the computation of the minimal polynomial of a so-called multiplication matrix. By taking into account the sparsity of this matrix, the computation of the Gröbner basis can be done more efficiently using a variant of the Wiedemann algorithm. Hence, our goal is also to obtain a dedicated high performance library for transforming (i.e. changing the ordering of) Gröbner bases.

**Dedicated algebraic tools for Algebraic Number
Theory.** Recent results in Algebraic Number Theory tend to show that
the computation of Gröbner bases is a key step toward the resolution
of difficult problems in this domain (see *Index calculus for abelian
varieties of small dimension and the elliptic curve discrete logarithm
problem*, Journal of Symbolic Computation 44(12), 2009,
pp. 1690-1702).

Here, we focus on solving polynomial systems over finite fields
(i.e. the discrete case) and the corresponding applications
(Cryptology, Error Correcting Codes, ...). Obviously this
objective can be seen as an application of the results of the two
previous objectives. However, we would like to emphasize that it is
also the source of new theoretical problems and practical challenges.
We propose to develop a systematic use of *structured systems* in
*algebraic cryptanalysis*.

*(i)* So far, breaking a cryptosystem using algebraic
techniques could be summarized as modeling the problem by algebraic
equations and then computing a (usually time-consuming) Gröbner
basis. A new trend in this field is to require a theoretical
complexity analysis. This is needed to explain the behavior of the
attack but also to help the designers of new cryptosystems to propose
secure parameters.

*(ii)* To assess the security of
several cryptosystems in symmetric cryptography (block ciphers, hash
functions, ...), a major difficulty is the size of the systems
involved for this type of attack. More specifically, the bottleneck
is the size of the linear algebra problems generated during a Gröbner basis
computation.


The first objective is to build on the recent breakthrough in
attacking McEliece's cryptosystem: it is the first structural
weakness observed on one of the oldest public key cryptosystems. We
plan to develop a well founded framework for assessing the security of
public key cryptosystems based on coding theory from the algebraic
cryptanalysis point of view. The answer to this issue is strongly
related to the complexity of solving bihomogeneous systems (of
bidegree

Dedicated tools for linear algebra problems generated during the Gröbner basis computation will be used in algebraic cryptanalysis. The promise of considerable algebraic computing power beyond the capability of any standard computer algebra system will enable us to attack various cryptosystems or at least to propose accurate secure parameters for several important cryptosystems. Dedicated linear tools are thus needed to tackle these problems. From a theoretical perspective, we plan to further improve the theoretical complexity of the hybrid method and to investigate the problem of solving polynomial systems with noise, i.e. some equations of the system are incorrect. The hybrid method is a specific method for solving polynomial systems over finite fields. The idea is to mix exhaustive search and Gröbner basis computation to take advantage of the over-determinacy of the resulting systems.
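The hybrid method described above, together with the Macaulay-matrix view of the linear algebra inside Gröbner basis algorithms discussed earlier, as an added example that is not code from the PolSys team, FGb or any paper cited on this page: a small quadratic system over GF(2) with a planted root (constructed data: 8 variables, 20 equations, fixed seed) is solved by guessing k variables exhaustively and then solving the residual system in the remaining variables. The Gröbner basis step is replaced here, as a simplification, by plain degree-2 linearisation (Gaussian elimination on the Macaulay matrix), which only works because fixing k variables makes the residual system overdetermined; with k = 0 the same routine fails, which is the point of the trade-off.

```python
"""Hybrid solving of a quadratic system over GF(2): exhaustive search on k
variables, then linearisation (a degree-2 Macaulay matrix) on the rest."""
import itertools
import random

# A polynomial over GF(2) is a set of monomials (each with coefficient 1); a
# monomial is a frozenset of variable indices: size 0 = constant term,
# 1 = linear, 2 = quadratic. Over GF(2) x_i^2 = x_i, so {i, i} collapses to {i}.

def evaluate(poly, point):
    """Evaluate `poly` at the 0/1 vector `point`; returns 0 or 1."""
    val = 0
    for mono in poly:
        val ^= int(all(point[i] for i in mono))   # empty product is 1
    return val

def random_system(n_vars, n_eqs, solution, rng):
    """Constructed sample input: random quadratic polynomials, each given a
    constant term so that the planted bit vector `solution` is a root."""
    system = []
    for _ in range(n_eqs):
        poly = set()
        for i in range(n_vars):
            for j in range(i, n_vars):
                if rng.random() < 0.5:
                    poly ^= {frozenset((i, j))}
        if evaluate(poly, solution):
            poly ^= {frozenset()}
        system.append(poly)
    return system

def sample_instance(seed=2016):
    """8 variables, 20 equations, one planted root (constructed data)."""
    planted = (1, 0, 1, 1, 0, 0, 1, 0)
    return random_system(8, 20, planted, random.Random(seed)), planted

def substitute(poly, fixed):
    """Plug in the fixed variables {index: bit}; returns a new polynomial."""
    out = set()
    for mono in poly:
        if any(fixed.get(i) == 0 for i in mono):
            continue                         # a factor is 0: monomial vanishes
        out ^= {frozenset(i for i in mono if i not in fixed)}
    return out

def num_monomials(n):
    """Non-constant monomials of degree <= 2 in n variables over GF(2):
    linearisation needs at least this many independent equations."""
    return n + n * (n - 1) // 2

def linearize(system):
    """Rows of the degree-2 Macaulay matrix as bit masks: bit c is the
    coefficient of monomial column c; the bit above the columns is the
    right-hand side (the constant term moved to the other side)."""
    monos = sorted({m for p in system for m in p if m},
                   key=lambda m: (len(m), sorted(m)))
    col = {m: c for c, m in enumerate(monos)}
    rows = [sum(1 << (col[m] if m else len(monos)) for m in p) for p in system]
    return rows, monos

def gf2_solutions(rows, ncols, max_free=8):
    """All solutions of a GF(2) linear system given as bit-mask rows, or None
    if it is inconsistent or has more than 2**max_free solutions."""
    rhs = 1 << ncols
    pivots = {}                              # pivot column -> reduced row
    for row in rows:
        for c, prow in pivots.items():       # reduce against known pivots
            if row >> c & 1:
                row ^= prow
        if row == rhs:
            return None                      # 0 = 1: this guess is wrong
        if row == 0:
            continue
        low = row & (rhs - 1)
        c = (low & -low).bit_length() - 1    # lowest remaining unknown
        for d in pivots:                     # keep every pivot row reduced
            if pivots[d] >> c & 1:
                pivots[d] ^= row
        pivots[c] = row
    free = [c for c in range(ncols) if c not in pivots]
    if len(free) > max_free:
        return None
    sols = []
    for bits in itertools.product((0, 1), repeat=len(free)):
        x = sum(b << c for c, b in zip(free, bits))
        for c, prow in pivots.items():
            parity = bin(prow & x).count("1") & 1
            x |= ((prow >> ncols) ^ parity) << c
        sols.append(tuple(x >> c & 1 for c in range(ncols)))
    return sols

def hybrid_solve(system, n_vars, k):
    """Guess the last k variables exhaustively (2**k guesses); for each guess
    linearise the residual system in the n_vars - k remaining variables and
    check every candidate against the original system. k = 0 is plain
    linearisation. Returns the first root found, or None."""
    guessed = range(n_vars - k, n_vars)
    for guess in itertools.product((0, 1), repeat=k):
        fixed = dict(zip(guessed, guess))
        rows, monos = linearize([substitute(p, fixed) for p in system])
        lin_col = {next(iter(m)): c for c, m in enumerate(monos) if len(m) == 1}
        missing = [i for i in range(n_vars) if i not in fixed and i not in lin_col]
        for lin in gf2_solutions(rows, len(monos)) or []:
            for extra in itertools.product((0, 1), repeat=len(missing)):
                point = [0] * n_vars
                for i, b in list(fixed.items()) + list(zip(missing, extra)):
                    point[i] = b
                for i, c in lin_col.items():
                    point[i] = lin[c]
                if all(evaluate(p, point) == 0 for p in system):
                    return tuple(point)
    return None

if __name__ == "__main__":
    system, planted = sample_instance()
    print("monomials for n=8:", num_monomials(8), "vs equations:", len(system))
    print("plain linearisation:", hybrid_solve(system, 8, 0))
    print("after fixing 3 variables:", num_monomials(5), "monomials")
    print("hybrid, k=3:", hybrid_solve(system, 8, 3), "planted:", planted)
```

With 8 variables there are 36 non-constant monomials but only 20 equations, so the Macaulay matrix has at least 16 free columns and linearisation alone cannot finish; fixing 3 variables leaves 15 monomials for the same 20 equations, and each of the 8 guesses is then a small Gaussian elimination. Real attacks replace the linearisation step by an F4/F5 computation whose cost is much more sensitive to the number of remaining variables, which is exactly what makes the 2^k guesses worth paying for.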

Polynomial systems with noise are currently emerging as a problem of major interest in cryptography. This problem is key to further developing new applications of algebraic techniques, typically in side-channel and statistical attacks. We also emphasize that a connection has recently been established between several classical lattice problems (such as the Shortest Vector Problem), polynomial system solving and polynomial systems with noise. The main issue is that there is no sound algorithmic and theoretical framework for solving polynomial systems with noise. The development of such a framework is a long-term objective.

The goal of the RISQ project is to prepare the security industry for the upcoming shift from classical cryptography to quantum-safe cryptography. The RISQ project is a massive effort at the French level to embrace the quantum-safe revolution. The project gathers 15 partners: ANSSI, C&S, CEA, Crypto Experts, EADS, ENS Lyon, ENS Paris, Gemalto, Orange, PCQC, PolSys (Inria de Paris), Université de Rennes, Secure IC, Thales CS, and Université de Versailles.

The RISQ project is certainly the biggest (in terms of number of partners, as well as funding) industrial project ever organized in quantum-safe cryptography. RISQ is one of the few projects accepted in the “Grands Défis du Numérique” program, which is managed by BPI France, and will be funded through the PIA.

PolSys actively participated in gathering the partners of RISQ and in defining the proposal. PolSys will lead the academic effort in RISQ.

Jointly with LAAS (D. Henrion, S. Naldi), we have released
a new Maple library SPECTRA for finding a real point

Our open source C library SLV has been officially released
this year with a presentation at ISSAC. It aims at
isolating and approximating the real roots of univariate polynomials
with integer coefficients
(see http://

Matías Bender received the Distinguished Student Author Award of
ISSAC2016 for his paper
written with J.-Ch. Faugère, L. Perret and
E. Tsigaridas.

Functional Description

Epsilon is a library of functions implemented in Maple and Java for polynomial elimination and decomposition with (geometric) applications.

Contact: Dongming Wang

Functional Description

FGb is a powerful software package for computing Gröbner bases. It includes the new generation of algorithms for computing Gröbner bases of polynomial systems (mainly the F4, F5 and FGLM algorithms). It is implemented in C/C++ (approximately 250000 lines); standalone servers are available on demand. Since 2006, FGb is dynamically linked with the Maple software (version 11 and higher) and is part of the official distribution of this software.

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Functional Description

Gröbner basis computation modulo p (p is a prime integer of 16 bits).

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Functional Description

GBLA is an open source C library for linear algebra specialized for eliminating matrices generated during Gröbner basis computations in algorithms like F4 or F5.

Contact: Jean-Charles Faugère

Functional Description

Public-key cryptography system enabling the authentication of dematerialized data.

Authors: Jean-Charles Faugère and Ludovic Perret

Partner: UPMC

Contact: Jean-Charles Faugère

Real Algebraic Geometry library

Functional Description

RAGLib is a powerful library, written in Maple, dedicated to solving polynomial systems over the reals. It is based on the FGb library for computing Gröbner bases. It provides functionalities for deciding the emptiness of, and/or computing sample points in, the real solution sets of polynomial systems of equations and inequalities. This library provides implementations of the state-of-the-art algorithms with the currently best known asymptotic complexity for those problems.

Contact: Mohab Safey El Din

Functional Description

SLV is a software package in C that provides routines for isolating (and subsequently refining) the real roots of univariate polynomials with integer or rational coefficients, based on subdivision algorithms and on the continued fraction expansion of real numbers. Special attention is given so that the package can handle polynomials of degree in the several thousands with coefficients of hundreds of megabytes.
Currently the code consists of

Contact: Elias Tsigaridas

Semidefinite Programming solved Exactly with Computational Tools of Real Algebra

Functional Description

SPECTRA is a Maple library devoted to solving Semi-Definite Programs exactly. It can handle rank constraints on the solution. It is based on the FGb library for computing Gröbner bases and provides either certified numerical approximations of the solutions or exact representations of them.

Contact: Mohab Safey El Din

The so-called Berlekamp – Massey – Sakata algorithm
computes a Gröbner
basis of a 0-dimensional ideal of relations satisfied by an input
table. It extends the Berlekamp – Massey algorithm
to

As each query to the table can be expensive,
we design a second algorithm
requiring fewer queries, in general.
This FGLM-like algorithm allows us to compute the relations of the
table by extracting a full rank submatrix of a *multi-Hankel*
matrix (a multivariate generalization of Hankel matrices).

Under some
additional assumptions, we design a third, adaptive algorithm and
further reduce the number of table queries.
Then, we relate the number of queries of
this third algorithm to the
*geometry* of the final staircase and we show that it is
essentially linear in the size of the output when the staircase is convex.
As a direct application to this, we decode

We show that the multi-Hankel matrices are heavily structured when using the LEX ordering and that we can speed up the computations using fast algorithms for quasi-Hankel matrices. Finally, we design algorithms for computing the generating series of a linear recursive table.
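The one-dimensional case of the relations discussed above, as an added example that is not the team's code: the Berlekamp-Massey algorithm over a prime field GF(p) recovers the shortest linear recurrence of a sequence from 2L terms, and the reversed connection polynomial lies in the kernel of the sequence's Hankel matrix, which is the one-variable version of the full-rank multi-Hankel submatrix the FGLM-like algorithm above extracts. The sample data (Fibonacci modulo 7 and a 4-bit LFSR with feedback x^4 + x^3 + 1) is constructed for the example; the `extend` routine is the cryptanalytic payoff, since once an LFSR's feedback is recovered the keystream can be continued.

```python
"""Berlekamp-Massey over a prime field GF(p): the shortest linear recurrence
satisfied by a sequence, i.e. the one-dimensional case of the table
relations that the BMS and FGLM-like algorithms above compute."""

def berlekamp_massey(seq, p):
    """Return (C, L) with C = [1, c1, ..., cL] such that for every n >= L:
    seq[n] + c1*seq[n-1] + ... + cL*seq[n-L] == 0 (mod p), with L minimal.
    2L terms are enough to pin the recurrence down (Massey's formulation)."""
    C, B = [1], [1]            # current and previous connection polynomial
    L, m, b = 0, 1, 1          # length, shift since last change, last discrepancy
    for n, s_n in enumerate(seq):
        d = s_n                # discrepancy between prediction and seq[n]
        for i in range(1, L + 1):
            d = (d + C[i] * seq[n - i]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, p - 2, p) % p     # d / b via Fermat (p prime)
        T = C[:]
        C = C + [0] * max(0, len(B) + m - len(C))
        for i, b_i in enumerate(B):        # C(x) -= (d/b) * x^m * B(x)
            C[i + m] = (C[i + m] - coef * b_i) % p
        if 2 * L <= n:                      # the length must grow
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return (C + [0] * (L + 1))[:L + 1], L

def extend(seq, C, p, count):
    """Continue `seq` by `count` terms with the recurrence C (L = len(C)-1):
    what an attacker does once an LFSR's feedback has been recovered."""
    out, L = list(seq), len(C) - 1
    for _ in range(count):
        out.append(-sum(C[i] * out[-i] for i in range(1, L + 1)) % p)
    return out

def hankel(seq, rows, cols):
    """rows x cols Hankel matrix H[i][j] = seq[i + j]."""
    return [[seq[i + j] for j in range(cols)] for i in range(rows)]

def in_kernel(H, vec, p):
    """True if H * vec == 0 mod p. The reversed connection polynomial
    [cL, ..., c1, 1] is in the kernel of the (L+1)-column Hankel matrix."""
    return all(sum(h * v for h, v in zip(row, vec)) % p == 0 for row in H)

# Constructed sample data: Fibonacci modulo 7 and a binary LFSR with
# feedback polynomial x^4 + x^3 + 1 (s_n = s_{n-3} + s_{n-4}).
FIB_MOD7 = extend([0, 1], [1, 6, 6], 7, 14)          # 16 terms
LFSR = extend([1, 0, 0, 0], [1, 0, 0, 1, 1], 2, 11)  # one full period, 15 terms

if __name__ == "__main__":
    print(FIB_MOD7, berlekamp_massey(FIB_MOD7, 7))
    print(LFSR, berlekamp_massey(LFSR[:8], 2))        # 2L = 8 terms suffice
```

Each term of the sequence costs one "query" in the vocabulary of the section above, and the algorithm stops changing its answer after 2L of them; the multi-dimensional algorithms of the section aim at the same economy of queries for tables indexed by several variables.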

Given several

A P-recursive sequence

Finally, we show how to incorporate Gröbner bases computations in an
Ore algebra

For any polynomial ideal

Solving polynomial systems arising from applications is frequently
made easier by the structure of the systems. Weighted homogeneity
(or quasi-homogeneity) is one example of such a structure: given a
system of weights

Gröbner bases for weighted homogeneous systems can be computed by
adapting existing algorithms for homogeneous systems to the weighted
homogeneous case. In , we show that in
this case, the complexity estimate for Algorithm F5

Furthermore, the maximum degree reached in a run of Algorithm F5 is
bounded by the weighted Macaulay bound

We provide some experimental results based on systems arising from a cryptography problem and from polynomial inversion problems. They show that taking advantage of the weighted homogeneous structure yields substantial speed-ups, and allows us to solve systems which were otherwise out of reach.

Symmetric Tensor Decomposition is a major problem that arises in areas such as signal processing, statistics, data analysis and computational neuroscience. It is equivalent to a homogeneous polynomial in

Let

Let

A roadmap for a semi-algebraic set

Control theory has recently been involved in the field of nuclear magnetic resonance imagery. The goal is to control the magnetic field optimally in order to improve the contrast between two biological matters on the pictures. Geometric optimal control leads us here to analyze meromorphic vector fields depending upon physical parameters, and having their singularities defined by a determinantal variety. The involved matrix has polynomial entries with respect to both the state variables and the parameters. Taking into account the physical constraints of the problem, one needs to classify, with respect to the parameters, the number of real singularities lying in some prescribed semi-algebraic set. In , we develop a dedicated algorithm for real root classification of the singularities of the rank defects of a polynomial matrix, cut with a given semi-algebraic set. The algorithm works under some genericity assumptions which are easy to check. These assumptions are not so restrictive and are satisfied in the aforementioned application. As more general strategies for real root classification do, our algorithm needs to compute the critical loci of some maps, intersections with the boundary of the semi-algebraic domain, etc. In order to compute these objects, the determinantal structure is exploited through a stratification by the rank of the polynomial matrix. This speeds up the computations by a factor 100. Furthermore, our implementation is able to solve the application in medical imagery, which was out of reach of more general algorithms for real root classification. For instance, computational results show that the contrast problem where one of the matters is water is partitioned into three distinct classes.

The optimal control of an ensemble of Bloch equations describing the evolution of an ensemble of spins is the mathematical model used in Nuclear Magnetic Resonance Imaging, and the associated costs lead one to consider Mayer optimal control problems. The Maximum Principle allows one to parameterize the optimal control, and the dynamics is analyzed in the framework of geometric optimal control. This leads to numerical implementations or suboptimal controls using the averaging principle, as presented in .

Let

A very popular trend in code-based cryptography is to decrease the
public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD),
or quasi-monoidic (QM) matrices. We show in that the very same reason which allows one to construct a compact
public key makes the key-recovery problem intrinsically much easier.
The gain on the public-key size induces an important security drop, which is as large as the compression factor *folded code*. Any key-recovery attack
can be deployed equivalently on this smaller generator matrix.
To mount the key-recovery in practice, we also improve the algebraic
technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations that bring codes defined over any prime field within the scope of our attack. We describe
a so-called “structural elimination”, a new algebraic manipulation which simplifies the key-recovery system.
As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature.
All the parameters of CFS signatures based on QD/QM codes that have been proposed can be broken by this approach.
In most cases, our attack takes a few seconds (the hardest case requires less than 2 hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for QD and QM encryption schemes. We mention that some parameters that have been proposed in the literature remain out of reach of the methods given here. This is a structural weakness arising from Goppa codes with QM or QD symmetries: the security of such schemes does not rely on the larger compact public matrix but on the small folded code, which can be efficiently broken in practice with an algebraic attack for a large set of parameters.

The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A well-known trend to overcome this issue is to focus on subclasses of alternant/Goppa codes
with a non-trivial automorphism group. Such codes then display *symmetries* allowing
compact parity-check or generator matrices. For instance, a key reduction is obtained by taking
*quasi-cyclic* (QC) or *quasi-dyadic* (QD) alternant/Goppa codes.
We show in that the use of such *symmetric* alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public code to the key-recovery on a (much) smaller code that has no symmetry anymore. This result is obtained thanks to an operation on codes called *folding* that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property:
folding the dual of an alternant (*resp*. Goppa) code provides the dual of an alternant (*resp*. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant
under the action of affine transformations (building upon prior works of T. Berger and A. Dür). This enables not only a unified view but also a generalization of the construction of QC, QD and even *quasi-monoidic* (QM) Goppa codes.
Lastly, our results can be harnessed to boost any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

D. Boneh, G. Durfee, and N. Howgrave-Graham showed at Crypto 99 that moduli of
the form

Nowadays, many strategies to solve polynomial systems use the computation of a
Gröbner basis for the graded reverse lexicographical ordering, followed by a
change of ordering algorithm to obtain a Gröbner basis for the lexicographical
ordering. The change of ordering algorithm is crucial for these strategies. In
, we study the

Whether it is for constant obfuscation, opaque predicates or equation obfuscation,
Mixed Boolean-Arithmetic (MBA) expressions are a powerful tool providing
concrete ways to achieve obfuscation. Recent results introduced ways to mix such
a tool with permutation polynomials modulo

A common countermeasure against side-channel attacks consists in using the masking scheme originally introduced by Ishai, Sahai and Wagner (ISW) at Crypto 2003, and further generalized by Rivain and Prouff at CHES 2010. The countermeasure is provably secure in the probing model, and it was shown by Duc, Dziembowski and Faust at Eurocrypt 2014 that the proof can be extended to the more realistic noisy leakage model. However, the extension only applies if the leakage noise increases at least linearly with the masking order n, which is not necessarily possible in practice. In , we investigate the security of an implementation when the previous condition is not satisfied, for example when the masking order n increases for a constant noise. We exhibit two (template) horizontal side-channel attacks against Rivain-Prouff's secure multiplication scheme and we analyze their efficiency thanks to several simulations and experiments. Eventually, we describe a variant of Rivain-Prouff's multiplication that is still provably secure in the original ISW model, and also heuristically secure against our new attacks.
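The Rivain-Prouff secure multiplication attacked above, as an added example that is neither the paper's nor the team's code: a reference implementation over GF(2^8) for an arbitrary number of shares n, with a functional check that the output shares recombine to the product of the unmasked operands. The AES field polynomial and the `random` module as byte source are choices made for the example, not requirements of the scheme. The horizontal attacks themselves are not implemented; the comment in `secure_mul` marks the quantity they exploit, namely that each input share enters n partial products, so the number of leaking samples per share grows with n while the noise per sample does not.

```python
"""Rivain-Prouff (ISW-style) secure multiplication in GF(2^8) with n shares,
the scheme targeted by the horizontal attacks discussed above."""
import random

def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
    return r

def xor_all(values):
    r = 0
    for v in values:
        r ^= v
    return r

def share(x, n, rng):
    """Split x into n additive shares: n-1 uniformly random bytes, the last
    one chosen so that the XOR of all shares equals x."""
    shares = [rng.randrange(256) for _ in range(n - 1)]
    shares.append(x ^ xor_all(shares))
    return shares

def secure_mul(a, b, rng):
    """Shares of unmask(a) * unmask(b) computed from the share vectors a, b.
    Uses n(n-1)/2 fresh random bytes. Every input share a_i enters the n
    partial products a_i * b_j (j = 0..n-1): this linear-in-n number of
    leaking operations per share is what a horizontal attack averages over."""
    n = len(a)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng.randrange(256)          # fresh mask for the pair (i, j)
            # The bracketing matters for probing security:
            # r_ji = (r_ij ^ a_i*b_j) ^ a_j*b_i, never a_i*b_j ^ a_j*b_i first.
            r[j][i] = (r[i][j] ^ gf256_mul(a[i], b[j])) ^ gf256_mul(a[j], b[i])
    c = []
    for i in range(n):
        c_i = gf256_mul(a[i], b[i])
        for j in range(n):
            if j != i:
                c_i ^= r[i][j]
        c.append(c_i)
    return c

def check(n, trials=200, seed=1):
    """Functional check: the recombined output equals the unmasked product
    for `trials` random operand pairs at masking order n (seeded rng)."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.randrange(256), rng.randrange(256)
        a, b = share(x, n, rng), share(y, n, rng)
        if xor_all(secure_mul(a, b, rng)) != gf256_mul(x, y):
            return False
    return True

if __name__ == "__main__":
    for n in (2, 3, 5, 8):
        print(n, "shares:", check(n))
```

Correctness follows from summing the output shares: the pairwise masks cancel (r_ij + r_ji = a_i b_j + a_j b_i), leaving the product of the sums of the input shares. The randomness used per multiplication is quadratic in n, while the attack surface grows linearly in n for each share; the page's point is that the latter is what breaks the noisy-leakage argument when the noise cannot be increased with n.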

To reduce the memory and timing complexity of Side-Channel Attacks (SCA), dimensionality reduction techniques are usually applied to the measurements. They aim to detect the so-called Points of Interest (PoIs), which are time samples which (jointly) depend on some sensitive information (e.g. secret key sub-parts), and exploit them to extract information. The extraction is done through the use of functions which combine the measurement time samples. Examples of combining functions are the linear combinations provided by Principal Component Analysis or Linear Discriminant Analysis. When a masking countermeasure is properly implemented to thwart SCAs, the selection of PoIs is known to be a hard task: almost all existing methods suffer a combinatorial complexity explosion, since they require an exhaustive search among all possible d-tuples of points. In this paper we propose an efficient method for informative feature extraction in the presence of a masking countermeasure. This method, called Kernel Discriminant Analysis, consists in completing the Linear Discriminant Analysis with a so-called kernel trick, in order to perform it efficiently over the set of all possible d-tuples of points without growing in complexity with d. We identify and analyse the issues related to the application of such a method. Afterwards, its performance is compared to that of the Projection Pursuit (PP) tool for PoI selection up to a 4th-order context. Experiments show that the Kernel Discriminant Analysis remains effective and efficient for high-order attacks, making it a valuable alternative to PP in constrained contexts where an increase of the order d does not imply a growth of the profiling datasets.

Side Channel Analysis (SCA) is a class of attacks that exploits leakage of information from a cryptographic implementation during execution. To thwart it, masking is a common countermeasure. The principle is to randomly split every sensitive intermediate variable occurring in the computation into several shares; the number of shares, called the masking order, plays the role of a security parameter. The main issue while applying masking to protect a block cipher implementation is to specify an efficient scheme to secure the S-box computations. Several masking schemes, applicable for arbitrary orders, have been recently introduced. Most of them follow a similar approach originally introduced in the paper of Carlet et al. published at FSE 2012: the S-box to protect is viewed as a polynomial and strategies are investigated which minimize the number of field multiplications which are not squarings. The paper aims at presenting all these works in a comprehensive way. The methods are discussed, their differences and similarities are identified and the remaining open problems are listed.

Until the mid-2000s, multivariate cryptography was developing very rapidly, producing many interesting and versatile public-key schemes. However, many of them were soon successfully cryptanalysed (much of this work was done in this group). As a consequence, confidence in multivariate cryptosystems declined. New important reasons have since emerged for renewing interest in a new generation of multivariate schemes. In the past two years, the algorithms for solving the Discrete Logarithm Problem over small characteristic fields underwent an extraordinary development. This clearly illustrates the risk of not considering alternatives to classical assumptions based on number theory. In parallel, two of the most important standardization bodies in the world, NIST and ETSI, have recently started initiatives for developing cryptographic standards not based on number theory, with a particular focus on primitives resistant to quantum algorithms. An objective here is then to focus on the design of multivariate schemes.

The team is now involved in the industrial transfer of post-quantum cryptography. The project is supervised by SATT-LUTECH. SATT-LUTECH specializes in the processing and transfer of technologies from research laboratories of its shareholders: Inria, CNRS, University of Technology of Compiègne, National Museum of Natural History, Institut Curie, Université Panthéon-Assas, Paris Sorbonne University and National School of Industrial Creation.

The team has recently developed, in partnership with a mobile application development company (WASSA), an Android app for smartphones (Samsung G5 type) that uses multivariate cryptography. The application was tested in mid-November in a series of experiments supervised by the DGA and the French Ministry of Defense. The experiment gathered a total of a hundred participants from various operational units. This is a first milestone in the maturation project, whose goal is to create a start-up.

**ANR Grant HPAC: High Performance Algebraic Computing
(2012-2016).** The pervasive ubiquity of parallel architectures
and memory hierarchies has led to a new quest for parallel
mathematical algorithms and software capable of exploiting the
various levels of parallelism: from hardware acceleration
technologies (multi-core and multi-processor systems on chip, GPGPU,
FPGA) to cluster and global computing platforms. To give a
greater scope to symbolic and algebraic computing, beyond the
optimization of the application itself, the effective use of a large
number of resources (memory and specialized computing units) is
expected to improve performance on multi-criteria objectives: time,
resource usage, reliability, even energy consumption. The design and
the implementation of mathematical algorithms with provable,
adaptive and sustainable performance is a major challenge. In this
context, this project is devoted to fundamental and practical
research specifically in exact linear algebra and system solving, which
are two essential "dwarfs" (or "killer kernels") in scientific and
algebraic computing. The project should lead to progress in matrix
algorithms and challenge solving in cryptology, and should provide
new insights into high performance programming and library design
problems (J.-C. Faugère [contact], L. Perret, G. Renault, M. Safey
El Din).

**PIA grant RISQ: Regroupement of the Security Industry for Quantum-Safe security (2017-2020).** The goal of the RISQ project is to prepare the security industry for the upcoming shift from classical cryptography to quantum-safe cryptography (J.-C. Faugère [contact] and L. Perret).

Type: PEOPLE

Instrument: Career Integration Grant

Duration: May 2013 - April 2017

Coordinator: Jean-Charles Faugère

Partner: Institut National de Recherche en Informatique et en Automatique (Inria), France

Inria contact: Elias Tsigaridas

Abstract: The project Algebraic Algorithms and Applications (A3) is an interdisciplinary and multidisciplinary project, with strong international synergy. It consists of four work packages. The first (Algebraic Algorithms) focuses on fundamental problems of computational (real) algebraic geometry: effective zero bounds, that is, estimates of the minimum distance of the roots of a polynomial system from zero; algorithms for solving polynomials and polynomial systems; derivation of non-asymptotic bounds for basic algorithms of real algebraic geometry; and application of polynomial system solving techniques in optimization. We propose a novel approach that exploits structure and symmetry, combinatorial properties of high dimensional polytopes and tools from mathematical physics. Despite the great potential of the modern tools from algebraic algorithms, their use requires a combined effort to transfer this technology to specific problems. In the second package (Stochastic Games) we aim to derive optimal algorithms for computing the values of stochastic games, using techniques from real algebraic geometry, and to introduce a whole new arsenal of algebraic tools to computational game theory. In the third work package (Non-linear Computational Geometry), we focus on exact computations with implicitly defined plane and space curves. These are challenging problems that commonly arise in geometric modeling and computer aided design, but they also have applications in polynomial optimization. The final work package (Efficient Implementations) describes our plans for complete, robust and efficient implementations of algebraic algorithms.

Program: COST

Project acronym: CryptoAction

Project title: Cryptography for Secure Digital Interaction

Duration: 04 2014 - 04 2018

Coordinator: Claudio ORLANDI

Abstract: As increasing amounts of sensitive data are exchanged and processed every day on the Internet, the need for security is paramount. Cryptography is the fundamental tool for securing digital interactions, and allows much more than secure communication: recent breakthroughs in cryptography enable the protection - at least from a theoretical point of view - of any interactive data processing task. This includes electronic voting, outsourcing of storage and computation, e-payments, electronic auctions, etc. However, as cryptography advances and becomes more complex, single research groups become specialized and lose contact with "the big picture". Fragmentation in this field can be dangerous, as a chain is only as strong as its weakest link. To ensure that the ideas produced in Europe's many excellent research groups will have a practical impact, coordination among national efforts and different skills is needed. The aim of this COST Action is to stimulate interaction between the different national efforts in order to develop new cryptographic solutions and to evaluate the security of deployed algorithms with applications to the secure digital interactions between citizens, companies and governments. The Action will foster a network of European research centers thus promoting movement of ideas and people between partners.

Program: COST

Project acronym: CRYPTACUS

Project title: Cryptanalysis of ubiquitous computing systems

Duration: 12 2014 - 12 2018

Coordinator: Gildas AVOINE

Abstract: Recent technological advances in hardware and software have irrevocably affected the classical picture of computing systems. Today, these no longer consist only of connected servers, but involve a wide range of pervasive and embedded devices, leading to the concept of “ubiquitous computing systems”. The objective of the Action is to improve and adapt the existent cryptanalysis methodologies and tools to the ubiquitous computing framework. Cryptanalysis, which is the assessment of theoretical and practical cryptographic mechanisms designed to ensure security and privacy, will be implemented along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. Researchers have only recently started to focus on the security of ubiquitous computing systems. Despite the critical flaws found, the required highly-specialized skills and the isolation of the involved disciplines are a true barrier for identifying additional issues. The Action will establish a network of complementary skills, so that expertise in cryptography, information security, privacy, and embedded systems can be put to work together. The outcome will directly help industry stakeholders and regulatory bodies to increase security and privacy in ubiquitous computing systems, in order to eventually make citizens better protected in their everyday life.

Title: Geometry and Optimization with ALgebraic methods.

International Partner (Institution - Laboratory - Researcher):

University of California Berkeley (United States) - Dept. of Mathematics - Bernd Sturmfels

Start year: 2015

Polynomial optimization problems form a subclass of general global optimization problems which has recently received a lot of attention from the research community; various solution techniques have been designed. One reason for the spectacular success of these methods is their potential impact in many fields: data mining, big data, energy savings, etc. More generally, many areas in mathematics, as well as applications in engineering, biology, statistics, robotics, etc., require a deeper understanding of the algebraic structure of their underlying objects.

A new trend in the polynomial optimization community is the combination of algebraic and numerical methods. Understanding and characterizing the algebraic properties of the objects occurring in numerical algorithms can play an important role in improving the efficiency of exact methods. Moreover, this knowledge can be used to estimate the quality (for example the number of significant digits) of numerical algorithms. In many situations each coordinate of the optimum is an algebraic number. The degree of the minimal polynomials of these algebraic numbers is the Algebraic Degree of the problem. From a methodological point of view, this notion of Algebraic Degree emerges as an important complexity parameter for both numerical and exact algorithms. However, algebraic systems occurring in applications often have special algebraic structures that deeply influence the geometry of the solution set. Therefore, the (true) algebraic degree can be much smaller than what is predicted by general worst-case bounds (using Bézout bounds, mixed volume, etc.), and it would be very worthwhile to understand it more precisely.

The goal of this proposal is to develop algorithms and mathematical tools to solve geometric and optimization problems through algebraic techniques. As a long-term goal, we plan to develop new software to solve these problems more efficiently. These objectives encompass the challenge of identifying instances of these problems that can be solved in polynomial time with respect to the number of solutions, and of modeling these problems with polynomial equations.

Carlos Améndola Cerón

Date: May 2016

Institution: Technische Universität Berlin, Germany

Christoph Koutschan

Date: Nov. 2016

Institution: Österreichische Akademie der Wissenschaften, Linz

Didier Henrion

Date: Nov. 2016

Institution: LAAS, CNRS

Simone Naldi

Date: Nov. 2016

Institution: TU Univ. Dortmund, Germany.

Ioannis Psarros

Date: May 2016

Institution: University of Athens, Greece.

Vincent Guisse

Date: Apr. 2016 - Jul. 2016

Institution: Université Paris – Diderot

Supervisor: Jean-Charles Faugère, Jérémy Berthomieu

Ramon Ronzon

Date: Mar. 2016 - Sep. 2016

Institution: École polytechnique

Supervisor: Jean-Charles Faugère, Ludovic Perret

Sènan Dossa

Date: Mar. 2016 - Sep. 2016

Institution: ENS Lyon

Supervisor: Jean-Charles Faugère, Ludovic Perret

Dongming Wang was involved in the organization of the following conferences:

Special Session on Software of Polynomial Systems at the 5th International Congress on Mathematical Software (ICMS 2016) (Berlin, Germany, July 11-14, 2016).

Emmanuel Prouff was a member of the program committees of the following conferences:

Conference on Cryptographic Hardware and Embedded Systems 2016 (CHES 2016) (Santa Barbara, CA, USA, Aug. 17-19, 2016);

Smart Card Research and Advanced Application Conference (CARDIS 2016) (Cannes, France, Nov. 7-9, 2016);

International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2016) (Graz, Austria, Apr. 14-15);

23rd ACM Conference on Computer and Communications Security (ACM CCS 2016) (Vienna, Austria, Oct. 24-28).

Dongming Wang was a member of the program committees of the following conferences:

11th International Workshop on Automated Deduction in Geometry (ADG 2016) (Strasbourg, France, June 27-29, 2016);

7th International Symposium on Symbolic Computation in Software Science (SCSS 2016) (Tokyo, Japan, March 28-31, 2016).

Elias Tsigaridas was a member of the program committees of the following conferences:

Computer Algebra in Scientific Computing (CASC 2016) (Bucharest, Romania, Sept. 2016).

Ludovic Perret is a member of the editorial board of Designs, Codes and Cryptography.

Emmanuel Prouff is a member of the editorial board of the Journal of Cryptographic Engineering.

Mohab Safey El Din is a member of the editorial board of the Journal of Symbolic Computation.

Dongming Wang has the following editorial activities:

Editor-in-Chief and Managing Editor for the journal

Mathematics in Computer Science (published by Birkhäuser/Springer, Basel).

Executive Associate Editor-in-Chief for the journal

SCIENCE CHINA Information Sciences (published by Science China Press, Beijing and Springer, Berlin).

Member of the Editorial Boards for the

Journal of Symbolic Computation (published by Academic Press/Elsevier, London),

Frontiers of Computer Science (published by Higher Education Press, Beijing and Springer, Berlin),

Texts and Monographs in Symbolic Computation (published by Springer, Wien New York).

Member of the International Advisory Board for the Communications of JSSAC (Japan Society for Symbolic and Algebraic Computation) (published by JSSAC).

Emmanuel Prouff was an invited speaker at:

EUROCRYPT 2016 (invited tutorial), Vienna, Austria, on Securing Cryptography Implementations in Embedded Systems.

SPACE 2016 (invited speaker), Hyderabad, India, on Breaking Cryptographic Implementations Using Deep Learning Techniques.

Mohab Safey El Din was an invited speaker at:

the SMAI-MODE session on semi-algebraic optimization, Toulouse, March 2016, France.

the AIM Workshop on Algebraic Vision which was held at the American Institute of Mathematics, San Jose, May 2016, USA.

the NCSU seminar on Symbolic Computation, Raleigh, May 2016, USA.

the PGMO session on Semi-Definite Programming, Palaiseau, October 2016, France.

Ludovic Perret was an invited speaker at the 17th World Conference on Information Security Applications (WISA 2016, August, Korea).

Elias Tsigaridas was an invited speaker at:

the Department Seminar Series of the Computer Science Department of the University of Liverpool, Apr 2016, UK.

the Seminar of RICAM, University of Linz, Austria, Dec. 2016.

Jérémy Berthomieu had the following teaching activities:

Master : Modeling and numerical and symbolic problem solving with the Maple and MATLAB software, 34 hours, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Basics of Algebraic Algorithms, 70 hours, M1, Université Pierre-et-Marie-Curie, France

Master : Introduction to Security, 20 hours, M1, Université Pierre-et-Marie-Curie, France

Master : Projects supervision, 8 hours, L2, Université Pierre-et-Marie-Curie, France

Licence : Introduction to Algorithmics, 49 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : Representations and Numerical Methods, 41 hours, L2, Université Pierre-et-Marie-Curie, France

Licence : Projects supervision, 10 hours, L2, Université Pierre-et-Marie-Curie, France

Jean-Charles Faugère had the following teaching activities:

Master : Fundamental Algorithms in Real Algebraic Geometry, 13.5 hours, M2, ENS de Lyon, France

Master : Polynomial Systems solving, 12 hours, M2, MPRI

Ludovic Perret had the following teaching activities amounting to around 220 hours:

Master : Polynomial Systems solving, M2, MPRI

Master : In charge of Introduction to Security, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Complexity, M1, Université Pierre-et-Marie-Curie, France

Licence : Introduction to Algorithmics, L2, Université Pierre-et-Marie-Curie, France

Licence : In charge of the Computer Science – Applied Mathematics Program (PIMA) in Licence, L2, Université Pierre-et-Marie-Curie, France

Licence : Project supervision, L2, Université Pierre-et-Marie-Curie, France

Guénaël Renault had the following teaching activities:

Master : In charge of the Security, Reliability and Numerical Efficiency Program in Master, 45 hours, M1 and M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Advanced and Applied Cryptology, 70 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Security and Side-channels, 10 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Threats and Attacks Modeling, 40 hours, M1, Université Pierre-et-Marie-Curie, France

Master : Pro/Research internships supervision, 40 hours, M2, Université Pierre-et-Marie-Curie, France

Master : Projects supervision, 20 hours, M1, Université Pierre-et-Marie-Curie, France

Licence : In charge of Introduction to Cryptology, 30 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : Project supervision, 10 hours, L2, Université Pierre-et-Marie-Curie, France

Mohab Safey El Din had the following teaching activities:

Master : In charge of Modeling and numerical and symbolic problem solving with the Maple and MATLAB software, 36 hours, M1, Université Pierre-et-Marie-Curie, France

Master : In charge of Introduction to polynomial system solving, 48 hours, M2, Université Pierre-et-Marie-Curie, France

Master : In charge of Fundamental Algorithms in Real Algebraic Geometry, 22.5 hours, M2, ENS de Lyon, France

Master : In charge of the Security, Reliability and Numerical Efficiency Program in Master, 12 hours, M1 and M2, Université Pierre-et-Marie-Curie, France

Master : Introduction to Security, 10 hours, M1, Université Pierre-et-Marie-Curie, France

Licence : Introduction to Cryptology, 20 hours, L3, Université Pierre-et-Marie-Curie, France

Licence : In charge of the Computer Science – Applied Mathematics Program (PIMA) in Licence, L2 and L3, Université Pierre-et-Marie-Curie, France

PhD in progress : Ivan Bannwarth, Fast algorithms for studying real algebraic sets, started in Sept. 2014, Mohab Safey El Din

PhD in progress : Matías Bender, Algorithms for Sparse Gröbner basis and applications, started in Dec. 2015, Jean-Charles Faugère and Elias Tsigaridas

PhD in progress : Eleonora Cagli, Analysis and search for points of interest in the context of attacks by observation, Emmanuel Prouff and Cécile Dumas

PhD in progress : Clayton Eduardo Lente da Silva, Planar discontinuous dynamical system, Universidade Estadual Paulista (São José do Rio Preto), started in Sep. 2013, Paulo Ricardo da Silva and Alain Jacquemard

HdR : Ludovic Perret, Université Pierre-et-Marie-Curie, defended in Dec. 2016

HdR : Guénaël Renault, Université Pierre-et-Marie-Curie, defended in Dec. 2016

PhD : Thársis Souza Silva, Relay Systems, Universidade Federal de Goiás, Goiânia, defended in May 2016, Ronaldo Alves Garcia and Alain Jacquemard

PhD : Adrian Thillard, Countermeasures to Side-Channel Attacks and Secure Multi-Party Computation, ENS Paris, defended in Dec. 2016, Damien Vergnaud and Emmanuel Prouff

PhD : Thibaut Verron, Gröbner bases and structured polynomial systems, Université Pierre-et-Marie-Curie, defended in Sept. 2016, Jean-Charles Faugère and Mohab Safey El Din

PhD : Alexandre Wallet, The point decomposition problem in Jacobian varieties, Université Pierre-et-Marie-Curie, defended in Dec. 2016, Jean-Charles Faugère

Jean-Charles Faugère was examiner in the PhD committees of C. Chenavier, V. Neiger, T. Verron and A. Wallet and in the HDR committees of L. Perret and G. Renault.

Alain Jacquemard was examiner in the PhD committee of T.S. Silva.

Emmanuel Prouff was a reviewer of the PhD theses of A. Battistello and D. Martin. He was an examiner in the PhD committees of A. Battistello, D. Martin and A. Thillard and in the HDR committee of G. Renault.

Mohab Safey El Din was examiner in the PhD committees of T. Verron and A. Wallet and in the HDR committees of L. Perret and G. Renault.

J.-C. Faugère and L. Perret wrote a paper “Le grand défi du post-quantique” for MISC (HS 13, April 2016).