**The overall objective of AriC (Arithmetic and Computing) is, through computer arithmetic and computational mathematics, to improve computing at large.**

A major challenge in modeling and scientific computing is the simultaneous mastery of hardware capabilities, software design, and mathematical algorithms, so that computations are efficient. Further, performance relates as much to efficiency as to reliability, which requires progress on automatic proofs, certificates and code generation. In this context, computer arithmetic and mathematical algorithms are the keystones of AriC. Our approach reconciles fundamental studies, practical performance and qualitative aspects, with a shared strategy going from high-level problem specifications and normalization actions, to computer arithmetic and the lowest-level details of implementations.

We focus on the following lines of action:

Design and integration of new methods and tools for mathematical program specification, certification, security, and guarantees on numerical results. Some main ingredients here are: the interleaving of formal proofs, computer arithmetic and computer algebra; error analysis and computation of certified error bounds; the study of the relationship between performance and numerical quality; and on the cryptology aspects, focus on the practicality of existing protocols and design of more powerful lattice-based primitives.

Generalization of a hybrid symbolic-numeric trend, and interplay between arithmetics for both improving and controlling numerical approaches (symbolic

Mathematical and algorithmic foundations of computing. We address algorithmic complexity and fundamental aspects of approximation, polynomial and matrix algebra, and lattice-based cryptology. Practical questions concern the design of high performance and reliable computing kernels, thanks to optimized computer arithmetic operators and an improved adequacy between arithmetic bricks and higher level ones.

According to the application domains that we target and our main fields of expertise, these lines of action are broken down into three themes with specific objectives. These themes also correspond to complementary angles for addressing the general computing challenge stated at the beginning of this introduction:

**Efficient approximation methods** (§). Here lies the question of interleaving formal proofs, computer arithmetic and computer algebra, for significantly extending the range of functions whose reliable evaluation can be optimized.

**Lattices: algorithms and cryptology** (§). Long term goals are to go beyond the current design paradigm in basis reduction, and to demonstrate the superiority of lattice-based cryptography over contemporary public-key cryptographic approaches.

**Algebraic computing and high performance kernels** (§). The problem is to keep the algorithm and software designs in line with the scales of computational capabilities and application needs, by simultaneously working on the structural and the computer arithmetic levels.

We plan to focus on the generation of certified and efficient approximations for solutions of linear differential equations. These functions cover many classical mathematical functions, and many more can be built by combining them. One classical target area is the numerical evaluation of elementary or special functions. This is currently performed by code specifically handcrafted for each function. The computation of approximations and the error analysis are major steps of this process that we want to automate, in order to reduce the probability of errors, to allow one to implement “rare functions”, and to quickly adapt a function library to a new context: a new processor, or new requirements in terms of speed or accuracy.

In order to significantly extend the current range of functions under consideration, several methods originating from approximation theory have to be considered (divergent asymptotic expansions; Chebyshev or generalized Fourier expansions; Padé approximants; fixed point iterations for integral operators). We have done preliminary work on some of them. Our plan is to revisit them all from the points of view of effectivity and computational complexity (exploiting linear differential equations to obtain efficient algorithms), as well as their ability to produce provable error bounds. This work would constitute major progress towards the automatic generation of code for moderate or arbitrary precision evaluation with good efficiency. Other useful, if not critical, applications are certified quadrature, the determination of certified trajectories of spatial objects and many more important questions in optimal control theory.

As computer arithmeticians, a wide and important target for us is the design of efficient and certified linear filters in digital signal processing (DSP). Indeed, since MATLAB became the major tool for filter design, DSP experts now systematically delegate to MATLAB the whole part of the design related to numerical issues. And yet, various key MATLAB routines are neither optimized nor certified. There is therefore a lot of room for enhancing numerous DSP numerical implementations, and several promising approaches exist to do so.

The main challenge that we want to address over the next period is the development and the implementation of optimal methods for rounding the coefficients involved in the design of the filter. If done in a naive way, this rounding may lead to a significant loss of performance. We will study in particular FIR and IIR filters.

Implementing “ultimately accurate” functions (i.e., rounded to nearest) requires either the knowledge of hardest-to-round cases, or a lower bound, as tight as possible, on the distance between the image of a floating-point number by the function and the midpoint of two consecutive floating-point numbers. Obtaining such results is a challenge. Several computer manufacturers have contacted us to obtain new cases. One of our current solutions for obtaining hardest-to-round cases is based on Lefèvre's algorithm. We aim at rewriting the current implementations of this algorithm, and at giving formal proofs of their correctness.

We plan to use uniform polynomial approximation and diophantine techniques in order to tackle the case of the IEEE quad precision, and continue to use analytic number theory techniques (exponential sums estimates) for counting the hardest-to-round cases.

Lattice-based cryptography (LBC) is an extremely promising, attractive (and competitive) research ground in cryptography, thanks to a combination of unmatched properties:

**Improved performance.** LBC primitives have low asymptotic costs, but remain cumbersome in practice (e.g., for parameters achieving security against computations of up to 2^100 bit operations). To address this limitation, a whole branch of LBC has evolved where security relies on the restriction of lattice problems to a family of more structured lattices called *ideal lattices*. Primitives based on such lattices can have quasi-optimal costs (i.e., quasi-constant amortized complexities), outperforming all contemporary primitives. This asymptotic performance sometimes translates into practice, as exemplified by NTRUEncrypt.

**Improved security.** First, lattice problems seem to remain hard even for quantum computers. Moreover, the security of most of LBC holds under the assumption that standard lattice problems are hard in the worst case. By contrast, contemporary cryptography assumes that specific problems are hard with high probability, for some precise input distributions. Many of these problems were artificially introduced to serve as a security foundation for new primitives.

**Improved flexibility.** The master primitives (encryption, signature) can all be realized based on worst-case (ideal) lattice assumptions. More advanced primitives such as ID-based encryption (where the public key of a recipient can be publicly derived from their identity) and group signatures, which were the playground of pairing-based cryptography (a subfield of elliptic curve cryptography), can also be realized in the LBC framework, although less efficiently and with restricted security properties. More intriguingly, lattices have enabled long-wished-for primitives. The most notable example is homomorphic encryption, enabling computations on encrypted data. It is the appropriate tool to securely outsource computations, and will help overcome the privacy concerns that are slowing down the rise of the cloud.

We work on three directions, detailed now.

All known lattice reduction algorithms follow the same design principle: perform a sequence of small elementary steps transforming a current basis of the input lattice, where these steps are driven by the Gram-Schmidt orthogonalisation of the current basis.

In the short term, we will fully exploit this paradigm, and hopefully lower the cost of reduction algorithms with respect to the lattice dimension. We aim at asymptotically fast algorithms with complexity bounds closer to those of basic and normal form problems (matrix multiplication, Hermite normal form). In the same vein, we plan to investigate the parallelism potential of these algorithms.

Our long term goal is to go beyond the current design paradigm, to reach better trade-offs between run-time and shortness of the output bases. To reach this objective, we first plan to strengthen our understanding of the interplay between lattice reduction and numerical linear algebra (how far can we push the idea of working on approximations of a basis?), to assess the necessity of using the Gram-Schmidt orthogonalisation (e.g., to obtain a weakening of LLL-reduction that would work up to some stage, and save computations), and to determine whether working on generating sets can lead to more efficient algorithms than manipulating bases. We will also study algorithms for finding shortest non-zero vectors in lattices, and in particular look for quantum accelerations.

We will implement and distribute all algorithmic improvements, e.g., within the fplll library. We are interested in high performance lattice reduction computations (see application domains below), in particular in connection with/continuation of the HPAC ANR project (algebraic computing and high performance consortium).

Our long term goal is to demonstrate the superiority of lattice-based cryptography over contemporary public-key cryptographic approaches. For this, we will (1) strengthen its security foundations, (2) drastically improve the performance of its primitives, and (3) show that lattices make it possible to devise advanced and elaborate primitives.

The practical security foundations will be strengthened by the improved understanding of the limits of lattice reduction algorithms (see above). On the theoretical side, we plan to attack two major open problems: Are ideal lattices (lattices corresponding to ideals in rings of integers of number fields) computationally as hard to handle as arbitrary lattices? What is the quantum hardness of lattice problems?

Lattice-based primitives involve two types of operations: sampling from discrete Gaussian distributions (with lattice supports), and arithmetic in polynomial rings such as

Our main objective in terms of cryptographic functionality will be to determine the extent to which lattices can help secure cloud services. For example, is there a way for users to delegate computations on their outsourced dataset while minimizing what the server eventually learns about their data? Can servers compute on encrypted data in an efficiently verifiable manner? Can users retrieve their files and query remote databases anonymously provided they hold appropriate credentials? Lattice-based cryptography is the only approach so far that has allowed progress in those directions. We will investigate the practicality of the current constructions, the extension of their properties, and the design of more powerful primitives, such as functional encryption (allowing the recipient to learn only a function of the plaintext message). To achieve these goals, we will in particular focus on cryptographic multilinear maps.

This research axis of AriC is gaining strength thanks to the recruitment of Benoit Libert. We will be particularly interested in the practical and operational impacts, and for this reason we envision a collaboration with an industrial partner.

Diophantine equations. Lattice reduction algorithms can be used to solve diophantine equations, and in particular to find simultaneous rational approximations to real numbers. We plan to investigate the interplay between this algorithmic task, the task of finding integer relations between real numbers, and lattice reduction. A related question is to devise LLL-reduction algorithms that exploit specific shapes of input bases.

Communications. We will continue our collaboration with Cong Ling (Imperial College) on the use of lattices in communications. We plan to work on the wiretap channel over a fading channel (modeling cell phone communications in a fast moving environment). The current approaches rely on ideal lattices, and we hope to find new approaches thanks to the expertise on them that we have gained from their use in lattice-based cryptography. We will also tackle the problem of sampling vectors from Gaussian distributions with lattice support, for a very small standard deviation parameter. This would significantly improve current lattice-based communication schemes, as well as several cryptographic primitives.

Cryptanalysis of variants of RSA. Lattices have been used extensively to break variants of the RSA encryption scheme, via Coppersmith's method to find small roots of polynomials. We plan to work with Nadia Heninger (U. of Pennsylvania) on improving these attacks, to make them more practical. This is an excellent test case for the practicality of LLL-type algorithms. Nadia Heninger has strong experience in large scale cryptanalysis based on Coppersmith's method (http://

The main theme here is the study of fundamental operations (“kernels”) on a hierarchy of symbolic or numeric data types spanning integers, floating-point numbers, polynomials, power series, as well as matrices of all these. Fundamental operations include basic arithmetic (e.g., how to multiply or how to invert) common to all such data, as well as more specific ones (change of representation/conversions, GCDs, determinants, etc.). For such operations, which are ubiquitous and at the very core of computing (be it numerical, symbolic, or hybrid numeric-symbolic), our goal is to ensure both high performance and reliability.

On the symbolic side, we will focus on the design and complexity analysis of algorithms for matrices over various domains (fields, polynomials, integers) and possibly with specific properties (structure). So far, our algorithmic improvements for polynomial matrices and structured matrices have been obtained in a rather independent way. Both types are well known to have much in common, but this is sometimes not reflected by the complexities obtained, especially for applications in cryptology and coding theory. Our goal in this area is thus to explore these connections further, to provide a more unified treatment, and eventually to bridge these complexity gaps. A first step towards this goal will be the design of enhanced algorithms for various generalizations of Hermite-Padé approximation; in the context of list decoding, this should in particular make it possible to match or even improve over the structured-matrix approach, which is so far the fastest known.

On the other hand we will focus on the design of algorithms for certified computing. We will study the use of various representations, such as mid-rad for classical interval arithmetic, or affine arithmetic. We will explore the impact of precision tuning in intermediate computations, possibly dynamically, on the accuracy of the results (e.g. for iterative refinement and Newton iterations). We will continue to revisit and improve the classical error bounds of numerical linear algebra in the light of the subtleties of IEEE floating-point arithmetic.

Our goals in linear algebra and lattice basis reduction that have been detailed above in Section will be achieved in the light of a hybrid symbolic-numeric approach.

We aim at providing tight error bounds for basic “building blocks” of numerical computing. Examples are complex arithmetic (in the continuity of what we have already done) and Fourier transforms.

We will also work on the interplay between floating-point and integer arithmetics.
Currently, small numerical kernels like an exponential or a

A third direction will be to work on algorithms for performing correctly-rounded arithmetic operations in medium precision as efficiently and reliably as possible. Indeed, many numerical problems require higher precision than the conventional floating-point (single, double) formats. One solution is to use multiple precision libraries, such as GNU MPFR, which allow the manipulation of very high precision numbers; but their generality (they are able to handle numbers with millions of digits) makes them quite a heavy alternative when high performance is needed. Our objective here is thus to design a multiple precision arithmetic library that makes it possible to tackle problems where a precision of a few hundred bits is sufficient, but which have strong performance requirements. Applications include the long-term iteration of chaotic dynamical systems, ranging from the classical Hénon map to calculations of planetary orbits. The designed algorithms will be formally proved.

Finally, our work on the IEEE 1788 standard leads naturally to the development of associated reference libraries for interval arithmetic. A first direction will be to implement IEEE 1788 interval arithmetic within MPFI, our library for interval arithmetic using the arbitrary precision floating-point arithmetic provided by MPFR: indeed, MPFI was originally developed with definitions and handling of exceptions which are not compliant with IEEE 1788. Another direction will be to provide efficient support for multiple-precision intervals, in mid-rad representation, and to develop MPFR-based code-generation tools aimed at handling families of functions.

The algorithmic developments for medium precision floating-point arithmetic discussed above will lead to high performance implementations on GPUs. As a follow-up of the HPAC project (which ended in December 2015) we shall pursue the design and implementation of high performance linear algebra primitives and algorithms.

Our expertise on validated numerics is useful to analyze, improve, and guarantee the quality of numerical results in a wide range of applications including:

- scientific simulation;
- global optimization;
- control theory.

Much of our work, in particular the development of correctly rounded elementary functions, is critical to the reproducibility of floating-point computations.

Lattice reduction algorithms have direct applications in

- public-key cryptography;
- diophantine equations;
- communications theory.

Damien Stehlé was appointed IUF junior member.

Publication of the second edition of the “Handbook of Floating-Point Arithmetic”.

Keywords: Euclidean Lattices - Computer algebra system (CAS) - Cryptography

Scientific Description: The fplll library is used or has been adapted to be integrated within several mathematical computation systems such as Magma, Sage, and PariGP. It is also used for cryptanalytic purposes, to test the resistance of cryptographic primitives.

Functional Description: fplll contains implementations of several lattice algorithms. The implementation relies on floating-point orthogonalization, and LLL is central to the code, hence the name.

It includes implementations of floating-point LLL reduction algorithms, offering different trade-offs between speed and guarantees. It contains a 'wrapper' that chooses the estimated best sequence of variants in order to provide a guaranteed output as fast as possible. In the case of the wrapper, the succession of variants is transparent to the user.

It includes an implementation of the BKZ reduction algorithm, including the BKZ-2.0 improvements (extreme enumeration pruning, pre-processing of blocks, early termination). Additionally, Slide reduction and self dual BKZ are supported.

It also includes a floating-point implementation of the Kannan-Fincke-Pohst algorithm that finds a shortest non-zero lattice vector. For the same task, the GaussSieve algorithm is also available in fplll. Finally, it contains a variant of the enumeration algorithm that computes a lattice vector closest to a given vector belonging to the real span of the lattice.

Author: Damien Stehlé

Contact: Damien Stehlé

*generating functions package*

Keyword: Symbolic computation

Functional Description: Gfun is a Maple package for the manipulation of linear recurrence or differential equations. It provides tools for guessing a sequence or a series from its first terms, and for rigorously manipulating solutions of linear differential or recurrence equations, using the equation as a data structure.

Contact: Bruno Salvy

URL: http://

Keywords: Multiple-Precision - Floating-point - Correct Rounding

Functional Description: GNU MPFR is an efficient arbitrary-precision floating-point library with well-defined semantics (copying the good ideas from the IEEE 754 standard), in particular correct rounding in 5 rounding modes. It provides about 80 mathematical functions, in addition to utility functions (assignments, conversions...). Special data (Not a Number, infinities, signed zeros) are handled as in the IEEE 754 standard. GNU MPFR is based on the mpn and mpz layers of the GMP library.

Participants: Guillaume Hanrot, Paul Zimmermann, Philippe Théveny and Vincent Lefèvre

Contact: Vincent Lefèvre

Publications: Correctly Rounded Arbitrary-Precision Floating-Point Summation; Optimized Binary64 and Binary128 Arithmetic with GNU MPFR; Évaluation rapide de fonctions hypergéométriques; Arbitrary Precision Error Analysis for computing

Keywords: Floating-point - Correct Rounding

Functional Description: Sipe is a mini-library in the form of a C header file, to perform radix-2 floating-point computations in very low precisions with correct rounding, either to nearest or toward zero. The goal of such a tool is to do proofs of algorithms/properties or computations of tight error bounds in these precisions by exhaustive tests, in order to try to generalize them to higher precisions. The currently supported operations are addition, subtraction, multiplication (possibly with the error term), fused multiply-add/subtract (FMA/FMS), and miscellaneous comparisons and conversions. Sipe provides two implementations of these operations, with the same API and the same behavior: one based on integer arithmetic, and a new one based on floating-point arithmetic.

Participant: Vincent Lefèvre

Contact: Vincent Lefèvre

Publications: SIPE: Small Integer Plus Exponent - Sipe: a Mini-Library for Very Low Precision Computations with Correct Rounding

Keyword: Exact linear algebra

Functional Description: LinBox is an open-source C++ template library for exact, high-performance linear algebra computations. It is considered the reference library for numerous computations (such as linear system solving, rank, characteristic polynomial, Smith normal forms, ...) over finite fields and integers with dense, sparse, and structured matrices.

Participants: Clément Pernet and Thierry Gautier

Contact: Clément Pernet

URL: http://

Keywords: Euclidean Lattices - Computer algebra system (CAS)

Functional Description: Software library for linear algebra and Euclidean lattice problems

Contact: Gilles Villard

Many applications of finite impulse response (FIR) digital filters impose strict format constraints for the filter coefficients. Such requirements increase the complexity of determining optimal designs for the problem at hand. In , we introduce a fast and efficient method, based on the computation of good nodes for polynomial interpolation and Euclidean lattice basis reduction. Experiments show that it returns quasi-optimal finite wordlength FIR filters; compared to previous approaches it also scales remarkably well (length 125 filters are treated in

A complexity analysis shows that the number of arithmetic operations needed by this algorithm (in floating-point or interval arithmetics) is proportional to the approximation degree when the differential equation is considered fixed. Finally, we illustrate the efficiency of this fully automated validation method on an example of a coupled Airy-like system.

Rounding error analyses of numerical algorithms are most often carried out via repeated applications of the so-called standard models of floating-point arithmetic. Given a round-to-nearest function

Triple-word arithmetic consists in representing high-precision numbers as the unevaluated sum of three floating-point numbers. In , we introduce and analyze various algorithms for manipulating triple-word numbers. Our new algorithms are faster than what one would obtain by just using the usual floating-point expansion algorithms in the special case of expansions of length 3, for a comparable accuracy.
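As an added illustration of both the Sipe entry above (property checks by exhaustive tests in a tiny correctly rounded format) and the "unevaluated sum" representation behind triple-word arithmetic, the following Python script is not code from the page, from Sipe or from the paper. It assumes a radix-2 format with p-bit significands, round-to-nearest-even and an unbounded exponent range (so overflow and underflow never occur), and exhaustively checks the TwoSum and FastTwoSum error-free transformations that multi-word algorithms are built on, including the failure of FastTwoSum when its magnitude precondition is dropped.

```python
"""Sipe-style low-precision binary floating-point emulation, used to exhaustively
check the error-free transformations that multi-word arithmetic relies on.

Added example: not Sipe's code and not the triple-word paper's algorithms.
Assumptions: radix 2, p-bit significands, round-to-nearest-even, unbounded
exponent range (hence no overflow/underflow).
"""
from fractions import Fraction
from itertools import product


def _exponent(x: Fraction) -> int:
    """Largest integer e with 2**e <= x, for x > 0."""
    e = x.numerator.bit_length() - x.denominator.bit_length()
    if Fraction(2) ** e > x:
        e -= 1
    return e


def round_to_nearest(x: Fraction, p: int) -> Fraction:
    """Round the exact rational x to the nearest p-bit binary float, ties to even."""
    if x == 0:
        return Fraction(0)
    sign = -1 if x < 0 else 1
    x = abs(x)
    ulp = Fraction(2) ** (_exponent(x) - p + 1)   # spacing of p-bit floats near x
    n = x // ulp                                   # integer significand candidate
    rem = x - n * ulp                              # 0 <= rem < ulp
    if rem * 2 > ulp or (rem * 2 == ulp and n % 2 == 1):
        n += 1                                     # round up, ties to even
    return sign * n * ulp


def all_floats(p: int, emin: int, emax: int) -> list:
    """Zero and every p-bit float with exponent in [emin, emax], both signs."""
    values = [Fraction(0)]
    for e in range(emin, emax + 1):
        ulp = Fraction(2) ** (e - p + 1)
        for m in range(2 ** (p - 1), 2 ** p):      # normalized significands
            values.append(m * ulp)
            values.append(-m * ulp)
    return values


def two_sum(a: Fraction, b: Fraction, p: int):
    """Knuth's TwoSum: (s, err) with s = fl(a+b); every operation is rounded.
    Error-free means s + err == a + b exactly."""
    rn = lambda x: round_to_nearest(x, p)
    s = rn(a + b)
    b_virtual = rn(s - a)
    a_virtual = rn(s - b_virtual)
    return s, rn(rn(a - a_virtual) + rn(b - b_virtual))


def fast_two_sum(a: Fraction, b: Fraction, p: int):
    """Dekker's FastTwoSum: error-free only under the precondition |a| >= |b|."""
    rn = lambda x: round_to_nearest(x, p)
    s = rn(a + b)
    return s, rn(b - rn(s - a))


def exhaustive_check(p, emin, emax, transform, precondition=lambda a, b: True):
    """Run `transform` on every pair of floats of the format (that satisfies the
    precondition) and return the pairs for which s + err != a + b."""
    failures = []
    floats = all_floats(p, emin, emax)
    for a, b in product(floats, repeat=2):
        if not precondition(a, b):
            continue
        s, err = transform(a, b, p)
        if s + err != a + b:
            failures.append((a, b))
    return failures


def triple_word(x: Fraction, p: int):
    """Represent x as the unevaluated sum hi + mid + lo of three p-bit floats,
    each term holding the rounding error left by the previous one."""
    hi = round_to_nearest(x, p)
    mid = round_to_nearest(x - hi, p)
    lo = round_to_nearest(x - hi - mid, p)
    return hi, mid, lo


if __name__ == "__main__":
    P, EMIN, EMAX = 4, -1, 3   # tiny format: 81 values, 6561 pairs
    print("TwoSum failures:", len(exhaustive_check(P, EMIN, EMAX, two_sum)))
    print("FastTwoSum failures with |a| >= |b|:", len(exhaustive_check(
        P, EMIN, EMAX, fast_two_sum, lambda a, b: abs(a) >= abs(b))))
    bad = exhaustive_check(P, EMIN, EMAX, fast_two_sum)
    print("FastTwoSum failures without the precondition:", len(bad), "e.g.", bad[:1])
    x = Fraction(1, 3)
    hi, mid, lo = triple_word(x, P)
    print("1/3 as a triple-word:", hi, mid, lo, "residual error:", x - (hi + mid + lo))
```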

As a typical application, the LLL lattice basis reduction algorithm is applied to bases of the orthogonal lattice of a given integer matrix, via reducing lattice bases of a special type. With such bases in input, we have proposed in a new technique for bounding from above the number of iterations required by the LLL algorithm. The main technical ingredient is a variant of the classical LLL potential, which could prove useful to understand the behavior of LLL for other families of input bases.

Ring signatures make it possible for a signer to anonymously and, yet, convincingly leak a secret by signing a message while concealing his identity within a flexibly chosen ring of users. Unlike group signatures, they do not involve any setup phase or tracing authority. Despite a lot of research effort over more than 15 years, most of their realizations require signatures of size linear in the cardinality of the ring. In the random oracle model, two recent constructions decreased the signature length to be only logarithmic in the number N of ring members. On the downside, they suffer from rather loose reductions incurred by the use of the Forking Lemma. This paper considers the problem of proving them tightly secure without affecting their space efficiency. Surprisingly, existing techniques for proving tight security in ordinary signature schemes do not trivially extend to the ring signature setting. The paper overcomes these difficulties by combining the Groth-Kohlweiss

In distributed pseudorandom functions (DPRFs), a PRF secret key

The IND-CCA security and anonymity of our two ANOBE schemes can be tightly reduced to the standard k-Linear assumption (and the existence of other primitives). For a broadcast system with n users, Libert et al.'s security analysis suffers from

Our first ANOBE supports fast decryption and has a shorter ciphertext than the fast-decryption version of Libert et al.'s concrete ANOBE. Our second ANOBE is adapted from the first one. We sacrifice the fast decryption feature and achieve shorter ciphertexts than Libert et al.'s concrete ANOBE with the help of bilinear groups. Technically, we start from an instantiation of Libert et al.'s generic ANOBE [PKC, 2012], but we work out all our proofs from scratch instead of relying on their generic security result. This intuitively allows our optimizations in the concrete setting.

Our first IPE scheme is based on the standard

Our second IPE scheme is adapted from the first one; the security is based on the XDLIN assumption (as Okamoto and Takashima's IPE) but now it also enjoys shorter ciphertexts.

Technically, instead of starting from composite-order IPE and applying existing transformation, we start from an IPE scheme in a very restricted setting but already in the prime-order group, and then gradually upgrade it to our full-fledged IPE scheme. This method allows us to integrate Chen et al.'s framework [Eurocrypt'15] with recent new techniques [TCC'17, Eurocrypt'18] in an optimized way.

The Rényi divergence is a measure of closeness of two probability distributions. In this paper, we show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones.
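To make the comparison concrete, here is an added Python example (not the paper's code) that computes both measures for two constructed discrete Gaussians, P of width 3 standing in for a real sampler and Q of width 3.1 for the ideal one, and evaluates the two lower bounds on Q(E) for the constructed event E = {|x| >= 10} playing the role of the attacker's success event; the widths, the truncation and the event are assumptions chosen for illustration. It shows the situation the paragraph describes: once P(E) is smaller than the statistical distance, the statistical-distance bound is vacuous while the Rényi probability-preservation bound still gives a positive lower bound.

```python
"""Rényi divergence versus statistical distance in a probability-preservation
argument.  Added example, not code from the paper: the two distributions and
the event are constructed for illustration.  P is the real distribution (e.g. an
implementation's sampler), Q the ideal distribution assumed by the proof."""
import math


def discrete_gaussian(sigma: float, bound: int) -> dict:
    """Constructed sample: integer Gaussian of width sigma, truncated to
    [-bound, bound] and renormalized so that the masses sum to 1."""
    weights = {x: math.exp(-x * x / (2.0 * sigma * sigma))
               for x in range(-bound, bound + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def statistical_distance(P: dict, Q: dict) -> float:
    """Delta(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in set(P) | set(Q))


def renyi_divergence(P: dict, Q: dict, a: float) -> float:
    """R_a(P || Q) = ( sum_x P(x)^a / Q(x)^(a-1) )^(1/(a-1)) for a > 1, in the
    non-logarithmic form used in lattice proofs; requires Supp(P) in Supp(Q)."""
    if a <= 1:
        raise ValueError("order a must be > 1")
    total = 0.0
    for x, px in P.items():
        if px > 0.0:
            total += px ** a / Q[x] ** (a - 1)   # KeyError: support not contained
    return total ** (1.0 / (a - 1))


def probability(D: dict, event) -> float:
    """Mass that distribution D puts on the event (a predicate on outcomes)."""
    return sum(px for x, px in D.items() if event(x))


def sd_lower_bound(p_event: float, delta: float) -> float:
    """Q(E) >= P(E) - Delta(P, Q): vacuous as soon as P(E) <= Delta."""
    return p_event - delta


def renyi_lower_bound(p_event: float, r_a: float, a: float) -> float:
    """Probability preservation: Q(E) >= P(E)^(a/(a-1)) / R_a(P || Q)."""
    return p_event ** (a / (a - 1)) / r_a


def compare_bounds(sigma_real, sigma_ideal, threshold, a=2.0, bound=40):
    """Evaluate both lower bounds on Q(E) for the event E = {|x| >= threshold}."""
    P = discrete_gaussian(sigma_real, bound)
    Q = discrete_gaussian(sigma_ideal, bound)
    event = lambda x: abs(x) >= threshold
    p_e, q_e = probability(P, event), probability(Q, event)
    delta = statistical_distance(P, Q)
    r_a = renyi_divergence(P, Q, a)
    return {"P(E)": p_e, "Q(E)": q_e, "delta": delta, "R_a": r_a,
            "sd_bound": sd_lower_bound(p_e, delta),
            "renyi_bound": renyi_lower_bound(p_e, r_a, a)}


if __name__ == "__main__":
    for name, value in compare_bounds(3.0, 3.1, 10).items():
        print(f"{name:12s} {value: .3e}")
```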

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis, in particular for lattice-based cryptography. A precise understanding of its practical behavior in terms of run-time and output quality is necessary for parameter selection in cryptographic design. As the provable worst-case bounds poorly reflect the practical behavior, cryptanalysts rely instead on the heuristic BKZ simulator of Chen and Nguyen (Asiacrypt'11). It fits better with practical experiments, but not entirely. In particular, it over-estimates the norm of the first few vectors in the output basis. Put differently, BKZ performs better than its Chen-Nguyen simulation.

Rapid advances in quantum computing, together with the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digital signature, encryption, and key-establishment protocols, have created significant interest in post-quantum cryptographic schemes. This paper introduces Kyber (part of CRYSTALS - Cryptographic Suite for Algebraic Lattices - a package submitted to the NIST post-quantum standardization effort in November 2017), a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM), based on hardness assumptions over module lattices. Our KEM is most naturally seen as a successor to the NEWHOPE KEM (Usenix 2016). In particular, the key and ciphertext sizes of our new construction are about half the size, the KEM offers CCA instead of only passive security, the security is based on a more general (and flexible) lattice problem, and our optimized implementation results in essentially the same running time as the aforementioned scheme. We first introduce a CPA-secure public-key encryption scheme, apply a variant of the Fujisaki-Okamoto transform to create a CCA-secure KEM, and eventually construct, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes. The security of our primitives is based on the hardness of Module-LWE in the classical and quantum random oracle models, and our concrete parameters conservatively target more than 128 bits of post-quantum security.

The hardness of the learning with errors (LWE) problem is one of the most fruitful resources of modern cryptography. In particular, it is one of the most prominent candidates for secure post-quantum cryptography. Understanding its quantum complexity is therefore an important goal. In this paper, we show that under quantum polynomial time reductions, LWE is equivalent to a relaxed version of the dihedral coset problem (DCP), which we call extrapolated DCP (eDCP). The extent of extrapolation varies with the LWE noise rate. By considering different extents of extrapolation, our result generalizes Regev's famous proof that if DCP is in BQP (quantum poly-time) then so is LWE (FOCS'02). We also discuss a connection between eDCP and Childs and Van Dam's algorithm for generalized hidden shift problems (SODA'07). Our result implies that a BQP solution for LWE might not require the full power of solving DCP, but rather only a solution for its relaxed version, eDCP, which could be easier.

At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred to as GGH13) of cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EUROCRYPT 2016), this candidate is still used for designing obfuscators. The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599). In this work, we propose a systematic study of this statistical leak for all these GGH13 variants. In particular, we confirm the weakness of the naive version of GGH13. We also show that, among the two variants proposed by Döttling et al., the so-called conservative method is not so effective: it leaks the same value as the unprotected method. Luckily, the leak is noisier than in the unprotected method, making the straightforward attack unsuccessful. Additionally, we note that all the other methods also leak values correlated with secrets. As a conclusion, we propose yet another countermeasure, for which this leak is made unrelated to all secrets. On our way, we also make explicit and tighten the hidden exponents in the size of the parameters, as an effort to assess and improve the efficiency of MMaps.

Since 2016 and the introduction of the exTNFS (extended tower number field sieve) algorithm, the security of cryptosystems based on nonprime finite fields, mainly the pairing- and torus-based ones, is being reassessed. The feasibility of the relation collection, a crucial step of the NFS variants, is especially investigated. It usually involves polynomials of degree 1, i.e., a search space of dimension 2. However, exTNFS uses bivariate polynomials of at least four coefficients. While sieving in dimension 2 is well described in the literature, sieving in higher dimensions has received significantly less attention. In this work, we describe and analyze three different generic algorithms to sieve in any dimension for the NFS algorithms. Our implementation shows that dimension-4 sieving is practical, but that dimension-6 sieving remains hard.

The Ring Learning With Errors problem (RLWE) comes in various forms. Vanilla RLWE is the decision dual-RLWE variant, consisting in distinguishing from uniform a distribution depending on a secret belonging to the dual

A *witness encryption (WE)* scheme can take any NP statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call *non-trivially exponentially efficient* WE (XWE), where the encryption run-time is only required to be much smaller than the trivial *attribute-based encryption*.

We also show how to upgrade the above results to get non-trivially exponentially efficient *indistinguishability obfuscation for null circuits (niO)*, which guarantees that the obfuscations of any two circuits that always output 0 are indistinguishable. In particular, under the LWE assumptions we get a XniO scheme where the obfuscation time is

Lastly, we explore a potential approach toward constructing fully efficient WE and niO schemes via multi-input ABE.

Multi-input functional encryption is a paradigm that allows an authorized user to compute a certain function—and nothing more—over multiple plaintexts given only their encryption. The particular case of two-input functional encryption has very exciting applications, including comparing the relative order of two plaintexts from their encrypted form (order-revealing encryption).

While being extensively studied, multi-input functional encryption is not ready for a practical deployment, mainly for two reasons. First, known constructions rely on heavy cryptographic tools such as multilinear maps. Second, their security is still very uncertain, as revealed by recent devastating attacks.

Pseudorandom functions (PRFs) are one of the fundamental building blocks in cryptography. We explore a new space of plausible PRF candidates that are obtained by mixing linear functions over different small moduli. Our candidates are motivated by the goals of maximizing simplicity and minimizing complexity measures that are relevant to cryptographic applications such as secure multiparty computation.

The advantage of our approach is twofold. On the theoretical side, the simplicity of our candidates enables us to draw natural connections between their hardness and questions in complexity theory or learning theory (e.g., learnability of depth-2

Finally, we introduce a new primitive we call an *encoded-input PRF*, which can be viewed as an interpolation between weak PRFs and standard (strong) PRFs. As we demonstrate, an encoded-input PRF can often be used as a drop-in replacement for a strong PRF, combining the efficiency benefits of weak PRFs and the security benefits of strong PRFs. We conclude by showing that our main weak PRF candidate can plausibly be boosted to an encoded-input PRF by leveraging error-correcting codes.

Related-key attacks (RKAs) concern the security of cryptographic primitives in the situation where the key can be manipulated by the adversary. In the RKA setting, the adversary’s power is expressed through the class of related-key deriving (RKD) functions which the adversary is restricted to using when modifying keys. Bellare and Kohno (Eurocrypt 2003) first formalised RKAs and pinpointed the foundational problem of constructing RKA-secure pseudorandom functions (RKA-PRFs). To date there are few constructions for RKA-PRFs under standard assumptions, and it is a major open problem to construct RKA-PRFs for larger classes of RKD functions. We make significant progress on this problem. In this work, we first show how to repair the Bellare-Cash framework for constructing RKA-PRFs and extend it to handle the more challenging case of classes of RKD functions that contain claws. We apply this extension to show that a variant of the Naor-Reingold function already considered by Bellare and Cash is an RKA-PRF for a class of affine RKD functions under the DDH assumption, albeit with an exponential-time security reduction. We then develop a second extension of the Bellare-Cash framework, and use it to show that the same Naor-Reingold variant is actually an RKA-PRF for a class of degree d polynomial RKD functions under the stronger decisional d-Diffie-Hellman inversion assumption. As a significant technical contribution, our proof of this result avoids the exponential-time security reduction that was inherent in the work of Bellare and Cash and in our first result.

Hermite reduction is a classical algorithmic tool in symbolic integration. It is used to decompose a given rational function as a sum of a function with simple poles and the derivative of another rational function. In this work, we extend Hermite reduction to arbitrary linear differential operators instead of the pure derivative, and develop efficient algorithms for this reduction. We then apply the generalized Hermite reduction to the computation of linear operators satisfied by single definite integrals of D-finite functions of several continuous or discrete parameters. The resulting algorithm is a generalization of reduction-based methods for creative telescoping.

The probabilistic behaviour of many data-structures, like the series-parallel graphs used as a running example in this tutorial, can be analysed very precisely, thanks to a set of high-level tools provided by Analytic Combinatorics, as described in the book by Flajolet and Sedgewick. In this framework, recursive combinatorial definitions lead to generating function equations from which efficient algorithms can be designed for enumeration, random generation and, to some extent, asymptotic analysis. With a focus on random generation, this tutorial given at STACS first covers the basics of Analytic Combinatorics and then describes the idea of Boltzmann sampling and its realisation. The tutorial addresses a broad TCS audience and no particular prior knowledge of analytic combinatorics is expected.

A lot of information concerning solutions of linear differential equations can be computed directly from the equation. It is therefore natural to consider these equations as a data-structure, from which mathematical properties can be computed. A variety of algorithms has thus been designed in recent years that do not aim at “solving”, but at computing with this representation. Many of these results are surveyed in this work.

Bosch (Germany) ordered from us some support for implementing complex numerical algorithms (participants: Claude-Pierre Jeannerod and Jean-Michel Muller).

Miruna Rosca and Radu Titiu are employees of BitDefender. Their PhDs are supervised by Damien Stehlé and Benoît Libert, respectively. Miruna Rosca works on the foundations of lattice-based cryptography, and Radu Titiu works on pseudo-random functions and functional encryption.

Adel Hamdi is doing his PhD with Orange Labs and is supervised by Fabien Laguillaumie. He is working on advanced encryption protocols for the cloud.

Dyna3S was a 2013-2018 ANR project headed by Valérie Berthé (IRIF, U. Paris 7). The web page of the project is https://

FastRelax stands for “Fast and Reliable Approximation”. It is a four-year ANR project (started in October 2014 and extended until September 2019). The web page of the project is http://

The aim of this project is to develop computer-aided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency. Applications to zero-finding, numerical quadrature or global optimization can all benefit from using our results as building blocks. We expect our work to initiate a “fast and reliable” trend in the symbolic-numeric community. This will be achieved by developing interactions between our fields, designing and implementing prototype libraries and applying our results to concrete problems originating in optimal control theory.

MetaLibm is a four-year project (started in October 2013 and extended until March 2018) focused on the design and implementation of code generators for mathematical functions and filters. The web page of the project is http://

ALAMBIC is a four-year project (started in October 2016) focused on the applications of cryptographic primitives with homomorphic or malleability properties. The web page of the project is https://

RISQ (Regroupement de l’Industrie française pour la Sécurité Post-Quantique) is a BPI-DGE four-year project (started in January 2017) focused on the transfer of post-quantum cryptography from academia to industrial products. The web page of the project is http://

Damien Stehlé was awarded an ERC Starting Grant for his project *Euclidean lattices: algorithms and cryptography* (LattAC) in 2013 (1.4Meur for 5 years from January 2014). The LattAC project aims at studying all computational aspects of lattices, from algorithms for manipulating them to applications. The main objective is to enable the rise of lattice-based cryptography.

PROMETHEUS (Privacy-Preserving Systems from Advanced Cryptographic Mechanisms Using Lattices) is a 4-year European H2020 project (call H2020-DS-2016-2017, Cybersecurity PPP Cryptography, DS-06-2017) that started in January 2018. It gathers 8 academic partners (ENS de Lyon and Université de Rennes 1; CWI, Netherlands; IDC Herzliya, Israel; Royal Holloway University of London, United Kingdom; Universitat Politècnica de Catalunya, Spain; Ruhr-Universität Bochum, Germany; Weizmann Institute, Israel) and 4 industrial partners (Orange, Thales, TNO, Scytl). The goal of this project is to develop a toolbox of privacy-preserving cryptographic algorithms and protocols (like group signatures, anonymous credentials, or digital cash systems) that resist quantum adversaries. Solutions will be mainly considered in the context of Euclidean lattices and they will be analyzed from a theoretical point of view (i.e., from a provable security aspect) and a practical angle (which covers the security of cryptographic implementations and side-channel leakages). The project is hosted by ENS de Lyon and Benoît Libert is the administrative coordinator while Orange is the scientific leader.

3-year project accepted in July 2018. Expected beginning on January 1, 2019. Benoît Libert is co-PI with Shweta Agrawal (IIT Madras, India). Budget on the French side amounts to 100k€.

Functional encryption is a paradigm that enables users to perform data mining and analysis on encrypted data. Users are provided cryptographic keys corresponding to particular functionalities which enable them to learn the output of the computation without learning anything about the input. Despite recent advances, efficient realizations of functional encryption are only available for restricted function families, which are typically represented by small-depth circuits: indeed, solutions for general functionalities are either way too inefficient for practical use or they rely on uncertain security foundations like the existence of circuit obfuscators (or both). This project will explore constructions based on well-studied hardness assumptions and which are closer to being usable in real-life applications. To this end, we will notably consider solutions supporting other models of computation than Boolean circuits – like Turing machines – which support variable-size inputs. In the context of particular functionalities, the project will aim for more efficient realizations that satisfy stronger security notions.

Vincent Lefèvre actively participated in the revision of the IEEE Standard for Floating-Point Arithmetic (IEEE 754) for 2019.

Lloyd Nicholas Trefethen, from Oxford University (UK), is an expert in numerical analysis and notably the systematic use of Chebyshev approximation. He spent the academic year 2017-2018 with AriC.

Warwick Tucker, from Uppsala University (Sweden), is an expert of certified computation for dynamical systems. He spent the academic year 2017-2018 with AriC.

Monosij Maitra, PhD student at IIT Madras (India) under the supervision of Shweta Agrawal, did a 2-month internship, in September and October 2018.

Joel Dahne did an internship with Bruno Salvy from May to July.

From November 15 to December 15, 2018, Benoît Libert visited the “Cryptography and Coding Research Group” of the Nanyang Technological University (Singapore).

From July 1 to July 31, 2018, Damien Stehlé visited the cryptography group of Prof. Jung Hee Cheon, at Seoul National University (South Korea).

Claude-Pierre Jeannerod and Gilles Villard organized the workshop "Structured Matrix Days" (May 14–15, ENS de Lyon, France).

Fabien Laguillaumie and Damien Stehlé organized the National Codes and Cryptography Days (Journées C2), in Aussois, France.

Nathalie Revol co-organized the "École Jeunes Chercheurs et Jeunes Chercheuses en Programmation" (June 25–28, ENS de Lyon, France).

Bruno Salvy is a co-chair of AofA'2019 (Analysis of Algorithms), in Luminy, France.

Chitchanok Chuengsatiansup was on the program committee of CRYPTO 2018.

Gottfried Herold was on the program committee of INDOCRYPT 2018.

Elena Kirshanova was on the program committee of INDOCRYPT 2018.

Benoît Libert was on the program committees of ACNS 2018, SCN 2018, Asiacrypt 2018 and PKC 2019.

Jean-Michel Muller was on the program committees of Arith'25 and ASAP'2018.

Alain Passelègue was on the program committee of PKC 2018.

Nathalie Revol was on the program committees of Arith'25, SCAN 2018 and Correctness 2018.

Bruno Salvy was on the program committee of AofA'2018, is on the program committee of FPSAC 2019, on the steering committee of AofA and on the scientific committee of OPSFA 2019.

Damien Stehlé was on the program committees of Eurocrypt 2018, SCN 2018, PQCrypto 2018 and PQCrypto 2019. He is on the steering committee of the PQCrypto conference series.

Fabien Laguillaumie was on the program committee of ACISP 2018.

Jean-Michel Muller is associate editor of the IEEE Transactions on Computers.

Nathalie Revol is a member of the editorial board of Reliable Computing.

Damien Stehlé is a member of the editorial board of the IACR Journal of Cryptology.

Bruno Salvy and Gilles Villard are members of the editorial board of Journal of Symbolic Computation.

Bruno Salvy is a member of the editorial board of the collection *Texts and Monographs in Symbolic Computation* (Springer) and was for 10 years on the editorial board of the *Journal of Algebra* (section Computational Algebra), which he left in March.

Claude-Pierre Jeannerod gave an invited talk *Recent results in fine-grained rounding error analysis* at the SCAN 2018 conference (Tokyo, September 10–15, 2018).

Jean-Michel Muller gave an invited talk *Arithmétique et précision des calculs sur ordinateurs* at the conference *Tous mesureurs, tous mesurés*, organised by the INSHS and INP Institutes of CNRS, Paris, October 18-19, 2018.

Benoît Libert gave an invited talk *New Applications of the Lossy Mode of LWE* at the *Chinacrypt 2018* conference, organised by the Chinese Association for Cryptologic Research (CACR) in Chengdu (China) on October 27-28, 2018.

Damien Stehlé gave an invited talk *On algebraic variants of the LWE problem* at the ICERM workshop *Computational Challenges in the Theory of Lattices*, Providence (RI), on April 23-28, 2018. He also gave an invited talk on the same topic at the *Cryptography and Algorithmic Number Theory* workshop, held in Caen on June 20-22, 2018.

Elena Kirshanova gave an invited talk *Sieving algorithms for the Shortest Vector Problem* at the *Joint Meeting of the Korean Mathematical Society and the German Mathematical Society*, held in Seoul, Korea, on October 3-6, 2018.

Gottfried Herold gave an invited talk *Sieving in Practice* at the *Joint Meeting of the Korean Mathematical Society and the German Mathematical Society*, held in Seoul, Korea, on October 3-6, 2018.

Jean-Michel Muller gave an invited talk *Make computer arithmetic great again* at a panel session on the future of computer arithmetic at Arith-25, June 25-27, 2018.

Bruno Salvy gave an invited tutorial talk at STACS'2018 on random generation of combinatorial structures.

Claude-Pierre Jeannerod was member of the scientific committee of JNCF (Journées Nationales de Calcul Formel). He was also a member of the recruitment committee for postdocs and sabbaticals at Inria Grenoble Rhône-Alpes.

Jean-Michel Muller is co-director of the *Groupement de Recherche Informatique Mathématique* (GDR IM) of CNRS; he chaired the HCERES evaluation committees of IRIF (UMR 8243, March 2018) and LIX (UMR 7161, October 2018); he is a member of the Scientific Council of CERFACS; he participated in the jury of the *Prix La Recherche* award in 2018.

Alain Passelègue is a member of the steering committee of the *Groupe de Travail Codage et Cryptographie* (GT-C2) of the GDR-IM.

Bruno Salvy was a member of the HCERES evaluation committee of IRIF.

Damien Stehlé was a member of the jury for *prix de thèse SIF*.

Gilles Villard is a member of the *Section 6* of the *Comité national de la recherche scientifique*.

Master: Claude-Pierre Jeannerod, Nathalie Revol, *Algorithmique numérique et fiabilité des calculs en arithmétique flottante* (24h), M2 ISFA (Institut de Science Financière et d'Assurances), Université Claude Bernard Lyon 1.

Master: Nicolas Brisebarre, Approximation Theory and Proof Assistants: Certified Computations, 18h, M2, ENS de Lyon, France

Master: Elena Kirshanova, Cryptanalysis, 18h, M2, ENS de Lyon, France

Master: Guillaume Hanrot, Cryptanalysis, 18h, M2, ENS de Lyon, France

Master: Damien Stehlé, Hard lattice problems, 36h, M2, ENS de Lyon, France

Post-graduate: Damien Stehlé, Hard lattice problems, 45h, Seoul National University, South Korea

Master: Elena Kirshanova, Computer Algebra, 10h, M1, ENS de Lyon, France

Master: Alexandre Wallet, Computer Algebra, 10h, M1, ENS de Lyon, France

Master: Guillaume Hanrot, Computer Algebra, 10h, M1, ENS de Lyon, France

Master: Bruno Salvy, Computer Algebra, 9h, MPRI, Paris, France

Master: Bruno Salvy, Logic and Complexity, 32h, École polytechnique, France

Master: Vincent Lefèvre, Computer arithmetic, 12h, M2 ISFA (Institut de Science Financière et d'Assurances), Université Claude Bernard Lyon 1.

Bachelor: Bruno Salvy, Design and Analysis of Algorithms, 15h, École polytechnique, France

Post-graduate: Bruno Salvy, Experimental Mathematics, 3h, Atelier jeunes chercheurs, St-Flour, France

Post-graduate: Bruno Salvy, Recent algorithms in symbolic summation and integration, 4h, Journées Louis Antoine, Rennes, France

Master: Fabien Laguillaumie, Cryptography, Security, Université Claude Bernard Lyon 1, 150h

Post-graduate: Fabien Laguillaumie, 2-party Computation and Homomorphic Encryption, 1h, École Cyber in Occitanie, France

PhD: Fabrice Mouhartem, Privacy-preserving cryptography from pairings and lattices, ENS de Lyon (UdL), 18/10/2018, Benoît Libert

PhD in progress: Radu Titiu, Pseudo-random functions and functional encryption from lattices, ENS de Lyon (UdL), 01/01/2017, Benoît Libert

PhD in progress: Chen Qian, Additively homomorphic encryption and its applications, ENS de Lyon (UdL), 01/09/2016, Benoît Libert

PhD: Weiqiang Wen, Contributions to the hardness foundations of lattice-based cryptography, ENS de Lyon (UdL), 01/09/2015, Damien Stehlé

PhD in progress: Miruna Rosca, Algebraic variants of the LWE problem, ENS de Lyon (UdL), 01/01/2017, Damien Stehlé

PhD in progress: Alice Pellet–Mary, Obfuscation cryptanalysis, ENS de Lyon (UdL), 01/09/2016, Damien Stehlé

PhD in progress: Huyen Nguyen, Mathematical foundations of lattice-based cryptography, ENS de Lyon (UdL), 01/09/2018, Damien Stehlé

PhD in progress: Florent Bréhard, Outils pour un calcul numérique certifié - Applications aux systèmes dynamiques et à la théorie du contrôle, ENS de Lyon (UdL), 01/09/2016, Nicolas Brisebarre, Mioara Joldeş (CNRS, LAAS) and Damien Pous (CNRS, LIP, Plume)

PhD in progress: Adel Hamdi, Chiffrement fonctionnel pour le traitement de données externes en aveugle, UCBL (UdL) & Orange, 07/12/2017, Sébastien Canard (Orange), Fabien Laguillaumie

PhD in progress: Ida Tucker, Conception de systèmes cryptographiques avancés reposant sur des briques homomorphes, ENS de Lyon (UdL) and Université de Bordeaux, 17/10/2017, Guilhem Castagnos (IMB, Université de Bordeaux), Fabien Laguillaumie

Benoît Libert: reviewer for the PhD thesis of Pierre-Alain Dupont, ENS, 29/08/2018.

Damien Stehlé: reviewer for the PhD thesis of Thomas Ricosset, ENSEEIHT, 12/11/2018; reviewer for the PhD thesis of Ilaria Chillotti, UVSQ, 17/05/2018; examiner for the PhD thesis of Rachel Player, Royal Holloway University of London, 19/03/2018; president for the PhD thesis of Guillaume Bonnoron, École nationale supérieure Mines-Télécom Atlantique Bretagne Pays de la Loire, 15/03/2018; jury member for the PhD thesis of Quentin Santos, ENS, 20/12/2018.

Bruno Salvy: member of the HdR committee of Guillaume Chapuy, IRIF, April and of Enrica Duchi, IRIF, November; reviewer for the PhD thesis of Pablo Rotondo, IRIF, September.

Fabien Laguillaumie: reviewer for the PhD theses of Raphaël Bost, Université Rennes 1, 08/01/2018; Xavier Bultel, Université Clermont Auvergne, 17/05/2018; Vincent Zucca, Sorbonne Université, 25/06/2018; and Quentin Santos, ENS, 20/12/2018.

Nathalie Revol: examiner for the PhD thesis of Romain Picot, Université Paris 6, 27/03/2018.

Nathalie Revol is a member of the editorial board of interstices; she belongs to the steering committee of MMI (Maison des Mathématiques et de l'Informatique, Lyon).

Bruno Salvy is “référent chercheur” for the Inria Grenoble Center.

Nathalie Revol belonged to the working group that elaborated the "7 families of computer science" playing cards.

Nathalie Revol taught "Dissemination of Scientific Knowledge", 10h, to the 4th year students (between Master and PhD) of ENS de Lyon, France. She has been invited to a panel about "Flashmob" type activities, at ESOF 2018 (EuroScience Open Forum), July 9–14, 2018, Toulouse, France.

Nathalie Revol works with DANE (Délégation Académique au Numérique dans l'Éducation) of Rectorat de Lyon towards educating primary school teachers, by educating educators. She has been invited to present her past activities, using educational robots, at 3es Rencontres Nationales de la Robotique Éducative, October 2–3, Lyon, France.

Laurent Grémy and Fabrice Mouhartem gave talks at *Fête de la Science* for a general audience. Nathalie Revol gave talks at *Fête de la Science* for 3 classes (9 years old, 11 years old and 13 years old).

As an incentive for high-school pupils, and especially girls, to choose scientific careers, Nathalie Revol gave talks at Lycée Ella Fitzgerald (Saint-Romain-en-Gal) and Mondial des Métiers (in February 2018).
With Jérôme Germoni and Natacha Portier, she organized a day *Filles & Info* in March 2018, gathering about 100 high-school girls of 1e S.
She was part of the panel discussing with the audience after the movie "Les figures de l’ombre - Hidden figures" at Comoedia cinema in Lyon in March 2018.

Damien Stehlé received at ENS de Lyon several winning teams of the Alkindi high-school competition. Alice Pellet–Mary and Fabrice Mouhartem gave talks at this event.