Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The mathematical objects we deal with are of utmost importance for the
applications to cryptology, as they are the background of the most widely
developed public-key cryptographic primitives, such as the RSA cryptosystem or the
Diffie–Hellman key exchange. The two facets of cryptology—cryptography
and cryptanalysis—are central to our research. The key challenges are
the assessment of the security of proposed cryptographic primitives,
through the study of the cornerstone problems, which are the integer
factorization and discrete logarithm problems, as well as the
optimization work in order to enable cryptographic implementations that
are both efficient *and* secure.

Among the research themes we set forth, two are guided by the most important mathematical objects used in today's cryptography, and the two others are rather guided by the technological background we use to address these problems.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.

One of the challenges we address here is point counting. In a wider perspective, we also study the link between abelian varieties over finite fields and principally polarized abelian varieties over fields of characteristic zero, together with their endomorphism ring. In particular, we work in the direction of making this link an effective one. We are also investigating various approaches for attacking the discrete logarithm problem in Jacobians of algebraic curves.

Arithmetic. Our work relies crucially on efficient arithmetic, be it for small or large sizes. We work on improving algorithms and implementations, for computations that are relevant to our application areas.

Polynomial systems. It is rather natural with algebraic curves, and occurs also in NFS-related contexts, that many important challenges can be represented via polynomial systems, which have structural specificities. We intend to develop algorithms and tools that, when possible, take advantage of these specificities.

We consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, parts of our research activity.

Public-key cryptography is our main application target. We are interested in the study of the cryptographic primitives that serve as a basis for the most widespread protocols.

Since the early days of public-key cryptography, and through the
practices and international standards that have been established for
several decades, the most widespread cryptographic primitives have been
the RSA cryptosystem, as well as the Diffie–Hellman key exchange using
multiplicative groups of finite fields. The level of security provided
by these cryptographic primitives is related to the hardness of the
underlying mathematical problems, which are integer factorization and the
discrete logarithm problem. The complexity of attacking them is known to
be subexponential in the public key size, and more precisely written as

This complexity is achieved with the Number Field
Sieve (NFS) algorithm and its many derivatives. This means that as the
desired security level

Software for NFS is obviously the entry point to computational records. Few complete NFS implementations exist, and their improvement is of crucial importance for better assessment of the hardness of the key cryptographic primitives considered. Here, “improvement” may be understood in many ways: better algorithms (outperforming the NFS algorithm as a whole is certainly a tremendous improvement, but replacing one of its numerous substeps is one, too), better implementations, better parallelization, or better adaptation to suitable hardware. The numerous sub-algorithms of NFS strongly depend on arithmetic efficiency. This concerns various mathematical objects, from integers and polynomials to ideals in number fields, lattices, or linear algebra.

Since the early 1990s, no new algorithm has improved on the complexity of
NFS. As it is used in practice, the algorithm has complexity

While it is relatively easy to set public key sizes for RSA or
Diffie–Hellman that are “just above” the reach of academic computing
power with NFS, the sensible cryptographic choice is to aim at security
parameters that are well above this feasibility limit, in
particular because assessing this limit precisely is in fact a very
difficult problem. In line with the security levels offered by symmetric
primitives such as AES-128, public key sizes should be chosen so that
with current algorithmic knowledge, an attacker would need at least

Since the mid-1980s, elliptic curves, and more generally Jacobians of algebraic curves, have been proposed as alternative mathematical settings for building cryptographic primitives.

The discrete logarithm problem in these groups is formidably hard, and in comparison to the situation with the traditional primitives mentioned above, the cryptanalysis algorithms are such that the appropriate public-key size grows only linearly with the desired security level: a 256-bit public key, using algebraic curves, is well suited to match the hardness of AES-128. This asset makes algebraic curves more attractive for the future of public-key cryptography.

Challenges related to algebraic curves in cryptology are rather various, and call for expertise in several areas. Suggesting curves to be used in the cryptographic context requires solving the point counting problem. This may be done by variants of the Schoof–Elkies–Atkin algorithm and its generalizations (which, in genus 2, require arithmetic modulo multivariate systems of equations), or alternatively the use of the complex multiplication method, a rich theory that opens the way to several problems in computational number theory.

The long-awaited transition from the legacy primitives to primitives based on curves is ready to happen, only circumstantially slowed down at present by the need to agree on a new set of elliptic curves (not because of any attack, but because of skepticism over how the currently widespread ones have been generated). The Internet Research Task Force completed a standardization proposal in 2015. In this context, the recommended curves are not of the complex multiplication family, and instead enjoy properties that allow fast implementation and avoid a few implementation difficulties. They are also naturally chosen to be immune to the few known attacks on the discrete logarithm problem for curves. No curve of genus 2 has made its way to the standardization process so far; however, one candidate exists for the 128-bit security level.

The discrete logarithm problem on curves is very hard. Some results were obtained however for curves over extension fields, using techniques such as the Weil descent, or the point decomposition problem. In this context, the algorithmic setup connects to polynomial system solving, fast arithmetic, and linear algebra.

Another possible route for transitioning away from RSA and finite field-based cryptography is suggested, namely the switch to the “post-quantum” cryptographic primitives. Public-key cryptographic primitives that rely on mathematical problems related to Euclidean lattices or coding theory have an advantage: they would resist the potential advent of a quantum computer. Research on these topics is quite active, and there is no doubt that when the efficiency challenges that are currently impeding their deployment are overcome, the standardization of some post-quantum cryptographic primitives will be a worthwhile addition to the general cryptographic portfolio. The NSA has recently devoted an intriguing position text to this topic (for a glimpse of some of the reactions within the academic community, the reference is useful). Post-quantum cryptography, as a research topic, is complementary to the topics we address most, which are NFS and algebraic curves. We are absolutely confident that, at the very least for the next decade, primitives based on integer factoring, finite fields, and algebraic curves will continue to hold the lion's share in the cryptographic landscape. We also expect that before the advent of standardized and widely developed post-quantum cryptographic primitives, the primitives based on algebraic curves will become dominant (despite the apparent restraint from the NSA on this move).

We acknowledge that the focus on cryptographic primitives is part of a larger picture. Cryptographic primitives are part of cryptographic protocols, which eventually become part of cryptographic software. All these steps constitute research topics in their own right, and need to be scrutinized (as part of independent research efforts) in order to be considered as dependable building blocks. This being said, the interplay of the different aspects, from primitives to protocols, sometimes spawns very interesting and fruitful collaborations. A very good example of this is the LogJam attack.

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered during the 2014–2016 period, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would
hardly be possible without access to a dependable software
implementation. To this end, members of the CARAMBA team have been
developing the Cado-NFS software suite since 2007. Cado-NFS is now the
most widely visible open source implementation of NFS, and is a crucial
platform for developing prototype implementations for new ideas for the
many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and
follows an open development model, with publicly accessible development
repository and regular software releases. Competing free software
implementations exist, such as `msieve`, developed by J.
Papadopoulos. In Lausanne, T. Kleinjung develops his own code base, which
is unfortunately not public.

The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

Pursue the work on NFS, which entails in particular making it ready to tackle larger challenges. Several of the important computational steps of NFS that are currently identified as stumbling blocks will require algorithmic advances and implementation improvements. We will illustrate the importance of this work by computational records.

Work on the specific aspects of the computation of discrete logarithms in finite fields.

As a side topic, the application of the broad methodology of NFS to the treatment of “ideal lattices” and their use in cryptographic proposals based on Euclidean lattices is also relevant.

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters. As of 2016, the most widely used set of elliptic curves, the so-called NIST curves, are in the process of being replaced by a new set of candidate elliptic curves for future standardization. This is the topic of RFC 7748.

On the cryptanalytic side, the discrete logarithm problem on (Jacobians
of) curves has resisted all attempts for many years. Among the currently
active topics, the decomposition algorithms raise interesting problems
related to polynomial system solving, as do attempts to solve the
discrete logarithm problem on curves defined over binary fields. In
particular, while it is generally accepted that the so-called Koblitz
curves (base field extensions of curves defined over

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

Work on the practical realization of some of the rich mathematical theory behind algebraic curves. In particular, some of the fundamental mathematical objects have potentially important connections to the broad topic of cryptology: Abel-Jacobi map, Theta functions, computation of isogenies, computation of endomorphisms, complex multiplication.

Improve the point counting algorithms so as to be able to tackle larger problems. This includes significant work connected to polynomial systems.

Seek improvements on the computation of discrete logarithms on curves, including by identifying weak instances of this problem.

Since the recruiting of Marine Minier in September 2016 as a Professor at Université de Lorraine, and of Virginie Lallemand as a CNRS researcher in October 2018, a new research domain has emerged in the CARAMBA team: symmetric key cryptology. The aim is to design and analyze symmetric key cryptographic primitives focusing on the following particular aspects:

the use of constraint programming for the cryptanalysis, especially of block ciphers and the AES standard;

the design of lightweight cryptographic primitives well suited to constrained environments such as micro-controllers, wireless sensors, etc.;

white-box cryptography and software obfuscation methods to protect services execution on dedicated platforms.

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in the two previous application domains mentioned. However involved the mathematical objects considered may be, dealing with them first requires mastering more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, and GNU MPC do an excellent job for these, both for small and large sizes (we rarely, if ever, focus on small-precision floating-point data, which explains our lack of mention of libraries relevant to it).

Most of our involvement in subjects related to computer arithmetic is to
be understood in connection to our applications to the Number Field Sieve
and to abelian varieties. As such, much of the research work we envision
will appear as side-effects of developments in these contexts. On the
topic of arithmetic work *per se*:

We will seek algorithmic and practical improvements to the most basic algorithms. That includes for example the study of advanced algorithms for integer multiplication, and their practical reach.

We will continue to work on the arithmetic libraries in which we have crucial involvement, such as GNU MPFR, GNU MPC, GF2X, MPFQ, and also GMP-ECM.

Systems of polynomial equations have been part of the cryptographic landscape for quite some time, with applications to the cryptanalysis of block and stream ciphers, as well as multivariate cryptographic primitives.

Polynomial systems arising from cryptology are usually not generic, in the sense that they have some distinct structural properties, such as symmetries, or bi-linearity for example. During the last decades, several results have shown that identifying and exploiting these structures can lead to dedicated Gröbner basis algorithms that can achieve large speedups compared to generic implementations.

Solving polynomial systems is well done by existing software, and duplicating this effort is not relevant. However we develop test-bed open-source software for ideas relevant to the specific polynomial systems that arise in the context of our applications. The TinyGB software is our platform to test new ideas.

We aim to work on the topic of polynomial system solving in connection with our involvement in the aforementioned topics.

We have high expertise on Elliptic Curve Cryptography in general. On the narrower topic of the Elliptic Curve Discrete Logarithm Problem on small characteristic finite fields, the highly structured polynomial systems that are involved match well our expertise on the topic of polynomial systems. Once a very hot topic in 2015, activity on this precise problem seems to have slowed down. Yet, the conjunction of skills that we have may lead to results in this direction in the future.

The recent hiring of Marine Minier is likely to lead the team to study particular polynomial systems in contexts related to symmetric key cryptography.

More centered on polynomial systems *per se*, we will
mainly pursue the study of the specificities of the polynomial
systems that are strongly linked to our targeted applications,
and for which we have significant expertise. We also want to see these recent
results provide practical benefits compared to existing software,
in particular for systems relevant to cryptanalysis.

Our study of the Number Field Sieve family of algorithms aims at showing
how the threats underlying various supposedly hard problems are real. Our
record computations, as well as new algorithms, contribute to having a
scientifically accurate assessment of the feasibility limit for these
problems, given academic computing resources. The data we provide in this
way is a primary ingredient for government agencies whose purpose
includes guidance for the choice of appropriate cryptographic primitives.
For example the French ANSSI

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy compatibility trade-offs too lightly. Attacks such as LogJam are understood as being serious concerns thanks to our convincing proofs of concept. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our fast arithmetic contributions, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible source of inspiring material for others, it is again important that these be developed in a free and open-source development model.

Several invited talks: Pierrick Gaudry was an invited speaker
at the ECC 2018 workshop (Osaka, Japan); Emmanuel Thomé was an invited speaker at the ANTS-XIII conference in
Madison, WI, USA (The biennial ANTS conference is the main
international conference on algorithmic number theory);
Paul Zimmermann was an invited speaker at the 75th anniversary
celebration of the journal *Mathematics of Computation*
(Providence, RI, USA).

Cécile Pierrot was awarded the DGA (Direction Générale de l'Armement) Prize from Florence Parly, the Minister of the Armed Forces, for her PhD Thesis.

*Belenios - Verifiable online voting system*

Keyword: E-voting

Functional Description: Belenios is an open-source online voting system that provides confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Confidentiality relies on the encryption of the votes and the distribution of the decryption key.

Belenios builds upon Helios, a voting protocol used in several elections. The main design enhancement of Belenios vs. Helios is that the ballot box can no longer add (fake) ballots, due to the use of credentials. Moreover, Belenios includes a practical threshold decryption system that allows splitting the decryption key among several authorities.
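The threshold decryption mentioned above (splitting the decryption key among several authorities so that no single one can decrypt) can be illustrated with a generic construction: Shamir secret sharing of an ElGamal private key, partial decryptions published by each authority, and Lagrange interpolation in the exponent. The block below is an added example and is not Belenios' own code or protocol; it uses a constructed toy group (P = 2039, Q = 1019, G = 4), a trusted dealer for key generation, exponential ElGamal so that ballots combine homomorphically into the tally, and a fixed random seed for reproducibility. It omits the credentials, zero-knowledge proofs and distributed key generation that a real system needs.

```python
import random

# Constructed toy group parameters for illustration only (far too small for
# real use): P = 2*Q + 1 with Q prime, and G = 4 generates the order-Q
# subgroup of quadratic residues mod P.
P = 2039
Q = 1019
G = 4


def shamir_share(secret, n, t, rng):
    """Split `secret` (in Z_Q) into n shares so that any t reconstruct it.
    Shares are f(1), ..., f(n) for a random degree-(t-1) polynomial f
    with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_coeff(i, indices):
    """Lagrange basis coefficient at 0 for share index i over `indices`, mod Q."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def keygen(n, t, rng):
    """Trusted-dealer key generation (a simplification: a real system generates
    the shared key in a distributed way). Returns h = G^x and the shares of x."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), shamir_share(x, n, t, rng)


def encrypt_vote(h, v, rng):
    """Exponential ElGamal: encrypt a 0/1 vote as (G^r, G^v * h^r), so that
    multiplying ciphertexts yields an encryption of the sum of the votes."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, v, P) * pow(h, r, P) % P


def aggregate(ciphertexts):
    """Homomorphically combine all ballots: the product encrypts the tally."""
    alpha, beta = 1, 1
    for a, b in ciphertexts:
        alpha, beta = alpha * a % P, beta * b % P
    return alpha, beta


def partial_decrypt(share, alpha):
    """Authority i publishes alpha^{s_i}; its share s_i never leaves the authority."""
    return pow(alpha, share, P)


def combine(partials, alpha, beta, max_tally):
    """Combine t partial decryptions into alpha^x by Lagrange interpolation in
    the exponent, then recover the tally T from G^T by searching the small
    range of possible tallies."""
    indices = list(partials)
    alpha_x = 1
    for i in indices:
        alpha_x = alpha_x * pow(partials[i], lagrange_coeff(i, indices), P) % P
    g_t = beta * pow(alpha_x, -1, P) % P
    for tally in range(max_tally + 1):
        if pow(G, tally, P) == g_t:
            return tally
    return None  # fewer than t consistent partial decryptions were supplied


def run_election(votes, n=3, t=2, authorities=(1, 3), seed=2018):
    """End-to-end toy election: n authorities, threshold t, decryption by the
    given subset of authorities. `seed` makes this constructed run deterministic."""
    rng = random.Random(seed)
    h, shares = keygen(n, t, rng)
    ballots = [encrypt_vote(h, v, rng) for v in votes]
    alpha, beta = aggregate(ballots)
    partials = {i: partial_decrypt(shares[i], alpha) for i in authorities}
    return combine(partials, alpha, beta, len(votes))


if __name__ == "__main__":
    # Constructed ballots: three "yes" votes out of five.
    print(run_election([1, 0, 1, 1, 0]))  # prints 3
```

The security point is that an authority only ever publishes `alpha^{s_i}`, never its share, and any subset of fewer than `t` authorities cannot produce `alpha^x`; with exponential ElGamal the authorities decrypt only the aggregated ciphertext, so individual ballots are never decrypted.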

News Of The Year: Since 2015, it has been used by CNRS for remote election among its councils (more than 30 elections every year) and since 2016, it has been used by Inria to elect representatives in the “comités de centre” of each Inria center. In 2018, it has been used to organize about 250 elections (not counting test elections). Belenios is typically used for elections in universities as well as in associations. This goes from laboratory councils (e.g. Irisa, Cran), scientific societies (e.g. SMAI) to various associations (e.g. FFBS - Fédération Française de Baseball et Softball, or SRFA - Société du Rat Francophone et de ses Amateurs).

In total in 2018, more than 13000 ballots have been cast using the voting platform Belenios.

Participants: Pierrick Gaudry, Stéphane Glondu and Véronique Cortier

Partners: CNRS - Inria

Contact: Stéphane Glondu

*Crible Algébrique: Distribution, Optimisation - Number Field Sieve*

Keywords: Cryptography - Number theory

Functional Description: CADO-NFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists of various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.

News Of The Year: The main program for relation collection now supports composite "special-q", and also parallelizes better. The memory footprint of the central step of linear algebra has been reduced, and the parallelism of this step has been improved.

Participants: Pierrick Gaudry, Emmanuel Thomé and Paul Zimmermann

Contact: Emmanuel Thomé

*RIemann-Roch spaces*

Keyword: Riemann-Roch spaces

Functional Description: The software rrspace implements an algorithm for computing a basis of the Riemann-Roch space associated to a divisor on a curve defined over a finite field. It also implements an algorithm for computing the group law in the Jacobian of such curves. The main algorithm is a variant of Brill-Noether's approach, designed during Aude Le Gluher's Master thesis.

Participants: Pierre-Jean Spaenlehauer and Aude Le Gluher

Contact: Pierre-Jean Spaenlehauer

The computational resources of Caramba have increased significantly in
2018. On the one hand, the CPER «CyberEntreprises» (French
Ministry of Research, Région Grand Est, Inria, CNRS) funded the
acquisition of a 64-node, 2,048-core cluster called `grvingt`.
This cluster is installed in the Inria facility. Other slightly older
hardware (a medium-size cluster called `grcinq` from 2013, funded
by ANR, and a special machine funded by the aforementioned
CPER grant) was moved in the same location to form a
coherent platform with about 3,000 CPU cores, 100 TB of storage, and
specific machines for RAM-demanding computation. As a whole, this
platform provides an excellent support for the computational part of the
work done in Caramba. This platform is also embedded in the larger
Grid'5000/Silecs platform (and accessible as a normal resource within
this platform). Technical administration is done by the Grid'5000
staff.

We improved in
the previous work on
speeding-up the first phase of the individual discrete logarithm computation,
the initial splitting, a.k.a. the smoothing phase.
We extended the algorithm to any non-prime
finite field

With the help of Karthik Bhargavan (Prosecco project-team),
we formally proved the correctness of the
`mpfr_add` code in the case where all inputs and the output have the
same precision, and this precision is less than one limb (i.e., less than
64 bits on modern computers).
The same approach was applied to the `mpfr_mul` code, but the proof of correctness was only partly completed.

Together with Claude-Pierre Jeannerod and Jean-Michel Muller (AriC project-team), we revisited in a unified way the classical algorithms to split a floating-point number in two parts, and some applications of these algorithms. Some new algorithms were also designed. This work was presented at the 25th IEEE Symposium on Computer Arithmetic.
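One of the classical splitting algorithms referred to above is Veltkamp's splitting, which cuts a binary64 number into a high part of at most 26 significant bits and an exact remainder, and whose best-known application is Dekker's exact product (a product plus an exactly representable error term). The block below is an added Python example of these two classical algorithms; it is not the code, nor the new algorithms, of the work described above. It assumes round-to-nearest binary64 arithmetic (Python's `float`) and inputs for which `C * x` does not overflow; `significant_bits` and `product_is_exact` are helpers written here to check the results.

```python
import math
from fractions import Fraction

# binary64 has p = 53 significand bits; Veltkamp's constant is C = 2^s + 1 with
# s = ceil(p/2) = 27, so the high part fits in p - s = 26 bits.
PRECISION = 53
SPLIT_CONSTANT = float(2 ** 27 + 1)


def veltkamp_split(x):
    """Return (hi, lo) with x == hi + lo exactly: hi holds at most 26 significant
    bits and lo is the exact remainder. Assumes C * x does not overflow."""
    gamma = SPLIT_CONSTANT * x
    hi = gamma - (gamma - x)
    lo = x - hi
    return hi, lo


def significant_bits(x):
    """Number of significant bits in the binary expansion of a float (0 for 0.0)."""
    if x == 0.0:
        return 0
    mantissa, _ = math.frexp(abs(x))       # mantissa in [0.5, 1)
    n = int(mantissa * 2 ** PRECISION)     # exact: scaling by a power of two
    while n % 2 == 0:                      # drop trailing zero bits
        n //= 2
    return n.bit_length()


def two_product(a, b):
    """Dekker's exact product: returns (p, e) with p = fl(a*b) and a*b == p + e
    exactly. Each partial product of two 26-bit halves fits in 53 bits, so the
    intermediate operations are exact (no overflow or underflow assumed)."""
    p = a * b
    ah, al = veltkamp_split(a)
    bh, bl = veltkamp_split(b)
    e = ((ah * bh - p) + ah * bl + al * bh) + al * bl
    return p, e


def product_is_exact(a, b):
    """Check a*b == p + e using exact rational arithmetic."""
    p, e = two_product(a, b)
    return Fraction(a) * Fraction(b) == Fraction(p) + Fraction(e)


if __name__ == "__main__":
    hi, lo = veltkamp_split(0.1)
    print(hi, lo, significant_bits(hi), significant_bits(lo))
    print(two_product(0.1, 0.2), product_is_exact(0.1, 0.2))
```

Running it shows that `0.1` (which uses 52 significant bits) splits into a 26-bit high part plus a small exact remainder, and that `two_product` recovers the rounding error of `0.1 * 0.2` exactly, which is the property compensated and double-word arithmetic builds on.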

Together with Frédéric Bihan (Université Savoie Mont Blanc) and Francisco Santos (Universidad de Cantabria), we investigated a version of Viro's method for constructing polynomial systems with many positive solutions, based on regular triangulations of the Newton polytope of the system. The number of positive solutions obtained with our method is governed by the size of the largest positively decorable subcomplex of the triangulation. Here, positive decorability is a property that we introduced and which is dual to being a subcomplex of some regular triangulation. Using this duality, we produced large positively decorable subcomplexes of the boundary complexes of cyclic polytopes. As a byproduct we obtained new lower bounds, some of them being the best currently known, for the maximal number of positive solutions of polynomial systems with prescribed numbers of monomials and variables. We also studied the asymptotics of these numbers and observed a log-concavity property.

In , we described a method improving on the
exhaustive search algorithm originally developed
in . We are able to compute new optimal
formulae for the short product modulo *Theoretical Computer Science* and is
tentatively accepted, pending minor revisions.

During these last six months, we prepared a submission to the NIST call dedicated to lightweight cryptography. The criteria required by this call are various and concern both small embedded micro-controllers and efficient hardware implementation with side-channel and fault-attack resistance. The proposal will be submitted by the call deadline, at the latest on Feb 25th, 2019.

We have training and consulting activities with the French Ministry of Defense.

Together with the PESTO team, we have a contract with the Docapost company, the purpose of which is to improve their e-voting solution by adding some verifiability properties and switching to elliptic curve cryptography.

In this contract handled in collaboration with the University of Bristol and the PESTO team, the goal is to audit and prove security properties of a new e-voting protocol called CHVote, to be used in a few cantons of Switzerland.

This contract with Orange Gardens at Chatillon-Montrouge is dedicated to the supervision of Sandra Rasoamiaramanana's PhD thesis about security in the white box context. The co-supervisor for Orange Gardens is Gilles Macario-rat.

This contract with Thales (Thales Communication & Security, Gennevilliers, subsidiary of Thales Group) is dedicated to the supervision of Simon Masson's PhD thesis about elliptic curves for bilinear and post-quantum cryptography. The co-supervisor for Thales is Olivier Bernard.

Program: CPER (Contrat de Plan État Région)

Project title: Cyber-Entreprises

Duration: 01/07/2015 - 31/12/2020

Coordinator: Emmanuel Thomé and Marc Jungers (CRAN)

Other partners: Inria, LORIA, CRAN, IECL, Centrale Supelec, LCFC.

Abstract: cf web site (in French only).

A high-performance computer cluster was funded by the CPER Cyber-entreprises project (Région Grand-Est, French Ministry of Research and Higher Education, Inria, CNRS). This cluster is also described in the paragraph on computational resources above.

Program: FUI (Fonds Unique Interministériel)

Project acronym: PACLIDO

Project title: Protocoles et Algorithmes Cryptographiques Légers pour l’Internet Des Objets

Duration: 12/2017 - 12/2020

Coordinator: Airbus Cybersecurity.

Other partners: Airbus Cybersecurity, LORIA-CNRS, Rtone, Trusted Objects, CEA, Sophia Engineering, Université de Limoges, Saint-Quentin-en-Yvelines.

This contract is dedicated to the definition of new lightweight cryptographic primitives for the IoT. See web site for a full presentation.

Paul Zimmermann co-organized two workshops on the development of the iRRAM, GNU MPFR and GNU MPC libraries: one in Dagstuhl in April, with 10 participants, and one in Trier in November, with 12 participants.

Paul Zimmermann also chaired
the organizing committee of the EJCIM
(*École Jeunes Chercheurs Informatique Mathématique*)
which took place in Nancy in 2018.

Emmanuel Thomé is a member of the scientific directorate of the Dagstuhl computer science seminar series.

Pierrick Gaudry is a member of the steering committee of the Workshop on Elliptic Curve Cryptography (ECC).

Paul Zimmermann was a member of the program committee of ANTS XIII (Thirteenth Algorithmic Number Theory Symposium, University of Wisconsin, Madison, WI, USA).

Virginie Lallemand is a member of the editorial board of the IACR Transactions on Symmetric Cryptology (ToSC) journal for 2018/2019. This journal is the open-access journal associated with the International Conference on Fast Software Encryption (FSE).

Marine Minier is a guest editor of the special issue of Workshop on Coding and Cryptography (WCC) in the journal Designs, Codes and Cryptography (DCC).

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

Emmanuel Thomé was invited to give a talk at the ANTS-XIII conference (Madison, WI, USA).

Marine Minier was invited to give a talk at the Journées Nationales du GT Codage & Cryptographie, Aussois, France.

Marine Minier was invited to give a talk at Journée “Protection du code et des données, obfuscation & whitebox cryptography”, Paris Saclay, France.

Paul Zimmermann was invited to give a talk at the topical workshop Celebrating 75 Years of Mathematics of Computation (ICERM, Providence, RI, USA).

Pierrick Gaudry was invited to give a talk at the 22nd Workshop on Elliptic Curve Cryptography (ECC 2018) in Osaka, Japan.

Jérémie Detrey chairs the *Commission des Utilisateurs
des Moyens Informatiques* (CUMI) of the Inria Nancy – Grand Est research
center.

Pierrick Gaudry is vice-head of the *Commission de
mention Informatique* of the *École doctorale IAEM* of
the University of Lorraine and is a member of the *Conseil Scientifique du GdR IM*.

He was:

member of the CoS, poste MCF number 27MCF1087, Université de Lorraine;

member of the CoS, poste PR number 25PR1054, Université de Lorraine;

member of the CoS, poste MCF number 25MCF4159, Université de Toulon.

Marine Minier is a member of the Collegium Sciences et Techniques of Université de Lorraine. She was:

president of the CoS, poste PR number 27PR1057, Université de Lorraine;

member of the CoS, poste MCF number 27MCF0403, Université de Grenoble;

member of the CoS, poste PR number 270001, École Navale de Brest;

member of the CoS, poste MCF number 27MCF4111, Université de Bretagne Sud.

Pierre-Jean Spaenlehauer is a member of the
*commission développement technologique* (CDT) of the
Inria Nancy Grand-Est research center.

Emmanuel Thomé

is a member of the management committee for the research project “CPER Cyberentreprises” (co-chair).

is a member of
the *Comité Local Hygiène,
Sécurité, et Conditions de Travail* of the Inria Nancy – Grand
Est research center.

chaired the hiring committee for the junior research positions (CR) at Inria Nancy.

Marion Videau

was a member of the hiring committee for the junior research positions (CR) at Inria Rennes.

Paul Zimmermann is a member of the Scientific Committee of the EXPLOR
*Mésocentre*, of the “groupe de réflexion”
*Calcul, Codage, Information* of the GDR-IM, of the
advisory board of the OpenDreamKit European project, and of the
scientific council of the LIRMM laboratory in Montpellier.

Licence: Cécile Pierrot, *Programmation avancée en Python - TCSS5AC*, 20 eq. TD,
L3, Ecole des Mines, Nancy, France.

Master: Cécile Pierrot, *Introduction à Latex*, 3 eq. TD, M1, Ecole des Mines, Nancy, France.

Licence: Jérémie Detrey, *Sécurité des applications Web*, 2 hours
(lecture), L1, Université de Lorraine, IUT Charlemagne, Nancy, France.

Licence: Aurore Guillevic,
*Méthodologie de conception et de programmation*,
16 eq. TD (24 TP), L1, Université de Lorraine, Nancy, France.

Formation Continue: Aurore Guillevic,
*Introduction à la cryptographie pour enseignants de l'option ISN
(informatique et sciences du numérique) en lycée*,
7 eq. TD, Espé de Lorraine (École supérieure du professorat et de l'éducation), Nancy, France.

Licence: Aurore Guillevic,
*Introduction to algorithms* (CSE103),
32 eq. TD, L1, École Polytechnique, Palaiseau, France.

Licence: Aurore Guillevic,
*Les bases de la programmation et de l'algorithmique* (INF411),
40 eq. TD, 2nd year, École Polytechnique, Palaiseau, France.

Master: Marine Minier, *Contrôle d'accès*, 40h eq. TD, M2 Informatique, Université de Lorraine,
Faculté des sciences et technologies, Vandœuvre-les-Nancy, France.

Master: Marine Minier, *Introduction à la
cryptographie*, 18h eq. TD, M1 Informatique, Université de Lorraine,
Faculté des sciences et technologies, Vandœuvre-les-Nancy, France.

Licence: Marine Minier, *Introduction à la sécurité et à la
cryptographie*, 10 hours (lectures) + 10 hours (tutorial sessions) + 10
hours (practical sessions), L3, Université de Lorraine, Faculté des
sciences et technologies, Vandœuvre-les-Nancy, France.

Licence: Marine Minier, *Mathématiques Discrètes*, 80h eq.
TD, L2, Université de Lorraine, Faculté des
sciences et technologies, Vandœuvre-les-Nancy, France.

Responsibility for the M2 SIRAV *Sécurité Informatique, Réseaux et Architectures Virtuelles* (30 students): Marine Minier. Université de Lorraine, Faculté des
sciences et technologies, Vandœuvre-les-Nancy, France.

Master: Emmanuel Thomé, *Protocoles de sécurité et
Vérification* (sub-part dedicated to cryptographic
primitives), 8h
(lectures) + 6h (tutorial sessions).

PhD: Simon Abelard, *Comptage de points de courbes algébriques sur
les corps finis et interactions avec les systèmes polynomiaux*, Université de
Lorraine. Defended 7 September 2018, Pierrick Gaudry and Pierre-Jean Spaenlehauer.

PhD: Svyatoslav Covanov,
*Algorithmes de multiplication : complexité bilinéaire et méthodes
asymptotiquement rapides*, Université de Lorraine. Defended 5 June 2018,
Emmanuel Thomé and Jérémie Detrey.

PhD in progress: Aude Le Gluher, *Analyse algorithmique fine et
simulation du crible algébrique*,
since Sep. 2018, Pierre-Jean Spaenlehauer and Emmanuel Thomé.

PhD in progress: Simon Masson, *Algorithmique des courbes destinées aux
contextes de la cryptographie bilinéaire et post-quantique*,
since Jan. 2018, Emmanuel Thomé and Aurore Guillevic.

PhD in progress: Gabrielle De Micheli, *Le logarithme discret
dans les corps finis*, since Oct. 2018, Cécile Pierrot and Pierrick
Gaudry.

PhD in progress: Paul Huynh, *Analyse et conception de chiffrements authentifiés à bas coût*, since Oct. 2017, Marine Minier.

PhD in progress: Sandra Rasoamiaramanana, *Délivrance de contextes sécurisés par des approches hybrides*,
since May 2017, Ph.D. CIFRE Orange Gardens, Marine Minier.

Pierrick Gaudry: reviewer of the PhD thesis *Arithmetic and
geometric structures in cryptography* defended by Benjamin
Wesolowski, October 2018, EPFL (Switzerland).

Marine Minier:

reviewer of the PhD thesis *Trust evaluation in secure architectures* defended by Jean-Baptiste Orfila, July 2018, Université Grenoble Alpes.

member of the PhD thesis jury for *Security analysis of
contactless communication protocols* defended by David Gérault, November 2018, Université Clermont Auvergne.

member of the PhD thesis jury for *Cryptanalysis of symmetric key algorithms* defended by Colin Chaigneau, November 2018, Université de Versailles.

*In books/journals for the general public.*

Paul Zimmermann coordinated (and largely contributed to) the translation
into English of the 2013 book *Calcul mathématique avec Sage*.
At the same time, the book was updated to a more recent version of the Sage
software tool. The resulting book will be published by SIAM at the end of
2018, while an electronic version will remain available under a Creative
Commons license.

*For online publications.*
Pierrick Gaudry co-authored a blog article about e-voting and the
Belenios tool.

*Interviews in order to popularize.*
Cécile Pierrot gave a radio interview on France Bleu about being a cryptographer.

*Videos.*
Cécile Pierrot worked with Accustica, a company which promotes
science popularization. A portrait was created for the exhibition “Les
filles, osez les sciences !”

Cécile Pierrot was invited to the exhibition “Les filles, osez les sciences !” to make teachers consider how to deconstruct gender stereotypes in (Computer) Science.

Pierrick Gaudry gave a talk about e-voting at the Académie des Sciences.

Emmanuel Thomé gave a talk for students of “classes préparatoires” in Nancy visiting the Inria Nancy research center, on the topic of trapdoored primes in cryptographic standards.

Paul Zimmermann participated in the *Maths-en-jeans* programme,
with a class from Lycée Vauban in Luxembourg.

Paul Zimmermann
(and Stéphane Glondu from the software development team SED)
participated in *Fête de la Science*
in October.

Cécile Pierrot co-organized and participated in *Ada Lovelace day*.

Cécile Pierrot gave a talk at Forum de l'Innovation des Armées 2018 about the discrete logarithm problem.

Cécile Pierrot led workshops for secondary-school pupils in Nancy, Reims and Toulouse about research in Computer Science.