GRACE has two broad application domains—cryptography and coding
theory—linked by a common foundation in
algorithmic number theory and the geometry of algebraic curves.
In our research, which combines theoretical work
with practical software development,
we use algebraic curves
to *create better cryptosystems*,
to *provide better security assessments*
for cryptographic key sizes,
and to *build the best error-correcting codes*.

Coding and cryptography deal (in different ways) with securing communication systems for high-level applications. In our research, the two domains are linked by the computational issues related to algebraic curves (over various fields) and arithmetic rings. These fundamental number-theoretic algorithms, at the crossroads of a rich area of mathematics and computer science, have already proven their relevance in public key cryptography, with industrial successes including the RSA cryptosystem and elliptic curve cryptography. It is less well-known that the same branches of mathematics can be used to build very good codes for error correction. While coding theory has traditionally had an electrical engineering flavour, recent developments in computer science have shed new light on coding theory, leading to new applications more central to computer science.

Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:

fundamental algorithms for integers and polynomials (including primality and factorization);

algorithms for finite fields (including discrete logarithms); and

algorithms for algebraic curves.

Clearly, we use computer algebra in many ways. Research in cryptology
has motivated a renewed interest in Algorithmic Number Theory in
recent decades, but the fundamental problems still exist *per
se*. Indeed, while the application of algorithmic number theory to
cryptanalysis is epitomized by factoring integers to break RSA
public keys, many other problems are relevant to various areas of
computer science. Roughly speaking, the problems of the cryptological
world are of bounded size, whereas Algorithmic Number Theory is also
concerned with asymptotic results.

Theme: Arithmetic Geometry: Curves and their Jacobians
*Arithmetic Geometry* is the meeting point of algebraic geometry and
number theory: that is, the study of geometric objects defined over
arithmetic number systems (such as the integers and finite fields).
The fundamental objects for our applications
in both coding theory and cryptology
are curves and their Jacobians over finite fields.

An algebraic *plane curve*

(Not every curve is planar—we may have more variables, and more
defining equations—but from an algorithmic point of view,
we can always reduce to the plane setting.)
The *genus* *Jacobian* of

The simplest curves with nontrivial Jacobians are
curves of genus 1,
known as *elliptic curves*;
they are typically defined by equations of the form

Theme: Curve-Based Cryptology

Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.

Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
*key*, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group

This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups

The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field

This is where Jacobians of algebraic curves come into their own.
First, no subexponential index-calculus algorithm is known for elliptic
curves or for Jacobians of genus 2 curves: in particular, from the point
of view of the DLP, a generic elliptic curve is currently *as
strong as* a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed
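The exchange described above, instantiated with the group of points of an elliptic curve, as an added example in Python; this is not code from the report or from GRACE's software. It uses the standard curve secp256k1 (the constants below are its published domain parameters) with a textbook affine group law, and it validates the peer's public point before deriving the secret: a point that is not on the curve, or not in the prime-order subgroup, must be rejected, otherwise the peer can mount an invalid-curve attack on the secret scalar. The double-and-add scalar multiplication is not constant-time, so the block illustrates the protocol structure, not a deployable implementation.

```python
import secrets

# Domain parameters of the standard curve secp256k1: y^2 = x^3 + 7 over GF(P).
# Any group with a hard DLP could be substituted; only the group law below changes.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G (cofactor 1)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity, identity element of the group


def on_curve(pt):
    """Affine point (x, y) with coordinates in GF(P) satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Chord-and-tangent group law in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1 (also covers y1 == 0)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add (not constant-time)."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def keygen():
    """Secret scalar in [1, N-1] and the public point [sk]G."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)


def valid_public_point(pt):
    """Reject the identity, off-curve points and points outside the order-N subgroup.
    The subgroup check is redundant on a cofactor-1 curve but essential elsewhere."""
    return pt is not INF and on_curve(pt) and mul(N, pt) is INF


def shared_secret(sk, peer_pub):
    """Alice computes [a]([b]G), Bob computes [b]([a]G); both obtain the same point."""
    if not valid_public_point(peer_pub):
        raise ValueError("peer public point rejected")
    s = mul(sk, peer_pub)
    return s[0]   # feed this into a KDF in practice; never use the raw coordinate as a key


if __name__ == "__main__":
    a_sk, a_pk = keygen()
    b_sk, b_pk = keygen()
    assert shared_secret(a_sk, b_pk) == shared_secret(b_sk, a_pk)
    print("shared secret agreed")
```

Only the constants and the group law change when another curve (or a genus 2 Jacobian) is used; the protocol and the validation step stay the same, which is the sense in which the curve is a drop-in cryptographic group.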

Theme: Coding theory

Coding theory originated with the idea of using redundancy in messages to protect against noise and errors. The last decade of the 20th century saw the success of so-called iterative decoding methods, which get very close to the Shannon capacity; the capacity of a given channel is the best achievable rate for reliable transmission. The consensus in the community is that this capacity is more easily approached with these iterative, probabilistic methods than with algebraic codes (such as Reed–Solomon codes).

However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random-noise setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst-case approach: under combinatorial restrictions on the noise (a bound on the number of corrupted symbols), the noise may be adversarial, and decoding still succeeds with strictly zero errors.

These considerations were renewed by the topic of list decoding after the breakthrough of Guruswami and Sudan at the end of the nineties. List decoding relaxes the uniqueness requirement of decoding, allowing a small list of candidates to be returned instead of a single codeword. List decoding can reach a rate close to the Shannon capacity, with zero failure probability and small lists, in the adversarial case. The method of Guruswami and Sudan enabled list decoding of most of the main algebraic codes, Reed–Solomon codes and Algebraic–Geometry (AG) codes, and of new related constructions, the “capacity-achieving list decodable codes”. These results open the way to applications on adversarial channels, which correspond to worst-case settings in the classical language of computer science.

Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are optimal for their length and dimension, they are very limited in length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes over the same alphabet, or for codes of the same length over a smaller alphabet (and thus faster underlying arithmetic).

From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.
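A worst-case decoder of the Hamming kind discussed above, as an added Python example that is not code from the report or from the Decoding library described later. A Reed–Solomon code over GF(257) is encoded by evaluating the message polynomial at n distinct field elements, which is exactly why its length cannot exceed the field size, and decoded with the Berlekamp–Welch algorithm. With n - k = 2t the decoder recovers the message exactly whatever t positions an adversary corrupts; when more symbols are corrupted it either fails explicitly or returns a codeword within distance t of the received word, never a silently wrong answer outside that radius.

```python
P = 257  # prime field GF(257): a Reed-Solomon code over it has length at most 257


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def rs_encode(msg, n):
    """Codeword = evaluations of the message polynomial at the points 0, 1, ..., n-1."""
    if not len(msg) <= n <= P:
        raise ValueError("need k <= n <= field size")
    return [poly_eval(msg, i) for i in range(n)]


def solve_mod_p(rows, ncols):
    """Gauss-Jordan over GF(P) on augmented rows [a_0 .. a_{ncols-1} | b].
    Returns one solution (free variables set to 0) or None if inconsistent."""
    rows = [r[:] for r in rows]
    m, r, pivots = len(rows), 0, []
    for c in range(ncols):
        piv = next((i for i in range(r, m) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(m):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % P for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(rows[i][ncols] for i in range(r, m)):
        return None
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = rows[i][ncols]
    return x


def poly_divmod(num, den):
    """Long division over GF(P); den must have a non-zero leading coefficient."""
    num = num[:]
    dn, dd = len(num) - 1, len(den) - 1
    if dn < dd:
        return [0], num
    q = [0] * (dn - dd + 1)
    inv = pow(den[-1], -1, P)
    for i in range(dn - dd, -1, -1):
        q[i] = num[i + dd] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num


def rs_decode(received, k):
    """Berlekamp-Welch: find a monic error locator E of degree t and Q of degree < k+t
    with Q(i) = r_i * E(i) at every position i; the message polynomial is then Q / E."""
    n = len(received)
    t = (n - k) // 2                      # worst-case number of correctable errors
    ncols = k + 2 * t                     # unknowns: q_0..q_{k+t-1}, e_0..e_{t-1}
    rows = []
    for i, r in enumerate(received):
        row = [pow(i, j, P) for j in range(k + t)]
        row += [(-r * pow(i, j, P)) % P for j in range(t)]
        row.append(r * pow(i, t, P) % P)  # the known monic term x^t moves to the right-hand side
        rows.append(row)
    sol = solve_mod_p(rows, ncols)
    if sol is None:
        return None
    Q, E = sol[:k + t], sol[k + t:] + [1]
    f, rem = poly_divmod(Q, E)
    if any(rem):
        return None                       # no codeword within distance t
    f = (f + [0] * k)[:k]
    errors = sum(a != b for a, b in zip(rs_encode(f, n), received))
    return f if errors <= t else None     # never answer outside the unique-decoding radius
```

Berlekamp–Welch is the unique-decoding baseline; the Guruswami–Sudan list decoder mentioned above keeps the same interpolation idea but interpolates a bivariate polynomial and returns every factor of low degree, which is how it decodes beyond t errors.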

Another area of Algebraic Coding Theory with which we are more recently concerned is that of Locally Decodable Codes. First introduced as a theoretical object, these codes are now beginning to find practical applications, most notably in cloud-based remote storage systems.

The *Internet of Things* (IoT) is the network and application
space formed by the millions of small, connected devices that are
increasingly present in our daily lives, and by the servers, clouds,
and apps that they communicate with.
This includes not only consumer devices such as smartphones,
household devices, and wearable technology,
but also an increasingly large proportion of our fundamental
civic infrastructure
(as is reflected by the increasing attention given to *Smart Cities*).

The IoT is therefore a massive, pervasive, and highly heterogeneous distributed computing system; a system that is mostly unprotected and insecure. Many of the devices are simply too small and underpowered to run the conventional cryptosystems that are standard for internet communications: even a minimalist TLS stack will often overwhelm the resources available on some small platforms. These limitations include small memory size, limited battery power, and low computational capacity. Not only are these devices harder to defend, but they are also much easier to attack: for example, these devices are generally extremely physically accessible (they must be, to fulfil their purpose), and this accessibility makes them extremely vulnerable to side-channel attacks.

Nevertheless, strong cryptography is essential to the future of IoT, precisely because these systems are so pervasive in our everyday lives, both individually (in our homes) and collectively (in our cities, industries, and urban infrastructure). We need strong cryptography to protect the personal and industrial data that these devices collect, process, and transmit; but we also need strong cryptography to ensure that devices and services can identify and authenticate themselves and each other with confidence. It is not enough to simply put secure systems in place; we must also develop reliable software update mechanisms, tailored to the needs and challenges of the IoT space.

While these technical challenges have been met, to some extent, for symmetric cryptosystems (which means that we have reasonable means of encrypting data and ensuring its integrity), they pose a massive problem for implementers of asymmetric cryptosystems (including key exchange, signatures, identification, and authentication). Efficient asymmetric cryptosystems have long been a research focus for GRACE, and our expertise in elliptic curve cryptosystems is of particular relevance for IoT, since these cryptosystems typically require the fewest memory and bandwidth resources.

Looking towards the future, the massive contemporary research effort in postquantum cryptosystems has so far mostly yielded systems even less suited to IoT than conventional asymmetric systems are. Nevertheless, there is some hope that postquantum security can be brought to some IoT devices, and we are hopeful that GRACE's strength in isogeny-based cryptography will have an impact here.

The team is concerned with several aspects of the reliability and security of cloud storage, addressed mainly with tools from coding theory. On the privacy side, we build protocols for so-called Private Information Retrieval, which enable a user to query a remote database for an entry without revealing the query. For instance, a user could query a service for stock quotes without revealing which company they are interested in. On the availability side, we study protocols for proofs of retrievability, which enable a user to get assurance that a huge file is still available on a remote server, with a low-bandwidth protocol that does not require downloading the whole file. For instance, in a peer-to-peer distributed storage system where nodes are rewarded for storing data, the nodes can be audited with proof-of-retrievability protocols to make sure they indeed hold the data.
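The audit just described, in its simplest spot-check form, as an added Python example; it is not the team's protocol. The client keeps only a MAC key and the block count, the server keeps the blocks with per-block tags, and each audit transfers a handful of randomly chosen blocks rather than the whole file. The block size and the sample file are constructed parameters. The detection probability function shows why a few dozen challenged blocks suffice to catch a server that dropped a noticeable fraction of the file; a server that drops only a tiny fraction is exactly the case erasure coding of the file is meant to cover.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64   # constructed parameter: bytes per file block


class PorClient:
    """Keeps only a MAC key and the block count; the file itself lives on the server."""

    def __init__(self, data, block_size=BLOCK_SIZE):
        self.key = secrets.token_bytes(32)
        self._blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
        self.n = len(self._blocks)

    def _tag(self, j, block):
        # the block index is bound into the tag so the server cannot answer with another block
        return hmac.new(self.key, j.to_bytes(8, "big") + block, hashlib.sha256).digest()

    def outsource(self):
        """Blocks and tags handed to the server; the local copy is dropped afterwards."""
        stored = [(b, self._tag(j, b)) for j, b in enumerate(self._blocks)]
        self._blocks = None
        return stored

    def challenge(self, c):
        """c distinct random block indices; bandwidth is c blocks, not the whole file."""
        return secrets.SystemRandom().sample(range(self.n), c)

    def verify(self, chal, response):
        if len(response) != len(chal):
            return False
        ok = True
        for j, item in zip(chal, response):
            if item is None:                       # server no longer has the block
                return False
            block, tag = item
            ok &= hmac.compare_digest(tag, self._tag(j, block))
        return ok


class PorServer:
    def __init__(self, stored):
        self.stored = list(stored)

    def respond(self, chal):
        return [self.stored[j] for j in chal]

    def lose(self, indices):
        """Simulate data loss, or a node that discarded blocks while still claiming the reward."""
        for j in indices:
            self.stored[j] = None


def detection_probability(n, lost, c):
    """Probability that a challenge of c distinct indices hits at least one of the
    `lost` missing blocks (hypergeometric), i.e. that the audit catches the loss."""
    p_miss = 1.0
    for i in range(c):
        p_miss *= (n - lost - i) / (n - i)
    return 1.0 - p_miss
```

With 40 blocks of which 4 are missing, 8 challenged blocks catch the loss with probability about 0.61, and repeated audits drive that towards 1; the coding-theoretic constructions the team studies pursue the same low-bandwidth guarantee with compressed responses instead of raw blocks.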

We investigate these problems with algebraic coding theory, mainly codes with locality (locally decodable codes, locally recoverable codes, and so on).
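The simplest concrete instance of encoding the database and then querying it through the local property of the code, as an added Python example; it is the classical two-server scheme built on the Hadamard code (locality 2), not the transversal-design or lifted-code protocols the team studies. Each server holds an identical copy of the database and receives a uniformly random subset of indices, so neither learns which entry is wanted; the guarantee is information-theoretic but assumes the two servers do not collude, and the upload is one bit per database entry, which is the cost that the sublinear-communication constructions reported below aim to reduce. The database contents are constructed.

```python
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PirServer:
    """One of two non-colluding servers holding an identical copy of the database.
    Its answer to a 0/1 mask is the XOR of the selected entries, i.e. the symbol of
    the Hadamard encoding of the database indexed by that mask."""

    def __init__(self, db):
        self.db = list(db)

    def answer(self, mask):
        acc = bytes(len(self.db[0]))
        for entry, selected in zip(self.db, mask):
            if selected:
                acc = xor_bytes(acc, entry)
        return acc


def make_queries(n, i):
    """A uniformly random mask S and S with bit i flipped: each mask alone is uniform,
    so a single server learns nothing about i; their symmetric difference is {i}."""
    s = [secrets.randbits(1) == 1 for _ in range(n)]
    s_prime = s[:]
    s_prime[i] = not s_prime[i]
    return s, s_prime


def pir_query(server1, server2, n, i):
    """The user XORs the two codeword symbols; every entry except x_i cancels.
    This is local decoding with locality 2: one entry from two codeword symbols."""
    q1, q2 = make_queries(n, i)
    return xor_bytes(server1.answer(q1), server2.answer(q2))


def colluding_view(q1, q2):
    """What two colluding servers can compute: the symmetric difference reveals i."""
    return [j for j, (a, b) in enumerate(zip(q1, q2)) if a != b]
```

The server-side work is a full pass over the database per query, and the user uploads n bits to each server; the protocols from transversal designs mentioned later in this report trade the replication and upload cost of this scheme against a richer code with the same local-decoding structure.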

The huge interest shown by companies in blockchains and cryptocurrencies has drawn the attention of mainstream industries to new, advanced uses of cryptography beyond confidentiality, integrity and authentication. In particular, zero-knowledge proofs, computation on encrypted data, and related tools are now revealing their potential in the blockchain context. Team Grace is investigating two topics in these areas: secure multiparty computation and so-called “STARKs”.

Secure multiparty computation enables several participants to compute a common function of data they each secretly own, without any participant revealing their data to the others. This area has seen great progress in recent years, and the cryptographic protocols are now mature enough for practical use. This topic is new to project-team Grace, and we will investigate it in the context of blockchains, through the lens of private “smart contracts”. A PhD student has been hired since October, funded by IRT System-X.
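The information-theoretically secure flavour of multiparty computation referred to later in this report (Shamir secret sharing over a prime field), as an added Python example that is not the team's code. The function computed is a sum, which needs no interaction beyond the initial sharing because Shamir shares are linear; the last function makes the secrecy guarantee concrete by constructing, from any t shares, the missing shares that would explain any chosen secret. The field size and the sample inputs are constructed.

```python
import secrets

P = (1 << 127) - 1   # prime field size; party inputs are integers reduced mod P


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def interpolate(points, x):
    """Lagrange: value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def share(secret, t, n):
    """Random polynomial of degree t with f(0) = secret; share i is (i, f(i)) for i = 1..n.
    Any t+1 shares determine the secret; t or fewer are independent of it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, poly_eval(coeffs, i)) for i in range(1, n + 1)]


def reconstruct(shares):
    return interpolate(shares, 0)


def secure_sum(inputs, t):
    """Each of the n parties shares its input among all parties; party j adds the shares
    it received (no interaction: the sharing is linear); any t+1 parties then reconstruct
    the sum, and nothing but the sum, since the sum of the polynomials has degree t."""
    n = len(inputs)
    dealt = [share(v, t, n) for v in inputs]                   # dealt[i][j]: party i's share for party j
    held = [[dealt[i][j] for i in range(n)] for j in range(n)]  # what party j receives
    summed = [(j + 1, sum(y for _, y in held[j]) % P) for j in range(n)]
    return reconstruct(summed[:t + 1])


def explain_any_secret(held_shares, candidate, n):
    """Given only t shares, return shares for the remaining parties that are consistent
    with the secret being `candidate`: t shares are equally consistent with every secret."""
    points = [(0, candidate % P)] + list(held_shares)
    known = {x for x, _ in held_shares}
    return [(i, interpolate(points, i)) for i in range(1, n + 1) if i not in known]
```

Multiplication of two shared values raises the degree to 2t and needs one round of interaction to reduce it again, which is where the real protocol work lies; the sum above shows only the linear part, which is also the part that a quantum adversary making classical queries gains nothing against.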

(ZK-)STARKs stands for “(Zero-Knowledge) Scalable Transparent ARguments of Knowledge”; they may or may not be zero-knowledge. These techniques yield short probabilistic proofs of the correctness of a program execution, which a verifier can check quickly without redoing the computation. This topic is close to the problem of computational integrity, and its theoretical foundations go back to the 1990s, which saw the formulation and proof of the celebrated PCP theorem. An equivalent protocol family, “SNARKs”, is well established and performant, and is promoted by the Zerocash protocol for anonymous cryptocurrency (it is also available in Ethereum); STARKs are seen as a future replacement for SNARKs, removing the trusted setup that SNARKs require. At the core of STARKs lie algebraic codes, mainly plain Reed–Solomon codes, and we will investigate replacements for Reed–Solomon codes that would allow more performant (shorter) STARKs.

*Algorithmic Coding Theory in Sage*

Functional Description: The aim of this project is to vastly improve the state of the error correcting library in Sage. The existing library does not present a good and usable API, and the provided algorithms are very basic, irrelevant, and outdated. We thus have two directions for improvement: renewing the APIs to make them actually usable by researchers, and incorporating efficient programs for decoding, like J. Nielsen's CodingLib, which contains many new algorithms.

Partner: Technical University Denmark

Contact: Daniel Augot

Keyword: Algebraic decoding

Functional Description: Decoding is a standalone C library. Its primary goal is to implement Guruswami–Sudan list decoding-related algorithms, as efficiently as possible. Its secondary goal is to give an efficient tool for the implementation of decoding algorithms (not necessarily list decoding algorithms) and their benchmarking.

Participant: Guillaume Quintin

Contact: Daniel Augot

Keyword: Cryptography

Functional Description: A competitive, high-speed, open implementation of the Diffie–Hellman protocol, targeting the 128-bit security level on Intel platforms. This download contains Magma files that demonstrate how to compute scalar multiplications on the x-line of an elliptic curve using endomorphisms. This accompanies the EuroCrypt 2014 paper by Costello, Hisil and Smith, the full version of which can be found here: http://eprint.iacr.org/2013/692 . The corresponding SUPERCOP-compatible crypto_dh application can be downloaded from http://hhisil.yasar.edu.tr/files/hisil20140318compact.tar.gz .

Participant: Benjamin Smith

Contact: Benjamin Smith

URL: http://

*Crible Algébrique: Distribution, Optimisation - Number Field Sieve*

Keywords: Cryptography - Number theory

Functional Description: CADO-NFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists of various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.

News Of The Year: The main program for relation collection now supports composite "special-q", and also parallelizes better. The memory footprint of the central step of linear algebra has been reduced, and the parallelism of this step has been improved.

Participants: Pierrick Gaudry, Emmanuel Thomé and Paul Zimmermann

Contact: Emmanuel Thomé

With the aim of reaching fast, linear-time algorithms for encoding
multiplicity codes, which have good local properties, N. Coxon had to
develop subalgorithms for Hermite interpolation, which in turn rely on
computer algebra for fast transforms over fields of characteristic
two. Locally decodable codes are used for
private information retrieval, where a database can be privately
queried by a user, in such a way that the user does not reveal their
query. Using codes with locality for private information retrieval,
the database is first encoded, then queried using the local property
of the code. Since the databases in question can be large, only
linear-time algorithms can be used. Our results achieve linear-time
complexity, and even with a non-aggressively optimized
implementation, can encode as much as

J. Lavauzelle continued his study of private information retrieval (PIR) protocols. First, he completed the construction of PIR protocols from transversal designs, initiated in 2017. Compared to existing protocols, the main benefit of the construction is to feature an optimal computational complexity for the servers. Sublinear communication complexity and negligible storage overhead can also be achieved for some particular instances.

Second, in joint work with R. Tajeddine, R. Freij-Hollanti and C. Hollanti from Aalto University (Finland), J. Lavauzelle considered the setting in which the database is encoded with an optimal regenerating code. Quantitatively, their construction of PIR protocols improves upon a recent work of Dorkson and Ng, for every non-trivial set of parameters.

In 2013, Guo, Kopparty and Sudan built a new family of locally
correctable codes from lifting, achieving an arbitrarily high
information rate for sublinear locality. J. Lavauzelle proposed an
analogue of this construction in projective
spaces . The parameters of this
construction are similar to the original work of Guo *et al.*
Intertwined relations between the two families of codes were proven
thanks to a careful analysis of their monomial bases. The
practicality of the construction was also established through an
implementation and a study of information sets and automorphisms of
the code.

Following the NIST call for post-quantum cryptography, A. Couvreur and E. Barelli designed a key recovery attack against a McEliece-like encryption scheme called DAGS.

In addition, in collaboration with Matthieu Lequesne and Jean-Pierre Tillich (Inria Paris, SECRET team), A. Couvreur designed an attack against another proposal called RLCE (Random Linear Code Encryption).

Despite the many advances in post-quantum cryptography in recent
years, efficient drop-in replacements for the classic
Diffie–Hellman key exchange algorithm have proven elusive. L. De Feo,
J. Kieffer, and B. Smith laid the algorithmic groundwork for
*commutative isogeny-based key exchange*
in ; this work became the basis of the
exciting new CSIDH proposal .

Integer factoring is an old topic, and the situation is as follows: in the classical world, we believe integer factoring is hard; the algorithms we have are quite powerful, though of subexponential complexity, and factor numbers of several hundred bits. In the quantum world, factoring is assumed to be easy (there exists a quantum polynomial-time algorithm), but this has never been experienced in practice, and the record is something like a few bits. F. Morain, helped by B. Smith and G. Renault (ANSSI), studied the theoretical problem of factoring integers given access to classical oracles, such as the Euler totient function. They were able to give some interesting classes of numbers that can be tackled this way, see .

Phase 2 has been finished, while a new phase, phase 3, has been negotiated between Inria and Nokia. Grace finished its work on fast algorithms for polynomials over fields of small characteristic, with applications to coding theory, multiplicity codes and private information retrieval. The new phase will fund a project on rank-metric codes for security and privacy in cloud storage (in collaboration with Gilles Zémor, Univ. Bordeaux).

A “research initiative” “BART” (Blockchain advanced research and
technologies) has been launched with three partners: Inria, Institut
Mines-Télécom, and System-X. This is funded by *Institut de
recherche* System-X, located in Paris-Saclay area, whose objective
is to connect industry and academia. A new PhD has been started,
with L. Benmouffok, hired in October 2018, whose topic is the use of secure
multiparty computation in blockchains.

MANTA (accepted July 2015, starting March 2016): “Curves, surfaces, codes and cryptography”. This project deals with applications of error-correcting codes to cryptography, multi-party computation, and complexity theory, using advanced topics in algebraic geometry and number theory. The kickoff was a one-week retreat in Dordogne (20 participants), and we had another four-day meeting in Saclay in November 2017. See http://anr-manta.inria.fr/.

Program: H2020

Project acronym: SPARTA

Project title: SPARTA

Duration: three years

Coordinator: CEA

Other partners: IMT, Inria, ANSSI

Abstract: Propose, test, validate and exploit the possible organizational, technological and operational setup of a cybersecurity competence network; produce a roadmap that includes targets to be achieved by the end of the project, as well as priorities to be addressed in the future by the Cybersecurity Competence Network; serve to align research, education and certification; build on and align existing roadmap efforts.

Title: Post-quantum cryptography for long-term security

Program: H2020

Duration: March 2015 - March 2018

Coordinator: TECHNISCHE UNIVERSITEIT EINDHOVEN

Partners:

Academia Sinica (Taiwan)

Bundesdruckerei (Germany)

Danmarks Tekniske Universitet (Denmark)

Katholieke Universiteit Leuven (Belgium)

Nxp Semiconductors Belgium Nv (Belgium)

Ruhr-Universitaet Bochum (Germany)

Stichting Katholieke Universiteit (Netherlands)

Coding Theory and Cryptology group, Technische Universiteit Eindhoven (Netherlands)

Technische Universitaet Darmstadt (Germany)

University of Haifa (Israel)

Inria contact: Nicolas Sendrier

Online security depends on a very few underlying cryptographic algorithms. Essentially all applications today are based on RSA or on the discrete-logarithm problem in finite fields or on elliptic curves. Cryptographers optimize parameter choices and implementation details for these systems and build protocols on top of these systems; cryptanalysts fine-tune attacks and establish exact security levels for these systems.

These systems are all broken as soon as large quantum computers are built. Long-term confidential documents such as patient health-care records and state secrets have to remain secure for many years, but information encrypted today using RSA or elliptic curves and stored until quantum computers are available will then be easy to decipher.

PQCRYPTO will allow users to switch to post-quantum cryptography: PQCRYPTO will design a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, with reference implementations.

Our team is engaged in WP3.3 “advanced applications for the cloud”. We plan to focus essentially on secure multiparty computation, in particular the information-theoretically secure constructions, which are naturally secure against a quantum computer that makes only classical queries. We will study whether these protocols still resist quantum queries. This work sub-package started in March 2015 and ended in March 2018.

D. Augot was in the program committee of FAB 2018, Foundations and Applications of Blockchain, Los Angeles.

D. Augot was in the program committee of WTSC 2018, Workshop on Trusted Smart Contracts, Curaçao.

D. Augot was in the program committee of WAIFI 2018, Workshop on the Arithmetic of Finite Fields, Bergen, Norway.

D. Augot was in the program committee of BCT 2018, International Workshop on Cryptocurrencies and Blockchain Technology, in conjunction with ESORICS 2018, Barcelona.

A. Couvreur was in the program committee of the *Journées
codes et cryptographie (C2) 2018*.

D. Augot: ISIT 2018 (International Symposium on Information Theory)

B. Smith: ANTS 2018, Indocrypt 2018, PKC 2019

F. Morain is member of the editorial board of the
*Applicable Algebra in Engineering, Communication and Computing*,
Springer.

With Thomas Johansson, Marine Minier, Faina Soloveva and Victor
Zinoviev, D. Augot is guest editor of a special issue of
*Designs, Codes and Cryptography*, devoted to WCC2017, Workshop
on Coding and Cryptography, St Petersburg, Russia.

A. Couvreur: Designs, Codes and Cryptography, Asiacrypt 2018, IEEE Transactions on Information Theory, Advances in Mathematics of Communications, etc.

J. Lavauzelle: Designs, Codes and Cryptography (special issue WCC 2017)

B. Smith: Designs, Codes, and Cryptography, Finite Fields and their Applications, Journal of the London Mathematical Society, Mathematics of Computation.

D. Augot was an invited speaker of the Munich Workshop on Coding and Cryptography (MWCC) 2018

D. Augot was an invited speaker at ACA 2018, Application of Computer Algebra, Santiago de Compostela

D. Augot was invited to Dagstuhl Seminar 18511, Algebraic Coding Theory for Networks, Storage, and Security, and gave a talk there.

B. Smith was an invited speaker at the *International
Workshop on the Arithmetic of Finite Fields (WAIFI 2018)* (Bergen,
Norway).

B. Smith was an invited speaker at the *Journées Codage et
Cryptographie 2018* (Aussois, France).

F. Levy-dit-Vehel demoed our Private Information Retrieval protocol at “FIC”, International Security Forum, Lille, January 2018.

D. Augot is member of the scientific committee of the C2-CCA seminar, held three or four times a year, with a France wide audience, and which is the seminar of “groupe de travail” C2 “codage et cryptographie” of the GDR IM “groupement de recherche informatique mathématique”.

D. Augot is leading the scientific committee of the blocksem seminar of Plateau de Saclay.

A. Couvreur was an evaluator for research grant attribution for the University of Crete.

F. Morain is vice-head of the Département d'informatique of Ecole Polytechnique; in charge of years 1 and 2 for Computer Science courses.

F. Morain is member of the Board of Master Parisien de Recherche en Informatique (MPRI).

A. Couvreur is member of Inria Saclay *Commission Scientifique*.

D. Augot was member of the jury for two Inria Grenoble Rhône-Alpes positions

D. Augot was member of the jury for a position at Institut Mines-Télécom.

Licence :

F. Morain, Lectures for INF311: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).

J. Lavauzelle,
*Éléments de programmation* (1I002), 13.5h, L1, Université Pierre et Marie Curie, France

A. Couvreur,
INF411 *Introduction à la programmation et à l'algorithmique*,
40h, L3, École Polytechnique,
France

B. Smith,
CSE101 *Introduction to Computer Programming*,
36h, L1, École polytechnique, France

Master :

F. Morain is the scientific leader of the
Graduate Degree *Cybersecurity: Threats and Defense* of École
Polytechnique.

A. Couvreur,
*Coding theory and application to cryptography*, 20h, M2,
MPRI (Université Paris VII, ENS Paris, ENS Cachan, École Polytechnique), France

F. Morain and A. Couvreur, INF558, *Introduction to cryptology*,
36h, M1, École Polytechnique.

B. Smith,
INF568 *Advanced Cryptography*, 36h, M1, École polytechnique

B. Smith and F. Morain,
*Algorithmes arithmétiques pour la cryptologie*, 20h, M2,
MPRI (Université Paris VII, ENS Paris, ENS Cachan, École Polytechnique), France

F. Levy-dit-Vehel, discrete maths, 21h, M1, ENSTA.

F. Levy-dit-Vehel, cryptography, 24h, M2, ENSTA.

Doctorat :

A. Couvreur, *Introduction to code based cryptography*, 6 hours.
Spring school *Post Scryptum*

PhD : J. Lavauzelle, *Codes à propriétés locales :
constructions et applications
à des protocoles cryptographiques*, Université Paris Saclay.

PhD : E. Barelli, *Étude de la sécurité de certaines clés compactes pour le schéma de McEliece utilisant des codes géométriques*,
Université Paris Saclay.

D. Augot, A. Couvreur, and F. Levy-dit-Vehel were on the jury of J. Lavauzelle's
PhD defense, on 30 November 2018 in Palaiseau: *Codes à propriétés locales : constructions et applications à des protocoles cryptographiques*

D. Augot and A. Couvreur were on the jury of E. Barelli's PhD
defense, on 10 December 2018 in Palaiseau: *Étude de la sécurité
de certaines clés compactes pour le schéma de McEliece utilisant
des codes géométriques*

D. Augot was on the committee of

Victor Cauchois, Thursday 13 December 2018, Rennes: *Couches de diffusion linéaires à partir de matrices MDS*

Sviat Covanov, 5 June 2018, Nancy: *Multiplication algorithms: algebraic
complexity and fast asymptotic methods*

Jonathan Detchart, 5 December 2018, Toulouse:
*Optimisation de codes correcteurs d’effacements par
application de transformées polynomiales*

D. Augot is a member of the “comité de pilotage” (steering committee) of the “BART” (Blockchain advanced research and technologies) research initiative, with Institut Mines-Télécom and System-X.

D. Augot was interviewed on blockchains by three representatives of the French National Assembly.

D. Augot was interviewed by “France Stratégie”, an institution attached to the Prime Minister to support forward thinking of the French government.

F. Levy-dit-Vehel demoed our Private Information Retrieval protocol with partitioned locally decodable codes