OURAGAN proposes to focus on the transfer of computational algebraic methods to some related fields (computational geometry, topology, number theory, etc.) and to some carefully chosen application domains (robotics, control theory, evaluation of the security of cryptographic systems, etc.), which implies working equally on their use (modeling, know-how) and on the development of new algorithms. The latest breakthrough developments and applications where algebraic methods are currently decisive remain few and very targeted. We wish to help increase the impact of these methods, but also the number of domains where the use of computational algebraic methods represents a significant added value. This transfer-oriented positioning does not mean that we stop working on the algorithms; it simply sets the priorities.

An original aspect of the OURAGAN proposal is to blend into an environment of fundamental mathematics, at the Institut de Mathématiques de Jussieu – Paris Rive Gauche (IMJ-PRG CNRS 7586), and to be cross-functional to several teams (Algebraic Analysis, Complex Analysis and Geometry, Number Theory, to name only the main ones), which will be our first source of transfer of computational know-how. The success of this coupling allows us to maintain a strong theoretical basis, to measure objectively our transfer activity in the direction of mathematicians (in geometry, topology, number theory, etc.) and to consolidate the presence of Inria in some of the most theoretical scientific areas.

We propose two general directions with four particular targets:

Number Theory

Algorithmic Number Theory

Topology in small dimension

Character varieties

Knot theory

Computational geometry

These actions come, of course, in addition to the study and development of a common set of core elements of

Basic theory and algorithms in algebra and geometry [Led by Antoine Joux and Fabrice Rouillier].

This core activity is the invention and study of fundamental algebraic algorithms and objects that can be grouped into two categories: algorithms designed to operate on finite fields and algorithms running on fields of characteristic 0; with two types of computational strategies: exact computation and the use of approximate arithmetic (but with exact results). This mix also fosters joint studies between the various axes and is an original feature of the project-team. For example, many kinds of arithmetic tools around algebraic numbers have to face similar theoretical problems, such as finding a good representation for a number field; almost all problems related to the resolution of algebraic systems reduce to the study of varieties in small dimension and in particular, most of the time, to the effective computation of the topology of curves and surfaces, or to the certified drawing of non-algebraic functions over an algebraic variety.

The tools and objects developed for research on algorithmic number theory as well as in computational geometry apply quite directly to a selection of connected, challenging subjects:

Security of cryptographic systems

Control theory

Robotics

These applications will serve to evaluate the general tools we develop when they are used in a different context, in particular their ability to tackle state-of-the-art problems.

The basic computable objects and algorithms we study, use, optimize or develop are among the most classical ones in computer algebra and are studied by many people around the world: they mainly focus on basic computer arithmetic, linear algebra, lattices and polynomial system solving.

Our approach for tackling these basic problems, whose solution is important for the work of the whole team, is three-fold. First, for some selected problems, we propose and develop general algorithms (isolation of real roots of univariate polynomials, parametrizations of solutions of zero-dimensional polynomial systems, solutions of parametric equations, etc.). Second, for a selection of well-known problems, we propose different computational strategies (for example the use of approximate arithmetic to speed up the LLL algorithm or root isolators, while still certifying the final result). Last, we propose specialized variants of known algorithms optimized for a given problem (for example, dedicated solvers for degenerate bivariate polynomials to be used in the computation of the topology of plane curves).
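As an added illustration of the first point above (this is not the team's own solver, only example code written for this page), a minimal Descartes-based real root isolator over the rationals: the polynomial is first made square-free, then intervals are bisected until Descartes' rule of signs, applied after the Möbius transform that maps (0, 1) to the positive axis, certifies zero or exactly one root. The sample polynomials in the usage section are constructed for the example.

```python
from fractions import Fraction
from typing import List, Tuple

# A polynomial is a list of Fractions; index i holds the coefficient of x**i.
Poly = List[Fraction]

def normalize(p: Poly) -> Poly:
    """Drop zero leading coefficients so that len(p) - 1 is the degree."""
    p = [Fraction(c) for c in p]
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def evaluate(p: Poly, x: Fraction) -> Fraction:
    """Exact Horner evaluation."""
    acc = Fraction(0)
    for c in reversed(p):
        acc = acc * x + c
    return acc

def derivative(p: Poly) -> Poly:
    if len(p) < 2:
        return [Fraction(0)]
    return normalize([i * c for i, c in enumerate(p)][1:])

def divmod_poly(a: Poly, b: Poly) -> Tuple[Poly, Poly]:
    """Long division over the rationals: a = q*b + r with deg r < deg b."""
    a, b = normalize(a), normalize(b)
    if len(a) < len(b):
        return [Fraction(0)], a
    q = [Fraction(0)] * (len(a) - len(b) + 1)
    r = a[:]
    for i in range(len(a) - len(b), -1, -1):
        q[i] = r[i + len(b) - 1] / b[-1]
        for j, bc in enumerate(b):
            r[i + j] -= q[i] * bc
    return normalize(q), normalize(r[:len(b) - 1] or [Fraction(0)])

def gcd_poly(a: Poly, b: Poly) -> Poly:
    """Euclidean algorithm; the result is returned monic."""
    a, b = normalize(a), normalize(b)
    while not (len(b) == 1 and b[0] == 0):
        a, b = b, divmod_poly(a, b)[1]
    return [c / a[-1] for c in a]

def square_free_part(p: Poly) -> Poly:
    """p / gcd(p, p'): same roots as p, all simple (needed for termination)."""
    return divmod_poly(p, gcd_poly(p, derivative(p)))[0]

def sign_variations(p: Poly) -> int:
    signs = [c > 0 for c in p if c != 0]
    return sum(1 for s, t in zip(signs, signs[1:]) if s != t)

def taylor_shift(p: Poly, t: Fraction) -> Poly:
    """Coefficients of p(x + t), by repeated synthetic division by (x - t)."""
    c = p[:]
    n = len(c) - 1
    for i in range(n):
        for j in range(n - 1, i - 1, -1):
            c[j] += t * c[j + 1]
    return c

def descartes_bound_unit_interval(q: Poly) -> int:
    """Descartes' rule applied to (1+x)^n q(1/(1+x)): its sign variations bound
    the number of roots of q in (0, 1) and have the same parity as that number."""
    return sign_variations(taylor_shift(list(reversed(q)), Fraction(1)))

def isolate_real_roots(p: Poly) -> List[Tuple[Fraction, Fraction]]:
    """Disjoint intervals (a, b), each containing exactly one real root of p.
    A rational root hit at a subdivision point is reported as (r, r)."""
    p = normalize(p)
    if len(p) < 2:
        return []
    p = square_free_part(p)
    bound = 1 + max(abs(c / p[-1]) for c in p[:-1])  # Cauchy root bound
    out: List[Tuple[Fraction, Fraction]] = []

    def rec(a: Fraction, b: Fraction) -> None:
        # q(x) = p(a + (b - a) x): roots of p in (a, b) <-> roots of q in (0, 1)
        width = b - a
        q = [c * width ** i for i, c in enumerate(taylor_shift(p, a))]
        v = descartes_bound_unit_interval(q)
        if v == 0:
            return
        if v == 1:
            out.append((a, b))
            return
        m = (a + b) / 2
        if evaluate(p, m) == 0:
            out.append((m, m))
        rec(a, m)
        rec(m, b)

    rec(-bound, bound)
    return sorted(out)

if __name__ == "__main__":
    # Constructed samples: x^3 - 3x + 1 (three irrational roots) and (x-1)^2 (x+1).
    print(isolate_real_roots([1, -3, 0, 1]))
    print(isolate_real_roots([1, -1, -1, 1]))
```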

In the context of OURAGAN, it is important to avoid reinventing the wheel and to re-use existing objects and algorithms wherever possible. The main effort is focused on finding good formulations/models for an efficient use. However, on demand, we will propose implementations at many different levels. For example, for our ongoing work on hybrid strategies for LLL, mixing interval arithmetic and basic linear algebra operations, we have replaced our general reliable multiprecision interval arithmetic package (MPFI

In the activity of OURAGAN, many key objects or algorithms around the resolution of algebraic systems are developed within the team, such as the resolution of polynomials in one variable with real coefficients, rational parameterizations of solutions of zero-dimensional systems with rational coefficients, or discriminant varieties for solving systems depending on parameters.

For our studies in number theory and applications to the security of cryptographic systems, our team works on three categories of basic algorithms: discrete logarithm computations (for example to make progress on the computation of class groups in number fields), lattice reductions by means of LLL variants and, obviously, various computations in linear algebra, for example dedicated to *almost sparse* matrices.

These two directions of development are linked at several levels. For example, working with number fields, in particular finding good representations of number fields, leads to the same computational problems as working with roots of polynomial systems by means of triangular systems (towers of number fields) or rational parameterizations (a unique number field). Making any progress in one direction will probably have direct consequences for almost all the problems we want to tackle.

Several strategies are also shared between these directions, such as the use of approximate arithmetic to speed up certified computations. Sometimes these can also lead to improvements for a different purpose (for example, computations over the rationals, heavily used in geometry, can often be parallelized by combining computations in finite fields with fast Chinese remaindering and modular evaluations).

As a single highlighted example of this sharing of tools and strategies, the use of approximate arithmetic is common to the work on LLL (used in the evaluation of the security of cryptographic systems), the resolution of real-world algebraic systems (used in our applications in robotics and control theory), the computation of signs of trigonometric expressions used in knot theory, and the certified evaluation of dilogarithm functions on an algebraic variety for the computation of volumes of representations in our work in topology.

The frontiers between computable objects and algorithms (above section), computational number theory and applications to the security of cryptographic systems are very porous. This union of research fields is mainly driven by algorithmic improvements for solving presumably hard problems relevant to cryptography, such as the computation of discrete logarithms, the resolution of hard subset-sum problems, the decoding of random binary codes and the search for close and short vectors in lattices. While factorization and discrete logarithm problems have a long history in cryptography, the recent post-quantum cryptosystems introduce a new variety of presumably hard problems/objects/algorithms with cryptographic relevance: the shortest vector problem (SVP), the closest vector problem (CVP) or the computation of isogenies between elliptic curves, especially in the supersingular case.

Solving the discrete logarithm problem in finite fields is a key question for the security of Diffie-Hellman based cryptography and has been the focus of a lot of academic research over the past 40 years. It is one of the domains of expertise of the OURAGAN team.

Members of OURAGAN started working on the topic of discrete logarithms around 1998, with several computation records that were announced on the NMBRTHRY mailing list. In large characteristic, especially for the case of prime fields, the best current method is the number field sieve (NFS) algorithm. In particular, they published the first NFS-based record computation. Despite huge practical improvements, the prime field case algorithm hasn't really changed since that first record. Around the same time, we also presented a small-characteristic computation record based on simplifications of the Function Field Sieve (FFS) algorithm.

In 2006, important changes occurred concerning the FFS and NFS algorithms: while these algorithms only covered the extreme cases of constant characteristic and constant extension degree, two papers extended their ranges of applicability to all finite fields. At the same time, this permitted a big simplification of the FFS, removing the need for function fields.

Starting from 2012, new results appeared in small characteristic. Initially based on a simplification of the 2006 result, they quickly blossomed into the Frobenius representation methods, with quasi-polynomial time complexity. Recent progress has also been made in larger characteristic.

An interesting side-effect of this research was the need to revisit the key sizes of pairing-based cryptography. This type of cryptography is also a topic of interest for OURAGAN; in particular, it was introduced in 2000. Recent re-evaluations of the necessary key sizes, making use of an overview of the possible discrete logarithm constructions, are discussed.

The computation of *class groups in number fields* has strong links with the computation of discrete logarithms or factorizations using the NFS (number field sieve) strategy, which, as the name suggests, is based on the use of number fields. Roughly speaking, the NFS algorithm uses two number fields and the strategy consists in choosing number fields with small-sized coefficients in their defining polynomials. On the contrary, in class group computations there is a single number field, which is clearly a simplification, but this field is given as input by some fixed defining polynomial. Obviously, the degree of this polynomial as well as the size of its coefficients both influence the complexity of the computations, so that finding other polynomials representing the same class group but with a better characterization (degree or coefficient sizes) is a mathematical problem with direct practical consequences. We proposed a method to address the problem, but many issues remain open.

Computing generators of principal ideals of cyclotomic fields is also strongly related to the computation of class groups in number fields. Ideals in cyclotomic fields are used in a number of recent public-key cryptosystems. Among the difficult problems that ensure the security of these systems, there is one that consists in finding a small generator, if it exists, of an ideal. The case of cyclotomic fields is considered in our work.

We also use the computation of class numbers to search for examples and counter-examples for mathematical conjectures. For example, a study of cyclic cubic fields allowed progress in the study of Greenberg's conjecture.

Another classical problem in algorithmic number theory is smoothness testing, i.e. given an integer, decide whether all its prime factors are smaller than a given bound. The only subexponential algorithm for this is H. Lenstra's elliptic curve method. Many of the families of elliptic curves used here were found (according to the authors) by ad-hoc methods. We introduced a new point of view which allows one to rapidly produce a finite list of families guaranteed to contain the good families for the elliptic curve method of factorization.

There is a tradition of using computations and software to study and understand the topology of small-dimensional manifolds, going back at least to Thurston's works (and before him, Riley's pioneering work). The underlying philosophy of these tools is to build combinatorial models of manifolds (for example, the torus is often described as a square with an identification of the sides). For dimensions 2, 3 and 4, this approach is relevant and effective. In the team OURAGAN, we focus on dimension 3, where the manifolds are modeled by a finite number of tetrahedra with identification of the faces. The software SnapPy

This philosophy (modeling manifolds by quite simple combinatorial models to compute such complicated objects as representations of the fundamental group) was applied in a pioneering work of Falbel when he began to look for another type of geometry on 3-dimensional manifolds (called CR-spherical geometry). From a computational point of view, this change of objectives was a jump into the unknown: the theoretical justification for the computations was missing, and the number of variables of the systems was multiplied by four. So instead of a relatively small system that could be tackled by Newton methods and numerical approximations, we had to study relatively big systems (the smallest example having 8 variables of degree 6) with no a priori description of the solutions. This input from OURAGAN was needed and proved to be useful.

Still, the computable objects that appear from the theoretical study are very often outside the reach of automated computations and have to be handled case by case. A few experts around the world have been tackling this kind of computation (Dunfield, Goerner, Heusener, Porti, Tillman, Zickert) and the main current achievement is the *Ptolemy module*

From these early computational needs, topology in small dimension has historically been the source of collaboration with the IMJ-PRG laboratory. At the beginning, the goal was essentially to provide computational tools for finding geometric structures in triangulated 3-dimensional varieties. Triangulated varieties can be topologically encoded by a collection of tetrahedra with gluing constraints (this can be called a triangulation or mesh, but it is not an approximation of the variety by simple structures, rather a combinatorial model). Imposing a geometric structure on this combinatorial object defines a number of constraints that we can translate into an algebraic system, which we then have to solve to study geometric structures of the initial variety, for example by relying on the solutions to study representations of the fundamental group of the variety. For these studies, a large part of the computable objects or algorithms we develop are required, from the algorithms for univariate polynomials to systems depending on parameters. It should be noted that most of the computational work lies in the modeling of problems that have strictly no chance of being solved by blindly running the most powerful black boxes: we usually deal here with systems that have 24 to 64 variables, depend on 4 to 8 parameters and have degrees exceeding 10 in each variable. With an ANR *deformation variety*.

Recent developments around the Mahler measure lead to the study of new computable objects at the crossroads of geometry and number theory.

Knot theory is a wide area of mathematics. We are interested in polynomial representations of long knots, that is to say polynomial embeddings

Our activity in knot theory is a bridge between our work in computational geometry (topology and drawing of real space curves) and our work on topology in small dimensions (varieties defined as a knot complement). It was first established that any knot can be parameterized by Chebyshev polynomials; then we studied the properties of harmonic knots, which opened the way to effective computations. We were able to give an exhaustive, minimal and certified list of Chebyshev parameterizations of the first rational knots, using blind computations. On the other hand, we propose the identification of Chebyshev knot diagrams by developing new certified algorithms for computing trigonometric expressions, which was also the subject of Tran Cuong's PhD thesis at UPMC. These works share many tools with our action in visualization and computational geometry.

We made use of Chebyshev polynomials as well as Fibonacci polynomials, which are families of orthogonal polynomials. Considering the Alexander-Conway polynomials as continuant polynomials in the Fibonacci basis, we were able to give a partial answer to Hoste's conjecture on the roots of Alexander polynomials of alternating knots.

We study the lexicographic degree of the two-bridge knots, that is to say the minimal (multi)degree of a polynomial representation of a

The drawing of algebraic curves and surfaces is a critical action in OURAGAN since it is a key ingredient in numerous developments. For example, a certified plot of a discriminant variety could be the only admissible answer that can be proposed for engineering problems that need the resolution of parametric algebraic systems: this variety (and the connected components of its complement) defines a partition of the parameter space into regions above which the solutions are numerically stable and topologically simple.

For our action in Algorithmic Geometry, we are associated with the GAMBLE EPI (Inria Nancy Grand Est) with the aim of developing computational techniques for the study, plotting and topology of real algebraic curves and surfaces. The work involves the development of effective methods for the resolution of algebraic systems with 2 or 3 variables, which are the basic engines for computing the topology and/or plotting.

The development of basic computable objects is somehow *on demand* and depends on all the other directions. However, some critical computations are already known to be bottlenecks and are sources of constant efforts.

Computations with algebraic numbers appear in almost all our activities: when working with number fields in our work in algorithmic number theory, as well as in all the computations that involve the use of solutions of zero-dimensional systems of polynomial equations. Among the identified problems: finding good representations for single number fields (optimizing the size and degree of the defining polynomials), finding good representations for towers or products of number fields (typically working with a tower or finding a unique good extension), and efficiently computing in practice with number fields (using certified approximation vs. working with the formal description based on polynomial arithmetic). Strong efforts are currently being made to understand the various strategies by means of tight theoretical complexity studies, and many other efforts will be required to find the right representation for the right problem in practice. For example, for isolating critical points of plane algebraic curves, it is still unclear (at least the theoretical complexity cannot help) whether an intermediate formal parameterization is more efficient than a triangular decomposition of the system, and it is still unclear whether these intermediate computations could be dominated in time by the certified final approximation of the roots.

Concerning algorithmic number theory, the main problems we will be considering in the coming years are the following:

*Number fields.* We will continue working on the problems of class groups and generators. In particular, the existence and accessibility of *good* defining polynomials for a fixed number field remain very largely open. The impact of better polynomials on the algorithmic performance is a very important parameter, which makes this problem essential.

*Lattice reduction.* Despite a great amount of work in the past 35 years on the LLL algorithm and its successors, many open problems remain. We will continue the study of the use of interval arithmetic in this field and the analysis of variants of LLL along the lines of the *Potential*-LLL which provides improved reduction comparable to BKZ with a small block size but has better performance.

*Elliptic curves and Drinfeld modules.* The study of elliptic curves is a very fruitful area of number theory with many applications in cryptography and algorithms. Drinfeld modules are “cousins” of elliptic curves which have been less explored in an algorithmic context. However, some recent advances have used them to provide fast, sophisticated factoring algorithms. As a consequence, it is natural to include these objects in our research directions.

The brute force approach to computable objects from topology of small dimension will not allow any significant progress. As explained above, the systems that arise from these problems are simply outside the range of doable computations. We still continue the work in this direction by a four-fold approach, with all directions deeply inter-related. First, we focus on a couple of especially meaningful (for the applications) cases, in particular the 3-dimensional manifold called the Whitehead link complement. At this point, we are able to make steps in the computation and describe part of the solutions; we hope to be able to complete the computation by using every piece of information to simplify the system. Second, we continue the theoretical work to understand more properties of these systems. These properties may show how useful the resolution of such systems - or at least the extraction of meaningful information - is for the mathematical understanding. This approach is for example carried out by Falbel in his work on configurations of flags. Third, we position ourselves as experts in the know-how of this kind of computation and as natural interlocutors for colleagues coming up with a question on such a computable object. This also allows us to push forward the kind of computation we actually do and to make progress in the direction of the second point. We are credible interlocutors because our team has the blend of theoretical knowledge and computational capabilities that grants effective resolution of the problems we are presented with. And last, we use the knowledge already acquired to pursue our theoretical study of CR-spherical geometry.

Another direction of work is helping the community in experimental mathematics with new objects. It involves downsizing the system we are looking at (for example by going back to systems coming from hyperbolic geometry rather than CR-spherical geometry) and getting the most out of what we can compute, by studying new objects. An example of this research direction is the work of Guilloux around the volume function on deformation varieties. This is a real-analytic function defined on the varieties we specialized in computing. Being able to do effective computations with this function led first to a conjecture. Then, theoretical discussions around this conjecture led to a paper on a new approach to the Mahler measure of some 2-variable polynomials. In turn, this last paper gave a formula for the Mahler measure in terms of a function akin to the volume function, applied at points of an algebraic variety whose coordinates have modulus 1. The OURAGAN team has the expertise to compute all the objects appearing in this formula, opening the way to another area of application. This area is deeply linked with number theory as well as with topology of small dimension. It requires all the tools at OURAGAN's disposal.

We will carry on the exhaustive search for the lexicographic degrees for the rational knots. They correspond to trigonal space curves: computations in the braid group

On the other hand, a natural direction would be: given an explicit polynomial space curve, determine the under/over nature of the crossings when projecting, draw it and determine the known knot

As mentioned above, the drawing of algebraic curves and surfaces is a critical action in OURAGAN since it is a key ingredient in numerous developments. In some cases, one will need a fully certified study of the variety for deciding the existence of solutions (for example a region in a robot's parameter space with solutions to the DKP above, or deciding whether some variety crosses the unit polydisk for some stability problems in control theory); in some other cases, just a partial but certified approximation of a surface (path planning in robotics, evaluation of non-algebraic functions over an algebraic variety for volumes of knot complements in the study of character varieties).

On the one hand, we will contribute to general tools like ISOTOP

A particular effort will be devoted to the resolution of overconstrained bivariate systems, which are useful for the study of singular points, and to polynomial systems in 3 variables in the same spirit: avoiding the use of Gröbner bases and proposing a new algorithm with state-of-the-art complexity and good practical behavior.

In parallel, one will have to carefully study the drawing of graphs of non-algebraic functions over complex algebraic surfaces in order to provide several tools which are useful for mathematicians working on topology in small dimension (a well-known example is the drawing of amoebas, a way of representing a complex curve on a sheet of paper).

The study of the security of asymmetric cryptographic systems comes as an application of the work carried out in algorithmic number theory and revolves around the development and use of a small number of general-purpose algorithms (lattice reduction, class groups in number fields, discrete logarithms in finite fields, ...). For example, the computation of generators of principal ideals of cyclotomic fields can be seen as one of these applications, since these are used in a number of recent public-key cryptosystems.

The cryptographic community is currently very actively assessing the threat coming from the development of quantum computers. Indeed, such computers would permit tremendous progress on many number-theoretic problems such as factoring or discrete logarithm computations and would put the security of current cryptosystems at major risk. For this reason, there is a large global research effort dedicated to finding alternative methods of securing data. In particular, the US standardization agency NIST has recently launched a standardization process around this issue. In this context, OURAGAN is part of the competition and has submitted a candidate, also published in a paper. This method is based on number-theoretic ideas involving a new presumably difficult problem concerning the Hamming distance of integers modulo large Mersenne numbers.

Algebraic computations have been used tremendously in robotics, especially in kinematics, since the last quarter of the 20th century. For example, one can cite different proofs of the 40 possible solutions to the direct kinematics problem for Stewart platforms and companion experiments based on Gröbner basis computations. On the one hand, hard general kinematics problems involve too many variables for pure algebraic methods to be used in place of existing numerical or semi-numerical methods everywhere and every time; on the other hand, for some quite large classes, global algebraic studies allow one to propose exhaustive classifications that cannot be reached by other methods.

Robotics is a long-standing collaborative work with LS2N (Laboratory of Numerical Sciences of Nantes). Work has recently focused on the offline study of mechanisms, mostly parallel ones, their singularities or at least some types of singularities (cuspidal robots: cusps in the workspace).

For most parallel or serial manipulators, pose variables and joint variables are linked by algebraic equations and thus lie on an algebraic variety. The two kinematics problems (the direct kinematics problem - DKP - and the inverse kinematics problem - IKP) consist in studying the preimage of the projection of this algebraic variety onto a subset of the unknowns. Solving the DKP amounts to computing the possible positions for a given set of joint variable values, while solving the IKP amounts to computing the possible joint variable values for a given position. Algebraic methods have been used extensively in several situations for studying parallel and serial mechanisms, but in the end their use remains quite limited in the design process. Cylindrical Algebraic Decomposition coupled with variable eliminations by means of Gröbner-based computations can be used to model the workspace, the joint space and the computation of singularities. On the one hand, such methods struggle as soon as the number of parameters increases or the data are imprecise. On the other hand, when the problem can be handled, they might provide full and exhaustive classifications.
The tools we use in that context depend mainly on the resolution of parametric systems and therefore on the study of the resulting algebraic curves or surfaces (2 or 3 parameters), thus joining our thematic *Algorithmic Geometry*.

Many problems in control theory have been studied using general exact polynomial solvers in the past. One can cite the famous Routh-Hurwitz criterion (late 19th century) for the stability of a linear time-invariant (LTI) control system and its relation with Sturm sequences and the Cauchy index. However, most of the strategies used mostly involved tools for univariate polynomials and then tried to tackle multivariate problems recursively with respect to the variables. More recent work uses a mix of symbolic/numeric strategies, using semi-definite programming for classes of optimization problems or homotopy methods for some algebraic problems, but still very few practical experiments currently involve certified algebraic computations using general solvers for polynomial equations.
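As an added illustration of the univariate criterion mentioned above (example code written for this page, not from the report or from the OURAGAN/GAIA teams), the Routh array of a characteristic polynomial computed in exact rational arithmetic: the number of sign changes in its first column is the number of roots in the open right half-plane, so the system is stable exactly when there is none. The polynomials used, including the gain-dependent one s^3 + 3s^2 + 2s + K, are constructed for the example; only the regular case (no zero pivot) is handled.

```python
from fractions import Fraction
from typing import List

def routh_array(coeffs: List[Fraction]) -> List[List[Fraction]]:
    """Routh array of a_n s^n + ... + a_0, coefficients given highest degree first.
    Row k is the Sturm-like sequence built from the even and odd parts of the
    polynomial.  Only the regular case is handled: a zero pivot (which needs the
    epsilon or auxiliary-polynomial treatment) raises instead of guessing."""
    a = [Fraction(c) for c in coeffs]
    if not a or a[0] == 0:
        raise ValueError("leading coefficient must be non-zero")
    n = len(a) - 1
    width = n // 2 + 1

    def padded(row: List[Fraction]) -> List[Fraction]:
        return row + [Fraction(0)] * (width - len(row))

    rows = [padded(a[0::2]), padded(a[1::2])]   # rows for s^n and s^(n-1)
    for _ in range(n - 1):                       # rows for s^(n-2) ... s^0
        prev2, prev = rows[-2], rows[-1]
        if prev[0] == 0:
            raise ValueError("zero pivot: special Routh cases are not handled here")
        row = [(prev[0] * prev2[j + 1] - prev2[0] * prev[j + 1]) / prev[0]
               for j in range(width - 1)] + [Fraction(0)]
        rows.append(row)
    return rows

def rhp_root_count(coeffs: List[Fraction]) -> int:
    """Number of roots with positive real part (regular case only)."""
    col = [r[0] for r in routh_array(coeffs)]
    if any(x == 0 for x in col):
        raise ValueError("zero in first column: special Routh cases are not handled here")
    return sum(1 for x, y in zip(col, col[1:]) if (x > 0) != (y > 0))

def is_hurwitz_stable(coeffs: List[Fraction]) -> bool:
    """All roots in the open left half-plane <=> no sign change in the first column."""
    return rhp_root_count(coeffs) == 0

if __name__ == "__main__":
    # Constructed examples: (s+1)(s+2)(s+3) is stable, (s+3)(s^2-2s+5) has two RHP roots.
    print(is_hurwitz_stable([1, 6, 11, 6]), rhp_root_count([1, 1, -1, 15]))
    # Gain sweep for s^3 + 3s^2 + 2s + K: stable for 0 < K < 6, unstable beyond.
    for K in (1, 5, 7):
        print(K, is_hurwitz_stable([1, 3, 2, K]))
```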

Our work in control theory is a recent activity and it is done in collaboration with a group of specialists, the GAIA team, Inria Lille-Nord Europe. We started with a well-known problem, the study of the stability of differential delay systems and multidimensional systems, with an important observation: with a correct modeling, some recent algebraic methods, derived from our work in algorithmic geometry and shared with applications in robotics, now allow some previously impossible computations and lead to a better understanding of the problems to be solved. The field is porous to computer algebra since algebraic criteria of all kinds have long been available, but the technology seems stuck on a recursive use of one-variable methods, whereas our approach involves the direct processing of problems with a larger number of variables or variants.

The structural stability of

As computing Mahler measures is a well-known challenge in number theory and as computing volumes of knot complements is a critical objective for our research on character varieties, this result makes an original bridge between our two main research directions.

A key encapsulation mechanism named Mersenne-756839 has been submitted to the NIST call for standards on Post-Quantum Cryptography. This submission is a complement to the article presented in three invited lectures by Antoine Joux (JFLI (UMI CNRS) / Tokyo University, Nanyang Technological University, LATtice Crypto and Algorithms conference).

Our agreement with WATERLOO MAPLE INC. has been renewed for a two-year term in 2018. Our next objective is the diffusion of our new solver for univariate polynomials with real coefficients.

*Topology and geometry of planar algebraic curves*

Keywords: Topology - Curve plotting - Geometric computing

Functional Description: Isotop is a Maple software for computing the topology of an algebraic plane curve, that is, for computing an arrangement of polylines isotopic to the input curve. This problem is a necessary key step for computing arrangements of algebraic curves and has also applications for curve plotting. This software has been developed since 2007 in collaboration with F. Rouillier from Inria Paris - Rocquencourt.

News Of The Year: In 2018, an engineer from Inria Nancy (Benjamin Dexheimer) finished the implementation of the web server to improve the diffusion of our software.

Participants: Luis Penaranda, Marc Pouget and Sylvain Lazard

Contact: Marc Pouget

Publications: Rational Univariate Representations of Bivariate Systems and Applications - Separating Linear Forms for Bivariate Systems - On The Topology of Planar Algebraic Curves - New bivariate system solver and topology of algebraic curves - Improved algorithm for computing separating linear forms for bivariate systems - Solving bivariate systems using Rational Univariate Representations - On the topology of planar algebraic curves - On the topology of real algebraic plane curves - Bivariate triangular decompositions in the presence of asymptotes - Separating linear forms and Rational Univariate Representations of bivariate systems

Functional Description: Real root isolation for algebraic systems with rational coefficients and a finite number of complex roots.

Participant: Fabrice Rouillier

Contact: Fabrice Rouillier

*A New Descartes*

Keyword: Scientific computing

Functional Description: Computations of the real roots of univariate polynomials with rational coefficients.

Authors: Fabrice Rouillier, Alexander Kobel and Michael Sagraloff

Partner: Max Planck Institute for Software Systems

Contact: Fabrice Rouillier

Keywords: Robotics - Kinematics

Functional Description: Library of functions for certified computations of the properties of articulated mechanisms, in particular the study of their singularities.

Authors: Damien Chablat, Fabrice Rouillier, Guillaume Moroz and Philippe Wenger

Partner: LS2N

Contact: Guillaume Moroz

Keyword: Arithmetic

Functional Description: MPFI is a C library, built on MPFR and GMP, for multiple-precision floating-point arithmetic.

Contact: Fabrice Rouillier

A Chebyshev curve

Recent progress on NFS has imposed a new estimation of the security of pairings. In recent work, we study the best attacks against some of the most popular pairings. This allows us to propose new pairing-friendly curves with 128 bits and 192 bits of security.

Since their introduction in the late 90's, side-channel attacks have been considered a major threat against cryptographic implementations. This threat has raised the need for formal leakage models in which the security of implementations can be proved. At Eurocrypt 2013, Prouff and Rivain introduced the noisy leakage model, which has been argued to soundly capture the physical reality of power and electromagnetic leakages. In their work, they also provide the first formal security proof for a masking scheme in the noisy leakage model. However, their work has two important limitations: (i) the security proof relies on the existence of a leak-free component, and (ii) the tolerated amount of information in the leakage (aka the leakage rate) is of

The objective of our agreement with WATERLOO MAPLE INC. is to promote software developments to which we actively contribute.

On the one hand, WMI provides manpower, software licenses and technical support (development, documentation and testing) for the inclusion of our developments in their commercial products. On the other hand, OURAGAN offers perpetual licenses for the use of the concerned source code.

As past results of this agreement, one can cite our C library *RS* for the computation of the real solutions of zero-dimensional systems, or also our collaborative development around the Maple package *DV* for solving parametric systems of equations.

For this term, the agreement covers algorithms developed in areas including but not limited to: 1) solving of systems of polynomial equations, 2) validated numerical polynomial root finding, 3) computational geometry, 4) curves and surfaces topology, 5) parametric algebraic systems, 6) cylindrical algebraic decompositions, 7) robotics applications.

In particular, it covers our collaborative work with some of our partners, especially the Gamble Project-Team - Inria Nancy Grand Est.

Program: H2020-EU.1.1. - EXCELLENT SCIENCE - European Research Council (ERC)

Project acronym: Almacrypt

Project title: Algorithmic and Mathematical Cryptology

Duration: 01/2016 - 12/2010

Coordinator: Antoine Joux

Abstract: Cryptology is a foundation of information security in the digital world. Today's internet is protected by a form of cryptography based on complexity theoretic hardness assumptions. Ideally, they should be strong to ensure security and versatile to offer a wide range of functionalities and allow efficient implementations. However, these assumptions are largely untested and internet security could be built on sand. The main ambition of Almacrypt is to remedy this issue by challenging the assumptions through an advanced algorithmic analysis. In particular, this proposal questions the two pillars of public-key encryption: factoring and discrete logarithms. Recently, the PI contributed to show that in some cases, the discrete logarithm problem is considerably weaker than previously assumed. A main objective is to ponder the security of other cases of the discrete logarithm problem, including elliptic curves, and of factoring. We will study the generalization of the recent techniques and search for new algorithmic options with comparable or better efficiency. We will also study hardness assumptions based on codes and subset-sum, two candidates for post-quantum cryptography. We will consider the applicability of recent algorithmic and mathematical techniques to the resolution of the corresponding putative hard problems, refine the analysis of the algorithms and design new algorithm tools. Cryptology is not limited to the above assumptions: other hard problems have been proposed to aim at post-quantum security and/or to offer extra functionalities. Should the security of these other assumptions become critical, they would be added to Almacrypt's scope. They could also serve to demonstrate other applications of our algorithmic progress. In addition to its scientific goal, Almacrypt also aims at seeding a strengthened research community dedicated to algorithmic and mathematical cryptology.

CQT Singapore (UMI CNRS Majulab)

UFPA - Pará - Brazil (José Miguel Veloso)

Institut Joseph Fourier - Université Grenoble Alpes (Martin Deraux, V. Vitse and Pierre Will)

Max-Planck-Institut für Informatik - Saarbrücken - Germany (Michael Sagraloff)

Holon Institute of Technology, Israel (Jeremy Kaminsky)

Jeremy Kaminsky (Holon Institute of Technology, Israel). 3-month visitor in Ouragan, École Polytechnique (MAX) and École des Mines. Chateaubriand Fellow. Subjects: Control Theory, Algebraic Geometry and Computer Vision.

Antonin Guilloux is a co-organizer of the international conference Dynamics of Group Actions (Cetraro, May 2019)

Antoine Joux co-organized the Sprint Summer School *Post-Scryptum*

Antoine Joux co-organized *Crypto in the quantum age (STIAS)*

Antoine Joux was Program Chair of Africacrypt

Elisha Falbel is a member of the editorial board of *São Paulo Journal of Mathematical Sciences - Springer*

Antoine Joux is a member of the editorial board of *Designs, Codes and Cryptography*

Fabrice Rouillier is a member of the editorial board of *Journal of Symbolic Computation*

Antonin Guilloux is a reviewer for several journals, including the Duke Mathematical Journal.

Razvan Barbulescu is a reviewer for several cryptology conferences, including Eurocrypt and WAIFI.

Razvan Barbulescu, Cryptography and algorithmic number theory, June 2018, Caen

Elisha Falbel, Colloquium Heidelberg, June 2018, Heidelberg, Germany

Elisha Falbel, Representation varieties and geometric structures in low dimensions, July 2018, Warwick, UK

Elisha Falbel, Modern Trends in Differential Geometry, July 2018, São Paulo, Brazil

Antonin Guilloux, Computation in Geometric Topology, December 2017, Warwick, UK.

Antonin Guilloux, Mahler Measure and values of L-functions, August 2018, Copenhagen, Denmark.

Antoine Joux, JFLI (UMI CNRS) / Tokyo University, May 2018, Tokyo https://

Antoine Joux, Invited Lecture at the conference *Lattice crypto and algorithms*, May 2018, Bertinoro, Italy

Antoine Joux, The Mersenne Cryptosystem, Nanyang University, June 2018, Singapore

Fabrice Rouillier is a member of the scientific committee of the Indo-French Centre for Applied Mathematics

Elisha Falbel: courses in Algebra and Analysis, L1, Sorbonne Université.

Elisha Falbel: Course in Probability, L3, Polytech

Elisha Falbel: Introduction to Riemann surfaces, M1, Sorbonne Université.

Antonin Guilloux: Courses in General Mathematics, L1, Sorbonne Université.

Antonin Guilloux: Chair of L1 Mathematics at Sorbonne Université; leads the renewal of the L1 mathematics courses at Sorbonne Université for 2019.

Antonin Guilloux: Course in Hyperbolic geometry and character varieties, M2, Sorbonne Université.

Antoine Joux: Course on Techniques in Cryptography and Cryptanalysis, M2, Parisian Master of Research in Computer Science.

Pierre-Vincent Koseleff: Course on Applied Algebra, L3 for undergraduate students (6th semester), Sorbonne Université.

Pierre-Vincent Koseleff: Preparation for the agrégation in Mathematics, M2. General Chair and teacher. Sorbonne Université.

Fabrice Rouillier: Course in Algebraic Computations, M1, 24h, Sorbonne Université.

Fabrice Rouillier: Course in "Agrégation Option C", M2, 31h, Sorbonne Université.

Razvan Barbulescu: part of the MPRI course Arithmetic algorithms for cryptology, 6h

Razvan Barbulescu: 3 cryptology projects in Python

Razvan Barbulescu: exercise sessions for Algorithms and complexity, 30h

PhD in progress: Thomas Espitau, 09/2016, directed by Antoine Joux

PhD in progress: Natalia Kharchenko, 09/2016, directed by Antoine Joux

PhD in progress: Mahya Mehrabdollahei, 09/2018, directed by Antonin Guilloux and Fabrice Rouillier

PhD in progress: Sudarshan Shinde, 09/2016, directed by Razvan Barbulescu and Pierre-Vincent Koseleff

PhD in progress: Robin Timsit, 09/2015, directed by Elisha Falbel

Fabrice Rouillier was a reviewer of the PhD of Ruben Becker (Universität des Saarlandes)

Antonin Guilloux, jury member for the PhD thesis of Alexandre Bellis, *Étude topologique du flot horocyclique : le cas des surfaces géométriquement infinies* (Topological study of the horocyclic flow: the case of geometrically infinite surfaces). Supervisor: Françoise Dal'Bo.

Razvan Barbulescu is *chargé médiation* at IMJ-PRG

Razvan Barbulescu is a member of the steering committee of the association *Animath*

Fabrice Rouillier is *chargé de mission médiation* at Inria Paris

Fabrice Rouillier is a member of the editorial board of *Interstices*

Fabrice Rouillier is the president of the association *Animath*

Razvan Barbulescu co-organizes the *Alkindi*