The main focus of the PolSys project is to solve systems of polynomial equations.

Our main objectives are:

**Fundamental Algorithms and Structured Systems.** The
objective is to propose fast exponential exact algorithms for
solving polynomial equations and to identify large classes of
structured polynomial systems which can be solved in polynomial
time.

**Solving Systems over the Reals and Applications.** For
positive dimensional systems, basic questions over the reals may be
very difficult (for instance, testing the existence of solutions)
but also very useful in applications (e.g. global optimization
problems). We plan to propose efficient algorithms and
implementations to address the most important issues: computing
sample points in the real solution sets, deciding whether two such sample
points can be path-connected and, as a long term objective,
performing quantifier elimination over the reals (computing a
quantifier-free formula which is equivalent to a given quantified
boolean formula of polynomial equations/inequalities).

**Dedicated Algebraic Computation and Linear Algebra.**
While linear algebra is a key step in the computation of Gröbner
bases, the matrices generated by the algorithms

**Solving Systems in Finite Fields, Applications in
Cryptology and Algebraic Number Theory.** We propose to develop a
systematic use of *structured systems* in Algebraic
Cryptanalysis. We want to improve the efficiency and to predict
the theoretical complexity of such attacks. We plan to demonstrate
the power of algebraic techniques in new areas of cryptography
such as Algebraic Number Theory (typically, in curve based
cryptography).

Polynomial system solving is a fundamental problem in Computer Algebra with many applications in cryptography, robotics, biology, error correcting codes, signal theory, ... Among all available methods for solving polynomial systems, the computation of Gröbner bases remains one of the most powerful and versatile, since it can be applied in the continuous case (rational coefficients) as well as in the discrete case (finite fields). Gröbner bases are also building blocks for higher level algorithms that compute real sample points in the solution set of polynomial systems, decide connectivity queries and perform quantifier elimination over the reals. The major challenge facing the designer or the user of such algorithms is the intrinsic exponential behaviour of the complexity of computing Gröbner bases. The current proposal is an attempt to tackle these issues in a number of different ways: improve the efficiency of the fundamental algorithms (even when the complexity is exponential), develop high performance implementations exploiting parallel computers, and investigate new classes of structured algebraic problems where the complexity drops to polynomial time.

Efficient algorithms
*A new efficient algorithm for computing Gröbner bases without reduction to zero (F5).* In Proceedings of ISSAC '02, pages 75-83, New York, NY, USA, 2002. ACM.

*(i)* developing dedicated linear algebra routines
performing the Gaussian elimination steps: this is precisely the
objective 2 described below;

*(ii)* generating smaller or
simpler matrices to which we will apply Gaussian elimination.

We
describe here our goals for the latter problem. First, we focus on
algorithms for computing a Gröbner basis of *general
polynomial systems*. Next, we present our goals on the
development of dedicated algorithms for computing Gröbner bases of
*structured polynomial systems* which arise in various
applications.

**Algorithms for general systems.** Several
degrees of freedom are available to the designer of a Gröbner
basis algorithm to generate the matrices occurring during the
computation. For instance, it would be desirable to obtain matrices
which would be almost triangular or very sparse. Such a goal can be
achieved by considering various interpretations of the

**Algorithms dedicated to structured
polynomial systems.** A complementary approach is to exploit the
structure of the input polynomials to design specific
algorithms. Very often, problems coming from applications are not
random but are highly structured. The specific nature of these
systems may vary a lot: some polynomial systems can be sparse (when
the number of terms in each equation is low), overdetermined (the
number of equations is larger than the number of variables),
invariant under the action of some finite groups, multi-linear (each
equation is linear w.r.t. one block of variables) or more
generally multihomogeneous. In each case, the ultimate goal is to
identify large classes of problems whose theoretical/practical
complexity drops and to propose in each case dedicated algorithms.

We shall develop algorithms for solving polynomial systems over complex/real numbers. Again, the goal is to extend significantly the range of reachable applications using algebraic techniques based on Gröbner bases and dedicated linear algebra routines. Targeted application domains are global optimization problems, stability of dynamical systems (e.g. arising in biology or in control theory) and theorem proving in computational geometry.

The following functionalities are those requested by end-users:

*(i)* deciding the emptiness of the real solution set of systems
of polynomial equations and inequalities,

*(ii)* quantifier
elimination over the reals or complex numbers,

*(iii)* answering connectivity queries for such real solution sets.

We will focus on these functionalities.

We will develop algorithms based on the so-called critical point
method to tackle systems of equations and inequalities (problem *(i)*). These techniques are based on solving 0-dimensional
polynomial systems encoding "critical points", which are defined by
the vanishing of minors of Jacobian matrices (with polynomial
entries). Since these systems are highly structured, the expected
results of Objectives 1 and 2 may allow us to obtain dramatic
improvements in the computation of Gröbner bases of such
polynomial systems. This will be the foundation of practically fast
implementations (based on singly exponential algorithms)
outperforming the current ones based on the historical Cylindrical
Algebraic Decomposition (CAD) algorithm (whose complexity is doubly
exponential in the number of variables). We will also develop
algorithms and implementations that allow us to analyze, at least
locally, the topology of solution sets in some specific
situations. A long-term goal is obviously to obtain an analysis of
the global topology.

Here, the primary objective is to focus on *dedicated*
algorithms and software for the linear algebra steps in Gröbner
bases computations and for problems arising in Number Theory. As
explained above, linear algebra is a key step in efficiently
computing Gröbner bases. It is then natural to develop
specific linear algebra algorithms and implementations to further
strengthen the existing software. Conversely, Gröbner bases
computation is often a key ingredient in higher level algorithms
from Algebraic Number Theory. In these cases, the algebraic problems
are very particular and specific. Hence dedicated Gröbner bases
algorithms and implementations would provide better efficiency.

**Dedicated linear algebra tools.**
The FGb library is
an efficient library for Gröbner bases computations which can be
used, for instance, via Maple. However, the library is
sequential. A goal of the project is to extend its efficiency to
current parallel architectures such as clusters of multi-processor
systems in order to tackle a broader class of problems for several
applications. Consequently, our first aim is to provide a durable,
long term software solution, which will be the successor of the
existing FGb library. To achieve this goal, we will first
develop a high performance linear algebra package (under the LGPL
license). This could be organized in the form of a collaborative
project between the members of the team. The objective is not to
develop a general library similar to the Linbox

Fast linear algebra packages would also benefit the transformation of a Gröbner basis of a zero-dimensional ideal with respect to a given monomial ordering into a Gröbner basis with respect to another ordering. In the generic case at least, the change of ordering is equivalent to the computation of the minimal polynomial of a so-called multiplication matrix. By taking into account the sparsity of this matrix, the computation of the Gröbner basis can be done more efficiently using a variant of the Wiedemann algorithm. Hence, our goal is also to obtain a dedicated high performance library for transforming (i.e. changing the ordering of) Gröbner bases.

**Dedicated algebraic tools for Algebraic
Number Theory.** Recent results in Algebraic Number Theory tend to
show that the computation of Gröbner bases is a key step toward
the resolution of difficult problems in this domain
(*Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem*, Journal of Symbolic Computation 44(12) (2009), pp. 1690-1702).

Here, we focus on solving polynomial systems over finite fields
(i.e. the discrete case) and the corresponding applications
(Cryptology, Error Correcting Codes, ...). Obviously this
objective can be seen as an application of the results of the two
previous objectives. However, we would like to emphasize that it is
also the source of new theoretical problems and practical
challenges. We propose to develop a systematic use of *structured systems* in *algebraic cryptanalysis*.

*(i)* So far, breaking a cryptosystem using algebraic
techniques could be summarized as modeling the problem by algebraic
equations and then computing a (usually time consuming) Gröbner
basis. A new trend in this field is to require a theoretical
complexity analysis. This is needed to explain the behavior of the
attack but also to help the designers of new cryptosystems to
propose parameters that are actually secure.

*(ii)* To assess the
security of several cryptosystems in symmetric cryptography (block
ciphers, hash functions, ...), a major difficulty is the size of
the systems involved for this type of attack. More specifically,
the bottleneck
is the size of the linear algebra problems generated during a
Gröbner basis computation.

The first objective is to build on the recent breakthrough in
attacking McEliece's cryptosystem: it is the first structural
weakness observed on one of the oldest public key cryptosystems. We
plan to develop a well founded framework for assessing the security
of public key cryptosystems based on coding theory from the
algebraic cryptanalysis point of view. The answer to this issue is
strongly related to the complexity of solving bihomogeneous systems
(of bidegree

Dedicated tools for the linear algebra problems generated during the Gröbner basis computation will be used in algebraic cryptanalysis. The promise of considerable algebraic computing power beyond the capability of any standard computer algebra system will enable us to attack various cryptosystems or at least to propose accurate secure parameters for several important cryptosystems. Dedicated linear algebra tools are thus needed to tackle these problems. From a theoretical perspective, we plan to further improve the theoretical complexity of the hybrid method and to investigate the problem of solving polynomial systems with noise, i.e. systems in which some equations are incorrect. The hybrid method is a specific method for solving polynomial systems over finite fields. The idea is to mix exhaustive search and Gröbner basis computation to take advantage of the over-determinacy of the resulting systems.

Polynomial systems with noise are currently emerging as a problem of major interest in cryptography. This problem is key to further developing new applications of algebraic techniques, typically in side-channel and statistical attacks. We also emphasize that a connection has recently been established between several classical lattice problems (such as the Shortest Vector Problem), polynomial system solving and polynomial systems with noise. The main issue is that there is no sound algorithmic and theoretical framework for solving polynomial systems with noise. The development of such a framework is a long-term objective.

Jean-Charles Faugère and Ludovic Perret received the Atos-Joseph Fourier 2018 prize.

Functional Description: Epsilon is a library of functions implemented in Maple and Java for polynomial elimination and decomposition with (geometric) applications.

Contact: Dongming Wang

Keywords: Gröbner bases - Nonlinear system - Computer algebra

Functional Description: FGb is a powerful software package for computing Gröbner bases. It includes the new generation of algorithms for computing Gröbner bases of polynomial systems (mainly the F4, F5 and FGLM algorithms). It is implemented in C/C++ (approximately 250000 lines); standalone servers are available on demand. Since 2006, FGb is dynamically linked with the Maple software (version 11 and higher) and is part of the official distribution of this software.

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Functional Description: Gröbner basis computation modulo p (p is a prime integer of 16 bits).

Participant: Jean-Charles Faugère

Contact: Jean-Charles Faugère

Functional Description: GBLA is an open source C library for linear algebra specialized for eliminating matrices generated during Gröbner basis computations in algorithms like F4 or F5.

Contact: Jean-Charles Faugère

Functional Description: Public-key cryptography system enabling the authentication of dematerialized data.

Authors: Jean-Charles Faugère and Ludovic Perret

Partner: UPMC

Contact: Jean-Charles Faugère

*Real Algebraic Geometry library*

Functional Description: RAGLib is a powerful library, written in Maple, dedicated to solving polynomial systems over the reals. It is based on the FGb library for computing Gröbner bases. It provides functionalities for deciding the emptiness of and/or computing sample points in the real solution sets of polynomial systems of equations and inequalities. This library provides implementations of the state-of-the-art algorithms with the currently best known asymptotic complexity for those problems.

Contact: Mohab Safey El Din

Keywords: Polynomial or analytical systems - Univariate polynomial - Real solving

Functional Description: The package RealCertify aims at providing a full suite of hybrid algorithms for computing certificates of non-negativity based on numerical software for solving linear matrix inequalities. The module univsos handles the univariate case and the module multivsos is designed for the multivariate case.

Contact: Mohab Safey El Din

URL: https://

Functional Description: SLV is a software package in C that provides routines for isolating (and subsequently refining) the real roots of univariate polynomials with integer or rational coefficients, based on subdivision algorithms and on the continued fraction expansion of real numbers. Special attention is given so that the package can handle polynomials whose degree is in the several thousands and whose coefficients have a size of hundreds of Megabytes. Currently the code consists of approx. 5000 lines.

Contact: Elias Tsigaridas

*Semidefinite Programming solved Exactly with Computational Tools of Real Algebra*

Keyword: Linear Matrix Inequalities

Functional Description: SPECTRA is a Maple library devoted to solving exactly Semi-Definite Programs. It can handle rank constraints on the solution. It is based on the FGb library for computing Gröbner bases and provides either certified numerical approximations of the solutions or exact representations thereof.

Contact: Mohab Safey El Din

One of the biggest open problems in computational algebra is the design of efficient algorithms for Gröbner basis computations that take into account the sparsity of the input polynomials. We can perform such computations in the case of unmixed polynomial systems, that is systems whose polynomials have the same support, using the approach of Faugère, Spaenlehauer, and Svartz [ISSAC'14]. In we present two algorithms for sparse Gröbner bases computations for mixed systems. The first one computes with mixed sparse systems and exploits the supports of the polynomials. Under regularity assumptions, it performs no reductions to zero. For mixed, square, and 0-dimensional multihomogeneous polynomial systems, we present a dedicated, and potentially more efficient, algorithm that exploits different algebraic properties and performs no reduction to zero. We give an explicit bound for the maximal degree appearing in the computations.

A fundamental problem in computational algebraic geometry is the computation
of the resultant. A central question is when and how to compute it
as the determinant of a matrix
whose elements are the coefficients of the input polynomials up to sign.
This problem is well understood for unmixed
multihomogeneous systems, that is for systems consisting of multihomogeneous
polynomials with the same support.
However, little is known for mixed systems,
that is for systems consisting of polynomials with different supports.
In we consider the computation of the
multihomogeneous resultant of
bilinear systems involving two different supports. We present a
constructive approach that expresses the resultant as the exact
determinant of a *Koszul resultant matrix*, that is a matrix
constructed from maps in the Koszul complex.
We exploit the resultant matrix to propose an algorithm to solve
such systems. In the process we extend the classical eigenvalues
and eigenvectors criterion to a more general setting. Our extension
of the eigenvalues criterion applies to a general class of matrices,
including the Sylvester-type and the Koszul-type ones.

Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding require guessing linear recurrence relations of a multivariate sequence.

Several algorithms solve this problem. The so-called Berlekamp–Massey–Sakata algorithm (1988) uses polynomial additions and shifts by a monomial. The Scalar-FGLM algorithm (2015) relies on linear algebra operations on a multi-Hankel matrix, a multivariate generalization of a Hankel matrix. The Artinian Gorenstein border basis algorithm (2017) uses a Gram-Schmidt process.
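As an added example (not code from the PolSys project or from the papers discussed here), the one-dimensional case that the multivariate algorithms above generalize: the Berlekamp–Massey algorithm over a prime field GF(p), recovering the shortest linear recurrence of a sequence from its first terms. The modulus and the two sample sequences (Fibonacci mod 101 and a small binary LFSR) are constructed for the demonstration.

```python
"""Berlekamp-Massey over GF(p): the univariate case of the guessing problem.

Added example, not code from the PolSys project. Given the first terms of a
sequence over a prime field GF(p), it returns the shortest linear recurrence
(connection polynomial) satisfied by the terms seen so far. The modulus and
the sample sequences below are constructed for the demonstration.
"""


def berlekamp_massey(seq, p):
    """Return C = [1, c1, ..., cL] with
        s[n] + c1*s[n-1] + ... + cL*s[n-L] == 0 (mod p)   for all n >= L,
    where L is the linear complexity of the prefix seq (shortest recurrence
    fitting the prefix; unique once len(seq) >= 2L)."""
    n = len(seq)
    C = [1] + [0] * n   # current connection polynomial, low degree first
    B = [1] + [0] * n   # connection polynomial before the last length change
    L = 0               # current recurrence length
    m = 1               # steps since the last length change
    b = 1               # discrepancy observed at the last length change
    for i in range(n):
        # discrepancy: how far C fails to predict seq[i] from the previous L terms
        d = seq[i]
        for j in range(1, L + 1):
            d = (d + C[j] * seq[i - j]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, -1, p) % p          # d / b in GF(p)
        for j in range(n + 1 - m):            # C(x) -= (d/b) * x^m * B(x)
            C[j + m] = (C[j + m] - coef * B[j]) % p
        if 2 * L <= i:
            # the recurrence had to grow: keep the old C for later corrections
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1]


def linear_complexity(seq, p):
    """Length of the shortest recurrence fitting seq over GF(p)."""
    return len(berlekamp_massey(seq, p)) - 1


def extend(prefix, C, p, count):
    """Run the recurrence C forward: append `count` terms to `prefix`."""
    L = len(C) - 1
    out = list(prefix)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt = (nxt - C[j] * out[-j]) % p
        out.append(nxt)
    return out


def relation_holds(seq, C, p):
    """Check s[n] + c1*s[n-1] + ... + cL*s[n-L] == 0 (mod p) for every n >= L."""
    L = len(C) - 1
    return all(sum(C[j] * seq[n - j] for j in range(L + 1)) % p == 0
               for n in range(L, len(seq)))


# Constructed samples: Fibonacci mod 101, and a binary LFSR with feedback
# s[n] = s[n-1] + s[n-4] (mod 2), i.e. characteristic polynomial x^4 + x + 1.
FIB_MOD_101 = [0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 43, 31, 74, 4]
LFSR_TAPS = [1, 1, 0, 0, 1]
LFSR_OUTPUT = extend([1, 0, 0, 0], LFSR_TAPS, 2, 16)   # 20 output bits

if __name__ == "__main__":
    C = berlekamp_massey(FIB_MOD_101, 101)
    print("Fibonacci mod 101:", C, "L =", len(C) - 1)   # [1, 100, 100], L = 2
    # 2L = 8 output bits already pin down the 4-bit LFSR's feedback polynomial,
    # which is why the linear complexity of a keystream is a standard check.
    print("LFSR from 8 bits:", berlekamp_massey(LFSR_OUTPUT[:8], 2))
    print("LFSR from 20 bits:", berlekamp_massey(LFSR_OUTPUT, 2))
```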

A key observation in the design of this algorithm is to work on the mirror of the truncated generating series allowing us to use polynomial arithmetic modulo a monomial ideal. It appears to have some similarities with Padé approximants of this mirror polynomial.

Finally, we give a partial solution to the transformation of this algorithm into an adaptive one.

As an addition to the paper published at the ISSAC conference, in , we give an adaptive variant of this algorithm taking into account the shape of the final Gröbner basis gradually as it is discovered. The main advantage of this algorithm is that its complexity in terms of operations and sequence queries only depends on the output Gröbner basis.

All these algorithms have been implemented in Maple and we report on our comparisons.

The Berlekamp–Massey–Sakata algorithm and the Scalar-FGLM algorithm both compute the ideal of relations of a multidimensional linear recurrent sequence.

Whenever querying a single sequence element is prohibitive, the bottleneck of these algorithms becomes the computation of all the needed sequence terms. As such, having adaptive variants of these algorithms, reducing the number of sequence queries, becomes mandatory.

A native adaptive variant of the Scalar-FGLM algorithm was presented by its authors, the so-called Adaptive Scalar-FGLM algorithm.

Then, we compare the two adaptive algorithms. We show that their behaviors differ in a way that it is not possible to tweak one of the algorithms in order to mimic exactly the behavior of the other. We detail precisely the differences and the similarities of both algorithms and conclude that in general the Adaptive Scalar-FGLM algorithm needs fewer queries and performs fewer basic operations than the Adaptive Berlekamp–Massey–Sakata algorithm.

We also show that these variants are always more efficient than the original algorithms.

In we present algorithmic, complexity and implementation results for
the problem of isolating the real roots of a univariate polynomial
in `MATHEMATICA` and we illustrate their efficiency over
various data sets.

The number of embeddings of minimally rigid graphs in *a priori* number of complex embeddings, where the
parameters correspond to edge lengths. To cope
with the huge dimension of the parameter space and find specializations of
the parameters that maximize the number of real embeddings, we
introduce a method based on coupler curves
that makes the sampling feasible for spatial minimally rigid
graphs.
Our methodology results in the first full classification of the
number of real embeddings of graphs with 7 vertices in

Computing the number of realizations of a minimally rigid graph is a notoriously difficult problem. Towards this goal, for graphs that are minimally rigid in the plane, we take advantage of a recently published algorithm, which is the fastest available method, although its complexity is still exponential. Combining computational results with the theory of constructing new rigid graphs by gluing, in we give a new lower bound on the maximal possible number of (complex) realizations for graphs with a given number of vertices. We extend these ideas to rigid graphs in three dimensions and we derive similar lower bounds, by exploiting data from extensive Gröbner basis computations.

Let

The positive semidefinite rank of a convex body

Let

It is well-known that every non-negative univariate real polynomial can be written as the sum of two polynomial squares with real coefficients. When one allows a weighted sum of finitely many squares instead of a sum of two squares, then one can choose all coefficients in the representation to lie in the field generated by the coefficients of the polynomial. In particular, this allows an effective treatment of polynomials with rational coefficients. In , we describe, analyze and compare, both from the theoretical and practical points of view, two algorithms computing such a weighted sum of squares decomposition for univariate polynomials with rational coefficients. The first algorithm, due to the third author, relies on real root isolation, quadratic approximations of positive polynomials and square-free decomposition, but its complexity was not analyzed. We provide bit complexity estimates, both on the runtime and the output size of this algorithm. They are exponential in the degree of the input univariate polynomial and linear in the maximum bitsize of its complexity. This analysis is obtained using quantifier elimination and root isolation bounds. The second algorithm, due to Chevillard, Harrison, Joldes and Lauter, relies on complex root isolation and square-free decomposition and has been introduced for certifying positiveness of polynomials in the context of computer arithmetics. Again, its complexity was not analyzed. We provide bit complexity estimates, both on the runtime and the output size of this algorithm, which are polynomial in the degree of the input polynomial and linear in the maximum bitsize of its complexity. This analysis is obtained using Vieta's formula and root isolation bounds. Finally, we report on our implementations of both algorithms and compare them in practice on several application benchmarks. While the second algorithm is, as expected from the complexity result, more efficient on most examples, we exhibit families of non-negative polynomials for which the first algorithm is better.

We consider the problem of finding exact sums of squares (SOS) decompositions for certain classes of non-negative multivariate polynomials, relying on semidefinite programming (SDP) solvers. In we start by providing a hybrid numeric-symbolic algorithm computing exact rational SOS decompositions for polynomials lying in the interior of the SOS cone. It computes an approximate SOS decomposition for a perturbation of the input polynomial with an arbitrary-precision SDP solver. An exact SOS decomposition is obtained thanks to the perturbation terms. We prove that bit complexity estimates on output size and runtime are both polynomial in the degree of the input polynomial and simply exponential in the number of variables. Next, we apply this algorithm to compute exact Pólya and Putinar representations, respectively for positive definite forms and for positive polynomials over basic compact semi-algebraic sets. We also compare the implementation of our algorithms with existing methods in computer algebra, including cylindrical algebraic decomposition and the critical point method.

To strengthen the resistance of countermeasures based on secret sharing, several works have suggested to use the scheme introduced by Shamir in 1978, which proposes to use the evaluation of a random d-degree polynomial into

Independent Component Analysis (ICA) is a powerful technique for blind source separation. It has been successfully applied to signal processing problems, such as feature extraction and noise reduction, in many different areas including medical signal processing and telecommunication. In , we propose a framework to apply ICA to denoise side-channel measurements and hence to reduce the complexity of key recovery attacks. Based on several case studies, we afterwards demonstrate the overwhelming advantages of ICA with respect to the commonly used preprocessing techniques such as singular spectrum analysis. Mainly, we target a software masked implementation of AES and an unprotected hardware one. Our results show a significant Signal-to-Noise Ratio (SNR) gain which translates into a gain in the number of traces needed for a successful side-channel attack. This establishes ICA as an important new tool for the security assessment of cryptographic implementations.

Until the mid 2000's, multivariate cryptography was developing very rapidly, producing many interesting and versatile public-key schemes. However, many of them were soon successfully cryptanalysed (a large part of this work was done in this group). As a consequence, confidence in multivariate cryptosystems declined. New and important reasons have since emerged for a renewal of interest in a new generation of multivariate schemes. In the past two years, the algorithms for solving the Discrete Logarithm Problem over small characteristic fields have undergone an extraordinary development. This clearly illustrates the risk of not considering alternatives to classical assumptions based on number theory. In parallel, two of the most important standardization bodies in the world, NIST and ETSI, have recently started initiatives for developing cryptographic standards not based on number theory, with a particular focus on primitives resistant to quantum algorithms. An objective here is then to focus on the design of multivariate schemes.

The team is involved in the industrial transfer of post-quantum cryptography. The maturation project, called HFEBoost, is supervised by SATT-LUTECH.

SATT-LUTECH specializes in the processing and transfer of technologies from the research laboratories of its shareholders: Inria, CNRS, University of Technology of Compiègne, National Museum of Natural History, Institute Curie, Université Panthéon-Assas, Paris Sorbonne University and National School of Industrial Creation.

The team has recently developed, in partnership with a mobile application development company (WASSA), an Android app for smartphones (Samsung S5 type) that uses multivariate cryptography. The application was tested in mid-November in a series of experiments supervised by DGA and the French Ministry of Defense. The experiment gathered a total of a hundred participants from various operational units. This is a first milestone in the maturation project, whose goal is to create a start-up.

CEA LETI / DSYS / CESTI

In the smart card domain, the emanations of a component during a cryptographic computation may compromise information that is directly or indirectly linked to the secret keys. Most side channel attacks are based on statistical tools that exploit relations between the handled data and the signals. However, these methods do not take advantage of all the signal information. The goal is to study the existing algorithms in pattern and speech recognition and to apply them to signals related to cryptographic computations. The objective is to improve the efficiency of the attacks and to resolve more complex problems.

CIFRE Contract with STMicroelectronics that funds the PhD thesis of Simon Landry on "Threshold Implementations Against Side Channel Analysis". Supervisor: Emmanuel Prouff.

**French Ministry of Armies**

PolSys has a collaboration with the French Ministry of Armies.

**Grant GAMMA** (funded by PGMO).

Global Algebraic Shooting Method in OptiMal Control and Applications

Optimal control consists in steering a system from an initial configuration to a final one, while minimizing some given cost criterion. One of the current main challenges is to develop innovative methods for computing global solutions. This is crucial for applications where validating the global control laws is a crucial but a highly time consuming and expensive phase. GAMMA focuses on the wide range of optimal control problems having an algebraic structure, involving for instance polynomial or semi-algebraic dynamics and costs, or switches between polynomial models. In this case, GAMMA aims at designing methods relying on algebraic computations to the mainstream shooting method in order to yield optimal solutions that purely numerical techniques cannot provide.

**ANR Jeunes Chercheurs GALOP
(Games through the lens of ALgebra and OPtimization)**

`Duration:` 2018–2022

`Participants:` E. Tsigaridas [contact], F. Johansson, H. Gimbert, J.-C. Faugère, M. Safey El Din.

**PIA grant RISQ: Regroupement of the Security Industry for
Quantum-Safe security (2017-2020).** The goal of the RISQ
project is to prepare the security industry for the upcoming shift
from classical cryptography to quantum-safe cryptography.
(J.-C. Faugère [contact], and L. Perret).

The RISQ project is a natural continuation of PolSys' commitment to the industrial transfer of quantum-safe cryptography. RISQ is a large scale version of the HFEBoost project, which demonstrated the potential of quantum-safe cryptography.

PolSys actively participated in shaping the RISQ project. PolSys is now a member of the strategic board of RISQ, and is leading the task of designing and analyzing quantum-safe algorithms. In particular, a first milestone of this task was to prepare submissions to NIST's quantum-safe standardisation process.

**ANR SESAME (Singularités Et Stabilité des AsservisseMEnts
référencés capteurs)**

`Duration:` 2018–2022

`Participants:` J.-C. Faugère, M. Safey El Din.

**Innovative Training Network POEMA (Polynomial Optimization, Efficiency through Moments and Algebra)**

`Duration:` 2019-2022.

POEMA is a Marie Skłodowska-Curie Innovative Training Network (2019-2022).

Its goal is to train scientists at the interplay of algebra, geometry and computer science for polynomial optimization problems and to foster scientific and technological advances, stimulating interdisciplinary and intersectorial knowledge exchange between algebraists, geometers, computer scientists and industrial actors facing real-life optimization problems.

`Participants:` J. Berthomieu, J.-C. Faugère, M. Safey El Din
[contact], E. Tsigaridas.

Program: COST

Project acronym: CryptoAction

Project title: Cryptography for Secure Digital Interaction

Duration: Apr. 2014 - Apr. 2018

Coordinator: Claudio ORLANDI

Abstract: As increasing amounts of sensitive data are exchanged and processed every day on the Internet, the need for security is paramount. Cryptography is the fundamental tool for securing digital interactions, and allows much more than secure communication: recent breakthroughs in cryptography enable the protection - at least from a theoretical point of view - of any interactive data processing task. This includes electronic voting, outsourcing of storage and computation, e-payments, electronic auctions, etc. However, as cryptography advances and becomes more complex, single research groups become specialized and lose contact with "the big picture". Fragmentation in this field can be dangerous, as a chain is only as strong as its weakest link. To ensure that the ideas produced in Europe's many excellent research groups will have a practical impact, coordination among national efforts and different skills is needed. The aim of this COST Action is to stimulate interaction between the different national efforts in order to develop new cryptographic solutions and to evaluate the security of deployed algorithms with applications to the secure digital interactions between citizens, companies and governments. The Action will foster a network of European research centers thus promoting movement of ideas and people between partners.

Program: COST

Project acronym: CRYPTACUS

Project title: Cryptanalysis of ubiquitous computing systems

Duration: Dec. 2014 - Dec. 2018

Coordinator: Gildas AVOINE

Abstract: Recent technological advances in hardware and software have irrevocably affected the classical picture of computing systems. Today, these no longer consist only of connected servers, but involve a wide range of pervasive and embedded devices, leading to the concept of “ubiquitous computing systems”. The objective of the Action is to improve and adapt the existing cryptanalysis methodologies and tools to the ubiquitous computing framework. Cryptanalysis, which is the assessment of theoretical and practical cryptographic mechanisms designed to ensure security and privacy, will be implemented along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. Researchers have only recently started to focus on the security of ubiquitous computing systems. Despite the critical flaws found, the required highly-specialized skills and the isolation of the involved disciplines are a true barrier to identifying additional issues. The Action will establish a network of complementary skills, so that expertise in cryptography, information security, privacy, and embedded systems can be put to work together. The outcome will directly help industry stakeholders and regulatory bodies to increase security and privacy in ubiquitous computing systems, in order to eventually make citizens better protected in their everyday life.

Reine Abi Rached

Date: Apr. 2018 - Aug. 2018

Institution: Université de Versailles – St-Quentin-en-Yvelines

Supervisor: Jean-Charles Faugère, Jérémy Berthomieu

Hadrien Brochet

Date: Jun. 2018 - Aug. 2018

Institution: ENS Lyon

Supervisor: Elias Tsigaridas

Phuoc Le

Date: Apr. 2018 - Aug. 2018

Institution: Université de Versailles – St-Quentin-en-Yvelines

Supervisor: Jean-Charles Faugère, Mohab Safey El Din

Elias Tsigaridas was a visiting research scientist at the ICERM institute (Brown University) during the special semester on "Nonlinear Algebra" (Sep – Nov 2018).

Dongming Wang was the General Chair of the International Conference on Automated Deduction in Geometry (ADG 2018) (Nanning, China, September 11-14, 2018).

Dongming Wang was the General co-Chair of the 44th International Symposium on Symbolic and Algebraic Computation (ISSAC 2019) (Beijing, China, July 15-18, 2019), and of the 13th International Conference on Artificial Intelligence and Symbolic Computation (AISC 2018) (Suzhou, China, September 16-19, 2018).

Elias Tsigaridas was a member of the program committee of the 20th International Workshop on Computer Algebra in Scientific Computing (CASC) 2018.

Mohab Safey El Din was a member of the program committee of the 43rd International Symposium on Symbolic and Algebraic Computation (ISSAC) 2018.

Emmanuel Prouff was a member of the program committees of the Conference on Cryptographic Hardware and Embedded Systems (CHES) 2018, the Smart Card Research and Advanced Application Conference (CARDIS) 2018, and Constructive Side-Channel Analysis and Secure Design (COSADE) 2018.

Dongming Wang was a member of the program committees of the 13th International Conference on Artificial Intelligence and Symbolic Computation (AISC 2018) (Suzhou, China, September 16-19, 2018) and the 4th International Conference on Numerical and Symbolic Computation (SYMCOMP 2019) (Porto, Portugal, April 11-12, 2019).

Mohab Safey El Din was a reviewer of M. Skomra's PhD (CMAP, École polytechnique).

Mohab Safey El Din is a member of the editorial board of the Journal of Symbolic Computation.

Mohab Safey El Din (with Chee Yap, Courant Inst. NYU) is guest editor of the Journal of Symbolic Computation Special Issue on the 2017 International Symposium on Symbolic and Algebraic Computation.

Dongming Wang is a member of the editorial board of

Journal of Symbolic Computation (published by Academic Press/Elsevier, London),

Frontiers of Computer Science (published by Higher Education Press, Beijing and Springer, Berlin),

Texts and Monographs in Symbolic Computation (published by Springer, Wien New York).

Dongming Wang is a member of the Advisory Board for the journal SCIENCE CHINA Information Sciences (published by Science China Press, Beijing and Springer, Berlin).

Dongming Wang is the Editor-in-Chief for the journal Mathematics in Computer Science (published by Birkhäuser/Springer, Basel).

Elias Tsigaridas was an invited speaker at

IBM T.J. Watson Research Center (*Invited talk*), 28 Nov 2018.

*Applied Algebra Day*, MIT, 17 Nov 2018.

ICERM, Brown University, *Main seminar*, Nov 2018.

Mohab Safey El Din was an invited speaker at

Key Lab on Math. Mechanization, Chinese Academy of Sciences, *Invited talk*.

Dep. of Math. of Univ. of Tromso, *Invited talk*.

ICERM, Semester Prog. on Non-linear Algebra, Workshop on Real algebraic
geometry and optimization, *Plenary talk*.

Emmanuel Prouff was an invited speaker at

PANDA 2018 Conference (China) and talked on "Deep Learning for Embedded Security Evaluation".

COSADE 2018 Conference (Singapore) and talked on "Deep Learning for Embedded Security Evaluation".

Mohab Safey El Din is Chargé de Mission for Computer Science at Sorbonne Univ. (Faculté des Sciences et Ingénierie).

Jérémy Berthomieu had the following teaching activities:

Master : Computation Modeling, 38 hours, M1, Sorbonne Université, France.

Master : In charge of Basics of Algebraic Algorithms, 74 hours, M1, Sorbonne Université & Polytech' UPMC, France.

Master : Projects supervision, 6 hours, M1, Sorbonne Université, France.

Licence : Introduction to Algorithmics, 33 hours, L2, Sorbonne Université, France.

Licence : Projects supervision, 10 hours, L2, Sorbonne Université, France.

Licence : In charge of Basics of Programming 2, 50 hours, L1, Sorbonne Université, France.

Mohab Safey El Din has the following teaching activities:

Master : Computation Modeling, 33 hours, M1, Sorbonne Université, France.

Master : Polynomial System Solving, 40 hours, M1, Sorbonne Université, France.

Master : In charge of the curriculum on Security, Reliability of Performance in Computing, 30 hours, M1, Sorbonne Université, France.

Master : Projects management, 20 hours, M1, Sorbonne Université, France.

Licence : Projects supervision, 10 hours, L2, Sorbonne Université, France.

PhD in progress : Matías Bender, Algorithms for Sparse Gröbner basis and applications, started in Dec. 2015, Jean-Charles Faugère and Elias Tsigaridas.

PhD in progress : Thi Xuan Vu, Faster algorithms for structured polynomial systems, started in Oct. 2017, Jean-Charles Faugère and Mohab Safey El Din.

PhD in progress : Phuoc Le, Real root classification and polar varieties, started in Oct. 2018, Jean-Charles Faugère and Mohab Safey El Din.

PhD in progress : Simon Landry, Threshold Implementations Against Side Channel Analysis, Emmanuel Prouff.

CIFRE/Contract with STMicroelectronics.

Mohab Safey El Din was member of the PhD committees of M. Skomra (CMAP, École polytechnique) and T. Weisser (LAAS, CNRS).