Grace combines expertise and deep knowledge in algorithmic number theory and algebraic geometry to build and analyse (public-key) cryptosystems and to design new error correcting codes, with real-world concerns like cybersecurity or blockchains (software and hardware implementations, secure implementations in constrained environments, countermeasures against side channel attacks, white box cryptography).

The foundations of Grace therefore lie in algorithmic number theory (fundamental algorithms: primality, factorization), number fields, the arithmetic geometry of curves, algebraic geometry and the theory of algebraic codes.

Arithmetic Geometry is the meeting point of algebraic geometry and number theory: the study of geometric objects defined over arithmetic number systems. In our case, the most important objects are curves and their Jacobians over finite fields; these are fundamental to our applications in both coding theory and cryptology. Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems, of which Diffie–Hellman key exchange is an instructive example.

Coding Theory studies originated with the idea of using redundancy in messages to protect them against noise and errors. While the last decade of the 20th century saw the success of so-called iterative decoding methods, we now see many new ideas in the realm of algebraic coding, the foremost examples being list decoding and (zero-knowledge or not) proofs of computation.

Part of the activities of the team are oriented towards post-quantum cryptography, either based on elliptic curves (isogenies) or code-based. The team also studies cryptography relevant to the blockchain arena.

The group is strongly invested in cybersecurity: software security, secure hardware implementations, privacy, etc.

Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:

fundamental algorithms for integers and polynomials (including primality and factorization);

algorithms for finite fields (including discrete logarithms);

algorithms for algebraic curves.

Clearly, we use computer algebra in many ways. Research in cryptology
has motivated a renewed interest in Algorithmic Number Theory in
recent decades, but the fundamental problems still exist *per
se*. Indeed, while the application of algorithmic number theory to
cryptanalysis is epitomized by factoring to break RSA public keys,
many other problems are relevant to various areas of computer
science. Roughly speaking, the problems of the cryptological world
are of bounded size, whereas Algorithmic Number Theory is also
concerned with asymptotic results.

Theme: Arithmetic Geometry: Curves and their Jacobians

*Arithmetic Geometry* is the meeting point of algebraic geometry and
number theory: that is, the study of geometric objects defined over
arithmetic number systems (such as the integers and finite fields).
The fundamental objects for our applications
in both coding theory and cryptology
are curves and their Jacobians over finite fields.

An algebraic *plane curve*

(Not every curve is planar—we may have more variables, and more
defining equations—but from an algorithmic point of view,
we can always reduce to the plane setting.)
The *genus* *Jacobian* of

The simplest curves with nontrivial Jacobians are
curves of genus 1,
known as *elliptic curves*;
they are typically defined by equations of the form

Theme: Curve-Based Cryptology

Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.

Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
*key*, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group

This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups

The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field

This is where Jacobians of algebraic curves come into their own.
First, elliptic curves and Jacobians of genus 2 curves do not have a
subexponential index calculus algorithm: in particular, from the point
of view of the DLP, a generic elliptic curve is currently *as
strong as* a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed

Theme: Coding theory

Coding Theory studies originated with the idea of using redundancy in messages to protect against noise and errors. The last decade of the 20th century has seen the success of so-called iterative decoding methods, which enable us to get very close to the Shannon capacity. The capacity of a given channel is the best achievable transmission rate for reliable transmission. The consensus in the community is that this capacity is more easily reached with these iterative and probabilistic methods than with algebraic codes (such as Reed–Solomon codes).

However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random case setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst case approach: under combinatorial restrictions on the noise, the noise can be adversarial, with strictly zero errors.

These considerations are renewed by the topic of list decoding after the breakthrough of Guruswami and Sudan at the end of the nineties. List decoding relaxes the uniqueness requirement of decoding, allowing a small list of candidates to be returned instead of a single codeword. List decoding can reach a capacity close to the Shannon capacity, with zero failure, with small lists, in the adversarial case. The method of Guruswami and Sudan enabled list decoding of most of the main algebraic codes: Reed–Solomon codes, Algebraic–Geometry (AG) codes and new related constructions of “capacity-achieving list decodable codes”. These results open the way to applications against adversarial channels, which correspond to worst case settings in the classical computer science language.

Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).

From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.

Another area of Algebraic Coding Theory with which we are more recently concerned is that of Locally Decodable Codes. First introduced as a theoretical object, these codes are now beginning to find practical applications, most notably in cloud-based remote storage systems.

We are interested in developing interactions between cryptography and cybersecurity. In particular, we conduct research in embedded security (side channels and fault attacks), software security (finding vulnerabilities efficiently) and privacy (security of Tor).

The huge interest shown by companies for blockchains and cryptocurrencies has attracted the attention of mainstream industries to new, advanced uses of cryptography, beyond confidentiality, integrity and authentication. In particular, zero-knowledge proofs, computation with encrypted data, etc., are now revealing their potential in the blockchain context. Team Grace is investigating two topics in these areas: secure multiparty computation and so-called “STARKS”.

Secure multiparty computation enables several participants to compute a common function of data they each secretly own, without any participant revealing his data to the others. This area has seen great progress in recent years, and the cryptographic protocols are now mature enough for practical use. This topic is new to project-team Grace, and we will investigate it in the context of blockchains, through the lens of its use for private “smart contracts”. A PhD student, funded by IRT System-X, has been hired since October.

Daniel Augot is involved in blockchains from the point of view of cryptography for better blockchains, mainly for improving privacy. A PhD student has been enrolled at IRT System-X to study practical use cases of Secure Multiparty Computation.

Also Daniel Augot, together with Julian Prat (economist, ENSAE), is leading a Polytechnique teaching and research “chair”, funded by CapGemini, for blockchains in the industry, B2B platforms, supply chains, etc.

The team is concerned with several aspects of reliability and security of cloud storage, obtained mainly with tools from coding theory. On the privacy side, we build protocols for so-called Private Information Retrieval, which enable a user to query a remote database for an entry without revealing his query. For instance, a user could query a service for stock quotes without revealing which company he is interested in. On the availability side, we study protocols for proofs of retrievability, which enable a user to get assurance that a huge file is still available on a remote server, with a low-bandwidth protocol which does not require downloading the whole file. For instance, in a peer-to-peer distributed storage system, where nodes could be rewarded for storing data, they can be audited with proof of retrievability protocols to make sure they indeed hold the data.

We investigate these problems with algebraic coding theory, mainly codes with locality (locally decodable codes, locally recoverable codes, and so on).
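
The Private Information Retrieval property described above, as an added example that is not the team's code: the classic two-server XOR scheme, in which each server holds a copy of the database and the two are assumed not to collude. The user sends a uniformly random subset of record indices to one server and the same subset with the wanted index toggled to the other; each server answers with the XOR of the selected records, and the two answers XOR to exactly the wanted record. Because each server sees only a uniformly random subset, neither learns which entry was requested. The stock-quote database below is constructed for the demonstration.

```python
import secrets

# Constructed toy database of fixed-size records (stock quotes, as in the text); both
# servers hold an identical copy.  Records must all have the same length for the XOR.
DATABASE = [b"AAPL 150", b"MSFT 300", b"NOKIA 4 ", b"INRIA 42"]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(n, index):
    """Client side. Returns two 0/1 membership vectors: a uniformly random subset S of
    {0..n-1}, and S with `index` toggled. Each vector on its own is uniformly random,
    so a single (non-colluding) server learns nothing about `index`."""
    q1 = [secrets.randbits(1) for _ in range(n)]
    q2 = q1[:]
    q2[index] ^= 1
    return q1, q2


def server_answer(db, query):
    """Server side: XOR of every record selected by the query vector.
    Communication is n bits up and one record down, independent of the index."""
    acc = bytes(len(db[0]))
    for record, selected in zip(db, query):
        if selected:
            acc = xor_bytes(acc, record)
    return acc


def pir_retrieve(db_server1, db_server2, index):
    """Full protocol run. The two answers differ only by the record at `index`
    (the symmetric difference of the two subsets), so their XOR is that record."""
    q1, q2 = make_queries(len(db_server1), index)
    return xor_bytes(server_answer(db_server1, q1), server_answer(db_server2, q2))


def query_difference(q1, q2):
    """What an observer seeing BOTH queries would learn: the toggled position.
    This is why the scheme requires the two servers not to collude."""
    return [a ^ b for a, b in zip(q1, q2)]


if __name__ == "__main__":
    wanted = 2
    print("retrieved:", pir_retrieve(DATABASE, DATABASE, wanted))
    q1, q2 = make_queries(len(DATABASE), wanted)
    print("server 1 sees:", q1, " server 2 sees:", q2, " colluding view:", query_difference(q1, q2))
```

The cost here is linear in the database size for each query; the codes with locality mentioned in the text are precisely the tools used to bring that communication cost down while keeping the same privacy guarantee.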

An M2 intern, Maxime Roméas, Bordeaux university, studied the constructive cryptography model, "A study of the Constructive Cryptography model of Maurer et al.", for 5 months, followed by a PhD grant from IP Paris/Ecole Polytechnique for a 3-year doctorate (Oct 2019-Sept 2022): "The Constructive Cryptography paradigm applied to Interactive Cryptographic Proofs".

The Constructive Cryptography framework redefines basic cryptographic primitives and protocols starting from discrete systems of three types (resources, converters, and distinguishers). This not only permits constructing them effectively, but also lightens and sharpens their security proofs. One strength of this model is its composability. The purpose of the PhD is to apply this model to rephrase existing interactive cryptographic proofs so as to assert their genuine security, as well as to design new proofs. The main concern here is security and privacy in Distributed Storage settings.

*Algorithmic Coding Theory in Sage*

Functional Description: The aim of this project is to vastly improve the state of the error correcting library in Sage. The existing library does not present a good and usable API, and the provided algorithms are very basic, irrelevant, and outdated. We thus have two directions for improvement: renewing the APIs to make them actually usable by researchers, and incorporating efficient programs for decoding, like J. Nielsen's CodingLib, which contains many new algorithms.

Partner: Technical University Denmark

Contact: Daniel Augot

Keyword: Algebraic decoding

Functional Description: Decoding is a standalone C library. Its primary goal is to implement Guruswami–Sudan list decoding-related algorithms, as efficiently as possible. Its secondary goal is to give an efficient tool for the implementation of decoding algorithms (not necessarily list decoding algorithms) and their benchmarking.

Participant: Guillaume Quintin

Contact: Daniel Augot

Keyword: Cryptography

Functional Description: A competitive, high-speed, open implementation of the Diffie–Hellman protocol, targeting the 128-bit security level on Intel platforms. This download contains Magma files that demonstrate how to compute scalar multiplications on the x-line of an elliptic curve using endomorphisms. This accompanies the EuroCrypt 2014 paper by Costello, Hisil and Smith, the full version of which can be found here: http://

Participant: Ben Smith

Contact: Ben Smith

URL: http://

*Crible Algébrique: Distribution, Optimisation - Number Field Sieve*

Keywords: Cryptography - Number theory

Functional Description: CADO-NFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists of various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.

News Of The Year: The main program for relation collection now supports composite "special-q". The memory footprint of the central step of linear algebra was reduced. Parallelism of many of the Cado-NFS programs was improved considerably (sieving, relation filtering, as well as the central step of linear algebra).

Participants: Pierrick Gaudry, Emmanuel Thomé and Paul Zimmermann

Contact: Emmanuel Thomé

Algebraic codes such as Reed–Solomon codes and algebraic geometry
codes benefit from efficient decoding algorithms that correct
errors up to half the minimum distance and sometimes beyond. In
1992, Pellikaan proved that many **unique** decoding algorithms could
be unified using an object called an *error correcting pair*. In
short, given an error correcting code

On the other hand, in the late 90's, after the breakthroughs of Sudan
and of Guruswami and Sudan, the question arose of list decoding, which
permits decoding beyond half the minimum distance. In a recently
submitted article, A. Couvreur and I. Panaccione proposed a unified
point of view for probabilistic decoding algorithms decoding beyond
half the minimum distance. Similarly to Pellikaan's result, this
framework applies to any code benefiting from an *error locating
pair*, which is a relaxed version of error correcting pairs.
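
As an added example (not the team's code, nor from the Sage or Decoding libraries mentioned on this page), the following implements the two facts used above and in the coding theory theme: a Reed–Solomon code over GF(p) of length n ≤ p (the length bound that AG codes circumvent), and a unique decoder, Berlekamp–Welch, that corrects any pattern of up to t = ⌊(n−k)/2⌋ errors, i.e. up to half the minimum distance d = n−k+1. The field size p = 17, the evaluation points 0..n−1 and the message are all constructed for the demonstration; errors are injected adversarially (chosen positions), matching the worst-case Hamming setting described in the text.

```python
# Reed-Solomon over GF(P): codeword = evaluations of a degree < k polynomial at n distinct points.
P = 17  # prime alphabet size; a Reed-Solomon code over GF(P) has length at most P


def inv(a):
    return pow(a, P - 2, P)              # Fermat inverse in GF(P)


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[i] is the coefficient of x^i."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % P
    return r


def rs_encode(msg, n):
    """Encode k = len(msg) symbols as evaluations at the points 0..n-1."""
    if n > P:
        raise ValueError("Reed-Solomon length cannot exceed the alphabet size")
    return [poly_eval(msg, a) for a in range(n)]


def solve_mod_p(rows):
    """Gauss-Jordan elimination over GF(P) on an augmented matrix.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    rows = [r[:] for r in rows]
    m, ncols = len(rows), len(rows[0]) - 1
    pivots, row = [], 0
    for col in range(ncols):
        if row == m:
            break
        piv = next((r for r in range(row, m) if rows[r][col]), None)
        if piv is None:
            continue
        rows[row], rows[piv] = rows[piv], rows[row]
        iv = inv(rows[row][col])
        rows[row] = [v * iv % P for v in rows[row]]
        for r in range(m):
            if r != row and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % P for x, y in zip(rows[r], rows[row])]
        pivots.append(col)
        row += 1
    if any(rows[r][-1] for r in range(row, m)):
        return None
    sol = [0] * ncols
    for i, col in enumerate(pivots):
        sol[col] = rows[i][-1]
    return sol


def poly_divmod(num, den):
    """Polynomial long division over GF(P) (den has a nonzero leading coefficient)."""
    num, dd = num[:], len(den) - 1
    lead_inv = inv(den[-1])
    quot = [0] * max(len(num) - dd, 0)
    for i in range(len(num) - 1, dd - 1, -1):
        c = num[i] * lead_inv % P
        quot[i - dd] = c
        for j in range(dd + 1):
            num[i - dd + j] = (num[i - dd + j] - c * den[j]) % P
    return quot, num[:dd]


def rs_decode(received, k):
    """Berlekamp-Welch unique decoding up to t = (n-k)//2 errors.
    Solve for a monic error locator E (degree t) and Q (degree < k+t) with
    Q(a) = r_a * E(a) at every point a; then Q = M*E for the sent polynomial M."""
    n = len(received)
    t = (n - k) // 2
    rows = []
    for a, r in enumerate(received):
        q_part = [pow(a, j, P) for j in range(k + t)]              # unknown coefficients of Q
        e_part = [(-r * pow(a, j, P)) % P for j in range(t)]        # unknown e_0..e_{t-1} of E
        rows.append(q_part + e_part + [r * pow(a, t, P) % P])       # e_t = 1 moved to the right side
    sol = solve_mod_p(rows)
    if sol is None:
        return None
    q_coeffs, e_coeffs = sol[:k + t], sol[k + t:] + [1]
    msg, rem = poly_divmod(q_coeffs, e_coeffs)
    return None if any(rem) else msg                                 # non-exact division: decoding failure


def corrupt(codeword, positions, delta=5):
    """Adversarial errors: add a fixed nonzero offset at chosen positions."""
    out = codeword[:]
    for i in positions:
        out[i] = (out[i] + delta) % P
    return out


if __name__ == "__main__":
    msg, n = [3, 1, 4, 1], 10                 # k = 4, n = 10: d = 7, so t = 3 errors are correctable
    cw = rs_encode(msg, n)
    print("decoded:", rs_decode(corrupt(cw, [0, 4, 9]), len(msg)))
```

The decoder returns `None` rather than a wrong message when the linear system is inconsistent or the division is not exact, which is the failure mode a caller should handle when more than t positions are corrupted.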

Integer factoring is an old topic, and the situation is as follows. In the classical world, we think integer factoring is hard, although the algorithms we have are quite powerful: they have subexponential complexity and factor numbers of several hundred bits. In the quantum world, it is assumed to be easy (i.e., there exists a quantum polynomial-time algorithm), but this has never been experienced in practice, and the record is something like a few bits. F. Morain, helped by B. Smith and G. Renault, studied the theoretical problem of factoring integers given access to classical oracles, like the Euler totient function. They were able to give some interesting classes of numbers that could be tackled. The manuscript is currently being refereed.

Through École polytechnique, Daniel Augot is leader of a teaching and research chair on Blockchains for business, funded by CapGemini.

IRT System-X funds a PhD student for Secure Multiparty Computation in blockchains

Ernst & Young funds a contract for providing PhD guidance to one of its employees, on the topic of blockchains.

Idemia funds a CIFRE PhD student on the secure implementation in constrained environments of post-quantum cryptosystems.

Quarkslab funds a CIFRE PhD student on the analysis of malware code

French Min. Arm. funds a PhD student on the analysis of the Tor network.

Grant with Nokia with the Privacy “Action de recherche”.

Daniel Augot and Matthieu Rambaud (Institut Mines-Telecom) received a Digicosme Grant, to fund a new PhD student, A. Saadeh, starting November 2019, on the topic of Secure Multiparty Computation.

MANTA (accepted July 2015, starting March 2016, ended September 2019): “Curves, surfaces, codes and cryptography”. This project deals with applications of error correcting codes in cryptography, multi-party computation, and complexity theory, using advanced topics in algebraic geometry and number theory.

We held four annual national retreats, the last one in January 2019, and we organized a closing international workshop in August 2019, with more than 40 participants, half French, half international.

ANR **CIAO**
(Cryptography, Isogenies, and Abelian varieties Overwhelming)
is a JCJC 2019 project, led by Damien Robert (Inria EP LFANT).
This project, which started in October 2019,
will examine applications of higher-dimensional abelian
varieties in isogeny-based cryptography.

ANR **CBCRYPT** (Code–based Cryptography) is a project
from the *Appel à projets générique, Défi 9, Liberté et sécurité
de l'Europe, de ses citoyens et de ses résidents, Axe 4 ;
Cybersécurité*. This project, which started in October 2017 and is led by
Jean-Pierre Tillich (Inria, EP Cosmiq), focuses on the design and
the security analysis of code–based primitives, in the context of
the current NIST competition.

SPARTA (https://www.sparta.eu/) is a cybersecurity competence network, with the objective to collaboratively develop and implement top-tier research and innovation actions.

Alessandro Neri visited us from September 2019 to December 2019, as post-doctoral visitor, to work on rank-metric codes.

Vincent Neiger (Mcf, Univ. Limoges) visited our team twice, one week in March and one week in November, to work on the decoding of Reed–Solomon codes.

Tokenomics 2019, International Conference on Blockchain Economics, Security and Protocols, Paris: D. Augot.

FAB 2019, Second International Symposium on Foundations and Applications of Blockchain, Los Angeles: D. Augot

ICBC 2019 (IEEE International Conference on Blockchain and Cryptocurrency, Seoul): D. Augot

CBT 2019 (3rd International Workshop on Cryptocurrencies and Blockchain Technology, Barcelona)

ECC 2019 (23rd International Workshop on Elliptic Curve Cryptography, Bochum): B. Smith

Latincrypt 2019 (Santiago de Chile): B. Smith

C2SI (*Codes, Cryptographie et Sécurité Informatique*)
2019 (Rabat, Morocco) A. Couvreur

Eurocrypt 2019: D. Augot, B. Smith

Indocrypt 2019 (20th International Conference on Cryptology in India, Hyderabad): D. Augot

ISIT (International Symposium on Information Theory) 2019: D. Augot, A. Couvreur.

Latincrypt 2019. A. Couvreur.

SAC 2019: B. Smith

STACS 2020: B. Smith

F. Morain is member of the editorial board of the
*Applicable Algebra in Engineering, Communication and Computing*,
Springer.

A. Couvreur is member of the editorial board of the
*Publications mathématiques de l'Institut de mathématiques de Besançon,
Algèbre et Théorie des nombres*.

Applicable Algebra in Engineering, Communication, and Computing: B. Smith

Journal of Cryptographic Engineering: B. Smith

Journal of Cryptology: B. Smith

Publications Mathématiques de Besançon: B. Smith

Transactions on Mathematical Software: B. Smith

Designs, Codes and Cryptography: A. Couvreur.

IEEE, Transactions on Information Theory: A. Couvreur.

IEEE, Transactions on Communication: A. Couvreur.

D. Augot was invited to the joint Caen-Rouen ArcoCrypt colloquium.

F. Morain was invited to give a talk at the seminar of the ARIC project-team in Lyon.

G. Renault was invited to give the main keynote at PHISIC'19 workshop (Gardanne)

G. Renault was invited to give a talk at the Workshop on Randomness and Arithmetics for Cryptography on Hardware (Roscoff)

G. Renault was invited to give a talk at the Journée Internationale Post-Quantique organized by Institut Cyber de Grenoble Alpes.

B. Smith was invited to give a talk at the Workshop on Arithmetic of low-dimensional abelian varieties at ICERM (Providence, USA)

B. Smith and A. Couvreur were invited to give a talk in the mini-symposium on isogeny-based cryptography at the SIAM Conference on Applied Algebraic Geometry (Bern, Switzerland)

B. Smith was invited to give a talk in the Autumn session of
*Arithmétique en Plat Pays* (Mons, Belgium)

A. Couvreur was invited speaker at the
conference *WCC (Workshop on Coding and Cryptography) 2019*
Saint Jacut de la mer, France.

A. Couvreur was invited speaker at the conference
*NuTMIC (Number Theoretic Methods In Cryptography) 2019*,
Paris.

D. Augot is member of the scientific committee of the C2 seminar, which is the French wide, now itinerant, seminar of the subgroup “Codage et Cryptographie” of the CNRS GDR group “Informatique mathématique”.

G. Renault was member of the Comité d'Évaluation du LJK (Grenoble) pour l'Hcéres.

F. Morain is vice-head of the Département d'informatique of Ecole Polytechnique; in charge of years 1 and 2 for Computer Science courses.

F. Morain is member of the Board of Master Parisien de Recherche en Informatique (MPRI); also a member of the board of the Cybersecurity track in the CS Master of IPParis.

Recruitment committees:

D. Augot participated in a selection committee for an Assistant Professor position at École polytechnique.

A. Couvreur is member of the *commission scientifique*
of Inria Saclay's research centre.

Funding

D. Augot belongs to the Inria-NomadicLabs committee.

D. Augot belongs to MATH-INFO subcommittee of Saclay labex Laboratoire Jacques Hadamard, and has been replaced by A. Couvreur.

Licence : F. Morain, Lectures for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).

Licence :
B. Smith:
*CSE101: Introduction to Computer Programming*,
42h, L1, École polytechnique, France

Licence : G. Renault: INF361, *Introduction à l'informatique*, 50h, L3, École Polytechnique, France.

Master : A. Couvreur :
*MPRI 2-13-2: Error Correcting codes and applications
to cryptography*.

Master : D. Augot: lectures and labs on crypto in blockchains, 24h, M2, École polytechnique, France.

Master : F. Morain is the scientific leader of the
Master of Science and Technology *Cybersecurity: Threats and
Defense* of École Polytechnique.

Master : F. Morain and A. Couvreur, INF558, *Introduction to
cryptology*, 36h, M1, École Polytechnique.

Master :
B. Smith:
*INF568: Advanced Cryptography*,
54h, M1, École polytechnique, France

Master :
B. Smith and F. Morain:
*MPRI 2-12-2: Algorithmes Arithmétiques pour la Cryptologie*,
22.5h, M2, Master Parisien de Recherche en Informatique, France

Master : F. Levy-dit-Vehel, discrete maths, 21h, M1, ENSTA.

Master : F. Levy-dit-Vehel, cryptography, 24h, M2, ENSTA.

HdR : A. Couvreur, Codes algébriques et géométriques, applications à la cryptographie et à l'information quantique, Paris Diderot University, December 16, 2019.

D. Augot was member of the thesis committee of Thomas Debris.

G. Renault was president of the thesis committee of François Boutigny.

G. Renault was member of the thesis committee of Ramtine Tofighi.

B. Smith was a member of the thesis committee of Louiza Papachristodoulou (Radboud Universiteit Nijmegen)

B. Smith was a member of the thesis committee of Joost Renes (Radboud Universiteit Nijmegen)

B. Smith was a *rapporteur* on the thesis of Yan Bo Ti
(University of Auckland).

D. Augot was invited to the mathematical colloquium of the University of Besançon.

Colloque “Blockchains et compétences” à l'Assemblée nationale le 14 mars: D. Augot, who also participated in three meetings at the Ministry of Finance and the Ministry of Industry about blockchains.

A. Couvreur is *Correspondant de Médiation Scientifique*
of Inria Saclay's research centre.

A. Couvreur organised the *Fête de la science 2019* at
Inria Saclay on October 10 and 11, 2019.
J. Nardi, S. Bordage, M. Chenu de la Morinerie, M. Romeas participated in the event
as volunteers.

A. Couvreur organised the Rendez-vous des Jeunes Mathématiciennes et Informaticiennes (RJMI) at Inria Saclay on October 21 and 22, 2019.