Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The two facets of cryptology—cryptography and cryptanalysis—are central to our research. The key challenges are the assessment of the security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones.

Our research connects to both symmetric and asymmetric key cryptography. While the basic principles of these domains are rather different—indeed their names indicate different handlings of the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition to this, both require studying design and analysis together, as these two aspects nurture each other.

Our research topics can be listed either with broad application domains in mind (a very coarse-grain view would have us list them under cryptography and cryptanalysis), or more thematically (see Figure 1). Either way, we also identify a set of tools that we sometimes develop per se, but most often as ingredients towards goals that are set in the context of other themes. Following the “vertical” reading direction in Figure 1, our research topics are as follows.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.

One of the challenges we address here is point counting. In a wider perspective, we also study the link between abelian varieties over finite fields and principally polarized abelian varieties over fields of characteristic zero, together with their endomorphism ring. In particular, we work in the direction of making this link an effective one. We are also investigating various approaches for attacking the discrete logarithm problem in Jacobians of algebraic curves. Questions more recently studied include the development of cryptosystems based on isogenies.

Symmetric key cryptography. This topic has emerged recently in the team, with the recruiting of Marine Minier and Virginie Lallemand. We are interested in particular in automatic tools for new paradigms of cryptanalysis, going beyond the classical linear and differential cryptanalysis techniques. Newer, more intricate techniques are rather hard to apply and are error-prone. The idea is then to automate the analysis process by developing tools implemented in constraint programming (CP), satisfiability (SAT) or mixed integer linear programming (MILP). We plan to pay special attention to the recent advances in cryptanalysis and to study recently proposed lightweight ciphers.

In addition, we also study new designs. The challenge of the lightweight world pushes symmetric cryptography to be ever more efficient while guaranteeing the same level of security as before. It is thus very important to scrutinize each building block of the symmetric key primitives to be convinced of their security.

Tools. Several mathematical objects are pervasive in our research. We sometimes study them per se, but they most often play a key role in the work related to the topics above. In particular, we study computer arithmetic, polynomial systems, and linear algebra. In the context of symmetric cryptography, the mathematical objects we deal with are rather different: we are mainly interested in small (4 or 8 bits) non-linear permutations (the so-called S-boxes) and in linear transformations based on coding theory (Maximum Distance Separable (MDS) matrices or quasi-MDS matrices).

Our goals with all these basic objects include a strong commitment to providing high-quality software that can be used as a dependable building block in our research.

As a complement to the last point, we consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, part of our research activity.

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered since 2014, notably for non-prime fields, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would hardly be possible without access to a dependable software implementation. To this end, members of the CARAMBA team have been developing the Cado-NFS software suite since 2007. Cado-NFS is now the most widely visible open-source implementation of NFS, and is a crucial platform for developing prototype implementations of new ideas for the many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and follows an open development model, with a publicly accessible development repository and regular software releases. Competing free software implementations exist, such as msieve, developed by J. Papadopoulos (whose last commit is from August 2018). In Lausanne, T. Kleinjung develops his own code base, which is unfortunately not public.

The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters. With the standardization of TLS 1.3 in 2018 [33], the curves x25519 and x448 have entered the base specification of the standard. These curves were designed by academia and offer an excellent compromise between efficiency and security.

On the cryptanalytic side, the discrete logarithm problem on (Jacobians of) curves has resisted all attempts for many years. Among the currently active topics, the decomposition algorithms raise interesting problems related to polynomial system solving, as do attempts to solve the discrete logarithm problem on curves defined over binary fields. In particular, while it is generally accepted that the so-called Koblitz curves (base field extensions of curves defined over GF(2)) are likely to be a weak class among the various curve choices, no concrete attack supports this claim fully.

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

Since the recruiting of Marine Minier in September 2016 as a Professor at the Université de Lorraine, and of Virginie Lallemand as a CNRS researcher in October 2018, a new research domain has emerged in the CARAMBA team: symmetric key cryptology. Accompanied in this adventure by non-permanent team members, we are tackling problems related to both design and analysis. A large part of our recent research has been motivated by the Lightweight Cryptography Standardization Process of the NIST, which embodies a crucial challenge of the last decade: finding ciphers that are suitable for resource-constrained devices.

On a general note, the working program of CARAMBA in symmetric cryptography is defined as follows:

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in our application domains. However involved the mathematical objects considered may be, dealing with them first requires mastering more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, and GNU MPC do an excellent job for these, both for small and large sizes (we rarely, if ever, focus on small-precision floating-point data, which explains our lack of mention of libraries relevant to it).

Most of our involvement in subjects related to computer arithmetic is to be understood in connection to our applications to the Number Field Sieve and to abelian varieties. As such, much of the research work we envision will appear as side-effects of developments in these contexts. On the topic of arithmetic work per se:

Systems of polynomial equations have been part of the cryptographic landscape for quite some time, with applications to the cryptanalysis of block and stream ciphers, as well as multivariate cryptographic primitives.

Polynomial systems arising from cryptology are usually not generic, in the sense that they have some distinct structural properties, such as symmetries or bilinearity for example. During the last decades, several results have shown that identifying and exploiting these structures can lead to dedicated Gröbner basis algorithms that can achieve large speedups compared to generic implementations [28, 29].

Solving polynomial systems is well done by existing software, and duplicating this effort is not relevant. However we develop test-bed open-source software for ideas relevant to the specific polynomial systems that arise in the context of our applications. The TinyGB software is our platform to test new ideas.

We aim to work on the topic of polynomial system solving in connection with our involvement in the aforementioned topics.

Our study of the Number Field Sieve family of algorithms aims at showing how real the threats underlying various supposedly hard problems are. Our record computations, as well as new algorithms, contribute to a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for the choice of appropriate cryptographic primitives. For example, the French ANSSI, the German BSI, or the NIST in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy-compatibility trade-offs too lightly. Attacks such as LogJam [26] are understood as being serious concerns thanks to our convincing proofs of concept. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. Those offer good speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g. RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in fast arithmetic, in the point counting problem, and more generally in our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects and being a possible source of inspiring material for others, it is again important that these be developed in a free and open-source development model.

On February 28th, 2020, the factorization of RSA-250 was announced.

Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no single party holds the secret key).

Belenios supports various kinds of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters order candidates and grade them.

Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

Belenios now supports verifiable mixnets for the tally procedure. Mixnets shuffle and re-randomize ballots so that the output ballots can no longer be linked to the original ones. Then the ballots can be decrypted one by one, yielding the set of the original votes in a random order. As a result, arbitrary types of elections can be organized with Belenios, where voters rank or grade the candidates. Belenios offers complete support for Condorcet, STV, and Majority Judgement, but any function can be applied to the raw results.
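The confidentiality and tally mechanisms described in this section (encrypted ballots, a decryption key distributed over trustees so that no single party holds it, a public ballot box that voters can check, a homomorphic tally, and a re-randomizing mix before ballot-by-ballot decryption) can be sketched in a few dozen lines. The Python below is an added example written for this report, not Belenios code: it uses a constructed toy group (p = 1019) that is far too small to be secure, 0/1 votes in exponential ElGamal, plain multiplicative key shares in place of Belenios's threshold key distribution, and a mix that re-randomizes and shuffles without the zero-knowledge shuffle proofs that make a real mixnet verifiable.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure, far too small): p = 2q + 1 with q prime,
# G = 4 generates the subgroup of prime order q. Real systems use 2048-bit+ groups.
P, Q, G = 1019, 509, 4


def keygen(n_trustees):
    """Each trustee draws a private share x_i and publishes G**x_i.
    The election key h is the product of the public shares, so the matching
    secret is the sum of all shares: no single party holds it."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    h = 1
    for x in shares:
        h = h * pow(G, x, P) % P
    return shares, h


def encrypt(h, vote):
    """Exponential ElGamal: a 0/1 vote is encoded as G**vote, so that
    multiplying two ciphertexts adds the votes underneath."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P)


def rerandomize(h, ct):
    """Mix step: fresh randomness makes the output unlinkable to the input
    while it still encrypts the same vote (a verifiable mixnet adds a proof)."""
    s = secrets.randbelow(Q - 1) + 1
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(h, s, P) % P)


def tracker(ct):
    """Short fingerprint a voter can look up on the public ballot box."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()[:12]


def ballot_is_published(board, ct):
    return tracker(ct) in board


def joint_decrypt(shares, ct):
    """Every trustee contributes c1**x_i; the product of the contributions is
    h**r, which cancels the mask on c2 and leaves G**m. A missing trustee
    blocks decryption, which is the point of distributing the key."""
    mask = 1
    for x in shares:
        mask = mask * pow(ct[0], x, P) % P
    return ct[1] * pow(mask, -1, P) % P


def dlog_small(target, bound):
    """Recover m from G**m for 0 <= m <= bound (tallies are small numbers)."""
    acc = 1
    for m in range(bound + 1):
        if acc == target:
            return m
        acc = acc * G % P
    raise ValueError("value out of expected range")


def homomorphic_tally(shares, ballots):
    """Aggregate all ciphertexts, decrypt once, read off the number of 1-votes."""
    c1 = c2 = 1
    for a, b in ballots:
        c1, c2 = c1 * a % P, c2 * b % P
    return dlog_small(joint_decrypt(shares, (c1, c2)), len(ballots))


def mixnet_tally(shares, h, ballots):
    """Re-randomize and shuffle, then decrypt ballot by ballot: the multiset of
    votes is revealed in an order unrelated to the ballot box (sorted here only
    so the result is deterministic)."""
    mixed = [rerandomize(h, ct) for ct in ballots]
    secrets.SystemRandom().shuffle(mixed)
    return sorted(dlog_small(joint_decrypt(shares, ct), 1) for ct in mixed)


def run_election(votes, n_trustees=3):
    shares, h = keygen(n_trustees)
    ballots = [encrypt(h, v) for v in votes]
    board = [tracker(ct) for ct in ballots]  # the public ballot box
    return {
        "ballots": ballots,
        "trackers": board,
        "homomorphic": homomorphic_tally(shares, ballots),
        "mixnet": mixnet_tally(shares, h, ballots),
    }


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))
```

Both tally paths recover the same votes; the homomorphic path reveals only the sum, while the mix path reveals each (re-randomized) ballot's content, which is what allows counting functions beyond simple approval, at the cost of the shuffle proofs omitted here.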

Moreover, Belenios now features crowd-sourcing for translating the voter and administrator interfaces. Anyone can contribute on https://hosted.weblate.org/projects/belenios/. Thanks to this development, Belenios now offers a dozen languages.

Due to the pandemic, the use of our voting platform has increased by a factor of 10 in 2020, with more than 1400 elections organized with our platform and a cumulative total of more than 100 000 voters.

Cado-NFS has undergone few important changes during the year 2020. However, some specific parts of the code have been improved:
- the simulation code used to try to predict matrix sizes is evolving;
- the I/O layer in the linear algebra code has been simplified;
- the central step of binary linear algebra is being prepared for an improvement of some operations that are currently costlier than they should be;
- the cofactorisation code has been improved.

Additionally, Cado-NFS has moved to the Inria gitlab platform. At this point, there is no certainty as to the permanent URL of the Cado-NFS software.

Since 2018, the CARAMBA team has been using in particular a computer cluster called grvingt, acquired in 2018. This equipment was funded by the CPER «CyberEntreprises» (French Ministry of Research, Région Grand Est, Inria, CNRS) and comprises a 64-node, 2,048-core cluster. This cluster is installed in the Inria facility. Other slightly older hardware (a medium-size cluster called grcinq from 2013, funded by ANR, and a special machine funded by the aforementioned CPER grant) is also installed in the same location, to form a coherent platform with about 3,000 CPU cores, 100 TB of storage, and specific machines for RAM-demanding computations. As a whole, this platform provides excellent support for the computational part of the work done in CARAMBA. This platform is also embedded in the larger Grid'5000/Silecs platform (and accessible as a normal resource within this platform). Technical administration is done by the Grid'5000 staff.

This equipment has played a key role in the record factorization of RSA-240 done in February 2020, as well as the computation of discrete logarithms modulo a 240-digit prime, completed at the end of 2019.

The preprint version of [7] appeared in the report of 2019; this paper was published in 2020 in the journal . In this work we explored a modification of the Cocks-Pinch method to generate pairing-friendly curves resistant to the Special Tower NFS algorithm (STNFS). We carefully estimated the cost of the STNFS attack for existing families of curves, and chose curves of embedding degree five to eight. For prime embedding degrees 5 and 7, our curves are naturally immune to the STNFS attack, but their performance level is not high. For composite embedding degrees 6 and 8, for which the TNFS attack applies, we chose the parameters from a family that is general enough to thwart the “special” variant STNFS; we also optimized these parameter choices so that these curves have a reasonably efficient pairing computation, close to the very best possible curve choices.

The preprint version of [16] appeared in the report of 2019; this paper was published in 2020 in the proceedings of the (online) conference , together with a 20-minute video at https://. This paper applies the refinements of the paper [8] to estimate the cost of the Special Tower NFS algorithm for particular pairing-friendly curves, whose target group is , and where the characteristic is special, parameterized by a low-degree polynomial. We show that with a new variant of the polynomial selection, the estimated cost is reduced, but stays above the theoretical bound of the Special NFS . This variant does not apply to the Cocks-Pinch curves of [7]. We list nine interesting pairing-friendly curves of embedding degrees between 10 and 16 at the 128-bit security level. This paper was completed with a webpage listing pairing-friendly curves at https://.

This work with Youssef El Housni, PhD student in the GRACE team at Inria Saclay and at EY–Ernst & Young (now at ConsenSys), selects a new elliptic curve for SNARKs (Succinct Non-interactive ARguments of Knowledge) [14]. The curve is named BW6-761 for a Brezing–Weng pairing-friendly curve of embedding degree 6 defined over a 761-bit prime field. The curve is dedicated to recursive proofs of knowledge from Groth [30]. The curve is used together with the elliptic curve BLS12-377, a Barreto–Lynn–Scott pairing-friendly curve over a 377-bit prime field . For recursive proofs, the prime subgroup order of the curve BW6-761 is , the base field of the curve BLS12-377. The new curve BW6-761 is an improvement of the curve [27] and provides faster arithmetic; in particular, faster scalar multiplication and much faster pairing computation, resulting in a 30-fold speed-up in Groth'16 proof verification in Rust. The curve is deployed in many SNARK libraries and listed in Ethereum Improvement Proposals (EIP). The security estimate of the new curve uses [7] and [8]. This joint work will be continued in 2021.

The preprint version of [13] appeared in the report of 2019; this paper was published in 2020 in the proceedings of the (online) conference Africacrypt 2020. ECDSA is a widely deployed public key signature protocol that uses elliptic curves. One way of attacking ECDSA with a wNAF implementation of the scalar multiplication is to perform a side-channel analysis to collect information, then use a lattice-based method to recover the secret key. In [13], we re-investigate the construction of the lattice used in one of these methods, the Extended Hidden Number Problem (EHNP). We find the secret key with only 3 signatures, thus reaching the theoretical bound, which had never been achieved before. Our attack is more efficient than previous attacks, has a better probability of success, and is still able to find the secret key with a small number of erroneous traces, up to 2% of false digits.

Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this tutorial [22], we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.

This article, written in 2017 when the first author was in the group, has been published in [10].

In [1], we reported on our computational records that were completed at the end of 2019 (integer factorization and discrete logarithms for 240-digit, 795-bit key sizes) and at the beginning of 2020 (integer factorization for 250-digit, 829-bit key sizes). This work was made possible by a series of improvements in the Number Field Sieve algorithm, and by the flexibility of the Cado-NFS software implementation, which enabled us to experiment with a vast variety of parameter selection strategies. Our conclusions are two-fold. First, our computations were much faster than expected. At the 240-digit (795-bit) level, we show that our computation of discrete logarithms actually took 25% less time (measured on identical hardware) than the time that was reported for the computation of discrete logarithms modulo a 232-digit (768-bit) prime. Second, we simultaneously computed two records of the same size, one on integer factoring and one on discrete logarithms. This double achievement gives a crucial data point regarding how to compare these problems, which are of utmost importance for public-key cryptography. We show that, contrary to the common belief that discrete logarithms are very considerably harder to compute than integer factoring for similar key sizes, the difference is only a factor of roughly 3 for 795-bit key sizes, which is much less than previously thought. This paper was published in the proceedings of the conference Crypto 2020.

We also wrote a non-technical article in French, which aims at dissemination towards a more general public [25].

In [2], we study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where the finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case. We adapt the Function Field Sieve to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones. This paper was published in the proceedings of the conference Crypto 2020.

In [23], we examine how it is possible to refine the asymptotic complexity of the Number Field Sieve. Its most commonly used expression, for the factorization of an diverges in a range that widely encompasses the practical range. A consequence of this is that predictions of the hardness of, say, 8000-bit RSA, given a data point for 800-bit RSA, should be regarded with extreme care.

In [11], we study how the Function Field Sieve algorithm can extend to the medium prime range, and provide concrete experimental results for a kilobit finite field of 22-bit characteristic. The linear algebra step was manageable in this example thanks to the CARAMBA expertise. We also show that the linear algebra step can be expected to dominate in two chosen examples of slightly larger characteristic. This article was published in 2020 in the journal Advances in Mathematics of Communications.

Together with Charles Bouillaguet (now Sorbonne University, Paris, France), we completely re-designed the structured Gaussian elimination step of Cado-NFS (called merge). The new algorithm is fully parallel and scales quite well. It was used for the new 240- and 250-digit record factorizations and discrete logarithm computations [1]. The article describing the new parallel algorithm was finally accepted for publication in 2020, and will appear in Mathematical Cryptology.

Together with Patrick Derbez, María Naya-Plasencia, Léo Perrin and André Schrottenloher, we found a series of structural properties of Spook, one of the second-round candidates of the NIST Lightweight Cryptography Standardization process. In [3], we managed to extend these properties and to build practical distinguishers of the full 6-step version of the underlying permutations of Spook, namely Shadow-512 and Shadow-384. We also proposed practical forgeries with 4-step Shadow for the S1P mode of operation in the nonce misuse scenario, which is allowed by the CIML2 security game considered by the authors. Our findings have led the designers of Spook to propose a tweaked version of their candidate in order to improve the security margins. This paper was published in the proceedings of the conference Crypto 2020.

The article [5] involved all the team members working in symmetric cryptography. It studied how to adapt the BCT, a recent tool introduced to better estimate the strength of so-called boomerang distinguishers, to the case of Feistel constructions. We investigated the properties of the newly introduced table (that we call the FBCT) and showed that its coefficients are related to the second-order derivative of the function at play. We compared the properties of the BCT and of the FBCT, and concluded with an extension to more rounds and with an application of the results. This article was published in Transactions on Symmetric Cryptology.
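To make concrete what the two tables count, here is an added Python example; it is not the article's code, and the definitions are as recalled from the literature, so the article's exact notation may differ. The BCT of Cid et al. for an S-box S counts, for each pair (Δi, ∇o), the inputs x with S⁻¹(S(x) ⊕ ∇o) ⊕ S⁻¹(S(x ⊕ Δi) ⊕ ∇o) = Δi, which needs S to be invertible. The FBCT instead counts the x at which the second-order derivative of the Feistel round function F vanishes, F(x) ⊕ F(x ⊕ Δi) ⊕ F(x ⊕ ∇o) ⊕ F(x ⊕ Δi ⊕ ∇o) = 0, so no inverse is needed, which is why it fits Feistel constructions. The public 4-bit PRESENT S-box is used as a stand-in for both S and F.

```python
# Constructed input: the 4-bit PRESENT S-box (public, widely analysed).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def inverse(sbox):
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def bct(sbox):
    """Boomerang Connectivity Table (SPN setting, definition of Cid et al.
    as recalled here): BCT[di][do] is the number of x such that
    S^-1(S(x) ^ do) ^ S^-1(S(x ^ di) ^ do) == di."""
    n = len(sbox)
    inv = inverse(sbox)
    table = [[0] * n for _ in range(n)]
    for di in range(n):
        for do in range(n):
            table[di][do] = sum(
                1 for x in range(n)
                if inv[sbox[x] ^ do] ^ inv[sbox[x ^ di] ^ do] == di
            )
    return table


def fbct(f):
    """Feistel BCT: FBCT[di][do] is the number of x at which the second-order
    derivative of the round function F vanishes,
    F(x) ^ F(x ^ di) ^ F(x ^ do) ^ F(x ^ di ^ do) == 0.
    F need not be invertible."""
    n = len(f)
    table = [[0] * n for _ in range(n)]
    for di in range(n):
        for do in range(n):
            table[di][do] = sum(
                1 for x in range(n)
                if f[x] ^ f[x ^ di] ^ f[x ^ do] ^ f[x ^ di ^ do] == 0
            )
    return table


def boomerang_uniformity(table):
    """Largest BCT entry outside the trivial first row and column
    (di == 0 or do == 0 always gives the full input space)."""
    n = len(table)
    return max(table[di][do] for di in range(1, n) for do in range(1, n))


def fbct_uniformity(table):
    """Largest FBCT entry outside the trivial cases di == 0, do == 0 and
    di == do, where the second-order derivative is identically zero."""
    n = len(table)
    return max(table[di][do] for di in range(1, n) for do in range(1, n) if di != do)


def print_table(table):
    for row in table:
        print(" ".join(f"{v:2d}" for v in row))


if __name__ == "__main__":
    print("BCT of the PRESENT S-box, boomerang uniformity", boomerang_uniformity(bct(SBOX)))
    print_table(bct(SBOX))
    print("FBCT of the PRESENT S-box, FBCT uniformity", fbct_uniformity(fbct(SBOX)))
    print_table(fbct(SBOX))
```

A designer reads both tables the same way: a small maximum outside the trivial entries means no input/output difference pair is especially favourable to a boomerang, so the tables are part of a design's security argument, not only of an attack.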

This work [9] with Subhamoy Maitra and Dibyendu Roy and Thor Martinsen and Pantelimon Stanica is a substantially revised and extended version of the paper “Tools in analyzing linear approximation for Boolean functions related to FLIP” that appeared in the proceedings of Indocrypt 2018 [32]. We proposed a technique to study the cryptographic properties of Boolean functions whose inputs do not follow a uniform distribution, and obtained a lower bound for the bias of the nonlinear filter function of FLIP by using a biased Walsh–Hadamard transform. Our results provide a more accurate calculation of the biases of Boolean functions over restricted domains, which helps to determine the security parameters of FLIP-type ciphers.

In [6], with David Gérault, Pascal Lafourcade, and Christine Solnon, we improve existing Constraint Programming (CP) approaches for computing optimal related-key differential characteristics: we add new constraints that detect inconsistencies sooner, and we introduce a new decomposition of the problem into two steps. These improvements allow us to compute all optimal related-key differential characteristics for AES-128, AES-192 and AES-256 in a few hours. This article was published in 2020 in the journal Artificial Intelligence.

The team is actively taking part in the lightweight cryptography standardization process of the NIST. The two major actions that have been taken are the following:

When a cryptographic algorithm is executed in a potentially hostile environment, techniques of white-box cryptography are used to protect a secret key from a fully-privileged adversary. However, even if the adversary is not able to extract the secret key from the implementation, they might lift the entire white-box code and execute it (this is called a code lifting attack). In [17], we introduce an encryption scheme that can be implemented in an untrusted environment and is still secure even if the white-box code has been lifted. We base our proposal on a Physically Unclonable Function (PUF) to ensure the execution context of our so-called PUF-based encryption scheme. This way, the encryption is “locked” to a particular device. This article was published in the proceedings of the 17th International Conference on Security and Cryptography.

In a short paper [12], contributed to the E-Vote-ID 2020 conference, we explain how, in the Belenios voting system, while not using the weak version of Fiat-Shamir, there is still a gap that allows one to fake a zero-knowledge proof in certain circumstances. Therefore, an attacker who corrupts the voting server and the decryption trustees could break verifiability.

The article [15] has been published in the proceedings of the Financial Crypto conference. It was also presented as an invited contribution at Real World Crypto 2020 and at the Workshop on Attacks in Crypto (a satellite of the Crypto 2020 conference).

Following a question of Neil Sloane, the author of the (OEIS), Paul Zimmermann designed an efficient algorithm to compute the sequence defined in http://: is the minimal positive such that the concatenation of the decimal digits of is divisible by , or if no such exists. The new algorithm made it possible to find the (previously unknown) values and and other values for . The corresponding article is submitted for publication in the .

The article [21], in French, examined the potential privacy implications of the Covid-19 contact tracing systems that were to be deployed in various countries. We show that despite claims of “privacy by design”, privacy concerns do exist and cannot be dismissed light-heartedly.

Since January 2020, a virtual center for cybersecurity has been established between LORIA and CISPA in Saarbrücken (Germany). This virtual center is led by Marine Minier for LORIA and by Antoine Joux for CISPA.

Santanu Sarkar, from the Indian Institute of Technology Bombay, visited our team until February 2020. His three-month stay was the opportunity to work with him on secret key cryptography.

We have a contract with several partners dedicated to the definition of new lightweight cryptographic primitives for the IoT. Here is the main information about this partnership. See the web site for a full presentation.

This project aims to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project will be to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project will define new dedicated global constraints, will improve the underlying filtering and solution search algorithms, and will propose dedicated explanations generated automatically. See the web site for more information.

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

In connection with our recent factoring and discrete logarithm record computations, we wrote a non-technical article in French, which aims at dissemination towards a more general public [25].

Cécile Pierrot gave a wide-audience talk about cryptography at La Cité des Sciences, Paris, for the exhibition "Espions" (October 2019 to June 2021).