Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The two facets of cryptology—cryptography and cryptanalysis—are central to our research. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones.

Our research connects to both symmetric and asymmetric key cryptography. While the basic principles of these domains are rather different—indeed their names indicate different handlings of the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition to this, both require that design and analysis be studied together, as these two aspects nurture each other.

Our research topics can be listed either with broad applications domains
in mind (a very coarse-grain view would have us list them under
cryptography and cryptanalysis), or more thematically (see
Figure ). Either way, we
also identify a set of tools that we sometimes develop per
se, but most often as ingredients towards goals that are set in the
context of other themes. Following the “vertical” reading direction in
Figure , our research topics are as follows.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.

Closely related to the Tower Number Field Sieve are pairing-friendly curves.
Pairings are bilinear maps

Questions more recently studied include the development of cryptosystems based on isogenies.

Symmetric key cryptography. This topic has emerged in the team with several new hires since 2016. We are interested in particular in automatic tools for new paradigms of cryptanalysis, going beyond the classical linear and differential cryptanalysis techniques. Newer, more intricate techniques are rather hard to apply and are error-prone. The idea is then to automate the analysis process by developing tools implemented in constraint programming (CP), satisfiability (SAT) or mixed integer linear programming (MILP). We plan to pay special attention to the recent advances in cryptanalysis and to study recently proposed lightweight ciphers.

In addition, we also study new designs. The challenge of the lightweight world pushes symmetric cryptography to be ever more efficient while guaranteeing the same level of security as before. It is thus very important to scrutinize each building block of the symmetric key primitives to be convinced of their security.

Tools. Several mathematical objects are pervasive in our research. We sometimes study them per se, but they most often play a key role in the work related to the topics above. In particular, we study computer arithmetic, polynomial systems, linear algebra. In the context of symmetric cryptography, the mathematical objects we deal with are rather different: we are mainly interested in small (4 or 8 bits) non-linear permutations (the so-called S-boxes) and in linear transformations based on coding theory (Maximum Distance Separable (MDS) matrices or quasi-MDS matrices).

Our goals with all these basic objects include a strong commitment to providing high-quality software that can be used as a dependable building block in our research.

As a complement to the last point, we consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, part of our research activity.

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered since 2014, notably for non-prime fields, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would
hardly be possible without access to a dependable software
implementation. To this end, members of the CARAMBA team have been
developing the Cado-NFS software suite since 2007. Cado-NFS is now the
most widely visible open-source implementation of NFS, and is a crucial
platform for developing prototype implementations for new ideas for the
many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and
follows an open development model, with publicly accessible development
repository and regular software releases. Competing free software
implementations exist, such as msieve, developed by J.
Papadopoulos (whose last commit is from August 2018).
T. Kleinjung develops his own code base, which
is unfortunately not public.

The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters, while cryptanalysis looks at the hardness of the discrete logarithm problem.

Several members have expertise in multiple facets of curve-based
cryptology, but recent work in the team has been concentrated on a few
precise topics. One of them is pairing-based
cryptography.
Pairing-friendly curves were introduced in 2001 in (constructive) cryptography
and should be designed with a very precise application goal in mind, contrary to the widespread curves such as x25519
or x448 in TLS, or the NIST curves, which can be used much more
generically.
The bilinear pairing has two aspects. First a destructive side: it
transfers a discrete logarithm computation from the group of points of the curve
(where the DLP is known to be hard, of exponential complexity in the size
of the group), to a finite field extension

We also investigate the practical security (e.g. against physical attacks) of elliptic curves and their implementations. Our focus here is more on the connection of such problems with Euclidean lattice theory, for example.

With NIST's competition on post-quantum cryptographic primitives, the new area of isogenies on elliptic curves is developing. Efficient implementation of isogenies is an active area of research nowadays, together with better parameter selection. The elliptic curves suitable for isogenies require different properties: they are supersingular contrary to the ordinary curves in classical cryptography. Selecting parameters is a difficult task, and in some cases, it requires a large computational effort of a class number computation.

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

In symmetric key cryptology, we are tackling problems related to both design and analysis. A large part of our recent research has been motivated by the Lightweight Cryptography Standardization Process of the NIST that embodies a crucial challenge of the last decade: finding ciphers that are suitable for resource-constrained devices.

On a general note, the working program of CARAMBA in symmetric cryptography is defined as follows:

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in our application domains. However involved the mathematical objects considered may be, dealing with them first requires mastering more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, GNU MPC do an excellent job for these, both for small and large sizes.

Most of our involvement in subjects related to computer arithmetic is to
be understood in connection to our applications to the Number Field Sieve
and to abelian varieties. As such, much of the research work we envision
will appear as side-effects of developments in these contexts. On the
topic of arithmetic work per se:

Our study of the Number Field Sieve family of algorithms aims at showing how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for the choice of appropriate cryptographic primitives. For example the French ANSSI, German BSI, or the NIST in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that are taking the security/efficiency/legacy compatibility trade-offs too lightly. Attacks such as LogJam are understood as being serious concerns thanks to our convincing proofs of concept. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.

This work is a generalization of published last year at CANS'2020, with Youssef El Housni, PhD student in the GRACE team at Inria Saclay, and . This paper considers chains of two pairing-friendly elliptic curves for SNARKs (Succinct Non-interactive ARguments of Knowledge). In the previous work, one 2-chain was investigated: the curves BLS12-381 and BW6-761. This work considers 2-chains of curves where the first (inner) curve can be a BN (Barreto–Naehrig), or a BLS12 or BLS24 (Barreto–Lynn–Scott) curve. The second (outer) curve is obtained with the Brezing–Weng construction (BW6 curves) of the Cocks–Pinch curve. The aim is to provide other trade-offs in terms of size, and arithmetic and pairing efficiency. This preprint improves the operations on BLS curves: a general proof of faster cofactor multiplication is provided, for example. The companion code is referenced in Section , and a full Golang implementation is developed in the library .

The preprint version of appeared in the report of 2019; this paper was published in 2021 in the new diamond open-access journal . With Shashank Singh from IISER Bhopal (former post-doc at CARAMBA in 2017), we generalized the ranking function for the Tower setting of the Number Field Sieve in . In the relation collection of the NFS algorithm, one tests the smoothness of algebraic norms (computed with resultants). The function measures the bias of the average valuation at small primes of algebraic norms, compared to the average valuation at random integers of the same size. A negative means more small divisors than average. We then estimate the total number of relations with a Monte-Carlo simulation, as a generalized Murphy's function, and finally give a rough estimate of the total cost of TNFS for finite fields of popular pairing-friendly curves. The companion code is referenced in Section . The results of this paper and the source code were reused to assess the security of pairing-friendly elliptic curves in the context of SNARKs , and the polynomial selection implementation was involved in the record computation .

The Tower variant of the Number Field Sieve (TNFS) is known to be asymptotically the most efficient algorithm to solve the discrete logarithm problem in finite fields of medium characteristic, when the extension degree is composite. A major obstacle to an efficient implementation of TNFS is the collection of algebraic relations, as it happens in dimension greater than 2. This requires the construction of new sieving algorithms which remain efficient as the dimension grows. In , we overcome this difficulty by considering a lattice enumeration algorithm which we adapt to this specific context. We also consider a new sieving area, a high-dimensional sphere, whereas previous sieving algorithms for the classical NFS considered an orthotope. Our new sieving technique leads to a much smaller running time, despite the larger dimension of the search space, and even when considering a larger target, as demonstrated by a record computation we performed in a 521-bit finite field . The target finite field is of the same form as finite fields used in recent zero-knowledge proofs in some blockchains. This is the first reported implementation of TNFS.

The preprint version of this work was written in 2020. This paper was
published in 2021 in the new diamond open-access journal Mathematical
Cryptology.

In , we examine how it is possible to refine
the asymptotic complexity of the Number Field Sieve. Its most commonly used
expression, for the factorization of an diverges in a range that
widely encompasses the practical range. A consequence of this is that
predictions of the hardness of, say, 8000-bit RSA, given a data point for
800-bit RSA should be regarded with extreme care.

As most hardware design companies cannot afford having their own foundries, a common strategy consists in outsourcing the production of integrated circuits to external factories. While this solution allows them to reduce the production costs, it brings up the problem of trust in the third party. One of the most feared threats in this respect goes under the name of hardware Trojan, defined as a malicious modification of the circuit design. In this paper we studied the possibility of building a symmetric cipher that would reach Trojan-resilience in an efficient manner. Our concrete proposal is called MOE, acronym for “Multiplication Operated Encryption”. It can be implemented using (mostly) untrusted low-cost chips and provides robustness more efficiently than by exploiting secret sharing and multi-party computation on a standard block cipher. MOE exploits a simple round structure mixing a modular multiplication and a multiplication with a binary matrix. Besides being motivated as a new block cipher design for Trojan resilience, our research also exposes the cryptographic properties of the modular multiplication, which is of independent interest.

Furthermore, we propose a concrete instance with

In , we propose automatic tools to find the best differential characteristics on the SKINNY block cipher. As usually done in the literature, we split this search in two stages denoted by Step 1 and Step 2. In Step 1, we aim at finding all truncated differential characteristics with a low enough number of active Sboxes. Then, in Step 2, we try to instantiate each difference value while maximizing the overall differential characteristic probability. We solve Step 1 using an ad-hoc method inspired by the work of Fouque et al., whereas Step 2 is modelled for the Choco-solver library as it seems to outperform all previous methods on this stage.

Notably, for SKINNY-128 in the SK model and for 13 rounds, we retrieve the results of Abdelkhalek et al. within a few seconds (instead of 16 days) and we provide, for the first time, the best differential related-tweakey characteristics up to 14 rounds for the TK1 model. Regarding the TK2 and the TK3 models, we were not able to test all the solutions in Step 1, and thus the differential characteristics we found up to 16 and 17 rounds are not necessarily optimal.

In , we propose an instantiation, called Stanislas, of a dedicated Self-Synchronizing Stream Cipher (SSSC) involving an automaton with finite input memory using non-triangular state transition functions. Previous existing SSSCs are based on automata with shifts or triangular functions (T–functions) as state transition functions. Our algorithm Stanislas admits a matrix representation deduced from a general and systematic methodology called Linear Parameter Varying (LPV). This particular representation comes from the control theory, more specifically from a special property of dynamical systems called flatness. Hardware implementations and comparisons with some state-of-the-art stream ciphers on Xilinx FPGAs are presented. It turns out that Stanislas provides bigger throughput than the considered stream ciphers (synchronous and self-synchronizing) when straightforward implementations are considered. Moreover, its synchronization delay is much smaller than the SSSC Moustique (40 clock cycles instead of 105) and the standard approach CFB1-AES128 (40 clock cycles instead of 128).

The article deals with a hybrid architecture involving LPV dynamical systems for encryption purposes, in the context of cybersecurity. Such a hybrid architecture is motivated by the fact that it is a natural model, recast in a control-theoretic framework, of a so-called statistical self-synchronizing stream cipher. It is shown that flatness is central to guarantee the necessary synchronization between the cipher and the decipher. In this context, beyond synchronization, security must be taken into account as well. We especially focus on diffusion as a security criterion. The hybrid architecture makes it possible to satisfy both properties simultaneously. An illustrative example presents a numerical application and must be considered as a proof-of-concept before further investigation.

The Swiss Post company is in the process of certification of its new e-voting system, to be used by the Swiss Cantons in the course of 2022. In this context, the specification and the source code are gradually revealed for being studied by the community. A private bug bounty program has first been launched and a public bug bounty has followed.

Together with Alexandre Debant and Véronique Cortier, from the PESTO team, we have discovered a privacy issue in the protocol and its implementation that would allow a collusion of a subset of the trust parties to learn the vote of any voter of their choice. This is in contradiction with the trust model imposed by the Federal Chancellery that imposes that privacy should be preserved unless all the trustees are dishonest.

We propose a multi-party computation toolbox dedicated to this kind of problems, and show that it allows us to tackle all famous tally functions, including the most complicated, like the Condorcet-Schulze, D'Hondt, STV, or Majority Judgement. We also explain how the classical ElGamal encryption (typically based on elliptic curves) can be used, instead of the Paillier scheme that is often chosen in theoretical papers, but is far less frequent in standard crypto libraries.

In this work , we propose the first full resource estimate of a quantum attack on symmetric ciphers that is not a generic key search. In more detail, we give complete quantum circuits for the Offline Simon's algorithm, instantiated to attack the block cipher PRINCE, the MAC (and ISO standard) Chaskey and the authenticated encryption scheme Elephant. This work shows that the attack has reasonable qubit requirements and a low time overhead compared to a simple asymptotic exponent-based analysis.

In this work , we introduce the , which is a novel way to use Simon's algorithm to attack symmetric schemes. It leverages a linear structure inside the construction.

We also present some variants of this attack that use other quantum algorithms, which are much less common in quantum symmetric cryptanalysis: Deutsch's, Bernstein-Vazirani's, and Shor's. To the best of our knowledge, this is the first time these algorithms have been used in quantum forgery or key-recovery attacks.

Our attacks break most parallelizable MACs such as LightMac, PMAC, and numerous variants with (classical) beyond-birthday-bound security (LightMAC+, PMAC) or using tweakable block ciphers (ZMAC). More generally, it shows that constructing parallelizable quantum-secure PRFs might be a challenging task.

In this work , we propose QCB, the first parallelizable rate-one authenticated encryption mode proven secure against quantum superposition attacks. It builds upon a tweakable block cipher and is secure up to the birthday bound.

We also generalize some quantum attacks, which allows us to show that a large class of authenticated encryption modes is broken in a quantum setting, and discuss the quantum security notions for authenticated encryption modes.

The work has nothing to do with cryptography, except that it uses combinatorics and algorithms to recover structured information from raw data. Somehow, it is a kind of cryptanalysis. It started as an informal discussion between the first two co-authors. In 2019–2021, M. Guillevic was a post-doctoral researcher at EMPA. The companion code is referenced in Section .

The year 2021 was devoted to the preparation of the project, which was officially started in 2022. The aim of CORE-MATH is to provide on-the-shelf open-source mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (simple precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits).

In 2021, two functions were implemented for the above four formats: the
cubic root function (cbrt) and the arc-cosine function
(acos).
In parallel, the article about the accuracy of current mathematical
libraries was extended with the help of Vincenzo Innocente to the Apple
and CUDA mathematical libraries .
This article shows that current mathematical libraries return very different
results, and are far from correct rounding, even for rounding to nearest.
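As an added illustration (not CORE-MATH code, nor code from this report) of what "correct rounding" means for one of the functions named above, cbrt: the check below uses exact rational arithmetic as an oracle to decide whether a binary64 cube-root result is the nearest double, builds a slow reference from that test, and measures how far a candidate result is from it in ulps. The naive `x ** (1/3)` stands in for an arbitrary library implementation, and all inputs are constructed.

```python
from fractions import Fraction
import math

# Added example, not code from CORE-MATH or the report: decide whether a
# binary64 cube-root result is correctly rounded (round-to-nearest), using
# exact rational arithmetic as the oracle.  Inputs below are constructed.


def _cube(f: Fraction) -> Fraction:
    return f * f * f


def _midpoint(a: float, b: float) -> Fraction:
    """Exact midpoint of two adjacent doubles (54 significant bits, so it is
    never itself a double)."""
    return (Fraction(a) + Fraction(b)) / 2


def is_correctly_rounded_cbrt(y: float, x: float) -> bool:
    """True iff y is the double nearest to the real cube root of x.

    y is nearest iff x lies strictly between the cubes of the midpoints
    between y and its two neighbouring doubles (cubing is monotonic on all
    reals, so the same test works for negative values).  Ties are impossible:
    the cube of a 54-bit midpoint needs about 160 significant bits, so it can
    never equal the 53-bit value x.  Assumes x and y are finite and non-zero.
    """
    below = math.nextafter(y, -math.inf)
    above = math.nextafter(y, math.inf)
    lo, hi = _cube(_midpoint(below, y)), _cube(_midpoint(y, above))
    return lo < Fraction(x) < hi


def correctly_rounded_cbrt(x: float) -> float:
    """Slow reference cube root: start from the naive pow() estimate and walk
    ulp by ulp until the exact test passes.  Each loop runs only a few times
    because the estimate is already within a few ulps of the answer."""
    if x == 0.0 or math.isinf(x) or math.isnan(x):
        return x
    sign, ax = math.copysign(1.0, x), abs(x)
    y = ax ** (1.0 / 3.0)
    while _cube(_midpoint(y, math.nextafter(y, math.inf))) < Fraction(ax):
        y = math.nextafter(y, math.inf)
    while _cube(_midpoint(math.nextafter(y, -math.inf), y)) > Fraction(ax):
        y = math.nextafter(y, -math.inf)
    return sign * y


def ulp_distance(y: float, reference: float, limit: int = 1 << 20) -> int:
    """Number of doubles between y and reference (0 means correctly rounded);
    stops at `limit` so a wildly wrong candidate cannot loop for long."""
    lo, hi = min(y, reference), max(y, reference)
    n = 0
    while lo < hi and n < limit:
        lo = math.nextafter(lo, math.inf)
        n += 1
    return n


def audit_naive_cbrt(inputs):
    """Compare x ** (1/3) (standing in for a libm) with the reference on each
    constructed positive input; returns {x: ulp error}."""
    return {x: ulp_distance(x ** (1.0 / 3.0), correctly_rounded_cbrt(x))
            for x in inputs}


if __name__ == "__main__":
    SAMPLE = [27.0, 64.0, 2.0, 0.1, 123456789.0, 1e-300]  # constructed inputs
    for x, err in audit_naive_cbrt(SAMPLE).items():
        print(f"cbrt({x!r}): naive pow() result is {err} ulp from correctly rounded")
```

The same midpoint test generalizes to any function whose value can be compared exactly (acos needs a multiple-precision oracle instead of Fraction), which is how a library result can be audited without trusting another library.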

During his L3 internship, Samuel Vivien designed a parallel integer multiplication algorithm and efficiently implemented it on top of GNU MP. His implementation outperforms the Flint library, which is the only other software tool providing parallel integer multiplication. For example, on a 32-core Xeon Gold, a speedup of 20 is obtained for the multiplication of two integers of words of 64 bits (over the sequential code). The article describing this work has been accepted to the 30th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP 2022) .

Together with the PESTO team, we had a short contract with Swiss Post. The goal was to update the formal proofs of their e-voting protocol, in order to follow its evolution and to fix a few problems.

Since January 2020 a virtual center for cybersecurity has been established between LORIA and CISPA in Saarbrücken (Germany). This virtual center is led by Marine Minier for LORIA and by Antoine Joux for CISPA.

This project aims to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project will be to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project will define new dedicated global constraints, will improve the underlying filtering and solution search algorithms, and will propose dedicated explanations generated automatically. See for more information.

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

Paul Zimmermann also did a review of the article Integer Points Close
to a Transcendental Curve and Correctly-Rounded Evaluation of a Function
by Nicolas Brisebarre and Guillaume Hanrot (AriC project-team,
Inria Rhône-Alpes), and tested the accompanying
software tools. His comments are taken into account in the latest version .