Algorithmic number theory dates back to the dawn of mathematics
itself, cf. Eratosthenes's sieve to enumerate consecutive prime numbers.
With the
arrival of computers, previously unsolvable problems have come into reach,
which has boosted the development of more or less practical algorithms
for essentially all number theoretic problems. The field is now mature
enough for a more computer science driven approach, taking into account
the theoretical complexities and practical running times of the algorithms.

Concerning the lower level multiprecision arithmetic, folklore has asserted for a long time that asymptotically fast algorithms such as Schönhage–Strassen multiplication are impractical; nowadays, however, they are used routinely. On a higher level, symbolic computation provides numerous asymptotically fast algorithms (such as for the simultaneous evaluation of a polynomial in many arguments or linear algebra on sparse matrices), which have only partially been exploited in computational number theory. Moreover, precise complexity analyses do not always exist, nor do sound studies to choose between different algorithms (an exponential algorithm may be preferable to a polynomial one for a large range of inputs); folklore cannot be trusted in a fast moving area such as computer science.

Another problem is the reliability of the computations; many number
theoretic algorithms err with a
small probability, depend on unknown constants or rely on a Riemann
hypothesis. The correctness of their output can either be ensured by a
special design of the algorithm itself (slowing it down) or by an a
posteriori verification. Ideally, the algorithm outputs a certificate,
providing an independent fast correctness proof. An example is integer
factorisation, where factors are hard to obtain but trivial to
check; primality proofs have initiated sophisticated generalisations.

One of the long term goals of the Lfant project team is to make an
inventory of the major number theoretic algorithms, with an emphasis on
algebraic number theory and arithmetic geometry, and to carry out
complexity analyses. So far, most of these algorithms have been designed
and tested over number fields of small degree and scale badly. A complexity
analysis should naturally lead to improvements by identifying bottlenecks,
systematically redesigning and incorporating modern
asymptotically fast methods.

Reliability of the developed algorithms is a second long term goal of our project team. Short of proving the Riemann hypothesis, this could be achieved through the design of specialised, slower algorithms not relying on any unproven assumptions. We would prefer, however, to augment the fastest unproven algorithms with the creation of independently verifiable certificates. Ideally, it should not take longer to check the certificate than to generate it.

All theoretical results are complemented by concrete reference
implementations in Pari/Gp, which allow to determine and tune
the thresholds where the asymptotic complexity kicks in and help
to evaluate practical performances on problem instances
provided by the research community.
Another important source for algorithmic problems treated
by the Lfant project team is modern
cryptology. Indeed, the security of all practically relevant public key
cryptosystems relies on the difficulty of some number theoretic problem;
on the other hand, implementing the systems and finding secure parameters
require efficient algorithmic solutions to number theoretic problems.

Modern number theory has been introduced in the second half of the 19th
century by Dedekind, Kummer, Kronecker, Weber and others, motivated by
Fermat's conjecture: There is no non-trivial solution in integers to the
equation

The solution requires to augment the integers by algebraic
numbers, that are roots of polynomials in number
field consists of the rationals to which have been added finitely
many algebraic numbers together with their sums, differences, products
and quotients. It turns out that actually one generator suffices, and
any number field algebraic integers, “numbers without denominators”,
that are roots of a monic polynomial. For instance, ring of integers of

Unfortunately, elements in ideals, subsets of principal, that is,
generated by one element, so that ideals and numbers are essentially
the same. In particular, the unique factorisation of ideals then
implies the unique factorisation of numbers. In general, this is not
the case, and the class groupclass number

Using ideals introduces the additional difficulty of having to deal
with fundamental units. The regulator

One of the main concerns of algorithmic algebraic number theory is to
explicitly compute these invariants (

The analytic class number formula links the invariants
generalised Riemann hypothesis
(GRH), which remains unproved even over the rationals, states that
any such

When

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation elliptic curves of equation
hyperelliptic curves of
equation

The cryptosystem is implemented in an associated finite
abelian group, the Jacobianrational function field with subring function field of coordinate ring

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an genus

The security of the cryptosystem requires more precisely that the
discrete logarithm problem (DLP) be difficult in the underlying
group; that is, given elements

For any integer Weil pairingTate-Lichtenbaum pairing, that is more difficult to define,
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter

Complex multiplication provides a link between number fields and
algebraic curves; for a concise introduction in the elliptic curve case,
see Section 1.1 of ,
for more background material, see .
In fact, for most curves CM field. The CM field
of an elliptic curve is an imaginary-quadratic field Hilbert class field

Algebraically, Galois if Galois groupabelian extension is a Galois extension with abelian Galois
group.

Analytically, in the elliptic case singular valuemodular function

The same theory can be used to develop algorithms that, given an
arbitrary curve over a finite field, compute its

A generalisation is provided by ray class fields; these are
still abelian, but allow for some well-controlled ramification. The tools
for explicitly constructing such class fields are similar to those used
for Hilbert class fields.

Being able to compute quickly and reliably algebraic invariants is an invaluable aid to mathematicians: It fosters new conjectures, and often shoots down the too optimistic ones. Moreover, a large body of theoretical results in algebraic number theory has an asymptotic nature and only applies for large enough inputs; mechanised computations (preferably producing independently verifiable certificates) are often necessary to finish proofs.

For instance,
many Diophantine problems reduce to a set of Thue equations of the form

Deeper invariants such as the Euclidean spectrum are related to more theoretical
concerns, e.g., determining new examples of principal, but not norm-Euclidean number
fields, but could also yield practical new algorithms: Even if a number field
has class number larger than 1 (in particular, it is not norm-Euclidean),
knowing the upper part of the spectrum should give a partial gcd
algorithm, succeeding for almost all pairs of elements of

Algorithms developed by the team are implemented in the free Pari/Gp system
for number theory maintained by K. Belabas (see § for
details). They will thus have a high impact on the worldwide number theory
community, for which Pari/Gp is a reference and the tool of choice.

Public key cryptology has become a major application domain for algorithmic
number theory. This is already true for the ubiquitous RSA system, but even
more so for cryptosystems relying on the discrete logarithm problem in algebraic
curves over finite fields.
For the same level of security, the latter require
smaller key lengths than RSA, which results in a gain of bandwidth and
(depending on the precise application) processing time. Especially in
environments that are constrained with respect to space and computing power
such as smrt cards and embedded devices, algebraic curve cryptography has become
the technology of choice. Most of the research topics of the Lfant team
detailed in § concern directly problems relevant for
curve-based cryptology: The difficulty of the discrete logarithm problem in
algebraic curves (§) determines the security of the
corresponding cryptosystems. Complex multiplication, point counting and
isogenies (§) provide, on one hand,
the tools needed to create secure instances of curves. On the other hand,
isogenies have been found to have direct cryptographic applications to hash
functions and encryption . Pairings in algebraic
curves (§) have proved to be a a rich source for novel
cryptographic primitives. Class groups of number fields (§)
also enter the game as candidates for algebraic groups in which cryptosystems can
be implemented. However, breaking these systems by computing discrete logarithms
has proved to be easier than in algebraic curves; we intend to pursue this
cryptanalytic strand of research.

Apart from solving specific problems related to cryptology, number theoretic expertise is vital to provide cryptologic advice to industrial partners in joint projects. It is to be expected that continuing pervasiveness and ubiquity of very low power computing devices will render the need for algebraic curve cryptography more pressing in coming years.

Bill Allombert has been awarded the Médaille de Cristal du CNRS 2020, remise en 2021, for his outstanding work and dedication to the PARI/GP computer algebra system developed in the team. See an and a presenting his work.

Élie Eid has received the ISSAC 2021 Distinguished Student Author Award for his article . Alice Pellet-Mary and Damien Stehlé received the Asiacrypt 2021 best paper award for their article .

Damien Robert has defended his habilitation degree with a thesis entitled
Efficient algorithms for abelian varieties and their moduli spaces.

Jean Kieffer has defended his doctoral degree with a thesis entitled Higher-dimensional modular equations, applications to isogeny computations and point counting.

Élie Eid has defended his doctoral degree with a thesis entitled
On isogeny calculation by solving p-adic differential equations.

X. Caruso wrote a SageMath package implementing relaxed

Code implementing the article
for spanning the isogeny class of products of elliptic curves and
computing modular forms (and related obstruction) on them is available
as a Magma package called FromLatticesToModularForm.

The presumed hardness of the discrete logarithm problem (DLP) in
finite fields (or other families of groups) is a foundation of classical public-key
cryptography. It has recently been discovered that the DLP is much
easier than previously believed in an important family: finite fields
of small characteristic. Algorithms of quasi-polynomial
complexity have been discovered.

Pomerance proved in 1987 that the DLP in finite fields of fixed characteristic
can be solved in subexponential time. All improvements from that point to the
discrovery of the first quasi-polynomial algorithms have been heuristic.
In , T. Kleinjung and B. Wesolowski prove that
this problem can indeed be solved in quasi-polynomial expected time, bridging the
gap between the best heuristic and rigorous algorithms.
More generally, they prove that it can be solved in the field of cardinality

Many interesting applications of pattern matching like deep packet inspection target very sensitive data. In particular, spotting illegal behaviour in internet traffic conflicts with legitimate privacy requirements. The compromise between traffic analysis and privacy can be achieved through searchable encryption. However, as the traffic data is a stream and as the patterns to search are bound to evolve over time (e.g. new virus signatures), these applications require a kind of searchable encryption that provides more flexibility than the classical schemes. We indeed need to be able to search for patterns of variable sizes in an arbitrary long stream that has potentially been encrypted prior to pattern identification.

Timed commitments are the timed analogue of standard commitments, where the commitment can be non-interactively opened after a pre-specified amount of time passes. Timed commitments have a large spectrum of applications, such as sealed bid auctions, fair contract signing, fair multi-party computation, and cryptocurrency payments. Unfortunately, all practical constructions rely on a (private-coin) trusted setup and do not scale well with the number of participants.

To demonstrate the
applicability of their scheme, they use it to construct a new distributed
randomness generation protocol, where

The elliptic curve method of factorisation (ECM) is a building block of the best algorithms for factoring and computing discrete logarithms. ECM has a rigorous proof of complexity under the celebrated conjecture of existence of smooth numbers in short intervals. However, it does not correspond to the variant which is implemented and studied in the literature of ECM-friendly curves. In R. Barbulescu proves that the celebrated conjecture of Elliott-Halberstam implies this latter variant in the case of CM elliptic curves, for a smoothness bound larger than the one used in ECM. Then he proves that a recent conjecture of Pollack implies the correctness in the general case.

Many quantum algorithms have been developed with time-complexity in mind but the evolution of the technology made it important to create space-time tradeoffs where the space is the number of qbits. In a technical report , R. Barbulescu studies the case in which one can factors numbers up to 100 bits on a quantum computer in negligible time. A precise analysis of the algorithm and the difficult parameter tuning leads to the conclusion that one could obtain factoring records using classical-quantum algorithms, but this has a negligible implication on the security of the RSA cryptosystem.

It has been known since the work of Shor in 1994 that a functional,
large-scale quantum computer would be able to break most classical
public-key cryptosystems deployed today. The cryptographic community
has since then investigated new families of post-quantum
cryptosystems, meant to resist the advance of quantum computing.
Lattice-based cryptography, one of the leading post-quantum
candidates, relies on the presumed hardness of certain computational
problems in euclidean lattices. There is strong confidence in the
hardness of these problems in general, but the use of algebraic
lattices (necessary for efficiency or advanced functionalities) opens
new angles of attack. In , R. Cramer,
L. Ducas and B. Wesolowski expose an unexpected quantum hardness
gap between generic lattices and an important family of algebraic lattices,
so-called cyclotomic ideal lattices. This journal article
expands upon preliminary results presented at Eurocrypt 2017.
In , A. Pellet-Mary and D. Stehlé prove some
security guarantees for the algorithmic problem NTRU, used in
many post-quantum cryptographic primitives.

In , X. Caruso et A. Durand use (and extend) the theory of residues of Ore rational functions introduced in the aforementioned paper in order to give a description of the duals of linearized Reed-Solomon codes. Their construction shows in particular that, under some assumptions on the base field, the class of linearized Reed-Solomon codes is stable under duality.

Given an integer polynomial

K. Belabas and H. Cohen have published a book on numerical algorithms for
number theory, together with extensive
Pari/Gp programs available from the authors' website.
The goal of the book is to present a number of analytic and arithmetic
numerical methods used in number theory, with a particular emphasis on the
ones which are less known than they should be, although very classical
tools are also mentioned. Note that, as is very often the case in number
theory, numerical methods are wanted to give sometimes hundreds if not
thousands of decimal places of accuracy.

The best algorithms for integer factorisation use a non-negligible proportion of the time to enumerate smaller integers and to test if all their prime factors are below a given bound. A lot of effort has been spent in the literature to improve the best algorithm for this task, the elliptic curve method (ECM). In , R. Barbulescu and his doctoral student S. Shinde give a simple method which allows to find rapidly, in a unified manner, all the previously known families of elliptic curves for ECM. They prove that there are precisely 1525 ECM-friendly families using the theory of modular forms.

H. Cohen surveys a number of different methods for computing

G. Castagnos has a three years contract with Orange (Orange Labs Cesson-Sévigné) for the supervision of the PhD of Élie Bouscatié (Thèse CIFRE) from November 2020 to November 2023.

Duration: 2021–2024

One of the most promising candidates for quantum-resistant cryptography is lattice-based cryptography. In this framework, the security is inherited from the presumed computational intractability of certain problems on high-dimensional Euclidean lattices. Efficiency and functionality of lattice-based cryptography can be significantly improved by switching the underlying hardness assumptions to module lattices, which possess additional algebraic structure. For this reason, hardness assumptions for problems on algebraically-structured lattices have received significant attention in recent studies.

This ANR-NSF project aims at clarifying the landscape of module lattice problems. The prime objective is to provide a clearer understanding of the intractability of module lattice problems, via improved reductions between them and improved dedicated algorithms.

Duration: 2021–2022

This project called REDGATE (recherche et encadrement doctoral en géométrie algébrique et théorie des nombres effectives en Afrique) aims at supporting the activities of the Pole of Research in Mathematics and Applications in Africa a network of 60 African mathematicians, in the fields of algebraic geometry, number theory and their applications to information theory. The two main activities supported by the REDGATE project are research schools for graduate and PhD students in Africa and scientific visits to enhance collaborations.

Duration: 2016 – 2022

The Alambic project was planned to end in October 2020,
but was prolonged due to the pandemics to April 2021 and then to April 2022.

The Alambic project is a research project formed by members of the
INRIA Project-Team CASCADE of ENS Paris, members of the AriC INRIA
project-team of ENS Lyon, and members of the CRYPTIS of the university
of Limoges. G. Castagnos is an external member of the team of Lyon for
this project.

Non-malleability is a security notion for public key cryptographic encryption schemes that ensures that it is infeasible for an adversary to modify ciphertexts into other ciphertexts of messages which are related to the decryption of the first ones. On the other hand, it has been realised that, in specific settings, malleability in cryptographic protocols can actually be a very useful feature. For example, the notion of homomorphic encryption enables specific types of computations to be carried out on ciphertexts and to generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintexts. The homomorphic property can be used to create secure voting systems, collision-resistant hash functions, private information retrieval schemes, and fully homomorphic encryption enables widespread use of cloud computing by ensuring the confidentiality of processed data.

The aim of the Alambic project is to investigate further theoretical
and practical applications of malleability in cryptography. More
precisely, this project focuses on three different aspects: secure
computation outsourcing and server-aided cryptography, homomorphic
encryption and applications and “paradoxical” applications of
malleability.

Duration: 2017–2021

Building on the unifying theme of Flair project
synthetises complementary point of views from multiple domains: analytic
approaches for classical

Developping systematically the emerging notion of good families of

Duration: 2018–2022

The

The CLap-CLap ANR project aims at accelerating the expansion of the

This project is also the opportunity to contribute to the
development of the mathematical software SageMath and to the expansion
of computational methodologies.

Duration: 2019–2023

The CIAO ANR project is a young researcher ANR project led by Damien Robert.

The aim of the CIAO project is to study the security and to improve the efficiency of the SIDH (supersingular isogenies Diffie Helmann) protocol, which is one of the post-quantum cryptographic project submitted to NIST, where it passed the first round of selections.

The project includes all aspects of SIDH, from theoretical ones (computing the endomorphism ring of supersingular elliptic curves, generalisation of SIDH to abelian surfaces) to more practical aspects like arithmetic efficiency and fast implementations, and also extending SIDH to more protocols than just key exchange.

Applications of this project are to improve the security of communication in a context where the currently used cryptosystems are vulnerable to quantum computers. Beyond post-quantum cryptography, isogeny based cryptosystems also allow one to construct new interesting cryptographic tools, such as verifiable delay functions used in block chains.

Duration: 2021–2025

The NuSCAP project aims at developing theorems, algorithms and software to improve the numerical safety of computer-aided proofs in mathematics.

Duration: 2021–2025

The MELODIA ANR project is a young researcher ANR project led by Gaetan Bisson.

Its main objective is to systematically study the algebraic structure of isogeny graphs of abelian varieties, with a view to attacking important open problems in number theory and cryptography.

It focuses on low-dimensional abelian varieties defined over finite fields and tackles the following (closely related) problems: describing the abstract structure of the isogeny graph; computing the endomorphism ring of an abelian variety; constructing an abelian variety with a prescribed number of points; obtaining a Gross-Zagier formula for such varieties.

The case of supersingular elliptic curves is of particular interest as the presumed hardness of the corresponding computational problems is of foundational importance to isogeny-based cryptography. The MELODIA project aims at pinpointing the precise hardness of these problems, to guide the choice of secure cryptographic parameters for a variety of post-quantum protocols.

Duration: 2021–2025

Secure distributed computation has long stood in the realm of theoretical cryptography, but it was known to have the potential of providing a disruptive change for practical security solutions. The concept was introduced by Yao in the 1980s and it allows mutually distrusting parties to run joint computations without disclosing any participant’s private inputs. New cryptographic tools have been invented in recent years (e.g. fully-homomorphic encryption, functional encryption, succinct proof systems, and so on). These constructions have opened the door to applications that were previously believed unattainable in practice (e.g. Cloud Computing, Big Data, Blockchain or the Internet of Things). There is currently a strong interest in secure distributed computation from governments and security organisations (in particular the National Institute of Standards and Technology, NIST), military, academia and industry. We are close to the stage where the secure distributed computation protocols can be applied to real-world security issues.

The main scientific challenges of the Sangria project are (1) to
construct specific protocols that take into account practical
constraints and prove them secure, (2) to implement them and to
improve the efficiency of existing protocols significantly. The
project aims at undertaking research in
these two directions while combining research from cryptography,
combinatorics and computer algebra. It is expected to impact central
problems in secure distributed computation, while enriching the
general landscape of cryptography.

Duration: 2021–2025

The AGDE ANR project is a young researcher ANR project led by Jean Raimbault.

Its main objects of study are groups of matrices with integer entries, as these are objects of interest in geometric group theory, number theory, differential geometry and topology. Its main objective is to study the properties that are common or different in various classes of such groups, with a particular focus on the asymptotic behaviour. The project focuses on torsion homology and regulators, and the classes of congruence groups, arithmetic but noncongruence groups, and thin subgroups. The development of computational methods is an important tool for the project.

B. Allombert and K. Belabas organised a PARI/GP Day to present the new features of the software. This online event replaced the usual PARI/GP workshop that was cancelled due to the pandemic.

B. Allombert, A. Page and A. Zekhnini organised a two-days online PARI/GP workshop to give an introduction to PARI/GP to the participants of the conference held in Oujda and to the students of the Afrimath network.

A. Pellet-Mary was a member of the programme committee of the conferences Asiacrypt 2021, PKC 2022 and Eurocrypt 2022.

B. Wesolowski was a member of the programme committee of the conference PKC 2022.

J.-M. Couveignes is a member of the programme committee of the conference
A Tour of Arithmetic Geometry, conference in honour of Bas Edixhoven’s 60th birthday,
Schiermonnikoog, April 2022.

X. Caruso is an editor and one of the founders of the journal
Annales Henri Lebesgue.

J.-M. Couveignes is a member of the editorial board (scientific committee)
of the Publications mathématiques de Besançon since 2010
and of Journal de Théorie des
Nombres de Bordeaux since 2020.

K. Belabas acts on the editorial board of Journal de Théorie des
Nombres de Bordeaux since 2005 and of Archiv der Mathematik since
2006.

A. Enge is an editor of Designs, Codes and Cryptography
since 2004.

K. Belabas is a member of the “conseil scientifique” of the Société Mathématique de France (second mandate).

X. Caruso is a member of the “conseil national des universités” (CNU) since 2021.

Since January 2015, K. Belabas is vice-head of the Mathematics Institute (IMB). He also leads the computer science support service (“cellule informatique”) of IMB and coordinates the participation of the institute in the regional computation cluster PlaFRIM.

Since September 2021, he is vice-head of the Unité de Formation Mathématiques et Interactions (UFMI)

He was an elected member of “commission de la recherche” in the academic senate of Université de Bordeaux from 2014 to 2021.

A. Enge is a member of the administrative council of the Société
Arithmétique de Bordeaux, which edits the
Journal de théorie des nombres de Bordeaux
and supports number theoretic conferences.

G. Castagnos is responsible for the bachelor programme in mathematics and informatics.

J.-M. Couveignes is co-responsible for the Graduate Programme Numerics of the Université de Bordeaux.

J.-M. Couveignes was head of the comité de visite, d'analyse
et de recommandation de l’équipe
Modélisation et Applications du LMNO de Caen at the request
of CNRS-INSMI and Université de Caen Normandie.

X. Caruso, P. Molin and A. Page supervised the computer algebra software sessions in the . Both Sagemath and PARI/GP were presented to the participants (PhD students in number theory).

X. Caruso and C. Ménini are leaders of the popularisation group at IMB (Institut de Mathématiques de Bordeaux).

X. Caruso and R. Barbulescu are the two members of the regional organisation committee of Tournoi français des jeunes mathématiciennes et mathématiciens (TFJM) in Bordeaux. B. Wesolowski and A. Pellet-Mary were jury members.

R. Barbulescu takes part in the action for central Africa of the NGO Animath. In 2020-2021, the sanitary context required to replace our regular actions, workshops with students in Africa, with online activities. Several countries took part in Olympiade Francophone de mathématiques and others organised Concours Alkindi. Our role was administrative: contact and discuss with institutions such as the French ambassy in Romania or the Inspectorat général du Ministère de l'Éducation du Sénégal.

X. Caruso wrote a webpage with several models of slide rules. Some of them were built in the FabLab at the IUT of Gradignan and are now exhibited in the library of our Math Department.