Algorithmic number theory dates back to the dawn of mathematics
itself, cf. Eratosthenes's sieve to enumerate consecutive prime numbers.
With the
arrival of computers, previously unsolvable problems have come into reach,
which has boosted the development of more or less practical algorithms
for essentially all number theoretic problems. The field is now mature
enough for a more computer science driven approach, taking into account
the theoretical complexities and practical running times of the algorithms.

Concerning the lower level multiprecision arithmetic, folklore has asserted for a long time that asymptotically fast algorithms such as Schönhage–Strassen multiplication are impractical; nowadays, however, they are used routinely. On a higher level, symbolic computation provides numerous asymptotically fast algorithms (such as for the simultaneous evaluation of a polynomial in many arguments or linear algebra on sparse matrices), which have only partially been exploited in computational number theory. Moreover, precise complexity analyses do not always exist, nor do sound studies to choose between different algorithms (an exponential algorithm may be preferable to a polynomial one for a large range of inputs); folklore cannot be trusted in a fast moving area such as computer science.

Another problem is the reliability of the computations; many number
theoretic algorithms err with a
small probability, depend on unknown constants or rely on a Riemann
hypothesis. The correctness of their output can either be ensured by a
special design of the algorithm itself (slowing it down) or by an a
posteriori verification. Ideally, the algorithm outputs a certificate,
providing an independent fast correctness proof. An example is integer
factorisation, where factors are hard to obtain but trivial to
check; primality proofs have initiated sophisticated generalisations.

One of the long term goals of the Lfant project team is to make an
inventory of the major number theoretic algorithms, with an emphasis on
algebraic number theory and arithmetic geometry, and to carry out
complexity analyses. So far, most of these algorithms have been designed
and tested over number fields of small degree and scale badly. A complexity
analysis should naturally lead to improvements by identifying bottlenecks,
systematically redesigning and incorporating modern
asymptotically fast methods.

Reliability of the developed algorithms is a second long term goal of our project team. Short of proving the Riemann hypothesis, this could be achieved through the design of specialised, slower algorithms not relying on any unproven assumptions. We would prefer, however, to augment the fastest unproven algorithms with the creation of independently verifiable certificates. Ideally, it should not take longer to check the certificate than to generate it.
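As an added illustration of the certificate idea in this paragraph and in the earlier one on reliability (this is not code from the Lfant team or from Pari/Gp), the sketch below builds and checks a Pratt primality certificate. Pratt certificates are a classical scheme chosen here as an assumption, since the text names no specific one; the function names and the dictionary layout are hypothetical. The prover factors p - 1 by slow trial division, while the verifier only multiplies the claimed factors back together and performs a few modular exponentiations.

```python
"""Pratt primality certificates: slow, untrusted generation and fast,
independent verification. Illustrative sketch; names are hypothetical."""


def factorise(m):
    """Trial division: the expensive step, performed by the prover only."""
    factors, d = {}, 2
    while d * d <= m:
        while m % d == 0:
            factors[d] = factors.get(d, 0) + 1
            m //= d
        d += 1 if d == 2 else 2
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def build_certificate(p, cert=None, max_witness=200):
    """Prover: return {prime: (witness, factorisation of prime - 1)} for p
    and, recursively, for every prime dividing p - 1 (2 is the base case)."""
    cert = {} if cert is None else cert
    if p == 2 or p in cert:
        return cert
    factors = factorise(p - 1)
    for g in range(2, min(p, max_witness)):
        # g must have multiplicative order exactly p - 1 modulo p.
        if pow(g, p - 1, p) == 1 and all(
            pow(g, (p - 1) // q, p) != 1 for q in factors
        ):
            cert[p] = (g, factors)
            break
    else:
        raise ValueError(f"no witness below {max_witness}: {p} is likely composite")
    for q in factors:
        build_certificate(q, cert, max_witness)
    return cert


def verify_certificate(n, cert, _checked=None):
    """Verifier: trusts nothing in cert. Returns True only if cert proves
    that n is prime. No factoring is done here, only re-multiplication of
    the claimed factors and modular exponentiations."""
    _checked = set() if _checked is None else _checked
    if n == 2 or n in _checked:
        return True
    if n < 2 or n not in cert:
        return False
    g, factors = cert[n]
    # 1. The claimed factorisation of n - 1 is trivial to check.
    product = 1
    for q, e in factors.items():
        if e < 1:
            return False
        product *= q ** e
    if product != n - 1:
        return False
    # 2. g has order dividing n - 1 ...
    if pow(g, n - 1, n) != 1:
        return False
    for q in factors:
        # ... and not dividing (n - 1) / q, so the order is exactly n - 1.
        if pow(g, (n - 1) // q, n) == 1:
            return False
        # 3. Every claimed prime factor needs its own proof.
        if not verify_certificate(q, cert, _checked):
            return False
    _checked.add(n)
    return True


if __name__ == "__main__":
    p = 2**31 - 1  # constructed sample input: the Mersenne prime M31
    certificate = build_certificate(p)
    for prime, (g, factors) in sorted(certificate.items()):
        print(prime, "witness", g, "p-1 =", factors)
    print("verified:", verify_certificate(p, certificate))
```

An element of order n - 1 can only exist modulo n when n is prime, so a forged certificate for a composite number fails one of the three checks whatever the prover supplies.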

All theoretical results are complemented by concrete reference
implementations in Pari/Gp, which make it possible to determine and tune
the thresholds where the asymptotic complexity kicks in and help
to evaluate practical performances on problem instances
provided by the research community.
Another important source for algorithmic problems treated
by the Lfant project team is modern
cryptology. Indeed, the security of all practically relevant public key
cryptosystems relies on the difficulty of some number theoretic problem;
on the other hand, implementing the systems and finding secure parameters
require efficient algorithmic solutions to number theoretic problems.

Modern number theory was introduced in the second half of the 19th
century by Dedekind, Kummer, Kronecker, Weber and others, motivated by
Fermat's conjecture: There is no non-trivial solution in integers to the
equation

The solution requires augmenting the integers by algebraic
numbers, that are roots of polynomials in number
field consists of the rationals to which have been added finitely
many algebraic numbers together with their sums, differences, products
and quotients. It turns out that actually one generator suffices, and
any number field algebraic integers, “numbers without denominators”,
that are roots of a monic polynomial. For instance, ring of integers of

Unfortunately, elements in ideals, subsets of principal, that is,
generated by one element, so that ideals and numbers are essentially
the same. In particular, the unique factorisation of ideals then
implies the unique factorisation of numbers. In general, this is not
the case, and the class groupclass number

Using ideals introduces the additional difficulty of having to deal
with fundamental units. The regulator

One of the main concerns of algorithmic algebraic number theory is to
explicitly compute these invariants (

The analytic class number formula links the invariants
generalised Riemann hypothesis
(GRH), which remains unproved even over the rationals, states that
any such

When

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation elliptic curves of equation
hyperelliptic curves of
equation

The cryptosystem is implemented in an associated finite
abelian group, the Jacobianrational function field with subring function field of coordinate ring

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an genus

The security of the cryptosystem requires more precisely that the
discrete logarithm problem (DLP) be difficult in the underlying
group; that is, given elements

For any integer Weil pairingTate-Lichtenbaum pairing, that is more difficult to define,
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter

Complex multiplication provides a link between number fields and
algebraic curves; for a concise introduction in the elliptic curve case,
see Section 1.1 of 56,
for more background material, see 55.
In fact, for most curves CM field. The CM field
of an elliptic curve is an imaginary-quadratic field Hilbert class field

Algebraically, Galois if Galois groupabelian extension is a Galois extension with abelian Galois
group.

Analytically, in the elliptic case singular valuemodular function

The same theory can be used to develop algorithms that, given an
arbitrary curve over a finite field, compute its

A generalisation is provided by ray class fields; these are
still abelian, but allow for some well-controlled ramification. The tools
for explicitly constructing such class fields are similar to those used
for Hilbert class fields.

Being able to compute quickly and reliably algebraic invariants is an invaluable aid to mathematicians: It fosters new conjectures, and often shoots down the too optimistic ones. Moreover, a large body of theoretical results in algebraic number theory has an asymptotic nature and only applies for large enough inputs; mechanised computations (preferably producing independently verifiable certificates) are often necessary to finish proofs.

For instance,
many Diophantine problems reduce to a set of Thue equations of the form

Deeper invariants such as the Euclidean spectrum are related to more theoretical
concerns, e.g., determining new examples of principal, but not norm-Euclidean number
fields, but could also yield practical new algorithms: Even if a number field
has class number larger than 1 (in particular, it is not norm-Euclidean),
knowing the upper part of the spectrum should give a partial gcd
algorithm, succeeding for almost all pairs of elements of

Algorithms developed by the team are implemented in the free Pari/Gp system
for number theory maintained by K. Belabas (see §6.1 for
details). They will thus have a high impact on the worldwide number theory
community, for which Pari/Gp is a reference and the tool of choice.

Public key cryptology has become a major application domain for algorithmic
number theory. This is already true for the ubiquitous RSA system, but even
more so for cryptosystems relying on the discrete logarithm problem in algebraic
curves over finite fields.
For the same level of security, the latter require
smaller key lengths than RSA, which results in a gain of bandwidth and
(depending on the precise application) processing time. Especially in
environments that are constrained with respect to space and computing power
such as smart cards and embedded devices, algebraic curve cryptography has become
the technology of choice. Most of the research topics of the Lfant team
detailed in §3 concern directly problems relevant for
curve-based cryptology: The difficulty of the discrete logarithm problem in
algebraic curves (§3.2) determines the security of the
corresponding cryptosystems. Complex multiplication, point counting and
isogenies (§3.3) provide, on one hand,
the tools needed to create secure instances of curves. On the other hand,
isogenies have been found to have direct cryptographic applications to hash
functions 54 and encryption 57. Pairings in algebraic
curves (§3.2) have proved to be a rich source for novel
cryptographic primitives. Class groups of number fields (§3.1)
also enter the game as candidates for algebraic groups in which cryptosystems can
be implemented. However, breaking these systems by computing discrete logarithms
has proved to be easier than in algebraic curves; we intend to pursue this
cryptanalytic strand of research.

Apart from solving specific problems related to cryptology, number theoretic expertise is vital to provide cryptologic advice to industrial partners in joint projects. It is to be expected that continuing pervasiveness and ubiquity of very low power computing devices will render the need for algebraic curve cryptography more pressing in coming years.

Bill Allombert has been awarded the Médaille de Cristal du CNRS 2020, presented in 2021, for his outstanding work and dedication to the PARI/GP computer algebra system developed in the team. See an article published by the CNRS and a video presenting his work.

Élie Eid has received the ISSAC 2021 Distinguished Student Author Award for his article 22. Alice Pellet-Mary and Damien Stehlé received the Asiacrypt 2021 best paper award for their article 26.

Damien Robert has defended his habilitation degree with a thesis entitled
Efficient algorithms for abelian varieties and their moduli spaces 32.

Jean Kieffer has defended his doctoral degree with a thesis entitled Higher-dimensional modular equations, applications to isogeny computations and point counting 31.

Élie Eid has defended his doctoral degree with a thesis entitled
On isogeny calculation by solving p-adic differential equations 30.

AVIsogenies is a Magma package for working with abelian varieties, with a particular emphasis on explicit isogeny computation.

Its prominent feature is the computation of (l,l)-isogenies between Jacobian varieties of genus-two hyperelliptic curves over finite fields of characteristic coprime to l; practical runs have used values of l in the hundreds.

It can also be used to compute endomorphism rings of abelian surfaces, and find complete addition laws on them.

FromLatticesToModularForms is a Magma package which allows one to

- span the isogeny class (of principally polarised abelian varieties) of a power of an elliptic curve by enumerating unimodular hermitian lattices
- compute the abelian variety A corresponding to a given lattice by exhibiting a kernel and an isogeny from E^g to A
- A is represented by its theta null point (of level 2 or 4) in such a way that we give an affine lift of the theta null point corresponding to the pushforward of the standard diagonal differential dx/y on E^g
- in particular one can evaluate rational modular forms on A
- in dimension 2 or 3 we also provide code to recognize when A is a Jacobian and if so to find the corresponding curve.

SageMath is a free mathematics software system written in Python and combining a large number of mathematical libraries under a common interface.

INRIA teams contribute in different ways to the software collection. COATI adds new graph algorithms along with their documentations and the improvement of underlying data structures. LFANT contributes through libraries such as ARB and PARI/GP, and directly through SageMath code for algebras and ring and field extensions.

Apip, Another Pairing Implementation in PARI, is a library for computing standard and optimised variants of most cryptographic pairings.

The following pairings are available: Weil, Tate, ate and twisted ate, optimised versions (à la Vercauteren–Hess) of ate and twisted ate for selected curve families.

The following methods to compute the Miller part are implemented: standard Miller double-and-add method, standard Miller using a non-adjacent form, Boxall et al. version, Boxall et al. version using a non-adjacent form.

The final exponentiation part can be computed using one of the following variants: naive exponentiation, interleaved method, Avanzi–Mihailescu's method, Kato et al.'s method, Scott et al.'s method.

Part of the library has been included into Pari/Gp proper.

X. Caruso wrote a SageMath package implementing relaxed

Code implementing the article 17
for spanning the isogeny class of products of elliptic curves and
computing modular forms (and related obstruction) on them is available
as a Magma package called FromLatticesToModularForm.

The presumed hardness of the discrete logarithm problem (DLP) in
finite fields (or other families of groups) is a foundation of classical public-key
cryptography. It has recently been discovered that the DLP is much
easier than previously believed in an important family: finite fields
of small characteristic. Algorithms of quasi-polynomial
complexity have been discovered.

Pomerance proved in 1987 that the DLP in finite fields of fixed characteristic
can be solved in subexponential time. All improvements from that point to the
discovery of the first quasi-polynomial algorithms have been heuristic.
In 18, T. Kleinjung and B. Wesolowski prove that
this problem can indeed be solved in quasi-polynomial expected time, bridging the
gap between the best heuristic and rigorous algorithms.
More generally, they prove that it can be solved in the field of cardinality

In 16,
R. Granger, T. Kleinjung, A. K. Lenstra, B. Wesolowski and J. Zumbrägel
demonstrate the practicality of these new methods through the
computation of a discrete logarithm in

Many interesting applications of pattern matching like deep packet inspection target very sensitive data. In particular, spotting illegal behaviour in internet traffic conflicts with legitimate privacy requirements. The compromise between traffic analysis and privacy can be achieved through searchable encryption. However, as the traffic data is a stream and as the patterns to search are bound to evolve over time (e.g. new virus signatures), these applications require a kind of searchable encryption that provides more flexibility than the classical schemes. We indeed need to be able to search for patterns of variable sizes in an arbitrary long stream that has potentially been encrypted prior to pattern identification.

In 20, É. Bouscatié, G. Castagnos and O. Sanders propose new public key encryption schemes that allow flexible pattern matching. Using pairings of elliptic curves, they propose two constructions. The first one dramatically reduces the size of the public key compared to previous solutions but its security is based on a strong algorithmic assumption. The second construction manages to retain most of the good features of the first one while exclusively relying on a simple assumption, a (static) variant of the decisional Diffie-Hellman assumption, which solves the security problem of previous works.

Timed commitments are the timed analogue of standard commitments, where the commitment can be non-interactively opened after a pre-specified amount of time passes. Timed commitments have a large spectrum of applications, such as sealed bid auctions, fair contract signing, fair multi-party computation, and cryptocurrency payments. Unfortunately, all practical constructions rely on a (private-coin) trusted setup and do not scale well with the number of participants.

In 27, S. Thyagarajan, G. Castagnos, F. Laguillaumie and G. Malavolta set out to resolve these two issues and propose an efficient timed commitment scheme that also satisfies the strong notion of CCA-security. Specifically, the scheme has a transparent (i.e. public-coin) one-time setup and the amount of sequential computation is essentially independent of the number of participants. As a key technical ingredient, they propose the first (linearly) homomorphic time-lock puzzle with a transparent setup, from class groups of imaginary quadratic order.

To demonstrate the
applicability of their scheme, they use it to construct a new distributed
randomness generation protocol, where

The note 50 was written by B. Wesolowski
in 2016, but never published before. Some of the ideas it contains
led to the construction of the first efficient verifiable delay function
by the same author. Other ideas, such as fading signatures and a
discussion on their (in-)feasibility, never appeared in public work.

The elliptic curve method of factorisation (ECM) is a building block of the best algorithms for factoring and computing discrete logarithms. ECM has a rigorous proof of complexity under the celebrated conjecture of existence of smooth numbers in short intervals. However, it does not correspond to the variant which is implemented and studied in the literature of ECM-friendly curves. In 35 R. Barbulescu proves that the celebrated conjecture of Elliott-Halberstam implies this latter variant in the case of CM elliptic curves, for a smoothness bound larger than the one used in ECM. Then he proves that a recent conjecture of Pollack implies the correctness in the general case.

Many quantum algorithms have been developed with time-complexity in mind but the evolution of the technology made it important to create space-time tradeoffs where the space is the number of qubits. In a technical report 34, R. Barbulescu studies the case in which one can factor numbers up to 100 bits on a quantum computer in negligible time. A precise analysis of the algorithm and the difficult parameter tuning leads to the conclusion that one could obtain factoring records using classical-quantum algorithms, but this has a negligible implication on the security of the RSA cryptosystem.

It has been known since the work of Shor in 1994 that a functional,
large-scale quantum computer would be able to break most classical
public-key cryptosystems deployed today. The cryptographic community
has since then investigated new families of post-quantum
cryptosystems, meant to resist the advance of quantum computing.
Lattice-based cryptography, one of the leading post-quantum
candidates, relies on the presumed hardness of certain computational
problems in Euclidean lattices. There is strong confidence in the
hardness of these problems in general, but the use of algebraic
lattices (necessary for efficiency or advanced functionalities) opens
new angles of attack. In 14, R. Cramer,
L. Ducas and B. Wesolowski expose an unexpected quantum hardness
gap between generic lattices and an important family of algebraic lattices,
so-called cyclotomic ideal lattices. This journal article
expands upon preliminary results presented at Eurocrypt 2017.
In 26, A. Pellet-Mary and D. Stehlé prove some
security guarantees for the algorithmic problem NTRU, used in
many post-quantum cryptographic primitives.

In 19, C. Maire and A. Page revisit a construction due to Lenstra and Guruswami by generalising it to unit groups of division algebras. Lenstra and Guruswami described number field analogues of the algebraic geometry codes of Goppa. Recently, Maire and Oggier generalised these constructions to other arithmetic groups: unit groups in number fields and orders in division algebras; they suggested to use unit groups in quaternion algebras, but could not completely analyse the resulting codes. Maire and Page prove that the noncommutative unit group construction yields asymptotically good families of codes for the sum-rank metric from division algebras of any degree, and estimate the smallest possible size of the alphabet in terms of the degree of the algebra.

In 12, X. Caruso develops a theory of
residues for skew rational functions, that are elements of the
ring of fractions of a skew polynomial field

In 38, X. Caruso and A. Durand use (and extend) the theory of residues of Ore rational functions introduced in the aforementioned paper 12 in order to give a description of the duals of linearized Reed-Solomon codes. Their construction shows in particular that, under some assumptions on the base field, the class of linearized Reed-Solomon codes is stable under duality.

In 25, R. Pagès designs an algorithm for
computing the

Given an integer polynomial

A. Page and his coauthors have updated their
preprint 36, in which they analyse in detail the
subfield method to accelerate the computation of

K. Belabas and H. Cohen have published a book on numerical algorithms for
number theory 29, together with extensive
Pari/Gp programs available from the authors' website.
The goal of the book is to present a number of analytic and arithmetic
numerical methods used in number theory, with a particular emphasis on the
ones which are less known than they should be, although very classical
tools are also mentioned. Note that, as is very often the case in number
theory, numerical methods are expected to give sometimes hundreds, if not
thousands, of decimal places of accuracy.

The best algorithms for integer factorisation use a non-negligible proportion of the time to enumerate smaller integers and to test if all their prime factors are below a given bound. A lot of effort has been spent in the literature to improve the best algorithm for this task, the elliptic curve method (ECM). In 11, R. Barbulescu and his doctoral student S. Shinde give a simple method which makes it possible to find rapidly, in a unified manner, all the previously known families of elliptic curves for ECM. They prove that there are precisely 1525 ECM-friendly families using the theory of modular forms.

In 17, M. Kirschmer, F. Narbonne,
C. Ritzenthaler and D. Robert give an algorithm to span the isomorphism
classes of principally polarised abelian varieties in the isogeny class
of

H. Cohen surveys a number of different methods for computing

In 46, F. Johansson shows that the
Dirichlet

In 44, E. Eid designs an algorithm for computing
explicit rational representations of

J. Asuncion shows in 33 how class fields of quartic CM fields can be obtained explicitly using CM constructions of higher moduli. He gives an explicit upper bound on the modulus and an algorithm for finding the smallest modulus, and he provides examples of previously unreachable class fields.

In 43, J.-M. Couveignes and T. Ezome study the complexity of multiplication in the context of normal bases of finite field extensions. They define the equivariant complexity of such an extension and prove general and specific bounds for it using the geometry of covers of curves and isogenies of Jacobian varieties.

A. Maiga and D. Robert examine in 24 modular polynomials for abelian surfaces with good reduction modulo 2, which enables them to compute canonical lifts of such surfaces over a finite field of characteristic 2 and to ultimately deduce their cardinality, the main security parameter for hyperelliptic curve cryptosystems. These modular polynomials use absolute invariants with good reduction modulo 2. They also explain how to lift the curve.

In 47, J. Kieffer gives degree and height bounds for modular equations on PEL Shimura varieties in terms of their level. In particular, his result answers previous questions about Hilbert and Siegel modular polynomials and the complexity of algorithms manipulating them.

In 13, X. Caruso, É. Eid and Reynald Lercier
design a new algorithm for computing isogenies between elliptic curves
over an extension of the field of 2-adic numbers. Their methods rely
on a highly efficient and numerically stable algorithm for solving
certain types of nonlinear singular 2-adic differential equations.
From this work, they deduce fast algorithms for computing isogenies
between elliptic curves in characteristic 2 and generating irreducible
polynomials of large degrees over

In 22, É. Eid extends the above strategy to the case of isogenies between Jacobians of hyperelliptic curves in odd characteristic. The obtained algorithm has quasi-linear complexity with respect to the degree of the isogeny.

In 28, B. Wesolowski proves that the path-finding
problem in

In 49, D. Lubicz and D. Robert explain how to recover the full matrix of the Frobenius action when computing canonical lifts of abelian varieties. Canonical lifts were introduced by Satoh to count the number of points of an elliptic curve over a finite field of small characteristic. The extension of this algorithm to abelian varieties computes the action of the Frobenius via modular forms, hence only recovers its determinant action. This is not always enough to obtain the full characteristic polynomial (hence the number of points) in higher dimension, and even when possible requires an expensive LLL computation. In this article, the authors explain how to use isogenies and tangent spaces to recover the full matrix directly. Furthermore they explain how to work this out on the Kummer variety, which is more practical from the algorithmic viewpoint, but not smooth at the neutral point. The resulting algorithm is of independent interest.

In 21, continuing their work on the computation
of Gröbner bases over Tate algebras, X. Caruso, T. Vaccon and T. Verron
give an adaptation of the FGLM algorithm in this context.
Beyond making possible a fast change of ordering, their algorithm can also
be used to change the radii of convergence, making then effective
the bridge between algebraic geometry over the

In 37, X. Caruso, A. David and A. Mézard study the relationships between certain Galois deformation spaces and the corresponding Kisin varieties (endowed with additional structures). They prove notably that the latter determines the number of irreducible components of the former and give fast algorithms to enumerate them.

In 40, X. Caruso studies the distribution of the
roots of a random

In 23, F. Johansson describes Calcium, a new library for exact real and complex arithmetic with the ability to prove equalities for a large class of numbers.

In 15, E. Friedman, F. Johansson and G. Ramirez-Raposo prove a conjecture from 2014 by Katok, Katok and Rodriguez Hertz, rigorously establishing the minimal value of the Fried average entropy for higher-rank Cartan actions.

In 45 F. Johansson provides an extensive review of multiprecision algorithms for computing the gamma function and makes some improvements to the fastest known algorithms.

In 39, X. Caruso, M. Mezzarobba, N. Takayama
and T. Vaccon give algorithms for computing values of many

G. Castagnos has a three-year contract with Orange (Orange Labs Cesson-Sévigné) for the supervision of the PhD of Élie Bouscatié (CIFRE thesis) from November 2020 to November 2023.

Duration: 2021–2024

One of the most promising candidates for quantum-resistant cryptography is lattice-based cryptography. In this framework, the security is inherited from the presumed computational intractability of certain problems on high-dimensional Euclidean lattices. Efficiency and functionality of lattice-based cryptography can be significantly improved by switching the underlying hardness assumptions to module lattices, which possess additional algebraic structure. For this reason, hardness assumptions for problems on algebraically-structured lattices have received significant attention in recent studies.

This ANR-NSF project aims at clarifying the landscape of module lattice problems. The prime objective is to provide a clearer understanding of the intractability of module lattice problems, via improved reductions between them and improved dedicated algorithms.

Duration: 2021–2022

This project called REDGATE (recherche et encadrement doctoral en géométrie algébrique et théorie des nombres effectives en Afrique) aims at supporting the activities of the Pole of Research in Mathematics and Applications in Africa, a network of 60 African mathematicians, in the fields of algebraic geometry, number theory and their applications to information theory. The two main activities supported by the REDGATE project are research schools for graduate and PhD students in Africa and scientific visits to enhance collaborations.

Duration: 2016 – 2022

The Alambic project was planned to end in October 2020,
but was prolonged due to the pandemic to April 2021 and then to April 2022.

The Alambic project is a research project formed by members of the
INRIA Project-Team CASCADE of ENS Paris, members of the AriC INRIA
project-team of ENS Lyon, and members of the CRYPTIS of the university
of Limoges. G. Castagnos is an external member of the team of Lyon for
this project.

Non-malleability is a security notion for public key cryptographic encryption schemes that ensures that it is infeasible for an adversary to modify ciphertexts into other ciphertexts of messages which are related to the decryption of the first ones. On the other hand, it has been realised that, in specific settings, malleability in cryptographic protocols can actually be a very useful feature. For example, the notion of homomorphic encryption enables specific types of computations to be carried out on ciphertexts and to generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintexts. The homomorphic property can be used to create secure voting systems, collision-resistant hash functions, private information retrieval schemes, and fully homomorphic encryption enables widespread use of cloud computing by ensuring the confidentiality of processed data.

The aim of the Alambic project is to investigate further theoretical
and practical applications of malleability in cryptography. More
precisely, this project focuses on three different aspects: secure
computation outsourcing and server-aided cryptography, homomorphic
encryption and applications and “paradoxical” applications of
malleability.

Duration: 2017–2021

Building on the unifying theme of Flair project
synthetises complementary point of views from multiple domains: analytic
approaches for classical

Developing systematically the emerging notion of good families of

Duration: 2018–2022

The

The CLap-CLap ANR project aims at accelerating the expansion of the

This project is also the opportunity to contribute to the
development of the mathematical software SageMath and to the expansion
of computational methodologies.

Duration: 2019–2023

The CIAO ANR project is a young researcher ANR project led by Damien Robert.

The aim of the CIAO project is to study the security and to improve the efficiency of the SIDH (supersingular isogeny Diffie-Hellman) protocol, which is one of the post-quantum cryptographic projects submitted to NIST, where it passed the first round of selections.

The project includes all aspects of SIDH, from theoretical ones (computing the endomorphism ring of supersingular elliptic curves, generalisation of SIDH to abelian surfaces) to more practical aspects like arithmetic efficiency and fast implementations, and also extending SIDH to more protocols than just key exchange.

Applications of this project are to improve the security of communication in a context where the currently used cryptosystems are vulnerable to quantum computers. Beyond post-quantum cryptography, isogeny based cryptosystems also allow one to construct new interesting cryptographic tools, such as verifiable delay functions used in block chains.

Duration: 2021–2025

The NuSCAP project aims at developing theorems, algorithms and software to improve the numerical safety of computer-aided proofs in mathematics.

Duration: 2021–2025

The MELODIA ANR project is a young researcher ANR project led by Gaetan Bisson.

Its main objective is to systematically study the algebraic structure of isogeny graphs of abelian varieties, with a view to attacking important open problems in number theory and cryptography.

It focuses on low-dimensional abelian varieties defined over finite fields and tackles the following (closely related) problems: describing the abstract structure of the isogeny graph; computing the endomorphism ring of an abelian variety; constructing an abelian variety with a prescribed number of points; obtaining a Gross-Zagier formula for such varieties.

The case of supersingular elliptic curves is of particular interest as the presumed hardness of the corresponding computational problems is of foundational importance to isogeny-based cryptography. The MELODIA project aims at pinpointing the precise hardness of these problems, to guide the choice of secure cryptographic parameters for a variety of post-quantum protocols.

Duration: 2021–2025

Secure distributed computation has long stood in the realm of theoretical cryptography, but it was known to have the potential of providing a disruptive change for practical security solutions. The concept was introduced by Yao in the 1980s and it allows mutually distrusting parties to run joint computations without disclosing any participant’s private inputs. New cryptographic tools have been invented in recent years (e.g. fully-homomorphic encryption, functional encryption, succinct proof systems, and so on). These constructions have opened the door to applications that were previously believed unattainable in practice (e.g. Cloud Computing, Big Data, Blockchain or the Internet of Things). There is currently a strong interest in secure distributed computation from governments and security organisations (in particular the National Institute of Standards and Technology, NIST), military, academia and industry. We are close to the stage where the secure distributed computation protocols can be applied to real-world security issues.

The main scientific challenges of the Sangria project are (1) to
construct specific protocols that take into account practical
constraints and prove them secure, and (2) to implement them and to
improve the efficiency of existing protocols significantly. The
project aims at undertaking research in
these two directions while combining research from cryptography,
combinatorics and computer algebra. It is expected to impact central
problems in secure distributed computation, while enriching the
general landscape of cryptography.

Duration: 2021–2025

The AGDE ANR project is a young researcher ANR project led by Jean Raimbault.

Its main objects of study are groups of matrices with integer entries, as these are objects of interest in geometric group theory, number theory, differential geometry and topology. Its main objective is to study the properties that are common or different in various classes of such groups, with a particular focus on the asymptotic behaviour. The project focuses on torsion homology and regulators, and the classes of congruence groups, arithmetic but noncongruence groups, and thin subgroups. The development of computational methods is an important tool for the project.

B. Allombert and K. Belabas organised a PARI/GP Day to present the new features of the software. This online event replaced the usual PARI/GP workshop that was cancelled due to the pandemic.

Atelier francophone en ligne PARI/GP 2021b

B. Allombert, A. Page and A. Zekhnini organised a two-day online PARI/GP workshop to give an introduction to PARI/GP to the participants of the conference JATNA 2021 held in Oujda and to the students of the Afrimath network.

A. Pellet-Mary was a member of the programme committee of the conferences Asiacrypt 2021, PKC 2022 and Eurocrypt 2022.

B. Wesolowski was a member of the programme committee of the conference PKC 2022.

J.-M. Couveignes is a member of the programme committee of the conference
A Tour of Arithmetic Geometry, conference in honour of Bas Edixhoven’s 60th birthday,
Schiermonnikoog, April 2022.

X. Caruso is an editor and one of the founders of the journal
Annales Henri Lebesgue.

J.-M. Couveignes is a member of the editorial board (scientific committee)
of the Publications mathématiques de Besançon since 2010
and of Journal de Théorie des
Nombres de Bordeaux since 2020.

K. Belabas acts on the editorial board of Journal de Théorie des
Nombres de Bordeaux since 2005 and of Archiv der Mathematik since
2006.

A. Enge is an editor of Designs, Codes and Cryptography
since 2004.

K. Belabas is a member of the “conseil scientifique” of the Société Mathématique de France (second mandate).

X. Caruso is a member of the “conseil national des universités” (CNU) since 2021.

Since January 2015, K. Belabas is vice-head of the Mathematics Institute (IMB). He also leads the computer science support service (“cellule informatique”) of IMB and coordinates the participation of the institute in the regional computation cluster PlaFRIM.

Since September 2021, he is vice-head of the Unité de Formation Mathématiques et Interactions (UFMI).

He was an elected member of “commission de la recherche” in the academic senate of Université de Bordeaux from 2014 to 2021.

A. Enge is a member of the administrative council of the Société
Arithmétique de Bordeaux, which edits the
Journal de théorie des nombres de Bordeaux
and supports number theoretic conferences.

G. Castagnos is responsible for the bachelor programme in mathematics and informatics.

J.-M. Couveignes is co-responsible for the Graduate Programme Numerics of the Université de Bordeaux.

J.-M. Couveignes was head of the comité de visite, d'analyse
et de recommandation de l’équipe
Modélisation et Applications du LMNO de Caen at the request
of CNRS-INSMI and Université de Caen Normandie.

X. Caruso, P. Molin and A. Page supervised the computer algebra software sessions in the 2021 JC2A Summer School. Both Sagemath and PARI/GP were presented to the participants (PhD students in number theory).

X. Caruso and C. Ménini are leaders of the popularisation group at IMB (Institut de Mathématiques de Bordeaux).

R. Barbulescu is one of the organisers of concours Alkindi, which proposes interactive exercises of cryptography for students of 8th, 9th and 10th grade (French 4e, 3e and 2nde). Together with the Ministries of Education and of Defense, the contest is supported by Inria and Thalès. In 2020-2021 the contest had 47000 participants and M. le Ministre Blanquer took part in the award ceremony, organised online. Barbulescu had two roles: an administrative task (he was one of the three organisers) and a scientific role (he was one of six researchers in this function), which consists in translating the latest research results into exercises adapted for middle- and high-school students.

X. Caruso and R. Barbulescu are the two members of the regional organisation committee of Tournoi français des jeunes mathématiciennes et mathématiciens (TFJM) in Bordeaux. B. Wesolowski and A. Pellet-Mary were jury members.

R. Barbulescu takes part in the action for central Africa of the NGO Animath. In 2020-2021, the health situation required replacing our regular actions, workshops with students in Africa, with online activities. Several countries took part in Olympiade Francophone de mathématiques and others organised Concours Alkindi. Our role was administrative: contacting and holding discussions with institutions such as the French embassy in Romania or the Inspectorat général du Ministère de l'Éducation du Sénégal.

X. Caruso wrote a webpage with several models of slide rules. Some of them were built in the FabLab at the IUT of Gradignan and are now exhibited in the library of our Math Department.