Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The two facets of cryptology—cryptography and cryptanalysis—are central to our research. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones.

Our research connects to both symmetric and asymmetric key cryptography. While the basic principles of these domains are rather different—indeed their names indicate different handlings of the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition to this, both require to study design and analysis together as these two aspects nurture each other.

Our research topics can be listed either with broad applications domains
in mind (a very coarse-grain view would have us list them under
cryptography and cryptanalysis), or more thematically (see
Figure 1). Either way, we
also identify a set of tools that we sometimes develop per
se, but most often as ingredients towards goals that are set in the
context of other themes. Following the “vertical” reading direction in
Figure 1, our research topics are as follows.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.

Closely related to the Tower Number Field Sieve are pairing-friendly curves.
Pairings are bilinear maps

Questions more recently studied include the development of cryptosystems based on isogenies.

Symmetric key cryptography. This topic has emerged in the team with several new hires since 2016. We are interested in particular in automatic tools for new paradigms of cryptanalysis, going beyond the classical linear and differential cryptanalysis techniques. Newer, more intricate techniques are rather hard to apply and are error-prone. The idea is then to automate the analysis process by developing tools implemented in constraint programming (CP) , satisfability (SAT) or mixed integer linear programming (MILP). We plan to pay special attention to the recent advances in cryptanalysis and to study recently proposed lightweight ciphers.

In addition, we also study new designs. The challenge of the lightweight world (Embedded systems, Internet of Things) pushes symmetric cryptography to be ever more efficient while guaranteeing the same level of security as before. It is thus very important to scrutinize each building block of the symmetric key primitives to be convinced of their security.

Tools.
Several mathematical objects are pervasive in our
research. We sometimes study them per se, but they most
often play a key role in the work related to the topics above. In
particular, we study computer arithmetic, polynomial systems,
linear algebra. In the context
of symmetric cryptography,
the mathematical objects we deal with
are rather different:
we are mainly interested in small (4 or 8 bits)
non-linear permutations (the so-called S-boxes) and in linear
transformations based on coding theory (Maximum Distance Separable (MDS)
matrices or quasi-MDS matrices).

Our goals with all these basic objects include a strong commitment to providing high-quality software that can be used as a dependable building block in our research.

As a complement to the last point, we consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, part of our research activity.

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 25 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered since 2014, notably for non-prime fields, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would
hardly be possible without access to a dependable software
implementation. To this end, members of the CARAMBA team have been
developing the Cado-NFS software suite since 2007. Cado-NFS is now the
most widely visible open-source implementation of NFS, and is a crucial
platform for developing prototype implementations for new ideas for the
many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and
follows an open development model, with a publicly accessible development
repository and regular software releases. Competing free software
implementations exist, such as msieve, developed by J.
Papadopoulos (whose last commit is from August 2018).
T. Kleinjung develops his own code base, which
is unfortunately not public.

The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters, while cryptanalysis looks at the hardness of the discrete logarithm problem.

Several members have expertise in multiple facets of curve-based
cryptology, but recent work in the team has been concentrated on a few
precise topics. One of them is pairing-based
cryptography.
Pairing-friendly curves were introduced in 2001 in (constructive) cryptography
and should be designed with a very precise application goal in mind, contrary to the widespread curves such as x25519
or x448 in TLS, or the NIST curves, which can be used much more
generically.
The bilinear pairing has two aspects. First a destructive side: it
transfers a discrete logarithm computation from the group of points of the curve
(where the DLP is known to be hard, of exponential complexity in the size
of the group), to a finite field extension

We also investigate the practical security (e.g. against physical attacks) of elliptic curves and their implementations. Our focus here is more on the connection of such problems with Euclidean lattice theory, for example.

With NIST's competition on post-quantum cryptographic primitives, the new area of isogenies on elliptic curves is developing. Efficient implementation of isogenies is an active area of research nowadays, together with better parameter selection. The elliptic curves suitable for isogenies require different properties: they are supersingular contrary to the ordinary curves in classical cryptography. Selecting parameters is a difficult task, and in some cases, it requires a large computational effort of a class number computation.

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

In symmetric key cryptology, we are tackling problems related to both design and analysis. A large part of our recent research has been motivated by the Lightweight Cryptography Standardization Process of NIST 1 that embodies a crucial challenge of the last decade: finding ciphers that are suitable for resource-constrained devices.

On a general note, the working program of CARAMBA in symmetric cryptography is defined as follows:

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in our application domains. However involved the mathematical objects considered may be, dealing with them first requires to master more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, GNU MPC do an excellent job for these, both for small and large sizes.

Most of our involvement in subjects related to computer arithmetic is to
be understood in connection to our applications to the Number Field Sieve
and to Abelian varieties. As such, much of the research work we envision
will appear as side-effects of developments in these contexts. On the
topic of arithmetic work per se:

Our study of the Number Field Sieve family of algorithms aims at showing how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for the choice of appropriate cryptographic primitives. For example the French ANSSI 2, German BSI, or the NIST 3 in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks to cryptographic systems that are taking the security/efficiency/legacy compatibility trade-offs too lightly. Attacks such as LogJam 35 are understood as being serious concerns thanks to our convincing proof-of-concepts. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS 41, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible source of inspiring material for others, it is again important that these be developed in a free and open-source development model.

Over the last few years, and even more so in 2022, Inria's institutional positioning and communication policy have been the source of increasing trouble, which is harmful to our research environment. Bodies such as the CNRS national committee rightly pointed out the detrimental effect of Inria's ambition on the research ecosystem, especially in joint labs such as Loria. Lastly, Inria's top management has embarked on a preposterous crusade against its own evaluation body (the Evaluation Committee), which contributes in no way to a healthy research environment.

Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).

Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates and grade them.

Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

In 2022, our platform was used to run about 1400 elections, with about 50,000 ballots counted.

This year we released a major update of Belenios (2.0) that introduces a new election format where election events (e.g., ballot submission) are chained to each other. This sets the stage for a future release where the server will be able to commit to the actual content of an election. We have also improved the monitoring of the server (eg by making the voting authority code constant) and we have initiated compliance with the CNIL recommendations. We have hardened the security of Belenios by linking a voter to the public part of their voting code from the setup phase. To ensure better availability, Belenios is now hosted on OVH servers. Finally, we have pursued the development of the REST API in preparation of a major overhaul of the election administration interface.

In 2022, Cado-NFS evolved in the form of preparatory work for further computations. In particular, work has been done in order to make it possible to run Cado-NFS on small Docker containers, which is a useful first step towards easy deployment on various kinds of cloud-scale computing infrastructures, using engines such as Kubernetes, for example.

Furthermore, work towards some of the ideas in the context of the Kleptomaniac ANR project is ongoing within Cado-NFS, and will continue in 2023.

This project is an implementation, starting from scratch, of Drinfeld modules in SageMath. This module shall be integrated into SageMath.

Drinfeld modules are mathematical objects similar to elliptic curves, but in another setting, which is that of function fields.

The aim of this implementation is to provide researchers with all basic computational tools for Drinfeld modules, and to build a reliable basis for future, more sophisticated algorithms.

In this work 29 we expand the algorithmic toolbox for finite Drinfeld modules by designing algorithms and complexity bounds for the manipulation of isogenies of ordinary Drinfeld modules. This paper is an expanded version of a previous preprint which focused on cryptographic applications. Benjamin Wesolowski found a way to attack our proposed cryptographic applications, this is why this new version of the paper focuses more on purely algorithmic aspects and on effective number theory.

This work

19is a generalization of

37published at CANS'2020, with Youssef El Housni, PhD student in the GRACE team at Inria Saclay, and

ConsenSys. This paper considers chains of two pairing-friendly elliptic curves for SNARKs (Succinct Non-interactive ARguments of Knowledge). In the previous work, one 2-chain was investigated: the curves BLS12-381 and BW6-761. This work considers 2-chains of curves where the first (inner) curve can be a BN (Barreto–Naehrig), or a BLS12 or BLS24 (Barreto–Lynn–Scott) curve. The second (outer) curve is obtained with the Brezing–Weng construction (BW6 curves). Our comparison shows that it is faster than curves obtained with the Cocks-Pinch method. The aim is to provide other trade-offs in terms of size, and arithmetic and pairing efficiency. The companion code is referenced in Section

6.1.4, and a full Golang implementation is developed in the library

GNARK. The preprint appeared in the 2021 report and was published in the proceedings of the

EUROCRYPTconference in 2022.

The paper

19improved the group operations on BLS curves. These curves are not of prime order, and two important cryptographic operations are:

, that is multiplying a point on the curve by the cofactor so that the point has prime order, and

, that is testing if the point is in the subgroup of prime order. In

20with Youssef El Housni and Thomas Piellard (Consensys), we generalized our results for these two operations for all known pairing-friendly curves: the speed-up applies to many curves except the KSS curves. It was presented at the

AFRICACRYPT'2022conference.

On October 21, 2021, A. Guillevic received an invitation from Carla Ràfols to submit a survey paper on

to the special issue

of the DCC journal. This survey paper

10written with Diego Aranha (Aarhus University) and Youssef El Housni presents the area and the state of the art for 2-chains and cycles, the known constructions, and the known impossibility results on finding cycles. It also lists the open-source implementations of such curves available in 2022. The 2-chain constructions from

19were generalized to BN curves.

In the invited article 32 in IEEE Security & Privacy, we review the current state of the art of cryptanalysis for three number-theoretic problems using classical (nonquantum) computers, including, in particular, our most recent computational records for integer factoring and prime-field discrete logarithms. This work is connected to our earlier work on factoring and discrete logarithm records, which we put in perspective in the broader context of the assessment of the security of the classical public-key cryptographic primitives. Despite the hype about the future transition to post-quantum cryptographic algorithms, everyone is fully aware of the fact that classical algorithms are here to stay, at least for a long while. It is of utmost importance to properly assess the possible security risk that arises from their continued use.

The article

13published in Advances in Mathematics of Communications 2022 investigates the practicality of heuristic algorithms based on elliptic bases, for the computation of discrete logarithms in small characteristic finite fields. Elliptic curve representation is already used to achieve provable quasi-polynomial time but the idea here is to use a different model of the elliptic curve used for the elliptic basis that allows for a relatively simple adaptation of the techniques used with former Frobenius representation algorithms. Our experiments with the field

indicate that switching to elliptic representations might be possible with performances comparable to the current best practical methods.

The work

26deals with the splitting step in the number field sieve for finite fields of composite extension degree. The splitting step consists in finding an element

with a smooth norm and such that the logarithm of the target

can be easily deduced from the logarithm of

. The current state of the art takes advantage of lattice-reduction algorithms, such as LLL and BKZ in order to find such an element

. In this work, the authors explore the use of sublattices of the lattices usually used and perform experiments to validate this idea. Moreover, the authors give an asymptotic analysis of the individual logarithm step in NFS when LLL or BKZ are used as lattice-reduction in this new algorithm.

The aim of the CORE-MATH project is to provide on-the-shelf open-source mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in 28.

In 2022, with the help of Stéphane Glondu, some tools were set up to assess the correctness of the CORE-MATH functions, and to measure their speed (both reciprocal throughput and latency). These tools are also able to test other mathematical libraries.

In 2022, a full set of C99 single precision (binary32) functions was
implemented. In addition, binary32 functions from the new C23 standard
were also implemented.
The article 22 detailing this work got the
Best Paper Award at the Arith'2022 conference.
A few double precision (binary64) functions are
now available: acos, asin, cbrt, exp, exp2,
hypot, log, rsqrt.
During his M1 internship, Tom Hubrecht designed an efficient pow
function in double precision, which is in review before inclusion into
CORE-MATH.

The development of CORE-MATH forced us to revisit some classical algorithms, for example FastTwoSum in the context of directed roundings 31.

Monthly video-conferences are organized with the LLVM developers who also develop correctly-rounded routines, and use the CORE-MATH tools to check their correctness and efficiency.

To design correctly-rounded functions as in the CORE-MATH project, it is of
utmost importance to know “worst cases” of mathematical functions, i.e.,
inputs

The research presented in

14studies how to build an automated tool that searches for good boomerang characteristics and boomerang attacks for Feistel ciphers, and how to apply these to the ciphers Warp, LBlock-S and Twine. By relying on the findings by Delaune and coauthors

36(for the distinguisher search) together with the work by Qin and co-authors

39for the inclusion of the key-recovery cost, we produce a new model that directly looks for an optimization of the boomerang attack as a whole. For the recent cipher Warp, this model returns a 26-round rectangle attack of time complexity equivalent to

cipher encryptions, which at the time was the best known attack on Warp (other techniques later presented were able to attack more rounds).

Cryptographic algorithms that can provide both encryption and authentication are increasingly required in modern security architectures and protocols (e.g. TLS v1.3). Many authenticated encryption systems have been proposed in the past few years, which has resulted in several contributions to research in cryptanalysis. In this same direction, the National Institute of Standards and Technology (NIST) is coordinating a large effort to find a new standard authenticated encryption algorithm to be used by resource-constrained and limited devices. In this paper, 12 algorithms of the 33 candidates of the Round 2 phase from NIST competition are being benchmarked on a real IoT test-bed. In

11, these 33 ciphers implement authenticated encryption with associated data which aims at preserving integrity, privacy and authenticity at the same time. In this work, we ported the 12 algorithms to different hardware platforms (an x86

64 PC, an AVR ATmega128, an MSP430F1611 and the IoT-LAB platform) and made a fair comparison between their performance. We adapted these algorithms to the Contiki operating system to evaluate the latency and efficiency of each algorithm on IoT applications deployed on a national experimental platform which is IoT-LAB. In addition, we used the FELICS-AE benchmark to quantify locally the RAM, execution time and code size of each algorithm. This work provides practical results of their performance in an IoT scenario, which pave the way for further research on other algorithms, platforms or OS.

Finding optimal related-key differential characteristics for a given cipher is a problem that hardly scales. For the first time, in

21we study this problem against the 25 instances of the block cipher Rijndael, which are the little brothers of AES. To achieve this, we adapt and improve an existing approach for AES which is based on Constraint Programming. The attacks presented here surpass all the previous cryptanalytic results of Rijndael. Among all our results, we obtain a 12-round (out of 13 rounds) related-key differential attack for Rijndael with a block size equal to 128 bits and a key size equal to 224 bits. We also obtain an 11-round related-key differential characteristic distinguisher for Rijndael with a block size equal to 160 bits and a key size equal to 256 bits leading to an attack on 12 rounds (out of 14 rounds).

In

12, we propose an instantiation, called Stanislas, of a dedicated Self-Synchronizing Stream Cipher (SSSC) involving an automaton with finite input memory using non-triangular state transition functions. Previous existing SSSCs are based on automata with shifts or triangular functions (T–functions) as state transition functions. Our algorithm Stanislas admits a matrix representation deduced from a general and systematic methodology called Linear Parameter Varying (LPV). This particular representation comes from control theory, more specifically from a special property of dynamical systems called flatness. Hardware implementations and comparisons with some state-of-the-art stream ciphers on Xilinx FPGAs are presented. It turns out that Stanislas provides bigger throughput than the considered stream ciphers (synchronous and self-synchronizing) when straightforward implementations are considered. Moreover, its synchronization delay is much smaller than the SSSC Moustique (40 clock cycles instead of 105) and the standard approach CFB1-AES128 (40 clock cycles instead of 128).

Among several solutions to face the unprecedented increase of attacks against Cyber Physical Systems, encryption plays a central role. In the form of a Proof of Concept and in 24, this contribution gives a new methodology for designing self-synchronizing automata, having in mind their use in symmetric cryptography, namely the Self-Synchronizing Stream Ciphers. The contribution of the paper is to recast the design as control theoretical issues. It calls for a graph-based approach and results borrowed from control theory and dynamical systems, in particular LPV systems. The design leads to not necessarily T -functions as state transition functions of the automata involved in the ciphering and deciphering sides. It is a consideration that is important for the sake of security. Another asset of the approach is that the resulting ciphers admit possibly vectorial inputs to enhance the throughput.

We report in 15 the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack.

We study the 2XOR-Cascade construction of Gaži and Tessaro (EUROCRYPT 2012). It is a key length extension technique which provides an n-bit block cipher with 5n/2 bits of security out of an n-bit block cipher with 2n bits of key, with a security proof in the ideal model. We show that the offline-Simon algorithm of Bonnetain et al. (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time

Regarding post-quantum security of symmetric ciphers, it is commonly assumed that doubling the key sizes is a sufficient precaution. This is because Grover's quantum search algorithm, and its derivatives, can only reach a quadratic speedup at most. Our attack shows that the structure of some symmetric constructions can be exploited to overcome this limit. In particular, the 2XOR-Cascade cannot be used to generically strengthen block ciphers against quantum adversaries, as it would offer only the same security as the block cipher itself.

Together with Véronique Cortier (PESTO Team), Pierrick Gaudry wrote a general audience book 33 on various aspects of electronic voting, with an emphasis on security aspects. Written in French, this book was published by Odile Jacob and received a nice press coverage, including an article in Le Monde.

In a first work 18, we explore the possibility of revealing only the result of an election, without decrypting the individual ballots, or any side-information. The result must be computed in a way such that everyone can verify that it indeed corresponds to the (public) ballot box. Also, even the trust parties who possess the shares of the decryption key should not learn anything more than the winner of the election.

We propose a multi-party computation toolbox dedicated to this kind of problems, and show that it allows us to tackle all well-known tally functions, including the most complicated, like the Condorcet-Schulze, D'Hondt, STV, or Majority Judgement. We also explain how the classical ElGamal encryption (typically based on elliptic curves) can be used, instead of the Paillier scheme that is often chosen in theoretical papers, but is far less frequent in standard crypto libraries.

In 27, we show that the JCJ e-voting protocol that is the basis of many coercion-resistant systems is flawed, in the sense that the tally phase leaks more information than what it should. In some specific scenarios, this can give an advantage to a coercer. We therefore propose a new version of JCJ, that we call CHide, and that relies on the multi-party toolbox that we designed in the previous article. We also refine the existing formal definitions of coercion-resistance, in order to highlight the flaw, and prove that CHide fixes the problem.

This short paper 17 was written with V. Cortier and describes the list of features that have been added to the Belenios software in the past few years.

In collaboration with members of the PESTO team and members of the Idemia
company, we proposed a new voting system. The goal is to offer better
guarantees in a context of on-site voting. The main advantages of our
system is that it offers the cast-as-intended property, i.e. the
machines used by the voters can not cheat when preparing the electronic
ballot. This comes with a thorough study of accountability, that is the
possibility to blame the right entity, when a problem is detected. Formal
proofs of security are provided, using the ProVerif tool.

Together with the PESTO team, we had a consulting contract with Swiss Post. The topic was e-voting in general, and more precisely various topics (short-term and long-term design evolution, security analysis) related to their solution.

Together with the PESTO team, we had a contract with the French Ministry of Foreign Affairs (MEAE), in the context of the legislative elections, for which the French citizens from abroad had the possibility to vote over Internet. We played the role of external third-party, as required by the CNIL recommendations for such high-stake elections. While the contract was signed with the MEAE, it also involved interactions with the vendor of the solution (Voxaly), and the ANSSI who was the security advisor for the MEAE.

Since 1996 and the discovery of Shor's algorithm, new quantum threats emerged against classical security protocols and cryptographic primitives. The objective of the PQ-TLS project is to design a quantum-safe version of the security layer of web protocols, via the integration of post-quantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developping new techniques to compare existing primitives from the quantum viewpoint and at promoting arising solutions from the academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of post-quantum cryptography to its concrete implementations.

Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".

Pierre-Jean Spaenlehauer is the local scientific coordinator for the CARAMBA team.

The RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields were the first invented primitives of public-key cryptography.

It is hard to estimate the time and resources that are needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend that people either avoid RSA, or prefer large RSA key sizes for safety, above 2048 bits at least. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we do rely on cryptography that uses smaller key sizes.

We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA-1024 and DH-1024 as well as specific discrete logarithm-related problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.

In 2022, the work on the “double matrix” subtask was initiated, in collaboration with Charles Bouillaguet (Sorbonne University). This work is integrated in a branch of Cado-NFS.

This project aims to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project will be to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project will define new dedicated global constraints, will improve the underlying filtering and solution search algorithms, and will propose dedicated explanations generated automatically. See the web site for more information.

The Citizen Trust in the Digital World (acronym DigiTrust) project is part of the latest wave of IMPACT projects within the Lorraine University of Excellence (LUE) initiative proposed under the PIA2 IDEX/I call for tenders -SITE. It was launched in April 2019 and its ambition is to build citizens' trust in the digital world around four areas of research.

The digital revolution has a fundamental impact on daily life, particularly on the way citizens get information, communicate and organize themselves. This revolution also changed the manufacturing and supply of goods and energy, the design of cities, transportation infrastructure, and even administration and politics. New paradigms such as smart cities, manufacturing or the use of connected objects (IoT) rely on permanently connected communication at all scales, which further increases the dependence of modern society on digital technologies. See the web site for more information.

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

Marine Minier obtains this year an half Inria Delegation.