The primary goals of the Canari project are, firstly, to design
algorithmic solutions to manipulate the objects involved in the Langlands
programme, and secondly, to develop algorithmic tools to handle the necessary
arithmetic and analysis (real, complex and

The Langlands programme postulates deep relationships between objects of three apparently unrelated worlds: the automorphic world, the world of Galois representations, and the motivic world.

The automorphic world belongs to the realm of analysis and infinite-dimensional
vector spaces: its main citizens are automorphic forms, which are certain
smooth functions satisfying nice differential equations. The number-theoretic content
comes from the domains of these functions: they are defined on so-called arithmetic
manifolds, of which many classical objects are special cases: modular curves,
moduli spaces of abelian varieties, the space of Euclidean lattices of a given
dimension, Arakelov class groups, etc.

The world of Galois representations is about symmetry and algebra. The main
citizen is the group of all symmetries of the field of all algebraic numbers,
the absolute Galois group

The motivic world is about geometry. Its main citizens are algebraic varieties, that is, sets of solutions of polynomial equations, and their associated cohomologies. Important examples are algebraic curves and abelian varieties. One can classify varieties by discrete, or cohomological, invariants such as dimension and genus (integers). On some families of algebraic varieties, after fixing these discrete invariants, the family is classified by a continuous space which is itself an algebraic variety called a moduli space. Moduli spaces of curves and abelian varieties play a key role in number theory and in cryptography.

These worlds are tied together via the central notion of

A strong focus of the team is on making our algorithms available through
open source software, notably Pari/GP, Flint (Arb, Calcium) and Mpc.

The team is organised around three axes. The goal of the first axis is to give a systematic computational treatment of objects from the Langlands programme, and to investigate the algorithmic insight that can be gained by approaching problems in computational number theory from the Langlands programme point of view.

These algorithms will be of two kinds:
exact or of analytic, approximated nature (

The goal of this axis is to design and implement efficient algorithms to enumerate, construct, represent, and compute with the fundamental objects of the Langlands programme and to explore their interactions. This will provide versatile tools for mathematicians to progress on difficult problems by directly manipulating intricate objects, and a collection of new problems and algorithms for cryptographers to use for the design of next-generation cryptographic primitives. Since many of these objects have a strong analytic flavour, the methods from our effective analysis axis will be vital.

The main topics of this theme will be:

The goal of this axis is to develop algorithms
for efficient and reliable arithmetic in various fields (real, complex,

There is a wealth of research questions to address to guarantee convergence, optimal complexities and efficiency at different precisions, as well as the exactness of the results.

The main topics of this theme will be:

While the objects mentioned in Axis 1 may appear excessively abstract, when suitably instantiated, they become basic building blocks for next-generation cryptosystems. First, these algebraic objects make it possible to construct quantum-resistant public key cryptosystems, which may become indispensable to secure communications in a future where large-scale quantum computers have become a reality. Second, the richness of these objects enables the construction of cryptographic schemes with advanced properties, such as homomorphic encryption, decentralised cryptography, secure multiparty computation and verifiable delay functions. The cryptosystems that will be studied in the team are related to (generalisations of) ideals and class groups in number fields: algebraic lattices, actions of class groups of orders in number fields and actions of groupoids constructed from quaternion algebras. Building and analysing these cryptosystems requires a deep understanding of the mathematical structures underlying them, which cannot simply be treated as black boxes.

The main topics of this theme will be:

Our main existing and future impact is through our software, notably
Pari/GP, Flint (Arb, Calcium) and Mpc, which are world leaders in their
respective domains.
Pari/GP is the leading package used in number theory, and is integrated into
wider platforms like SageMath.
Flint focuses on lower level building blocks for number theory, like
polynomial arithmetic, interval arithmetic (Arb) and symbolic computations
(Calcium).
Mpc, with its guarantees of correct rounding for basic complex arithmetic
operations, operates on a lower level and thus has a larger scope. It serves
as a reference for the GNU C library and is installed alongside GCC on each
computer requiring the GNU Compiler Collection.
The interval arithmetic of Arb provides a more flexible use
case than Mpc, and hence has the widest range of potential applications, far
beyond the needs of algorithmic number theory. It is already used in
Mathematica and Maple, and a goal of the team will be to extend its reach
even further.

The main impact of Axis 1, apart from the cryptographic applications, will
be to give new tools to mathematicians to explore the world of the Langlands
programme, construct objects explicitly and carry out experiments, in
particular via Pari/GP.

The main impact of Axis 2 will be the improvement of tools to handle
precision better (floating point,

Concerning Axis 3, the requirement by governmental agencies to have
post-quantum cryptographic solutions means that
civil society already needs to pivot towards such solutions.
NIST has an ongoing post-quantum cryptography
standardisation process.
This is an international process and the Canari team will contribute to
the analysis (and improvement) of the security of some of these schemes
(notably the isogeny-based ones and the ideal-lattice ones).

The main footprints of our research activities are:

Another possible impact of Axis 3 will be ecological. Moving blockchains from Proof of Work to Proof of Stake is key to reducing their ecological impact. Verifiable delay functions are a core component of proof of stake, so Axis 3 will play a small role in helping this transition. In the same vein, cryptography based on class groups makes it possible to reduce the bandwidth used for certain multiparty protocols.

Wessel van Woerden defended his PhD thesis, Lattice Cryptanalysis: from cryptanalysis to new foundations, February 2023, Leiden.

Élie Bouscatié defended his PhD thesis, Chiffrement compatible avec
l'analyse de flux, December 2023.

Flint saw a new major release 3.0, merging Arb and Calcium.

The article 24 received an honourable mention award at Eurocrypt.

FLINT is a C library for doing number theory. At its core, FLINT provides arithmetic in standard rings such as the integers, rationals, algebraic, real, complex and p-adic numbers, finite fields, and number fields. It also provides polynomials (univariate and multivariate), power series, and matrices.

FLINT covers a wide range of functionality: primality testing, integer factorisation, multivariate polynomial GCD and factorisation, FFTs, multimodular reconstruction, special functions, exact and approximate linear algebra, LLL, finite field embeddings, and more.

Changes in version 1.3.1, released in December 2022:
- Bug fix: It is again possible to include mpc.h without including stdio.h.

Changes in version 1.3.0 ("Ipomoea batatas"), released in December 2022:
- New function: mpc_agm
- New rounding modes "away from zero", indicated by the letter "A" and corresponding to MPFR_RNDA on the designated real or imaginary part.
- New experimental ball arithmetic.
- New experimental function: mpc_eta_fund
- Bug fixes:
  - mpc_asin for asin(z) with small |Re(z)| and tiny |Im(z)|
  - mpc_pow_fr: sign of zero part of result when the base has up to sign the same real and imaginary part, and the exponent is an even positive integer
  - mpc_fma: the returned 'int' value was incorrect in some cases (indicating whether the rounded real/imaginary parts were smaller/equal/greater than the exact values), but the computed complex value was correct.
- Remove the unmaintained Makefile.vc; build files for Visual Studio can be found at https://github.com/BrianGladman/mpc .

In 26, H. Cohen wrote a survey on Computational Number Theory.

In 5, K. Belabas, F. Diaz y Diaz and E. Friedman study special values of narrow ray class partial zeta functions.

In 28, B. Allombert and D. Mayer study capitulation of cubic number fields.

In 35, H. Cohen exhibits parametric continued fractions for some well-known number theoretic constants.

The paper 12 by P. Kılıçer and M. Streng, which lists all quartic CM fields with CM class number one, has been published.

The article 14, which gives faster quantum algorithms to compute unit groups of cyclotomic fields, has been published in AFRICACRYPT 2023.

Drinfeld modules can be considered as an analogue of elliptic curves
when working over a function field over SageMath 4.

X. Caruso, Agnès David and Ariane Mézard continued their study
of the potentially Barsotti–Tate deformation rings of a Galois
representation.
Using the Breuil–Mézard conjecture, they showed
in 8 that the gene
entirely determine the special fibre of those deformation rings.
In 25, they investigated the independence
of their constructions with respect to the underlying prime
number

Alin Bostan, X. Caruso and Julien Roques wrote a survey 32 on the theory of linear differential equations over number fields and finite fields, focusing on algebraic criteria for the existence of algebraic solutions.

In 27, Boris Adamczewski, Alin Bostan, X. Caruso gave an effective proof of the multivariate version of Christol’s theorem about algebraic power series with coefficients in finite fields. This proof allows for sharp effective estimates on the algebraic degree of many functions in positive characteristic, including diagonals of multivariate algebraic power series.

In 42, A. Page and B. Wesolowski leverage the theory of automorphic forms (the Jacquet–Langlands correspondence) to prove a powerful equidistribution theorem for graphs of supersingular elliptic curves equipped with extra structure: they introduce a new category-theoretic framework to describe suitable extra structures, prove a generalised Deuring correspondence for these structures (using adélic language), and relate them to structures coming from adélic groups, allowing the use of automorphic tools. The algorithmic and cryptographic consequences are described in Subsection 8.4.

In 13, Q. Liu gives an algorithm to compute the minimal Weierstrass equation of a hyperelliptic curve over principal ideal domains. This generalises Tate's algorithm from elliptic curves to hyperelliptic curves.

In 30, R. Barbulescu and F. Jouve use the Elliott–Halberstam conjecture to measure how ECM-friendly an elliptic curve with complex multiplication is. ECM is a probabilistic integer factorisation method using elliptic curves; its probability of success can be improved by selecting suitable elliptic curves, and this paper investigates such ECM-friendly curves.

In 36, J.-M. Couveignes and T. Ezome use the arithmetic and geometry of elliptic curves to study the complexity of multiplication of two elements in a finite field extension given by their coordinates in a normal basis.

In 7, Bouvier, Castagnos, Imbert and Laguillaumie introduce BICYCL, an Open Source C++ library that implements arithmetic in the ideal class groups of imaginary quadratic fields, together with a set of cryptographic primitives based on class groups. It is available at bicycl under the GNU General Public License version 3 or any later version. It provides significant speed-ups on the implementation of the arithmetic of class groups. Concerning cryptographic applications, BICYCL is orders of magnitude faster than any previous implementation of the Castagnos–Laguillaumie linearly homomorphic encryption scheme, making it faster than Paillier's encryption scheme at any security level. Linearly homomorphic encryption is the core of many multi-party computation protocols, sometimes involving a huge number of encryptions and homomorphic evaluations: class group based protocols become the best solution in terms of bandwidth and computational efficiency to rely upon.

Due to their use in crypto-currencies, threshold ECDSA signatures have received much attention in recent years. Though efficient solutions now exist both for the two-party and the full-threshold scenarios, there is still much room for improvement, be it in terms of protocol functionality, strengthening security or further optimising efficiency.

In the past few months, a range of protocols have been published, allowing for a non interactive – and hence extremely efficient – signing protocol; providing new features, such as identifiable aborts (parties can be held accountable if they cause the protocol to fail),
fairness in the honest majority setting (all parties receive output or nobody does) and other properties. In some cases, security is proven in the strong simulation based model.
In 10, G. Castagnos, D. Catalano,
F. Laguillaumie, F. Savasta and I. Tucker combine ideas from the aforementioned articles with the suggestion of Castagnos et al. (PKC 2020) to use the class group based CL framework so as to drastically reduce bandwidth consumption.

Building upon this latter protocol they present a new, maliciously secure, full threshold ECDSA protocol that achieves additional features without sacrificing efficiency. Their most basic protocol boasts a non interactive signature algorithm and identifiable aborts. They also propose a more advanced variant that achieves adaptive security (for the

Functional encryption features secret keys, each associated with a key function

A recent series of works has focused on the ability to search a pattern within a data stream, which can be expressed as a function

In 16, É. Bouscatié, G. Castagnos and O. Sanders revisit the relations between this primitive and two major subclasses of functional encryption, namely Hidden Vector Encryption (HVE) and Inner Product Encryption (IPE). They first exhibit a generic transformation from HVE to SEPM, which immediately yields new efficient SEPM constructions with better features than existing ones. Then, they revisit the relations between HVE and IPE and show that they can actually do better than the transformation proposed by Katz, Sahai and Waters in their seminal paper on predicate encryption. This makes it possible to fully leverage the vast state of the art on IPE, which contains adaptively secure constructions proven under standard assumptions, and results in countless new SEPM constructions with all the features one can wish for. Beyond that, this work sheds new light on the relations between IPE schemes and HVE schemes and in particular shows that some of the former are more suitable to construct the latter.

In 6, K. Belabas, T. Kleinjung, A. Sanso and B. Wesolowski show that in some particular class groups of imaginary quadratic orders, it is easier than expected to find elements of low order. This breaks an assumption used for VDFs based on class groups.
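The textbook instance of this low-order problem, added here as an illustration (it is not code from 6 or from any of the team's libraries): the classes of order 2 in Cl(D) are the ambiguous forms, and they exist as soon as |D| has more than one prime factor, so a class-group VDF setup must at least check that D is a negative prime discriminant (|D| prime, |D| ≡ 3 mod 4); the result in 6 concerns subtler cases than this one. The code implements reduction and Dirichlet composition of binary quadratic forms and lists the low-order classes for two constructed toy discriminants, -23 (prime) and -84 = -4·3·7 (composite).

```python
from math import gcd, isqrt

def xgcd(a, b):
    """Extended Euclid: (u, v, g) with u*a + v*b = g = gcd(a, b) >= 0."""
    u0, v0, r0 = 1, 0, a
    u1, v1, r1 = 0, 1, b
    while r1:
        q = r0 // r1
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
        r0, r1 = r1, r0 - q * r1
    return (u0, v0, r0) if r0 >= 0 else (-u0, -v0, -r0)

def reduce_form(f):
    """Unique reduced representative (-a < b <= a <= c, and b >= 0 if a == c) of the class of f."""
    a, b, c = f
    D = b * b - 4 * a * c
    while True:
        if not (-a < b <= a):          # shift b into (-a, a]
            k = (a - b) // (2 * a)
            b += 2 * a * k
            c = (b * b - D) // (4 * a)
        if a > c:                      # (a, b, c) is equivalent to (c, -b, a)
            a, b, c = c, -b, a
            continue
        if a == c and b < 0:
            b = -b
        return (a, b, c)

def compose(f1, f2):
    """Dirichlet composition of primitive forms of equal discriminant (Cohen, Algorithm 5.4.7)."""
    if f1[0] > f2[0]:
        f1, f2 = f2, f1
    a1, b1, c1 = f1
    a2, b2, c2 = f2
    s = (b1 + b2) // 2                 # b1, b2 have the parity of D, so s is an integer
    n = b2 - s
    y1, _, d = xgcd(a2, a1)            # y1*a2 + v*a1 = d
    x2, v, d1 = xgcd(s, d)             # x2*s + v*d = d1
    y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    return reduce_form((v1 * v2, b2 + 2 * v2 * r, (c2 * d1 + r * (b2 + v2 * r)) // v1))

def identity(D):
    """The principal form, i.e. the neutral element of Cl(D)."""
    return (1, 0, -D // 4) if D % 4 == 0 else (1, 1, (1 - D) // 4)

def reduced_forms(D):
    """All reduced primitive forms of discriminant D < 0: the elements of Cl(D) (toy sizes only)."""
    out = []
    for a in range(1, isqrt(-D // 3) + 1):
        for b in range(-a + 1, a + 1):
            if (b - D) % 2 or (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c >= a and not (a == c and b < 0) and gcd(gcd(a, abs(b)), c) == 1:
                out.append((a, b, c))
    return out

def order(f):
    """Order of the class of f in Cl(D), by repeated composition."""
    e, g, k = identity(f[1] ** 2 - 4 * f[0] * f[2]), reduce_form(f), 1
    while g != e:
        g, k = compose(g, f), k + 1
    return k

def low_order_elements(D, bound):
    """Non-identity classes of order <= bound: exactly what a class-group VDF must not have."""
    return [f for f in reduced_forms(D) if 1 < order(f) <= bound]

# Constructed toy discriminants: -23 is prime (h = 3, no class of order 2),
# -84 = -4*3*7 is composite and every non-trivial class has order 2.
EXAMPLES = {D: low_order_elements(D, 2) for D in (-23, -84)}
```

Enumerating Cl(D) is only feasible for toy discriminants; for the multi-hundred-bit discriminants of a real deployment the check is on the discriminant's arithmetic (primality and congruence class), not on the group.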

The impossibility of hashing to supersingular elliptic curves requires a trusted setup to build a supersingular elliptic curve with unknown endomorphism ring. In 15, A. Basso, G. Codogni, D. Connolly, L. de Feo, B. Fouotsa, G. Lido, T. Morrison, L. Panny, S. Patranabis, and B. Wesolowski build SECUER, a multi-party scheme to build such a curve, relying on a zero-knowledge isogeny proof built from pushforward diagrams.

In 20, L. de Feo, A. Leroux, P. Longa and B. Wesolowski improve the SQISign signature scheme by developing a new algorithm for the Deuring correspondence using endomorphisms to refresh the intermediate torsion.

A completely unexpected direction in isogeny based cryptography was the spectacular breaking of SIDH 47 using isogenies in dimension 2. This attack was originally heuristic and applied only to a very special starting curve, but was soon extended by L. Maino, C. Martindale, L. Panny, G. Pope and B. Wesolowski in 22 to a subexponential heuristic attack on all curves, and then in 24 by D. Robert to a proven polynomial-time attack in all cases by moving to dimensions 4 and 8.

Moving to higher dimension allows considerable flexibility in manipulating
isogenies, thanks to the following embedding lemma proved in 24 using earlier work by Zarhin 50 and Kani 49:
For every

This powerful tool soon led the way to new algorithms.
In 43,
D. Robert proves that every isogeny admits an
efficient representation, which allows for evaluation in polynomial time
(in the logarithm of its degree).
And in 44, he proves that
the endomorphism ring of an ordinary elliptic curve can be
computed in polynomial time given the factorisation of its conductor,
and that canonical lifts of ordinary elliptic curves can be computed in polynomial
time (among others). Such powerful results were completely unexpected (the
previous best algorithms being subexponential time).
This led to a new point counting algorithm for elliptic curve

These new algorithms in turn led to new cryptosystems, using higher
dimensional cryptography as a fundamental building block.
In 38, P. Dartois, A. Leroux, D. Robert and
B. Wesolowski
present the SQISignHD protocol, which
has a much cleaner security proof than SQISign, even more compact
signatures, and much faster signing times.
The verification uses a

With the rise of higher dimensional cryptography, optimising the speed of
SageMath implementation gains a factor 10 compared to using Richelot
isogenies, and our low level Rust implementation a factor up to 40.
In 17, T. Decru and S. Kunzweiler give faster
formula for

In 29, S. Arpin, C. James, P. Dartois, J. Eriksen, K. Jonathan, P. Kutas, and B. Wesolowski prove that computing an orientation reduces in subexponential time to the equivalent decision problem.

In 42, A. Page and B. Wesolowski prove another algorithmic reduction, showing that being able to find a single endomorphism of an arbitrary supersingular elliptic curve is no easier than being able to find the entire endomorphism ring. As applications, they prove the collision-resistance of the CGL hash function and the soundness of the SQIsign identification scheme, under the standard assumption of hardness of the endomorphism ring problem.

In 19, L. Feo, B. Fouotsa, P. Kutas, A. Leroux, S. Merz, L. Panny, and B. Wesolowski introduce SCALLOP, a new commutative action isogeny scheme using orientations of supersingular elliptic curves. The idea is to build an orientation by a quadratic order of large prime conductor in order to speed up computing the class group relations.

In 41, A. Page and D. Robert introduce Clapoti(s), a new algorithm to compute the class group action on an oriented elliptic curve in polynomial time. This solves a long-standing problem in isogeny based cryptography: all existing algorithms were asymptotically subexponential.

In 45, D. Robert gives a geometric interpretation of the Tate pairing on abelian varieties. This interpretation shows that the Tate pairing can be used to probe the Galois structure of the isogenous abelian variety, generalising some ad hoc constructions in the literature. It also solves a conjecture by Castryck and Decru on multiradical isogenies.

In 40, J. Gasnier and A. Guillevic revisit the generation of pairing friendly curves from an algebraic point of view.

In June 2023, NIST started an additional post-quantum signature standardisation process. The objective of this new call is to standardise one or more post-quantum signature schemes, different from the ones standardised so far. J. Bos, O. Bronchain, L. Ducas, S. Fehr, Y. Huang, T. Pornin, E. Postlethwaite, T. Prest, L. Pulles, and W. van Woerden submitted the Hawk signature scheme to this standardisation process; it is based on the article 48 by L. Ducas, E. Postlethwaite, T. Prest, L. Pulles, and W. van Woerden.

The security of most cryptographic schemes based on lattices relies on the hardness of computing short vectors in lattices. Very often, the lattices in question enjoy some additional properties, which make the cryptographic schemes based on them more efficient. An important question is then to understand how hard the problem of finding short vectors is in these lattices with additional structure.

A very common way to add structure to a lattice is to consider module lattices, that is, lattices that are also free modules is as hard as computing a short vector in any module: if we have a polynomial time algorithm computing short vectors when given as input any free module, then there is a polynomial time algorithm computing short vectors when given as input any module (not necessarily free).

A special case of module lattices are ideal lattices, which are modules of rank

X. Caruso continued his work towards the development of coding theory in the sum-rank metric context. With A. Durand 9, he described the duals of Martinez-Penas' linearized Reed–Solomon codes. In collaboration with Elena Berardini 31, he introduced a linearized version of Algebraic Geometry codes and studied its parameters; in particular, they showed that the codes they introduced beat the (sum-rank analogue of the) Gilbert–Varshamov bound.

In 33, X. Caruso and F. Drain obtained a complete classification of self-dual skew cyclic and skew negacyclic codes. They also provided efficient algorithms for sampling and enumerating them.

In 37, J.-M. Couveignes and J. Gasnier study the effective aspects of group actions on algebraic curves
and more precisely the

In 46, A.-E. Wilke makes the analogy between convexity and plurisubharmonicity in Banach spaces more precise.

In 11, F. Johansson presents improved algorithms for arbitrary-precision computation of the gamma function and related classical special functions.

The following international researchers have given a presentation
in the Canari team seminar:

Integrated project PQ-TLS: Post-quantum padlock for web browser

with Inria teams Grace, Cosmiq, Prosecco, Universities of Bordeaux, Rennes, Limoges, Versailles–St. Quentin, Rouen,
St. Étienne,
and ENS Lyon and CEA

2022–2027, total budget 4180k€, of which 456k€ for Bordeaux

Integrated project CRYPTANALYSE:
Cryptanalysis of classical cryptographic primitives

with Inria teams Caramba, Cosmiq,
Universities of Rennes, Amiens, Sorbonne,
and CNRS

2023–2028, total budget 5000k€, of which about 90k€ for Bordeaux

France Hybrid HPC Quantum Initiative, R&D and support

17 partners in France; we will mainly work with LIP6 and ENS de Lyon

2021–2027, 165k€ for Bordeaux

Arithmetic and geometry of discrete groups

with Toulouse, Paris

2021–2025, 45k€ for Bordeaux

Isogeny based cryptosystems, applications to verifiable delay functions and post-quantum cryptography (PI D. Robert)

with Paris, Montpellier

2019–2024, 150k€ for Bordeaux

Cryptographic hardness of module lattices

with Florida Atlantic, Cornell, ENS Lyon

2021–2024, 205k€ for Bordeaux

Numerical safety for computer-aided proofs

with Lyon, Nantes, Paris, Sophia-Antipolis, Toulouse

2021–2025

with Besançon, Caen

2022–2026

Secure distributed computation: cryptography, combinatorics and computer algebra

with Paris and région Occitanie

2021–2025

Towards new assumptions in lattice-based cryptography (PI A. Pellet-Mary)

with Toulouse and Telecom Paris

2023–2027, 186k€

Correspondance de Langlands

with ENS Lyon, Paris Rive Gauche, Rennes

2019–2023, 198k€

Familles de fonctions

with Besançon

2017–2021