Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems.

The first axis (§3.1) of our research work studies these mathematical objects mostly for their own sake. Our expertise in computational mathematics and computer algebra allows us to contribute to the general algorithmic toolbox that makes these mathematical objects easy to work with in practice: computations with these objects must be effective and fast. A sizeable portion of our work in this domain is realized in the form of software projects, which are developed over long periods of time (GNU MPFR, for example, was initiated by members of our group several decades ago, and is still maintained and developed).

A second part of our work (axes §3.2 and §3.3) is centered on cryptographic motivations. Quite often, our work here happens to be rooted in exactly the same core competences as the ones we use in our first research axis. We consider the two facets of cryptology: cryptography and cryptanalysis. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones. While the basic principles of symmetric and asymmetric cryptography are rather different—indeed their names indicate different ways to handle the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition to this, both require to study design and analysis together as these two aspects nurture each other.

Our last research axis (§3.4) uses our cryptographic knowledge to connect to more real world concerns, in connection with topics closer to computer security. Long-term aspects of this part of our activity are practical and theoretical research on electronic voting, and practical impact on key sizes of our factoring and discrete logarithm record computations. More isolated works in this axis include for instance some works on whitebox cryptography, IoT or contact-tracing. We also consider our growing activity on historical cryptography as part of this axis where cryptography is only one part of the study.

Several mathematical objects are pervasive in our research. We sometimes
study them per se, but they also often play a key role as tools in
other research topics. In particular, we study computer arithmetic,
polynomial systems, linear algebra, algebraic curves and abelian
varieties.

In the context of this research axis, we work on the key algorithms and mathematical results, as well as on the realization of these results in terms of software. In our approach, software is a key step in a feedback loop that goes from mathematics to algorithms, implementation, software, and back. By software here, we mean free and open-source software tools, often developed over several years, that can be used as dependable building blocks by us as well as by peers for reproducible research.

Our past and future topics in this research axis include the following.

Examples of publications in the recent past that illustrate our positioning on this research topic are 13, 35, 29, 7.

We study cryptographic and cryptanalytic aspects of secret-key primitives. We explore the following research directions in particular:

Examples of publications in the recent past that illustrate our positioning on this research topic are 1, 2, 11, 16, 9.

Our team has been studying the mathematical building blocks of public-key cryptography for a long time. More specifically, we have a long-established record on the study of the public-key cryptographic primitives based on integer factorization and finite field discrete logarithm, as well as on algebraic curves, abelian varieties, and their applications in cryptography. Most of the time we study them from a classical (non quantum) angle.

The algorithmic framework of the Number Field Sieve (NFS) addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

Several of our current research directions in public-key cryptography are strongly connected to our general expertise on NFS.

In addition to the above, we also study other aspects of public-key cryptography, such as cryptographic constructions using isogenies between curves or more general algebraic structures, as well as their security. We have a strong record on this topic in general. The algorithmic toolbox to deal with such objects was enriched in 2022 with new practical results of Castryck–Decru, Robert, and Wesolowski. This topic is clearly in our research agenda.

As in the case of secret-key cryptology, some of our research work also takes into account quantum algorithms, and possibly the interplay of quantum and classical algorithms.

Examples of publications in the recent past that illustrate our positioning on this research topic are 3, 12, 8, as well as the Cado-NFS software described in 6.1.2.

The questions that we address in our last research axis are less problem-centered than above, and rather revolve around how the different building blocks that we work with can be assembled, and whether this leads to impactful results in computer security.

Examples of publications in the recent past that illustrate our positioning on this research topic are 6, 5, 4, 10.

Our study of the Number Field Sieve algorithm and its variants aims to show how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for choosing of appropriate cryptographic primitives. For example the French ANSSI 1, German BSI, or the NIST 2 in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that are taking the security/efficiency/legacy compatibility trade-offs too lightly. Attacks such as LogJam 40 are understood as being serious concerns thanks to our convincing proof-of-concepts. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than the current state of the art.

The vast majority of our work is eventually realized as software. We can roughly categorize it into two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in, e.g., the GNU Compiler Collection (GCC), Victor Shoup's Number Theory Library (NTL), or the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure of the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS 47, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible sources of inspiring material for others, it is again important that these be developed in a free and open-source development model.

The CORE-MATH project reached a significant milestone in 2023, with correctly rounded implementations of all mathematical functions in C99 and C23, in double precision.

Véronique Cortier (team PESTO) and Pierrick Gaudry were awarded the Grand
Prix de l'Académie Lorraine des Sciences for their book entitled Le
vote électronique 6.

Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).

Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates and grade them.

Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

In 2023, our platform was used to run about 1500 elections, with about 175,000 registered voters and 55,000 ballots counted.

Some of the improvements made during this year are invisible for users. This includes the use of elliptic curves instead of finite fields, as a base group where the discrete logarithm problem is supposed to be hard. Also, some modifications have been made, so that the server can handle larger elections. This was successfully tested, with a real election of more than 30,000 voters.

Other changes are visible to users. A new election administration interface based on a REST API is now available for beta-testing to the users. Also, the voter's journey has been slightly simplified, without impact on security. Finally, the STV counting system for preferential voting is now fully supported.

This project is an implementation, starting from scratch, of Drinfeld modules in SageMath. This module has been directly merged into SageMath with version 10.0, and keeps evolving.

Drinfeld modules are mathematical objects similar to elliptic curves, but in another setting, which is that of function fields.

The aim of this implementation is to provide researchers with all basic computational tools for Drinfeld modules, and to build a reliable basis for future, more sophisticated algorithms.

The aim of the CORE-MATH project is to provide on-the-shelf open-source mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in 34.

The development of CORE-MATH forced us to revisit some classical algorithms, for example FastTwoSum in the context of directed rounding 37. In 2023, a full set of binary64 (double-precision) functions for the C99 and C23 standards was developed, with correct-rounding, and efficiency close to that of the current mathematical libraries (GNU libc, Intel mathematical library, LLVM). In particular, efficient algorithms were designed and implemented for the power function 24. The long version of this article with full proofs is available 35, which enabled our colleagues Laurent Théry and Laurence Rideau (Inria Sophia-Antipolis) to make a formal proof of the “fast path”.

Drinfeld modules are mathematical objects that lie at the intersection of
number theory and computer science. They were introduced by Vladimir Drinfeld
in 1974 to be the counterpart of elliptic curves in the setting of
function fields.
Drinfeld modules are now
established as a standard tool for studying function fields.

We introduced new algorithms to compute characteristic polynomials of
endomorphisms of Drinfeld modules, as well as norms of
isogenies of Drinfeld modules 31. The former
problem is a Drinfeld module equivalent to the problem of counting points on an
elliptic curve; the latter is a generalization of the former. Works by Musleh
and Schost already computed characteristic polynomials in a very specific case
45. Thanks to a new approach, our algorithms work in
full generality and rely on simple linear algebra techniques. To our knowledge,
it is also the first time that the problem of computing norms of isogenies is
addressed.

We stress that in 2023, Schost and Musleh published an article in which they also compute characteristic polynomials of Drinfeld module endomorphisms 44. Their method, providing valuable insights, works for all endomorphisms and ranks. We provided a thorough comparison of the articles, and show that in many regimes, our algorithms are the fastest.

In April 2022, we began the first-ever implementation of Drinfeld modules to be
included in the standard distribution of SageMath. Our contribution was merged
in March 2023 and made available with version 10.0. The implementation is
thoroughly integrated within the SageMath ecosystem and includes all basic
operations on Drinfeld modules and their morphisms, as well as implementations
of the algorithms mentioned in the previous point. A software
presentation of our work was accepted at the 2023 International Symposium on
Symbolic and Algebraic Computation (ISSAC) 15.

Polynomial systems arising in applications (for instance in cryptography) often feature monomial structures. Therefore, it is an important question to investigate how these structures can be used to speed up solving algorithms. This is the main topic of the collaboration between Pierre-Jean Spaenlehauer and Matías Bender (EPI TROPICAL). Toric varieties built from polyhedral fans provide a way to homogenize such sparse structures. In 29, we study in which cases such homogenizations may introduce generically high-dimensional artefacts that may harm the efficiency of the computations.

To design correctly-rounded functions as in the CORE-MATH project, it is of
utmost importance to know the “worst cases” of mathematical functions, i.e.,
inputs

This article 16 studies the application of the cryptanalysis technique called the boomerang attack to ciphers following a Feistel construction and having a quadratic round function. We prove that many previously published papers give erroneous approximations of the probability of the distinguishers they use (most of the time it invalidates the attacks while in a few cases they are better than expected). We next propose a new SMT model that takes into account our findings and we are able to propose a 19-round distinguisher of the cipher Simon-32/64 that we convert into a 25-round attack, which to the best of our knowledge reaches one more round than previously published results.

In 17, we deal with hybrid dynamical systems in the context of cybersecurity and Cyber–Physical Systems. It is shown how the design of a cipher, called self-synchronizing stream cipher, can be recast as control-theoretic issues, in particular left inversion, flatness and structural analysis. From an automatic control point of view, the main contribution lies in a methodology to construct generic flat LPV systems. Beyond pure control theoretic matters, the design also addresses computational complexity and security concerns. Those considerations motivate a hybrid architecture involving switched automata. A Proof-Of-Concept example illustrates the design of a statistical self-synchronizing stream cipher and the way how it operates to encrypt data flows. Those results and all the ones with the CRAN laboratory are also summarized in 26.

This article 19 proposes an improved quantum algorithm to find multiple collisions. This new algorithm matches the lower bound for a large range of parameters. It has many direct cryptographic implications, such as impossible differentials in symmetric cryptography, or lattice sieving. In particular, thanks to our algorithm we obtain the most efficient generic heuristic algorithm for lattice reduction. It is a sieving algorithm with complexity

The work 14 deals with the splitting step in the number
field sieve for finite fields of composite extension degree. The splitting step
consists in finding an element

In 28 we generalize Coppersmith's factory's algorithm to compute discrete logarithms in several non-prime finite fields. The Number Field Sieve and its variants are the best algorithms to solve the discrete logarithm problem in finite fields (except for the weak small characteristic case). The Factory variant accelerates the computation when several prime fields are targeted. This article adapts the Factory variant to non-prime finite fields of medium and large characteristic. This idea is combined with two other variants of NFS, namely the tower and special variants. This combination improves the asymptotic complexity. Besides, this work provides estimates of the practicality of this method for 1024-bit targets of extension degree 6: our findings indicate that the factory approach begins to pay off when the cryptanalysis target consists of a few dozen of such finite fields.

The long version 18 of a previous work published in Asiacrypt 2021 has been published in the Journal of Cryptology. This describes the use of lattice techniques to implement the Tower NFS technique efficiently for discrete logarithm computations in finite fields in the so-called medium characteristic range. This long version includes in particular a new algorithm for making use of automorphisms in the linear algebra phase, by choosing appropriate Schirokauer maps.

The paper 33 with Jean Gasnier from the CANARI Team
(Bordeaux) is the achievement of Jean Gasnier's Masters internship in 2022
co-advised in Bordeaux by Jean-Marc Couveignes and remotely from Denmark by
Aurore Guillevic.
It aims to generalize The Kachisa–Schaefer–Scott technique to find more
pairing-friendly curves. The method allowed to obtain new curves for
interesting embedding degrees, such as

In 22, we show that the JCJ e-voting protocol that is the basis of many coercion-resistant systems is flawed, in the sense that the tally phase leaks more information than it should. In some specific scenarios, this can give an advantage to a coercer. Therefore, we propose a new version of JCJ, CHide, which relies on the multi-party toolbox that we designed earlier in the context of tally-hiding 41. We also refine the existing formal definitions of coercion-resistance, in order to highlight the flaw, and prove that CHide fixes the problem.

In another work related to coercion resistance 23, in collaboration with Université Catholique de Louvain, we explore the relations between the notions of coercion resistance, receipt freeness, and cast as intended. We show some impossibility results and propose adapting the security notions, to make possible some of the combinations of these properties.

The cast-as-intended property in e-voting means that the system remains secure, even if the device used by the voter is compromised: if malware is present on the voter's computer, the voter should still have the guarantee that the encrypted ballot that is sent to the server contains their intended choice. In 20 we propose a new approach for this question, based on an audit procedure made by the voter, that does not leak their choice, and will detect a fraudulent device, with a probability of at least one-half. An attacker who would like to change many votes is likely to be detected.

An unknown and almost fully encrypted letter written in 1547 by Emperor Charles V to his ambassador at the French Court, Jean de Saint-Mauris, was identified in a public library, the Bibliothèque Stanislas (Nancy, France). As no decryption of this letter was previously published or even known, a team of cryptographers and historians gathered together to study the letter and its encryption system. First, multiple approaches and methods were tested in order to decipher the letter without any other specimen. Then, the letter has now been inserted within the whole correspondence between Charles and Saint-Mauris, and the key has been consolidated thanks to previous key reconstructions. Finally, the decryption effort enabled us to uncover the content of the letter and investigate more deeply both cryptanalysis challenges and encryption methods 25. This is joint work with Camille Desenclos (University of Picardie).

Together with the PESTO team, we have a long-term consulting activity with Swiss Post on the e-voting topic. In 2023 we started a new contract to help them design the next generation of their e-voting protocol.

Together with the PESTO team, we had a contract with the French Ministry of Foreign Affairs (MEAE), in the context of the legislative elections, for which the French citizens from abroad had the possibility to vote over the Internet. We played the role of external third-party, as required by the CNIL recommendations for such high-stake elections. While the contract was signed with the MEAE, it also involved interactions with the vendor of the solution (Voxaly), and the ANSSI who was the security advisor for the MEAE. In three districts, the 2022 elections were cancelled and therefore had to be done again in 2023.

This experiment of verifiability for a high stake election was documented and discussed in a research article that we published in the E-Vote-Id conference 21.

In 2023, Stéphane Glondu joined the Inria Startup Studio program to prepare the creation of a society to exploit commercially the Belenios software. Michael Houalef, a person with a business background, joined the project. The society, called VCast, is to be launched in the first semester of 2024. Véronique Cortier (from PESTO) and Pierrick Gaudry, as co-founders of Belenios, were involved in the discussions concerning this creation.

Our team received several international visits in 2023 (at most a week in duration, and most often a day or two): Yixin Shen (Royal Holloway University of London), Katharina Boudgoust (Aarhus University), Keegan Ryan (University of California San Diego), Steven Galbraith (University of Auckland).

Since 1996 and the discovery of Shor's algorithm, new quantum threats emerged against classical security protocols and cryptographic primitives. The objective of the PQ-TLS project is to design a quantum-safe version of the security layer of web protocols, via the integration of post-quantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developing new techniques to compare existing primitives from the quantum viewpoint and at promoting arising solutions from academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of post-quantum cryptography to its concrete implementations.

Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".

Pierre-Jean Spaenlehauer is the local scientific coordinator for the CARAMBA team.

Within the context of the national PEPR program “cybersecurité” (launched in 2021), a call for proposals was published in July 2023 to complement the set of topics with three new projects, among which one on the classical cryptanalysis of cryptographic primitives. We coordinated the nationwide answer to this call for proposals, submitted in September 2022, and the project was accepted on March 27, 2023. The project started on October 1, 2023.

Emmanuel Thomé and Gaëtan Leurent (Inria COSMIQ, Paris) lead the project. Several teams are involved. The project is divided into eight work packages, and the CARAMBA team is interested in most of them.

The RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields were the first invented primitives of public-key cryptography.

It is hard to estimate the time and resources that are needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend that people either avoid RSA, or prefer large RSA key sizes for safety, above 2048 bits at least. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we do rely on cryptography that uses smaller key sizes.

We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA-1024 and DH-1024 as well as specific discrete logarithm-related problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.

In 2023, the work on the “double matrix” subtask initiated in 2022 was continued, in collaboration with Charles Bouillaguet (Sorbonne University). This work is integrated into a branch of Cado-NFS.

This project aimed to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project was to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project defined new dedicated global constraints, improved the underlying filtering and solution search algorithms, and proposed dedicated explanations generated automatically. See the website for more information.

This ANR project focuses on the use of Mixed Integer Linear Programming
(MILP) in symmetric-key cryptography, a direction that enjoyed rapid
recognition in the symmetric-key community following the article by Mouha
et al 43.

MILP models can be used both to design and attack ciphers, but the technique suffers from several limitations, some of which we plan to address in this project. In particular, we aim to explore how to handle more complex cryptographic problems than what is done so far (yet ensuring a reasonable solving time). This might imply finding how to improve the modelization techniques or considering different approaches like first solving approximated models.

We participate in a working group led by ANSSI, the purpose of which is to help the governmental actors (CNIL, ANSSI) in defining the next documents regulating the use of electronic voting in France.

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

Marine Minier obtained an half Inria Delegation in 2023.

The deciphering of the encrypted letter from Emperor Charles V (see §7.4.3) had a large media coverage, both in French and international media. To cite a few: the French television (France 2, France 3, BFM TV, Arte), the French radio (France Inter, Europe 1, France Info, France Culture), French newspapers (Le Monde, Le Point), an excellent video on Nota Bonus, some international media (The Guardian, Radio Canada, BBC, RTVE, The Scientist).