Keywords
 A4.3.1. Public key cryptography
 A8.4. Computer Algebra
 A8.5. Number theory
 A8.10. Computer arithmetic
 B6. IT and telecom
 B9.5.2. Mathematics
1 Team members, visitors, external collaborators
Research Scientists
 Andreas Enge [Team leader, Inria, Senior Researcher, HDR]
 Razvan Barbaud [CNRS, Researcher]
 Xavier Caruso [CNRS, Senior Researcher, HDR]
 Fredrik Johansson [Inria, Researcher]
 Aurel Page [Inria, Researcher]
 Damien Robert [Inria, Researcher]
 Benjamin Wesolowski [CNRS, Researcher]
Faculty Members
 Karim Belabas [Univ de Bordeaux, Professor, HDR]
 Guilhem Castagnos [Univ de Bordeaux, Associate Professor, HDR]
 JeanPaul Cerri [Univ de Bordeaux, Associate Professor]
 Henri Cohen [Univ de Bordeaux, Emeritus, HDR]
 JeanMarc Couveignes [Univ de Bordeaux, Professor, HDR]
PhD Students
 Jared Guissmo Asuncion [Univ de Bordeaux]
 Amaury Durand [Univ de Bordeaux]
 Elie Eid [Univ de Rennes I]
 Jean Kieffer [École Normale Supérieure de Paris]
 Abdoulaye Maiga [Université Cheikh Anta Diop, Dakar, Sénégal]
 Pavel Solomatin [Université de Leiden  PaysBas]
 Ida Tucker [École Normale Supérieure de Lyon, until Sep 2020]
 Anne Edgar Wilke [Inria]
Technical Staff
 Bill Allombert [CNRS, Engineer]
Interns and Apprentices
 Pierre Briaud [Inria, Intern, from Mar 2020 until Jun 2020]
 Oren Nezer [Inria, Intern, from Mar 2020 until Jul 2020]
Administrative Assistant
 Sabrina Duthil [Inria]
External Collaborator
 Tony Ezome Mintsa [Université des Sciences et Techniques de Masuku  Gabon]
2 Overall objectives
2.1 Presentation
Algorithmic number theory dates back to the dawn of mathematics itself, cf. Eratosthenes's sieve to enumerate consecutive prime numbers. With the arrival of computers, previously unsolvable problems have come into reach, which has boosted the development of more or less practical algorithms for essentially all number theoretic problems. The field is now mature enough for a more computer science driven approach, taking into account the theoretical complexities and practical running times of the algorithms.
Concerning the lower level multiprecision arithmetic, folklore has asserted for a long time that asymptotically fast algorithms such as SchÃ¶nhage–Strassen multiplication are impractical; nowadays, however, they are used routinely. On a higher level, symbolic computation provides numerous asymptotically fast algorithms (such as for the simultaneous evaluation of a polynomial in many arguments or linear algebra on sparse matrices), which have only partially been exploited in computational number theory. Moreover, precise complexity analyses do not always exist, nor do sound studies to choose between different algorithms (an exponential algorithm may be preferable to a polynomial one for a large range of inputs); folklore cannot be trusted in a fast moving area such as computer science.
Another problem is the reliability of the computations; many number theoretic algorithms err with a small probability, depend on unknown constants or rely on a Riemann hypothesis. The correctness of their output can either be ensured by a special design of the algorithm itself (slowing it down) or by an a posteriori verification. Ideally, the algorithm outputs a certificate, providing an independent fast correctness proof. An example is integer factorisation, where factors are hard to obtain but trivial to check; primality proofs have initiated sophisticated generalisations.
One of the long term goals of the Lfant project team is to make an inventory of the major number theoretic algorithms, with an emphasis on algebraic number theory and arithmetic geometry, and to carry out complexity analyses. So far, most of these algorithms have been designed and tested over number fields of small degree and scale badly. A complexity analysis should naturally lead to improvements by identifying bottlenecks, systematically redesigning and incorporating modern asymptotically fast methods.
Reliability of the developed algorithms is a second long term goal of our project team. Short of proving the Riemann hypothesis, this could be achieved through the design of specialised, slower algorithms not relying on any unproven assumptions. We would prefer, however, to augment the fastest unproven algorithms with the creation of independently verifiable certificates. Ideally, it should not take longer to check the certificate than to generate it.
All theoretical results are complemented by concrete reference implementations in Pari/Gp, which allow to determine and tune the thresholds where the asymptotic complexity kicks in and help to evaluate practical performances on problem instances provided by the research community. Another important source for algorithmic problems treated by the Lfant project team is modern cryptology. Indeed, the security of all practically relevant public key cryptosystems relies on the difficulty of some number theoretic problem; on the other hand, implementing the systems and finding secure parameters require efficient algorithmic solutions to number theoretic problems.
3 Research program
3.1 Number fields, class groups and other invariants
Participants: Bill Allombert, Jared Guissmo Asuncion, Karim Belabas, Xavier Caruso, JeanPaul Cerri, Henri Cohen, JeanMarc Couveignes, Andreas Enge, Fredrik Johansson, Aurel Page.
Modern number theory has been introduced in the second half of the 19th century by Dedekind, Kummer, Kronecker, Weber and others, motivated by Fermat's conjecture: There is no nontrivial solution in integers to the equation ${x}^{n}+{y}^{n}={z}^{n}$ for $n\u2a7e3$. Kummer's idea for solving Fermat's problem was to rewrite the equation as $(x+y)(x+\zeta y)(x+{\zeta}^{2}y)\cdots (x+{\zeta}^{n1}y)={z}^{n}$ for a primitive $n$th root of unity $\zeta $, which seems to imply that each factor on the left hand side is an $n$th power, from which a contradiction can be derived.
The solution requires to augment the integers by algebraic numbers, that are roots of polynomials in $\mathbb{Z}\left[X\right]$. For instance, $\zeta $ is a root of ${X}^{n}1$, $\sqrt[3]{2}$ is a root of ${X}^{3}2$ and $\frac{\sqrt{3}}{5}$ is a root of $25{X}^{2}3$. A number field consists of the rationals to which have been added finitely many algebraic numbers together with their sums, differences, products and quotients. It turns out that actually one generator suffices, and any number field $K$ is isomorphic to $\mathbb{Q}\left[X\right]/\left(f\right(X\left)\right)$, where $f\left(X\right)$ is the minimal polynomial of the generator. Of special interest are algebraic integers, “numbers without denominators”, that are roots of a monic polynomial. For instance, $\zeta $ and $\sqrt[3]{2}$ are integers, while $\frac{\sqrt{3}}{5}$ is not. The ring of integers of $K$ is denoted by ${\mathcal{O}}_{K}$; it plays the same role in $K$ as $\mathbb{Z}$ in $\mathbb{Q}$.
Unfortunately, elements in ${\mathcal{O}}_{K}$ may factor in different ways, which invalidates Kummer's argumentation. Unique factorisation may be recovered by switching to ideals, subsets of ${\mathcal{O}}_{K}$ that are closed under addition and under multiplication by elements of ${\mathcal{O}}_{K}$. In $\mathbb{Z}$, for instance, any ideal is principal, that is, generated by one element, so that ideals and numbers are essentially the same. In particular, the unique factorisation of ideals then implies the unique factorisation of numbers. In general, this is not the case, and the class group${Cl}_{K}$ of ideals of ${\mathcal{O}}_{K}$ modulo principal ideals and its class number${h}_{K}=\left{Cl}_{K}\right$ measure how far ${\mathcal{O}}_{K}$ is from behaving like $\mathbb{Z}$.
Using ideals introduces the additional difficulty of having to deal with $\mathrm{\mathit{u}\mathit{n}\mathit{i}\mathit{t}\mathit{s}}$, the invertible elements of ${\mathcal{O}}_{K}$: Even when ${h}_{K}=1$, a factorisation of ideals does not immediately yield a factorisation of numbers, since ideal generators are only defined up to units. For instance, the ideal factorisation $\left(6\right)=\left(2\right)\xb7\left(3\right)$ corresponds to the two factorisations $6=2\xb73$ and $6=(2)\xb7(3)$. While in $\mathbb{Z}$, the only units are 1 and $1$, the unit structure in general is that of a finitely generated $\mathbb{Z}$module, whose generators are the fundamental units. The regulator${R}_{K}$ measures the “size” of the fundamental units as the volume of an associated lattice.
One of the main concerns of algorithmic algebraic number theory is to explicitly compute these invariants (${Cl}_{K}$ and ${h}_{K}$, fundamental units and ${R}_{K}$), as well as to provide the data allowing to efficiently compute with numbers and ideals of ${\mathcal{O}}_{K}$; see 54 for a recent account.
The analytic class number formula links the invariants ${h}_{K}$ and ${R}_{K}$ (unfortunately, only their product) to the $\zeta $function of $K$, ${\zeta}_{K}\left(s\right):={\prod}_{\U0001d52d\phantom{\rule{4.pt}{0ex}}\text{prime}\phantom{\rule{4.pt}{0ex}}\text{ideal}\phantom{\rule{4.pt}{0ex}}\text{of}\phantom{\rule{4.pt}{0ex}}{\mathcal{O}}_{K}}{\left(1N{\U0001d52d}^{s}\right)}^{1}$, which is meaningful when $\Re \left(s\right)>1$, but which may be extended to arbitrary complex $s\ne 1$. Introducing characters on the class group yields a generalisation of $\zeta $ to $L$functions. The generalised Riemann hypothesis (GRH), which remains unproved even over the rationals, states that any such $L$function does not vanish in the right halfplane $\Re \left(s\right)>1/2$. The validity of the GRH has a dramatic impact on the performance of number theoretic algorithms. For instance, under GRH, the class group admits a system of generators of polynomial size; without GRH, only exponential bounds are known. Consequently, an algorithm to compute ${Cl}_{K}$ via generators and relations (currently the only viable practical approach) either has to assume that GRH is true or immediately becomes exponential.
When ${h}_{K}=1$ the number field $K$ may be normEuclidean, endowing ${\mathcal{O}}_{K}$ with a Euclidean division algorithm. This question leads to the notions of the Euclidean minimum and spectrum of $K$, and another task in algorithmic number theory is to compute explicitly this minimum and the upper part of this spectrum, yielding for instance generalised Euclidean gcd algorithms.
3.2 Function fields, algebraic curves and cryptology
Participants: Razvan Barbulescu, Karim Belabas, Guilhem Castagnos, JeanMarc Couveignes, Andreas Enge, Damien Robert, Benjamin Wesolowski, Jean Kieffer.
Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation $\mathcal{C}(X,Y)=0$ with coefficients in a finite field ${\mathbb{F}}_{q}$. The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation $\mathcal{C}={Y}^{2}({X}^{3}+aX+b)$ and hyperelliptic curves of equation $\mathcal{C}={Y}^{2}({X}^{2g+1}+\cdots )$ with $g\u2a7e2$.
The cryptosystem is implemented in an associated finite abelian group, the Jacobian${Jac}_{\mathcal{C}}$. Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let ${\mathbb{F}}_{q}\left(X\right)$ (the analogue of $\mathbb{Q}$) be the rational function field with subring ${\mathbb{F}}_{q}\left[X\right]$ (which is principal just as $\mathbb{Z}$). The function field of $\mathcal{C}$ is ${K}_{\mathcal{C}}={\mathbb{F}}_{q}\left(X\right)\left[Y\right]/\left(\mathcal{C}\right)$; it contains the coordinate ring${\mathcal{O}}_{\mathcal{C}}={\mathbb{F}}_{q}[X,Y]/\left(\mathcal{C}\right)$. Definitions and properties carry over from the number field case $K/\mathbb{Q}$ to the function field extension ${K}_{\mathcal{C}}/{\mathbb{F}}_{q}\left(X\right)$. The Jacobian ${Jac}_{\mathcal{C}}$ is the divisor class group of ${K}_{\mathcal{C}}$, which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of ${\mathcal{O}}_{\mathcal{C}}$.
The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an $L$function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound ${(\sqrt{q}1)}^{2g}\u2a7d\left{Jac}_{\mathcal{C}}\right\u2a7d{(\sqrt{q}+1)}^{2g},$ or ${Jac}_{\mathcal{C}}\approx {q}^{g}$, where the genus$g$ is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is $\frac{{deg}_{X}\mathcal{C}1}{2}$. An important algorithmic question is to compute the exact cardinality of the Jacobian.
The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements ${D}_{1}$ and ${D}_{2}=x{D}_{1}$ of ${Jac}_{\mathcal{C}}$, it must be difficult to determine $x$. Computing $x$ corresponds in fact to computing ${Jac}_{\mathcal{C}}$ explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.
For any integer $n$, the Weil pairing${e}_{n}$ on $\mathcal{C}$ is a function that takes as input two elements of order $n$ of ${Jac}_{\mathcal{C}}$ and maps them into the multiplicative group of a finite field extension ${\mathbb{F}}_{{q}^{k}}$ with $k=k\left(n\right)$ depending on $n$. It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The TateLichtenbaum pairing, that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.
For a random curve, the parameter $k$ usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish $k$.
3.3 Complex multiplication
Participants: Jared Guissmo Asuncion, Karim Belabas, Henri Cohen, JeanMarc Couveignes, Andreas Enge, Fredrik Johansson, Damien Robert, AnneEdgar Wilke.
Complex multiplication provides a link between number fields and algebraic curves; for a concise introduction in the elliptic curve case, see 60, for more background material, 59. In fact, for most curves $\mathcal{C}$ over a finite field, the endomorphism ring of ${Jac}_{\mathcal{C}}$, which determines its $L$function and thus its cardinality, is an order in a special kind of number field $K$, called CM field. The CM field of an elliptic curve is an imaginaryquadratic field $\mathbb{Q}\left(\sqrt{D}\right)$ with $D<0$, that of a hyperelliptic curve of genus $g$ is an imaginaryquadratic extension of a totally real number field of degree $g$. Deuring's lifting theorem ensures that $\mathcal{C}$ is the reduction modulo some prime of a curve with the same endomorphism ring, but defined over the Hilbert class field${H}_{K}$ of $K$.
Algebraically, ${H}_{K}$ is defined as the maximal unramified abelian extension of $K$; the Galois group of ${H}_{K}/K$ is then precisely the class group ${Cl}_{K}$. A number field extension $H/K$ is called Galois if $H\simeq K\left[X\right]/\left(f\right)$ and $H$ contains all complex roots of $f$. For instance, $\mathbb{Q}\left(\sqrt{2}\right)$ is Galois since it contains not only $\sqrt{2}$, but also the second root $\sqrt{2}$ of ${X}^{2}2$, whereas $\mathbb{Q}\left(\sqrt[3]{2}\right)$ is not Galois, since it does not contain the root ${e}^{2\pi i/3}\sqrt[3]{2}$ of ${X}^{3}2$. The Galois group${Gal}_{H/K}$ is the group of automorphisms of $H$ that fix $K$; it permutes the roots of $f$. Finally, an abelian extension is a Galois extension with abelian Galois group.
Analytically, in the elliptic case ${H}_{K}$ may be obtained by adjoining to $K$ the singular value$j\left(\tau \right)$ for a complex valued, socalled modular function $j$ in some $\tau \in {\mathcal{O}}_{K}$; the correspondence between ${Gal}_{H/K}$ and ${Cl}_{K}$ allows to obtain the different roots of the minimal polynomial $f$ of $j\left(\tau \right)$ and finally $f$ itself. A similar, more involved construction can be used for hyperelliptic curves. This direct application of complex multiplication yields algebraic curves whose $L$functions are known beforehand; in particular, it is the only possible way of obtaining ordinary curves for pairingbased cryptosystems.
The same theory can be used to develop algorithms that, given an arbitrary curve over a finite field, compute its $L$function.
A generalisation is provided by ray class fields; these are still abelian, but allow for some wellcontrolled ramification. The tools for explicitly constructing such class fields are similar to those used for Hilbert class fields.
4 Application domains
4.1 Number theory
Being able to compute quickly and reliably algebraic invariants is an invaluable aid to mathematicians: It fosters new conjectures, and often shoots down the too optimistic ones. Moreover, a large body of theoretical results in algebraic number theory has an asymptotic nature and only applies for large enough inputs; mechanised computations (preferably producing independently verifiable certificates) are often necessary to finish proofs.
For instance, many Diophantine problems reduce to a set of Thue equations of the form $P(x,y)=a$ for an irreducible, homogeneous $P\in \mathbb{Z}[x,y]$, $a\in \mathbb{Z}$, in unknown integers $x,y$. In principle, there is an algorithm to solve the latter, provided the class group and units of a rupture field of $P$ are known. Since there is no other way to prove that the full set of solutions is obtained, these algebraic invariants must be computed and certified, preferably without using the GRH.
Deeper invariants such as the Euclidean spectrum are related to more theoretical concerns, e.g., determining new examples of principal, but not normEuclidean number fields, but could also yield practical new algorithms: Even if a number field has class number larger than 1 (in particular, it is not normEuclidean), knowing the upper part of the spectrum should give a partial gcd algorithm, succeeding for almost all pairs of elements of ${\mathcal{O}}_{K}$. As a matter of fact, every number field whose unit group has rank strictly greater than 1 is almost normEuclidean 57, 56.
Algorithms developed by the team are implemented in the free Pari/Gp system for number theory maintained by K. Belabas (see §6.1 for details). They will thus have a high impact on the worldwide number theory community, for which Pari/Gp is a reference and the tool of choice.
4.2 Cryptology
Public key cryptology has become a major application domain for algorithmic number theory. This is already true for the ubiquitous RSA system, but even more so for cryptosystems relying on the discrete logarithm problem in algebraic curves over finite fields. For the same level of security, the latter require smaller key lengths than RSA, which results in a gain of bandwidth and (depending on the precise application) processing time. Especially in environments that are constrained with respect to space and computing power such as smrt cards and embedded devices, algebraic curve cryptography has become the technology of choice. Most of the research topics of the Lfant team detailed in §3 concern directly problems relevant for curvebased cryptology: The difficulty of the discrete logarithm problem in algebraic curves (§3.2) determines the security of the corresponding cryptosystems. Complex multiplication, point counting and isogenies (§3.3) provide, on one hand, the tools needed to create secure instances of curves. On the other hand, isogenies have been found to have direct cryptographic applications to hash functions 58 and encryption 61. Pairings in algebraic curves (§3.2) have proved to be a a rich source for novel cryptographic primitives. Class groups of number fields (§3.1) also enter the game as candidates for algebraic groups in which cryptosystems can be implemented. However, breaking these systems by computing discrete logarithms has proved to be easier than in algebraic curves; we intend to pursue this cryptanalytic strand of research.
Apart from solving specific problems related to cryptology, number theoretic expertise is vital to provide cryptologic advice to industrial partners in joint projects. It is to be expected that continuing pervasiveness and ubiquity of very low power computing devices will render the need for algebraic curve cryptography more pressing in coming years.
5 Highlights of the year
5.1 Awards
B. Allombert has been awarded the Cristal medal of CNRS for outstanding contributions to the advancement of knowledge and the excellence of French research, as the main developer of the Pari/Gp computer algebra system.1
I. Tucker has received the 2020 Prix Jeunes Talents France L'Oréal–UNESCO pour les femmes et la science.2
B. Wesolowski and his coauthors have been awarded the Best Paper Award at ASIACRYPT 2020 for their article 23.
5.2 Defenses
I. Tucker has defended her doctoral thesis Functional encryption and distributed signatures based on projective hash functions, the benefit of class groups26.
Sudarshan Shinde has defended his doctoral thesis Cryptographic applications of modular curves25.
5.3 Major software releases
The PARI Group released a new version of Pari/Gp (2.13) featuring many bug fixes and optimizations, including a better MPQS integer factorization engine, a complete rewrite of algebraic number theory modules to use “compact units” representations throughout (represent algebraic numbers as formal products of small $S$units) and new tricks to avoid tough discrete logarithms by working in appropriate quotients, a new algorithm to compute subfields, and a rewrite of the Bernoulli numbers cache generation (inspired by Arb).
Arb has had two new releases, 2.18 and 2.19. These releases mainly feature a large number of bug fixes and optimizations.
The year 2020 has seen the release 1.2 Hyacinthus orientalis of GnuMpc. The release features the new functions mpc_sum and mpc_dot and several bug fixes, in particular to make functions more robust if the user reduces the exponent range. It also contains the tool mpcheck for easier comparison with computations by the C library on standard precision floatingpoint numbers.
5.4 Special events
The year 2020 was marked by the covid crisis and its impact on society and its overall activity. The world of research was also greatly affected: Faculty members have seen their teaching load increase significantly; PhD students and postdocs have often had to deal with a worsening of their working conditions, as well as with reduced interactions with their supervisors and colleagues; most scientific collaborations have been greatly affected, with many international activities cancelled or postponed to dates still to be defined.
The Lfant team was able, however, to organise a physical Pari/Gp workshop in Grenoble in January 2020, right before the pandemic struck, with videos of some presentations made available51, 49, 48, 50.
6 New software and platforms
6.1 New software
6.1.1 PARI/GP
 Keyword: Computational number theory
 Functional Description: Pari/Gp is a widely used computer algebra system designed for fast computations in number theory (factorisation, algebraic number theory, elliptic curves, modular forms ...), but it also contains a large number of other useful functions to compute with mathematical entities such as matrices, polynomials, power series, algebraic numbers, etc., and many transcendental functions.

URL:
http://
pari. math. ubordeaux. fr/  Contacts: Andreas Enge, Karim Belabas
 Participants: Andreas Enge, Hamish IveyLaw, Henri Cohen, Karim Belabas
 Partner: CNRS
6.1.2 Arb
 Name: Arb
 Keywords: MultiplePrecision, Interval arithmetic, Interval analysis, Computational number theory, Numerical algorithm
 Functional Description: C library for arbitraryprecision ball arithmetic

URL:
http://
arblib. org  Contact: Fredrik Johansson
6.1.3 GNU MPC
 Keyword: Arithmetic
 Functional Description: Mpc is a C library for the arithmetic of complex numbers with arbitrarily high precision and correct rounding of the result. It is built upon and follows the same principles as Mpfr. The library is written by Andreas Enge, Philippe Théveny and Paul Zimmermann.
 Release Contributions: Bug fixes:  Fix an incompatibility problem with GMP 6.0 and before.  Fix an intermediate overflow in asin.

URL:
http://
www. multiprecision. org/  Authors: Andreas Enge, Philippe Théveny, Paul Zimmermann, Mickaël Gastineau
 Contacts: Andreas Enge, Paul Zimmermann
 Participants: Andreas Enge, Mickaël Gastineau, Paul Zimmermann, Philippe Théveny
6.1.4 abelianbnf
 Keyword: Computational number theory
 Functional Description: abelianbnf is a gp script computing class groups of abelian fields using norm relations in the Galois group. Requires Pari/gp, development version or stable version v2.13+.

URL:
https://
hal. inria. fr/ hal02961482  Publication: hal02497890
 Contact: Aurel Page
6.1.5 APIP
 Name: Another Pairing Implementation in PARI
 Keywords: Cryptography, Computational number theory

Scientific Description:
Apip , Another Pairing Implementation in PARI, is a library for computing standard and optimised variants of most cryptographic pairings.
The following pairings are available: Weil, Tate, ate and twisted ate, optimised versions (à la Vercauteren–Hess) of ate and twisted ate for selected curve families.
The following methods to compute the Miller part are implemented: standard Miller doubleandadd method, standard Miller using a nonadjacent form, Boxall et al. version, Boxall et al. version using a nonadjacent form.
The final exponentiation part can be computed using one of the following variants: naive exponentiation, interleaved method, Avanzi–Mihailescu's method, Kato et al.'s method, Scott et al.'s method.
Part of the library has been included into Pari/Gp proper.
 Functional Description: APIP is a library for computing standard and optimised variants of most cryptographic pairings.

URL:
http://
www. lix. polytechnique. fr/ ~milanj/ apip/ apip. xhtml  Author: Jérôme Milan
 Contact: Andreas Enge
 Participant: Jérôme Milan
6.1.6 AVIsogenies
 Name: Abelian Varieties and Isogenies
 Keywords: Computational number theory, Cryptography

Functional Description:
AVIsogenies is a Magma package for working with abelian varieties, with a particular emphasis on explicit isogeny computation.
Its prominent feature is the computation of (l,l)isogenies between Jacobian varieties of genustwo hyperelliptic curves over finite fields of characteristic coprime to l, practical runs have used values of l in the hundreds.
It can also be used to compute endomorphism rings of abelian surfaces, and find complete addition laws on them.

URL:
http://
avisogenies. gforge. inria. fr/  Contact: Damien Robert
 Participants: Damien Robert, Gaëtan Bisson, Romain Cosset
6.1.7 CM
 Keyword: Arithmetic
 Functional Description: The Cm software implements the construction of ring class fields of imaginary quadratic number fields and of elliptic curves with complex multiplication via floating point approximations. It consists of libraries that can be called from within a C program and of executable command line applications.
 Release Contributions: Changes in version 0.3.1 ("Wurstebrei"):  increase minimal version number for mpfrcx to 0.5 and for pari to 2.9.  many internal rewrites  bug fixes

URL:
http://
www. multiprecision. org/ cm/ home. html  Author: Andreas Enge
 Contact: Andreas Enge
 Participant: Andreas Enge
6.1.8 CMH
 Name: Computation of Igusa Class Polynomials
 Keywords: Mathematics, Cryptography, Number theory
 Functional Description: Cmh computes Igusa class polynomials, parameterising twodimensional abelian varieties (or, equivalently, Jacobians of hyperelliptic curves of genus 2) with given complex multiplication.

URL:
http://
cmh. gforge. inria. fr  Authors: Andreas Enge, Emmanuel Thomé, Regis Dupont
 Contacts: Emmanuel Thomé, Andreas Enge
 Participants: Andreas Enge, Emmanuel Thomé, Regis Dupont
6.1.9 CUBIC
 Keyword: Number theory
 Functional Description: Cubic is a standalone program that prints out generating equations for cubic fields of either signature and bounded discriminant. It depends on the Pari library. The algorithm has quasilinear time complexity in the size of the output.

URL:
http://
www. math. ubordeaux. fr/ ~belabas/ research/ software/ cubic1. 2. tgz  Contact: Karim Belabas
 Participant: Karim Belabas
6.1.10 Euclid
 Keyword: Number theory
 Functional Description: Euclid is a program to compute the Euclidean minimum of a number field. It is the practical implementation of the algorithm described in [38] . Some corresponding tables built with the algorithm are also available. Euclid is a standalone program depending on the PARI library.

URL:
http://
www. math. ubordeaux1. fr/ ~plezowsk/ euclid/ index. php  Contact: JeanPaul Cerri
 Participants: JeanPaul Cerri, Pierre Lezowski
6.1.11 FromLatticesToModularForms
 Keyword: Cryptography

Functional Description:
FromLatticesToModularForms is a magma package which allows to
 span the isogeny class (of principally polarised abelian varieties) of a power of an elliptic curve by enumerating unimodular hermitian lattices  compute the abelian variety A corresponding to a given lattice by exhibiting a kernel and an isogeny from Eĝ to A  A is represented by its theta null point (of level 2 or 4) in such a way that we give an affine lift of the theta null point corresponding to the pushforward of the standard diagonal differential dx/y on Eĝ  in particular one can evaluate rational modular forms on A  in dimension 2 or 3 we also provide code to recognize when A is a Jacobian and if so to find the corresponding curve.

URL:
https://
gitlab. inria. fr/ roberdam/ fromlatticestomodularforms  Contact: Damien Robert
6.1.12 KleinianGroups
 Keywords: Computational geometry, Computational number theory
 Functional Description: KleinianGroups is a Magma package that computes fundamental domains of arithmetic Kleinian groups.

URL:
http://
www. normalesup. org/ ~page/ Recherche/ Logiciels/ logicielsen. html  Publication: hal00703043
 Contact: Aurel Page
6.1.13 MPFRCX
 Keyword: Arithmetic
 Functional Description: Mpfrcx is a library for the arithmetic of univariate polynomials over arbitrary precision real (Mpfr ) or complex (Mpc ) numbers, without control on the rounding. For the time being, only the few functions needed to implement the floating point approach to complex multiplication are implemented. On the other hand, these comprise asymptotically fast multiplication routines such as ToomCook and the FFT.
 Release Contributions: Changes in version 0.6:  new functions mpfrx_eval and mpcx_eval for evaluating polynomials in a single argument using a Horner scheme, this complements the existing functions mpcx_multieval and mpfrx_multieval  new convenience functions * mpcx_mul_c, mpcx_mul_fr, mpcx_mul_si, mpcx_mul_ui, mpfrx_mul_fr, mpfrx_mul_si, mpfrx_mul_ui for multiplying polynomials by constants of various types * mpcx_mul_x, mpfrx_mul_x for multiplying by powers of the variable  bug: make multieval work for polynomials of degree <= 1

URL:
http://
www. multiprecision. org/ mpfrcx/ home. html  Author: Andreas Enge
 Contact: Andreas Enge
 Participant: Andreas Enge
6.1.14 Nemo
 Name: Nemo
 Keywords: Computer algebra system (CAS), Symbolic computation
 Functional Description: A computer algebra package for the Julia programming language

URL:
http://
nemocas. org  Contact: Fredrik Johansson
 Partner: Technische Universität Kaiserslautern (UniKL), Allemagne
6.2 New platforms
6.2.1 Tate algebras
Following the article 32, Xavier Caruso and Thibaut Verron implemented the PoTe and the VaPoTe algorithm for computing Gröbner bases in Tate algebras; their implementation is part of the standard distribution of SageMath since version 9.1.
6.2.2 Ore polynomials
Xavier Caruso wrote a package on Ore polynomials, which has been accepted for inclusion in SageMath, version 9.2. Beyond basic operations, this implementation includes capabilities for working in the field of fractions of Ore algebras and an optimized factorization algorithm for skew polynomials over finite fields.
6.2.3 From Lattices To Modular Forms
A code implementing the article 46 for spanning the isogeny class of products of elliptic curves and computing modular forms (and related obstruction) on them is available as a Magma package called FromLatticesToModularForm.
6.2.4 Modular polynomials
The paper 19 was the first paper for
the reproducibility pilot of the Journal of Number Theory.
The reproducibility archive is available at
https://
7 New results
7.1 Cryptography
Participants: Razvan Barbulescu, Guilhem Castagnos, Ida Tucker, Benjamin Wesolowski.
Classical publickey cryptography.
The security of pairingbased cryptography requires discrete logarithms in finite fields of degree larger than 1 to be difficult to compute. After having proposed several improvements which reduced the security of the proposed pairings in the literature, R. Barbulescu together with Sylvain Duquesne suggested in 2019 a model to evaluate the security of pairings 53. In a subsequent work Nadia El Mrabet pointed out that exotic pairings, not studied in the literature before might be interesting, and this led to a joint study with Loubna Ghammam and R. Barbulescu of over 200 curve families 27, providing very precise security estimates.
The presumed hardness of the discrete logarithm problem (DLP) in finite fields (or other families of groups) is a foundation of classical publickey cryptography. It has recently been discovered that the DLP is much easier than previously believed in an important family: finite fields of small characteristic. Algorithms of quasipolynomial complexity have been discovered. In 37, R. Granger, T. Kleinjung, A. K. Lenstra, B. Wesolowski and J. Zumbrägel demonstrate the practicality of these new methods through the computation of a discrete logarithm in ${\mathbb{F}}_{{2}^{30750}}$, breaking by a large margin the previous record, which was set in January 2014 by a computation in ${\mathbb{F}}_{{2}^{9234}}$.
In 21, G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta and I. Tucker propose a new cryptographic protocol to compute threshold ECDSA signatures with two parties. ECDSA (Elliptic Curves Digital Signature Algorithm) is a widely adopted standard for electronic signatures. For instance, it is used in the TLS (Transport Layer Security) protocol and in many cryptocurrencies such as Bitcoin. Threshold Signatures allow $n$ parties to share the power of issuing digital signatures so that any coalition of size at least $t+1$ can sign, whereas groups of $t$ or less players cannot. Over the last few years many schemes addressed the question of realizing efficient threshold variants for the specific case of ECDSA signatures. In this work they present new solutions to the problem that aim at reducing the overall bandwidth consumption. The main contribution is a new variant of the Gennaro and Goldfeder protocol from ACM CCS 2018 using cryptography based of class groups of quadratic fields that avoids all the required range proofs, while retaining provable security against malicious adversaries in the dishonest majority setting. The experiments show that – for all levels of security – the new signing protocol reduces the bandwidth consumption of best previously known secure protocols for factors varying between 4.4 and 9, while key generation is consistently two times less expensive. Furthermore compared to these same protocols, signature generation is faster for 192bits of security and beyond.
Postquantum cryptography.
It has been known since the work of Shor in 1994 that a functional, largescale quantum computer would be able to break most classical publickey cryptosystems deployed today. The cryptographic community has since then investigated new families of postquantum cryptosystems, meant to resist the advance of quantum computing. Latticebased cryptography, one of the leading postquantum candidates, relies on the presumed hardness of certain computational problems in euclidean lattices. There is strong confidence in the hardness of these problems in general, but the use of algebraic lattices (necessary for efficiency or advanced functionalities) opens new angles of attack. In 14, R. Cramer, L. Ducas and B. Wesolowski expose an unexpected quantum hardness gap between generic lattices and an important family of algebraic lattices, socalled cyclotomic ideal lattices. This journal article expands upon preliminary results presented at Eurocrypt 2017.
An ideal lattice is essentially an ideal in the ring on integers of a number field that is stable by multiplication, with a geometry induced by the Minkowski embedding. Fixing a number field, the space of all ideal lattices, up to isometry, is naturally an abelian group called the Arakelov class group. In 22, K. De Boer, L. Ducas, A. PelletMary and B. Wesolowski study the relative hardness of computational problems within the Arakelov class group. More precisely, it is shown that the worstcase of the Shortest Vector Problem (IdealSVP) reduces to its averagecase (up to an approximation factor that depends on the field). In other words, “random” instances of IdealSVP are as hard as the hardest ones, an essential property for building cryptography. This result assumes the Riemann Hypothesis for Hecke $L$functions, which allows to prove that certain random walks in Arakelov class groups have rapid mixing properties.
Isogenybased cryptography is another popular candidate for postquantum cryptography. Their main asset: they allow for smaller keys than other postquantum candidates, and more confident keysize selection. For a while, is was unknown whether one could build an isogenybased digital signature scheme (besides the immediate but inefficient construction from the Jao–De Feo–Plût identification protocol). In 23, L. De Feo, D. Kohel, A. Leroux, C. Petit and B. Wesolowski introduce the signature scheme SQISign. Its most notable feature is its compactness: the signature and public key sizes combined are an order of magnitude smaller than all other postquantum signature schemes. It is however less efficient than its competitors: on a modern workstation, the proofofconcept C implementation takes 2.5s for signing, and 50ms for verification.
Verifiable delay functions.
In 20, B. Wesolowski constructs the first practical verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resourceefficient blockchains. This journal article expands upon preliminary results presented at Eurocrypt 2019.
The construction is based on groups of unknown order such as an RSA group or the class group of an imaginary quadratic field. The “delaying” property relies on the assumption that in groups of unknown order, exponentiating a random element by ${2}^{t}$ essentially requires to perform $t$ squarings sequentially, and parallelisation does not allow to go faster. It is then important to understand precisely how quickly a single modular squaring operation can be computed, even in parallel on dedicated hardware. To this end, in 47, B. Wesolowski and R. Williams devise lower bounds for the depth of circuits computing modular squaring.
7.2 Number fields
Participants: Razvan Barbulescu, Henri Cohen, JeanMarc Couveignes, Aurel Page.
In 12, H. Cohen and F. Thorne give explicit formulæ for the Dirichlet series generating function of ${D}_{\ell}$extensions of odd prime degree $\ell $ with given quadratic resolvent.
In 11, Razvan Barbulescu in a joint work with Jishnu Ray (University of British Columbia, Vancouver) brings elements to support Greenberg's $p$rationality conjecture. On the theoretical side, they propose a new family proven to be $p$rational. On the algorithmic side, they compare the tools to enumerate number fields of given abelian Galois group and of computing class numbers, and extend the experiments on the Cohen–Lenstra–Martinet conjectures.
In 13 and 34, JeanMarc Couveignes constructs small models of number fields and functions fields. One option is to look for local equations rather than a full set of generators of the ideal of these models. Another option is to provide approximations of a small collection of algebraic numbers or functions in the field of interest, that are sharp enough to recover the ideal of relations. A consequence for number fields is a better bound for the number of number fields of given degree $n$ and discriminant bounded by $H$.
In 29, A. Page and his coauthors analyse in detail the subfield method to accelerate the computation of $S$units and class groups, in the Galois case. They introduce a new grouptheoretic notion of norm relation that extends classical ones and give criteria for the existence of such relations. They provide subfieldbased algorithms for the computation of invariants of number fields in the presence of a norm relation and prove a polynomialtime reduction to the subfields. They compute class groups of number fields of large degree that go far beyond previous records, both under GRH (degree 1728) and unconditionally (degree 576).
7.3 Modular forms and $L$functions
Participants: Razvan Barbulescu, Damien Robert.
The best algorithms for integer factorisation use a nonnegligible proportion of the time to enumerate smaller integers and to test if all their prime factors are below a given bound. A lot of effort has been spent in the literature to improve the best algorithm for this task, the elliptic curve method (ECM). In 28, R. Barbulescu and his doctoral student Sudarshan Shinde have given a simple method which allows to find rapidly, in a unified manner, all the previously known families of elliptic curves for ECM. They proved that there are precisely 1525 ECMfriendly families using the theory of modular forms.
In 46, M. Kirschmer, F. Narbonne, C. Ritzenthaler and D. Robert give an algorithm to span the isomorphism classes of principally polarized abelian varieties in the isogeny class of ${E}^{g}$, where $E$ is an elliptic curve. The varieties are first described as hermitian lattices over (not necessarily maximal) quadratic orders and then geometrically in terms of their algebraic theta null point. They also show how to algebraically compute Siegel modular forms of even weight given as polynomials in the theta constants by a careful choice of an affine lift of the theta null point. They then use these results to give an algebraic computation of Serre's obstruction for principally polarized abelian threefolds isogenous to ${E}^{3}$ and of the Igusa modular form in dimension 4. They illustrate these algorithms with examples of curves with many rational points over finite fields.
7.4 $p$adic rings and geometry
Participants: Xavier Caruso.
In 31, Xavier Caruso, Tristan Vaccon and Thibaut Verron continued to develop the theory of Gröbner bases over Tate algebras: they designed two F5like algorithms, called PoTe (Position over Term) and VaPoTe (Valuation over Position over Term) respectively and implemented them in the software SageMath.In the note 32, Xavier Caruso studied the localisation of roots in an algebraic closure of random polynomials with coefficients in ${\mathbb{Z}}_{p}$ (the ring of $p$adic numbers). He proved, in particular, that a polynomial of degree $d$ over ${\mathbb{Z}}_{p}$ has 1 root in ${\mathbb{Q}}_{p}$ on average, and $dO(1/p)$ roots on average in the maximal unramified extension of ${\mathbb{Q}}_{p}$.
7.5 Complex multiplication and isogenies of abelian varieties
Participants: Xavier Caruso, Elie Eid, Sorina Ionica, Jean Kieffer, Abdoulaye Maiga, Chloe Martindale, Enea Milio, Aurel Page, Damien Robert.
In 18, Chloe Martindale, former doctoral student in the team, presents an algorithm to compute higher dimensional Hilbert modular polynomials. She also explains applications of this algorithm to point counting, walking on isogeny graphs, and computing class polynomials.The paper by E. Milio, former doctoral student in the team, and D. Robert 19 on computing cyclic modular polynomials has been published. This was the first paper of the Journal of Number Theory with a reproducible archive for computations.
J. Kieffer, A. Page and D. Robert have updated their article 44 on computing isogenies between abelian surfaces using modular polynomials. They added a purely algebraic description of the deformation map and gave precise geometric conditions for the algorithm to work.
A. Maiga and D. Robert examine in 24 modular polynomials for abelian surfaces with good reduction modulo 2, which enables them to compute canonical lifts of such surfaces over a finite field of characteristic 2 and to ultimately deduce their cardinality, the main security parameter for hyperelliptic curve cryptosystems.
In 42, J. Kieffer gives degree and height bounds for modular equations on PEL Shimura varieties in terms of their level. In particular, this result answers previous questions about Hilbert and Siegel modular polynomials and the complexity of algorithms manipulating them.
In 45, J. Kieffer shows that the sign choices made in Dupont's algorithm to evaluate genus 2 theta constants in quasilinear time in the precision are indeed correct. This gives a positive answer to a question raised by Dupont in his 2006 thesis, and lifts one of the heuristic that Dupont's algorithm uses.
In 43, J. Kieffer designs an algorithm to evaluate Siegel and Hilbert modular polynomials over number fields, based on complex approximations and fast computations of theta functions in genus 2. Analyzing the possible precision losses and using interval arithmetic makes the output provably correct. In many situations, using this algorithm to evaluate modular equations on the fly is more efficient than precomputing and storing them.
In 16, Sorina Ionica, former postdoc of the team, and Emmanuel Thomé look at the structure of isogeny graphs of genus 2 Jacobians with maximal real multiplication. They generalise a result of Kohel's describing the structure of the endomorphism rings of the isogeny graph of elliptic curves. Their setting considers genus 2 jacobians with complex multiplication, with the assumptions that the real multiplication subring is maximal and has class number 1. Over finite fields, they derive a depth first search algorithm for computing endomorphism rings locally at prime numbers, if the real multiplication is maximal.
In 30, X. Caruso, E. Eid and Reynald Lercier designed a new algorithm for computing isogenies between elliptic curves over an extension of the field of 2adic numbers. Their methods rely on a highly efficient and numerically stable algorithm for solving certain types of nonlinear singular 2adic differential equations. From this work, they deduced fast algorithms for computing isogenies between elliptic curves in characteristic 2 and generating irreducible polynomials of large degrees over ${\mathbb{F}}_{2}$.
In 35, E. Eid extended the above strategy to the case of isogenies between Jacobians of hyperelliptic curves in odd characteristic. The obtained algorithm has quasilinear complexity with respect to the degree of the isogeny.
7.6 Multiprecision arithmetic
Participants: Henri Cohen, Fredrik Johansson.
H. Cohen in 33 examines the branches of the complex Lambert $W$function, branch identities and series developments.
In 38, F. Johansson describes Calcium, a new library for exact real and complex arithmetic with the ability to prove equalities for a large class of numbers.
In 36, E. Friedman, F. Johansson and G. RamirezRaposo prove a conjecture from 2014 by Katok, Katok and Rodriguez Hertz, rigorously establishing the minimal value of the Fried average entropy for higherrank Cartan actions.
In 41, F. Johansson reviews the PreparataSarwate algorithm for computing the characteristic polynomial and determinant of matrices, finding that it outperforms more widely used algorithms in some applications.
In 40, F. Johansson describes FunGrim, a semantic database of special function identities.3
In 17, F. Johansson gives an algorithm for computing all the complex branches of the Lambert W function in arbitraryprecision arithmetic with rigorous error bounds.
In 39, F. Johansson describes a new algorithm for computing coefficients of the $j$function and finds the first prime numbers in this sequence.
7.7 Miscellanea
Participants: Andreas Enge.
With his contribution 15 to the Ten Years Reproducibility Challenge4, A. Enge has endeavoured to reproduce the results of his 20 year old article on volume computation for convex polytopes 55. While the content is not related to number theory, the success of the reproduction confirms the choice of the Lfant team to provide software mainly as portable and standard C code.
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
G. Castagnos has a three years contract with Orange (Orange Labs CessonSévigné) for the supervision of the PhD of Élie Bouscatié (Thèse CIFRE) from November 2020 to November 2023.
9 Partnerships and cooperations
9.1 International Initiatives
9.1.1 Visits of International Scientists
A. Bartel visited the team for two weeks in February.
9.2 National Initiatives
9.2.1 ANR Alambic – AppLicAtions of MalleaBIlity in Cryptography
Participants: Guilhem Castagnos.
https://
The Alambic project is a research project formed by members of the INRIA ProjectTeam CASCADE of ENS Paris, members of the AriC INRIA projectteam of ENS Lyon, and members of the CRYPTIS of the university of Limoges. G. Castagnos is an external member of the team of Lyon for this project.
Nonmalleability is a security notion for public key cryptographic encryption schemes that ensures that it is infeasible for an adversary to modify ciphertexts into other ciphertexts of messages which are related to the decryption of the first ones. On the other hand, it has been realized that, in specific settings, malleability in cryptographic protocols can actually be a very useful feature. For example, the notion of homomorphic encryption allows specific types of computations to be carried out on ciphertexts and generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintexts. The homomorphic property can be used to create secure voting systems, collisionresistant hash functions, private information retrieval schemes, and for fully homomorphic encryption enables widespread use of cloud computing by ensuring the confidentiality of processed data.
The aim of the Alambic project to investigate further theoretical and practical applications of malleability in cryptography. More precisely, this project focuses on three different aspects: secure computation outsourcing and serveraided cryptography, homomorphic encryption and applications and << paradoxical >> applications of malleability.
9.2.2 ANR CLap–CLap – The $p$adicr Langlands correspondence: a constructive and algorithmical approach
Participants: Xavier Caruso, JeanMarc Couveignes.
The $p$adic Langlands correspondence has become nowadays one of the deepest and the most stimulating research programs in number theory. It was initiated in France in the early 2000's by Breuil and aims at understanding the relationships between the $p$adic representations of $p$adic absolute Galois groups on the one hand and the $p$adic representations of $p$adic reductive groups on the other hand. Beyond the case of ${\text{GL}}_{2}\left({\mathbb{Q}}_{p}\right)$ which is now well established, the $p$adic Langlands correspondence remains quite obscure and mysterious new phenomena enter the scene; for instance, on the ${\text{GL}}_{n}\left(F\right)$side one encounters a vast zoology of representations which seems extremely difficult to organize.
The CLap–CLap ANR project aims at accelerating the expansion of the $p$adic Langlands program beyond the wellestablished case of ${\text{GL}}_{2}\left({\mathbb{Q}}_{p}\right)$. Its main originality consists in its very constructive approach mostly based on algorithmics and calculations with computers at all stages of the research process. We shall pursue three different objectives closely related to our general aim:
 draw a conjectural picture of the (still hypothetical) $p$adic Langlands correspondence in the case of ${\text{GL}}_{n}$,
 compute many deformation spaces of Galois representations and make the bridge with deformation spaces of representations of reductive groups,
 design new algorithms for computations with Hilbert and Siegel modular forms and their associated Galois representations.
This project will also be the opportunity to contribute to the development of the mathematical software SageMath and to the expansion of computational methodologies.
9.2.3 ANR Ciao – Cryptography, Isogenies and Abelian varieties Overwhelming
Participants: JeanMarc Couveignes, Jean Kieffer, Aurel Page, Damien Robert.
The CIAO ANR project is a young researcher ANR project led by Damien Robert October 2019.
The aim of the CIAO project is to study the security and improve the efficiency of the SIDH (supersingular isogenies Diffie Helmann) protocol, which is one of the postquantum cryptographic project submitted to NIST, which passed the first round selection.
The project include all aspects of SIDH, from theoretical ones (computing the endomorphism ring of supersingular elliptic curves, generalisation of SIDH to abelian surfaces) to more practical aspects like arithmetic efficiency and fast implementations, and also extending SIDH to more protocols than just key exchange.
Applications of this project is to improve the security of communications in a context where the currently used cryptosystems are vulnerable to quantum computers. Beyond postquantum cryptography, isogeny based cryptosystems also allow to construct new interesting cryptographic tools, like Verifiable Delay Functions, used in block chains.
10 Dissemination
10.1 Promoting Scientific Activities
10.1.1 Journal
Member of Editorial Boards
X. Caruso is an editor and one of the founders of the journal Annales Henri Lebesgue.
J.M. Couveignes is a member of the editorial board (scientific committee) of the Publications mathématiques de Besançon since 2010.
K. Belabas acts on the editorial board of Journal de Théorie des Nombres de Bordeaux since 2005 and of Archiv der Mathematik since 2006.
A. Enge is an editor of Designs, Codes and Cryptography since 2004.
10.1.2 Scientific Expertise
K. Belabas is a member of the “conseil scientifique” of the Société Mathématique de France.
A. Enge has acted as an evaluator for the German National Research Data Infrastructure5 on the panel on mathematics, particle physics and astrophysics.
10.1.3 Research Administration
Since January 2015, K. Belabas is vicehead of the Mathematics Institute (IMB). He also leads the computer science support service (“cellule informatique”) of IMB and coordinates the participation of the institute in the regional computation cluster PlaFRIM.
He is an elected member of “commission de la recherche” in the academic senate of Bordeaux University.
Between January 2017 and June 2020, A. Enge was “délégué scientifique” of the BordeauxSudOuest Inria Research Centre. As such, he was also a designated member of the “commission d'évaluation” of INRIA.
He is a member of the administrative council of the Société Arithmétique de Bordeaux, which edits the Journal de théorie des nombres de Bordeaux and supports number theoretic conferences.
G. Castagnos is responsible for the bachelor programme in mathematics and informatics.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Master: G. Castagnos, Cryptanalyse, 60h, M2, University of Bordeaux, France;
 Master: G. Castagnos, Cryptologie avancée, 30h, M2, University of Bordeaux, France;
 Master: G. Castagnos, Courbes elliptiques, 30h, M2, University of Bordeaux, France;
 Licence: G. Castagnos, Arithmétique et Cryptologie, 24h, L3, Université de Bordeaux, France
 Master : D. Robert, Courbes elliptiques, 60h, M2, University of Bordeaux, France;
 Master: X. Caruso and J.M. Couveignes, Algorithmique arithmétique, introduction à l'algorithmique quantique, 60h, M2, University of Bordeaux, France;
 Master : K. Belabas, Algèbre et calcul formel 1 et 2, 91h, M2, University of Bordeaux, France;
 Licence: K. Belabas, Algorithmique mathématique 2, TD, 35h, L3, University of Bordeaux, France;
 Licence: K. Belabas, Structures algébriques 1, TD, 51h, L2, University of Bordeaux, France;
 Master: J.M. Couveignes, Modules, espaces quadratiques, 30h, M1, University of Bordeaux, France;
 Licence : J.P. Cerri, Arithmétique et Cryptologie, TD, 36h, L3, Université de Bordeaux, France;
 Licence : J.P. Cerri, Algèbre linéaire, TD, 51h, L2, Université de Bordeaux, France;
 Licence : J.P. Cerri, Topologie, TD, 35h, L3, Université de Bordeaux, France;
 Master : J.P. Cerri, Cryptologie, CoursTD, 60h, M1, Université de Bordeaux, France;
 Licence: J. Kieffer, Algorithmique Mathématique 2, 32h, L3, Université de Bordeaux, France;
 Master: R. Barbulescu, Arithmetic algorithms for cryptology, M2, Master Parisien de Recherche Informatique;
 Licence, Master : J.P. Cerri, 2 TER (L3, M1), 1 Projet (M2), Université de Bordeaux, France;
 Master : J. Asuncion, Elliptic curves, TD, 16h, M1, Universiteit Utrecht (Mastermath), PaysBas;
 Master: D. Robert, Courbes elliptiques, 30h, M2, University of Bordeaux, France;
 Licence : A.E. Wilke, Outils mathématiques pour la biologie, TD, 32h, Université de Bordeaux, France;
 Licence : A.E. Wilke, Coloration mathématique, TD, 32h, Université de Bordeaux, France.
10.2.2 Supervision
 Master thesis: Reem Chaalan, Gabidulin Codes and Skew Polynomials, supervised by Xavier Caruso
 Master thesis: William Dallaporta, Parametrization of ideals and other algebraic structures by quadratic forms, supervised by Karim Belabas
 Master thesis: Raoul Hallopeau, From Euler’s formula to derived categories, supervised by Xavier Caruso
 Master thesis: Raphaël Pagès, Étude d’algèbres d’opérateurs différentiels, techniques de calcul rapide de factorielles et applications au calcul de la $p$courbure, supervised by Alin Bostan and Xavier Caruso
 PhD in progress: Élie Bouscatié, Conception d'algorithmes de chiffrement cherchable, since November 2020, supervised by Guilhem Castagnos
 PhD in progress: Abdoulaye Maiga, Computing canonical lift of genus 2 hyperelliptic curves, University Dakar, supervised by Djiby Sow, Abdoul Aziz Ciss and D. Robert.
 PhD in progress: Jared Asuncion, Class fields of complex multiplication fields, since September 2017, supervised by A. Enge and Marco Streng (Universiteit Leiden).
 PhD in progress: Elie Eid, Computing isogenies between elliptic curves and curves of higher genus, since September 2018, supervised by Xavier Caruso and Reynald Lercier
 PhD in progress: Amaury Durand, Geometric Gabidulin codes, since September 2019, supervised by Xavier Caruso
 PhD in progress: Jean Kieffer, Computing isogenies between abelian surfaces, since September 2018, supervised by Damien Robert and Aurel Page
 PhD in progress: Raphaël Pagès, Factorisation des opérateurs différentiels en caractéristique $p$, since September 2020, supervised by Alin Bostan and Xavier Caruso
 PhD in progress: Pavel Solomatin Topics on $L$functions, since September 2018, supervised by B. de Smit and K. Belabas
 PhD in progress: AnneEdgar Wilke Enumerating integral orbits of prehomogeneous representations, since September 2019, supervised by K. Belabas.
 PhD defended in 2020: I. Tucker Functional encryption and distributed signatures based on projective hash functions, the benefit of class groups26, supervised by G. Castagnos with F. Laguillaumie, Université de Lyon
 PhD defended in 2020: Sudarshan Shinde Cryptographic applications of modular curves since October 2016, supervised by R. Barbulescu with PierreVincent Koseleff (Sorbonne Université) 25
10.2.3 Juries
 A. Enge has written a report for the doctoral dissertation by Simon Masson, Université de Lorraine: Algorithmique des courbes destinées au contexte de la cryptographie bilinéaire et postquantique.
 X. Caruso and J.M. Couveignes were part of the selection committee for a position of full professor in ENS Rennes.
 X. Caruso was part of the selection committee for a position of full professor in the University of Versailles.
 X. Caruso has written a report for the doctoral dissertation by Joelle Saade, Université de Limoges: Méthodes symboliques pour les systèmes différentiels linéaires à singularité irrégulière.
 K. Belabas was part of the selection committee for a position of full professor in Versailles SaintQuentinenYvelines University.
 R. Barbulescu was part of the three members jury of the oral examination in mathematics for mathinfo, the admission examination for ENS de Lyon.
 R. Barbulescu was a member of the jury for a lecturer position (maître de conférence) in the number theory team (mathematics) at University of Paris (former Paris 7).
 X. Caruso was part of the selection committee for a position of associate professor in the University of Limoges.
 D. Robert is a member of the jury of Agrégations de Mathématiques. He is also the director of the option “calcul formel” of the Modélisation part of the oral examination.
10.3 Popularization
X. Caruso and C. Ménini are leaders of the popularisation group at IMB (Institut de Mathématiques de Bordeaux).
R. Barbulescu, X. Caruso, A. Enge and B. Wesolowski have taken part as evaluators in the Tournois Français des Jeunes Mathématiciennes et Mathématiciens6, a competition between high school classes on mathematical research questions.
R. Barbulescu is one of the organizers of Concours Alkindi7, an online cryptography competition for middle and high school classes of French 4e, 3e and 2nde with 65000 participants in the 2019/2020 edition. Romania, Tunisia and Cameroun created national editions in which they use the same content as the French contest and had a few hundred participants.
10.3.1 Articles and contents
X. Caruso wrote several small webpages/apps in order to present interesting mathematical objects and highlight their more striking properties:
 a 2048like game, based on the properties of the Fibonacci sequence
https://
diffusion. math. ubordeaux. fr/ embed/ 987/  a walk on the flat surface of genus 2
https://
diffusion. math. ubordeaux. fr/ embed/ walks/ genus2. html  a dialog about the tilings of the hexagone
https://
diffusion. math. ubordeaux. fr/ tilehexa/
An ongoing collaboration with the PIRVI platform8 has started; its main objective is to realise a 3D rendering engine in hyperbolic geometry.
10.3.2 Interventions
X. Caruso gave a talk and animated a workshop on continued fractions and their applications to the construction of musical scales.
11 Scientific production
11.1 Major publications
 1 article Euclidean minima and central division algebrasInternational Journal of Number Theory572009, 11551168URL: http://www.worldscinet.com/ijnt/05/0507/S1793042109002614.html
 2 articleError estimates for the DavenportHeilbronn theoremsDuke Mathematical Journal15312010, 173210URL: http://projecteuclid.org/euclid.dmj/1272480934
 3 articleA new faster algorithm for factoring skew polynomials over finite fieldsJ. Symbolic Comput.792018, 411443

4
articleTracking
$p$ adic precision'LMS J. Comput. Math.172014, 274294  5 inproceedingsPractical Fully Secure Unrestricted Inner Product Functional Encryption modulo pAdvances in Cryptology – ASIACRYPT 2018, Part II11273Lecture Notes in Computer ScienceInternational Association for Cryptologic Research2018, 733–764
 6 bookModular Forms: A Classical Approach179Graduate Studies in MathematicsAmerican Mathematical Society2017, URL: http://bookstore.ams.org/gsm179/
 7 book Computational aspects of modular forms and Galois representations Princeton University Press 2011
 8 articleAn L(1/3) Discrete Logarithm Algorithm for Low Degree CurvesJournal of Cryptology2412011, 2441
 9 articleShort addition sequences for theta functionsJournal of Integer Sequences1822018, 1–34
 10 articleComputing isogenies between abelian varietiesCompositio Mathematica1480509 2012, 14831515URL: http://dx.doi.org/10.1112/S0010437X12000243
11.2 Publications of the year
International journals
 11 articleNumerical verification of the CohenLenstraMartinet heuristics and of Greenberg's prationality conjectureJournal de Théorie des Nombres de Bordeaux3212020, 159177

12
articleOn
${D}_{}$ extensions of odd prime degree$$ 'Proceedings of the London Mathematical Society12152020, 11711206  13 articleEnumerating number fieldsAnnals of Mathematics19222020, 487497
 14 articleMildly Short Vectors in Cyclotomic Ideal Lattices in Quantum Polynomial TimeJournal of the ACM (JACM)682January 2021, 126
 15 article[Re] Volume computation for polytopes: Vingt ans aprèsThe ReScience journal61December 2020, #17
 16 articleIsogeny graphs with maximal real multiplicationJournal of Number Theory207February 2020, 385422
 17 articleComputing the Lambert W function in arbitraryprecision complex interval arithmeticNumerical Algorithms831January 2020, 221242
 18 articleHilbert Modular PolynomialsJournal of Number Theory2132020, 464498
 19 article Modular polynomials on Hilbert surfaces Journal of Number Theory May 2020
 20 article Efficient Verifiable Delay Functions (extended version) Journal of Cryptology September 2020
International peerreviewed conferences
 21 inproceedingsBandwidthEfficient Threshold ECDSAPKC 2020  23rd IACR International Conference on Practice and Theory of PublicKey CryptographyPublicKey Cryptography  PKC 2020Edinburgh / Virtual, United KingdomApril 2020, 266296
 22 inproceedings Random Selfreducibility of IdealSVP via Arakelov Random Walks CRYPTO 2020 Santa Barbara, United States August 2020
 23 inproceedings SQISign: compact postquantum signatures from quaternions and isogenies ASIACRYPT 2020  26th Annual International Conference on the Theory and Application of Cryptology and Information Security Daejeon (virtual), South Korea December 2020
 24 inproceedings Computing the 2adic Canonical Lift of Genus 2 Curves ICMC 2021  7th International Conference on Mathematics and Computing Shibpur / Virtual, India March 2021
Doctoral dissertations and habilitation theses
 25 thesis Cryptographic applications of modular curves Sorbonne Université July 2020
 26 thesis Functional encryption and distributed signatures based on projective hash functions, the benefit of class groups Université de Lyon October 2020
Reports & preprints
 27 misc A taxonomy of pairings, their security, their complexity August 2020
 28 misc A classification of ECMfriendly families using modular curves: intégré à la thèse de doctorat de Sudarshan Shinde, Sorbonne Université, 10 juillet 2020. July 2020
 29 misc Norm relations and computational problems in number fields February 2020
 30 misc Fast computation of elliptic curve isogenies in characteristic two March 2020
 31 misc Signaturebased algorithms for Gröbner bases over Tate algebras 2020
 32 misc Where are the zeroes of a random padic polynomial? April 2020

33
misc
Lambert
$W$ Function Branch Identities' December 2020  34 misc Short models of global fields November 2020
 35 misc Fast computation of hyperelliptic curve isogenies in odd characteristic September 2020
 36 misc The minimal Fried average entropy for higherrank Cartan actions July 2020
 37 misc Computation of a 30 750Bit Binary Field Discrete Logarithm September 2020
 38 misc Calcium: computing in exact real and complex fields November 2020

39
misc
Computing isolated coefficients of the
$j$ function' November 2020  40 misc FunGrim: a symbolic library for special functions March 2020
 41 misc On a fast and nearly divisionfree algorithm for the characteristic polynomial November 2020
 42 misc Degree and height estimates for modular equations on PEL Shimura varieties January 2020
 43 misc Evaluating modular polynomials in genus 2 October 2020
 44 misc Computing isogenies from modular equations in genus two January 2020
 45 misc Sign choices in the AGM for genus two theta constants October 2020

46
misc
Spanning the isogeny class of a power of an ordinary elliptic curve over a finite field. Application to the number of rational points of curves of genus
$4$ ' April 2020  47 misc Lower bounds for the depth of modular squaring December 2020
Other scientific publications
 48 misc Bill Allombert  New GP features: Atelier PARI/GP 2020 January 2020
 49 misc Bill Allombert  Start of Atelier (setting up personal computers): Atelier PARI/GP 2020 January 2020
 50 misc Karim Belabas  Sunits and compact representations in number fields: Atelier PARI/GP 2020 January 2020
 51 misc Aurel Page  Construction of subfields and abelian overfields: Atelier PARI/GP 2020 January 2020
11.3 Other
Softwares
 52 software abelianbnf 1.0 hello September 2020
11.4 Cited publications
 53 articleUpdating key size estimations for pairingsJournal of Cryptology3242019, 12981336
 54 inproceedingsL'algorithmique de la théorie algébrique des nombresThéorie algorithmique des nombres et équations diophantiennes2005, 85155
 55 inproceedingsExact Volume Computation for Polytopes: A Practical StudyPolytopes — Combinatorics and Computation29DMV SeminarBaselBirkhäuser Verlag2000, 131–154
 56 articleInhomogeneous and Euclidean spectra of number fields with unit rank strictly greater than 1J. Reine Angew. Math.5922006, 4962
 57 phdthesisSpectres euclidiens et inhomogènes des corps de nombresIECN, Université Henri Poincaré, Nancy2005, URL: http://tel.archivesouvertes.fr/tel00011151/en/
 58 articleCryptographic Hash Functions from Expander GraphsJournal of Cryptology2212009, 93113
 59 inproceedings Computational class field theory Algorithmic Number Theory  Lattices, Number Fields, Curves and Cryptography 44 MSRI Publications Cambridge University Press 2008
 60 phdthesisCourbes algébriques et cryptologieUniversité Denis DiderotParis 72007, URL: http://tel.archivesouvertes.fr/tel00382535/en/
 61 unpublishedPublickey cryptosystem based on isogenies2006, Preprint, Cryptology ePrint Archive 2006/145URL: http://eprint.iacr.org/2006/145/