Keywords
 A1.1.2. Hardware accelerators (GPGPU, FPGA, etc.)
 A4.3.1. Public key cryptography
 A4.3.2. Secret key cryptography
 A4.8. Privacyenhancing technologies
 A6.2.7. High performance computing
 A7.1. Algorithms
 A7.1.4. Quantum algorithms
 A8.4. Computer Algebra
 A8.5. Number theory
 A8.10. Computer arithmetic
 B8.5. Smart society
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Emmanuel Thomé [Team leader, Inria, Senior Researcher, until Jul 2021, HDR]
 Paul Zimmermann [Team leader, Inria, Senior Researcher, from Aug 2021, HDR]
 Xavier Bonnetain [Inria, Researcher, from Oct 2021]
 Pierrick Gaudry [CNRS, Senior Researcher, HDR]
 Aurore Guillevic [Inria, Researcher]
 Virginie Lallemand [CNRS, Researcher]
 Cécile Pierrot [Inria, Researcher]
 PierreJean Spaenlehauer [Inria, Researcher]
Faculty Members
 Sébastien Duval [Univ de Lorraine, Associate Professor, from Sep 2021]
 Marine Minier [Univ de Lorraine, Professor, HDR]
PhD Students
 Haetham Al Aswad [Inria, from Oct 2021]
 Hamid Boukerrou [Univ de Lorraine]
 Gabrielle De Micheli [Inria, until Aug 2021]
 Le Phuc Huynh [CNRS, until Feb 2021]
 Aude Le Gluher [Univ de Lorraine, until Aug 2021]
 Antoine Leudière [Inria, from Oct 2021]
 Simon Masson [UDcast, CIFRE, Jan 2021]
 Ana Margarita Rodriguez Cordero [Univ de Lorraine, from Oct 2021]
 Quentin Yang [Inria]
Interns and Apprentices
 Haetham Al Aswad [Inria, from Mar 2021 until Sep 2021]
 Nathan Chiche [Univ de Lorraine, from Apr 2021 until Aug 2021]
 Antoine Leudière [Inria, from Apr 2021 until Sep 2021]
 Marc Simard [Univ de Lorraine, until Jun 2021]
 Samuel Vivien [Inria, from Jun 2021 until Jul 2021]
Administrative Assistants
 Emmanuelle Deschamps [Inria]
 Virginie Priester [CNRS, until Mar 2021]
External Collaborator
 Luc Sanselme [Ministère de l'Education Nationale]
2 Overall objectives
Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the toplevel mathematical background down to the optimized highperformance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.
The two facets of cryptology—cryptography and cryptanalysis—are central to our research. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public and secretkey), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones.
Our research connects to both symmetric and asymmetric key cryptography. While the basic principles of these domains are rather different—indeed their names indicate different handlings of the key—research in both domains is led by the same objective of finding the best tradeoffs between efficiency and security. In addition to this, both require to study design and analysis together as these two aspects nurture each other.
Our research topics can be listed either with broad applications domains in mind (a very coarsegrain view would have us list them under cryptography and cryptanalysis), or more thematically (see Figure 1). Either way, we also identify a set of tools that we sometimes develop per se, but most often as ingredients towards goals that are set in the context of other themes. Following the “vertical” reading direction in Figure 1, our research topics are as follows.

Extended NFS family. A common algorithmic framework, called the Number Field Sieve (NFS), addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.
We plan to improve on the existing state of the art in this domain by researching new algorithms, by optimizing the software performance, and by demonstrating the reach of our software with highly visible computations.

Algebraic curves and their Jacobians. We develop algorithms and software for computing essential properties of algebraic curves for cryptology, eventually enabling their widespread cryptographic use.
Closely related to the Tower Number Field Sieve are pairingfriendly curves. Pairings are bilinear maps $e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{2}\to {\mathbb{G}}_{T}$ available on dedicated elliptic curves. The target group ${\mathbb{G}}_{T}$ is an extension GF$\left({p}^{n}\right)$ of small degree ($1\le n\le 54$ in practice) where the TNFS algorithm and its variants apply. We study the security of these curves w.r.t. the TNFS algorithm, and we are interested in making recommendations of keysizes, elliptic curve choices, and providing faster implementation of pairings.
Questions more recently studied include the development of cryptosystems based on isogenies.

Symmetric key cryptography. This topic has emerged in the team with several new hires since 2016. We are interested in particular in automatic tools for new paradigms of cryptanalysis, going beyond the classical linear and differential cryptanalysis techniques. Newer, more intricate techniques are rather hard to apply and are errorprone. The idea is then to automate the analysis process by developing tools implemented in constraint programming (CP) , satisfability (SAT) or mixed integer linear programming (MILP). We plan to pay special attention to the recent advances in cryptanalysis and to study recently proposed lightweight ciphers.
In addition, we also study new designs. The challenge of the lightweight world pushes symmetric cryptography to be ever more efficient while guaranteeing the same level of security as before. It is thus very important to scrutinize each building block of the symmetric key primitives to be convinced of their security.
 Quantum cryptanalysis. Cryptanalysis is at the core of security assessments. With the current progress of quantum computing, we need to know the security of cryptosystems against a quantum computer, especially for longterm security. Hence, we study quantum cryptanalysis. We focus on quantum algorithms that are the most distinct from classical algorithms, like the algorithms for the hidden subgroup problem, and on quantum variants of our classical cryptanalyses.

Tools. Several mathematical objects are pervasive in our research. We sometimes study them per se, but they most often play a key role in the work related to the topics above. In particular, we study computer arithmetic, polynomial systems, linear algebra. In the context of symmetric cryptography, the mathematical objects we deal with are rather different: we are mainly interested in small (4 or 8 bits) nonlinear permutations (the socalled Sboxes) and in linear transformations based on coding theory (Maximum Distance Separable (MDS) matrices or quasiMDS matrices).
Our goals with all these basic objects include a strong commitment to providing highquality software that can be used as a dependable building block in our research.
As a complement to the last point, we consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several longterm software development projects that are, and will remain, part of our research activity.
3 Research program
3.1 The Extended Family of the Number Field Sieve
The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.
The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered since 2014, notably for nonprime fields, and their practical reach has been demonstrated by actual experiments.
The algorithmic contributions of the CARAMBA members to NFS would hardly be possible without access to a dependable software implementation. To this end, members of the CARAMBA team have been developing the CadoNFS software suite since 2007. CadoNFS is now the most widely visible opensource implementation of NFS, and is a crucial platform for developing prototype implementations for new ideas for the many subalgorithms of NFS. CadoNFS is free software (LGPL) and follows an open development model, with publicly accessible development repository and regular software releases. Competing free software implementations exist, such as msieve, developed by J. Papadopoulos (whose last commit is from August 2018). T. Kleinjung develops his own code base, which is unfortunately not public.
The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:
 Pursue the work on NFS, which entails in particular making it ready to tackle larger challenges. Several of the important computational steps of NFS that are currently identified as stumbling blocks will require algorithmic advances and implementation improvements. We will illustrate the importance of this work by computational records.
 Work on the specific aspects of the computation of discrete logarithms in finite fields.
 As a side topic, the application of the broad methodology of NFS to the treatment of “ideal lattices” and their use in cryptographic proposals based on Euclidean lattices is also relevant.
3.2 Algebraic Curves for Cryptology
The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters, while cryptanalysis looks at the hardness of the discrete logarithm problem.
Several members have expertise in multiple facets of curvebased cryptology, but recent work in the team has been concentrated on a few precise topics. One of them is pairingbased cryptography. Pairingfriendly curves were introduced in 2001 in (constructive) cryptography and should be designed with a a very precise application goal in mind, contrary to the widespread curves such as x25519 or x448 in TLS, or the NIST curves, which can be used much more generically. The bilinear pairing has two aspects. First a destructive side: it transfers a discrete logarithm computation from the group of points of the curve (where the DLP is known to be hard, of exponential complexity in the size of the group), to a finite field extension $GF\left({p}^{n}\right)$ where better variants of the NFS algorithm apply. Hence pairingfriendly curves and in particular, wrong choices of parameters provide a large range of targets for record computations with the TNFS algorithm. Second, a constructive side: the pairing allows the multiplication in the exponents two hidden values (two secret scalars) without knowing them explicitly, thanks to the formula $e({g}_{1}^{a},{g}_{2}^{b})=e{({g}_{1},{g}_{2})}^{ab}$. We are looking for new curves that ensure a given security level, taking into account the latest advances in DL computation in $GF\left({p}^{n}\right)$, together with the development of faster pairing computation on these curves. Another growing area of interest for efficient pairings is zeroknowledge Succinct Noninteractive ARgument of Knowledge (zkSNARK). Dedicated pairingfriendly curves are required and the team is interested in finding new such curves, while ensuring a security margin w.r.t. the TNFS algorithm.
We also investigate the practical security (e.g. against physical attacks) of elliptic curves and their implementations. Our focus here is more on the connection of such problems with Euclidean lattice theory, for example.
With NIST's competition on postquantum cryptographic primitives, the new area of isogenies on elliptic curves is developing. Efficient implementation of isogenies is an active area of research nowadays, together with better parameter selection. The elliptic curves suitable for isogenies require different properties: they are supersingular contrary to the ordinary curves in classical cryptography. Selecting parameters is a difficult task, and in some cases, it requires a large computational effort of a class number computation.
The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:
 Ban obsolete parameters of pairingfriendly curves thanks to new discrete logarithm record computations. Investigate new parameter selections and build new cryptographic recommendations of pairingfriendly elliptic curves.
 Develop a full library of elliptic curves with their pairing computations in SageMath in the spirit of the Elliptic Curve Formula Database to bridge the gap between theoretical papers and efficient software library developments.
3.3 Symmetric Cryptography
In symmetric key cryptology, we are tackling problems related to both design and analysis. A large part of our recent research has been motivated by the Lightweight Cryptography Standardization Process of the NIST 1 that embodies a crucial challenge of the last decade: finding ciphers that are suitable for resourceconstrained devices.
On a general note, the working program of CARAMBA in symmetric cryptography is defined as follows:
 Develop automatic tools based on constraint programming to help find optimum attack parameters. The effort will be focused on the AES standard and on recent lightweight cipher proposals.
 Contribute to the security and performance analysis effort required to sort out the candidates for the NIST Lightweight Cryptography Standardization Process.
 Study how to protect services execution on dedicated platforms using whitebox cryptography and software obfuscation methods.
3.4 Computer Arithmetic
Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in our application domains. However involved the mathematical objects considered may be, dealing with them first requires to master more basic objects: integers, finite fields, polynomials, and real and complex floatingpoint numbers. Libraries such as GNU MP, GNU MPFR, GNU MPC do an excellent job for these, both for small and large sizes.
Most of our involvement in subjects related to computer arithmetic is to be understood in connection to our applications to the Number Field Sieve and to abelian varieties. As such, much of the research work we envision will appear as sideeffects of developments in these contexts. On the topic of arithmetic work per se:
 We will seek algorithmic and practical improvements to the most basic algorithms. That includes for example the study of advanced algorithms for integer multiplication, and their practical reach.
 We will continue to work on the arithmetic libraries in which we have crucial involvement, such as GNU MPFR, GNU MPC, GF2X, MPFQ, and also GMPECM.
4 Application domains
4.1 Better Awareness and Avoidance of Cryptanalytic Threats
Our study of the Number Field Sieve family of algorithms aims at showing how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for the choice of appropriate cryptographic primitives. For example the French ANSSI 2, German BSI, or the NIST 3 in the United States base their recommendations on such computational achievements.
The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks to cryptographic systems that are taking the security/efficiency/legacy compatibility tradeoffs too lightly. Attacks such as LogJam 32 are understood as being serious concerns thanks to our convincing proofofconcepts. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve confidentiality of communications.
4.2 Promotion of Better Cryptography
We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.
We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.
4.3 Key Software Tools
The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.
We also develop more specialized software. Our flagship software package is CadoNFS 38, and we also develop some others with various levels of maturity, such as GMPECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible source of inspiring material for others, it is again important that these be developed in a free and opensource development model.
5 Highlights of the year
5.1 Awards
 The article 4 got one of the three best paper awards at the Asiacrypt conference in December 2021. This article achieved a record computation of a discrete logarithm in a 521bit size finite field.
 Gabrielle De Micheli got the Price L’OréalUNESCO Young Talents France 2021 – for Women and Science. It aims to reward PhD students and postdoctoral researchers for their work in various area of Science.
 With colleagues from the PESTO team, Pierrick Gaudry was awarded a bug bounty for the discovery of a privacy attack in the SwissPost electronic voting system.
 Emmanuel Thomé was awarded a Fulbright grant to visit University of California San Diego for one year, and appointed as a visiting professor in San Diego for that time.
6 New software and platforms
6.1 New software
6.1.1 Belenios

Name:
Belenios  Verifiable online voting system

Keyword:
Evoting

Functional Description:
Belenios is an opensource online voting system that provides vote confidentiality and verifiability. Endtoend verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).
Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters order candidates and grade them.
Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

News of the Year:
In 2021, our platform was used for the organization of about 2000 elections, with about 70,000 ballots counted.
This year, we modified the voting platform to make it more userfriendly and responsive: it automatically adapts on a cell phone, for example. We also developed two new interfaces to vote by ranking the candidates (Condorcet) or by rating them (Majority Judgement). Following several requests, Belenios now offers weighted votes, where each voter has a certain number of votes. Less visible to users, an important change was the update of the cryptographic core, in order to better link a ballot to the context of the election. Finally, we initiated the development of a REST API and modernized the management of administrator accounts.
 URL:

Contact:
Stéphane Glondu

Participants:
Pierrick Gaudry, Stéphane Glondu, Véronique Cortier

Partners:
CNRS, Inria
6.1.2 CADONFS

Name:
Crible Algébrique: Distribution, Optimisation  Number Field Sieve

Keywords:
Cryptography, Number theory

Functional Description:
CADONFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists in various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.

News of the Year:
During year 2021, several internal aspects of the CADONFS code were modified.  some computations are now shared in order to save a significant number of modular inversions during the sieving step.  the Python script that orchestrates the computation has been improved.  32bit factor bases are now supported.  the filtering simulation code has been improved.  the continuous integration machinery has been considerably improved and extended.  tooling was put in place in order to automatically detect code defects with static analysis software (Coverity Scan).
In 2020, CADONFS has moved to the Inria gitlab platform. However, the question of a permanent URL that CadoNFS could use is still awaiting validation by the relevant service.
 URL:

Contact:
Emmanuel Thome

Participants:
Pierrick Gaudry, Emmanuel Thome, Paul Zimmermann
6.1.3 TNFSalpha

Name:
alpha for the Tower Number Field Sieve algorithm

Keyword:
Cryptography

Functional Description:
This library implements a simulation tool for the tower number field sieve algorithm computing discrete logarithms in extension fields of small degree (tested up to 54). The library contains an implementation of the exact computation of alpha, the bias between the expected smoothness of an integer and the expected smoothness of a norm of an algebraic integer in a number field made of two extensions. The algorithm is a generalization to extensions of the exact implementation of alpha in the software CADONFS. The software contains an implementation of the Efunction of B. A. Murphy (Murphy's E) which estimates the quality of the polynomial selection step in TNFS through a simulation of the yield of the relation collection in the TNFS algorithm. Finally it contains a database of pairingfriendly curve seeds with the estimated level of security w.r.t a discrete logarithm computation in the corresponding finite field.

News of the Year:
The paper hal02263098 was published in 2021 and the library was updated accordingly. The library was updated later in 2021 to estimate the security of the curves listed at https://members.loria.fr/AGuillevic/pairingfriendlycurves/ and other curves upon request (e.g. the Pluto BN curve).
 URL:
 Publications:

Contact:
Aurore Guillevic
6.1.4 ALPINAC

Name:
ALgorithmic Process for Identification of Nontargeted Atmospheric Compounds

Keyword:
Chemistry

Functional Description:
ALPINAC identifies up to 95% of the measured signal obtained from an ElectronImpact TimeofFlight High Resolution Mass Spectrometer (EI ToF HRMS) on air sampling, without apriori knowledge on the encountered chemical compounds, without database search. The software was successfully tested on mass spectrum ranging from 23 m/z to 330 m/z.

News of the Year:
ALPINAC was first released in July 2021.
 URL:
 Publication:

Contact:
Aurore Guillevic

Partner:
EMPA
6.1.5 snark2chains

Name:
Families of SNARKfriendly 2chains of elliptic curves

Keywords:
Cryptography, Cryptocurrency, Blockchain

Functional Description:
This small library implements finite field and elliptic curve arithmetic for BN curves (BarretoNaehrig), BLS curves (BarretoLynnScott), and 2chains made of BW6 (BrezingWeng curves of embedding degree 6), CP8, CP12 (CocksPinch curves of embedding degree 8 and 12) for use with zksnarks (zeroknowledge succinct noninteractive argument of knowledge). The cryptographic applications are: pairing, scalar multiplication on the curves, hashing on the curves. The code is a proof of concept tied to a preprint and is not optimized.

News of the Year:
The library was first released in October 2021.
 URL:
 Publication:

Contact:
Aurore Guillevic
7 New results
7.1 Algebraic curves for cryptology
7.1.1 Families of SNARKfriendly 2chains of elliptic curves
This work 30 is a generalization of 34 published last year at CANS'2020, with Youssef El Housni, PhD student in the GRACE team at Inria Saclay, and ConsenSys. This paper considers chains of two pairingfriendly elliptic curves for SNARKs (Succint Noninteractive ARguments of Knowledge). In the previous work, one 2chain was investigated: the curves BLS12381 and BW6761. This work considers 2chains of curves where the first (inner) curve can be a BN (Barreto–Naehrig), or a BLS12 or BLS24 (Barreto–Lynn–Scott) curve. The second (outer) curve is obtained with the Brezing–Weng construction (BW6 curves) of the CocksPinch curve. The aim is to provide other tradeoffs in terms of size, and arithmetic and pairing efficiency. This preprint improves the operations on BLS curves: a general proof of faster cofactor multiplication is provided for example. The companion code is referenced in Section 6.1.5, and a full Golang implementation is developed in the library GNARK.
7.2 The Number Field Sieve
7.2.1 On the Alpha value of polynomials in the Tower Number Field Sieve Algorithm
Participants: Aurore Guillevic.
The preprint version of 14 appeared in the report of 2019, this paper was published in 2021 in the new diamond openaccess journal Mathematical Cryptology. With Shashank Singh from IISER Bhopal (former postdoc at CARAMBA in 2017), we generalized the ranking function $\alpha $ for the Tower setting of the Number Field Sieve in 14. In the relation collection of the NFS algorithm, one tests the smoothness of algebraic norms (computed with resultants). The $\alpha $ function measures the bias of the average valuation at small primes of algebraic norms, compared to the average valuation at random integers of the same size. A negative $\alpha $ means more small divisors than average. We then estimate the total number of relations with a MonteCarlo simulation, as a generalized Murphy's $E$ function, and finally give a rough estimate of the total cost of TNFS for finite fields ${\mathbb{F}}_{{p}^{k}}$ of popular pairingfriendly curves. The companion code is referenced in Section 6.1.3. The results of this paper and the source code were reused to assess the security of pairingfriendly elliptic curves in the context of SNARKs 30, and the polynomial selection implementation was involved in the record computation 4.7.2.2 Lattice enumeration for Tower NFS: a 521bit discrete logarithm computation
Participants: Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot.
The Tower variant of the Number Field Sieve (TNFS) is known to be asymptotically the most efficient algorithm to solve the discrete logarithm problem in finite fields of medium characteristic, when the extension degree is composite. A major obstacle to an efficient implementation of TNFS is the collection of algebraic relations, as it happens in dimension greater than 2. This requires the construction of new sieving algorithms which remain efficient as the dimension grows. In 4, we overcome this difficulty by considering a lattice enumeration algorithm which we adapt to this specific context. We also consider a new sieving area, a highdimensional sphere, whereas previous sieving algorithms for the classical NFS considered an orthotope. Our new sieving technique leads to a much smaller running time, despite the larger dimension of the search space, and even when considering a larger target, as demonstrated by a record computation we performed in a 521bit finite field ${\mathbb{F}}_{{p}^{6}}$. The target finite field is of the same form than finite fields used in recent zeroknowledge proofs in some blockchains. This is the first reported implementation of TNFS.7.2.3 Refined analysis of the asymptotic complexity of the Number Field Sieve
Participants: Aude Le Gluher, PierreJean Spaenlehauer, Emmanuel Thomé.
The preprint version of this work was written in 2020. This paper was published in 2021 in the new diamond openaccess journal Mathematical Cryptology.
In 15, we examine how it is possible to refine the asymptotic complexity of the Number Field Sieve. Its most commonly used expression, for the factorization of an $n$bit integer, is of the form $exp\left(\right(1+o\left(1\right)\left)f\right(n\left)\right)$. This $(1+o(1\left)\right)$ factor is present for reasons that pertain to analytic number theoretic results. In practical terms however, this inaccuracy is problematic since it can swallow potentially huge factors. Yet, extrapolations on the hardness of integer factoring, or of finite field discrete logarithms, resort to setting $o\left(1\right)=0$ by lack of a better alternative. In 15, we try to see what hides behind $o\left(1\right)$. On the positive side, we show that symbolic computation tools can be used to provide an asymptotic expansion to arbitrarily many terms. On the negative side, we show that this expansion is basically useless, as $o\left(1\right)$ stands in fact for a series that diverges in a range that widely encompasses the practical range. A consequence of this is that predictions of the hardness of, say, 8000bit RSA, given a data point for 800bit RSA should be regarded with extreme care.
7.2.4 History of cryptographic key sizes
Participants: Emmanuel Thomé.
The book chapter 23 (online in 2021, to be published in 2022) was written in the context of a festschrift dedicated to Arjen K. Lenstra, and relates the progression of cryptanalysis over several decades, and its impact on the recommendation of key sizes. Both secret and publickey settings are covered, and in particular the most recent computational records which were obtained by Caramba (and coauthors) using CadoNFS are of course part of this history.
7.3 Symmetric cryptology
7.3.1 MOE: Multiplication Operated Encryption with Trojan resilience
Participants: Virginie Lallemand.
As most hardware design companies cannot afford having their own foundries, a common strategy consists in outsourcing the production of integrated circuits to external factories. While this solution allows them to reduce the production costs, it brings up the problem of trust in the third party. One of the most feared threats in this respect goes under the name of hardware Trojan, defined as a malicious modification of the circuit design. In this paper 10 we studied the possibility of building a symmetric cipher that would reach Trojanresilience in an efficient manner. Our concrete proposal is called MOE, acronym for “Multiplication Operated Encryption”. It can be implemented using (mostly) untrusted lowcost chips and provides robustness more efficiently than by exploiting secret sharing and multiparty computation on a standard block cipher. MOE exploits a simple round structure mixing a modular multiplication and a multiplication with a binary matrix. Besides being motivated as a new block cipher design for Trojan resilience, our research also exposes the cryptographic properties of the modular multiplication, which is of independent interest.
7.3.2 CTET+: A beyondbirthdaybound secure tweakable enciphering scheme using a single pseudorandom permutation
Participants: Virginie Lallemand, Marine Minier.
In this paper 11, we build upon the results on tweakable SPNs (Single Pseudorandom Permutations) with independent round keys and permutations from CRYPTO 2018 by constructing a 2round tweakable substitutionpermutation network using a single secret Sbox. The construction is based on nonlinear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an $n$bit block cipher with $k$bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts $wn$bit messages for any integer $w>1$ using $5n+k$bit keys and $n$bit tweaks, providing $2n/3$bit security.
Furthermore, we propose a concrete instance with $n=128$ named AES6CTET+ which is a new tweakable enciphering scheme using a reduced round AES block cipher as the underlying secret Sbox.
7.3.3 Efficient methods to search for best differential characteristics on SKINNY
Participants: Marine Minier.
In 19, we propose automatic tools to find the best differential characteristics on the SKINNY block cipher. As usually done in the literature, we split this search in two stages denoted by Step 1 and Step 2. In Step 1, we aim at finding all truncated differential characteristics with a low enough number of active Sboxes. Then, in Step 2, we try to instantiate each difference value while maximizing the overall differential characteristic probability. We solve Step 1 using an adhoc method inspired from the work of Fouque et al. whereas Step 2 is modelized for the Chocosolver library as it seems to outperform all previous methods on this stage.Notably, for SKINNY128 in the SK model and for 13 rounds, we retrieve the results of Abdelkhalek et al. within a few seconds (instead of 16 days) and we provide, for the first time, the best differential relatedtweakey characteristics up to 14 rounds for the TK1 model. Regarding the TK2 and the TK3 models, we were not able to test all the solutions in Step 1, and thus the differential characteristics we found up to 16 and 17 rounds are not necessarily optimal.
7.3.4 Nontriangular selfsynchronizing stream ciphers
Participants: Paul Huynh, Marine Minier.
In 12, we propose an instantiation, called Stanislas, of a dedicated SelfSynchronizing Stream Cipher (SSSC) involving an automaton with finite input memory using nontriangular state transition functions. Previous existing SSSCs are based on automata with shifts or triangular functions (T–functions) as state transition functions. Our algorithm Stanislas admits a matrix representation deduced from a general and systematic methodology called Linear Parameter Varying (LPV). This particular representation comes from the control theory, more specifically from a special property of dynamical systems called flatness. Hardware implementations and comparisons with some stateoftheart stream ciphers on Xilinx FPGAs are presented. It turns out that Stanislas provides bigger throughput than the considered stream ciphers (synchronous and selfsynchronizing) when straightforward implementations are considered. Moreover, its synchronization delay is much smaller than the SSSC Moustique (40 clock cycles instead of 105) and the standard approach CFB1AES128 (40 clock cycles instead of 128).7.3.5 Hybrid architecture of LPV dynamical systems in the context of cybersecurity
Participants: Marine Minier, Hamid Boukerrou.
The article 21 deals with an hybrid architecture involving LPV dynamical systems for encryption purposes, in the context of cybersecurity. Such an hybrid architecture is motivated by the fact that it is a natural model, recast in a controltheoretic framework, of a socalled statistical selfsynchronizing stream cipher. It is shown that flatness is central to guarantee the necessary synchronization between the cipher and the decipher. In this context, beyond synchronization, security must be taken into account as well. We especially focus on diffusion as a security criterion. The hybrid architecture makes it possible to satisfy both properties simultaneously. An illustrative example presents a numerical application and must be considered as a proofofconcept before further investigation.7.4 Evoting
7.4.1 A privacy attack on the Swiss Post evoting system
Participants: Pierrick Gaudry.
The Swiss Post company is in the process of certification of its new evoting system, to be used by the Swiss Cantons in the course of 2022. In this context, the specification and the source code are gradually revealed for being studied by the community. A private bug bounty program has first been launched and a public bug bounty has followed.Together with Alexandre Debant and Véronique Cortier, from the PESTO team, we have discovered a privacy issue in the protocol and its implementation that would allow a collusion of a subset of the trust parties to learn the vote of any voter of their choice. This is in contradiction with the trust model imposed by the Federal Chancellery that imposes that privacy should be preserved unless all the trustees are dishonest.
For this result 28, accepted to RWC 2022, we obtained a generous reward from the bug bounty program (40 k euros). The protocol has been fixed, and the certification process continues.
7.4.2 A toolbox for verifiable tallyhiding evoting systems
Participants: Pierrick Gaudry, Quentin Yang.
In this work 29, we explore the possibility of revealing only the result of an election, without decrypting the individual ballots, or any sideinformation. The result must be computed in a way such that everyone can verify that it indeed corresponds to the (public) ballot box. Also, even the trust parties who possess the shares of the decryption key should not learn anything more than the winner of the election.
We propose a multiparty computation toolbox dedicated to this kind of problems, and show that it allows us to tackle all famous tally functions, including the most complicated, like the CondorcetSchulze, D'Hondt, STV, or Majority Judgement. We also explain how the classical ElGamal encryption (typically based on elliptic curves) can be used, instead of the Paillier scheme that is often chosen in theoretical papers, but is far less frequent in standard crypto libraries.
7.5 Quantum security
7.5.1 Quantum period finding against symmetric primitives in practice
Participants: Xavier Bonnetain.
In this work 8, we propose the first full resource estimate of a quantum attack on symmetric ciphers that is not a generic key search. In more details, we give complete quantum circuits for the Offline Simon's algorithm, instanciated to attack the block cipher PRINCE, the MAC (and ISO standard) Chaskey and the authenticated encryption scheme Elephant. This work shows that the attack has reasonable qubit requirements and a low time overhead compared to a simple asymptotic exponentbased analysis.7.5.2 Quantum linearization attacks
Participants: Xavier Bonnetain.
In this work 17, we introduce the quantum linearization attack, which is a novel way to use Simon's algorithm to attack symmetric schemes. It leverages a linear structure inside the construction.We also present some variants of this attack that use other quantum algorithms, which are much less common in quantum symmetric cryptanalysis: Deutsch's, BernsteinVazirani's, and Shor's. To the best of our knowledge, this is the first time these algorithms have been used in quantum forgery or keyrecovery attacks.
Our attacks break most parallelizable MACs such as LightMac, PMAC, and numerous variants with (classical) beyondbirthdaybound security (LightMAC+, PMAC) or using tweakable block ciphers (ZMAC). More generally, it shows that constructing parallelizable quantumsecure PRFs might be a challenging task.
7.5.3 QCB: efficient quantumsecure authenticated encryption
Participants: Xavier Bonnetain.
In this work 16, we propose QCB, the first parallelizable rateone authenticated encryption mode proven secure against quantum superposition attacks. It builds upon a tweakable block cipher and is secure up to the birthday bound.We also generalize some quantum attacks, which allows us to show that a large class of authenticated encryption modes is broken in a quantum setting, and discuss the quantum security notions for authenticated encryption modes.
7.6 Other
7.6.1 Automated fragment formula annotation for electron ionisation, high resolution mass spectrometry: application to atmospheric measurements of halocarbons
Participants: Aurore Guillevic.
The work 13 has nothing to do with cryptography, except that it uses combinatorics and algorithms to recover structured information from raw data. Somehow, it is a kind of cryptanalysis. It started as an informal discussion between the first two coauthors. In 2019–2021, M. Guillevic was a postdoctoral researcher at EMPA. The companion code is referenced in Section 6.1.4.7.6.2 The COREMATH project
Participants: Paul Zimmermann.
The year 2021 was devoted to the preparation of the COREMATH project, which was officially started in 2022. The aim of COREMATH is to provide ontheshelf opensource mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvmlibc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (simple precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits).In 2021, two functions were implemented for the above four formats: the cubic root function (cbrt) and the arccosine function (acos). In parallel, the article about the accuracy of current mathematical libraries was extended with the help of Vincenzo Innocente to the Apple and CUDA mathematical libraries 31. This article shows that current mathematical libraries return very different results, and are far from correct rounding, even for rounding to nearest.
7.6.3 Parallel integer multiplication
Participants: Emmanuel Thomé, Samuel Vivien, Paul Zimmermann.
During his L3 internship, Samuel Vivien designed a parallel integer multiplication algorithm and did efficiently implement it on top of GNU MP. His implementation outperforms the Flint library, which is the only other software tool providing parallel integer multiplication. For example, on a 32core Xeon Gold, a speedup of 20 is obtained for the multiplication of two integers of ${10}^{7}$ words of 64 bits (over the sequential code). The article describing this work has been accepted to the 30th Euromicro International Conference on Parallel, Distributed and Networkbased Processing (PDP 2022) 20.8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
Participants: Pierrick Gaudry.
Together with the PESTO team, we had a short contract with Swiss Post. The goal was to update the formal proofs of their evoting protocol, in order to follow its evolution and to fix a few problems.
9 Partnerships and cooperations
9.1 International initiatives
9.1.1 Informal International Partners
Participants: Marine Minier, Virginie Lallemand.
Since January 2020 a virtual center for cybersecurity has been established between LORIA and CISPA in Saarbrucken (Germany). This virtual center is led by Marine Minier for LORIA and by Antoine Joux for CISPA.9.2 International research visitors
9.2.1 Visits to international teams
Sabbatical programme
Emmanuel Thomé

Visited institution:
University of California San Diego (ÉtatsUnis)

Dates of the stay:
From Sun Aug 01 2021 to Sun Jul 31 2022

Summary of the stay:
E. Thomé is visiting N. Heninger, associate professor in the Security and Cryptography group at University of California San Diego (UCSD). More precisely, the research topics of E. Thomé during his stay at UCSD are:
 Preparation for larger factoring and discrete logarithm computations.
 Better hardness estimates for the Number Field Sieve.
 Further development of the Factoringasaservice tool.
Aurore Guillevic

Visited institution:
Aarhus Universitet (Danemark)

Dates of the stay:
From Sun Aug 01 2021 to Sun Jul 31 2022

Summary of the stay:
A. Guillevic is visiting Diego F. Aranha, associate professor in the Cryptography and Security Group led by Ivan P. Damgård. A. Guillevic is working on
 More precise estimates of the SpecialTowerNFS algorithm in extension fields $\text{GF}\left({p}^{n}\right)$ from pairingbased cryptographic examples such as $\text{GF}\left({p}^{12}\right)$ where $p$ has a polynomial form (BN curves, BLS curves). This is based on 14 and the library in Section 6.1.3.
 A shortlist of pairingfriendly curves at the 192bit security level. Based on the results of the previous item, with Diego Aranha (Aarhus University) and Georgios Fotiadis from the University of Luxembourg, the work 35 will be extended to the 192bit security level.
 Elliptic curves for SNARK, with Youssef El Housni, see Section 7.1.1.
 SageMath/Python implementation of pairings and pairingfriendly curves, for now this is released as a compagnion code with 30, see Section 6.1.5.
 Elliptic curves for isogenies and postquantum cryptography.
A. Guillevic will be teaching in the Spring semester from January 31 to May 20 the Master course Elliptic Curves, Number Theory and Cryptography.
9.3 National initiatives
9.3.1 ANR Decrypt
Participants: Marine Minier, Virginie Lallemand.
 Program: ANR
 Project acronym: DECRYPT
 Duration: 01/2019  12/2022
 Coordinator: Caramba Team, LORIA
 Other partners: LIRIS (Lyon), LIMOS (ClermontFerrand), IRISA (Rennes), TASC (Nantes).
This project aims to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.
One of the challenges of this project will be to define global constraints dedicated to the case of symmetric cryptography.
Concerning constraint programming, this project will define new dedicated global constraints, will improve the underlying filtering and solution search algorithms, and will propose dedicated explanations generated automatically. See web site for more information.
10 Dissemination
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
 PierreJean Spaenlehauer is a member of the organisation committee of the Journées Nationales du Calcul Formel 2022.
10.1.2 Scientific events: selection
Member of conference program committees
 Aurore Guillevic was PC member of IACR Asiacrypt'2021 and Latincrypt'2021.
 Marine Minier was PC member of Latincrypt'2021.
 PierreJean Spaenlehauer was a member of the software presentation committee of ISSAC'2021.
 Pierrick Gaudry was a PC member of the CTRSA 2022, PKC 2022 and Eurocrypt 2022 conferences.
10.1.3 Journals
Member of editorial boards
 Xavier Bonnetain, Sébastien Duval and Virginie Lallemand are members of the editorial board of the IACR Transactions on Symmetric Cryptology (ToSC) Journal for 2021. This journal is the openaccess journal associated to the International Conference on Fast Software Encryption (FSE).
 Since October 2021, Emmanuel Thomé is a member of the editorial board of the Computational Algebra section of the Journal of Algebra.
Reviewer  reviewing activities
Members of the projectteam did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.
Paul Zimmermann also did a review of the article Integer Points Close to a Transcendental Curve and CorrectlyRounded Evaluation of a Function by Nicolas Brisebarre and Guillaume Hanrot (AriC projectteam, Inria RhôneAlpes), and tested the accompanying software tools. His comments are taken into account in the latest version 33.
10.1.4 Invited talks
 Virginie Lallemand was invited to give a (remote) talk at the Séminaire Crypto & Sécurité of the GREYC Research Laboratory of Caen in June 2021. She also was invited to give two talks at the CISPALORIA workshops (February and November).
 Marine Minier was invited to give a talk to Cyber in Saclay, winter school of the GDR sécurité in February 2021.
 Cécile Pierrot was invited to give a talk to the Tutte Colloquium, University of Waterloo in June 2021.
 Xavier Bonnetain was invited to give two talks during the Dagstuhl Seminar 21421 on Quantum Cryptanalysis in October 2021.
 Aurore Guillevic was invited to give a talk at the online Journées Nationales Informatique Mathématique (Journées du GDRIM), March 16.
 Paul Zimmermann was invited to give a talk at the online CaSToRC HPC Seminar Series (Cyprus Supercomputing Center), November 16.
10.1.5 Leadership within the scientific community
 Cécile Pierrot is a member of the steering committee of the French working group Code and Cryptography.
 Pierrick Gaudry is a member of the Conseil Scientifique du GdR IM.
10.1.6 Scientific expertise
 Pierrick Gaudry was a member of a jury for the Innoviris LAUNCH program, whose goal is to fund startups created on the basis of academic work.
 Paul Zimmermann was a reviewer for the “Appel à projets Emergence” for Sorbonne University (France).
 JeanMichel Muller (AriC projectteam, Inria RhôneAlpes) and Paul Zimmermann were contacted by Andrew Haley to review the “Shubfach” algorithm proposed by Raffaello Giulietti for the double to string conversion (latest version here). This algorithm takes as input a binary64 number, and outputs a decimal string with minimal length so that, if we convert back that string to binary64 with rounding to nearest, we recover the original number. The corresponding OpenJDK patch had been stuck as an open pull request for nearly two years because of the difficulty of verifying the algorithm's correctness. A public review was made, which confirmed the correctness of the algorithm, and the OpenJDK patch will be included in the next release.
10.1.7 Research administration
 Marine Minier is (since September 2021) assistant director of the LORIA laboratory.
 Marine Minier is responsible for the LORIA laboratory of the cybersecurity axis.
 Marine Minier is cohead (with Antoine Joux from CISPA) of the GermanFrench virtual center for cybersecurity between LORIA and CISPA (Saarbrucken, Germany).
 Marine Minier is the scientific head of the LUE4 impact project DigiTrust (20182022, 2,2 Meuro).
 Marine Minier is an elected member of the Collégium “sciences et techniques” from University of Lorraine.
 Marine Minier is a member of the steering committee of the LHS – Laboratoire Haute Sécurité of LORIA.
 Marine Minier was president of the “comité de spécialistes” of the “poste 27MCF1352”, and member of the “comité de spécialistes” of the “poste 27PR4310”.
 PierreJean Spaenlehauer is a member of the Commission des Développements Technologiques of the Inria Nancy – Grand Est research center.
 Pierrick Gaudry was a member of the hiring committee for two Professors in mathematics (25) in the Institut de Mathématiques de JussieuParis Rive Gauche.
 Pierrick Gaudry is a member of the steering committee of the LHS – Laboratoire Haute Sécurité of LORIA.
 Cécile Pierrot is a member of the Comité de Centre Inria Nancy  Grand Est.
 Cécile Pierrot is a member of the working group concerning remote work at Inria.
 Cécile Pierrot is a leader and member of the local group for integration of young researchers in Nancy (Loria, Inria) and Strasbourg (Inria).
 Paul Zimmermann is member of the scientific committee of the EXPLOR computing center (Université de Lorraine).
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Bachelor
 Pierrick Gaudry, Intégration Web, 48h eq. TD, IUT 1A, Université de Lorraine, IUT Charlemagne, Nancy, France.
 Sébastien Duval, Algorithmique et Programmation 3, 28h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Introduction à la sécurité et à la cryptographie, 35h eq. TD, L3, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Mathématiques Discrètes, 80h eq. TD, L2, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Master
 Sébastien Duval, Analyse et Conception de Logiciels, 22h eq. TD, M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Sécurité des Systèmes d'Information, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Sécurité des Applications Web, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 PierreJean Spaenlehauer, Théorie analytique des nombres, géométrie algébrique, et applications à la cryptographie, 24h eq. TD, M2 Mathématiques Fondamentales et Appliquées, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier is head of the M2 SIRAV, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy.
 Marine Minier, Contrôle d'accès, 40h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Intégration Méthodologique, 36h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier Sécurité Informatique, 18h eq. TD, M2 droit, Université de Lorraine.
 Marine Minier is head of the M2 SIRAV, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Engineering school
 Aurore Guillevic, RSA, Integer Factorization, record computations, 1h30 guest lecture, Master, MIT, Cambridge MA, Course 6.857: Computer and Network Security, Spring 2021
 Cécile Pierrot, Introduction to Modern Cryptography, 27h eq. TD, Second year of Engineering school, TELECOM Nancy, France.
 Cécile Pierrot, Cryptography and Communication, 15h eq. TD, Second year of Engineering school, TELECOM Nancy, France.
 Cécile Pierrot, Introduction to Cryptography, 54h eq. TD, Mastère spécialisé de cybersécurité, École des Mines de Nancy, France.
 Haetham AL ASWAD, Programming and Data Structures: Python, 22h eq. TD, First year of Engineering, École des Mines de Nancy, France.
 Antoine Leudière, Programming and Data Structures: Python, 22h eq. TD, First year of Engineering, École des Mines de Nancy, France.
10.2.2 Supervision
 Ph.D.: Gabrielle De Micheli, Discrete Logarithm Cryptanalyses : Number Field Sieve and Lattice Tools for SideChannel Attacks, Université de Lorraine, defended May 25, 2021, advised by Cécile Pierrot and Pierrick Gaudry 24.
 Ph.D.: Aude Le Gluher, Symbolic Computation and Complexity Analyses for Number Theory and Cryptography, Université de Lorraine, defended December 7, 2021, advised by PierreJean Spaenlehauer and Emmanuel Thomé 25.
 Ph.D. in progress: Antoine Leudière, Isogenies of Drinfeld modules and postquantum cryptography, since Oct. 2021, PierreJean Spaenlehauer and Emmanuel Thomé.
 Ph.D. in progress: Ana Rodriguez Cordero, Design and Cryptanalysis of New Symmetric Key Cryptographic Primitives, since Oct. 2021, Virginie Lallemand and Marine Minier.
 Ph.D. in progress: Loïc Rouquette, Constraint Programming for symmetric key cryptography, since Oct. 2019, Christine Solnon and Marine Minier, Ph.D. in Lyon.
 Ph.D. in progress: Hamid Boukerrou, Control Theory for stream ciphers, since Oct. 2019, Gilles Millerioux and Marine Minier, Ph.D. in the CRAN Lab.
10.2.3 Juries
 Virginie Lallemand was member of the PhD thesis jury Selected Topics in Cryptanalysis of Symmetric Ciphers defended by JohnPetter Indrøy, October 2021, University of Bergen (Norway).
 Aurore Guillevic was reviewer of the PhD thesis Conception de courbes elliptiques et applications defended by Rémi Clarisse, December 16, 2021, Université de Rennes 1.
 Pierrick Gaudry was a member of the PhD thesis jury Isolating the Singularities of the Plane Projection of Generic Space Curves and Applications in Robotics defended by George Krait, May 2021, Université de Lorraine.
 Marine Minier was reviewer of the PhD thesis Techniques de cryptanalyse dédiées au chiffrement à bas coût defended by Daniele Coggia, October 8 2021, Sorbonne Université.
 Marine Minier was reviewer of the PhD thesis La sécurité et l'optimisation des chaines à blocs et algorithmes associés defended by Mirko Koscina, October 5 2021, Université Paris Sciences et Lettres.
 Marine Minier was reviewer of the PhD thesis Modélisation de réseaux IoT hétérogènes à des fins d’évaluation de sécurité defended by Jonathan Tournier, March 10 2021, Université de Lyon.
 Marine Minier was reviewer of the PhD thesis On GDPR Compliant Data Processing defended by Supriya Adhatarao, July 22 2021, Université Grenoble Alpes.
 Marine Minier was president of the PhD thesis Conception, analyse et implémentation d'algorithmes de chiffrement symétrique sur FPGA defended by Loïc Besson, December 22 2021, Université de Versailles Saint Quentin en Yvelines.
 Paul Zimmermann was reviewer and member of the PhD thesis Softwarebased approximate computing for mathematical functions defended by Nicholas Gerard Timmons on June 18, 2021, Cambridge University.
 Paul Zimmermann was reviewer of the PhD thesis Building a Formally Verified HighPerformance MultiPlatform Cryptographic Library in F${}^{*}$ by Marina Polubelova, to be defended in 2022, PSL University (Paris, France).
10.3 Popularization
10.3.1 Interventions
 Cécile Pierrot, PierreJean Spaenlehauer and Paul Zimmermann are involved in the animation of a MATh. en. JEANS activity at the Lycée Vauban, Luxembourg.
 Cécile Pierrot took part to the event "Chiche ! Une classe, un chercheur" that intends to present computer science studies and careers to young people. She met 5 groups of 30 students each at Lycée Margueritte, Verdun, France.
10.3.2 Education
 Cécile Pierrot was invited to take part to discussions about the NSI (Numérique et Science Informatique) courses with highschool teachers from Académie de Reims, France.
11 Scientific production
11.1 Major publications
 1 inproceedingsQuantum Linearization Attacks.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 422452
 2 inproceedingsComparing the difficulty of factorization and discrete logarithm: a 240digit experiment.Annual International Cryptology ConferenceAdvances in Cryptology – CRYPTO 202012171Lecture Notes in Computer ScienceSanta Barbara CA, United StatesSpringerAugust 2020, 6291
 3 inproceedingsAsymptotic complexities of discrete logarithm algorithms in pairingrelevant finite fields.Annual International Cryptology ConferenceCRYPTO 2020  40th Annual International Cryptology Conference12171Lecture Notes in Computer ScienceSanta Barbara / Virtual, United StatesSpringer2020, 3261
 4 inproceedingsLattice Enumeration for Tower NFS: a 521bit Discrete Logarithm Computation.Asiacrypt 202113090ASIACRYPTVirtual, SingaporeSpringer2021, 6796
 5 inproceedingsCryptanalysis Results on Spook: Bringing Fullround Shadow512 to the Light.CRYPTO 2020  40th Annual International Cryptology Conference12172Lecture Notes in Computer ScienceSanta Barbara / Virtual, United StatesAugust 2020, 359388
 6 articleComputing AES relatedkey differential characteristics with constraint programming.Artificial Intelligence278January 2020, 103183
11.2 Publications of the year
International journals
 7 articleThree Cousins of Recamán's Sequence.The Fibonacci Quarterly2021
 8 articleQuantum Period Finding against Symmetric Primitives in Practice.IACR Transactions on Cryptographic Hardware and Embedded Systems20221November 2021, 127
 9 articleParallel Structured Gaussian Elimination for the Number Field Sieve.Mathematical Cryptology01January 2021, 2239
 10 articleMOE: Multiplication Operated Encryption with Trojan Resilience.IACR Transactions on Symmetric Cryptology20211March 2021, 78129
 11 articleCTET+: A BeyondBirthdayBound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation.IACR Transactions on Symmetric Cryptology20214December 2021, 135
 12 articleNontriangular selfsynchronizing stream ciphers.IEEE Transactions on Computers711January 2022, 134145
 13 articleAutomated fragment formula annotation for electron ionisation, high resolution mass spectrometry: application to atmospheric measurements of halocarbons.Journal of Cheminformatics1378October 2021, 127
 14 articleOn the Alpha Value of Polynomials in the Tower Number Field Sieve Algorithm.Mathematical Cryptology11February 2021, 139
 15 articleRefined Analysis of the Asymptotic Complexity of the Number Field Sieve.Mathematical Cryptology112021, 7188
International peerreviewed conferences
 16 inproceedingsQCB: Efficient QuantumSecure Authenticated Encryption.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 668698
 17 inproceedingsQuantum Linearization Attacks.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 422452
 18 inproceedingsLattice Enumeration for Tower NFS: a 521bit Discrete Logarithm Computation.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090ASIACRYPTVirtual, SingaporeSpringer2021, 6796
 19 inproceedingsEfficient Methods to Search for Best Differential Characteristics on SKINNY.Proceedings of the 19th International Conference on Applied Cryptography and Network SecurityACNS 2021  19th International Conference on Applied Cryptography and Network Security1272719th International Conference on Applied Cryptography and Network SecurityKamakura, JapanJune 2021, 184207
 20 inproceedingsParallel integer multiplication.30th Euromicro International Conference on Parallel, Distributed andNetworkbased Processing (PDP 2022)PDP 2022  30th Euromicron International Conference on Parallel, Distributed, and NetworkBased ProcessingValladoid, Spain2022
Conferences without proceedings
 21 inproceedingsHybrid architecture of LPV dynamical systems in the context of cybersecurity.LPVS 2021  4th IFAC Workshop on Linear Parameter Varying SystemsMilano, ItalyJuly 2021
 22 inproceedingsAn Upcycling Tokenization Method for Credit Card Numbers.SECRYPT 2021  18th International Conference on Security and CryptographyOnline, FranceJuly 2021
Scientific book chapters
 23 inbookHistory of Cryptographic Key Sizes.469Computational CryptographyLondon Mathematical Society Lecture Note SeriesCambridge University PressDecember 2021
Doctoral dissertations and habilitation theses
 24 thesisDiscrete Logarithm Cryptanalyses : Number Field Sieve and Lattice Tools for SideChannel Attacks.Université de LorraineMay 2021
 25 thesisSymbolic Computation and Complexity Analyses for Number Theory and Cryptography.Université de LorraineDecember 2021
Reports & preprints
 26 reportÉvaluation des Logiciels.InriaJanuary 2021
 27 reportSoftware Evaluation.InriaJanuary 2021
 28 reportA privacy attack on the Swiss Post evoting system.Université de Lorraine, CNRS, Inria, LORIANovember 2021
 29 miscA toolbox for verifiable tallyhiding evoting systems.April 2021
 30 miscFamilies of SNARKfriendly 2chains of elliptic curves.October 2021
 31 miscAccuracy of Mathematical Functions in Single, Double, Extended Double and Quadruple Precision.January 2022
11.3 Cited publications
 32 inproceedingsImperfect Forward Secrecy: How DiffieHellman fails in practice.CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityDenver, Colorado, United StatesACMOctober 2015, 517
 33 unpublishedInteger points close to a transcendental curve and correctlyrounded evaluation of a function.November 2021, working paper or preprint
 34 inproceedingsOptimized and secure pairingfriendly elliptic curves suitable for one layer proof composition.CANS 2020  19th International Conference on Cryptology and Network SecurityVienna, Austriahttps://cans2020.at/December 2020
 35 inproceedingsA shortlist of pairingfriendly curves resistant to Special TNFS at the 128bit security level.PKC 2020  IACR International Conference on Practice and Theory of PublicKey Cryptography12111LNCSEdinburgh, United Kingdomhttps://pkc.iacr.org/2020/April 2020, 535564
 36 inproceedingsFactorization of a 768bit RSA modulus.CRYPTO 20106223Lecture Notes in Comput. Sci.ProceedingsSpringerVerlag2010, 333350
 37 miscTransitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.First revision2011
 38 miscCADONFS, An Implementation of the Number Field Sieve Algorithm.Release 2.3.02017, URL: https://hal.inria.fr/hal02099620
 39 miscRéférentiel général de sécurité, annexe B1.Version 2.032014, URL: http://www.ssi.gouv.fr/uploads/2014/11/RGS_v20_B1.pdf