Keywords
Computer Science and Digital Science
 A2.3.1. Embedded systems
 A4.2. Correcting codes
 A4.3.1. Public key cryptography
 A4.3.3. Cryptographic protocols
 A4.4. Security of equipment and software
 A4.6. Authentication
 A4.8. Privacyenhancing technologies
 A4.9. Security supervision
 A7.1. Algorithms
 A8.1. Discrete mathematics, combinatorics
 A8.4. Computer Algebra
 A8.5. Number theory
Other Research Topics and Application Domains
 B5.11. Quantum systems
 B6.4. Internet of things
 B6.6. Embedded systems
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Alain Couvreur [Team leader, INRIA, Senior Researcher, HDR]
 Daniel Augot [INRIA, Senior Researcher, HDR]
 Thomas DebrisAlazard [INRIA, Researcher]
 Benjamin Smith [INRIA, Researcher]
Faculty Members
 Olivier Blazy [LIX, Professor, HDR]
 Françoise LevyDitVehel [ENSTA, Associate Professor, HDR]
 François Morain [LIX, Professor, HDR]
PostDoctoral Fellows
 Gustavo Banegas [Inria, until Jul 2022]
 Matthieu Lequesne [Inria, from Dec 2022]
 Azam Soleimanian [LIX, until Feb 2022]
 Ilaria Zappatore [Inria, until Aug 2022]
PhD Students
 Anaïs Barthoulot [ORANGE]
 Maxime Bombar [LIX]
 Sarah Bordage [École Polytechnique, until Jun 2022]
 Alexis Challande [QUARKSLAB, until Oct 2022]
 Clément Ducros [UNIV PARIS CITÉ]
 Youssef El Housni [CONSENSYS, until Nov 2022]
 Anaelle Le Devehat [Inria, from Jul 2022]
 Antonin Leroux [LIX, until Aug 2022]
 Simon Montoya [IDEMIA, until Oct 2022]
 Maxime Romeas [LIX, until Nov 2022]
 Angelo Saadeh [TELECOM PARIS, until Aug 2022]
Administrative Assistant
 Maria Ronco [INRIA]
External Collaborators
 Philippe Lebacque [UNIV FRANCHECOMTE]
 Matthieu Rambaud [MINESPARISTECH, from Sep 2022]
 Guenael Renault [SGDSN]
2 Overall objectives
2.1 Scientific foundations
Grace combines expertise and deep knowledge in algorithmic number theory and algebraic geometry, to build and analyse (publickey) cryptosystems, design new error correcting codes, with realworld concerns like cybersecurity or blockchains (software and hardware implementations, secure implementations in constrained environments, countermeasures against side channel attacks, white box cryptography).
The foundations of Grace therefore lie in algorithmic number theory (fundamental algorithms primality, factorization), number fields, the arithmetic geometry of curves, algebraic geometry and the theory of algebraic codes.
Arithmetic Geometry is the meeting point of algebraic geometry and number theory: the study of geometric objects defined over arithmetic number systems. In our case, the most important objects are curves and their Jacobians over finite fields; these are fundamental to our applications in both coding theory and cryptology. Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of publickey cryptosystems, of which Diffie–Hellman key exchange is an instructive example.
Coding Theory studies originated with the idea of using redundancy in messages to protect them against noise and errors. While the last decade of the 20th century has seen the success of socalled iterative decoding methods, we see now many new ideas in the realm of algebraic coding, with the foremost example being list decoding, (zero knowledge or not) proofs of computation.
Part of the activities of the team are oriented towards postquantum cryptography, either based on elliptic curves (isogenies) or codebased. Also the team study relevant cryptography for the blockchain arena.
The group is strongly invested in cybersecurity: software security, secure hardware implementations, privacy, etc.
3 Research program
3.1 Algorithmic Number Theory
Participants: François Morain, Benjamin Smith, Antonin Leroux, Guénaël Renault.
Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:
 fundamental algorithms for integers and polynomials (including primality and factorization);
 algorithms for finite fields (including discrete logarithms);
 algorithms for algebraic curves.
Clearly, we use computer algebra in many ways. Research in cryptology has motivated a renewed interest in Algorithmic Number Theory in recent decades—but the fundamental problems still exist per se. Indeed, while algorithmic number theory application in cryptanalysis is epitomized by applying factorization to breaking RSA public key, many other problems, are relevant to various area of computer science. Roughly speaking, the problems of the cryptological world are of bounded size, whereas Algorithmic Number Theory is also concerned with asymptotic results.
3.2 Arithmetic Geometry: Curves and their Jacobians
Participants: François Morain, Benjamin Smith, Antonin Leroux.
Theme: Arithmetic Geometry: Curves and their Jacobians Arithmetic Geometry is the meeting point of algebraic geometry and number theory: that is, the study of geometric objects defined over arithmetic number systems (such as the integers and finite fields). The fundamental objects for our applications in both coding theory and cryptology are curves and their Jacobians over finite fields.An algebraic plane curve$\mathcal{X}$ over a field
$\mathbf{K}$ is defined by an equation
(Not every curve is planar—we may have more variables, and more defining equations—but from an algorithmic point of view, we can always reduce to the plane setting.) The genus${g}_{\mathcal{X}}$ of $\mathcal{X}$ is a nonnegative integer classifying the essential geometric complexity of $\mathcal{X}$; it depends on the degree of ${F}_{\mathcal{X}}$ and on the number of singularities of $\mathcal{X}$. The curve $\mathcal{X}$ is associated in a functorial way with an algebraic group ${J}_{\mathcal{X}}$, called the Jacobian of $\mathcal{X}$. The group ${J}_{\mathcal{X}}$ has a geometric structure: its elements correspond to points on a ${g}_{\mathcal{X}}$dimensional projective algebraic group variety. Typically, we do not compute with the equations defining this projective variety: there are too many of them, in too many variables, for this to be convenient. Instead, we use fast algorithms based on the representation in terms of classes of formal sums of points on $\mathcal{X}$.
The simplest curves with nontrivial Jacobians are curves of genus 1, known as elliptic curves; they are typically defined by equations of the form ${y}^{2}={x}^{3}+Ax+B$. Elliptic curves are particularly important given their central role in publickey cryptography over the past two decades. Curves of higher genus are important in both cryptography and coding theory.
3.3 CurveBased cryptology
Participants: Gustavo Banegas, François Morain, Benjamin Smith, Anaelle Le Devehat, Antonin Leroux.
Theme: CurveBased Cryptology
Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of publickey cryptosystems. Diffie–Hellman key exchange is an instructive example.
Suppose Alice and Bob want to establish a secure communication channel. Essentially, this means establishing a common secret key, which they will then use for encryption and decryption. Some decades ago, they would have exchanged this key in person, or through some trusted intermediary; in the modern, networked world, this is typically impossible, and in any case completely unscalable. Alice and Bob may be anonymous parties who want to do ebusiness, for example, in which case they cannot securely meet, and they have no way to be sure of each other's identities. Diffie–Hellman key exchange solves this problem. First, Alice and Bob publicly agree on a cryptographic group $G$ with a generator $P$ (of order $N$); then Alice secretly chooses an integer $a$ from $[1..N]$, and sends $aP$ to Bob. In the meantime, Bob secretly chooses an integer $b$ from $[1..N]$, and sends $bP$ to Alice. Alice then computes $a\left(bP\right)$, while Bob computes $b\left(aP\right)$; both have now computed $abP$, which becomes their shared secret key. The security of this key depends on the difficulty of computing $abP$ given $P$, $aP$, and $bP$; this is the Computational Diffie–Hellman Problem (CDHP). In practice, the CDHP corresponds to the Discrete Logarithm Problem (DLP), which is to determine $a$ given $P$ and $aP$.
This simple protocol has been in use, with only minor modifications, since the 1970s. The challenge is to create examples of groups $G$ with a relatively compact representation and an efficiently computable group law, and such that the DLP in $G$ is hard (ideally approaching the exponential difficulty of the DLP in an abstract group). The Pohlig–Hellman reduction shows that the DLP in $G$ is essentially only as hard as the DLP in its largest primeorder subgroup. We therefore look for compact and efficient groups of prime order.
The classic example of a group suitable for the Diffie–Hellman protocol is the multiplicative group of a finite field ${\mathbf{F}}_{q}$. There are two problems that render its usage somewhat less than ideal. First, it has too much structure: we have a subexponential Index Calculus attack on the DLP in this group, so while it is very hard, the DLP falls a long way short of the exponential difficulty of the DLP in an abstract group. Second, there is only one such group for each $q$: its subgroup treillis depends only on the factorization of $q1$, and requiring $q1$ to have a large prime factor eliminates many convenient choices of $q$.
This is where Jacobians of algebraic curves come into their own. First, elliptic curves and Jacobians of genus 2 curves do not have a subexponential index calculus algorithm: in particular, from the point of view of the DLP, a generic elliptic curve is currently as strong as a generic group of the same size. Second, they provide some diversity: we have many degrees of freedom in choosing curves over a fixed ${\mathbf{F}}_{q}$, with a consequent diversity of possible cryptographic group orders. Furthermore, an attack which leaves one curve vulnerable may not necessarily apply to other curves. Third, viewing a Jacobian as a geometric object rather than a pure group allows us to take advantage of a number of special features of Jacobians. These features include efficiently computable pairings, geometric transformations for optimised group laws, and the availability of efficiently computable noninteger endomorphisms for accelerated encryption and decryption.
3.4 Algebraic Coding Theory
Participants: Daniel Augot, Alain Couvreur, Françoise LevyDitVehel, Maxime Roméas, Sarah Bordage, Maxime Bombar, Clément Ducros.
Theme: Coding theoryCoding Theory studies originated with the idea of using redundancy in messages to protect against noise and errors. The last decade of the 20th century has seen the success of socalled iterative decoding methods, which enable us to get very close to the Shannon capacity. The capacity of a given channel is the best achievable transmission rate for reliable transmission. The consensus in the community is that this capacity is more easily reached with these iterative and probabilistic methods than with algebraic codes (such as Reed–Solomon codes).
However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random case setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst case approach: under combinatorial restrictions on the noise, the noise can be adversarial, with strictly zero errors.
These considerations are renewed by the topic of list decoding after the breakthrough of Guruswami and Sudan at the end of the nineties. List decoding relaxes the uniqueness requirement of decoding, allowing a small list of candidates to be returned instead of a single codeword. List decoding can reach a capacity close to the Shannon capacity, with zero failure, with small lists, in the adversarial case. The method of Guruswami and Sudan enabled list decoding of most of the main algebraic codes: Reed–Solomon codes and Algebraic–Geometry (AG) codes and new related constructions “capacityachieving list decodable codes”. These results open the way to applications against adversarial channels, which correspond to worst case settings in the classical computer science language.
Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).
From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.
Another area of Algebraic Coding Theory with which we are more recently concerned is the one of Locally Decodable Codes. After having been first theoretically introduced, those codes now begin to find practical applications, most notably in cloudbased remote storage systems.
3.5 Postquantum cryptography
Participants: Gustavo Banegas, Maxime Bombar, Alain Couvreur, Thomas DebrisAlazard, Anaelle Le Devehat, Antonin Leroux, Benjamin Smith, O. Blazy.
Theme: Cryptography
A huge amount of work is being put into developing an efficient quantum computer. But even if the advent of such a computer may wait for decades, it is urgent to deploy postquantum cryptography (PQC), i.e: solutions on our current devices that are quantumsafe. Indeed, an attacker could store encrypted sessions and wait until a quantum computer is available to decrypt. In this context the National Institute of Standard Technology (NIST) has launched in 2017 (see this website) a call for standardizing publickey PQC schemes (key exchanges and signatures). Among the mathematical objects to design post quantum primives, one finds error correcting codes, Euclidean lattices and isogenies.
We are currently in the final step of the standardization of the NIST and most of the selected solutions are based on codes and lattices. These preliminary results tend to show that codes and lattices will be in a near future at the ground of our numerical security. If isogenies are less represented, they remain of deep interest since they appear to be the post quantum solution providing the smallest key sizes. The purpose of our research program is to bring closer these solutions for a postquantum security in order to improve their efficiency, diversity and to increase our trust in these propositions.
3.6 Proofs of Computation
Participants: Daniel Augot, Sarah Bordage, Youssef El Housni, François Morain.
Proofs of computation are cryptographic protocols which allow a prover to convince a verifier that a statement or an output of a computation is correct. The prover is untrusted in the sense that it may try to convince the verifier that a false statement is true. On the other hand the prover is computationnally restricted, and have very small prower: the proof should be short and easy to verify. They can be interactive or not.
While the topic originates back to 1990, several important steps towards praticality has been made in last decade, with efficient, reallife implementations and industrial deployments in the last years, thanks to huge fundings.
There are several cryptographic paths for designing such proof systems. Within Grace, two main techniques are investigated. The first one relies on elliptic curves and pairings, and produce very short (constantsize) proofs. Y. El Housni defended his PhD on this topic, in particular on the arithmetic and implementation aspects. The second techniques relies on algebraic coding theory, with smaller cryptographic assumptions (cryptographic hash functions), and is postquantum, but provides longer proofs. S. Bordage defended her PhD on this second kind of techniques, extending existing proofs using ReedSolomon codes to more general class of codes, like product of codes and algebraicgeometry codes.
4 Application domains
4.1 Application Domain: cybersecurity
Participants: Guénaël Renault, Benjamin Smith, François Morain, Alexis Challande, Simon Montoya, Maxime Anvari, Gustavo Banegas, O. Blazy.
We are interested in developing some interactions between cryptography and cybersecurity. In particular, we develop some researches in embedded security (side channels and fault attack), software security (finding vulnerability efficiently) and privacy (security of TOR).
4.2 Application Domain: blockchains
Participants: Daniel Augot, Sarah Bordage, Youssef El Housni, François Morain, Matthieu Rambaud.
The huge hype about blockchains attracted the attention of many companies towards advanced cryptographic protocols. While basic and standard blockchain ideas rely, on the cryptographic side, on very basic and standard cryptographic primitives like signatures and hash functions, more elaborate techniques from crypto can alleviate some shortcomings of blockchain, like the poor bandwith and the lack of privacy.
The topic of verifiable computation consists in verifying heavy computations done by a remote computer, using a lightweight computer which is not able to do the computation. The remore computer, called the prover, is allowed to provided a proof aside the result of the computation. This proof must be very short and fast to verify. It can also be made zeroknowledge, where the prover hides some inputs to the computation, and yet prove the result is correct.
There are two competing propositions which provide a mathematical and algorithmic background for these proof techniques: one based on a line of research dating back to the celebrated 1990 PCP theorem (error correcting codes), and one based on the discrete logarithm problem and pairing based protocols (elliptic curves over finite fields). D. Augot is advising S. Bordage on the first topic, also known in the blockchain world as “STARKS” (Scalable Transparent Arguments of Knowledge), and F. Morain is advising Youssef El Housni on the second topic, known as “SNARKS” (Succint Non Interactive Arguments of Knowledge).
These proofs allows to move data and computation off chain, pushing the burden to offchain servers, who then commit short commitments of the update of their offchain data , accompanied by short proofs which are easy to verify onchain. This mecanism is called a rollup and is at the core of the proposed path for scaling Ethereum, a predominant blockchain, which will be “rollupcentric”.
Also Daniel Augot, together with Julien Prat (economist, ENSAE), is coleading a Polytechnique teaching and research “chair”, called Blockchain and B2B plaforms, funded by CapGemini, Caisse des dépots and NomadicLabs. This is patronage, which funded Sarah Bordage's PhD thesis. This gives visiblity and outreach beyond the academic sphere.
4.3 Cloud storage
Participants: Françoise LevyDitVehel, Maxime Roméas.
The team is concerned with several aspect of reliability and security of cloud storage, obtained mainly with tools from coding theory. On the privacy side, we build protocols for socalled Private Information Retrieval which enable a user to query a remote database for an entry, while not revealing his query. For instance, a user could query a service for stock quotes without revealing with company he is interested in. On the availability side, we study protocols for proofs of retrievability, which enable a user to get assurance that a huge file is still available on a remote server, with a low bandwith protocol which does not require to download the whole file. For instance, in a peertopeer distributed storage system, where nodes could be rewarded for storing data, they can be audited with proof of retrievability protocols to make sure they indeed hold the data.We investigate these problems with algebraic coding theory for the effective constuction of protocols. To this respect, we mainly use locally decodable codes and in particular highrate lifted codes.
Maxime Roméas is a PhD student of the team. (PhD grant from IP Paris/Ecole Polytechnique for a 3year doctorate, Oct 2019Sept 2022). The subject of his thesis is "The Constructive Cryptography paradigm applied to Interactive Cryptographic Proofs".
The Constructive Cryptography framework, introduced by Maurer in 2011, redefines basic cryptographic primitives and protocols starting from discrete systems of three types (resources, converters, and distinguishers). This not only permits to construct them effectively, but also lighten and sharpen their security proofs. One strength of this model is its composability. The purpose of the PhD is to apply this model to rephrase existing interactive cryptographic proofs so as to assert their genuine security, as well as to design new proofs. The main concern here is security and privacy in Distributed Storage settings. Another axis of the PhD is to augment the CC model by, e.g., introducing new functionalities to a socalled Server Memory Resource.
5 Highlights of the year
5.1 European Project ENCODE granted
Participants: D. Augot, A. Couvreur, F. LevyditVehel.
The project ENCODE is a doctoral network project submitted to the call Horizons Marie SłodowskaCurie Actions  Doctoral Networks 2021. The project's principal investigator is Eimear Byrne from university college Dublin. Grace Team is one of the 5 poles of the project. The project has been granted and got the grade 100%. It was ranked 1st among more than 1000 projects. ENCODE starts in march 2023.
5.2 AEx CACHAÇA
Participants: B. Smith.
The Action Exploratoire CACHAÇA, led by Benjamin Smith and based at Campus Cyber, started in 2022. Fast, safe, and strong cryptography is essential for secure networked communications. Currently, highassurance techniques from formal methods are only applied once cryptosystems reach maturity and standardization. CACHAÇA will bring these techniques to the initial design and implementation phase for new postquantum cryptosystems, to produce fast, safe, and portable software implementations, especially for constrained environments such as IoT devices.
5.3 Defences
Participants: Sarah Bordage, Alexis Challande, Youssef El Housni, Antonin Leroux, Simon Montoya, Maxime Roméas.
6 Ph.D. Students of the team defended their thesis during the last year:
 Sarah Bordage (June 16, 2022)
 Antonin Leroux (September 7, 2022)
 Alexis Challande (October 11, 2022)
 Simon Montoya (October 12, 2022)
 Youssef El Housni (November 18, 2022)
 Maxime Roméas (November 29, 2022)
5.4 Lack of consideration for research from our management
Participants: Whole Team.
We are concerned that our management neglects research of high quality, or even research by itself, showing preference for short term, short lived activities, judged by their “impact”, whatever it means.
We are proud that INRIA has a quality national evaluation committee (“commission d'évaluation”, CE) in charge of evaluating the scientific activity and merit of individual researchers. The committee members do a deep, sensible and thorough scientific analysis of each researcher's file, well beyond publications and bibliometrics. This give us strong confidence that recruitments are of high quality, that promotions are done on the core, reallife, and meaningful basis of our activity. Yet, during last year, our evaluation committee has been under veiled and constant criticism by our top management. We fear that future recruitments will be not based on scientific merit, lowering the quality of research done at INRIA.
Finally, please take note also that new information system “EKSAE” has been deployed at INRIA. EKSAE is completely malfunctioning and is a plague to administrative staff, who can not handle basic tasks. Ph.D. students are not reimbursed for their trips to conferences, invited researchers are not reimbursed for their cost, experts doing reports for the evaluation committee (CE) are not paid. At the international level, this destroys any credit INRIA could have, ashames us, and forbid us to establish important scientific connections.
6 New software and platforms
6.1 New software
6.1.1 snark2chains

Name:
Families of SNARKfriendly 2chains of elliptic curves

Keywords:
Cryptography, Cryptocurrency, Blockchain

Functional Description:
This small library implements finite field and elliptic curve arithmetic for BN curves (BarretoNaehrig), BLS curves (BarretoLynnScott), and 2chains made of BW6 (BrezingWeng curves of embedding degree 6), CP8, CP12 (CocksPinch curves of embedding degree 8 and 12) for use with zksnarks (zeroknowledge succinct noninteractive argument of knowledge). The cryptographic applications are: pairing, scalar multiplication on the curves, hashing on the curves. The code is a proof of concept tied to a preprint and is not optimized.

News of the Year:
The library was first released in October 2021.
 URL:
 Publication:

Contact:
Aurore Guillevic
7 New results
7.1 Post–quantum cryptography
7.1.1 Improved decoding of Gabidulin codes for various noise models
Participants: Maxime Bombar, Alain Couvreur.
When considering error correcting codes, one usually endows the ambient space with the Hamming metric. However, other metrics have been considered, and in particular, codes endowed with the rank metric have found applications in cryptography, in network communications or in data storage. Com pared to the Hamming world, only few families of codes endowed with the rank metric are known to have efficient decoding algorithms. As the rank metric analogues of ReedSolomon codes, $[n,k]$ Gabidulin codes are of particular interest because they are somehow optimal: they reach the rankmetric Singleton bound and benefit from efficient decoders uniquely correcting any error pattern of weight up to $\frac{nk}{2}$. However, in general, there exists no known decoders in polynomial time beyond this bound, even probabilistic ones. Nonetheless, previous works have considered different noise models for which decoders can be given. For instance, when considering $u$ codewords in parallel such that the channel corrupts all of them at once (this process is known as interleaving), it is possible to give a probabilistic decoder correcting up to $\frac{u}{u+1}(nk)$ rank errors, or when the error has a specific symmetric structure (more precisely when the row and column spaces of the error are equal), it is possible correct errors up to rank $\frac{3}{2}(nk)$.
In 42, A. Couvreur and M. Bombar build on their previous work 67 to give a new decoder of interleaved Gabidulin codes, working on the righthand side, which gives a simpler point of view on the decoding of such error patterns.
In 67, A. Couvreur proves that when the codes have rate $\frac{k}{n}<\frac{1}{2}$, it is possible to correct any symmetric error pattern, whatever its rank, without failure. This algorithm works for a broad family of codes which includes the aforementioned Gabidulin codes. Moreover, when the rate is larger than $\frac{1}{2}$, it achieves the best decoding radius conjectured in the literature for such noise model.
7.1.2 Searchtodecision reductions in code–based cryptography
Participants: A. Couvreur, M. Bombar, T. Debris–Alazard.
The security of most code–based cryptosystem relies on the hardness of the so–called Decoding Problem. If its search version (Given a random linear code, and a noisy codeword, it should be hard to decode, i.e. to remove the error and recover the original message) is quite well understood, many proposals actually rely on the decision version which can be formulated as follows: Given a random linear code it should be hard to distinguish between a uniformly random vector of the ambiant space, and a noisy codeword. This decision version can be thought as the code–based analogue of the Decisional Diffie Hellman problem, and for general random linear codes both search and decision problem are known to be equivalent. Such a result is known as a search to decision reduction. However, for efficiency purposes, it is very appealing to use algebraically structured codes such as quasicyclic codes, that can be represented more compactly. In this situation, the hardness of the decision Decoding problem is only conjectured. On the other hand, one of the reasons of the success of lattice–based cryptography is that it benefits from a rich literature of security reductions for both general lattices and so–called structured lattices, i.e. lattices arising from orders of number fields.
In 29, based on a strong analogy between number fields and function fields, and especially using Carlitz modules which can be somehow considered as an analogue of cyclotomic number fields in positive characteristics, we introduce a new generic problem that we call Function Field Decoding Problem, and derive the first search to decision reduction in this context.
7.1.3 New algorithm to solve the generic decoding problem
Participants: T. Debris–Alazard.
The security of codebased cryptography relies primarily on the hardness of generic decoding with linear codes. The best generic decoding algorithms are all improvements of an old algorithm due to Prange: they are known under the name of information set decoders (ISD). A while ago, a generic decoding algorithm which does not belong to this family was proposed: statistical decoding. It is a randomized algorithm that requires the computation of a large set of paritychecks of moderate weight, and uses some kind of majority voting on these equations to recover the error we are looking for in the decoding problem. This algorithm was long forgotten because even the best variants of it performed poorly when compared to the simplest ISD algorithm. In 31, we revisit this old algorithm by using paritycheck equations in a more general way. Here the paritychecks are used to get LPN samples with a secret which is part of the error and the LPN noise is related to the weight of the paritychecks we produce. The corresponding LPN problem is then solved by standard Fourier techniques. By properly choosing the method of producing these low weight equations and the size of the LPN problem, we are able to outperform in this way significantly information set decoders at code rates smaller than 0.3. It gives for the first time after 60 years, a better decoding algorithm for a significant range which does not belong to the ISD family. >>>>>>> 5a27469fe7075e10a50ee82951408ab3de01783b
In 42, A. Couvreur and M. Bombar build on their previous work 66 to give a new decoder of interleaved Gabidulin codes, working on the righthand side, which gives a simpler point of view on the decoding of such error pattern.
In 55, A. Couvreur proves that when the codes have rate $\frac{k}{n}<1/2$, it is possible to correct any symmetric error pattern, whatever its rank, without failure. This algorithm works for a broad family of codes which includes the aformentioned Gabidulin codes. Moreover, when the rate is larger than $1/2$, he achieves the best decoding radius conjectured in the litterature for such noise model.
7.1.4 Quantum reduction
Participants: Thomas DebrisAlazard.
We give a quantum reduction from finding short codewords in a random linear code to decoding for the Hamming metric. This is the first time such a reduction (classical or quantum) has been obtained. Our reduction adapts to linear codes StehléSteinfieldTanaka Xagawa’s reinterpretation of Regev’s quantum reduction from finding short lattice vectors to solving the Closest Vector Problem. The Hamming metric is a much coarser metric than the Euclidean metric and this adaptation has needed several new ingredients to make it work. For instance, in order to have a meaningful reduction it is necessary in the Hamming metric to choose a very large decoding radius and this needs in many cases to go beyond the radius where decoding is unique. Another crucial step for the analysis of the reduction is the choice of the errors that are being fed to the decoding algorithm. For lattices, errors are usually sampled according to a Gaussian distribution. However, it turns out that the Bernoulli distribution (the analogue for codes of the Gaussian) is too much spread out and can not be used for the reduction with codes. Instead we choose here the uniform distribution over errors of a fixed weight and bring in orthogonal polynomials tools to perform the analysis and an additional amplitude amplification step to obtain the aforementioned result.
The result is presented in the preprint 56.
7.1.5 LLL like algorithm for codes
Participants: Thomas DebrisAlazard.
In 18, we have proposed an adaptation of the algorithmic reduction theory of lattices to binary codes. This includes the celebrated LLL algorithm (Lenstra, Lenstra, Lovasz, 1982), as well as adaptations of associated algorithms such as the Nearest Plane Algorithm of Babai (1986). Interestingly, the adaptation of LLL to binary codes can be interpreted as an algorithmic version of the bound of Griesmer (1960) on the minimal distance of a code. Using these algorithms, we demonstrate —both with a heuristic analysis and in practice— a small polynomial speedup over the InformationSet Decoding algorithm of Lee and Brickell (1988) for random binary codes. This appears to be the first such speedup that is not based on a timememory tradeoff. The above speedup should be read as a very preliminary example of the potential of a reduction theory for codes, for example in cryptanalysis.
7.1.6 Wavelet: Codebased postquantum signatures with fast verification on microcontrollers
Participants: Gustavo Banegas, Thomas DebrisAlazard, Benjamin Smith.
This work 63 has presented the first full implementation of Wave, a postquantum codebased signature scheme. We define Wavelet, a concrete Wave scheme at the 128bit classical security level (or NIST postquantum security Level 1) equipped with a fast verification algorithm targeting embedded devices. Wavelet offers 930 byte signatures, with a public key of 3161 kB. We include implementation details using AVX instructions, and on ARM CortexM4, including a solution to deal with Wavelet’s large public keys, which do not fit in the SRAM of a typical embedded device. Our verification algorithm is approximately 4.65 times faster then the original, and verifies in 1 087 538 cycles using AVX instructions, or 13 172 ticks in an ARM CortexM4.
7.1.7 Quantumresistant software update security on lowpower networked embedded devices
Participants: Gustavo Banegas, Benjamin Smith.
Bringing practical postquantum security to lowend IoT devices is a pressing challenge. In 64 we evaluate a range of pre and postquantum secure signature schemes in the context of SUIT software updates (specified by the IETF), on three popular, offtheshelf microcontroller boards (ARM CortexM4, ESP32, and RISCV) that are representative of the 32bit landscape. We show that upgrading to postquantum security is practical now, and reflect on the best choices for various use cases. This work was selected for presentation at Real World Crypto 2022, and was published at ACNS 2022.
7.1.8 On Using RSA/ECC Coprocessor for Ideal LatticeBased Key Exchange
Participants: Guenael Renault, Simon Montoya.
Polynomial multiplication is one of the most costly operations of ideal latticebased cryptosystems. In 71, with Aurélien Greuet (Idemia), we study its optimizations when one of the operands has coefficients close to 0. We focus on this structure since it is at the core of latticebased Key Encapsulation Mechanisms submitted to the NIST call for postquantum cryptography. In particular, we propose optimization of this operation for embedded devices by using a RSA/ECC coprocessor that provides efficient and secure largeinteger arithmetic. In this context, we compare Kronecker Substitution, with two specific algorithms that we introduce: KSV, a variant of this substitution, and an adaptation of the schoolbook multiplication, denoted Shift&Add. All these algorithms rely on the transformation of polynomial multiplication to largeinteger arithmetic. Then, thanks to these algorithms, existing secure coprocessors dedicated to largeinteger can be repurposed in order to speedup postquantum schemes. The efficiency of these algorithms depends on the component specifications and the cryptosystem parameters set. Thus, we establish a methodology to determine which algorithm to use, for a given component, by only implementing basic largeinteger operations. Moreover, the three algorithms are assessed on a chip ensuring that the theoretical methodology matches with practical results.
7.1.9 Security Assessment of NTRU Against NonProfiled SCA
Participants: Guenael Renault, Simon Montoya.
NTRU was first introduced by J. Hoffstein, J. Pipher and J.H Silverman in 1998. Its security, efficiency and compactness properties have been carefully studied for more than two decades. A key encapsulation mechanism (KEM) version was even submitted to the NIST standardization competition and made it to the final round. Even though it has not been chosen to be a new standard, NTRU remains a relevant, practical and trustful postquantum cryptographic primitive. In 25, with Luk Bettale (Idemia), Julien Eynard (ANSSI) and Rémi Strullu (ANSSI), we investigate the sidechannel resistance of the NTRU Decrypt procedure. In contrast with previous works about sidechannel analysis on NTRU, we consider a weak attacker model and we focus on an implementation that incorporates some sidechannel countermeasures. The attacker is assumed to be unable to mount powerful attacks by using templates or by forging malicious ciphertexts for instance. In this context, we show how a nonprofiled sidechannel analysis can be done against a core operation of NTRU decryption. Despite the considered countermeasures and the weak attacker model, our experiments show that the secret key can be fully retrieved with a few tens of traces.
7.1.10 Postquantum Public Key Encryption from Isogenies
Participants: Luca De Feo, Antonin Leroux.
Together with Cyprien Delpech de Saint Guilhem (KU Leuven), Tako Boris Fouotsa (Universit`a Degli Studi Roma Tre), Peter Kutas (University of Birmingham), Christophe Petit (Université Libre de Bruxelles), Javier Silva ( Universitat Pompeu Fabra)and Benjamin Wesolowski (Institut Mathématiques de Bordeaux), Luca de Feo and Antonin Leroux have introduced a new postquantum public key encryption scheme that uses constructively the torsion point attack against the SIDH key exchange. The publication includes an implementation in C of this new construction. Another contribution of this work is the "uberisogeny assumption" which aims at generalizing some computational assumption encountered in various scheme of the literature.
7.1.11 Highspeed supersingularity testing for elliptic curves
Participants: Gustavo Banegas, Benjamin Smith.
Elliptic curves over finite fields are either ordinary or supersingular. Distinguishing supersingular elliptic curves is an important task in algorithmic number theory, and now forms a crucial step in publickey validation for some isogenybased cryptosystems such as CSIDH. In 13, we improve the stateoftheart of supersingularity testing, especially over ${\mathbb{F}}_{p}$ for cryptographic applications, with faster algorithms backed up with highspeed software implementations.7.1.12 The suborder isogeny representation and pSIDH
Participants: Antonin Leroux.
The tasks of evaluating and verifying isogenies are fundamental for isogenybased cryptography. The suborder representation introduced in 37 and presented at ASIACRYPT 2022 targets the case of (big) primedegree isogenies. The core of our new method is the revelation of endomorphisms of smooth norm inside a wellchosen suborder of the codomain's endomorphism ring. This new representation appears to be opening interesting prospects for isogenybased cryptography under the hardness of a new computational problem: the SubOrder to Ideal Problem (SOIP). As an application, we introduce pSIDH, a new NIKE based on the suborder representation. Studying new assumption appears to be particularly crucial in the light of the recent attacks against isogenybased cryptography.7.1.13 The supersingular isogeny graph of abelian surfaces
Participants: Benjamin Smith.
The special combinatorial properties of the elliptic supersingular isogeny graph have made it a fruitful setting for new isogenybased cryptosystems. Naturally, then, we seek to understand the properties of their generalizations, starting with the isogeny graphs formed by supersingular and superspecial abelian surfaces. In 20 we investigate the intricate local structure of these graphs.7.1.14 New isogenybased key exchange algorithms
Participants: Benjamin Smith.
In 17 we investigate the isogeny graphs of supersingular elliptic curves over ${\mathbb{F}}_{{p}^{2}}$ equipped with a $d$isogeny to their Galois conjugate. These curves are interesting because they are, in a sense, a generalization of curves defined over ${\mathbb{F}}_{p}$ , and there is an action of the ideal class group of $\mathbb{Q}\left(\sqrt{dp}\right)$ on the isogeny graphs. We investigate constructive and destructive aspects of these graphs in isogenybased cryptography, including generalizations of the CSIDH cryptosystem and the DelfsGalbraith algorithm.7.2 Secure multiparty computation
Participants: C. Ducros.
Pseudorandom correlation functions (Boyle et al. 68) allow two parties to locally generate, from short correlated keys, a nearunbounded amount of pseudorandom samples, according to a target correlation. The candidate introduced by Boyle et al. was constructed over a new assumption, variabledensity learning parity with noise (VDLPN), for which they provide support by showing its resistance to a large class of attacks (called linear attacks). In 57, G. Couteau and C. Ducros first improved the construction with a slightly different VDLPN assumption and a new analysis, giving us provable usable parameters. Second, we identify a flaw in the security analysis of Boyle et al. which we repair.
7.3 Verifiable computation
Participants: Daniel Augot, Sarah Bordage, Youssef El Housni, François Morain, Jade Nardi.
Suppose a user of a small device requires a powerful computer to perform a heavy computation for him. The computation can not be performed by the device. After completion of the computation, the powerful computer reports a result. Suppose now that the user has not full confidence that the remote computer performs correctly or behaves honestly. How can the user be assured that the correct result has been returned to him, given that he can not redo the computation ?The topic of verifiable computation deals with this issue. Essentially it is a cryptographic protocol where the prover (i.e. the remote computer) provides a proof to a waek verifier (i.e. the user) that a computation is correct. The protocol may be interactive, in which case there may be one or more rounds of interactions between the prover and the verifier, or non interactive, in which case the prover sends a proof that the computation is correct.
These protocols incorporate zeroknowledge variants, where the scenario is different. A service performs a computation on date, part of which remaining private (for instance statistics on citizen's incomes). It is possible for the service to prove the correctness of the result without revealing the data (which has to be committed anyway).
Two directions for building these protocols are discrete logarithms (and pairings) in elliptic curves or a coding theoretical setting (originating to the PCP theorem). Both variants admit a zeroknowledge version, and the core of the research is more on provable computation than the zeroknowledge aspect, which comes rather easily in comparison.
7.3.1 Verifiable computation based on coding theory
Participants: Daniel Augot, Sarah Bordage, Jade Nardi.
In the coding theoretic setting, these protocols are made popular, in particular in the blockchain area, under the name of (ZK)STARKS, Scalable Transparent Arguments of Knowledge, introduced in 2018. The short non interactive proofs are derived for protocols which are called IOPs Interactive Oracle Proofs, which are combination of IPs Interactive Proofs and PCPs Probabilistically Checkable Proofs, for combining the best of both worlds, and making PCPs pratical.
At the core of these protocols lies the following coding problem: how to decide, with high confidence, that a very long ambient word is close to a given code, while looking at very few coordinates of it.
These protocols were originally designed for the simplest algebraic codes, ReedSolomon codes. Daniel Augot and Sarah Bordage provided a generalization of these protocols to multivariate codes, i.e. product of ReedSolomon codes and ReedMuller codes. The performance does not degrade badly with respect to the basic ReedSolomon case 12. It remains to assert the revelance of these codes for building proof systems and to compare to litterature, where product of ReedSolomon codes have been studied for more than twenty years.
A very important issue is to have a smaller alphabet, and this can be done using algebraicgeometric codes. This was done by Sarah Bordage , Matthieu Lhotel, Jade Nardi and Hugues Randriambololona 30, using curves with a resoluble automorphims group, which enable to build codes which are foldable in way similar to the ReedSolomon codes with are folded in the "FRI" protocol 65. Their protocol has very good perfomance, akin to the ReedSolomon case. Towers of curves are considered for this construction, to enable good asymptotic results.
7.3.2 Verifiable computation based on elliptic curves
Participants: Daniel Augot, Youssef El Housni, François Morain.
Verifiable computation can also be built using the theory of ellitpic curves, the hardness of the discrete logarithms, and pairings, as introduced in 72 and made practical in 73. These proofs are much more shorter than the ones provided by the STARKS, with a higher cost for the prover. Furthermore, these systems are not postquantum, and there are important issues in the setting of the proof system, where a trusted third party is required.
The verifiable computation problems leads to several new questions in elliptic curves cryptographic, since the required operations depart from the standard ones used for instance in signature algorithms.
A very interesting topic is the notion of "proof of proofs". Essentially, verifying a proof is a computation, and a proof that a proof has been verified can be given. The same idea applies for verifying hundreds of proofs. A single proof can report that hundred of proofs have been checked.
This is very strong in the elliptic curve setting because the size of a proof is a constant (a few hundred bytes, only depending on the security parameter, not the computation). This means that the above hundred of statements admits a very short proof. In the blockchain world, this translates into a very short proof that many offchain transactions are correct.
To achieve this goal, this requires an ellitpic curve for proving computations done over an other elliptic curve. The problem is that there is an arithmetic mismatch: the statement which is to be proved is defined over ${\mathbb{F}}_{r}$, for a prime $r$ which is a size of a cyclic group provided by an elliptic curve defined over ${\mathbb{F}}_{q}$. Verifying the proof requires to do computations over ${\mathbb{F}}_{q}$, and thus, for the above recursion, one needs another curve over ${\mathbb{F}}_{{q}^{\text{'}}}$ providing a group of prime order $q$. Furthermore both curves must be pairingfriendly. This raises quite challenging questions, which are solved using the theory of complex multiplication.
In collaboration with Aurore Guillevic, Youssef El Housni provided curves which are very efficient for this recursion 7033. These curves beat the competition, an implementation has been provided here. Some other blockchain players CELO, Consensys also have used these curves in their implentations of verifiable computation and zeroknowledge proofs. A. Guillevic and Y. El Housni made a survey of relevant curves for recursive SNARKS 11.
Once the curves are built, it remains to do other ellitpic curves operations, which are particular to SNARKS, for instance doing a sum of a lot of scalar multiplication with differents points. Y. El Housni produced such multiscalar operations for SNARKS 54. Other technicalites also have been improved 34.
7.4 Machine learning on private data using multiplication
Participants: Daniel Augot, Angelo Saadeh.
In collaboration with Matthieu Rambaud (Télécom Paris), Daniel Augot is advising Angelo Saadeh. The issue which is adressed is the following. Two parties each hold privately some distinct slices of common data. compute a logistic regression on the whole set of data, without each party revealing its data to the other party.
Computing a common output from inputs of several participants in the above is done in cryptography using MPC Secure Multiparty Computation, as introduced by Yao 74, and made recently practical, with several implementations. Yet, as classically observed in MPC, the actual result, when learned, may leak information about the secret inputs. The same problem occurs here, where the model may leak information about the data.
Thus it is natural to investigate the use of $\u03f5$differential privacy, introduced by 69 on top of MPC. This raises the concern of obtaining a reasonnable accuracy, since noise has been introduced with differential privacy. Preliminary tests have been done, using the functional mechanism of 75, that Angelo Saadeh implemented in PySyft, which is a library of cryptographic primitives building on the PyTorch machine learning platform and the obtained accuracy is actually good. A publication is in preparation.
7.5 Cloud storage
Participants: Françoise LevyDitVehel, Maxime Roméas.
Proofs of Retrievability (PoR) protocols ensure that a client can fully retrieve a large outsourced file from an untrusted server. In 40 we design a good PoR based on a family of graph codes called expander codes. We use expander codes based on graphs derived from pointline incidence relations of finite affine planes. These codes have good dimension and minimum distance over a relatively small alphabet. Moreover, expander codes possess very efficient unique decoding algorithms. We take advantage of these results to design a PoR scheme that extracts the outsourced file in quasilinear time and features better concrete parameters than stateoftheart schemes w.r.t storage overhead and size of the outsourced file. This work has been presented at CANS 2022. Another line of work on PoRs was to design good PoR schemes with simple security proofs. To this end, in 39, we propose a framework for the design of secure and efficient PoR schemes that is based on Locally Correctable Codes, and whose security is phrased in the Constructive Cryptography model by Maurer. We give an instantiation of our framework using the high rate lifted codes introduced by Guo et al. This yields an infinite family of good PoRs. We assert their security by solving a finite geometry problem, giving an explicit formula for the probability of an adversary to fool the client. This was presented at I4CS 2022.7.6 Algorithmic number theory
7.6.1 Fast Cornacchia algorithm
Participants: François Morain.
Cornacchia's algorithm is an important building block of CM elliptic curve cryptography. Sharing many properties with fast integer gcd algorithms, we worked on a fast version for this tool. A paper is to be submitted at ISSAC'2022 and the code is to be available on gitlab.7.6.2 Prequantum factoring using elliptic curves
Participants: François Morain.
One of the most powerful factoring algorithm is ECM that uses elliptic curves. To improve it, families of curves are traditionally built over the rationals. In this work, number fields are used to treat the special numbers ${b}^{n}\pm 1$. See the preliminary results in 60.7.6.3 Trustless unknownorder groups
Participants: Benjamin Smith.
Groups of unknown order are a classic setting for asymmetric cryptosystems—RSA being the most famous example. In recent times, unknownorder groups have returned to prominence as a setting for new, advanced cryptosystems including accumulators and VDFs (Verifiable Delay Functions). In these applications, trustless setup becomes critical: not even the constructor of the group should know its order. In 19 (joint work with Samuel Dobson and Steven Galbraith), we reevaluate the security of ideal class groups—the most popular source of trustless unknownorder groups—and show that generally accepted parameters do not meet claimed security levels. We also propose a more efficient alternative: Jacobians of genus3 hyperelliptic curves.8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
Participants: Daniel Augot, Sarah Bordage, François Morain, Guénaël Renault, Benjamin Smith.
 Through École polytechnique, D. Augot is leader of a teaching and research chair on Blockchains "Blockchains and B2B platforms", funded by CapGemini, NomadicLabs and Caisse des dépôts, under the French patronage laws. This chair aims at fostering teaching and doing research in topics related to blockchains, from the points of view of both computer science and economics. This chair has a coleader, Julien Prat from the department of economics. This started in 2018, for a five years duration. Another mission of the chair is networking and outreach, (see this website). Sarah Bordage (PhD since 2019) was funded by this chair.
 Since October 2019, F. Morain and Aurore Guillveic are provided PhD advisorship to one of the employees of Consensys (main company for producing software for the Ethereum Blockchain) Y. El Housni , on the topic of zeroknowledge proofs.
 From October 2019 to October 2022, Idemia funds a CIFRE PhD student, Simon Montoya on the secure implementation in constrained environement of postquantum cryptosystems.
 From October 2019 to october 2022, Quarkslab funds a CIFRE PhD student, Alexis Challande, on the analysis of malware code.
 From November 2019 to october 2022, French Min. Arm. funds a PhD student, Maxime Anvari, on the analysis of the ToR network.
 Since October 2020, Orange funds a CIFRE PhD student, Anaïs Barthoulot on Advanced encryption for Sensitive data sharing.
 Nomadic Labs are funding the JasminEasyCrypt project, a collaboration between B. Smith , Benjamin Gregoire (Inria projectteam STAMP), and PierreYves Strub (Meta).
9 Partnerships and cooperations
9.1 European initiatives
9.1.1 H2020 projects
SPARTA
SPARTA project on cordis.europa.eu

Title:
Strategic programs for advanced research and technology in Europe

Duration:
From February 1, 2019 to June 30, 2022

Partners:
 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France
 CESNET ZAJMOVE SDRUZENI PRAVNICKYCH OSOB (CESNET), Czechia
 JOANNEUM RESEARCH FORSCHUNGSGESELLSCHAFT MBH (JOANNEUM RESEARCH), Austria
 NAUKOWA I AKADEMICKA SIEC KOMPUTEROWA  PANSTWOWY INSTYTUT BADAWCZY (NASK), Poland
 TARTU ULIKOOL (UNIVERSITY OF TARTU), Estonia
 MYKOLO ROMERIO UNIVERSITETAS (MYKOLAROMERIS UNIVERSITY), Lithuania
 LATVIJAS MOBILAIS TELEFONS SIA, Latvia
 SECURITY MADE IN LETZEBUERG (SMILE), Luxembourg
 FRAUNHOFER GESELLSCHAFT ZUR FORDERUNG DER ANGEWANDTEN FORSCHUNG EV (FHG), Germany
 FUNDACION TECNALIA RESEARCH & INNOVATION (TECNALIA), Spain
 TECHNISCHE UNIVERSITAET MUENCHEN (TUM), Germany
 THALES SIX GTS FRANCE SAS (THALES SIX GTS France), France
 COMMISSARIAT A L ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES (CEA), France
 STOWARZYSZENIE POLSKA PLATFORMA BEZPIECZENSTWA WEWNETRZNEGO (PPBW), Poland
 INSTITUT NATIONAL DES SCIENCES APPLIQUEES DE LYON (INSA LYON), France
 SAP SE, Germany
 FORTISS GMBH, Germany
 LUXEMBOURG INSTITUTE OF SCIENCE AND TECHNOLOGY (LIST), Luxembourg
 VYSOKE UCENI TECHNICKE V BRNE (BRNO UNIVERSITY OF TECHNOLOGY), Czechia
 FUNDACION CENTRO DE TECNOLOGIAS DE INTERACCION VISUAL Y COMUNICACIONES VICOMTECH (VICOM), Spain
 INDRA SISTEMAS SA (INDRA), Spain
 INSTITUT MINESTELECOM, France
 RHEINISCHE FRIEDRICHWILHELMSUNIVERSITAT BONN, Germany
 UNIVERSITE DU LUXEMBOURG (uni.lu), Luxembourg
 CONSIGLIO NAZIONALE DELLE RICERCHE (CNR), Italy
 "NATIONAL CENTER FOR SCIENTIFIC RESEARCH ""DEMOKRITOS""" ("NCSR ""D"""), Greece
 LIETUVOS KIBERNETINIU NUSIKALTIMU KOMPETENCIJU IR TYRIMU CENTRAS (LITHUANIAN CYBERCRIME CENTER OF EXCELLENCE FOR TRAINING RESEARCH & EDUCATIO), Lithuania
 KENTRO MELETON ASFALEIAS (CENTER FORSECURITY STUDIES CENTRE D'ETUDES DE SECURITE), Greece
 INDRA FACTORIA TECNOLOGICA SL, Spain
 UNIVERSITAT KONSTANZ (UKON), Germany
 LEONARDO  SOCIETA PER AZIONI (LEONARDO), Italy
 KAUNO TECHNOLOGIJOS UNIVERSITETAS (UNIVERSITY OF TECHNOLOGY, KAUNAS), Lithuania
 TECHNIKON FORSCHUNGS UND PLANUNGSGESELLSCHAFT MBH (TECHNIKON), Austria
 ITTI SP ZOO (ITTI), Poland
 DIREZIONE GENERALE PER LE TECNOLOGIE DELLE COMUNICAZIONI E LA SICUREZZA INFORMATICA  ISTITUTO SUPERIORE DELLE COMUNICAZIONI E DELLE TECNOLOGIE DELL'INFORMAZIONE (DG TCSIISCOM), Italy
 GENEROLO JONO ZEMAICIO LIETUVOS KARO AKADEMIJA (GENERAL JONAS ZEMAITISMILITARY ACADEMY OF LITHUANIA), Lithuania
 FUNDACIO EURECAT (EURECAT), Spain
 CONSORZIO NAZIONALE INTERUNIVERSITARIO PER LE TELECOMUNICAZIONI (CNIT), Italy
 CENTRALESUPELEC (CentraleSupélec), France
 YES WE HACK (YWH), France
 INSTITUTO SUPERIOR TECNICO (IST), Portugal
 SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE (SGDSN), France
 UNIVERSITE DE NAMUR ASBL (UNamur), Belgium
 INOV INSTITUTO DE ENGENHARIA DE SISTEMAS E COMPUTADORES INOVACAO (INOV), Portugal
 CENTRE D'EXCELLENCE EN TECHNOLOGIES DE L'INFORMATION ET DE LA COMMUNICATION (CETIC), Belgium
 CZ.NIC, ZSPO (CZ.NIC), Czechia
 CONSORZIO INTERUNIVERSITARIO NAZIONALE PER L'INFORMATICA (CINI), Italy

Inria contact:
Thomas Jensen
 Coordinator:

Summary:
In the domain of Cybersecurity Research and innovation, European scientists hold pioneering positions in fields such as cryptography, formal methods, or secure components. Yet this excellence on focused domains does not translate into largerscale, systemlevel advantages. Too often, scattered and small teams fall short of critical mass capabilities, despite demonstrating worldclass talent and results. Europe’s strength is in its diversity, but that strength is only materialised if we cooperate, combine, and develop common lines of research. Given today’s societal challenges, this has become more than an advantage – an urgent necessity. Various approaches are being developed to enhance collaboration at many levels. Europe’s framework programs have sprung projects in cybersecurity over the past thirty years, encouraging international cooperation and funding support actions. More recently, the Cybersecurity PPP has brought together public institutions and industrial actors around common roadmaps and projects. While encouraging, these efforts have highlighted the need to break the mould, to step up investments and intensify coordination. The SPARTA proposal brings together a unique set of actors at the intersection of scientific excellence, technological innovation, and societal sciences in cybersecurity. Strongly guided by concrete and risky challenges, it will setup unique collaboration means, leading the way in building transformative capabilities and forming worldleading expertise centres. Through innovative governance, ambitious demonstration cases, and active community engagement, SPARTA aims at rethinking the way cybersecurity research is performed in Europe across domains and expertise, from foundations to applications, in academia and industry.
9.2 National initiatives
9.2.1 ANR CIAO
Participants: Benjamin Smith, Luca De Feo, Antonin Leroux, Mathilde Chenu.
ANR CIAO (Cryptography, Isogenies, and Abelian varieties Overwhelming) is a JCJC 2019 project, led by Damien Robert (Inria EP LFANT). This project, which started in October 2019, will examine applications of higherdimensional abelian varieties in isogenybased cryptography.9.2.2 ANR CBCRYPT
Participants: Alain Couvreur, Olivier Blazy.
ANR CBCRYPT (Code–based Cryptography) This is a project from (Appel à projets générique, Défi 9, Liberté et sécurité de l’Europe, de ses citoyens et de ses résidents, Axe 4 ; Cybersécurité). This project, starting in october 2017 led by JeanPierre Tillich (Inria, EP Cosmiq) focusses on the design and the security analysis of code–based primitives, in the context of the current NIST competition.9.2.3 ANR COLA
Participants: Alain Couvreur, Thomas Debris–Alazard.
ANR COLA (An interface between COde and LAtticebased cryptography) is a project from (Appel à projets générique, Défi 9, Liberté et sécurité de l’Europe, de ses citoyens et de ses résidents, Axe 4 ; Cybersécurité). This project (ANR JCJC), starting in october 2021 led by Thomas DebrisAlazard focusses on bringing closer postquantum solutions based on codes and lattices to improve our trust in cryptanalysis and to open new perspectives in terms of design.9.2.4 ANR BARRACUDA
Participants: Daniel Augot, Alain Couvreur, Françoise LevyditVehel.
BARRACUDA is a collaborative ANR project accepted in 2021 and led by A. Couvreur .
Website : barracuda.inria.fr
The project gathers specialists of coding and cryptology on one hand and specialists of number theory and algebraic geometry on the other hand. The objectives concern problems arising from modern cryptography which require the use of advanced algebra based objects and techniques. It concerns for instance mathematical problems with applications to distributed storage, multiparty computation or zero knowledge proofs for protocols.
9.2.5 ANR SANGRIA
Participants: Olivier Blazy.
SANGRIA is a collaborative ANR project accepted in 2021.
Website : lip6.fr/Damien.Vergnaud/projects/sangria/
The main scientific challenge of the SANGRIA (Secure distributed computAtioN  cryptoGRaphy, combinatorIcs and computer Algebra) project are (1) to construct specific protocols that take into account practical constraints and prove them secure, (2) to implement them and to improve the efficiency of existing protocols significantly. The SANGRIA project (for Secure distributed computAtioN: cryptoGRaphy, combinatorIcs and computer Algebra) aims to undertake research in these two aspects while combining research from cryptography, combinatorics and computer algebra. It is expected to impact central problems in secure distributed computation, while enriching the general landscape of cryptography.
9.2.6 ANR MobiS5
Participants: Olivier Blazy.
MobiS5 is a collaborative ANR project accepted in 2018.
Website : mobis5.limos.fr/
MobiS5 will aim to foresee and counter the threats posed in 5G architectures by the architectural modifications suggested in TR 22.86122.864. Concretely, we will provide a provablysecure cryptographic toolbox for 5G networks, validated formally and experimentally, responding to the needs of 5G architectures at three levels:
* Challenge 1: security in the network infrastructure and end points: including core network security and attack detection and prevention; * Challenge 2: cryptographic primitives and protocols, notably : a selection of basic primitives, an authenticated keyexchange protocol, tools to compute on encrypted data, and postquantum cryptographic countermeasures * Challenge 3: mobile applications, specifically in the usecase of a secure server that aids or processes outsourced computation; and the example of a smart home.
9.2.7 ANR CryptiQ
Participants: Olivier Blazy.
CryptiQ is a collaborative ANR project accepted in 2018.
The goal of the CryptiQ project is to major changes due to Quantum Computing by considering three plausible scenarios, from the closest to the furthest foreseeable future, depending on the means of the adversary and the honest parties. In the first scenario, the honest execution of protocols remains classical while the adversary may have oracle access to a quantum computer. This is the socalled postquantum cryptography, which is the best known setting. In the second scenario (quantumenhanced classical cryptography), we allow honest parties to have access to quantum technologies in order to achieve enhanced properties, but we restrict this access to those quantum technologies that are currently available (or that can be built in nearterm). The adversary is still allowed to use any quantum technology. Finally, in the third scenario (cryptography in a quantum world), we allow the most general quantum operations to an adversary and we consider that anybody can now have access to both quantum communication and computation.
9.2.8 PEPR sur les technologues quantiques  Projet intégré "Un cadenas postquantique pour les navigateurs web"
Participants: Alain Couvreur, Thomas Debris–Alazard, Benjamin Smith, Anaëlle Le Devehat, Matthieu Lequesne.
This projet intégré aims to develop post quantum cryptographic primitives in 5 years which would be implemented in an open source web browser. The evolution of cryptographic standards has already begun. The choice of new primitives will be made soon and the transition should be operated in a few years. The objective of the project is to play a crucial role in this evolution so that french researchers, which are already strongly implied in this process could influence the choice of cryptographic standards in the next years.
9.2.9 Inria Défi RIOTfp: Reconcile IoT and FutureProof Security
Participants: Benjamin Smith, Gustavo Banegas.
RIOTfp is a research project on cybersecurity targeting lowend, microcontrollerbased IoT devices, on which run operating systems such as RIOT and a lowpower network stack. It links the projectteams EVA, GRACE, PROSECCO, TRiBE, and TEA. Taking a global and practical approach, RIOTfp gathers partners planning to enhance RIOT with an array of security mechanisms. The main challenges tackled by RIOTfp are: developing highspeed, highsecurity, lowmemory IoT crypto primitives,
 providing guarantees for software execution on lowend IoT devices, and
 enabling secure IoT software updates and supplychain, over the network.
Beyond academic outcomes, the output of RIOTfp is open source code published, maintained and integrated in the open source ecosystem around RIOT. As such, RIOTfp strives to contribute usable building blocks for an open source IoT solution improving the typical functionality vs. risk tradeoff for endusers.
9.2.10 Inria AEx CACHAÇA
Participants: Benjamin Smith, Guenael Renault, Anaelle Le Devehat.
The Action Exploratoire CACHAÇA, led by Benjamin Smith and based at Campus Cyber, started in 2022. CACHAÇA aims to bring highassurance techniques from formal methods to the initial design and implementation phase for new postquantum cryptosystems, to produce fast, safe, and portable software implementations, especially for constrained environments such as IoT devices. Guenael Renault has associate researcher status, and so CACHAÇA is an anchorpoint for collaborations between GRACE and the Secure Components laboratory at ANSSI. It will also englobe GRACE's contribution to planned industrial consortia (expected to begin in 2023).10 Dissemination
Participants: Daniel Augot, Olivier Blazy, Maxime Bombar, Alain Couvreur, Thomas DebrisAlazard, Françoise LevyditVehel, François Morain, Guenael Renault, Benjamin Smith.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
 O. Blazy and A. Couvreur participated in the organisation of the Journées Codage et Cryptographie (C2) 2022.
 A. Couvreur organised the CIMPA Summer School SUmmer School in Applied Arithmetic at Nesin (SUSAAN) in Nesin math Village (Sirince, Turkey).
 D. Augot is member of the programm committee of the seminar of the “groupe de travail codage et cryptographie (GT C2) du groupement de recherche informatique mathématique (GDR IM)”
10.1.2 Scientific events: selection
Chair of conference program committees
 B. Smith was PC chair for SAC 2022 (Selected Areas in Cryptography, Windsor, Canada).
Member of the conference program committees
 A. Couvreur was member of the program committee of Journées scientifiques Inria 2022.
 O. Blazy was a member of the programm committees of CTRSA, Eurocrypt, SAC, PQCrypto
 F. LevyditVehel was a member of the program committee of 2022 IEEE International Symposium on Information Theory (ISIT2022)
 D. Augot was a member of the program committee of 2022 IEEE International Symposium on Information Theory (ISIT2022)
 D. Augot was a member of the program committee of the 6th International Workshop on Cryptocurrencies and Blockchain Technology
 D. Augot was a member of the program committee of the IEEE International Conference on Blockchain and Cryptocurrency
 D. Augot was a member of the program committee of the WCC 2022: The Twelfth International Workshop on Coding and Cryptography
 D. Augot was a member of the program committee of the 6th Workshop on Trusted Smart Contracts (WTSC2022)
 T. Debris–Alazard was a member of the jury for the PhD award Gilles Kahn of the Société Informatique de France.
 B. Smith was a member of the program committee of PQCrypto 2022
 B. Smith was a member of the program committee of ANTSXV
 T. Debris–Alazard was a member of the jury for the PhD award Gilles Kahn of the Société Informatique de France.
Reviewer
 A. Couvreur has been reviewer for the conferences Asiacrypt 2022; Workshop on Coding and Cryptograny (WCC) 2022 and IEEE Information Theory Workshop (ITW) 2022.
 O. Blazy has been a reviewer for the conferences Asiacrypt 2022; Crypto 2022; Workshop on Coding and Cryptograny (WCC) 2022 and Conference on Security and Cryptography for Networks (SCN) 2°22.
 T. Debris–Alazard has been reviewer for the conferences Asiacrypt 2022 and PostQuantum Crypto 2022.
 D. Augot has been reviewer for the conference 2022 Information Theory Workshop
 D. Augot has been reviewer for the conference Workshop on Coding and Cryptography (WCC22)
 M. Bombar has been reviewer for the conferences Workshop on Coding and Cryptography (WCC) 2022, Asiacrypt 2022, PKC 2023.
 B. Smith was a reviewer for the conference CTRSA 2022.
10.1.3 Journal
Member of the editorial boards
 A. Couvreur is member of the editorial board of Publications Mathématiques de Besançon.
 O. Blazy is a member of the editorial board of Computer Law & Security Review
Reviewer  reviewing activities
 A. Couvreur has been reviewer for the journals, Advances in Mathematics of Communication; Designs, Codes and Cryptography; IEEE, Transactions on Information Theory; Journal of Algebraic Combinatorics and Applicable Algebra in Engeneering, Communication and Computing.
 O. Blazy had been a review for the journals, IEEE, Transactions on Services Computing ; Designs, Codes and Cryptography; Journal of Cryptography; IEEE access
 T. Debris–Alazard has been reviewer for the journals, Advances in Mathemetics of Communication; Designs, Codes and Cryptography and Journal of Cryptography.
 D. Augot has been reviewer for Designs, Codes and Cryptography, Discrete Maths, SIAM Journal on Discrete Mathematics
 M. Bombar has been reviewer for the journals Advances in Mathematics of Communication; IEEE, Transactions on Information Theory.
 B. Smith was a reviewer for journals including Mathematics of Computation and Mathematical Cryptology
10.1.4 Invited talks
 A. Couvreur has been invited to give a lecture at the Algebraic Coding Theory (ACT) summer school 2022. 62.
 O. Blazy has been an invited panelist at Conference Privacy, Data Protection (CPDP) 2022.
 T. Debris–Alazard has been invited to give lectures at the Summer school in postquantum cryptography 2022.
 M. Bombar has been invited to give tutorials in code–based cryptography at the Summer school in postquantum cryptography 2022.
10.1.5 Leadership within the scientific community
 O. Blazy and A. Couvreur lead the CNRS' Groupe de travail Codage et Cryptographie of Groupes de recherche Sécurité Informatique and Informatique Mathématique.
 A. Couvreur was member of the Commité de Culture Mathématiques (CCM) of Institut Henri Poincaré.
 A. Couvreur is coordinator for Inria of the projet intégré “Un cadenas post–quantique pour les navigateurs web” (PQTLS) of the PEPR quantique.
 A. Couvreur is the principal investigator of the collaborative ANR project Barracuda.
10.1.6 Scientific expertise
 A. Couvreur was referee of the PhD thesis of Leonardo Landi (Danmarks Tekniske Universitet, Lyngby, Danemark).
 A. Couvreur was referee of the PhD of Étienne Marcatel (Université de Grenoble Alpes).
 A. Couvreur was referee of the PhD of Amaury Durand (Université de Bordeaux).
 A. Couvreur was referee of the PhD of Maxime Bros (Université de Limoges).
 O. Blazy was a referee of the PhD of Meryem Cherkaoui Semmouni (Ecole Nationale d'Informatique et d'Analyse des Systèmes, Rabat, Morocco).
 O. Blazy was a referee for the PhD of Tang Khai Hanh (Nanyang Technological University, Singapore, Singapore)
 G. Renault was referee for the PHD of Mohamed Traore (Université Grenoble Alpes)
 G. Renault was referee for the PHD of Davide Poggi (Université de Montpellier)
 G. Renault was referee for the PHD of Simon Landry (Sorbonne Université)
 G. Renault was referee for the PHD of Axel MathieuMahias (Université ParisSaclay)
 T. Debris–Alazard has been mandated as an expert for the ANR.
 B. Smith served as a scientific expert for Bpifrance.
10.1.7 Research administration
 A. Couvreur is elected member of Inria's Commission d'évaluation.
 A. Couvreur is member of the Comité scientifique du programme Maths et IA of the Labex Mathématiques Jacques Hadamard.
 O. Blazy was appointed référent europe for the GDR sécurité informatique
 O. Blazy was appointed as one of the academic member of the PostQuantum Cryptography Workgroup at Campus Cyber.
 B. Smith is a member of the PostQuantum Cryptography working group at Campus Cyber.
 B. Smith was a member of the Research and Innovation Committee of Labex Digicosme
 B. Smith is a member of the Commission Scientifique of Inria Saclay.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Licence : F. Morain , Lectures for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).
 Licence : T. Debris–Alazard , Exercises for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique.
 Licence : M. Bombar : INF361: Introduction à l'informatique (tutorials), 40h (equiv TD), 1st year (L3), École polytechnique.
 Licence : B. Smith : CSE101: Introduction to Computer Programming, 42h, L1, École polytechnique, France
 Licence : O. Blazy : CSE101: Introduction to Computer Programming (Tutorials), 58h, L1, École polytechnique, France
 Master : T. Debris–Alazard , Lectures for "Postquantum cryptography", 8h, 4th year, ENS Lyon,
 Master : A. Couvreur : MPRI 2132: Error Correcting codes and applications to cryptography.
 Master : T. Debris–Alazard : MPRI 2132: Error Correcting codes and applications to cryptography.
 Master A. Couvreur : Master QDCS Calcul quantique avancé et codes correcteurs. 10h.
 Master: D. Augot : lectures and labs on crypto in blockchains, 24h, M2, École polytechnique, France.
 Master: D. Augot designed with Julien Prat the cursus of a course in blockchains and economics, and made lectures on zeroknowledge.
 Master : F. Morain is the scientific leader of the Master of Science and Technology Cybersecurity: Threats and Defense of École Polytechnique.
 Master : F. Morain , INF558, Introduction to cryptology, 36h, M1, École Polytechnique. This special year included video making of all his courses.
 Master : M. Bombar : INF558 : Introduction to cryptology (tutorials), 22.5h (equiv TD), M1, École Polytechnique.
 Master : M. Bombar : INF550 : Advanced algorithms (tutorials), 18h (equiv TD), M1, École Polytechnique.
 Master : B. Smith : INF568: Advanced Cryptography, 45h, M1, École polytechnique, France
 Master : B. Smith and F. Morain : MPRI 2122: Algorithmes Arithmétiques pour la Cryptologie, 22.5h, M2, Master Parisien de Recherche en Informatique, France. The lectures were all given in live video.
 Master : F. LevyditVehel , Lectures on discrete maths, 21h, M1, ENSTA.
 Master : F. LevyditVehel , Lectures on cryptography, 24h, M2, ENSTA.
 Master Cybersecurity: D. Augot , cryptography in blockchains, 24h, M2.
 Master : G. Renault : Lectures and Labs for INF565: Information Systems Security, 60h, M1, École polytechnique, France
 Master : G. Renault : Lectures and Labs for INF648: Embedded security: sidechannel attacks; javacard, 60h, M2, École polytechnique, France
 Master : G. Renault : Coordinator for INF637: Reverse engineering vs Obfuscation, 2h, M2, École polytechnique, France
 Master : O. Blazy : Lectures and Labs for INF646: Introduction to formal methods, 20h, M2, École polytechnique, France
 Master : O. Blazy : Lectures and Labs for Authentification, VPN et Chiffrement, 6h, M2, Telecom Sud Paris, France
 Professionnal training: D. Augot gave a two hours lecture at SystemX.
10.2.2 Juries
 A. Couvreur was president of the PhD jury of Simon Montoya (Institut Polytechnique de Paris).
 O. Blazy and A. Couvreur were members of the PhD Jury of Maxime Bros (Université de Limoges).
 A. Couvreur was member of the PhD jury of Manon Bertin (Université de Rouen Normandie).
 O. Blazy was president of the PhD jury of Manon Bertin (Université de Rouen Normandie).
 A. Couvreur was member of the PhD jury of Étienne Marcatel (Université Grenoble Alpes).
 A. Couvreur was member of the PhD jury of Christophe Levrat (Sorbonne université).
 A. Couvreur was member of the PhD jury of Amaury Durand (Université de Bordeaux)
 A. Couvreur was member of the PhD jury of Leonardo Landi (Danmarks Tekniske Universitet, Lyngby, Danemark).
 O. Blazy was president of the PhD jury of Octavio Perez Kempner (Ecole Normale SupérieurePSL, Paris, France).
 O. Blazy was member of the PhD jury of Souha Masmoudi (Telecom Sud Paris, Evry, France).
 D. Augot was member of the HDR jury of Pascal Véron (Université de Toulon)
 D. Augot was member of the PhD jury of Marina DehezClementi (Université de Toulouse)
 B. Smith was a member of the PhD jury of Natalia Kulatova (ENS/PSL Université Paris).
 G. Renault was member of the HDR jury of Charles Bouillaguet (Sorbonne Université)
 G. Renault was member of the PHD jury of Mohamed Traore (Université Grenoble Alpes)
 G. Renault was member of the PHD jury of Davide Poggi (Université de Montpellier)
 G. Renault was member of the PHD jury of Simon Landry (Sorbonne Université)
 G. Renault was member of the PHD jury of Axel MathieuMahias (Université ParisSaclay)
 G. Renault was member of the PHD jury of Gabriel Destouet (Université Grenoble Alpes)
10.3 Popularization
10.3.1 Internal or external Inria responsibilities

A. Couvreur
is the référent médiation scientifique of
Saclay's research center.
 He organised the Rendezvous des Jeunes Mathématiciennes et Informaticiennes on February 21 and 22th 2022. The event happened online due to the pandemic.
 He participated in the organisation of Fête de la science 2022.
11 Scientific production
11.1 Major publications
 1 articleEfficient multivariate lowdegree tests via interactive oracle proofs of proximity for polynomial codes.Designs, Codes and Cryptography2022
 2 proceedingsG.Gustavo BanegasK.Koen ZandbergE.Emmanuel BaccelliA.Adrian HerrmannB.Benjamin SmithQuantumResistant Software Update Security on LowPower Networked Embedded Devices.13269Lecture Notes in Computer ScienceSpringer International PublishingJune 2022, 872891
 3 inproceedingsHow fast do you heal? A taxonomy for postcompromise security in securechannel establishment.USENIX 2023  The 32nd USENIX Security SymposiumUSENIX 2023  The 32nd USENIX Security SymposiumAnaheim, United StatesAugust 2023
 4 inproceedingsOn Codes and Learning With Errors over Function Fields.Lecture Notes in Computer ScienceCRYPTO 202213508Advances in Cryptology – CRYPTO 2022Santa Barbara (CA), United StatesSpringer Nature SwitzerlandOctober 2022, 513540
 5 articleAn Algorithmic Reduction Theory for Binary Codes: LLL and more.IEEE Transactions on Information TheoryJanuary 2022
 6 inproceedingsEfficient Proofs of Retrievability using Expander Codes.Cryptography and Network Security, CANS 2022Abu Dhabi, United Arab EmiratesNovember 2022
 7 articleDeterministic factoring with oracles.Applicable Algebra in Engineering, Communication and ComputingSeptember 2021
11.2 Publications of the year
International journals
 8 articleComputing RiemannRoch spaces via Puiseux expansions.Journal of ComplexityApril 2022
 9 articleEfficient computation of RiemannRoch spaces for plane curves with ordinary singularities.Applicable Algebra in Engineering, Communication and ComputingDecember 2022
 10 articleOuroboros An efficient and provably secure KEM family.IEEE Transactions on Information TheoryApril 2022, 11
 11 articleA survey of elliptic curves for proof systems.Designs, Codes and CryptographyDecember 2022, 46
 12 articleEfficient multivariate lowdegree tests via interactive oracle proofs of proximity for polynomial codes.Designs, Codes and Cryptography2022
 13 articleEfficient supersingularity testing over F_p and CSIDH key validation.Mathematical Cryptology21October 2022, 2135
 14 articleA gapless codebased hash proof system based on RQC and its applications.Designs, Codes and CryptographyAugust 2022
 15 articleAnonymous attributebased designated verifier signature.Journal of Ambient Intelligence and Humanized Computing689September 2022, 62336244
 16 articleRecovering or Testing ExtendedAffine Equivalence.IEEE Transactions on Information Theory689September 2022, 6187  6206
 17 articleHigherdegree supersingular group actions.Mathematical Cryptology12March 2022, 85101
 18 articleAn Algorithmic Reduction Theory for Binary Codes: LLL and more.IEEE Transactions on Information TheoryJanuary 2022
 19 articleTrustless unknownorder groups.Mathematical Cryptology12March 2022, 2539
 20 articleAn atlas of the Richelot isogeny graph.RIMS Kôkyûroku BessatsuB90June 2022, 195219
 21 articleModular curves over number fields and ECM.Research in Number Theory2022
 22 articleThe evolution of mining pools and miners’ behaviors in the Bitcoin blockchain.IEEE Transactions on Network and Service Management193September 2022, 36333644
International peerreviewed conferences
 23 inproceedings(Augmented) Broadcast Encryption from Identity Based Encryption with Wildcard.Cryptology and Network Security. 21st International Conference, CANS 2022 Dubai, United Arab Emirates, November 13–16, 2022, Proceedings.CANS 2022  21st International Conference on Cryptology and Network SecurityLNCS13641Cryptology and Network SecurityDubai, United Arab EmiratesSpringer International PublishingNovember 2022, 143164
 24 inproceedingsPostQuantum and UCsecure Oblivious Transfer from SPHF with Grey Zone.15th International Symposium on Foundations & Practice of Security (FPS2022)15th International Symposium on Foundations & Practice of Security (FPS – 2022).Ottawa, CanadaDecember 2022
 25 inproceedingsSecurity Assessment of NTRU Against NonProfiled SCA.CARDIS 2022Birmingham, United KingdomNovember 2022
 26 inproceedingsHow fast do you heal? A taxonomy for postcompromise security in securechannel establishment.USENIX 2023  The 32nd USENIX Security SymposiumUSENIX 2023  The 32nd USENIX Security SymposiumAnaheim, United StatesAugust 2023
 27 inproceedingsMARSHAL: Messaging with Asynchronous Ratchets and Signatures for faster HeALing.Symposium on Applied Computing (SAC)The 37th ACM/SIGAPP Symposium on Applied Computing, SAC (2022)Virtual, Czech RepublicACMApril 2022, 18
 28 inproceedingsIdentityBased Encryption in DDH Hard Groups.Lecture Notes in Computer ScienceAFRICACRYPT 2022  13th International Conference on Cryptology in AfricaLNCS13503Progress in Cryptology  AFRICACRYPT 2022Fes, MoroccoSpringer Nature Switzerland; Springer Nature SwitzerlandOctober 2022, 81102
 29 inproceedingsOn Codes and Learning With Errors over Function Fields.Lecture Notes in Computer ScienceCRYPTO 202213508Advances in Cryptology – CRYPTO 2022Santa Barbara (CA), United StatesSpringer Nature SwitzerlandOctober 2022, 513540
 30 inproceedingsInteractive Oracle Proofs of Proximity to Algebraic Geometry Codes.CCC '22: Proceedings of the 37th Computational Complexity ConferenceCCC 2022  37th Computational Complexity ConferencePhiladelphie, United StatesSeptember 2022, 30:130:45
 31 inproceedingsStatistical Decoding 2.0: Reducing Decoding to LPN.ASIACRYPT 2022  28th Annual International Conference on the Theory and Application of Cryptology and Information SecurityTaipei, TaiwanDecember 2022
 32 inproceedingsBuilding a Commitlevel Dataset of Realworld Vulnerabilities.CODASPY 2022  12th ACM Conference on Data and Application Security and PrivacyBaltimore MD USA, United StatesACMApril 2022, 101106
 33 inproceedingsFamilies of SNARKfriendly 2chains of elliptic curves.LNCSAdvances in Cryptology  EUROCRYPT 2022  41st Annual International Conference on the Theory and Applications of Cryptographic Techniques13276EUROCRYPT 2022Trondheim / Hybrid, NorwaySpringerMay 2022, 367396
 34 inproceedingsCofactor clearing and subgroup membership testing on pairingfriendly curves.AFRICACRYPT 2022  13th International Conference on Cryptology13503LNCSFes, MoroccoSpringerOctober 2022, 518536
 35 inproceedingsPairings in Rank1 Constraint Systems.ACNS2023  21st International Conference on Applied Cryptography and Network SecurityKyoto, JapanJune 2023
 36 inproceedingsCommunicationEfficient Proactive MPC for Dynamic Groups with Dishonest Majorities.ACNS 2022ACNS 2022Rome, Italy2021
 37 inproceedingsA New Isogeny Representation and Applications to Cryptography.ASIACRYPT 2022Taipei, TaiwanDecember 2022
 38 inproceedingsAn Effective Lower Bound on the Number of Orientable Supersingular Elliptic Curves.SAC 2022  Selected Areas in CryptographyWindsor, CanadaAugust 2022
 39 inproceedingsA Framework for the Design of Secure and Efficient Proofs of Retrievability.LNCSInternational Conference on Cryptology, Coding Theory, and Cybsersecurity, I4CSCasablanca, Morocco, MoroccoOctober 2022
 40 inproceedingsEfficient Proofs of Retrievability using Expander Codes.Cryptography and Network Security, CANS 2022Abu Dhabi, United Arab EmiratesNovember 2022
 41 inproceedingsImplementing the ThullYap algorithm for computing Euclidean remainder sequences.ISSAC2022Villeneuved’Ascq, FranceJuly 2022
Conferences without proceedings
 42 inproceedingsRighthand side decoding of Gabidulin codes and applications.WCC 2022 : The Twelfth International Workshop on Coding and CryptographyRostock, GermanyMarch 2022
 43 inproceedingsQuokka: A Fast and Accurate Binary Exporter.GreHack 2022  10th International Symposium on Research in GreyHat HackingGrenoble, FranceNovember 2022
Edition (books, proceedings, special issue of a journal)
 44 proceedingsG.Gustavo BanegasK.Koen ZandbergE.Emmanuel BaccelliA.Adrian HerrmannB.Benjamin SmithQuantumResistant Software Update Security on LowPower Networked Embedded Devices.13269Lecture Notes in Computer ScienceSpringer International PublishingJune 2022, 872891
Doctoral dissertations and habilitation theses
 45 thesisEfficient protocols for testing proximity to algebraic codes.Institut Polytechnique de ParisJune 2022
 46 thesisTowards 1day Vulnerability Detection using Semantic Patch Signatures.Institut polytechnique de ParisOctober 2022
 47 thesisThe Arithmetic of PairingBased Proof Systems.Institut Polytechnique de ParisNovember 2022
 48 thesisQuaternion Algebra and isogenybased cryptography.Ecole doctorale de l’Institut Polytechnique de ParisSeptember 2022
 49 thesisEmbedded latticebased cryptography.Institut polytechnique de ParisOctober 2022
 50 thesisModeling and construction of interactive cryptographic protocols for outsourced storage.Institut Polytechnique de Paris; Ecole PolytechniqueNovember 2022
Reports & preprints
 51 miscImprovements to the number field sieve for nonprime finite fields.August 2022
 52 miscA proof of the BrillNoether method from scratch.August 2022
 53 miscFailing to hash into supersingular isogeny graphs.July 2022
 54 miscEdMSM: MultiScalarMultiplication for recursive SNARKs and more.October 2022
 55 miscImproved decoding of symmetric rank metric errors.December 2022
 56 miscQuantum Reduction of Finding Short Code Vectors to the Decoding Problem.January 2022
 57 miscPseudorandom Correlation Functions fromVariableDensity LPN, Revisited.January 2023
 58 miscSimultaneous Rational Function Reconstruction with Errors: Handling Multiplicities and Poles.March 2022
 59 miscA Composable Look at Updatable Encryption.January 2022

60
miscSome factors of numbers of the form
${b}^{n}\pm 1$ found using ECM with new classes of curves.March 2022
Other scientific publications
 61 miscZeroKnowledge : trust and privacy on an industrial scale.January 2022
11.3 Other
Educational activities
 62 unpublishedCodes and modular curves.July 2022, DoctoralSwitzerland
11.4 Cited publications
 63 unpublishedWavelet: Codebased postquantum signatures with fast verification on microcontrollers.October 2021, working paper or preprint
 64 unpublishedQuantumResistant Security for Software Updates on Lowpower Networked Embedded Devices.June 2021, working paper or preprint
 65 inproceedingsFast ReedSolomon Interactive Oracle Proofs of Proximity.45th International Colloquium on Automata, Languages, and Programming, ICALP 2018, July 913, 2018, Prague, Czech Republic2018, 14:114:17
 66 inproceedingsDecoding Supercodes of Gabidulin Codes and Applications to Cryptanalysis.PostQuantum CryptographyChamSpringer International Publishing2021, 322
 67 inproceedingsDecoding supercodes of Gabidulin codes and applications to cryptanalysis.PostQuantum Cryptography 202112841PostQuantum Cryptography. PQCrypto 2021PQCrypto 2021. The Sage code is available on Github: https://github.com/mbombar/Attack_on_LIGADaejeon, South KoreaSpringerJuly 2021, 322
 68 inproceedingsCorrelated Pseudorandom Functions from VariableDensity LPN.FOCS 2020  Annual IEEE Symposium on Foundations of Computer ScienceDurham, United StatesNovember 2020
 69 inproceedingsCalibrating Noise to Sensitivity in Private Data Analysis.Theory of CryptographyBerlin, Heidelbergspringer2006, 265284
 70 inproceedingsOptimized and secure pairingfriendly elliptic curves suitable for one layer proof composition.CANS 2020  19th International Conference on Cryptology and Network Security12579Lecture Notes in Computer ScienceVienna / Virtual, AustriaSpringerDecember 2020, 259279
 71 inproceedingsOn Using RSA/ECC Coprocessor for Ideal LatticeBased Key Exchange.COSADE 2021Lugano, SwitzerlandOctober 2021
 72 inproceedingsShort PairingBased Noninteractive ZeroKnowledge Arguments.Advances in Cryptology  ASIACRYPT 2010Berlin, HeidelbergSpringer Berlin Heidelberg2010, 321340
 73 articlePinocchio: Nearly Practical Verifiable Computation.Commun. ACM592January 2016, 103–112
 74 inproceedingsProtocols for Secure Computations (Extended Abstract).FOCSIEEE Computer Society1982, 160164
 75 articleFunctional mechanism: regression analysis under differential privacy.arXiv preprint arXiv:1208.02192012