2023 Activity report: Project-Team CANARI
RNSR: 202324429H. Research center: Inria Centre at the University of Bordeaux
In partnership with: CNRS, Université de Bordeaux
Team name: Cryptography ANalysis and ARIthmetic
In collaboration with: Institut de Mathématiques de Bordeaux (IMB)
Domain: Algorithmics, Programming, Software and Architecture
Theme: Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
 A4.3.1. Public key cryptography
 A4.3.3. Cryptographic protocols
 A4.3.4. Quantum Cryptography
 A8.5. Number theory
 A8.10. Computer arithmetic
Other Research Topics and Application Domains
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.8. Reproducibility
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Damien Olivier Robert [Team leader, INRIA, Senior Researcher, from Oct 2023, HDR]
 Razvan Barbulescu [CNRS, Researcher, from Jul 2023]
 Xavier Caruso [CNRS, Senior Researcher, from Jul 2023, HDR]
 Andreas Enge [INRIA, Senior Researcher, from Jul 2023, HDR]
 Fredrik Johansson [INRIA, Researcher, from Jul 2023]
 Aurel Page [INRIA, Researcher, from Jul 2023]
 Alice Pellet Mary [CNRS, Researcher, from Jul 2023]
Faculty Members
 Karim Belabas [UNIV BORDEAUX, Professor, from Jul 2023, HDR]
 Guilhem Castagnos [UNIV BORDEAUX, Associate Professor, from Jul 2023, HDR]
 Henri Cohen [UNIV BORDEAUX, Emeritus, from Jul 2023]
Jean-Marc Couveignes [UNIV BORDEAUX, Professor, from Jul 2023, HDR]
Qing Liu [UNIV BORDEAUX, Associate Professor, Delegation, from Sep 2023]
Post-Doctoral Fellows
Sabrina Kunzweiler [INRIA, Post-Doctoral Fellow, from Jul 2023]
Wessel Van Woerden [UNIV BORDEAUX, Post-Doctoral Fellow, from Jul 2023]
PhD Students
 Agathe Beaugrand [UNIV BORDEAUX, from Jul 2023]
Élie Bouscatié [ORANGE, CIFRE, from Jul 2023 until Nov 2023]
 Pierrick Dartois [IMT, from Jul 2023]
 Fabrice Etienne [UNIV BORDEAUX, from Jul 2023]
 Jean Gasnier [UNIV BORDEAUX, from Jul 2023]
 Guilhem Mureau [INRIA, from Sep 2023]
 Nicolas Sarkis [UNIV BORDEAUX, from Jul 2023]
Anne-Edgar Wilke [UNIV BORDEAUX, ATER, from Jul 2023]
Technical Staff
 Bill Allombert [CNRS, Engineer, from Jul 2023]
Administrative Assistant
 Joelle Rodrigues [INRIA]
External Collaborators
 Luca De Feo [IBM RESEARCH EUROPE, from Jul 2023, HDR]
 Benjamin Wesolowski [CNRS, from Jul 2023]
2 Overall objectives
The primary goals of the Canari project are, firstly, to design algorithmic solutions to manipulate the objects involved in the Langlands programme, secondly to develop algorithmic tools to handle the necessary arithmetic and analysis (real, complex and $p$-adic) involved, and thirdly, to derive concrete applications, in particular to cryptography.
The Langlands programme postulates deep relationships between objects of three apparently unrelated worlds: the automorphic world, the world of Galois representations, and the motivic world.
The automorphic world belongs to the realm of analysis and infinite-dimensional vector spaces: its main citizens are automorphic forms, which are certain smooth functions satisfying nice differential equations. The number-theoretic content comes from the domains of these functions: they are defined on so-called arithmetic manifolds, of which many classical objects are special cases: modular curves, moduli spaces of abelian varieties, the space of Euclidean lattices of a given dimension, Arakelov class groups, etc.
The world of Galois representations is about symmetry and algebra. The main citizen is the group of all symmetries of the field of all algebraic numbers, the absolute Galois group ${G}_{\mathbb{Q}}$. Galois representations are linear actions of ${G}_{\mathbb{Q}}$ on finite-dimensional vector spaces over a field (complex numbers, $p$-adic numbers and finite fields are all important). They are like powerful microscopes that allow us to visualise a tiny portion of ${G}_{\mathbb{Q}}$ as a group of geometric symmetries.
The motivic world is about geometry. Its main citizens are algebraic varieties, that is, sets of solutions of polynomial equations, and their associated cohomologies. Important examples are algebraic curves and abelian varieties. One can classify varieties by discrete, or cohomological, invariants such as dimension and genus (integers). For some families of algebraic varieties, once these discrete invariants are fixed, the family is parametrised by a continuous space which is itself an algebraic variety, called a moduli space. Moduli spaces of curves and abelian varieties play a key role in number theory and in cryptography.
These worlds are tied together via the central notion of $L$-function: generating series adapted to number theory. Each world has its own recipe to produce $L$-functions, and the Langlands programme asserts that the $L$-functions coming from the three worlds are the same; this has striking consequences, as each origin then brings special properties to the other ones. A large portion of current research in number theory is placed in this context. Thus $L$-functions can be seen as bridges between these three worlds, and the main goal of the team is to give algorithms to construct these bridges in practice.
A strong focus of the team is on making our algorithms available through open source software, notably Pari/GP, Flint (Arb, Calcium) and Mpc.
3 Research program
The team is organised around three axes. The goal of the first axis is to give a systematic computational treatment of objects from the Langlands programme, and to investigate the algorithmic insight that can be gained by approaching problems in computational number theory from the Langlands programme point of view.
These algorithms will be of two kinds: exact, or of an analytic, approximate nature ($p$-adic, real or complex). Hence, the second axis is concerned with the development of effective complex and $p$-adic analysis to handle the analytic objects that appear naturally. Finally, the new objects and computational problems will provide potential bases for next-generation cryptosystems, and the third axis uses these new insights to analyse the security of post-quantum cryptography, build new cryptosystems, improve existing ones and study their security.
3.1 Algorithms for higher dimensional number theory
The goal of this axis is to design and implement efficient algorithms to enumerate, construct, represent, and compute with the fundamental objects of the Langlands programme and to explore their interactions. This will provide versatile tools for mathematicians to progress on difficult problems by directly manipulating intricate objects, and a collection of new problems and algorithms for cryptographers to use for the design of next-generation cryptographic primitives. Since many of these objects have a strong analytic flavour, the methods from our effective analysis axis will be vital.
The main topics of this theme will be:
 Automorphic forms: compute spaces of automorphic forms (Siegel and Hilbert modular forms, ...)
Galois representations: compute Artin representations using tools from representation theory, Iwasawa theory, $p$-adic Hodge theory.
 Varieties: abelian varieties, curves of higher genus, Shimura varieties and moduli spaces, hypergeometric motives.
 Bridges from the Langlands programme.
3.2 Effective analysis
The goal of this axis is to develop algorithms for efficient and reliable arithmetic in various fields (real, complex, $p$-adic, finite), which is a prerequisite for computing with the number-theoretic objects of both Axis 1 and Axis 3, and especially $L$-functions, which are analytic objects by nature (defined in terms of series and integrals). Beyond elementary arithmetic and linear and non-linear algebra, we also frequently need effective algorithms in the realm of complex and $p$-adic analysis, including algorithms for solving differential equations.
There is a wealth of research questions to address to guarantee convergence, optimal complexities and efficiency at different precisions, as well as the exactness of the results.
The main topics of this theme will be:
 Real and complex analysis: rigorous algorithms for evaluating holonomic functions. For analytic operations like limits, differentiation, summation and integration, develop algorithms with guaranteed accuracy that can handle functions with singularities or pathological behaviour like strong oscillation.
Symbolic-numeric representations: reduce the cost of computing with algebraic numbers of large degree or height, compute with mixed algebraic and purely transcendental fields.
$p$-adic analysis: optimise $p$-adic linear algebra and $p$-adic commutative algebra (including Gröbner bases) with respect to precision loss and instabilities.
3.3 Next generation and post-quantum cryptography
While the objects mentioned in Axis 1 may appear excessively abstract, when suitably instantiated, they become basic building blocks for next generation cryptosystems. First, these algebraic objects make it possible to construct quantum-resistant public key cryptosystems, which may become indispensable to secure communications in a future where large-scale quantum computers have become a reality. Second, the richness of these objects enables the construction of cryptographic schemes with advanced properties, such as homomorphic encryption, decentralised cryptography, secure multi-party computation and verifiable delay functions. The cryptosystems that will be studied in the team are related to (generalisations of) ideals and class groups in number fields: algebraic lattices, actions of class groups of orders in number fields and actions of groupoids constructed from quaternion algebras. Building and analysing these cryptosystems requires a deep understanding of the mathematical structures underlying them, which cannot simply be treated as black boxes.
The main topics of this theme will be:
 Isogenies: new cryptographic protocols from higher dimensional isogenies.
 Lattices: investigate the hardness of finding short vectors in algebraically structured lattices.
Pairings and discrete logarithms, quantum algorithms to compute unit and class groups.
 Orders of number fields: algorithms for computing with orders in number fields, as well as regulators and class groups. These algorithms can be used to construct groups of unknown order, which find applications in advanced cryptographic primitives, for instance in the area of homomorphic encryption or threshold cryptography.
 Verifiable delay functions.
4 Application domains
Our main existing and future impact is through our software, notably Pari/GP, Flint (Arb, Calcium) and Mpc, which are world leaders in their respective domains. Pari/GP is the leading package used in number theory, and is integrated into wider platforms like SageMath. Flint focuses on lower-level building blocks for number theory, like polynomial arithmetic, interval arithmetic (Arb) and symbolic computations (Calcium). Mpc, with its guarantees of correct rounding for basic complex arithmetic operations, operates at a lower level and thus has a broader scope. It serves as a reference for the GNU C library and is installed alongside GCC on every computer requiring the GNU Compiler Collection. The interval arithmetic of Arb covers a more flexible use case than Mpc, hence it has the widest range of potential applications, far beyond the needs of algorithmic number theory. It is already used in Mathematica and Maple, and a goal of the team will be to extend its reach even further.
The main impact of Axis 1, apart from the cryptographic applications, will be to give new tools to mathematicians to explore the world of the Langlands programme, construct objects explicitly and carry out experiments, in particular via Pari/GP.
The main impact of Axis 2 will be the improvement of tools to handle precision better (floating point, $p$-adic, interval arithmetic), broadening the scope outside the context of pure arithmetic. The focus of Axis 2 differs from scientific computing in that we require very high precision (hundreds to tens of thousands of digits), if possible with certified approximation bounds.
Concerning Axis 3, the requirement by governmental agencies to have post-quantum cryptographic solutions means that civil society already needs to pivot towards such solutions. NIST has an ongoing post-quantum cryptography standardisation process. This is an international process and the Canari team will contribute to the analysis (and improvement) of the security of some of these schemes (notably the isogeny-based ones and the ideal-lattice ones).
5 Social and environmental responsibility
5.1 Footprint of research activities
The main footprints of our research activities are:
The ecological impact of attending international conferences. We have signed the University of Bordeaux ecological charter, which says that we should try to reduce travel and favour the train as much as possible. Some of us also signed a more restrictive commitment, saying that we will try to limit ourselves to 20 000 km travelled by plane over a period of two years.
 The impact of our computations. Some of our record computations (largest class polynomials, largest primality proof) require using a large cluster for a long time. To reduce this impact we aim to develop faster algorithms.
5.2 Impact of research results
Another possible impact of Axis 3 will be ecological. Moving blockchains from Proof of Work to Proof of Stake is key to reducing their ecological impact. Verifiable delay functions are a core component of proof of stake, so Axis 3 will play a small role in helping this transition. In the same vein, cryptography based on class groups makes it possible to reduce the bandwidth used by certain multi-party protocols.
6 Highlights of the year
Wessel van Woerden defended his PhD thesis, Lattice Cryptanalysis: from cryptanalysis to new foundations, February 2023, Leiden.
Élie Bouscatié defended his PhD thesis, Chiffrement compatible avec l'analyse de flux, December 2023.
6.1 Major releases
Flint saw a new major release, 3.0, merging Arb and Calcium.
6.2 Awards
The article [24] received the Eurocrypt honorable mention award.
7 New software, platforms, open data
7.1 New software
7.1.1 PARI/GP
Keyword: Computational number theory
Functional Description: Pari/GP is a widely used computer algebra system designed for fast computations in number theory (factorisation, algebraic number theory, elliptic curves, modular forms ...), but it also contains a large number of other useful functions to compute with mathematical entities such as matrices, polynomials, power series, algebraic numbers, etc., and many transcendental functions.
URL:
Contact: Aurel Page
Participants: Bill Allombert, Karim Belabas, Henri Cohen, Andreas Enge, Aurel Page
Partner: CNRS
7.1.2 FLINT
Name: Fast Library for Number Theory
Keywords: Computer algebra, Computational number theory, Arithmetic
Functional Description: FLINT is a C library for doing number theory. At its core, FLINT provides arithmetic in standard rings such as the integers, rationals, algebraic, real, complex and $p$-adic numbers, finite fields, and number fields. It also provides polynomials (univariate and multivariate), power series, and matrices.
FLINT covers a wide range of functionality: primality testing, integer factorisation, multivariate polynomial GCD and factorisation, FFTs, multimodular reconstruction, special functions, exact and approximate linear algebra, LLL, finite field embeddings, and more.
URL:
Contact: Fredrik Johansson
Partner: Technische Universität Kaiserslautern (UniKL), Germany
7.1.3 GNU MPC
Keyword: Arithmetic
Functional Description: Mpc is a C library for the arithmetic of complex numbers with arbitrarily high precision and correct rounding of the result. It is built upon and follows the same principles as Mpfr. The library is written by Andreas Enge, Philippe Théveny and Paul Zimmermann.
Release Contributions:
Changes in version 1.3.1, released in December 2022:
 Bug fix: it is again possible to include mpc.h without including stdio.h.
Changes in version 1.3.0 ("Ipomoea batatas"), released in December 2022:
 New function: mpc_agm
 New rounding modes "away from zero", indicated by the letter "A" and corresponding to MPFR_RNDA on the designated real or imaginary part.
 New experimental ball arithmetic.
 New experimental function: mpc_eta_fund
 Bug fixes:
  mpc_asin for asin(z) with small Re(z) and tiny Im(z)
  mpc_pow_fr: sign of the zero part of the result when the base has, up to sign, the same real and imaginary part, and the exponent is an even positive integer
  mpc_fma: the returned 'int' value was incorrect in some cases (indicating whether the rounded real/imaginary parts were smaller/equal/greater than the exact values), but the computed complex value was correct.
 Removed the unmaintained Makefile.vc; build files for Visual Studio can be found at https://github.com/BrianGladman/mpc .
URL:
Contact: Andreas Enge
Participants: Andreas Enge, Mickaël Gastineau, Paul Zimmermann, Philippe Théveny
7.1.4 Arb
Name: Arb
Keywords: Multiple-precision, Interval arithmetic, Interval analysis, Computational number theory, Numerical algorithm
Functional Description: C library for arbitrary-precision ball arithmetic
URL:
Contact: Fredrik Johansson
7.1.5 Calcium
Name: Calcium
Keywords: Computer algebra, Numerical analysis
Functional Description: C library for exact computation with real and complex numbers
Contact: Fredrik Johansson
7.1.6 SQISignHD
Keyword: Cryptography
Functional Description: Compact post-quantum signature algorithm using isogenies in higher dimension.
Contact: Damien Olivier Robert
7.1.7 ThetaIsogenies
Keyword: Cryptography
Functional Description: Fast computation of $2^n$-isogenies in dimension 2.
URL:
Contact: Damien Olivier Robert
7.1.8 Kummer Line
Keyword: Cryptography
Functional Description: Library for the arithmetic of Kummer lines (arithmetic, isogenies, pairings)
URL:
Contact: Damien Olivier Robert
7.1.9 CM
Keyword: Arithmetic
Functional Description: The Cm software implements the construction of ring class fields of imaginary quadratic number fields and of elliptic curves with complex multiplication via floating point approximations. It consists of libraries that can be called from within a C program and of executable command line applications.
Release Contributions:
Changes in version 0.4 ("Fitzebohnen"):
 increase minimal version number for mpfrcx to 0.6.3 and for pari to 2.11.
 add decomposition of the class field into a tower of prime degree extensions
 add a fastECPP implementation, including a version for MPI
URL:
Contact: Andreas Enge
Participant: Andreas Enge
8 New results
8.1 Higher dimensional number theory
Participants: Karim Belabas, Xavier Caruso, Henri Cohen, Pınar Kılıçer, Aurel Page.
Number fields
In [26], H. Cohen wrote a survey on computational number theory.
In [5], K. Belabas, F. Diaz y Diaz and E. Friedman study special values of narrow ray class partial zeta functions.
In [28], B. Allombert and D. Mayer study capitulation of cubic number fields.
In [35], H. Cohen exhibits parametric continued fractions for some well-known number-theoretic constants.
The paper [12] by P. Kılıçer and M. Streng, which lists all CM quartic fields with CM class number one, has been published.
The article [14], which gives faster quantum algorithms to compute unit groups of cyclotomic fields, has been published in AFRICACRYPT 2023.
Drinfeld modules
Drinfeld modules can be considered as an analogue of elliptic curves when working over a function field over ${\mathbb{F}}_{q}$ instead of a number field. The ${\mathbb{F}}_{q}$-linearity is a quite important additional feature, which often makes it possible to devise better algorithms. In [34], X. Caruso and Antoine Leudière use this yoga to design fast algorithms for computing the characteristic polynomial and/or the norm of isogenies between Drinfeld modules over finite fields. With David Ayotte and Joseph Musleh, they also provide the first comprehensive implementation of Drinfeld modules in SageMath [4].
Deformations of Galois representations
X. Caruso, Agnès David and Ariane Mézard continued their study of the potentially Barsotti–Tate deformation rings of a Galois representation. Using the Breuil–Mézard conjecture, they showed in [8] that the gene entirely determines the special fibre of those deformation rings. In [25], they investigated the independence of their constructions with respect to the underlying prime number $p$ and propose a new programme of research, which they call the 1-adic Langlands correspondence, to explain these phenomena.
Algebraic differential equations
Alin Bostan, X. Caruso and Julien Roques wrote a survey [32] on the theory of linear differential equations over number fields and finite fields, focusing on algebraic criteria for the existence of algebraic solutions.
In [27], Boris Adamczewski, Alin Bostan and X. Caruso gave an effective proof of the multivariate version of Christol's theorem about algebraic power series with coefficients in finite fields. This proof allows for sharp effective estimates on the algebraic degree of many functions in positive characteristic, including diagonals of multivariate algebraic power series.
Automorphic forms
In [42], A. Page and B. Wesolowski leverage the theory of automorphic forms (the Jacquet–Langlands correspondence) to prove a powerful equidistribution theorem for graphs of supersingular elliptic curves equipped with extra structure: they introduce a new category-theoretic framework to describe suitable extra structures, prove a generalised Deuring correspondence for these structures (using adélic language), and relate them to structures coming from adélic groups, allowing the use of automorphic tools. The algorithmic and cryptographic consequences are described in Subsection 8.4.
8.2 Algorithms for number theory
Participants: Razvan Barbulescu, Jean-Marc Couveignes.
In [13], Q. Liu gives an algorithm to compute the minimal Weierstrass equation of a hyperelliptic curve over principal ideal domains. This generalises Tate's algorithm from elliptic curves to hyperelliptic curves.
In [30], R. Barbulescu and F. Jouve use the Elliott–Halberstam conjecture to measure how ECM-friendly an elliptic curve with complex multiplication is. The ECM method is a probabilistic integer factorisation method using elliptic curves; its probability of success can be improved by selecting suitable elliptic curves, and this paper investigates such ECM-friendly elliptic curves.
In [36], J.-M. Couveignes and T. Ezome use the arithmetic and geometry of elliptic curves to study the complexity of multiplying two elements of a finite field extension given by their coordinates in a normal basis.
8.3 Cryptography
Participants: Guilhem Castagnos, Élie Bouscatié.
In [7], Bouvier, Castagnos, Imbert and Laguillaumie introduce BICYCL, an open source C++ library that implements arithmetic in the ideal class groups of imaginary quadratic fields, together with a set of cryptographic primitives based on class groups. It is available at bicycl under the GNU General Public License version 3 or any later version. It provides significant speedups in the implementation of the arithmetic of class groups. Concerning cryptographic applications, BICYCL is orders of magnitude faster than any previous implementation of the Castagnos–Laguillaumie linearly homomorphic encryption scheme, making it faster than Paillier's encryption scheme at any security level. Linearly homomorphic encryption is the core of many multi-party computation protocols, sometimes involving a huge number of encryptions and homomorphic evaluations: class group based protocols become the best solution to rely upon in terms of bandwidth and computational efficiency.
Due to their use in cryptocurrencies, threshold ECDSA signatures have received much attention in recent years. Though efficient solutions now exist both for the two party, and the full threshold scenario, there is still much room for improvement, be it in terms of protocol functionality, strengthening security or further optimising efficiency.
In the past few months, a range of protocols have been published, allowing for a non-interactive – and hence extremely efficient – signing protocol; providing new features, such as identifiable aborts (parties can be held accountable if they cause the protocol to fail), fairness in the honest majority setting (all parties receive output or nobody does) and other properties. In some cases, security is proven in the strong simulation-based model. In [10], G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta and I. Tucker combine ideas from the aforementioned articles with the suggestion of Castagnos et al. (PKC 2020) to use the class group based CL framework so as to drastically reduce bandwidth consumption.
Building upon this latter protocol, they present a new, maliciously secure, full threshold ECDSA protocol that achieves additional features without sacrificing efficiency. Their most basic protocol boasts a non-interactive signature algorithm and identifiable aborts. They also propose a more advanced variant that achieves adaptive security (for the $n$-out-of-$n$ case) and proactive security. The resulting constructions improve upon state-of-the-art Paillier-based realisations achieving similar goals by up to a factor of 10 in bandwidth consumption.
Functional encryption features secret keys, each associated with a key function $f$, which make it possible to directly recover $f\left(x\right)$ from an encryption of $x$, without learning anything more about $x$. This property is particularly useful when delegating data processing to a third party, as it allows the latter to perform its task while ensuring minimum data leakage. However, this generic term conceals a great diversity of cryptographic constructions that strongly differ according to the functions $f$ they support.
A recent series of works has focused on the ability to search for a pattern within a data stream, which can be expressed as a function $f$. One of the conclusions of these works was that this function $f$ was not supported by the current state of the art, which led their authors to propose a new primitive called Stream Encryption supporting Pattern Matching (SEPM). Some concrete constructions were proposed, but with limitations such as selective security or reliance on non-standard assumptions.
In [16], É. Bouscatié, G. Castagnos and O. Sanders revisit the relations between this primitive and two major subclasses of functional encryption, namely Hidden Vector Encryption (HVE) and Inner Product Encryption (IPE). They first exhibit a generic transformation from HVE to SEPM, which immediately yields new efficient SEPM constructions with better features than existing ones. Then, they revisit the relations between HVE and IPE and show that one can actually do better than the transformation proposed by Katz, Sahai and Waters in their seminal paper on predicate encryption. This makes it possible to fully leverage the vast state of the art on IPE, which contains adaptively secure constructions proven under standard assumptions. This results in countless new SEPM constructions, with all the features one can wish for. Beyond that, this work sheds new light on the relations between IPE schemes and HVE schemes and in particular shows that some of the former are more suitable for constructing the latter.
In [6], K. Belabas, T. Kleinjung, A. Sanso and B. Wesolowski show that in some particular class groups of imaginary quadratic orders, it is easier than expected to find elements of low order. This breaks an assumption used by VDFs built from class groups.
8.4 Isogeny-based cryptography
Participants: Pierrick Dartois, Sabrina Kunzweiler, Aurel Page, Damien Robert, Benjamin Wesolowski.
The impossibility of hashing to supersingular elliptic curves requires a trusted setup to build a supersingular elliptic curve with unknown endomorphism ring. In [15], A. Basso, G. Codogni, D. Connolly, L. de Feo, B. Fouotsa, G. Lido, T. Morrison, L. Panny, S. Patranabis, and B. Wesolowski build SECUER, a multipartite scheme to build such a curve, relying on a zero-knowledge isogeny proof built from pushforward diagrams.
In [20], L. de Feo, A. Leroux, P. Longa and B. Wesolowski improve the SQISign signature scheme by developing a new algorithm for the Deuring correspondence using endomorphisms to refresh the intermediate torsion.
A completely unexpected direction in isogeny-based cryptography was the spectacular breaking of SIDH [47] using isogenies in dimension 2. This attack was originally heuristic and applied only to a very special starting curve, but was soon extended by L. Maino, C. Martindale, L. Panny, G. Pope and B. Wesolowski in [22] to a subexponential heuristic attack on all curves, and then in [24] by D. Robert to a proven polynomial-time attack in all cases by moving to dimensions 4 and 8.
Moving to higher dimension allows considerable flexibility in manipulating isogenies, thanks to the following embedding lemma proved in [24] using earlier work by Zarhin [50] and Kani [49]: for every $N' \geqslant N$, an $N$-isogeny $f$ in dimension $g$ can be embedded into an $N'$-isogeny $F$ in dimension $8g$ (and sometimes $4g$ or $2g$).
This powerful tool soon led the way to new algorithms. In [43], D. Robert proves that every isogeny admits an efficient representation, which allows for evaluation in polynomial time (in the logarithm of its degree). And in [44], he proves that the endomorphism ring of an ordinary elliptic curve can be computed in polynomial time given the factorisation of its conductor, and that canonical lifts of ordinary elliptic curves can be computed in polynomial time (among other results). Such powerful results were completely unexpected (the previous best algorithms being subexponential time). This led to a new point counting algorithm for elliptic curves $E/{\mathbb{F}}_{{p}^{n}}$, in $\tilde{O}(n^{2}\log^{8}p + n\log^{11}p)$.
These new algorithms in turn led to new cryptosystems, using higher dimensional cryptography as a fundamental block. In [38], P. Dartois, A. Leroux, D. Robert and B. Wesolowski present the SQISignHD protocol, which has a much cleaner security proof than SQISign, even more compact signatures, and much faster signing times. The verification uses a ${2}^{n}$-isogeny in dimension 4; such high degree smooth isogenies had never been computed until now.
With the rise of higher dimensional cryptography, optimising the speed of ${2}^{n}$-isogenies is of paramount importance. The case of dimension 2 is tackled in [39] by P. Dartois, L. Maino, G. Pope and D. Robert, using optimised theta duplication formulas to speed up ${2}^{n}$-isogenies between products of two elliptic curves. Our SageMath implementation gains a factor 10 compared to using Richelot isogenies, and our low level Rust implementation a factor of up to 40. In [17], T. Decru and S. Kunzweiler give faster formulas for ${3}^{n}$-isogenies in dimension two on the Jacobian model. The general case, by D. Lubicz and D. Robert, of an arbitrary isogeny in any dimension has been published in [21].
In [29], S. Arpin, C. James, P. Dartois, J. Eriksen, K. Jonathan, P. Kutas, and B. Wesolowski prove that computing an orientation reduces in subexponential time to the equivalent decision problem.
In [42], A. Page and B. Wesolowski prove another algorithmic reduction, showing that being able to find a single endomorphism of an arbitrary supersingular elliptic curve is no easier than being able to find the entire endomorphism ring. As applications, they prove the collision-resistance of the CGL hash function and the soundness of the SQIsign identification scheme, under the standard assumption of hardness of the endomorphism ring problem.
In [19], L. de Feo, B. Fouotsa, P. Kutas, A. Leroux, S. Merz, L. Panny, and B. Wesolowski introduce SCALLOP, a new commutative group action isogeny scheme using orientations of supersingular elliptic curves. The idea is to build up an orientation by a quadratic order of large prime conductor to speed up computing the class group relations.
In [41], A. Page and D. Robert introduce Clapoti(s), a new algorithm to compute the class group action on an oriented elliptic curve in polynomial time. This solves a long-standing problem in isogeny-based cryptography: all existing algorithms were asymptotically subexponential.
8.5 Pairings
Participants: Damien Robert.
In 45, D. Robert gives a geometric interpretation of the Tate pairing on abelian varieties. This interpretation shows that the Tate pairing can be used to probe the Galois structure of an isogenous abelian variety, generalising some ad hoc constructions in the literature. It also settles a conjecture by Castryck and Decru on multiradical isogenies.
In 40, J. Gasnier and A. Guillevic revisit the generation of pairing-friendly curves from an algebraic point of view.
8.6 Lattice-based cryptography
Participants: Guilhem Mureau, Alice Pellet-Mary, Wessel van Woerden.
In June 2023, NIST started an additional post-quantum signature standardization process. The objective of this new call is to standardize one or more post-quantum signature schemes different from the ones standardized so far. J. Bos, O. Bronchain, L. Ducas, S. Fehr, Y. Huang, T. Pornin, E. Postlethwaite, T. Prest, L. Pulles, and W. van Woerden submitted the Hawk signature scheme to this process; it is based on the article 48 by L. Ducas, E. Postlethwaite, T. Prest, L. Pulles, and W. van Woerden.
The security of most lattice-based cryptographic schemes relies on the hardness of computing short vectors in lattices. Very often, the lattices in question have additional structure, which makes the schemes built on them more efficient. An important question is then how hard the problem of finding short vectors becomes in these structured lattices.
A very common way to add structure to a lattice is to consider module lattices, that is, lattices that are also ${\mathcal{O}}_{K}$-modules in some ${K}^{m}$, where $K$ is a number field and ${\mathcal{O}}_{K}$ is its ring of integers. Some of these modules are free, meaning that they possess an ${\mathcal{O}}_{K}$-basis, but most of them are not: they are finitely generated, but no generating set can be reduced to a basis. In 23, G. De Micheli, D. Micciancio, A. Pellet-Mary and N. Tran showed that computing a short vector in free modules is as hard as computing a short vector in any module: if there is a polynomial-time algorithm computing short vectors when given any free module as input, then there is a polynomial-time algorithm computing short vectors when given any module (not necessarily free) as input.
A special case of module lattices are ideal lattices, which are modules of rank $m=1$ (they live in $K$ itself). In 18, J. Felderhoff, A. Pellet-Mary, D. Stehlé, and B. Wesolowski proved a quantum reduction from finding short vectors in all ideals of a number field $K$ to finding short vectors in random prime ideals of small algebraic norm in the same field $K$. In other words, if finding short vectors in ideal lattices of $K$ is quantumly hard in the worst case (i.e., no quantum algorithm solves this problem efficiently on all inputs), then finding a short vector in a uniformly chosen prime ideal of small algebraic norm is also hard.
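As an added illustration (not taken from the report) of a finitely generated module that has no basis, take $K=\mathbb{Q}(\sqrt{-5})$, so that ${\mathcal{O}}_{K}=\mathbb{Z}[\sqrt{-5}]$, and the rank-1 module (an ideal)
$$\mathfrak{p} \;=\; (2,\;1+\sqrt{-5}) \;=\; 2{\mathcal{O}}_{K} + (1+\sqrt{-5})\,{\mathcal{O}}_{K} \;\subset\; K.$$
It is generated by two elements, and $\mathfrak{p}^{2}=(2)$ (the products $4$, $2+2\sqrt{-5}$ and $-4+2\sqrt{-5}$ all lie in $2{\mathcal{O}}_{K}$ and generate $2$), so $N(\mathfrak{p})=2$. A single generator $\alpha=a+b\sqrt{-5}$ would need $N(\alpha)=a^{2}+5b^{2}=2$, which has no integer solution, so $\mathfrak{p}$ is not principal: it has no ${\mathcal{O}}_{K}$-basis and is a non-free module of rank $m=1$. Viewed as a plain lattice, however, it is free over $\mathbb{Z}$ with basis $\{2,\,1+\sqrt{-5}\}$, of rank $m\,[K:\mathbb{Q}]=2$; the short-vector problems in the reductions above are posed in this $\mathbb{Z}$-lattice, while the ${\mathcal{O}}_{K}$-module structure is what the free/non-free distinction refers to.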
8.7 Coding theory
Participants: Xavier Caruso, Jean-Marc Couveignes, Fabrice Drain, Amaury Durand, Jean Gasnier.
X. Caruso continued his work on the development of coding theory in the sum-rank metric. With A. Durand 9, he described the duals of Martínez-Peñas' linearized Reed–Solomon codes. In collaboration with Elena Berardini 31, he introduced a linearized version of algebraic geometry codes and studied their parameters; in particular, they showed that the codes they introduced beat the (sum-rank analogue of the) Gilbert–Varshamov bound.
In 33, X. Caruso and F. Drain obtained a complete classification of self-dual skew cyclic and skew negacyclic codes. They also provided efficient algorithms for sampling and enumerating them.
Effective geometry of curves and applications
In 37, J.-M. Couveignes and J. Gasnier study the effective aspects of group actions on algebraic curves, and more precisely the $K[G]$-structure of the linear spaces associated to equivariant divisors. They find simple criteria for such a space of sections to be a free $K[G]$-module; when $G$ is abelian, freeness holds under mild conditions. This results in a much more compact representation of these spaces and more efficient ways of computing them. Over finite fields, abelian covers with large Galois groups are classified by geometric class field theory. The algorithms and existence results presented in this work provide efficient decompositions of the multiplication tensor in finite field extensions, and also good geometric codes that can be encoded and decoded efficiently. In particular, excellent codes are constructed that can be encoded in quasi-linear time and decoded in quasi-quadratic time.
8.8 Analysis
Participants: Anne-Edgar Wilke.
In 46, A.-E. Wilke makes the analogy between convexity and plurisubharmonicity in Banach spaces more precise.
8.9 Effective analysis and certified arithmetic
Participants: Fredrik Johansson.
In 11, F. Johansson presents improved algorithms for arbitrary-precision computation of the gamma function and related classical special functions.
9 Partnerships and cooperations
9.1 International research visitors
9.1.1 Visits of international scientists
Other international visits to the team
 Wouter Castryck, from KU Leuven (Belgium), visited the team for 2 weeks in January 2023.
The following international researchers have given a presentation in the Canari team seminar:
 Wouter Castryck (KU Leuven, Belgium)
 Donghyeok Lim (Yonsei University, Korea)
 Maxime Bombar (CWI)
 Stefano Marseglia (Utrecht University)
 Lorenzo Furio (Università di Pisa)
 Monika Trimoska (Eindhoven University of Technology)
 Yining Hu (Harbin Institute of Technology)
 Marc Houben (Leiden University)
9.2 National initiatives

PEPR Technologies Quantiques
Integrated project PQTLS: Postquantum padlock for web browser
with Inria teams Grace, Cosmiq, Prosecco; the Universities of Bordeaux, Rennes, Limoges, Versailles–St. Quentin, Rouen, St. Étienne; ENS Lyon; and CEA
2022–2027, total budget 4180k€, of which 456k€ for Bordeaux

PEPR Cybersécurité
Integrated project CRYPTANALYSE: Cryptanalysis of classical cryptographic primitives
with Inria teams Caramba, Cosmiq, Universities of Rennes, Amiens, Sorbonne, and CNRS
2023–2028, total budget 5000k€, of which about 90k€ for Bordeaux

HQI project (HPCQuantum Initiative, France 2030)
France Hybrid HPC Quantum Initiative, R&D and support
17 partners in France; we will mainly work with LIP6 and ENS de Lyon
2021–2027, 165k€ for Bordeaux

ANR AGDE
Arithmetic and geometry of discrete groups
with Toulouse, Paris
2021–2025, 45k€ for Bordeaux

ANR Ciao
Isogeny based cryptosystems, applications to verifiable delay functions and postquantum cryptography (PI D. Robert)
with Paris, Montpellier
2019–2024, 150k€ for Bordeaux

ANR/NSF Charm
Cryptographic hardness of module lattices
with Florida Atlantic, Cornell, ENS Lyon
2021–2024, 205k€ for Bordeaux

ANR NuSCAP
Numerical safety for computeraided proofs
with Lyon, Nantes, Paris, SophiaAntipolis, Toulouse
2021–2025

ANR PadLEfAn
$p$-adic properties of $L$-functions: effective and analytic aspects
with Besançon, Caen
2022–2026

ANR Sangria
Secure distributed computation: cryptography, combinatorics and computer algebra
with Paris and région Occitanie
2021–2025

ANR TOTORO
Towards new assumptions in lattice-based cryptography (PI A. Pellet-Mary)
with Toulouse and Telecom Paris
2023–2027, 186k€

ANR ClapClap
$p$-adic Langlands correspondence: a constructive and algorithmic approach (Correspondance de Langlands $p$-adique: une approche constructive et algorithmique; PI X. Caruso)
with ENS Lyon, Paris Rive Gauche, Rennes
2019–2023, 198 k€

ANR Flair
Families of $L$-functions: analysis, interactions, effective results (Familles de fonctions $L$: analyse, interactions, résultats effectifs)
with Besançon
2017–2021
10 Dissemination
Participants: Bill Allombert, Razvan Barbulescu, Karim Belabas, Xavier Caruso, Guilhem Castagnos, Andreas Enge, Jean-Marc Couveignes, Fredrik Johansson, Aurel Page, Alice Pellet-Mary, Damien Robert.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
Member of the organizing committees
 B. Allombert was an organiser of the COUNT conference at CIRM (Luminy, France).
10.1.2 Scientific events: selection
Member of the conference program committees
 A. Page
 LMFDB, Computation, and Number Theory – LuCaNT 2023
 A. Pellet-Mary
 Public Key Cryptography – PKC 2023
 Asiacrypt 2023
10.1.3 Journal
Member of the editorial boards
 K. Belabas is an editor of Archiv der Mathematik since 2006.
 X. Caruso is an editor and one of the founders of the journal Annales Henri Lebesgue.
 X. Caruso is member of the scientific board for the Journal de Théorie des Nombres de Bordeaux since 2022.
 J.-M. Couveignes is an editor of the Publications mathématiques de Besançon since 2019.
 J.-M. Couveignes was an editor of the Journal de théorie des nombres de Bordeaux from 2019 to 2023.
 A. Enge is an editor of Designs, Codes and Cryptography since 2004.
 A. Page is an associate editor of the LMFDB since 2022.
10.1.4 Invited talks
 J.-M. Couveignes
 The algebraic complexity of multiplication in finite field extensions, plenary talk, Explicit methods in automorphic forms and arithmetic geometry (Dublin, 2023).
 F. Johansson
 Computing special functions using integral representations, at Recent Trends in Computer Algebra (Lyon, 2023).
 The practical complexity of arbitraryprecision functions, at Recent Trends in Computer Algebra (Paris, 2023).
 A. Page
 Pari/GP, playing the Lfunctions game of number theorists at the workshop Recent Trends in Computer Algebra (Lyon, 2023).
 D. Robert
 Arithmetic and pairings on Kummer lines, Leuven isogeny days 4 (Leuven, October 2023).
 Efficient representation of isogenies, EWHA-KMS International Workshop on Cryptography (Korea, July 2023).
 Applications of isogenies between abelian varieties to elliptic curves, Arithmétique en Plat Pays (Leuven, March 2023) and VaNTAGe Seminar (Online, December 2022).
 A. Pellet-Mary
 Lattices in cryptography: cryptanalysis, constructions and reductions. Journées Code et Cryptographie 2023 (Najac, October 2023).
10.1.5 Research administration
 K. Belabas is Vice président en charge du numérique (vicepresident in charge of digital strategy and policies) at the University of Bordeaux since March 2022.
 K. Belabas was member of the scientific board of the Société Mathématique de France from 2017 to 2023.
 X. Caruso is vice-head of the Institut de Mathématiques de Bordeaux, in charge of the IT department.
 X. Caruso was a member of the Comité National des Universités from 2020 to 2023.
 J.-M. Couveignes is Chargé de mission pour la sécurité numérique (officer in charge of digital security) at the University of Bordeaux.
 D. Robert is Chargé de mission Développement logiciel (officer in charge of software development) at the Institut de Mathématiques de Bordeaux since 2018.
 A. Page and A. Enge are members of the Conseil d'Administration of the Société Arithmétique de Bordeaux, which publishes the Journal de Théorie des Nombres de Bordeaux and provides financial support for the organisation of number theory events.
 A. Enge is an elected member of the CAP chercheurs at Inria since 2023.
 G. Castagnos was responsible for the bachelor programme in mathematics and informatics of the University of Bordeaux from 2018 to 2023.
10.2 Teaching  Supervision  Juries
 K. Belabas
 64h course on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
 35h course on quantum algorithms, Master 2, University of Bordeaux
 X. Caruso
 35h course on quantum computing, Master 2, University of Bordeaux
 mini-course on $p$-adic random polynomials at the 12th Swiss-French Workshop in Algebraic Geometry (Charmey, 2023)
 G. Castagnos and D. Robert
 60h course on elliptic curve cryptography, Master 2, University of Bordeaux
 G. Castagnos
 60h course on cryptanalysis, 30h on advanced cryptography, Master 2, University of Bordeaux
 24h course on arithmetic and cryptography, Bachelor, University of Bordeaux
 J.-M. Couveignes
 25h course on algorithmic arithmetic, Master, University of Bordeaux
 160h course at CPBX (undergraduate programme for engineering students)
 A. Page
 27h exercise sessions on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
10.2.1 Supervision
 PhD: Élie Bouscatié, Conception d'algorithmes de chiffrement cherchable (design of searchable encryption algorithms), defended December 2023, supervised by G. Castagnos.
 PhD in progress: AnneEdgar Wilke, Enumerating integral orbits of prehomogeneous representations, since September 2019, supervised by K. Belabas.
 PhD in progress: Agathe Beaugrand, Conception de systèmes cryptographiques utilisant des groupes de classes de corps quadratiques (design of cryptographic systems using class groups of quadratic fields), since September 2021, supervised by Guilhem Castagnos and Fabien Laguillaumie.
 PhD in progress: Fabrice Étienne, Techniques d'induction pour l'algorithmique des représentations galoisiennes (induction techniques for algorithms on Galois representations), since September 2022, supervised by Aurel Page.
 PhD in progress: Nicolas Sarkis, Recherche de courbes planes de genre 2 adaptée à la factorisation des entiers (search for plane genus 2 curves suited to integer factorisation), since September 2022, supervised by Razvan Barbulescu and Damien Robert.
 PhD in progress: Pierrick Dartois, Improvement and security analysis of isogeny-based cryptographic schemes, since September 2022, supervised by Damien Robert and Benjamin Wesolowski.
 PhD in progress: Jean Gasnier, Algorithmique des isogénies et applications (isogeny algorithms and applications), since October 2022, supervised by Jean-Marc Couveignes.
 PhD in progress: Raphaël Pagès, Factorization of differential operators in positive characteristic, since September 2020, supervised by Alin Bostan and Xavier Caruso.
 PhD in progress: Fabrice Drain, Codes for the sum-rank metric, since September 2023, supervised by Elena Berardini and Xavier Caruso.
 PhD in progress: Guilhem Mureau, Isomorphism of algebraic lattices, since September 2023, supervised by Alice Pellet-Mary and Renaud Coulangeon.
10.2.2 Juries
 D. Robert
 Sulamithe Tsakou, Université de Picardie Jules Verne, 2023: Algebraic cryptanalysis of hyperelliptic curves based cryptosystems (report)
 B. Allombert
 Valentin Petit, Université de Franche-Comté, 2023: Points spéciaux et modularité des courbes elliptiques définies sur $\mathbb{Q}$ et ${\mathbb{F}}_{q}(T)$ (special points and modularity of elliptic curves defined over $\mathbb{Q}$ and ${\mathbb{F}}_{q}(T)$) (committee)
 G. Castagnos
 Chloé Gravouil, Université Rennes 1, 2023: Boolean Fault-Resistant Masking and White-Boxability of Lightweight Cryptography (report)
 Anaïs Barthoulot, Université de Limoges, 2023: Advanced Encryption for the Sharing of Sensitive Data (report)
 J.-M. Couveignes
 Béranger Séguin, Université de Lille, 2023: Geometry and Arithmetic of Components of Hurwitz Spaces (report)
 Eddy Brandon, Université de Dijon, 2023: Computational Approach to the Schottky Problem (committee)
10.3 Popularization
10.3.1 Internal or external Inria responsibilities
 R. Barbulescu organises each year the Alkindi contest and the TFJM² (Tournoi des Jeunes Mathématiciennes et Mathématiciens, a tournament for young mathematicians).
 X. Caruso was in charge of dissemination at the Institut de Mathématiques de Bordeaux until 2023; he was then replaced by R. Barbulescu.
10.3.2 Education
 A. Pellet-Mary lectured at two CIMPA schools on post-quantum cryptography (in Rabat in October and in Pondicherry in December).
 A. Page gave a talk about cryptography for high school teachers during the IREM conference in Bordeaux in 2023.
10.3.3 Interventions
 X. Caruso and A. Pellet-Mary moderated a workshop at the event Les échappées inattendues (organised by the local CNRS delegation).
 X. Caruso created an art exhibition on mathematics.
 X. Caruso gave a general audience talk and hosted a Rencontre à l'heure du thé (tea-time meeting) at the Maison Poincaré in Paris.
 X. Caruso coordinated a Regard de géomètre workshop (five sessions in a high school) and gave a talk at the final conference of this programme.
 A. Pellet-Mary ran a workshop during the week moi informaticienne moi mathématicienne for female high school students.
 A. Page gave general audience talks about cryptography during the Fête de la Science (4 groups of high school students).
11 Scientific production
11.1 Major publications
 1 Can we dream of a 1-adic Langlands correspondence? In: Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, pp. 537–560.
 2 Computational Number Theory, Past, Present, and Future. In: Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, pp. 561–578.
 3 D. Robert. Breaking SIDH in polynomial time. In: Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Springer Nature Switzerland, March 2023, pp. 472–503.
11.2 Publications of the year
International journals
 4 Drinfeld modules in SageMath. ACM Communications in Computer Algebra 57(2), June 2023, pp. 65–71.
 5 Special values of ray class partial zeta functions. International Journal of Number Theory 19(03), April 2023, pp. 481–493.
 6 A note on the low order assumption in class groups of imaginary quadratic number fields. Mathematical Cryptology 3(1), 2023, pp. 44–51.
 7 I want to ride my BICYCL: BICYCL Implements CryptographY in CLass groups. Journal of Cryptology 36(3), July 2023, article 17.
 8 Combinatorics of Serre weights in the potentially Barsotti–Tate setting. Moscow Journal of Combinatorics and Number Theory 12(1), 2023, pp. 1–56.
 9 Duals of linearized Reed–Solomon codes. Designs, Codes and Cryptography 91(1), 2023, pp. 241–271.
 10 Bandwidth-efficient threshold ECDSA revisited: Online/Offline Extensions, Identifiable Aborts, Proactive and Adaptive Security. Theoretical Computer Science 939, 2023, pp. 78–104.
 11 Arbitrary-precision computation of the gamma function. Maple Transactions 3(1), February 2023.
 12 The CM class number one problem for curves of genus 2. Research in Number Theory 9(1), March 2023, article 15.
 13 Computing minimal Weierstrass equations of hyperelliptic curves. Research in Number Theory 9(4), October 2023, article 76.
International peerreviewed conferences
 14 The special case of cyclotomic fields in quantum algorithms for unit groups. In: Progress in Cryptology – AFRICACRYPT 2023, Lecture Notes in Computer Science 14064, Sousse, Tunisia, Springer, July 2023, p. 229.
 15 Supersingular Curves You Can Trust. In: Eurocrypt 2023, Lyon, France, April 2023.
 16 Pattern Matching in Encrypted Stream from Inner Product Encryption. In: Public-Key Cryptography – PKC 2023 (26th IACR International Conference on Practice and Theory of Public-Key Cryptography), Lecture Notes in Computer Science 13940, Atlanta (Georgia), United States, Springer Nature Switzerland, May 2023, pp. 774–801.
 17 Efficient Computation of $({3}^{n},{3}^{n})$-Isogenies. In: AfricaCrypt 2023, Lecture Notes in Computer Science 14064, Sousse, Tunisia, July 2023, pp. 53–78.
 18 Ideal-SVP is Hard for Small-Norm Uniform Prime Ideals. In: Theory of Cryptography – TCC 2023, Lecture Notes in Computer Science 14372, Taipei, Taiwan, Springer Nature Switzerland, November 2023, pp. 63–92.
 19 SCALLOP: scaling the CSI-FiSh. In: PKC 2023, Lecture Notes in Computer Science 13940, Atlanta, United States, Springer Nature Switzerland, May 2023, pp. 345–375.
 20 New algorithms for the Deuring correspondence: Towards practical and secure SQISign signatures. In: Eurocrypt 2023, Lyon, France, April 2023.
 21 Fast change of level and applications to isogenies. Research in Number Theory 9(1), 2023, article 7 (ANTS 2022 – Fifteenth Algorithmic Number Theory Symposium, Bristol, United Kingdom).
 22 A Direct Key Recovery Attack on SIDH. In: Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, April 2023, pp. 448–471.
 23 Reductions from Module Lattices to Free Module Lattices, and Application to Dequantizing Module-LLL. In: Advances in Cryptology – CRYPTO 2023, Lecture Notes in Computer Science 14085, Santa Barbara, United States, Springer Nature Switzerland, August 2023, pp. 836–865.
 24 Breaking SIDH in polynomial time. In: Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, March 2023, pp. 472–503.
Scientific book chapters
 25 Can we dream of a 1-adic Langlands correspondence? In: Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, pp. 537–560.
 26 Computational Number Theory, Past, Present, and Future. In: Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, pp. 561–578.
Reports & preprints
 27 A sharper multivariate Christol's theorem with applications to diagonals and Hadamard products. Preprint, June 2023.
 28 Cyclic cubic number fields with harmonically balanced capitulation. Preprint, December 2023.
 29 Finding Orientations of Supersingular Elliptic Curves and Quaternion Orders. Preprint, 2023.
 30 ECM And The Elliott–Halberstam Conjecture For Quadratic Fields. Preprint, January 2023.
 31 Algebraic Geometry codes in the sum-rank metric. Preprint, March 2023.
 32 Algebraic solutions of linear differential equations: an arithmetic approach. Preprint, April 2023.
 33 Self-dual skew cyclic codes. Preprint, June 2023.
 34 Algorithms for computing norms and characteristic polynomials on general Drinfeld modules. Preprint, December 2023.
 35 Parametric Continued Fractions for ${}^{2}$, $(3)$, and other Constants. Preprint, April 2023.
 36 The equivariant complexity of multiplication in finite field extensions. Preprint, January 2023.
 37 Explicit Riemann–Roch spaces in the Hilbert class field. Preprint, September 2023.
 38 SQISignHD: New Dimensions in Cryptography. Preprint, March 2023.
 39 An Algorithmic Approach to (2,2)-isogenies in the Theta Model and Applications to Isogeny-based Cryptography. Preprint, November 2023.
 40 An Algebraic Point of View on the Generation of Pairing-Friendly Curves. Preprint, September 2023.
 41 Introducing Clapoti(s): Evaluating the isogeny class group action in polynomial time. Preprint, November 2023.
 42 The supersingular Endomorphism Ring and One Endomorphism problems are equivalent. Preprint, October 2023.
 43 Evaluating isogenies in polylogarithmic time. Preprint, 2023.
 44 Some applications of higher dimensional isogenies to elliptic curves (overview of results). Preprint, 2023.
 45 The geometric interpretation of the Tate pairing and its applications. Preprint, November 2023.
 46 Convexity, plurisubharmonicity and the strong maximum modulus principle in Banach spaces. Preprint, September 2023.
11.3 Cited publications
 47 An efficient key recovery attack on SIDH. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2023, pp. 423–447.
 48 Hawk: Module LIP makes lattice signatures fast, compact and simple. In: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2022, pp. 65–94.
 49 The number of curves of genus two with elliptic differentials. Journal für die reine und angewandte Mathematik 485, 1997, pp. 93–122.
 50 A remark on endomorphisms of abelian varieties over function fields of finite characteristic. Mathematics of the USSR-Izvestiya 8(3), 1974, p. 477.