2023 Activity report - Project-Team CANARI
RNSR: 202324429H
- Research center: Inria Centre at the University of Bordeaux
- In partnership with: CNRS, Université de Bordeaux
- Team name: Cryptography ANalysis and ARIthmetic
- In collaboration with: Institut de Mathématiques de Bordeaux (IMB)
- Domain: Algorithmics, Programming, Software and Architecture
- Theme: Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
- A4.3.1. Public key cryptography
- A4.3.3. Cryptographic protocols
- A4.3.4. Quantum Cryptography
- A8.5. Number theory
- A8.10. Computer arithmetic
Other Research Topics and Application Domains
- B9.5.1. Computer science
- B9.5.2. Mathematics
- B9.8. Reproducibility
- B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
- Damien Olivier Robert [Team leader, INRIA, Senior Researcher, from Oct 2023, HDR]
- Razvan Barbulescu [CNRS, Researcher, from Jul 2023]
- Xavier Caruso [CNRS, Senior Researcher, from Jul 2023, HDR]
- Andreas Enge [INRIA, Senior Researcher, from Jul 2023, HDR]
- Fredrik Johansson [INRIA, Researcher, from Jul 2023]
- Aurel Page [INRIA, Researcher, from Jul 2023]
- Alice Pellet Mary [CNRS, Researcher, from Jul 2023]
Faculty Members
- Karim Belabas [UNIV BORDEAUX, Professor, from Jul 2023, HDR]
- Guilhem Castagnos [UNIV BORDEAUX, Associate Professor, from Jul 2023, HDR]
- Henri Cohen [UNIV BORDEAUX, Emeritus, from Jul 2023]
- Jean-Marc Couveignes [UNIV BORDEAUX, Professor, from Jul 2023, HDR]
- Qing Liu [UNIV BORDEAUX, Associate Professor Delegation, from Sep 2023]
Post-Doctoral Fellows
- Sabrina Kunzweiler [INRIA, Post-Doctoral Fellow, from Jul 2023]
- Wessel Van Woerden [UNIV BORDEAUX, Post-Doctoral Fellow, from Jul 2023]
PhD Students
- Agathe Beaugrand [UNIV BORDEAUX, from Jul 2023]
- Elie Bouscatie [ORANGE, CIFRE, from Jul 2023 until Nov 2023]
- Pierrick Dartois [IMT, from Jul 2023]
- Fabrice Etienne [UNIV BORDEAUX, from Jul 2023]
- Jean Gasnier [UNIV BORDEAUX, from Jul 2023]
- Guilhem Mureau [INRIA, from Sep 2023]
- Nicolas Sarkis [UNIV BORDEAUX, from Jul 2023]
- Anne-Edgar Wilke [UNIV BORDEAUX, ATER, from Jul 2023]
Technical Staff
- Bill Allombert [CNRS, Engineer, from Jul 2023]
Administrative Assistant
- Joelle Rodrigues [INRIA]
External Collaborators
- Luca De Feo [IBM RESEARCH EUROPE, from Jul 2023, HDR]
- Benjamin Wesolowski [CNRS, from Jul 2023]
2 Overall objectives
The primary goals of the Canari project are, firstly, to design algorithmic solutions to manipulate the objects involved in the Langlands programme, secondly to develop algorithmic tools to handle the necessary arithmetic and analysis (real, complex and
The Langlands programme postulates deep relationships between objects of three apparently unrelated worlds: the automorphic world, the world of Galois representations, and the motivic world.
The automorphic world belongs to the realm of analysis and infinite-dimensional vector spaces: its main citizens are automorphic forms, which are certain smooth functions satisfying nice differential equations. The number-theoretic content comes from the domains of these functions: they are defined on so-called arithmetic manifolds, of which many classical objects are special cases: modular curves, moduli spaces of abelian varieties, the space of Euclidean lattices of a given dimension, Arakelov class groups, etc.
The world of Galois representations is about symmetry and algebra. The main citizen is the group of all symmetries of the field of all algebraic numbers, the absolute Galois group
The motivic world is about geometry. Its main citizens are algebraic varieties, that is, sets of solutions of polynomial equations, and their associated cohomologies. Important examples are algebraic curves and abelian varieties. One can classify varieties by discrete, or cohomological, invariants such as dimension and genus (integers). On some families of algebraic varieties, after fixing these discrete invariants, the family is classified by a continuous space which is itself an algebraic variety called a moduli space. Moduli spaces of curves and abelian varieties play a key role in number theory and in cryptography.
These worlds are tied together via the central notion of
A strong focus of the team is on making our algorithms available through open source software, notably Pari/GP, Flint (Arb, Calcium) and Mpc.
3 Research program
The team is organised around three axes. The goal of the first axis is to give a systematic computational treatment of objects from the Langlands programme, and to investigate the algorithmic insight that can be gained by approaching problems in computational number theory from the Langlands programme point of view.
These algorithms will be of two kinds: exact, or of analytic, approximated nature (
3.1 Algorithms for higher dimensional number theory
The goal of this axis is to design and implement efficient algorithms to enumerate, construct, represent, and compute with the fundamental objects of the Langlands programme and to explore their interactions. This will provide versatile tools for mathematicians to progress on difficult problems by directly manipulating intricate objects, and a collection of new problems and algorithms for cryptographers to use for the design of next-generation cryptographic primitives. Since many of these objects have a strong analytic flavour, the methods from our effective analysis axis will be vital.
The main topics of this theme will be:
- Automorphic forms: compute spaces of automorphic forms (Siegel and Hilbert modular forms, ...).
- Galois representations: compute Artin representations using tools from representation theory, Iwasawa theory and p-adic Hodge theory.
- Varieties: abelian varieties, curves of higher genus, Shimura varieties and moduli spaces, hypergeometric motives.
- Bridges from the Langlands programme.
3.2 Effective analysis
The goal of this axis is to develop algorithms for efficient and reliable arithmetics in various fields (real, complex,
There is a wealth of research questions to address to guarantee convergence, optimal complexities and efficiency at different precisions, as well as the exactness of the results.
The main topics of this theme will be:
- Real and complex analysis: rigorous algorithms for evaluating holonomic functions. For analytic operations like limits, differentiation, summation and integration, develop algorithms with guaranteed accuracy that can handle functions with singularities or pathological behaviour like strong oscillation.
- Symbolic-numeric representations: reduce the cost of computing with algebraic numbers of large degree or height, compute with mixed algebraic and purely transcendental fields.
- p-adic analysis: optimise p-adic linear algebra and p-adic commutative algebra (including Gröbner bases) with respect to precision loss and instabilities.
3.3 Next generation and post-quantum cryptography
While the objects mentioned in Axis 1 may appear excessively abstract, when suitably instantiated they become basic building blocks for next generation cryptosystems. First, these algebraic objects make it possible to construct quantum-resistant public key cryptosystems, which may become indispensable to secure communications in a future where large-scale quantum computers have become a reality. Second, the richness of these objects enables the construction of cryptographic schemes with advanced properties, such as homomorphic encryption, decentralised cryptography, secure multiparty computation and verifiable delay functions. The cryptosystems that will be studied in the team are related to (generalisations of) ideals and class groups in number fields: algebraic lattices, actions of class groups of orders in number fields and actions of groupoids constructed from quaternion algebras. Building and analysing these cryptosystems requires a deep understanding of the mathematical structures underlying them, which cannot simply be treated as black boxes.
The main topics of this theme will be:
- Isogenies: new cryptographic protocols from higher dimensional isogenies.
- Lattices: investigate the hardness of finding short vectors in algebraically structured lattices.
- Pairings and discrete logarithms, quantum algorithms to compute unit and class groups.
- Orders of number fields: algorithms for computing with orders in number fields, as well as regulators and class groups. These algorithms can be used to construct groups of unknown order, which find applications in advanced cryptographic primitives, for instance in the area of homomorphic encryption or threshold cryptography.
- Verifiable delay functions.
4 Application domains
Our main existing and future impact is through our software, notably Pari/GP, Flint (Arb, Calcium) and Mpc, which are world leaders in their respective domains. Pari/GP is the leading package used in number theory, and is integrated into wider platforms like SageMath. Flint focuses on lower level building blocks for number theory, like polynomial arithmetic, interval arithmetic (Arb) and symbolic computations (Calcium). Mpc, with its guarantees of correct rounding for basic complex arithmetic operations, operates on a lower level and thus has a larger scope. It serves as a reference for the GNU C library and is installed alongside GCC on each computer requiring the GNU Compiler Collection. The interval arithmetic of Arb provides a more flexible use case than Mpc, and hence has the widest range of potential applications, far beyond the needs of algorithmic number theory. It is already used in Mathematica and Maple, and a goal of the team will be to extend its reach even further.
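The following Python toy, added here as an illustration and not part of the report nor of the Arb or Mpc code bases, shows the principle behind the ball arithmetic of Arb in double precision: each operation rounds the midpoint as the hardware does and then enlarges the radius by a rigorous bound on the rounding error, so the enclosure of the exact result is never silently lost. It is exercised on two constructed inputs, a partial sum of the series of 1/k² checked exactly against a rational computation, and a catastrophic cancellation that plain floating point gets wrong without any warning. The names Ball, basel_partial_sum and cancellation_demo are this example's own.

```python
"""Midpoint-radius ("ball") arithmetic in double precision.

Added example, not code from the CANARI report or from Arb, FLINT or Mpc: a
toy Python version of the principle behind Arb's ball arithmetic, with
hardware doubles instead of arbitrary precision.  A value is a ball
(mid, rad) guaranteed to contain the exact result: the midpoint is rounded
to nearest as usual, and the radius is grown by a rigorous bound on that
rounding error (one ulp of the midpoint) plus the propagated input radii,
every radius operation itself being rounded upward.  Inputs are constructed.
"""
import math
from fractions import Fraction

def up(x):
    """Next double above x: radius arithmetic only ever rounds outward."""
    return math.nextafter(x, math.inf)

def down(x):
    """Next double below x, for denominators that must not be overestimated."""
    return math.nextafter(x, -math.inf)

class Ball:
    __slots__ = ("mid", "rad")

    def __init__(self, mid, rad=0.0):
        self.mid, self.rad = float(mid), float(rad)

    @staticmethod
    def _rounded(mid, rad):
        """Absorb the rounding of mid: |fl(x) - x| <= ulp(fl(x)) for any real x."""
        return Ball(mid, up(rad + math.ulp(mid)))

    def __neg__(self):
        return Ball(-self.mid, self.rad)

    def __add__(self, other):
        return Ball._rounded(self.mid + other.mid, up(self.rad + other.rad))

    def __sub__(self, other):
        return self + (-other)

    def __mul__(self, other):
        # (m1 +/- r1)(m2 +/- r2) lies within m1*m2 +/- (|m1| r2 + |m2| r1 + r1 r2)
        m1, r1, m2, r2 = self.mid, self.rad, other.mid, other.rad
        rad = up(up(up(abs(m1) * r2) + up(abs(m2) * r1)) + up(r1 * r2))
        return Ball._rounded(m1 * m2, rad)

    def recip(self):
        # 1/(m +/- r) when 0 is outside the ball: |1/(m+e) - 1/m| <= r/(|m|(|m|-r))
        m, r = abs(self.mid), self.rad
        den = down(m * down(m - r)) if m > r else 0.0
        if den <= 0.0:
            raise ZeroDivisionError("ball contains zero: reciprocal undefined")
        return Ball._rounded(1.0 / self.mid, up(r / den))

    def __truediv__(self, other):
        return self * other.recip()

    def contains(self, x):
        """Exact test, in rationals, that the real number x lies in the ball."""
        return abs(Fraction(self.mid) - Fraction(x)) <= Fraction(self.rad)

    def __repr__(self):
        return f"[{self.mid!r} +/- {self.rad:.3e}]"

def basel_partial_sum(terms):
    """Sum of 1/k^2 for k = 1..terms, as a ball and as the exact rational."""
    total, exact = Ball(0.0), Fraction(0)
    for k in range(1, terms + 1):
        total = total + Ball(1.0) / (Ball(k) * Ball(k))
        exact += Fraction(1, k * k)
    return total, exact

def cancellation_demo():
    """(1e16 + 1) - 1e16: plain doubles silently return 0.0; the ball's
    midpoint is also 0.0, but its radius still encloses the true value 1."""
    return (Ball(1e16) + Ball(1.0)) - Ball(1e16)

if __name__ == "__main__":
    ball, exact = basel_partial_sum(1000)
    print(ball, "encloses the exact sum:", ball.contains(exact))
    print(cancellation_demo(), "encloses 1:", cancellation_demo().contains(1))
```

Arb does the same with arbitrary-precision midpoints, a low-precision radius and tight error bounds for transcendental functions rather than the crude one-ulp bound used here; the point of the toy is only that the containment property survives every operation, which `contains` verifies with exact rationals.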
The main impact of Axis 1, apart from the cryptographic applications, will be to give new tools to mathematicians to explore the world of the Langlands programme, construct objects explicitly and carry out experimentations, in particular via Pari/GP.
The main impact of Axis 2 will be the improvement of tools to handle precision better (floating point,
Concerning Axis 3, the requirement by governmental agencies to have post-quantum cryptographic solutions means that civil society already needs to pivot towards such solutions. NIST has an ongoing post-quantum cryptography standardisation process. This is an international process, and the Canari team will contribute to the analysis (and improvement) of the security of some of these schemes (notably the isogeny based ones and the ideal lattice based ones).
5 Social and environmental responsibility
5.1 Footprint of research activities
The main footprint of our research activities is:
- The ecological impact of attending international conferences. We have signed the University of Bordeaux ecological charter, which says that we should try to reduce travel and favour the train as much as possible. Some of us also signed a more restrictive commitment to limit ourselves to 20 000 km travelled by plane over a period of two years.
- The impact of our computations. Some of our record computations (largest class polynomials, largest primality proof) require using a large cluster for a long time. To reduce this impact we aim to develop faster algorithms.
5.2 Impact of research results
Another possible impact of Axis 3 will be ecological. Moving blockchains from Proof of Work to Proof of Stake is key to reduce their ecological impact. Verifiable delay functions are a core component of proof of stake, so Axis 3 will play a small role in helping this transition. In the same vein, cryptography based on class groups makes it possible to reduce the bandwidth used for certain multiparty protocols.
6 Highlights of the year
Wessel van Woerden defended his PhD thesis, Lattice Cryptanalysis: from cryptanalysis to new foundations, February 2023, Leiden.
Élie Bouscatié defended his PhD thesis, Chiffrement compatible avec l'analyse de flux, December 2023.
6.1 Major releases
Flint saw a new major release, 3.0, merging Arb and Calcium.
6.2 Awards
The article 24 received the Eurocrypt honorable mention award.
7 New software, platforms, open data
7.1 New software
7.1.1 PARI/GP
- Keyword: Computational number theory
- Functional Description: Pari/Gp is a widely used computer algebra system designed for fast computations in number theory (factorisation, algebraic number theory, elliptic curves, modular forms ...), but it also contains a large number of other useful functions to compute with mathematical entities such as matrices, polynomials, power series, algebraic numbers, etc., and many transcendental functions.
- URL:
- Contact: Aurel Page
- Participants: Bill Allombert, Karim Belabas, Henri Cohen, Andreas Enge, Aurel Page
- Partner: CNRS
7.1.2 FLINT
- Name: Fast Library for Number Theory
- Keywords: Computer algebra, Computational number theory, Arithmetic
- Functional Description: FLINT is a C library for doing number theory. At its core, FLINT provides arithmetic in standard rings such as the integers, rationals, algebraic, real, complex and p-adic numbers, finite fields, and number fields. It also provides polynomials (univariate and multivariate), power series, and matrices. FLINT covers a wide range of functionality: primality testing, integer factorisation, multivariate polynomial GCD and factorisation, FFTs, multimodular reconstruction, special functions, exact and approximate linear algebra, LLL, finite field embeddings, and more.
- URL:
- Contact: Fredrik Johansson
- Partner: Technische Universität Kaiserslautern (UniKL), Germany
7.1.3 GNU MPC
- Keyword: Arithmetic
- Functional Description: Mpc is a C library for the arithmetic of complex numbers with arbitrarily high precision and correct rounding of the result. It is built upon and follows the same principles as Mpfr. The library is written by Andreas Enge, Philippe Théveny and Paul Zimmermann.
- Release Contributions:
  Changes in version 1.3.1, released in December 2022:
  - Bug fix: it is again possible to include mpc.h without including stdio.h.
  Changes in version 1.3.0 ("Ipomoea batatas"), released in December 2022:
  - New function: mpc_agm
  - New rounding modes "away from zero", indicated by the letter "A" and corresponding to MPFR_RNDA on the designated real or imaginary part.
  - New experimental ball arithmetic.
  - New experimental function: mpc_eta_fund
  - Bug fixes:
    - mpc_asin for asin(z) with small |Re(z)| and tiny |Im(z)|
    - mpc_pow_fr: sign of zero part of result when the base has up to sign the same real and imaginary part, and the exponent is an even positive integer
    - mpc_fma: the returned 'int' value was incorrect in some cases (indicating whether the rounded real/imaginary parts were smaller/equal/greater than the exact values), but the computed complex value was correct.
  - Remove the unmaintained Makefile.vc; build files for Visual Studio can be found at https://github.com/BrianGladman/mpc.
- URL:
- Contact: Andreas Enge
- Participants: Andreas Enge, Mickaël Gastineau, Paul Zimmermann, Philippe Théveny
7.1.4 Arb
- Name: Arb
- Keywords: Multiple-Precision, Interval arithmetic, Interval analysis, Computational number theory, Numerical algorithm
- Functional Description: C library for arbitrary-precision ball arithmetic
- URL:
- Contact: Fredrik Johansson
7.1.5 Calcium
- Name: Calcium
- Keywords: Computer algebra, Numerical analysis
- Functional Description: C library for exact computation with real and complex numbers
- Contact: Fredrik Johansson
7.1.6 SQISignHD
- Keyword: Cryptography
- Functional Description: Compact post-quantum signature algorithm using isogenies in higher dimension.
- Contact: Damien Olivier Robert
7.1.7 ThetaIsogenies
- Keyword: Cryptography
- Functional Description: Fast computation of 2^n isogenies in dimension 2.
- URL:
- Contact: Damien Olivier Robert
7.1.8 Kummer Line
- Keyword: Cryptography
- Functional Description: Library for the arithmetic of Kummer lines (arithmetic, isogenies, pairings)
- URL:
- Contact: Damien Olivier Robert
7.1.9 CM
- Keyword: Arithmetic
- Functional Description: The Cm software implements the construction of ring class fields of imaginary quadratic number fields and of elliptic curves with complex multiplication via floating point approximations. It consists of libraries that can be called from within a C program and of executable command line applications.
- Release Contributions: Changes in version 0.4 ("Fitzebohnen"):
  - increase minimal version number for mpfrcx to 0.6.3 and for pari to 2.11
  - add decomposition of the class field into a tower of prime degree extensions
  - add a fastECPP implementation, including a version for MPI
- URL:
- Contact: Andreas Enge
- Participant: Andreas Enge
8 New results
8.1 Higher dimensional number theory
Participants: Karim Belabas, Xavier Caruso, Henri Cohen, Pınar Kılıçer, Aurel Page.
Number fields
In 26, H. Cohen wrote a survey on Computational Number Theory.
In 5, K. Belabas, F. Diaz y Diaz and E. Friedman study special values of narrow ray class partial zeta functions.
In 28, B. Allombert and D. Mayer study capitulation of cubic number fields.
In 35, H. Cohen exhibits parametric continued fractions for some well known number theoretic constants.
The paper 12 by P. Kılıçer and M. Streng, which lists all CM quartic fields with CM class number one, has been published.
The article 14, which gives faster quantum algorithms to compute unit groups of cyclotomic fields has been published in AFRICACRYPT 2023.
Drinfeld modules
Drinfeld modules can be considered as an analogue of elliptic curves when working over a function field over
Deformations of Galois representations
X. Caruso, Agnès David and Ariane Mézard continued their study of the potentially Barsotti–Tate deformation rings of a Galois representation. Using the Breuil–Mézard conjecture, they showed in 8 that the gene entirely determine the special fibre of those deformation rings.
In 25, they investigated the independence of their constructions with respect to the underlying prime number
Algebraic differential equations
Alin Bostan, X .Caruso and Julien Roques wrote a survey 32 on the theory of linear differential equations over number fields and finite fields, focusing on algebraic criteria for the existence of algebraic solutions.
In 27, Boris Adamczewski, Alin Bostan and X. Caruso gave an effective proof of the multivariate version of Christol's theorem about algebraic power series with coefficients in finite fields. This proof allows for sharp effective estimates on the algebraic degree of many functions in positive characteristic, including diagonals of multivariate algebraic power series.
Automorphic forms
In 42, A. Page and B. Wesolowski leverage the theory of automorphic forms (the Jacquet–Langlands correspondence) to prove a powerful equidistribution theorem for graphs of supersingular elliptic curves equipped with extra structure: they introduce a new category-theoretic framework to describe suitable extra structures, prove a generalised Deuring correspondence for these structures (using adélic language), and relate them to structures coming from adélic groups, allowing the use of automorphic tools. The algorithmic and cryptographic consequences are described in Subsection 8.4.
8.2 Algorithms for number theory
Participants: Razvan Barbulescu, Jean-Marc Couveignes.
In 13, Q. Liu gives an algorithm to compute the minimal Weierstrass equation of a hyperelliptic curve over principal ideal domains. This generalises Tate's algorithm from elliptic curves to hyperelliptic curves.
In 30, R. Barbulescu and F. Jouve use the Elliott–Halberstam conjecture to measure how ECM friendly an elliptic curve with complex multiplication is. The ECM method is a probabilistic integer factorisation method using elliptic curves; its probability of success can be improved by selecting suitable elliptic curves, and this paper investigates such ECM friendly curves.
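As an added illustration (not code from the report, from Pari/GP or from the Kummer Line library of Section 7.1.8), the Python below implements stage 1 of ECM with the x-only Montgomery ladder, that is with points represented on the Kummer line of a Montgomery curve, using Suyama's parametrisation for the curves: a factor of n is found as soon as the order of the starting point modulo some prime divisor of n is smooth with respect to the chosen bound, which is exactly what a well chosen (ECM friendly) curve family makes more likely. The composite factored at the end is a constructed test value, and the ladder is sanity-checked against the Curve25519 base point order, a standard fact not taken from the report. Function names are this example's own.

```python
"""ECM stage 1 on a Montgomery curve with x-only (Kummer line) arithmetic.

Added example, not code from the CANARI report, from Pari/GP or from the
Kummer Line library: a plain-Python Lenstra ECM.  Points live on the Kummer
line of B*y^2 = x^3 + A*x^2 + x, i.e. only the projective x-coordinate (X:Z)
is kept, and the Montgomery ladder needs just doubling and differential
addition.  Curves come from Suyama's parametrisation (group order divisible
by 12).  The composite factored in __main__ is a constructed test value.
"""
from math import gcd, isqrt

def primes_up_to(bound):
    """Primes <= bound by a simple sieve."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]

def xdbl(P, a24, n):
    """[2]P on the Kummer line; a24 = (A + 2) / 4 mod n."""
    X, Z = P
    s, d = (X + Z) % n, (X - Z) % n
    ss, dd = s * s % n, d * d % n
    t = (ss - dd) % n                        # t = 4*X*Z
    return ss * dd % n, t * (dd + a24 * t) % n

def xadd(P, Q, diff, n):
    """P + Q on the Kummer line given diff = P - Q (x-coordinates only)."""
    (X1, Z1), (X2, Z2), (X0, Z0) = P, Q, diff
    u = (X1 - Z1) * (X2 + Z2) % n
    v = (X1 + Z1) * (X2 - Z2) % n
    return Z0 * (u + v) ** 2 % n, X0 * (u - v) ** 2 % n

def ladder(k, P, a24, n):
    """[k]P for k >= 1 by the Montgomery ladder: one xdbl and one xadd per
    bit whatever the bit is, the reason Kummer lines suit constant-time code."""
    R0, R1 = P, xdbl(P, a24, n)              # invariant: R1 - R0 = P
    for bit in bin(k)[3:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, P, n), xdbl(R1, a24, n)
        else:
            R0, R1 = xdbl(R0, a24, n), xadd(R0, R1, P, n)
    return R0

def check_ladder_on_curve25519():
    """Sanity check on Curve25519 (A = 486662, base point x = 9 of prime order
    L): [L]P must be the point at infinity (Z = 0) and [L-1]P = -P has x = 9."""
    p = 2**255 - 19
    L = 2**252 + 27742317777372353535851937790883648493
    a24 = (486662 + 2) // 4
    _, Z = ladder(L, (9, 1), a24, p)
    X1, Z1 = ladder(L - 1, (9, 1), a24, p)
    return Z == 0 and X1 * pow(Z1, -1, p) % p == 9

def ecm_stage1(n, bound, sigma):
    """Stage 1 with smoothness bound `bound` on the Suyama curve of parameter
    sigma.  Returns a gcd: 1 means nothing found, n means bad luck on this
    curve, anything else is a proper factor of n."""
    u, v = (sigma * sigma - 5) % n, 4 * sigma % n
    x, z = pow(u, 3, n), pow(v, 3, n)        # starting point (u^3 : v^3)
    den = 16 * x * v % n
    g = gcd(den, n)
    if g != 1:
        return g                             # curve parameters already expose a factor
    a24 = pow(v - u, 3, n) * (3 * u + v) * pow(den, -1, n) % n
    P = (x, z)
    for q in primes_up_to(bound):
        qe = q
        while qe * q <= bound:               # largest prime power below the bound
            qe *= q
        P = ladder(qe, P, a24, n)
        g = gcd(P[1], n)                     # Z = 0 mod p once the order mod p divides the product so far
        if g != 1:
            return g
    return 1

def ecm(n, bound=200, curves=100):
    """Try up to `curves` Suyama curves; return a proper factor of n or None."""
    for sigma in range(6, 6 + curves):
        g = ecm_stage1(n, bound, sigma)
        if 1 < g < n:
            return g
    return None

if __name__ == "__main__":
    print("ladder agrees with the Curve25519 group order:", check_ladder_on_curve25519())
    n = 1009 * 1000003                       # constructed composite, both factors prime
    print("factor of", n, "found by ECM stage 1:", ecm(n))
```

With the bound 200, any curve modulo 1009 whose group order avoids the single non-smooth candidate 972 already succeeds, so the small factor is found after a handful of curves; real implementations add a stage 2 and the fast dimension-1 isogeny and pairing routines that the Kummer Line library also provides.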
In 36, J.-M. Couveignes and T. Ezome use the arithmetic and geometry of elliptic curves to study the complexity of multiplication of two elements in a finite field extension given by their coordinates in a normal basis.
8.3 Cryptography
Participants: Guilhem Castagnos, Élie Bouscatié.
In 7, Bouvier, Castagnos, Imbert and Laguillaumie introduce BICYCL, an Open Source C++ library that implements arithmetic in the ideal class groups of imaginary quadratic fields, together with a set of cryptographic primitives based on class groups. It is available at bicycl under the GNU General Public License version 3 or any later version. It provides significant speed-ups on the implementation of the arithmetic of class groups. Concerning cryptographic applications, BICYCL is orders of magnitude faster than any previous implementation of the Castagnos–Laguillaumie linearly homomorphic encryption scheme, making it faster than Paillier's encryption scheme at any security level. Linearly homomorphic encryption is the core of many multi-party computation protocols, sometimes involving a huge number of encryptions and homomorphic evaluations: class group based protocols become the best solution in terms of bandwidth and computational efficiency to rely upon.
Due to their use in crypto-currencies, threshold ECDSA signatures have received much attention in recent years. Though efficient solutions now exist both for the two-party and the full threshold scenarios, there is still much room for improvement, be it in terms of protocol functionality, strengthening security or further optimising efficiency.
In the past few months, a range of protocols have been published, allowing for a non interactive – and hence extremely efficient – signing protocol; providing new features, such as identifiable aborts (parties can be held accountable if they cause the protocol to fail), fairness in the honest majority setting (all parties receive output or nobody does) and other properties. In some cases, security is proven in the strong simulation based model. In 10, G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta and I. Tucker combine ideas from the aforementioned articles with the suggestion of Castagnos et al. (PKC 2020) to use the class group based CL framework so as to drastically reduce bandwidth consumption.
Building upon this latter protocol they present a new, maliciously secure, full threshold ECDSA protocol that achieves additional features without sacrificing efficiency. Their most basic protocol boasts a non interactive signature algorithm and identifiable aborts. They also propose a more advanced variant that achieves adaptive security (for the
Functional encryption features secret keys, each associated with a key function
A recent series of works has focused on the ability to search a pattern within a data stream, which can be expressed as a function
In 16, É. Bouscatié, G. Castagnos and O. Sanders revisit the relations between this primitive and two major subclasses of functional encryption, namely Hidden Vector Encryption (HVE) and Inner Product Encryption (IPE). They first exhibit a generic transformation from HVE to SEPM, which immediately yields new efficient SEPM constructions with better features than existing ones. Then, they revisit the relations between HVE and IPE and show that they can actually do better than the transformation proposed by Katz, Sahai and Waters in their seminal paper on predicate encryption. This allows one to fully leverage the vast state of the art on IPE, which contains adaptively secure constructions proven under standard assumptions. This results in countless new SEPM constructions, with all the features one can wish for. Beyond that, this work sheds new light on the relations between IPE schemes and HVE schemes and in particular shows that some of the former are more suitable than others to construct the latter.
In 6, K. Belabas, T. Kleinjung, A. Sanso and B. Wesolowski show that in some particular class groups of imaginary quadratic orders, it is easier than expected to find elements of low order. This breaks an assumption used by verifiable delay functions built on class groups.
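To make the objects of this subsection concrete, here is an added Python example (it is not code from the report, from BICYCL or from Pari/GP) of class group arithmetic of an imaginary quadratic order in the representation BICYCL optimises: classes of binary quadratic forms (a, b, c) of discriminant D < 0, with the textbook reduction and Gauss composition algorithms. On top of these it shows the three uses mentioned on this page: exponentiation in a group whose order is unknown (Section 3.3), the repeated-squaring evaluation of a class group VDF (Section 5.2), and the fact that for a discriminant with several prime factors the classes of order 2 can be read off the factorisation by genus theory, the standard reason class group VDF setups take D = -p with p a prime congruent to 3 modulo 4. The low-order elements of 6 are of a different nature and are not reproduced here. Discriminants are tiny constructed values so that orders can be brute-forced; all function names are this example's own.

```python
"""Class group arithmetic of an imaginary quadratic order via binary quadratic forms.

Added example, not code from the CANARI report, BICYCL or Pari/GP: a minimal
pure-Python version of the textbook algorithms (reduction and Gauss composition,
Cohen, Algorithms 5.4.2 and 5.4.7) that BICYCL implements with heavy
optimisation.  A form (a, b, c) stands for a*x^2 + b*x*y + c*y^2 with a > 0 and
discriminant D = b^2 - 4ac < 0; SL2(Z)-classes of forms under composition make
up the class group Cl(D), whose order is unknown for large D.  The discriminants
used are tiny constructed values so that orders can be brute-forced.
"""

def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b = g = gcd(a, b) >= 0."""
    r0, r1, u0, u1, v0, v1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, u0, u1, v0, v1 = r1, r0 - q * r1, u1, u0 - q * u1, v1, v0 - q * v1
    return (r0, u0, v0) if r0 >= 0 else (-r0, -u0, -v0)

def discriminant(f):
    a, b, c = f
    return b * b - 4 * a * c

def reduce(f):
    """Unique reduced form in the class of f: |b| <= a <= c, with b >= 0 when
    |b| == a or a == c (Cohen, Algorithm 5.4.2)."""
    a, b, c = f
    while True:
        r = (a - b) // (2 * a)              # x -> x + r*y brings b into (-a, a]
        b, c = b + 2 * r * a, a * r * r + b * r + c
        if a > c or (a == c and b < 0):
            a, b, c = c, -b, a              # swap x and y, then normalise again
        else:
            return (a, b, c)

def compose(f, g):
    """Reduced composition of two forms of equal discriminant (Cohen, 5.4.7)."""
    if f[0] > g[0]:
        f, g = g, f
    a1, b1, _ = f
    a2, b2, c2 = g
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        d, y1, _ = egcd(a2, a1)             # y1*a2 = d (mod a1), d = gcd(a1, a2)
    if s % d == 0:
        x2, y2, d1 = 0, -1, d
    else:
        d1, x2, w = egcd(s, d)              # x2*s + w*d = d1 = gcd(a1, a2, s)
        y2 = -w
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    num = c2 * d1 + r * (b2 + v2 * r)
    assert num % v1 == 0                    # exact once the discriminants agree
    return reduce((v1 * v2, b2 + 2 * v2 * r, num // v1))

def identity(D):
    """Principal form (1, 0, -D/4) or (1, 1, (1 - D)/4)."""
    return (1, D % 2, (D % 2 - D) // 4)

def power(f, e):
    """Square-and-multiply.  For a few-thousand-bit D this is the whole point
    of Cl(D) as a group of unknown order: e cannot be reduced modulo |Cl(D)|."""
    result, base = identity(discriminant(f)), reduce(f)
    while e:
        if e & 1:
            result = compose(result, base)
        base, e = compose(base, base), e >> 1
    return result

def order(f, bound=10_000):
    """Brute-force order of the class of f; only meaningful for tiny D."""
    e, g = identity(discriminant(f)), reduce(f)
    current, k = g, 1
    while current != e:
        current, k = compose(current, g), k + 1
        if k > bound:
            raise ValueError("order exceeds bound")
    return k

def vdf_evaluate(g, T):
    """y = g^(2^T) by T sequential squarings: the evaluation step of a class
    group VDF (the succinct proof of correctness is not implemented here)."""
    y = reduce(g)
    for _ in range(T):
        y = compose(y, y)
    return y

def ambiguous_classes(D):
    """Reduced forms with b == 0, b == a or a == c: exactly the classes of order
    1 or 2.  For fundamental D genus theory gives 2^(t-1) of them, t being the
    number of distinct primes dividing D: one for D = -p, p = 3 mod 4 prime."""
    found, a = [], 1
    while 3 * a * a <= -D:
        for b in range(1 - a, a + 1):
            if (b * b - D) % (4 * a) == 0:
                c = (b * b - D) // (4 * a)
                if reduce((a, b, c)) == (a, b, c) and (b == 0 or b == a or a == c):
                    found.append((a, b, c))
        a += 1
    return found
```

Reduced forms are unique representatives, so tuple equality is class equality. For D = -23 the class (2, 1, 3) has order 3 and the VDF evaluation g^(2^T) cycles accordingly, while for D = -84 = -4·3·7 the form (3, 0, 7) is a non-trivial class of order 2 obtained directly from the factorisation; `compose` follows Cohen's algorithm without the NUCOMP size control that real implementations add, which is harmless at these sizes.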
8.4 Isogeny based cryptography
Participants: Pierrick Dartois, Sabrina Kunzweiler, Aurel Page, Damien Robert, Benjamin Wesolowski.
Since one cannot hash to supersingular elliptic curves, a trusted setup is required to obtain a supersingular elliptic curve with unknown endomorphism ring. In 15, A. Basso, G. Codogni, D. Connolly, L. de Feo, B. Fouotsa, G. Lido, T. Morrison, L. Panny, S. Patranabis and B. Wesolowski build SECUER, a multiparty scheme to generate such a curve, relying on a zero-knowledge isogeny proof built from pushforward diagrams.
In 20, L. de Feo, A. Leroux, P. Longa and B. Wesolowski improve the SQISign signature scheme by developing a new algorithm for the Deuring correspondence that uses endomorphisms to refresh the intermediate torsion.
A completely unexpected development in isogeny based cryptography was the spectacular break of SIDH 47 using isogenies in dimension 2. This attack was originally heuristic and applied only to a very special starting curve, but it was soon extended by L. Maino, C. Martindale, L. Panny, G. Pope and B. Wesolowski in 22 to a subexponential heuristic attack on all curves, and then in 24 by D. Robert to a proven polynomial-time attack in all cases, by moving to dimensions 4 and 8.
Moving to higher dimension allows considerable flexibility in manipulating isogenies, thanks to the following embedding lemma proved in 24 using earlier work by Zarhin 50 and Kani 49:
For every
This powerful tool soon led the way to new algorithms.
In 43, D. Robert proves that every isogeny admits an efficient representation, which allows for evaluation in polynomial time (in the logarithm of its degree). In 44, he proves that the endomorphism ring of an ordinary elliptic curve can be computed in polynomial time given the factorisation of its conductor, and that canonical lifts of ordinary elliptic curves can be computed in polynomial time (among other results). Such powerful results were completely unexpected, the previous best algorithms being subexponential. This led to a new point counting algorithm for elliptic curve
These new algorithms in turn led to new cryptosystems, using higher dimensional isogenies as a fundamental building block. In 38, P. Dartois, A. Leroux, D. Robert and B. Wesolowski present the SQISignHD protocol, which has a much cleaner security proof than SQISign, even more compact signatures, and much faster signing times.
The verification uses a
With the rise of higher dimensional cryptography, optimising the speed of
In 29, S. Arpin, J. Clements, P. Dartois, J. K. Eriksen, P. Kutas and B. Wesolowski prove that computing an orientation reduces in subexponential time to the equivalent decision problem.
In 42, A. Page and B. Wesolowski prove another algorithmic reduction, showing that being able to find a single endomorphism of an arbitrary supersingular elliptic curve is no easier than being able to find the entire endomorphism ring. As applications, they prove the collision-resistance of the CGL hash function and the soundness of the SQIsign identification scheme, under the standard assumption of hardness of the endomorphism ring problem.
In 19, L. de Feo, B. Fouotsa, P. Kutas, A. Leroux, S. Merz, L. Panny and B. Wesolowski introduce SCALLOP, a new commutative group action isogeny scheme using orientations of supersingular elliptic curves. The idea is to build an orientation by a quadratic order of large prime conductor in order to speed up the computation of the class group relations.
In 41, A. Page and D. Robert introduce Clapoti(s), a new algorithm to compute the class group action on an oriented elliptic curve in polynomial time. This solves a long standing problem in isogeny based cryptography: all existing algorithms were asymptotically subexponential.
8.5 Pairings
Participants: Damien Robert.
In 45, D. Robert gives a geometric interpretation of the Tate pairing on abelian varieties. This interpretation shows that the Tate pairing can be used to probe the Galois structure of the isogenous abelian variety, generalising some ad hoc constructions in the literature. It also settles a conjecture by Castryck and Decru on multiradical isogenies.
In 40, J. Gasnier and A. Guillevic revisit the generation of pairing friendly curves from an algebraic point of view.
8.6 Lattice-based cryptography
Participants: Guilhem Mureau, Alice Pellet-Mary, Wessel van Woerden.
In June 2023, NIST started an additional post-quantum signature standardisation process. The objective of this new call is to standardise one or more post-quantum signature schemes, different from the ones standardised so far. J. Bos, O. Bronchain, L. Ducas, S. Fehr, Y. Huang, T. Pornin, E. Postlethwaite, T. Prest, L. Pulles and W. van Woerden submitted the Hawk signature scheme to this process; it is based on the article 48 by L. Ducas, E. Postlethwaite, T. Prest, L. Pulles and W. van Woerden.
The security of most lattice-based cryptographic schemes relies on the hardness of computing short vectors in lattices. Very often, the lattices in question enjoy additional properties, which make the schemes based on them more efficient. An important question is then to understand how hard the problem of finding short vectors is in these lattices with additional structure.
A very common way to add structure to a lattice is to consider module lattices, that is, lattices that are also
A special case of module lattices are ideal lattices, which are modules of rank
8.7 Coding theory
Participants: Xavier Caruso, Jean-Marc Couveignes, Fabrice Drain, Amaury Durand, Jean Gasnier.
X. Caruso continued his work towards the development of coding theory in the sum-rank metric context. With A. Durand 9, he described the duals of Martinez-Penas' linearized Reed–Solomon codes. In collaboration with Elena Berardini 31, he introduced a linearized version of Algebraic Geometry codes and studied its parameters; in particular, they showed that the codes they introduced beat the (sum-rank analogue of the) Gilbert–Varshamov bound.
In 33, X. Caruso and F. Drain obtained a complete classification of self-dual skew cyclic and skew negacyclic codes. They also provided efficient algorithms for sampling and enumerating them.
Effective geometry of curves and applications
In 37, J.-M. Couveignes and J. Gasnier study the effective aspects of group actions on algebraic curves and more precisely the
8.8 Analysis
Participants: Anne-Edgar Wilke.
In 46, A.-E. Wilke makes the analogy between convexity and plurisubharmonicity in Banach spaces more precise.
8.9 Effective analysis and certified arithmetic
Participants: Fredrik Johansson.
In 11, F. Johansson presents improved algorithms for arbitrary-precision computation of the gamma function and related classical special functions.
9 Partnerships and cooperations
9.1 International research visitors
9.1.1 Visits of international scientists
Other international visits to the team
- Wouter Castryck, from KU Leuven (Belgium), visited the team for 2 weeks in January 2023.
The following international researchers have given a presentation in the Canari team seminar:
- Wouter Castryck (KU Leuven, Belgium)
- Donghyeok Lim (Yonsei University, Korea)
- Maxime Bombar (CWI)
- Stefano Marseglia (Utrecht University)
- Lorenzo Furio (Università di Pisa)
- Monika Trimoska (Eindhoven University of Technology)
- Yining Hu (Harbin Institute of Technology)
- Marc Houben (Leiden University)
9.2 National initiatives
- PEPR Technologies Quantiques, integrated project PQ-TLS: Post-quantum padlock for web browser, with Inria teams Grace, Cosmiq and Prosecco, the Universities of Bordeaux, Rennes, Limoges, Versailles–St. Quentin, Rouen and St. Étienne, ENS Lyon and CEA. 2022–2027, total budget 4180k€, of which 456k€ for Bordeaux.
- PEPR Cybersécurité, integrated project CRYPTANALYSE: Cryptanalysis of classical cryptographic primitives, with Inria teams Caramba and Cosmiq, the Universities of Rennes, Amiens and Sorbonne, and CNRS. 2023–2028, total budget 5000k€, of which about 90k€ for Bordeaux.
- HQI project (HPC-Quantum Initiative, France 2030): France Hybrid HPC Quantum Initiative, R&D and support; 17 partners in France, we will mainly work with LIP6 and ENS de Lyon. 2021–2027, 165k€ for Bordeaux.
- ANR AGDE: Arithmetic and geometry of discrete groups, with Toulouse and Paris. 2021–2025, 45k€ for Bordeaux.
- ANR Ciao: Isogeny based cryptosystems, applications to verifiable delay functions and post-quantum cryptography (PI D. Robert), with Paris and Montpellier. 2019–2024, 150k€ for Bordeaux.
- ANR/NSF Charm: Cryptographic hardness of module lattices, with Florida Atlantic, Cornell and ENS Lyon. 2021–2024, 205k€ for Bordeaux.
- ANR NuSCAP: Numerical safety for computer-aided proofs, with Lyon, Nantes, Paris, Sophia-Antipolis and Toulouse. 2021–2025.
- ANR PadLEfAn: p-adic properties of L-functions, effective and analytic aspects, with Besançon and Caen. 2022–2026.
- ANR Sangria: Secure distributed computation: cryptography, combinatorics and computer algebra, with Paris and région Occitanie. 2021–2025.
- ANR TOTORO: Towards new assumptions in lattice-based cryptography (PI A. Pellet-Mary), with Toulouse and Telecom Paris. 2023–2027, 186k€.
- ANR ClapClap: p-adic Langlands correspondence, a constructive and algorithmic approach (PI X. Caruso), with ENS Lyon, Paris Rive Gauche and Rennes. 2019–2023, 198k€.
- ANR Flair: Families of L-functions: analysis, interactions, effective results, with Besançon. 2017–2021.
10 Dissemination
Participants: Bill Allombert, Razvan Barbulescu, Karim Belabas, Xavier Caruso, Guilhem Castagnos, Andreas Enge, Jean-Marc Couveignes, Fredrik Johansson, Aurel Page, Alice Pellet-Mary, Damien Robert.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
Member of the organizing committees
- B. Allombert was an organiser of the COUNT conference at CIRM (Luminy, France).
10.1.2 Scientific events: selection
Member of the conference program committees
- A. Page
- LMFDB, Computation, and Number Theory – LuCaNT 2023
- A. Pellet--Mary
- Public Key Cryptography – PKC 2023
- Asiacrypt 2023
10.1.3 Journal
Member of the editorial boards
- K. Belabas is an editor of Archiv der Mathematik since 2006.
- X. Caruso is an editor and one of the founders of the journal Annales Henri Lebesgue.
- X. Caruso is member of the scientific board for the Journal de Théorie des Nombres de Bordeaux since 2022.
- J.-M. Couveignes is an editor of the Publications mathématiques de Besançon since 2019.
- J.-M. Couveignes was an editor of the Journal de théorie des nombres de Bordeaux from 2019 to 2023.
- A. Enge is an editor of Designs, Codes and Cryptography since 2004.
- A. Page is an associate editor of the LMFDB since 2022.
10.1.4 Invited talks
- J.-M. Couveignes
- The algebraic complexity of multiplication in finite field extensions, plenary talk, Explicit methods in automorphic forms and arithmetic geometry, (Dublin 2023).
- F. Johansson
- Computing special functions using integral representations, at Recent Trends in Computer Algebra (Lyon, 2023).
- The practical complexity of arbitrary-precision functions, at Recent Trends in Computer Algebra (Paris, 2023).
- A. Page
- Pari/GP, playing the L-functions game of number theorists at the workshop Recent Trends in Computer Algebra (Lyon, 2023).
- D. Robert
- Arithmetic and pairings on Kummer lines, Leuven isogeny days 4 (Leuven, October 2023).
- Efficient representation of isogenies, EWHA-KMS International Workshop on Cryptography (Korea, July 2023).
- Applications of isogenies between abelian varieties to elliptic curves, Arithmétique en Plat Pays (Leuven, March 2023) and VaNTAGe Seminar (Online, December 2022).
- A. Pellet--Mary
- Lattices in cryptography: cryptanalysis, constructions and reductions. Journées Code et Cryptographie 2023 (Najac, October 2023).
10.1.5 Research administration
- K. Belabas is Vice président en charge du numérique (vice-president in charge of digital strategy and policies) at the University of Bordeaux since March 2022.
- K. Belabas was member of the scientific board of the Société Mathématique de France from 2017 to 2023.
- X. Caruso is vice-head of Institut de Mathématiques de Bordeaux, in charge of the IT department.
- X. Caruso was member of the Comité National des Universités from 2020 to 2023.
- J.-M. Couveignes is Chargé de mission pour la sécurité numérique (in charge of digital security) at the University of Bordeaux.
- D. Robert is Chargé de mission Développement logiciel (in charge of software development) at the Institut de Mathématiques de Bordeaux since 2018.
- A. Page and A. Enge are members of the Conseil d'Administration of the Société Arithmétique de Bordeaux, which publishes the Journal de Théorie des Nombres de Bordeaux and provides financial support for the organisation of number theory events.
- A. Enge is an elected member of the CAP chercheurs at Inria since 2023.
- G. Castagnos was responsible for the bachelor programme in mathematics and informatics of the University of Bordeaux from 2018 to 2023.
10.2 Teaching - Supervision - Juries
- K. Belabas
- 64h course on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
- 35h course on quantum algorithms, Master 2, University of Bordeaux
- X. Caruso
- 35h course on quantum computing, Master 2, University of Bordeaux
- mini-course on -adic random polynomials at the 12th Swiss-French Workshop in Algebraic Geometry (Charmey, 2023)
- G. Castagnos and D. Robert
- 60h course on elliptic curve cryptography, Master 2, University of Bordeaux
- G. Castagnos
- 60h course on cryptanalysis, 30h on advanced cryptography, Master 2, University of Bordeaux
- 24h course on arithmetic and cryptography, Bachelor, University of Bordeaux
- J.-M. Couveignes
- 25h course on algorithmic arithmetics, Master, University of Bordeaux
- 160h course at CPBX (undergraduate programme for students in engineering)
- A. Page
- 27h exercise sessions on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
10.2.1 Supervision
- PhD: Élie Bouscatié, Conception d'algorithmes de chiffrement cherchable, defended December 2023, supervised by G. Castagnos
- PhD in progress: Anne-Edgar Wilke, Enumerating integral orbits of prehomogeneous representations, since September 2019, supervised by K. Belabas.
- PhD in progress: Agathe Beaugrand, Conception de systèmes cryptographiques utilisant des groupes de classes de corps quadratiques, since September 2021, supervised by Guilhem Castagnos and Fabien Laguillaumie.
- PhD in progress: Fabrice Étienne, Techniques d'induction pour l'algorithmique des représentations galoisiennes, since September 2022, supervised by Aurel Page.
- PhD in progress: Nicolas Sarkis, Recherche de courbes planes de genre 2 adaptée à la factorisation des entiers, since September 2022, supervised by Razvan Barbulescu and Damien Robert.
- PhD in progress: Pierrick Dartois, Improvement and security analysis of isogeny-based cryptographic schemes, since September 2022, supervised by Damien Robert and Benjamin Wesolowski.
- PhD in progress: Jean Gasnier, Algorithmique des isogénies et applications, since October 2022, supervised by Jean-Marc Couveignes.
- PhD in progress: Raphaël Pagès, Factorization of differential operators in positive characteristic, since September 2020, supervised by Alin Bostan and Xavier Caruso.
- PhD in progress: Fabrice Drain, Codes for the sum-rank metric, since September 2023, supervised by Elena Berardini and Xavier Caruso.
- PhD in progress: Guilhem Mureau, Isomorphism of algebraic lattices, since September 2023, supervised by Alice Pellet--Mary and Renaud Coulangeon.
10.2.2 Juries
- D. Robert
- Sulamithe Tsakou, Université de Picardie Jules Verne, 2023: Algebraic cryptanalysis of hyperelliptic curves based cryptosystems (report)
- B. Allombert
- Valentin Petit, Université de Franche-Comté, 2023: Points spéciaux et modularité des courbes elliptiques définies sur et (committee)
- G. Castagnos
- Chloé Gravouil, Université Rennes 1, 2023: Boolean Fault-Resistant Masking and White-Boxability of Lightweight Cryptography (report)
- Anaïs Barthoulot, Université de Limoges, 2023: Advanced Encryption for the Sharing of Sensitive Data (report)
- J.-M. Couveignes
- Béranger Séguin, Université de Lille, 2023: Geometry and Arithmetic of Components of Hurwitz Spaces (report)
- Eddy Brandon, Université de Dijon, 2023: Computational Approach to the Schottky Problem (committee)
10.3 Popularization
10.3.1 Internal or external Inria responsibilities
- R. Barbulescu organises each year the contest Alkindi and the TFJM (Tournoi des Jeunes Mathématiciennes et Mathématiciens).
- X. Caruso was in charge of the dissemination at Institut de Mathématiques de Bordeaux until 2023; he was then replaced by R. Barbulescu.
10.3.2 Education
- A. Pellet--Mary participated as a lecturer in two CIMPA schools on post-quantum cryptography (in Rabat in October, and in Pondicherry in December).
- A. Page gave a talk about cryptography for high school teachers during the IREM conference in Bordeaux in 2023.
10.3.3 Interventions
- X. Caruso and A. Pellet--Mary moderated a workshop at the event Les échappées inattendues (organized by the local delegation of CNRS).
- X. Caruso realised an art exhibition on mathematics, see exth.
- X. Caruso animated a general audience conference and a Rencontre à l'heure du thé (meeting at tea time) at Maison Poincaré in Paris.
- X. Caruso coordinated a workshop Regard de géomètre (five interventions in a high school) and gave a talk for the final conference of this program.
- A. Pellet--Mary animated a workshop during the week moi informaticienne moi mathématicienne for high school female students.
- A. Page gave general audience talks about cryptography during the Fête de la Science event (4 groups of high-school students).
11 Scientific production
11.1 Major publications
- [1] Can we dream of a 1-adic Langlands correspondence? Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, 537-560.
- [2] Computational Number Theory, Past, Present, and Future. Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, 561-578.
- [3] D. Robert. Breaking SIDH in polynomial time. Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Springer Nature Switzerland, March 2023, 472-503.
11.2 Publications of the year
International journals
- [4] Drinfeld modules in SageMath. ACM Communications in Computer Algebra 57(2), June 2023, 65-71.
- [5] Special values of ray class partial zeta functions. International Journal of Number Theory 19(3), April 2023, 481-493.
- [6] A note on the low order assumption in class groups of imaginary quadratic number fields. Mathematical Cryptology 3(1), 2023, 44-51.
- [7] I want to ride my BICYCL: BICYCL Implements CryptographY in CLass groups. Journal of Cryptology 36(3), July 2023, article 17.
- [8] Combinatorics of Serre weights in the potentially Barsotti-Tate setting. Moscow Journal of Combinatorics and Number Theory 12(1), 2023, 1-56.
- [9] Duals of linearized Reed-Solomon codes. Designs, Codes and Cryptography 91(1), 2023, 241-271.
- [10] Bandwidth-efficient threshold EC-DSA revisited: Online/Offline Extensions, Identifiable Aborts, Proactive and Adaptive Security. Theoretical Computer Science 939, 2023, 78-104.
- [11] Arbitrary-precision computation of the gamma function. Maple Transactions 3(1), February 2023.
- [12] The CM class number one problem for curves of genus 2. Research in Number Theory 9(1), March 2023, article 15.
- [13] Computing minimal Weierstrass equations of hyperelliptic curves. Research in Number Theory 9(4), October 2023, article 76.
International peer-reviewed conferences
- [14] The special case of cyclotomic fields in quantum algorithms for unit groups. Progress in Cryptology – AFRICACRYPT 2023, Lecture Notes in Computer Science 14064, Sousse, Tunisia, Springer, July 2023, 229.
- [15] Supersingular Curves You Can Trust. Eurocrypt 2023, Lyon, France, April 2023.
- [16] Pattern Matching in Encrypted Stream from Inner Product Encryption. Public-Key Cryptography – PKC 2023 (26th IACR International Conference on Practice and Theory of Public-Key Cryptography), Lecture Notes in Computer Science 13940, Atlanta (Georgia), United States, Springer Nature Switzerland, May 2023, 774-801.
- [17] Efficient Computation of -Isogenies. AfricaCrypt 2023, Lecture Notes in Computer Science 14064, Sousse, Tunisia, July 2023, 53-78.
- [18] Ideal-SVP is Hard for Small-Norm Uniform Prime Ideals. Theory of Cryptography, TCC 2023, Lecture Notes in Computer Science 14372, Taipei, Taiwan, Springer Nature Switzerland, November 2023, 63-92.
- [19] SCALLOP: scaling the CSI-FiSh. PKC 2023, Lecture Notes in Computer Science 13940, Atlanta, United States, Springer Nature Switzerland, May 2023, 345-375.
- [20] New algorithms for the Deuring correspondence: Towards practical and secure SQISign signatures. Eurocrypt 2023, Lyon, France, April 2023.
- [21] Fast change of level and applications to isogenies. ANTS 2022 - Fifteenth Algorithmic Number Theory Symposium, Bristol, United Kingdom; Research in Number Theory 9(1), 2023, article 7.
- [22] A Direct Key Recovery Attack on SIDH. Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, April 2023, 448-471.
- [23] Reductions from Module Lattices to Free Module Lattices, and Application to Dequantizing Module-LLL. Advances in Cryptology – CRYPTO 2023, Lecture Notes in Computer Science 14085, Santa Barbara, United States, Springer Nature Switzerland, August 2023, 836-865.
- [24] Breaking SIDH in polynomial time. Advances in Cryptology – EUROCRYPT 2023, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, March 2023, 472-503.
Scientific book chapters
- [25] Can we dream of a 1-adic Langlands correspondence? Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, 537-560.
- [26] Computational Number Theory, Past, Present, and Future. Mathematics Going Forward, Lecture Notes in Mathematics 2313, Springer International Publishing, 2023, 561-578.
Reports & preprints
- [27] A sharper multivariate Christol's theorem with applications to diagonals and Hadamard products. Preprint (HAL), June 2023.
- [28] Cyclic cubic number fields with harmonically balanced capitulation. Preprint (HAL), December 2023.
- [29] Finding Orientations of Supersingular Elliptic Curves and Quaternion Orders. Preprint (HAL), 2023.
- [30] ECM And The Elliott-Halberstam Conjecture For Quadratic Fields. Preprint (HAL), January 2023.
- [31] Algebraic Geometry codes in the sum-rank metric. Preprint (HAL), March 2023.
- [32] Algebraic solutions of linear differential equations: an arithmetic approach. Preprint (HAL), April 2023.
- [33] Selfdual skew cyclic codes. Preprint (HAL), June 2023.
- [34] Algorithms for computing norms and characteristic polynomials on general Drinfeld modules. Preprint (HAL), December 2023.
- [35] Parametric Continued Fractions for , , and other Constants. Preprint (HAL), April 2023.
- [36] The equivariant complexity of multiplication in finite field extensions. Preprint (HAL), January 2023.
- [37] Explicit Riemann-Roch spaces in the Hilbert class field. Preprint (HAL), September 2023.
- [38] SQISignHD: New Dimensions in Cryptography. Preprint (HAL), March 2023.
- [39] An Algorithmic Approach to (2, 2)-isogenies in the Theta Model and Applications to Isogeny-based Cryptography. Preprint (HAL), November 2023.
- [40] An Algebraic Point of View on the Generation of Pairing-Friendly Curves. Preprint (HAL), September 2023.
- [41] Introducing Clapoti(s): Evaluating the isogeny class group action in polynomial time. Preprint (HAL), November 2023.
- [42] The supersingular Endomorphism Ring and One Endomorphism problems are equivalent. Preprint (HAL), October 2023.
- [43] Evaluating isogenies in polylogarithmic time. Preprint (HAL), 2023.
- [44] Some applications of higher dimensional isogenies to elliptic curves (overview of results). Preprint (HAL), 2023.
- [45] The geometric interpretation of the Tate pairing and its applications. Preprint (HAL), November 2023.
- [46] Convexity, plurisubharmonicity and the strong maximum modulus principle in Banach spaces. Preprint (HAL), September 2023.
11.3 Cited publications
- [47] An efficient key recovery attack on SIDH. Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2023, 423-447.
- [48] Hawk: Module LIP makes lattice signatures fast, compact and simple. International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2022, 65-94.
- [49] The number of curves of genus two with elliptic differentials. Journal für die reine und angewandte Mathematik 485, 1997, 93-122.
- [50] A remark on endomorphisms of abelian varieties over function fields of finite characteristic. Mathematics of the USSR-Izvestiya 8(3), 1974, 477.