2023Activity reportProjectTeamCARAMBA
RNSR: 201622054G Research center Inria Centre at Université de Lorraine
 In partnership with:Université de Lorraine, CNRS
 Team name: Cryptology, arithmetic : algebraic methods for better algorithms
 In collaboration with:Laboratoire lorrain de recherche en informatique et ses applications (LORIA)
 Domain:Algorithmics, Programming, Software and Architecture
 Theme:Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
 A1.1.2. Hardware accelerators (GPGPU, FPGA, etc.)
 A4.3.1. Public key cryptography
 A4.3.2. Secret key cryptography
 A4.8. Privacyenhancing technologies
 A6.2.7. High performance computing
 A7.1. Algorithms
 A7.1.4. Quantum algorithms
 A8.4. Computer Algebra
 A8.5. Number theory
 A8.10. Computer arithmetic
Other Research Topics and Application Domains
 B8.5. Smart society
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Emmanuel Thomé [Team leader, INRIA, Senior Researcher, HDR]
 Xavier Bonnetain [INRIA, Researcher]
 Pierrick Gaudry [CNRS, Senior Researcher, HDR]
 Aurore Guillevic [INRIA, Researcher]
 Virginie Lallemand [CNRS, Researcher]
 Cécile Pierrot [INRIA, Researcher]
 PierreJean Spaenlehauer [INRIA, Researcher]
 Paul Zimmermann [INRIA, Senior Researcher, HDR]
Faculty Members
 Sébastien Duval [UL, Associate Professor]
 Marine Minier [UL, Professor Delegation, HDR]
PostDoctoral Fellows
 Paul Frixons [INRIA, PostDoctoral Fellow]
 Loïc Rouquette [UL, PostDoctoral Fellow, until Aug 2023]
PhD Students
 Haetham Al Aswad [INRIA]
 Marie Bolzer [CNRS, from Oct 2023]
 Medhi Kermaoui [INRIA, from Oct 2023]
 Antoine Leudière [INRIA]
 Léo Louistisserand [CNRS, from Oct 2023, (with PESTO team)]
 Ana Rodriguez Cordero [UL]
 Julien Soumier [INRIA, from Oct 2023]
 Quentin Yang [INRIA, until Sep 2023]
Interns and Apprentices
 Marie Bolzer [CNRS, Intern, from Feb 2023 until Aug 2023, M2 internship]
 Fatou Diao [UL, Intern, from Feb 2023 until Aug 2023, M2 internship]
 Mathis Georgel [UL, Intern, from May 2023 until Jun 2023]
 Medhi Kermaoui [INRIA, Intern, from Apr 2023 until Sep 2023, M2 internship]
 Kevin Lodovici [UL, Intern, from May 2023 until Jul 2023]
 Victor Matrat [UL, Intern, from Oct 2023]
 Tristan Parcollet [UL, Intern, from Jun 2023 until Aug 2023]
 Joseph Schlesinger [UL, Intern, from May 2023 until Jun 2023]
 Julien Soumier [INRIA, Intern, from Mar 2023 until Sep 2023, M2 internship]
 Lucas Villaume [UL, Intern, from Apr 2023 until Jul 2023]
Administrative Assistants
 Virginie Colnet [CNRS]
 Emmanuelle Deschamps [INRIA]
2 Overall objectives
Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the toplevel mathematical background down to the optimized highperformance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems.
The first axis (§3.1) of our research work studies these mathematical objects mostly for their own sake. Our expertise in computational mathematics and computer algebra allows us to contribute to the general algorithmic toolbox that makes these mathematical objects easy to work with in practice: computations with these objects must be effective and fast. A sizeable portion of our work in this domain is realized in the form of software projects, which are developed over long periods of time (GNU MPFR, for example, was initiated by members of our group several decades ago, and is still maintained and developed).
A second part of our work (axes §3.2 and §3.3) is centered on cryptographic motivations. Quite often, our work here happens to be rooted in exactly the same core competences as the ones we use in our first research axis. We consider the two facets of cryptology: cryptography and cryptanalysis. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public and secretkey), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones. While the basic principles of symmetric and asymmetric cryptography are rather different—indeed their names indicate different ways to handle the key—research in both domains is led by the same objective of finding the best tradeoffs between efficiency and security. In addition to this, both require to study design and analysis together as these two aspects nurture each other.
Our last research axis (§3.4) uses our cryptographic knowledge to connect to more real world concerns, in connection with topics closer to computer security. Longterm aspects of this part of our activity are practical and theoretical research on electronic voting, and practical impact on key sizes of our factoring and discrete logarithm record computations. More isolated works in this axis include for instance some works on whitebox cryptography, IoT or contacttracing. We also consider our growing activity on historical cryptography as part of this axis where cryptography is only one part of the study.
3 Research program
3.1 Research axis 1: mathematical objects
Several mathematical objects are pervasive in our research. We sometimes study them per se, but they also often play a key role as tools in other research topics. In particular, we study computer arithmetic, polynomial systems, linear algebra, algebraic curves and abelian varieties.
In the context of this research axis, we work on the key algorithms and mathematical results, as well as on the realization of these results in terms of software. In our approach, software is a key step in a feedback loop that goes from mathematics to algorithms, implementation, software, and back. By software here, we mean free and opensource software tools, often developed over several years, that can be used as dependable building blocks by us as well as by peers for reproducible research.
Our past and future topics in this research axis include the following.
 We seek algorithmic and practical improvements to the most basic algorithms in computer arithmetic. This includes for example the study of advanced algorithms for integer multiplication, and their practical reach, or refinements of the implementation and accuracy of elementary functions in arbitrary precision arithmetic. Our work includes mathematical reasoning, complexity analysis, and proofs of correctness.
 We initiated work (sometimes several years or even decades ago) on several software libraries for computer arithmetic, such as GNU MPFR, GNU MPC, GF2X, MPFQ, GMPECM, or more recently the COREMATH project. These libraries are typical of our research outputs in terms of software, and our new research results are regularly implemented in such libraries (either these libraries or new ones).
 We develop algorithms and software for the computation of essential properties of algebraic curves and abelian varieties like group structure, characteristic polynomials, rings of endomorphisms, or RiemannRoch spaces. This perspective towards effective algebra is also found in our interest in sparse polynomial systems, with a particular eye towards the specificities of their monomial structure. We explore possible ways to exploit this monomial structure in order to obtain faster algorithms for the computation of Gröbner bases.
Examples of publications in the recent past that illustrate our positioning on this research topic are 13, 35, 29, 7.
3.2 Research axis 2: secretkey cryptology
We study cryptographic and cryptanalytic aspects of secretkey primitives. We explore the following research directions in particular:
 We work on the formalization of various statistical cryptanalysis techniques, starting with boomerang attacks on which we recently gained strong expertise. We aim to properly define how to build such distinguishers and how to estimate their probability, two central points for cryptanalysts. We intend to explore the potential of alternative techniques, such as differentiallinear attacks for instance, to attack the most recent cipher primitives (such as the NIST lightweight AEAD ciphers, as well as others at various stages of their development).
 Beyond the classical linear and differential cryptanalysis techniques, we are interested in the automation of the analysis process by the development of tools based on constraint programming (CP), satisfiability (SAT) or mixed integer linear programming (MILP) settings.
 We also study new designs, and in particular new building blocks for future cryptographic primitives with design criteria that include resistance to advanced cryptanalysis techniques, using minimal resources.
 With the current progress of quantum computing, we need to know the security of cryptosystems against a quantum computer, especially for longterm security. Hence, we study quantum cryptanalysis. We focus on quantum algorithms that are the most distinct from classical algorithms, like the algorithms for the hidden subgroup problem, and on quantum variants of our classical cryptanalyses. This research direction is also connected to publickey cryptography.
Examples of publications in the recent past that illustrate our positioning on this research topic are 1, 2, 11, 16, 9.
3.3 Research axis 3: publickey cryptographic primitives
Our team has been studying the mathematical building blocks of publickey cryptography for a long time. More specifically, we have a longestablished record on the study of the publickey cryptographic primitives based on integer factorization and finite field discrete logarithm, as well as on algebraic curves, abelian varieties, and their applications in cryptography. Most of the time we study them from a classical (non quantum) angle.
The algorithmic framework of the Number Field Sieve (NFS) addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.
Several of our current research directions in publickey cryptography are strongly connected to our general expertise on NFS.
 We intend to improve the cryptanalysis techniques for various instances of the discrete logarithm problem with methods of the index calculus family. A good example of this research is our recent work on the Tower Number Field Sieve (TNFS), which touches upon algorithmic results related to number fields, to Galois theory, and to Euclidean lattices.
 We work on improving the practical reach of NFS as an algorithm for the factorization of RSA moduli or the computation of discrete logarithms in finite fields. We have established several computational records in this domain, and we seek further algorithmic improvements, or technological advances, that can contribute to pushing the feasibility limit further.
 None of our work on NFS would be possible without access to a dependable software implementation. To this end, we have been developing the CadoNFS software suite since 2007. CadoNFS is now the reference implementation of NFS, and is a crucial platform for developing prototype implementations for new ideas for the many subalgorithms of NFS. The continuation of its development is part of our research plan.
 In the specific context of ellipticcurve cryptography, and in particular pairingbased cryptography, our expertise allows us to provide insights on the balance between implementation efficiency and security of the pairing constructions. This research is connected to the numerous application domains of pairings such as, for example, the Succinct Noninteractive ARgument of Knowledge, (zkSNARKs).
In addition to the above, we also study other aspects of publickey cryptography, such as cryptographic constructions using isogenies between curves or more general algebraic structures, as well as their security. We have a strong record on this topic in general. The algorithmic toolbox to deal with such objects was enriched in 2022 with new practical results of Castryck–Decru, Robert, and Wesolowski. This topic is clearly in our research agenda.
As in the case of secretkey cryptology, some of our research work also takes into account quantum algorithms, and possibly the interplay of quantum and classical algorithms.
Examples of publications in the recent past that illustrate our positioning on this research topic are 3, 12, 8, as well as the CadoNFS software described in 6.1.2.
3.4 Research axis 4: implications in computer security and the real world
The questions that we address in our last research axis are less problemcentered than above, and rather revolve around how the different building blocks that we work with can be assembled, and whether this leads to impactful results in computer security.
 We have been working since 2016 on electronic voting, and our most visible work in this domain is Belenios, which is a protocol with a complete specification, a free software implementation, and a freeofcharge web platform that anyone can use to set up their elections. Some desirable properties in electronic voting are very hard to obtain in practice, and we contributed to theoretical research by proposing or analysing new schemes that could be used, while providing improved guarantees with respect to some of these difficult properties such as coercionresistance, castasintended, or accountability.
 Our public key work includes improvements of the Number Field Sieve algorithm, and we sometimes discuss the implications of this work in computer security, which is not necessarily the same angle. A good example is the Logjam attack in 2015, where the underlying cryptanalytic task (computing discrete logarithms in 512bit prime fields) is not exciting in itself, yet we showed that it was a key ingredient in an impactful research result. This positioning is also found in our more recent research.
Examples of publications in the recent past that illustrate our positioning on this research topic are 6, 5, 4, 10.
4 Application domains
4.1 Better awareness and avoidance of cryptanalytic threats
Our study of the Number Field Sieve algorithm and its variants aims to show how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for choosing of appropriate cryptographic primitives. For example the French ANSSI 1, German BSI, or the NIST 2 in the United States base their recommendations on such computational achievements.
The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that are taking the security/efficiency/legacy compatibility tradeoffs too lightly. Attacks such as LogJam 40 are understood as being serious concerns thanks to our convincing proofofconcepts. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.
4.2 Promotion of better cryptography
We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.
We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than the current state of the art.
4.3 Key software tools
The vast majority of our work is eventually realized as software. We can roughly categorize it into two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in, e.g., the GNU Compiler Collection (GCC), Victor Shoup's Number Theory Library (NTL), or the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure of the impact of our work.
We also develop more specialized software. Our flagship software package is CadoNFS 47, and we also develop some others with various levels of maturity, such as GMPECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible sources of inspiring material for others, it is again important that these be developed in a free and opensource development model.
5 Highlights of the year
The COREMATH project reached a significant milestone in 2023, with correctly rounded implementations of all mathematical functions in C99 and C23, in double precision.
5.1 Awards
Véronique Cortier (team PESTO) and Pierrick Gaudry were awarded the Grand Prix de l'Académie Lorraine des Sciences for their book entitled Le vote électronique 6.
6 New software, platforms, open data
6.1 New software
6.1.1 Belenios

Name:
Belenios  Verifiable online voting system

Keyword:
Evoting

Functional Description:
Belenios is an opensource online voting system that provides vote confidentiality and verifiability. Endtoend verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).
Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates and grade them.
Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

News of the Year:
In 2023, our platform was used to run about 1500 elections, with about 175,000 registered voters and 55,000 ballots counted.
Some of the improvements made during this year are invisible for users. This includes the use of elliptic curves instead of finite fields, as a base group where the discrete logarithm problem is supposed to be hard. Also, some modifications have been made, so that the server can handle larger elections. This was successfully tested, with a real election of more than 30,000 voters.
Other changes are visible to users. A new election administration interface based on a REST API is now available for betatesting to the users. Also, the voter's journey has been slightly simplified, without impact on security. Finally, the STV counting system for preferential voting is now fully supported.
 URL:

Contact:
Stéphane Glondu

Participants:
Pierrick Gaudry, Stéphane Glondu, Véronique Cortier

Partners:
CNRS, Inria
6.1.2 CADONFS

Name:
Crible Algébrique: Distribution, Optimisation  Number Field Sieve

Keywords:
Cryptography, Number theory

Functional Description:
CadoNFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists in various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.

News of the Year:
In 2023, we worked on implementing in CadoNFS some of the ideas planned in the context of the Kleptomaniac ANR project. In particular, the "doublematrix" feature is under active development. We also worked on removing the dependency on the MPFQ software library, which we are no longer developing, in favor of a more maintainable approach.
 URL:

Contact:
Emmanuel Thomé

Participants:
Pierrick Gaudry, Emmanuel Thomé, Paul Zimmermann
6.1.3 Drinfeld modules in SageMath

Keywords:
Computer algebra, Number theory

Functional Description:
This project is an implementation, starting from scratch, of Drinfeld modules in SageMath. This module has been directly merged into SageMath with version 10.0, and keeps evolving.
Drinfeld modules are mathematical objects similar to elliptic curves, but in another setting, which is that of function fields.
The aim of this implementation is to provide researchers with all basic computational tools for Drinfeld modules, and to build a reliable basis for future, more sophisticated algorithms.
 URL:

Contact:
Antoine Leudière

Participant:
Antoine Leudière
6.1.4 TNFSalpha

Name:
alpha for the Tower Number Field Sieve algorithm

Keyword:
Cryptography

Functional Description:
This library implements a simulation tool for the tower number field sieve algorithm computing discrete logarithms in extension fields of small degree (tested up to 54). The library contains an implementation of the exact computation of alpha, the bias between the expected smoothness of an integer and the expected smoothness of a norm of an algebraic integer in a number field made of two extensions. The algorithm is a generalization to extensions of the exact implementation of alpha in the software CADONFS. The software contains an implementation of the Efunction of B. A. Murphy (Murphy's E) which estimates the quality of the polynomial selection step in TNFS through a simulation of the yield of the relation collection in the TNFS algorithm. Finally it contains a database of pairingfriendly curve seeds with the estimated level of security w.r.t a discrete logarithm computation in the corresponding finite field.
 URL:
 Publications:

Contact:
Aurore Guillevic

Participant:
Aurore Guillevic
6.1.5 COREMATH

Name:
COREMATH

Keywords:
Arithmetic code, Floatingpoint, Correct Rounding

Functional Description:
COREMATH Mission: provide ontheshelf opensource mathematical functions with correct rounding that can be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvmlibc, CUDA libm, ROCm)

News of the Year:
In 2023, all doubleprecision (binary64) functions from the C99 and C23 standards were designed with correctrounding. These first implementations compete well in efficiency with the GNU libc or the Intel math library, which are not correctly rounded.
 URL:
 Publication:

Contact:
Paul Zimmermann

Participant:
Paul Zimmermann
6.1.6 GNUMPFR

Keywords:
MultiplePrecision, Floatingpoint, Correct Rounding

Functional Description:
GNU MPFR is an efficient arbitraryprecision floatingpoint library with welldefined semantics (copying the good ideas from the IEEE 754 standard), in particular correct rounding in 5 rounding modes. It provides about 100 mathematical functions, in addition to utility functions (assignments, conversions...). Special data (Not a Number, infinities, signed zeros) are handled like in the IEEE 754 standard. GNU MPFR is based on the mpn and mpz layers of the GMP library.
 URL:
 Publications:

Contact:
Vincent Lefèvre

Participants:
Guillaume Hanrot, Paul Zimmermann, Philippe Théveny, Vincent Lefèvre
7 New results
7.1 Mathematical objects
7.1.1 The COREMATH project
Participants: Paul Zimmermann.
The aim of the COREMATH project is to provide ontheshelf opensource mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvmlibc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in 34.
The development of COREMATH forced us to revisit some classical algorithms, for example FastTwoSum in the context of directed rounding 37. In 2023, a full set of binary64 (doubleprecision) functions for the C99 and C23 standards was developed, with correctrounding, and efficiency close to that of the current mathematical libraries (GNU libc, Intel mathematical library, LLVM). In particular, efficient algorithms were designed and implemented for the power function 24. The long version of this article with full proofs is available 35, which enabled our colleagues Laurent Théry and Laurence Rideau (Inria SophiaAntipolis) to make a formal proof of the “fast path”.
7.1.2 Computing norms and characteristic polynomials on Drinfeld modules
Participants: Antoine Leudière.
Drinfeld modules are mathematical objects that lie at the intersection of number theory and computer science. They were introduced by Vladimir Drinfeld in 1974 to be the counterpart of elliptic curves in the setting of function fields. Drinfeld modules are now established as a standard tool for studying function fields.
We introduced new algorithms to compute characteristic polynomials of endomorphisms of Drinfeld modules, as well as norms of isogenies of Drinfeld modules 31. The former problem is a Drinfeld module equivalent to the problem of counting points on an elliptic curve; the latter is a generalization of the former. Works by Musleh and Schost already computed characteristic polynomials in a very specific case 45. Thanks to a new approach, our algorithms work in full generality and rely on simple linear algebra techniques. To our knowledge, it is also the first time that the problem of computing norms of isogenies is addressed.
We stress that in 2023, Schost and Musleh published an article in which they also compute characteristic polynomials of Drinfeld module endomorphisms 44. Their method, providing valuable insights, works for all endomorphisms and ranks. We provided a thorough comparison of the articles, and show that in many regimes, our algorithms are the fastest.
7.1.3 Drinfeld modules in SageMath
Participants: Antoine Leudière.
In April 2022, we began the firstever implementation of Drinfeld modules to be included in the standard distribution of SageMath. Our contribution was merged in March 2023 and made available with version 10.0. The implementation is thoroughly integrated within the SageMath ecosystem and includes all basic operations on Drinfeld modules and their morphisms, as well as implementations of the algorithms mentioned in the previous point. A software presentation of our work was accepted at the 2023 International Symposium on Symbolic and Algebraic Computation (ISSAC) 15.
7.1.4 Dimension results for sparse polynomial systems
Participants: PierreJean Spaenlehauer.
Polynomial systems arising in applications (for instance in cryptography) often feature monomial structures. Therefore, it is an important question to investigate how these structures can be used to speed up solving algorithms. This is the main topic of the collaboration between PierreJean Spaenlehauer and Matías Bender (EPI TROPICAL). Toric varieties built from polyhedral fans provide a way to homogenize such sparse structures. In 29, we study in which cases such homogenizations may introduce generically highdimensional artefacts that may harm the efficiency of the computations.
7.1.5 Search for worst cases
Participants: Paul Zimmermann.
To design correctlyrounded functions as in the COREMATH project, it is of utmost importance to know the “worst cases” of mathematical functions, i.e., inputs $x$ such that $f\left(x\right)$ has many zeros or ones after the round bit. Worst cases have been computed for the new C99 or C23 functions that have been developed in 2023. These worst cases are available from the COREMATH git repository, so that they can be used to check correctrounding of other mathematical libraries.
7.2 Secretkey cryptology
7.2.1 On boomerang attacks on quadratic Feistel ciphers: new results on KATAN and Simon
Participants: Xavier Bonnetain, Virginie Lallemand.
This article 16 studies the application of the cryptanalysis technique called the boomerang attack to ciphers following a Feistel construction and having a quadratic round function. We prove that many previously published papers give erroneous approximations of the probability of the distinguishers they use (most of the time it invalidates the attacks while in a few cases they are better than expected). We next propose a new SMT model that takes into account our findings and we are able to propose a 19round distinguisher of the cipher Simon32/64 that we convert into a 25round attack, which to the best of our knowledge reaches one more round than previously published results.
7.2.2 Flatness and structural analysis for the design of stream ciphers involving hybrid automata
Participants: Hamid Boukerrou, Marine Minier.
In 17, we deal with hybrid dynamical systems in the context of cybersecurity and Cyber–Physical Systems. It is shown how the design of a cipher, called selfsynchronizing stream cipher, can be recast as controltheoretic issues, in particular left inversion, flatness and structural analysis. From an automatic control point of view, the main contribution lies in a methodology to construct generic flat LPV systems. Beyond pure control theoretic matters, the design also addresses computational complexity and security concerns. Those considerations motivate a hybrid architecture involving switched automata. A ProofOfConcept example illustrates the design of a statistical selfsynchronizing stream cipher and the way how it operates to encrypt data flows. Those results and all the ones with the CRAN laboratory are also summarized in 26.
7.2.3 Finding many collisions via reusable quantum walks
Participants: Xavier Bonnetain.
This article 19 proposes an improved quantum algorithm to find multiple collisions. This new algorithm matches the lower bound for a large range of parameters. It has many direct cryptographic implications, such as impossible differentials in symmetric cryptography, or lattice sieving. In particular, thanks to our algorithm we obtain the most efficient generic heuristic algorithm for lattice reduction. It is a sieving algorithm with complexity ${2}^{0.2563d+o\left(d\right)}$, with $d$ the dimension of the lattice.
7.3 Publickey cryptology
7.3.1 Individual discrete logarithm with sublattice reduction
Participants: Haetham Al Aswad, Cécile Pierrot.
The work 14 deals with the splitting step in the number field sieve for finite fields of composite extension degree. The splitting step consists in finding an element $R$ with a smooth norm and such that the logarithm of the target $T$ can be easily deduced from the logarithm of $R$. The current state of the art takes advantage of latticereduction algorithms, such as LLL and BKZ in order to find such an element $R$. In this work, the authors explore the use of sublattices of the lattices usually used and perform experiments to validate this idea. Moreover, the authors give an asymptotic analysis of the individual logarithm step in NFS when LLL or BKZ are used as latticereduction in this new algorithm. This work is published in the journal Designs, Codes and Cryptography.
7.3.2 Discrete logarithm factory
Participants: Haetham Al Aswad, Cécile Pierrot, Emmanuel Thomé.
In 28 we generalize Coppersmith's factory's algorithm to compute discrete logarithms in several nonprime finite fields. The Number Field Sieve and its variants are the best algorithms to solve the discrete logarithm problem in finite fields (except for the weak small characteristic case). The Factory variant accelerates the computation when several prime fields are targeted. This article adapts the Factory variant to nonprime finite fields of medium and large characteristic. This idea is combined with two other variants of NFS, namely the tower and special variants. This combination improves the asymptotic complexity. Besides, this work provides estimates of the practicality of this method for 1024bit targets of extension degree 6: our findings indicate that the factory approach begins to pay off when the cryptanalysis target consists of a few dozen of such finite fields.
7.3.3 Discrete logarithm with Tower NFS
Participants: Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot.
The long version 18 of a previous work published in Asiacrypt 2021 has been published in the Journal of Cryptology. This describes the use of lattice techniques to implement the Tower NFS technique efficiently for discrete logarithm computations in finite fields in the socalled medium characteristic range. This long version includes in particular a new algorithm for making use of automorphisms in the linear algebra phase, by choosing appropriate Schirokauer maps.
7.3.4 An algebraic point of view on the generation of pairingfriendly curves
Participants: Aurore Guillevic.
The paper 33 with Jean Gasnier from the CANARI Team (Bordeaux) is the achievement of Jean Gasnier's Masters internship in 2022 coadvised in Bordeaux by JeanMarc Couveignes and remotely from Denmark by Aurore Guillevic. It aims to generalize The Kachisa–Schaefer–Scott technique to find more pairingfriendly curves. The method allowed to obtain new curves for interesting embedding degrees, such as $k=20$. It also closed some deadends in the quest of finding primeorder pairingfriendly curves (only three constructions are known, the latest discovery being in 2005). It comes with two implementations, one written by Jean Gasnier to find curve families (see the CANARI team report and Subfield Method Gitlab Project), the other one to implement pairings on the new curves, see Pairings on Gasnier–Guillevic Curves Gitlab Project. The results were presented at the SIAMAG conference and the paper is under review.
7.4 Implications in computer security and the real world
7.4.1 Coercion resistance in evoting
Participants: Pierrick Gaudry, Quentin Yang.
In 22, we show that the JCJ evoting protocol that is the basis of many coercionresistant systems is flawed, in the sense that the tally phase leaks more information than it should. In some specific scenarios, this can give an advantage to a coercer. Therefore, we propose a new version of JCJ, CHide, which relies on the multiparty toolbox that we designed earlier in the context of tallyhiding 41. We also refine the existing formal definitions of coercionresistance, in order to highlight the flaw, and prove that CHide fixes the problem.
In another work related to coercion resistance 23, in collaboration with Université Catholique de Louvain, we explore the relations between the notions of coercion resistance, receipt freeness, and cast as intended. We show some impossibility results and propose adapting the security notions, to make possible some of the combinations of these properties.
7.4.2 Castasintended in evoting
Participants: Pierrick Gaudry, Stéphane Glondu.
The castasintended property in evoting means that the system remains secure, even if the device used by the voter is compromised: if malware is present on the voter's computer, the voter should still have the guarantee that the encrypted ballot that is sent to the server contains their intended choice. In 20 we propose a new approach for this question, based on an audit procedure made by the voter, that does not leak their choice, and will detect a fraudulent device, with a probability of at least onehalf. An attacker who would like to change many votes is likely to be detected.
7.4.3 Historical cryptology
Participants: Pierrick Gaudry, Cécile Pierrot, Paul Zimmermann.
An unknown and almost fully encrypted letter written in 1547 by Emperor Charles V to his ambassador at the French Court, Jean de SaintMauris, was identified in a public library, the Bibliothèque Stanislas (Nancy, France). As no decryption of this letter was previously published or even known, a team of cryptographers and historians gathered together to study the letter and its encryption system. First, multiple approaches and methods were tested in order to decipher the letter without any other specimen. Then, the letter has now been inserted within the whole correspondence between Charles and SaintMauris, and the key has been consolidated thanks to previous key reconstructions. Finally, the decryption effort enabled us to uncover the content of the letter and investigate more deeply both cryptanalysis challenges and encryption methods 25. This is joint work with Camille Desenclos (University of Picardie).
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
8.1.1 Consulting with Swiss Post
Participants: Pierrick Gaudry.
Together with the PESTO team, we have a longterm consulting activity with Swiss Post on the evoting topic. In 2023 we started a new contract to help them design the next generation of their evoting protocol.
8.1.2 Verifiability during the French legislative elections
Participants: Pierrick Gaudry, Stéphane Glondu.
Together with the PESTO team, we had a contract with the French Ministry of Foreign Affairs (MEAE), in the context of the legislative elections, for which the French citizens from abroad had the possibility to vote over the Internet. We played the role of external thirdparty, as required by the CNIL recommendations for such highstake elections. While the contract was signed with the MEAE, it also involved interactions with the vendor of the solution (Voxaly), and the ANSSI who was the security advisor for the MEAE. In three districts, the 2022 elections were cancelled and therefore had to be done again in 2023.
This experiment of verifiability for a high stake election was documented and discussed in a research article that we published in the EVoteId conference 21.
8.2 Startup creation
8.2.1 Preparation of the VCast startup
Participants: Pierrick Gaudry, Stéphane Glondu.
In 2023, Stéphane Glondu joined the Inria Startup Studio program to prepare the creation of a society to exploit commercially the Belenios software. Michael Houalef, a person with a business background, joined the project. The society, called VCast, is to be launched in the first semester of 2024. Véronique Cortier (from PESTO) and Pierrick Gaudry, as cofounders of Belenios, were involved in the discussions concerning this creation.
9 Partnerships and cooperations
9.1 International research visitors
9.1.1 Visits of international scientists
Our team received several international visits in 2023 (at most a week in duration, and most often a day or two): Yixin Shen (Royal Holloway University of London), Katharina Boudgoust (Aarhus University), Keegan Ryan (University of California San Diego), Steven Galbraith (University of Auckland).
9.2 National initiatives
9.2.1 PEPR Quantique, project PQTLS
Participants: Xavier Bonnetain, PierreJean Spaenlehauer.
 Program: PEPR Quantique
 Project acronym: PQTLS
 Duration: 01/2022  12/2026
 Coordinator: Université de Rennes 1
 Other partners: Université de Limoges, Université de Rouen, Université de Bordeaux, Université de SaintQuentinen Yvelines, Université de SaintÉtienne, ENS de Lyon, Inria (GRACE, CARAMBA, COSMIQ, PROSECCO), CEA (Grenoble LETI), CNRS Labstic (Lorient).
Since 1996 and the discovery of Shor's algorithm, new quantum threats emerged against classical security protocols and cryptographic primitives. The objective of the PQTLS project is to design a quantumsafe version of the security layer of web protocols, via the integration of postquantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developing new techniques to compare existing primitives from the quantum viewpoint and at promoting arising solutions from academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of postquantum cryptography to its concrete implementations.
Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".
PierreJean Spaenlehauer is the local scientific coordinator for the CARAMBA team.
9.2.2 PEPR Cybersécurité, project CRYPTANALYSE
Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, Emmanuel Thomé.
 Program: PEPR Cybersécurité
 Duration: 10/2023  09/2028
 Coordinator: Inria
 Other partners: Inria (CARAMBA, COSMIQ, CANARI/LFANT, CAPSULE), CNRS (Loria, Irisa, LMV, IMB, LIP6, LJK), Université de Rennes, Université de Montpellier, Université de Picardie Jules Verne, Université de Versailles–SaintQuentin en Yvelines, Université de Bordeaux, Université Grenoble Alpes, Sorbonne Université.
Within the context of the national PEPR program “cybersecurité” (launched in 2021), a call for proposals was published in July 2023 to complement the set of topics with three new projects, among which one on the classical cryptanalysis of cryptographic primitives. We coordinated the nationwide answer to this call for proposals, submitted in September 2022, and the project was accepted on March 27, 2023. The project started on October 1, 2023.
Emmanuel Thomé and Gaëtan Leurent (Inria COSMIQ, Paris) lead the project. Several teams are involved. The project is divided into eight work packages, and the CARAMBA team is interested in most of them.
9.2.3 Projet ANR KLEPTOMANIAC
Participants: Pierrick Gaudry, Cécile Pierrot, PierreJean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.
 Program: ANR AAPG
 Project acronym: KLEPTOMANIAC
 Duration: 01/2022  12/2025
 Coordinator: Inria Nancy
 Other partners: ANSSI, LIP6
The RSA cryptosystem and the DiffieHellman key exchange protocol in finite fields were the first invented primitives of publickey cryptography.
It is hard to estimate the time and resources that are needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend that people either avoid RSA, or prefer large RSA key sizes for safety, above 2048 bits at least. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we do rely on cryptography that uses smaller key sizes.
We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA1024 and DH1024 as well as specific discrete logarithmrelated problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.
In 2023, the work on the “double matrix” subtask initiated in 2022 was continued, in collaboration with Charles Bouillaguet (Sorbonne University). This work is integrated into a branch of CadoNFS.
9.2.4 ANR Decrypt
Participants: Virginie Lallemand, Marine Minier.
 Program: ANR
 Project acronym: DECRYPT
 Duration: 01/2019  12/2023
 Coordinator: CARAMBA Team, LORIA
 Other partners: LIRIS (Lyon), LIMOS (ClermontFerrand), IRISA (Rennes), TASC (Nantes).
This project aimed to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.
One of the challenges of this project was to define global constraints dedicated to the case of symmetric cryptography.
Concerning constraint programming, this project defined new dedicated global constraints, improved the underlying filtering and solution search algorithms, and proposed dedicated explanations generated automatically. See the website for more information.
9.2.5 ANR OREO
Participants: Xavier Bonnetain, Sébastien Duval, Virginie Lallemand, Marine Minier.
 Program: ANR
 Project acronym: OREO
 Duration: 01/2023  12/2026
 Coordinator: Irisa (Rennes).
 Other partners: LORIA (Nancy), LMV (Versailles).
This ANR project focuses on the use of Mixed Integer Linear Programming (MILP) in symmetrickey cryptography, a direction that enjoyed rapid recognition in the symmetrickey community following the article by Mouha et al 43.
MILP models can be used both to design and attack ciphers, but the technique suffers from several limitations, some of which we plan to address in this project. In particular, we aim to explore how to handle more complex cryptographic problems than what is done so far (yet ensuring a reasonable solving time). This might imply finding how to improve the modelization techniques or considering different approaches like first solving approximated models.
9.2.6 Cooperation with ANSSI on evoting regulation
Participants: Pierrick Gaudry.
We participate in a working group led by ANSSI, the purpose of which is to help the governmental actors (CNIL, ANSSI) in defining the next documents regulating the use of electronic voting in France.
9.3 Regional initiatives
 Marine Minier is cosupervisor with Antoine Joux of the virtual cybersecurity center between CISPA and LORIA (20232026).
10 Dissemination
Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, PierreJean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
Member of the organizing committees
 Pierrick Gaudry, Paul Zimmermann and PierreJean Spaenlehauer organized the Rencontres de l’Arithmétique en Informatique Mathématique 2023 (RAIM 2023) at LORIA in Nancy. The RAIM is the main scientific event of the GTARITH of the CNRS GDRIM. Website: raim2023.loria.fr
 Aurore Guillevic organized a minisymposium on Elliptic curves and pairings in cryptography at the SIAMAG 2023 conference in Eindhoven, The Netherlands.
Member of the conference program committees
 Marine Minier was committee member of SPACE 2023, AfricaCrypt 2023, Indocrypt 2023, C2SI 2023.
 Aurore Guillevic was committee member of IMACC 2023, SAC 2023.
 Emmanuel Thomé was a program committee member of one of the workshops of the yearlong RTCA2023 series of workshops organized in Lyon and Paris in 2023.
 Xavier Bonnetain and Virginie Lallemand were committee members of ACNS 2023.
 Xavier Bonnetain and Pierrick Gaudry were committee members of Eurocrypt 2024.
 PierreJean Spaenlehauer is a member of the Scientific Committee of the Journées Nationales du Calcul Formel (JNCF), which is the main scientific event of the GTcalculformel of the CNRS GDRIM.
Member of the Conference Steering Committees
 Pierrick Gaudry is a member of the steering committee of the Elliptic Curve Cryptography (ECC) workshop.
10.1.2 Journal
Member of the editorial boards
 Xavier Bonnetain and Virginie Lallemand were members of the editorial board of IACR Transactions on Symmetric Cryptology (ToSC) Journal for 2023. This journal is the openaccess journal associated to the International Conference on Fast Software Encryption (FSE).
 Emmanuel Thomé is a member of the editorial board of the Journal of Algebra, dealing with the section on computational algebra.
Reviewer  reviewing activities
Members of the projectteam did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.
10.1.3 Invited talks
 PierreJean Spaenlehauer was invited to give a talk at the Workshop Geometry of Polynomial System Solving, Optimization and Topology at Institut Henri Poincaré, Paris. (Workshop M5 of RTCA2023.)
 Marine Minier was invited to Journées de la Fédération Charles Hermite at Nancy, December 2023.
 Marine Minier was invited to the Codes Sources Seminar, Paris, February 2023.
 Emmanuel Thomé was invited to give a talk at RTCA2023 (workshop M3) in Lyon.
 Pierrick Gaudry was invited to give a talk at the Digistrust workshop, Nancy, December 2023.
 Pierrick Gaudry was invited to give a talk at the workshop in honor of Véronique Cortier, Nancy, January 2023.
 Aurore Guillevic was invited to give a talk at the WRACH 2023 workshop at Roscoff, France.
 Virginie Lallemand was invited to give a talk for the FrenchAmerican Doctoral Exchange (FADex) program on cybersecurity.
 Cécile Pierrot was invited to give a talk at Ecole de Guerre, an event organised by l'Académie des Sciences.
10.1.4 Leadership within the scientific community
 Cécile Pierrot is a member of the steering committee of the French working group Code and Cryptography.
 Pierrick Gaudry is a member of the Conseil Scientifique of GdR IM.
10.1.5 Scientific expertise
 Marine Minier was a member of comité de sélection 61MCF1719, Université de Toulouse; comité de sélection 27MCF1634, Université de Lorraine; comité de sélection 27MCF0073, Université ClermontAuvergne.
 Since November 2023, Marine Minier is a nominated member of the CNU 27.
 Emmanuel Thomé was a member of the recruitment panel for Inria Chargé de recherche and Starting Faculty positions at Inria Paris.
 Aurore Guillevic was a member of the comité de sélection 26MCF161, Université Grenoble Alpes.
 Pierrick Gaudry was a member of the comité de sélection 27MCF1053, Université de Montpellier.
10.1.6 Research administration
 PierreJean Spaenlehauer is a member of the Commission de Développement Technologique (CDT) of the Centre Inria de l'Université de Lorraine. From December 2023, he is the head of the CDT.
 Aurore Guillevic was a member of the COMIPERS (commission du personnel).
 Marine Minier was adjoint director of the LORIA Lab until September 2023.
 Pierrick Gaudry is head of the Department 1 of LORIA, since June 2023.
 Pierrick Gaudry was a member of the Commission de Mention Informatique (CMI) of the École doctorale IAEM, and a member of the Comité des utilisateurs des moyens de calcul INRIA.
 Pierrick Gaudry and Marine Minier are members of the steering committee of the LHS – Laboratoire Haute Sécurité of LORIA.
 Xavier Bonnetain is the local coordinator of the Inria activity reports for the Inria Centre at Université de Lorraine (among them, this very document).
 Paul Zimmermann is member of the scientific committee of the EXPLOR computing center (Université de Lorraine).
 Cécile Pierrot is a member of the Bureau du Comité des Projets (BCP) at Inria Nancy.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
Marine Minier obtained an half Inria Delegation in 2023.
 Bachelor
 Sébastien Duval, Algorithmique et Programmation 2, 40h eq. TD, L1 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Algorithmique et Programmation 3, 26h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Mathématiques Discrètes 2, 16h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Introduction à la sécurité et à la cryptographie, 20h eq. TD, L3 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Introduction à la sécurité et à la cryptographie, 35h eq. TD, L3, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Master
 Sébastien Duval, Introduction à la cryptographie, 12h eq. TD, M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Sécurité des Systèmes d'Information, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Sébastien Duval, Sécurité des Applications Web, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Contrôle d'accès, 40h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier, Intégration Méthodologique, 36h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier Sécurité Informatique, 18h eq. TD, M2 droit IPIT, Université de Lorraine, France.
 Marine Minier Introduction à la cryptographie, 18h eq. TD, M1 Informatique, Université de Lorraine Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Marine Minier is head of the M2 SIRAV, Université de Lorraine, Faculté des sciences et technologies, VandœuvrelèsNancy, France.
 Engineering school
 Cécile Pierrot, Introduction to Cryptography, 57h eq. TD, Mastère spécialisé de cybersécurité, École des Mines de Nancy, France.
 Aurore Guillevic, Cryptographie avancée, 5A FISE IA2R (Master 2), 30h eq. TD, Université de Lorraine, Polytech Nancy, France.
 Xavier Bonnetain, Algorithmique et complexité, 50h eq. TD, 1ere année (L3), Université de Lorraine, École des Mines de Nancy, France.
10.2.2 Supervision
 Ph.D. completed: Quentin Yang, Résistance à la coercition en vote électronique : conception et analyse 27, defended in June 2023, Pierrick Gaudry and Véronique Cortier (PESTO team).
 Ph.D. completed: Hamid Boukerrou, Design of new finite state dynamical systems admitting a matrix representation: Application to cryptography 26, defended in April 2023, Marine Minier and Gilles Millerioux.
 Ph.D. in progress: Haetham Al Aswad, Number field sieve for discrete logarithm, since Oct. 2021, Cécile Pierrot and Emmanuel Thomé.
 Ph.D. in progress: Antoine Leudière, Isogenies of Drinfeld modules and postquantum cryptography, since Oct. 2021, PierreJean Spaenlehauer and Emmanuel Thomé.
 Ph.D. in progress: Ana Rodriguez Cordero, Design and Cryptanalysis of New Symmetric Key Cryptographic Primitives, since Oct. 2021, Virginie Lallemand and Marine Minier.
 Ph.D. in progress: Leo Louistisserand, Conception et analyse de protocoles de vote utilisés ou utilisables en pratique, since Oct. 2023, Pierrick Gaudry and Véronique Cortier (PESTO team).
 Ph.D. in progress: Marie Bolzer, Algorithmique et outils automatiques pour la construction et l'analyse de composants de cryptographie symétrique, since Oct. 2023, Sébastien Duval and Marine Minier.
 Ph.D. in progress: Medhi Kermaoui, Quantum cryptanalysis of publickey cryptosystems, since Oct. 2023, Xavier Bonnetain and Pierrick Gaudry.
 Ph.D. in progress: Julien Soumier, Algorithmic of Isogenies of Abelian Varieties and PostQuantum Cryptography, since Oct. 2023, PierreJean Spaenlehauer and Pierrick Gaudry.
10.2.3 Juries
 Marine Minier was President of the PhD Jury of Aina Toky Rasoamanana (June 2023, Institut Polytechnique de Paris); president of the PhD jury of Tristan Benoît (December 2023, Lorraine University).
 Marine Minier was reviewer of the HDR of Hélène Le Bouder (October 2023, Université de Rennes); reviewer of the PhD thesis of Nicolas David (November 2023, Sorbonne Université); reviewer of the PhD thesis of Pierre Galissant (Décember 2023, Université de VersaillesSaintQuentinenYvelines).
 Emmanuel Thomé was President of the HDR jury of Benjamin Smith (October 2023, Institut Polytechnique de Paris).
 Paul Zimmermann was reviewer of the PhD thesis of Mehdi El Arar (December 2023, Université ParisSaclay).
10.3 Popularization
The deciphering of the encrypted letter from Emperor Charles V (see §7.4.3) had a large media coverage, both in French and international media. To cite a few: the French television (France 2, France 3, BFM TV, Arte), the French radio (France Inter, Europe 1, France Info, France Culture), French newspapers (Le Monde, Le Point), an excellent video on Nota Bonus, some international media (The Guardian, Radio Canada, BBC, RTVE, The Scientist).
10.3.1 Internal or external Inria responsibilities
 Emmanuel Thomé was an elected member of the Inria Evaluation Committee until August 2023, and contributed to writing the summary of the fouryear term of the committee 30.
10.3.2 Education
 PierreJean Spaenlehauer and Paul Zimmermann participated in the MathEnJeans project. They supervised a group of teenagers from the Lycée Français Vauban du Luxembourg.
 Aurore Guillevic visited two classes at Saint Dié des Vosges and three at SaintLouis (HautRhin) for 1 scientifique 1 classe chiche.
 Aurore Guillevic participated to the Maths camp for high school female teenagers Cigognes in Ramonchamp, Vosges.
 Aurore Guillevic gave a talk at the MathsenJeans day in Nancy, May 2.
 Paul Zimmermann participated to the “Fête de la Science” in Bouxurulles, a small village 50 kilometers in the south of Nancy, where he presented the work on deciphering the letter from Emperor Charles V, and the new MATh.en.JEANS problem proposed for 20232024 (October 2023).
10.3.3 Interventions
 Pierrick Gaudry gave a talk at the Cycle de conférences Sciences et Société, on the topic of electronic voting, in January 2023, Polytech, Nancy.
 Lucas Villaume and Paul Zimmermann organized an animation on the encrypted letter from Emperor Charles V at the “Nuit européenne des chercheurs” (Metz, November 2023).
11 Scientific production
11.1 Major publications
 1 inproceedingsQuantum Linearization Attacks.ASIACRYPT 2021  27th Annual International Conference on the Theory and Application of Cryptology and Information Security13090Lecture Notes in Computer ScienceSingapore / Virtual, SingaporeSpringer International PublishingDecember 2021, 422452HALDOIback to text
 2 inproceedingsBeyond quadratic speedups in quantum attacks on symmetric schemes.Lecture Notes in Computer ScienceEUROCRYPT 2022  41st Annual International Conference on the Theory and Applications of Cryptographic TechniquesLNCS13277Advances in Cryptology – EUROCRYPT 2022Part IIITrondheim, NorwaySpringer International PublishingMay 2022, 315344HALDOIback to text
 3 inproceedingsComparing the difficulty of factorization and discrete logarithm: a 240digit experiment.Annual International Cryptology ConferenceAdvances in Cryptology – CRYPTO 202012171Lecture Notes in Computer ScienceSanta Barbara CA, United StatesSpringerAugust 2020, 6291HALDOIback to text
 4 articleThe State of the Art in Integer Factoring and Breaking PublicKey Cryptography.IEEE Security and Privacy Magazine202March 2022, 8086HALDOIback to text
 5 inbookBelenios: a simple private and verifiable electronic voting system.11565Foundations of Security, Protocols, and Equational Reasoning  Essays Dedicated to Catherine A. MeadowsLNCSSpringer2019, 214238HALDOIback to text
 6 bookLe vote électronique  les défis du secret et de la transparence.Odile JacobMay 2022HALback to textback to text
 7 articleFast integer multiplication using generalized Fermat primes.Mathematics of Computation883172019, 14491477HALDOIback to text
 8 inproceedingsFamilies of SNARKfriendly 2chains of elliptic curves.LNCSAdvances in Cryptology  EUROCRYPT 2022  41st Annual International Conference on the Theory and Applications of Cryptographic Techniques13276EUROCRYPT 2022Trondheim / Hybrid, NorwaySpringerMay 2022, 367396HALDOIback to text
 9 articleNontriangular selfsynchronizing stream ciphers.IEEE Transactions on Computers711January 2022, 134145HALDOIback to text
 10 inproceedingsA kilobit hidden SNFS discrete logarithm computation.Annual International Conference on the Theory and Applications of Cryptographic TechniquesAdvances in Cryptology – EUROCRYPT 201710210Lecture Notes in Computer ScienceParis, FranceSpringer2017, 202231HALDOIback to text
 11 articleAutomatic Search of Rectangle Attacks on Feistel Ciphers: Application to WARP.IACR Transactions on Symmetric Cryptology20222June 2022, 113140HALDOIback to text
 12 articleLattice Enumeration and Automorphisms for Tower NFS: a 521bit Discrete Logarithm Computation.Journal of Cryptology2023HALDOIback to text
 13 inproceedingsThe COREMATH Project.ARITH 2022  29th IEEE Symposium on Computer Arithmeticvirtual, FranceSeptember 2022HALback to text
11.2 Publications of the year
International journals
 14 articleIndividual Discrete Logarithm with Sublattice Reduction.Designs, Codes and Cryptography9112September 2023, 40594091HALDOIback to text
 15 articleDrinfeld modules in SageMath.ACM Communications in Computer Algebra572June 2023, 6571HALDOIback to text
 16 articleOn Boomerang Attacks on Quadratic Feistel Ciphers: New results on KATAN and Simon.IACR Transactions on Symmetric Cryptology20233September 2023, 101145HALDOIback to textback to text
 17 articleFlatness and structural analysis for the design of stream ciphers involving hybrid automata.Nonlinear Analysis: Hybrid Systems52May 2024, 101443HALDOIback to text
 18 articleLattice Enumeration and Automorphisms for Tower NFS: a 521bit Discrete Logarithm Computation.Journal of Cryptology2023HALDOIback to text
International peerreviewed conferences
 19 inproceedingsFinding many Collisions via Reusable Quantum Walks: Application to Lattice Sieving.Lecture Notes in Computer ScienceEUROCRYPT 2023  International Conference on the Theory and Applications of Cryptographic Techniques14008Lecture Notes in Computer ScienceLyon, FranceSpringer Nature SwitzerlandApril 2023, 221251HALDOIback to text
 20 inproceedingsBelenios with cast as intended.Voting 2023  8th Workshop on Advances in Secure Electronic VotingBol, Brač, CroatiaMay 2023HALback to text
 21 inproceedingsFrench 2022 legislatives elections: a verifiability experiment.Proceedings EVoteId 2023The EVoteID Conference 2023Luxembourg City, LuxembourgOctober 2023HALback to text
 22 inproceedings Is the JCJ voting system really coercionresistant? 37th IEEE Computer Security Foundations Symposium (CSF) CSF 2024 Enschede, Netherlands IEEE 2024 HAL back to text
 23 inproceedings Can we cast a ballot as intended and be receipt free? IEEE Symposium on Security and Privacy 2024 San Francisco, United States May 2024 HAL back to text
 24 inproceedingsTowards a correctlyrounded and fast power function in binary64 arithmetic.2023 IEEE 30th Symposium on Computer Arithmetic (ARITH 2023)2023 IEEE 30th Symposium on Computer Arithmetic (ARITH)Portland, Oregon (USA), United States2023HALback to text
 25 inproceedingsDeciphering Charles Quint (A diplomatic letter from 1547).Linköping Electronic Conference Proceedings6th International Conference on Historical Cryptology, HistoCrypt195Munich, GermanyJune 2023, 148158HALDOIback to text
Doctoral dissertations and habilitation theses
 26 thesisDesign of new finite state dynamical systems admitting a matrix representation : Application to cryptography.Université de LorraineApril 2023HALback to textback to text
 27 thesisRésistance à la coercition en vote électronique : conception et analyse.Université de LorraineJune 2023HALback to text
Reports & preprints
 28 miscDiscrete Logarithm Factory.October 2023HALback to text
 29 miscDimension results for extremalgeneric polynomial systems over complete toric varieties.May 2023HALback to textback to text
 30 reportBilan de la mandature 20192023 de la Commission d'Évaluation Inria.InriaAugust 2023HALback to text
 31 miscAlgorithms for computing norms and characteristic polynomials on general Drinfeld modules.December 2023HALback to text
 32 miscQuantum Security of the UMTSAKA Protocol and its Primitives, Milenage and TUAK.December 2023HAL
 33 miscAn Algebraic Point of View on the Generation of PairingFriendly Curves.September 2023HALback to text
 34 miscAccuracy of Mathematical Functions in Single, Double, Extended Double and Quadruple Precision.September 2023HALback to text
 35 miscTowards a correctlyrounded and fast power function in binary64 arithmetic.July 2023HALback to textback to text
 36 miscBlock Cipher Doubling for a PostQuantum World.December 2023HAL
 37 miscNote on FastTwoSum with Directed Roundings.September 2023HALback to text
11.3 Other
Patents
 38 patentSecure method for data exchange between a terminal and a server.US Patent App. 17/777,906FranceJanuary 2023HAL
Softwares
 39 softwareGNU MPFR.4.2.0January 2023 lic: GNU General Public License.HALSoftware HeritageVCS
11.4 Cited publications
 40 inproceedingsImperfect Forward Secrecy: How DiffieHellman fails in practice.CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityDenver, Colorado, United StatesACMOctober 2015, 517HALDOIback to text
 41 inproceedingsA toolbox for verifiable tallyhiding evoting systems.ESORICS 2022  27th European Symposium on Research in Computer SecurityCopenhague, DenmarkSeptember 2022HALback to text
 42 inproceedingsFactorization of a 768bit RSA modulus.CRYPTO 20106223Lecture Notes in Comput. Sci.ProceedingsSpringerVerlag2010, 333350back to text
 43 inproceedingsDifferential and Linear Cryptanalysis Using MixedInteger Linear Programming.Information Security and Cryptology  7th International Conference, Inscrypt 2011, Beijing, China, November 30  December 3, 2011. Revised Selected Papers7537Lecture Notes in Computer ScienceSpringer2011, 5776URL: https://doi.org/10.1007/9783642347047_5DOIback to text
 44 inproceedingsComputing the Characteristic Polynomial of Endomorphisms of a finite Drinfeld Module using Crystalline Cohomology.Proceedings of the 2023 International Symposium on Symbolic and Algebraic ComputationISSAC '23New York, NY, USAAssociation for Computing MachineryJuly 2023, 461469URL: https://doi.org/10.1145/3597066.3597080DOIback to text
 45 articleComputing the Characteristic Polynomial of a Finite Rank Two Drinfeld Module.July 2019, 307314URL: https://dl.acm.org/doi/10.1145/3326229.3326256DOIback to text
 46 miscTransitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.First revision2011DOIback to text
 47 miscCADONFS, An Implementation of the Number Field Sieve Algorithm.Release 2.3.02017, URL: https://hal.inria.fr/hal02099620back to text
 48 miscRéférentiel général de sécurité, annexe B1.Version 2.042021, URL: https://www.ssi.gouv.fr/uploads/2021/03/anssiguidemecanismes_crypto2.04.pdfback to text