2023 Activity report: Project-Team GRACE
RNSR: 201221041Y
Research center: Inria Saclay Centre at Institut Polytechnique de Paris
 In partnership with: CNRS, Institut Polytechnique de Paris
 Team name: Geometry, arithmetic, algorithms, codes and encryption
 In collaboration with: Laboratoire d'informatique de l'École polytechnique (LIX)
 Domain: Algorithmics, Programming, Software and Architecture
 Theme: Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
 A2.3.1. Embedded systems
 A4.2. Correcting codes
 A4.3.1. Public key cryptography
 A4.3.3. Cryptographic protocols
 A4.4. Security of equipment and software
 A4.6. Authentication
 A4.8. Privacy-enhancing technologies
 A4.9. Security supervision
 A7.1. Algorithms
 A8.1. Discrete mathematics, combinatorics
 A8.4. Computer Algebra
 A8.5. Number theory
Other Research Topics and Application Domains
 B5.11. Quantum systems
 B6.4. Internet of things
 B6.6. Embedded systems
 B9.5.1. Computer science
 B9.5.2. Mathematics
 B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
 Alain Couvreur [Team leader, INRIA, Senior Researcher, HDR]
 Daniel Augot [INRIA, Senior Researcher, HDR]
 Thomas Debris [INRIA, Researcher]
 Benjamin Smith [INRIA, Researcher, HDR]
Faculty Members
 Olivier Blazy [LIX, Professor, HDR]
 Françoise Levy-dit-Vehel [ENSTA, Professor, HDR]
 François Morain [Ecole Polytechnique, Professor, HDR]
Post-Doctoral Fellows
 Matthieu Lequesne [INRIA, Post-Doctoral Fellow, until Nov 2023]
 Rakhi Pratihar [INRIA, Post-Doctoral Fellow, from May 2023]
 Bruno Sydney Sterner [INRIA, Post-Doctoral Fellow, from Oct 2023]
 Natkamon Tovanich [LIX, Post-Doctoral Fellow]
PhD Students
 Maxime Anvari [Ministère Armées]
 Nadja Aoutouf [INRIA, from Sep 2023]
 Anaïs Barthoulot [ORANGE, until Sep 2023]
 Maxime Bombar [LIX, until Aug 2023]
 Sana Boussam [THALES, CIFRE, from Mar 2023]
 Hugo Delavenne [LIX, from Sep 2023]
 Clément Ducros [UNIV PARIS]
 Shane Gibbons [CWI, from Mar 2023 until Apr 2023, Visitor]
 Anaelle Le Devehat [INRIA]
 Pierre Loisel [INRIA, from Sep 2023]
 Angelo Saadeh [TELECOM PARIS]
 Eric Sageloli [THALES, from Sep 2023]
 Nihan Tanısalı [INRIA, from Oct 2023]
Technical Staff
 Bruno Sydney Sterner [INRIA, Engineer, from Jul 2023 until Sep 2023]
Interns and Apprentices
 Pierre Loisel [INRIA, Intern, from Apr 2023 until Aug 2023]
 Elie Raspaud [INRIA, Intern, from Apr 2023 until Sep 2023]
Administrative Assistant
 Mariana De Almeida [INRIA, from Mar 2023]
External Collaborators
 Philippe Lebacque [UNIV FRANCHE-COMTE]
 Tanguy Medevielle [UNIV RENNES I, from Dec 2023]
 Matthieu Rambaud [MINESPARISTECH, until Sep 2023]
 Guenael Renault [SGDSN]
2 Overall objectives
2.1 Scientific foundations
Grace combines expertise and deep knowledge in algorithmic number theory and algebraic geometry to build and analyse (public-key) cryptosystems and to design new error-correcting codes, with real-world concerns such as cybersecurity and blockchains (software and hardware implementations, secure implementations in constrained environments, countermeasures against side-channel attacks, white-box cryptography).
The foundations of Grace therefore lie in algorithmic number theory (fundamental algorithms: primality, factorization), number fields, the arithmetic geometry of curves, algebraic geometry and the theory of algebraic codes.
Arithmetic Geometry is the meeting point of algebraic geometry and number theory: the study of geometric objects defined over arithmetic number systems. In our case, the most important objects are curves and their Jacobians over finite fields; these are fundamental to our applications in both coding theory and cryptology. Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems, of which Diffie–Hellman key exchange is an instructive example.
Coding Theory originated with the idea of using redundancy in messages to protect them against noise and errors. While the last decade of the 20th century saw the success of so-called iterative decoding methods, we now see many new ideas in the realm of algebraic coding, the foremost examples being list decoding and (zero-knowledge or not) proofs of computation.
Part of the team's activity is oriented towards post-quantum cryptography, either based on elliptic curves (isogenies) or code-based. The team also studies cryptography relevant to blockchains.
The group is strongly invested in cybersecurity: software security, secure hardware implementations, privacy, etc.
3 Research program
3.1 Algorithmic Number Theory
Participants: François Morain, Benjamin Smith, Antonin Leroux, Guénaël Renault.
Algorithmic Number Theory is concerned with replacing special cases with general algorithms to solve problems in number theory. In the Grace project, it appears in three main threads:
 fundamental algorithms for integers and polynomials (including primality and factorization);
 algorithms for finite fields (including discrete logarithms);
 algorithms for algebraic curves.
Clearly, we use computer algebra in many ways. Research in cryptology has motivated a renewed interest in Algorithmic Number Theory in recent decades, but the fundamental problems still exist per se. Indeed, while the application of algorithmic number theory to cryptanalysis is epitomized by the use of factorization to break RSA public keys, many other problems are relevant to various areas of computer science. Roughly speaking, the problems of the cryptological world are of bounded size, whereas Algorithmic Number Theory is also concerned with asymptotic results.
3.2 Arithmetic Geometry: Curves and their Jacobians
Participants: François Morain, Benjamin Smith, Antonin Leroux.
Theme: Arithmetic Geometry: Curves and their Jacobians
Arithmetic Geometry is the meeting point of algebraic geometry and number theory: that is, the study of geometric objects defined over arithmetic number systems (such as the integers and finite fields). The fundamental objects for our applications in both coding theory and cryptology are curves and their Jacobians over finite fields.
An algebraic plane curve $\mathcal{X}$ over a field $\mathbf{K}$ is defined by an equation
(Not every curve is planar: we may have more variables and more defining equations. From an algorithmic point of view, however, we can always reduce to the plane setting.) The genus ${g}_{\mathcal{X}}$ of $\mathcal{X}$ is a nonnegative integer classifying the essential geometric complexity of $\mathcal{X}$; it depends on the degree of ${F}_{\mathcal{X}}$ and on the number of singularities of $\mathcal{X}$. The curve $\mathcal{X}$ is associated in a functorial way with an algebraic group ${J}_{\mathcal{X}}$, called the Jacobian of $\mathcal{X}$. The group ${J}_{\mathcal{X}}$ has a geometric structure: its elements correspond to points on a ${g}_{\mathcal{X}}$-dimensional projective algebraic group variety. Typically, we do not compute with the equations defining this projective variety: there are too many of them, in too many variables, for this to be convenient. Instead, we use fast algorithms based on the representation in terms of classes of formal sums of points on $\mathcal{X}$.
The simplest curves with nontrivial Jacobians are curves of genus 1, known as elliptic curves; they are typically defined by equations of the form ${y}^{2}={x}^{3}+Ax+B$. Elliptic curves are particularly important given their central role in public-key cryptography over the past two decades. Curves of higher genus are important in both cryptography and coding theory.
3.3 Curve-Based cryptology
Participants: Gustavo Banegas, François Morain, Benjamin Smith, Anaelle Le Devehat, Antonin Leroux.
Theme: Curve-Based Cryptology
Jacobians of curves are excellent candidates for cryptographic groups when constructing efficient instances of public-key cryptosystems. Diffie–Hellman key exchange is an instructive example.
Suppose Alice and Bob want to establish a secure communication channel. Essentially, this means establishing a common secret key, which they will then use for encryption and decryption. Some decades ago, they would have exchanged this key in person, or through some trusted intermediary; in the modern, networked world, this is typically impossible, and in any case completely unscalable. Alice and Bob may be anonymous parties who want to do e-business, for example, in which case they cannot securely meet, and they have no way to be sure of each other's identities. Diffie–Hellman key exchange solves this problem. First, Alice and Bob publicly agree on a cryptographic group $G$ with a generator $P$ (of order $N$); then Alice secretly chooses an integer $a$ from $[1..N]$, and sends $aP$ to Bob. In the meantime, Bob secretly chooses an integer $b$ from $[1..N]$, and sends $bP$ to Alice. Alice then computes $a\left(bP\right)$, while Bob computes $b\left(aP\right)$; both have now computed $abP$, which becomes their shared secret key. The security of this key depends on the difficulty of computing $abP$ given $P$, $aP$, and $bP$; this is the Computational Diffie–Hellman Problem (CDHP). In practice, the CDHP corresponds to the Discrete Logarithm Problem (DLP), which is to determine $a$ given $P$ and $aP$.
This simple protocol has been in use, with only minor modifications, since the 1970s. The challenge is to create examples of groups $G$ with a relatively compact representation and an efficiently computable group law, and such that the DLP in $G$ is hard (ideally approaching the exponential difficulty of the DLP in an abstract group). The Pohlig–Hellman reduction shows that the DLP in $G$ is essentially only as hard as the DLP in its largest prime-order subgroup. We therefore look for compact and efficient groups of prime order.
The classic example of a group suitable for the Diffie–Hellman protocol is the multiplicative group of a finite field ${\mathbf{F}}_{q}$. There are two problems that render its usage somewhat less than ideal. First, it has too much structure: we have a subexponential Index Calculus attack on the DLP in this group, so while it is very hard, the DLP falls a long way short of the exponential difficulty of the DLP in an abstract group. Second, there is only one such group for each $q$: its subgroup lattice depends only on the factorization of $q-1$, and requiring $q-1$ to have a large prime factor eliminates many convenient choices of $q$.
This is where Jacobians of algebraic curves come into their own. First, elliptic curves and Jacobians of genus 2 curves do not have a subexponential index calculus algorithm: in particular, from the point of view of the DLP, a generic elliptic curve is currently as strong as a generic group of the same size. Second, they provide some diversity: we have many degrees of freedom in choosing curves over a fixed ${\mathbf{F}}_{q}$, with a consequent diversity of possible cryptographic group orders. Furthermore, an attack which leaves one curve vulnerable may not necessarily apply to other curves. Third, viewing a Jacobian as a geometric object rather than a pure group allows us to take advantage of a number of special features of Jacobians. These features include efficiently computable pairings, geometric transformations for optimised group laws, and the availability of efficiently computable non-integer endomorphisms for accelerated encryption and decryption.
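The Diffie–Hellman exchange and the Pohlig–Hellman reduction described above can be followed on a toy elliptic curve. The sketch below is an added example, not code from the team or from the original report; the prime 1019, the curve $y^2 = x^3 + 1$ and the secrets 777 and 345 are constructed values, far too small for real use. The group order is $1020 = 2^2 \cdot 3 \cdot 5 \cdot 17$, so the discrete logarithm is recovered with exhaustive searches in subgroups of order at most 17, which is why deployed groups are chosen with prime order.

```python
"""Toy elliptic-curve Diffie-Hellman plus the Pohlig-Hellman reduction.
All parameters are constructed for illustration and far too small for real use."""

P_MOD = 1019   # small prime, chosen with P_MOD % 3 == 2 and P_MOD % 4 == 3
A, B = 0, 1    # y^2 = x^3 + A*x + B; supersingular here, so #E = P_MOD + 1

def add(P, Q):
    """Group law in affine coordinates; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)

def mul(k, P):
    """Double-and-add scalar multiplication kP for k >= 0."""
    R = None
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def factor(n):
    """Trial-division factorisation as {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def rhs(x):
    return (x * x * x + A * x + B) % P_MOD

def curve_order():
    """Count points by brute force: infinity plus the solutions y for each x."""
    n = 1
    for x in range(P_MOD):
        r = rhs(x)
        if r == 0:
            n += 1
        elif pow(r, (P_MOD - 1) // 2, P_MOD) == 1:   # r is a nonzero square
            n += 2
    return n

def base_point():
    """Return (G, N): the first point whose order N equals the curve order."""
    n = curve_order()
    for x in range(P_MOD):
        r = rhs(x)
        y = pow(r, (P_MOD + 1) // 4, P_MOD)   # square root, valid as P_MOD % 4 == 3
        if y * y % P_MOD != r:
            continue
        G = (x, y)
        if all(mul(n // q, G) is not None for q in factor(n)):
            return G, n
    raise ValueError("curve group is not cyclic")

def small_dlog(gamma, H, q):
    """Exhaustive search for d in [0, q) with d*gamma == H (q a small prime)."""
    T = None
    for d in range(q):
        if T == H:
            return d
        T = add(T, gamma)
    raise ValueError("H is not a multiple of gamma")

def pohlig_hellman(G, n, Q):
    """Recover x with Q = xG (G of order n) using only prime-order subgroups."""
    x, modulus = 0, 1
    for q, e in factor(n).items():
        qe = q ** e
        G1, Q1 = mul(n // qe, G), mul(n // qe, Q)   # project to the subgroup of order q^e
        gamma = mul(qe // q, G1)                    # generator of the subgroup of order q
        xq = 0
        for k in range(e):                          # x mod q^e, one base-q digit at a time
            H = mul(q ** (e - 1 - k), add(Q1, neg(mul(xq, G1))))
            xq += small_dlog(gamma, H, q) * q ** k
        t = (xq - x) * pow(modulus, -1, qe) % qe    # CRT: merge x mod modulus with xq mod q^e
        x, modulus = x + modulus * t, modulus * qe
    return x

def demo(a=777, b=345):
    """Run the exchange, then solve the DLP from the public values alone."""
    G, n = base_point()
    pub_a, pub_b = mul(a, G), mul(b, G)             # aP and bP, sent in the clear
    shared_a, shared_b = mul(a, pub_b), mul(b, pub_a)
    recovered = pohlig_hellman(G, n, pub_a)         # uses only G, n and aP
    return n, factor(n), shared_a == shared_b, recovered

if __name__ == "__main__":
    print(demo())
```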
3.4 Algebraic Coding Theory
Participants: Daniel Augot, Alain Couvreur, Françoise Levy-dit-Vehel, Maxime Roméas, Sarah Bordage, Maxime Bombar, Clément Ducros.
Theme: Coding theory
Coding Theory originated with the idea of using redundancy in messages to protect against noise and errors. The last decade of the 20th century saw the success of so-called iterative decoding methods, which enable us to get very close to the Shannon capacity. The capacity of a given channel is the best achievable transmission rate for reliable transmission. The consensus in the community is that this capacity is more easily reached with these iterative and probabilistic methods than with algebraic codes (such as Reed–Solomon codes).
However, algebraic coding is useful in settings other than the Shannon context. Indeed, the Shannon setting is a random case setting, and promises only a vanishing error probability. In contrast, the algebraic Hamming approach is a worst case approach: under combinatorial restrictions on the noise, the noise can be adversarial, with strictly zero errors.
These considerations are renewed by the topic of list decoding after the breakthrough of Guruswami and Sudan at the end of the nineties. List decoding relaxes the uniqueness requirement of decoding, allowing a small list of candidates to be returned instead of a single codeword. List decoding can reach a capacity close to the Shannon capacity, with zero failure, with small lists, in the adversarial case. The method of Guruswami and Sudan enabled list decoding of most of the main algebraic codes: Reed–Solomon codes and Algebraic–Geometry (AG) codes and new related constructions “capacity-achieving list decodable codes”. These results open the way to applications against adversarial channels, which correspond to worst case settings in the classical computer science language.
Another avenue of our studies is AG codes over various geometric objects. Although Reed–Solomon codes are the best possible codes for a given alphabet, they are very limited in their length, which cannot exceed the size of the alphabet. AG codes circumvent this limitation, using the theory of algebraic curves over finite fields to construct long codes over a fixed alphabet. The striking result of Tsfasman–Vladut–Zink showed that codes better than random codes can be built this way, for medium to large alphabets. Disregarding the asymptotic aspects and considering only finite length, AG codes can be used either for longer codes with the same alphabet, or for codes with the same length with a smaller alphabet (and thus faster underlying arithmetic).
From a broader point of view, wherever Reed–Solomon codes are used, we can substitute AG codes with some benefits: either beating random constructions, or beating Reed–Solomon codes which are of bounded length for a given alphabet.
Another area of Algebraic Coding Theory with which we have more recently been concerned is that of Locally Decodable Codes. First introduced as a theoretical notion, these codes are now beginning to find practical applications, most notably in cloud-based remote storage systems.
3.5 Post-quantum cryptography
Participants: Gustavo Banegas, Maxime Bombar, Alain Couvreur, Thomas Debris-Alazard, Anaelle Le Devehat, Antonin Leroux, Benjamin Smith, O. Blazy.
Theme: Cryptography
A huge amount of work is being put into developing an efficient quantum computer. But even if the advent of such a computer may wait for decades, it is urgent to deploy post-quantum cryptography (PQC), i.e. solutions for our current devices that are quantum-safe. Indeed, an attacker could store encrypted sessions and wait until a quantum computer is available to decrypt them. In this context the National Institute of Standards and Technology (NIST) launched in 2017 (see this website) a call for standardizing public-key PQC schemes (key exchanges and signatures). Among the mathematical objects used to design post-quantum primitives, one finds error-correcting codes, Euclidean lattices and isogenies. Furthermore, in order to increase the diversity of the future standardized post-quantum cryptosystems, NIST launched in 2023 (see this website) a second call for standardization.
We are currently in the final step of the NIST standardization, and most of the selected solutions are based on codes and lattices. These preliminary results tend to show that codes and lattices will in the near future be the foundation of our digital security. Although isogenies are less represented, they remain of deep interest since they appear to be the post-quantum solution providing the smallest key sizes. The purpose of our research program is to advance these solutions for post-quantum security, in order to improve their efficiency and diversity and to increase our trust in these proposals.
3.6 Proofs of Computation
Participants: Daniel Augot, Sarah Bordage, Youssef El Housni, François Morain.
Proofs of computation are cryptographic protocols which allow a prover to convince a verifier that a statement or an output of a computation is correct. The prover is untrusted in the sense that it may try to convince the verifier that a false statement is true. On the other hand the prover is computationally restricted, and has very little power: the proof should be short and easy to verify. These protocols can be interactive or not.
While the topic dates back to 1990, several important steps towards practicality have been made in the last decade, with efficient, real-life implementations and industrial deployments in recent years, thanks to substantial funding.
There are several cryptographic paths for designing such proof systems. Within Grace, two main techniques are investigated. The first one relies on elliptic curves and pairings, and produces very short (constant-size) proofs. Y. El Housni defended his PhD on this topic, in particular on the arithmetic and implementation aspects. The second technique relies on algebraic coding theory, with smaller cryptographic assumptions (cryptographic hash functions), and is post-quantum, but provides longer proofs.
D. Augot is advising Hugo Delavenne on the second topic, more precisely on the interplay between models of computation and so-called arithmetization, to which the cryptographic treatment itself (curve-based or code-based) is applied. D. Augot is also co-advisor of Tanguy Medevielle with Jade Nardi (IRMAR, CNRS, Rennes) on the algebraic and coding side. Hugo Delavenne and Tanguy Medevielle are collaborating on the two facets of the topic.
4 Application domains
4.1 Application Domain: cybersecurity
Participants: Guénaël Renault, Benjamin Smith, François Morain, Alexis Challande, Simon Montoya, Maxime Anvari, Gustavo Banegas, O. Blazy.
We are interested in developing interactions between cryptography and cybersecurity. In particular, we conduct research in embedded security (side channels and fault attacks), software security (finding vulnerabilities efficiently) and privacy (security of Tor).
4.2 Application Domain: blockchains
Participants: Daniel Augot.
While basic and standard blockchain ideas rely, on the cryptographic side, on very basic and standard cryptographic primitives like signatures and hash functions, more elaborate cryptographic techniques can alleviate some shortcomings of blockchains, like the poor bandwidth and the lack of privacy.
The topic of verifiable computation consists in verifying heavy computations done by a remote computer, using a lightweight computer which is not able to do the computation. The remote computer, called the prover, is allowed to provide a proof alongside the result of the computation. This proof must be very short and fast to verify. It can also be made zero-knowledge, where the prover hides some inputs to the computation and yet proves that the result is correct.
These proofs make it possible to move data and computation off-chain, pushing the burden to off-chain servers that play the role of provers, which then publish short commitments to the updated data, accompanied by short proofs that are easy to verify on-chain, where validators play the role of verifiers. This mechanism is called a rollup and is at the core of the proposed path for scaling Ethereum, a predominant blockchain, which will be “rollup-centric”.
Also Daniel Augot, together with Julien Prat (economist, ENSAE), is co-leading a Polytechnique teaching and research “chair”, called Blockchain and B2B platforms, funded by CapGemini, Caisse des dépôts and NomadicLabs. This is patronage, which funded Sarah Bordage's PhD thesis. This gives visibility and outreach beyond the academic sphere.
4.3 Cloud storage
Participants: Françoise Levy-dit-Vehel, Maxime Roméas.
The team is concerned with several aspects of the reliability and security of cloud storage, obtained mainly with tools from coding theory. On the privacy side, we build protocols for so-called Private Information Retrieval, which enable a user to query a remote database for an entry without revealing the query. For instance, a user could query a service for stock quotes without revealing which company he is interested in. On the availability side, we study protocols for proofs of retrievability, which enable a user to get assurance that a huge file is still available on a remote server, with a low-bandwidth protocol which does not require downloading the whole file. For instance, in a peer-to-peer distributed storage system, where nodes could be rewarded for storing data, they can be audited with proof of retrievability protocols to make sure they indeed hold the data.
We investigate these problems with algebraic coding theory for the effective construction of protocols. In this respect, we mainly use locally decodable codes and in particular high-rate lifted codes.
Maxime Roméas is a PhD student of the team (PhD grant from IP Paris/Ecole Polytechnique for a 3-year doctorate, Oct 2019 to Sept 2022). The subject of his thesis is "The Constructive Cryptography paradigm applied to Interactive Cryptographic Proofs".
The Constructive Cryptography framework, introduced by Maurer in 2011, redefines basic cryptographic primitives and protocols starting from discrete systems of three types (resources, converters, and distinguishers). This not only makes it possible to construct them effectively, but also lightens and sharpens their security proofs. One strength of this model is its composability. The purpose of the PhD is to apply this model to rephrase existing interactive cryptographic proofs so as to assert their genuine security, as well as to design new proofs. The main concern here is security and privacy in Distributed Storage settings. Another axis of the PhD is to augment the CC model by, e.g., introducing new functionalities to a so-called Server Memory Resource.
5 Highlights of the year
5.1 Wave post-quantum signatures
Participants: Alain Couvreur, Thomas Debris-Alazard, Benjamin Smith.
Wave is a post-quantum signature scheme based on hard problems in coding theory, originally proposed by T. Debris-Alazard in his PhD thesis. In response to NIST's 2023 call for new post-quantum signature schemes, we developed a full specification [39] and portable reference implementation software (see bil5053, in collaboration with Nicolas Sendrier of EPI COSMIQ, Gustavo Banegas of Qualcomm France, and Ruben Niederhagen of Academia Sinica) integrating theoretical and practical improvements from [41], with parameters meeting a range of standard post-quantum security levels. The full submission is public and available for download from this website.
5.2 HDR's
Participants: B. Smith.
Benjamin Smith defended his Habilitation à diriger les recherches entitled: Advances in asymmetric cryptographic algorithms on October 6, 2023.
6 New software, platforms, open data
6.1 New software
6.1.1 snark2chains

Name:
Families of SNARK-friendly 2-chains of elliptic curves

Keywords:
Cryptography, Cryptocurrency, Blockchain

Functional Description:
This library implements finite field and elliptic curve arithmetic for BN curves (Barreto-Naehrig), BLS (Barreto-Lynn-Scott), KSS (Kachisa-Schaefer-Scott), and 2-chains made of BW6 (Brezing-Weng curves of embedding degree 6), CP8, CP12 (Cocks-Pinch curves of embedding degree 8 and 12) for use with zk-SNARKs (zero-knowledge succinct non-interactive arguments of knowledge). The cryptographic applications are: pairing, scalar multiplication on the curves, hashing on the curves. The code is a proof of concept tied to two papers and is not optimized.
 URL:
 Publications:

Contact:
Aurore Guillevic
6.1.2 WaveSign

Name:
Wave Signatures: Reference Implementation

Keywords:
Post-quantum, Digital signature, Cryptographic protocol, Cryptography

Functional Description:
This software provides a complete and functional reference implementation in C99 for Wave, a post-quantum digital signature scheme based on hard problems in coding theory. Key generation, signing, and verification functions are provided, compliant with the API specified by NIST for their post-quantum signature on-ramp call. The emphasis is on portability, rather than targeted optimizations.
 URL:

Contact:
Nicolas Sendrier

Partner:
Qualcomm France
7 New results
7.1 Post-quantum cryptography
7.1.1 Search-to-decision reductions in code-based cryptography
Participants: A. Couvreur, M. Bombar, T. Debris-Alazard.
The security of most code-based cryptosystems relies on the hardness of the so-called Decoding Problem. While its search version (given a random linear code and a noisy codeword, it should be hard to decode, i.e. to remove the error and recover the original message) is quite well understood, many proposals actually rely on the decision version, which can be formulated as follows: given a random linear code, it should be hard to distinguish between a uniformly random vector of the ambient space and a noisy codeword. This decision version can be thought of as the code-based analogue of the Decisional Diffie–Hellman problem, and for general random linear codes the search and decision problems are known to be equivalent. Such a result is known as a search-to-decision reduction. However, for efficiency purposes, it is very appealing to use algebraically structured codes such as quasi-cyclic codes, which can be represented more compactly. In this situation, the hardness of the decision Decoding Problem is only conjectured. On the other hand, one of the reasons for the success of lattice-based cryptography is that it benefits from a rich literature of security reductions for both general lattices and so-called structured lattices, i.e. lattices arising from orders of number fields.
In [44], based on a strong analogy between number fields and function fields, and especially using Carlitz modules, which can be considered as an analogue of cyclotomic number fields in positive characteristic, we introduce a new generic problem that we call the Function Field Decoding Problem, and derive the first search-to-decision reduction in this context.
In [19], we revisit the tool called the OHCP framework (for Oracle with Hidden Center Problem), which was introduced by Peikert et al. (STOC 2017) in the lattice-based context. This framework has proved to be very useful as a black box inside reductions, and we have adapted it to the code-based context by extracting its very essence, namely the Oracle Comparison Problem (OCP). It has yielded a new worst-case to average-case search-to-decision reduction. We then turned to the structured versions and explain why this is not as straightforward as for Euclidean lattices. Although we do not obtain a search-to-decision reduction for structured codes, we believe that our work opens the way towards new reductions for structured codes, given that the OHCP framework proved to be so powerful in lattice-based cryptography. Furthermore, we also believe that this technique could be extended to codes endowed with other metrics, such as the rank metric, for which no reduction is known.
7.1.2 New algorithms to solve the generic decoding problem
Participants: T. Debris-Alazard.
The security of code-based cryptography relies primarily on the hardness of generic decoding with linear codes. The best generic decoding algorithms are all improvements of an old algorithm due to Prange: they are known under the name of information set decoders (ISD). A while ago, a generic decoding algorithm which does not belong to this family was proposed: statistical decoding. It is a randomized algorithm that requires the computation of a large set of parity-checks of moderate weight, and uses some kind of majority voting on these equations to recover the error we are looking for in the decoding problem. This algorithm was long forgotten because even the best variants of it performed poorly when compared to the simplest ISD algorithm. In [46], we revisit this old algorithm by using parity-check equations in a more general way. Here the parity-checks are used to get LPN samples with a secret which is part of the error, and the LPN noise is related to the weight of the parity-checks we produce. The corresponding LPN problem is then solved by standard Fourier techniques. By properly choosing the method of producing these low-weight equations and the size of the LPN problem, we are able to significantly outperform information set decoders at code rates smaller than 0.3. This gives, for the first time in 60 years, a better decoding algorithm for a significant range of rates which does not belong to the ISD family.
In [31] we revisit RLPN-decoding by noticing that, in this algorithm, decoding is in fact reduced to a sparse-LPN problem, namely one with a secret whose Hamming weight is small. Our new approach consists this time in making an additional reduction from sparse-LPN to plain-LPN with a coding approach inspired by coded-BKW. It significantly outperforms the ISDs and RLPN for code rates smaller than 0.42. This algorithm can be viewed as the code-based cryptography cousin of recent dual attacks in lattice-based cryptography. We depart completely from the traditional analysis of this kind of algorithm, which uses a certain number of independence assumptions that have been strongly questioned recently in the latter domain. We give instead a formula for the LPN noise relying on duality, which allows us to analyze the behavior of the algorithm by relying only on the analysis of a certain weight distribution. By using only a minimal assumption whose validity has been verified experimentally, we are able to justify the correctness of our algorithm. This key tool, namely the duality formula, can be readily adapted to the lattice setting and is shown to give a simple explanation for some phenomena observed on dual attacks in lattices.
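For readers unfamiliar with the baseline mentioned above, the following added example (not the team's software and not taken from the cited papers) implements Prange's original information set decoding on a toy binary code. The length 24, dimension 12, error weight 3 and the random seed are constructed values; rows of the parity-check matrix and vectors are stored as integer bitmasks.

```python
"""Prange's information set decoding on a toy binary code.
The code, error and parameters are constructed for illustration only."""
import random

def weight(v):
    """Hamming weight of a bitmask."""
    return bin(v).count("1")

def syndrome(H, e):
    """Syndrome H*e^T over GF(2); rows of H and the vector e are int bitmasks."""
    s = 0
    for i, row in enumerate(H):
        s |= (weight(row & e) & 1) << i
    return s

def random_instance(n, k, t, rng):
    """Random systematic parity-check matrix [R | I], a weight-t error and its syndrome."""
    r = n - k
    H = [rng.getrandbits(k) | (1 << (k + i)) for i in range(r)]
    e = sum(1 << i for i in rng.sample(range(n), t))
    return H, e, syndrome(H, e)

def solve_gf2(rows, r):
    """Gauss-Jordan on an r x (r+1) augmented system; None if the matrix is singular."""
    rows = rows[:]
    for col in range(r):
        piv = next((i for i in range(col, r) if (rows[i] >> col) & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(r):
            if i != col and (rows[i] >> col) & 1:
                rows[i] ^= rows[col]
    # After elimination, row i reads "z_i = augmented bit".
    return sum(((rows[i] >> r) & 1) << i for i in range(r))

def prange(H, s, n, t, rng, max_iter=100_000):
    """Search for e of weight <= t with H*e^T = s.

    Returns (e, iterations used), or (None, max_iter) if the budget runs out.
    """
    r = len(H)
    for it in range(1, max_iter + 1):
        # Bet that the error vanishes on an information set, i.e. that its
        # support lies inside r randomly chosen columns of H.
        cols = rng.sample(range(n), r)
        rows = []
        for i in range(r):
            v = sum(((H[i] >> c) & 1) << j for j, c in enumerate(cols))
            rows.append(v | (((s >> i) & 1) << r))
        z = solve_gf2(rows, r)          # the only candidate supported on cols
        if z is not None and weight(z) <= t:
            e = sum(1 << c for j, c in enumerate(cols) if (z >> j) & 1)
            return e, it
    return None, max_iter

def demo(seed=2023, n=24, k=12, t=3):
    """Build a constructed instance and decode it; the result may differ from
    e_true when several low-weight errors share the same syndrome."""
    rng = random.Random(seed)
    H, e_true, s = random_instance(n, k, t, rng)
    e, iters = prange(H, s, n, t, rng)
    return H, s, e_true, e, iters

if __name__ == "__main__":
    H, s, e_true, e, iters = demo()
    print(f"planted error {e_true:024b}\nfound error   {e:024b}\niterations {iters}")
```

Each iteration succeeds only when the chosen columns are invertible and contain the whole error support, so the expected number of iterations grows exponentially with the error weight; this cost is what the ISD improvements and the dual approaches described above aim to reduce.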
7.1.3 Cryptanalysis
Participants: Alain Couvreur.
In [23], we propose a new attack on rank-metric-based encryption schemes by revisiting and extending Overbeck's attack. This novel approach involves the computation of the code's stabilizer algebras and their Artin-Wedderburn decomposition. In particular, it made it possible to break the system proposed in [48].
In another work [22], we proposed a new distinguisher on binary and $q$-ary Goppa codes: the codes used in the NIST submission Classic McEliece, which is in the 4th round of NIST's standardisation process. Our distinguisher consists in reducing the Goppa distinguishing problem to a MinRank instance in a space of symmetric matrices. Although the resulting distinguisher works only on high-rate Goppa codes and hence does not break Classic McEliece, this is a completely novel approach and the first result on the cryptanalysis of binary Goppa codes in over 10 years.
7.1.4 Isogeny evaluation algorithms over extension fields
Participants: Anaëlle Le Dévéhat, Benjamin Smith.
Consider the basic problem of efficiently evaluating an isogeny $\varphi :E\to E/H$ of elliptic curves over ${\mathbb{F}}_{q}$, where the kernel $H=\langle G\rangle $ is a cyclic group of odd (prime) order: given $E$, $G$, and one or more points $P$ on $E$, we want to compute $\varphi \left(P\right)$. This problem is at the heart of essentially all efficient implementations of group-action and isogeny-based post-quantum cryptosystems, such as CSIDH. Algorithms based on Vélu's formulæ give an efficient solution to this problem when the kernel generator $G$ is defined over ${\mathbb{F}}_{q}$. However, for general isogenies, $G$ is only defined over some extension ${\mathbb{F}}_{{q}^{k}}$, even though the kernel subgroup $H=\langle G\rangle $ as a whole (and thus $\varphi $) is defined over the base field ${\mathbb{F}}_{q}$; and the performance of Vélu-style algorithms degrades rapidly as $k$ grows. In [29], joint work with our former postdoc Gustavo Banegas and former intern Valerie Gilchrist, we revisit the isogeny-evaluation problem with a special focus on the case where $1\le k\le 12$. We improve Vélu-style isogeny evaluation for many cases where $k=1$ using special addition chains, and combine this with the action of Galois to give greater improvements when $k>1$.
7.2 Secure multiparty computation
Participants: Maxime Bombar, Alain Couvreur, Clément Ducros.
Secure Multiparty Computation is a well-known paradigm in which each player holds secret data and the players are able to perform a computation involving all these secret data without learning more than the result of the computation. Following the seminal work of Beaver [42], efficient secure multiparty computation can be performed thanks to a precomputation step where the parties receive correlated pseudorandom strings called Oblivious Linear Evaluation (OLE). In [18], we proposed a new efficient construction of OLEs whose security rests on a new problem called Quasi-Abelian Syndrome Decoding. This new construction makes it possible to build very long pseudorandom correlated strings over small fields, while the best construction up to now required working over a very large field.
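The following Python example is added here and is not code from [18] or from the team: it shows how precomputed OLE correlations are consumed online so that two parties obtain additive shares of the inner product of their private vectors. The field F_3, the function names and the trusted dealer `deal_ole` (which stands in for the precomputation step) are assumptions made for the illustration.

```python
import secrets

P = 3  # toy small prime field F_3 (constructed parameter, not from the report)


def deal_ole(n, p=P):
    """Stand-in for the precomputation step (assumed trusted dealer).

    Returns n random OLE correlations over F_p: party 0 holds (u, v),
    party 1 holds (x, w) with w = u*x + v mod p.
    """
    corr0, corr1 = [], []
    for _ in range(n):
        u, v, x = (secrets.randbelow(p) for _ in range(3))
        corr0.append((u, v))
        corr1.append((x, (u * x + v) % p))
    return corr0, corr1


def party0_mask(a_vec, corr0, p=P):
    """Message from party 0: e = a - u. Uniform because u is uniform."""
    return [(a - u) % p for a, (u, _v) in zip(a_vec, corr0)]


def party1_mask(b_vec, corr1, p=P):
    """Message from party 1: d = b - x. Uniform because x is uniform."""
    return [(b - x) % p for b, (x, _w) in zip(b_vec, corr1)]


def party0_share(a_vec, corr0, d, p=P):
    """Party 0 uses only its own data and the received d: sum(a*d - v)."""
    return sum(a * dj - v for a, (_u, v), dj in zip(a_vec, corr0, d)) % p


def party1_share(corr1, e, p=P):
    """Party 1 uses only its own data and the received e: sum(w + e*x)."""
    return sum(w + ej * x for (x, w), ej in zip(corr1, e)) % p


def inner_product_shares(a_vec, b_vec, p=P):
    """Run the two-message online phase, one OLE per coordinate.

    Per coordinate: (a*d - v) + (w + e*x) = a*d + (u + e)*x = a*(d + x) = a*b.
    Returns the two additive shares and the messages seen on the wire.
    """
    corr0, corr1 = deal_ole(len(a_vec), p)
    e = party0_mask(a_vec, corr0, p)   # party 0 -> party 1
    d = party1_mask(b_vec, corr1, p)   # party 1 -> party 0
    s0 = party0_share(a_vec, corr0, d, p)
    s1 = party1_share(corr1, e, p)
    return s0, s1, {"e": e, "d": d}


if __name__ == "__main__":
    a = [1, 2, 0, 2, 1]   # constructed private input of party 0
    b = [2, 2, 1, 0, 1]   # constructed private input of party 1
    s0, s1, wire = inner_product_shares(a, b)
    print("shares:", s0, s1, "-> <a,b> mod 3 =", (s0 + s1) % P)
```

Each multiplication consumes one correlation, which is why the length of the correlated strings produced by the precomputation bounds the size of the computation that can be run.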
7.3 Verifiable computation
Participants: Daniel Augot.
Suppose a user of a small device requires a powerful computer to perform a heavy computation for him. The computation cannot be performed by the device. After completion of the computation, the powerful computer reports a result. Suppose now that the user does not have full confidence that the remote computer performs correctly or behaves honestly. How can the user be assured that the correct result has been returned to him, given that he cannot redo the computation?
The topic of verifiable computation deals with this issue. Essentially, it is a cryptographic protocol where the prover (i.e. the remote computer) provides a proof to a weak verifier (i.e. the user) that a computation is correct. The protocol may be interactive, in which case there may be one or more rounds of interaction between the prover and the verifier, or non-interactive, in which case the prover sends a proof that the computation is correct.
These protocols incorporate zero-knowledge variants, where the scenario is different. A service performs a computation on data, part of which remains private (for instance statistics on citizens' incomes). It is possible for the service to prove the correctness of the result without revealing the data (which has to be committed anyway).
Two directions for building these protocols are discrete logarithms (and pairings) in elliptic curves or a coding-theoretic setting (originating from the PCP theorem). Both variants admit a zero-knowledge version, and the core of the research is more on provable computation than the zero-knowledge aspect, which comes rather easily in comparison.
7.3.1 Verifiable computation based on coding theory
Participants: Daniel Augot, Tanguy Medevielle.
In the coding-theoretic setting, these protocols have become popular, in particular in the blockchain area, under the name of (ZK-)STARKs, Scalable Transparent Arguments of Knowledge, introduced in 2018. The short non-interactive proofs are derived from protocols called IOPs (Interactive Oracle Proofs), which combine IPs (Interactive Proofs) and PCPs (Probabilistically Checkable Proofs) to get the best of both worlds and make PCPs practical.
At the core of these protocols lies the following coding problem: how to decide, with high confidence, that a very long ambient word is close to a given code, while looking at very few coordinates of it.
An important issue is to have a smaller alphabet, and this can be done using algebraic-geometric codes. This was done by Sarah Bordage, Matthieu Lhotel, Jade Nardi and Hugues Randriambololona [45], using curves with a solvable automorphism group, which make it possible to build codes that are foldable in a way similar to the Reed-Solomon codes which are folded in the "FRI" protocol [43]. Their protocol has very good performance, akin to the Reed-Solomon case. Towers of curves are considered for this construction, to enable good asymptotic results.
The internship of Tanguy Medevielle in Spring 2023 made it possible to prove that these codes admit a quasi-linear encoding algorithm under mild constraints.
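The following Python example is added here and is not code from [43], [45] or from the team: it carries out the Reed-Solomon folding used in FRI-style proximity tests on a toy instance, with a verifier that reads only two symbols per layer for each queried position. The field F_257, the degree bound 4, the domain of size 16 and the names `fold`, `prove` and `verify` are assumptions of the illustration, and plain Python lists stand in for the committed oracles of a real protocol.

```python
P = 257   # Fermat prime: the multiplicative group of F_257 has order 2^8
G = 3     # 3 is a primitive root modulo 257


def inv(x):
    return pow(x, P - 2, P)


def domain(n):
    """Multiplicative subgroup of order n (n a power of two dividing 256)."""
    w = pow(G, (P - 1) // n, P)
    return [pow(w, i, P) for i in range(n)]


def rs_encode(coeffs, n):
    """Reed-Solomon codeword: evaluations of the polynomial on domain(n)."""
    return [sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
            for x in domain(n)]


def fold_pair(x, fx, f_neg_x, alpha):
    """Write f(X) = g(X^2) + X*h(X^2); return (g + alpha*h)(x^2)."""
    even = (fx + f_neg_x) * inv(2) % P
    odd = (fx - f_neg_x) * inv(2 * x % P) % P
    return (even + alpha * odd) % P


def fold(word, alpha):
    """Fold a word on domain(n) into a word on domain(n/2).

    In domain(n), index i + n/2 holds -x when index i holds x."""
    half = len(word) // 2
    dom = domain(len(word))
    return [fold_pair(dom[i], word[i], word[i + half], alpha)
            for i in range(half)]


def prove(word, alphas):
    """Prover: the list of successively folded words (the 'oracles')."""
    layers = [list(word)]
    for alpha in alphas:
        layers.append(fold(layers[-1], alpha))
    return layers


def verify(layers, alphas, queries):
    """Verifier: the last layer must be constant, and each queried position
    must fold consistently from one layer to the next."""
    if len(layers) != len(alphas) + 1 or len(set(layers[-1])) != 1:
        return False
    for q in queries:
        i = q
        for r, alpha in enumerate(alphas):
            cur = layers[r]
            half = len(cur) // 2
            if len(layers[r + 1]) != half:
                return False
            i %= half
            x = domain(len(cur))[i]
            if layers[r + 1][i] != fold_pair(x, cur[i], cur[i + half], alpha):
                return False
    return True


if __name__ == "__main__":
    coeffs = [5, 1, 0, 7]        # constructed polynomial of degree < 4
    word = rs_encode(coeffs, 16)
    alphas = [3, 10]             # challenges, fixed here; random in practice
    layers = prove(word, alphas)
    print("honest word accepted:", verify(layers, alphas, [2, 7, 13]))
    bad = list(word)
    bad[2] = (bad[2] + 1) % P    # one corrupted symbol
    cheat = [bad] + layers[1:]   # prover reuses the layers of the true codeword
    print("query hits corruption:", verify(cheat, alphas, [2]))
    print("queries miss it:", verify(cheat, alphas, [0, 1, 3]))
```

In this toy instance a single corrupted symbol is caught only by a query that lands on its pair; the protocol's guarantee concerns words that are far from the code, where a few random queries hit a corrupted pair with high probability.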
7.4 Machine learning on private data using multiplication
Participants: Daniel Augot, Angelo Saadeh.
In collaboration with Matthieu Rambaud (Télécom Paris), Daniel Augot is advising Angelo Saadeh. The issue which is addressed is the following. Two parties each privately hold some distinct slices of common data. The goal is to compute a logistic regression on the whole set of data, without either party revealing its data to the other party.
Computing a common output from the inputs of several participants, as above, is done in cryptography using MPC (Secure Multiparty Computation), as introduced by Yao [49] and recently made practical, with several implementations. Yet, as classically observed in MPC, the actual result, when learned, may leak information about the secret inputs. The same problem occurs here, where the model may leak information about the data.
Thus it is natural to investigate the use of $\epsilon$-differential privacy, introduced in [47], on top of MPC. This raises the concern of obtaining a reasonable accuracy, since differential privacy introduces noise. Preliminary tests have been done using the functional mechanism of [50], which Angelo Saadeh implemented in PySyft, a library of cryptographic primitives building on the PyTorch machine learning platform, and the obtained accuracy is actually good. A publication is in preparation.
A. Saadeh defended his thesis on these topics [27], with two accompanying publications [25, 37].
7.5 Cloud storage
Participants: Françoise Levy-dit-Vehel.
During the period, we investigated the Updatable Encryption (UE) functionality. UE protocols allow a client who has outsourced his encrypted data to have it updated by an untrusted server. To do so, the client generates a token, dependent on the old key and the new key, and gives it to the server to update all ciphertexts (ciphertext-independent setting); of course, the token should not reveal anything about the keys. An issue here, besides security, is keeping the communication complexity as low as possible. The security definitions for UE schemes have been constantly updated since the seminal paper of D. Boneh in 2013. However, the security notion that is best suited for a particular application remains unclear. We solved the problem in the ciphertext-independent setting. In particular, we proved that IND-UE-RCCA security is the right notion for many practical UE schemes. As a consequence, we notably rectify a previously believed assertion, according to which IND-UE security is stronger than IND-ENC+UPD notions, in that it hides the ages of ciphertexts. We show that this is true only when ciphertexts can leak at most once per epoch (an epoch being a time period between two key updates). We also give a clear description of the post-compromise security guarantees of such schemes. This work has been submitted to the Journal of Cryptology.
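The following Python example is added here and is not one of the schemes analysed in the submitted work: it shows the ciphertext-independent workflow described above, in which the client derives one token from the old and new keys and the server re-keys every stored ciphertext without ever holding a key. The construction (a mask H(nonce)^k in a prime-order group), the toy group modulo 1019 and all function names are assumptions chosen for the illustration and offer no real security at this size.

```python
import hashlib
import secrets

P = 1019   # toy safe prime, P = 2*Q + 1 (constructed parameter)
Q = 509    # prime order of the subgroup of squares modulo P


def hash_to_group(nonce):
    """Map a nonce to a square modulo P different from 1 (an element of order Q)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(nonce + bytes([ctr])).digest()
        h = int.from_bytes(digest, "big") % P
        if h not in (0, 1, P - 1):
            return h * h % P
        ctr += 1


def encode(m):
    """Embed a message 1 <= m <= Q into the squares (P = 3 mod 4, so exactly
    one of m and P - m is a square)."""
    if not 1 <= m <= Q:
        raise ValueError("message out of range")
    return m if pow(m, Q, P) == 1 else P - m


def decode(x):
    return x if x <= Q else P - x


def keygen():
    return secrets.randbelow(Q - 1) + 1


def encrypt(key, m):
    nonce = secrets.token_bytes(16)
    return nonce, encode(m) * pow(hash_to_group(nonce), key, P) % P


def decrypt(key, ciphertext):
    nonce, c = ciphertext
    mask = pow(hash_to_group(nonce), key, P)
    return decode(c * pow(mask, P - 2, P) % P)


def make_token(old_key, new_key):
    """Client side: one token per key rotation, independent of any ciphertext."""
    return (new_key - old_key) % Q


def server_update(token, store):
    """Server side: re-key every ciphertext using only the token."""
    return [(nonce, c * pow(hash_to_group(nonce), token, P) % P)
            for nonce, c in store]


if __name__ == "__main__":
    k_old, k_new = keygen(), keygen()
    store = [encrypt(k_old, m) for m in (7, 42, 300)]   # constructed messages
    store = server_update(make_token(k_old, k_new), store)
    print([decrypt(k_new, ct) for ct in store])
    # In this toy scheme, the token together with either key gives the other
    # key (new = old + token mod Q), so a token leak matters once a key leaks.
```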
7.6 Algorithmic number theory
7.6.1 Modular polynomials
Participants: François Morain.
Basic isogeny computations require the use of modular polynomials in two ways. The roots of a modular polynomial first indicate the existence of curves isogenous to the curve of interest. Second, these isogenous curves are computed using explicit formulas involving derivatives of the modular polynomial, as first described by Atkin for two families of modular polynomials. The height of the polynomial is critical, since it is the dominant parameter in the complexity analysis of the various methods used to compute them. We started to investigate the theory and practice of modular polynomials, in search of smaller and easier families to be used for the efficient computation of isogenies. See the two preprints [35] and [36].
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
Participants: Daniel Augot, Sarah Bordage, François Morain, Guénaël Renault, Benjamin Smith.
 Through École polytechnique, D. Augot is leader of a teaching and research chair on blockchains, "Blockchains and B2B platforms", funded by CapGemini, NomadicLabs and Caisse des dépôts, under the French patronage laws. This chair aims at fostering teaching and research on topics related to blockchains, from the points of view of both computer science and economics. This chair has a co-leader, Julien Prat from the department of economics. It started in 2018, for a duration of five years. Another mission of the chair is networking and outreach. Sarah Bordage (PhD since 2019) was funded by this chair.
 B. Smith is coordinating Inria's involvement in the Bpifrance-funded HYPERFORM consortium, which aims to develop a pre- and post-quantum hybrid cryptographic reference platform. So far this project, which started in September 2023, is funding B. Sterner's postdoc.
9 Partnerships and cooperations
9.1 International initiatives
Shane Gibbons, PhD student from CWI Amsterdam, visited the team for one month in March 2023 in order to work on code and lattice equivalence problems.
9.2 European initiatives
9.2.1 Horizon Europe
ENCODE
ENCODE project on cordis.europa.eu

Title:
European Network in Coding Theory and Applications

Duration:
From March 1, 2023 to February 28, 2027

Partners:
 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France
 UNIVERSITY COLLEGE DUBLIN, NATIONAL UNIVERSITY OF IRELAND, DUBLIN (NUID UCD), Ireland
 WORLDLINE (WORLDLINE), France
 INSTITUT POLYTECHNIQUE DE PARIS, France
 Bitwards Oy, Finland
 AALTO KORKEAKOULUSAATIO SR (AALTO), Finland
 UNIVERSITE DE NEUCHATEL (UNINE), Switzerland
 DEUTSCHES ZENTRUM FUR LUFT- UND RAUMFAHRT EV (DLR), Germany
 NXP SEMICONDUCTORS NETHERLANDS BV, Netherlands
 WITHSECURE OYJ (WITHSECURE CORPORATION), Finland
 TECHNISCHE UNIVERSITEIT EINDHOVEN (TU/e), Netherlands
 Roseman Labs B.V. (Roseman Labs), Netherlands

Inria contact:
Françoise Levy-dit-Vehel
 Coordinator:

Summary:
Coding theory is a cornerstone of the mathematics of communications. It is an interdisciplinary field, lying at the intersection of mathematics, computer science and electrical engineering. It is a fundamental tool of every system of digital communications, with applications to error-correction, distributed storage, wireless communications, secure multiparty computation and post-quantum cryptography. The ENCODE doctoral network will focus on fundamentals and applications of coding theory to security, privacy and efficiency of distributed communication & computation. The DN will leverage the complementary expertise of 7 academic and 5 non-academic partners, to guide its 8 DCs to address and solve deep problems in coding theory and its applications. The DN will offer a superior supervisory experience for each DC, who will each benefit from the expertise of multiple advisors in academia and industry. The non-academic partners include 5 companies working at the cutting edge of cybersecurity, who will offer invaluable contributions to the training programme via hosting of DCs and input in advanced training sessions. DCs will be exposed to current technical challenges faced by industry and will have the opportunity to apply mathematics to tackle real-world problems during industrial secondments. ENCODE will create a unique training programme, designed to equip its DCs with the scientific tools and transferable skills required for them to become future leaders in the field, both in academia and in industry. The ENCODE programme will implement all EC Principles for Innovative Doctoral Training, adhere to best practice as outlined in the EU Charter & Code, the MSCA Green Charter, and ensure gender equality in all aspects of its activities, to create a lasting international, intersectoral, interdisciplinary doctoral network, dedicated to excellence in science, ethical standards & communications that will extend far beyond the DN.
QSNP

Title:
Quantum Secure Networks Partnership

Duration:
From March 1, 2023 to August 31, 2028

Partners:
 23 European academic partners
 18 European industry partners

Inria contact:
Olivier Blazy
 Coordinator:

Summary:
QSNP is a European Quantum Flagship project that aims to develop quantum cryptography technology to secure the transmission of information over the internet.
QSNP will contribute to the European sovereignty in quantum technology for cybersecurity protecting the privacy and the sensitive information of European citizens transmitted over the internet.
9.3 National initiatives
9.3.1 ANR CIAO
Participants: Benjamin Smith, Luca De Feo, Antonin Leroux, Mathilde Chenu.
ANR CIAO (Cryptography, Isogenies, and Abelian varieties Overwhelming) is a JCJC 2019 project, led by Damien Robert (Inria EP LFANT). This project, which started in October 2019, will examine applications of higher-dimensional abelian varieties in isogeny-based cryptography.
9.3.2 ANR COLA
Participants: Alain Couvreur, Thomas Debris–Alazard.
ANR COLA (An interface between COde and LAttice-based cryptography) is a project from (Appel à projets générique, Défi 9, Liberté et sécurité de l’Europe, de ses citoyens et de ses résidents, Axe 4 ; Cybersécurité). This project (ANR JCJC), which started in October 2021 and is led by Thomas Debris-Alazard, focuses on bringing closer post-quantum solutions based on codes and lattices, to improve our trust in cryptanalysis and to open new perspectives in terms of design.
9.3.3 ANR BARRACUDA
Participants: Daniel Augot, Alain Couvreur, Françoise Levy-dit-Vehel.
BARRACUDA is a collaborative ANR project accepted in 2021 and led by A. Couvreur.
Website: barracuda.inria.fr
The project gathers specialists of coding and cryptology on one hand and specialists of number theory and algebraic geometry on the other hand. The objectives concern problems arising from modern cryptography which require the use of advanced algebra based objects and techniques. It concerns for instance mathematical problems with applications to distributed storage, multiparty computation or zero knowledge proofs for protocols.
9.3.4 ANR SANGRIA
Participants: Olivier Blazy.
SANGRIA is a collaborative ANR project accepted in 2021.
Website: lip6.fr/Damien.Vergnaud/projects/sangria/
The main scientific challenges of the SANGRIA (Secure distributed computAtioN: cryptoGRaphy, combinatorIcs and computer Algebra) project are (1) to construct specific protocols that take into account practical constraints and prove them secure, and (2) to implement them and to improve the efficiency of existing protocols significantly. The SANGRIA project aims to undertake research in these two aspects while combining research from cryptography, combinatorics and computer algebra. It is expected to impact central problems in secure distributed computation, while enriching the general landscape of cryptography.
9.3.5 ANR MobiS5
Participants: Olivier Blazy.
MobiS5 is a collaborative ANR project accepted in 2018.
Website: mobis5.limos.fr/
MobiS5 will aim to foresee and counter the threats posed in 5G architectures by the architectural modifications suggested in TR 22.861-22.864. Concretely, we will provide a provably-secure cryptographic toolbox for 5G networks, validated formally and experimentally, responding to the needs of 5G architectures at three levels:
 Challenge 1: security in the network infrastructure and end points, including core network security and attack detection and prevention;
 Challenge 2: cryptographic primitives and protocols, notably a selection of basic primitives, an authenticated key-exchange protocol, tools to compute on encrypted data, and post-quantum cryptographic countermeasures;
 Challenge 3: mobile applications, specifically in the use-case of a secure server that aids or processes outsourced computation, and the example of a smart home.
9.3.6 ANR CryptiQ
Participants: Olivier Blazy.
CryptiQ is a collaborative ANR project accepted in 2018.
The goal of the CryptiQ project is to major changes due to Quantum Computing by considering three plausible scenarios, from the closest to the furthest foreseeable future, depending on the means of the adversary and the honest parties. In the first scenario, the honest execution of protocols remains classical while the adversary may have oracle access to a quantum computer. This is the so-called post-quantum cryptography, which is the best known setting. In the second scenario (quantum-enhanced classical cryptography), we allow honest parties to have access to quantum technologies in order to achieve enhanced properties, but we restrict this access to those quantum technologies that are currently available (or that can be built in the near term). The adversary is still allowed to use any quantum technology. Finally, in the third scenario (cryptography in a quantum world), we allow the most general quantum operations to an adversary and we consider that anybody can now have access to both quantum communication and computation.
9.3.7 PEPR sur les technologies quantiques: Projet intégré "Un cadenas post-quantique pour les navigateurs web"
Participants: Alain Couvreur, Thomas Debris–Alazard, Benjamin Smith, Anaëlle Le Devehat, Matthieu Lequesne.
This projet intégré aims to develop, within 5 years, post-quantum cryptographic primitives which would be implemented in an open source web browser. The evolution of cryptographic standards has already begun. The choice of new primitives will be made soon and the transition should take place within a few years. The objective of the project is to play a crucial role in this evolution, so that French researchers, who are already strongly involved in this process, can influence the choice of cryptographic standards in the coming years.
9.3.8 Inria Défi RIOT-fp: Reconcile IoT and Future-Proof Security
Participants: Benjamin Smith, Gustavo Banegas.
RIOT-fp is a research project on cybersecurity targeting low-end, microcontroller-based IoT devices, on which run operating systems such as RIOT and a low-power network stack. It links the project-teams EVA, GRACE, PROSECCO, TRiBE, and TEA. Taking a global and practical approach, RIOT-fp gathers partners planning to enhance RIOT with an array of security mechanisms. The main challenges tackled by RIOT-fp are:
 developing high-speed, high-security, low-memory IoT crypto primitives,
 providing guarantees for software execution on low-end IoT devices, and
 enabling secure IoT software updates and supply-chain, over the network.
Beyond academic outcomes, the output of RIOT-fp is open source code published, maintained and integrated in the open source ecosystem around RIOT. As such, RIOT-fp strives to contribute usable building blocks for an open source IoT solution improving the typical functionality vs. risk tradeoff for end-users.
9.3.9 Inria AEx CACHAÇA
Participants: Benjamin Smith, Guenael Renault, Anaelle Le Devehat.
The Action Exploratoire CACHAÇA, led by Benjamin Smith and based at Campus Cyber, started in 2022. CACHAÇA aims to bring high-assurance techniques from formal methods to the initial design and implementation phase for new post-quantum cryptosystems, to produce fast, safe, and portable software implementations, especially for constrained environments such as IoT devices. Guenael Renault has associate researcher status, and so CACHAÇA is an anchor point for collaborations between GRACE and the Secure Components laboratory at ANSSI. It will also encompass GRACE's contribution to planned industrial consortia (expected to begin in 2023).
10 Dissemination
10.1 Promoting scientific activities
10.1.1 Scientific events: selection
Member of the conference program committees
 A. Couvreur served on the PC of IEEE Information Theory Workshop 2023.
 B. Smith served on the PC of CRYPTO 2023.
 B. Smith served on the PC of IMACC 2023.
 B. Smith served on the PC of SAC 2023.
 D. Augot served on the PCs of:

O. Blazy served on the PCs of:
 Eurocrypt 2024;
 Selected Areas in Cryptography (SAC) 2023;
 PQCrypto 2023;
 CT-RSA 2024;
 ARES 2023;
 IMACCS 2023.
O. Blazy also served on the Jury of the Prix CNIL-Inria 2023.
Reviewer
 A. Couvreur served as a reviewer for the conference Asiacrypt 2023.
10.1.2 Journal
Member of the editorial boards
 B. Smith became a member of the editorial board of IACR Communications in Cryptology.
 A. Couvreur became associate editor of SIAM Journal on Applied Algebra and Geometry (SIAGA).
 A. Couvreur is a member of the editorial board of Publications Mathématiques de Besançon.
 O. Blazy is on the editorial board of Computer Law and Security Review.
Reviewer - reviewing activities
 A. Couvreur served as a referee for the journals Cryptography and Communications, Designs Codes and Cryptography, Journal of Algebra, Journal of Pure and Applied Algebra, IEEE Transactions on Information Theory, and SIAM Journal on Applied Algebra and Geometry.
10.1.3 Invited talks
 A. Couvreur was invited to give a talk at the special session Algebraic coding theory and cryptography of the 29th Nordic Congress of Mathematicians
10.1.4 Leadership within the scientific community
 O. Blazy and A. Couvreur are co-responsible for the Groupe de Travail Codes et Cryptographie (C2) of the GdR's Informatique Mathématiques and Sécurité Informatique.
10.1.5 Scientific expertise
 A. Couvreur was referee for the PhD committee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
 A. Couvreur was referee for the PhD committee of Thibauld Feneuil (Sorbonne Université, 23/10/2023)
 A. Couvreur was referee for the HDR committee of Eleonora Guerrini (Université de Montpellier, 4/12/2023)
 O. Blazy was referee for the PhD committee of Cyrius Nugier (Insa Toulouse, 04/07/2023)
 O. Blazy was referee for the PhD committee of Vigile Dossou Yovo (Université d'Abomey-Calavi (Bénin), 09/08/2023)
 O. Blazy was referee for the PhD committee of Lucas Prabel (Université de Rennes, 05/10/2023)
 O. Blazy was referee for the PhD committee of Elie Bouscatié (Université de Bordeaux, 19/12/2023)
10.1.6 Research administration
 D. Augot was member of a Comité de sélection for a Maître de conférence position at Université de Limoges.
 D. Augot was member of the scientific PhD jury of Institut Polytechnique de Paris (attributing PhD fundings in computer science).
 D. Augot was in the HCERÉS visiting committee of lab LIP6 (CNRS and Sciences Sorbonne Université), 21-24 November 2023.

 A. Couvreur is an elected member of Inria's Commission d'Évaluation. He served in the recruitment juries:
 CRCN Centre Inria de Lyon;
 DR2 National.
 A. Couvreur is coordinator for Inria of the Axis PQ-TLS of PEPR quantique and in charge of the work package on code-based cryptography with Philippe Gaborit (University of Limoges).
 B. Smith is in charge of the work package on isogeny-based cryptography of the axis PQ-TLS of PEPR quantique.
 O. Blazy is a member of the Conseil Scientifique et Pédagogique for the EUR Tactic.
10.2 Teaching - Supervision - Juries
10.2.1 Teaching
 Licence :
 O. Blazy : CSE101: Introduction to Computer Programming (Tutorials), 58h, L1, École polytechnique, France
 M. Bombar : INF361: Introduction à l'informatique (tutorials), 40h (equiv TD), 1st year (L3), École polytechnique.
 T. Debris–Alazard: Exercises for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique.
 F. Morain: Lectures for INF361: “Introduction à l'informatique”, 15h (equiv TD), 1st year (L3), École polytechnique. Coordinator of this module (350 students).
 B. Smith : CSE101: Introduction to Computer Programming, 31.5h, L1, École polytechnique, France
 B. Smith : CSE207: Introduction to Networks (Tutorials), 14h, L2, École polytechnique, France
 Master:
 D. Augot : lectures and Labs on crypto in blockchains, 24h, M2, École polytechnique, France.
 D. Augot designed with Julien Prat the curriculum of a course on blockchains and economics, and gave lectures on zero-knowledge.
 O. Blazy : Lectures and Labs for INF646: Introduction to formal methods, 20h, M2, École polytechnique, France
 Master : O. Blazy : Lectures and Labs for Authentification, VPN et Chiffrement, 6h, M2, Telecom Sud Paris, France
 T. Debris–Alazard: Lectures for INF587: “Introduction to quantum computer science”, 45h, École polytechnique.
 A. Couvreur and T. Debris–Alazard : Lectures in MPRI 2132: Error Correcting codes and applications to cryptography
 F. Morain: INF558, Lectures and labs Introduction to cryptology, 36h, M1, École Polytechnique
 F. Levy-dit-Vehel: Lectures on discrete maths, 21h, M1, ENSTA
 F. Levy-dit-Vehel: Lectures on cryptography, 24h, M2, ENSTA.
 Matthieu Lequesne: INF558, labs Introduction to cryptology, 36h, M1, École Polytechnique
 G. Renault : Lectures and Labs for INF565: Information Systems Security, 60h, M1, École polytechnique, France
 G. Renault : Lectures and Labs for INF648: Embedded security: side-channel attacks; javacard, 60h, M2, École polytechnique, France
 Master : G. Renault : Coordinator for INF637: Reverse engineering vs Obfuscation, 2h, M2, École polytechnique, France
 B. Smith : INF568: Advanced Cryptography, 45h, M1, École polytechnique, France
 B. Smith : MPRI 2122: Algorithmes Arithmétiques pour la Cryptologie, 22.5h, M2, Master Parisien de Recherche en Informatique, France.
 Professional training:
 D. Augot gave a two-hour lecture at SystemX.
10.2.2 Supervision
 Master : F. Morain is the scientific leader of the Master of Science and Technology Cybersecurity: Threats and Defense of École Polytechnique.
 Bachelor: O. Blazy is one of the academic advisors for the Computer Science Bachelor of École Polytechnique.
 Master : O. Blazy is one of the academic advisors of the new Master of Science and Technology Cybersecurity of École Polytechnique.
10.2.3 Juries
 T. Debris–Alazard was member of the jury for the Gilles Kahn PhD award
 B. Smith was an examiner for the PhD of Marc Houben (KU Leuven, Belgium, 22/11/2023)
 D. Augot was a reviewer of the PhD of Simona Etinksi (Université Paris Cité, 28/6/2023)
 D. Augot was president of the PhD committee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
 A. Couvreur was president of the PhD committee of Rocco Mora (Sorbonne université, 7/4/2023)
 A. Couvreur was member of the PhD committee of Mathieu Lhotel (Université de Franche-Comté, 3/7/2023)
 A. Couvreur was member of the PhD committee of Thibauld Feneuil (Sorbonne Université, 23/10/2023)
 A. Couvreur was member of the HDR committee of Eleonora Guerrini (Université de Montpellier, 4/12/2023)
 O. Blazy was member of the PhD committee of Quoc-Huy Vu (Panthéon-Assas, 01/02/2023).
 O. Blazy was president of the PhD committee of Cyrius Nugier (Insa Toulouse, 04/07/2023)
 O. Blazy was member of the PhD committee of Vigile Dossou Yovo (Université d'Abomey-Calavi (Bénin), 09/08/2023)
 O. Blazy was president of the PhD committee of Hugo Senet (Panthéon-Assas, 22/09/2023).
 O. Blazy was member of the PhD committee of Lucas Prabel (Université de Rennes, 05/10/2023)
 O. Blazy was member of the PhD committee of Elie Bouscatié (Université de Bordeaux, 19/12/2023)
10.3 Popularization
10.3.1 Internal or external Inria responsibilities

 A. Couvreur was référent médiation scientifique of the Inria Saclay research centre until September 2023. In this context,
 he organised with the Service Communication et Médiation of Inria Saclay Les Rendez-vous des Jeunes Mathématiciennes et Informaticiennes at Inria Saclay;
 he coordinated with the Service Communication et Médiation of Inria Saclay La fête de la science at Institut Polytechnique de Paris and Université Paris-Saclay.
 O. Blazy is Référent Europe for the GDR Sécurité Informatique.
10.3.2 Articles and contents
 D. Augot was interviewed in a Polytechnique insights video on blockchains.
 O. Blazy gave numerous interviews in national and international media about cybersecurity concerns, especially age verification and children's online protection (L'Express, BFMTV, La Croix, Public Sénat, ...).
10.3.3 Interventions
 B. Smith gave the keynote at the 2023 BNP Paribas FRESH (Finance and Risk) teambuilding event on The transition to quantum-safe cryptography.
 B. Smith gave a keynote talk at the 2023 GFA Flag Attack (“the French–German CTF”) on The transition to quantum-safe cryptography.
 A. Couvreur gave a popularization talk on the history of cryptography at the award ceremony of the Olympiades de Mathématiques de l'académie de Créteil.
 O. Blazy gave a presentation at the ERGA academy about age verification. (ERGA being the European Regulators Group for Audiovisual media).
11 Scientific production
11.1 Major publications
 [1] Article: Efficient multivariate low-degree tests via interactive oracle proofs of proximity for polynomial codes. Designs, Codes and Cryptography, 2022.
 [2] Proceedings: Gustavo Banegas, Koen Zandberg, Emmanuel Baccelli, Adrian Herrmann, Benjamin Smith. Quantum-Resistant Software Update Security on Low-Power Networked Embedded Devices. Lecture Notes in Computer Science, vol. 13269, Springer International Publishing, June 2022, 872-891.
 [3] In proceedings: How fast do you heal? A taxonomy for post-compromise security in secure-channel establishment. USENIX 2023 - The 32nd USENIX Security Symposium, Anaheim, United States, August 2023.
 [4] In proceedings: On Codes and Learning With Errors over Function Fields. Advances in Cryptology - CRYPTO 2022, Santa Barbara (CA), United States. Lecture Notes in Computer Science, vol. 13508, Springer Nature Switzerland, October 2022, 513-540.
 [5] Article: An Algorithmic Reduction Theory for Binary Codes: LLL and more. IEEE Transactions on Information Theory, January 2022.
 [6] In proceedings: Efficient Proofs of Retrievability using Expander Codes. Cryptography and Network Security, CANS 2022, Abu Dhabi, United Arab Emirates, November 2022.
 [7] Article: Deterministic factoring with oracles. Applicable Algebra in Engineering, Communication and Computing, September 2021.
11.2 Publications of the year
International journals
 [8] Article: On recovering block cipher secret keys in the cold boot attack setting. Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences, 2023.
 [9] Article: Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs. IACR Transactions on Cryptographic Hardware and Embedded Systems, June 2023, 504-521.
 [10] Article: Smoothing Codes and Lattices: Systematic Study and New Bounds. IEEE Transactions on Information Theory, 69(9), September 2023, 6006-6027.
 [11] Article: Quantum Reduction of Finding Short Code Vectors to the Decoding Problem. IEEE Transactions on Information Theory, 2023, 1-1.
 [12] Article: Simultaneous Rational Function Reconstruction with Errors: Handling Multiplicities and Poles. Journal of Symbolic Computation, 116, 2023, 345-364.
International peerreviewed conferences
 [13] In proceedings: Disorientation Faults in CSIDH. Advances in Cryptology - EUROCRYPT 2023, Lyon, France. Lecture Notes in Computer Science, vol. 14008, Springer Nature Switzerland, April 2023, 310-342.
 [14] In proceedings: Dually Computable Cryptographic Accumulators and Their Application to Attribute Based Encryption. Cryptology and Network Security, 22nd International Conference, CANS 2023, Augusta, United States. Lecture Notes in Computer Science, vol. 14342, Springer Nature Singapore, October 2023, 538-562.
 [15] In proceedings: Security Assessment of NTRU Against Non-Profiled SCA. CARDIS 2022 - 21st Smart Card Research and Advanced Application Conference, Birmingham, United Kingdom. Lecture Notes in Computer Science, vol. 13820, Springer International Publishing, January 2023, 248-268.
 [16] In proceedings: How fast do you heal? A taxonomy for post-compromise security in secure-channel establishment. Proceedings of the 32nd USENIX Conference on Security Symposium, USENIX 2023 - The 32nd USENIX Security Symposium, vol. 1, Anaheim, United States, USENIX Association, August 2023, 5917-5934.
 [17] In proceedings: Efficient Implementation of a Post-Quantum Anonymous Credential Protocol. ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy, ACM, August 2023, 1-11.
 [18] In proceedings: Correlated Pseudorandomness from the Hardness of Quasi-Abelian Decoding. Advances in Cryptology - CRYPTO 2023, 43rd Annual International Cryptology Conference, Santa Barbara, United States. Lecture Notes in Computer Science, vol. 14084, Springer Nature Switzerland, August 2023, 567-601.
 [19] In proceedings: Pseudorandomness of Decoding, Revisited: Adapting OHCP to Code-Based Cryptography. ASIACRYPT 2023 - International Conference on the Theory and Application of Cryptology and Information Security, Guangzhou, China. Lecture Notes in Computer Science, December 2023.
 [20] In proceedings: Pseudorandom Correlation Functions from Variable-Density LPN, Revisited. 26th IACR International Conference on Practice and Theory of Public-Key Cryptography, Atlanta, United States. Lecture Notes in Computer Science, vol. 13941, Springer Nature Switzerland, May 2023, 221-250.
 [21] In proceedings: Improved decoding of symmetric rank metric errors. 2023 IEEE Information Theory Workshop (ITW), Saint-Malo, France, IEEE, December 2022, 238-242.
 [22] In proceedings: A new approach based on quadratic forms to attack the McEliece cryptosystem. ASIACRYPT 2023, Guangzhou, China, Springer, December 2023.
 [23] In proceedings: An extension of Overbeck's attack with an application to cryptanalysis of Twisted Gabidulin-based schemes. Post-Quantum Cryptography, PQCrypto 2023, College Park, United States. Lecture Notes in Computer Science, vol. 14154, Springer Nature Switzerland, May 2023, 3-37.
 [24] In proceedings: Pairings in Rank-1 Constraint Systems. ACNS 2023 - 21st International Conference on Applied Cryptography and Network Security, Kyoto, Japan, June 2023.
 [25] In proceedings: Confidential Truth Finding with Multi-Party Computation. DEXA 2023 - 34th International Conference on Database and Expert Systems Applications, Penang, Malaysia, August 2023.
Doctoral dissertations and habilitation theses
 26 thesis: Structured Codes for Cryptography: from Source of Hardness to Applications. École Polytechnique, December 2023.
 27 thesis: Applications of secure multiparty computation in Machine Learning. Institut Polytechnique de Paris, June 2023.
 28 thesis: Advances in asymmetric cryptographic algorithms. Institut polytechnique de Paris, October 2023.
Reports & preprints
 29 misc: Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields. June 2023.
 30 misc: Disorientation faults in CSIDH. 2023.
 31 misc: Reduction from Sparse LPN to LPN, Dual Attack 3.0. December 2023.
 32 misc: SQISignHD: New Dimensions in Cryptography. March 2023.
 33 misc: Worst and average case hardness of decoding via smoothing bounds. December 2023.
 34 misc: Updatable Encryption from Group Actions. January 2024.
 35 misc: Computing the Charlap-Coley-Robbins modular polynomials. February 2023.
 36 misc: Using the Charlap-Coley-Robbins polynomials for computing isogenies. March 2023.
 37 misc: Confidential Truth Finding with Multi-Party Computation (Extended Version). May 2023.
 38 misc: Towards Optimally Small Smoothness Bounds for Cryptographic-Sized Twin Smooth Integers and its Isogeny-based Applications. October 2023.
Other scientific publications
 39 misc: WAVE: Round 1 Submission. June 2023.
11.3 Other
Educational activities
 40 unpublished: Code-based Cryptography: Lecture Notes. April 2023, Doctoral, France.
11.4 Cited publications
 41 unpublished: Wavelet: Code-based post-quantum signatures with fast verification on microcontrollers. October 2021, working paper or preprint.
 42 inproceedings: Efficient Multiparty Protocols Using Circuit Randomization. Advances in Cryptology - CRYPTO '91, Berlin, Heidelberg, Springer Berlin Heidelberg, 1992, 420-432.
 43 inproceedings: Fast Reed-Solomon Interactive Oracle Proofs of Proximity. 45th International Colloquium on Automata, Languages, and Programming, ICALP 2018, July 9-13, 2018, Prague, Czech Republic, 2018, 14:1-14:17.
 44 inproceedings: On Codes and Learning With Errors over Function Fields. CRYPTO 2022, vol. 13508, Advances in Cryptology - CRYPTO 2022, Santa Barbara (CA), United States, Springer Nature Switzerland, August 2022, 513-540.
 45 inproceedings: Interactive Oracle Proofs of Proximity to Algebraic Geometry Codes. CCC 2022 - 37th Computational Complexity Conference, Philadelphie, United States, July 2022, 30:1-30:45.
 46 inproceedings: Statistical Decoding 2.0: Reducing Decoding to LPN. ASIACRYPT 2022 - 28th Annual International Conference on the Theory and Application of Cryptology and Information Security, vol. 13794, Lecture Notes in Computer Science, Taipei, Taiwan, Springer, December 2022, 477-507.
 47 inproceedings: Calibrating Noise to Sensitivity in Private Data Analysis. Theory of Cryptography, Berlin, Heidelberg, Springer, 2006, 265-284.
 48 misc: Twisted Gabidulin Codes in the GPT Cryptosystem. 2018.
 49 inproceedings: Protocols for Secure Computations (Extended Abstract). FOCS, IEEE Computer Society, 1982, 160-164.
 50 article: Functional mechanism: regression analysis under differential privacy. arXiv preprint arXiv:1208.0219, 2012.