3.1 Algorithms for higher dimensional number theory

The goal of this axis is to design and implement efficient algorithms to enumerate, construct, represent, and compute with the fundamental objects of the Langlands programme and to explore their interactions. This will provide versatile tools for mathematicians to progress on difficult problems by directly manipulating intricate objects, and a collection of new problems and algorithms for cryptographers to use for the design of next-generation cryptographic primitives. Since many of these objects have a strong analytic flavour, the methods from our effective analysis axis will be vital.

The main topics of this theme will be:

• Automorphic forms: compute spaces of automorphic forms (Siegel and Hilbert modular forms, ...)
• Galois representations: compute Artin representations using tools from representation theory, Iwasawa theory, $p$-adic Hodge theory.
• Varieties: abelian varieties, curves of higher genus, Shimura varieties and moduli spaces, hypergeometric motives.
• Bridges from the Langlands programme.

3.2 Effective analysis

The goal of this axis is to develop algorithms for efficient and reliable arithmetics in various fields (real, complex, $p$-adic, finite), which is a prerequisite for computing with the number theoretical objects of both Axis 1 and Axis 3, and especially $L$-functions, which are analytic objects by nature (defined in terms of series and integrals). Beyond elementary arithmetic and linear and nonlinear algebra, we also frequently need effective algorithms in the realm of complex and $p$-adic analysis, including algorithms for solving differential equations.

There is a wealth of research questions to address to guarantee convergence, optimal complexities and efficiency at different precisions, as well as the exactness of the results.

The main topics of this theme will be:

• Real and complex analysis: rigorous algorithms for evaluating holonomic functions. For analytic operations like limits, differentiation, summation and integration, develop algorithms with guaranteed accuracy that can handle functions with singularities or pathological behaviour like strong oscillation.
• Symbolic-numeric representations: reduce the cost of computing with algebraic numbers of large degree or height, compute with mixed algebraic and purely transcendental fields.
• $p$-adic analysis: optimise $p$-adic linear algebra and $p$-adic commutative algebra (including Gröbner bases) with respect to precision loss and instabilities.

3.3 Next generation and post-quantum cryptography

While the objects mentioned in Axis 1 may appear excessively abstract, when suitably instantiated, they become basic building blocks for next generation cryptosystems. First, these algebraic objects make it possible to construct quantum-resistant public key cryptosystems, which may become indispensable to secure communications in a future where large-scale quantum computers have become a reality. Second, the richness of these objects enables the construction of cryptographic schemes with advanced properties, such as homomorphic encryption, decentralised cryptography, secure multiparty computation and verifiable delay functions. The cryptosystems that will be studied in the team are related to (generalisations) of ideals and class groups in number fields: algebraic lattices, actions of class groups of orders in number fields and actions of groupoids constructed from quaternion algebras. Building and analysing these cryptosystems requires a deep understanding of the mathematical structures underlying them, which cannot simply be treated as black boxes.

The main topics of this theme will be:

• Isogenies: new cryptographic protocols from higher dimensional isogenies.
• Lattices: investigate the hardness of finding short vectors in algebraically structured lattices.
• Pairings and discrete logarithms, quantum algorithms to compute unit and class groups .
• Orders of number fields: algorithms for computing with orders in number fields, as well as regulators and class groups. These algorithms can be used to construct groups of unknown order, which find applications in advanced cryptographic primitives, for instance in the area of homomorphic encryption or threshold cryptography.
• Verifiable delay functions.

5.1 Footprint of research activities

The main footprint of our research activites are:

• The ecological impact of attending international conferences. We have signed the University of Bordeaux ecological chart saying that we should try to reduce travel and privilege train as much as possible. Some of us also signed a more restrictive commitment, saying that we will try to limit ourselves to 20 000km traveled by plane over a period of two years.1
• The impact of our computations. Some of our record computations (largest class polynomials, largest primality proof) require using a large cluster for a long time. To reduce this impact we aim to develop faster algorithms.

5.2 Impact of research results

Another possible impact of Axis 3 will be ecological. Moving blockchains from Proof of Work to Proof of Stake is key to reduce their ecological impact. Verifiable delay functions are a core component of proof of stake, so Axis 3 will play a small role in helping this transition. In the same vein, cryptography based on class groups makes it possible to reduce the bandwidth used for certain multiparty protocols.

6.1 Awards

The Pari/GP software won the price Prix science ouverte du logiciel libre de la recherche from the ministère de l’Enseignement supérieur et de la Recherche in the category Communauté.

The paper 20 by P. Dartois, A. Leroux, D. Robert and B. Wesolowski won the best paper award of Eurocrypt 2024.

7.1 New software

8.1 Higher dimensional number theory

Participants: Xavier Caruso, Henri Cohen, Aurel Page.

In 34, A. Bartel and A. Page develop a new approach to the isospectrality of the orbifolds constructed by Vignéras.

In 51, H. Cohen explains how to accelerate continued fractions, and then in 50 he builds a database of continued fractions of polynomial type.

8.2 Algorithms for number theory

Participants: Razvan Barbulescu, Karim Belabas, Jean-Marc Couveignes, Andreas Enge, Fabrice Etienne.

In 22, A. Enge presents his implementation of the FastECPP algorithm for primality proving. He carries out a complexity analysis with particular emphasis on the parallelisation aspects and presents the parameter choices that have made possible the record of a primality proof for $({10}^{86453}-1)/9$ using his CM software 49. This free software has been used for 18 primality proofs out of the 20 largest primes without special properties referenced at https://­t5k.­org/­top20/­page.­php?id=27.

In 42, F. Etienne describes an algorithm to compute class groups by induction with generalised norm relations.

The paper 7 by R. Barbulescu and F. Jouve useing the Elliott-Halberstam conjecture to measure how ECM friendly an elliptic curve with complex multiplication is was published in Acta Arithmetica.

In 8, published in Mathematics of Computation, K. Belabas and D. Simon give an algorithm for power detection in number fields.

8.3 Cryptography

Participants: Guilhem Castagnos.

In 19, L. Braun, G. Castagnos, I. Damgård, F. Laguillaumie, K. Melissaris, C. Orlandi, I. Tucker present distributed key generation and decryption protocols for an additively homomorphic cryptosystem based on class groups, CL, improving on a similar system proposed by Braun, Damgård, and Orlandi at CRYPTO'23. Their key generation is similarly constant round but achieves lower communication complexity than the previous work. This improvement is in part the result of relaxing the reconstruction property required of the underlying integer verifiable secret sharing scheme. This eliminates the reliance on potentially costly proofs of knowledge in unknown order groups. They present a new method to batch zero-knowledge proofs in unknown order groups which strengthens these improvements. They also present a protocol which is proven secure against adaptive adversaries in the single inconsistent player (SIP) model. Theirs protocols are secure in the universal composability (UC) framework and provide guaranteed output delivery. They demonstrate the relative efficiency of our techniques by presenting the running times and communication costs associated with our implementation of the statically secure protocol and provide a direct comparison with alternate state of the art constructions.

8.4 Isogeny based cryptography

Participants: Bill Allombert, Pierrick Dartois, Sabrina Kunzweiler, Aurel Page, Damien Robert, Benjamin Wesolowski.

The paper 20, P. Dartois, A. Leroux, D. Robert and B. Wesolowski, which present the SQISignHD protocol, has been published in Eurocrypt 2024 and won the best paper awards.

The verification step of SQISignHD requires computing dimension 4 2e-isogenies. The algorithmic aspects of this task was tackled in 40 by P. Dartois, using theta coordinates.

In 18, published at Asiacrypt 2024, A. Basso, L. de Feo, P. Dartois, A. Leroux, L. Maino, G. Pope, D. Robert, and B. Wesolowski introduce the SQISign2d protocol (in its West variant). This version improves on the SQISignHD version by keeping the fast signature and strong security proof while improving significantly on the verification time.

In 44, S. Kunzweiler, L. Maino T. Moriya C. Petit, G. Pope D. Robert, M. Stopar and Y.B. Ti look at hash functions from isogeny graphs in dimension up to $g=3$. They show that dimension 3 is more efficient than dimension 1 or 2.

The paper 27, by D. Robert, written for the NuTMiC 2024 invited talk, contains a survey on the representation of isogenies. It notably focus on the recent HD representation, which allows to give an efficient representation of any isogeny, and which had tremendous impacts on the field of isogeny based cryptography.

In 47, D. Robert introduces MIKE (module isogeny key exchange) a new Non Interactive Key Exchange protocol, which combine the best advantages of CSIDH and full non commutative supersingular isogeny graphs.

Using commutative isogeny graphs, like in CSIDH, allow to build a NIKE. But the graphs result from a commutative group action (by ideals of a class group), and the protocol is susceptible to a subexponential quantum attack. The idea of exploiting non commutative supersingular graphs was used in SIDH, but the protocol relied on extra torsion information (due to the difficulty of building a NIKE on a non commutative graph), and was spectacularly broken in 2022.

The idea of MIKE is to replace the ideal action by a Hermitian module action to get the benefit of a nice NIKE without the subexponential attack. In 47, D. Robert shows that supersingular graphs fit into this framework via their Weil restriction, which can be described by a rank 2 module action.

In 31, B. Allombert, J-F. Biasse, J. K. Eriksen, P. Kutas, C. Leonardi, A .Page, R .Scheidler, M. T. Bagi give new efficient parameters for SCALLOP, an isogeny based (full) group action. The main difference compared to SCALLOP is that they start from a non trivial class group at the top of the volcano. This required a large class group computation, done via tweaks to the Pari/GP algorithm.

The paper 6 by S. Arpin, J. Clements, P .Dartois, J. K. Eriksen, P. Kutas and B Wesolowski on finding orientations was published in esigns, Codes and Cryptography.

The paper 17 by B. Wesolowski on attacking the isogeny path problems in Drinfeld modules was published in IACR Communications in Cryptology.

The paper 21 by P. Dartois, L. Maino, G. Pope and D. Robert, using optimised formula for $2^n$-isogenies in dimension 2 was published in Asiacrypt 2024.

The paper 26 by A. Page and B. Wesolowski on the equivalence between the one endomorphism and the full endomorphism problem for supersingular elliptic curves has been published in Eurocrypt 2024.

8.5 Elliptic curves and abelian varieties

Participants: Elena Berardini, Andreas Enge, Sabrina Kunzweiler, Aurel Page, Damien Robert, Nicolas Sarkis.

In 15, published at ANTS 2024, S. Kunzweiler and D. Robert give a new method, using deformation and higher dimensional isogenies, to compute modular polynomials on elliptic curves. The algorithm is quasi-linear and does not rely on any assumption.

In 16, published in IACR Communications in Cryptology, D. Robert and N. Sarkis improve some formulas for computing 2-isogenies between Kummer lines, notably on variants of the Montgomery models.

They use these results in 46 to give new (faster) formulas for scalar multiplications on Montgomery curves.

A. Enge and M. Streng have completely rewritten their preprint 41. Using Shimura reciprocity and quadratic forms over totally real number fields they provide an easy to implement algorithm for deciding whether special values of Siegel modular functions of higher level define moduli of polarised abelian varieties and lead to class invariants defining unramified abelian field extensions. In this case, they determine a complete set of Galois conjugates. They also examine in detail under which conditions the invariants are real.

In 37 E. Berardini, A. Giangreco–Maidana and S. Marseglia characterize abelian surfaces defined over finite fields containing no curves of genus less than or equal to 3. They complete and expand the characterisation of isogeny classes of abelian surfaces with no curves of genus up to 2, then show that for simple abelian surfaces, containing a curve of genus 3 is equivalent to admitting a polarisation of degree 4. Thanks to this result, they can use existing algorithms to check which isomorphism classes in the isogeny classes containing no genus 2 curves have a polarisation of degree 4. Besides, they describe absolutely irreducible genus 3 curves lying on abelian surfaces containing no curves of genus less than or equal to 2, and show that their number of rational points is far from the Serre–Weil bound.

The paper 14 by J. Kieffer, A. Page and D. Robert on computing isogenies from modular polynomials in dimension 2 was published in Journal of Algebra.

8.6 Pairings

Participants: Damien Robert, Jean Gasnier.

In 45, D. Robert give new formulas to compute pairings on elliptic curves and abelian varieties by developing the arithmetic of biextensions and cubical arithmetic.

In 43, J. Gasnier and A. Guillevic given an algebraic point of view on the generation of pairing-friendly curves.

8.7 Lattices and Lattice-based cryptography

Participants: Guilhem Mureau, Alice Pellet-Mary, Wessel van Woerden.

In June 2023, the NIST started an additional post-quantum signature standardization process.2 The objective of this new call is to standardize one or more post-quantum signature scheme, different from the ones standardized so far. Members of the Canari team have studied the security of some of the new submissions, based on lattices and codes.

In 24, published in Crypto 2024, Felicitas Hörmann and Wessel van Woerden described a polynomial time attack against a NIST submission called FuLeeca. This submission uses codes in the Lee metric, which make the algorithmic problems very similar to lattice problems. Exploiting this connection with lattices, the authors were able to exploit leakage from the signatures to obtain a key-recovery attack against the scheme.

In 25, Guilhem Mureau, Alice Pellet-Mary, Heorhii Pliatsok and Alexandre Wallet studied the hardness of the module lattice isomorphism problem (module-LIP), which serve as a foundation for the security of Hawk, another signature scheme submitted to the NIST competition. The authors showed that when instantiated over totally real fields, the module-LIP problem becomes easy, and can be heuristically solved in polynomial time (when the modules have rank 2). This does not threaten the Hawk signature scheme since they use modules over a totally complex field, which is not subject to the attack.

In 13, published in Acta Crystallographica, M. D. Sikirić and W. van Woerden give a Complete classification of six-dimensional iso-edge domains.

In 28, published in Asiacrypt 2024, W. van Woerden shows that dense and smooth lattices exist in any genus.

8.8 Quantum algorithms for cryptanalysis

Participants: Razvan Barbulescu.

In 32, Razvan Barbulescu, Muguel Barcau and Vicentiu Pasol extended Regev's quantum algorithm to elliptic curves. Indeed, the extension is not direct because there is no natural notion of smallness for the points of an elliptic curve over a finite field. The speedup with respect to Shor tends to infinity with the input size and corresponds to a speedup pf factor 4 for some curves of the NIST list.

In 33, Razvan Barbulescu and Gaëtan Bisson proposed a variant of Regev's algorithm for hyperelliptic curves. When the genus g is large the speed-up is $min(g,\sqrt{(}n))$ which corresponds to the full potential of Regev's idea when the genus is very large, i.e. $g\ge \sqrt{n}$. In cryptography only the case $g=2$ is used and they propos a different improvement in this case, obtaining a speedup by a factor 7 for a curve used in cryptography. The algorithm suggests that, for quantum computing, the hypperelliptic curves are slightly weaker than elliptic curves.

8.9 Coding theory

Participants: Elena Berardini, Xavier Caruso, Fabrice Drain.

In a series of paper 10, 35, E. Berardini and X. Caruso defined new families of codes for the sum-rank metric. They first introduced linearized versions of Algebraic Geometry codes and studied their parameter, showing in particular that the obtained codes beat the (sum-rank analogue of the) Gilbert–Varshamov bound. They also introduced a linearized analogue of Reed–Muller codes.

In 38, X. Caruso and F. Drain obtained a complete classification of self-dual skew cyclic and skew negacyclic codes. They also provided efficient algorithms for sampling and enumerating them.

In  9, E. Berardini, A. Caminata and A. Ravagnani investigate CSS and CSS-T quantum error-correcting codes from the point of view of their existence, rarity, and performance.

In 36, E. Berardini, R. Dastbasteh, J. Etxezarreta Martinez, S. Jain and O. Sanz Larrarte give a new construction of binary quantum codes that enables the generation of a CSS-T code from any given CSS code. Using this construction, they prove the existence of asymptotically good binary CSS-T codes, resolving a previously open problem in the literature.

8.10 Effective analysis and certified arithmetic

Participants: Fredrik Johansson.

In 23, F. Johansson and J. van der Hoeven gave efficient algorithms to take advantage of precomputations when evaluating elementary functions in multiple precision arithmetic.

In 48, L .Stempfle, A .James, J .Josse, T .Gauss, F .Johansson study interpretable machine learning models with missing data.

9.1 International research visitors

9.2 National initiatives

• PEPR Technologies Quantiques

  Integrated project PQ-TLS: Post-quantum padlock for web browser

  with Inria teams Grace, Cosmiq, Prosecco Universities of Bordeaux, Rennes, Limoges, Versailles–St. Quentin, Rouen, St. Étienne, and ENS Lyon and CEA

  2022–2027, total budget 4180k€, of which 456k€ for Bordeaux

• PEPR Cybersécurité

  Integrated project CRYPTANALYSE: Cryptanalysis of classical cryptographic primitives

  with Inria teams Caramba, Cosmiq, Universities of Rennes, Amiens, Sorbonne, and CNRS

  2023–2028, total budget 5000k€, of which about 90k€ for Bordeaux

• HQI project (HPC-Quantum Initiative, France 2030)

  France Hybrid HPC Quantum Initiative, R&D et support

  17 partners in France; we will mainly work with LIP6 and ENS de Lyon

  2021–2027, 165k€ for Bordeaux

• ANR AGDE

  Arithmetic and geometry of discrete groups

  with Toulouse, Paris

  2021–2025, 45k€ for Bordeaux

• ANR Ciao

  Isogeny based cryptosystems, applications to verifiable delay functions and post-quantum cryptography (PI D. Robert)

  with Paris, Montpellier

  2019–2024, 150k€ for Bordeaux

• ANR/NSF Charm

  Cryptographic hardness of module lattices

  with Florida Atlantic, Cornell, ENS Lyon

  2021–2024, 205k€ for Bordeaux

• ANR NuSCAP

  Numerical safety for computer-aided proofs

  with Lyon, Nantes, Paris, Sophia-Antipolis, Toulouse

  2021–2025

• ANR PadLEfAn

  $p$-adic properties of $L$-functions effective and analytic aspects

  with Besançon, Caen

  2022–2026

• ANR Sangria

  Secure distributed computation: cryptography, combinatorics and computer algebra

  with Paris and région Occitanie

  2021–2025

• ANR TOTORO

  Towards new assumptions in lattice-based cryptography (PI A. Pellet--Mary)

  with Toulouse and Telecom Paris

  2023–2027, 186k€

• PEPS

  Groupe des points des variétés abéliennes sur les corps finis

  E. Berardini and F. Campagna (LMBP, UCA)

  2024, 4000€

10.1 Promoting scientific activities

10.2 Teaching - Supervision - Juries

• Andreas Enge has given a series of lectures on elementary, analytic and algorithmic number theory at the CIMPA school Algèbre, géométrie algébrique et applications à la théorie de l'information in Douala (Cameroun) https://­douala2024.­gaati.­org/.
• Alice Pellet-Mary has given a series of lectures on lattice based cryptography at the same CIMPA school in Douala (Cameroun).
• Sabrina Kunzweiler gave a lecture at the autumn school in supersingular isogenies in Taipei (Taiwan).

• K. Belabas
  • 64h course on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
  • 35h course on quantum algorithms, Master 2, University of Bordeaux
• X. Caruso
  • 35h course on quantum computing, Master 2, University of Bordeaux
• G. Castagnos
  • 24h course on cryptology, Master 1, University of Bordeaux
  • 36h course on advanced cryptography, Master 2, University of Bordeaux
  • 35h course on algorithmics of integers and polynomials, Bachelor, University of Bordeaux
• J.-M. Couveignes
  • 25h course on algorithmic arithmetics, Master, Université of Bordeaux
  • 160h course at CPBX (undegraduate program for student in engineering)
• A. Page
  • 27h exercise sessions on computer algebra, Master 2 (preparation for the Agrégation national competitive examination), University of Bordeaux
• E. Berardini
  • 24h course on information theory, Master 1, University of Bordeaux
  • 16h course on arithmetic and cryptology, Licence 3, University of Bordeaux

10.3 Popularization

• X. Caruso gave a general audience talk “Les idéaux d'Emmy Noether” at the Bibliothèque Nationale de France in the programme Un texte, un mathématicien

11.1 Major publications

• 1 inbookX.Xavier Caruso, A.Agnès David and A.Ariane Mézard. Can we dream of a 1-adic Langlands correspondence?2313Mathematics Going ForwardLecture Notes in MathematicsSpringer International Publishing2023, 537-560HALDOI
• 2 articleX.Xavier Caruso and Q.Quentin Gazda. Computation of classical and $v$-adic $L$-series of $t$-motives.Research in Number Theory2024. In press. HAL
• 3 inbookH.Henri Cohen. Computational Number Theory, Past, Present, and Future.2313Mathematics Going ForwardLecture Notes in MathematicsSpringer International Publishing2023, 561-578HALDOI
• 4 inproceedingsP.Pierrick Dartois, A.Antonin Leroux, D.Damien Robert and B.Benjamin Wesolowski. SQIsignHD: New Dimensions in Cryptography.Eurocrypt 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques14651Lecture Notes in Computer ScienceZurich (CH), SwitzerlandSpringer Nature SwitzerlandApril 2024, 3-32HALDOI
• 5 proceedingsD.Damien Robert, eds. Breaking SIDH in polynomial time.Advances in Cryptology – EUROCRYPT 202314008Lecture Notes in Computer ScienceSpringer Nature Switzerland; Springer Nature SwitzerlandMarch 2023, 472-503HALDOI

11.2 Publications of the year

11.3 Cited publications

• 49 softwareversion 0.4.3 February 2024 Software Heritage back to text
• 50 miscH.Henri Cohen. A Database of Continued Fractions of Polynomial Type.2024, URL: https://arxiv.org/abs/2409.06086back to text
• 51 miscH.Henri Cohen. Apéry Acceleration of Continued Fractions.2024, URL: https://arxiv.org/abs/2401.17720back to text