2023Activity reportProject-TeamCARAMBA

6.1.1 Belenios

• Name:
  Belenios - Verifiable online voting system
• Keyword:
  E-voting
• Functional Description:

  Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and the distribution of the decryption key (no one detains the secret key).

  Belenios supports various kind of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates and grade them.

  Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.

• News of the Year:

  In 2023, our platform was used to run about 1500 elections, with about 175,000 registered voters and 55,000 ballots counted.

  Some of the improvements made during this year are invisible for users. This includes the use of elliptic curves instead of finite fields, as a base group where the discrete logarithm problem is supposed to be hard. Also, some modifications have been made, so that the server can handle larger elections. This was successfully tested, with a real election of more than 30,000 voters.

  Other changes are visible to users. A new election administration interface based on a REST API is now available for beta-testing to the users. Also, the voter's journey has been slightly simplified, without impact on security. Finally, the STV counting system for preferential voting is now fully supported.

• URL:
  https://­www.­belenios.­org/
• Contact:
  Stéphane Glondu
• Participants:
  Pierrick Gaudry, Stéphane Glondu, Véronique Cortier
• Partners:
  CNRS, Inria

6.1.2 CADO-NFS

• Name:
  Crible Algébrique: Distribution, Optimisation - Number Field Sieve
• Keywords:
  Cryptography, Number theory
• Functional Description:
  Cado-NFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists in various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.
• News of the Year:
  In 2023, we worked on implementing in Cado-NFS some of the ideas planned in the context of the Kleptomaniac ANR project. In particular, the "double-matrix" feature is under active development. We also worked on removing the dependency on the MPFQ software library, which we are no longer developing, in favor of a more maintainable approach.
• URL:
  https://­cado-nfs.­inria.­fr/
• Contact:
  Emmanuel Thomé
• Participants:
  Pierrick Gaudry, Emmanuel Thomé, Paul Zimmermann

6.1.3 Drinfeld modules in SageMath

• Keywords:
  Computer algebra, Number theory
• Functional Description:

  This project is an implementation, starting from scratch, of Drinfeld modules in SageMath. This module has been directly merged into SageMath with version 10.0, and keeps evolving.

  Drinfeld modules are mathematical objects similar to elliptic curves, but in another setting, which is that of function fields.

  The aim of this implementation is to provide researchers with all basic computational tools for Drinfeld modules, and to build a reliable basis for future, more sophisticated algorithms.

• URL:
  https://­github.­com/­sagemath/­sage/­pull/­35026
• Contact:
  Antoine Leudière
• Participant:
  Antoine Leudière

6.1.4 TNFS-alpha

• Name:
  alpha for the Tower Number Field Sieve algorithm
• Keyword:
  Cryptography
• Functional Description:
  This library implements a simulation tool for the tower number field sieve algorithm computing discrete logarithms in extension fields of small degree (tested up to 54). The library contains an implementation of the exact computation of alpha, the bias between the expected smoothness of an integer and the expected smoothness of a norm of an algebraic integer in a number field made of two extensions. The algorithm is a generalization to extensions of the exact implementation of alpha in the software CADO-NFS. The software contains an implementation of the E-function of B. A. Murphy (Murphy's E) which estimates the quality of the polynomial selection step in TNFS through a simulation of the yield of the relation collection in the TNFS algorithm. Finally it contains a database of pairing-friendly curve seeds with the estimated level of security w.r.t a discrete logarithm computation in the corresponding finite field.
• URL:
  https://­gitlab.­inria.­fr/­tnfs-alpha/­alpha
• Publications:
  hal-03667798, hal-03371573, hal-02263098, hal-02396352
• Contact:
  Aurore Guillevic
• Participant:
  Aurore Guillevic

6.1.5 CORE-MATH

• Name:
  CORE-MATH
• Keywords:
  Arithmetic code, Floating-point, Correct Rounding
• Functional Description:
  CORE-MATH Mission: provide on-the-shelf open-source mathematical functions with correct rounding that can be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm)
• News of the Year:
  In 2023, all double-precision (binary64) functions from the C99 and C23 standards were designed with correct-rounding. These first implementations compete well in efficiency with the GNU libc or the Intel math library, which are not correctly rounded.
• URL:
  https://­core-math.­gitlabpages.­inria.­fr/
• Publication:
  hal-03721525
• Contact:
  Paul Zimmermann
• Participant:
  Paul Zimmermann

6.1.6 GNU-MPFR

• Keywords:
  Multiple-Precision, Floating-point, Correct Rounding
• Functional Description:
  GNU MPFR is an efficient arbitrary-precision floating-point library with well-defined semantics (copying the good ideas from the IEEE 754 standard), in particular correct rounding in 5 rounding modes. It provides about 100 mathematical functions, in addition to utility functions (assignments, conversions...). Special data (Not a Number, infinities, signed zeros) are handled like in the IEEE 754 standard. GNU MPFR is based on the mpn and mpz layers of the GMP library.
• URL:
  https://­www.­mpfr.­org/
• Publications:
  hal-01394289, hal-01502326, inria-00069930, inria-00070174, inria-00103655, inria-00000026
• Contact:
  Vincent Lefèvre
• Participants:
  Guillaume Hanrot, Paul Zimmermann, Philippe Théveny, Vincent Lefèvre

7.1.1 The CORE-MATH project

Participants: Paul Zimmermann.

The aim of the CORE-MATH project is to provide on-the-shelf open-source mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision (significand of 64 bits). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in 34.

The development of CORE-MATH forced us to revisit some classical algorithms, for example FastTwoSum in the context of directed rounding 37. In 2023, a full set of binary64 (double-precision) functions for the C99 and C23 standards was developed, with correct-rounding, and efficiency close to that of the current mathematical libraries (GNU libc, Intel mathematical library, LLVM). In particular, efficient algorithms were designed and implemented for the power function 24. The long version of this article with full proofs is available 35, which enabled our colleagues Laurent Théry and Laurence Rideau (Inria Sophia-Antipolis) to make a formal proof of the “fast path”.

7.1.2 Computing norms and characteristic polynomials on Drinfeld modules

Participants: Antoine Leudière.

Drinfeld modules are mathematical objects that lie at the intersection of number theory and computer science. They were introduced by Vladimir Drinfeld in 1974 to be the counterpart of elliptic curves in the setting of function fields. Drinfeld modules are now established as a standard tool for studying function fields.

We introduced new algorithms to compute characteristic polynomials of endomorphisms of Drinfeld modules, as well as norms of isogenies of Drinfeld modules 31. The former problem is a Drinfeld module equivalent to the problem of counting points on an elliptic curve; the latter is a generalization of the former. Works by Musleh and Schost already computed characteristic polynomials in a very specific case 45. Thanks to a new approach, our algorithms work in full generality and rely on simple linear algebra techniques. To our knowledge, it is also the first time that the problem of computing norms of isogenies is addressed.

We stress that in 2023, Schost and Musleh published an article in which they also compute characteristic polynomials of Drinfeld module endomorphisms 44. Their method, providing valuable insights, works for all endomorphisms and ranks. We provided a thorough comparison of the articles, and show that in many regimes, our algorithms are the fastest.

7.1.3 Drinfeld modules in SageMath

Participants: Antoine Leudière.

In April 2022, we began the first-ever implementation of Drinfeld modules to be included in the standard distribution of SageMath. Our contribution was merged in March 2023 and made available with version 10.0. The implementation is thoroughly integrated within the SageMath ecosystem and includes all basic operations on Drinfeld modules and their morphisms, as well as implementations of the algorithms mentioned in the previous point. A software presentation of our work was accepted at the 2023 International Symposium on Symbolic and Algebraic Computation (ISSAC) 15.

7.1.4 Dimension results for sparse polynomial systems

Participants: Pierre-Jean Spaenlehauer.

Polynomial systems arising in applications (for instance in cryptography) often feature monomial structures. Therefore, it is an important question to investigate how these structures can be used to speed up solving algorithms. This is the main topic of the collaboration between Pierre-Jean Spaenlehauer and Matías Bender (EPI TROPICAL). Toric varieties built from polyhedral fans provide a way to homogenize such sparse structures. In 29, we study in which cases such homogenizations may introduce generically high-dimensional artefacts that may harm the efficiency of the computations.

7.1.5 Search for worst cases

Participants: Paul Zimmermann.

To design correctly-rounded functions as in the CORE-MATH project, it is of utmost importance to know the “worst cases” of mathematical functions, i.e., inputs $x$ such that $f\left(x\right)$ has many zeros or ones after the round bit. Worst cases have been computed for the new C99 or C23 functions that have been developed in 2023. These worst cases are available from the CORE-MATH git repository, so that they can be used to check correct-rounding of other mathematical libraries.

7.2.1 On boomerang attacks on quadratic Feistel ciphers: new results on KATAN and Simon

Participants: Xavier Bonnetain, Virginie Lallemand.

This article 16 studies the application of the cryptanalysis technique called the boomerang attack to ciphers following a Feistel construction and having a quadratic round function. We prove that many previously published papers give erroneous approximations of the probability of the distinguishers they use (most of the time it invalidates the attacks while in a few cases they are better than expected). We next propose a new SMT model that takes into account our findings and we are able to propose a 19-round distinguisher of the cipher Simon-32/64 that we convert into a 25-round attack, which to the best of our knowledge reaches one more round than previously published results.

7.2.2 Flatness and structural analysis for the design of stream ciphers involving hybrid automata

Participants: Hamid Boukerrou, Marine Minier.

In 17, we deal with hybrid dynamical systems in the context of cybersecurity and Cyber–Physical Systems. It is shown how the design of a cipher, called self-synchronizing stream cipher, can be recast as control-theoretic issues, in particular left inversion, flatness and structural analysis. From an automatic control point of view, the main contribution lies in a methodology to construct generic flat LPV systems. Beyond pure control theoretic matters, the design also addresses computational complexity and security concerns. Those considerations motivate a hybrid architecture involving switched automata. A Proof-Of-Concept example illustrates the design of a statistical self-synchronizing stream cipher and the way how it operates to encrypt data flows. Those results and all the ones with the CRAN laboratory are also summarized in 26.

7.2.3 Finding many collisions via reusable quantum walks

Participants: Xavier Bonnetain.

This article 19 proposes an improved quantum algorithm to find multiple collisions. This new algorithm matches the lower bound for a large range of parameters. It has many direct cryptographic implications, such as impossible differentials in symmetric cryptography, or lattice sieving. In particular, thanks to our algorithm we obtain the most efficient generic heuristic algorithm for lattice reduction. It is a sieving algorithm with complexity $2^{0.2563d+o\left(d\right)}$, with $d$ the dimension of the lattice.

7.3.1 Individual discrete logarithm with sublattice reduction

Participants: Haetham Al Aswad, Cécile Pierrot.

The work 14 deals with the splitting step in the number field sieve for finite fields of composite extension degree. The splitting step consists in finding an element $R$ with a smooth norm and such that the logarithm of the target $T$ can be easily deduced from the logarithm of $R$. The current state of the art takes advantage of lattice-reduction algorithms, such as LLL and BKZ in order to find such an element $R$. In this work, the authors explore the use of sublattices of the lattices usually used and perform experiments to validate this idea. Moreover, the authors give an asymptotic analysis of the individual logarithm step in NFS when LLL or BKZ are used as lattice-reduction in this new algorithm. This work is published in the journal Designs, Codes and Cryptography.

7.3.2 Discrete logarithm factory

Participants: Haetham Al Aswad, Cécile Pierrot, Emmanuel Thomé.

In 28 we generalize Coppersmith's factory's algorithm to compute discrete logarithms in several non-prime finite fields. The Number Field Sieve and its variants are the best algorithms to solve the discrete logarithm problem in finite fields (except for the weak small characteristic case). The Factory variant accelerates the computation when several prime fields are targeted. This article adapts the Factory variant to non-prime finite fields of medium and large characteristic. This idea is combined with two other variants of NFS, namely the tower and special variants. This combination improves the asymptotic complexity. Besides, this work provides estimates of the practicality of this method for 1024-bit targets of extension degree 6: our findings indicate that the factory approach begins to pay off when the cryptanalysis target consists of a few dozen of such finite fields.

7.3.3 Discrete logarithm with Tower NFS

Participants: Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot.

The long version 18 of a previous work published in Asiacrypt 2021 has been published in the Journal of Cryptology. This describes the use of lattice techniques to implement the Tower NFS technique efficiently for discrete logarithm computations in finite fields in the so-called medium characteristic range. This long version includes in particular a new algorithm for making use of automorphisms in the linear algebra phase, by choosing appropriate Schirokauer maps.

7.3.4 An algebraic point of view on the generation of pairing-friendly curves

Participants: Aurore Guillevic.

The paper 33 with Jean Gasnier from the CANARI Team (Bordeaux) is the achievement of Jean Gasnier's Masters internship in 2022 co-advised in Bordeaux by Jean-Marc Couveignes and remotely from Denmark by Aurore Guillevic. It aims to generalize The Kachisa–Schaefer–Scott technique to find more pairing-friendly curves. The method allowed to obtain new curves for interesting embedding degrees, such as $k=20$. It also closed some dead-ends in the quest of finding prime-order pairing-friendly curves (only three constructions are known, the latest discovery being in 2005). It comes with two implementations, one written by Jean Gasnier to find curve families (see the CANARI team report and Subfield Method Gitlab Project), the other one to implement pairings on the new curves, see Pairings on Gasnier–Guillevic Curves Gitlab Project. The results were presented at the SIAM-AG conference and the paper is under review.

7.4.1 Coercion resistance in e-voting

Participants: Pierrick Gaudry, Quentin Yang.

In 22, we show that the JCJ e-voting protocol that is the basis of many coercion-resistant systems is flawed, in the sense that the tally phase leaks more information than it should. In some specific scenarios, this can give an advantage to a coercer. Therefore, we propose a new version of JCJ, CHide, which relies on the multi-party toolbox that we designed earlier in the context of tally-hiding  41. We also refine the existing formal definitions of coercion-resistance, in order to highlight the flaw, and prove that CHide fixes the problem.

In another work related to coercion resistance 23, in collaboration with Université Catholique de Louvain, we explore the relations between the notions of coercion resistance, receipt freeness, and cast as intended. We show some impossibility results and propose adapting the security notions, to make possible some of the combinations of these properties.

7.4.2 Cast-as-intended in e-voting

Participants: Pierrick Gaudry, Stéphane Glondu.

The cast-as-intended property in e-voting means that the system remains secure, even if the device used by the voter is compromised: if malware is present on the voter's computer, the voter should still have the guarantee that the encrypted ballot that is sent to the server contains their intended choice. In 20 we propose a new approach for this question, based on an audit procedure made by the voter, that does not leak their choice, and will detect a fraudulent device, with a probability of at least one-half. An attacker who would like to change many votes is likely to be detected.

7.4.3 Historical cryptology

Participants: Pierrick Gaudry, Cécile Pierrot, Paul Zimmermann.

An unknown and almost fully encrypted letter written in 1547 by Emperor Charles V to his ambassador at the French Court, Jean de Saint-Mauris, was identified in a public library, the Bibliothèque Stanislas (Nancy, France). As no decryption of this letter was previously published or even known, a team of cryptographers and historians gathered together to study the letter and its encryption system. First, multiple approaches and methods were tested in order to decipher the letter without any other specimen. Then, the letter has now been inserted within the whole correspondence between Charles and Saint-Mauris, and the key has been consolidated thanks to previous key reconstructions. Finally, the decryption effort enabled us to uncover the content of the letter and investigate more deeply both cryptanalysis challenges and encryption methods 25. This is joint work with Camille Desenclos (University of Picardie).

8.1.1 Consulting with Swiss Post

Participants: Pierrick Gaudry.

Together with the PESTO team, we have a long-term consulting activity with Swiss Post on the e-voting topic. In 2023 we started a new contract to help them design the next generation of their e-voting protocol.

8.1.2 Verifiability during the French legislative elections

Participants: Pierrick Gaudry, Stéphane Glondu.

Together with the PESTO team, we had a contract with the French Ministry of Foreign Affairs (MEAE), in the context of the legislative elections, for which the French citizens from abroad had the possibility to vote over the Internet. We played the role of external third-party, as required by the CNIL recommendations for such high-stake elections. While the contract was signed with the MEAE, it also involved interactions with the vendor of the solution (Voxaly), and the ANSSI who was the security advisor for the MEAE. In three districts, the 2022 elections were cancelled and therefore had to be done again in 2023.

This experiment of verifiability for a high stake election was documented and discussed in a research article that we published in the E-Vote-Id conference 21.

8.2.1 Preparation of the VCast start-up

Participants: Pierrick Gaudry, Stéphane Glondu.

In 2023, Stéphane Glondu joined the Inria Startup Studio program to prepare the creation of a society to exploit commercially the Belenios software. Michael Houalef, a person with a business background, joined the project. The society, called VCast, is to be launched in the first semester of 2024. Véronique Cortier (from PESTO) and Pierrick Gaudry, as co-founders of Belenios, were involved in the discussions concerning this creation.

9.1.1 Visits of international scientists

Our team received several international visits in 2023 (at most a week in duration, and most often a day or two): Yixin Shen (Royal Holloway University of London), Katharina Boudgoust (Aarhus University), Keegan Ryan (University of California San Diego), Steven Galbraith (University of Auckland).

9.2.1 PEPR Quantique, project PQ-TLS

Participants: Xavier Bonnetain, Pierre-Jean Spaenlehauer.

• Program: PEPR Quantique
• Project acronym: PQ-TLS
• Duration: 01/2022 - 12/2026
• Coordinator: Université de Rennes 1
• Other partners: Université de Limoges, Université de Rouen, Université de Bordeaux, Université de Saint-Quentin-en Yvelines, Université de Saint-Étienne, ENS de Lyon, Inria (GRACE, CARAMBA, COSMIQ, PROSECCO), CEA (Grenoble LETI), CNRS Labstic (Lorient).

Since 1996 and the discovery of Shor's algorithm, new quantum threats emerged against classical security protocols and cryptographic primitives. The objective of the PQ-TLS project is to design a quantum-safe version of the security layer of web protocols, via the integration of post-quantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developing new techniques to compare existing primitives from the quantum viewpoint and at promoting arising solutions from academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of post-quantum cryptography to its concrete implementations.

Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".

Pierre-Jean Spaenlehauer is the local scientific coordinator for the CARAMBA team.

9.2.2 PEPR Cybersécurité, project CRYPTANALYSE

Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, Emmanuel Thomé.

• Program: PEPR Cybersécurité
• Duration: 10/2023 - 09/2028
• Coordinator: Inria
• Other partners: Inria (CARAMBA, COSMIQ, CANARI/LFANT, CAPSULE), CNRS (Loria, Irisa, LMV, IMB, LIP6, LJK), Université de Rennes, Université de Montpellier, Université de Picardie Jules Verne, Université de Versailles–Saint-Quentin en Yvelines, Université de Bordeaux, Université Grenoble Alpes, Sorbonne Université.

Within the context of the national PEPR program “cybersecurité” (launched in 2021), a call for proposals was published in July 2023 to complement the set of topics with three new projects, among which one on the classical cryptanalysis of cryptographic primitives. We coordinated the nationwide answer to this call for proposals, submitted in September 2022, and the project was accepted on March 27, 2023. The project started on October 1, 2023.

Emmanuel Thomé and Gaëtan Leurent (Inria COSMIQ, Paris) lead the project. Several teams are involved. The project is divided into eight work packages, and the CARAMBA team is interested in most of them.

9.2.3 Projet ANR KLEPTOMANIAC

Participants: Pierrick Gaudry, Cécile Pierrot, Pierre-Jean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.

• Program: ANR AAPG
• Project acronym: KLEPTOMANIAC
• Duration: 01/2022 - 12/2025
• Coordinator: Inria Nancy
• Other partners: ANSSI, LIP6

The RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields were the first invented primitives of public-key cryptography.

It is hard to estimate the time and resources that are needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend that people either avoid RSA, or prefer large RSA key sizes for safety, above 2048 bits at least. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we do rely on cryptography that uses smaller key sizes.

We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA-1024 and DH-1024 as well as specific discrete logarithm-related problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.

In 2023, the work on the “double matrix” subtask initiated in 2022 was continued, in collaboration with Charles Bouillaguet (Sorbonne University). This work is integrated into a branch of Cado-NFS.

9.2.4 ANR Decrypt

Participants: Virginie Lallemand, Marine Minier.

• Program: ANR
• Project acronym: DECRYPT
• Duration: 01/2019 - 12/2023
• Coordinator: CARAMBA Team, LORIA
• Other partners: LIRIS (Lyon), LIMOS (Clermont-Ferrand), IRISA (Rennes), TASC (Nantes).

This project aimed to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project was to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project defined new dedicated global constraints, improved the underlying filtering and solution search algorithms, and proposed dedicated explanations generated automatically. See the website for more information.

9.2.5 ANR OREO

Participants: Xavier Bonnetain, Sébastien Duval, Virginie Lallemand, Marine Minier.

• Program: ANR
• Project acronym: OREO
• Duration: 01/2023 - 12/2026
• Coordinator: Irisa (Rennes).
• Other partners: LORIA (Nancy), LMV (Versailles).

This ANR project focuses on the use of Mixed Integer Linear Programming (MILP) in symmetric-key cryptography, a direction that enjoyed rapid recognition in the symmetric-key community following the article by Mouha et al  43.

MILP models can be used both to design and attack ciphers, but the technique suffers from several limitations, some of which we plan to address in this project. In particular, we aim to explore how to handle more complex cryptographic problems than what is done so far (yet ensuring a reasonable solving time). This might imply finding how to improve the modelization techniques or considering different approaches like first solving approximated models.

9.2.6 Cooperation with ANSSI on e-voting regulation

Participants: Pierrick Gaudry.

We participate in a working group led by ANSSI, the purpose of which is to help the governmental actors (CNIL, ANSSI) in defining the next documents regulating the use of electronic voting in France.

10.1.1 Scientific events: organisation

10.1.2 Journal

10.1.3 Invited talks

• Pierre-Jean Spaenlehauer was invited to give a talk at the Workshop Geometry of Polynomial System Solving, Optimization and Topology at Institut Henri Poincaré, Paris. (Workshop M5 of RTCA2023.)
• Marine Minier was invited to Journées de la Fédération Charles Hermite at Nancy, December 2023.
• Marine Minier was invited to the Codes Sources Seminar, Paris, February 2023.
• Emmanuel Thomé was invited to give a talk at RTCA2023 (workshop M3) in Lyon.
• Pierrick Gaudry was invited to give a talk at the Digistrust workshop, Nancy, December 2023.
• Pierrick Gaudry was invited to give a talk at the workshop in honor of Véronique Cortier, Nancy, January 2023.
• Aurore Guillevic was invited to give a talk at the WRACH 2023 workshop at Roscoff, France.
• Virginie Lallemand was invited to give a talk for the French-American Doctoral Exchange (FADex) program on cybersecurity.
• Cécile Pierrot was invited to give a talk at Ecole de Guerre, an event organised by l'Académie des Sciences.

10.1.4 Leadership within the scientific community

• Cécile Pierrot is a member of the steering committee of the French working group Code and Cryptography.
• Pierrick Gaudry is a member of the Conseil Scientifique of GdR IM.

10.1.5 Scientific expertise

• Marine Minier was a member of comité de sélection 61MCF1719, Université de Toulouse; comité de sélection 27MCF1634, Université de Lorraine; comité de sélection 27MCF0073, Université Clermont-Auvergne.
• Since November 2023, Marine Minier is a nominated member of the CNU 27.
• Emmanuel Thomé was a member of the recruitment panel for Inria Chargé de recherche and Starting Faculty positions at Inria Paris.
• Aurore Guillevic was a member of the comité de sélection 26MCF161, Université Grenoble Alpes.
• Pierrick Gaudry was a member of the comité de sélection 27MCF1053, Université de Montpellier.

10.1.6 Research administration

• Pierre-Jean Spaenlehauer is a member of the Commission de Développement Technologique (CDT) of the Centre Inria de l'Université de Lorraine. From December 2023, he is the head of the CDT.
• Aurore Guillevic was a member of the COMIPERS (commission du personnel).
• Marine Minier was adjoint director of the LORIA Lab until September 2023.
• Pierrick Gaudry is head of the Department 1 of LORIA, since June 2023.
• Pierrick Gaudry was a member of the Commission de Mention Informatique (CMI) of the École doctorale IAEM, and a member of the Comité des utilisateurs des moyens de calcul INRIA.
• Pierrick Gaudry and Marine Minier are members of the steering committee of the LHS – Laboratoire Haute Sécurité of LORIA.
• Xavier Bonnetain is the local coordinator of the Inria activity reports for the Inria Centre at Université de Lorraine (among them, this very document).
• Paul Zimmermann is member of the scientific committee of the EXPLOR computing center (Université de Lorraine).
• Cécile Pierrot is a member of the Bureau du Comité des Projets (BCP) at Inria Nancy.

10.2.1 Teaching

Marine Minier obtained an half Inria Delegation in 2023.

• Bachelor
  • Sébastien Duval, Algorithmique et Programmation 2, 40h eq. TD, L1 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Sébastien Duval, Algorithmique et Programmation 3, 26h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Sébastien Duval, Mathématiques Discrètes 2, 16h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Sébastien Duval, Introduction à la sécurité et à la cryptographie, 20h eq. TD, L3 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Marine Minier, Introduction à la sécurité et à la cryptographie, 35h eq. TD, L3, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
• Master
  • Sébastien Duval, Introduction à la cryptographie, 12h eq. TD, M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Sébastien Duval, Sécurité des Systèmes d'Information, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Sébastien Duval, Sécurité des Applications Web, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Marine Minier, Contrôle d'accès, 40h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Marine Minier, Intégration Méthodologique, 36h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Marine Minier Sécurité Informatique, 18h eq. TD, M2 droit IPIT, Université de Lorraine, France.
  • Marine Minier Introduction à la cryptographie, 18h eq. TD, M1 Informatique, Université de Lorraine Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
  • Marine Minier is head of the M2 SIRAV, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
• Engineering school
  • Cécile Pierrot, Introduction to Cryptography, 57h eq. TD, Mastère spécialisé de cybersécurité, École des Mines de Nancy, France.
  • Aurore Guillevic, Cryptographie avancée, 5A FISE IA2R (Master 2), 30h eq. TD, Université de Lorraine, Polytech Nancy, France.
  • Xavier Bonnetain, Algorithmique et complexité, 50h eq. TD, 1ere année (L3), Université de Lorraine, École des Mines de Nancy, France.

10.2.2 Supervision

• Ph.D. completed: Quentin Yang, Résistance à la coercition en vote électronique : conception et analyse 27, defended in June 2023, Pierrick Gaudry and Véronique Cortier (PESTO team).
• Ph.D. completed: Hamid Boukerrou, Design of new finite state dynamical systems admitting a matrix representation: Application to cryptography 26, defended in April 2023, Marine Minier and Gilles Millerioux.
• Ph.D. in progress: Haetham Al Aswad, Number field sieve for discrete logarithm, since Oct. 2021, Cécile Pierrot and Emmanuel Thomé.
• Ph.D. in progress: Antoine Leudière, Isogenies of Drinfeld modules and post-quantum cryptography, since Oct. 2021, Pierre-Jean Spaenlehauer and Emmanuel Thomé.
• Ph.D. in progress: Ana Rodriguez Cordero, Design and Cryptanalysis of New Symmetric Key Cryptographic Primitives, since Oct. 2021, Virginie Lallemand and Marine Minier.
• Ph.D. in progress: Leo Louistisserand, Conception et analyse de protocoles de vote utilisés ou utilisables en pratique, since Oct. 2023, Pierrick Gaudry and Véronique Cortier (PESTO team).
• Ph.D. in progress: Marie Bolzer, Algorithmique et outils automatiques pour la construction et l'analyse de composants de cryptographie symétrique, since Oct. 2023, Sébastien Duval and Marine Minier.
• Ph.D. in progress: Medhi Kermaoui, Quantum cryptanalysis of public-key cryptosystems, since Oct. 2023, Xavier Bonnetain and Pierrick Gaudry.
• Ph.D. in progress: Julien Soumier, Algorithmic of Isogenies of Abelian Varieties and Post-Quantum Cryptography, since Oct. 2023, Pierre-Jean Spaenlehauer and Pierrick Gaudry.

10.2.3 Juries

• Marine Minier was President of the PhD Jury of Aina Toky Rasoamanana (June 2023, Institut Polytechnique de Paris); president of the PhD jury of Tristan Benoît (December 2023, Lorraine University).
• Marine Minier was reviewer of the HDR of Hélène Le Bouder (October 2023, Université de Rennes); reviewer of the PhD thesis of Nicolas David (November 2023, Sorbonne Université); reviewer of the PhD thesis of Pierre Galissant (Décember 2023, Université de Versailles-Saint-Quentin-en-Yvelines).
• Emmanuel Thomé was President of the HDR jury of Benjamin Smith (October 2023, Institut Polytechnique de Paris).
• Paul Zimmermann was reviewer of the PhD thesis of Mehdi El Arar (December 2023, Université Paris-Saclay).

10.3.1 Internal or external Inria responsibilities

• Emmanuel Thomé was an elected member of the Inria Evaluation Committee until August 2023, and contributed to writing the summary of the four-year term of the committee 30.

10.3.2 Education

• Pierre-Jean Spaenlehauer and Paul Zimmermann participated in the Math-En-Jeans project. They supervised a group of teenagers from the Lycée Français Vauban du Luxembourg.
• Aurore Guillevic visited two classes at Saint Dié des Vosges and three at Saint-Louis (Haut-Rhin) for 1 scientifique 1 classe chiche.
• Aurore Guillevic participated to the Maths camp for high school female teenagers Cigognes in Ramonchamp, Vosges.
• Aurore Guillevic gave a talk at the Maths-en-Jeans day in Nancy, May 2.
• Paul Zimmermann participated to the “Fête de la Science” in Bouxurulles, a small village 50 kilometers in the south of Nancy, where he presented the work on deciphering the letter from Emperor Charles V, and the new MATh.en.JEANS problem proposed for 2023-2024 (October 2023).

10.3.3 Interventions

• Pierrick Gaudry gave a talk at the Cycle de conférences Sciences et Société, on the topic of electronic voting, in January 2023, Polytech, Nancy.
• Lucas Villaume and Paul Zimmermann organized an animation on the encrypted letter from Emperor Charles V at the “Nuit européenne des chercheurs” (Metz, November 2023).

International journals

• 14 articleH.Haetham Al Aswad and C.Cécile Pierrot. Individual Discrete Logarithm with Sublattice Reduction.Designs, Codes and Cryptography9112September 2023, 4059-4091HALDOIback to text
• 15 articleD.David Ayotte, X.Xavier Caruso, A.Antoine Leudière and J.Joseph Musleh. Drinfeld modules in SageMath.ACM Communications in Computer Algebra572June 2023, 65-71HALDOIback to text
• 16 articleX.Xavier Bonnetain and V.Virginie Lallemand. On Boomerang Attacks on Quadratic Feistel Ciphers: New results on KATAN and Simon.IACR Transactions on Symmetric Cryptology20233September 2023, 101-145HALDOIback to textback to text
• 17 articleH.Hamid Boukerrou, G.Gilles Millérioux, M.Marine Minier and T.Taha Boukhobza. Flatness and structural analysis for the design of stream ciphers involving hybrid automata.Nonlinear Analysis: Hybrid Systems52May 2024, 101443HALDOIback to text
• 18 articleG.Gabrielle de Micheli, P.Pierrick Gaudry and C.Cécile Pierrot. Lattice Enumeration and Automorphisms for Tower NFS: a 521-bit Discrete Logarithm Computation.Journal of Cryptology2023HALDOIback to text

International peer-reviewed conferences

• 19 inproceedingsX.Xavier Bonnetain, A.André Chailloux, A.André Schrottenloher and Y.Yixin Shen. Finding many Collisions via Reusable Quantum Walks: Application to Lattice Sieving.Lecture Notes in Computer ScienceEUROCRYPT 2023 - International Conference on the Theory and Applications of Cryptographic Techniques14008Lecture Notes in Computer ScienceLyon, FranceSpringer Nature SwitzerlandApril 2023, 221-251HALDOIback to text
• 20 inproceedingsV.Véronique Cortier, A.Alexandre Debant, P.Pierrick Gaudry and S.Stéphane Glondu. Belenios with cast as intended.Voting 2023 - 8th Workshop on Advances in Secure Electronic VotingBol, Brač, CroatiaMay 2023HALback to text
• 21 inproceedingsV.Véronique Cortier, P.Pierrick Gaudry, S.Stéphane Glondu and S.Sylvain Ruhault. French 2022 legislatives elections: a verifiability experiment.Proceedings E-Vote-Id 2023The E-Vote-ID Conference 2023Luxembourg City, LuxembourgOctober 2023HALback to text
• 22 inproceedings V.Véronique Cortier, P.Pierrick Gaudry and Q.Quentin Yang. Is the JCJ voting system really coercion-resistant? 37th IEEE Computer Security Foundations Symposium (CSF) CSF 2024 Enschede, Netherlands IEEE 2024 HAL back to text
• 23 inproceedings H.Henri Devillez, O.Olivier Pereira, T.Thomas Peters and Q.Quentin Yang. Can we cast a ballot as intended and be receipt free? IEEE Symposium on Security and Privacy 2024 San Francisco, United States May 2024 HAL back to text
• 24 inproceedingsT.Tom Hubrecht, C.-P.Claude-Pierre Jeannerod and P.Paul Zimmermann. Towards a correctly-rounded and fast power function in binary64 arithmetic.2023 IEEE 30th Symposium on Computer Arithmetic (ARITH 2023)2023 IEEE 30th Symposium on Computer Arithmetic (ARITH)Portland, Oregon (USA), United States2023HALback to text
• 25 inproceedingsC.Cécile Pierrot, C.Camille Desenclos, P.Pierrick Gaudry and P.Paul Zimmermann. Deciphering Charles Quint (A diplomatic letter from 1547).Linköping Electronic Conference Proceedings6th International Conference on Historical Cryptology, HistoCrypt195Munich, GermanyJune 2023, 148-158HALDOIback to text

Doctoral dissertations and habilitation theses

• 26 thesisH.Hamid Boukerrou. Design of new finite state dynamical systems admitting a matrix representation : Application to cryptography.Université de LorraineApril 2023HALback to textback to text
• 27 thesisQ.Quentin Yang. Résistance à la coercition en vote électronique : conception et analyse.Université de LorraineJune 2023HALback to text

Reports & preprints

• 28 miscH.Haetham Al Aswad, C.Cécile Pierrot and E.Emmanuel Thomé. Discrete Logarithm Factory.October 2023HALback to text
• 29 miscM. R.Matías R Bender and P.-J.Pierre-Jean Spaenlehauer. Dimension results for extremal-generic polynomial systems over complete toric varieties.May 2023HALback to textback to text
• 30 reportA.Anne Canteaut, M.Manuel Serrano, C.Céline Grandmont, G.Guillaume Pallez, V.Vincent Perrier, X.Xavier Rival and E.Emmanuel Thomé. Bilan de la mandature 2019-2023 de la Commission d'Évaluation Inria.InriaAugust 2023HALback to text
• 31 miscX.Xavier Caruso and A.Antoine Leudière. Algorithms for computing norms and characteristic polynomials on general Drinfeld modules.December 2023HALback to text
• 32 miscP.Paul Frixons, S.Sébastien Canard and L.Loïc Ferreira. Quantum Security of the UMTS-AKA Protocol and its Primitives, Milenage and TUAK.December 2023HAL
• 33 miscJ.Jean Gasnier and A.Aurore Guillevic. An Algebraic Point of View on the Generation of Pairing-Friendly Curves.September 2023HALback to text
• 34 miscB.Brian Gladman, V.Vincenzo Innocente and P.Paul Zimmermann. Accuracy of Mathematical Functions in Single, Double, Extended Double and Quadruple Precision.September 2023HALback to text
• 35 miscT.Tom Hubrecht, C.-P.Claude-Pierre Jeannerod and P.Paul Zimmermann. Towards a correctly-rounded and fast power function in binary64 arithmetic.July 2023HALback to textback to text
• 36 miscM.Maria Naya Plasencia, R.Ritam Bhaumik, A.André Chailloux, P.Paul Frixons and B.Bart Mennink. Block Cipher Doubling for a Post-Quantum World.December 2023HAL
• 37 miscP.Paul Zimmermann. Note on FastTwoSum with Directed Roundings.September 2023HALback to text

Patents

• 38 patentM.Marine Minier, S.Sandra Rasoamiaramanana and G.Gilles Macario-Rat. Secure method for data exchange between a terminal and a server.US Patent App. 17/777,906FranceJanuary 2023HAL

Softwares

• 39 softwareG.Guillaume Hanrot, P.Paul Zimmermann, V.Vincent Lefèvre, P.Patrick Pélissier and P.Philippe Théveny. GNU MPFR.4.2.0January 2023 lic: GNU General Public License.HALSoftware HeritageVCS