2024 Activity report: Project-Team CARAMBA
RNSR: 201622054G
- Research center: Inria Centre at Université de Lorraine
- In partnership with: Université de Lorraine, CNRS
- Team name: Cryptology, arithmetic: algebraic methods for better algorithms
- In collaboration with: Laboratoire lorrain de recherche en informatique et ses applications (LORIA)
- Domain: Algorithmics, Programming, Software and Architecture
- Theme: Algorithmics, Computer Algebra and Cryptology
Keywords
Computer Science and Digital Science
- A4.3.1. Public key cryptography
- A4.3.2. Secret key cryptography
- A4.8. Privacy-enhancing technologies
- A6.2.7. High performance computing
- A7.1. Algorithms
- A7.1.4. Quantum algorithms
- A8.4. Computer Algebra
- A8.5. Number theory
- A8.10. Computer arithmetic
Other Research Topics and Application Domains
- B8.5. Smart society
- B9.5.1. Computer science
- B9.5.2. Mathematics
- B9.10. Privacy
1 Team members, visitors, external collaborators
Research Scientists
- Emmanuel Thomé [Team leader, INRIA, Senior Researcher]
- Xavier Bonnetain [INRIA, Researcher]
- Clémence Bouvier [INRIA, Researcher, from Dec 2024]
- Pierrick Gaudry [CNRS, Senior Researcher]
- Aurore Guillevic [INRIA, Researcher, until Feb 2024]
- Jean Kieffer [CNRS, Researcher]
- Virginie Lallemand [CNRS, Researcher]
- Cécile Pierrot [INRIA, Researcher]
- Pierre Jean Spaenlehauer [INRIA, Researcher]
- Paul Zimmermann [INRIA, Senior Researcher]
Faculty Members
- Camille Desenclos [UNIV PICARDIE, Associate Professor Delegation, from Sep 2024]
- Sébastien Duval [UL, Associate Professor]
- Marine Minier [UL, Professor, from Sep 2024]
- Marine Minier [UL, Professor Delegation, until Aug 2024]
PhD Students
- Haetham Al Aswad [INRIA]
- Marie Bolzer [CNRS]
- Medhi Kermaoui [INRIA]
- Antoine Leudière [INRIA, until Sep 2024]
- Léo Louistisserand [CNRS]
- Ana Rodriguez Cordero [UL]
- Thierno Mamoudou Sabaly [CNRS, from Oct 2024]
- Julien Soumier [INRIA]
Interns and Apprentices
- Alexandre Benoist [INRIA, from Sep 2024 until Nov 2024]
- Alexandre Benoist [UL, Intern, from Mar 2024 until Jul 2024]
- Gaspard Charvy [ENS RENNES, Intern, from May 2024 until Jul 2024]
- Sélène Corbineau [ENS PARIS-SACLAY, Intern, from Jun 2024 until Aug 2024]
- Antonin Massart [CNRS, Intern, from Jun 2024 until Jul 2024]
- Victor Matrat [UL, Intern, until May 2024]
- Bryan Rakoto Dit Sedson [INRIA, Intern, from Jul 2024 until Aug 2024]
Administrative Assistants
- Nathalie Bethus [CNRS, from Mar 2024]
- Juline Brevillet [UL, until Nov 2024]
- Antoinette Courrier [CNRS]
- Emmanuelle Deschamps [INRIA]
- Gallown Nizard [UL, from Sep 2024]
Visiting Scientist
- Rocco Brunelli [UNIV ROME III, from Sep 2024]
2 Overall objectives
Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems.
The first axis (§3.1) of our research work studies these mathematical objects mostly for their own sake. Our expertise in computational mathematics and computer algebra allows us to contribute to the general algorithmic toolbox that makes these mathematical objects easy to work with in practice: computations with these objects must be effective and fast. A sizeable portion of our work in this domain is realized in the form of software projects, which are developed over long periods of time (GNU MPFR, for example, was initiated by members of our group several decades ago, and is still maintained and developed).
A second part of our work (axes §3.2 and §3.3) is centered on cryptographic motivations. Our work in this axis is usually rooted in exactly the same core competences as the ones we use in our first research axis. We consider the two facets of cryptology: cryptography and cryptanalysis. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones. While the basic principles of symmetric and asymmetric cryptography are rather different—indeed their names indicate different ways to handle the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition, both require studying design and analysis together, as these two aspects nurture each other.
Our last research axis (§3.4) uses our cryptographic knowledge to connect to more real world concerns, in connection with topics closer to computer security. Long-term aspects of this part of our activity are practical and theoretical research on electronic voting, and practical impact on key sizes of our factoring and discrete logarithm record computations. More isolated works in this axis include for instance some works on whitebox cryptography or on Internet of Things (IoT). We also consider our growing activity on historical cryptography as part of this axis where cryptography is only one part of the study.
3 Research program
3.1 Research axis 1: mathematical objects
Several mathematical objects are pervasive in our research. We sometimes study them per se, but they also play a key role as tools in other research topics. In particular, we study computer arithmetic, polynomial systems, linear algebra, algebraic curves and abelian varieties.
In the context of this research axis, we work on the key algorithms and mathematical results, as well as on the realization of these results in terms of software. In our approach, software is a key step in a feedback loop that goes from mathematics to algorithms, implementation, software, and back. By software here, we mean free and open-source software tools, often developed over several years, that can be used as dependable building blocks by us as well as by peers for reproducible research.
Our past and future topics in this research axis include the following:
- We seek algorithmic and practical improvements to the most basic algorithms in computer arithmetic. This includes for example the study of advanced algorithms for integer multiplication, and their practical reach, or refinements of the implementation and accuracy of elementary functions in arbitrary precision arithmetic. Our work includes mathematical reasoning, complexity analysis, and proofs of correctness.
- We initiated work (sometimes several years or even decades ago) on several software libraries for computer arithmetic, such as GNU MPFR, GNU MPC, GF2X, GMP-ECM, or more recently the CORE-MATH project. These libraries are typical of our research output in terms of software, and our new research results are regularly implemented in such libraries (either these libraries or new ones). We sometimes contribute to other open-source libraries such as FLINT.
- We develop algorithms and software for the computation of essential attributes of algebraic curves and abelian varieties such as Riemann-Roch spaces, group structures, isogenies, and characteristic polynomials. This perspective towards effective algebra is also found in our interest in sparse polynomial systems, with a particular eye towards exploiting specificities of their monomial structure to obtain faster algorithms for the computation of Gröbner bases. These algorithms often find applications in cryptography, and are sometimes a powerful tool from the perspective of research in mathematics as well.
Examples of publications in the recent past that illustrate our positioning on this research topic are [5, 32, 8, 45, 14, 56].
3.2 Research axis 2: secret-key cryptology
We study cryptographic and cryptanalytic aspects of secret-key primitives. We explore the following research directions in particular:
- We work on the formalization of various statistical cryptanalysis techniques, starting with boomerang attacks on which we recently gained strong expertise. We aim to properly define how to build such distinguishers and how to estimate their success probability, two central points for cryptanalysts. We intend to explore the potential of alternative techniques, such as differential-linear attacks for instance, to attack the most recent cipher primitives (such as the NIST lightweight AEAD ciphers, as well as others at various stages of their development).
- Beyond the classical linear and differential cryptanalysis techniques, we are interested in the automation of the analysis process by the development of tools based on constraint programming (CP), satisfiability (SAT) or mixed integer linear programming (MILP) settings.
- We also study new designs, and in particular new building blocks for future cryptographic primitives with design criteria that include resistance to advanced cryptanalysis techniques, using minimal resources.
- With the current progress of quantum computing, we need to assess the security of cryptosystems against a quantum computer, especially for long-term security. Hence, we study quantum cryptanalysis. We focus on quantum algorithms that are the most distinct from classical algorithms, like the algorithms for the hidden subgroup problem, and on quantum variants of our classical cryptanalyses. This research direction is also connected to public-key cryptography.
Examples of publications in the recent past that illustrate our positioning on this research topic are [41, 42, 51, 40, 47].
3.3 Research axis 3: public-key cryptographic primitives
Our team has been studying the mathematical building blocks of public-key cryptography for a long time. More specifically, we have a long-established record on the study of the public-key cryptographic primitives based on integer factorization and finite field discrete logarithm, as well as on algebraic curves, abelian varieties, and their applications in cryptography.
The algorithmic framework of the Number Field Sieve (NFS) addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.
Several of our current research directions in public-key cryptography are strongly connected to our general expertise on NFS:
- We intend to improve the cryptanalysis techniques for various instances of the discrete logarithm problem with methods of the index calculus family. A good example of this research is our recent work on the Tower Number Field Sieve (TNFS), which touches upon algorithmic results related to number fields, Galois theory, and Euclidean lattices.
- We work on improving the practical reach of NFS as an algorithm for the factorization of RSA moduli or the computation of discrete logarithms in finite fields. We have established several computational records in this domain, and we seek further algorithmic improvements, or technological advances, that can contribute to pushing the feasibility limit further.
- None of our work on NFS would be possible without access to a dependable software implementation. To this end, we have been developing the Cado-NFS software suite since 2007. Cado-NFS is now the reference implementation of NFS, and is a crucial platform for developing prototype implementations for new ideas for the many sub-algorithms of NFS. The continuation of its development is part of our research plan.
- In the specific context of elliptic-curve cryptography, and in particular pairing-based cryptography, our expertise allows us to provide insights on the balance between implementation efficiency and security of pairing constructions. This research is connected to the numerous application domains of pairings such as, for example, Succinct Non-interactive ARguments of Knowledge (zk-SNARKs). With A. Guillevic having left the group in February 2024, this theme has ended.
In addition to the above, we also study other aspects of public-key cryptography, such as cryptographic constructions using isogenies between elliptic curves or more general algebraic structures, as well as their security. We have a strong record on this topic in general. The algorithmic toolbox to deal with such objects was enriched in 2022 with new practical results of Castryck-Decru, Robert, and Wesolowski. This topic is clearly in our research agenda.
As in the case of secret-key cryptology, some of our research work also takes into account quantum algorithms, and possibly the interplay of quantum and classical algorithms.
Examples of publications in the recent past that illustrate our positioning on this research topic are [2, 52], as well as the Cado-NFS software described in §7.1.2.
3.4 Research axis 4: implications in computer security and the real world
The questions that we address in our last research axis are less problem-centered than above, and rather revolve around how the different building blocks that we work with can be assembled, and whether this leads to impactful results in computer security.
In particular, we work on the following topics:
- We have been working since 2016 on electronic voting, and our most visible work in this domain is Belenios, which is a protocol with a complete specification, a free software implementation, and a free-of-charge web platform that anyone can use to set up their elections. Some desirable properties in electronic voting are very hard to obtain in practice, and we contributed to theoretical research by proposing or analysing new schemes that could be used, while providing improved guarantees with respect to some of these difficult properties such as coercion-resistance, cast-as-intended, or accountability.
- Our public key work includes improvements of NFS, and we sometimes discuss the implications of this work in computer security, which is not necessarily the same angle. A good example is the Logjam attack in 2015, where the underlying cryptanalytic task (computing discrete logarithms in 512-bit prime fields) is not exciting in itself, yet we showed that it was a key ingredient in an impactful research result. This positioning is also found in our more recent research.
- We work in collaboration with project-team CARBONE on the interactions between cryptography and malware. We study the current resilience of cryptographic secrets in environments compromised by malware, and we propose countermeasures to protect cryptographic keys against such attackers.
Examples of publications in the recent past that illustrate our positioning on this research topic are [44, 4, 43, 48].
4 Application domains
4.1 Better awareness and avoidance of cryptanalytic threats
Our study of the Number Field Sieve algorithm and its variants aims to show how real the threats underlying various supposedly hard problems are. Our record computations, as well as new algorithms, contribute to a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for choosing appropriate cryptographic primitives. For example, the French ANSSI, the German BSI, or the NIST in the United States base their recommendations on such computational achievements.
The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy-compatibility trade-offs too lightly. Attacks such as LogJam [38] are understood as being serious concerns thanks to our convincing proofs of concept. In the LogJam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.
4.2 Promotion of better cryptography
We also promote the switch to algebraic curves as cryptographic primitives. Those offer remarkable speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), e.g., RSA, are gradually forced to adopt unwieldy key sizes to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in a wide range of our research activities: contributions to fast arithmetic and to the point counting problem, expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.
We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO project-team, and provides stronger guarantees than the current state of the art.
4.3 Key software tools
The vast majority of our work is eventually realized as software. We can roughly categorize it into two groups: software covering fundamental objects and more specialized software.
Our software covering fundamental objects includes the GNU MPFR, GNU MPC, and GF2X packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for each software tool allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of each software tool by the way it is used in, e.g., the GNU Compiler Collection (GCC), Victor Shoup's Number Theory Library (NTL), or the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure of the impact of our work.
We also develop more specialized software, aiming at quite diverse targets. Our flagship software package is Cado-NFS [55], and we also develop some others with various levels of maturity, such as GMP-ECM or Belenios. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible sources of inspiring material for others, it is again important that these be developed in a free and open-source development model.
5 Social and environmental responsibility
5.1 Footprint of research activities
- Marine Minier no longer travels by plane; she makes all her trips by train and bus.
6 Highlights of the year
Note: Readers are advised that the Institute does not endorse the text in the “Highlights of the year” section, which is the sole responsibility of the team leader.
- In December 2024, the Back in Time project, which involves members of the CARAMBA and ALMANACH project-teams, was awarded the innovation award as well as the Grand prize from the Historia magazine jury, see Prix Historia 2024.
- Google supported our research on CORE-MATH with an unrestricted gift of USD 50,000 in 2024.
- On a negative note, in Fall 2024, Inria signed its multi-year contract with the government, in the form of the Contrat d'objectifs, de moyens, et de performance (COMP). Irrespective of the actual content, we observe that this COMP cannot represent the views and aspirations of the research community at Inria since it was written by the Inria direction alone. Some informational meetings were indeed held in 2024, but those only touched upon small fragments of the COMP. Feedback from these meetings received scarce answers. An actual text version of the COMP was only shared in October once it had reached a nearly final form. In line with most researchers from Inria, we consider that this way of leading the institute is harmful to our research community.
7 New software, platforms, open data
7.1 New software
7.1.1 Belenios
- Name: Belenios - Verifiable online voting system
- Keyword: E-voting
- Functional Description: Belenios is an open-source online voting system that provides vote confidentiality and verifiability. End-to-end verifiability relies on the fact that the ballot box is public (voters can check that their ballots have been received) and on the fact that the tally is publicly verifiable (anyone can recount the votes). Vote confidentiality relies on the encryption of the votes and on the distribution of the decryption key (no single party holds the secret key).
Belenios supports various kinds of elections. In the standard mode, Belenios supports simple elections where voters simply select one or more candidates. It also supports arbitrary counting functions at the cost of a slightly more complex tally procedure for the authorities. For example, Belenios supports Condorcet, STV, and Majority Judgement, where voters rank candidates or grade them.
Belenios is available in several languages for the voters as well as the administrators of an election. More languages can be freely added by users.
- News of the Year: In 2024, our platform was used to run about 1500 elections, with about 215,000 registered voters and 62,000 ballots counted.
The main change is the new interface for election administrators, based on a REST API, which is now the default interface. The source code has benefited from a lot of refactoring and removal of legacy code, and this led to a major upgrade with Belenios 3.0.
The voter's journey has also been simplified, since voters no longer have to enter their credential. Instead, it is now included in the (private) link to the election that is sent to them.
- URL:
- Contact: Stéphane Glondu
- Participants: Pierrick Gaudry, Stéphane Glondu, Véronique Cortier
- Partners: CNRS, Inria
7.1.2 CADO-NFS
- Name: Crible Algébrique: Distribution, Optimisation - Number Field Sieve
- Keywords: Cryptography, Number theory
- Functional Description: Cado-NFS is a complete implementation in C/C++ of the Number Field Sieve (NFS) algorithm for factoring integers and computing discrete logarithms in finite fields. It consists of various programs corresponding to all the phases of the algorithm, and a general script that runs them, possibly in parallel over a network of computers.
- News of the Year: In 2024, CADO-NFS evolved only a little, and most of the activity was around maintenance and code modernization.
- URL:
- Contact: Emmanuel Thomé
- Participants: Pierrick Gaudry, Emmanuel Thomé, Paul Zimmermann
7.1.3 CORE-MATH
- Name: CORE-MATH
- Keywords: Arithmetic code, Floating-point, Correct Rounding
- Functional Description: CORE-MATH mission: provide off-the-shelf open-source mathematical functions with correct rounding that can be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm).
- News of the Year: In 2024, new functions were implemented in double-extended precision: expl, cbrtl, log2l, rsqrtl, powl, as well as the single-precision sincosf function.
- URL:
- Publication:
- Contact: Paul Zimmermann
- Participant: Paul Zimmermann
7.1.4 GNU MPFR
- Keywords: Multiple-Precision, Floating-point, Correct Rounding
- Functional Description: GNU MPFR is an efficient arbitrary-precision floating-point library with well-defined semantics (copying the good ideas from the IEEE 754 standard), in particular correct rounding in 5 rounding modes. It provides about 100 mathematical functions, in addition to utility functions (assignments, conversions, ...). Special data (Not a Number, infinities, signed zeros) are handled as in the IEEE 754 standard. GNU MPFR is based on the mpn and mpz layers of the GMP library.
- URL:
- Publications:
- Contact: Vincent Lefèvre
- Participants: Guillaume Hanrot, Paul Zimmermann, Philippe Theveny, Vincent Lefèvre
7.1.5 Riemann theta functions in FLINT
- Keywords: Numerical algorithm, Number theory
- Functional Description: This FLINT module, called acb_theta, allows the user to numerically evaluate Riemann theta functions in any dimension, with certified error bounds in the context of FLINT's interval arithmetic (formerly Arb). This implementation performs much better than other state-of-the-art software (SageMath, Magma). Moreover, the algorithm used is quasi-linear in terms of the required precision. The goal of this module is to encourage the use of numerical computations on Riemann theta functions, in particular for applications in number theory.
- News of the Year: The acb_theta module has been part of FLINT since version 3.1.0 (February 2024). Development continues to make the code faster and more reliable.
- URL:
- Contact: Jean Kieffer
- Participant: Jean Kieffer
7.2 New platforms
In the context of the CRYPTANALYSE project of PEPR Cybersécurité, a computer cluster was acquired (to be used by all teams in the project). This cluster was installed in Fall 2024, and has been operational since December 2024. It is part of the Inria Abaca (“moyens de calcul”) platform, and is located in Nancy at the local datacenter (DCML, “Datacenter Mutualisé Lorrain”). The cluster comprises 16 nodes of 256 physical cores each, with 16 TB of RAM in total and an InfiniBand HDR interconnect.
8 New results
8.1 Mathematical objects
8.1.1 The CORE-MATH project
Participants: Sélène Corbineau, Paul Zimmermann.
The aim of the CORE-MATH project is to provide off-the-shelf open-source mathematical functions with correct rounding that will be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision format (64-bit significand). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in [31]. Together with Nicolas Brisebarre, Guillaume Hanrot and Jean-Michel Muller (AriC project and Cryptolab), we study why correctly-rounded results are important, how they can be obtained and at what cost [26].
In 2024, the first implementations in double-extended precision were published in CORE-MATH, and show that avoiding all internal computations with that format can yield very good performance [28]. The preprint on the FastTwoSum algorithm [29] was extended to deal with the case where the first argument is smaller in absolute value than the second one. We extended this work with Claude-Pierre Jeannerod (AriC project-team, Inria Lyon) and completely revisited the study of the FastTwoSum algorithm, with improved upper bounds [33].
Related to CORE-MATH, a note on the accuracy of complex mathematical operations and functions was written with Paul Caprioli (High Performance Kernels LLC) and Vincenzo Innocente (CERN) [27]. It demonstrates that even for simple operations on complex numbers (multiplication, division, power), some current compilers are far from giving a correctly-rounded result.
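As an added illustration of the two preceding paragraphs (this is not CORE-MATH code), the following C program implements the standard error-free transformations FastTwoSum, TwoSum and Dekker's TwoProduct, shows on a constructed pair of doubles that FastTwoSum returns a wrong error term when its first argument is the smaller one, and shows a constructed complex product whose real part the textbook formula computes as 0 while the compensated version returns the correctly rounded value. It assumes IEEE 754 binary64 arithmetic with no extended intermediate precision (x86-64 SSE2 or AArch64).

```c
#include <stdio.h>

/* Added illustration for this report; not CORE-MATH code.  Assumes IEEE 754
 * binary64 arithmetic with no extended intermediate precision (x86-64 SSE2,
 * AArch64).  The volatile qualifiers prevent the compiler from contracting a
 * multiply and a subtract into one fma, which would change the roundings
 * this program is meant to exhibit. */

/* FastTwoSum: s = fl(a+b) and e = (a+b) - s.  Exact only when |a| >= |b|
 * (more precisely, when the exponent of a is at least that of b). */
static double fast_two_sum(double a, double b, double *e)
{
    double s = a + b;
    double z = s - a;       /* exact under the precondition, not in general */
    *e = b - z;
    return s;
}

/* TwoSum (Knuth): exact for any a, b without overflow, six operations. */
static double two_sum(double a, double b, double *e)
{
    double s = a + b;
    double bb = s - a;
    *e = (a - (s - bb)) + (b - bb);
    return s;
}

/* 1 if FastTwoSum(a, b) recovers the true rounding error, 0 otherwise. */
static int fast_two_sum_is_exact(double a, double b)
{
    double ef, et;
    fast_two_sum(a, b, &ef);
    two_sum(a, b, &et);
    return ef == et;
}

/* Veltkamp splitting: x = hi + lo with hi and lo each fitting in 26 bits,
 * so that products of halves are exact in binary64. */
static void split(double x, double *hi, double *lo)
{
    volatile double t = 134217729.0 * x;    /* (2^27 + 1) * x, rounded */
    volatile double u = t - x;
    *hi = t - u;
    *lo = x - *hi;
}

/* Dekker TwoProduct: p = fl(a*b) and e = a*b - p, exact barring over- or
 * underflow.  With a hardware fma this is simply e = fma(a, b, -p). */
static double two_product(double a, double b, double *e)
{
    double p = a * b, ah, al, bh, bl;
    split(a, &ah, &al);
    split(b, &bh, &bl);
    *e = ((ah * bh - p) + ah * bl + al * bh) + al * bl;
    return p;
}

/* Real part of (a+ib)(c+id) as the textbook formula computes it:
 * fl(fl(a*c) - fl(b*d)).  When a*c and b*d nearly cancel, the bits
 * discarded by the two product roundings are all that should remain. */
static double re_naive(double a, double b, double c, double d)
{
    volatile double ac = a * c, bd = b * d;
    return ac - bd;
}

/* Compensated real part: keep the two product errors and the error of the
 * subtraction, then fold them back in. */
static double re_compensated(double a, double b, double c, double d)
{
    double e1, e2, e3;
    double p1 = two_product(a, c, &e1);
    double p2 = two_product(b, d, &e2);
    double r = two_sum(p1, -p2, &e3);
    return r + ((e3 + e1) - e2);
}

int main(void)
{
    /* Constructed inputs: 1 + 2^-52 + 2^-60 is not representable, so the
     * exact error of the rounded sum is 2^-60. */
    double small = 0x1p-60, big = 1.0 + 0x1p-52, e;
    fast_two_sum(small, big, &e);
    printf("FastTwoSum(small, big) error term: %a (wrong)\n", e);
    fast_two_sum(big, small, &e);
    printf("FastTwoSum(big, small) error term: %a (right)\n", e);
    two_sum(small, big, &e);
    printf("TwoSum(small, big) error term:     %a (right)\n", e);

    /* Constructed complex product: Re((a+ib)(a+i)) is exactly 2^-54, but
     * fl(a*a) and fl(b*1) are both 1 + 2^-26 and cancel to 0. */
    double a = 1.0 + 0x1p-27, b = 1.0 + 0x1p-26;
    printf("Re naive: %a, compensated: %a\n",
           re_naive(a, b, a, 1.0), re_compensated(a, b, a, 1.0));
    return 0;
}
```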
Several correctly-rounded single-precision functions from the CORE-MATH project have been integrated into the GNU C library (GNU libc), and will thus be available with release 2.41 of GNU libc, which will be published end of January 2025. The GNU libc is used in all Linux distributions. We expect that this adoption process will continue over the next few months and next releases of the GNU libc.
8.1.2 Dimension results for sparse polynomial systems
Participants: Pierre-Jean Spaenlehauer.
Polynomial systems arising in applications (for instance in cryptography) often feature monomial structures. Therefore, it is an important question to investigate how these structures can be used to speed up solving algorithms. This is the main topic of the collaboration between Pierre-Jean Spaenlehauer and Matías Bender (TROPICAL team). Toric varieties built from polyhedral fans provide a way to homogenize such sparse structures. In [8], we study in which cases such homogenizations may introduce generically high-dimensional artefacts that may harm the efficiency of the computations. In 2024, we did the final revision of the paper, before its publication in the Journal of Algebra.
8.1.3 Computing isomorphisms between superspecial abelian surfaces
Participants: Pierrick Gaudry, Julien Soumier, Pierre-Jean Spaenlehauer.
Recent advances in isogeny-based post-quantum cryptography have shed light on the importance of algorithms for abelian varieties of dimension
8.1.4 Search for worst cases
Participants: Paul Zimmermann.
To design correctly-rounded functions as in the CORE-MATH project, it is of utmost importance to know the “worst cases” of mathematical functions, i.e., inputs
8.1.5 Fast evaluation of Riemann theta functions
Participants: Jean Kieffer.
The Riemann theta functions are a family of complex-analytic special functions that are intimately related to the theory of abelian varieties (of any dimension
In collaboration with Noam D. Elkies, we constructed a new, fast algorithm for evaluating Riemann theta functions in any dimension
8.1.6 Point counting on abelian surfaces over finite fields
Participants: Alexandre Benoist, Jean Kieffer.
Given a genus 2 curve over a finite field of cryptographic size, it is still a computational challenge today to compute its number of points, a necessary step for classical cryptography based on hyperelliptic curves. While the Schoof–Elkies–Atkin (SEA) algorithm, which solves the problem in the case of elliptic curves, has been known for 30 years, its generalization to genus 2 has only recently been described in Jean Kieffer's Ph.D. thesis and a sizeable amount of work remains before its full implementation. One key step in this algorithm is to compute isogenies between Jacobians of genus 2 curves from modular polynomials, as explained in [14]; implementing this algorithm beyond toy examples remains to be done. Further work was also carried out last year on another step, namely the evaluation of modular polynomials using theta functions, to incorporate recent results on Riemann theta functions [34].
During his M2 internship and subsequent fall internship, Alexandre Benoist was able to generalize a key result in the complexity analysis of SEA to higher dimensions, namely that there exist sufficiently many small-degree isogenies in a precise sense [25].
8.1.7 Isogeny classes of abelian surfaces over number fields
Participants: Jean Kieffer.
Another use for the fast algorithms to evaluate Riemann theta functions, more geared towards fundamental arithmetic geometry, is to compute isogeny classes. The situation for elliptic curves is well understood, so we consider dimension 2: we fix a number field
In collaboration with Raymond van Bommel, Shiva Chidambaram and Edgar Costa, we presented and implemented an algorithm solving this problem for genus 2 curves over
8.1.8 Computing spaces of Siegel modular forms
Participants: Jean Kieffer.
In this joint project with Eran Assaf and Fabien Cléry, we investigate Siegel modular forms, which are generalizations of the classical modular forms in number theory. While classical modular forms may be viewed as invariants of elliptic curves (i.e., functions whose input is an elliptic curve), Siegel modular forms are invariants for principally polarized abelian varieties of any fixed dimension
The theory is much less understood for
8.2 Secret-key cryptology
8.2.1 Improving generic attacks using exceptional functions
Participants: Xavier Bonnetain.
The article 19 explores the use of functions whose graph admits an exceptionally small cycle for various cryptanalyses.
First, we improve the generic attack against the Duplex authenticated encryption sponge mode from
8.2.2 On impossible boomerang attacks — application to Simon and SKINNYee
Participants: Xavier Bonnetain, Margarita Cordero, Virginie Lallemand, Marine Minier.
The impossible boomerang attack is a technique that uses impossible boomerang distinguishers to discard incorrect key guesses, in a similar manner to what is done in impossible differential attacks. In 9 we study possible extensions of the original technique of Jiqiang Lu by looking at finer-level contradictions that derive from boomerang switch constraints. For Sbox-based ciphers we show how to leverage the BCT theory and rely on a coefficient of value 0, while we show how similar ideas can be developed for bit-oriented ciphers and in particular quadratic Feistel ciphers. We propose two applications of our technique: a 23-round attack on Simon-32/64 and a 29-round attack of the recently-proposed tweakable block cipher SKINNYee. This last attack breaks two more rounds than the previous best known attack on SKINNYee.
8.2.3 A note on related-tweakey impossible differential attacks
Participants: Xavier Bonnetain, Virginie Lallemand.
In the note 10 we review the technique proposed at ToSC 2018 by Sadeghi et al. for attacks built upon several related-tweakey impossible differential trails and show that the technique is flawed. We describe how to fix the problem and provide generic formulas that estimate the time, data and memory complexity of such a process. We apply these to patch several papers that reused the flawed technique. Fortunately, the patched complexities are close to the wrong ones, and the same number of rounds can be attacked.
8.2.4 Masked iterate-fork-iterate: a new design paradigm for tweakable expanding pseudorandom function
Participants: Virginie Lallemand, Marine Minier.
In 17 we study fixed-length Tweakable PseudoRandom Function (TPRF) with large domain extension, a novel primitive that can bring high security and significant performance optimizations in symmetric schemes, such as (authenticated) encryption. We introduce a new design paradigm, derived from the Iterate-Fork-Iterate construction, in order to build
We also design two provably secure DAE (deterministic authenticated encryption) schemes: SAFE and ZAFE. Both schemes come with approximately
8.2.5 Single-query quantum hidden shift attacks
Participants: Xavier Bonnetain.
The article 11 proposes a new approach for quantum cryptanalysis that allows to leverage hidden shift properties from a single call to a function. This extends the scope of applicable constructions to ones where the shift changes at each query, at the expense of a very small individual success probability, meaning that multiple independent (and parallelizable) runs are needed. We give dedicated state-recovery attacks on the authenticated encryption schemes Rocca, Rocca-S, Tiaoxin-346 and AEGIS-128L. We stress that these attacks do not break any security claim of the authors, and do not threaten the schemes if the adversary only makes classical queries.
8.2.6 Automatic boomerang attacks search on Rijndael
Participants: Marine Minier.
In 15, we show how to adapt the model proposed in 2020 by Delaune et al. 46 for related-key boomerang attacks on the block cipher SKINNY to the Rijndael case. Rijndael is composed of 25 instances that can be seen as generalizations of the Advanced Encryption Standard. We detail our models and present the results we obtain concerning related-key boomerang attacks on Rijndael. Notably, we present a nine-round attack against Rijndael-128-160 (which has 11 rounds), which beats all previous cryptanalytic results against Rijndael-128-160.
8.2.7 Provable randomness over lightweight permutations
Participants: Marine Minier.
In 13, we look at the properties of tiny transformations employing permutations and a few field operations. That gives functions with few components, which can be safely used either as PRG building blocks or as a component in lightweight ciphers. At the end, we propose a PRG implementation with those components. Lastly, we formalize a key assumption over the system functions and give a theorem for the equivalence of some system instances.
8.3 Public-key cryptology
8.3.1 Discrete logarithm factory
Participants: Haetham Al Aswad, Cécile Pierrot, Emmanuel Thomé.
In 6, we generalize Coppersmith's Factory algorithm to compute discrete logarithms in several non-prime finite fields. NFS and its variants are the best algorithms to solve the discrete logarithm problem in finite fields (except for the weak small-characteristic case). The Factory variant accelerates the computation when several prime fields are targeted. This article adapts the Factory variant to non-prime finite fields of medium and large characteristic. This idea is combined with two other variants of NFS, namely the tower and special variants. This combination improves the asymptotic complexity. Besides, this work provides estimates of the practicality of this method for 1024-bit targets of extension degree 6: our findings indicate that the factory approach begins to pay off when the cryptanalysis target consists of a few dozen such finite fields. This work is published in the journal Communications in Cryptology.
8.3.2 Pairing-friendly elliptic curves
Participants: Aurore Guillevic.
The paper 7 is an overview of pairing-friendly elliptic curves at the (classical) 192-bit security level, which can be of interest for hybridization. It comes with a security analysis with respect to a discrete logarithm computation with the Tower Number Field Sieve algorithm (TNFS) in the target finite field of the elliptic curves. For practical considerations, the curves are implemented and benchmarked within the open-source library RELIC toolkit.
The paper 49 with Jean Gasnier from the CANARI team (Bordeaux) is the achievement of Jean Gasnier's Masters internship in 2022, co-advised in Bordeaux by Jean-Marc Couveignes and remotely from Denmark by Aurore Guillevic. It aims to generalize the Kachisa–Schaefer–Scott technique to find new parameterized families of pairing-friendly curves. The method made it possible to obtain new curves for interesting embedding degrees, such as
8.3.3 Quantum Lattice Enumeration in Limited Depth
Participants: Xavier Bonnetain.
Enumeration is, with sieving, one of the two main approaches to generic lattice reduction. Previous works proposed a quantum walk-based algorithm, and argued that contrary to the quantum counterparts of sieving, quantum enumeration achieves at least a quadratic asymptotic speedup like Grover search while not requiring exponential amounts of quantum-accessible classical memory. In 18, we explore how to bound below the cost of quantum lattice enumeration with extreme cylinder pruning, assuming a limit to the maximum depth that a quantum computation can achieve without decohering, with the objective of better understanding the practical applicability of quantum backtracking in lattice cryptanalysis.
8.4 Implications in computer security and the real world
8.4.1 Secure postal voting
Participants: Pierrick Gaudry, Léo Louistisserand.
In 30, we propose a new protocol, called Vote&Check, which is a postal voting scheme, in the sense that the voters receive their material by postal mail, and send back their vote by the same means, after having ticked the candidate of their choice.
Voters who have access to a computing device (mobile phone, personal computer) and to an Internet connection can perform additional (and optional) checks that provide verifiability properties to them. Typically, they can verify that their ballot has arrived at its destination, and that it has been counted. Of course, this is done without losing vote secrecy.
More generally, a thorough analysis of the security properties is given in the paper, together with a formal proof of the claims, using the Proverif tool.
8.4.2 Cast-as-intended in e-voting
Participants: Pierrick Gaudry.
The cast-as-intended property in e-voting means that the system remains secure even if the device used by the voter is compromised: if malware is present on the voter's computer, the voter should still have the guarantee that the encrypted ballot sent to the server contains their intended choice. The Belenios-CAI approach relies on an audit procedure performed by the voter, which does not leak their choice and will detect a fraudulent device with a probability of at least one-half. In 20, we investigate the usability of this technique by typical voters. For this, we designed some improvements to the basic Belenios-CAI mechanism and performed a user study. This shows that adding this mechanism reduces the usability score, but not to the point of making it unusable.
8.4.3 Belenios: the certification campaign
Participants: Pierrick Gaudry.
In 23, together with colleagues of Quarkslab, we present our work on the security evaluation of the Belenios voting solution as a Certification de Sécurité de Premier Niveau, the French simpler alternative to the Common Criteria. We present the steps taken by the LORIA, who designed Belenios, and Quarkslab, who carried out the evaluation, as well as our exchanges with the ANSSI, who coordinated everything. We also hope to start a more general discussion on how to evaluate the security of e-voting systems in practice, as they are difficult to compare with other types of software, and any vulnerability may have an impact at a large scale.
8.4.4 Cryptography and malware
Participants: Sébastien Duval.
In 39, we work with Matthieu Amet, Guillaume Bonfante and Oussama Ben Moussa from project-team CARBONE to study the interactions between cryptography and malware. By scrutinizing the real-world cryptography used in protocols such as HTTPS, SSH or Git, we show that malware running on a compromised computer could recover some of the secret keys of the communications. We show how machine-learning techniques can help recognize the parts of a program's execution that manipulate secrets, and how it is then possible to recover the actual secrets in practice. We show the examples of identifying the cryptographic functions in an HTTPS connection, and of recovering the private key during an OpenSSL RSA key generation.
9 Bilateral contracts and grants with industry
9.1 Bilateral contracts with industry
9.1.1 Collaboration with Google on correct rounding
Participants: Paul Zimmermann.
Although this is not formalized by a contract, we maintain regular contacts (via monthly video conferences) with the LLVM/libc group (Google), in particular Tue Ly, discussing our different approaches for correct rounding of mathematical functions between CORE-MATH and LLVM/libc.
9.1.2 Consulting with Swiss Post
Participants: Pierrick Gaudry.
Together with the PESTO team, we have a long-term consulting activity with Swiss Post on the e-voting topic. In 2024 we have been working on the design of the next generation of their e-voting protocol. This is a long-term process, which involves interaction with the Federal Chancellery, which coordinates the certification of the product for use in political elections.
9.1.3 Consulting with the BSI
Participants: Pierrick Gaudry.
The Bundesamt für Sicherheit in der Informationstechnik (BSI) has issued a call for a report on the mechanisms that are used or that could be used to ensure end-to-end verifiability in electronic voting. The CNRS was a partner of the consortium that answered the call. More specifically, we participated in the analysis of the efficiency criteria, to be used for evaluating the mechanisms.
10 Partnerships and cooperations
10.1 International research visitors
10.1.1 Visits of international scientists
Our team received several international visits in 2024 (at most a week in duration, and most often a day or two): Hosein Hadipour (Graz University of Technology), Travis Morrison (Virginia Tech), Nadia Heninger (UC San Diego), Peter Schwabe (MPI Bochum), Yuval Yarom (MPI Bochum).
Other international visits to the team
- Rocco Brunelli
- Status: Ph.D.
- Institution of origin: University of Roma
- Country: Italy
- Dates: 04/09/2024-28/02/2025
- Context of the visit: work on TAGADA
- Mobility program/type of mobility: research stay
10.2 European initiatives
10.2.1 Horizon Europe
CARAMBA is part of the European consortium proposal PQ-MICs (HORIZON 2024) headed by KU Leuven, whose Inria coordinator is Damien Robert (CANARI team, Bordeaux). The aim of this project is to strengthen the post-quantum cryptographic transition by studying alternatives to lattices, namely multivariate systems, isogenies, and linear codes.
10.3 National initiatives
10.3.1 PEPR Quantique, project PQ-TLS
Participants: Xavier Bonnetain, Pierre-Jean Spaenlehauer.
- Program: PEPR Quantique
- Project acronym: PQ-TLS
- Duration: 01/2022 - 12/2026
- Coordinator: Université de Rennes 1
- Other partners: Université de Limoges, Université de Rouen, Université de Bordeaux, Université de Saint-Quentin-en Yvelines, Université de Saint-Étienne, ENS de Lyon, Inria (GRACE, CARAMBA, COSMIQ, PROSECCO), CEA (Grenoble LETI), CNRS Labstic (Lorient).
Since 1996 and the discovery of Shor's algorithm, new quantum threats have emerged against classical security protocols and cryptographic primitives. The objective of the PQ-TLS project is to design a quantum-safe version of the security layer of web protocols, via the integration of post-quantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developing new techniques to compare existing primitives from the quantum viewpoint and at promoting arising solutions from academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of post-quantum cryptography to its concrete implementations.
Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".
Pierre-Jean Spaenlehauer is the local scientific coordinator for the CARAMBA team.
10.3.2 PEPR Cybersécurité, project CRYPTANALYSE
Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, Emmanuel Thomé.
- Program: PEPR Cybersécurité
- Duration: 10/2023 - 09/2028
- Coordinator: Inria
- Other partners: Inria (CARAMBA, COSMIQ, CANARI/LFANT, CAPSULE), CNRS (Loria, Irisa, LMV, IMB, LIP6, LJK), Université de Rennes, Université de Montpellier, Université de Picardie Jules Verne, Université de Versailles–Saint-Quentin en Yvelines, Université de Bordeaux, Université Grenoble Alpes, Sorbonne Université.
Within the context of the national PEPR program “cybersecurité” (launched in 2021), a call for proposals was published in July 2023 to complement the set of topics with three new projects, among which one on the classical cryptanalysis of cryptographic primitives. We coordinated the nationwide answer to this call for proposals, submitted in September 2022, and the project was accepted on March 27, 2023. The project started on October 1, 2023.
Emmanuel Thomé and Gaëtan Leurent (Inria COSMIQ, Paris) lead the project. Several teams are involved. The project is divided into eight work packages, and the CARAMBA team is involved in most of them.
10.3.3 Projet ANR KLEPTOMANIAC
Participants: Pierrick Gaudry, Cécile Pierrot, Pierre-Jean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.
- Program: ANR AAPG
- Project acronym: KLEPTOMANIAC
- Duration: 01/2022 - 12/2025
- Coordinator: Inria Nancy
- Other partners: ANSSI, LIP6
The RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields were the first invented primitives of public-key cryptography.
It is hard to estimate the time and resources that are needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend that people either avoid RSA, or prefer large RSA key sizes for safety, above 2048 bits at least. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we do rely on cryptography that uses smaller key sizes.
We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA-1024 and DH-1024 as well as specific discrete logarithm-related problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.
10.3.4 ANR OREO
Participants: Xavier Bonnetain, Sébastien Duval, Virginie Lallemand, Marine Minier.
- Program: ANR
- Project acronym: OREO
- Duration: 01/2023 - 12/2026
- Coordinator: Irisa (Rennes).
- Other partners: LORIA (Nancy), LMV (Versailles).
This ANR project focuses on the use of Mixed Integer Linear Programming (MILP) in symmetric-key cryptography, a direction that enjoyed rapid recognition in the symmetric-key community following the article by Mouha et al. 53.
MILP models can be used both to design and attack ciphers, but the technique suffers from several limitations, some of which we plan to address in this project. In particular, we aim to explore how to handle more complex cryptographic problems than what is done so far (while ensuring a reasonable solving time). This might imply finding how to improve the modeling techniques or considering different approaches, such as first solving approximated models.
10.3.5 Action exploratoire Back In Time
Participants: Pierrick Gaudry, Cécile Pierrot, Paul Zimmermann.
- Subject: Historical Cryptography
- Duration: October 2024 - 2026
- Coordinator: Cécile Pierrot
- Other partners: Inria Paris (ALMANACH), Université de Picardie.
BACK IN TIME brings together the expertise of researchers in three fields — artificial intelligence (ALMANACH team), cryptography (CARAMBA team) and history (Camille Desenclos) — to decipher encrypted historical documents. Given the sheer volume of data involved, our aim is to develop initial software to automate certain ancient decipherments.
10.3.6 Cooperation with ANSSI on e-voting regulation
Participants: Pierrick Gaudry.
We participate in a working group led by ANSSI, the purpose of which is to help the governmental actors (CNIL, ANSSI) in defining the next documents regulating the use of electronic voting in France.
10.3.7 ANR JCJC proposal MAVERIC
Participants: Jean Kieffer.
The ANR JCJC project MAVERIC (Modular forms and Abelian Varieties: Efficient and Rigorous Interval Computations) was submitted in 2024. The aim of this project is to continue exploring applications of rigorous numerical computations based on interval arithmetic (Riemann theta functions in particular) in arithmetic geometry, and to produce efficient implementations.
11 Dissemination
11.1 Promoting scientific activities
11.1.1 Scientific events: organisation
Member of the organizing committees
- Jean Kieffer is the local organizer for the CAIPI symposium to be held in Nancy on April 7-8, 2025.
- Cécile Pierrot is a member of the organizing committee of the work group "code et cryptographie".
11.1.2 Scientific events: selection
Chair of conference program committees
- Emmanuel Thomé was the chair of the program committee of Journées C2 2025.
Member of the conference program committees
- Xavier Bonnetain is a member of the scientific committee of the Loria security seminar.
- Xavier Bonnetain was a member of the Program Committees of EUROCRYPT 2025 and TQC 2024.
- Pierrick Gaudry was a member of the Program Committees of E-Vote-Id 2024.
- Aurore Guillevic was a member of the Program Committee of Selected Areas in Cryptography 2024.
- Virginie Lallemand was a member of the Program Committee of Selected Areas in Cryptography 2024 and of Workshop on Coding and Cryptography (WCC 2024).
- Marine Minier was a member of the Program Committee of Africacrypt 2024, Indocrypt 2024, CIFRIS 2024.
- Pierre-Jean Spaenlehauer is a member of the Scientific Committee of the Journées Nationales du Calcul Formel (JNCF), which is the main scientific event of the GT-calculformel of the CNRS GDR-IFM.
- Emmanuel Thomé was a member of the Program Committees of ASIACRYPT 2024 and EUROCRYPT 2025 (serving as Area Chair for Eurocrypt 2025).
11.1.3 Journal
Member of the editorial boards
- Xavier Bonnetain and Virginie Lallemand were members of the editorial board of IACR Transactions on Symmetric Cryptology (ToSC) Journal for 2024. This journal is the open-access journal associated to the International Conference on Fast Software Encryption (FSE).
- Pierrick Gaudry is a member of the editorial board of IACR Communications in Cryptology.
- Emmanuel Thomé is a member of the editorial board of the Journal of Algebra, dealing with the section on computational algebra.
Reviewer - reviewing activities.
Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.
11.1.4 Invited talks
- Xavier Bonnetain gave an invited lecture at the PQ-TLS Summer school 2024, Anglet, June 17–21, 2024.
- Aurore Guillevic gave an invited lecture at the Winter School of PEPR Cybersécurité, Autrans, January 29–February 2, 2024.
- Marine Minier gave an invited lecture at the doctoral school EJCIM.
- Cécile Pierrot gave an invited talk at the NORMANDIE 2024 conference.
- Cécile Pierrot gave an invited talk at the national code and crypto seminar.
- Emmanuel Thomé gave an invited talk at the Elliptic Curve Cryptography workshop 2024 (ECC 2024).
- Emmanuel Thomé participated in a round table during the Journées scientifiques du PEPR Cybersécurité and gave an invited talk at the PEPR Cyber day 2024.
- Emmanuel Thomé gave lectures at NIST (USA) and BSI (Germany) on integer factoring and discrete logarithms.
11.1.5 Leadership within the scientific community
- Pierrick Gaudry is co-head of the GdR Sécurité informatique.
- Cécile Pierrot is a member of the steering committee of the French working group Codes and Cryptography.
- Emmanuel Thomé is co-PI of the Cryptanalyse project, part of the broader PEPR Cybersecurity initiative.
11.1.6 Scientific expertise
- Pierrick Gaudry was a member of the selection committee for an assistant professor position in section 27 at Université de Montpellier.
- Virginie Lallemand was a member of the selection committee for an assistant professor position in section 27 at Université de Grenoble.
- Marine Minier was a member of the selection committee for the assistant professor position 27MCF1128, Université de Clermont-Auvergne.
- Marine Minier is a nominated member of the CNU 27 (2023-2027).
- Marine Minier was a member of the HCERES committee of the evaluation of the MIS laboratory (Amiens, France, June-November 2024).
- Cécile Pierrot was president of the selection committee for research engineers at Inria Strasbourg (2 positions).
- Cécile Pierrot was a member of the selection committee for CR/ISFP positions at Inria Bordeaux.
- Emmanuel Thomé was the president of the selection committees of assistant professor positions 27MCF1050 and 27MCF0368 at Université de Lorraine.
11.1.7 Research administration
- Xavier Bonnetain is the local coordinator of the Inria activity reports for the Inria Centre at Université de Lorraine.
- Pierrick Gaudry is head of the Department 1 of LORIA, and, as such, member of the Scientific Council of LORIA.
- Pierrick Gaudry is a member of Comité des utilisateurs des moyens de calcul INRIA.
- Pierrick Gaudry and Marine Minier are members of the steering committee of the LHS – Laboratoire Haute Sécurité of LORIA.
- Virginie Lallemand is a member of the commission du personnel (COMIPERS).
- Cécile Pierrot is a member of Bureau du Comité des Projets (BCP) of Inria, Nancy.
- Cécile Pierrot is a member of the center committee Inria, Nancy.
- Pierre-Jean Spaenlehauer is head of the Commission de Développement Technologique (CDT) of the Centre Inria de l'Université de Lorraine.
- Emmanuel Thomé is a member of the Loria commission doctorants (COMIDOC), which oversees applications for PhD grants.
- Paul Zimmermann is member of the scientific committee of the EXPLOR computing center (Université de Lorraine).
11.2 Teaching - Supervision - Juries
11.2.1 Teaching
- Bachelor
- Sébastien Duval, Algorithmique et Complexité, 18h eq. TD, L2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Sébastien Duval, Introduction à la cryptographie, 6h eq. TD, L3 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Sébastien Duval, Introduction à la sécurité, 20h eq. TD, L3 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Marine Minier, Introduction à la sécurité et à la cryptographie, 35h eq. TD, L3, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Master
- Sébastien Duval, Cryptographie, 12h eq. TD, M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Sébastien Duval, Sécurité des Systèmes d'Information, 64h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Sébastien Duval, Sécurité des Applications Web, 32h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Marine Minier, Contrôle d'accès, 40h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Marine Minier, Intégration Méthodologique, 36h eq. TD, M2 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Marine Minier, Sécurité Informatique, 18h eq. TD, M2 droit IPIT, Université de Lorraine, France.
- Marine Minier, Introduction à la cryptographie, 18h eq. TD, M1 Informatique, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Marine Minier is head of the M2 SIRAV, Université de Lorraine, Faculté des sciences et technologies, Vandœuvre-lès-Nancy, France.
- Graduate courses
- Jean Kieffer, Isogeny graphs of abelian varieties over finite fields, 24h eq. TD, Doctoral School in Science and Engineering, Université du Luxembourg, Luxembourg.
- Engineering school
- Xavier Bonnetain, Algorithmique et complexité, 30h eq. TD, 1ère année (L3), Université de Lorraine, École des Mines de Nancy, France.
- Sébastien Duval, Encadrement de projet de sécurité, 12h eq. TD, 5A, Université de Lorraine, Polytech Nancy, France.
- Jean Kieffer, Programmation et structures de données, 20h eq. TD, 1ère année (L3), Université de Lorraine, École des Mines de Nancy, France.
- Marine Minier, Cryptographie avancée, 5A FISE IA2R (Master 2), 30h eq. TD, Université de Lorraine, Polytech Nancy, France.
- Cécile Pierrot, Introduction to Cryptography, 57h eq. TD, Mastère spécialisé de cybersécurité, École des Mines de Nancy, France.
11.2.2 Supervision
- Ph.D. completed: Antoine Leudière, Isogenies of Drinfeld modules and post-quantum cryptography, defended in Sep. 2024, Pierre-Jean Spaenlehauer and Emmanuel Thomé.
- Ph.D. completed: Haetham Al Aswad, Number field sieve for discrete logarithm, defended in Dec. 2024, Cécile Pierrot and Emmanuel Thomé.
- Ph.D. in progress: Ana Rodriguez Cordero, Design and Cryptanalysis of New Symmetric Key Cryptographic Primitives, since Oct. 2021, Virginie Lallemand and Marine Minier.
- Ph.D. in progress: Léo Louistisserand, Conception et analyse de protocoles de vote utilisés ou utilisables en pratique, since Oct. 2023, Pierrick Gaudry and Véronique Cortier (PESTO team).
- Ph.D. in progress: Marie Bolzer, Algorithmique et outils automatiques pour la construction et l'analyse de composants de cryptographie symétrique, since Oct. 2023, Sébastien Duval and Marine Minier.
- Ph.D. in progress: Medhi Kermaoui, Quantum cryptanalysis of public-key cryptosystems, since Oct. 2023, Xavier Bonnetain and Pierrick Gaudry.
- Ph.D. in progress: Julien Soumier, Algorithmic of Isogenies of Abelian Varieties and Post-Quantum Cryptography, since Oct. 2023, Pierre-Jean Spaenlehauer and Pierrick Gaudry.
- Ph.D. in progress: Thierno Sabaly, Design and cryptanalysis of secret key schemes, since Oct. 2024, Marine Minier.
11.2.3 Juries
- Pierrick Gaudry was a member of the jury for the habilitation thesis of Benjamin Wesolowski (August 2024, Université de Lyon, France).
- Pierrick Gaudry was the president of the jury for the Ph.D. thesis of Abdelkarim Elassam (July 2024, Université de Lorraine, France).
- Virginie Lallemand was a member of the jury for the Ph.D. thesis of Rachelle Heim Boissier (October 2024, Université Paris-Saclay, France).
- Marine Minier was a reviewer for the Ph.D. thesis of Margot Funk (October 2024, Université de Versailles-Saint-Quentin-en-Yvelines, France).
- Marine Minier was the president of the jury for the habilitation thesis of Guillaume Moroz (December 2024, Université de Lorraine, France).
- Marine Minier was the president of the jury for the Ph.D. thesis of Maïwenn Racouchot (December 2024, Université de Lorraine, France).
- Marine Minier was a member of the jury for the Ph.D. thesis of Agathe Houzelot (October 2024, Université de Bordeaux, France).
- Pierre-Jean Spaenlehauer was an external reviewer for the Ph.D. thesis of Joseph Musleh (February 2024, University of Waterloo, Ontario, Canada).
- Emmanuel Thomé was an external reviewer for the Ph.D. thesis of Oisin Robinson (February 2024, University College Dublin).
- Emmanuel Thomé was a reviewer and the president of the jury for the Ph.D. thesis of Joël Felderhoff (November 2024, ENS Lyon).
- Paul Zimmermann was a member of the jury for the habilitation thesis of Guillaume Moroz (December 2024, Université de Lorraine, France).
11.2.4 Productions (articles, videos, podcasts, serious games, ...)
Cécile Pierrot wrote an article for The Conversation and contributed to a 5-minute video for the same website.
She took part in the scripting and filming of two documentaries about cryptography to be broadcast in 2025 on TF1 and Arte.
11.2.5 Participation in live events
- Cécile Pierrot participated in the "Journées du Matrimoine" at the science museum Feru des Sciences in Nancy. She gave three talks and took part in three improvised theatrical performances with comedians.
- Cécile Pierrot gave a talk to a large audience at Montbéliard, for the Université Ouverte de Franche Comté and she took part in the Science and Society cycle at Polytech, Nancy.
- Cécile Pierrot helped welcome Math-en-Jeans students to the laboratory, and gave them a talk.
- Cécile Pierrot took part in the week-long course for secondary school girls Les Cigognes, in Ramonchamp, a small village in the Vosges.
- Paul Zimmermann participated in the Fête de la Science in Bouxurulles, a small village in the south of Nancy (October 2024).
11.2.6 Other relevant science outreach activities
- Cécile Pierrot spent a week working for a newspaper (The Conversation) in Paris, as part of a researcher/journalist exchange organised by the association AJSPI, "association des journalistes scientifiques de la presse d'information".
- Julien Soumier and Paul Zimmermann participated in the Math-En-Jeans project. They supervised a group of teenagers from the Lycée Français Vauban du Luxembourg.
12 Scientific production
12.1 Major publications
- 1 (in proceedings) Finding many Collisions via Reusable Quantum Walks: Application to Lattice Sieving. EUROCRYPT 2023 - International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science 14008, Lyon, France, Springer Nature Switzerland, April 2023, pp. 221-251.
- 2 (in proceedings) Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment. Advances in Cryptology – CRYPTO 2020, Annual International Cryptology Conference, Lecture Notes in Computer Science 12171, Santa Barbara CA, United States, Springer, August 2020, pp. 62-91.
- 3 (article) On the Feistel Counterpart of the Boomerang Connectivity Table: Introduction and Analysis of the FBCT. IACR Transactions on Symmetric Cryptology 2020(1), May 2020, pp. 331-362.
- 4 (in book) Belenios: a simple private and verifiable electronic voting system. In: Foundations of Security, Protocols, and Equational Reasoning - Essays Dedicated to Catherine A. Meadows, LNCS 11565, Springer, 2019, pp. 214-238.
- 5 (in proceedings) The CORE-MATH Project. ARITH 2022 - 29th IEEE Symposium on Computer Arithmetic, virtual, France, IEEE, December 2022, pp. 26-34.
12.2 Publications of the year
International journals
- 6. Discrete Logarithm Factory. IACR Communications in Cryptology 1(3), October 2024.
- 7. A short-list of pairing-friendly curves resistant to the Special TNFS algorithm at the 192-bit security level. IACR Communications in Cryptology 1(3), October 2024, 44.
- 8. Dimension results for extremal-generic polynomial systems over complete toric varieties. Journal of Algebra 646, 2024, pp. 156-182.
- 9. On Impossible Boomerang Attacks: Application to Simon and SKINNYee. IACR Transactions on Symmetric Cryptology 2024(2), June 2024, pp. 222-253.
- 10. A Note on Related-Tweakey Impossible Differential Attacks. IACR Communications in Cryptology 1(3), October 2024.
- 11. Single-Query Quantum Hidden Shift Attacks. IACR Transactions on Symmetric Cryptology 2024(3), September 2024, pp. 266-297.
- 12. Flatness and structural analysis for the design of stream ciphers involving hybrid automata. Nonlinear Analysis: Hybrid Systems 52, May 2024, 101443.
- 13. Provable randomness over lightweight permutations. Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences, 2025. In press.
- 14. Computing isogenies from modular equations in genus two. Journal of Algebra 666, March 2025, pp. 331-386.
- 15. Automatic boomerang attacks search on Rijndael. Journal of Mathematical Cryptology 18(1), February 2024, pp. 1-16.
- 16. Computing a Group Action from the Class Field Theory of Imaginary Hyperelliptic Function Fields. Journal of Symbolic Computation 125, 2024.
International peer-reviewed conferences
- 17. Masked Iterate-Fork-Iterate: A New Design Paradigm for Tweakable Expanding Pseudorandom Function. In: Applied Cryptography and Network Security, Lecture Notes in Computer Science vol. 14584, Springer Nature Switzerland, Abu Dhabi, United Arab Emirates, February 2024, pp. 433-459.
- 18. Quantum Lattice Enumeration in Limited Depth. In: Advances in Cryptology – CRYPTO 2024, Lecture Notes in Computer Science vol. 14925, Springer Nature Switzerland, Santa Barbara, United States, August 2024, pp. 72-106.
- 19. Improving Generic Attacks Using Exceptional Functions. In: CRYPTO 2024 - 44th Annual International Cryptology Conference, LNCS vol. 14923, Springer, Santa Barbara, United States, 2024, pp. 105-138.
- 20. Belenios with cast-as-intended: towards a usable interface. In: E-Vote-ID 2024 - 9th International Joint Conference on Electronic Voting, Springer, Tarragona, Spain, October 2024.
- 21. Is the JCJ voting system really coercion-resistant? In: CSF 2024 - 37th IEEE Computer Security Foundations Symposium, IEEE, Enschede, Netherlands, 2024.
- 22. Can we cast a ballot as intended and be receipt free? In: IEEE Symposium on Security and Privacy 2024, San Francisco, United States, May 2024.
National peer-reviewed Conferences
- 23. Belenios: the Certification Campaign. In: SSTIC 2024 - Symposium sur la sécurité des technologies de l'information et des communications, Rennes, France, June 2024.
Doctoral dissertations and habilitation theses
- 24. Morphisms of Drinfeld Modules and their Algorithms. Thesis, Université de Lorraine, September 2024.
Reports & preprints
- 25. The asymptotic distribution of Elkies primes for reductions of abelian varieties is Gaussian. Preprint, November 2024.
- 26. Correctly-rounded evaluation of a function: why, how, and at what cost? Preprint, May 2024.
- 27. Accuracy of Complex Mathematical Operations and Functions in Single and Double Precision. Preprint, September 2024.
- 28. Correct Rounding in Double Extended Precision. Preprint, January 2025.
- 29. Note on FastTwoSum with Directed Roundings. Preprint, July 2024.
- 30. Vote&Check: Secure Postal Voting with Reduced Trust Assumptions. Preprint, 2024.
- 31. Accuracy of Mathematical Functions in Single, Double, Double Extended, and Quadruple Precision. Preprint, August 2024.
- 32. Towards a correctly-rounded and fast power function in binary64 arithmetic. Preprint, February 2024.
- 33. FastTwoSum revisited. Preprint, January 2025.
- 34. Evaluating modular equations for abelian surfaces. Preprint, June 2024.
- 35. Spanning isogeny classes of principally polarized abelian surfaces with RM. Preprint, May 2024.
- 36. Quadratic Short Division. Preprint, April 2024.
- 37. Note on the Veltkamp/Dekker Algorithms with Directed Roundings. Preprint, February 2024.