CARAMBA - 2023 - Annual activity report

2023 Activity report, Project-Team CARAMBA

RNSR: 201622054G

Keywords

Computer Science and Digital Science

1 Team members, visitors, external collaborators

Research Scientists

Faculty Members

Post-Doctoral Fellows

PhD Students

Interns and Apprentices

Administrative Assistants

2 Overall objectives

Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems.

The first axis (§3.1) of our research work studies these mathematical objects mostly for their own sake. Our expertise in computational mathematics and computer algebra allows us to contribute to the general algorithmic toolbox that makes these mathematical objects easy to work with in practice: computations with these objects must be effective and fast. A sizeable portion of our work in this domain is realized in the form of software projects, which are developed over long periods of time (GNU MPFR, for example, was initiated by members of our group several decades ago, and is still maintained and developed).

A second part of our work (axes §3.2 and §3.3) is centered on cryptographic motivations. Quite often, our work here is rooted in exactly the same core competences as those we use in our first research axis. We consider the two facets of cryptology: cryptography and cryptanalysis. The key challenges are the assessment of the classical and quantum security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones. While the basic principles of symmetric and asymmetric cryptography are rather different (indeed their names indicate different ways to handle the key), research in both domains is driven by the same objective of finding the best trade-offs between efficiency and security. In addition, both require studying design and analysis together, as these two aspects nurture each other.

Our last research axis (§3.4) uses our cryptographic knowledge to connect to more real-world concerns, on topics closer to computer security. Long-term aspects of this part of our activity are practical and theoretical research on electronic voting, and the practical impact of our factoring and discrete logarithm record computations on key sizes. More isolated works in this axis include, for instance, works on white-box cryptography, IoT or contact tracing. We also consider our growing activity on historical cryptography as part of this axis, where cryptography is only one part of the study.

3 Research program

3.1 Research axis 1: mathematical objects

Several mathematical objects are pervasive in our research. We sometimes study them per se, but they also often play a key role as tools in other research topics. In particular, we study computer arithmetic, polynomial systems, linear algebra, algebraic curves and abelian varieties.

In the context of this research axis, we work on the key algorithms and mathematical results, as well as on the realization of these results in terms of software. In our approach, software is a key step in a feedback loop that goes from mathematics to algorithms, implementation, software, and back. By software here, we mean free and open-source software tools, often developed over several years, that can be used as dependable building blocks by us as well as by peers for reproducible research.

Our past and future topics in this research axis include the following.

Examples of publications in the recent past that illustrate our positioning on this research topic are 13, 35, 29, 7.

3.2 Research axis 2: secret-key cryptology

We study cryptographic and cryptanalytic aspects of secret-key primitives. We explore the following research directions in particular:

Examples of publications in the recent past that illustrate our positioning on this research topic are 1, 2, 11, 16, 9.

3.3 Research axis 3: public-key cryptographic primitives

Our team has been studying the mathematical building blocks of public-key cryptography for a long time. More specifically, we have a long-established record on the study of public-key cryptographic primitives based on integer factorization and finite field discrete logarithms, as well as on algebraic curves, abelian varieties, and their applications in cryptography. Most of the time we study them from a classical (non-quantum) angle.

The algorithmic framework of the Number Field Sieve (NFS) addresses both the integer factorization problem as well as the discrete logarithm problem over finite fields. We have numerous algorithmic contributions in this context, and develop software to illustrate them.

Several of our current research directions in public-key cryptography are strongly connected to our general expertise on NFS.

In addition to the above, we also study other aspects of public-key cryptography, such as cryptographic constructions using isogenies between curves or more general algebraic structures, as well as their security. We have a strong record on this topic in general. The algorithmic toolbox to deal with such objects was enriched in 2022 with new practical results of Castryck–Decru, Robert, and Wesolowski. This topic is clearly in our research agenda.

As in the case of secret-key cryptology, some of our research work also takes into account quantum algorithms, and possibly the interplay of quantum and classical algorithms.

Examples of publications in the recent past that illustrate our positioning on this research topic are 3, 12, 8, as well as the Cado-NFS software described in 6.1.2.

3.4 Research axis 4: implications in computer security and the real world

The questions that we address in our last research axis are less problem-centered than above, and rather revolve around how the different building blocks that we work with can be assembled, and whether this leads to impactful results in computer security.

Examples of publications in the recent past that illustrate our positioning on this research topic are 6, 5, 4, 10.

4 Application domains

4.1 Better awareness and avoidance of cryptanalytic threats

Our study of the Number Field Sieve algorithm and its variants aims to show how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose remit includes guidance on the choice of appropriate cryptographic primitives. For example, the French ANSSI, the German BSI, or NIST in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy-compatibility trade-offs too lightly. Attacks such as Logjam 40 are understood as serious concerns thanks to our convincing proofs of concept. In the Logjam context, this impact led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

4.2 Promotion of better cryptography

We also promote the switch to algebraic curves as cryptographic primitives. These offer good speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g. RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the security guarantees expected of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our work on fast arithmetic, on the point counting problem, and more generally in our expertise on the surrounding mathematical objects, and on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than the current state of the art.

4.3 Key software tools

The vast majority of our work is eventually realized as software. We can roughly categorize it into two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To varying extents, these packages are meant to be included in or used by broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor non-restrictive licenses such as the LGPL. We can measure the impact of this software by the way it is used in, e.g., the GNU Compiler Collection (GCC), Victor Shoup's Number Theory Library (NTL), or the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure of the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS 47, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms, and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects, and being possible sources of inspiring material for others, it is again important that these be developed in a free and open-source development model.

5 Highlights of the year

The CORE-MATH project reached a significant milestone in 2023, with correctly rounded implementations of all mathematical functions in C99 and C23, in double precision.

5.1 Awards

Véronique Cortier (team PESTO) and Pierrick Gaudry were awarded the Grand Prix de l'Académie Lorraine des Sciences for their book entitled Le vote électronique 6.

6 New software, platforms, open data

6.1 New software

6.1.1 Belenios

6.1.2 CADO-NFS

6.1.3 Drinfeld modules in SageMath

6.1.4 TNFS-alpha

6.1.5 CORE-MATH

6.1.6 GNU-MPFR

7 New results

7.1 Mathematical objects

7.1.1 The CORE-MATH project

Participants: Paul Zimmermann.

The aim of the CORE-MATH project is to provide off-the-shelf open-source mathematical functions with correct rounding that can be integrated into current mathematical libraries (GNU libc, Intel Math Library, AMD Libm, Newlib, OpenLibm, Musl, Apple Libm, llvm-libc, CUDA libm, ROCm). These functions are implemented in the C language and target the three IEEE 754 binary formats (single precision, double precision, quadruple precision), and also the extended double precision format (64-bit significand). This project is motivated by the fact that current mathematical libraries are far from giving the best possible results, as demonstrated in 34.

The development of CORE-MATH forced us to revisit some classical algorithms, for example FastTwoSum in the context of directed rounding 37. In 2023, a full set of binary64 (double-precision) functions for the C99 and C23 standards was developed, with correct rounding, and efficiency close to that of the current mathematical libraries (GNU libc, Intel mathematical library, LLVM). In particular, efficient algorithms were designed and implemented for the power function 24. The long version of this article, with full proofs, is available in 35; it enabled our colleagues Laurent Théry and Laurence Rideau (Inria Sophia-Antipolis) to produce a formal proof of the "fast path".

7.1.2 Computing norms and characteristic polynomials on Drinfeld modules

Participants: Antoine Leudière.

Drinfeld modules are mathematical objects that lie at the intersection of number theory and computer science. They were introduced by Vladimir Drinfeld in 1974 to be the counterpart of elliptic curves in the setting of function fields. Drinfeld modules are now established as a standard tool for studying function fields.

We introduced new algorithms to compute characteristic polynomials of endomorphisms of Drinfeld modules, as well as norms of isogenies of Drinfeld modules 31. The former problem is the Drinfeld-module analogue of counting points on an elliptic curve; the latter is a generalization of the former. Work by Musleh and Schost already computed characteristic polynomials in a very specific case 45. Thanks to a new approach, our algorithms work in full generality and rely on simple linear algebra techniques. To our knowledge, it is also the first time that the problem of computing norms of isogenies is addressed.

We note that in 2023, Schost and Musleh published an article in which they also compute characteristic polynomials of Drinfeld module endomorphisms 44. Their method, which provides valuable insights, works for all endomorphisms and ranks. We provide a thorough comparison of the two approaches and show that in many regimes, our algorithms are the fastest.

7.1.3 Drinfeld modules in SageMath

Participants: Antoine Leudière.

In April 2022, we began the first-ever implementation of Drinfeld modules to be included in the standard distribution of SageMath. Our contribution was merged in March 2023 and made available with version 10.0. The implementation is thoroughly integrated within the SageMath ecosystem and includes all basic operations on Drinfeld modules and their morphisms, as well as implementations of the algorithms mentioned in the previous point. A software presentation of our work was accepted at the 2023 International Symposium on Symbolic and Algebraic Computation (ISSAC) 15.

7.1.4 Dimension results for sparse polynomial systems

Participants: Pierre-Jean Spaenlehauer.

Polynomial systems arising in applications (for instance in cryptography) often feature monomial structures. It is therefore an important question to investigate how these structures can be used to speed up solving algorithms. This is the main topic of the collaboration between Pierre-Jean Spaenlehauer and Matías Bender (EPI TROPICAL). Toric varieties built from polyhedral fans provide a way to homogenize such sparse structures. In 29, we study in which cases such homogenizations may introduce generically high-dimensional artefacts that may harm the efficiency of the computations.

7.1.5 Search for worst cases

Participants: Paul Zimmermann.

To design correctly-rounded functions as in the CORE-MATH project, it is of utmost importance to know the "worst cases" of mathematical functions, i.e., inputs x such that the binary expansion of f(x) has a long run of zeros or ones immediately after the round bit, so that f(x) lies extremely close to a rounding boundary and a naive evaluation may round the wrong way. Worst cases have been computed for the new C99 and C23 functions developed in 2023. These worst cases are available from the CORE-MATH git repository, so that they can be used to check the correct rounding of other mathematical libraries.
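As an added illustration of the two ideas above (this is example code written for this page, not CORE-MATH code): the check a library user can run against a high-precision reference, and the quantity that makes an input a "worst case". Python's decimal module is used as the reference for exp (its exp() is correctly rounded in its own precision, here 60 digits), exact rounding to a double is done through Fraction, and bits_after_round_bit counts the run of identical bits that follows the round bit; a long run means the value sits very close to a rounding boundary. The FastTwoSum error-free transformation mentioned in §7.1.1 is included under round-to-nearest only; the directed-rounding analysis of 37 is not reproduced. The inputs are constructed for the demonstration, not taken from the CORE-MATH worst-case tables.

```python
"""Correct-rounding check and hardness-to-round measure (constructed example)."""
import math
from decimal import Decimal, getcontext
from fractions import Fraction

getcontext().prec = 60   # ~200 bits: far more than the 53 + 100 bits inspected below


def exp_reference(x):
    """exp(x) as an exact rational with ~200 correct bits. Decimal.exp() is
    correctly rounded at the context precision, so its error is negligible
    at the scale of a double's rounding boundary."""
    return Fraction(Decimal(x).exp())


def round_to_double(r):
    """Nearest double to the rational r, ties to even (CPython's int/int
    true division is correctly rounded)."""
    return r.numerator / r.denominator


def scale_to_53_bits(r):
    """Write |r| = t * 2^e with 2^52 <= t < 2^53, so the integer part of t is
    the 53-bit significand of the truncated double (normal range only)."""
    t = abs(r)
    e = t.numerator.bit_length() - t.denominator.bit_length() - 52
    t = t / Fraction(2) ** e
    while t >= 2 ** 53:
        t /= 2
        e += 1
    while t < 2 ** 52:
        t *= 2
        e -= 1
    return t, e


def bits_after_round_bit(r, max_bits=100):
    """Length of the run of identical bits following the round bit (the first
    bit beyond the 53-bit significand). A long run means r is very close to a
    rounding boundary, i.e. a hard-to-round case; an exact midpoint or an
    exactly representable value gives max_bits."""
    if r == 0:
        return 0
    t, _ = scale_to_53_bits(r)
    frac = t - (t.numerator // t.denominator)      # fractional part in [0, 1)
    bits = []
    for _ in range(max_bits + 1):
        frac *= 2
        b = int(frac)                              # next binary digit
        bits.append(b)
        frac -= b
    run = 0
    for b in bits[1:]:                             # bits[0] is the round bit
        if b != bits[1]:
            break
        run += 1
    return run


def is_correctly_rounded(libm_fn, reference_fn, x):
    """True iff the library result equals the correctly rounded reference."""
    return libm_fn(x) == round_to_double(reference_fn(x))


def fast_two_sum(a, b):
    """Error-free transformation: for |a| >= |b| under round-to-nearest,
    returns (s, t) with s = fl(a + b) and a + b = s + t exactly."""
    s = a + b
    t = b - (s - a)
    return s, t


if __name__ == "__main__":
    for x in (1.0, 0.5, -2.25):
        r = exp_reference(x)
        print(x, is_correctly_rounded(math.exp, exp_reference, x),
              "run after round bit:", bits_after_round_bit(r))
    print(fast_two_sum(1e16, 1.0))
```

The two midpoint-style inputs in the tests (1 + 2^-53 plus or minus a tiny offset) show the measure at work: the closer the value to the boundary, the longer the run. The same loop, fed the published worst cases, is exactly how another libm's output can be checked against a correctly rounded reference.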

7.2 Secret-key cryptology

7.2.1 On boomerang attacks on quadratic Feistel ciphers: new results on KATAN and Simon

Participants: Xavier Bonnetain, Virginie Lallemand.

This article 16 studies the application of the cryptanalysis technique called the boomerang attack to ciphers following a Feistel construction and having a quadratic round function. We prove that many previously published papers give erroneous approximations of the probability of the distinguishers they use (in most cases this invalidates the attacks, while in a few cases they turn out better than expected). We then propose a new SMT model that takes our findings into account, and we obtain a 19-round distinguisher of the cipher Simon-32/64 that we convert into a 25-round attack, which to the best of our knowledge reaches one more round than previously published results.
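The mechanism behind those erroneous approximations can be seen on a tiny scale. The following is an added example written for this page (not the SMT model or the 25-round attack of 16): Simon-32/64 implemented from its public specification (checked against the test vector of the Simon paper), a generic empirical boomerang test, and the textbook estimate sum over (beta, gamma) of p(alpha->beta)^2 q(gamma->delta)^2 measured on the two halves separately. On 3 rounds, with alpha = (0, Delta) and delta = (Gamma, 0), the middle difference that comes back is the second derivative D_Delta D_Gamma f of the quadratic round function, a constant; so the boomerang returns with probability exactly 1 or exactly 0 depending on Gamma, while the independence-based estimate gives about 1/4 in both cases. The round count and differences are chosen for this demonstration.

```python
"""Toy boomerang check on round-reduced Simon-32/64 (constructed example)."""
import random
from collections import Counter

MASK = 0xFFFF
ROUNDS = 32
# z0 constant sequence of the Simon specification (used by Simon-32/64)
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def ror(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def f(x):
    """Simon's quadratic round function: (x<<<1 & x<<<8) ^ x<<<2."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def key_schedule(key_words):
    """Round keys from the four key words k3..k0 as listed in the Simon paper."""
    k = list(reversed(key_words))          # k[0] is the least significant word
    for i in range(4, ROUNDS):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]
        tmp ^= ror(tmp, 1)
        k.append((~k[i - 4] & MASK) ^ tmp ^ int(Z0[i - 4]) ^ 3)
    return k


def encrypt(block, round_keys):
    x, y = block
    for rk in round_keys:
        x, y = y ^ f(x) ^ rk, x
    return x, y


def decrypt(block, round_keys):
    x, y = block
    for rk in reversed(round_keys):
        x, y = y, x ^ f(y) ^ rk
    return x, y


def xor(a, b):
    return a[0] ^ b[0], a[1] ^ b[1]


def rand_block(rng):
    return rng.getrandbits(16), rng.getrandbits(16)


def boomerang_probability(n_rounds, alpha, delta, round_keys, trials, rng):
    """Empirical probability that the boomerang returns with difference alpha."""
    rk = round_keys[:n_rounds]
    hits = 0
    for _ in range(trials):
        p1 = rand_block(rng)
        c1, c2 = encrypt(p1, rk), encrypt(xor(p1, alpha), rk)
        p3, p4 = decrypt(xor(c1, delta), rk), decrypt(xor(c2, delta), rk)
        hits += xor(p3, p4) == alpha
    return hits / trials


def naive_estimate(r0, r1, alpha, delta, round_keys, trials, rng):
    """Textbook estimate sum_{beta,gamma} p(alpha->beta)^2 q(gamma->delta)^2,
    which treats E0 (first r0 rounds) and E1 (next r1 rounds) as independent."""
    rk0, rk1 = round_keys[:r0], round_keys[r0:r0 + r1]
    p, q = Counter(), Counter()
    for _ in range(trials):
        s, c = rand_block(rng), rand_block(rng)
        p[xor(encrypt(s, rk0), encrypt(xor(s, alpha), rk0))] += 1
        q[xor(decrypt(c, rk1), decrypt(xor(c, delta), rk1))] += 1
    sq = lambda cnt: sum((n / trials) ** 2 for n in cnt.values())
    return sq(p) * sq(q)


def second_derivative(delta_, gamma):
    """D_delta D_gamma f for Simon's f: a constant, because f is quadratic.
    The 3-round boomerang above returns iff this constant is zero."""
    return (rol(delta_, 1) & rol(gamma, 8)) ^ (rol(gamma, 1) & rol(delta_, 8))


def seeded(seed=2023):
    return random.Random(seed)


TEST_KEY = [0x1918, 0x1110, 0x0908, 0x0100]   # test-vector key from the Simon paper

if __name__ == "__main__":
    rk = key_schedule(TEST_KEY)
    print(encrypt((0x6565, 0x6877), rk))       # expected (0xc69b, 0xe9bb)
    rng = seeded()
    for gamma in (0x0001, 0x0200):
        alpha, delta = (0, 0x0001), (gamma, 0)
        print(hex(gamma), "estimate", naive_estimate(2, 1, alpha, delta, rk, 4096, rng),
              "actual", boomerang_probability(3, alpha, delta, rk, 1024, rng),
              "D_dD_g f", hex(second_derivative(0x0001, gamma)))
```

With Gamma = 0x0001 the second derivative vanishes and every quartet comes back (probability 1, estimate about 1/4); with Gamma = 0x0200 it equals 0x0002 and no quartet ever comes back (probability 0, same estimate). Both failures are invisible to any analysis that multiplies the probabilities of the two halves.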

7.2.2 Flatness and structural analysis for the design of stream ciphers involving hybrid automata

Participants: Hamid Boukerrou, Marine Minier.

In 17, we deal with hybrid dynamical systems in the context of cybersecurity and cyber-physical systems. It is shown how the design of a cipher, called a self-synchronizing stream cipher, can be recast as control-theoretic issues, in particular left inversion, flatness and structural analysis. From an automatic control point of view, the main contribution lies in a methodology to construct generic flat LPV systems. Beyond pure control-theoretic matters, the design also addresses computational complexity and security concerns. Those considerations motivate a hybrid architecture involving switched automata. A proof-of-concept example illustrates the design of a statistical self-synchronizing stream cipher and how it operates to encrypt data flows. These results, and all those obtained with the CRAN laboratory, are also summarized in 26.

7.2.3 Finding many collisions via reusable quantum walks

Participants: Xavier Bonnetain.

This article 19 proposes an improved quantum algorithm to find multiple collisions. The new algorithm matches the lower bound for a large range of parameters. It has many direct cryptographic implications, for instance for impossible differentials in symmetric cryptography, or for lattice sieving. In particular, thanks to our algorithm we obtain the most efficient generic heuristic algorithm for lattice reduction: a sieving algorithm with complexity 2^(0.2563d + o(d)), where d is the dimension of the lattice.

7.3 Public-key cryptology

7.3.1 Individual discrete logarithm with sublattice reduction

Participants: Haetham Al Aswad, Cécile Pierrot.

The work 14 deals with the splitting step in the number field sieve for finite fields of composite extension degree. The splitting step consists in finding an element R with a smooth norm and such that the logarithm of the target T can be easily deduced from the logarithm of R. The current state of the art takes advantage of lattice-reduction algorithms, such as LLL and BKZ in order to find such an element R. In this work, the authors explore the use of sublattices of the lattices usually used and perform experiments to validate this idea. Moreover, the authors give an asymptotic analysis of the individual logarithm step in NFS when LLL or BKZ are used as lattice-reduction in this new algorithm. This work is published in the journal Designs, Codes and Cryptography.
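To make the role of the splitting step concrete, here is an added example (written for this page, not code from 14 or from Cado-NFS) in the simplest setting where the same structure appears: the classical index-calculus method in a prime field, rather than NFS in a field of composite extension degree. There is no lattice reduction here; what the example shows is the division of labour that the passage describes. First, relations g^e = prod p_i^{a_i} over a small factor base are collected and solved (mod q by Gaussian elimination, mod 2 by Euler's criterion, then combined by CRT); then the individual-logarithm step randomizes the target T as R = T * g^k until R is smooth, so that log T = log R - k follows from the already-known logarithms. The modulus p = 10007 (a safe prime), the factor-base bound 50 and the target 4242 are toy values constructed for the demonstration.

```python
"""Prime-field index calculus with an individual-logarithm step (constructed example)."""
import random


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def primes_up_to(bound):
    return [x for x in range(2, bound + 1) if is_prime(x)]


def smooth_factor(n, factor_base):
    """Exponent vector of n over the factor base, or None if n is not smooth."""
    exps = [0] * len(factor_base)
    for i, pr in enumerate(factor_base):
        while n % pr == 0:
            n //= pr
            exps[i] += 1
    return exps if n == 1 else None


def solve_mod_prime(rows, ncols, q):
    """Gaussian elimination over GF(q) on augmented rows [a_0 .. a_{n-1} | b].
    Returns the solution vector, or None if the rows do not determine it."""
    rows = [[v % q for v in r] for r in rows]
    for col in range(ncols):
        piv = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None                      # rank deficient: need more relations
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)
        rows[col] = [v * inv % q for v in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                c = rows[i][col]
                rows[i] = [(a - c * b) % q for a, b in zip(rows[i], rows[col])]
    return [rows[i][ncols] for i in range(ncols)]


def find_generator(p, q):
    """Smallest generator of F_p^* for a safe prime p = 2q + 1."""
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)


def factor_base_logs(p, q, g, factor_base, rng):
    """Relation collection and linear algebra: each smooth g^e gives
    sum a_i log(p_i) = e (mod p-1). Solve mod q by elimination, mod 2 by
    Euler's criterion (log is even iff the prime is a square), then combine."""
    n = len(factor_base)
    rows, sol_q = [], None
    while sol_q is None:
        e = rng.randrange(1, p - 1)
        exps = smooth_factor(pow(g, e, p), factor_base)
        if exps is not None:
            rows.append(exps + [e])
        if len(rows) >= n + 5:
            sol_q = solve_mod_prime(rows, n, q)
    logs = []
    for pr, lq in zip(factor_base, sol_q):
        parity = 0 if pow(pr, q, p) == 1 else 1
        logs.append(lq if lq % 2 == parity else lq + q)   # CRT for modulus 2q
    return logs


def individual_log(p, g, target, factor_base, logs, rng):
    """Splitting step: randomise the target until target * g^k is smooth, then
    log(target) = sum a_i log(p_i) - k  (mod p-1)."""
    while True:
        k = rng.randrange(p - 1)
        exps = smooth_factor(target * pow(g, k, p) % p, factor_base)
        if exps is not None:
            return (sum(a * l for a, l in zip(exps, logs)) - k) % (p - 1)


def seeded(seed=1):
    return random.Random(seed)


P = 10007                  # safe prime: (P - 1) / 2 = 5003 is prime (toy size)
Q = (P - 1) // 2

if __name__ == "__main__":
    rng = seeded()
    fb = primes_up_to(50)
    g = find_generator(P, Q)
    logs = factor_base_logs(P, Q, g, fb, rng)
    t = 4242
    lt = individual_log(P, g, t, fb, logs, rng)
    print("g =", g, "log(4242) =", lt, "check:", pow(g, lt, P) == t)
```

In NFS the same step is the expensive one for a new target: the factor-base logarithms are computed once per field, and each additional target costs only the search for a smooth representative, which is where 14 brings lattice reduction to bear.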

7.3.2 Discrete logarithm factory

Participants: Haetham Al Aswad, Cécile Pierrot, Emmanuel Thomé.

In 28 we generalize Coppersmith's factorization factory to compute discrete logarithms in several non-prime finite fields. The Number Field Sieve and its variants are the best algorithms to solve the discrete logarithm problem in finite fields (except for the weak small-characteristic case). The Factory variant accelerates the computation when several prime fields are targeted. This article adapts the Factory variant to non-prime finite fields of medium and large characteristic. This idea is combined with two other variants of NFS, namely the tower and special variants. This combination improves the asymptotic complexity. Besides, this work provides estimates of the practicality of this method for 1024-bit targets of extension degree 6: our findings indicate that the factory approach begins to pay off when the cryptanalysis target consists of a few dozen such finite fields.

7.3.3 Discrete logarithm with Tower NFS

Participants: Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot.

The long version 18 of a previous work published at Asiacrypt 2021 has been published in the Journal of Cryptology. It describes the use of lattice techniques to implement the Tower NFS technique efficiently for discrete logarithm computations in finite fields in the so-called medium characteristic range. This long version includes in particular a new algorithm for making use of automorphisms in the linear algebra phase, by choosing appropriate Schirokauer maps.

7.3.4 An algebraic point of view on the generation of pairing-friendly curves

Participants: Aurore Guillevic.

The paper 33 with Jean Gasnier from the CANARI team (Bordeaux) is the outcome of Jean Gasnier's Master's internship in 2022, co-advised in Bordeaux by Jean-Marc Couveignes and remotely from Denmark by Aurore Guillevic. It aims to generalize the Kachisa–Schaefer–Scott technique to find more pairing-friendly curves. The method allowed us to obtain new curves for interesting embedding degrees, such as k=20. It also closed some dead ends in the quest for prime-order pairing-friendly curves (only three constructions are known, the latest discovered in 2005). It comes with two implementations, one written by Jean Gasnier to find curve families (see the CANARI team report and the Subfield Method GitLab project), the other to implement pairings on the new curves (see the Pairings on Gasnier–Guillevic Curves GitLab project). The results were presented at the SIAM-AG conference and the paper is under review.

7.4 Implications in computer security and the real world

7.4.1 Coercion resistance in e-voting

Participants: Pierrick Gaudry, Quentin Yang.

In 22, we show that the JCJ e-voting protocol that is the basis of many coercion-resistant systems is flawed, in the sense that the tally phase leaks more information than it should. In some specific scenarios, this can give an advantage to a coercer. Therefore, we propose a new version of JCJ, CHide, which relies on the multi-party toolbox that we designed earlier in the context of tally-hiding 41. We also refine the existing formal definitions of coercion-resistance, in order to highlight the flaw, and prove that CHide fixes the problem.

In another work related to coercion resistance 23, in collaboration with Université Catholique de Louvain, we explore the relations between the notions of coercion resistance, receipt freeness, and cast as intended. We show some impossibility results and propose adapting the security notions, to make possible some of the combinations of these properties.

7.4.2 Cast-as-intended in e-voting

Participants: Pierrick Gaudry, Stéphane Glondu.

The cast-as-intended property in e-voting means that the system remains secure, even if the device used by the voter is compromised: if malware is present on the voter's computer, the voter should still have the guarantee that the encrypted ballot that is sent to the server contains their intended choice. In 20 we propose a new approach for this question, based on an audit procedure made by the voter, that does not leak their choice, and will detect a fraudulent device, with a probability of at least one-half. An attacker who would like to change many votes is likely to be detected.
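The detection argument above can be exercised with the classical cast-or-audit (Benaloh) challenge, shown here as an added example written for this page; it is not the new procedure of 20 nor Belenios code, and uses a toy exponential-ElGamal group (p = 10007, generator 4 of the order-5003 subgroup) constructed for illustration, far too small for real use. The device commits to the encrypted ballot before the voter decides; the voter then either audits (the device must reveal the plaintext and randomness, and the voter recomputes the ciphertext) or casts. A device that silently flips the vote is caught whenever it is audited, so a voter who audits with probability 1/2 catches it with probability 1/2, and a device that cheats on many voters is caught with overwhelming probability. The audited ballot is spoiled and never cast, which is why the audit does not leak the choice.

```python
"""Cast-or-audit challenge against a possibly malicious voting device (constructed)."""
import hashlib
import random

P = 10007                    # safe prime, (P-1)/2 = 5003 prime (toy size, not secure)
Q = (P - 1) // 2
G = 4                        # 4 = 2^2 is a square, hence generates the order-Q subgroup


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(pk, m, r):
    """Exponential ElGamal: (g^r, g^m * pk^r); m in {0, 1} is the candidate."""
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def decrypt(sk, ct):
    c1, c2 = ct
    gm = c2 * pow(c1, (Q - sk) % Q, P) % P      # c2 * c1^{-sk} = g^m
    return next(m for m in (0, 1) if pow(G, m, P) == gm)


def commitment(ct):
    return hashlib.sha256(f"{ct[0]},{ct[1]}".encode()).hexdigest()


class Device:
    """The voter's machine. With honest=False it silently flips the vote."""

    def __init__(self, pk, rng, honest=True):
        self.pk, self.rng, self.honest = pk, rng, honest

    def prepare(self, choice):
        self.claimed = choice
        self.m = choice if self.honest else 1 - choice
        self.r = self.rng.randrange(1, Q)
        self.ct = encrypt(self.pk, self.m, self.r)
        return commitment(self.ct)          # shown to the voter before they decide

    def audit(self):
        return self.claimed, self.r         # a cheater still claims the voter's choice

    def cast(self):
        return self.ct


def voter_audits(pk, commit, choice, reveal):
    """Voter-side check: the revealed plaintext must be the intended choice and
    must re-encrypt, with the revealed randomness, to the committed ciphertext."""
    m, r = reveal
    return m == choice and commitment(encrypt(pk, m, r)) == commit


def vote(device, pk, choice, rng):
    """One session: audit with probability 1/2, otherwise cast.
    Returns ('caught', None), ('audited', None) or ('cast', ciphertext)."""
    commit = device.prepare(choice)
    if rng.random() < 0.5:
        ok = voter_audits(pk, commit, choice, device.audit())
        return ('audited' if ok else 'caught'), None     # audited ballot is spoiled
    return 'cast', device.cast()


def detection_rate(n_voters, rng):
    """Fraction of voters who catch an always-cheating device: about 1/2."""
    sk, pk = keygen(rng)
    caught = sum(vote(Device(pk, rng, honest=False), pk, rng.randrange(2), rng)[0] == 'caught'
                 for _ in range(n_voters))
    return caught / n_voters


def seeded(seed=2023):
    return random.Random(seed)


if __name__ == "__main__":
    rng = seeded()
    sk, pk = keygen(rng)
    honest, status = Device(pk, rng), vote(Device(pk, rng), pk, 1, rng)
    print("detection rate against a cheating device:", detection_rate(2000, rng))
```

A cheating device has two ways to answer an audit, and both fail: revealing the real plaintext exposes that it differs from the voter's choice, and claiming the voter's choice makes the recomputed ciphertext differ from the commitment. The check relies only on the commitment being fixed before the voter's audit-or-cast decision, and on that decision being unpredictable to the device.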

7.4.3 Historical cryptology

Participants: Pierrick Gaudry, Cécile Pierrot, Paul Zimmermann.

An unknown and almost fully encrypted letter written in 1547 by Emperor Charles V to his ambassador at the French Court, Jean de Saint-Mauris, was identified in a public library, the Bibliothèque Stanislas (Nancy, France). As no decryption of this letter was previously published or even known, a team of cryptographers and historians gathered to study the letter and its encryption system. First, multiple approaches and methods were tested in order to decipher the letter without any other specimen. The letter was then placed within the whole correspondence between Charles and Saint-Mauris, and the key was consolidated thanks to previous key reconstructions. Finally, the decryption effort enabled us to uncover the content of the letter and to investigate more deeply both the cryptanalysis challenges and the encryption methods 25. This is joint work with Camille Desenclos (University of Picardie).

8 Bilateral contracts and grants with industry

8.1 Bilateral contracts with industry

8.1.1 Consulting with Swiss Post

Participants: Pierrick Gaudry.

Together with the PESTO team, we have a long-term consulting activity with Swiss Post on the e-voting topic. In 2023 we started a new contract to help them design the next generation of their e-voting protocol.

8.1.2 Verifiability during the French legislative elections

Participants: Pierrick Gaudry, Stéphane Glondu.

Together with the PESTO team, we had a contract with the French Ministry of Foreign Affairs (MEAE), in the context of the legislative elections, for which French citizens abroad had the possibility to vote over the Internet. We played the role of external third party, as required by the CNIL recommendations for such high-stakes elections. While the contract was signed with the MEAE, it also involved interactions with the vendor of the solution (Voxaly) and with ANSSI, which was the security advisor of the MEAE. In three districts, the 2022 elections were cancelled and therefore had to be held again in 2023.

This experiment of verifiability for a high stake election was documented and discussed in a research article that we published in the E-Vote-Id conference 21.

8.2 Start-up creation

8.2.1 Preparation of the VCast start-up

Participants: Pierrick Gaudry, Stéphane Glondu.

In 2023, Stéphane Glondu joined the Inria Startup Studio program to prepare the creation of a company to commercialize the Belenios software. Michael Houalef, who has a business background, joined the project. The company, called VCast, is to be launched in the first half of 2024. Véronique Cortier (from PESTO) and Pierrick Gaudry, as co-founders of Belenios, were involved in the discussions concerning this creation.

9 Partnerships and cooperations

9.1 International research visitors

9.1.1 Visits of international scientists

Our team received several international visits in 2023 (at most a week in duration, and most often a day or two): Yixin Shen (Royal Holloway University of London), Katharina Boudgoust (Aarhus University), Keegan Ryan (University of California San Diego), Steven Galbraith (University of Auckland).

9.2 National initiatives

9.2.1 PEPR Quantique, project PQ-TLS

Participants: Xavier Bonnetain, Pierre-Jean Spaenlehauer.

Since 1994 and the discovery of Shor's algorithm, new quantum threats have emerged against classical security protocols and cryptographic primitives. The objective of the PQ-TLS project is to design a quantum-safe version of the security layer of web protocols, via the integration of post-quantum cryptographic primitives and the quantum cryptanalysis of existing systems. The project also aims at developing new techniques to compare existing primitives from the quantum viewpoint and at promoting solutions arising from academic and industrial research. The goal is to develop a large toolbox whose targets range from the mathematical foundations of post-quantum cryptography to its concrete implementations.

Xavier Bonnetain is the national coordinator of the work package 5 "Quantum cryptanalysis".

Pierre-Jean Spaenlehauer is the local scientific coordinator for the CARAMBA team.

9.2.2 PEPR Cybersécurité, project CRYPTANALYSE

Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, Emmanuel Thomé.

Within the context of the national PEPR program "cybersécurité" (launched in 2021), a call for proposals was published in July 2022 to complement the set of topics with three new projects, among which one on the classical cryptanalysis of cryptographic primitives. We coordinated the nationwide answer to this call for proposals, submitted in September 2022, and the project was accepted on March 27, 2023. The project started on October 1, 2023.

Emmanuel Thomé and Gaëtan Leurent (Inria COSMIQ, Paris) lead the project. Several teams are involved. The project is divided into eight work packages, and the CARAMBA team is interested in most of them.

9.2.3 Projet ANR KLEPTOMANIAC

Participants: Pierrick Gaudry, Cécile Pierrot, Pierre-Jean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.

The RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields were the first invented primitives of public-key cryptography.

It is hard to estimate the time and resources needed to factor an integer, and thereby how hard it is to break RSA. All regulatory bodies recommend either avoiding RSA or using large RSA keys, of at least 2048 bits. In environments where computing power is plentiful, this recommendation is most often followed. Yet, it is a fact that we still rely on cryptography that uses smaller key sizes.

We plan to employ our expertise to provide solid hardness assessments for key sizes that are relevant today, and for which accuracy in the prediction is important. Our targets for accurate assessment are RSA-1024 and DH-1024 as well as specific discrete logarithm-related problems that arise in the blockchain context. We also intend to develop simulation software that would enable more accurate estimates.

In 2023, the work on the “double matrix” subtask initiated in 2022 was continued, in collaboration with Charles Bouillaguet (Sorbonne University). This work is integrated into a branch of Cado-NFS.

9.2.4 ANR Decrypt

Participants: Virginie Lallemand, Marine Minier.

This project aimed to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project was to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project defined new dedicated global constraints, improved the underlying filtering and solution search algorithms, and proposed dedicated explanations generated automatically. See the website for more information.

9.2.5 ANR OREO

Participants: Xavier Bonnetain, Sébastien Duval, Virginie Lallemand, Marine Minier.

This ANR project focuses on the use of Mixed Integer Linear Programming (MILP) in symmetric-key cryptography, a direction that enjoyed rapid recognition in the symmetric-key community following the article by Mouha et al. 43.

MILP models can be used both to design and attack ciphers, but the technique suffers from several limitations, some of which we plan to address in this project. In particular, we aim to explore how to handle more complex cryptographic problems than what is done so far (yet ensuring a reasonable solving time). This might imply finding how to improve the modelization techniques or considering different approaches like first solving approximated models.

9.2.6 Cooperation with ANSSI on e-voting regulation

Participants: Pierrick Gaudry.

We participate in a working group led by ANSSI, the purpose of which is to help the governmental actors (CNIL, ANSSI) in defining the next documents regulating the use of electronic voting in France.

9.3 Regional initiatives

10 Dissemination

Participants: Xavier Bonnetain, Sébastien Duval, Pierrick Gaudry, Aurore Guillevic, Virginie Lallemand, Marine Minier, Cécile Pierrot, Pierre-Jean Spaenlehauer, Emmanuel Thomé, Paul Zimmermann.

10.1 Promoting scientific activities

10.1.1 Scientific events: organisation

Member of the organizing committees
Member of the conference program committees
Member of the Conference Steering Committees

10.1.2 Journal

Member of the editorial boards
Reviewer - reviewing activities

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

10.1.3 Invited talks

10.1.4 Leadership within the scientific community

10.1.5 Scientific expertise

10.1.6 Research administration

10.2 Teaching - Supervision - Juries

10.2.1 Teaching

Marine Minier obtained a half-time Inria delegation in 2023.

10.2.2 Supervision

10.2.3 Juries

10.3 Popularization

The deciphering of the encrypted letter from Emperor Charles V (see §7.4.3) had a large media coverage, both in French and international media. To cite a few: the French television (France 2, France 3, BFM TV, Arte), the French radio (France Inter, Europe 1, France Info, France Culture), French newspapers (Le Monde, Le Point), an excellent video on Nota Bonus, some international media (The Guardian, Radio Canada, BBC, RTVE, The Scientist).

10.3.1 Internal or external Inria responsibilities

10.3.2 Education

10.3.3 Interventions

11 Scientific production

11.1 Major publications

11.2 Publications of the year

International journals

International peer-reviewed conferences

Doctoral dissertations and habilitation theses

Reports & preprints

11.3 Other

Patents

Softwares

11.4 Cited publications