CARAMBA - 2020 - Annual activity report

2020

Activity report

Project-Team

CARAMBA

RNSR: 201622054G

CNRS, Université de Lorraine

Team name:

Cryptology, arithmetic: algebraic methods for better algorithms

Domain

Algorithmics, Programming, Software and Architecture

Algorithmics, Computer Algebra and Cryptology

Creation of the Team: 2016 January 01, updated into Project-Team: 2016 September 01

Keywords

Computer Science and Digital Science

1 Team members, visitors, external collaborators

Research Scientists

Faculty Member

Post-Doctoral Fellow

PhD Students

Interns and Apprentices

Administrative Assistants

Visiting Scientist

External Collaborators

2 Overall objectives

Our research addresses the broad application domain of cryptography and cryptanalysis from the algorithmic perspective. We study all the algorithmic aspects, from the top-level mathematical background down to the optimized high-performance software implementations. Several kinds of mathematical objects are commonly encountered in our research. Some basic ones are truly ubiquitous: integers, finite fields, polynomials, real and complex numbers. We also work with more structured objects such as number fields, algebraic curves, or polynomial systems. In all cases, our work is geared towards making computations with these objects effective and fast.

The two facets of cryptology—cryptography and cryptanalysis—are central to our research. The key challenges are the assessment of the security of proposed cryptographic primitives (both public- and secret-key), as well as the introduction of new cryptographic primitives, or the performance improvement of existing ones.

Our research connects to both symmetric and asymmetric key cryptography. While the basic principles of these domains are rather different—indeed their names indicate different handlings of the key—research in both domains is led by the same objective of finding the best trade-offs between efficiency and security. In addition, both require design and analysis to be studied together, as these two aspects nurture each other.

Our research topics can be listed either with broad applications domains in mind (a very coarse-grain view would have us list them under cryptography and cryptanalysis), or more thematically (see Figure 1). Either way, we also identify a set of tools that we sometimes develop per se, but most often as ingredients towards goals that are set in the context of other themes. Following the “vertical” reading direction in Figure 1, our research topics are as follows.

Figure 1: Visual representation of the thematic organization of CARAMBA. Solid dots: major interaction; clear dots: minor interaction.

As a complement to the last point, we consider that the impact of our research on cryptology in general owes a lot to the publication of concrete practical results. We are strongly committed to making our algorithms available as software implementations. We thus have several long-term software development projects that are, and will remain, part of our research activity.

3 Research program

3.1 The Extended Family of the Number Field Sieve

The Number Field Sieve (NFS) has been the leading algorithm for factoring integers for more than 20 years, and its variants have been used to set records for discrete logarithms in finite fields. It is reasonable to understand NFS as a framework that can be used to solve various sorts of problems. Factoring integers and computing discrete logarithms are the most prominent for the cryptographic observer, but the same framework can also be applied to the computation of class groups.

The state of the art with NFS is built from numerous improvements of its inner steps. In terms of algorithmic improvements, the recent research activity on the NFS family has been rather intense. Several new algorithms have been discovered since 2014, notably for non-prime fields, and their practical reach has been demonstrated by actual experiments.

The algorithmic contributions of the CARAMBA members to NFS would hardly be possible without access to a dependable software implementation. To this end, members of the CARAMBA team have been developing the Cado-NFS software suite since 2007. Cado-NFS is now the most widely visible open-source implementation of NFS, and is a crucial platform for developing prototype implementations of new ideas for the many sub-algorithms of NFS. Cado-NFS is free software (LGPL) and follows an open development model, with a publicly accessible development repository and regular software releases. Competing free software implementations exist, such as msieve, developed by J. Papadopoulos (whose last commit is from August 2018). In Lausanne, T. Kleinjung develops his own code base, which is unfortunately not public.

The work plan of CARAMBA on the topic of the Number Field Sieve algorithm and its cousins includes the following aspects:

3.2 Algebraic Curves for Cryptology

The challenges associated with algebraic curves in cryptology are diverse, because of the variety of mathematical objects to be considered. These challenges are also connected to each other. On the cryptographic side, efficiency matters. With the standardization of TLS 1.3 in 2018 [33], the curves x25519 and x448 have entered the base specification of the standard. These curves were designed by academia and offer an excellent compromise between efficiency and security.

On the cryptanalytic side, the discrete logarithm problem on (Jacobians of) curves has resisted all attempts for many years. Among the currently active topics, the decomposition algorithms raise interesting problems related to polynomial system solving, as do attempts to solve the discrete logarithm problem on curves defined over binary fields. In particular, while it is generally accepted that the so-called Koblitz curves (base field extensions of curves defined over GF(2)) are likely to be a weak class among the various curve choices, no concrete attack supports this claim fully.

The research objectives of CARAMBA on the topic of algebraic curves for cryptology are as follows:

3.3 Symmetric Cryptography

Since the recruiting of Marine Minier in September 2016 as a Professor at the Université de Lorraine, and of Virginie Lallemand as a CNRS researcher in October 2018, a new research domain has emerged in the CARAMBA team: symmetric key cryptology. Accompanied in this adventure by non-permanent team members, we are tackling problems related to both design and analysis. A large part of our recent research has been motivated by the Lightweight Cryptography Standardization Process of the NIST, which embodies a crucial challenge of the last decade: finding ciphers that are suitable for resource-constrained devices.

On a general note, the working program of CARAMBA in symmetric cryptography is defined as follows:

3.4 Computer Arithmetic

Computer arithmetic is part of the common background of all team members, and is naturally ubiquitous in our application domains. However involved the mathematical objects considered may be, dealing with them first requires mastering more basic objects: integers, finite fields, polynomials, and real and complex floating-point numbers. Libraries such as GNU MP, GNU MPFR, and GNU MPC do an excellent job for these, both for small and large sizes (we rarely, if ever, focus on small-precision floating-point data, which explains why we do not mention libraries relevant to it).

Most of our involvement in subjects related to computer arithmetic is to be understood in connection to our applications to the Number Field Sieve and to abelian varieties. As such, much of the research work we envision will appear as side-effects of developments in these contexts. On the topic of arithmetic work per se:

3.5 Polynomial Systems

Systems of polynomial equations have been part of the cryptographic landscape for quite some time, with applications to the cryptanalysis of block and stream ciphers, as well as multivariate cryptographic primitives.

Polynomial systems arising from cryptology are usually not generic, in the sense that they have some distinct structural properties, such as symmetries or bilinearity for example. During the last decades, several results have shown that identifying and exploiting these structures can lead to dedicated Gröbner basis algorithms that can achieve large speedups compared to generic implementations [28, 29].

Existing software already solves polynomial systems well, and duplicating this effort is not relevant. However, we develop test-bed open-source software for ideas relevant to the specific polynomial systems that arise in the context of our applications. The TinyGB software is our platform to test new ideas.

We aim to work on the topic of polynomial system solving in connection with our involvement in the aforementioned topics.

4 Application domains

4.1 Better Awareness and Avoidance of Cryptanalytic Threats

Our study of the Number Field Sieve family of algorithms aims at showing how the threats underlying various supposedly hard problems are real. Our record computations, as well as new algorithms, contribute to having a scientifically accurate assessment of the feasibility limit for these problems, given academic computing resources. The data we provide in this way is a primary ingredient for government agencies whose purpose includes guidance for the choice of appropriate cryptographic primitives. For example, the French ANSSI, the German BSI, or NIST in the United States base their recommendations on such computational achievements.

The software we make available to achieve these cryptanalytic computations also allows us to give cost estimates for potential attacks on cryptographic systems that take the security/efficiency/legacy-compatibility trade-offs too lightly. Attacks such as Logjam [26] are understood as being serious concerns thanks to our convincing proofs of concept. In the Logjam context, this impact has led to rapid worldwide security advisories and software updates that eventually defeat some potential intelligence threats and improve the confidentiality of communications.

4.2 Promotion of Better Cryptography

We also promote the switch to algebraic curves as cryptographic primitives. Those offer nice speed and excellent security, while primitives based on elementary number theory (integer factorization, discrete logarithm in finite fields), which underpin e.g., RSA, are gradually forced to adopt unwieldy key sizes so as to comply with the desired security guarantees of modern cryptography. Our contributions to the ultimate goal of having algebraic curves eventually take over the cryptographic landscape lie in our contributions to fast arithmetic, our contributions to the point counting problem, and more generally our expertise on the diverse surrounding mathematical objects, or on the special cases where the discrete logarithm problem is not hard enough and should be avoided.

We also promote cryptographically sound electronic voting, for which we develop the Belenios prototype software (licensed under the AGPL). It depends on research made in collaboration with the PESTO team, and provides stronger guarantees than current state of the art.

4.3 Key Software Tools

The vast majority of our work is eventually realized as software. We can roughly categorize it in two groups. Some of our software covers truly fundamental objects, such as the GNU MPFR, GNU MPC, GF2X, or MPFQ packages. To their respective extent, these software packages are meant to be included or used in broader projects. For this reason, it is important that the license chosen for this software allows proper reuse, and we favor licenses such as the LGPL, which is not restrictive. We can measure the impact of this software by the way it is used in e.g., the GNU Compiler Collection (GCC), in Victor Shoup's Number Theory Library (NTL), or in the Sage computer algebra system. The availability of these software packages in most Linux distributions is also a good measure for the impact of our work.

We also develop more specialized software. Our flagship software package is Cado-NFS, and we also develop some others with various levels of maturity, such as GMP-ECM, CMH, or Belenios, aiming at quite diverse targets. Within the lifespan of the CARAMBA project, we expect more software packages of this kind to be developed, specialized towards tasks relevant to our research targets: important mathematical structures attached to genus 2 curves, generation of cryptographically secure curves, or tools for attacking cryptographically hard problems. Such software both illustrates our algorithms and provides a base on which further research work can be established. Because of the very nature of these specialized software packages as research topics in their own right, needing both to borrow material from other projects and being a possible source of inspiration for others, it is again important that these be developed in a free and open-source development model.

5 Highlights of the year

On February 28th, 2020, the factorization of RSA-250 was announced.

6 New software and platforms

6.1 New software

6.1.1 Belenios

6.1.2 CADO-NFS

6.1.3 BW6-761

6.1.4 TNFS-alpha

6.2 New platforms

Since 2018, the CARAMBA team has been using in particular a computer cluster called grvingt, acquired in 2018. This equipment was funded by the CPER «CyberEntreprises» (French Ministry of Research, Région Grand Est, Inria, CNRS) and comprises a 64-node, 2,048-core cluster. This cluster is installed in the Inria facility. Other slightly older hardware (a medium-size cluster called grcinq from 2013, funded by ANR, and a special machine funded by the aforementioned CPER grant) is also installed in the same location, to form a coherent platform with about 3,000 CPU cores, 100 TB of storage, and specific machines for RAM-demanding computations. As a whole, this platform provides an excellent support for the computational part of the work done in CARAMBA. This platform is also embedded in the larger Grid'5000/Silecs platform (and accessible as a normal resource within this platform). Technical administration is done by the Grid'5000 staff.

This equipment has played a key role in the record factorization of RSA-240 done in February 2020, as well as the computation of discrete logarithms modulo a 240-digit prime, completed at the end of 2019.

7 New results

7.1 Algebraic Curves for Cryptology

7.1.1 Cocks-Pinch Curves of Embedding Degrees Five to Eight and Optimal Ate Pairing Computation

Participants: Aurore Guillevic, Simon Masson, Emmanuel Thomé.

The preprint version of [7] appeared in the 2019 report; this paper was published in 2020 in the journal Designs, Codes and Cryptography. In this work we explored a modification of the Cocks-Pinch method to generate pairing-friendly curves resistant to the Special Tower NFS algorithm (STNFS). We carefully estimated the cost of the STNFS attack for existing families of curves, and chose curves of embedding degree five to eight. For prime embedding degrees 5 and 7, our curves are naturally immune to the STNFS attack, but their performance level is not high. For composite embedding degrees 6 and 8, for which the TNFS attack applies, we chose the parameters from a family that is general enough to thwart the “special” variant STNFS; we also optimized these parameter choices so that these curves have a reasonably efficient pairing computation, close to the very best possible curve choices.

7.1.2 A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-bit Security Level

Participants: Aurore Guillevic.

The preprint version of [16] appeared in the 2019 report; this paper was published in 2020 in the proceedings of the (online) conference Public Key Cryptography, together with a 20-minute video at https://youtube.com/watch?v=Nk69Ltmb5jY. This paper applies the refinements of [8] to estimate the cost of the Special Tower NFS algorithm for particular pairing-friendly curves, whose target group is 𝔽_{p^n}, and where the characteristic is special, i.e. parameterized by a low-degree polynomial. We show that with a new variant of the polynomial selection, the estimated cost is reduced, but stays above the theoretical bound of the Special NFS, L_{p^n}(1/3, (32/9)^{1/3}). This variant does not apply to the Cocks-Pinch curves of [7]. We list nine interesting pairing-friendly curves of embedding degrees between 10 and 16 at the 128-bit security level. This paper was complemented with a webpage listing pairing-friendly curves at https://members.loria.fr/AGuillevic/pairing-friendly-curves/.

7.1.3 Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition

Participants: Aurore Guillevic.

This work with Youssef El Housni, PhD student in the GRACE team at Inria Saclay and at EY–Ernst & Young (now at ConsenSys), selects a new elliptic curve for SNARKs (Succinct Non-interactive ARguments of Knowledge) [14]. The curve is named BW6-761 for a Brezing–Weng pairing-friendly curve of embedding degree 6 defined over a 761-bit prime field. The curve is dedicated to recursive proofs of knowledge from Groth [30]. The curve is designed to work together with the elliptic curve BLS12-377, a Barreto–Lynn–Scott pairing-friendly curve over a 377-bit prime field 𝔽p. For recursive proofs, the prime subgroup order of the curve BW6-761 is p, the characteristic of the base field of the curve BLS12-377. The new curve BW6-761 is an improvement of the ZEXE curve [27] and provides faster arithmetic; in particular, faster scalar multiplication and much faster pairing computation, resulting in a 30-fold speed-up in Groth'16 proof verification in Rust. The curve is deployed in many SNARK libraries and listed in Ethereum Improvement Proposals (EIP). The security estimate of the new curve uses [7] and [8]. This joint work will be continued in 2021.

7.1.4 A Practical Attack on ECDSA Implementations Using wNAF Representation

Participants: Gabrielle De Micheli, Cécile Pierrot, Rémi Piau.

The preprint version of [13] appeared in the 2019 report; this paper was published in 2020 in the proceedings of the (online) conference Africacrypt 2020. ECDSA is a widely deployed public-key signature protocol that uses elliptic curves. One way of attacking an ECDSA implementation that uses the wNAF representation for the scalar multiplication is to perform a side-channel analysis to collect information, then use a lattice-based method to recover the secret key. In [13], we re-investigate the construction of the lattice used in one of these methods, the Extended Hidden Number Problem (EHNP). We find the secret key with only 3 signatures, thus reaching the theoretical bound, which had never been achieved before. Our attack is more efficient than previous attacks, has a better probability of success, and is still able to find the secret key with a small amount of erroneous traces, up to 2% of false digits.

7.1.5 Recovering cryptographic keys from partial information, by example

Participants: Gabrielle De Micheli.

Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this tutorial [22], we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.

7.1.6 Modular polynomials on Hilbert surfaces

This article, written in 2017 when the first author was in the group, has been published as [10].

7.2 The Number Field Sieve – High-Level Results

7.2.1 Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment

Participants: Aurore Guillevic, Pierrick Gaudry, Emmanuel Thomé, Paul Zimmermann.

In [1], we reported on our computational records that were completed at the end of 2019 (integer factorization and discrete logarithms for 240-digit, 795-bit key sizes) and beginning of 2020 (integer factorization for 250-digit, 829-bit key sizes). This work was made possible by a series of improvements in the Number Field Sieve algorithm, and by the flexibility of the Cado-NFS software implementation, which enabled us to experiment with a vast variety of parameter selection strategies. Our conclusions are two-fold. First, our computations were much faster than expected. At the 240-digit (795-bit) level, we show that our computation of discrete logarithms actually took 25% less time (measured on identical hardware) than the time that was reported for the computation of discrete logarithms modulo a 232-digit (768-bit) prime. Second, we simultaneously computed two records of the same size, one on integer factoring, and one on discrete logarithms. This double achievement gives a crucial data point regarding how to compare these problems, which are of utmost importance for public-key cryptography. We show that, contrary to the common belief that discrete logarithms are very considerably harder to compute than integer factoring for similar key sizes, the difference is only a factor of roughly 3 for 795-bit key sizes, which is much less than previously thought. This paper was published in the proceedings of the conference Crypto 2020.

We also wrote a non-technical article in French, which aims at dissemination towards a more general public [25].

7.2.2 Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields

Participants: Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot.

In [2], we study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case. We adapt the Function Field Sieve to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones. This paper was published in the proceedings of the conference Crypto 2020.

7.2.3 Refined Analysis of the Asymptotic Complexity of the Number Field Sieve

Participants: Aude Le Gluher, Pierre-Jean Spaenlehauer, Emmanuel Thomé.

In [23], we examine how the asymptotic complexity of the Number Field Sieve can be refined. Its most commonly used expression, for the factorization of an n-bit integer, is of the form exp((1+o(1)) f(n)). This (1+o(1)) factor is present for reasons that pertain to analytic number theory results. In practical terms however, this inaccuracy is problematic since it can swallow potentially huge factors. Yet, extrapolations on the hardness of integer factoring, or of finite field discrete logarithms, resort to setting o(1)=0 for lack of a better alternative. In [23], we try to see what hides behind o(1). On the positive side, we show that symbolic computation tools can be used to provide an asymptotic expansion to arbitrarily many terms. On the negative side, we show that this expansion is basically useless, as o(1) stands in fact for a series that diverges in a range that widely encompasses the practical range. A consequence of this is that predictions of the hardness of, say, 8000-bit RSA, given a data point for 800-bit RSA, should be regarded with extreme care.

7.3 The Number Field Sieve – Implementation Results

7.3.1 New Discrete Logarithm Computation for the Medium Prime Case Using the Function Field Sieve

Participants: Emmanuel Thomé.

In [11], we study how the Function Field Sieve algorithm can extend to the medium prime range, and provide concrete experimental results for a kilobit finite field of 22-bit characteristic. The linear algebra step was manageable in this example thanks to the CARAMBA expertise. We also show that the linear algebra step can be expected to dominate in two chosen examples of slightly larger characteristic. This article was published in 2020 in the journal Advances in Mathematics of Communications.

7.3.2 Parallel Structured Gaussian Elimination for the Number Field Sieve

Participants: Paul Zimmermann.

Together with Charles Bouillaguet (now Sorbonne University, Paris, France), we completely re-designed the structured Gaussian elimination step of Cado-NFS (called merge). The new algorithm is fully parallel, and scales quite well. It was used for the new 240- and 250-digit record factorizations and discrete logarithm computations [1]. The article describing the new parallel algorithm was finally accepted for publication in 2020, and will appear in Mathematical Cryptology [4].

7.4 Symmetric Cryptology

7.4.1 Cryptanalysis Results on Spook: Bringing Full-round Shadow-512 to the Light

Participants: Paul Huynh, Virginie Lallemand.

Together with Patrick Derbez, María Naya-Plasencia, Léo Perrin and André Schrottenloher, we found a series of structural properties on Spook, one of the second round candidates of the NIST Lightweight Cryptography Standardization process. In [3], we managed to extend these properties and to build practical distinguishers of the full 6-step version of the underlying permutations of Spook, namely Shadow-512 and Shadow-384. We also proposed practical forgeries with 4-step Shadow for the S1P mode of operation in the nonce misuse scenario, which is allowed by the CIML2 security game considered by the authors. Our findings have led the designers of Spook to propose a tweaked version of their candidate in order to improve the security margins. This paper was published in the proceedings of the conference Crypto 2020.

7.4.2 On the Feistel Counterpart of the Boomerang Connectivity Table: Introduction and Analysis of the FBCT

Participants: Hamid Boukerrou, Paul Huynh, Virginie Lallemand, Bimal Mandal, Marine Minier.

The article [5] involved all the team members working in symmetric cryptography. It studied how to adapt the BCT, a recent tool introduced to better estimate the strength of so-called boomerang distinguishers, to the case of Feistel constructions. We investigated the properties of the newly introduced table (that we call the FBCT) and showed that its coefficients are related to the second order derivative of the function at play. We compared the properties of the BCT and of the FBCT, and concluded with an extension to more rounds and with an application of the results. This article was published in Transactions on Symmetric Cryptology.
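To make the "second order derivative" remark concrete, the following Python, added here as an example and not code from the report or from the FBCT paper, builds the DDT, the BCT of Cid et al. and the FBCT for a 4-bit S-box, using the PRESENT S-box as constructed input. The table definitions in the module docstring are this example's assumptions; in particular the FBCT is taken to count the inputs x where D_a D_b S(x) = 0, which is why, unlike the BCT, it needs no inverse S-box.

```python
"""DDT, BCT and FBCT of a 4-bit S-box (added example, not project code).

Assumed definitions:
  DDT[a][b]  = #{x : S(x) ^ S(x^a) == b}
  BCT[a][b]  = #{x : S^-1(S(x)^b) ^ S^-1(S(x^a)^b) == a}      (SPN boomerang)
  FBCT[a][b] = #{x : S(x) ^ S(x^a) ^ S(x^b) ^ S(x^a^b) == 0}  (Feistel boomerang)
The FBCT counts the zeros of the second-order derivative D_a D_b S, so it is
defined even when S is not a permutation (a Feistel round function need not be).
"""
from typing import Callable, List

Table = List[List[int]]

# 4-bit S-box of the PRESENT block cipher, used as constructed sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def invert(sbox: List[int]) -> List[int]:
    """Inverse of a permutation S-box; raises if S is not bijective."""
    n = len(sbox)
    inv = [-1] * n
    for x, y in enumerate(sbox):
        if not 0 <= y < n or inv[y] != -1:
            raise ValueError("S-box is not a permutation, no inverse exists")
        inv[y] = x
    return inv


def _count_table(n: int, holds: Callable[[int, int, int], bool]) -> Table:
    """n x n table whose entry (a, b) counts the x in [0, n) with holds(a, b, x)."""
    return [[sum(1 for x in range(n) if holds(a, b, x)) for b in range(n)]
            for a in range(n)]


def ddt(sbox: List[int]) -> Table:
    """Difference Distribution Table."""
    return _count_table(len(sbox), lambda a, b, x: sbox[x] ^ sbox[x ^ a] == b)


def bct(sbox: List[int]) -> Table:
    """Boomerang Connectivity Table for an SPN round (needs S^-1)."""
    inv = invert(sbox)
    return _count_table(
        len(sbox), lambda a, b, x: inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a)


def fbct(sbox: List[int]) -> Table:
    """Feistel Boomerang Connectivity Table: zeros of D_a D_b S."""
    return _count_table(
        len(sbox),
        lambda a, b, x: sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b] == 0)


def uniformity(table: Table, feistel: bool = False) -> int:
    """Largest non-trivial entry. Rows/columns a == 0 or b == 0 are always
    full for all three tables; for the FBCT the diagonal a == b is also
    trivial because D_a D_a S is identically zero."""
    n = len(table)
    return max(table[a][b] for a in range(1, n) for b in range(1, n)
               if not (feistel and a == b))


if __name__ == "__main__":
    for name, table in (("DDT", ddt(PRESENT_SBOX)), ("BCT", bct(PRESENT_SBOX)),
                        ("FBCT", fbct(PRESENT_SBOX))):
        print(name, "non-trivial max:", uniformity(table, feistel=name == "FBCT"))
```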

7.4.3 Analysis of Boolean Functions in a Restricted (Biased) Domain

Participants: Bimal Mandal.

This work [9], with Subhamoy Maitra, Dibyendu Roy, Thor Martinsen and Pantelimon Stanica, is a substantially revised and extended version of the paper “Tools in analyzing linear approximation for Boolean functions related to FLIP” that appeared in the proceedings of Indocrypt 2018 [32]. We proposed a technique to study the cryptographic properties of Boolean functions whose inputs do not follow a uniform distribution, and obtained a lower bound for the bias of the nonlinear filter function of FLIP by using a biased Walsh–Hadamard transform. Our results provide a more accurate calculation of the biases of Boolean functions over a restricted domain, which helps to determine the security parameters of FLIP-type ciphers.

Participants: Marine Minier.

In [6], with David Gérault, Pascal Lafourcade, and Christine Solnon, we improve existing Constraint Programming (CP) approaches for computing optimal related-key differential characteristics: we add new constraints that detect inconsistencies sooner, and we introduce a new decomposition of the problem in two steps. These improvements allow us to compute all optimal related-key differential characteristics for AES-128, AES-192 and AES-256 in a few hours. This article was published in 2020 in the journal Artificial Intelligence.

7.4.5 Participation in the NIST Lightweight Cryptography Standardization Process

Participants: Marine Minier, Paul Huynh, Virginie Lallemand.

The team is actively taking part in the lightweight cryptography standardization process of the NIST. The two major actions that have been taken are the following:

7.4.6 A White-Box Encryption Scheme using Physically Unclonable Functions

Participants: Marine Minier, Sandra Rasoamiaramanana.

When a cryptographic algorithm is executed in a potentially hostile environment, techniques of white-box cryptography are used to protect a secret key from a fully-privileged adversary. However, even if the adversary is not able to extract the secret key from the implementation, they might lift the entire white-box code and execute it (this is called a code lifting attack). In 17, we introduce an encryption scheme that can be implemented on an untrusted environment and is still secure even if the white-box code has been lifted. We base our proposal on a Physically Unclonable Function (PUF) to ensure the execution context of our so-called PUF-based encryption scheme. This way, the encryption is “locked” by a particular device. This article was published in the proceedings of the 17th International Conference on Security and Cryptography.

7.5 E-voting

7.5.1 How to fake zero-knowledge proofs, again

Participants: Véronique Cortier, Pierrick Gaudry, Quentin Yang.

In a short paper [12] contributed to the E-Vote-ID 2020 conference, we explain how, in the Belenios voting system, even though it does not use the weak version of Fiat-Shamir, there is still a gap that allows faking a zero-knowledge proof in certain circumstances. Therefore an attacker who corrupts the voting server and the decryption trustees could break verifiability.

7.5.2 Breaking the Encryption Scheme of the Moscow Internet Voting System

Participants: Pierrick Gaudry.

The article [15] has been published in the proceedings of the Financial Crypto conference. It was also presented as an invited contribution at Real World Crypto 2020 and at the Workshop on Attacks in Crypto (a satellite of the Crypto 2020 conference).

7.6 Other

7.6.1 Three Cousins of Recamán's Sequence

Participants: Paul Zimmermann.

Following a question of Neil Sloane, the author of the On-Line Encyclopedia of Integer Sequences (OEIS), Paul Zimmermann designed an efficient algorithm to compute the sequence C(n) defined in http://oeis.org/A332580: C(n) is the minimal positive k such that the concatenation of the decimal digits of n, n+1, ..., n+k is divisible by n+k+1, or -1 if no such k exists. The new algorithm made it possible to find the (previously unknown) values C(44)=2783191412912 and C(98)=218128159460, and other values for n≤1000. The corresponding article is submitted for publication in the Fibonacci Quarterly [24].
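The definition of C(n) as a direct search, added here as an example; this is the naive method that the definition suggests, not the efficient algorithm from the report. The search cap max_k is this example's assumption: the true sequence uses -1 only when no k exists at all, and values like C(44) above are far beyond what this search can reach.

```python
"""Naive search for C(n) of OEIS A332580 (added example, not project code).

C(n) is the smallest k >= 1 such that the decimal concatenation of
n, n+1, ..., n+k is divisible by n+k+1. Because the divisor changes with
every k, the concatenated value is kept as an exact integer and tested at
each step; no modular shortcut applies.
"""


def concat_range(n: int, k: int) -> int:
    """Integer formed by concatenating the decimal digits of n, ..., n+k."""
    value = 0
    for m in range(n, n + k + 1):
        value = value * 10 ** len(str(m)) + m
    return value


def c_of_n(n: int, max_k: int = 10_000) -> int:
    """Return C(n) if it is at most max_k, else -1.

    The cap is an assumption of this example: -1 here means 'not found within
    max_k steps', whereas the sequence itself reserves -1 for 'no such k'.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    value = n                       # concatenation of n alone (k = 0)
    for k in range(1, max_k + 1):
        m = n + k
        value = value * 10 ** len(str(m)) + m   # append the digits of m
        if value % (m + 1) == 0:                # divisor is n+k+1 = m+1
            return k
    return -1


if __name__ == "__main__":
    for n in range(1, 13):
        print(n, c_of_n(n))
```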

7.6.2 Le traçage anonyme, dangereux oxymore: Analyse de risques à destination des non-spécialistes

Participants: Pierrick Gaudry, Emmanuel Thomé.

The article [21], in French, examined the potential privacy implications of Covid-19 contact tracing systems that were to be deployed in various countries. We show that despite claims of “privacy by design”, privacy concerns do exist and cannot be dismissed lightly.

8 Bilateral contracts and grants with industry

8.1 Bilateral contracts with industry

8.2 Bilateral grants with industry

9 Partnerships and cooperations

9.1 International initiatives

Informal international partners

Since January 2020 a virtual center for cybersecurity has been established between LORIA and CISPA in Saarbrücken (Germany). This virtual center is led by Marine Minier for LORIA and by Antoine Joux for CISPA.

9.2 International research visitors

9.2.1 Visits of international scientists

Santanu Sarkar, from the Indian Institute of Technology Bombay, visited our team until February 2020. His three-month stay was an opportunity to work with him on secret-key cryptography.

9.3 National initiatives

9.3.1 FUI Industrial Partnership on Lightweight Cryptography

We have a contract with several partners dedicated to the definition of new lightweight cryptographic primitives for the IoT. Here is the main information about this partnership. See the website for a full presentation.

9.3.2 ANR Decrypt

This project aims to propose a declarative language dedicated to cryptanalytic problems in symmetric key cryptography using constraint programming (CP) to simplify the representation of attacks, to improve existing attacks and to build new cryptographic primitives that withstand these attacks. We also want to compare the different tools that can be used to solve these problems: SAT and MILP where the constraints are homogeneous and CP where the heterogeneous constraints can allow a more complex treatment.

One of the challenges of this project will be to define global constraints dedicated to the case of symmetric cryptography.

Concerning constraint programming, this project will define new dedicated global constraints, will improve the underlying filtering and solution search algorithms, and will propose dedicated explanations generated automatically. See the website for more information.

10 Dissemination

10.1 Promoting scientific activities

10.1.1 Scientific events: selection

Member of the conference program committees
Member of the Conference Steering Committees
Reviewer

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

10.1.2 Journal

Member of the editorial boards
Reviewer - reviewing activities

Members of the project-team did their share in reviewing submissions to renowned conferences and journals. Actual publications venues are not disclosed for anonymity reasons.

10.1.3 Invited talks

10.1.4 Scientific expertise

10.1.5 Research administration

10.2 Teaching - Supervision - Juries

10.2.1 Teaching

10.2.2 Supervision

10.2.3 Juries

10.3 Popularization

10.3.1 Articles and contents

In connection with our recent factoring and discrete logarithm record computations, we wrote a non-technical article in French, which aims at dissemination towards a more general public [25].

10.3.2 Education

10.3.3 Interventions

Cécile Pierrot gave a wide-audience talk about cryptography at La Cité des Sciences, Paris, for the exhibition "Espions" (October 2019 to June 2021).

11 Scientific production

11.1 Major publications

11.2 Publications of the year

International journals

International peer-reviewed conferences

Doctoral dissertations and habilitation theses

Reports & preprints

Other scientific publications

11.3 Cited publications