IMB > Recherche > Séminaires

# Séminaire de Théorie Algorithmique des Nombres

Responsables : Razvan Barbulescu et Wessel Van Woerden

Page du séminaire

• Le 12 janvier 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Alain Couvreur LIX -- Inria Saclay
On the hardness of code equivalence problems in rank metric
In recent years, the notion of rank metric in the context of coding theory has known many interesting developments in terms of applications such as space time coding, network coding or public key cryptography. These applications raised the interest of the community for theoretical properties of this type of codes, such as the hardness of decoding in rank metric or better decoding algorithms. Among classical problems associated to codes for a given metric, the notion of code equivalence has always been of the greatest interest. In this talk, we discuss the hardness of the code equivalence problem in rank metric for $\mathbb F_{q^m}$--linear and general rank metric codes.
• Le 19 janvier 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Renaud Vilmart LSV -- Inria Saclay
Une introduction aux circuits quantiques et au ZX-calcul
• Le 26 janvier 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Mercedes Haiech Université Rennes 1
The Fundamental Theorem of Tropical Partial Differential Algebraic .Geometry
Given a partial differential equation (PDE), its solutions can be difficult, if not impossible, to describe. The purpose of the Fundamental theorem of tropical (partial) differential algebraic geometry is to extract from the equations certain properties of the solutions. More precisely, this theorem proves that the support of the solutions in $k[[t_1, \cdots, t_m]]$ (with $k$ a field of characteristic zero) can be obtained by solving a so-called tropicalized differential system.
• Le 2 février 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Bogdan Dina Ulm University
Isogenous hyperelliptic and non-hyperelliptic Jacobians with maximal complex multiplication
We analyze complex multiplication for Jacobians of curves of genus 3, as well as the resulting Shimura class groups and their subgroups corresponding to Galois conjugation over the reflex field. We combine our results with numerical methods to find CM fields $K$ for which there exist both hyperelliptic and non-hyperelliptic curves whose Jacobian has complex multiplication by $\mathbb{Z}_K$.
• Le 2 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Jade Nardi Inria Saclay\, LIX
Explicit construction and parameters of projective toric codes
Toric codes, introduced by Hansen in 2002, generalize (weighted) Reed-Muller codes on other toric varieties than projective spaces. They consist of evaluation codes of monomials at tuples of non-zero coordinates, which correspond to the points on the dense torus contained in the associated toric variety. Our aim is to â€˜projectiviseâ€™ these codes, in the same spirit that turns a Reed-Muller codes into a projective one: we consider codes obtained by evaluating global sections on the whole set of the rational points of a toric variety. We focus on simplicial toric varieties, which come with a nice quotient description, and we give an explicit construction of projective codes on them, as well as a combinatorial way to determine their parameters. 'Projectivizing' toric codes opens new possibilities of getting codes with excellent parameters, by extending some champion classical toric codes geometrically.
• Le 9 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Cécile Armana LMB\, Université de Franche-Comté
Bornes de Sturm pour des formes automorphes sur les corps de fonctions
Les bornes de Sturm indiquent combien de coefficients de Fourier successifs suffisent Ã  dÃ©terminer une forme modulaire. Pour les formes modulaires classiques, elles fournissent aussi des bornes sur le nombre d'opÃ©rateurs de Hecke engendrant l'algÃ¨bre du mÃªme nom. Cet exposÃ© propose d'Ã©tudier la situation pour certaines formes automorphes, dites de Drinfeld, sur les corps de fonctions. Il s'agit d'un travail en commun avec Fu-Tsun Wei (National Tsing-Hua University, TaÃ¯wan).
• Le 16 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Vincent Neiger Université de Limoges
Deterministic computation of the characteristic polynomial in the time of matrix multiplication
This talk describes joint work with ClÃ©ment Pernet on an algorithm which computes the characteristic polynomial of a matrix over a field within the same asymptotic complexity, up to constant factors, as the multiplication of two square matrices. Previously, this was only achieved by resorting to genericity assumptions or randomization techniques, while the best known complexity bound with a general deterministic algorithm was obtained by Keller-Gehrig in 1985 and involves logarithmic factors. The new algorithm computes more generally the determinant of a univariate polynomial matrix in reduced form.
• Le 16 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Vincent Neiger Université de Limoges
Deterministic computation of the characteristic polynomial in the time of matrix multiplication
This talk describes joint work with ClÃ©ment Pernet on an algorithm which computes the characteristic polynomial of a matrix over a field within the same asymptotic complexity, up to constant factors, as the multiplication of two square matrices. Previously, this was only achieved by resorting to genericity assumptions or randomization techniques, while the best known complexity bound with a general deterministic algorithm was obtained by Keller-Gehrig in 1985 and involves logarithmic factors. The new algorithm computes more generally the determinant of a univariate polynomial matrix in reduced form.
• Le 23 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Samuel Le Fourn Institut Fourier\, Université Grenoble Alpes
Recherche de points entiers sur une variété modulaire de dimension 3
La dÃ©termination effective des points entiers sur des variÃ©tÃ©s algÃ©briques est un problÃ¨me difficile, surtout en dimension plus grande que 1. Dans cet exposÃ©, je prÃ©senterai briÃ¨vement deux approches naturelles pour les points entiers qui permettent dans des cas favorables de tous les trouver. En cherchant des raffinements de ces mÃ©thodes, on arrive Ã  des problÃ¨mes combinatoires intÃ©ressants, que je mettrai en valeur dans le cas prÃ©cis d'une variÃ©tÃ© "modulaire" de dimension 3, qu'on peut dÃ©finir par une Ã©quation quartique dans $\mathbb{P}^4$.
• Le 30 mars 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Charles Fougeron IRIF\, Université de Paris
Dynamiques des algorithmes de fraction continue multidimensionnels
MotivÃ©s par la richesse de l'algorithme de Gauss qui permet de calculer efficacement les meilleurs approximation d'un nombre rÃ©el par des rationnels, beaucoup de mathÃ©maticiens ont proposÃ© des gÃ©nÃ©ralisations de ces algorithmes pour approximer des vecteurs de dimension supÃ©rieure Ã  1. Citons pour exemple celui de PoincarÃ© introduit Ã  la fin du 19e siÃ¨cle ou ceux de Brun et Selmer Ã  la moitiÃ© du 20e siÃ¨cle.
• Le 6 avril 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Marc Masdeu Universitat Autònoma de Barcelona
Numerical experiments with plectic Stark--Heegner points
Let $E/F$ be an elliptic curve defined over a number field $F$, and let $K/F$ be a quadratic extension. If the analytic rank of $E(K)$ is one, one can often use Heegner points (or the more general Darmon points) to produce (at least conjecturally) a nontorsion generator of $E(K)$. If the analytic rank of $E(K)$ is larger than one, the problem of constructing algebraic points is still very open. In very recent work, Michele Fornea and Lennart Gehrmann have introduced certain $p$-adic quantities that may be conjecturally related to the existence of these points. In this talk I will explain their construction, and illustrate with some numerical experiments that we have been able to carry out that support their conjecture. This is joint work with Michele Fornea and Xevi Guitart.
• Le 27 avril 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Ann Kiefer Luxembourg Centre for Educational Testing
Property (FA) of the unit group of $2$-by-$2$ matrices over an order in a quaternion algebra
We study property (FA) and its hereditary version for unit groups of $2$-by-$2$ matrices over orders in totally definite quaternion algebras with rational centres. In particular we consider the three matrix rings over totally definite rational quaternion algebras that can appear as Wedderbrun-Artin components of a group ring $\mathbb{Q}G$.
• Le 4 mai 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Barinder Banwait Harish-Chandra Research Institute
Explicit isogenies of prime degree over quadratic fields
Let $K$ be a quadratic field which is not an imaginary quadratic field of class number one. We describe an algorithm to compute a superset of the set of primes $p$ for which there exists an elliptic curve over $K$ admitting a $K$-rational $p$-isogeny. Combining this algorithm with recent work on the determination of quadratic points on low-genus modular curves, we determine - conditional upon the Generalised Riemann Hypothesis - the above set of isogeny primes for several quadratic fields, providing the first such examples after Mazur's 1978 determination for $K = \mathbb{Q}$. We will give a live demo of the Sage and PARI/GP implementations of the algorithm.
• Le 11 mai 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Weiqiang Wen Inria Rennes\, Irisa
On algorithms for solving Euclidean lattice problems in cryptography
In this talk, we will try to review the state-of-the-art of the algorithms for solving the Euclidean lattice problems underlying cryptography. In more details, this talk contains two parts. In the first part, we will focus on the lattice problems such as approximate Shortest Vector Problem (approx-SVP) and the lattice reduction algorithms as the best known solving algorithms so far. In particular, I will present an improved enumeration-based lattice reduction algorithm, which is shown to be (potentially) relevant to cryptanalysis. In the second part, we will instead consider a quantum problem that is computationally equivalent to approx-SVP. By directly solving a quantum problem, we may expect to have a more powerful use of the quantum computation. However, the best known algorithms for solving approx-SVP via solving this quantum problem, is not better than lattice reduction yet.
• Le 18 mai 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Aurore Guillevic Inria Nancy\, Loria
Computing Murphy-alpha in the special tower number field sieve algorithm and applications to pairing-based cryptography
Pairings on elliptic curves are involved in signatures, NIZK, and recently in blockchains (ZK-SNARKS). These pairings take as input two points on an elliptic curve $E$ over a finite field, and output a value in an extension of that finite field. Usually for efficiency reasons, this extension degree is a power of 2 and 3 (such as 12, 18, 24), and moreover the characteristic of the finite field has a special form. The security relies on the hardness of computing discrete logarithms in the group of points of the curve and in the finite field extension.
• Le 25 mai 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Razvan Barbulescu CNRS\, IMB
Quelques conséquences du programme de Mazur sur la cryptographie
Les algorithmes de factorisation d'entiers et ceux de calcul de logarithmes discrets, adaptÃ©s aux tailles cryptographiques, ont deux Ã©tapes pertinentes pour notre exposÃ© : la sÃ©lection polynomiale et la cofactorisation. La premiÃ¨re consiste Ã  sÃ©lectionner deux polynÃ´mes homogÃ¨nes $F(x,y)$ et $G(x,y)$ dans $\mathbb{Z}[x,y]$ tels que les entiers de l'ensemble $\{F(a,b)G(a,b)\mid a,b\in\text{ un rectangle },\gcd(a,b)=1 \}$ contiennent le plus possible d'entiers $B$-friables (ayant tous les facteurs premiers infÃ©rieurs Ã  $B$). La deuxiÃ¨me consiste Ã  factoriser des entiers de la forme $F(a,b)$ et $G(a,b)$.
• Le 1er juin 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Andreas Enge\, Bill Allombert\, Fredrik Johansson Inria\, CNRS\, Inria
Présentation de l'équipe LFANT pour les stagiaires
• Le 8 juin 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Stéphane Ballet I2M\, Université Aix-Marseille
Optimization of the scalar complexity of Chudnovsky^2 multiplication algorithms in finite fields
We propose several constructions for the original multiplication algorithm of D.V. and G.V. Chudnovsky in order to improve its scalar complexity. We highlight the set of generic strategies who underlay the optimization of the scalar complexity, according to parameterizable criteria. As an example, we apply this analysis to the construction of type elliptic Chudnovsky2 multiplication algorithms for small extensions. As a case study, we significantly improve the Baum-Shokrollahi construction for multiplication in F256/F4.
• Le 15 juin 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Fabien Narbonne IRMAR\, Université de Rennes
Corps de modules des courbes de genre 2 à Jacobienne décomposée
• Le 22 juin 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Vandita Patel University of Manchester
Shifted powers in Lucas-Lehmer sequences
The explicit determination of perfect powers in (shifted) non-degenerate, integer, binary linear recurrence sequences has only been achieved in a handful of cases. In this talk, we combine bounds for linear forms in logarithms with results from the modularity of elliptic curves defined over totally real fields to explicitly determine all shifted powers by two in the Fibonacci sequence. A major obstacle that is overcome in this work is that the Hilbert newspace which we are interested in has dimension 6144. We will focus on how this space is computationally handled with respect to the underlying Diophantine equation. This is joint work with Mike Bennett (UBC) and Samir Siksek (Warwick).
• Le 29 juin 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Pierre Briaud Inria Paris
An algebraic approach to the Rank Support Learning problem
Rank-metric code-based cryptography relies on the hardness of decoding a random linear code in the rank metric. The Rank Support Learning problem (RSL) is a variant where an attacker has access to N decoding instances whose errors have the same support and wants to solve one of them. This problem is for instance used in the Durandal signature scheme. In this talk, we will present a new algebraic attack on RSL. We build upon Bardet et al., Asiacrypt 2020, where similar techniques are used to solve MinRank and RD. However, our analysis is simpler and overall our attack relies on very elementary assumptions compared to standard GrÃ¶bner bases attacks. In particular, our results show that key recovery attacks on Durandal are more efficient than was previously thought. This is joint work with Magali Bardet.
• Le 6 juillet 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Online
Anna Somoza IRMAR\, Université de Rennes 1
The Inverse Jacobian problem
To an algebraic curve $C$ over the complex numbers one can associate a non-negative integer $g$, the genus, as a measure of its complexity. One can also associate to $C$, via complex analysis, a $g\times g$ symmetric matrix $\Omega$ called period matrix. Because of the natural relation between $C$ and $\Omega$, one can obtain information about one by studying the other. Therefore, it makes sense to consider the inverse problem: Given a period matrix $\Omega$, can we compute a model for the associated curve $C$?
• Le 13 juillet 2021 à 15:00
• Séminaire de Théorie Algorithmique des Nombres
Salle de conférences
Jean Kieffer IMB
Équations modulaires en dimension supérieure, applications au calcul d'isogénies et au comptage de points

• Le 5 octobre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Henri Cohen IMB
Algebraic values of the hypergeometric function
In this talk, I will study the general problem of when the value of the hypergeometric function $F(a,b;c;z)$ is algebraic, assuming $a$,$b$,$c$, and $z$ rational. The results involve modular forms and functions, complex multiplication, Shimura curves, and computer searches.
• Le 12 octobre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Damien Robert IMB
Revisiter l'algorithme de Satoh de comptage de points en petite caractéristique par relèvement canonique
L'algorithme de Satoh de comptage de points sur les courbes elliptiques permet d'obtenir (aprÃ¨s des amÃ©liorations de Harvey) une complexitÃ© quasi-quadratique en le degrÃ© pour une (petite) caractÃ©ristique fixÃ©e $p$. Dans cet exposÃ© je passerai en revue plusieurs variantes de cet algorithme et ses extensions aux variÃ©tÃ©s abÃ©liennes. J'expliquerai ensuite comment on peut grandement simplifier l'implÃ©mentation de cet algorithme. L'implÃ©mentation dans Pari/GP du nouvel algorithme produit un gain d'un facteur 30 Ã  la fois de temps de calcul et de consommation mÃ©moire.
• Le 9 novembre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Koen de Boer CWI Amsterdam
Sampling relatively near-prime ideals
We show a method to sample an element alpha from a given ideal I, such that their quotient ideal (alpha)/I is a (possibly large) prime times a smooth number ('near-prime') with reasonable probability. This method consists of 'randomizing' the ideal I by multiplying it with small primes (yielding J) and consequently sampling the element alpha from this randomized ideal J intersected with a large box. The probability that the quotient (alpha)/J is prime (i.e., that the quotient (alpha)/I is a near-prime) is tightly related to density results on prime ideals (prime ideal theorem). As an application we show an efficient way to compute power residue symbols for varying degree number fields.
• Le 16 novembre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Benjamin Wesolowski CNRS\, IMB
SQISign: Compact Post-Quantum Signature from Quaternions and Isogenies
We will present the signature scheme SQISign, (for Short Quaternion and Isogeny Signature) exploiting isogeny graphs of supersingular elliptic curves. The signature and public key sizes combined are an order of magnitude smaller than all other post-quantum signature schemes. Its efficient implementation and security analysis open new research challenges.
• Le 23 novembre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Aurel Page IMB
Norm relations and class group computations
When $L/K$ is a Galois extension of number fields with Galois group $G$, some invariants of $L$ can be related to those of its proper subfields. I will present some old and some new such relations, and an application to the computation of class groups of some large number fields. This is joint work with Jean-FranÃ§ois Biasse, Claus Fieker and Tommy Hofmann.
• Le 30 novembre 2021 à 10:00
• Séminaire de Théorie Algorithmique des Nombres
Salle 2
Katharina Boudgoust IRISA EMSEC\, Rennes
The partial Vandermonde knapsack problem
In my seminar I will do an introduction to the concept of essential dimension: roughly speaking, the essential dimension is a measure of how many independent parameters we need to describe some algebraic object. The concept of essential dimension was introduced by Buhler and Reichstein in 1995 and it is linked to an algebraic version of Hilbert's 13th problem. For a finite group $G$; the essential dimension measures how much one can compress a faithful representation of $G$. When $G$ is the symmetric group $S_n$ the essential dimension tells us how many independent parameters we need to write a generic polynomial of degree $n$ on a field $k$ of characteristic zero; equivalently, the essential dimension of $S_n$ computes the number of parameters needed to write a generating polynomial for separable field extensions of degree $n$. This is still an open problem for $n geq 8. Suprisingly, the analogue problem for inseparable field extensions has been solved explicitely. • Le 30 novembre 2021 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Salle 2 Katharina Boudgoust IRISA EMSEC\, Rennes The partial Vandermonde knapsack problem This work contributes in the field of lattice-based cryptography, a research domain of public key cryptography that was initiated at the end of the 1990s by two different branches. On the one had, there have been proposals benefiting from strong theoretical connections to presumed hard worst-case lattice problems, leading to the development of public key cryptography based on the SIS (Short Integer Solution) and LWE (Learning With Errors) problems. On the other hand, very efficient schemes basing their security on average-case structured lattice problems have been introduced, the most popular among them is the NTRU encryption scheme. • Le 7 décembre 2021 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Salle 386 Olivier Bernard IRISA EMSEC\, Rennes Log-S-unit lattices using Explicit Stickelberger Generators to solve Approx Ideal-SVP The Twisted-PHS algorithm to solve Approx-SVP for ideal lattices on any number field, based on the PHS algorithm by Pellet-Mary, Hanrot and StehlÃ© in 2019, was introduced in 2020. The authors performed experiments for prime conductors cyclotomic fields of degrees at most 70, reporting exact approximation factors reached in practice. The main obstacle for these experiments is the computation of a log-S-unit lattice, which requires classical subexponential time. • Le 14 décembre 2021 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Xavier Goaoc Université de Lorraine\, LORIA Un phénomène de concentration en géométrie combinatoire Le type d'ordre d'une sÃ©quence de points du plan est une gÃ©nÃ©ralisation de la permutation associÃ©e Ã une sÃ©quence de nombres rÃ©els. Cette structure combinatoire encode de nombreuses propriÃ©tÃ©s gÃ©omÃ©triques de la sÃ©quence de points, par exemple le treillis des faces de son enveloppe convexe, ou encore les triangulations qu'elle supporte. • Le 4 janvier 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Guillaume Moroz Inria\, LORIA New data structure for univariate polynomial approximation and applications to root isolation, numerical multipoint evaluation, and other problems We present a new data structure to approximate accurately and efficiently a polynomial$f$of degree$d$given as a list of coefficients. Its properties allow us to improve the state-of-the-art bounds on the bit complexity for the problems of root isolation and approximate multipoint evaluation. This data structure also leads to a new geometric criterion to detect ill-conditioned polynomials, implying notably that the standard condition number of the zeros of a polynomial is at least exponential in the number of roots of modulus less than$\frac{1}{2}$or greater than$2$. • Le 25 janvier 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Céline Maistret University of Bristol Parity of ranks of abelian surfaces Let$K$be a number field and$A/K$an abelian surface. By the Mordell-Weil theorem, the group of$K$-rational points on$A$is finitely generated and as for elliptic curves, its rank is predicted by the Birch and Swinnerton-Dyer conjecture. A basic consequence of this conjecture is the parity conjecture: the sign of the functional equation of the$L$-series determines the parity of the rank of$A/K$. • Le 8 février 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Elisa Lorenzo Garcia Université de Neuchâtel Reduction type of hyperelliptic curves in terms of the valuations of their invariants. In this talk we will first review the classical criteria to determine the (stable) reduction type of elliptic curves (Tate) and of genus 2 curves (Liu) in terms of the valuations of some particular combinations of their invariants. We will also revisit the theory of cluster pictures to determine the reduction type of hyperelliptic curves (Dokchitser's et al.). Via Mumford theta constants and Takase and Tomae's formulas we will be able to read the cluster picture information by looking at the valuations of some (Ã la Tsuyumine) invariants in the genus 3 case. We will also discuss the possible generalization of this strategy for any genus and some related open questions. • Le 8 mars 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Elena Berardini Télécom Paris Calcul d'espaces de Riemann-Roch pour les codes géométriques Les codes de Reed-Solomon sont largement utilisÃ©s pour reprÃ©senter des donnÃ©es sous forme de vecteurs, de sorte que les donnÃ©es peuvent Ãªtre rÃ©cupÃ©rÃ©es mÃªme si certaines coordonnÃ©es des vecteurs sont corrompues. Ces codes ont de nombreuses propriÃ©tÃ©s. Leurs paramÃ¨tres sont optimaux. Ils permettent de reconstruire des coordonnÃ©es qui ont Ã©tÃ© effacÃ©es. Ils sont compatibles avec l'addition et la multiplication de donnÃ©es. NÃ©anmoins, ils souffrent de certaines limitations. Notamment, la taille de stockage des coordonnÃ©es des vecteurs augmente de maniÃ¨re logarithmique avec le nombre de coordonnÃ©es. Les codes dits gÃ©omÃ©triques gÃ©nÃ©ralisent les codes de Reed-Solomon en bÃ©nÃ©ficiant des mÃªmes propriÃ©tÃ©s, tout en Ã©tant libres de ces limitations. Par consÃ©quent, l'utilisation de codes gÃ©omÃ©triques apporte des gains de complexitÃ©, et s'avÃ¨re utile dans plusieurs applications telles que le calcul distribuÃ© sur les secrets et les preuves zero-knowledge. Les codes gÃ©omÃ©triques sont construits en Ã©valuant des familles de fonctions, appelÃ©es espaces de Riemann-Roch, en les points rationnels d'une courbe. Il s'ensuit que le calcul de ces espaces est crucial pour la mise en Å“uvre des codes gÃ©omÃ©triques. Dans cet exposÃ©, je prÃ©senterai un travail rÃ©cent en collaboration avec S. Abelard, A. Couvreur et G. Lecerf sur le calcul effectif des bases des espaces de Riemann-Roch de courbes. AprÃ¨s avoir rÃ©visÃ© l'Ã©tat de l'art sur le sujet, je discuterai des idÃ©es Ã la base de notre algorithme, en particulier la thÃ©orie de Brill-Noether et l'utilisation des expansions de Puiseux. Les courbes utilisÃ©es dans la construction des codes gÃ©omÃ©triques sont pour la plupart limitÃ©es Ã celles pour lesquelles les bases de Riemann-Roch sont dÃ©jÃ connues. Ce nouveau travail et ceux qui suivront, permettront la construction de codes gÃ©omÃ©triques Ã partir de courbes plus gÃ©nÃ©rales. • Le 15 mars 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Salle 2 Pierrick Dartois Corps des mines\, Rennes 1 Cryptanalyse du protocole OSIDH Oriented Supersingular Isogeny Diffie-Hellman (OSIDH) est un Ã©change de clÃ© post-quantique proposÃ© par Leonardo ColÃ² et David Kohel en 2019. La construction repose sur lâ€™action du groupe de classe dâ€™un ordre quadratique imaginaire sur un espace de courbes elliptiques supersinguliÃ¨res et peut donc Ãªtre vue comme une gÃ©nÃ©ralisation du cÃ©lÃ¨bre Ã©change de clÃ© Ã base dâ€™isogÃ©nies CSIDH. Cependant, OSIDH est trÃ¨s diffÃ©rent de CSIDH dâ€™un point de vue algorithmique parce quâ€™OSIDH utilise des groupes de classe plus structurÃ©s que CSIDH. Comme lâ€™ont reconnu ColÃ² et Kohel eux-mÃªmes, cela rend OSIDH plus vulnÃ©rable aux attaques. Pour contourner cette faiblesse, ils ont proposÃ© une faÃ§on ingÃ©nieuse dâ€™effectuer lâ€™Ã©change de clÃ© en Ã©changeant de lâ€™information sur lâ€™action du groupe de classe au voisinage des courbes publiques, et ont conjecturÃ© que cette information additionnelle nâ€™impacterait pas la sÃ©curitÃ©. • Le 22 mars 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Salle 2 Jean Kieffer Harvard University Schémas de Newton certifiés pour l'évaluation des fonctions thêta en petit genre Les fonctions thÃªta permettent de relier les points de vue algÃ©brique et analytique dans l'Ã©tude des variÃ©tÃ©s abÃ©liennes: ce sont des formes modulaires de Siegel qui fournissent des coordonnÃ©es sur ces variÃ©tÃ©s et leurs espaces de modules. Rendre ce lien effectif nÃ©cessite un algorithme efficace d'Ã©valuation de ces fonctions thÃªta en un point. Dupont, dans sa thÃ¨se (2006), a dÃ©crit un algorithme heuristique basÃ© sur la moyenne arithmÃ©tico-gÃ©omÃ©trique (AGM) et un schÃ©ma de Newton pour Ã©valuer certaines fonctions thÃªta en genre 1 et 2 en temps quasi-linÃ©aire en la prÃ©cision. Le but de cet exposÃ© est de montrer que l'on peut en fait obtenir un algorithme certifiÃ© dont la complexitÃ© est uniforme. Je discuterai Ã©galement des obstacles restants pour gÃ©nÃ©raliser ce rÃ©sultat en dimension supÃ©rieure. • Le 29 mars 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Online Andreas Pieper Universität Ulm Constructing all genus 2 curves with supersingular Jacobian F. Oort showed that the moduli space of principally polarized supersingular abelian surfaces is a union of rational curves. This is proven by showing that every principally polarized supersingular abelian surface is the Jacobian of a fibre of one of the families of genus 2 curves$\pi: \mathcal{C}\rightarrow \mathbb{P}^1$constructed by L. Moret-Bailly. We present an algorithm that makes this construction effective: Given a point$x\in \mathbb{P}^1$we compute a hyperelliptic model of the fibre$\pi^{-1}(x)$. The algorithm uses Mumford's theory of theta groups to compute quotients by the group scheme$\alpha_p$. • Le 5 avril 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Damien Robert IMB Towards computing the canonical lift of an ordinary elliptic curve in medium characteristic Satoh's algorithm for counting the number of points of an elliptic curve$E/\mathbb F_q$with$q=p^n$is the fastest known algorithm when$p$is fixed: it computes the invertible eigenvalue$»$of the Frobenius to$p$-adic precision$m$in time$\tilde{O}(p^2 n m)$. Since by Hasse's bound, recovering$\chi_{\pi}$requires working at precision$m=O(n)$, the point counting complexity is of$\tilde{O}(p^2 n^2)$, quasi-quadratic in the degree$n$.Unfortunately, the term$p^2$in the complexity makes Satoh's algorithm suitable only for smaller$p$. For medium sized$p$, one can use Kedlaya's algorithm which cost$\tilde{O}(p n^2 m)$or a variant by Harvey's which cost$\tilde{O}(p^{1/2} n^{5/2} m + n^4 m)$, which have a better complexity on$p$but a worse one on$n$. For large$p$, the SEA algorithm costs$\tilde{O}(log^4 q)$.In this talk, we improve the dependency on$p$of Satoh's algorithm while retaining the dependency on$n$to bridge the gap towards medium characteristic. We develop a new algorithm with a complexity of$\tilde{O}(p n m)$. In the particular case where we are furthermore provided with a rational point of$p$-torsion, we even improve this complexity to$\tilde{O}(p^{1/2} n m)$.This is a joint work with Abdoulaye Maiga. • Le 12 avril 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Josué Tonelli-Cueto Inria Paris\, IMJ-PRG A p-adic Descartes solver: the Strassman solve Solving polynomials is a fundamental computational problem in mathematics. In the real setting, we can use Descartes' rule of signs to efficiently isolate the real roots of a square-free real polynomial. In this talk, we show how to translate this method into the p-adic worlds. We show how the p-adic analog of Descartes' rule of signs, Strassman's theorem, leads to an algorithm to isolate the p-adic roots of a square-free p-adic polynomial and provide some complexity estimates adapting the condition-based complexity framework from real/complex numerical algebraic geometry to the p-adic case. • Le 26 avril 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Lassina Dembélé King's College London "Correspondance de Langlands inertielle explicite pour${\nm GL}_2$et quelques applications arithmétiques" Dans cet exposé nous allons décrire une approche explicite qui permet de calculer les types automorphes inertiels pour${\rm GL}_2$. Nous donnerons ensuite quelques applications de cet algorithme à des problèmes diophantiens ou de nature arithmétique. • Le 3 mai 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Sergey Yurkevich University of Vienna\, Inria The generating function of the Yang-Zagier Numbers is algebraic In a recent paper Don Zagier mentions a mysterious integer sequence$(a_n) _{n \geq 0}$which arises from a solution of a topological ODE discovered by Marco Bertola, Boris Dubrovin and Di Yang. In my talk I show how to conjecture, prove and even quantify that$(a_n) _{n \geq 0}$actually admits an algebraic generating function which is therefore a very particular period. The methods are based on experimental mathematics and algorithmic ideas in differential Galois theory, which I will show in the interactive part of the talk. The presentation is based on joint work with A. Bostan and J.-A. Weil. • Le 17 mai 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Daniel Fiorilli Université Paris Saclay Résultats de type oméga pour les comptages de corps cubiques Il s'agit d'un travail en collaboration avec P. Cho, Y. Lee et A. Södergren. Depuis les travaux de Davenport-Heilbronn, beaucoup d'articles ont été ecrits donnant des estimations de plus en plus précises sur le comptage du nombre de corps cubiques de discriminant au plus X. Mentionnons par exemple les travaux de Belabas, Belabas-Bhargava-Pomerance, Bhargava-Shankar-Tsimerman, Taniguchi-Thorne et Bhargava-Taniguchi-Thorne. Dans cet exposé je parlerai d'un résultat négatif, qui montre que l'hypothèse de Riemann implique une limitation sur la plus petite taille possible du terme d'erreur dans ces estimations. Nous approchons la questions à partir de la théorie des petits zéros de fonctions$L$, en particulier la philosophie de Katz-Sarnak et les articles subséquents pour la famille des fonctions zeta de Dedekind de corps cubiques. Je présenterai aussi des résultats numériques obtenus avec pari/gp et le programme «cubic» de Belabas qui indiquent que notre résultat pourrait être optimal. • Le 18 mai 2022 à 14:30 • Séminaire de Théorie Algorithmique des Nombres - Wessel van Woerden CWI Amsterdam On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography A natural and recurring idea in the knapsack/lattice cryptography literature is to start from a lattice with remarkable decoding capability as your private key, and hide it somehow to make a public key. This is also how the code-based encryption scheme of McEliece (1978) proceeds.This idea has never worked out very well for lattices: ad-hoc approaches have been proposed, but they have been subject to ad-hoc attacks, using tricks beyond lattice reduction algorithms. On the other hand the framework offered by the Short Integer Solution (SIS) and Learning With Errors (LWE) problems, while convenient and well founded, remains frustrating from a coding perspective: the underlying decoding algorithms are rather trivial, with poor decoding performance.In this work, we provide generic realisations of this natural idea (independently of the chosen remarkable lattice) by basing cryptography on the Lattice Isomorphism Problem (LIP). More specifically, we provide:- a worst-case to average-case reduction for search-LIP and distinguish-LIP within an isomorphism class, by extending techniques of Haviv and Regev (SODA 2014).- a zero-knowledge proof of knowledge (ZKPoK) of an isomorphism. This implies an identification scheme based on search-LIP.- a key encapsulation mechanism (KEM) scheme and a hash-then-sign signature scheme, both based on distinguish-LIP.The purpose of this approach is for remarkable lattices to improve the security and performance of lattice-based cryptography. For example, decoding within poly-logarithmic factor from Minkowski's bound in a remarkable lattice would lead to a KEM resisting lattice attacks down to a poly-logarithmic approximation factor, provided that the dual lattice is also close to Minkowski's bound. Recent works have indeed reached such decoders for certain lattices (Chor-Rivest, Barnes-Sloan), but these do not perfectly fit our need as their duals have poor minimal distance. • Le 24 mai 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Alice Pellet-Mary CNRS/IMB Rigorous computation of class group and unit group Computing the class group and the unit group of a number field is a famous problem of algorithmic number theory. Recently, it has also become an important problem in cryptography, since it is used in multiple algorithms related to algebraic lattices.Subexponential time algorithms are known to solve this problem in any number fields, but they heavily rely on heuristics. The only non-heuristic (but still under ERH) known algorithm, due to Hafner and McCurley, is restricted to imaginary quadratic number fields.In this talk, we will see a rigorous subexponential time algorithm computing units and class group (and more generally S-units) in any number field, assuming the extended Riemann hypothesis.This is a joint work with Koen de Boer and Benjamin Wesolowski. • Le 31 mai 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Philippe Elbaz-Vincent Institut Fourier / Inria / IMB Sur quelques points, plus ou moins effectifs, de cohomologie des groupes arithmétiques Nous donnerons un panorama de certaines techniques et résultats pour le calcul de la cohomologie des groupes arithmétiques de rang$\ge 4$pour des anneaux d'entiers algébriques, ainsi que leurs applications arithmétiques et K-théoriques. Nous ferons ensuite un focus sur les méthodes utilisant le modèle de Voronoi (euclidien ou hermitien), ainsi que plusieurs améliorations algorithmiques. Nous préciserons certains résultats relatifs aux complexes de Voronoi et leurs cellules (pour$\mathrm{GL}_N$avec$N \geq 12$), ainsi qu'un travail en cours avec B. Allombert et R. Coulangeon sur les formes parfaites de rang$N$sur$\mathcal{O}_K$et la cohomologie de$\mathrm{GL}_N(\mathcal{O}_K)$pour certains anneaux d'entiers avec$N=4,5,6$. Nous mentionnerons aussi plusieurs problèmes ouverts relatifs à ces modèles. • Le 14 juin 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Antoine Leudière Université de Lorraine An explicit CRS-like action with Drinfeld modules L'une des pierres angulaires de la cryptographie des isogénies est l'action (dite CRS), simplement transitive, du groupe des classes d'un ordre d'un corps quadratique imaginaire, sur un certain ensemble de classes d'isomorphismes de courbes elliptiques ordinaires.L'échange de clé non-interactif basé sur cette action (espace homogène difficile) est relativement lent (de Feo, Kieffer, Smith, 2019) ; la structure du groupe (Beullens, Kleinjung, Vercauteren, 2019) est difficile à calculer. Pour palier à cela, nous décrivons une action, simplement transitive, de la jacobienne d'une courbe hyperelliptique imaginaire, sur un certain ensemble de classes d'isomorphismes de modules de Drinfeld. Après avoir motivé l'utilisation des modules de Drinfeld en lieu et place des courbes elliptiques, nous décrirons un algorithme efficace de calcul de l'action, ainsi que la récente attaque de Benjamin Wesolowski sur l'échange de clé donné par l'action. • Le 28 juin 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Andreas Enge Inria/IMB Implementing fastECPP in CM FastECPP is currently the fastest approach to prove the primality of general numbers, and has the additional benefit of creating certificates that can be checked independently and with a lower complexity. It crucially relies on the explicit construction of elliptic curves with complex multiplication.I will take you on a leisurely stroll through the different phases of the ECPP and fastECPP algorithms, with explanations of their complexity. We will then see the algorithmic choices I have made when integrating a parallelised implementation of fastECPP into my CM software, which has recently been used to prove the primality of a number of record size 50000 digits • Le 12 juillet 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Michael Monagan Simon Fraser University Computing with polynomials over algebraic number fields Let$K = \mathbb{Q}(\alpha_1,\dots,\alpha_k)$be an algebraic number field. We are interested in computing polynomial GCDs in$K[x]$and$K[x_1,\dots,x_n]$. Of course we also want to multiply, divide and factor polynomials over$K$. In$K[x]$we have the Euclidean algorithm but it "blows up"; there is a growth in the size of the rational numbers in the remainders. It is faster to compute the GCD modulo one or more primes and use the Chinese remainder theorem and rational number reconstruction. This leads to computing a GCD in$R[x]$where$R = K \pmod p$is usually not be a field; it is a finite ring.How do Computer Algebra Systems represent elements of$K$? How do Computer Algebra Systems compute GCDs in$K[x]$? What is the best way to do arithmetic in$R$? How can we compute a polynomial GCD in$K[x_1,\dots,x_n]$? In the talk we will try to answer these questions and we will present some timing benchmarks comparing our own C library for computing GCDs in$R[x]$with Maple and Magma. • Le 13 septembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Damien Robert Inria/IMB Breaking SIDH in polynomial time SIDH/SIKE was a post quantum key exchange mechanism based on isogenies between supersingular elliptic curves which was recently selected in July 5 2022 by NIST to advance to the fourth round of the PQC competition. It was soon after broken during the summer in a series of three papers by Castryck-Decru, Maino-Martindale and myself.The attacks all use the extra information on the torsion points used for the key exchange. We first review Petit's dimension 1 torsion point attack from 2017 which could only apply to unbalanced parameters. Then we explain how the dimension 2 attacks of Maino-Martindale and especially Castryck-Decru could break in heuristic (but in practice very effective) polynomial time some parameters, including the NIST submission where the starting curve$E: y^2=x^3+x$has explicit endomorphism$i$.Finally we explain how by going to dimension 8, we could break in proven quasi-linear time all parameters for SIKE.We will explain how the SIDH protocol worked at the beginning of the talk. We will see that the attack ultimately relies on a very simple 2x2 matrix computation! There will also be (hopefully) fun memes during the talk! • Le 20 septembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Fredrik Johansson Inria/IMB Faster computation of elementary functions Over a decade ago, Arnold Schönhage proposed a method to compute elementary functions (exp, log, sin, arctan, etc.) efficiently in "medium precision" (up to about 1000 digits) by reducing the argument using linear combinations of pairs of logarithms of primes or Gaussian primes. We generalize this approach to an arbitrary number of primes (which in practice may be 10-20 or more), using an efficient algorithm to solve the associated Diophantine approximation problem. Although theoretically slower than the arithmetic-geometric mean (AGM) by a logarithmic factor, this is now the fastest algorithm in practice to compute elementary functions from about 1000 digits up to millions of digits, giving roughly a factor-two speedup over previous methods. We also discuss the use of optimized Machin-like formulas for simultaneous computation of several logarithms or arctangents of rational numbers, which is required for precomputations. • Le 4 octobre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres Pierrick Dartois\, Fabrice Etienne et Nicolas Sarkis null Présentation des nouveaux doctorants de l'équipe LFANT • Le 11 octobre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Rémy Oudompheng - Computation of (3,3)-isogenies from a product of elliptic curves, in the style of 19th century geometry The method found by W. Castryck and T. Decru to break SIDH requires computing$(2^n,2^n)$-isogenies from a product of elliptic curves to another abelian surface (which is also a product), which are realized as degree 2 correspondences between curves.Transposing the attack to the other side of the SIDH exchange involves degree$(3,3)$-isogenies that can be evaluated using either theta functions, or divisors on genus 2 curves. Methods for the curve approach exist for the Jacobian case, but the case of a product of elliptic curves (Bröker, Howe, Lauter, Stevenhagen 2014) can be difficult to implement for cryptographically relevant field sizes due to various limitations in CAS such as SageMath/Singular.I will explain how traditional algebraic geometry can be called to the rescue to give a simple construction of the curve correspondence associated to the quotient of$E_1 \times E_2$by an isotropic$(3,3)$-kernel. This leads to a rather fast computation method relying only on elementary field operations and 2 square roots. The journey will bring back some memories of 19th century projective geometry. Theta function experts might recognize familiar objects in the geometric construction. • Le 18 octobre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Èrell Gachon - Some Easy Instances of Ideal-SVP and Implications on the Partial Vandermonde Knapsack Problem In our article, we generalize the works of Pan et al. (Eurocrypt 21) and Porter et al. (ArXiv 21) and provide a simple condition under which an ideal lattice defines an easy instance of the shortest vector problem. Namely, we show that the more automorphisms stabilize the ideal, the easier it is to find a short vector in it. This observation was already made for prime ideals in Galois fields, and we generalize it to any ideal (whose prime factors are not ramified) of any number field. We then provide a cryptographic application of this result by showing that particular instances of the partial Vandermonde knapsack problem, also known as partial Fourier recovery problem, can be solved classically in polynomial time. • Le 25 octobre 2022 • Séminaire de Théorie Algorithmique des Nombres - Damien Robert Inria/IMB Evaluating isogenies in polylogarithmic time We explain how the « embedding lemma » used in the recents attacks against SIDH can be used constructively. Namely we show that every$N$-isogeny between abelian varieties over a finite field admits an efficient representation allowing for its evaluation in time polylogarithmic in$N$. Furthermore, using Vélu's formula for elliptic curves, or isogenies in the theta model for dimension$g>1$, this representation can be computed in time quasi-linear in$N^g$. • Le 8 novembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Anne-Edgar Wilke IMB Énumération des corps de nombres quartiques Fixons un entier$n \geq 2$, et, pour$X \geq 0$, soit$C_n(X)$l'ensemble des classes d'isomorphisme de corps de nombres de degré$n$et de discriminant inférieur à$X$en valeur absolue. La méthode de Hunter-Pohst permet d'énumérer$C_n(X)$en temps$O(X^{\frac{n + 2}{4} + epsilon})$. Pour$n \geq 3$, on s'attend à ce que cette complexité ne soit pas optimale : en effet, une conjecture classique, démontrée pour$n leq 5$, prévoit qu'il existe une constante$c_n \geq 0$telle que le cardinal de$C_n(X)$soit équivalent à$c_n X$. En utilisant une paramétrisation des corps cubiques due à Davenport et Heilbronn, Belabas a mis au point un algorithme énumérant$C_3(X)$en temps optimal$O(X^{1 + \epsilon})$. Je montrerai comment une paramétrisation des corps quartiques due à Bhargava permet de manière similaire d'énumérer$C_4(X)$en temps$O(X^{\frac{5}{4} + \epsilon})$. Je présenterai ensuite des résultats numériques, ainsi que des perspectives d'amélioration et de généralisation en degré supérieur. • Le 15 novembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Henri Cohen IMB A Pari/GP package for continued fractions I will describe with numerous examples a new Pari/GP package for infinite continued fractions which can in particular compute numerically the limit, the exact asymptotic speed of convergence (almost never given in the literature), accelerate continued fractions, and especially apply the powerful Apéry acceleration technique to almost all continued fractions, leading to hundreds of new ones. • Le 22 novembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Sulamithe Tsakou - Index calculus attacks on hyperelliptic curves with efficient endomorphism The security of many existing cryptographic systems relies on the difficulty of solving the discrete logarithm problem (DLP) in a group. For a generic group, we can solve this problem with many algorithms such as the baby-step-giant-step, the Pollard-rho or the Pohlig-Hellman algorithm. For a group with known structure, we use the index calculus algorithm to solve the discrete logarithm problem. Then, the DLP on the Jacobian of a hyperelliptic curve defined over a finite field$\mathbb{F}_{q^n}$with$n >1$are subject to index calculus attacks. After having chosen a convenient factor basis, the index calculus algorithm has three steps - the decomposition step in which we decompose a random point in the factor basis, the linear algebra step where we solve a matricial equation and the descent phase in which the discrete logarithm is deduced. The complexity of the algorithm crucially depends on the size of the factor basis, since this determines the probability for a point to be decomposed over the base and also the cost of the linear algebra step. Faugère et al (EC 2014) exploit the$2$-torsion point of the curve to reduce the size of the factor basis and then improve the complexity of the index calculus algorithm. In a similar manner, we exploit the endomorphism of the Jacobian to reduce the size of the factor base for certain families of ordinary elliptic curves and genus$2$hyperelliptic Jacobians defined over finite fields. This approach adds an extra cost when performing operation on the factor basis, but our benchmarks show that reducing the size of the factor base allows to have a gain on the total complexity of index calculus algorithm with respect to the generic attacks. • Le 29 novembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Elie Bouscatié - Searching substrings inside an encrypted stream of data ... without decrypting ! Outsourcing IT services has become very common worldwide for multiple reasons ranging from costs reduction to improved services. Whatever the actual reason is, the concrete consequence for the company that delegates such services is that a third party ends up with its data in clear because of the well-known limitations of standard encryption.Ideally, this third party should only learn the minimal information necessary for performing the requested processing, which has motivated the design of countless encryption schemes compatible with specific processing. Such schemes belong to the realm of functional encryption, where the third party recovers a function f(x) from an encryption of x without learning anything else about x, with minimal interaction. Of course, the function f, and hence the encryption scheme, strongly depends on the considered application, which explains the profusion of papers related to this topic. We will focus on the possibility to allow a third party to search the presence of chosen substrings of different lengths (and more !) at any position in the encryption of a stream of data. After an introduction to this problematic and to the associated security notion, we will take a look at the proof of security of one specific construction. • Le 6 décembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Léo Poyeton - Admissibility of filtered$(\varphi,N)$-modules Filtered$(\varphi,N)$-modules over a$p$-adic field$K$are semi-linear objects which are easy to define and can be implemented on a computer. The modules$D_{st}(V)$defined by$p$-adic Hodge theory, where$V$is a$p$-adic representation of the absolute Galois group of$K$, provide examples of filtered$(varphi,N)$-modules. When$V$is nice enough (semi-stable), the data of$D_{st}(V)$is sufficient to recover$V$. A necessary and sufficient condition for a filtered$(\varphi,N)$-module$D$to be written as$D_{st}(V)$for some semi-stable representation$V$is the condition of "admissibility" which imposes conditions on the way the different structures of the$(varphi,N)$-module interact with each other.In a joint work with Xavier Caruso, we try to provide an algorithm which takes a filtered$(\varphi,N)$-module as an input and outputs whether it is admissible or not. I will explain how we can implement filtered$(\varphi,N)$-modules on a computer and why this question is well posed. I will then present an algorithm which answers the question if the$(\varphi,N)$-module is nice enough and explain the difficulties we are facing both in this nice case and in the general case. • Le 13 décembre 2022 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Samuel Le Fourn - Points de torsion d'une variété abélienne dans des extensions d'un corps fixé Pour une variété abélienne A sur un corps de nombres K, on sait que pour toute extension finie L/K, le nombre c(L) de points de torsion de A(L) est fini par le théorème de Mordell-Weil. En fait, un résultat de Masser prédit que c(L) est polynomial en [L:K] (si on fixe A et K) avec un exposant g=dim A, et une conjecture de Hindry et Ratazzi de 2012 donne l'exposant optimal (plus petit que g en général) en fonction d'une certaine structure de la variété abélienne (liée à son groupe dit de Mumford-Tate)Dans cet exposé, je parlerai d'un travail commun avec Lombardo et Zywina dans lequel nous démontrons une forme inconditionnelle de cette conjecture (et cette conjecture en admettant la conjecture de Mumford-Tate), en insistant sur les résultats intermédiaires qui peuvent être d'intérêt indépendant pour la compréhension des représentations galoisiennes associées à des variétés abéliennes. • Le 17 janvier 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Wouter Castryck - Radical isogeny formulas In several applications one is interested in a fast computation of the codomain curve of a long chain of cyclic$N$-isogenies emanating from an elliptic curve E over a finite field$\mathbb F_q$, where$N = 2, 3, \ldots$is some small fixed integer coprime to$q$. The standard approach proceeds by finding a generator of the kernel of the first$N$-isogeny, computing its codomain via Vélu's formulas, then finding a generator of the kernel of the second$N$-isogeny, and so on. Finding these kernel generators is often the main bottleneck.In this talk I will explain a new approach to this problem, which was studied in joint work with Thomas Decru, Marc Houben and Frederik Vercauteren. We argue that Vélu's formulas can be augmented with explicit formulas for the coordinates of a generator of the kernel of an$N$-isogeny cyclically extending the previous isogeny. These formulas involve the extraction of an$N$-th root, therefore we call them "radical isogeny formulas". By varying which$N$-th root was chosen (i.e., by scaling the radical with different$N$-th roots of unity) one obtains the kernels of all possible such extensions. Asymptotically, in our main cases of interest this gives a speed-up by a factor 6 or 7 over previous methods.I will explain the existence of radical isogeny formulas, discuss methods to find them (the formulas become increasingly complicated for larger N), and pose some open questions. • Le 24 janvier 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Razvan Barbulescu CNRS/IMB The particular case of cyclotomic fields whencomputing unit groups by quantum algorithms The computation of unit and class groups in arbitrary degree number field is done in polynomial time in a similar fashion to the Shor's factoring algorithm. Contrary to the fixed degree case which was solved in 2001 by Hallgren and a follow-up paper of Schmidt and Vollmer (2005), the arbitrary degree case requires errors estimations and is solved by the conjunction of two papers, Eisenträger et al. (2014) and de Boer et al. (2020).In the particular case of cyclotomic fields we propose a version of the algorithm which makes use of cyclotomic units. Indeed, the Shor-like procedure of Eisenträger et al.'s algorithm produces random approximations of vectors in the dual of the lattice of units. In order to guarantee the correction of the algorithm, they have to do the computations in high precision and hence require a large amount of qubits. Thanks to the lattice of cyclotomic units, one can do the computations in smaller precision and reduce the number of qubits. • Le 31 janvier 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Wessel van Woerden IMB An Algorithmic Reduction Theory for Binary Codes, LLL and more We will discuss an adaptation of the algorithmic reduction theory of lattices to binary codes. This includes the celebrated LLL algorithm (Lenstra, Lenstra, Lovasz, 1982), as well as adaptations of associated algorithms such as the Nearest Plane Algorithm of Babai (1986). Interestingly, the adaptation of LLL to binary codes can be interpreted as an algorithmic version of the bound of Griesmer (1960) on the minimal distance of a code. • Le 7 février 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Andrea Lesavourey Irisa Calcul de racines de polynômes dans un corps de nombres Computing roots of elements is an important step when solving various tasks in computational number theory. It arises for example during the final step of the General Number Field Sieve~(Lenstra et al. 1993). This problem also intervenes during saturation processes while computing the class group or$S$-units of a number field (Biasse and Fieker). It is known from the seminal paper introducing the LLL algorithm that one can recover elements of a given number field$K$given approximations of one of their complex embeddings. This can be used to compute roots of polynomials. In the first part of this presentation, I will describe an extension of this approach that take advantage of a potential subfield$k$, which replace the decoding of one element of$K$by the decoding$[K:k]$elements of$k$, to the cost of search in a set of cardinality$d^{[K:k]}$where$d$is the degree of the targetted polynomial equation. We will also describe heuristic observations that are useful to speed-up computations.In the second part of the presentation, we will describe methods to compute$e$-th roots specifically. When$K$and$e$are such that there are infinitely many prime integers$p$such that$\forall mathfrak{p} \mid p, p^{f(\mathfrak{p}\mid p)} ot equiv1 \pmod e$, we reconstruct$x$from$x \pmod {p_1}, dots, x \pmod {p_r} $using a generalisation of Thomé's work on square-roots in the context of the NFS~(Thomé). When this good condition on$K$and$n$is not satisfied, one can adapt Couveignes' approach for square roots (Couveignes) to relative extensions of number fields$K/k$provided$[K:k]$is coprime to$e$and infinitely many prime integers$p$are such that each prime ideal$\mathfrak{p}$of$\mathcal{O}_k$above$p$is inert in$K$. • Le 14 février 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Maxime Plançon IBM Zürich Exploiting algebraic structure in probing security The so-called$\omega$-encoding, introduced by Goudarzi, Joux and Rivain (Asiacrypt 2018), generalizes the commonly used arithmetic encoding. By using the additionnal structure of this encoding, they proposed a masked multiplication gadget (GJR) with quasilinear (randomness and operations) complexity. A second contribution by Goudarzi, Prest, Rivain and Vergnaud in this line of research appeared in TCHES 2021. The authors revisited the aforementioned multiplication gadget (GPRV), and brought the IOS security notion for refresh gadgets to allow secure composition between probing secure gadgets.In this paper, we propose a follow up on GPRV. Our contribution stems from a single Lemma, linking algebra and probing security for a wide class of circuits, further exploiting the algebraic structure of$\omega$-encoding. On the theoretical side, we weaken the IOS notion into the KIOS notion, and we weaken the usual$t$-probing security into the RTIK security. The composition Theorem that we obtain by plugging together KIOS, RTIK still achieves region-probing security for composition of circuits.To substantiate our weaker definitions, we also provide examples of competitively efficient gadgets verifying our weaker security notions. Explicitly, we give 1) a refresh gadget that uses$d-1$random field elements to refresh a length$d$encoding that is KIOS but not IOS, and 2) multiplication gadgets asymptotically subquadratic in both randomness and complexity. While our algorithms outperform the ISW masked compiler asymptotically, their security proofs require a bounded number of shares for a fixed base field. • Le 21 février 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Floris Vermeulen KU Leuven Arithmetic equivalence and successive minima Two number fields are said to be arithmetically equivalent if they have the same Dedekind zeta function. The central question about arithmetic equivalence is to determine how "similar" arithmetically equivalent number fields are. That is, we would like to determine which arithmetic invariants, such as the degree, discriminant, signature, units, class number, etc., are the same, and which ones can differ. A key result about arithmetic equivalence is Gassmann's theorem, which allows one to answer such questions using Galois theory and representation theory.I will give a general introduction to arithmetic equivalence, discussing some of the main results such as Gassmann's theorem and giving examples. I will then introduce the successive minima of a number field, and show that arithmetically equivalent number fields have approximately the same successive minima. " • Le 8 mars 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Ross Paterson University of Bristol Elliptic Curves over Galois Number Fields As E varies among elliptic curves defined over the rational numbers, a theorem of Bhargava and Shankar shows that the average rank of the Mordell-Weil group$E(\mathbb Q)$is bounded. If we now fix a Galois number field K, how does the Mordell-Weil group E(K) behave on average as a Galois module? We will report on progress on this question, which is obtained by instead studying the associated p-Selmer groups of E/K as Galois modules.We construct some novel Selmer groups which describe certain invariants of these modules, and go on to study the behaviour of these new Selmer groups. This in turn allows us to give bounds for certain behaviour for the Mordell-Weil groups. • Le 14 mars 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Leonardo Colô Université Aix-Marseille Oriented Supersingular Elliptic Curves and Class Group Actions We recently defined an OSIDH protocol with Kohel (OSIDH) for oriented supersingular isogeny Diffie-Hellman by imposing the data of an orientation by an imaginary quadratic ring$\mathcal{O}$on the category of supersingular elliptic curves. Starting with an elliptic curve$E_0$oriented by a CM order$\mathcal{O}_K$of class number one, we push forward the class group action along an$\ell$-isogeny chains, on which the class group of an order$\mathcal{O}$of large index$\ell^n$in$\mathcal{O}_K$acts. The map from$\ell$-isogeny chains to its terminus forgets the structure of the orientation, and the original base curve$E_0$. For a sufficiently long random$ell$-isogeny chain, the terminal curve represents a generic supersingular elliptic curve.One of the advantages of working in this general framework is that the group action by$\mathrm{Cl}(\mathcal{O})$can be carried out effectively solely on the sequence of moduli points (such as$j$-invariants) on a modular curve, thereby avoiding expensive generic isogeny computations or the requirement of rational torsion points.The proposed attacks of Onuki (2021) and Dartois-De Feo (2021) and their analyses motivate the idea of enlarging the class group without touching the key space using clouds. In this talk we propose two approaches to augment$\mathrm{Cl}(\mathcal{O}_n(M))$in a way that no effective data is transmitted for a third party to compute cycle relations. In both cases, it comes down to an extension of the initial chain by the two parties separately. In particular, while the original OSIDH protocol made exclusive use of the class group action at split primes in$\mathcal{O}$, we extend the protocol to include descent in the eddies at non-split primes (inert or ramified) or at large primes which are not cost-effective for use for longer isogeny walks. " • Le 21 mars 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Mathieu Dutour Institute Rudjer Boskovic\, Croatia High dimensional computation of fundamental domains We have developed open-source software in C++ for computing with polyhedra, lattices, and related algebraic structures. We will shortly explain its design. Then we will explain how it was used for computing the dual structure of the$W(H_4)$polytope.Then we will consider another application to finding the fundamental domain of cocompact subgroups$G$of$\mathrm{SL}_n(\mathbb{R})$. The approach defines a cone associated with the group and a point$x\in \mathbb{R}^n$. It is a generalization of Venkov reduction theory for$\mathrm{GL}_n(\mathbb{Z})$. We recall the Poincaré Polyhedron Theorem which underlies these constructions.We give an iterative algorithm that allows computing a fundamental domain. The algorithm is based on linear programming, the Shortest Group Element (SGE) problem and combinatorics. We apply it to the Witte cocompact subgroup of$\mathrm{SL}_3(\mathbb{R})$defined by Witte for the cubic ring of discriminant$49$. • Le 28 mars 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Shane Gibbons CWI\, Netherlands Hull attacks on the Lattice Isomorphism Problem The lattice isomorphism problem (LIP) asks one to find an isometry between two lattices. It has recently been proposed as a foundation for cryptography in independent works. This problem is the lattice variant of the code equivalence problem, on which the notion of the hull of a code can lead to devastating attacks. In this talk I will present the cryptanalytic role of an adaptation of the hull to the lattice setting, which we call the s-hull. Specifically, we show that the hull can be helpful for geometric attacks, for certain lattices the minimal distance of the hull is relatively smaller than that of the original lattice, and this can be exploited. The attack cost remains exponential, but the constant in the exponent is halved. Our results suggests that one should be very considerate about the geometry of hulls when instantiating LIP for cryptography. They also point to unimodular lattices as attractive options, as they are equal to their own hulls. Remarkably, this is already the case in proposed instantiations, namely the trivial lattice$\mathbb{Z}^n$and the Barnes-Wall lattices. • Le 4 avril 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Jean Gillibert Université de Toulouse 2 Finite subgroups of$mathrm{PGL}_2(mathbb{Q})$and number fields with large class groups For each finite subgroup$G$of$\mathrm{PGL}_2(\mathbb{Q})$, and for each integer$n$coprime to$6$, we construct explicitly infinitely many Galois extensions of$\mathbb{Q}$with group$G$and whose ideal class group has$n$-rank at least$#G-1$. This gives new$n$-rank records for class groups of number fields. • Le 11 avril 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres - Henry Bambury ENS Ulm An inverse problem for isogeny volcanoes Supersingular isogeny graphs are very complicated and intricate, and are used extensively by cryptographers. On the other side of things, the structure of ordinary isogeny graphs is well understood connected components look like volcanoes. Throughout this talk we will explore the ordinary$\ell$-isogeny graph over$\mathbb{F}_p$for various prime numbers$\ell$and$p$, and answer the following question, given a volcano-shaped graph, can we always find an isogeny graph in which our volcano lives as a connected component? • Le 25 avril 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres online Alessandro Languasco University of Padova\, Italy Computing$L'(1,chi)/L(1,chi)$using special functions, their reflection formulae and the Fast Fourier Transform We will show how to combine the Fast Fourier Transform algorithm with the reflection formulae of the special functions involved in the computation of the values of$L(1,chi)$and$L'(1,chi)$, where$chi$runs over the Dirichlet characters modulo an odd prime number$q$. In this way, we will be able to reduce the memory requirements and to improve the computational cost of the whole procedure. Several applications to number-theoretic problems will be mentioned, like the study of the distribution of the Euler-Kronecker constants for the cyclotomic field and its subfields, the behaviour of$min_{chie chi_0} | L'(1,chi)/L(1,chi) |$, the study of the Kummer ratio for the first factor of the class number of the cyclotomic field and the Landau vs. Ramanujan problem for divisor sums and coefficients of cusp forms. Towards the end of the seminar we will tackle open problems both of theoretical and implementative nature. • Le 2 mai 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Sorina Ionica Université de Picardie Computing bad reduction for genus 3 curves with complex multiplication Goren and Lauter studied genus 2 curves whose Jacobians are absolutely simple and have complex multiplication (CM) by the ring of integers of a quartic CM-field, and showed that if such a curve has bad reduction to characteristic p then there is a solution to a certain embedding problem. An analogous formulation of the embedding problem for genus 3 does not suffice for explicitly computing all primes of bad reduction. We introduce a new problem called the Isogenous Embedding Problem (IEP), which we relate to the existence of primes of bad reduction. We propose an algorithm which computes effective solutions for this problem and exhibits a list of primes of bad reduction for genus 3 curves with CM. We ran this algorithm through different families of curves and were able to prove the reduction type of some particular curves at certain primes that were open cases in the literature. • Le 9 mai 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Sabrina Kunzweiler IMB Isogeny-based PAKE protocols The passwords that we use in our everyday life are often chosen to be easily memorable which evidently makes them vulnerable to attacks. This problem is addressed by password-authenticated key exchange (PAKE). The general idea of such a protocol is to enable two parties who share the same (potentially weak) password to establish a strong session key. Most PAKE protocols used today are based on Diffie-Hellman key exchange in prime order groups, hence they are not secure against quantum attackers. A promising candidate for replacing Diffie-Hellman key exchange in a post-quantum world is the Commutative-Supersingular-Isogeny-Diffie-Hellman (CSIDH) key exchange. In this talk, we introduce two novel PAKE protocols based on CSIDH. • Le 16 mai 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Wessel van Woerden IMB Perfect Quadratic Forms -- an Upper Bound and Challenges in Enumeration In 1908 Voronoi introduced an algorithm that solves the lattice packing problem in any dimension in finite time. Voronoi showed that any lattice with optimal packing density must correspond to a so- called perfect (quadratic) form and his algorithm enumerates the finitely many perfect forms up to similarity in a fixed dimension. However, the number of non-similar perfect forms and the comlexity of the algorithm grows quickly in the dimension and as a result Voronoi’s algorithm has only been completely executed up to dimension 8. We discuss an upper bound on the number of perfect forms and the challenges that arise for completing Voronoi's algorithm in dimension 9. • Le 23 mai 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres bâtiment Inria, salle Sophie Germain (304) Boris Fuoutsa EPFL\, Switzerland Beyond the SIDH Countermeasures During summer 2022, a series of three cryptanalysis papers lead to a polynomial time attack on SIKE, which was in the fourth round of the NIST standardisation process. In a recent work, we explored countermeasures avenue to the SIDH attacks, M-SIDH and MD-SIDH. These countermeasures, despite being slow and less compact (when compared to SIDH and other post-quantum schemes), come with new insights that may be of independent interest. In this talk, we will discuss an on-going work in which we use M-SIDH together with the SIDH attacks to design a trapdoor one way function. This trapdoor one way function can be leveraged to obtain a public key encryption scheme, most importantly, it can be used to design an Identity Based Encryption scheme. The main drawback is that the design is purely theoretical at the moment, since inverting the one way function requires computing isogenies in higher dimension of prime degree up to 5000 or even higher. • Le 30 mai 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Sarah Arpin University of Leiden\, Netherlands Adding Level Structure to Supersingular Elliptic Curve Isogeny Graphs The classical Deuring correspondence provides a roadmap between supersingular elliptic curves and the maximal orders which are isomorphic to their endomorphism rings. Building on this idea, we add the information of a cyclic subgroup of prime order N to supersingular elliptic curves, and prove a generalisation of the Deuring correspondence for these objects. We also study the resulting ell-isogeny graphs supersingular elliptic curve with level-N structure, and the corresponding graphs in the realm of quaternion algebras. The structure of the supersingular elliptic curve ell-isogeny graph underlies the security of a new zero-knowledge proof of isogeny knowledge. • Le 6 juin 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Daan van Gent (University of Leinden\, Netherlands The Closest Vector Problem for the lattice of algebraic integers Any number field comes with a natural inner product as in the theory of the geometry of numbers, so that any order becomes a lattice. We extend the definition of the inner product to$\overline{\mathbb{Q}}$, the algebraic closure of the rationals, and consider its maximal order$\overline{\mathbb{Z}}$, which has infinite rank, as an intrinsically interesting `lattice'. We will compute several lattice invariants and attempt to solve the Closest Vector Problem through proofs inspired by capacity theory. Adjacent to CVP is the problem of finding the Voronoi-relevant vectors, and we pose the challenge to compute all such vectors of degree 3. • Le 13 juin 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Mahshid Riahinia ENS de Lyon Constrained Pseudorandom Functions from Homomorphic Secret Sharing A Constrained pseudorandom function (CPRF) is a pseudorandom function that provides fine-grained access to the evaluation of the function. In other words, for a (possibly super-polynomial) subset of inputs, a constrained pseudorandom function allows us to derive a constrained key that enables evaluating the function on that subset of inputs while learning nothing beyond. We propose and analyze a simple strategy for constructing 1-key constrained pseudorandom functions from homomorphic secret sharing (HSS) protocols. This relation, in particular, leads to instantiations of CPRFs for various constraints and from various assumptions. In this talk, I present this strategy and briefly go over one of the instantiations. • Le 20 juin 2023 à 10:30 • Séminaire de Théorie Algorithmique des Nombres INRIA building, room George Bool 2 Canari team INRIA Meeting Canari team and Inria Bordeaux head team The LFANT seminar is canceled. Instead, there will be a recurrent meeting between the team members and the administrative direction. The meeting is not compulsory for the PdD students. • Le 27 juin 2023 à 10:00 • Séminaire de Théorie Algorithmique des Nombres salle 1 Agathe Houzelot Labri White-Box Implementations of ECDSA Cryptographic algorithms are primarily designed to be secure in the black-box model, where an attacker can only observe their input/output behavior. However in practice, algorithms are rarely executed in a completely isolated environment and additional information is often leaked. In the context of mobile applications or connected objects, devices often lack secure storage to protect secret keys, and their generally open execution environment exposes a large attack surface. This hostile environment is captured by the white-box attack model. While many white-box implementation of block ciphers have been published since 2002, asymmetric cryptosystems have been very little studied. In my PhD thesis, we got interested in white-box implementations of ECDSA. This led us to participate in the WhibOx Contest that was organized as part of the TCHES workshops in 2021. During three months, developpers were invited to submit ECDSA white-box implementations and attackers to try to break them. In this talk, I will introduce the white-box model before explaining the specificities of the ECDSA algorithm in this context. I will then present the different attacks that we used to break almost all the challenges of the WhibOx Contest. • Le 12 septembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Pierrick Dartois IMB SQISignHD : Signing with higher dimensional isogenies. The SQISign isogeny-based post-quantum digital signature scheme introduced by De Feo, Kohel, Leroux, Petit and Wesolowski outputs very compact signatures at the expense of a high signature time. In this presentation, we recall how SQISign works and introduce a new scheme based on SQISign and the polynomial time torsion point attacks against SIDH due to Castryck, Decru, Maino, Martindale and Robert to sign with higher dimensional isogenies. This scheme remains to be implemented but we expect a significant signature time improvement, better security properties and signatures even more compact than in the original SQISign scheme. • Le 19 septembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Xavier Caruso IMB Drinfeld modules in SageMath In this talk, I will briefly introduce Drinfeld modules which, in some sense, appears as a arithmetically meaningful analogue of elliptic curves in the context of function fields. I will then discuss an implementation of Drinfeld modules which was recently included in SageMath. (Joint work with David Ayotte, Antoine Leudière and Joseph Musleh.) • Le 26 septembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Joël Felderhoff ENS Lyon Ideal-SVP is Hard for Small-Norm Uniform Prime Ideals The presumed hardness of the Shortest Vector Problem for ideal lattices (Ideal-SVP) has been a fruitful assumption to understand other assumptions on algebraic lattices and as a security foundation of cryptosystems. Gentry [CRYPTO’10] proved that Ideal-SVP enjoys a worst-case to average-case reduction, where the average-case distribution is the uniform distribution over the set of inverses of prime ideals of small algebraic norm (below d^O(d) for cyclotomic fields, where d refers to the field degree). De Boer et al. [CRYPTO’20] btained another random self-reducibility result for an average-case distribution involving integral ideals of norm 2^O(d^2). In this work, we show that Ideal-SVP for the uniform distribution over inverses of small-norm prime ideals reduces to Ideal-SVP for the uniform distribution over small-norm prime ideals. Combined with Gentry’s reduction, this leads to a worst-case to average-case reduction for the uniform distribution over the set of small-norm prime ideals. Using the reduction from Pellet-Mary and Stehlé [ASIACRYPT’21], this notably leads to the first distribution over NTRU instances with a polynomial modulus whose hardness is supported by a worst-case lattice problem. • Le 3 octobre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Jean Gasnier IMB An Algebraic Point of View on the Generation of Pairing-Friendly Elliptic Curves In 2010, Freeman, Scott, and Teske published a well-known taxonomy compiling the best known families of pairing-friendly elliptic curves. Since then, the research effort mostly shifted from the generation of pairing-friendly curves to the improvement of algorithms or the assessment of security parameters to resist the latest attacks on the discrete logarithm problem. Consequently, very few new families were discovered. However, the need of pairing-friendly curves of prime order in some new applications such as SNARKs has reignited the interest in the generation of pairing-friendly curves, with hope of finding families similar to the one discovered by Barreto and Naehrig. Building on the work of Kachisa, Schaefer, and Scott, we show that some elements of extensions of a cyclotomic field have a higher probability of generating a family of pairing-friendly curves. We present a general framework which embraces the KSS families and many of the other families in the taxonomy paper. We finally introduce a new family with embedding degree k=20 which we estimate to provide a faster Miller loop compared to KSS16 and KSS18 at the 192-bit security level. • Le 10 octobre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Wouter Rozendaal IMB A Renormalisation Decoder for Kitaev's Toric Quantum Code Kitaev's toric code is expected to be at the core of the first generation of quantum computers that will incorporate error protection. To make full use of the toric code, one requires an efficient decoding scheme that will process the classical information obtained from quantum syndrome measurements, so as to be able to regularly put arrays of qubits back into their intended states. The renormalisation decoders introduced by Duclos-Cianci and Poulin exhibit one of the best trade-offs between efficiency and speed. One feature that remained a mystery however, is their behaviour over adversarial channels, i.e. their worst-case behaviour. In this talk, we introduce a relatively natural and deterministic version of a renormalisation decoder and bound its error-correcting radius. • Le 24 octobre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Donghyeok Lim Korea On the Galois structure of units of totally real$p$-rational fields The Galois module structure of algebraic units is fundamental in number theory. However, its investigation is difficult because we need to understand arithmetic of number fields, and the integral representations of finite groups are difficult to classify. A number field is called$p$-rational if the Galois group of the maximal pro-$pp$-ramified extension is free pro-$p$. The$p$-rationality is known to be a condition that reduces the complexities in problems in number theory. In this talk, we explain our results on the implication of the existing theories on integral representations of finite groups (factor equivalence, regulator constant, Yakovlev diagram) on the algebraic units of totally real$p$-rational fields. This talk is based on the joint works with Z. Bouazzaoui, D. Burns, A. Kumon, and C. Maire. • Le 7 novembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Maxime Bombar CWI Pseudorandom Correlation Generators from the Hardness of Decoding Codes over Group Algebras The main bottleneck of secure multiparty computation is the cost of the communication between all the parties. Nevertheless, it is known for a long time that if prior to the actual MPC protocol, all the parties share random field elements having a useful correlation such as random multiplication triples, or the so-called random Oblivious Linear Evaluations (OLE's), the parties can engage in a very efficient protocol. The goal is therefore to generate this large amount of correlated randomness. To achieve this goal, Boyle et al. recently introduced a new tool which they called "Pseudorandom Correlation Generators" (PCG's) and demonstrated how it can be used to generate and distribute a large amount of (pseudo)random OLE's to two parties, using minimal interactions, followed solely by local computations. This enables secure two-party computation with "silent preprocessing", which can be extended to N-party using "programmable" PCG's. Previous constructions of programmable PCG's for OLE's suffer from two downsides: (1) They only generate OLE's over large fields, and (2) They rely on a rather recent "splittable Ring-LPN" assumption which lacks from strong security foundations. In this talk, I will present a way to overcome both limitation by introducing the "Quasi-Abelian Decoding Problem" which generalises the well-known decoding problem of quasi-cyclic codes, and show how its hardness allows to build programmable PCG's for the OLE correlation over any field Fq (with q>2). Finally, if time permits, I will evoke some ideas towards the q=2 case, which involves some elements from the theory of Carlitz modules over F2(T). This is based on a joint work with Geoffroy Couteau, Alain Couvreur and Clément Ducros • Le 14 novembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Stefano Marseglia Utrecht University Computing isomorphism classes and polarisations of abelian varieties over finite fields We consider abelian varieties over a finite field which are ordinary, or over a prime field, and which have commutative endomorphism algebra. Works of Deligne and Centeleghe-Stix allow us to describe these abelian varieties in terms of fractional ideals of an order in an étale algebra. I will explain how such descriptions can be exploited to explictly compute the abelian varieties up to isomorphism. Moreover, results by Howe give us a way to compute principal polarisations of the abelian varieties in the ordinary case. In a joint work with Bergström and Karemaker we extend these results to the prime field case. • Le 21 novembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Lorenzo Furio University of Pisa Galois representations attached to elliptic curves and Serre's uniformity question The study of Galois representations attached to elliptic curves is a very fruitful branch of number theory, which led to the solution of very tough problems, such as Fermat's Last Theorem. Given a rational elliptic curve E, the representation \rho_{E,p} is described by the action of the absolute Galois group of \mathbb{Q} on the p-torsion points of E. In 1972 Serre proved that for every rational elliptic curve E without CM there is a constant N_E such that, for every prime p>N_E, the Galois representation \rho_{E,p} is surjective. In the same article, he asked whether the constant N_E is independent of the curve, and this became known as Serre's Uniformity Question. In this talk, I will discuss the current progress towards the answer to this question, in particular the Runge method for modular curves, developed by Bilu and Parent, and the recent improvements obtained via this method by Le Fourn--Lemos and Lombardo and the speaker. • Le 28 novembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Monika Trimoska Eindhoven University of Technology Disorientation faults in CSIDH In this work, we investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps, resulting in an incorrect output curve. The placement of the disorientation fault during the algorithm influences the distribution of the output curve in a key-dependent manner. We explain how an attacker can post-process a set of faulty outputs to fully recover the private key. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time implementation. Finally, we present a set of lightweight countermeasures against the attack and discuss their security. This presentation will focus on analysing the graph of faulty curves formed in the post-processing stage and getting an intuition on how it can be used to infer constraints on the secret key. This is joint work with Gustavo Banegas, Juliane Krämer, Tanja Lange, Michael Meyer, Lorenz Panny, Krijn Reijnders and Jana Sotáková. • Le 5 décembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Yining HU Harbin Institut of Technology\, China Automatic algebraic continued fractions in characteristic 2 In this talk I will first introduce automatic sequences and their link with algebraicity. Then I will present two families of automatic algebraic continued fractions in characteristic 2. • Le 12 décembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Nicolas Sarkis IMB Computing 2-isogenies between Kummer lines One of the best arithmetics on elliptic curves involves Montgomery xz-coordinates, which are used in several cryptographic protocols such as ECDSA or ECDH. These coordinates also offer fast computations of 2- and 4-isogenies, used in several protocols like it was the case with SIDH, both for doubling and images of points, so improving isogeny formulas also improves scalar products on an elliptic curve. We realized there was a more general theory of Kummer lines under which xz-coordinates fall. In this talk, we will describe the general framework of Kummer lines, based on two families of examples: Montgomery xz-coordinates and theta models. We will then explain how to find 2-isogeny formulas, whether they were already known or new, and how we mixed them to improve elliptic curve arithmetic. • Le 19 décembre 2023 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Marc Houben Leiden University Netherlands Pairings, class groups, and how (not) to break isogeny-based cryptography Maps between elliptic curves, also called isogenies, are fixed once the image on sufficiently many points is known. Last year, a method was discovered that computationally recovers isogenies just by knowing information about their image points, leading to the break of the key-exchange scheme SIDH. Isogeny-based key-exchange proposals relying on class group actions, such as CSIDH, remain unaffected, because such image information is not directly available. Using the theory of pairings on elliptic curves, we show that sometimes one may recover such information anyway, and classify when this approach results in a key-recovery attack. • Le 16 janvier 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Jean-Marc Couveignes IMB Effective aspects of Riemann-Roch spaces in the Hilbert class field Let$K$be a finite field,$X$and$Y$two curves over$K$, and$Y\rightarrow X$an unramified abelian cover with Galois group$G$. Let$D$be a divisor on$X$and$E$its pullback on$Y$. Under mild conditions the linear space associated with$E$is a free$K[G]$-module. We study the algorithmic aspects and applications of these modules. • Le 23 janvier 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Vincent Neiger Sorbonne Université Faster modular composition of polynomials This talk is about algorithms for modular composition of univariate polynomials, and for computing minimal polynomials. For two univariate polynomials a and g over a commutative field, modular composition asks to compute h(a) mod g for some given h, while the minimal polynomial problem is to compute h of minimal degree such that h(a) = 0 mod g. We propose algorithms whose complexity bound improves upon previous algorithms and in particular upon Brent and Kung's approach (1978); the new complexity bound is subquadratic in the degree of g and a even when using cubic-time matrix multiplication. Our improvement comes from the fast computation of specific bases of bivariate ideals, and from efficient operations with these bases thanks to fast univariate polynomial matrix algorithms. We will also report on experimental results using the Polynomial Matrix Library. Contains joint work with Seung Gyu Hyun, Bruno Salvy, Eric Schost, Gilles Villard. • Le 30 janvier 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Thomas Decru Brussels\, Belgium Algorithmic aspects of isogeny-based cryptography One of the main struggles of isogeny-based cryptographic protocols is that they are still relatively slow compared to other post-quantum candidate schemes. In this talk we will provide some info on why this is, and elaborate on some of the recent results and ongoing work in this direction. • Le 6 février 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Christophe Levrat Télécom Paris l-adic point counting on surfaces: nearly almost halfway there? While point counting algorithms on algebraic curves over finite fields have been around for decades and seen considerable progress in the meantime, the question of counting points on algebraic surfaces without additional structure seems much more challenging. In this talk, we will present results concerning the classical l-adic method for surfaces fibered over the projective line, which was conjectured by Edixhoven and Couveignes to admit a polynomial-time complexity. This method boils down to computing the étale cohomology of a constructible sheaf: we will describe how to compute this cohomology once such a sheaf has been given, and outline a possible strategy that might allow to compute a usable description of this particular sheaf. • Le 13 février 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres zoom 87807228123 Semyon Novoselov University of Kaliningrad Approx-SVP in multiquadratic ideal lattices Multiquadratic fields are exceptional objects in computational number theory. Many hard computational problems are significantly simpler there. This includes unit/class group and discrete logarithm computations, as well as computing short generators of principal ideals. However, there are still many open questions in the area. In this talk, I describe recent progress towards the next milestone -- the approximate shortest vector problem in non-principal ideal lattices. In particular, I present an algorithm for a central subroutine -- the discrete logarithm computation based on reduction of the problem to subfields • Le 20 février 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Florette Martinez Lip6 Discussion autour du Générateur Sac à dos Le Générateur Sac à dos, proposé en 1985 par Rueppel et Massey est un générateur pseudo aléatoire (PRNG) qui combine un premier PRNG faible, le LFSR, et un problème dur ,le problème de la somme de sous-ensemble, dérivé du problème de sac à dos. Ce générateur a été attaqué avec succès par Knellwolf et Meyer en 2011. Je discuterais ici d'une variante plus efficace de ctette attaque et des différentes attaques que j'ai pu proposer avec Damien Vergnaud et Charles contre des variantes de ce générateur. • Le 27 février 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Pierre Briaud Inria Paris Variants of the Decoding Problem and algebraic cryptanalysis The intractability of decoding generic linear codes is at the core of an important branch of post-quantum cryptography. In this context, the code is random by design or it is assumed to be so in the security reduction. This talk will focus on versions of the Decoding Problem where the error vector is structured, in general to achieve better performance. While combinatorial techniques such as Information Set Decoding are often the method of choice to attack these versions, I will describe the potential of algebraic algorithms. I will mostly consider the Regular Syndrome Decoding Problem and a paper presented at Eurocrypt 2023. I will also mention ongoing work on an assumption used in the CROSS submission to new call for signature schemes launched by NIST. • Le 5 mars 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Yuri Bilu IMB Skolem meets Schanuel A linear recurrence of order~$r$over a number field~$K$is a map${U:\mathbb{Z}\to K}$satisfying a relation of the form $$U(n+r)=a_{r-1}U(n1)+ \cdots+ a_0U(n) \qquad (n\in \mathbb{Z}),$$ where${a_0, \ldots, a_{r-1}\in K}$and${a_0e 0}$. A linear recurrence is called simple if the characteristic polynomial${X^r-a_{r-1}X^{r-1}-\ldots- a_0}$has only simple roots, and non-degenerate if${\lambda/\lambda'}$is not a root of unity for any two distinct roots$\lambda, \lambda'$of the characteristic polynomial. The classical Theorem of Skolem-Mahler-Lech asserts that a non-degenerate linear recurrence may have at most finitely many zeros. However, all known proofs of this theorem are non-effective and do not produce any tool to determine the zeros. In this talk I will describe a simple algorithm that, when terminates, produces the rigorously certified list of zeros of a given simple linear recurrence. This algorithm always terminates subject to two celebrated conjectures: the$p$-adic Schanuel Conjecture, and the Exponential Local-Global Principle. We do not give any running time bound (even conditional to some conjectures), but the algorithm performs well in practice, and was implemented in the \textit{Skolem tool} $$\text{https://skolem.mpi-sws.org/}$$ that I will demonstrate. This is a joint work with Florian Luca, Joris Nieuwveld, Joël Ouaknine, David Purser and James Worrell. • Le 12 mars 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Olivier Ruatta Université de Limoges Polynômes linéarisés et cryptographie en métrique rang • Le 19 mars 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Rocco Mora CISPA TBA • Le 26 mars 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Bastien Pacifico LIRMM TBA • Le 7 mai 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Félix Huber Labri TBA • Le 14 mai 2024 à 11:00 • Séminaire de Théorie Algorithmique des Nombres salle 2 Oana Padurariu Max-Planck-Institut für Mathematik Bonn Bielliptic Shimura curves$X_0^D(N)\$ with nontrivial level
In this talk, I explain how we work towards completely classifying all bielliptic Shimura curves X_0^D(N) with nontrivial level N, extending a result of Rotger that provided such a classification for level one. This allows us to determine the list of all pairs (D,N) for which X_0^D(N) has infinitely many degree 2 points, up to 3 explicit possible exceptions. This is joint work with Frederick Saia.
• Le 28 mai 2024 à 11:00
• Séminaire de Théorie Algorithmique des Nombres
salle 2
Jérémie Berthomieu Sorbonne Université
TBA

• Le 11 juin 2024 à 11:00
• Séminaire de Théorie Algorithmique des Nombres
salle 2
Valentijn Karemaker Utrecht University\, The Netherlands
TBA

• Le 25 juin 2024 à 11:00
• Séminaire de Théorie Algorithmique des Nombres
salle 2
Maria Corte-Real Santos University College London
TBA

Afficher 2022 - 2021 - 2020 - 2019 - 2018 - 2017 - 2016 - 2015 - antérieurs