2025Activity‌​‌ reportTeamGRACE

7.1.1 snark-2-chains​​

• Name:
  Families of SNARK-friendly​​​‌ 2-chains of elliptic curves​
• Keywords:
  Cryptography, Cryptocurrency, Blockchain​‌
• Functional Description:
  This library​​ implements finite field and​​​‌ elliptic curve arithmetic for​ BN curves (Barreto-Naehrig), BLS​‌ (Barreto-Lynn-Scott), KSS (Kachisa-Schaefer-Scott), and​​ 2-chains made of BW6​​​‌ (Brezing-Weng curves of embedding​ degree 6), CP8, CP12​‌ (Cocks-Pinch curves of embedding​​ degree 8 and 12)​​​‌ for use with zk-snarks​ (zero-knowledge succinct non-interactive argument​‌ of knowledge). The cryptographic​​ applications are: pairing, scalar​​​‌ multiplication on the curves,​ hashing on the curves.​‌ The code is a​​ proof of concept tied​​​‌ to two papers and​ is not optimized.
• URL:​‌
  https://­gitlab.­inria.­fr/­zk-curves/­snark-2-chains
• Publications:
  hal-03667798,​​ hal-03371573
• Contact:
  Aurore Guillevic​​​‌

7.1.2 WaveSign

• Name:
  Wave​ Signatures: Reference Implementation
• Functional​‌ Description:
  This software provides​​ a complete and functional​​​‌ reference implementation in C99​ for Wave, a post-quantum​‌ digital signature scheme based​​ on hard problems in​​​‌ coding theory. Key generation,​ signing, and verification functions​‌ are provided, compliant with​​ the API specified by​​​‌ NIST for their post-quantum​ signature on-ramp call. The​‌ emphasis is on portability,​​ rather than targeted optimizations.​​​‌
• URL:
  https://­wave-sign.­org
• Contact:
  Nicolas​ Sendrier

8.1.1 Decoding​​​‌ of rank metric Reed–Muller​ codes

Participants: Alain Couvreur​‌, Rakhi Pratihar.​​

The notion of $\mathrm{\Theta ‌}$-polynomials over a finite​ abelian extension $𝕃$ of​‌ an arbitrary field $\mathrm{𝕂}$, where $\Theta =‌({\theta }_1,...,{\theta }_{\mathrm{m‌}})$ is a system​​ of generators for $\mathrm{G‌}:=\mathrm{Gal}(𝕃/𝕂)‌=\mathbb{Z}/{\mathrm{n}}_1\mathbb{Z}\times \cdots ‌\times \mathbb{Z}/{\mathrm{n}}_m\mathbb{Z}$, is​‌ a generalization of the​​ $q$-polynomials over finite​​​‌ fields introduced by Ore​ in 1933. A $\mathrm{\Theta ‌}$-monomial ${\theta }_1^{{\mathrm{i}}_1}\cdots {\theta }_{\mathrm{m‌}}^{i_m}$ describes the​ $m$-tuple $({\mathrm{i‌}}_1,...,i_m)\in ‌\mathbb{Z}/n_{\mathrm{1}}\mathbb{Z}\times \cdots \times ‌\mathbb{Z}/n_{\mathrm{m}}\mathbb{Z}$ and every element​​​‌ in the skew group​ algebra $𝕃\left[\mathrm{G‌}\right]$ have a unique​​ representation as a $\mathrm{\Theta ‌}$-polynomial

where ${deg}_{\mathrm{\Theta }}\left(P\right)\stackrel{\text{def}}{=‌}max\{{\mathrm{i}}_1+\cdots +‌i_m:{\mathrm{b}}_{(i_1,‌...,i_{\mathrm{m}})}\ne 0\}$. Keeping the analogy​​​‌ with classical Reed–Muller codes‌ defined as evaluation of‌​‌ multivariate polynomials of bounded​​ degree, Augot, Couvreur, Lauvazelle,​​​‌ and Neri 38 introduced‌ in 2021 the $\mathrm{\Theta ‌‌}$-Reed–Muller codes in the​​ rank metric as the​​​‌ $𝕃$-subspaces of $\mathrm{𝕃‌}\left[\mathrm{G}\right]$ as‌​‌ follows:

For $0<r\le {\sum }_{\mathrm{i‌}=1}^m(‌n_i-\mathrm{1‌‌})$, the $\mathrm{\Theta }$-Reed-Muller code of order​​​‌ $r$ and type $\mathrm{n‌}\stackrel{\text{def}}{=}({\mathrm{n‌‌}}_1,...,n_m)$ is​​​‌ defined as

In a joint work​​​‌ 13, Alain Couvreur‌ and Rakhi Pratihar address‌​‌ the following decoding problem​​ for $R{M}_{\mathrm{\Theta ‌}}(r,\mathrm{n‌})$:

Problem: Given‌​‌ $Y\in 𝕃[\mathrm{G}]$ such that​​​‌ $Y=C+‌E$ for some $\mathrm{C‌‌}\in {\mathrm{RM}}_{\theta }(r,𝐧)‌$ and $E\in \mathrm{𝕃‌}\left[\mathrm{G}\right]$ with‌​‌ $\mathrm{Rk}(E)=t=\lfloor ‌\frac{d-1}{\mathrm{2‌}}\rfloor$, where $\mathrm{d‌‌}$ is the minimum distance​​ of ${\mathrm{RM}}_{\theta }(‌r,𝐧)‌$, recover the pair‌​‌ $(C,\mathrm{E})$.

The authors​​​‌ give a method for‌ reconstructing the error $\mathrm{\Theta ‌‌}$-polynomial by recovering its​​ unknown coefficients by minor​​​‌ cancellations of the associated‌ $\mathrm{G}$-Dickson matrix, which‌​‌ leads to the following.​​

Theorem. Let $C$ be​​​‌ an element of ${\mathrm{RM‌}}_{\Theta }(r,‌‌𝐧)$ and $\mathrm{k}$ and $d$ denote the​​​‌ $𝕃$–dimension and the‌ minimum distance of ${\mathrm{RM‌‌}}_{\Theta }(r,𝐧)$, respectively.​​​‌ Let $Y=\mathrm{C‌}+E$ be the‌​‌ received polynomial for some​​ $E\in 𝕃[‌\mathrm{G}]$ with $\mathrm{Rk‌}\left(E\right)\le ‌‌\lfloor \frac{d-\mathrm{1}}{2}\rfloor$, then​​​‌ $C$ can be recovered‌ uniquely in $\stackrel{˜‌‌}{𝒪}{\left(\right|\mathrm{G}|}^4)$ operations in​​​‌ $𝕂$.

More recently,‌ in 19, they‌​‌ proposed an alternative decoding​​ algorithm in the specific​​​‌ case $\mathrm{G}={(‌\mathbb{Z}/2\mathrm{\mathbb{Z}‌‌})}^N$. This​​ new algorithm takes advantage​​​‌ of a recursive structure‌ of these codes which‌​‌ can be regarded as​​ a rank metric analogue​​​‌ of the famous Plotkin‌ $\left(u\right|\mathrm{u‌‌}+v)$ construction.​​ This new algorithm permits​​​‌ to achieve a better‌ complexity of $\stackrel{˜‌‌}{𝒪}(t^{\omega -1}{|\mathrm{G}|‌}^2)$, where‌ $t=\lfloor \frac{\mathrm{d‌‌}-1}{2}\rfloor $ and $\omega$ is the​​​‌ complexity exponent of matrix‌ multiplication.

8.1.2 Decoding Algorithms‌​‌ for Tensor Codes

Participants:​​ Alain Couvreur.

Tensor​​​‌ codes are a generalisation‌ of matrix codes. Such‌​‌ codes are defined as​​ subspaces of order-$\mathrm{r‌}$ tensors for which the‌ ambient space is endowed‌​‌ with the tensor-rank as​​ a metric. A class​​​‌ of these codes was‌ introduced by Roth who‌​‌ outlined a decoding algorithm​​​‌ for low tensor-rank errors​ for particular cases. They​‌ may be viewed as​​ a generalisation of the​​​‌ well-known Delsarte-Gabidulin-Roth maximum rank​ distance codes. In collaboration​‌ with Eimear Byrne and​​ Lucien François from University​​​‌ College Dublin, Alain Couvreur​ studied a generalised class​‌ of these codes. They​​ investigated the properties of​​​‌ these codes and outlined​ decoding techniques for different​‌ metrics that leverage their​​ tensor structure. They first​​​‌ considered a fibre-wise decoding​ approach, as each fibre​‌ of a codeword corresponds​​ to a Gabidulin codeword.​​​‌ They then gave a​ generalisation of Loidreau's decoding​‌ method that corrects errors​​ with properties constrained by​​​‌ the dimensions of the​ slice spaces and fibre​‌ spaces. The considered metrics​​ are upper bounded by​​​‌ the tensor-rank metric, and​ therefore these algorithms also​‌ decode tensor-rank weight errors.​​

8.2.1​​​‌ A Minrank-based Encryption Scheme​ à la Alekhnovich-Regev

Participants:​‌ Thomas Debris–Alazard.

In​​ a collaboration with researchers​​​‌ from Unversity of Limoges,​ Thomas Debris–Alazard designed the​‌ first Alekhnovich-Regev like encryption​​ scheme 33 with rank​​​‌ metric codes which are​ not ${𝔽}_{q^{\mathrm{m‌}}}$–linear.

The security of​​ this scheme is only​​​‌ based on the hardness​ of a slight variation​‌ of MinRank, the so-called​​ stationary-MinRank problem. This strong​​​‌ security guarantee has been​ reached by showing that​‌ stationary- MinRank benefits from​​ a search-to-decision reduction. The​​​‌ proposed scheme therefore brings​ a partial answer to​‌ the long-standing open question​​ of building an encryption​​​‌ scheme whose security relies​ solely on the hardness​‌ of MinRank. Furthermore, the​​ scheme is shown to​​​‌ be practical and competitive​ with other encryption schemes​‌ admitting the same kind​​ of security guarantees. The​​​‌ scheme is slightly less​ efficient than FrodoKEM, but​‌ much more efficient than​​ Alekhnovich and Regev’ original​​​‌ schemes, with possibilities of​ improvements by considering more​‌ structure, in the same​​ way as HQC and​​​‌ Kyber.

8.2.2 Miranda, a​ new post–quantum digital signature​‌

Participants: Alain Couvreur,​​ Thomas Debris–Alazard.

In​​​‌ a collaboration with researchers​ from Unversity of Limoges,​‌ Alain Couvreur and Thomas​​ Debris–Alazard designed Miranda 32​​​‌, the first family​ of full-domain-hash signatures based​‌ on matrix codes.

This​​ signature scheme fulfils the​​​‌ paradigm of Gentry, Peikert​ and Vaikuntanathan (GPV), which​‌ gives strong security guarantees.​​ The trapdoor is very​​​‌ simple and generic: if​ we propose it with​‌ matrix codes, it can​​ actually be instantiated in​​​‌ many other ways since​ it only involves a​‌ subcode of a decodable​​ code (or lattice) in​​​‌ a unique decoding regime​ of parameters. It is​‌ instantiated Miranda with the​​ famous family of Gabidulin​​​‌ codes represented as spaces​ of matrices and its​‌ security (in the EUF-CMA​​ security model) has been​​​‌ thoroughly studied.

What makes​ this signature particularly competitive​‌ is the very short​​ size of the signatures:​​​‌ for 128 bits of​ classical security, the signature​‌ sizes are as low​​ as 90 bytes for​​​‌ public key sizes are​ in the order of​‌ 2.6 megabytes.

8.2.3 Cryptanalysis​​ of Twisted Generalised Reed–Solomon​​​‌ codes

Participants: Alain Couvreur​, Rakhi Pratihar,​‌ Nihan Tanısalı.

Twisted​​ generalized Reed-Solomon (TGRS) codes​​ constitute an interesting family​​​‌ of evaluation codes, containing‌ a large class of‌​‌ maximum distance separable codes​​ non-equivalent to generalized Reed-​​​‌ Solomon (GRS) ones. Moreover,‌ the Schur squares of‌​‌ TGRS codes may be​​ much larger than those​​​‌ of GRS codes with‌ same dimension. Exploiting these‌​‌ structural differences, in 2018,​​ Beelen, Bossert, Puchinger and​​​‌ Rosenkilde 39 proposed a‌ subfamily of Maximum Distance‌​‌ Separable (MDS) Twisted Reed–Solomon​​ (TRS) codes over ${\mathrm{𝔽‌}}_q$ with $\ell$ twists‌ $q\approx n^{{\mathrm{2‌‌}}^{\ell }}$ for McEliece encryption,​​ claiming their resistance to​​​‌ both Sidelnikov Shestakov attack‌ 47 and Schur products–based‌​‌ attacks. In short, they​​ claimed these codes to​​​‌ resist to classical key‌ recovery attacks on McEliece‌​‌ encryption scheme instantiated with​​ Reed-Solomon (RS) or GRS​​​‌ codes. In 2020, Lavauzelle‌ and Renner 42 presented‌​‌ an original attack on​​ this system based on​​​‌ the computation of the‌ subfield subcode of the‌​‌ public TRS code. In​​ a collaboration with Ilaria​​​‌ Zappatore (University of Limoges),‌ Alain Couvreur , Rakhi‌​‌ Pratihar and Nihan Tanısalı​​ showed that the original​​​‌ claim on the resistance‌ of TRS and TGRS‌​‌ codes to Schur products​​ based–attacks was wrong. They​​​‌ identified a broad class‌ of codes including TRS‌​‌ and TGRS ones that​​ is distinguishable from random​​​‌ by computing the Schur‌ square of some shortening‌​‌ of the code. Then,​​ in the case of​​​‌ single twist (i.e.‌, $\ell =\mathrm{1‌‌}$), which is the​​ most efficient one in​​​‌ terms of decryption complexity,‌ they derived an attack.‌​‌ The technique is similar​​ to the distinguisher-based attacks​​​‌ of RS code-based systems‌ given by Couvreur, Gaborit,‌​‌ Gauthier-Umaña, Otmani, Tillich in​​ 2014 41.

8.2.4​​​‌ Highway to Hull: An‌ Algorithm for Solving the‌​‌ General Matrix Code Equivalence​​ Problem

Participants: Alain Couvreur​​​‌, Christophe Levrat.‌

The matrix code equivalence‌​‌ problem consists, given two​​ matrix spaces $𝒞,‌𝒟\subset {𝔽}_{\mathrm{q‌}}^{m\times n}$,‌​‌ of dimension $k$ ,​​ in finding invertible matrices​​​‌ $P\in {\text{GL}}_{\mathrm{m‌}}({𝔽}_q)‌‌$ and $Q\in {\text{GL}}_n\left({𝔽}_{\mathrm{q‌}}\right)$ such that $\mathrm{𝒟‌}=P𝒞{\mathrm{Q‌‌}}^{-1}$. Recent​​ signature schemes such as​​​‌ MEDS 40 and ALTEQ‌ 37 relate their security‌​‌ to the hardness of​​ this problem. Recent works​​​‌ by Narayanan, Qiao and‌ Tang 45 on the‌​‌ one hand and by​​ Ran and Samardjiska 46​​​‌ on the other hand‌ tackle this problem. The‌​‌ former is restricted to​​ the “cubic” case $\mathrm{k‌}=m=\mathrm{n‌}$ and succeeds in $\widetilde{\mathrm{𝒪‌‌}}\left(q^{\mathrm{k}/2}\right)$ operations.​​​‌ The latter is an‌ algebraic attack on the‌​‌ general problem whose complexity​​ is not fully understood​​​‌ and which succeeds only‌ on $𝒪(\mathrm{1‌‌}/q)$ instances.​​ In 18, Alain​​​‌ Couvreur and Christophe Levrat‌ present a novel algorithm‌​‌ which solves the problem​​ in the general case.​​​‌ Their approach consists in‌ reducing the problem to‌​‌ the matrix code conjugacy​​ problem, i.e. the case​​​‌ $P=Q$.‌ For the latter problem,‌​‌ similarly to the permutation​​​‌ code equivalence problem in​ Hamming metric, a natural​‌ invariant based on the​​ Hull of the code​​​‌ can be used. Next,​ the equivalence of codes​‌ can be deduced using​​ a usual list collision​​​‌ argument. For $k=m=n$,​‌ their algorithm achieves the​​ same time complexity as​​​‌ Narayanan et al. but​ with a lower space​‌ complexity. Moreover, their algorithm​​ extends to a much​​​‌ broader range of parameters.​

8.2.5 Compressed verification for​‌ post-quantum signatures

Participants: Gustavo​​ Souza–Banegas, Anaëlle Le​​​‌ Dévéhat, Benjamin Smith​.

Many signature applications-such​‌ as root certificates, secure​​ software updates, and authentication​​​‌ protocols-involve long-lived public keys​ that are transferred or​‌ installed once and then​​ used for many verifications.​​​‌ This key longevity makes​ post-quantum signature schemes with​‌ conservative assumptions (e.g., structure-free​​ lattices) attractive for long-term​​​‌ security. But many such​ schemes, especially those with​‌ short signatures, suffer from​​ extremely large public keys.​​​‌ Even in scenarios where​ bandwidth is not a​‌ major concern, large keys​​ increase storage costs and​​​‌ slow down verification. We​ address this problem in​‌ 17 with a method​​ to replace large public​​​‌ keys in GPV-style signatures​ with smaller, private verification​‌ keys. This significantly reduces​​ verifier storage and runtime​​​‌ while preserving security. Applied​ to the conservative, short-signature​‌ schemes Wave and Squirrels,​​ our method compresses Squirrels-I​​​‌ keys from 665 kB​ to 20.7 kB and​‌ Wave822 keys from 3.5​​ MB to 207.97 kB.​​​‌

8.2.6 Hardware acceleration for​ HQC with the Frobenius​‌ Additive FFT on a​​ RISC-V-based System-on-Chip

Participants: Antonio​​​‌ Ras, Guenaël Renault​, Benjamin Smith.​‌

HQC is a quantum-resistant​​ cryptographic key encapsulation mechanism,​​​‌ recently selected by NIST​ as a future standard.​‌ Polynomial multiplication is one​​ of the most critical​​​‌ operations in HQC. Due​ to side-channel security concerns,​‌ the previously-used sparse-dense method​​ was recently replaced by​​​‌ classical dense-dense multiplication implemented​ using Karatsuba’s algorithm. This​‌ change has made polynomial​​ multiplication the primary performance​​​‌ bottleneck, accounting for approximately​ 95% of the total​‌ execution time. In 24​​, we present an​​​‌ alternative polynomial multiplication technique​ for HQC: the Frobenius​‌ Additive Fast Fourier Transform​​ (FAFFT), which provides significant​​​‌ algorithmic-level performance improvements. We​ also present ANDROMEDA, the​‌ first state-ofthe-art hardware implementation​​ of FAFFT, and evaluate​​​‌ its performance impact by​ integrating our solution in​‌ a resourceconstrained RISC-V-based System-on-Chip​​ scenario. Experimental results show​​​‌ that our solution improves​ HQC performance by approximately​‌ 9.64× and 19.22× across​​ its security levels, making​​​‌ HQC more practical for​ real-world deployment.

8.2.7 Hardened​‌ CTIDH: Dummy-Free and Deterministic​​ CTIDH

Participants: Gustavo Souza–Banegas​​​‌.

CSIDH-like key exchange​ protocols offer strong post-quantum​‌ security based on conservative​​ assumptions, but efficient and​​​‌ secure implementations remain challenging​ due to timing and​‌ fault attacks. Constant-time variants​​ such as CTIDH and​​​‌ its deterministic successor dCTIDH​ mitigate timing leakage through​‌ batching and structured evaluation,​​ but still rely on​​​‌ dummy operations in differential​ addition chains and Matryoshka​‌ isogenies, which create exploitable​​ targets for fault injection.​​​‌ In 29, we​ present the first fully​‌ dummy-free implementation of dCTIDH-2048.​​ Our approach combines DACsHUND,​​ which enforces equal-length differential​​​‌ addition chains within each‌ batch without padding, with‌​‌ a reformulated dummy-free Matryoshka​​ structure that removes redundant​​​‌ multiplications while validating all‌ intermediate points. We show‌​‌ that very small primes​​ are incompatible with these​​​‌ constraints and propose new‌ parameter sets excluding them.‌​‌ The resulting implementations achieve​​ group-action costs of about​​​‌ 357k-362k ${𝔽}_p$ multiplications,‌ remaining close to dCTIDH-2048‌​‌ performance, outperforming CTIDH by​​ roughly 4-5%, and yielding​​​‌ the first CSIDH-like protocol‌ that is simultaneously deterministic,‌​‌ constant-time, and fully dummy-free.​​

8.3.1 Verifiable computation‌​‌ based on codes on​​ graphs

Participants: Daniel Augot​​​‌, Hugo Delavenne,‌ Tanguy Medevielle, Louise‌​‌ Lallemand.

In the​​ coding theoretic setting, SNARKS​​​‌ proof systems have been‌ made known, in particular‌​‌ in the blockchain area,​​ under the name of​​​‌ (ZK-)STARKS, Scalable Transparent Arguments‌ of Knowledge, introduced‌​‌ in 2018. These short​​ non interactive proofs are​​​‌ derived for protocols which‌ are called IOPs Interactive‌​‌ Oracle Proofs, which​​ are combination of IPs​​​‌ Interactive Proofs and PCPs‌ Probabilistically Checkable Proofs,‌​‌ for combining the best​​ of both worlds, and​​​‌ making PCPs pratical.

At‌ the core of these‌​‌ protocols lies the following​​ coding problem: how to​​​‌ decide, with high confidence,‌ that a very long‌​‌ ambient word is close​​ to a given code,​​​‌ while looking at very‌ few coordinates of it.‌​‌ The prominent method for​​​‌ doing this is the​ FRI protocol.

The standard​‌ FRI protocol deals with​​ Reed-Solomon codes defined over​​​‌ a field with contains​ roots of unity of​‌ large order divisible by​​ 2. This restricts a​​​‌ lot the domain of​ application to those where​‌ the designer can freely​​ choose the underlying field.​​​‌ However in many situations,​ the field is already​‌ a given, with very​​ few roots of unity,​​​‌ and the FRI protocol​ does not apply.

It​‌ is thus a important​​ topic in this domain​​​‌ to design promixity testing​ protocols which are field​‌ agnostic. For this, other​​ codes than the Reed-Solomon​​​‌ have to be investigated.​

An Interactive Oracle Proof​‌ of Proximity (IOPP) has​​ been designed for codes​​​‌ on graphs. The complexity​ parameters are comparable and​‌ there are no restrictions​​ on the field used.​​​‌

8.3.2 Asynchronous verifiable secret​ sharing with proof of​‌ promixity

Participants: Daniel Augot​​, Lola-Baie Mallordy,​​​‌ Olivier Blazy, Hugo​ Delavenne.

A secret​‌ sharing scheme allows a​​ dealer to distribute to​​​‌ other players shares of​ a secret. Then a​‌ large anough portion of​​ the players which mutualize​​​‌ their shares can recontruct​ the secret, whilex small​‌ sets of players have​​ no information about the​​​‌ secret.

A variant and​ more difficult of this​‌ protocol is the case​​ when some participants are​​​‌ adversarial. They may participate​ to the mutualization by​‌ giving wrong shares. It​​ is then well established​​​‌ that no more and​ one third of adversarial​‌ participants can be tolerated.​​

The case of a​​​‌ malicious dealer colluding with​ adversaries is also considered,​‌ and an solution can​​ also be established.

Going​​​‌ down to the network​ level, we can then​‌ consider an asynchronous setting,​​ where messages are not​​​‌ guaranteed to be delivered​ after a fixed period​‌ of time. In this​​ setting, the participants can​​​‌ be more active in​ the protocol, by gossiping​‌ information about their shares​​ which enable the particants​​​‌ to recover their share​ when they not receive​‌ their share in the​​ dealing phase.

We proposed​​​‌ a protocol using proximity​ testing to product of​‌ Reed-Solomon codes which can​​ cover this situation and​​​‌ which improves over the​ current solutions.

8.4.1 Modular​​ polynomials

Participants: François Morain​​​‌.

Basic isogeny computations​ require the use of​‌ modular polynomials in two​​ ways. The roots of​​​‌ a modular polynomial first​ indicate the existence of​‌ curves isogenous to the​​ curve of interest. Second,​​​‌ these isogenous curves are​ computed using explicit formulas​‌ involving derivatives of the​​ modular polynomial, as first​​​‌ described by Atkin for​ two families of modular​‌ polynomials. The height of​​ the polynomial is critical,​​​‌ since it is the​ dominant parameter in the​‌ complexity analysis of the​​ various methods used to​​​‌ compute them. In our​ investigations, we resumed some​‌ old work of Fricke,​​ see the two preprints​​​‌ 43 and 44.​ In particular, new formulas​‌ for the final isogeny​​ computation were worked out.​​​‌

8.4.2 Factoring over number​ fields

Participants: François Morain​‌.

This is an​​ exploratory topic aiming at​​ transposing classical integer factoring​​​‌ algorithms into the realm‌ of Euclidean number fields.‌​‌ The traditional strategy to​​ factor an integer of​​​‌ a number field is‌ to factor its norm‌​‌ over $\mathbb{Z}$ and then​​ finding the ideals dividing​​​‌ the original integer. Here,‌ we give some hints‌​‌ on factoring the number​​ without going to $\mathrm{\mathbb{Z}‌}$. This approach was‌ suggested following the solving‌​‌ of an ANSSI CTF.​​

8.4.3 Euclidean division algorithms​​​‌ over number fields

Participants:‌ François Morain.

Related‌​‌ to the preceding is​​ the quest for efficient​​​‌ Euclidean division algorithms in‌ number fields that are‌​‌ Euclidean. The idea is​​ to provide algorithms that​​​‌ are able to compute‌ small remainders in order‌​‌ to speed up division​​ in these fields. Some​​​‌ of these fields are‌ used in cryptographic applications.‌​‌ Several preprints are being​​ written on this topic,​​​‌ and one ready to‌ be submitted.

8.4.4 Simpler‌​‌ and faster general pairings​​ on elliptic curves

Participants:​​​‌ Benjamin Smith.

Pairings—bilinear‌ maps on groups constructed‌​‌ from elliptic curves—are fundamental​​ tools in public-key cryptography​​​‌ and in algorithmic number‌ theory in general. In‌​‌ 15, we show​​ that the classic Montgomery​​​‌ ladder algorithm for scalar‌ multiplication computes pairings as‌​‌ a by-product, and explain​​ how a small adjustment​​​‌ to the ladder can‌ give simple and efficient‌​‌ algorithms for the Weil​​ and Tate pairing on​​​‌ elliptic curves using cubical‌ arithmetic. We demonstrate‌​‌ the efficiency of these​​ cubical pairings in several​​​‌ applications from isogeny-based cryptography.‌ Cubical pairings are simpler‌​‌ and more performant than​​ pairings computed using Miller's​​​‌ algorithm: we get a‌ speed-up of over 40%‌​‌ for use-cases in SQIsign,​​ and a speed-up of​​​‌ about 7% for use-cases‌ in CSIDH.

8.4.5 Isogeny‌​‌ formulæ in dimension 2​​

Participants: Benjamin Smith.​​​‌

While the basic arithmetic‌ of genus-2 Jacobians and‌​‌ Kummer surfaces has matured,​​ and cryptographic applications have​​​‌ driven great improvements in‌ the efficiency of the‌​‌ resulting formulæ and algorithms,​​ the corresponding explicit theory​​​‌ of isogenies lags behind.‌ Just as elliptic isogenies‌​‌ factor naturally into compositions​​ of scalar multiplications and​​​‌ isogenies with prime cyclic‌ kernel (i.e., isomorphic to‌​‌ $\mathbb{Z}/N\mathrm{\mathbb{Z}}$ with $N$ prime), isogenies​​​‌ of abelian surfaces (including‌ Jacobians of genus-2 curves)‌​‌ decompose into compositions of​​ scalar multiplications and $(‌N,N)‌$-isogenies (with kernel isomorphic‌​‌ to ${(\mathbb{Z}/N\mathbb{Z})}^{\mathrm{2‌}}$. The fundamental task,‌ then, is to compute‌​‌ and evaluate prime $(N,N)‌$-isogenies. The problem is‌ especially relevant today given‌​‌ the role of genus-2​​ isogenies in isogeny-based cryptography,​​​‌ where they have been‌ the basis of both‌​‌ devastating attacks and radical​​ optimizations since 2022. The​​​‌ case $N=\mathrm{2‌}$ is classical: explicit methods‌​‌ and formulæ go back​​ to the 19th century,​​​‌ but the case of‌ prime $N>\mathrm{2‌‌}$ has proven more complicated.​​

In 12, we​​​‌ give a general method‌ for deriving explicit formulæ‌​‌ for isogenies of fast​​ Kummer surfaces—the most relevant​​​‌ surfaces for genus-2 isogeny-based‌ cryptography—exploiting their high symmetry‌​‌ to optimize the approach​​​‌ of Bruin, Flynn, and​ Testa. Our approach is​‌ elementary in the sense​​ that it avoids explicitly​​​‌ using the heavy machinery​ of theta functions (though​‌ of course theta functions​​ implicitly play a fundamental​​​‌ role behind the scenes).​ We apply these methods​‌ to give explicit examples​​ for $N=\mathrm{3‌}$ and 5.

10.1.1 Horizon​‌ Europe

10.2.1 ANR COLA​​​‌

Participants: Alain Couvreur,‌ Thomas Debris–Alazard, Johanna‌​‌ Loyer, Pierre Loisel​​.

ANR COLA (An​​​‌ interface between COde and‌ LAttice-based cryptography) is a‌​‌ project from (Appel​​ à projets générique, Défi​​​‌ 9, Liberté et sécurité‌ de l’Europe, de ses‌​‌ citoyens et de ses​​ résidents, Axe 4 ;​​​‌ Cybersécurité). This project‌ (ANR JCJC), starting in‌​‌ october 2021 led by​​ Thomas Debris-Alazard focusses on​​​‌ bringing closer post-quantum solutions‌ based on codes and‌​‌ lattices to improve our​​ trust in cryptanalysis and​​​‌ to open new perspectives‌ in terms of design.‌​‌

10.2.2 ANR BARRACUDA

Participants:​​ Daniel Augot, Alain​​​‌ Couvreur, Françoise Levy-dit-Vehel‌.

BARRACUDA is a‌​‌ collaborative ANR project accepted​​ in 2021 and led​​​‌ by Alain Couvreur .‌

Website : barracuda.inria.fr

The‌​‌ project gathers specialists of​​ coding and cryptology on​​​‌ one hand and specialists‌ of number theory and‌​‌ algebraic geometry on the​​ other hand. The objectives​​​‌ concern problems arising from‌ modern cryptography which require‌​‌ the use of advanced​​ algebra based objects and​​​‌ techniques. It concerns for‌ instance mathematical problems with‌​‌ applications to distributed storage,​​ multi-party computation or zero​​​‌ knowledge proofs for protocols.‌

10.2.3 ANR SANGRIA

Participants:‌​‌ Olivier Blazy.

SANGRIA​​ is a collaborative ANR​​​‌ project accepted in 2021.‌

Website : lip6.fr/Damien.Vergnaud/projects/sangria/

The‌​‌ main scientific challenge of​​ the SANGRIA (Secure distributed​​​‌ computAtioN - cryptoGRaphy, combinatorIcs‌ and computer Algebra) project‌​‌ are (1) to construct​​ specific protocols that take​​​‌ into account practical constraints‌ and prove them secure,‌​‌ (2) to implement them​​ and to improve the​​​‌ efficiency of existing protocols‌ significantly. The SANGRIA project‌​‌ (for Secure distributed computAtioN:​​ cryptoGRaphy, combinatorIcs and computer​​​‌ Algebra) aims to undertake‌ research in these two‌​‌ aspects while combining research​​ from cryptography, combinatorics and​​​‌ computer algebra. It is‌ expected to impact central‌​‌ problems in secure distributed​​​‌ computation, while enriching the​ general landscape of cryptography.​‌

10.2.4 ANR Priva-SiQ

Participants:​​ Benjamin Smith, Olivier​​​‌ Blazy, Thomas Debris–Alazard​.

Priva-Siq is a​‌ collaborative ANR project accepted​​ in 2023.

Website :​​​‌ anr.fr/Projet-ANR-23-CE39-0008

The Priva SIQ​ projects aims to manage​‌ threats to user-privacy in​​ secure-channel establishment, at all​​​‌ levels. In this project,​ the goal is to​‌ specifically tackle the following​​ threats:

• Interception: Privacy with​​​‌ respect to person-in-the-middle adversaries​ (exterior to the communication​‌ and aiming to track,​​ deanonymize, or identify an​​​‌ endpoint of the channel);​
• Subversion: Providing privacy-enhancing countermeasures​‌ against mass-surveillance attacks;
• Quantum​​ adversaries: Designing protocols that​​​‌ preserve both user-privacy and​ security against powerful quantum​‌ adversaries.

10.2.5 ANR TRUST​​

Participants: Olivier Blazy.​​​‌

Trust is a collaborative​ ANR project accepted in​‌ 2023.

Website : anr.fr/Project-ANR-23-CE39-0009​​

TRUST focuses on personal​​​‌ data protection measures to​ meet the objectives of​‌ the RGPD but also​​ the texts in preparation​​​‌ such as the "Data​ Act" or the "Data​‌ Governance Act". This project​​ aims to study and​​​‌ develop new security solutions,​ based on advanced cryptography,​‌ for use cases involving​​ the reuse of personal​​​‌ data. These use cases​ will present various configurations​‌ in terms of actors,​​ type of data and​​​‌ processing, opening the way​ to different technical and​‌ legal issues. This is​​ done in order to​​​‌ anticipate legal evolutions and​ prepare technical architectures to​‌ allow the reuse of​​ personal data in compliance​​​‌ with the various legal​ frameworks.

10.2.6 PEPR sur​‌ les technologues quantiques -​​ Projet intégré "Un cadenas​​​‌ post-quantique pour les navigateurs​ web"

Participants: Alain Couvreur​‌, Thomas Debris–Alazard,​​ Anaëlle Le Dévéhat,​​​‌ Rakhi Pratihar, Antonio​ Ras, Benjamin Smith​‌.

This projet intégré​​ aims to develop post​​​‌ quantum cryptographic primitives in​ 5 years which would​‌ be implemented in an​​ open source web browser.​​​‌ The evolution of cryptographic​ standards has already begun.​‌ The choice of new​​ primitives will be made​​​‌ soon and the transition​ should be operated in​‌ a few years. The​​ objective of the project​​​‌ is to play a​ crucial role in this​‌ evolution so that french​​ researchers, which are already​​​‌ strongly implied in this​ process could influence the​‌ choice of cryptographic standards​​ in the next years.​​​‌

10.2.7 Inria AEx CACHAÇA​

Participants: Anaëlle Le Dévéhat​‌, Guenaël Renault,​​ Benjamin Smith, Bruno​​​‌ Sterner.

The Action​ Exploratoire CACHAÇA, led by​‌ Benjamin Smith and based​​ at Campus Cyber, started​​​‌ in 2022. CACHAÇA aims​ to bring high-assurance techniques​‌ from formal methods to​​ the initial design and​​​‌ implementation phase for new​ postquantum cryptosystems, to produce​‌ fast, safe, and portable​​ software implementations, especially for​​​‌ constrained environments such as​ IoT devices. Guenael Renault​‌ has associate researcher status,​​ and so CACHAÇA is​​​‌ an anchor-point for collaborations​ between GRACE and the​‌ Secure Components laboratory at​​ ANSSI. It will also​​​‌ englobe GRACE's contribution to​ planned industrial consortia (expected​‌ to begin in 2023).​​

10.2.8 HYPERFORM

Participants: Martin​​​‌ Azon, Olivier Blazy​, Thomas Debris–Alazard,​‌ Sam Frengley, Rubén​​ Muñoz--Bertrand, Guenaël Renault​​, Nicolas Sarkis,​​​‌ Benjamin Smith, Bruno‌ Sterner, Alessandro Sferlazza‌​‌, Mieke Wessel.​​

Benjamin Smith is coordinating​​​‌ Inria's involvement in the‌ Bpifrance-funded HYPERFORM industrial consortium‌​‌ (2023–2026), which aims to​​ develop a pre- and​​​‌ post-quantum hybrid cryptographic reference‌ platform.

10.2.9 Sagafryca

Participants:‌​‌ Alain Couvreur, Christophe​​ Levrat.

In the​​​‌ context of Accord Cadre‌ ANSSI Inria, Alain‌​‌ Couvreur and Hugues Randriam​​ (ANSSI) obtained a 2-years​​​‌ post doc funding on‌ security analysis of post-quantum‌​‌ primitives with respect to​​ algebraic attacks.

10.2.10 PIQ​​​‌ project “tout-ZK

Participants: Daniel‌ Augot.

Zero-Knowledge (ZK)‌​‌ is a groundbreaking technology​​ with exciting applications, such​​​‌ as authenticating data and‌ combating disinformation. There has‌​‌ been an explosion of​​ ZK software, accompanied by​​​‌ significant investments. However, the‌ corresponding software landscape is‌​‌ fragmented, with industry players​​ often overstating performance claims.​​​‌ TOUT-ZK will assess the‌ real-life performance of various‌​‌ ZK software, provide code​​ for interoperability (composition) of​​​‌ ZK software, and enhance‌ the RISC-V architecture for‌​‌ ZK proofs.

The 24​​ months TOUT-zk project consists​​​‌ in massive evaluation with‌ significant proofs of concept.‌​‌ An initial use case,​​ "authenticated images," will serve​​​‌ as a baseline, and‌ industrial use cases will‌​‌ be actively investigated, including​​ watermarks, software vulnerabilities, and​​​‌ video games, for which‌ Daniel Augot has contacts.‌​‌

TOUT-zk will provide solid,​​ neutral software for assessments​​​‌ of ZK software in‌ real-life applications. This will‌​‌ benefit academia by offering​​ an environment for experiments​​​‌ and comparison, and also‌ industry by providing high-quality‌​‌ benchmarks and interfaces.

10.3.1​​​‌ European Digital Identity Wallet‌

Participants: Olivier Blazy.‌​‌

Olivier Blazy is part​​ of the french interministerial​​​‌ delegation in charge of‌ defending France position on‌​‌ the future european digital​​ identity wallet. This work​​​‌ follows the collaboration with‌ CNIL (the french DPA)‌​‌ on age verification.

11.1.1 Scientific events:‌ organisation

11.1.2 Scientific​​ events: selection

11.1.3 Journal​​​‌

11.1.4 Invited talks​‌

• Daniel Augot was invited​​ at the Institut mathématique​​​‌ de Rennes colloquium to​ speak about both boring​‌ and fancy cryptography in​​ blockchains
• Alain Couvreur was​​​‌ invited speaker for:
  • Workshop​ on the Mathematics of​‌ post–quantum cryptography (Zurich);
  • the​​ ceremony award of Prix​​​‌ Nexans (A PhD award​ from university of Neuchâtel).​‌
• Olivier Blazy was invited​​ speaker for:
  • Africacrypt 2025​​​‌(Rabat);
• Benjamin Smith was​ invited speaker for
  • SQIParty​‌ workshop on isogeny crypto​​ 2025 (Lleida, Espagne)
  • WRACH​​​‌ 2025: Workshop on Randomness​ and Arithmetics for Cryptographic​‌ Hardware (Roscoff)

11.1.5 Leadership​​ within the scientific community​​​‌

• Olivier Blazy is the​ Scientific Director of the​‌ CIEDS
• Olivier Blazy is​​ one of the pilot​​​‌ of the transverse action​ between the GDR Securité​‌ Informatique and the GDR​​ Internet, IA et Société.​​​‌

11.1.6 Research administration

• Daniel​ Augot is elected member​‌ of the scientific board​​ of INRIA
• Daniel Augot​​​‌ was member of the​ HCERES committee visiting Laboratoire​‌ Jean Kutzmann at IMAG​​ in Grenoble
• Daniel Augot​​​‌ is member of the​ PhD commmittee of Institut​‌ polytechnique de Paris
• Daniel​​ Augot was in the​​​‌ committee for hiring a​ professeur chargé de cours​‌ at École polytechnique
• Daniel​​ Augot was in the​​​‌ committe for hiring a​ maître de conférences at​‌ CY Cergy Paris Université​​
• Alain Couvreur is elected​​​‌ member of Inria's Commission​ d'évaluation. He served​‌ in the recruitment jury​​ CRCN of Inria centres​​​‌ of Lyon and Grenoble.​
• Alain Couvreur is coordinator​‌ for Inria of the​​ Axis PQ-TLS of PEPR​​​‌ quantique and in charge​ of the work package​‌ on code-based cryptography with​​ Philippe Gaborit (University of​​​‌ Limoges).
• Olivier Blazy was​ in a hiring committee​‌ for a maître de​​ conférences at Unversité Clermont​​​‌ Auvergne
• Olivier Blazy was​ presdient in a hiring​‌ committee for a professeur​​ at Ecole polytechnique

11.2.1 Teaching​​

• Licence:
  • Olivier Blazy :​​​‌ CSE101: Introduction to Computer​ Programming (Tutorials), 31.5h, L1,​‌ École polytechnique, France
  • François​​ Morain , Lectures for​​​‌ INF361: “Introduction à l'informatique”,​ 15h (equiv TD), 1st​‌ year (L3), École polytechnique.​​ Coordinator of this module​​​‌ (300 students).
  • Bruno Sterner​ , Tutorials for CSE103:​‌ Introduction to Algorithms,​​ 28h, L1, École polytechnique.​​​‌
  • Gustavo Souza–Banegas , Tutorials​ for CSC43042: Algorithmes pour​‌ l'analyse de données en​​ Python, 40h, L1,​​ École polytechnique.
• Master:
  • Daniel​​​‌ Augot designed with Julien‌ Prat the cursus of‌​‌ a course in blockchains​​ and economics, and made​​​‌ lectures on zero-knowledge.
  • Master‌ : Olivier Blazy :‌​‌ Lectures and Labs for​​ Authentification, VPN et Chiffrement​​​‌, 6h, M2, Telecom‌ Sud Paris, France
  • Thomas‌​‌ Debris–Alazard : Lectures for​​ CSC_51063_EP: “Information Theory”, 36h,​​​‌ M1, École Polytechnique
  • Thomas‌ Debris–Alazard : Lectures for‌​‌ MDC_51002_EP: “Quantum Information and​​ Computing”, 18h, M1, École​​​‌ Polytechnique
  • Thomas Debris–Alazard :‌ Lecture for CSC_52001_EP: “Advanced‌​‌ Topic in Quantum Computing​​ and Information”, École Polytechnique​​​‌
  • Alain Couvreur and Thomas‌ Debris–Alazard : Lectures in‌​‌ MPRI CODES: Error Correcting​​ codes and applications to​​​‌ cryptography
  • François Morain ,‌ CSC_51058_EP, Lectures and labs‌​‌ Introduction to cryptology,​​ 36h, M1, École Polytechnique​​​‌
  • François Morain , CSC_52074_EP,‌ Lectures and labs Capture‌​‌ the Flag!, 36h,​​ M1, École Polytechnique (new​​​‌ course starting january 2026)‌
  • Benjamin Smith : INF568:‌​‌ Advanced Cryptography, 45h,​​ M1, École polytechnique, France​​​‌
  • Benjamin Smith : MPRI‌ 2-12-2: Algorithmes Arithmétiques pour‌​‌ la Cryptologie, 22.5h,​​ M2, Master Parisien de​​​‌ Recherche en Informatique, France.‌
  • Daniel Augot : Structures‌​‌ de données distribuées, avec​​ un focus sur les​​​‌ blockchains (2024-2025), 8h,‌ M1 École polytechnique

11.2.2‌​‌ Leadership

• Olivier Blazy was:​​
  • vice-president of the Departement​​​‌ Informatique de l'X (DIX)‌
  • co-academic advisor of the‌​‌ Bachelor in Computer Science​​ de l'X (BX)
  • co-academic​​​‌ advisor of the MScT‌ in Cybersecurity de l'X‌​‌

11.2.3 Juries

• Daniel Augot​​ was president of the​​​‌ PhD jury of
  • Épiphane‌ Nouwetowa (Université de Rennes);‌​‌
• Alain Couvreur was president​​ of the PhD juries​​​‌ of
  • Eliana Carozza (Université‌ Paris Cité);
  • Jean Gasnier‌​‌ (Université de Bordeaux);
  • Martin​​ Scotti (Université Paris 8);​​​‌
  • Virgile Guémard (Sorbonne Université).‌
• Alain Couvreur was reviewer‌​‌ of the PhD theses​​ of
  • Épiphane Nouwetowa (Université​​​‌ de Rennes);
  • Jean Gasnier‌ (Université de Bordeaux);
  • Nicolas‌​‌ Saussay (Université de Limoges);​​
  • Pierre Pébereau (Sorbonne Université).​​​‌
• Alain Couvreur was reviewer‌ of the HDR of‌​‌
  • Yann Rotella (Université Versailles​​ Saint Quentin).
• Olivier Blazy​​​‌ was reviewer of the‌ PhD theses of
  • Guirec‌​‌ Lebrun (ENS)

• Benjamin Smith​​ was reviewer of the​​​‌ PhD theses of

  • James‌ Clements (University of Bristol,‌​‌ UK)
  • Youcef Mokrani (University​​ of Waterloo, Canada)

  and​​​‌ a member of the‌ PhD jury of

  • Yanis‌​‌ Belkheyar (Radboud Universiteit Nijmegen,​​ NL)
  • Valerie Gilchrist (Université​​​‌ Libre de Bruxelles, BE)‌
• Thomas Debris–Alazard was member‌​‌ of the PhD jury​​ of
  • Charles Meyer-Hilfiger

11.3.1 Productions‌ (articles, videos, podcasts, serious‌​‌ games, ...)

• Nadja Aoutouf​​ and Nihan Tanısalı published​​​‌ videos on coding theory‌ and secret sharing on‌​‌ the YouTube Channel Aliceandbob​​.

11.3.2 Participation in​​​‌ Live events

• Olivier Blazy‌ participated in a Pint‌​‌ of Science edition, to​​ present double-anynomity in the​​​‌ context of age verification.‌

11.3.3 Others science outreach‌​‌ relevant activities

• Olivier Blazy​​ participated did various media​​​‌ interventions about societal impact‌ of privacy related results.‌​‌ (France info, AFP, La​​ Croix, Science & Vie,​​​‌ BFM, France 2)

International journals​‌

• 7 articleV.Valentina​​ Astore, M.Martino​​​‌ Borello, M.Marco​ Calderini and F.Flavio​‌ Salizzoni. A geometric​​ invariant of linear rank-metric​​​‌ codes.SIAM Journal​ on Applied Algebra and​‌ Geometry94October​​ 2025, 741-764HAL​​​‌DOI
• 8 articleM.​Matteo Bonini, M.​‌Martino Borello and E.​​Eimear Byrne. The​​​‌ geometry of covering codes​ in the sum-rank metric​‌.Designs, Codes and​​ CryptographyApril 2025HAL​​​‌DOI
• 9 articleM.​Martino Borello, W.​‌Wolfgang Schmid and M.​​Martin Scotti. The​​​‌ geometry of intersecting codes​ and applications to additive​‌ combinatorics and factorization theory​​.Journal of Combinatorial​​​‌ Theory, Series A214​2025, 106023In​‌ press. HALDOI
• 10​​ articleS.Sana Boussam​​​‌, M.Mathieu Carbone​, B.Benoît Gérard​‌, G.Guénaël Renault​​ and G.Gabriel Zaid​​​‌. Optimal Dimensionality Reduction​ using Conditional Variational AutoEncoder​‌.IACR Transactions on​​ Cryptographic Hardware and Embedded​​​‌ Systems20253June​ 2025, 164-211HAL​‌DOI
• 11 articleA.​​André Chailloux and T.​​​‌Thomas Debris-Alazard. New​ Solutions to Delsarte’s Dual​‌ Linear Programs.IEEE​​ Transactions on Information Theory​​​‌711January 2025​, 297-316HALDOI​‌
• 12 articleM.Maria​​ Corte-Real Santos, C.​​​‌Craig Costello and B.​Benjamin Smith. Efficient​‌ $(3,\mathrm{3})$-isogenies on fast​​ Kummer surfaces.Research​​​‌ in Number Theory11‌1January 2025,‌​‌ 25HALDOIback​​ to text
• 13 article​​​‌A.Alain Couvreur and‌ R.Rakhi Pratihar.‌​‌ Decoding rank metric Reed-Muller​​ codes.IEEE Transactions​​​‌ on Information TheoryNovember‌ 2025. In press.‌​‌ HALDOIback to​​ text
• 14 articleC.​​​‌Christophe Levrat, T.‌Tanguy Medevielle and J.‌​‌Jade Nardi. A​​ divide-and-conquer sumcheck protocol.​​​‌IACR Communications in Cryptology‌212025.‌​‌ In press. HALDOI​​
• 15 articleG.Giacomo​​​‌ Pope, K.Krijn‌ Reijnders, D.Damien‌​‌ Robert, A.Alessandro​​ Sferlazza and B.Benjamin​​​‌ Smith. Simpler and‌ Faster Pairings from the‌​‌ Montgomery Ladder.IACR​​ Communications in Cryptology2025​​​‌2July 2025HAL‌DOIback to text‌​‌

International peer-reviewed conferences

• 16​​ inproceedingsD.Daniel Augot​​​‌, O.Olivier Blazy‌, H.Hugo Delavenne‌​‌ and L.-B.Lola-Baie Mallordy​​. Bivariate proximity test-based​​​‌ Asynchronous Verifiable Secret Sharing‌.AfricaCrypt 2025 -‌​‌ 16th International Conference on​​ Cryptology in Africa15651​​​‌Lecture Notes in Computer‌ ScienceRabat (Maroc), Morocco‌​‌Springer Nature SwitzerlandJuly​​ 2025, 319-342HAL​​​‌DOI
• 17 inproceedingsG.‌Gustavo Banegas, A.‌​‌Anaëlle Le Dévéhat and​​ B.Benjamin Smith.​​​‌ Compressed verification for post-quantum‌ signatures with long-term public‌​‌ keys.CANS 2025​​ - 24th International Conference​​​‌ on Cryptology and Network‌ Security16351Lecture Notes‌​‌ in Computer ScienceOsaka,​​ JapanSpringer Nature Singapore​​​‌November 2026, 3-26‌HALDOIback to‌​‌ text
• 18 inproceedingsA.​​Alain Couvreur and C.​​​‌Christophe Levrat. Highway‌ to Hull: An Algorithm‌​‌ for Solving the General​​ Matrix Code Equivalence Problem​​​‌.CRYPTO 2025 -‌ 45th annual international cryptology‌​‌ conference16000Lecture Notes​​ in Computer ScienceSanta​​​‌ Barbara, United StatesSpringer‌ Nature SwitzerlandAugust 2025‌​‌, 253-283HALDOI​​back to text
• 19​​​‌ inproceedingsA.Alain Couvreur‌ and R.Rakhi Pratihar‌​‌. Recursive decoding of​​ binary rank Reed-Muller codes​​​‌ and Plotkin construction for‌ matrix codes.2025‌​‌ IEEE International Symposium on​​ Information Theory (ISIT)Ann​​​‌ Arbor, United StatesIEEE‌June 2025, 1-6‌​‌HALDOIback to​​ text
• 20 inproceedingsA.​​​‌Alain Couvreur, R.‌Rakhi Pratihar, N.‌​‌Nihan Tanısalı and I.​​Ilaria Zappatore. On​​​‌ the structure of the‌ Schur squares of Twisted‌​‌ Generalized Reed-Solomon codes and​​ application to cryptanalysis.​​​‌Lecture Notes in Computer‌ SciencePost-Quantum Cryptography. PQCrypto‌​‌ 2025.15577Lecture Notes​​ in Computer ScienceTaipei,​​​‌ TaiwanSpringer Nature Switzerland‌March 2025, 3-34‌​‌HALDOI
• 21 inproceedings​​H.Hugo Delavenne and​​​‌ L.Louise Lallemand.‌ Codes on any Cayley‌​‌ Graph have an Interactive​​ Oracle Proof of Proximity​​​‌.Cryptology and Network‌ SecurityOsaka, JapanNovember‌​‌ 2025HALDOI
• 22​​ inproceedingsH.Hugo Delavenne​​​‌, É.Élina Roussel‌ and T.Tanguy Medevielle‌​‌. Interactive Oracle Proofs​​ of Proximity to Codes​​​‌ on Graphs.2025‌ IEEE International Symposium on‌​‌ Information Theory (ISIT)Ann​​ Arbor, United StatesIEEE​​​‌October 2025, 1-6‌HALDOI
• 23 inproceedings‌​‌L.Lucien François,​​​‌ E.Eimear Byrne and​ A.Alain Couvreur.​‌ Decoding Algorithms for Tensor​​ Codes.2025 IEEE​​​‌ International Symposium on Information​ Theory (ISIT)Ann Arbor,​‌ United StatesIEEEJune​​ 2025, 1-6HAL​​​‌DOI
• 24 inproceedingsA.​Antonio Ras, A.​‌Antoine Loiseau, M.​​Mikaël Carmona, S.​​​‌Simon Pontié, G.​Guénaël Renault, B.​‌Benjamin Smith and E.​​Emanuele Valea. Optimizing​​​‌ HQC using Frobenius Additive​ FFT on a RISC-V-based​‌ System-on-Chip.DSD/SEAA 2025​​ - 28th Euromicro Conference​​​‌ Series on Digital System​ Design2025 28th Euromicro​‌ Conference on Digital System​​ Design (DSD)Salerne, Italy​​​‌IEEE2025, 608-615​HALDOIback to​‌ text

Conferences without proceedings​​

• 25 inproceedingsM.Martin​​​‌ Bieri, O.Olivier​ Blazy, S.Solenn​‌ Brunet and J.Jérôme​​ Gorin. MAGICARPP: ModulAr​​​‌ GeneralIzed Check of Age​ Requirement while Preserving Privacy​‌.IAB/W3C 2025 -​​ Workshop on Age-Based Restrictions​​​‌ on Content AccessLondon,​ United KingdomOctober 2025​‌HAL

Edition (books, proceedings,​​ special issue of a​​​‌ journal)

• 26 proceedingsJ.-A.​Juan-Antonio Cordero-Fuertes, eds.​‌ EU Digital Technologies and​​ Policy Conference (EUDTP 2025)​​​‌ Abstracts and Contributions.​EU Digital Technologies and​‌ Policy (EUDTP) Conference 2025​​Bruxelles, BelgiumJune 2025​​​‌HAL

Doctoral dissertations and​ habilitation theses

• 27 thesis​‌A.Anaëlle Le Dévéhat​​. Designing Efficient, Practical​​​‌ and Secure Post-quantum Cryptosystems​.École polytechnique X​‌December 2025HAL

Reports​​ & preprints

• 28 misc​​​‌O.Osama Allabwani,​ O.Olivier Blazy,​‌ P.Pascal Lafourcade,​​ C.Charles Olivier-Anclin and​​​‌ O.Olivier Raynaud.​ Sanitizable Signatures with Different​‌ Admissibility Policies for Multiple​​ Sanitizers.December 2025​​​‌HALDOI
• 29 misc​G.Gustavo Banegas,​‌ A.Andreas Hellenbrand and​​ M.Matheus Saldanha.​​​‌ Hardened CTIDH: Dummy-Free and​ Deterministic CTIDH.December​‌ 2026, 194-215HAL​​DOIback to text​​​‌
• 30 miscD.Daniele​ Bartoli, M.Martino​‌ Borello, G.Giuseppe​​ Marino and M.Martin​​​‌ Scotti. Linear Rank-Metric​ Intersecting Codes.July​‌ 2025HAL
• 31 misc​​X.Xavier Bonnetain,​​​‌ J.Johanna Loyer,​ A.André Schrottenloher and​‌ Y.Yixin Shen.​​ A Tight Quantum Algorithm​​​‌ for Multiple Collision Search​.2025HAL
• 32​‌ miscA.Alain Couvreur​​, T.Thomas Debris-Alazard​​​‌, P.Philippe Gaborit​ and A.Adrien Vinçotte​‌. MIRANDA: short signatures​​ from a leakage-free full-domain-hash​​​‌ scheme.October 2025​HALback to text​‌
• 33 miscT.Thomas​​ Debris-Alazard, P.Philippe​​​‌ Gaborit, R.Romaric​ Neveu and O.Olivier​‌ Ruatta. A Minrank-based​​ Encryption Scheme à la​​​‌ Alekhnovich-Regev.2025HAL​DOIback to text​‌
• 34 miscS. R.​​Sudhir R. Ghorpade,​​​‌ T.Trygve Johnsen,​ R.Rati Ludhani and​‌ R.Rakhi Pratihar.​​ Higher weight spectra and​​​‌ Betti numbers of Reed-Muller​ codes $R{M}_{\mathrm{q‌}}(2,\mathrm{2})$.January 2025​​​‌HAL
• 35 miscC.​Christophe Levrat and R.​‌Rubén Muñoz--Bertrand. Effective​​ Artin-Schreier-Witt theory for curves​​​‌.October 2025HAL​
• 36 miscE.Erik​‌ Mulder, B.Bruno​​ Sterner and W.Wessel​​ van Woerden. Large​​​‌ smooth twins from short‌ lattice vectors.September‌​‌ 2025HAL