TANCis located in the Laboratoire d'Informatique de l'École polytechnique (LIX). The project was created on 2003-03-10.

The aim of the TANCproject is to promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

It is clear from this sentence that we combine high-level mathematics and efficient programming. Our main area of competence and interest is that of algebraic curves over finite fields, most notably the computational aspects of these objects, that appear as a substitute of good old-fashioned cryptography based on modular arithmetic. One of the reasons for this change is the key-size that is smaller for an equivalent security. We participate in the recent bio-diversity mood that tries to find substitutes for RSA, in case some attack would appear and destroy the products that employ it.

Whenever possible, we produce certificates (proofs) of validity for the objects and systems we build. For instance, an elliptic curve has many invariants, and their values need to be proved, since they may be difficult to compute.

Our research area includes:

Fundamental number theoretic algorithms: we are interested in primality proving algorithms based on elliptic curves (F. Morain being the world leader in this topic), integer factorization, and the computation of discrete logarithms over finite fields. These problems lie at the heart of the security of arithmetic based cryptosystems.

Algebraic curves over finite fields: the algorithmic problems that we tackle deal with the efficient computation of group laws on Jacobians of curves, evaluation of the cardinality of these objects, and the study of the security of the discrete logarithm problem in such groups. These topics are the crucial points to be solved for potential use in real crypto-products.

Complex multiplication: the theory of complex multiplication is a meeting point of algebra, complex analysis and algebraic geometry. Its applications range from primality proving to the efficient construction of elliptic or hyperelliptic cryptosystems.

As described in the name of our project, we aim at providing robust primitives for asymmetric cryptography. In recent years, we have made several attempts at coming closer to another part of
cryptology, by applying our knowledge to real life protocols. This has led
TANCto recruit two postdocs, one in the framework of ERCIM, and another one from INRIA. The idea was to hire two specialists on signature schemes in
which elliptic curves have a decisive impact, since they provide shorter signatures than traditional ones. We are currently trying to promote their use in environments where this could be
useful, namely
*ad hoc*networks.

Once considered beautiful but useless, arithmetic has proven incredibly efficient when asked to assist the creation of a new paradigm in cryptography. Old cryptography was mainly concerned
with
*symmetric techniques*: two principals wishing to communicate secretly had to share a common secret beforehand and this same secret was used both for encrypting the message and for
decrypting it. This way of communication is efficient enough when traffic is low, or when the principals can meet prior to communication.

It is clear that modern networks are too large for this to remain efficient any longer. Hence the need for cryptography without first contact. In theory, this is easy. Find two algorithms
Eand
Dthat are reciprocal (i.e.,
D(
E(
m)) =
m) and such that the knowledge of
Edoes not help in computing
D. Then
Eis dubbed a public key available to anyone, and
Dis the secret key, reserved to a user. When Alice wants to send an email to Bob, she uses his public key and can send him the encrypted message, without agreeing on a
common key beforehand. Though simplified and somewhat idealized, this is the heart of asymmetric cryptology. Apart from confidentiality, modern cryptography provides good solutions to the
signature problem, as well as some solutions for identifying all parties in protocols, thus enabling products to be usable on the
Internet(ssh, ssl/tls, etc.).

Of course, everything has to be presented in the modern language of complexity theory: computing
Eand
Dmust be doable in polynomial time; finding
Dfrom
Ealone should be possible only in, say, exponential time, without some secret knowledge.

Now, where do difficult problems come from? Mostly from arithmetical problems. There we find the integer factoring problem, the discrete logarithm problem, etc. Varying the groups appears to be important, since this provides some bio-diversity which is the key of the resistance to attacks from crypto-analysts. Among the groups proposed: finite fields, modular integers, algebraic curves, class groups, etc. All these now form cryptographic primitives that need to be assembled in protocols, and finally in commercial products.

Our activity is concerned with the beginning of this process: we are interested in difficult problems arising in computational number theory and the efficient construction of these primitives. TANCconcentrates on modular arithmetic, finite fields and algebraic curves.

We have a strong well-known reputation of breaking records whatever the subject is: constructing systems or breaking them, including primality proving, class polynomials, modular equations, computing cardinalities of algebraic curves, discrete logs, etc. This means writing programs and putting in all the work needed to make them run for weeks or months. An important part of our task is now to transform record programs into ones that can solve everyday life problems for current sizes of the parameters.

Efficiency is not our single concern. Certificates are again another one. By this, we mean that we provide proofs of the properties of the objects we build. The traditional example is that
of prime numbers, where certificates were introduced by Pratt in 1974. These certificates might be difficult to build, yet they are easy to check (by customers, say). We know how to do this for
elliptic curves, with the aim of establishing what we call an
**identity card**for a curve, including its cardinality together with the proof of its factorization, its group structure (with proven generators), discriminant (and factorization), class
number of the associated order. The theory is ready for this, algorithms not out of reach. This must be extended to other curves, and in several cases, the theory is almost ready or not at all,
and algorithms still to be found. This is one of the main problems we have to tackle in
TANC.

It is clear that more and more complex mathematics will be used in cryptology (see the recent algorithms that use
p-adic approaches). These cannot live if we do not implement them, and this is where we need more and more evolved algorithms, that are for the moment present in very
rare mathematical systems, like
Magmathat we use for this. It should be noted that some of our programs (an old version of ECPP, some parts of discrete log computations, cardinality
of curves) are now included in this system, as a result of our collaboration with the Sydney group. Once the algorithms work in
Magma, it is customary to rewrite them in C or C++ to gain speed.

One of the most used protocol is that of Diffie-Hellman that enables Alice and Bob to exchange a secret information over an insecure channel. Given a publicly known cyclic group
Gof generator
g, Alice sends
g^{a}for a random
ato Bob, and Bob responds with a random
g^{b}. Both Alice and Bob can now compute
g^{ab}and this is henceforth their common secret. Of course, this a schematic presentation, since real-life protocols based on this need more security properties. Being unable to recover
afrom
g^{a}(the discrete log problem –
*DLP*) is a major concern for the security of the scheme, and groups for which the
*DLP*is difficult must be favored. Therefore, groups are important, and
TANCconcentrates on algebraic curves, since they offer a very interesting alternative to finite fields, in which the
*DLP*can be broken by subexponential algorithms. Thus using curves a smaller key can be used, and this is very interesting as far as limited powered devices are concerned.

In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (hence have a nice representation of the elements of the Jacobian of the curve). Next, computing the cardinality of the Jacobian is required, so that we can find generators of the group, or check the difficulty of the discrete logarithm in the group. Once the curve is built, one needs to test its security, for example how hard the discrete logarithm in this group is.

A curve that interests us is typically defined over a finite field
G F (
p
^{n})where
pis the characteristic of the field. Part of what follows does not depend on this setting, and can be used as is over the rationals, for instance.

The points of an elliptic curve
E(of equation
y^{2}=
x^{3}+
ax+
b, say) form an abelian group, that was thoroughly studied during the preceding millenium. Adding two points is usually done using what is called the
*tangent-and-chord*formulae. When dealing with a genus
gcurve (the elliptic case being
g= 1), the associated group is the Jacobian (set of
g-tuples of points modulo an equivalence relation), an object of dimension
g. Points are replaced by polynomial ideals. This requires the help of tools from effective commutative algebra, such as Gröbner bases or Hermite normal forms.

A. Enge and N. Gürel have worked with J. -C. Faugère and A. Basiri (LIP 6) on the arithmetic of superelliptic and
C_{a,
b}curves, the next complex class of algebraic curves after the well understood hyperelliptic ones. They have dramatically improved the existing algorithms and have found new algorithms
for superelliptic cubic curves, that is, curves of the form
y^{3}=
f(
x)with
d e g (
f)prime to 3 and at least 4
. They have generalized their work, in part based
on Gröbner basis computations, to
C_{3, 4}curves and have provided explicit formulae for realizing the group law using only operations in the underlying (finite) field
.

The great catalog of usable curves is complete, as a result of the work of TANC, notably in two ACI ( cryptocourbesand cryptologie p-adique) that are finished now.

Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, this has to be done as fast as possible, if changing the group very frequently in applications is imperative.

Two parameters enter the scene: the genus
gof the curve, and the characteristic
pof the underlying finite field. When
g= 1and
pis large, the only current known algorithm for computing the number of points of
E/ G F (
p)is that of Schoof–Elkies–Atkin. Thanks to the works of the project, world-widespread implementations are able to build cryptographically strong curves in less than
one minute on a standard PC.

When
pis small (one of the most interesting cases for hardware implementation in smart cards being
p= 2) the best current methods use
p-adic numbers, following the breakthrough of T. Satoh with a method working for
p5. The first version of this algorithm for
p= 2was proposed independently by M. Fouquet, P. Gaudry and R. Harley and by B. Skjernaa. J. -F. Mestre has designed the currently
fastest algorithm using the arithmetico-geometric mean (AGM) approach. Developed by R. Harley and P. Gaudry, it led to new world records. Then, P. Gaudry combined this method
together with other approaches, to make it competitive for cryptographic sizes
.

When
g>1and
pis large, polynomial time algorithms exist, but their implementation is not an easy task. P. Gaudry and É. Schost have modified the best existing algorithm
so as to make it more efficient. They were able to build the first random cryptographically strong genus 2 curves defined over a large prime field
. To get one step further, one needs to use genus
2 analogues of modular equations. After a theoretical study
, they are now investigating the practical use of
these equations.

When
p= 2,
p-adic algorithms led to striking new results. First, the AGM approach extends to the case
g= 2and is competitive in practice (only three times slower than in the case
g= 1). In another direction, Kedlaya has introduced a new approach, based on the Monsky-Washnitzer cohomology. His algorithm works originally when
p>2. P. Gaudry and N. Gürel implemented this algorithm and extended it to superelliptic curves, which had the effect of adding these curves to the list
of those usable in cryptography.

Closing the gap between small and large characteristic leads to pushing the
p-adic methods as far as possible. In this spirit, P. Gaudry and N. Gürel have adapted Kedlaya's algorithm and exhibited a linear complexity in
p, making it possible to reach a characteristic of around 1000 (see
). For larger
p's, one can use the Cartier-Manin operator. Recently, A. Bostan, P. Gaudry and É. Schost have found a much faster algorithm than currently known ones
. Primes
paround
10
^{9}are now doable.

Despite the achievements described above, random curves are sometimes difficult to use, since their cardinality is not easy to compute or useful instances are too rare to occur (curves for
pairings for instance). In some cases, curves with special properties can be used. For instance curves with
*complex multiplication*(in brief CM), whose cardinalities are easy to compute. For example, the elliptic curve defined over
GF(
p)of equation
y^{2}=
x^{3}+
xhas cardinality
p+ 1-2
u, when
p=
u^{2}+
v^{2}, and computing
uis easy.

The CM theory for genus 1 is well known and dates back to the middle of the nineteenth century (Kronecker, Weber, etc.). Its algorithmic part is also well understood, and recently more work
was done, largely by
TANC. Twenty years ago, this theory was applied by Atkin to the primality proving of arbitrary integers, yielding the ECPP algorithm developed ever
since by F. Morain. Though the decision problem
isPrime?was shown to be in
*P*(by the 2002 work of Agrawal, Kayal, Saxena), practical primality proving is still done only with ECPP.

These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems (cf. infra).

CM curves are defined by algebraic integers, whose minimal polynomial has to be computed exactly, its coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants that characterize CM curves. The union of these two families is currently the best that can be achieved in the field (see ). Later, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory . These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

The theory of Complex Multiplication also exists for non-elliptic curves, but is more intricate, and only recently can we dream to use them. The first results in that direction are described below.

Our main field of applications is clearly that of telecommunications. We participate in the protection of information. We are proficient on a theoretical level, as well as ready to develop
applications using modern cryptologic techniques, with a main focus on elliptic curve cryptography. One potential application are cryptosystems in environments with limited resources as smart
cards, mobile phones or
*ad hoc*networks.

F. Morain has been continuously improving his primality proving algorithm called ECPP, originally developed in the early '90. Binaries for version 6.4.5 are available since 2001 on his web page. Proving the primality of a 512 bit number requires less than a second on a GHz PC. His personal record is about decimal digits, with the fast version he started developing in 2003.

The
`mpc`library, developed by A. Enge in collaboration with P. Zimmermann, implements the basic operations on complex numbers in arbitrary precision, which can be tuned to the
bit. This library is based on the multiprecision libraries
`gmp`and
`mpfr`. Each operation has a precise semantics, in such a way that the results do not depend on the underlying architecture. Several rounding modes are available. This software, licensed
under the GNU Lesser General Public License (LGPL), can be downloaded freely from the URL

http://www.lix.polytechnique.fr/Labo/Andreas.Enge/Software.html

The latest version 0.4.5 has been released in December 2005. This library is used in our team to build curves with complex multiplication, and is
*de facto*incorporated in the ECPP program.

We plan to make A. Enge's program that builds elliptic curves with complex multiplication available. This program is a very important building block for cryptographic purposes as well as for primality proving (fastECPP).

We have hired J. Milan as
*ingénieur associé*to help us with our programs. He first spent some time making a tour of publicly available platforms implementing the IEEE P-1363 cryptography standards. Following this
work, it appeared not interesting to add a new one to the list, and he switched to one of our other themes, namely writing software for which the results can be guaranteed.

His first task is to answer the question: How fast can we factor ``small'' integers, say around 200 bits (for elliptic curve related stuff), or 80 bits (as a tool in the implementation of more elaborate factorization algorithms). This forms the core of his library TIFA (Tools for Integer FActorisation), containing CFRAC and SIQS for a start.

F. Morain, helped by A. Enge and P. Gaudry, has been revisiting the SEA algorithm in genus 1, to see what was left to be improved since the last record, which was achieved
in 1995
. This led first to new easy records resulting
from Moore's law. The program was completely rewritten in NTL and new algorithms were introduced, concerning mainly the fast search for eigenvalues; this work was presented at ISSAC 2006
. Together with A. Bostan, B. Salvy
(from projet
ALGO), and É. Schost, F. Morain gave quasi-linear algorithms for computing the explicit form of a strict isogeny between two elliptic
curves, another important block in the SEA algorithm
. The new record is currently (September 2006)
for a prime
pof 2100 decimal digits (again compared to 500dd back in 1995).

This was made possible only because of A. Enge new algorithm
for computing modular equations of index greater
than 2000. The algorithm computes bivariate modular polynomials by an evaluation and interpolation approach and relies on the ability to rapidly evaluate modular functions in complex floating
point arguments (cf. Section
). It has a quasi-linear complexity with respect to its
output size, so that again the performance of the algorithm is limited by the size of the result: we have in fact been able to compute modular polynomials of degree larger than 10000 and of
size
16
G
Bby a parallelised implementation of the algorithm. Nevertheless, computing modular polynomials remains the stumbling block for new point counting records. Clearly,
to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable.

We plan to make our new implementation available as an extension to the NTL library.

During his postdoctoral stay in Sydney, N. Gürel worked with D. Kohel and R. Gerkmann on practical aspects of Dwork theory of
p-adic differential equations. Based on an unpublished article of N. Tsuzuki, they have constructed the Frobenius matrix of a general family of elliptic curves in
characteristic two. In particular, this matrix, whose coefficients are overconvergent series, gives a new point counting method in characteristic two. This work is still in progress.

Concerning the discrete logarithm problem on algebraic curves, the most promising algorithms rely on creating relations as smooth principal divisors on the curve and use linear algebra to
deduce the discrete logarithms. Two research directions can be distinguished, that are both pursued by our team. The first approach consists of deriving complexity results for the genus
tending to infinity and the size of the finite field growing only moderately. Typically, this results in algorithms of subexponential complexity
L(1/2). This direction has been pursued by A. Enge in his doctoral thesis and later in collaboration with P. Gaudry. The second approach consists in analysing
essentially the same algorithms for fixed genus, but with the field size tending to infinity. Typically, the outcome are exponential algorithms, but these may nevertheless be faster than
generic algorithms of square root complexity and thus consist a threat for the cryptographic use of algebraic curves. This approach has been founded by P. Gaudry in his doctoral thesis.

Making clever use of the notion of large primes, P. Gaudry, N. Thériault, E. Thomé and C. Diem have succeeded in lowering the complexity of the above mentioned discrete logarithm algorithms for fixed genus so much that curves of genus 5 or higher are definitely eliminated from cryptography . Curves of genus 1 or 2 are not affected, while those of genus 3 or 4 require the key size to be slightly increased and thus might survive in special situations.

A. Enge and P. Gaudry have exhibited a class of curves in which the discrete logarithm is attacked by a subexponential algorithm of complexity
L(1/3), for the very first time in algebraic curve cryptography
. This shows that the corresponding algebraic
curve cryptosystems, essentially based on
C_{a,
b}curves with the degrees in
Xand
Ygrowing in a special way with the genus, are no more secure than RSA and thus of no cryptographic interest.

The work of AKS motivated the work of F. Morain on a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem (see ), reaching heuristically , compared to for the basic version. By comparison, the best proven version of AKS has complexity and has not been implemented so far; the best randomized version reaches the same bound but suffers from memory problems and is not competitive yet. F. Morain implemented fastECPP and was able to prove the primality of 10, 000decimal digit numbers , as opposed to 5, 000for the basic (historical) version. Continuously improving this algorithm, this led to new records in primality proving, some of which obtained with his co-authors J. Franke, T. Kleinjung and T. Wirth who developed their own programs. F. Morain set the current world record to 20,562 decimal digits early June 2006, as opposed to 15,071 two years before. This record was made possible using an updated MPI-based implementation of the algorithm and its distribution process on a cluster of 64-bit bi-processors (AMD Opteron(tm) Processor 250 at 2.39 GHz).

R. Dupont has investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function
jor the Dedekind eta function for example). High precision evaluation of such functions is at the core of algorithms to compute class polynomials (used in complex
multiplication) or modular polynomials (used in the SEA elliptic curve point counting algorithm).

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal linear complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary .

Using similar techniques, he has given a proven algorithm for the evaluation of the logarithm of complex numbers with quasi-optimal time complexity.

A. Enge has been able to analyze precisely the complexity of class polynomial computations via complex floating point approximations. In fact, this approach has recently been
challenged by algorithms using
p-adic liftings, that achieve a running time that is (up to logarithmic factors) linear in the output size. He has shown that the algorithm using complex numbers, in
its currently implemented form, has a slightly worse asymptotic complexity (polynomial with exponent
1.25). Using techniques from fast symbolic computation, namely multievaluation of polynomials, he has obtained an asymptotically optimal (up to
logarithmic factors) algorithm with floating point approximations. The implementation has shown, however, that in the currently practical range, the asymptotically fast algorithm is slower
than the previous one. This is due, on the one hand, to the multitude of algorithmic improvements introduced in
, and on the other hand, to the lack of
logarithmic factors and better constants.

Using R. Dupont's results described above, A. Enge has devised a second quasi-linear algorithm (that actually even saves a logarithmic factor in the complexity). Breaking the record for class polynomial computations, he has computed a polynomial of degree 100,000, the largest coefficient of which has almost 250,000 bits. For this enormous example, the asymptotically fast algorithm finally beats the one with exponent 1.25. The implementation is based on gmp, mpfr and mpc (see Section 5.2) and a library of A. Enge's for fast arithmetic with polynomials over multiprecision floating point numbers. It turns out that the algorithms are so optimized that the limiting factor becomes the memory consumption .

P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler and A. Weng , have designed a new approach to construct class polynomials of genus two curves having complex multiplication. The main feature of their method is the use of 2-adic numbers instead of complex floating-point approximations. Although that method suffers from limitations due to the fact that its initialisation highly depends of the splitting of 2 in the quartic CM field, the corresponding algorithm is very efficient compared to previous approach.

T. Houtmann worked on both the aspects for an alternative to
p-adic method and classical CM method. He improved the period matrices computation phase, collaborated with R. Dupont to improve the analytic phase and did work on
using the very method to generate hyperelliptic curves suitable for cryptography. As far as his work is advanced, he managed to compute a 132-degree Igusa class polynomial system.

R. Dupont has worked on adapting his algorithm to genus 2, which induces great theoretical and technical difficulties. He has studied a generalization of the AGM known as
Borchardt sequences, has proven the convergence of these sequences in a general setting, and has determined the set of limits such sequences have in genus 2. He has then developped an
algorithm for the fast evaluation of theta constants in genus 2, and as a byproduct obtains an algorithm to compute the Riemann matrix of a given hyperelliptic curve: given the equation
of such a curve, it computes a lattice
Lsuch that the Jacobian of the curve is isomorphic to
. These algorithms are both quasi-linear, and have been implemented (in
C, using
gmp).

Using these implementations, R. Dupont has began computing modular polynomials for groups of the form
_{0}(
p)in genus 2 (these polynomials link the genus 2
j-invariants of
p-isogenous curves). He computed the modular polynomials for
p= 2, which had never been done before, and did some partial computations for
p= 3(results are available at
http://www.lix.polytechnique.fr/Labo/Regis.Dupont).

He also studied more theoretically the main ingredient used in his algorithms in genus 2, a procedure known as Borchardt sequences. In particular, he proved a theorem that parametrizes the set of all possible limits of Borchardt sequences starting with a fixed 4-tuple.

Elliptic curves in cryptography have first been used to replace finite fields in protocols whose security relies on the discrete logarithm problem, essentially keeping the protocols as they are and substituting one algebraic structure for another. There are, however, new applications of elliptic curves that exploit specific additional structures that are not found in the finite field setting, for instance the Tate and Weil pairings.

Everybody knows that the most difficult problem in modern cryptography, and more precisely its would-be widespread use, is the key authentication problem, or more generally that of
authenticating principals on an open network. The ``classical'' approach to this problem is that of a
*public key infrastructure*(PKI), in which some centralized or distributed authority issues certificates for authenticating the different users. Another approach, less publicized, is
that of
*identity based cryptography*(ID), in which the public key of a user can be built very easily from his email address for instance. The cryptographic burden is then put on the shoulders
of the
*private key generator*(PKG) that must be contacted by the users privately to get their secret keys and open their emails. The ID approach can be substituted to the PKI approach in some
cases, where some form of ideal trustable PKG exists (private networks, etc.).

This ID idea is not new, but no efficient and robust protocol was known prior to the ideas of Boneh et al. using pairings on elliptic curves. R. Dupont and A. Enge have worked on such an ID-system. They have defined a notion of security for such a protocol and have given a proof of security of a generalization of a system of Sakai, Ohgishi and Kasahara's in this model .

With respect to signatures, a current area of research is related to the aggregation of different signatures on different messages. In many applications, it is desirable to be able to transform many signatures on different messages into a single signature, in such a way that the length of this (aggregate) signature is much less than the total length of the initial signatures. A recipient should be able to verify the correctness of all the initial signatures by using only the list of messages and the aggregate signature, ideally with less computational efforts than in the case where he must verify all the signatures one by one.

For traditional PKI-based signature schemes, some efficient proposals of aggregate signature schemes have been proposed , . In particular, in , the length of the resulting aggregate signature is constant, independent of the number of messages and the number of signers. This proposal uses bilinear pairings as a tool. Using RSA techniques, the obtained aggregate signatures have a length which is independent of the number of messages, but still linear with respect to the number of signers.

In the scenario of identity-based signatures, none of the existing signature schemes allows an efficient aggregation of signatures, in the sense that resulting aggregate signatures have a length which is always linear with respect to the number of messages. To partially solve this problem, Javier Herranz has proposed in a new identity-based signature scheme, which allows to obtain an aggregate signature whose length is independent of the number of messages, but linear with respect to the number of signers. In situations where one wants to aggregate many signatures coming from a small set of signers (even a unique signer) the length of the resulting signatures is simply constant.

To achieve specific properties desired in real-world applications of cryptography, variants of the classical digital signatures have been designed. Undeniable signatures and confirmer
signatures are examples of such variants. Directed signatures differ from the well-known confirmer signatures in that the signer has the simultaneous abilities to confirm, deny and
individually convert a signature. The universal conversion of these signatures has remained an open problem since their introduction in 1993. F. Laguillaumie, in collaboration with
Pascal Paillier (Gemplus) and Damien Vergnaud (Univ. Caen) provides in the Asiacrypt'05 paper "Universally Convertible Directed Signatures"
a positive answer to this quest by showing a
very efficient design for universally convertible directed signatures, both in terms of computational complexity and signature size. The construction relies on the so-called
xyz-trick, previously introduced by F. Laguillaumie and Damien Vergnaud, applicable to bilinear map groups.

F. Laguillaumie, in collaboration with Damien Vergnaud, also introduced a new undeniable signature scheme which is existentially unforgeable and anonymous under chosen message attacks in the standard model . The scheme is an embedding of Boneh and Boyen's recent short signature scheme in a group where the decisional Diffie-Hellman problem is assumed to be difficult. The anonymity of the scheme relies on a decisional variant of the strong Diffie-Hellman assumption, while its unforgeability relies on the strong Diffie-Hellman assumption.

Finally, J. Herranz and F. Laguillaumie proposed in a blind ring signature scheme based on pairings on algebraic curves. They formally prove the security (anonymity, blindness and unforgeability) of their scheme in the random oracle model, under quite standard assumptions. Blind ring signatures are useful, for instance, to design secure e-cash systems involving several banks.

In collaboration with David Galindo (Radboud University, Nijmegen, The Netherlands), Javier Herranz worked on
*token-controlled public key encryption schemes*. In such schemes, the sender encrypts messages by using the public key of the receiver together with a secret token, in such a way that
the receiver is able to decrypt the ciphertext only when the token is delivered. This provides a solution to situations where someone wants a receiver to obtain some confidential information
only when some condition is fulfilled, but he is afraid he could not encrypt the message when this condition (a date, an event) is already satisfied. The sender can encrypt the message in
advance and give the employed secret token to some external party (a lawyer, for example) under the requirement that this party will deliver the token to the intended receivers when the
stated condition holds.

The CESAM project is a contract of the ACI Sécurité Informatique, involving TANC, P. Gaudry from SPACES/CACAOand the crypto team at ENS. The goal of this project is to study cryptographic protocols involving elliptic curves, with a view towards specific environment where the resources (cpu, memory, bandwidth) are limited.

The curves that can be used in this protocol are not the same as the curves that are used in classical protocols, since the group orders of the curve and of the quadratic twist both need to be prime. A. Enge has made use of the complex multiplication approach presented above to generate such curves. Finding curves of cryptographic size (192 bits) is a matter of seconds with his implementation. A note is in preparation.

F. Morain and D. Augot ( CODES) participate in the ACI SERAC (SEcuRity models and protocols for Ad-hoC Networks), which started in september 2004. Their interest there is to understand the (new?) cryptographic needs required and to try to invent new trust models.

It is clear that the recent arrival of Hipercom(also a member of SERAC) at École polytechnique triggers new collaborations in that direction.

A collaboration between TANC(J. Herranz, F. Laguillaumie) and CODES (R. Bhaskar) via the SERAC project of the ACI S&I has led to .

Achieving secure routing in ad-hoc networks is a big challenge. The typical way to prevent or reduce the possible attacks is to use mechanisms to authenticate the origin of all messages. Standard (asymmetric) signature schemes provide these mechanisms, but may result in inefficient implementations, especially when many nodes (and so many signatures) are expected.

Some of these efficiency problems can be reduced with the use of aggregate signatures, which improve the length and the cost of managing many different signatures. In this article, they propose a new concept, aggregate designated verifier signature schemes, which can be implemented in a more efficient way than standard aggregate signatures (for example by using MACs). Such schemes can be sufficient to authenticate the establishment of routes in reactive protocols. Formal definitions for the new primitive and the required security properties are given. Moreover a specific and efficient scheme is proposed which uses MACs, and is proven secure in the random oracle model.

is an extension of their work in : they especially add the ID-based feature.

J. Herranz and F. Laguillaumie have given a series of lectures on digital signatures for the members of the SERAC project.

This corresponds to É. Brier's thesis on the use of (hyper-)elliptic curves in cryptology.

Together with the CODES project at INRIA Rocquencourt, the project TANCparticipates in ECRYPT, a NoE in the Information Society Technologies theme of the 6th European Framework Programme (FP6).

J. Herranz and F. Laguillaumie have participated in the AZTEC working group WG3 on asymmetric techniques with special properties on November 23–24.

F. Laguillaumie participated in the WG3 of NEO ECRYPT (July 16-17).

ACI SÉCURITÉ CESAM: elliptic curves for the security of mobile networks.

ACI SÉCURITÉ SERAC: SEcuRity models and protocols for Ad-hoC networks.

PAI "Procope" with the group "Algebra and Number Theory" of the TU-Berlin (Florian Heß).

F. Morain was in the program committee of ANTS-VII, held in Berlin, July 2006.

F. Laguillaumie participated to the program committee of the Workshop on Collaboration and Security (COLSEC'06), held at The 2006 International Symposium on Collaborative Technologies and Systems (CTS'06).

J. Herranz was in the committee of the Workshop ACIS'06: Applied Cryptography and Information Security (in conjuction with ICCSA'06), May 8-11, 2006, Glasgow, UK.

François Morain is the head of the 1st year course ``Introduction à l'informatique et à la programmation'' at École polytechnique. This year, he was also in charge of half the 2nd year course ``Informatique fondamentale'', together with J.-M. Steyaert. He gives a cryptology course in Majeure 2. He is vice-head of the Département d'Informatique. He has been representing École polytechnique in the Commission des Études of the Master MPRI, since its creation in 2004.

A. Enge has taught algorithmic number theory and elliptic and hyperelliptic curve cryptography in the MPRI Master. At École polytechnique, he has proposed computer science labs for the first year course ``Introduction à l'informatique'' and the third year cryptology course. He has also been responsible for a short course on C programming for third year students. He has supervised a bachelor and a first year master thesis.

F. Laguillaumie gave lectures on "Cryptographie : Théorie et Pratique" in the ``master M2 RADI - Université de Caen''. He also helped in the INF421 course at École polytechnique (36 hours of Java for recent beginners in year 2).

F. Morain: Calgary (his talk : The end of primality?) /Banff 2005-11-03 till 2005-11-10 (invited to a workshop, spoke about SEA++); in Séminaire Algo (29/05), he spoke about
*fast isogeny computations*. He attended ANTS-VII in Berlin (July 23–29).

F. Laguillaumie attended - Information Security ISC 2006 - Samos (Greece) - August 30 - September 2, 2006. He gave talks in Limoges, ENSTA, IRMAR/CELAR, Versailles St-Quentin-en-Yvelines.

J. Herranz attended the 'Journées de Sécurité INRIA', in Grenoble (France), December 12-14, 2005. He gave there the talk 'Cryptography and routing protocols'.

J. Milan attended the GForge seminar at INRIA Futurs on 2006-02-09.

T. Houtmann has given a talk in Eymoutiers (Journées <<Codes et Cryptographie>> 2006). He presented joint work with P. Gaudry, D. Kohel, C. Ritzenthaler and A. Weng in Shanghai (Asiacrypt'06). He was invited to Sydney. He attended ANTS-VII in Berlin, ECC2006 in Toronto, a workshop on computational aspects arising in algorithmic number theory and cryptography in Toronto and Indocrypt'06 in Calcutta.

A. Enge has been invited to give a talk entitled ``An
L(1/3)algorithm for the discrete logarithm problem in low degree curves'' at Elliptic Curve Cryptography ECC 2006 in Toronto. He has presented his results at the
Journées Nationales de Calcul Formel 2005 at Luminy, the Second Irsee Conference on Finite Geometries 2006 and the Ecrypt workshop ``Curves, isogenies and cryptologic applications'' at École
polytechnique. He has given seminar talks at the Technische Universität Berlin and the universities of Caen, Leiden and Limoges.

R. Dupont has given a talk on ``AGM et évaluation rapide de fonctions modulaires'' at the Séminaires CF et CAA at Limoges.

A. Enge and R. Dupont have presented INRIA at the Forum des métiers scientifiques at École polytechnique. During the welcoming seminar of INRIA, A. Enge has given an overview of the TANCproject.

A. Enge is editor of ``Designs, Codes and Cryptography''.

At the Second Irsee Conference on Finite Geometries in September 2006, A. Enge has been awarded a 2004 Kirkman Medal of the Institute for Combinatorics and its Applications. The medal recognises outstanding work by ICA members in their early research careers.

F. Morain was dubbed ``Chevalier des Palmes Académiques'' on January 19.

F. Morain for the defense of R. Dupont (07/04/06). F. Morain wrote a report for G. Castagnos (03/10/06).

A. Enge is a member of the International Relations Working Group (GTRI) at the Scientific and Technological Orientation Council (COST) of INRIA. As such, he regularly participates in the selection of postdoc positions for the European ERCIM consortium and of international Associated teams.

F. Morain was ``Directeur adjoint'' of the laboratory for the year 2005–2006. He has quit September this year for this was too much.

F. Morain represents INRIA in the ``Conseil d'UFR 929 Maths Université Paris 6'' since September 2005. F. Morain participated in the evaluation of the
*Unité de Mathématiques Appliquées*of ENSTA (05/07/06).