Project Proposal Title: Curves, Algebra, Computer Arithmetic, and so On (Courbes, Alg` ebre, Calculs, Arithm´ etique des Ordinateurs) Acronym: CACAO Scientific leader: Guillaume Hanrot Proposed INRIA theme: Sym B INRIA scientific and technological challenges: Guaranteeing the reliability and security of software-prevalent systems Keywords: Computer arithmetic, curves, linear algebra, cryptology

Upload: others

Post on 04-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Project Proposal · Project Proposal Title: Curves, Algebra, Computer Arithmetic, and so On (Courbes, Alg`ebre, Calculs, Arithm´etique des Ordinateurs) Acronym: CACAO

Project Proposal

Title: Curves, Algebra, Computer Arithmetic, and so On

(Courbes, Algebre, Calculs, Arithmetique des Ordinateurs)

Acronym: CACAO

Scientific leader: Guillaume Hanrot

Proposed INRIA theme: Sym B

INRIA scientific and technological challenges:

Guaranteeing the reliability and security of software-prevalent systems

Keywords: Computer arithmetic, curves, linear algebra, cryptology

Page 2: Project Proposal · Project Proposal Title: Curves, Algebra, Computer Arithmetic, and so On (Courbes, Alg`ebre, Calculs, Arithm´etique des Ordinateurs) Acronym: CACAO

Contents

1 Team . . . 4

2 Historical Preliminary . . . 4

3 Overall Objectives . . . 5

4 Algebraic Curves . . . 6
4.1 Scientific Foundations . . . 6
4.1.1 Curves and Cryptology . . . 6
4.1.2 Genus . . . 7
4.1.3 Jacobian . . . 8
4.1.4 Curves over Finite Fields . . . 8
4.1.5 Discrete Logarithm . . . 9
4.2 State of the art . . . 9
4.2.1 Arithmetic in the Jacobian . . . 9
4.2.2 Computing the Cardinality . . . 10
4.2.3 Discrete Logarithm . . . 12
4.2.4 Curves and Factoring . . . 14
4.2.5 Practical Results . . . 15
4.3 Detailed Research Objectives . . . 16
4.3.1 Short Term Objectives . . . 16
4.3.2 Long Term Objectives . . . 17
4.3.3 Development of Tools . . . 18

5 Linear Algebra and Lattices . . . 18
5.1 Scientific Foundations . . . 18
5.1.1 Huge Linear Systems . . . 18
5.1.2 Lattices . . . 19
5.2 State of the Art . . . 20
5.2.1 Large Linear Systems . . . 20
5.2.2 Algorithms for Lattices . . . 21
5.3 Detailed Research Objectives . . . 22
5.3.1 Short Term Objectives . . . 22
5.3.2 Long Term Objectives . . . 22

6 Arithmetics . . . 22
6.1 Scientific Foundations . . . 22
6.1.1 Basic Types and Algorithms . . . 25
6.1.2 Integers . . . 25
6.1.3 Integers Modulo n and Finite Fields . . . 25
6.1.4 p-adic Numbers . . . 26
6.1.5 Floating-point Numbers and the IEEE-754 Standard . . . 26
6.1.6 The Table Maker's Dilemma . . . 27
6.2 State of the Art . . . 28
6.2.1 Integers . . . 28
6.2.2 Floating-point numbers . . . 28
6.2.3 Integers modulo n . . . 28
6.2.4 p-adic numbers . . . 29
6.2.5 The Table Maker's dilemma . . . 29
6.2.6 Littlewood's cipher . . . 29
6.3 Detailed Research Objectives . . . 30
6.3.1 Short Term Objectives . . . 30
6.3.2 Long Term Objectives . . . 31
6.3.3 Development of Tools . . . 31

7 Applications and Technological Transfer . . . 32
7.1 Cryptology . . . 32
7.2 Computational Number Theory Systems . . . 33
7.2.1 Magma . . . 33
7.2.2 Pari/GP . . . 33
7.3 Arithmetics . . . 34

8 Positioning within the Scientific Community . . . 34
8.1 Arithmetics . . . 34
8.2 Curves . . . 35
8.3 Linear Algebra and Lattices . . . 35

9 National and International Collaborations . . . 36
9.1 At INRIA . . . 36
9.1.1 Preliminary remark . . . 36
9.1.2 Salsa . . . 36
9.1.3 Arenaire . . . 36
9.1.4 TANC . . . 37
9.1.5 Codes . . . 37
9.1.6 Cassis . . . 37
9.1.7 Marelle . . . 37
9.1.8 Scalapplix . . . 38
9.1.9 CGAL . . . 38
9.2 National . . . 38
9.3 International . . . 39
9.4 Participation in French or European Projects . . . 39

10 Selected Publications from Team Members . . . 39

A Short Vitae from Team Members . . . 46
A.1 Permanent Team Members . . . 46
A.2 Non-permanent Team Members . . . 48

B Existing software developed by the project-team . . . 48


1 Team

• Head of project-team

– Guillaume Hanrot [research scientist, INRIA]

• Vice-head of project-team

– Paul Zimmermann [senior research scientist, INRIA]

• Administrative assistant

– Celine Simon [INRIA]

• Staff member

– Pierrick Gaudry, [research scientist, CNRS]

– Vincent Lefevre [research scientist, INRIA, until Sep. 2006]

– Emmanuel Thome [research scientist, INRIA]

– Marion Videau [associate professor, UHP, from Sep. 2006]

• Ph. D. students

– Laurent Fousse [teaching assistant, defense planned end 2006]

• Associate member

– Richard Brent [Australian National University, Canberra]

2 Historical Preliminary

The present section describes the circumstances and the history of the creation of the CACAO project, starting from the creation of the SPACES project.

The SPACES project was created around 2000, as a project-team joining people from Paris (LIP6) and Nancy (LORIA). It was working mainly on the subject of solving polynomial systems and applications, and the Paris group was mainly interested in the polynomial side, whereas the Nancy group was mainly dealing with arithmetical aspects. The project-team was initially only a project-team from Unite de recherche Lorraine, but after some time it was finally also recognized formally by Unite de recherche Rocquencourt.

A few years later, for various reasons, a separation took place, and the Paris side started their own project-team, SALSA. Since at the same time [ca. 09/2004], two people (P. Gaudry, E. Thome) had arrived or were arriving in the Nancy team, we thought it necessary to start a new project-team. We took some time for reflection, discussed with colleagues (mainly with colleagues from the TANC project-team) and wrote together the proposal that follows.


3 Overall Objectives

The CACAO project-team has two concurring objectives:

• Studying the arithmetic of curves of small genus > 1, with in mind applications to cryptology,

• Improving the efficiency and the reliability of arithmetics in a very broad sense (i.e., the arithmetics of a wide variety of objects).

These two objectives strongly interplay. Arithmetics are, of course, at the core of optimizing algorithms on curves, starting evidently with the arithmetic of curves themselves. On the other hand, curves can sometimes be a tool for some arithmetical problems like integer factorization.

To reach these objectives, the project is structured along three axes: Curves, Arithmetics and Linear Algebra. The last one should be seen as an important tool for our main objectives, which is central enough so that we need to develop our own, dedicated algorithms and software to suit our needs.

More specifically, for each axis we are interested in the following problems:

• Algebraic Curves: the main issue here is to investigate curves of small genus > 1 over finite fields (base field F_{p^n}, for various p and n), i.e., mainly: to compute in the Jacobian of a given curve, to be able to check that this variety is suitable for cryptography (cardinality, smoothness test) and to solve problems in those structures (discrete logarithm). Applications go from number theory (integer factorization) to cryptography (an alternative to RSA).

• Arithmetics: we consider here algorithms working on multiple-precision integers, floating-point numbers, p-adic numbers and finite fields. For such basic data structures, we do not expect new algorithms with better asymptotic behavior to be discovered; however, since those are first-class objects in all our computations, every speedup is most welcome, even by a factor of 2!

• Linear Algebra and Lattices: Solving large linear systems is a key point of factoring and discrete logarithm algorithms, which we need to investigate if curves are to be applied in cryptology. And lattices are central points of the new ideas that have emerged over the very last years for several problems in computer arithmetic or discrete logarithm algorithms.

We thus consider here large sparse linear systems over a finite field, and lattice-reduction algorithms. Although both classes of algorithms share the same input and output (matrices), at least with the current state of the art lattice basis reduction is by far less efficient than "classical" linear algebra (linear system solving, computing eigenvalues, eigenvectors, ...). However, it is believed that the real complexity of lattice reduction is much smaller than what is currently known: it is one of our goals to shrink that gap.

In each of the three domains we focus on (algebraic curves, linear algebra and lattices, and arithmetics), we present the scientific foundations, the state of the art, and our research objectives, which are themselves organized into two parts: short term plans for which we already have clear views of the difficulties involved and of the techniques which might allow us to overcome those difficulties, and medium-long term plans, which are subject to a greater scientific risk, and for some of them constitute scientific locks. The short term objectives should be attained in one or two years, whereas for the long term objectives, we do not expect positive results — if any — before two years.


A note about parallelism. The reader might wonder why we do not mention explicitly parallelism or distributed computing as a research theme. The reason is that most of the algorithms we design can be run in "multi-sequential" mode, i.e. starting independent processes on different processors, or independent threads on the same processor. In a few cases though, in particular for linear algebra problems, using parallelism or distributed computing provides some speedup, and then we explicitly mention it.

General remark. Throughout the document, there are two types of references. Papers written by members of the project-team are referred to in the usual way, and the corresponding references are numerals, like this: [63]. The complete reference can be found in the final bibliography. On the other hand, other papers to which we refer appear as footnotes, and have alphanumeral references, like this [VD02]. The complete reference is then at the bottom of the page.

4 Algebraic Curves

4.1 Scientific Foundations

Though we are interested in curves by themselves, the applications to cryptology remain a motivation for our research. Therefore, we start by introducing these applications, since they may serve as a guideline to the reader in this sometimes technical section.

4.1.1 Curves and Cryptology

The RSA cryptosystem — the de facto standard in public-key cryptography — requires large keys, at least 1024 bits currently. Algebraic curves offer a better level of security for a smaller key size, say 160 bits currently for elliptic curves. They are not specifically used as curves. In practice, a very general construction due to El Gamal associates to any group a cryptosystem, this cryptosystem being secure as soon as the so-called Diffie-Hellman problem is difficult:

Given g ∈ G, g^a and g^b for some integers a and b, compute g^{ab}.

Currently, the only way to attack this problem is to tackle the more difficult discrete logarithm problem:

Given g ∈ G and g^a, find a,

which, in the case of the El Gamal system, is equivalent to the so-called attack on the key (given the public part of the key, recover the secret part). We shall only discuss the discrete logarithm problem in this document, since it is widely believed that the two problems are in fact equivalent.

This problem is easy when the underlying group is Z or (Z/NZ, +). Classically, multiplicative groups of finite fields are used; however, they can be attacked by algorithms very similar to those existing for factoring, and thus require the same key-size to ensure security.

[VD02] Vercauteren, F. and Denef, J. An extension of Kedlaya's algorithm to Artin Schreier curves in characteristic 2. In Fiecker, C. and Kohel, D., eds, ANTS-5, vol. 2369 of Lecture Notes in Comput. Sci., p. 308–323, 2002.


A trend initiated by Koblitz and Miller and followed by many others is to use as "cryptographic groups" the group ("Jacobian") associated by classical arithmetical geometry to a given algebraic curve.

To use such a group for cryptographic applications, the key algorithmic points are the following:

• have an explicit description of the group and the group operation, as efficient as possible (the speed of ciphering and deciphering being directly linked to the efficiency of the group operation);

• undertake an as thorough as possible study of the security offered by those groups.

The second point should again be split in two steps: study of the behavior of the group under "generic attacks" (avoiding small cardinality, avoiding cardinalities with no large prime factor), and trying to devise "ad hoc" attacks. The first step amounts more or less to being able to compute the cardinality of the group; the second one to trying as hard as possible to find a way to compute discrete logarithms in this group.

This section now proceeds as follows; we introduce the basic objects (curves and Jacobians) and their properties relevant to the following problems: group structure and arithmetic, cardinality, discrete logarithm.

Finally, and in a somewhat independent way, curves and their Jacobians can be used for integer factorization; we shall also review that point.

4.1.2 Genus

We shall define an algebraic curve as the set of solutions over a given field K of an algebraic equation of the form F(x, y) = 0, to which we might have to adjoin some points at infinity (roughly corresponding to the "asymptotic branches").

Classical algebraic geometry associates an integral invariant, called the genus, to an algebraic curve. This invariant classifies, in a precise meaning, curves according to their degree of complexity. Curves of genus 0 are simply conics. Curves of genus one, given with a rational point (in the sense of: defined over the base field), have become well-known as elliptic curves. To give a rough idea of what the genus is, let us mention that if a plane curve is defined by an equation F(x, y) = 0 with deg F = d, the genus of the curve is at most (d − 1)(d − 2)/2, with equality if and only if the curve is smooth, including at infinity. A curve of the type y^2 = f(x) (hyperelliptic curves for characteristic ≠ 2), yielding for deg f ≥ 4 a singularity at infinity, has genus at most ⌊(d − 1)/2⌋, with equality if and only if f is square-free. One can show that any curve of genus 2 is hyperelliptic. A more general example is given by C_ab curves. Those curves are defined by an irreducible equation P(x, y) = 0, where the x-degree and the y-degree of P are coprime integers b and a, and for all monomials a_{ij} x^i y^j of P with i ≠ 0 and j ≠ 0, one has ai + bj < ab. The genus of such a curve is (a − 1)(b − 1)/2.

For practical applications, we mostly use C_ab curves, and in practice even mostly hyperelliptic and superelliptic curves, which appear as a particular case of C_ab curves, but for which more efficient algorithms can be obtained. This means that from our point of view, the determination of the genus is a trivial problem. This is not the case in full generality where one has to study in a very careful way the singularities of the curve.
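The genus formulas quoted above are simple enough to encode directly. The following Python is an added illustration, not code from the proposal: it checks the C_ab conditions (coprime x-degree b and y-degree a, the monomials x^b and y^a present, every mixed monomial with ai + bj < ab) and returns (a − 1)(b − 1)/2, beside the plane-curve bound (d − 1)(d − 2)/2 and the hyperelliptic bound ⌊(deg f − 1)/2⌋. The dictionary representation of P(x, y) and the sample curve equations are constructed for this snippet.

```python
from math import gcd

# A polynomial P(x, y) is represented (an assumption of this snippet, not the
# proposal's notation) as a dict {(i, j): coeff} for the monomials coeff * x^i * y^j.

def cab_genus(monomials):
    """Genus of a C_ab curve P(x, y) = 0, or None if P fails the C_ab conditions:
    x-degree b and y-degree a coprime, the monomials x^b and y^a present, and every
    mixed monomial x^i y^j (i != 0, j != 0) satisfying a*i + b*j < a*b.
    When they hold the genus is (a - 1)(b - 1)/2, as stated in the text."""
    terms = {e for e, c in monomials.items() if c != 0}
    b = max(i for i, _ in terms)   # x-degree
    a = max(j for _, j in terms)   # y-degree
    if gcd(a, b) != 1 or (b, 0) not in terms or (0, a) not in terms:
        return None
    for i, j in terms:
        if i != 0 and j != 0 and a * i + b * j >= a * b:
            return None
    # a, b coprime means (a - 1)(b - 1) is even, so the division is exact
    return (a - 1) * (b - 1) // 2


def plane_genus_bound(d):
    """Upper bound (d - 1)(d - 2)/2 on the genus of a plane curve F(x, y) = 0 of
    degree d; equality holds exactly when the curve is smooth, including at infinity."""
    return (d - 1) * (d - 2) // 2


def hyperelliptic_genus_bound(deg_f):
    """Upper bound floor((deg f - 1)/2) for y^2 = f(x) in characteristic != 2;
    equality holds exactly when f is square-free."""
    return (deg_f - 1) // 2


if __name__ == "__main__":
    # Constructed examples:
    # y^2 = x^5 + x + 1: hyperelliptic, a = 2, b = 5, genus 2
    print(cab_genus({(5, 0): 1, (1, 0): 1, (0, 0): 1, (0, 2): -1}))
    # y^3 = x^4 + x + 1: superelliptic, a = 3, b = 4, genus 3
    print(cab_genus({(4, 0): 1, (1, 0): 1, (0, 0): 1, (0, 3): -1}))
    # y^2 + y = x^3: a = 2, b = 3, genus 1 (an elliptic curve)
    print(cab_genus({(3, 0): 1, (0, 2): -1, (0, 1): -1}))
    # x^2 y^2 + x^3 + y^5 = 0: a = 5, b = 3 but 5*2 + 3*2 >= 15, so not C_ab
    print(cab_genus({(2, 2): 1, (3, 0): 1, (0, 5): 1}))
```

For the hyperelliptic and superelliptic curves the C_ab value agrees with the dedicated bounds (genus 2 for y^2 = x^5 + x + 1 matches ⌊(5 − 1)/2⌋, genus 1 for the cubic matches (3 − 1)(3 − 2)/2), which is the sense in which the text calls the genus determination trivial for these families.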


4.1.3 Jacobian

A central role is played by a certain algebraic variety of higher dimension associated to a given curve C, its Jacobian J(C), which comes with a natural group structure. We shall not define it, but rather state its most important properties:

1. C embeds as a sub-variety of J(C),

2. J(C) is an abelian variety, i.e., has an (abelian) group structure such that group operations (addition, inversion) can be written as rational functions of the coordinates.

3. if C has genus g, J(C) is a variety of dimension g (note that in full generality one only knows how to embed it in a space of dimension 2^{2g}, i.e. to give many equations in 2^{2g} variables rather than, for instance, one equation in g + 1 variables).

To illustrate this, let us mention that when g = 0, the Jacobian has dimension 0, and is hence finite over K̄, an algebraic closure of the base field K. In the case of elliptic curves (g = 1) the Jacobian is, as an algebraic curve, isomorphic to the curve.

The most important feature of the Jacobian is the fact that it comes with a natural group structure, which is the key point for its uses in applications to primality, factorization, and cryptology.

4.1.4 Curves over Finite Fields

We intend to focus on the case K = F_q and its extensions, with subsidiarily a study of the cases where K is a number field or a local field, since those happen to be related to the previous one by reduction/lifting techniques (note that for questions related to factorization, see Section 4.2.4, we might also have to use curves over K = Z/nZ for nonprime n).

In this setting, we first state what is probably the most important result for our applications:

Theorem (Hasse, Weil). Let C be a curve of genus g defined over a finite field F_q; define Z(t, C) = exp(∑_{n≥1} #C(F_{q^n}) t^n/n) ∈ Z[[t]]. Then:

• (Rationality) Z(t, C) = P(t)/[(1 − t)(1 − qt)], where P is a degree-2g polynomial with integer coefficients;

• (Functional equation) Z(1/(qt), C) = (qt)^{1−g} Z(t, C);

• (Riemann hypothesis) All the roots of P have modulus 1/√q.

Furthermore, the cardinality of the Jacobian is P(1), and one easily sees as a corollary of the theorem that |#C(F_q) − (q + 1)| ≤ 2g√q and (√q − 1)^g ≤ #J(F_q) ≤ (√q + 1)^g (the so-called Weil bounds).

The polynomial P(t) has several interpretations, which usually yield different strategies for computing it. We shall review them in an informal way in section 4.2.

Note that, as an easy consequence of the Hasse-Weil theorem (rationality + functional equation), the function Z has g "degrees of freedom", which means that the cardinality over any extension of the base field is fully determined by (and easily computable from) the cardinality over the first g extension fields.


4.1.5 Discrete Logarithm

In this part, we generalize slightly the setting, since we shall also discuss later some aspects of discrete logarithms over finite fields. We shall hence assume that G is an abelian group, where we want to solve the equation

g^x = h

where g, h are given elements from G, and the unknown x is an integer. This is known as the discrete logarithm problem (DL for short). A first remark, due to Nechaev [Nec94], is that if one uses only operations in the group, one needs at least (#G)^{1/2} operations to compute a discrete logarithm. One of the quests of cryptology is finding a so-called "Nechaev group", for which there are provably no algorithms for computing discrete logarithms faster than (#G)^{1/2}; it currently appears that elliptic curves are the best candidates to be Nechaev groups, hence the interest in cryptology.

On the other hand, two classical algorithms (Pollard's ρ method and Shanks' baby-step giant-step) allow one to compute a discrete logarithm in any group G in time O((#G)^{1/2}). The complexity of the "general discrete logarithm" is thus completely known. However, for a family of groups or even a specific group, faster algorithms might exist. We shall discuss some of those algorithms in part 4.2.3.
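To show where the O((#G)^{1/2}) figure comes from, here is Shanks' baby-step giant-step as an added example (not code from the proposal). It is written against an abstract group, so the group operation, inversion and identity are passed in; with n an upper bound on the order of g it performs about 2√n group multiplications and stores √n table entries, which is exactly the generic cost the text refers to. The prime 1019, the base 3 and the exponents in the demonstration are constructed toy values.

```python
import math


def bsgs(g, h, order, mul, inv, identity):
    """Shanks' baby-step giant-step in an abstract abelian group: solve g^x = h,
    where `order` is an upper bound on the order of g. Returns the smallest
    x >= 0 with g^x = h, or None if h is not a power of g.
    Cost: O(sqrt(order)) multiplications and a table of sqrt(order) entries."""
    m = math.isqrt(order) + 1          # m^2 > order, so any solution is < m*m
    # Baby steps: table of g^j for 0 <= j < m, keeping the smallest j per element.
    baby = {}
    cur = identity
    for j in range(m):
        baby.setdefault(cur, j)
        cur = mul(cur, g)
    # After the loop cur == g^m; the giant step multiplies by g^{-m}.
    giant = inv(cur)
    # Giant steps: test h * g^{-m i} against the table for i = 0, 1, ..., m.
    # The first hit gives x = i*m + j, and scanning i upwards makes it minimal.
    y = h
    for i in range(m + 1):
        if y in baby:
            return i * m + baby[y]
        y = mul(y, giant)
    return None


def dlog_mod_p(g, h, p):
    """Discrete logarithm in the multiplicative group (Z/pZ)^*, p prime.
    The group order p - 1 bounds the order of g; pow(a, -1, p) is the inverse."""
    return bsgs(g % p, h % p, p - 1,
                mul=lambda a, b: a * b % p,
                inv=lambda a: pow(a, -1, p),
                identity=1)


if __name__ == "__main__":
    p, g, x = 1019, 3, 200           # constructed toy parameters
    h = pow(g, x, p)
    print(dlog_mod_p(g, h, p))       # recovers 200 with about 2 * 32 multiplications
    print(dlog_mod_p(g, 2, p))       # None: 2 is not in the subgroup generated by 3
```

Nothing about the group is used beyond hashable elements and the operation, which is why the same routine applies verbatim to a Jacobian once its arithmetic is available; the table size is also why, at cryptographic group sizes, this approach is only a bound and not a practical computation.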

4.2 State of the art

4.2.1 Arithmetic in the Jacobian

As a group, the Jacobian is defined as a quotient of the free group generated by points; as any definition based on a quotient, it is not very tractable for explicit computations. It is necessary to devise a specific representation of elements and specific algorithms to deal with computations in the Jacobian. Though general methods exist [Heß02], the most interesting methods usually take advantage of the specific curve one is dealing with, or even of the specific model of the curve to get a more efficient algorithm.

In the case of elliptic curves, the problem is quite easy; the classical chord-and-tangent rule yields by simple calculations easy-to-implement formulas. One can still improve somewhat upon those formulas. The situation however is quite different as soon as higher genus curves are involved.

In the case of hyperelliptic curves, a now classical algorithm due to Cantor [Can87] explains how to implement efficiently arithmetic in their Jacobian; numerous improvements have been obtained since, including explicit formulas [Lan03, PWGP03] which are more efficient in practice than Cantor's algorithm.

[Nec94] Nechaev, V. Complexity of a determinate algorithm for the discrete logarithm. Math. Notes, 55(2):165–172, 1994.

[Heß02] Heß, F. Computing Riemann-Roch spaces in algebraic function fields and related topics. J. Symbolic Comput., 33:425–445, 2002.

[Can87] Cantor, D. G. Computing in the Jacobian of a hyperelliptic curve. Math. Comp., 48(177):95–101, 1987.

[Lan03] Lange, T. Formulae for arithmetic on genus 2 hyperelliptic curves, 2003. Preprint.

[PWGP03] Pelzl, J., Wollinger, T., Guajardo, J., and Paar, C. Hyperelliptic curve cryptosystems: Closing the performance gap to elliptic curves. In Walter, C. D., Koc, C. K., and Paar, C., eds, CHES 2003, vol. 2779 of Lecture Notes in Comput. Sci., p. 351–365. Springer–Verlag, 2003. Proc. 5th International Workshop on Cryptographic Hardware and Embedded Systems, Sep. 8–10, 2003.


Another family of curves has received interest from the cryptology community in recent years, namely the C_ab family. In that case, algorithms have been obtained by Arita [Ari99] using Grobner bases computations, then for a sub-family, a more efficient method was devised by Galbraith, Paulus and Smart [GPS02] and a common setting was then found by Harasawa and Suzuki [HS00]. Since then, more efficient algorithms were obtained by using suitable orderings for the Grobner basis computation in Arita's method, and explicit formulas derived in some cases [BEFG].

4.2.2 Computing the Cardinality

The question of point counting over finite fields is of central importance for applications to cryptography, see Section 7.1. Recall that we are given an algebraic curve C of genus g, over a finite field F_q, and we would like to count the number of points of the Jacobian of this curve.

First, we should mention two classical ways to somewhat reverse the problem, i.e., to construct the curve and its number of points at the same time.

The first one (the so-called Koblitz curves [Kob90]) concerns finite fields of small characteristic. It amounts to using the remark following Hasse-Weil's result, i.e., that knowing the cardinality of the curve over the first g extension fields yields the cardinality over any extension field in a very simple manner. In practice, if q and g are small, #C(F_q), …, #C(F_{q^g}) can be computed by direct enumeration of points (x, y). Thus, given a curve over F_q, computing its cardinality over F_{q^n} is easy in that case, but this restricts in an important way the set of curves that can be used (curves defined over a small field).
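The remark after the Hasse-Weil theorem, and the Koblitz-curve construction that exploits it, can be made concrete for g = 1. The Python below is an added example, not code from the proposal; the curve y^2 = x^3 + x + 1 over F_11 is a constructed toy instance. It counts #E(F_11) by enumeration, reads off P(t) = 1 − a·t + 11·t^2 with a = 11 + 1 − #E(F_11), and then obtains #E(F_{11^n}) from P alone through the recurrence satisfied by α^n + β^n, where α, β are the inverse roots of P. For n = 2 the prediction is checked against an independent enumeration over F_121, built here as F_11[i]/(i^2 − c) for a non-square c. It also checks #J(F_q) = P(1) (for g = 1 the Jacobian is the curve itself) and the Hasse bound |#E(F_q) − (q + 1)| ≤ 2√q. Only the standard library is used.

```python
import math

# Constructed toy instance (not from the proposal): y^2 = x^3 + A*x + B over F_p.
P_PRIME, A, B = 11, 1, 1


def count_points_fp(p, a, b):
    """#E(F_p) by direct enumeration: affine solutions plus the point at infinity."""
    square_roots = {}                      # value -> number of y with y^2 == value
    for y in range(p):
        square_roots[y * y % p] = square_roots.get(y * y % p, 0) + 1
    total = 1                              # the point at infinity
    for x in range(p):
        total += square_roots.get((x ** 3 + a * x + b) % p, 0)
    return total


def frobenius_polynomial(p, a, b):
    """Genus 1: P(t) = 1 - tr*t + p*t^2 with tr = p + 1 - #E(F_p).
    Returned as the coefficient list [1, -tr, p] (index = power of t)."""
    tr = p + 1 - count_points_fp(p, a, b)
    return [1, -tr, p]


def jacobian_order(poly):
    """#J(F_q) = P(1), the sum of the coefficients."""
    return sum(poly)


def count_points_ext(p, poly, n):
    """#E(F_{p^n}) = p^n + 1 - (alpha^n + beta^n), alpha, beta the inverse roots of P.
    s_n = alpha^n + beta^n satisfies s_0 = 2, s_1 = tr, s_n = tr*s_{n-1} - p*s_{n-2},
    so only P (i.e. the count over F_p) is needed, as the Hasse-Weil remark says."""
    tr = -poly[1]
    s_prev, s_cur = 2, tr
    for _ in range(n - 1):
        s_prev, s_cur = s_cur, tr * s_cur - p * s_prev
    return p ** n + 1 - s_cur


def hasse_bound_holds(p, n_points, genus=1):
    """|#C(F_q) - (q + 1)| <= 2g*sqrt(q), the first Weil bound in the text."""
    return abs(n_points - (p + 1)) <= 2 * genus * math.sqrt(p)


def count_points_fp2(p, a, b):
    """Independent check of the n = 2 prediction: enumerate E(F_{p^2}) directly,
    modelling F_{p^2} as F_p[i]/(i^2 - c) for the smallest non-square c mod p.
    Elements are pairs (u, v) standing for u + v*i."""
    squares_mod_p = {y * y % p for y in range(p)}
    c = next(n for n in range(2, p) if n not in squares_mod_p)

    def mul(x, y):
        return ((x[0] * y[0] + c * x[1] * y[1]) % p, (x[0] * y[1] + x[1] * y[0]) % p)

    def add(x, y):
        return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)

    elems = [(u, v) for u in range(p) for v in range(p)]
    square_roots = {}
    for y in elems:
        sq = mul(y, y)
        square_roots[sq] = square_roots.get(sq, 0) + 1
    total = 1
    for x in elems:
        rhs = add(add(mul(mul(x, x), x), mul((a % p, 0), x)), (b % p, 0))
        total += square_roots.get(rhs, 0)
    return total


if __name__ == "__main__":
    poly = frobenius_polynomial(P_PRIME, A, B)
    print("P(t) coefficients:", poly)                  # [1, 2, 11]: tr = -2
    print("#E(F_11) = P(1) =", jacobian_order(poly))
    for n in range(1, 4):
        print(f"#E(F_11^{n}) from P(t):", count_points_ext(P_PRIME, poly, n))
    print("#E(F_121) by enumeration:", count_points_fp2(P_PRIME, A, B))
```

The enumeration over F_121 costs 121 field elements for the square table and another 121 for the x-loop, which is already far more work than evaluating the recurrence; the gap widens as n grows, which is the sense in which a Koblitz-style curve defined over a small field has its cardinality over large extensions "for free".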

The second one concerns finite fields of large characteristic. It makes use of the theory of complex multiplication. Roughly speaking, if p is a large prime number that can be written as p = (U^2 + DV^2)/4, then an algorithmically subtle study of the field Q(√−D) allows one to construct elliptic curves of cardinality p + 1 ± U over F_p. This has been worked out by Atkin and Morain [AM93] with in mind applications to primality proving. Generalizations to higher genus are currently being worked out.

Those two methods are extremely efficient, especially the first one, but the main drawback is that they introduce some unnecessary structure in the curves they construct; in particular, Koblitz's method yields curves with a large ring of automorphisms. This can be used to speed up discrete logarithm computations, and should thus be considered as a weakness from the cryptographic point of view.

Let us now turn to actual point counting algorithms. Hasse-Weil's theorem states that computing a certain polynomial P(t) is enough to obtain the cardinality. There are several interpretations

[Ari99] Arita, S. Algorithms for computations in Jacobians of Cab curve and their application to discrete-log-based public key cryptosystems. In Proceedings of Conference on The Mathematics of Public Key Cryptography, Toronto, June 12–17, 1999.

[GPS02] Galbraith, S. D., Paulus, S., and Smart, N. P. Arithmetic on superelliptic curves. Math. Comp., 71(237):393–405, 2002.

[HS00] Harasawa, R. and Suzuki, J. Fast jacobian group arithmetic on Cab curves. In Bosma, W., ed, ANTS-IV, vol. 1838 of Lecture Notes in Comput. Sci., p. 359–376. Springer–Verlag, 2000.

[BEFG] Basiri, A., Enge, A., Faugere, J.-C., and Gurel, N. The arithmetic of Jacobian groups of superelliptic cubics. To appear in Math. Comp.

[Kob90] Koblitz, N. Constructing elliptic curve cryptosystems in characteristic 2. In Menezes, A. J. and Vanstone, S. A., eds, Advances in Cryptology – CRYPTO '90, vol. 537 of Lecture Notes in Comput. Sci., p. 156–167. Springer–Verlag, 1990.

[AM93] Atkin, A. O. L. and Morain, F. Elliptic curves and primality proving. Math. Comp., 61(203):29–68, 1993.


for the polynomial $P(t)$, which yield different strategies for computing it. We review some of them in an informal way.

$\ell$-adic characterization. Let $C$ be a curve defined over $\mathbb{F}_q = \mathbb{F}_{p^n}$ and $J$ be its Jacobian. The Frobenius map $X \mapsto X^q$ extends to an endomorphism $F$ of $J(\overline{\mathbb{F}}_q)$.

For any prime $\ell \neq p$, the kernel $J[\ell]$ of the multiplication-by-$\ell$ map on $J(\overline{\mathbb{F}}_q)$ is a $2g$-dimensional $\mathbb{Z}/\ell\mathbb{Z}$-vector space, on which $F$ acts linearly. Then $P(t) \bmod \ell$ is the characteristic polynomial of the restriction of $F$ to $J[\ell]$.

These properties extend to the case where $\ell$ is a prime power. Applying this for sufficiently many prime powers $\ell_1, \ldots, \ell_n$ yields $P(t) \bmod \prod_i \ell_i$, which eventually yields $P$ itself, using the Hasse-Weil theorem to bound the coefficients of $P$. This is the idea behind Schoof's algorithm [Sch85]. From a theoretical point of view, Pila [Pil90] has proved that Schoof's algorithm in its basic version, as sketched above, extends mutatis mutandis to higher genus (there are in fact a lot of things to adapt, including working out some kind of explicit representation for the Jacobian, which is quite a tricky task).

From a practical point of view, the complexity of this algorithm is polynomial in $\log q$, but at least exponential in the genus. The problem is that in genus $g$, the $\mathbb{Z}/\ell\mathbb{Z}$-vector space $J[\ell]$ is of dimension $2g$; it is defined as the set of solutions in $\overline{\mathbb{F}}_q$ of a polynomial system with $2g$ variables and degree $\ell^{2g}$. We thus have to perform computations modulo a zero-dimensional ideal of degree $\ell^{2g}$. This is already intractable for $g = 1$ and $\ell$ large enough.

Further ideas, due to Elkies, Atkin, Couveignes, Morain and Lercier [Elk91, Atk92, CM94, Ler96], show how to reduce this to dimension 1 and degree $\ell$ in the case of elliptic curves, for many $\ell$, and how to make it work in small characteristic. These ideas remain to be extended to the case of higher genus; this has already been partly done recently, see [63, 86]; we intend to work in this direction, see Section 4.3 for more details.

$p$-adic characterization. If $E$ is an elliptic curve over $\mathbb{F}_q = \mathbb{F}_{p^n}$, one can lift it to a curve $\mathcal{E}$ over $K$, where $K$ is the unique (up to isomorphism) unramified extension of $\mathbb{Q}_p$ of degree $n$. Then the Frobenius map $F$ also lifts to an endomorphism $\mathcal{F}$ of $\mathcal{E}$, the characteristic polynomial of which is $P(t)$.

Monsky-Washnitzer characterization. Monsky and Washnitzer have constructed a cohomology theory which, in the case of (this time affine) plane curves, reduces to two cohomology vector spaces $H^i(C/K)$ (with $K$ as in the previous paragraph), $i = 0, 1$. Again, the Frobenius map $F$ can be extended to linear actions $F_i$ on $H^i(C/K)$, and the characteristic polynomial of $F_1$ acting on $H^1$ is simply (!) $P(t)$.

[Sch85] Schoof, R. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44:483–494, 1985.

[Pil90] Pila, J. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Math. Comp., 55(192):745–763, 1990.

[Elk91] Elkies, N. D. Explicit isogenies. Draft, 1991.

[Atk92] Atkin, A. O. L. The number of points on an elliptic curve modulo a prime. Series of emails to the NMBRTHRY mailing list. Available at http://listserv.nodak.edu/archives/nmbrthry.html, 1992.

[CM94] Couveignes, J.-M. and Morain, F. Schoof's algorithm and isogeny cycles. In Adleman, L. and Huang, M.-D., eds., ANTS-I, vol. 877 of Lecture Notes in Comput. Sci., p. 43–58. Springer-Verlag, 1994. 1st Algorithmic Number Theory Symposium, Cornell University, May 6–9, 1994.

[Ler96] Lercier, R. Computing isogenies in $\mathbb{F}_{2^n}$. In Cohen, H., ed., Algorithmic Number Theory, vol. 1122 of Lecture Notes in Comput. Sci., p. 197–212. Springer-Verlag, 1996.

While Schoof's approach and its extensions do work in small characteristic, the latter two approaches, which have emerged in the last five years, largely outperform it in that case. Due to the considerable evolution of this field of research, the cardinality problem can now be considered as almost completely solved for small characteristic, at least as far as the orders of magnitude usable in cryptography are concerned. Essentially two algorithms are in competition: Satoh's method and its AGM variants (specific to genus 1, with some first work in genus 2 and 3; it describes an explicit method to compute the curve $\mathcal{E}$ and the endomorphism $\mathcal{F}$ of the $p$-adic characterization) [Sat00, Har02, LL] [13, 58], and Kedlaya's method, which works for hyperelliptic curves in full generality [Ked01, VD02] and is even more flexible: it can be used for more general curves [60] or medium characteristic [15] (this method gives an algorithmically usable construction of the Monsky-Washnitzer cohomology spaces and of the action of $F$ on them).

4.2.3 Discrete Logarithm

Recall at that point that there are "generic algorithms", mainly Pollard's $\rho$ method or Shanks' baby-step giant-step, which in any group $G$ allow one to compute discrete logarithms in time $O(\sqrt{\#G})$.

In the case of Jacobians of curves, at the time being, no other general algorithm is known. This is the key interest of curves for cryptology, and the reason for which rather small keys give the same level of security as much larger keys in the case of RSA.

However, many ad hoc methods, which exploit (or demonstrate) the weakness of certain families of curves, exist. We turn to a short review of those methods, the main interest of which is to know what should be avoided for cryptographic applications.

Pohlig-Hellman [PH78] – If the cardinality of the group $G$ factors as $\#G = \prod_{i=1}^{k} p_i^{\alpha_i}$, then the problem can be reduced to $\alpha_i$ discrete logarithm problems in a group of order $p_i$ for all $i$, simply by killing everything but the $p_i$-part of the element (take the $\#G/p_i$-th power of $x$), then the $p_i^2$-part, and so on, successively for all $i$, and applying the Chinese remainder theorem. For groups whose order factors as many small prime factors (so-called smooth group order), this method turns the discrete logarithm into an easy problem.
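The two preceding points in code, as an added example that is not part of the proposal: Shanks' baby-step giant-step as the generic $O(\sqrt{\#G})$ routine, and the Pohlig-Hellman reduction on top of it, written for the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^*$ (any group would do once the multiplication and inversion are swapped). The moduli, generators and exponents used below are chosen for illustration only; the trial-division factorization of the group order is adequate for these sizes and nothing more.

```python
# Added example: Pohlig-Hellman on top of baby-step giant-step in (Z/pZ)^*.
# Not part of the proposal; the moduli and exponents below are chosen for illustration.
from math import isqrt


def factor_trial(n):
    """Return {prime: exponent} for n by trial division (enough for the demo sizes)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def bsgs(g, h, order, p):
    """Generic O(sqrt(order)) search: the least x in [0, order) with g^x = h mod p, or None."""
    m = isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):                 # baby steps: g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)              # giant step multiplies by g^(-m)
    cur = h
    for i in range(m):                 # h * g^(-im) hits the table when x = im + j
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant % p
    return None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, mod = 0, 1
    for r, m in zip(residues, moduli):
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod


def pohlig_hellman(g, h, order, p):
    """log_g(h) in (Z/pZ)^*, where the order of g divides `order` (which should be smooth).

    For each prime power q^e dividing `order` exactly, project g and h into the q^e-part,
    then recover the q-adic digits of the logarithm one at a time with a BSGS of size q.
    """
    residues, moduli = [], []
    for q, e in factor_trial(order).items():
        g_q = pow(g, order // q**e, p)     # element of order dividing q^e
        h_q = pow(h, order // q**e, p)
        g_1 = pow(g_q, q**(e - 1), p)      # element of order dividing q
        x = 0
        for k in range(e):
            # strip the digits already known, then push what is left into the order-q subgroup
            h_k = pow(h_q * pow(g_q, -x, p) % p, q**(e - 1 - k), p)
            digit = bsgs(g_1, h_k, q, p)
            if digit is None:
                return None                # h is not in the subgroup generated by g
            x += digit * q**k
        residues.append(x)
        moduli.append(q**e)
    return crt(residues, moduli)


if __name__ == "__main__":
    # 65537 is prime and 3 generates (Z/65537Z)^*, whose order 2^16 is as smooth as it gets.
    p, g, x = 65537, 3, 12345
    print(pohlig_hellman(g, pow(g, x, p), p - 1, p))   # 12345
```

The group order $2^{16}$ is the extreme case the text describes: sixteen BSGS instances in a group of order 2, each a couple of multiplications, replace a search of size $2^8$ in the full group. For a group of prime order (the cryptographic choice) the loop degenerates into a single BSGS of the full size, which is exactly why the large prime factor is required.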

Index calculus – The index calculus idea is the root of a large number of discrete logarithm algorithms. In a nutshell, index calculus aims at building a presentation of the cyclic group generated by $g$ by generators and relations (though it may seem absurd, since we already know a generator, $g$, and the corresponding relation $g^{\#G} = 1$); generators are obtained by taking "small" elements, for a suitable definition of "smallness", and relations are obtained by "factoring" random elements $g^b$ over the set of generators. Once one has sufficiently many relations, the logarithms of the generators can be found by linear algebra. Afterwards, any element of the form $h g^t$ which factors over the set of generators allows one to recover the discrete logarithm of $h$.

[Sat00] Satoh, T. The canonical lift of an ordinary elliptic curve over a finite field and its point counting. J. Ramanujan Math. Soc., 15:247–270, 2000.

[Har02] Harley, R. Advanced algorithms for arithmetic on curves. Thèse, Université Paris VII, 2002.

[LL] Lercier, R. and Lubicz, D. A quasi quadratic time algorithm for hyperelliptic curve point counting. Preprint.

[Ked01] Kedlaya, K. S. Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology. J. Ramanujan Math. Soc., 16(4):323–338, 2001.

[VD02] Vercauteren, F. and Denef, J. An extension of Kedlaya's algorithm to Artin-Schreier curves in characteristic 2. In Fieker, C. and Kohel, D., eds., ANTS-V, vol. 2369 of Lecture Notes in Comput. Sci., p. 308–323, 2002.

[PH78] Pohlig, S. and Hellman, M. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inform. Theory, IT-24:106–110, 1978.

For discrete logarithms over $\mathbb{F}_p^*$, we have natural candidates for generators, i.e., the classes mod $p$ of small integer primes. With some suitable adjustments [COS86], the index calculus method yields an algorithm of complexity $L_{1/2}(p)$, where $L_\alpha(p) = \exp\big(O((\log p)^\alpha (\log\log p)^{1-\alpha})\big)$ is a scale of complexities ranging from polynomial ($\alpha = 0$) to exponential ($\alpha = 1$), especially relevant for the analysis of "smoothness-based" methods. More generally, similar ideas over $\mathbb{F}_{p^n}^*$, using classes of polynomials of small degree as generators, possibly also with small coefficients, yield the same complexity in that case.

More subtle ideas, similar in spirit to the number field sieve algorithm for integer factorization (but using function fields instead of number fields in the small characteristic case), yield complexities of type $L_{1/3}$ [Cop84, SWD96], but only in the cases where $\log n / \log\log p$ stays away from the range $[1/2, 2]$. (The medium characteristic case, where $\log n \sim \log\log p$, is therefore excluded; in this case, only algorithms of complexity $L_{1/2}$ are known.)

Jacobians of curves – The case of elliptic curves and of Jacobians is more subtle, since it is harder to find suitable notions of "smallness" such that relations are easy to find. A few ideas have been tried to this end, but without convincing results so far; we shall mainly mention the XEDNI idea [JKS+00] and, more recently, Semaev's idea [Sem04].

Concerning the successes, let us mention Gaudry's effective version of the Adleman-DeMarrais-Huang method [ADH94] [57], which has complexity $O(q^2)$ for fixed $g$, $g = o(\log q)$, and $L_{1/2}$ for $g \to \infty$. Building on previous work due to Thériault [The03], a careful analysis of some standard variations allowed Gaud
ry, Thériault and Thomé [84] to prove that one can actually replace $O(q^2)$ by $O(q^{2-2/g})$; if we compare it with $(\#G)^{1/2} \approx q^{g/2}$, we see that we have an attack with a better complexity as soon as $g \geq 3$. In practice, one should not use curves of genus $\geq 4$ for cryptography, and probably not curves of genus 3. Note that this complexity is a "practical" one, i.e., the constants involved are small enough to expect the comparison to be relevant already in the relatively small "cryptographic range" for $q$.

Apart from this general attack, only results for rather specific families of curves are known:

[COS86] Coppersmith, D., Odlyzko, A. M., and Schroeppel, R. Discrete logarithms in GF(p). Algorithmica, 1:1–15, 1986.

[Cop84] Coppersmith, D. Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inform. Theory, IT-30(4):587–594, 1984.

[SWD96] Schirokauer, O., Weber, D., and Denny, T. F. Discrete logarithms: The effectiveness of the index calculus method. In Cohen, H., ed., ANTS-II, vol. 1122 of Lecture Notes in Comput. Sci., p. 337–361. Springer-Verlag, 1996.

[JKS+00] Jacobson, M., Koblitz, N., Silverman, J., Stein, A., and Teske, E. Analysis of the Xedni calculus attack. Des. Codes Cryptogr., 20:41–64, 2000.

[Sem04] Semaev, I. Summation polynomials and the discrete logarithm problem on elliptic curves. Preprint, 2004.

[ADH94] Adleman, L. M., DeMarrais, J., and Huang, M.-D. A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In Adleman, L. M. and Huang, M.-D., eds., ANTS-I, vol. 877 of Lecture Notes in Comput. Sci., p. 28–40. Springer-Verlag, 1994. 1st Algorithmic Number Theory Symposium, Cornell University, May 6–9, 1994.

[The03] Thériault, N. Index calculus attack for hyperelliptic curves of small genus. In Laih, C., ed., Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Comput. Sci. Springer-Verlag, 2003.


• Additive case: Over $\mathbb{F}_p$, the $p^n$-part of the Jacobian is explicitly isomorphic to $\mathbb{Z}/p^n\mathbb{Z}$, hence if the base element $x$ for the discrete logarithm problem is of order a power of $p$, the problem can be solved in polynomial time (and in practice, is trivial). This was noticed simultaneously by Semaev, Smart and Satoh-Araki in the case of elliptic curves and subsequently generalized to Jacobians by Rück [Ruc99].

• Multiplicative case: In full generality, the Tate pairing can be used to reduce the discrete logarithm problem over the Jacobian of a curve over $\mathbb{F}_q$ to a discrete logarithm problem over $\mathbb{F}_{q^k}$ for some $k$, where $k$ is the order of $q$ in $\mathbb{F}_\ell^*$, for $\ell$ the largest prime factor of $\#J(\mathbb{F}_q)$. See [MOV93] for elliptic curves and [FR94] for the general case.

• Weil descent: Let $J(C)$ be the Jacobian of a curve of genus $g$ over $\mathbb{F}_{q^n}$; we can transform it into an abelian variety over $\mathbb{F}_q$ of dimension $ng$, and look for curves on this abelian variety with a sufficiently small field of definition [Gal03] [16], so that the discrete logarithm problem on that latter curve is easy.

• Small extension fields: This is a mix of Semaev's ideas and Weil descent which is due to Gaudry [81]: use index calculus on a curve over $\mathbb{F}_{p^k}$ with small $k > 1$ by declaring that small elements are the elements with $x$-coordinate in $\mathbb{F}_p$; trying to "factor" a given element over this set of small elements then reduces to solving certain polynomial systems. This yields a better algorithm than other approaches in some cases, mainly for $k = 3, 4$. This has very recently been extended and carefully analyzed by Diem, who proved that one could deduce a subexponential algorithm for $\mathbb{F}_{q^n}$ when $n$ grows as a certain function of $q$.

These attacks restrict the set of possible curves and fields, but in a very mild way: on the whole, one should choose a curve over a prime field or an extension field of (not too small) prime degree, with cardinality having at least one large prime factor distinct from $p$. This prime factor should be, say, of the order of magnitude of $2^{160}$. This implies, in practice, that for key generation in the cryptographic context, one should be able to compute the cardinality of roughly hundreds of curves to find a prime cardinality in a reasonable time (a few seconds), though in practice more subtle ideas [LM95] [55] allow one to abort the computation of the cardinality of a curve at an early stage if one detects that it might not be suitable for cryptographic use.

4.2.4 Curves and Factoring

We should also mention an important application of the arithmetic of (Jacobians of) curves to integer arithmetic. Take an integer $N$ and an abelian variety $A$ defined over $\mathbb{Q}$; we can study its reduction modulo $N$. Assume now that $N = N_1 N_2$, and let $P$ be a point on $A(\mathbb{Z}/N\mathbb{Z})$, and $P_1$ and $P_2$ the reductions of $P$ modulo $N_1$ and $N_2$. If the order of $P_1$, say $\omega_1$, is distinct from the order of $P_2$, then $\omega_1 P$ reduces to $0$ modulo $N_1$ but not modulo $N_2$. If the neutral element on $A$ is at infinity, this typically means that in some system of homogeneous coordinates, the last coordinate of $\omega_1 P$ is divisible by $N_1$ but not by $N_2$; hence we can recover a nontrivial factor of $N$ by a simple gcd computation.

Now, if we take a point $P$ on $A$ modulo $N$, and if the order of $P_1$ is $B$-smooth (i.e., has no prime power factor $> B$), then for $\omega = \prod_{q^\alpha \leq B} q^\alpha$ (one factor per prime $q \leq B$, namely the largest power of $q$ not exceeding $B$) one has $\omega_1 \mid \omega$. Thus computing $\omega P$ hopefully yields a factor of $N$ (if $\omega_2 \nmid \omega$). The algorithm (at least its first step) is thus: take a random point $P$, compute $\omega \cdot P$, check whether this yields a factor of $N$. Otherwise, choose a new abelian variety. The idea of using curves for integer factorization was initially described by Lenstra in the case of elliptic curves, and is known as ECM (Elliptic Curve Method) [Len87]; one takes a "random" elliptic curve and a "random" point on it (the quotes meaning that we choose them for the ease of construction or algorithmic suitability rather than with any kind of actual randomness in mind), and hopes that for some prime factor $p$ of $N$, the order of the group $E(\mathbb{Z}/p\mathbb{Z})$ is smooth, i.e., has only small prime power factors $\leq B$. Then one computes $\big(\prod_{q^\alpha \leq B} q^\alpha\big) \cdot P$, and checks whether the last homogeneous coordinate of that point has a prime factor in common with $N$. Otherwise, one turns to a new curve and a new point.

[Ruc99] Rück, H. G. On the discrete logarithm in the divisor class group of curves. Math. Comp., 68(226):805–806, 1999.

[MOV93] Menezes, A., Okamoto, T., and Vanstone, S. A. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory, 39(5):1639–1646, 1993.

[FR94] Frey, G. and Rück, H.-G. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp., 62(206):865–874, 1994.

[Gal03] Galbraith, S. D. Weil descent on Jacobians. Discrete Appl. Math., 128:165–180, 2003.

[LM95] Lercier, R. and Morain, F. Counting the number of points on elliptic curves over finite fields: strategies and performances. In Guillou, L. C. and Quisquater, J.-J., eds., Advances in Cryptology – EUROCRYPT '95, vol. 921 of Lecture Notes in Comput. Sci., p. 79–94, 1995.

A rough version of the analysis runs as follows: the cardinalities of elliptic curves modulo $p$ are distributed in $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$ according to the so-called Sato-Tate distribution. The probability of success can then be estimated by the probability that picking an integer at random in the latter interval according to the Sato-Tate law yields a smooth integer.

Modern implementations of ECM use a second phase, where the factor $p$ is revealed if the group order has all its prime factors less than $B_1$ (the above $B$) except one, which may be as large as $B_2$. Most recent improvements on ECM concern that second phase, which can be efficiently implemented using fast polynomial arithmetic in $(\mathbb{Z}/N\mathbb{Z})[x]$: multiplication, division, gcd, product tree, remainder tree. Moreover, most of those operations can be reduced to arithmetic over $\mathbb{Z}$ using Kronecker-Schönhage's trick.
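The first phase described above, as an added example that is neither the proposal's nor gmp-ecm's code: Montgomery-form curves with $X{:}Z$ coordinates, so that reaching the neutral element modulo a prime factor shows up as a vanishing last coordinate and the factor drops out of the gcd, exactly the test the text describes. Two choices are assumptions of this example and are marked as such in the comments: the gcd is taken after every prime power rather than once at the end of stage 1 (it also catches an intermediate multiple that already hit the identity modulo one factor), and the bound $B_1$, the curve limit, the seed and the demo modulus (a product of two 20-bit primes) are illustrative.

```python
# Added example: ECM stage 1 on Montgomery curves B*y^2 = x^3 + A*x^2 + x, X:Z coordinates.
# Not the proposal's or gmp-ecm's code; bounds, seeds and the test number are illustrative.
import random
from math import gcd, isqrt


def primes_up_to(bound):
    """Primes <= bound by a plain sieve."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def x_dbl(X, Z, a24, n):
    """[2]P from P = (X:Z); a24 = (A+2)/4 mod n."""
    s = (X + Z) * (X + Z) % n
    d = (X - Z) * (X - Z) % n
    t = (s - d) % n                      # = 4XZ
    return s * d % n, t * (d + a24 * t) % n


def x_add(XP, ZP, XQ, ZQ, XD, ZD, n):
    """P+Q from P, Q and their difference D = P-Q (differential addition)."""
    u = (XP - ZP) * (XQ + ZQ) % n
    v = (XP + ZP) * (XQ - ZQ) % n
    return ZD * (u + v) ** 2 % n, XD * (u - v) ** 2 % n


def ladder(k, X, Z, a24, n):
    """[k]P by the Montgomery ladder; the pair (R0, R1) always satisfies R1 - R0 = P."""
    R0, R1 = (X, Z), x_dbl(X, Z, a24, n)
    for bit in bin(k)[3:]:               # bits of k after the leading 1
        if bit == "0":
            R1 = x_add(*R0, *R1, X, Z, n)
            R0 = x_dbl(*R0, a24, n)
        else:
            R0 = x_add(*R0, *R1, X, Z, n)
            R1 = x_dbl(*R1, a24, n)
    return R0


def ecm_stage1(n, b1, curves=200, seed=1):
    """Return a nontrivial factor of odd composite n found by ECM stage 1, or None."""
    rng = random.Random(seed)
    inv4 = pow(4, -1, n)
    primes = primes_up_to(b1)
    for _ in range(curves):
        # "random" curve and point: a random A and a random x-coordinate; with X:Z
        # arithmetic the point lies on the curve or on its twist, either is fine here.
        A, X, Z = rng.randrange(3, n - 2), rng.randrange(1, n), 1
        a24 = (A + 2) * inv4 % n
        for q in primes:
            e = q
            while e * q <= b1:           # largest power of q not exceeding B1
                e *= q
            X, Z = ladder(e, X, Z, a24, n)
            # Assumption of this example: gcd after every prime power, not only at the end.
            g = gcd(Z, n)
            if 1 < g < n:
                return g
            if g == n:                   # order smooth modulo every factor at once: new curve
                break
    return None


N_DEMO = 999983 * 1000003                # product of two 20-bit primes, for the demo only


if __name__ == "__main__":
    print(ecm_stage1(N_DEMO, b1=1000))
```

With $B_1 = 1000$ and group orders around $10^6$, a random curve succeeds with probability roughly $\rho(2) \approx 0.3$ (Dickman's function at $u = \log(10^6)/\log(1000) = 2$), so a handful of curves is expected; the occasional `g == n` is the case where both prime factors had a smooth order at once, and the only cure is another curve.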

The hyperelliptic case has been left aside until now: though it lends itself much better to analysis [LPP93] (since the relative range of possible cardinalities is larger), from the practical point of view the probability of success is smaller than with an elliptic curve, whereas the arithmetical cost (and thus the time for checking one curve) is larger.

4.2.5 Practical Results

It might be interesting to give a few ideas of the computation time for several problems mentioned in the present document. The times given there do not necessarily reflect the most up-to-date code and implementation, but are realistic. All the times are given assuming a curve of cryptographic size ($q^g \approx 2^{160}$), and all times have been scaled so as to mimic roughly a 3 GHz processor. A question mark means that we are not aware of any work on the subject. The first line is the time for a single arithmetic operation in the Jacobian, the second line is the time needed to compute the cardinality of the Jacobian when the base field is of large characteristic, and the last one the time to compute the cardinality of the Jacobian in small characteristic (here 2; algorithms work the same in small odd characteristic, but for obvious hardware reasons they are slightly less efficient in terms of computation time). Corresponding references are [63] for large characteristic, and [Ver03] for characteristic 2 (except for $g = 2$).

[Len87] Lenstra, Jr., H. W. Factoring integers with elliptic curves. Ann. of Math. (2), 126:649–673, 1987.

[LPP93] Lenstra, Jr., H. W., Pila, J., and Pomerance, C. A hyperelliptic smoothness test, I. Philos. Trans. Roy. Soc. London Ser. A, 345:397–408, 1993.

                     elliptic        hyperelliptic               C34
genus                g = 1           g = 2          g = 3        g = 3
arith.               0.3 ms          0.4 ms         0.7 ms       ? (see below)
#J, large char.      22 s (magma)    3 h            ?            ?
#J, char. 2          < 0.1 s         < 0.5 s        44 s         45 min

In the case of the arithmetic of $C_{34}$ curves, to our knowledge, there is currently no actual implementation in a low-level language. The best formulas yield 2 inversions and 174 multiplications modulo a 64-bit prime.

As for records concerning general discrete logarithm problems on curves, the main source is the Certicom challenge [Cer]. The record is currently the solution of a discrete logarithm problem on an elliptic curve over $\mathbb{F}_p$ with $p$ a 109-bit prime, using 10000 computers (mostly PCs) running for 549 days. A similar problem over $\mathbb{F}_{2^{109}}$ was solved using an amount of CPU time roughly twice as large.

As for elliptic curve factorization, due to the intrinsic probabilistic character of ECM, all one can give is the expected time to find a factor of a given size. The following table gives timings for the gmp-ecm software, release 5.0.3 [90], assuming an input number about three times as large as the prime factor searched for (this corresponds roughly to the crossover threshold with the number field sieve); sizes are in decimal digits:

factor size (digits)   input size (digits)   expected time
40                     120                   45 hours
50                     150                   105 days
60                     180                   13 years
70                     210                   400 years

Note: The current factorization record by ECM is a 58-digit factor, and the 60-digit barrier shouldbe reached soon.

4.3 Detailed Research Objectives

Permanent team members involved: Gaudry, Hanrot, Thome, Zimmermann.

PhD. students involved: Fousse, wrt. ECM aspects.

4.3.1 Short Term Objectives

Improving the arithmetic of the Jacobians of some families of curves. Among our goals, we intend to work on the arithmetic in the Jacobians of some specific families of algebraic curves. The families we have in mind are those described in Section 4.1, namely hyperelliptic curves $y^2 + f(x)y = g(x)$, mostly of genus 2 (i.e., $\deg g \in \{5, 6\}$).

[Ver03] Vercauteren, F. Computing zeta functions of curves over finite fields. PhD thesis, Katholieke Universiteit Leuven, 2003.

[Cer] Certicom Corp. The Certicom ECC challenge. Description at http://www.certicom.com/resources/ecc_chall/challenge.html.


Though much has been done to optimize computations in these groups from an algorithmic point of view, deriving explicit formulas and working on the way to evaluate them might yield, for certain families of curves, improvements by some small constant factors. Since this point is a basic block of any algorithm working with curves over finite fields, any improvement has as a direct consequence faster ciphering, but also (of course) faster attacks on curve-based cryptosystems, or faster factoring.

Factoring with hyperelliptic curves. It seems to us that one could draw advantage from the structure of the Jacobian of some specific hyperelliptic curves (those whose Jacobian is a product of two distinct elliptic curves): on the one hand, the arithmetic is slightly more costly; on the other hand, one is able to work with two elliptic curves at the same time. In a nutshell, this means that every attempt at factoring is slightly more costly, but on the other hand has a probability of success which is twice as large. If we are able to reduce the arithmetical overhead to a factor $< 2$, this gives an improvement on the elliptic curve method. Of course, only a fine-tuned implementation can validate this idea, as always when one is discussing constant factors.

Faster factorization with elliptic curves. The ECM factoring method already uses families of elliptic curves with specific properties (large rational torsion for instance) to force the cardinality of the curve to be divisible by small constant factors, thereby increasing the probability of smoothness. A plan would be to use families in which the arithmetic can be somewhat accelerated, especially the cost of doubling a point (a basic block for exponentiation), at the expense of a smaller rational torsion. The tradeoff on that point is the opposite of the tradeoff on the former point: we expect that faster arithmetic might compensate the (small) loss in terms of probability of success.

The main interest of the last two points is for "general purpose" factoring implementations, as those found in computer algebra systems, and not for RSA moduli factoring, which requires completely different, index-calculus based, methods.

4.3.2 Long Term Objectives

Large characteristic, genus 2. We intend to work on computing the cardinality of curves in the case which, until now, remains the least well understood, namely the case where the base field is $\mathbb{Z}/p\mathbb{Z}$, with $p$ a large prime, and the curve is of genus 2. Until now, the only way to perform this computation seems to be Schoof's algorithm, suitably generalized. However, as mentioned previously, a straightforward implementation of Schoof's algorithm does not perform well enough. There is thus a need to generalize the ideas which are successful in genus 1, due to Elkies, Atkin and others. From a technical viewpoint, this amounts to computing particular polynomials associated to small primes $\ell$, called modular equations, in genus 2. Unfortunately, this computation, when done in a straightforward way, quickly becomes intractable, even for very small values of $\ell$. Somewhat different ideas might overcome this difficulty, so as to reach more reasonable times for computing the cardinality of the Jacobian of a genus 2 curve of cryptographic size. In practice, this means much faster key generation for large characteristic curve-based cryptosystems. The scientific risk on that point remains reasonable, since we have a roadmap towards those results.

Discrete logarithm. We intend to go on studying discrete logarithms in general.

This implies on the one hand studying discrete logarithms over finite fields and working on some specific instances of it (small characteristic $\neq 2$). We intend to put some energy into the still badly understood case of medium characteristic, though this is a subject with high scientific risk. Though such fields are not currently used in cryptology, it is important to try to understand whether the discrete logarithm problem really is tougher in that setting (as current results might lead one to think) or whether it is only that this case has not received enough attention.

We shall maintain an activity on discrete logarithms in Jacobians of curves. However, either finding a better attack or proving that no such attack exists seems to require deep new ideas, and it is a highly competitive problem. This is thus a perspective with very high scientific risk. Remaining active, or at least aware, on this subject is a key issue, since this is the only way to validate the security of curve-based cryptosystems.

4.3.3 Development of Tools.

All the members of the project do, as a general policy, validate their algorithms in efficient implementations. On these topics in particular, it is thus planned to extend the current NTLJac2 implementation due to P. Gaudry [43] by including implementations of the new algorithms designed, and mostly of the computation of the cardinality in large characteristic. In a similar manner, gmp-ecm will be extended to include the improvements coming from the study of the last two points of the short-term objectives.

5 Linear Algebra and Lattices

Recall that Linear Algebra, though a research theme of the project-team, is not studied per se, but rather in view of needs coming from the two other main themes, i.e., curves and arithmetic. This remark might help to understand the quite specific character of the problems that we intend to study.

5.1 Scientific Foundations

We are interested in some aspects of effective linear algebra, mainly the solution of large (or evenhuge) linear systems, and lattice basis reduction.

5.1.1 Huge Linear Systems

Huge linear systems are frequently encountered as last steps of "index-calculus" based algorithms (see Section 4.2.3). Those systems correspond to a particular presentation of the underlying group by generators and relations; they are thus always defined over a base ring which is $\mathbb{Z}$ modulo the exponent of the group, typically $\mathbb{Z}/2\mathbb{Z}$ in the case of factorization, and $\mathbb{Z}/(q^n - 1)\mathbb{Z}$ when trying to solve a discrete logarithm problem over $\mathbb{F}_{q^n}^*$.

Those systems are often extremely sparse, meaning that they have a very small number ofnon-zero coefficients.

The classical, naive elimination algorithm of Gauss yields a complexity of $O(n^3)$ when the matrix considered has size $n \times n$. However, if we assume that we can perform a matrix multiplication in time $O(n^\omega)$, algorithms exist which lower this complexity to $O(n^\omega)$. Furthermore, if we make assumptions on our matrix (mainly that it is sparse, meaning that a matrix-vector product can be computed in time $O(n^\theta)$ for some $\theta < 2$), then specialized algorithms (Lanczos, Wiedemann [Wie86]), relying only on the evaluation of matrix-vector products, yield a complexity of $O(n^{1+\theta})$, typically $O(n^2)$ for the very sparse matrices ($\theta = 1$) that we often encounter.

5.1.2 Lattices

Many problems described in the other sections, but also numerous problems in computer algebra or algorithmic number theory, involve at some step the solution of a linear problem or the search for a short linear combination of vectors lying in a finite-dimensional Euclidean space. As examples of this, we could cite factoring and discrete logarithm methods for the former, and finding worst cases for the Table Maker's Dilemma in computer arithmetic for the latter (see Section 6.1.6).

Recall that a lattice is a discrete subgroup of $\mathbb{R}^n$; such a subgroup is of finite type, hence free, and thus a lattice can be seen as the set of integral linear combinations of $k \leq n$ linearly independent vectors of $\mathbb{R}^n$. Such a module has a natural scalar product derived from the scalar product defined over $\mathbb{R}^n$. An equivalent way to define a lattice is by taking the particular $\mathbb{Z}$-module $\mathbb{Z}^k$, along with a positive definite quadratic form.

When one deals with a Euclidean vector subspace of $\mathbb{R}^n$, it is easy to identify good bases and compute them: for instance, as far as the Euclidean structure is concerned, the best basis is an orthonormal one, and it can be computed using, e.g., the Gram-Schmidt orthogonalization process, or Givens orthogonalization if numerical stability is an issue.

However, concerning lattices, the simple question of recognizing a "good" basis is already a complicated issue. To mimic the Euclidean situation, we would like to have bases with short and somewhat orthogonal vectors, but this is only possible to some extent. Furthermore, a theorem by Ajtai states that computing the shortest vector of a lattice, or even finding a good approximation to it, is an NP-hard problem [Ajt98] (under randomized reductions). Note however that this problem remains polynomial if the dimension is fixed. Even for dimensions three and four, algorithms to compute optimal (so-called Minkowski) bases are very recent [Val87] [68].

In 1982, Lenstra, Lenstra, and Lovász [LLL82] defined the notion of an LLL-reduced basis and described an algorithm to compute such a basis in polynomial time, namely $O(n^2 \log M)$ linear algebra steps (of type matrix-vector multiplication), or $O(n^4 \log M)$ operations [Sch84] on coefficients of at most $O(n \log M)$ bits, therefore giving an $O(n^6 \log^3 M)$ bit complexity if the underlying arithmetic is naive.

The LLL algorithm has numerous applications in computer algebra (uni- and multivariate polynomial factorization [vH02]), computational number theory (representation of ideals in number fields, linear algebra over rings, polynomial reduction [Coh93], pre- and postprocessing steps of some factorization algorithms, etc.), cryptology (see [JS98, NS01]) and even computer arithmetic [31].

[Wie86] Wiedemann, D. H. Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory, IT-32(1):54–62, 1986.

[Ajt98] Ajtai, M. The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). In Proc. of the 30th Symposium on the Theory of Computing, p. 10–19. ACM Press, 1998.

[Val87] Vallée, B. An affine point of view on minima finding in integer lattices of lower dimensions. In EUROCAL, p. 376–378, 1987.

[LLL82] Lenstra, A. K., Lenstra, H. W., and Lovász, L. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982.

[Sch84] Schönhage, A. Factorization of univariate integer polynomials by diophantine approximation and an improved basis reduction algorithm. In Proc. of ICALP '84, Lecture Notes in Comput. Sci., p. 436–447. Springer-Verlag, 1984.

[vH02] van Hoeij, M. Factoring polynomials and the knapsack problem. J. Number Theory, 95(2):167–189, 2002.

It is also used (either LLL or its generalizations such as BKZ, which stands for Block Korkine-Zolotarev) as a preprocessing step, or sometimes a building block, for some computations with lattices, i.e., the problem of finding a shortest nonzero vector in a lattice (SVP) or the problem of finding a lattice vector closest to a given point (CVP). These tasks are, for instance, at the core of attacks against some cryptosystems like NTRU.

5.2 State of the Art

5.2.1 Large Linear Systems

Recall that the systems we are dealing with are usually systems with coefficients in a finite field, which is either small (F_2) or a fairly large prime field.

Lanczos' method. Given a symmetric matrix A and a vector x, Lanczos' method computes, using the Gram-Schmidt process, an orthogonal basis (w_1, …, w_n) of the subspace generated by {x, Ax, …, A^n x} for the scalar product [x, y] = (x | Ay). As soon as one finds an isotropic vector w_i, i.e., [w_i, w_i] = 0, one has w_i^t A w_i = 0. In our situation, we take A = B^t B, where we want to find a vector in the kernel of B; we thus have (B w_i)^t B w_i = 0. Over a finite field this does not always imply B w_i = 0, but this remains true with probability close to 1 over a finite ring of large characteristic. This approach works over F_2 as well, but with some caution.

Wiedemann's method. Given a matrix A (not necessarily symmetric) and a vector x, Wiedemann's algorithm looks for a nontrivial linear combination of the vectors A^i x, i ≥ 1. Such a relation can be written as Σ_{i=1}^{n} a_i A^i x = 0. Now, if u = Σ_{i=1}^{n} a_i A^{i−1} x is a nonzero vector, we have Au = 0, and u is a vector of the kernel of A. The linear combination, in turn, is searched for by choosing a random vector y and computing the elements α_i = y A^i x. If a relation of the type we are looking for exists, then (α_i) is a linear recurring sequence of order n. Given 2n elements of the sequence, the Berlekamp-Massey algorithm allows one to compute the coefficients of the recurrence. Thus, with O(n) matrix-vector and O(n) vector-vector products, one hopes to recover a vector of the kernel. The overall complexity is thus, on average, O(n^{1+θ}), as announced.
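The procedure just described, as an added example that is not code from the proposal: a sparse 6 × 6 matrix over F_p with a deliberate column dependency, the Krylov sequence α_i = y·A^i x, the Berlekamp-Massey recurrence, and the kernel vector read off the reversed minimal polynomial. The matrix, the prime p and the RNG seed are constructed for this example.

```python
import random

P = 1000003          # constructed prime; F_p plays the "quite large prime field" of the text

# Constructed sparse 6x6 matrix, one {column: coefficient} dict per row.  Column 5 is
# column 0 + 2*column 1, so (1, 2, 0, 0, 0, -1) is in the kernel and A is singular.
A_SPARSE = [
    {0: 3, 2: 1, 5: 3},
    {1: 5, 3: 2, 5: 10},
    {0: 1, 4: 7, 5: 1},
    {1: 2, 2: 4, 5: 4},
    {3: 6, 4: 1},
    {0: 2, 1: 1, 5: 4},
]

def mat_vec(A, v, p):
    """A*v mod p; the only operation that touches the matrix (one pass over the nonzeros)."""
    return [sum(c * v[j] for j, c in row.items()) % p for row in A]

def berlekamp_massey(seq, p):
    """Minimal linear recurrence of seq over F_p: returns C = [1, c1, ..., cL] such that
    s_k + c1*s_{k-1} + ... + cL*s_{k-L} = 0 for all k >= L."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for k, s in enumerate(seq):
        d = (s + sum(C[i] * seq[k - i] for i in range(1, L + 1))) % p   # discrepancy
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, p - 2, p) % p                    # d / b in F_p
        C = C + [0] * max(0, len(B) + m - len(C))          # C(x) -= coef * x^m * B(x)
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % p
        if 2 * L <= k:
            L, B, b, m = k + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1]

def wiedemann_kernel_vector(A, n, p, rng):
    """One Wiedemann attempt: a nonzero u with A*u = 0 mod p, or None (then retry with new x, y)."""
    x = [rng.randrange(p) for _ in range(n)]
    y = [rng.randrange(p) for _ in range(n)]
    seq, v = [], x
    for _ in range(2 * n):                                  # alpha_i = y . A^i x, 2n terms
        seq.append(sum(yi * vi for yi, vi in zip(y, v)) % p)
        v = mat_vec(A, v, p)
    C = berlekamp_massey(seq, p)
    L = len(C) - 1
    # The recurrence gives y . Q(A) A^j x = 0 with Q(z) = sum_i c_i z^(L-i); for random y this
    # means Q(A) x = 0.  Write Q(z) = z^v R(z) with R(0) != 0: then some nonzero A^t R(A) x
    # with t < v is a kernel vector.
    Q = [C[L - j] for j in range(L + 1)]                    # Q[j] = coefficient of z^j
    v_ = 0
    while Q[v_] == 0:                                       # Q[L] = 1, so this terminates
        v_ += 1
    if v_ == 0:
        return None                                         # no factor z: unlucky x
    w = [0] * n                                             # w = R(A) x by Horner's rule
    for coef in reversed(Q[v_:]):
        w = [(wi + coef * xi) % p for wi, xi in zip(mat_vec(A, w, p), x)]
    for _ in range(v_):
        if not any(w):
            return None
        Aw = mat_vec(A, w, p)
        if not any(Aw):
            return w
        w = Aw
    return None

def find_kernel_vector(A, n, p, seed=1, tries=20):
    """Repeat Wiedemann with fresh random x, y until a kernel vector turns up."""
    rng = random.Random(seed)
    for _ in range(tries):
        u = wiedemann_kernel_vector(A, n, p, rng)
        if u is not None:
            return u
    return None
```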

Parallel and distributed algorithms. Algorithms for solving large sparse linear systems have been designed with implementation, parallelism or distribution in mind, or both. The Lanczos and Wiedemann algorithms have "block" versions [Mon95, Cop94], which one can use in order to take advantage of an advanced computing facility, like a massively parallel computer, or a much cheaper resource like a computer cluster, which can be turned into an effective task force. A key problem is therefore the identification of the computational tasks which either can, or cannot, be effectively spread across many processors or machines. In the case of a computer cluster, evaluating the cost of communications between the nodes taking part in the computation is of course very important. In this regard, the different algorithms (block or non-block versions, Lanczos or Wiedemann) do not compare equally. A variety of running times can be obtained depending on the exact characteristics of the input system (size, density, definition field), the number of computing nodes, and the choice of certain parameters of the algorithms (for the block versions).

[Coh93] Cohen, H. A course in algorithmic algebraic number theory, vol. 138 of Graduate Texts in Mathematics. Springer-Verlag, 1993. Second corrected printing, 1995.

[JS98] Joux, A. and Stern, J. Lattice reduction: A toolbox for the cryptanalyst. J. Cryptology, 11:161–185, 1998.

[NS01] Nguyen, P. and Stern, J. Lattice reduction in cryptology: An update. In Proc. of ANTS 4, vol. 1838 of Lecture Notes in Comput. Sci., p. 85–112. Springer-Verlag, 2001.

[Mon95] Montgomery, P. L. A block Lanczos algorithm for finding dependencies over GF(2). In Guillou, L. C. and Quisquater, J.-J., eds, Advances in Cryptology – EUROCRYPT '95, vol. 921 of Lecture Notes in Comput. Sci., p. 106–120, 1995. Proc. International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 1995.

[Cop94] Coppersmith, D. Solving linear equations over GF(2) via block Wiedemann algorithm. Math. Comp., 62(205):333–350, 1994.

The block Wiedemann algorithm has been used by Thomé [73, 89] in the course of solving a 500,000 × 500,000 linear system defined over F_p, where p is a prime of 183 decimal digits. This computation was made feasible using an algorithm based on the Fast Fourier Transform (FFT), which permitted broader distribution of the computation [32].

Today, block versions of the Lanczos and Wiedemann algorithms are a necessity for whoever wants to solve linear systems encountered in record-size factoring problems, discrete logarithm problems, or in some other cases. Yet, a precise account of the positive and negative sides of both block algorithms, and a formulation of their preferred settings, seems to be missing.

5.2.2 Algorithms for Lattices

Many fundamental problems concerning the LLL algorithm remain open. The most stringent of those is the use of intermediate floating-point computations. The problem is the following: the LLL algorithm starts by computing a QR decomposition of its input, and mostly works on the upper triangular matrix R. In most applications, the input has coefficients in Z, so that the matrix R has huge rational coefficients, which means a huge arithmetical cost. However, replacing rationals by floating-point approximations is at best a difficult matter, since the basic operation (size-reduction) can be written as r_ij ← r_ij − ⌊r_ij⌉, which is numerically highly unstable. The main idea is then [SE94] to detect huge precision loss and recompute exactly the corresponding coefficients, doing this the least possible number of times. Various papers also deal with this problem, but mostly suggesting heuristics [BW00], or sometimes (subtly) flawed solutions [KS01].

We describe in more detail an application of LLL that is highly relevant for our objectives and has also become an important tool in cryptanalysis over the last years, namely Coppersmith's method [Cop01]. Let P(x_1, …, x_n) be a polynomial defined over Z, and let N be an integer. Given bounds (U_1, …, U_n) and N, we would like to find all n-tuples (u_1, …, u_n) with |u_i| ≤ U_i and P(u_1, …, u_n) = 0 mod N. Coppersmith answers this question in polynomial time under some restriction on (U_1, …, U_n, N); to do this, he constructs a sublattice of the ideal I_ℓ = (N Z[x_1, …, x_n] + P Z[x_1, …, x_n])^ℓ, and looks for short vectors in this lattice. If we obtain n' ≥ n vectors Q_j small enough so as to guarantee that |Q_j(x_1, …, x_n)| < N^ℓ for all j and all n-tuples x_i with |x_i| ≤ U_i, we then have P(x_1, …, x_n) = 0 mod N ⇒ Q_j(x_1, …, x_n) = 0 mod N^ℓ ⇒ Q_j(x_1, …, x_n) = 0.

[SE94] Schnorr, C. P. and Euchner, M. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming, 66:181–199, 1994.

[BW00] Backes, W. and Wetzel, S. New results on lattice basis reduction in practice. In Bosma, W., ed, ANTS-IV, vol. 1838 of Lecture Notes in Comput. Sci., p. 135–152. Springer-Verlag, 2000. Fourth Algorithmic Number Theory Symposium, Leiden, The Netherlands, July 2000.

[KS01] Koy, H. and Schnorr, C. P. Segment LLL-reduction with floating point orthogonalization. In Proceedings of CalC'01, vol. 2146 of Lecture Notes in Comput. Sci., p. 81–96. Springer-Verlag, 2001.

[Cop01] Coppersmith, D. Finding small solutions to small degree polynomials. In Proceedings of CALC'01, vol. 2146 of Lecture Notes in Comput. Sci., p. 20–31. Springer-Verlag, 2001.

Thus we get a (hopefully) zero-dimensional polynomial system over Q, which can be reduced to a univariate equation over Q by one's favorite elimination technique. A useful variant deals with the problem where P(x_1, …, x_n) is no longer 0 mod N but instead has a large common factor with N.

The LLL algorithm is involved in the search for n small vectors in a lattice. We know that it is guaranteed to yield at least one, and hopefully n, short vectors smaller than (up to small factors) det(L)^{1/dim(L)}. This implies in particular that the choice of the sublattice should be especially careful, so as to yield the smallest possible determinant for the dimension. This choice has been made completely explicit in the univariate case (n = 1); even the bivariate case still needs some fine hand-tuning very specific to the underlying polynomial, not to speak of the higher dimensional case.
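Coppersmith's method in the univariate case (the "completely explicit" case just mentioned), as an added example that is not code from the proposal: an exact-rational LLL, the lattice spanned by N^{h−1−i} x^j f(x)^i evaluated at xX, the norm test that turns a root modulo N^{h−1} into a root over Z, and the root recovered from the gcd of the qualifying polynomials. The modulus N, the known message prefix and the hidden 40-bit suffix are constructed here (a monic quadratic f, i.e., a stereotyped message under public exponent 2, which is why unpadded small-exponent encryption leaks); the routine itself accepts any monic f and any h ≥ 2.

```python
from fractions import Fraction

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals: none of the floating-point instability
    discussed in the text, but only usable in tiny dimension."""
    B = [list(b) for b in basis]
    n = len(B)
    dot = lambda u, v: sum(Fraction(a) * c for a, c in zip(u, v))

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(a) for a in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * c for a, c in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k: |mu_kj| <= 1/2 afterwards
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                for l in range(j + 1):            # b_k* is unchanged, only mu_k,* moves
                    mu[k][l] -= q * (mu[j][l] if l < j else 1)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B

# Polynomials are coefficient lists, lowest degree first.
def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_eval(c, x):
    r = 0
    for coef in reversed(c):
        r = r * x + coef
    return r

def poly_trim(p):
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def poly_gcd(a, b):
    """Monic gcd over Q of two polynomials with Fraction coefficients (Euclid)."""
    a, b = poly_trim(list(a)), poly_trim(list(b))
    while b != [0]:
        r = a
        while len(r) >= len(b) and r != [0]:      # r <- r mod b
            q, s = r[-1] / b[-1], len(r) - len(b)
            r = poly_trim([r[i] - (q * b[i - s] if i >= s else 0) for i in range(len(r))])
        a, b = b, r
    return [c / a[-1] for c in a]

def coppersmith_univariate(f, N, X, h=2):
    """Integer roots x0 of the monic polynomial f modulo N with |x0| <= X.
    Lattice rows: x^j * f(x)^i * N^(h-1-i) for 0 <= i < h, 0 <= j < deg f, at x*X."""
    d = len(f) - 1
    dim = d * h
    rows, fpow = [], [1]
    for i in range(h):
        for j in range(d):
            g = [0] * j + [c * N ** (h - 1 - i) for c in fpow]
            g += [0] * (dim - len(g))
            rows.append([c * X ** k for k, c in enumerate(g)])
        fpow = poly_mul(fpow, f)
    good = []
    for v in lll(rows):
        # Howgrave-Graham: ||v|| < N^(h-1)/sqrt(dim) turns g(x0) = 0 mod N^(h-1) into g(x0) = 0 over Z
        if sum(c * c for c in v) * dim < N ** (2 * (h - 1)):
            good.append([Fraction(c, X ** k) for k, c in enumerate(v)])
    common = poly_trim(good[0]) if good else [Fraction(0)]
    for g in good[1:]:
        common = poly_gcd(common, g)
    if len(common) != 2:                          # not linear: a real root finder would be needed
        return []
    root = -common[0] / common[1]
    return [int(root)] if root.denominator == 1 and poly_eval(f, int(root)) % N == 0 else []

# Constructed instance: a 150-bit N (two Mersenne primes), a message with a known
# prefix and an unknown 40-bit suffix x0, and the observed value c = m^2 mod N.
N = (2 ** 89 - 1) * (2 ** 61 - 1)
PREFIX = 1234567890123456789012345678 << 40
X0 = 0xABCDEF0123
C = pow(PREFIX + X0, 2, N)
F = [(PREFIX * PREFIX - C) % N, 2 * PREFIX % N, 1]   # f(x) = (PREFIX + x)^2 - c, monic mod N
```

Calling coppersmith_univariate(F, N, 1 << 40) returns [X0]: four lattice rows suffice because X ≈ N^{0.27} is well under the N^{1/3} bound for a quadratic.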

5.3 Detailed Research Objectives

Permanent team members involved: Hanrot, Thomé, Zimmermann.

5.3.1 Short Term Objectives

Comparison of various linear algebra algorithms. We intend to develop implementations of the block Lanczos and block Wiedemann algorithms (partly updating existing code), including all the relevant uses of asymptotically fast algorithms like the FFT. Based on these implementations, and on experimentation on existing computing resources, we intend to draw characterizations of linear systems which are appropriate for either algorithm, and provide a rationale for tuning their parameters. This point presents no scientific risk.

5.3.2 Long Term Objectives

Coppersmith's method. Recall that Coppersmith's method uses lattice basis reduction algorithms in suitable lattices to find small solutions (x_i) to multivariate equations P(x_i) = 0 mod N. The univariate version of Coppersmith's method is well understood, but even for the bivariate case a central question remains open: what is the best choice for the lattice involved, and how could one construct it "on the fly"? This question has been addressed in certain cases but remains completely open in full generality. Another question is to find conditions which would guarantee the success of the method, i.e., that the short vectors returned by LLL really yield a zero-dimensional polynomial system. Again, this is easy in the univariate case, and there is currently no idea on that point in the multivariate case.

6 Arithmetics

6.1 Scientific Foundations

Since our results are intended to be implemented on computers, and the overall objective is to speed up real applications, an important point to consider is the type of processors on which our algorithms will be implemented. Thus, before describing the basic objects and state-of-the-art algorithms in the arithmetics domain, we summarize the evolution of processors in the last years, and try to give a prospective point of view on their evolution in the future.

Entering the all 64-bit era. For about ten years, we have had a mixture of both 32-bit and 64-bit processors, the pioneer 64-bit processors being Alpha (the EV4x series and successors) and MIPS (with the R1x000 series). As a consequence, on some processors, a better throughput was obtained using floating-point numbers — with a 53-bit significand — instead of integers — with 32 bits — for multiple-precision arithmetic. Two famous examples are:

• floating-point expansions, i.e., representing a multiple-precision number by a sum of fixed-precision floating-point numbers, or simply storing large integers in base 2^53 instead of 2^32. An example is Bailey's ARPREC multiple-precision library, which uses base 2^48 [BHLT04]; another example is the Magma computer algebra software.

• complex Fast Fourier Transform (FFT). Instead of using a finite field, it is sometimes faster to perform an FFT over the complex numbers, using double-precision floating-point numbers as the base format. The drawback of this approach — used for example in Woltman's Prime95/mprime program to factor or prove primality of Mersenne numbers [Wol] — is that, due to roundoff errors, the result is usually not rigorously correct: speed is traded for correctness.

The development of 32-bit processors has now slowed down; this is confirmed for example by the fact that since 2003, the clock rate of 32-bit processors has stayed around 3 or 4 GHz. More and more new processors will have 64-bit words. So we expect an "all 64-bit era" starting in the near future, with processors like the Opteron from AMD and the Itanium from Intel/HP. As a consequence, "double-precision" floating-point numbers will not carry more precision than machine integers, and in fact less (53 bits instead of 64 bits). Thus we anticipate that multiple-precision arithmetic will be mostly based on machine integers in the future, and floating-point based applications (like expansions or complex FFT) will vanish.

period      integers      floating-point numbers
yesterday   32 bits       64 bits (53-bit significand)
today       32-64 bits    64 bits (53-bit significand)
tomorrow    64 bits       64-128 bits (53- to 113-bit significand)

Figure 1: Expected evolution of the processor main formats.

Be ready for quadruple precision. In parallel, we also believe that more and more applications will require quadruple-precision floating-point numbers (128-bit format with 113-bit significand), which will become de facto the new "double-word" format (the quad format, which was not defined in IEEE-754 [IEE85], will be the largest format in the upcoming revision of that standard).

[BHLT04] Bailey, D. H., Hida, Y., Li, X. S., and Thomson, B. ARPREC: An arbitrary precision computation package. http://www.nersc.gov/∼dhbailey/dhbpapers, 2004.

[Wol] Woltman, G. GIMPS: The Great Internet Mersenne Prime Search. www.mersenne.org.

[IEE85] IEEE standard for binary floating-point arithmetic. Tech. Rep. ANSI-IEEE Standard 754-1985, New York, 1985. Approved March 21, 1985: IEEE Standards Board; approved July 26, 1985: American National Standards Institute, 18 pages.

Some processor designers have already anticipated such an evolution: the HP-UX mathematical library — developed by Peter Markstein at HP — uses quads as the native format, the doubles being based on quads, and the floats on doubles. We expect this change to happen in, say, ten years (see Fig. 1). Then "doubles" will be deprecated and "quads" used instead, as "floats" are deprecated today. This change will produce new challenges. Indeed, problems whose complexity is exponential in the width n of the significand will require new algorithmic solutions. One such problem is the "Table Maker's Dilemma" (TMD, see §6.1.6). It is unknown whether a polynomial-time algorithm exists to solve it, but we expect the answer to be "no". Moreover, we conjecture that the TMD admits a Θ(2^{n/2}) lower bound. Considering that we currently can solve it, with huge effort, for double precision, we expect quadruple precision to remain out of range for a while, unless we find a faster algorithm than the best current one, of complexity 2^{3n/5}, or we disprove the above conjectured lower bound.

FFT enters the real world. Until 2000, most applications of fast multiplication using the Fast Fourier Transform (FFT) were toy applications. A few exceptions are the GIMPS project of George Woltman, which uses highly-tuned FFT code to check the primality of 2^p − 1 for large prime p, and Montgomery's "FFT extension" of ECM [Mon92]. From now on, we believe FFT-based multiplication will be used more and more, for example to speed up computations over Z[x] or (Z/nZ)[x] using Kronecker-Schönhage's trick. At the same time, more and more applications will want to "cache" FFT transforms, to speed up computations with invariant operands. Other operations like division or square root will also require more work in the FFT domain. In theory, a division of a 2n-bit dividend by an n-bit divisor may be as fast as a product of two n-bit integers: indeed, assuming there is some way to "guess" the correct quotient, one just needs to multiply it by the divisor and subtract to get the remainder. However, the currently best-known algorithms for division cost at least twice — or three times if the remainder is needed — as much as the corresponding multiplication.

The end of Moore's law. Moore's law¹ predicts that the computer clock rate increases by a factor of two every 18 months. It has matched reality quite well so far: the usual clock rate in 1986 was 1 MHz (e.g., the VAX 780, which was the one-MIPS reference), hence 18 years later Moore's law predicts a clock rate of 2^12 = 4096 MHz, but at the end of 2004 Intel had to cancel the 4 GHz version of the Pentium 4.² However, Moore's law ended with Intel's Pentium M, which for the first time had a lower clock rate than its Pentium 4 predecessor. Of course, other techniques will still be used at the circuit level: multi-core processors, pipelining, caches, instruction and data prefetch, and so on. Anyway, we expect the global speed-up due to hardware to decrease, which will give more weight to software and algorithmic improvements.

¹According to Paul Boutin, what Gordon Moore actually said in a 1965 issue of Electronics magazine was "The complexity of minimum component costs has increased at a rate of roughly a factor of two per year", which he corrected to 18 months in the '70s.

²See http://siepr.stanford.edu/news/Moores Law.html

[Mon92] Montgomery, P. L. An FFT Extension of the Elliptic Curve Method of Factorization. PhD thesis, University of California, Los Angeles, 1992. ftp.cwi.nl:/pub/pmontgom/ucladissertation.psl.gz.

6.1.1 Basic Types and Algorithms

We consider here the following arithmetics: integers, rational numbers, integers modulo a fixed modulus n, finite fields, floating-point numbers and p-adic numbers. We can divide those numbers into two classes: exact numbers (integers, rationals, modular computations or finite fields), and inexact numbers (floating-point and p-adic numbers).

Algorithms on integers (respectively floating-point numbers) are very similar to those on polynomials (respectively Taylor or Laurent series). The main objective in that domain is to find new algorithms that make operations on those numbers more efficient. These new algorithms may use an alternate number representation.

6.1.2 Integers

The integral types of current processors have a width w of either 32 or 64 bits. This means that one is, using hardware instructions, only able to compute modulo 2^32 or 2^64. An arbitrary precision integer is then usually represented in the form n = Σ_{i=0}^{l} n_i 2^{iw}, with n_i a machine integer. In algorithmic terms, it means that a multiprecision integer is an array of machine integers. Naive operations can then be defined by using the classical "schoolbook methods" in base 2^w, with linear complexity in the case of addition and subtraction, and quadratic complexity in the case of division and multiplication.

6.1.3 Integers Modulo n and Finite Fields

Integers modulo n are usually represented by the representative of their class in the interval [0, n − 1] or sometimes ]−n/2, n/2].

Addition, subtraction and multiplication are obtained from the corresponding operation over the integers, followed by a reduction modulo n. This means that after each operation, a reduction modulo n must be performed. This is not very costly in the case of addition and subtraction (where it implies a single test and, half the time, another addition or subtraction), but implies a division in the case of multiplication.

Modular division is a completely different operation, and amounts to computing a so-called extended gcd of x and n, i.e., a pair a, b with ax + bn = 1. This is classically performed by the Euclidean algorithm or one of its variants, and is thus, in practice, by far the most costly operation. Many improvements in low-level algorithms are obtained by choosing suitable representations of objects which avoid divisions modulo n.

Finite fields can be separated into two types. Prime fields correspond to the integers modulo n for prime n. Extension fields are algebraic extensions of those prime fields, i.e., Z/pZ[X] modulo an irreducible polynomial P(X). Elements of a non-prime finite field are thus often represented as polynomials with coefficients in a prime field. This means that ideas from polynomial arithmetic can, and should, be used.

A difficult case is when p^{deg P} (the cardinality of the field) is large whereas neither p nor deg P really is. The case where p is large is indeed a classical case where we have to deal with arithmetic on large integers, and fast algorithms exist in that case. The case where p is small and deg P large corresponds to the realm of fast polynomial arithmetic. However, in the "middle range", neither p nor deg P is large enough to justify the use of fast techniques. This is also at the core of some technical theoretical difficulties.


6.1.4 p-adic Numbers

A p-adic number is defined as the formal limit of a sequence (x_n) of integers such that x_i = x_{i+1} mod p^i. One could think of it as a formal series Σ_{n≥0} a_n p^n, with a_n ∈ {0, …, p − 1}, though alternative representations are sometimes more efficient for some computations. In particular, a p-adic number given to precision n is simply an element of Z/p^nZ.

The p-adic numbers offer the capability of lifting information known in a finite field to a field of characteristic zero, while keeping some structural information. They are extensively used by many algorithms in computer algebra and algorithms related to algebraic curves, together with their extensions.

When we are trying to lift information from a non-prime finite field, say F_q for q = p^n, we are led to introduce algebraic extensions of Z_p; algebraic extensions of the p-adics can be of two types, unramified extensions and ramified extensions; roughly speaking, ramified extensions contain fractional powers of p.

In practice, we are mostly interested in the case of small p and unramified extensions. Of lesser importance are p-adic integers for large p, and extensions of these, because the algorithms we have in mind are generally not practical for large p. Yet, this is not necessarily the case for every possible p-adic algorithm, hence this point of view may change. At present, our application realms do not call for p-adic arithmetic requiring computations in ramified extensions, but this may change in the future as well.

6.1.5 Floating-point Numbers and the IEEE-754 Standard

When discussing inexact types, one stumbles very quickly on two critical difficulties:

• since approximation is inherent to the manipulation of inexact types, how should approximation be performed? This amounts to defining the (necessarily) finite set of numbers that can be exactly represented (format);

• even if the two operands of an operation can be exactly represented, in general the result cannot be. How should one define the result of an operation (rounding)? This is the key to a precise and portable semantics of floating-point computations.

From now on, we shall focus on floating-point numbers, which are the main inexact data type, at least from the practical point of view.

Formats. A floating-point format is a quadruple (β, n, E_min, E_max); a floating-point number in that format is of the form

±(b_0.b_1 … b_{n−1}) · β^e,

where β is the base — usually 2 or 10 —, n is the significand width, e ∈ [E_min, E_max] is the exponent, and the b_i are the digits, 0 ≤ b_i < β. The IEEE-754 standard defines four binary floating-point formats (single precision, single-extended, double precision, double-extended), the single-extended format being obsolete:

format            total width   β   significand width   E_min       E_max
single            32            2   24                  −126        +127
double            64            2   53                  −1022       +1023
double-extended   ≥ 79          2   ≥ 64                ≤ −16382    ≥ +16383

The on-going revision (754r) drops the single-extended and double-extended formats, and defines a new quadruple precision format (binary128). It also defines new decimal formats:

format       total width   β    significand width   E_min     E_max
binary128    128           2    113                 −16382    +16383
decimal32    32            10   7                   −95       +96
decimal64    64            10   16                  −383      +384
decimal128   128           10   34                  −6143     +6144

Rounding. The IEEE-754 standard defines four rounding modes: rounding to zero, to +∞, to −∞, and to nearest-even. It requires that each of the four basic arithmetic operations (+, −, ×, ÷), and the square root, be correctly rounded, i.e., the rounded value of a ∘ b for ∘ ∈ {+, −, ×, ÷} must be the closest one to the exact value (assuming that the inputs are exact) — as if one were using infinite precision — according to the rounding direction. (In case of an exact result lying exactly in the middle of two consecutive machine numbers, the nearest-even mode chooses the one with an even mantissa, i.e., ending with b_{n−1} = 0 in binary.)

6.1.6 The Table Maker’s Dilemma

Let f be a mathematical function (for example the exponential, the logarithm, or a trigonometric function), and a given floating-point format (β, n, E_min, E_max). Assume β = 2, i.e., a binary format, for simplicity. Given a floating-point number x in that format, we want to determine the floating-point number y in that format — or in another output format — that is closest to f(x) for a given rounding mode. In that case, we say that y ← f(x) is correctly rounded. The problem here is that we cannot compute an infinite number of bits of f(x). All we can do is to compute an approximation z to f(x) on m > n bits, with an error bounded by one ulp (unit in last place). Consider for example the arc-tangent function, with the double-precision number x = 4621447055448553 · 2^{−11}, and rounding to nearest. We have in binary:

arctan x = 1.1001001000011111101101010100010001000010010101001100
             1000000000000000000000000000000000000000000000111011 …,

where the first line contains 53 significant bits, and the second one has 45 consecutive zeros. If m ≤ 99, we will get as approximation z = 1.100…100 1000…000 (the 53 bits of the first line followed by a 1 and zeros), which is exactly the middle of two double-precision numbers, and therefore we will not be able to determine the correct rounding of arctan x. We say that x is a worst case for the arctan function and rounding to nearest. Since a given format contains a finite number of numbers — at most 2^64 for double precision —, the maximal working precision m required for any x in that format is finite. The Table Maker's Dilemma (TMD for short) consists in determining that maximal working precision m_max needed, which depends on f, the format and the rounding mode, and possibly the corresponding worst cases x. Once we know m_max, we can design an efficient routine to correctly round f as follows: (i) compute an m_max-bit approximation z to f(x), with an error of at most one ulp, (ii) round z.
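The arctan worst case above, recomputed as an added example (not code from the proposal) with fixed-point integer arithmetic only: π/2 from Machin's formula, arctan x = π/2 − arctan(1/x), the run of zeros after the round bit, and the precisions m at which the truncated approximation sits exactly on a midpoint. The 256 guard bits and the helper names are this example's choices.

```python
def arctan_ratio(p, q, bits):
    """arctan(p/q), 0 <= p < q, as a fixed-point integer with `bits` fractional bits
    (alternating Taylor series; each term is truncated, so the total error is a few ulps)."""
    one, total, k = 1 << bits, 0, 0
    while True:
        term = one * p ** (2 * k + 1) // q ** (2 * k + 1)
        if term == 0:
            break
        total += (-1) ** k * (term // (2 * k + 1))
        k += 1
    return total

def pi_half(bits):
    """pi/2 in the same fixed point, from Machin's formula pi/4 = 4 arctan(1/5) - arctan(1/239)."""
    return 8 * arctan_ratio(1, 5, bits) - 2 * arctan_ratio(1, 239, bits)

def arctan_significand_bits(p, q, nbits, guard=256):
    """First nbits significant bits of arctan(p/q) for p/q > 1, as a '0'/'1' string,
    via arctan(x) = pi/2 - arctan(1/x) computed with `guard` fractional bits."""
    v = pi_half(guard) - arctan_ratio(q, p, guard)
    return format(v, "b")[:nbits]          # format() drops leading zeros, so bit 0 is significant

def run_after_round_bit(bits, n):
    """Number of bits after the round bit (index n for an n-bit format) that keep the value
    'half-way looking': zeros after a 1 (exact middle) or ones after a 0 (just below it).
    The exhaustive TMD searches of 6.2.5 look for exactly these runs."""
    run = 0
    for b in bits[n + 1:]:
        if b == bits[n]:
            break
        run += 1
    return run

def truncation_is_midpoint(bits, n, m):
    """True when the m-bit truncation (m > n) of the expansion is exactly the midpoint of two
    consecutive n-bit numbers, i.e. round bit 1 followed by nothing but zeros up to bit m."""
    return bits[n] == "1" and set(bits[n + 1:m]) <= {"0"}

# The worst case from the text: x = 4621447055448553 * 2^-11 in double precision (n = 53).
X_NUM, X_DEN, N_BITS = 4621447055448553, 2048, 53
```

For this x, truncation_is_midpoint holds for every m from 54 to 99 and fails at m = 100, which is the text's "m ≤ 99" statement.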

6.2 State of the Art

6.2.1 Integers

Most basic algorithms for integers are believed to be optimal, up to constant factors. The main goal here is thus to save on those constant factors. For multiplication, one challenge is to find the best algorithm for each input size; since the thresholds between the different algorithms (naive, Karatsuba, Toom-Cook, FFT) are machine-dependent, there is no theoretical answer to that question. The same holds for the problem of finding which kind of FFT (Mersenne, Fermat, complex, Discrete Weighted Transform or DWT) is the fastest one for a given application or input size.

For division, it is well known that it can be performed — as any algebraic operation — in a constant times the time of the corresponding multiplication: for example, an n × n product corresponds to a (2n)/n division. One main challenge is to decrease that constant factor, say d. In the naive (quadratic) range, we have d = 1, but already in the Karatsuba range, the best known implementation has d = 2 [BZ98]. (Van der Hoeven [vdH02] gives an algorithm with d = 1; however, its implementation seems tricky, and its memory usage is superlinear.)

6.2.2 Floating-point numbers

Algorithms for floating-point numbers make great use of those for integers. Indeed, a binary floating-point number may be represented as an integer significand multiplied by 2^e. Multiplication of two floating-point numbers therefore reduces to the product of their significands; this product is in fact a short product, since only the high part is needed (assuming all numbers have the same precision). Despite some recent theoretical advances [25, Mul00], no great practical speedup has been obtained so far for the computation of a short product with respect to the corresponding plain product. The same holds for division, though an extension of the ideas of the middle product [22] to floating-point numbers might allow one to gain somewhat on division.

6.2.3 Integers modulo n.

A special case of integer division is when the divisor n is constant. This happens in particular in modular or finite field computations (discrete logarithm and factorization via ECM for instance). There are basically two kinds of algorithms in that case: (i) Barrett's division [Bar87] precomputes an approximation to 1/n, which is used to get an approximation to the quotient, which after a second product yields an approximate remainder; (ii) Montgomery's reduction precomputes −1/n mod β^k (where the input n has k words in base β), which gives in two products the value of cβ^{−k} mod n, for c having 2k words in base β. Both algorithms perform two products with operands of size equal to the size of n. These products are in fact short products, but according to the above remark, the global cost is close to that of two plain products. A speedup can be obtained in the FFT range, where the second product (to obtain the remainder) produces a known high part (resp. low part) in Barrett's division (resp. Montgomery's reduction); using the fact that the FFT computes that product modulo 2^m ± 1, one can save a factor of two for that product, with a global gain of 25%. Together with caching the transform of the input n and of its approximate inverse, one approaches d = 1. These ideas still need to be implemented in common multiple-precision software.

[BZ98] Burnikel, C. and Ziegler, J. Fast recursive division. Research Report MPI-I-98-1-022, MPI Saarbrücken, 1998.

[vdH02] van der Hoeven, J. Relax, but don't be too lazy. J. Symbolic Comput., 34(6):479–542, 2002.

[Mul00] Mulders, T. On short multiplications and divisions. Appl. Algebra Engrg. Comm. Comput., 11(1):69–88, 2000.

[Bar87] Barrett, P. Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In Odlyzko, A. M., ed, Advances in Cryptology, Proceedings of Crypto'86, vol. 263 of Lecture Notes in Comput. Sci., p. 311–323. Springer-Verlag, 1987.
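Both reductions, as an added example that is not code from the proposal, with 64-bit words as β: the extended gcd of 6.1.3 supplies −1/n mod β^k, Barrett uses a precomputed ⌊β^{2k}/n⌋ as its approximation of 1/n, and Montgomery's REDC returns cβ^{−k} mod n with two products and no division by n. The modulus and operands in the demo constants are constructed.

```python
BETA = 1 << 64                       # word base: 64-bit limbs, as in the "all 64-bit era" discussion

def ext_gcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def mod_inverse(x, n):
    """x^-1 mod n via the extended gcd (the costly 'modular division' of 6.1.3)."""
    g, s, _ = ext_gcd(x % n, n)
    if g != 1:
        raise ValueError("not invertible")
    return s % n

def words(n):
    """Number k of base-BETA words needed to hold n."""
    return max(1, (n.bit_length() + 63) // 64)

# ---- Barrett: precompute floor(BETA^(2k) / n), an approximation of 1/n -------------------
def barrett_setup(n):
    k = words(n)
    return k, BETA ** (2 * k) // n

def barrett_reduce(c, n, k, mu):
    """c mod n for 0 <= c < BETA^(2k): one product for the approximate quotient, one for
    the approximate remainder; the quotient guess is q or q-1, so at most one correction."""
    q_hat = (c * mu) >> (128 * k)                  # floor(c * mu / BETA^(2k))
    r = c - q_hat * n
    while r >= n:
        r -= n
    return r

# ---- Montgomery: precompute -1/n mod BETA^k, then compute c * BETA^-k mod n --------------
def montgomery_setup(n):
    """Returns (k, n') with n * n' = -1 mod BETA^k; n must be odd."""
    k = words(n)
    R = BETA ** k
    return k, (-mod_inverse(n, R)) % R

def montgomery_reduce(c, n, k, n_neg_inv):
    """REDC: for 0 <= c < n * BETA^k (e.g. a product of two residues) returns
    c * BETA^-k mod n.  Two products, one exact shift, no division by n."""
    R = BETA ** k
    m = (c * n_neg_inv) % R                        # first product: only the low k words matter
    t = (c + m * n) // R                           # second product; c + m*n = 0 mod R, so exact
    return t - n if t >= n else t

def montgomery_mul(a_m, b_m, n, k, n_neg_inv):
    """Product of two Montgomery-form residues aR, bR mod n: returns abR mod n (still in form)."""
    return montgomery_reduce(a_m * b_m, n, k, n_neg_inv)

def modmul_via_montgomery(a, b, n):
    """Plain a*b mod n through Montgomery form: the conversions cost one division each,
    which is why the form is kept across a whole exponentiation in practice."""
    k, n_neg_inv = montgomery_setup(n)
    R = BETA ** k
    a_m, b_m = a * R % n, b * R % n
    prod_m = montgomery_mul(a_m, b_m, n, k, n_neg_inv)
    return montgomery_reduce(prod_m, n, k, n_neg_inv)     # strips the remaining factor R

# Constructed demo values: a 127-bit odd modulus (k = 2 words) and two residues.
DEMO_N = 2 ** 127 - 1
DEMO_A = 3 ** 80 % DEMO_N
DEMO_B = 5 ** 80 % DEMO_N
```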

6.2.4 p-adic numbers.

Recently, a large number of new "p-adic" algorithms for solving very concrete problems have been designed, notably for counting points on algebraic varieties defined over finite fields. The application of such algorithms to coding theory or cryptology is immediate, as this is a considerable aid for quickly setting up elliptic curve cryptosystems, or for finding good codes. Some of these algorithms have been listed in Section 4.2.2.

In such algorithms, computations are carried out in "p-adic structures", but this vague wording reflects a relatively wide variety of mathematical structures (not unrelated to the underlying finite field, of course). We are frequently led to computing in the ring of 2-adic integers, which can be regarded as the integers modulo 2^n for some variable precision n. Also, just as extensions of F_2 are very common in computer algebra in general, the ring of integers of unramified extensions of the 2-adic numbers plays an important role.

6.2.5 The Table Maker’s dilemma.

Some instances of the TMD are easy. For example, for an algebraic function of total degree d, we get an upper bound of m_max ≤ dn + O(1) [LM01], which is attained when d = 2. Another easy case is the base conversion, where the TMD reduces to O(E_max − E_min) computations of continued fractions [Hac04].

However, in general, and especially for non-algebraic functions, the TMD is a difficult problem, because we know no rigorous upper bound for m, or the corresponding upper bound is much too large. However, a quick-and-dirty statistical analysis shows that for an n-bit input format (including the exponent bits if needed), the worst case is about m ≈ 2n. But to determine a rigorous bound, the only known methods are based on exhaustive search. Basically, they compute a 2n-bit approximation to f(x) for every x in the given format, and see how many consecutive zeros or ones appear after (or from) the round bit. This naive approach has complexity Θ(2^n). Fortunately, faster — but still exponential — methods do exist. The first one is Lefevre's algorithm [39, 66], with a complexity of 2^{2n/3+ε}. An improved algorithm of complexity 2^{4n/7+ε} is given in [31].

6.2.6 Littlewood’s cipher.

We describe here a generalization of the TMD, with some links to cryptography. Littlewood suggested a cipher based on the floating-point binary expansion of mathematical functions. His idea does not work as is, however a slight modification of his scheme provides a one-way function [30]:

[LM01] Lang, T. and Muller, J.-M. Bounds on runs of zeros and ones for algebraic functions. In Proceedings of the 15th IEEE Symposium on Computer Arithmetic, p. 13–20. IEEE Computer Society, 2001.

[Hac04] Hack, M. On intermediate precision required for correctly-rounding decimal-to-binary floating-point conversion. In Proceedings of RNC'6, Schloß Dagstuhl, Germany, November 15-17, 2004.


Challenge 1. Find x a 64-bit floating-point number, 1 < x < 2, such that:

1/x = 0.yyy...yyy 1101000000111101101101110011001001101101110000110011111011011101 ...

where yyy...yyy stands for 64 arbitrary bits, followed by the prescribed 64 bits shown.

Challenge 2. Find x a 64-bit floating-point number, 1/2 < x < 1, such that:

sin x = 0.yyy...yyy 0001110000001001011010101101101110100101001101010110100010001000 ...

where, again, yyy...yyy stands for 64 arbitrary bits, followed by the prescribed 64 bits shown.

Challenges 1 and 2 are an extension of the TMD. Indeed, instead of looking for a run of consecutive zeros or ones after the first 64 bits of f(x), we are looking for a prescribed run. Hence the algorithms used to solve the TMD can be applied here. Now the question is:

Can Challenges 1 and 2 be solved efficiently?

By "efficiently", we mean in polynomial time with respect to the significand width n (here n = 64). We do not know the answer to this question, however both answers — 'yes' or 'no' — are interesting. If the answer is 'yes', this means we can solve the TMD efficiently, thus we can find worst cases for directed rounding or rounding to nearest, and therefore build efficient implementations with correct rounding. If the answer is 'no' — which we conjecture — then Challenges 1 and 2 give interesting candidates for one-way functions.
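The exhaustive search described in §6.2.5 (an approximation of f(x) for every x in the format, then counting the run of identical bits at and after the round bit) can be run at toy precision for f(x) = 1/x, the function of Challenge 1, whose binary expansion is exact in rational arithmetic. The Python below is an added illustration and not code from the proposal or from Lefevre's algorithm: the names hard_case_runs and worst_case are ours, the precision n is a parameter, and the search is the naive Θ(2^n) one, so it only serves to make the two quantities m (for directed rounding and for rounding to nearest) concrete and to show where Challenge 1's prescribed bits sit.

```python
from fractions import Fraction
from typing import List, Tuple


def fraction_bits(y: Fraction, count: int) -> List[int]:
    """Binary digits of 0 < y < 1 after the binary point, most significant first."""
    bits = []
    for _ in range(count):
        y *= 2
        if y >= 1:
            bits.append(1)
            y -= 1
        else:
            bits.append(0)
    return bits


def run_length(bits: List[int], start: int) -> int:
    """Length of the run of identical bits beginning at index `start`."""
    k = start
    while k < len(bits) and bits[k] == bits[start]:
        k += 1
    return k - start


def hard_case_runs(x: Fraction, n: int, extra: int = 4) -> Tuple[int, int]:
    """For f(x) = 1/x with 1 < x < 2 and an n-bit significand, return
    (m_directed, m_nearest): the run of identical bits starting at the round
    bit (bit n+1), which matters for directed rounding, and the run starting
    just after it (bit n+2), which matters for rounding to nearest.
    Only the first n + extra*n bits are inspected, so a run is capped there."""
    y = 1 / x                      # lies in (1/2, 1): first bit is 1, no normalisation needed
    bits = fraction_bits(y, n + extra * n)
    return run_length(bits, n), run_length(bits, n + 1)


def worst_case(n: int) -> Tuple[Fraction, int, int]:
    """Naive Theta(2^n) search over every n-bit x in (1, 2) for the longest run
    after the round bit (rounding to nearest). x = 1 is skipped: 1/1 is exact,
    and exact cases are handled separately in the TMD."""
    best = (Fraction(1), -1, -1)
    for k in range(1, 1 << (n - 1)):
        x = 1 + Fraction(k, 1 << (n - 1))
        directed, nearest = hard_case_runs(x, n)
        if nearest > best[2]:
            best = (x, directed, nearest)
    return best


if __name__ == "__main__":
    print(hard_case_runs(Fraction(17, 16), 5))   # 1/x = 0.1111 0000 1111 ...
    print(worst_case(8))
```

For n = 5, x = 1 + 1/16 gives 1/x = 16/17 = 0.11110000 1111..., so the run starting at the round bit (bit 6) has length 3 and the run after it has length 2. Challenge 1 asks instead for a prescribed 64-bit pattern in exactly the positions these runs are measured in, which is why the TMD algorithms apply to it.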

6.3 Detailed Research Objectives

Permanent team members involved: Gaudry, Hanrot, Lefevre, Thome, Zimmermann.

PhD. students involved: Fousse (reliable numerical integration).

6.3.1 Short Term Objectives

Breaking the 64-bit barrier for the TMD. Using the work of [31], we plan to perform the first worst case computation in double-extended precision (64-bit significand), for the 2^x function. Previous computations from Lefevre already required several months of computing time for the case of the double-precision (53-bit significand). This work will demonstrate the efficiency of lattice reduction in the hunt for worst cases, and the feasibility of such worst case computations.

Simultaneous worst case search. We plan to extend the ideas of [31] to search for worst cases for two functions simultaneously. This means that we are looking for floating-point numbers x that are simultaneously worst cases for two functions f and g. An important application is Gal's "accurate table method", where f = sin and g = cos.

Correctly rounded numerical integration. We plan to extend the "correctly rounded" philosophy to numerical integration. The idea is to provide a correctly rounded value of an integral of the form ∫_a^b f(x) dx, where the endpoints a and b are either floating-point numbers, or given by functions that compute correctly-rounded approximations of them to any given precision — consider for example a = log 2 and b = √2 —, and the function f is given by a routine that provides a correctly-rounded approximation to f(x) for any floating-point number x in any precision. In addition, some auxiliary information might be required, like bounds on the derivatives of f. This work will require reviewing the classical quadrature schemes (Newton-Cotes, Gauss-Legendre, composite schemes), and for each one, performing a rigorous error analysis of (i) the mathematical error due to the integration scheme, (ii) the roundoff error when approximating the evaluation points and their weights, (iii) the roundoff error made when summing the point contributions. For the latter point, we will use previous work on floating-point summation [DH] [56].

6.3.2 Long Term Objectives

Formal proof of floating-point algorithms. Several of the algorithms used in the mpfr library are quite complex. For example, the addition and subtraction, which are trivial for integers, are quite tricky to implement for floating-point numbers, especially when the operands and the destination may have different significand widths [65]. Knuth said: "Be careful, I only proved the correctness of this program, I did not test it!" We could say the contrary for mpfr: we did intensively test it, but did not prove its correctness. Some corner cases are surely still well hidden in the code, and only a formal proof could detect them.

Two-variable worst case search. Two-variable functions, like x^y and arctan(y/x), are still out of reach of current methods for the worst case search (see §6.1.6). One difficulty is that the number of possible inputs grows from 2^n to 2^{2n}. Even for the single-precision format (24-bit significand), the worst case for x^y is still unknown! As a consequence, it makes the implementation of correct rounding for those functions more difficult. We plan to adapt the lattice-reduction based method from [31] to those two-variable functions. We do not expect the speedup to be as large as for one-variable functions, however we believe the obtained algorithm will be faster than a one-dimensional search based on Lefevre's method — the second variable being fixed — which would give a complexity of ≈ 2^{5n/3}.

Book on multiple-precision arithmetic. This book, co-written with Richard Brent (Oxford), was started in 2003. It should contain one chapter on integers (almost finished), one chapter on integers modulo n (we do not plan so far to cover general finite fields), one chapter on floating-point numbers (basic algorithms), and one final chapter on computing mathematical functions (for floating-point numbers). It will be of interest for researchers and graduate students in the field, implementers and users of multiple-precision software.

6.3.3 Development of Tools

Finite field library. We have in mind the development of two tools, which are both needed and useful for our research in algebraic curves. The first tool is a library for computing efficiently with finite fields; this is a basic block for curve computations (arithmetic, cardinality) but might also serve to validate some of the theoretical research.

[DH] Demmel, J. and Hida, Y. Fast and accurate floating-point summation with application to computational geometry. Numer. Algorithms. To appear. A previous version appeared in the Proceedings of 10th GAMM-IMACS International Symposium on Scientific Computing, Computer Arithmetic, and Validated Numerics (SCAN 2002).

p-adic arithmetic library. The second tool we have in mind is a library for dealing with p-adic numbers and their (mainly unramified) extensions, which implements arithmetic and basic transcendental p-adic functions. Efficient p-adic arithmetic is indeed crucial for most modern algorithms which compute the cardinality of Jacobians in small to medium characteristic.

However, implementing p-adic algorithms quickly requires implementing a large number of advanced algorithms to perform basic tasks, like computing a defining polynomial. The need for a library is therefore important: one wants to focus on the main algorithm, and not on the other advanced algorithms, which are nevertheless crucial to the overall efficiency of the implementation. Existing computer algebra packages are not an option, because of efficiency. To satisfy the mentioned need, a major stumbling point appears: p-adic algorithms handle p-adic numbers belonging to rings of various degree and precision. Designing a library to cope with a large number of parent structures is a challenging task, especially when the goal is efficiency, and not genericity (in any case, not genericity at the price of efficiency). We intend to overcome this difficulty, and provide an optimized C or C++ library for computing with p-adic numbers. This library already exists, but it is currently a draft undergoing evolution. More algorithms have to be implemented, and the design of the library has to be made firmer.

Of course, both libraries (finite field and p-adic) will be designed so as to interplay efficiently with each other (recall that when one reduces Q_p modulo p, one gets F_p; by reducing extensions of Q_p, one gets extensions of F_p; reducing and lifting — think of Hensel's lemma — are two frequent operations in p-adic and finite field arithmetic).

Correctly rounded numerical integration. We plan to implement the algorithms described above in the short term objectives, 3rd paragraph, in a prototype software that will be able to give rigorous results for numerical integration, which current software does not, either in fixed or multiple precision.

7 Applications and Technological Transfer

Our choice for transferring our results is via providing advanced prototypes of tools to the community. The main reason for this choice is that our work is mainly upstream-oriented. The efficient algorithms and implementations that we provide can be transferred into other tools, the latter being in turn transferred to industry.

We review in the sequel of this section our application domains.

7.1 Cryptology

The main application domain of our project is cryptology. As has been mentioned several times in this document, curves have taken an increasing importance in cryptology over the last ten years. Various works have shown the usability and the usefulness of elliptic curves in cryptology, standards [IEE] and real-world applications.

[IEE] IEEE. P1363: Standard specifications for public key cryptography. Available at http://www.manta.ieee.org/groups/1363/.


We collaborate with TANC on the goal of showing that higher genus curves (mostly hyperelliptic curves of genus two) are also suitable for cryptology. This implies some work on three concrete objectives, which are of course highly linked with our main theoretical objectives:

1. improvement of the arithmetic of those curves, so as to guarantee fast enough ciphering-deciphering;

2. fast key generation. This rests partly on fast computations in the curve, but mostly on the ability to quickly compute the cardinality. Another approach (complex multiplication) is followed by the TANC project-team (see §9.1.4);

3. study of the security of hyperelliptic curve primitives. This implies attempts at solving discrete logarithm problems in Jacobians using the best known techniques, so as to determine the right key-size.

7.2 Computational Number Theory Systems

We have strong ties with several computational number theory systems, and code written by members of the project-team can be found in the Magma software and in the Pari/GP software.

7.2.1 Magma

Magma (http://magma.maths.usyd.edu.au/magma/) is the leading computational number theory software. It also has some features of computer algebra (algebraic geometry, polynomial system solving) but not all of what is expected of a computer algebra system. It is developed by the team of John Cannon in Sydney, and while it describes itself as a non-commercial system, it is sold to cover the development cost, porting and maintaining.

In many areas, programs originating from very specialized research works are ported into Magma by their authors, who are invited to Sydney for this purpose. Several members of the project-team have already visited Sydney; there has even been an official collaboration supported by the French embassy in Sydney involving people from 3 groups in France (Toulouse, Palaiseau, Nancy) in 2000-2002. Gaudry, Thome, and Zimmermann have had the occasion to visit the Magma group in Sydney in 2001 in order to implement within Magma some code they had written for their personal research (on computing the cardinality of Jacobians of hyperelliptic curves, on computing discrete logarithms in F_{2^n}, and on the ECM factorization algorithm, respectively). Occasions for collaborations of this kind may come again in the future.

The Magma system now uses mpfr for its multiple-precision floating-point arithmetic (footnote 3).

7.2.2 Pari/GP

Pari/GP is a computational number theory system which comes with a library which can be used to access Pari functions within a C program. It was originally developed at the Bordeaux 1 university, and is currently maintained (and expanded) by Karim Belabas, from Orsay University. It is free (GPL) software. We sometimes use it for validation of our algorithms.

Again, some code written by members of the project has been incorporated into Pari.

3. https://magma.maths.usyd.edu.au/magma/export/mpfr gmp.shtml


7.3 Arithmetics

Another indirect transfer is the usage of mpfr in GCC (GNU Compiler Collection) for the gfortran compiler (footnote 4). As far as we know, mpfr is currently used at compile-time, to convert expressions like sin(3.1416) into binary double-precision, when the rounding mode can be statically determined. Finally, we should mention another usage of our software by the GCC team: gmp-ecm is used as an efficiency test for release candidates of the gcc compiler, from version 3.3 on.

The mpfr library is also used by the CGAL software, a library for computational geometry developed at INRIA Sophia-Antipolis. The CGAL group (footnote 5) is currently only using it for converting rationals to multi-precision floating-point numbers, but plans to write its own interval arithmetic atop of mpfr in the near future, since double-precision interval arithmetic quickly fails for its problems (e.g. circle intersections).

8 Positioning within the Scientific Community

In this section, by "competitor", we mean a person who is working on the same questions that we intend to explore, and with whom we have no ongoing collaboration. The term does not imply any hostility whatsoever, and in practice, most of those competitors were or will be, more or less occasionally, collaborators.

8.1 Arithmetics

In the arithmetics domain, our main competitor is Dan Bernstein, who designed in recent years some clever algorithms (for example his "fast Newton" algorithms, or the new "scaled remainder tree" algorithm). As concerns software, one competitor is the Arithmos team headed by Annie Cuyt at University of Antwerp (Belgium), however we keep friendly contacts with them: they are more concerned with base-independent arithmetic and — these last years — producing test cases, whereas we focus on binary arithmetic, and are more concerned with efficiency than general-purpose code, but still keeping correct rounding as a common objective. There are several other efficient libraries for multiple-precision floating-point computations (in particular Pari/GP), but they usually do not provide correct rounding. A noticeable exception is the Maple software, which implements the four IEEE-754 rounding modes within its decimal floating-point arithmetic.

We had some discussions with the Maple developers — who already use GMP for integer computations — to see how to use mpfr for floating-point computations. Indeed, mpfr is a lot faster than Maple — up to 100 times for 100-digit computations — as shown by a comparison made by P. Pelissier [88]. The main concern is due to the fact that Maple's arithmetic is decimal: when the user types 0.1, it should be printed 0.1 and not 0.09999999999. This is in fact easy: assume the user enters a decimal number x which gets internally rounded (to nearest) into a binary number y. We thus have |x − y| ≤ (1/2) ulp(y). If ulp(y) < ulp(x), then |x − y| < (1/2) ulp(x), which guarantees that y will be printed back to x (still assuming rounding to nearest for the output routine). A sufficient condition is p ≥ 1 + n log 10 / log 2, where n is the user's (decimal) precision and p the internal (binary) precision. For 10 digits for example, an internal precision of 35 bits is sufficient.

Another concurrent software is ARPREC, a revision and extension of Bailey's MPFUN package which provides multiple-precision integers, floating-point real and complex numbers. ARPREC uses IEEE double-precision floating-point arithmetic as base word. In the decimal world, we should mention Java's BigDecimal package (footnote 6), which is specifically designed for fixed-point computations — in particular business applications — and thus not suited for scientific computations; and Mike Cowlishaw's (IBM) decimal implementation.

4. Cf. thread "Remove GMP in favor of MPFR" at http://gcc.gnu.org/ml/fortran/2004-07/msg00005.html.

5. http://www.cgal.org
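The decimal round-trip condition stated above (p ≥ 1 + n log 10 / log 2, e.g. 35 bits for 10 digits) can be checked exhaustively at small size. The Python below is an added example, not code from the proposal, from mpfr or from Maple: it rounds an n-digit decimal x to the nearest p-bit binary number y and back, in exact rational arithmetic so that no double rounding sneaks in, and counts the decimals that do not survive. The function names are ours, and the test set (every 3-digit decimal in [0.1, 1)) is constructed for the demonstration.

```python
import math
from fractions import Fraction


def sufficient_bits(n_digits: int) -> int:
    """Smallest integer p satisfying p >= 1 + n * log(10) / log(2)."""
    return math.ceil(1 + n_digits * math.log2(10))


def _round_nearest(x: Fraction, base: int, prec: int) -> Fraction:
    """Round positive x to the nearest prec-digit number in the given base
    (ties to even), i.e. to a multiple of ulp(x) = base^(e - prec) where
    base^(e-1) <= x < base^e."""
    e = 0
    while x >= Fraction(base) ** e:
        e += 1
    while x < Fraction(base) ** (e - 1):
        e -= 1
    ulp = Fraction(base) ** (e - prec)
    return round(x / ulp) * ulp          # round() on a Fraction is half-to-even


def round_to_binary(x: Fraction, p_bits: int) -> Fraction:
    return _round_nearest(x, 2, p_bits)


def round_to_decimal(y: Fraction, n_digits: int) -> Fraction:
    return _round_nearest(y, 10, n_digits)


def roundtrip_failures(n_digits: int, p_bits: int) -> int:
    """Count the n-digit decimals k/10^n (10^(n-1) <= k < 10^n), i.e. all
    n-digit decimals in [0.1, 1), that do not come back unchanged after
    decimal -> nearest p-bit binary -> nearest n-digit decimal."""
    failures = 0
    scale = Fraction(1, 10 ** n_digits)
    for k in range(10 ** (n_digits - 1), 10 ** n_digits):
        x = k * scale
        y = round_to_binary(x, p_bits)
        if round_to_decimal(y, n_digits) != x:
            failures += 1
    return failures


if __name__ == "__main__":
    p = sufficient_bits(3)
    print(p, roundtrip_failures(3, p), roundtrip_failures(3, 4))
```

The bound is only sufficient: with fewer bits than sufficient_bits(n) some decimals may still survive, but the count returned by roundtrip_failures makes it visible when they stop doing so.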

The IEEE-754 standard is currently under revision. Two members of our group follow the email discussions about that revision. Together with the Arenaire project-team, we plan to actively take part in those discussions, by attending one or two meetings of the revision committee.

8.2 Curves

The subject of curves of higher genus and their use in cryptology is a very active one; we thus have many competitors on those topics. We have good relations and regular contacts with most of those competitors, which allows us to have rather good visibility and to be sure that we are not working on a specific point in direct competition with them; when this is the case, most of the time the relations are good enough to ensure that competition will in practice become collaboration.

General competitors on curves. A few teams have similar scopes to ours concerning curves over finite fields, with applications to cryptology in mind. In France, one should mention R. Lercier and D. Lubicz at CELAR (Rennes) and J. M. Couveignes at Toulouse. Outside of France, our main "general" competitor is F. Vercauteren at Leuven (Belgium).

Apart from those, several teams have a strong record on some specific point of our objectives: here is a short description of who they are, topic by topic.

Efficient arithmetic. Our main competitors on these subjects are the Bochum team (T. Lange, C. Paar, T. Wollinger). They recently obtained results on explicit formulas for the arithmetic of Jacobians of curves, on which we plan to work. However, we intend to investigate an approach which is rather different from theirs, based on the use of Θ functions, instead of optimizing Cantor's algorithm.

Large characteristic, genus 2. This is a rather "quiet" subject, on which we know of no real competitors.

Discrete logarithm. Many people are working on the discrete logarithm problem, often with a moderate degree of involvement, since, as mentioned previously, there seems to be a need for a completely new idea on this subject. Among the most important competitors, we might mention G. Frey and his team (Essen).

8.3 Linear Algebra and Lattices

On the solution of linear systems, our themes are very specific (i.e., dedicated to very specific types of linear systems, and also requiring high expertise in huge distributed computations) and thus quite original in the community; we know of no competitor on this specific point. Concerning lattices, there have been several results over the last ten years on improving the complexity of the LLL algorithm, for example by devising rigorous floating-point versions. These variants have been proposed by C. P. Schnorr (Frankfurt), who is our main competitor on this subject.

6. http://java.sun.com/j2se/1.4.2/docs/guide/math/index.html


9 National and International Collaborations

9.1 At INRIA

9.1.1 Preliminary remark

Though many teams at INRIA are working on cryptology and security, we do not have links with all of them.

9.1.2 Salsa

All team members (except Gaudry) were previously members of the Spaces project-team, which was located both in Nancy and Paris. The researchers from Spaces-Paris created a new project-team, called Salsa, working mainly on polynomial systems, while the researchers from Spaces-Nancy made the current proposal. We expect to keep scientific relations with Salsa, either via the resolution of polynomial systems (see §4.1.5 and §5.2.2), or via software development or usage (in particular mpfr or the mpfi interval arithmetic library). This might also have an impact on cryptanalysis, though Salsa's goals on this topic are rather different from ours, since they focus on questions related to polynomial system solving (polynomial-based cryptography like the HFE system, or some aspects of symmetric cryptography).

9.1.3 Arenaire

Our contacts with the Arenaire project-team, located at ENS-Lyon (INRIA Rhone-Alpes), go back to 1997, with two common research actions granted by INRIA (Calcul fiable in 1997-1999, then AOC in 2000-2002). Thanks to those two actions, and especially to many discussions with members from Arenaire, we started working in computer arithmetic. This collaboration is now regular, with common software (e.g., the mpfi library, co-written by Nathalie Revol from Arenaire, and Fabrice Rouillier, a former member of our team), and common papers (e.g., the proposal for a standardization of mathematical functions in IEEE-754 [10]).

We split our work in the following manner:

• In the domain of computer arithmetic with correct rounding, the Arenaire team focuses on fixed-precision arithmetic (mainly double-precision), the aim being to design fast algorithms with correct rounding, and to implement them in the crlibm library. For that purpose, they develop the scslib library, which performs fixed-point arithmetic on 8 words of 32 bits, providing a precision of about 200 bits.

• In that same domain, our team focuses on arbitrary-precision arithmetic. This means that we cannot use fixed-degree hard-coded polynomials like in crlibm, but we have to compute polynomial approximations "on the fly", and for that reason we prefer Taylor expansions to more accurate but more expensive approximations (minimax, on which Arenaire is working). Also, it is not possible to take advantage of the knowledge of worst cases here, since computing them is out of reach for more than 64 bits of precision.

One exception to that "splitting rule" is due to the fact that one of our team members, Lefevre, did his PhD in Arenaire before joining us in 2000. Since that time, we also work on the search for worst cases in fixed precision, mainly in double-precision.

We might also have collaborations in the future with Arenaire for some of the aspects of our work in linear algebra and lattices.


9.1.4 TANC

We have strong natural ties with the TANC project-team of INRIA Futurs, located in Ecole polytechnique at Palaiseau, since two permanent members did their PhD there (Gaudry – who currently holds a position in TANC, Thome) and another one made a one-year stay (Hanrot).

We share a common interest for algebraic curves and their applications to cryptology, and it is obvious that we should have important collaborations; for instance one PhD student (Nicolas Gurel) was co-advised by Francois Morain and Hanrot, and one current PhD student at the TANC project is co-advised by Gaudry. Furthermore, two permanent members (Gaudry, Hanrot) share a course in the MPRI (Master Parisien Recherche en Informatique) with members of the TANC project, as well as lectures at Ecole polytechnique.

However the scope of the Cacao project is slightly different. We are mainly interested in optimizing the arithmetic of the curves and some of the applications of this arithmetic; this implies not only research on algebraic curves, but also upstream, hence the work in linear algebra, lattices, and arithmetic. This also implies important software development.

The TANC project-team, on the other hand, has a strong record on complex multiplication techniques and cardinality in general. With the exception of cardinality in large characteristic, which should be studied in collaboration since it requires techniques and expertise from the two project-teams, one could say that the TANC project-team works on the more advanced problems and techniques, whereas the Cacao project works on the more fundamental problems, with efficient implementations. This implies, of course, strong collaborations at the interface.

9.1.5 Codes

We participated together with the Codes project-team in the ARC "Courbes". Today our collaboration mainly focuses on finite field arithmetic, since their present work in cryptology is mainly oriented towards either error-correcting-code based cryptology or symmetric cryptology.

9.1.6 Cassis

The Cassis project, located at INRIA-Lorraine, works in particular on formal methods to prove the security of cryptographic protocols. Though we both deal with cryptology, our viewpoints are currently quite far apart: Cassis is working with more-or-less ideal primitives (taking into account the most stringent algebraic properties of those primitives, but not their practical implementation) whereas we are working on the actual development of the mathematical primitives and are more concerned with the security of the mathematical primitive, not that of the protocol.

We have been trying to initiate a collaboration; there is a common "ACI jeunes chercheurs" involving (among others) Veronique Cortier (Cassis) and Thome, trying to combine both approaches. This part of our work is mostly prospective.

9.1.7 Marelle

Marelle is a project-team proposal at INRIA Sophia-Antipolis, with Yves Bertot, Laurence Rideau and Laurent Thery among its members. We keep very good links with those researchers since the Common Research Action (CRA) "Arithmetique des Ordinateurs Certifiee" (2000-2002). We recently submitted with Marelle a research proposal to the EADS foundation: the goal is to design formal proofs of multiple-precision floating-point algorithms and programs that provide correct rounding, such as those implemented in the MPFR library; the answer is pending.

9.1.8 Scalapplix

The linear systems we are faced with share a few characteristics with linear systems handled by the SCALAPPLIX project-team: we both encounter large sparse linear systems. However, we are dealing with linear systems defined over finite fields, sometimes over the integers. We are hardly ever looking for numerical solutions of large systems defined over the real or complex field. Furthermore, density patterns for linear systems arising from integer factorization problems or discrete logarithm problems do not lend themselves to the adaptation of techniques like nested dissection which are common in numerical analysis.

At present, we have no scientific cooperation with the SCALAPPLIX group. However, techniques from numerical analysis may be useful in lattice-basis reduction, which may go through floating-point computations as intermediate steps. If needed, we may benefit from SCALAPPLIX's expertise for that matter.

9.1.9 CGAL

As mentioned previously, we have relations with the CGAL group at Sophia, through their use of mpfr for part of the multiprecision computations in the CGAL library.

9.2 National

GDR ALP. The project-team is a member of GDR ALP, a CNRS structure to animate the community in the domains of algorithms, languages and programming.

GDR Theorie des nombres. Some of the members of the project-team are also members of GDR Theorie des nombres, a CNRS structure to animate the community in the domain of number theory.

Ecole polytechnique. We have strong links with Eric Schost, from the STIX laboratory at Ecole polytechnique, and the project of computing cardinality in large characteristic, in particular, which requires polynomial system techniques, is a common project with him.

Ecole normale superieure (ENS). The work on lattices will be done in collaboration with Phong Nguyen, from the LIENS laboratory at ENS.

Institut Elie Cartan de Nancy (IECN). We have regular contacts with the mathematics laboratory in Nancy, and occasional collaboration on topics of mutual interest. No permanent collaboration is in place at the moment, but their expertise on smoothness (of integers and polynomials) might be of interest to the project-team.

GRIMM, Toulouse. We have contacts with Jean-Marc Couveignes, from the GRIMM laboratory in Toulouse, with whom we applied for a PAI with the Magma team in Sydney. This PAI was unfortunately rejected, but we still plan to collaborate on the topic of curves and cryptology.


A2X, Bordeaux. We have regular contacts with the Pari/GP team, especially the person in charge, i.e. Karim Belabas, who has just been appointed professor in Bordeaux. This collaboration is mainly focused on contributed code to Pari/GP (Coppersmith method, code for diophantine equation solving) and interaction on multiprecision arithmetic.

9.3 International

Stockholm/GMP. Since 2000, our team has made several contributions to the GNU MP (GMP for short) library developed by Torbjorn Granlund (Swox company, Stockholm, Sweden). In particular, we contributed implementations of modular exponentiation, Montgomery's multiplication, Toom-Cook 3-way multiplication, FFT multiplication, subquadratic division and square root [80]. The main goal is to have the fastest known algorithms and implementations widely available through GMP, not only in the FFT range, but in the whole subquadratic domain (Karatsuba, Toom-Cook). Torbjorn Granlund visited us in March 2006, and will come again in December 2006 to work on these topics.

Oxford/Canberra. Since 2000, we keep a strong collaboration with Richard Brent at OxfordUniversity Computing Laboratory (OUCL), with several visits to and from Oxford. This collabo-ration started on the computation of primitive trinomials of large degree over F2 [4, 5, 49, 50], andcontinued with the project of writing a book describing the state of the art in multiple precisioncomputer arithmetic (integers, integers modulo n, floating-point numbers). Richard Brent movedto Canberra (Australia) in 2005. This makes visits less frequent, but the collaboration neverthelessremains very active.

Berlin. We have had in the past collaborations with Florian Hess, who was recently appointedas a professor at TU Berlin. We have a current project ”PAI” (programme d’action integre) withFlorian Hess’ team at TU Berlin, for working on the study of some techniques to attack the discretelogarithm problem on elliptic curves.

9.4 Participation in French or European Projects

Several team members did participate in INRIA cooperative research actions (ARCs in french)“calcul fiable” (reliable computing) and “arithmetique des ordinateurs certifiee” (certified computerarithmetic), and in the “ACI Cryptologie” granted by the French government to support researchin cryptology.

10 Selected Publications from Team Members

Articles

[1] Benito, M., Creyaufmüller, W., Varona, J. L., and Zimmermann, P. Aliquot sequence 3630 ends after reaching 100 digits. Experiment. Math. 11, 2 (2002), 201–206.

[2] Bertot, Y., Magaud, N., and Zimmermann, P. A proof of GMP square root. J. Automat. Reason. 29 (2002), 225–252. Special Issue on Automating and Mechanising Mathematics: In honour of N.G. de Bruijn.


[3] Bilu, Y., Hanrot, G., and Voutier, P. Existence of primitive divisors of Lucas and Lehmer sequences. J. Reine Angew. Math. 539 (2001), 75–122.

[4] Brent, R. P., Larvala, S., and Zimmermann, P. A fast algorithm for testing reducibility of trinomials mod 2 and some new primitive trinomials of degree 3021377. Math. Comp. 72, 243 (2003), 1443–1452.

[5] Brent, R. P., Larvala, S., and Zimmermann, P. A primitive trinomial of degree 6972593. Math. Comp. 74, 250 (Mar 2005), 1001–1002.

[6] Bugeaud, Y., and Hanrot, G. Un nouveau critère pour l'équation de Catalan. Mathematika 47 (2000), 63–73.

[7] Bugeaud, Y., Hanrot, G., and Mignotte, M. Sur l'équation diophantienne (x^n − 1)/(x − 1) = y^q, III. Proc. London Math. Soc. 84 (2002), 59–78.

[8] Cerri, J.-P. Euclidean and inhomogeneous spectra of number fields with unit rank greater than 1. J. Reine Angew. Math. (2006), 49–62.

[9] Cerri, J.-P. Euclidean minima of totally real fields: algorithmic determination. Math. Comp. (to appear).

[10] Defour, D., Hanrot, G., Lefèvre, V., Muller, J.-M., Revol, N., and Zimmermann, P. Proposal for a standardization of mathematical function implementation in floating-point arithmetic. Numer. Algorithms 37, 1–4 (2004), 367–375.

[11] Dubner, H., Forbes, T., Lygeros, N., Mizony, M., Nelson, H., and Zimmermann, P. Ten consecutive primes in arithmetic progression. Math. Comp. 71, 239 (2002), 1323–1328.

[12] Enge, A., and Gaudry, P. A general framework for subexponential discrete logarithm algorithms. Acta Arith. 102 (2002), 83–103.

[13] Fouquet, M., Gaudry, P., and Harley, R. An extension of Satoh's algorithm and its implementation. J. Ramanujan Math. Soc. 15 (2000), 281–318.

[14] Fousse, L., Hanrot, G., Lefèvre, V., Pélissier, P., and Zimmermann, P. MPFR: A multiple-precision binary floating-point library with correct rounding. ACM Trans. Math. Softw. (2006). To appear.

[15] Gaudry, P., and Gürel, N. Counting points in medium characteristic using Kedlaya's algorithm. Experiment. Math. 12 (2003), 395–402.

[16] Gaudry, P., Heß, F., and Smart, N. Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15 (2002), 19–46.

[17] Gaudry, P., and Schost, E. Modular equations for hyperelliptic curves. Math. Comp. 74 (2005), 429–454.

[18] Gaudry, P., Schost, E., and Thiéry, N. M. Evaluation properties of symmetric polynomials. International Journal of Algebra and Computation (2005). To appear.

[19] Gaudry, P., Thomé, E., Thériault, N., and Diem, C. A double large prime variation for small genus hyperelliptic index calculus. Math. Comp. (2005). To appear.

[20] Gérard, Y., Debled-Rennesson, I., and Zimmermann, P. An elementary digital plane recognition algorithm. Discrete Appl. Math. 151, 1–3 (2005), 169–183.


[21] Hanrot, G. Solving Thue equations without the full unit group. Math. Comp. 69 (2000), 395–405.

[22] Hanrot, G., Quercia, M., and Zimmermann, P. The middle product algorithm, I. Speeding up the division and square root of power series. Appl. Algebra Engrg. Comm. Comput. 14 (2004), 415–438.

[23] Hanrot, G., Rivat, J., Tenenbaum, G., and Zimmermann, P. Density results on floating-point invertible numbers. Theoret. Comput. Sci. 291, 2 (2003), 135–141.

[24] Hanrot, G., Saradha, N., and Shorey, T. Almost perfect powers in consecutive integers. Acta Arith. 99 (2001), 13–25.

[25] Hanrot, G., and Zimmermann, P. A long note on Mulders' short product. J. Symbolic Comput. 37 (2004), 391–401.

[26] Lefèvre, V. Multiplication par une constante. Réseaux et Systèmes Répartis, Calculateurs Parallèles 13, 4–5 (2001), 465–484.

[27] Lefèvre, V., and Muller, J.-M. L'erreur en arithmétique des ordinateurs. Le Temps des Savoirs 2 (Oct. 2000), 147–157.

[28] Lefèvre, V., and Muller, J.-M. On-the-fly range reduction. Journal of VLSI Signal Processing 33, 1 (Jan. 2003), 31–35.

[29] Rouillier, F., and Zimmermann, P. Efficient isolation of polynomial's real roots. J. Comput. Appl. Math. 162, 1 (2003), 33–50.

[30] Stehlé, D. Breaking Littlewood's cipher. Cryptologia 28 (2004), 341–357.

[31] Stehlé, D., Zimmermann, P., and Lefèvre, V. Searching worst cases of a one-variable function using lattice reduction. IEEE Transactions on Computers 54, 3 (Mar 2005), 340–346.

[32] Thomé, E. Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symbolic Comput. 33, 5 (2002), 757–775.

[33] Zimmermann, P. Arithmétique en précision arbitraire. Réseaux et Systèmes Répartis, Calculateurs Parallèles 13, 4–5 (2001), 357–386.

[34] Zimmermann, P. 102098959. Gazette du CINES 14 (2003).

[35] Zimmermann, P. MPFR : vers un calcul flottant correct ? Interstices (2005). http://interstices.info/display.jsp?id=c 9345.

Theses

[36] Cerri, J.-P. Spectres euclidiens et inhomogènes des corps de nombres. Thèse, Université Henri Poincaré Nancy 1, 2005.

[37] Gaudry, P. Algorithmique des courbes hyperelliptiques et applications à la cryptologie. Thèse, École polytechnique, 2000.

[38] Hanrot, G. Quelques algorithmes en arithmétique. Habilitation à diriger des recherches, Université Henri Poincaré Nancy 1, 2005.

[39] Lefèvre, V. Moyens arithmétiques pour un calcul fiable. Thèse de doctorat, École Normale Supérieure de Lyon, 2000.


[40] Stehlé, D. Algorithmique de la réduction de réseaux et application à la recherche de pires cas pour l'arrondi de fonctions mathématiques. Thèse, Université Henri Poincaré Nancy 1, 2005.

[41] Thomé, E. Algorithmes de calcul de logarithme discret dans les corps finis. Thèse, École polytechnique, 2003.

[42] Zimmermann, P. De l'algorithmique à l'arithmétique via le calcul formel. Habilitation à diriger des recherches, Université Henri Poincaré Nancy 1, 2001.

Manuals

[43] Gaudry, P. NTLJac2, Tools for genus 2 Jacobians in NTL. http://www.lix.polytechnique.fr/Labo/Pierrick.Gaudry/NTLJac2/.

Proceedings

[44] Preneel, B., Ed. Advances in Cryptology – EUROCRYPT 2000 (2000), vol. 1807 of Lecture Notes in Comput. Sci., Springer-Verlag. Proc. International Conference on the Theory and Application of Cryptographic Techniques, Brugge, Belgium, May 2000.

In Books

[45] Hanrot, G. Journées X-UPS 2005. Presses de l'École polytechnique, to appear, ch. Quelques idées sur l'algorithmique des équations diophantiennes.

[46] Zimmermann, P. Encyclopedia of Cryptography and Security. Springer, 2005, ch. The Elliptic Curve Method. van Tilborg, Henk C.A. (Ed.).

Conference Communications

[47] Abbott, J., Shoup, V., and Zimmermann, P. Factorization in Z[X]: the searching phase. In Proceedings of ISSAC'2000 (2000), C. Traverso, Ed., ACM Press, pp. 1–7.

[48] Bostan, A., Gaudry, P., and Schost, E. Linear recurrences with polynomial coefficients and computation of the Cartier-Manin operator on hyperelliptic curves. In Finite Fields and Applications, 7th International Conference, Fq7 (2004), G. Mullen, A. Poli, and H. Stichtenoth, Eds., vol. 2948 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 40–58.

[49] Brent, R., and Zimmermann, P. Algorithms for finding almost irreducible and almost primitive trinomials. In Primes and Misdemeanours: Lectures in Honour of the Sixtieth Birthday of Hugh Cowie Williams (Banff, Canada, 2003), A. van der Poorten and A. Stein, Eds., The Fields Institute, Toronto. 12 pages. Invited paper. To be published by the AMS.

[50] Brent, R., and Zimmermann, P. Random number generators with period divisible by a Mersenne prime. In Proceedings of Computational Science and its Applications (ICCSA) (2003), no. 2667 in Lecture Notes in Comput. Sci., Springer-Verlag, pp. 1–10. Invited paper.

[51] Calmet, J., and Lefèvre, V. Toward the integration of numerical computations into the OMSCS framework. In Proceedings of the 7th International Workshop on Computer Algebra in Scientific Computing (CASC 2004) (Saint Petersburg, Russia, 2004), V. Ganzha, E. Mayr, and E. Vorozhtsov, Eds., pp. 71–79.


[52] Cavallar, S., Dodson, B., Lenstra, A. K., Lioen, W., Montgomery, P. L., Murphy, B., te Riele, H., Aardal, K., Gilchrist, J., Guillerm, G., Leyland, P., Marchand, J., Morain, F., Muffett, A., Putnam, C., Putnam, C., and Zimmermann, P. Factorization of a 512-bit RSA modulus. In Preneel [44], pp. 1–18. Proc. International Conference on the Theory and Application of Cryptographic Techniques, Brugge, Belgium, May 2000.

[53] Chevassut, O., Fouque, P.-A., Gaudry, P., and Pointcheval, D. The Twist-AUgmented technique for key exchange. In PKC (2006), M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, Eds., vol. 3958 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 410–426.

[54] de Dinechin, F., and Lefèvre, V. Constant multiplier for FPGAs. In Second International Workshop on Engineering of Reconfigurable Hardware/Software Objects (ENREGLE 2000) (Monte Carlo Resort, Las Vegas, Nevada, USA, Jun. 2000). Also available as LIP research report 2000-18.

[55] Fouquet, M., Gaudry, P., and Harley, R. Finding secure curves with the Satoh-FGH algorithm and an early-abort strategy. In Advances in Cryptology – EUROCRYPT 2001 (2001), B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 14–29.

[56] Fousse, L., and Zimmermann, P. Accurate summation: Towards a simpler and formal proof. In Proceedings of the RNC'5 conference (Real Numbers and Computers) (2003), pp. 97–108.

[57] Gaudry, P. An algorithm for solving the discrete log problem on hyperelliptic curves. In Preneel [44], pp. 19–34. Proc. International Conference on the Theory and Application of Cryptographic Techniques, Brugge, Belgium, May 2000.

[58] Gaudry, P. A comparison and a combination of SST and AGM algorithms for counting points of elliptic curves in characteristic 2. In Advances in Cryptology – ASIACRYPT 2002 (2002), Y. Zheng, Ed., vol. 2501 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 311–327.

[59] Gaudry, P. Chapter 7: Hyperelliptic curves and the HCDLP. In Advances in Elliptic Curve Cryptography (2005), I. Blake, G. Seroussi, and N. Smart, Eds., vol. 317 of London Mathematical Society Lecture Note Series, Cambridge University Press.

[60] Gaudry, P., and Gürel, N. An extension of Kedlaya's algorithm to superelliptic curves. In Advances in Cryptology – ASIACRYPT 2001 (2001), C. Boyd and E. Dawson, Eds., vol. 2248 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 480–494.

[61] Gaudry, P., and Harley, R. Counting points on hyperelliptic curves over finite fields. In ANTS-IV (2000), W. Bosma, Ed., vol. 1838 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 313–332.

[62] Gaudry, P., and Morain, F. Fast algorithms for computing the eigenvalue in the Schoof-Elkies-Atkin algorithm. In ISSAC (2006), ACM. To appear.

[63] Gaudry, P., and Schost, E. Construction of secure random curves of genus 2 over prime fields. In Advances in Cryptology – EUROCRYPT 2004 (2004), C. Cachin and J. Camenisch, Eds., vol. 3027 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 239–256.

[64] Hanrot, G., and Morain, F. Solvability by radicals from an algorithmic point of view. In ISSAC 2001 (2001), B. Mourrain, Ed., ACM Press, pp. 175–182. Proc. International Symposium on Symbolic and Algebraic Computation, July 22–25, 2001, London, Ontario, Canada.

[65] Lefèvre, V. The generic multiple-precision floating-point addition with exact rounding (as in the MPFR library). In Proceedings of RNC'6 (Schloß Dagstuhl, Germany, November 15–17, 2004).


[66] Lefèvre, V., and Muller, J.-M. Worst cases for correct rounding of the elementary functions in double precision. In Proceedings of the 15th IEEE Symposium on Computer Arithmetic (ARITH'15) (2001), N. Burgess and L. Ciminiera, Eds., IEEE Computer Society, pp. 111–118.

[67] Lefèvre, V. Multiplication by an integer constant: Lower bounds on the code length. In Proceedings of the 5th Conference on Real Numbers and Computers (École Normale Supérieure de Lyon, France, Sept. 2003), pp. 131–146.

[68] Nguyen, P. Q., and Stehlé, D. Low-dimensional lattice basis reduction revisited (extended abstract). In ANTS-VI (2004), vol. 1838, Springer-Verlag, pp. 338–357.

[69] Nguyen, P., and Stehlé, D. Floating-point LLL revisited. In Proceedings of Eurocrypt 2005 (2005), vol. 3494 of Lecture Notes in Comput. Sci., Springer, pp. 215–233.

[70] Stehlé, D., Lefèvre, V., and Zimmermann, P. Worst cases and lattice reduction. In Proceedings of the 16th IEEE Symposium on Computer Arithmetic (2003), J.-C. Bajard and M. Schulte, Eds., IEEE Computer Society, pp. 142–147.

[71] Stehlé, D., and Zimmermann, P. A binary recursive gcd algorithm. In Proceedings of the International Symposium on Algorithmic Number Theory – ANTS VI, Burlington, US (2004), Lecture Notes in Comput. Sci.

[72] Stehlé, D., and Zimmermann, P. Gal's accurate tables method revisited. In 17th IEEE Symposium on Computer Arithmetic – ARITH'17, Cape Cod, MA, USA (Jun 2005), IEEE, pp. 236–257.

[73] Thomé, E. Computation of discrete logarithms in F_{2^607}. In Advances in Cryptology – ASIACRYPT 2001 (2001), C. Boyd and E. Dawson, Eds., vol. 2248 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 107–124.

[74] Thomé, E. Fast computation of linear generators for matrix sequences and application to the block Wiedemann algorithm. In ISSAC 2001 (2001), B. Mourrain, Ed., ACM Press, pp. 323–331. Proc. International Symposium on Symbolic and Algebraic Computation, July 22–25, 2001, London, Ontario, Canada.

[75] Zimmermann, P. Symbolic computation: Recent progress and new frontiers. In Proceedings of SCAN'02 (2002). Invited talk.

[76] Zimmermann, P., and Dodson, B. 20 years of ECM. In Proceedings of the 7th Algorithmic Number Theory Symposium (ANTS VII) (Berlin Heidelberg, 2006), F. Hess, S. Pauli, and M. Pohst, Eds., vol. 4076 of Lecture Notes in Comput. Sci., Springer-Verlag, pp. 525–542.

Research Reports

[77] Belabas, K., Hanrot, G., and Zimmermann, P. Tuning and generalizing Van Hoeij's algorithm. Research Report RR-4124, INRIA, 2001. 13 pages.

[78] Lefèvre, V., and Zimmermann, P. Arithmétique flottante. Research Report RR-5105, INRIA, 2004. 60 pages.

[79] Stehlé, D., and Zimmermann, P. Gal's accurate tables method revisited. Research Report RR-5359, INRIA, 2004. 23 pages.

[80] Zimmermann, P. Karatsuba square root. Research Report RR-3805, INRIA, 1999.


Unpublished

[81] Gaudry, P. Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. Preprint. Available at http://eprint.iacr.org/2004/073/, Mar. 2004.

[82] Gaudry, P. Fast genus 2 arithmetic based on theta functions. Cryptology ePrint Archive: Report 2005/314, 2005.

[83] Gaudry, P. Algorithmes de comptage de points d'une courbe définie sur un corps fini. Article de survol, notes d'un cours donné à l'IHP. Preprint, 28 pages, 2006.

[84] Gaudry, P., Thériault, N., and Thomé, E. A double large prime variation for small genus hyperelliptic index calculus. Preprint. Available at http://eprint.iacr.org/2004/153/, Jul. 2004.

[85] Hanrot, G., Tenenbaum, G., and Wu, J. Moyennes de fonctions arithmétiques sur les entiers friables. Submitted, 34 pages, 2006.

Others

[86] Gaudry, P., and Schost, E. Cardinality of a genus 2 hyperelliptic curve over GF(5·10^24 + 41). Email to the NMBRTHRY mailing list. Available at http://listserv.nodak.edu/archives/nmbrthry.html, 2002.

[87] Lefèvre, V., Stehlé, D., and Zimmermann, P. Worst cases for the exponential function in the IEEE 754r decimal64 format. http://hal.inria.fr/inria-00068731, 2006.

[88] Pélissier, P. Comparison of other software to MPFR. http://www.medicis.polytechnique.fr/~pphd/mpfr/timings.html, 2004.

[89] Thomé, E. Discrete logarithms in GF(2^607). Email to the NMBRTHRY mailing list. Available at http://listserv.nodak.edu/archives/nmbrthry.html, 2002.

[90] Zimmermann, P. GMP-ECM: a program to factor integers via ECM. http://www.loria.fr/~zimmerma/records/ecmnet.html.

[91] Zimmermann, P. The elliptic curve method. Entry in the Encyclopedia of Information Security, 2003. To appear. Editor Burt Kaliski. Published by Kluwer.


A Short Vitae from Team Members

A.1 Permanent Team Members

Pierrick Gaudry. Born 1973/05/17. CNRS Research Scientist.

2005– CNRS research scientist (CR1) at LORIA.

2001–2005 CNRS research scientist (CR2) at LIX, École polytechnique.

1998–2001 PhD thesis at LIX (École polytechnique), under the supervision of F. Morain.

1995 MSc in computer science at École polytechnique.

1993 Admitted to École normale supérieure de Cachan.

Research interests: Computational number theory, cryptology.

Mobility

2000 One-month stay at the IEM (Essen) in G. Frey's team.

2001 Three-month stay at the University of Sydney in J. Cannon's team.

2001 One-month stay at the University of Illinois at Urbana-Champaign in N. Boston's team.

Responsibilities within the scientific community

2003–2005 Vice-head of the TANC project-team at INRIA Futurs.

PhD students

2004– Co-advisor (with F. Morain) of T. Houtmann's PhD thesis.

Guillaume Hanrot. Born 1973/01/17. INRIA Research Scientist.

1998– INRIA research scientist (CR2, then CR1 from 2001) at INRIA Lorraine/LORIA.

1993–1997 PhD thesis at A2X (Université Bordeaux I), under the supervision of J.-M. Deshouillers.

1993 MSc in computer science at École polytechnique.

1991 Admitted to École normale supérieure.

Research interests: Computational number theory, diophantine equations, computer arithmetic.

Mobility

2003 Two-week invitation at the Schrödinger Institute, Wien, for a program in Analytic Number Theory and Diophantine Equations.

1996 One-month stay at Rutgers University, in H. Iwaniec's team.

Responsibilities within the scientific community


2004– Correspondent for INRIA of the SMF (Société mathématique de France).

2004– Vice-president of the "Comité des projets" of INRIA-Lorraine.

2002–2004 In charge of the PolyCrypt action supported by the ACI Cryptologie.

2002– Elected member of the INRIA Evaluation Board.

2002– Appointed member of the "Conseil de laboratoire" of LORIA.

2002– Co-organizer (with F. Rouillier and E. Schost) of the "Journées nationales de calcul formel" at CIRM (Luminy).

PhD students

2000–2003 Co-advisor (with F. Morain) of N. Gürel's PhD thesis.

2002– Co-advisor (with G. Tenenbaum) of J.-P. Cerri's PhD thesis.

Vincent Lefèvre. Born 1973/05/23. INRIA Research Scientist.

2000– INRIA research scientist (CR2, then CR1 from 2003) at INRIA Lorraine/LORIA.

1996–1999 PhD thesis at LIP (ENS Lyon) under the supervision of J.-M. Muller.

1996 MSc in computer science at ENS Lyon.

1993 Admitted to École normale supérieure de Lyon.

Research interests: Computer arithmetic.

Mobility

1995 Three-month stay at Odense University (Denmark) in P. Kornerup's team.

2003 Three-month stay at Karlsruhe University (Germany) in J. Calmet's team.

Emmanuel Thomé. Born 1976/08/30. INRIA Research Scientist.

2003– INRIA research scientist (CR2) at LIX, École polytechnique.

1999–2003 PhD thesis at LIX (École polytechnique), under the supervision of F. Morain.

1997 MSc in computer science at École polytechnique.

1995 Admitted to École normale supérieure.

Research interests: Linear algebra, computational number theory.

Mobility

1999–2000 One-year stay at the University of Illinois at Chicago.

2001 Two-month stay at the University of Sydney.


Paul Zimmermann. Born 1964/11/13. INRIA Senior Research Scientist.

1998– INRIA senior research scientist (DR2) at INRIA Lorraine/LORIA.

1993–1998 INRIA research scientist at INRIA Lorraine/LORIA.

1991–1993 INRIA research scientist at INRIA Rocquencourt.

2001 "Habilitation à diriger des recherches", University of Nancy 1 (UHP).

1988–1991 PhD thesis at INRIA Rocquencourt, under the supervision of Ph. Flajolet.

1987 MSc in computer science at École polytechnique.

1984 Admitted to École polytechnique.

Research interests: Analysis of algorithms, computer algebra, computer arithmetic.

Mobility

1994–1995 One-year stay at Paderborn University (Germany), in the MuPAD group headed by B. Fuchssteiner.

Responsibilities within the scientific community

2001–04 Vice-head of the Spaces project-team (head of the Nancy part).

2002– Member of the board of the GDR ALP, a CNRS structure created to animate the French community in Algorithms, Language and Programming.

2001– Member of the program committee of the ARITH conference.

1999–2001 Elected member of the INRIA Evaluation Board.

1997–99 Head of the PolKA project-team.

PhD students

2003– Advisor of L. Fousse's PhD thesis.

2003– Advisor of D. Stehlé's PhD thesis.

1994–1997 Advisor of F. Berthault's PhD thesis.

A.2 Non-permanent Team Members

Laurent Fousse graduated from École normale supérieure de Lyon, France, in 2003. He is a PhD student working at LORIA, Nancy, France, on reliable numerical integration. His main interest is computer arithmetic.

PhD topic: numerical integration with correct rounding.

B Existing software developed by the project-team

We describe here the main software tools developed by members of the project-team. These tools will be used to implement, experiment with and demonstrate the new algorithms designed by the project-team.


mpfr. mpfr is a library for multiple-precision binary floating-point computations, distributed under the GNU Lesser General Public License (www.mpfr.org). This library has been developed within the project-team since 1999, and the latest version is 2.1.1, released in February 2005. Several multiple-precision floating-point packages exist. Among others, there are computer algebra systems like Maple and Mathematica, and libraries like Pari/GP and NTL. What makes mpfr different is that it implements correct rounding à la IEEE-754, provides special values like NaN (Not-a-Number) and ±∞, and some mechanisms to control exceptions (underflow, overflow). mpfr also enables the user to control exactly the number of bits allocated for each floating-point variable; this number is not necessarily a multiple of the number of bits per word (usually 32 or 64 on modern processors). As a consequence, programs using mpfr are portable and give identical results on any computer, either 32-bit or 64-bit.

The main objectives concerning the mpfr library are the following:

• implement new mathematical functions, for example those needed by software which now uses mpfr for its floating-point arithmetic, like Magma;

• design new high-level modules on top of mpfr, still with correct rounding of course. Examples of such modules are: numerical quadrature (see §6.3.1), polynomial root solving, . . .

• construct formal proofs of the algorithms used by mpfr, and also of the implementation of those algorithms in the C language. This would be achieved in collaboration with the Marelle team (see §9.1.7).
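What "correct rounding at a caller-chosen precision" means in practice is easy to see with exact rationals, and the following added example (written for this page, not taken from mpfr) models the rule mpfr implements: compute the exact result, then round it once, to nearest with ties to even, at p significant bits. The function and the constructed inputs below are ours; the second function shows the "double rounding" that sneaks in when an intermediate result is first stored in a wider format, which is exactly the effect that makes results differ across machines when a library does not control precision bit by bit.

```python
"""Correct rounding to a caller-chosen number of bits, modelled with exact
rationals.  Added example for this page; it is not mpfr code, only a model of
the rounding rule mpfr implements (round to nearest, ties to even)."""
from fractions import Fraction


def round_to_bits(x, p):
    """Round the rational x to the nearest binary floating-point number with a
    p-bit significand, ties to even.  Returns an exact Fraction, so the caller
    can see precisely which representable value was chosen."""
    x = Fraction(x)
    if x == 0:
        return x
    sign = -1 if x < 0 else 1
    x = abs(x)
    # Find the exponent e with 2^(p-1) <= x / 2^e < 2^p (the significand range).
    e = x.numerator.bit_length() - x.denominator.bit_length() - p
    while x / Fraction(2) ** e >= 2 ** p:
        e += 1
    while x / Fraction(2) ** e < 2 ** (p - 1):
        e -= 1
    scaled = x / Fraction(2) ** e
    m = scaled.numerator // scaled.denominator      # truncated significand
    rem = scaled - m                                # fractional part in [0, 1)
    if rem > Fraction(1, 2) or (rem == Fraction(1, 2) and m % 2 == 1):
        m += 1                                      # round up; ties go to even m
    return sign * Fraction(m) * Fraction(2) ** e


def correctly_rounded_product(a, b, p):
    """Single rounding of the exact product: what a correctly rounded
    multiplication at precision p must return."""
    return round_to_bits(Fraction(a) * Fraction(b), p)


def double_rounded_product(a, b, p_wide, p):
    """Product rounded first to p_wide bits and then to p bits: the 'double
    rounding' that an intermediate wider format introduces."""
    return round_to_bits(round_to_bits(Fraction(a) * Fraction(b), p_wide), p)


def double_rounding_example():
    """Constructed inputs on which rounding through 53 bits and then to 24 bits
    disagrees with a single correct rounding to 24 bits.
    Returns (correctly_rounded, double_rounded)."""
    a = 1 + Fraction(1, 2 ** 24) + Fraction(1, 2 ** 60)   # just above a 24-bit tie
    b = Fraction(1)
    return (correctly_rounded_product(a, b, 24),
            double_rounded_product(a, b, 53, 24))


if __name__ == "__main__":
    correct, doubled = double_rounding_example()
    print("single rounding to 24 bits :", correct)   # 8388609/8388608, i.e. 1 + 2^-23
    print("via 53 bits, then 24 bits  :", doubled)   # 1
```

The input sits a hair above the midpoint between 1 and 1 + 2^-23. Rounded once at 24 bits it goes up, as it must; rounded first at 53 bits the tiny excess is lost, the value becomes an exact tie, and the second rounding sends it down to 1 by the ties-to-even rule. Two answers for one product is precisely what a correctly rounded library rules out.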

gmp-ecm. gmp-ecm is a program implementing the Elliptic Curve Method for integer factorization, distributed under the GNU General Public License [90]. Other efficient ECM implementations are Montgomery's ecmfft program, Woltman's mprime program, and the Magma and Pari/GP implementations. ecmfft ran on MIPS machines only, and is no longer maintained. mprime is more efficient than gmp-ecm for stage 1 of ECM, because it contains highly tuned assembler code; however, it only runs on x86-compatible platforms, and can only factor Mersenne and Fermat numbers (of the form 2^n ± 1). mprime, Magma and Pari/GP all implement a "classical" stage 2, with a bound B2 ∼ 100 B1 at the optimal settings. By contrast, the gmp-ecm stage 2 uses fast polynomial arithmetic (product and remainder, product- and remainder-tree), which enables it to use a much larger stage 2 bound B2. An interface was designed that enables one to perform stage 1 using mprime, and stage 2 with gmp-ecm.
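To make the stage 1 / stage 2 split concrete, here is an added toy ECM in Python. It is not gmp-ecm (which is C code on top of GMP with the fast polynomial arithmetic described above) and uses the simplest possible curve arithmetic: stage 1 multiplies a random point by every prime power up to B1, the "classical" stage 2 walks the primes in (B1, B2] with one curve addition per prime, and a factor of n appears the moment a modular inversion fails. The composite 10007 · 10009, the bounds and the curve selection are all constructed for the demonstration.

```python
"""Toy Elliptic Curve Method (ECM) with a stage 1 and a "classical" stage 2
over the primes in (B1, B2].  Added example for this page, not gmp-ecm code:
it uses affine Weierstrass curves y^2 = x^3 + a x + b over Z/nZ with plain
Python integers, so it is only meant for small composites and for showing
where a factor actually appears (in a failed modular inversion)."""
import math
import random


class FactorFound(Exception):
    """Raised when an inversion mod n fails: gcd(x, n) is then a divisor of n."""

    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor


def inv_mod(x, n):
    """Inverse of x modulo n; a non-invertible x reveals a divisor of n."""
    g = math.gcd(x % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(x, -1, n)


def ec_add(P, Q, a, n):
    """Add affine points on y^2 = x^3 + a x + b (mod n); None is the identity.
    The coefficient b never enters the formulas, so it is not passed around."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % n == 0:                                # P == -Q
            return None
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n      # tangent (doubling)
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n             # chord
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)


def ec_mul(k, P, a, n):
    """Right-to-left double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R


def primes_upto(limit):
    """Sieve of Eratosthenes; returns the primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


def stage1(P, a, n, B1):
    """Stage 1: multiply P by every prime power <= B1."""
    for p in primes_upto(B1):
        pe = p
        while pe * p <= B1:
            pe *= p
        P = ec_mul(pe, P, a, n)
        if P is None:
            return None
    return P


def stage2(Q, a, n, B1, B2):
    """Classical stage 2: for each prime q in (B1, B2] form q*Q.  Consecutive
    odd primes differ by a small even gap d, so q'*Q = q*Q + d*Q costs one
    addition once the multiples d*Q are tabulated (requires B1 >= 2)."""
    primes = [q for q in primes_upto(B2) if q > B1]
    if len(primes) < 2:
        return
    gaps = [q1 - q0 for q0, q1 in zip(primes, primes[1:])]
    two_q = ec_add(Q, Q, a, n)
    table, D = {}, None
    for d in range(2, max(gaps) + 1, 2):
        D = ec_add(D, two_q, a, n)
        table[d] = D
    R = ec_mul(primes[0], Q, a, n)
    for d in gaps:
        R = ec_add(R, table[d], a, n)


def ecm(n, B1=100, B2=None, curves=50, seed=1):
    """Try up to `curves` random curves; return a nontrivial divisor of n or
    None.  B2 defaults to the 100*B1 ratio quoted in the text above."""
    if B2 is None:
        B2 = 100 * B1
    rng = random.Random(seed)
    for _ in range(curves):
        # Random point and a; b = y0^2 - x0^3 - a*x0 is implied and never needed.
        x0, y0, a = (rng.randrange(1, n) for _ in range(3))
        try:
            Q = stage1((x0, y0), a, n, B1)
            if Q is not None:
                stage2(Q, a, n, B1, B2)
        except FactorFound as found:
            if 1 < found.factor < n:     # gcd == n: both factors hit at once, retry
                return found.factor
    return None


if __name__ == "__main__":
    n = 10007 * 10009                    # constructed composite of two 14-bit primes
    print(ecm(n, B1=100, B2=20000))
```

The point to take from the code is where the factor comes from: nothing ever "finds" p directly; a chord or tangent slope needs an inverse that does not exist modulo the hidden prime, and the gcd computed on the way to that inverse is the divisor. Stage 2 is cheap here because each prime costs one addition, but it is still one addition per prime; the polynomial-arithmetic stage 2 of gmp-ecm is what allows B2 to grow far beyond 100·B1.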
