Séminaire de Théorie Algorithmique des Nombres

Responsables : Razvan Barbulescu et Wessel Van Woerden

Le 4 janvier 2022 à 10:00

Online

Guillaume Moroz Inria\, LORIA

New data structure for univariate polynomial approximation and applications to root isolation, numerical multipoint evaluation, and other problems

We present a new data structure to approximate accurately and efficiently a polynomial $f$ of degree $d$ given as a list of coefficients. Its properties allow us to improve the state-of-the-art bounds on the bit complexity for the problems of root isolation and approximate multipoint evaluation. This data structure also leads to a new geometric criterion to detect ill-conditioned polynomials, implying notably that the standard condition number of the zeros of a polynomial is at least exponential in the number of roots of modulus less than $\frac{1}{2}$ or greater than $2$.

Le 25 janvier 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Online

Céline Maistret University of Bristol

Parity of ranks of abelian surfaces

Let $K$ be a number field and $A/K$ an abelian surface. By the Mordell-Weil theorem, the group of $K$-rational points on $A$ is finitely generated and as for elliptic curves, its rank is predicted by the Birch and Swinnerton-Dyer conjecture. A basic consequence of this conjecture is the parity conjecture: the sign of the functional equation of the $L$-series determines the parity of the rank of $A/K$.

Le 8 février 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Online

Elisa Lorenzo Garcia Université de Neuchâtel

Reduction type of hyperelliptic curves in terms of the valuations of their invariants.

In this talk we will first review the classical criteria to determine the (stable) reduction type of elliptic curves (Tate) and of genus 2 curves (Liu) in terms of the valuations of some particular combinations of their invariants. We will also revisit the theory of cluster pictures to determine the reduction type of hyperelliptic curves (Dokchitser's et al.). Via Mumford theta constants and Takase and Tomae's formulas we will be able to read the cluster picture information by looking at the valuations of some (Ã la Tsuyumine) invariants in the genus 3 case. We will also discuss the possible generalization of this strategy for any genus and some related open questions.

Le 8 mars 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Online

Elena Berardini Télécom Paris

Calcul d'espaces de Riemann-Roch pour les codes géométriques

Les codes de Reed-Solomon sont largement utilisÃ©s pour reprÃ©senter des donnÃ©es sous forme de vecteurs, de sorte que les donnÃ©es peuvent Ãªtre rÃ©cupÃ©rÃ©es mÃªme si certaines coordonnÃ©es des vecteurs sont corrompues. Ces codes ont de nombreuses propriÃ©tÃ©s. Leurs paramÃ¨tres sont optimaux. Ils permettent de reconstruire des coordonnÃ©es qui ont Ã©tÃ© effacÃ©es. Ils sont compatibles avec l'addition et la multiplication de donnÃ©es. NÃ©anmoins, ils souffrent de certaines limitations. Notamment, la taille de stockage des coordonnÃ©es des vecteurs augmente de maniÃ¨re logarithmique avec le nombre de coordonnÃ©es. Les codes dits gÃ©omÃ©triques gÃ©nÃ©ralisent les codes de Reed-Solomon en bÃ©nÃ©ficiant des mÃªmes propriÃ©tÃ©s, tout en Ã©tant libres de ces limitations. Par consÃ©quent, l'utilisation de codes gÃ©omÃ©triques apporte des gains de complexitÃ©, et s'avÃ¨re utile dans plusieurs applications telles que le calcul distribuÃ© sur les secrets et les preuves zero-knowledge. Les codes gÃ©omÃ©triques sont construits en Ã©valuant des familles de fonctions, appelÃ©es espaces de Riemann-Roch, en les points rationnels d'une courbe. Il s'ensuit que le calcul de ces espaces est crucial pour la mise en Å“uvre des codes gÃ©omÃ©triques. Dans cet exposÃ©, je prÃ©senterai un travail rÃ©cent en collaboration avec S. Abelard, A. Couvreur et G. Lecerf sur le calcul effectif des bases des espaces de Riemann-Roch de courbes. AprÃ¨s avoir rÃ©visÃ© l'Ã©tat de l'art sur le sujet, je discuterai des idÃ©es Ã la base de notre algorithme, en particulier la thÃ©orie de Brill-Noether et l'utilisation des expansions de Puiseux. Les courbes utilisÃ©es dans la construction des codes gÃ©omÃ©triques sont pour la plupart limitÃ©es Ã celles pour lesquelles les bases de Riemann-Roch sont dÃ©jÃ connues. Ce nouveau travail et ceux qui suivront, permettront la construction de codes gÃ©omÃ©triques Ã partir de courbes plus gÃ©nÃ©rales.

Le 15 mars 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Salle 2

Pierrick Dartois Corps des mines\, Rennes 1

Cryptanalyse du protocole OSIDH

Oriented Supersingular Isogeny Diffie-Hellman (OSIDH) est un Ã©change de clÃ© post-quantique proposÃ© par Leonardo ColÃ² et David Kohel en 2019. La construction repose sur lâ€™action du groupe de classe dâ€™un ordre quadratique imaginaire sur un espace de courbes elliptiques supersinguliÃ¨res et peut donc Ãªtre vue comme une gÃ©nÃ©ralisation du cÃ©lÃ¨bre Ã©change de clÃ© Ã base dâ€™isogÃ©nies CSIDH. Cependant, OSIDH est trÃ¨s diffÃ©rent de CSIDH dâ€™un point de vue algorithmique parce quâ€™OSIDH utilise des groupes de classe plus structurÃ©s que CSIDH. Comme lâ€™ont reconnu ColÃ² et Kohel eux-mÃªmes, cela rend OSIDH plus vulnÃ©rable aux attaques. Pour contourner cette faiblesse, ils ont proposÃ© une faÃ§on ingÃ©nieuse dâ€™effectuer lâ€™Ã©change de clÃ© en Ã©changeant de lâ€™information sur lâ€™action du groupe de classe au voisinage des courbes publiques, et ont conjecturÃ© que cette information additionnelle nâ€™impacterait pas la sÃ©curitÃ©.

Le 22 mars 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Salle 2

Jean Kieffer Harvard University

Schémas de Newton certifiés pour l'évaluation des fonctions thêta en petit genre

Les fonctions thÃªta permettent de relier les points de vue algÃ©brique et analytique dans l'Ã©tude des variÃ©tÃ©s abÃ©liennes: ce sont des formes modulaires de Siegel qui fournissent des coordonnÃ©es sur ces variÃ©tÃ©s et leurs espaces de modules. Rendre ce lien effectif nÃ©cessite un algorithme efficace d'Ã©valuation de ces fonctions thÃªta en un point. Dupont, dans sa thÃ¨se (2006), a dÃ©crit un algorithme heuristique basÃ© sur la moyenne arithmÃ©tico-gÃ©omÃ©trique (AGM) et un schÃ©ma de Newton pour Ã©valuer certaines fonctions thÃªta en genre 1 et 2 en temps quasi-linÃ©aire en la prÃ©cision. Le but de cet exposÃ© est de montrer que l'on peut en fait obtenir un algorithme certifiÃ© dont la complexitÃ© est uniforme. Je discuterai Ã©galement des obstacles restants pour gÃ©nÃ©raliser ce rÃ©sultat en dimension supÃ©rieure.

Le 29 mars 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Online

Andreas Pieper Universität Ulm

Constructing all genus 2 curves with supersingular Jacobian

F. Oort showed that the moduli space of principally polarized supersingular abelian surfaces is a union of rational curves. This is proven by showing that every principally polarized supersingular abelian surface is the Jacobian of a fibre of one of the families of genus 2 curves $\pi: \mathcal{C}\rightarrow \mathbb{P}^1$ constructed by L. Moret-Bailly. We present an algorithm that makes this construction effective: Given a point $x\in \mathbb{P}^1$ we compute a hyperelliptic model of the fibre $\pi^{-1}(x)$. The algorithm uses Mumford's theory of theta groups to compute quotients by the group scheme $\alpha_p$.

Le 5 avril 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Damien Robert IMB

Towards computing the canonical lift of an ordinary elliptic curve in medium characteristic

Satoh's algorithm for counting the number of points of an elliptic curve $E/\mathbb F_q$ with $q=p^n$ is the fastest known algorithm when $p$ is fixed: it computes the invertible eigenvalue $»$ of the Frobenius to $p$-adic precision $m$ in time $\tilde{O}(p^2 n m)$. Since by Hasse's bound, recovering $\chi_{\pi}$ requires working at precision $m=O(n)$, the point counting complexity is of $\tilde{O}(p^2 n^2)$, quasi-quadratic in the degree $n$.Unfortunately, the term $p^2$ in the complexity makes Satoh's algorithm suitable only for smaller $p$. For medium sized $p$, one can use Kedlaya's algorithm which cost $\tilde{O}(p n^2 m)$ or a variant by Harvey's which cost $\tilde{O}(p^{1/2} n^{5/2} m + n^4 m)$, which have a better complexity on $p$ but a worse one on $n$. For large $p$, the SEA algorithm costs $\tilde{O}(log^4 q)$.In this talk, we improve the dependency on $p$ of Satoh's algorithm while retaining the dependency on $n$ to bridge the gap towards medium characteristic. We develop a new algorithm with a complexity of $\tilde{O}(p n m)$. In the particular case where we are furthermore provided with a rational point of $p$-torsion, we even improve this complexity to $\tilde{O}(p^{1/2} n m)$.This is a joint work with Abdoulaye Maiga.

Le 12 avril 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Josué Tonelli-Cueto Inria Paris\, IMJ-PRG

A p-adic Descartes solver: the Strassman solve

Solving polynomials is a fundamental computational problem in mathematics. In the real setting, we can use Descartes' rule of signs to efficiently isolate the real roots of a square-free real polynomial. In this talk, we show how to translate this method into the p-adic worlds. We show how the p-adic analog of Descartes' rule of signs, Strassman's theorem, leads to an algorithm to isolate the p-adic roots of a square-free p-adic polynomial and provide some complexity estimates adapting the condition-based complexity framework from real/complex numerical algebraic geometry to the p-adic case.

Le 26 avril 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Lassina Dembélé King's College London

"Correspondance de Langlands inertielle explicite pour ${\nm GL}_2$ et quelques applications arithmétiques"

Dans cet exposé nous allons décrire une approche explicite qui permet de calculer les types automorphes inertiels pour ${\rm GL}_2$. Nous donnerons ensuite quelques applications de cet algorithme à des problèmes diophantiens ou de nature arithmétique.

Le 3 mai 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Sergey Yurkevich University of Vienna\, Inria

The generating function of the Yang-Zagier Numbers is algebraic

In a recent paper Don Zagier mentions a mysterious integer sequence $(a_n) _{n \geq 0}$ which arises from a solution of a topological ODE discovered by Marco Bertola, Boris Dubrovin and Di Yang. In my talk I show how to conjecture, prove and even quantify that $(a_n) _{n \geq 0}$ actually admits an algebraic generating function which is therefore a very particular period. The methods are based on experimental mathematics and algorithmic ideas in differential Galois theory, which I will show in the interactive part of the talk. The presentation is based on joint work with A. Bostan and J.-A. Weil.

Le 17 mai 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Daniel Fiorilli Université Paris Saclay

Résultats de type oméga pour les comptages de corps cubiques

Il s'agit d'un travail en collaboration avec P. Cho, Y. Lee et A. Södergren. Depuis les travaux de Davenport-Heilbronn, beaucoup d'articles ont été ecrits donnant des estimations de plus en plus précises sur le comptage du nombre de corps cubiques de discriminant au plus X. Mentionnons par exemple les travaux de Belabas, Belabas-Bhargava-Pomerance, Bhargava-Shankar-Tsimerman, Taniguchi-Thorne et Bhargava-Taniguchi-Thorne. Dans cet exposé je parlerai d'un résultat négatif, qui montre que l'hypothèse de Riemann implique une limitation sur la plus petite taille possible du terme d'erreur dans ces estimations. Nous approchons la questions à partir de la théorie des petits zéros de fonctions $L$, en particulier la philosophie de Katz-Sarnak et les articles subséquents pour la famille des fonctions zeta de Dedekind de corps cubiques. Je présenterai aussi des résultats numériques obtenus avec pari/gp et le programme «cubic» de Belabas qui indiquent que notre résultat pourrait être optimal.

Le 18 mai 2022 à 14:30

Séminaire de Théorie Algorithmique des Nombres

Wessel van Woerden CWI Amsterdam

On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography

A natural and recurring idea in the knapsack/lattice cryptography literature is to start from a lattice with remarkable decoding capability as your private key, and hide it somehow to make a public key. This is also how the code-based encryption scheme of McEliece (1978) proceeds.This idea has never worked out very well for lattices: ad-hoc approaches have been proposed, but they have been subject to ad-hoc attacks, using tricks beyond lattice reduction algorithms. On the other hand the framework offered by the Short Integer Solution (SIS) and Learning With Errors (LWE) problems, while convenient and well founded, remains frustrating from a coding perspective: the underlying decoding algorithms are rather trivial, with poor decoding performance.In this work, we provide generic realisations of this natural idea (independently of the chosen remarkable lattice) by basing cryptography on the Lattice Isomorphism Problem (LIP). More specifically, we provide:- a worst-case to average-case reduction for search-LIP and distinguish-LIP within an isomorphism class, by extending techniques of Haviv and Regev (SODA 2014).- a zero-knowledge proof of knowledge (ZKPoK) of an isomorphism. This implies an identification scheme based on search-LIP.- a key encapsulation mechanism (KEM) scheme and a hash-then-sign signature scheme, both based on distinguish-LIP.The purpose of this approach is for remarkable lattices to improve the security and performance of lattice-based cryptography. For example, decoding within poly-logarithmic factor from Minkowski's bound in a remarkable lattice would lead to a KEM resisting lattice attacks down to a poly-logarithmic approximation factor, provided that the dual lattice is also close to Minkowski's bound. Recent works have indeed reached such decoders for certain lattices (Chor-Rivest, Barnes-Sloan), but these do not perfectly fit our need as their duals have poor minimal distance.

Le 24 mai 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Alice Pellet-Mary CNRS/IMB

Rigorous computation of class group and unit group

Computing the class group and the unit group of a number field is a famous problem of algorithmic number theory. Recently, it has also become an important problem in cryptography, since it is used in multiple algorithms related to algebraic lattices.Subexponential time algorithms are known to solve this problem in any number fields, but they heavily rely on heuristics. The only non-heuristic (but still under ERH) known algorithm, due to Hafner and McCurley, is restricted to imaginary quadratic number fields.In this talk, we will see a rigorous subexponential time algorithm computing units and class group (and more generally S-units) in any number field, assuming the extended Riemann hypothesis.This is a joint work with Koen de Boer and Benjamin Wesolowski.

Le 31 mai 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Philippe Elbaz-Vincent Institut Fourier / Inria / IMB

Sur quelques points, plus ou moins effectifs, de cohomologie des groupes arithmétiques

Nous donnerons un panorama de certaines techniques et résultats pour le calcul de la cohomologie des groupes arithmétiques de rang $\ge 4$ pour des anneaux d'entiers algébriques, ainsi que leurs applications arithmétiques et K-théoriques. Nous ferons ensuite un focus sur les méthodes utilisant le modèle de Voronoi (euclidien ou hermitien), ainsi que plusieurs améliorations algorithmiques. Nous préciserons certains résultats relatifs aux complexes de Voronoi et leurs cellules (pour $\mathrm{GL}_N$ avec $N \geq 12$), ainsi qu'un travail en cours avec B. Allombert et R. Coulangeon sur les formes parfaites de rang $N$ sur $\mathcal{O}_K$ et la cohomologie de $\mathrm{GL}_N(\mathcal{O}_K)$ pour certains anneaux d'entiers avec $N=4,5,6$. Nous mentionnerons aussi plusieurs problèmes ouverts relatifs à ces modèles.

Le 14 juin 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Antoine Leudière Université de Lorraine

An explicit CRS-like action with Drinfeld modules

L'une des pierres angulaires de la cryptographie des isogénies est l'action (dite CRS), simplement transitive, du groupe des classes d'un ordre d'un corps quadratique imaginaire, sur un certain ensemble de classes d'isomorphismes de courbes elliptiques ordinaires.L'échange de clé non-interactif basé sur cette action (espace homogène difficile) est relativement lent (de Feo, Kieffer, Smith, 2019) ; la structure du groupe (Beullens, Kleinjung, Vercauteren, 2019) est difficile à calculer. Pour palier à cela, nous décrivons une action, simplement transitive, de la jacobienne d'une courbe hyperelliptique imaginaire, sur un certain ensemble de classes d'isomorphismes de modules de Drinfeld. Après avoir motivé l'utilisation des modules de Drinfeld en lieu et place des courbes elliptiques, nous décrirons un algorithme efficace de calcul de l'action, ainsi que la récente attaque de Benjamin Wesolowski sur l'échange de clé donné par l'action.

Le 28 juin 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Andreas Enge Inria/IMB

Implementing fastECPP in CM

FastECPP is currently the fastest approach to prove the primality of general numbers, and has the additional benefit of creating certificates that can be checked independently and with a lower complexity. It crucially relies on the explicit construction of elliptic curves with complex multiplication.I will take you on a leisurely stroll through the different phases of the ECPP and fastECPP algorithms, with explanations of their complexity. We will then see the algorithmic choices I have made when integrating a parallelised implementation of fastECPP into my CM software, which has recently been used to prove the primality of a number of record size 50000 digits

Le 12 juillet 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Michael Monagan Simon Fraser University

Computing with polynomials over algebraic number fields

Let $K = \mathbb{Q}(\alpha_1,\dots,\alpha_k)$ be an algebraic number field. We are interested in computing polynomial GCDs in $K[x]$ and $K[x_1,\dots,x_n]$. Of course we also want to multiply, divide and factor polynomials over $K$. In $K[x]$ we have the Euclidean algorithm but it "blows up"; there is a growth in the size of the rational numbers in the remainders. It is faster to compute the GCD modulo one or more primes and use the Chinese remainder theorem and rational number reconstruction. This leads to computing a GCD in $R[x]$ where $R = K \pmod p$ is usually not be a field; it is a finite ring.How do Computer Algebra Systems represent elements of $K$? How do Computer Algebra Systems compute GCDs in $K[x]$? What is the best way to do arithmetic in $R$? How can we compute a polynomial GCD in $K[x_1,\dots,x_n]$? In the talk we will try to answer these questions and we will present some timing benchmarks comparing our own C library for computing GCDs in $R[x]$ with Maple and Magma.

Le 13 septembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Damien Robert Inria/IMB

Breaking SIDH in polynomial time

SIDH/SIKE was a post quantum key exchange mechanism based on isogenies between supersingular elliptic curves which was recently selected in July 5 2022 by NIST to advance to the fourth round of the PQC competition. It was soon after broken during the summer in a series of three papers by Castryck-Decru, Maino-Martindale and myself.The attacks all use the extra information on the torsion points used for the key exchange. We first review Petit's dimension 1 torsion point attack from 2017 which could only apply to unbalanced parameters. Then we explain how the dimension 2 attacks of Maino-Martindale and especially Castryck-Decru could break in heuristic (but in practice very effective) polynomial time some parameters, including the NIST submission where the starting curve $E: y^2=x^3+x$ has explicit endomorphism $i$.Finally we explain how by going to dimension 8, we could break in proven quasi-linear time all parameters for SIKE.We will explain how the SIDH protocol worked at the beginning of the talk. We will see that the attack ultimately relies on a very simple 2x2 matrix computation! There will also be (hopefully) fun memes during the talk!

Le 20 septembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Fredrik Johansson Inria/IMB

Faster computation of elementary functions

Over a decade ago, Arnold Schönhage proposed a method to compute elementary functions (exp, log, sin, arctan, etc.) efficiently in "medium precision" (up to about 1000 digits) by reducing the argument using linear combinations of pairs of logarithms of primes or Gaussian primes. We generalize this approach to an arbitrary number of primes (which in practice may be 10-20 or more), using an efficient algorithm to solve the associated Diophantine approximation problem. Although theoretically slower than the arithmetic-geometric mean (AGM) by a logarithmic factor, this is now the fastest algorithm in practice to compute elementary functions from about 1000 digits up to millions of digits, giving roughly a factor-two speedup over previous methods. We also discuss the use of optimized Machin-like formulas for simultaneous computation of several logarithms or arctangents of rational numbers, which is required for precomputations.

Le 4 octobre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Pierrick Dartois\, Fabrice Etienne et Nicolas Sarkis null

Présentation des nouveaux doctorants de l'équipe LFANT

Le 11 octobre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Rémy Oudompheng -

Computation of (3,3)-isogenies from a product of elliptic curves, in the style of 19th century geometry

The method found by W. Castryck and T. Decru to break SIDH requires computing $(2^n,2^n)$-isogenies from a product of elliptic curves to another abelian surface (which is also a product), which are realized as degree 2 correspondences between curves.Transposing the attack to the other side of the SIDH exchange involves degree $(3,3)$-isogenies that can be evaluated using either theta functions, or divisors on genus 2 curves. Methods for the curve approach exist for the Jacobian case, but the case of a product of elliptic curves (Bröker, Howe, Lauter, Stevenhagen 2014) can be difficult to implement for cryptographically relevant field sizes due to various limitations in CAS such as SageMath/Singular.I will explain how traditional algebraic geometry can be called to the rescue to give a simple construction of the curve correspondence associated to the quotient of $E_1 \times E_2$ by an isotropic $(3,3)$-kernel. This leads to a rather fast computation method relying only on elementary field operations and 2 square roots. The journey will bring back some memories of 19th century projective geometry. Theta function experts might recognize familiar objects in the geometric construction.

Le 18 octobre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Èrell Gachon -

Some Easy Instances of Ideal-SVP and Implications on the Partial Vandermonde Knapsack Problem

In our article, we generalize the works of Pan et al. (Eurocrypt 21) and Porter et al. (ArXiv 21) and provide a simple condition under which an ideal lattice defines an easy instance of the shortest vector problem. Namely, we show that the more automorphisms stabilize the ideal, the easier it is to find a short vector in it. This observation was already made for prime ideals in Galois fields, and we generalize it to any ideal (whose prime factors are not ramified) of any number field. We then provide a cryptographic application of this result by showing that particular instances of the partial Vandermonde knapsack problem, also known as partial Fourier recovery problem, can be solved classically in polynomial time.

Le 25 octobre 2022

Séminaire de Théorie Algorithmique des Nombres

Damien Robert Inria/IMB

Evaluating isogenies in polylogarithmic time

We explain how the « embedding lemma » used in the recents attacks against SIDH can be used constructively. Namely we show that every $N$-isogeny between abelian varieties over a finite field admits an efficient representation allowing for its evaluation in time polylogarithmic in $N$. Furthermore, using Vélu's formula for elliptic curves, or isogenies in the theta model for dimension $g>1$, this representation can be computed in time quasi-linear in $N^g$.

Le 8 novembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Anne-Edgar Wilke IMB

Énumération des corps de nombres quartiques

Fixons un entier $n \geq 2$, et, pour $X \geq 0$, soit $C_n(X)$ l'ensemble des classes d'isomorphisme de corps de nombres de degré $n$ et de discriminant inférieur à $X$ en valeur absolue. La méthode de Hunter-Pohst permet d'énumérer $C_n(X)$ en temps $O(X^{\frac{n + 2}{4} + epsilon})$. Pour $n \geq 3$, on s'attend à ce que cette complexité ne soit pas optimale : en effet, une conjecture classique, démontrée pour $n leq 5$, prévoit qu'il existe une constante $c_n \geq 0$ telle que le cardinal de $C_n(X)$ soit équivalent à $c_n X$. En utilisant une paramétrisation des corps cubiques due à Davenport et Heilbronn, Belabas a mis au point un algorithme énumérant $C_3(X)$ en temps optimal $O(X^{1 + \epsilon})$. Je montrerai comment une paramétrisation des corps quartiques due à Bhargava permet de manière similaire d'énumérer $C_4(X)$ en temps $O(X^{\frac{5}{4} + \epsilon})$. Je présenterai ensuite des résultats numériques, ainsi que des perspectives d'amélioration et de généralisation en degré supérieur.

Le 15 novembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Henri Cohen IMB

A Pari/GP package for continued fractions

I will describe with numerous examples a new Pari/GP package for infinite continued fractions which can in particular compute numerically the limit, the exact asymptotic speed of convergence (almost never given in the literature), accelerate continued fractions, and especially apply the powerful Apéry acceleration technique to almost all continued fractions, leading to hundreds of new ones.

Le 22 novembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Sulamithe Tsakou -

Index calculus attacks on hyperelliptic curves with efficient endomorphism

The security of many existing cryptographic systems relies on the difficulty of solving the discrete logarithm problem (DLP) in a group. For a generic group, we can solve this problem with many algorithms such as the baby-step-giant-step, the Pollard-rho or the Pohlig-Hellman algorithm. For a group with known structure, we use the index calculus algorithm to solve the discrete logarithm problem. Then, the DLP on the Jacobian of a hyperelliptic curve defined over a finite field $\mathbb{F}_{q^n}$ with $n >1$ are subject to index calculus attacks. After having chosen a convenient factor basis, the index calculus algorithm has three steps - the decomposition step in which we decompose a random point in the factor basis, the linear algebra step where we solve a matricial equation and the descent phase in which the discrete logarithm is deduced. The complexity of the algorithm crucially depends on the size of the factor basis, since this determines the probability for a point to be decomposed over the base and also the cost of the linear algebra step. Faugère et al (EC 2014) exploit the $2$-torsion point of the curve to reduce the size of the factor basis and then improve the complexity of the index calculus algorithm. In a similar manner, we exploit the endomorphism of the Jacobian to reduce the size of the factor base for certain families of ordinary elliptic curves and genus $2$ hyperelliptic Jacobians defined over finite fields. This approach adds an extra cost when performing operation on the factor basis, but our benchmarks show that reducing the size of the factor base allows to have a gain on the total complexity of index calculus algorithm with respect to the generic attacks.

Le 29 novembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Elie Bouscatié -

Searching substrings inside an encrypted stream of data ... without decrypting !

Outsourcing IT services has become very common worldwide for multiple reasons ranging from costs reduction to improved services. Whatever the actual reason is, the concrete consequence for the company that delegates such services is that a third party ends up with its data in clear because of the well-known limitations of standard encryption.Ideally, this third party should only learn the minimal information necessary for performing the requested processing, which has motivated the design of countless encryption schemes compatible with specific processing. Such schemes belong to the realm of functional encryption, where the third party recovers a function f(x) from an encryption of x without learning anything else about x, with minimal interaction. Of course, the function f, and hence the encryption scheme, strongly depends on the considered application, which explains the profusion of papers related to this topic. We will focus on the possibility to allow a third party to search the presence of chosen substrings of different lengths (and more !) at any position in the encryption of a stream of data. After an introduction to this problematic and to the associated security notion, we will take a look at the proof of security of one specific construction.

Le 6 décembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Léo Poyeton -

Admissibility of filtered $(\varphi,N)$-modules

Filtered $(\varphi,N)$-modules over a $p$-adic field $K$ are semi-linear objects which are easy to define and can be implemented on a computer. The modules $D_{st}(V)$ defined by $p$-adic Hodge theory, where $V$ is a $p$-adic representation of the absolute Galois group of $K$, provide examples of filtered $(varphi,N)$-modules. When $V$ is nice enough (semi-stable), the data of $D_{st}(V)$ is sufficient to recover $V$. A necessary and sufficient condition for a filtered $(\varphi,N)$-module $D$ to be written as $D_{st}(V)$ for some semi-stable representation $V$ is the condition of "admissibility" which imposes conditions on the way the different structures of the $(varphi,N)$-module interact with each other.In a joint work with Xavier Caruso, we try to provide an algorithm which takes a filtered $(\varphi,N)$-module as an input and outputs whether it is admissible or not. I will explain how we can implement filtered $(\varphi,N)$-modules on a computer and why this question is well posed. I will then present an algorithm which answers the question if the $(\varphi,N)$-module is nice enough and explain the difficulties we are facing both in this nice case and in the general case.

Le 13 décembre 2022 à 10:00

Séminaire de Théorie Algorithmique des Nombres

Samuel Le Fourn -

Points de torsion d'une variété abélienne dans des extensions d'un corps fixé

Pour une variété abélienne A sur un corps de nombres K, on sait que pour toute extension finie L/K, le nombre c(L) de points de torsion de A(L) est fini par le théorème de Mordell-Weil.
En fait, un résultat de Masser prédit que c(L) est polynomial en [L:K] (si on fixe A et K) avec un exposant g=dim A, et une conjecture de Hindry et Ratazzi de 2012 donne l'exposant optimal (plus petit que g en général) en fonction d'une certaine structure de la variété abélienne (liée à son groupe dit de Mumford-Tate)Dans cet exposé, je parlerai d'un travail commun avec Lombardo et Zywina dans lequel nous démontrons une forme inconditionnelle de cette conjecture (et cette conjecture en admettant la conjecture de Mumford-Tate), en insistant sur les résultats intermédiaires qui peuvent être d'intérêt indépendant pour la compréhension des représentations galoisiennes associées à des variétés abéliennes.

Afficher 2022 - 2021 - 2020 - 2019 - 2018 - 2017 - 2016 - 2015 - antérieurs

Séminaire de Théorie Algorithmique des Nombres

Institut de Mathématiques de Bordeaux UMR 5251