thesis/chap-conclusion.tex

85 lines
6.6 KiB
TeX
Raw Normal View History

2018-06-15 17:17:55 +00:00
\begin{comment}
\section %hack for vim-latexsuite
\end{comment}
2018-06-16 17:05:57 +00:00
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
2018-06-15 17:17:55 +00:00
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
2018-06-16 17:05:57 +00:00
This work is also supported by an implementation in \texttt{C}.
2018-06-15 17:17:55 +00:00
The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.
2018-06-15 17:17:55 +00:00
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
2018-06-16 17:05:57 +00:00
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
2018-06-15 17:17:55 +00:00
All these works are proven under strong security models under simple assumptions.
This provides a breeding ground for new theoretical constructions.
2018-06-15 17:17:55 +00:00
\section*{Open Problems}
2018-06-16 14:34:21 +00:00
The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
2018-06-16 17:05:57 +00:00
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
2018-06-15 17:17:55 +00:00
\begin{question}
Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
2018-06-15 17:17:55 +00:00
\end{question}
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
2018-06-16 17:05:57 +00:00
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
2018-06-15 17:17:55 +00:00
2018-06-16 15:00:41 +00:00
\subsection*{Zero-Knowledge Proofs}
2018-06-15 17:17:55 +00:00
\begin{question}
2018-06-16 14:34:21 +00:00
Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
This question remains open for more than $10$ years~\cite{KW18}.
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
2018-06-16 14:34:21 +00:00
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
2018-06-16 14:34:21 +00:00
This proves to be a real bottleneck in the efficiency of such proof systems.
\begin{question}
Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}
As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
2018-06-15 17:17:55 +00:00
2018-06-16 14:34:21 +00:00
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:
2018-06-16 15:00:41 +00:00
\subsection*{Cryptographic Constructions}
2018-06-16 14:34:21 +00:00
\begin{question}
2018-06-19 15:49:54 +00:00
Does an efficient trapdoor-free \textsf{(H)IBE} exists?
2018-06-16 14:34:21 +00:00
\end{question}
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
2018-06-19 15:49:54 +00:00
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an \textsf{IBE} into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure \textsf{IBE}~\cite{BF01,BLS01}.
2018-06-19 15:45:22 +00:00
%Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
2018-06-19 15:49:54 +00:00
Actually, a recent construction from Brakerski, Lombardi, Segev and Vaikuntanathan~\cite{BLSV18} gives a candidate which relies on garble circuits, and is fairly inefficient compared to \textsf{IBE}s with trapdoors.
2018-06-19 15:45:22 +00:00
Even the question of an \textsf{IND-CCA2} public key encryption still does not have a satisfactory response.
The construction of Peikert and Waters~\cite{PW08} is indeed trapdoor-free, but is still less efficient than trapdoor-based ones.
2018-06-16 14:34:21 +00:00
\begin{question}
2018-06-16 15:00:41 +00:00
Can we achieve better security proofs for cryptographic schemes?
2018-06-15 17:17:55 +00:00
\end{question}
2018-06-16 15:00:41 +00:00
2018-06-16 17:05:57 +00:00
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
2018-06-16 15:00:41 +00:00
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.