thesis/chap-conclusion.tex

\begin{comment}
\section %hack for vim-latexsuite
\end{comment}

In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.

In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
This work is also supported by an implementation in \texttt{C}.

The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.

On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.

All these works are proven under strong security models under simple assumptions.
This provides a breeding ground for new theoretical constructions.

\section*{Open Problems}

The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.

\begin{question}
  Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}

In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.

\subsection*{Zero-Knowledge Proofs}

\begin{question}
  Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
\end{question}

Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
This question remains open for more than $10$ years~\cite{KW18}.
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).

The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.

\begin{question}
  Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}

As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.

As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:

\subsection*{Cryptographic Constructions}

\begin{question}
  Does an efficient trapdoor-free (H)IBE exists?
\end{question}

For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
%Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
Actually, a recent construction from Brakerski, Lombardi, Segev and Vaikuntanathan~\cite{BLSV18} gives a candidate which relies on garble circuits, and is fairly inefficient compared to IBEs with trapdoors.
Even the question of an \textsf{IND-CCA2} public key encryption still does not have a satisfactory response. 
The construction of Peikert and Waters~\cite{PW08} is indeed trapdoor-free, but is still less efficient than trapdoor-based ones.

\begin{question}
  Can we achieve better security proofs for cryptographic schemes?
\end{question}

Our work during this thesis also focuses on the security proofs of cryptographic schemes.
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.
Conclusion 2018-06-15 17:17:55 +00:00			`\begin{comment}`
			`\section %hack for vim-latexsuite`
			`\end{comment}`

Corrections 2018-06-16 17:05:57 +00:00			`In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.`
Conclusion 2018-06-15 17:17:55 +00:00			`These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.`

Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.`
			`It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.`
Corrections 2018-06-16 17:05:57 +00:00			`This work is also supported by an implementation in \texttt{C}.`
Conclusion 2018-06-15 17:17:55 +00:00
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.`
			`Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.`
Conclusion 2018-06-15 17:17:55 +00:00
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.`
Corrections 2018-06-16 17:05:57 +00:00			`As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.`
Conclusion 2018-06-15 17:17:55 +00:00
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`All these works are proven under strong security models under simple assumptions.`
			`This provides a breeding ground for new theoretical constructions.`
Conclusion 2018-06-15 17:17:55 +00:00
			`\section*{Open Problems}`

Conclusion 2018-06-16 14:34:21 +00:00			`The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.`
Corrections 2018-06-16 17:05:57 +00:00			`The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.`
Conclusion 2018-06-15 17:17:55 +00:00
			`\begin{question}`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?`
Conclusion 2018-06-15 17:17:55 +00:00			`\end{question}`

Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.`
			`As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.`
			`However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.`
Corrections 2018-06-16 17:05:57 +00:00			`Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.`
Conclusion 2018-06-15 17:17:55 +00:00
First version of conclusion 2018-06-16 15:00:41 +00:00			`\subsection*{Zero-Knowledge Proofs}`

Conclusion 2018-06-15 17:17:55 +00:00			`\begin{question}`
Conclusion 2018-06-16 14:34:21 +00:00			`Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?`
			`\end{question}`

			`Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`This question remains open for more than $10$ years~\cite{KW18}.`
			`Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).`
Conclusion 2018-06-16 14:34:21 +00:00
			`The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.`
Conclusion 2018-06-16 14:34:21 +00:00			`This proves to be a real bottleneck in the efficiency of such proof systems.`

			`\begin{question}`
			`Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?`
			`\end{question}`

			`As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.`
			`If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.`
			`However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.`
			`It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.`
Conclusion 2018-06-15 17:17:55 +00:00
Conclusion 2018-06-16 14:34:21 +00:00			`As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.`
			`Thus, a natural question may be:`

First version of conclusion 2018-06-16 15:00:41 +00:00			`\subsection*{Cryptographic Constructions}`

Conclusion 2018-06-16 14:34:21 +00:00			`\begin{question}`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`Does an efficient trapdoor-free (H)IBE exists?`
Conclusion 2018-06-16 14:34:21 +00:00			`\end{question}`

			`For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.`
			`Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.`
Conclusion 2018-06-19 15:45:22 +00:00			`%Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.`
			`Actually, a recent construction from Brakerski, Lombardi, Segev and Vaikuntanathan~\cite{BLSV18} gives a candidate which relies on garble circuits, and is fairly inefficient compared to IBEs with trapdoors.`
			`Even the question of an \textsf{IND-CCA2} public key encryption still does not have a satisfactory response.`
			`The construction of Peikert and Waters~\cite{PW08} is indeed trapdoor-free, but is still less efficient than trapdoor-based ones.`
Conclusion 2018-06-16 14:34:21 +00:00
			`\begin{question}`
First version of conclusion 2018-06-16 15:00:41 +00:00			`Can we achieve better security proofs for cryptographic schemes?`
Conclusion 2018-06-15 17:17:55 +00:00			`\end{question}`
First version of conclusion 2018-06-16 15:00:41 +00:00
Corrections 2018-06-16 17:05:57 +00:00			`Our work during this thesis also focuses on the security proofs of cryptographic schemes.`
First version of conclusion 2018-06-16 15:00:41 +00:00			`As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.`
Corrections - WI - overfull hbox - other stuff 2018-06-19 15:26:01 +00:00			`Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.`
			`Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.`
			`This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.`