The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
This question remains open for more than $10$ years~\cite{KW18}.
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.
\begin{question}
Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}
As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2}\PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
%Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
Actually, a recent construction from Brakerski, Lombardi, Segev and Vaikuntanathan~\cite{BLSV18} gives a candidate which relies on garble circuits, and is fairly inefficient compared to IBEs with trapdoors.
Even the question of an \textsf{IND-CCA2} public key encryption still does not have a satisfactory response.
The construction of Peikert and Waters~\cite{PW08} is indeed trapdoor-free, but is still less efficient than trapdoor-based ones.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.