Our work in the lattice setting gives rise to three fundamental schemes that were missing from the landscape of lattice-based privacy-preserving primitives.
Even if these schemes suffer from some efficiency issues due to their novelty, we believe that they are a step toward a quantum-secure, privacy-friendly world.
Along the way, we improved the state of zero-knowledge proofs in the lattice setting and provided building blocks that, we believe, are of independent interest.
One example is our signature scheme with efficient protocols, which has been used to provide a lattice-based e-cash system~\cite{LLNW17}.
All these constructions are proven secure in strong security models under simple assumptions.
This creates a breeding ground for new theoretical constructions, as well as a step toward practicality.
\begin{question}
Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on the standard $\LWE$ assumption only?
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} to the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
A recent line of work goes in this direction~\cite{RSS18}, but relies on a primitive that does not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
The Stern-like proof system we worked on during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the rigidity of being combinatorial.
The choice of permutations used to ensure the zero-knowledge property (and thus witness indistinguishability) is quite strict, and forces the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.
\begin{question}
Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}
As explained in~\cref{ch:zka}, current lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
Although the natural structure of a lattice is that of a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to tackle this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question whether the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
Although these proof systems can be used after applying a transformation from an average-case to a worst-case problem, this methodology is highly inefficient and does not close the question.
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:
\begin{question}
Does a trapdoor-free (H)IBE exist?
\end{question}
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places: to obtain a public-key encryption scheme secure under adaptive active attacks, and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into an \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied by \textsf{IND-CPA}-secure IBE~\cite{BF01,BLS01}.
In fact, even the existence of a trapdoorless \textsf{IND-CCA2} public-key encryption scheme remains an open question.