thesis/chap-introduction.tex
In the last two decades, the use of cryptography has shifted from military and commercial secrets to the broader public.
For instance, the Enigma machine had one design for military purposes and another one for enterprises (Enigma A26).
As of now, about $60\%$ of the first million most visited websites offer an implementation of \texttt{https}, as do most of the communication channels used by electronic devices (such as \textit{Wi-Fi Protected Access}).
At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently.
While we are reaching the barrier of Moore's law, other threats exist against today's cryptosystems.
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most real-world cryptographic implementations, which mostly rely on number-theoretic assumptions.
In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant.
To address this problem, \textit{post-quantum cryptography} arose in the early 2000s.
The different candidates rely on different mathematical objects, such as lattices, error-correcting codes or systems of multivariate polynomials.
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organised a competition to evaluate different post-quantum schemes for encryption and signatures~\cite{NIS17}.
In this competition, 82 protocols were submitted, of which 28 were lattice-based, 24 were code-based, 13 were multivariate-based, 4 were hash-based and the 13 remaining ones are categorized as ``other''.
Real-world cryptography, however, mainly aims at digital signatures and encryption schemes, as the NIST competition emphasizes.
Meanwhile, research in cryptology proposes different solutions to more specific problems, such as designing electronic-cash systems\footnote{Not to be confused with cryptocurrencies\ldots}~\cite{CFN88}, the digital analogue of real money: coins are delivered by an authority (the bank) and their use remains untraceable by anyone.
Such cryptographic constructions should moreover satisfy some security requirements.
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even of an active adversary.
To guarantee these requirements, we also provide security proofs. They essentially state that a cryptographic scheme is secure as long as some problems remain hard.
Last but not least, the importance of privacy and data protection has been a hot topic in the last years, as reflected by the development of the General Data Protection Regulation in 2016, which is finally enforced since May 25$^\text{th}$.
Hence, it looks appealing to have privacy-preserving cryptographic constructions that would ideally resist the advent of a quantum computer.
Nevertheless, the construction of such protocols mainly relies on ``zero-knowledge proofs'', which are two-party protocols between a prover and a verifier, where the prover should convince the verifier of a statement without leaking any information about this statement.
In the context of post-quantum cryptography, such proof systems are still limited in power or costly to implement.
\section{Privacy-Preserving Cryptography}
\label{se:privacy-preserving-crypto}
In this context, privacy-preserving refers to the fact that a primitive should provide some functionality while keeping sensitive information private.
An example of such primitives is \textit{anonymous credentials}~\cite{Cha85,CL01}.
Informally, this primitive allows users to authenticate to some verifiers without revealing their identity, nor the pattern of their authentications.
To realize this, the system involves one (or more) credential issuer(s) and a set of users who have their own secret keys and pseudonyms that are bound to their secret.
Users can dynamically obtain credentials from an issuer that only knows the users' pseudonyms and obliviously signs the users' secret key as well as a set of attributes.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of a certification from the issuer, revealing neither the signature nor the secret key.
This primitive thus allows a user to authenticate to a system, such as in anonymous access control, while preserving their anonymity.
In addition, the system is guaranteed that users indeed possess a valid credential.
Interest in privacy-based cryptography dates from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}.
A reason for that could be the similarities between the goals of cryptography and the requirements of privacy protection.
Moreover, the work of cryptographers in this field may have a direct impact in terms of services that may be enabled in the real world.
Indeed, having a practical anonymous credential scheme would enable its use for access control in a way that may limit security flaws.
Today's implementations, in contrast, are based on more elementary building blocks, like signatures, whose manipulation may lead to various security flaws~\cite{VP17}.
Similarly, \textit{advanced primitives} often involve simpler building blocks in their design.
The difference lies in that provable security gives a security guarantee together with the construction.
As explained before, these proofs make the security of a scheme rely on hardness assumptions, which are studied independently by cryptanalysts.
Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of the security of multilinear maps in~\cite{CHL+15} made obsolete a large number of candidates at that time.
This is why it is important to rely on well-studied and simple assumptions, as we will explain in~\cref{ch:proofs}.
In the context of this thesis, the cryptographic schemes we develop rely on lattices and bilinear maps over cyclic groups.
Lattice-based cryptography is used to move toward post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures are given in~\cref{ch:structures}.
\subsection{Zero-knowledge Proofs}
As explained before, a basic building block for privacy-preserving cryptography is the zero-knowledge proof.
This interactive protocol requires the completeness, soundness and zero-knowledge properties. Completeness simply captures the correctness of the protocol when everyone is honest. In the case of a dishonest prover, soundness requires the probability that the verifier is convinced to be negligible. Conversely, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
In the case of identification schemes, the nature of the secret remains simple and solutions exist from multiple assumptions~\cite{Sch96,Ste96,KTX08,Lyu08}.
For more complex statements, such as proving the correctness of a computation, a separation appears between post-quantum schemes and number-theory-based schemes.
In the case of pairing-based cryptography, there exist non-interactive zero-knowledge proofs which can prove a large variety of statements~\cite{GOS06,GS08} without idealized assumptions.
Such proofs do not exist in the context of post-quantum cryptography yet.
In lattice-based cryptography, there are mainly two families of proofs: Schnorr-like proofs and Stern-like proofs, named after their respective authors.
The first family works on some structured lattices. Exploiting this structure allows for rather compact proofs, while the variety of statements is quite restricted.
The second family of proofs is combinatorial and works on the representation of lattice elements (as matrices and vectors).
By nature, these proofs are quite expensive in terms of communication complexity.
However, they can be used to prove a wide variety of statements, as we will explain in more detail throughout this thesis and especially in~\cref{sse:stern}.
More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}.
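As an added illustration (not part of the thesis), the three properties above are made concrete on the Schnorr identification protocol~\cite{Sch96}, the simplest member of the Schnorr-like family: an honest run (completeness), an extractor that recovers the secret from two transcripts sharing a commitment (special soundness), and a simulator that produces accepting transcripts without the secret (honest-verifier zero-knowledge). The group parameters are toy values chosen here for readability.

```python
"""Schnorr identification as a Sigma-protocol over a prime-order subgroup.
Toy parameters (constructed for this example; real deployments use groups
of at least 2048 bits or elliptic curves)."""
import secrets

P = 1019           # safe prime, P = 2*Q + 1
Q = (P - 1) // 2   # prime order of the subgroup generated by G
G = 4              # quadratic residue mod P, hence of order Q

def keygen():
    """Prover's secret x and public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Round 1: prover picks a random nonce k and sends a = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def verifier_challenge():
    """Round 2: verifier sends a random challenge e in Z_Q."""
    return secrets.randbelow(Q)

def prover_respond(x, k, e):
    """Round 3: prover answers s = k + e*x mod Q."""
    return (k + e * x) % Q

def verify(y, a, e, s):
    """Verifier accepts iff g^s == a * y^e mod P."""
    return pow(G, s, P) == (a * pow(y, e, P)) % P

def run_protocol(x, y):
    """Completeness: an honest prover is always accepted."""
    k, a = prover_commit()
    e = verifier_challenge()
    s = prover_respond(x, k, e)
    return (a, e, s), verify(y, a, e, s)

def extract(e1, s1, e2, s2):
    """Special soundness: two accepting transcripts with the same commitment a
    and e1 != e2 reveal x = (s1 - s2) / (e1 - e2) mod Q. A prover who can
    answer two challenges for one commitment therefore knows x."""
    return ((s1 - s2) * pow(e1 - e2, -1, Q)) % Q

def simulate(y):
    """Honest-verifier zero-knowledge: choose e and s first, then solve for
    a = g^s * y^(-e). The transcript verifies and is distributed exactly like
    a real one, yet x was never used."""
    e = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    a = (pow(G, s, P) * pow(y, -e, P)) % P
    return a, e, s
```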
\subsection{Signatures with Efficient Protocols}
To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes.
One such kind of signatures are \textit{signatures with efficient protocols}.
This primitive extends the functionalities of ordinary digital signature schemes in two manners: (i) it provides a protocol allowing a signer to obliviously sign a hidden message and (ii) users are able to prove knowledge of a hidden message-signature pair in a zero-knowledge fashion.
These two properties prove extremely useful when it comes to designing efficient anonymity-related protocols such as anonymous credentials or e-cash.
The design of effective signatures with efficient protocols is thus important for privacy-preserving cryptography.
In this thesis, we provide two such signature schemes.
One, described in~\cref{ch:sigmasig}, is based on pairings and shifts the standard-model signature scheme of~\cite{LPY15} to the ROM, aiming at efficiency.
The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature scheme that is compatible with Stern-like proofs.
This scheme has also been relaxed in the context of adaptive oblivious transfer where, in some places, random-message security suffices instead of security against chosen-message attacks, as described in~\cref{ch:ot-lwe}.
\section{Our Results}
In this thesis, we present several cryptographic constructions that preserve privacy.
These constructions result both from improvements we made in the use of zero-knowledge proofs and from the ability to prove the security of our constructions under simple assumptions.
We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography.
In the following, we detail four contributions that are developed in this thesis.
These results are taken from four articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}.
\subsection{Dynamic Group Signatures and Anonymous Credentials}
In~\cref{pa:gs-ac}, we present two primitives: dynamic group signatures and anonymous credentials.
We already described the behavior of anonymous credentials in~\cref{se:privacy-preserving-crypto}.
Dynamic group signatures are a primitive that allows a group of users to authenticate messages in the name of the group while remaining anonymous inside this group.
The users still remain accountable for their actions, as another authority is able to lift the anonymity of misbehaving users.
By itself, this primitive can be used to provide anonymous authentication while providing accountability (which is not the case with anonymous credentials).
For instance, in the Internet of Things, such as smart cars, it is important to provide authenticated communication channels as well as anonymity. In car communications, even if the exchanged data may not be sensitive, the identity of the driver could be.
We can imagine a scenario where burglars eavesdrop on some specific cars to know whenever a house is empty.
In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures that aim at efficiency while relying on simple assumptions.
The resulting scheme shows a competitive signature size compared with other schemes that rely on more ad-hoc assumptions, and its practicality is supported by an implementation.
This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters and Moti Yung presented at AsiaCCS'16.
In~\cref{ch:gs-lwe}, we present the first \textit{dynamic} group signature scheme that relies on lattice assumptions.
This was made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}.
It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design of dynamic group encryption and adaptive oblivious transfer.
This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16.
\subsection{Group Encryption}
Group encryption schemes are the encryption analogue of group signatures.
In this setting, a user wants to send a message to a group member, while keeping the recipient of the message hidden.
\subsection{Adaptive Oblivious Transfer}