Corrections

This commit is contained in:
Fabrice Mouhartem 2018-06-16 19:05:57 +02:00
parent 5df7a6aa93
commit 00ad910d51
2 changed files with 48 additions and 43 deletions

View File

@ -2,18 +2,18 @@
\section %hack for vim-latexsuite
\end{comment}
In this thesis, we presented new cryptographic schemes that relies on lattice or pairing assumptions.
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
In pairing-related cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements that exists for more than ten years.
This work is also supported by an implementation in C.
In pairing-based cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements which exist for more than ten years.
This work is also supported by an implementation in \texttt{C}.
Our work in the lattice work give rise of three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving primitives.
Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.
In the way of doing it, improvements have been made in the state of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, which have been used to provide a lattice-based e-cash system~\cite{LLNW17}.
In the way of doing it, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
All these works are proven under strong security model within simple assumptions.
This made a breeding ground for new theoretical constructions, as well as going toward practicality.
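Review bot: the rewritten line "It relies on broadly used assumptions with simple statements which exist for more than ten years" still has a tense problem; suggest "which have been studied for more than ten years". In the same hunk, "As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system" should open with "As for our signature with efficient protocols, ...". The unchanged context "All these works are proven under strong security model within simple assumptions" would also read better as "proven in strong security models under simple assumptions".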
@ -21,16 +21,16 @@ This made a breeding ground for new theoretical constructions, as well as going
\section*{Open Problems}
The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
The most obvious questions that stem from this work are about how to tackle the compromises we made in the design of those primitives.
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
\begin{question}
Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this problem arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
Then, the main difficulty is to have compatible zero-knowledge proof with the access control and the encryption layers.
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
\subsection*{Zero-Knowledge Proofs}
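Review bot: the context line "In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}." is a question and should end with a question mark; since it is only one line above the edited line, it could be fixed in this commit. Also "finer analysis on GSW ciphertexts~\cite{GSW13} seems promising" should read "a finer analysis of GSW ciphertexts".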
@ -39,7 +39,7 @@ Then, the main difficulty is to have compatible zero-knowledge proof with the ac
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
Recent line of work goes toward this direction~\cite{RSS18}, but relies on non-existing primitive yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
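Review bot: the new line "Recent line of work goes toward this direction~\cite{RSS18}" needs an article and a preposition fix: "A recent line of work goes in this direction". The trailing context lines carry two more slips that are worth folding into this correction pass: "we work on in during this thesis" (drop "in", and probably "worked on"), and "is quite strict, and force the challenge space" should be "forces".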
@ -73,8 +73,8 @@ Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public ke
Can we achieve better security proofs for cryptographic schemes?
\end{question}
Our work during this thesis also focus on the proof of cryptographic schemes.
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given the advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
Another line of work looks at the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
This improves the understanding of the link between the cryptographic scheme and the security assumption, leading to more reliable schemes.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.
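Review bot: the rewritten line "it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}" keeps the original typo; "claim" should be "claimed" (or "than previously claimed"). The rest of the hunk reads fine.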

View File

@ -18,7 +18,7 @@ Meanwhile, ongoing research in cryptology proposes different solutions to addres
Cryptographic constructions should additionally verify some security requirements.
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary who can alter some messages.
To guarantee these requirements, cryptographers make security proofs.
A proof mainly states that a given cryptographic scheme is secure if some problems remain hard.
A security proof mainly states that a given cryptographic scheme is secure if some problems remain hard.
At last but not least, the importance of privacy and data protection has been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is implemented since may 25$^\text{th}$.
Hence, it looks appealing to have privacy-preserving cryptographic constructions which would ideally resist to the eventuality of a quantum computer.
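Review bot: the context line right after the edit still contains several errors that this correction commit could pick up: "At last but not least" should be "Last but not least", "as reflects the development of" should be "as reflected by the development of", and "may 25$^\text{th}$" needs a capital "May". In the following line, "resist to the eventuality" should be "resist the eventuality".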
@ -44,28 +44,32 @@ Indeed, having a practical anonymous credential scheme will enable its use for a
Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security holes~\cite{VP17}.
Similarly, \textit{advanced primitives} often involve simpler building blocks in their design.
The difference lies in that provable security gives security guarantees together with the construction.
The difference lies in that provable security conveys security guarantees together with the construction.
As explained before, these proofs make the security of a set of schemes to rely on hardness assumptions.
Thus, the security relies on the hardness of those assumptions, which are studied independently by cryptanalysts.
Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}.
Thus, the security relies on the hardness of those assumptions, which are independently studied by cryptanalysts.
Hence, the security is guaranteed by the study of those assumptions.
For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.
This example reflects the importance of relying on well studied and simple assumptions as we will explain in~\cref{ch:proofs}.
In the context of this thesis, the cryptographic schemes we develop rely on lattices and bilinear maps over cyclic groups.
Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures is given in~\cref{ch:structures}.
In the context of this thesis, the developed cryptographic schemes rely on lattices and bilinear maps over cyclic groups.
Lattice-based cryptography is used to step towards post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures are given in~\cref{ch:structures}.
\subsection{Zero-knowledge Proofs}
As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs.
This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography.
This interactive protocol requires the completeness, soundness and zero-knowledge properties.
The completeness simply renders the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible.
On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
In the case of identification schemes, the nature of the secret remains simple and solutions exists from multiple assumptions~\cite{Sch96,Ste96,KTX08,Lyu08}.
For more complex statements, as of proving correct computations, a separation appears between post-quantum schemes and number-theory-based schemes.
For more complex statements, as of proving a correct computation, a separation appears between post-quantum schemes and number-theory-based schemes.
In the case of pairing-based cryptography, there exists non-interactive zero-knowledge proofs which can prove a large variety of statements~\cite{GOS06,GS08} without idealized assumptions.
Such proofs do not exist in the context of post-quantum cryptography yet.
Such proofs are still missing in the context of post-quantum cryptography.
In lattice-based cryptography, there are mainly two families of proofs: Schnorr-like proofs and Stern-like proofs, named after their respective authors.
In the lattice world, there are two main families of proofs: Schnorr-like proofs~\cite{Sch96} and Stern-like proofs~\cite{Ste96}, named after their respective authors.
The first family works on some structured lattices. Exploiting this structure allows for rather compact proofs, while the variety of statements is quite restricted.
The second family of proofs is combinatoric and works on the representation of lattice elements (as matrix and vectors).
The second kind of proofs is combinatorial and works on the representation of lattice elements (as matrix and vectors).
By nature, these proofs are quite expensive in term of communication complexity.
However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}.
More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}.
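Review bot: the new sentence "Hence, the security is guaranteed by the study of those assumptions" overstates what the previous line supports; cryptanalysis of an assumption gives confidence, not a guarantee, so the original wording "relies on the study of those assumptions" was more accurate, and "Thus, ... Hence, ..." in two consecutive sentences is redundant. Smaller points in the same hunk: "The completeness simply renders the correctness" would read better as "captures the correctness"; "(as matrix and vectors)" should be "(as matrices and vectors)"; the context lines "solutions exists from multiple assumptions" and "there exists non-interactive zero-knowledge proofs" both need "exist", and "in term of communication complexity" should be "in terms of".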
@ -79,14 +83,14 @@ This primitive extends the functionalities of ordinary digital signature schemes
These two properties prove extremely useful when it comes to design efficient anonymity-related protocols such as anonymous credentials or e-cash.
The design of effective signatures with efficient protocols is thus important for privacy-preserving cryptography.
In this thesis, we provide two such signature schemes.
One, described in~\cref{ch:sigmasig}, is based on pairings and shift the~\cite{LPY15} signature scheme in the standard model to the ROM, aiming at efficiency.
The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature schemes that is compatible with Stern-like proofs.
In this thesis, we provide two of these signature schemes.
One, described in~\cref{ch:sigmasig}, based on pairings, shifts the~\cite{LPY15} signature scheme to an idealized but acceptable model, aiming at practicality.
The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature~\cite{Boy10,BHJ+15} on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme~\cite{KTX08} to provide a lattice-based signature schemes that is compatible with Stern-like proofs.
This scheme have also been relaxed in the context of adaptive oblivious transfer where, in some places, it is only required to have random-message security instead of security against chosen-message security as described in~\cref{ch:ot-lwe}.
\section{Pairings and Lattices}
In this thesis, the presented constructions relies on the assumed hardness of assumptions on pairing-friendly groups and lattices.
In this thesis, the proposed constructions rely on the assumed hardness of assumptions over pairing-friendly groups and lattices.
These two objects have been used in cryptography since the early 2000s~\cite{SOK00,Reg05}.
Even since, they attracted many attentions from cryptographers, leading to multiple constructions in advanced cryptography (as in~\cite{Jou00,BBS04,BN06,GS08,LYJP14,LPQ17} for pairings, and~\cite{GPV08,ABB10,BV11,GSW13,dPLNS17} for lattices).
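Review bot: the new line "adapts a variant of Boyen's signature~\cite{Boy10,BHJ+15} on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme~\cite{KTX08} to provide a lattice-based signature schemes" is confusing, because the same file later describes the Boyen signature as a lattice-trapdoor scheme (a short vector in the orthogonal lattice of $\mathbf A_m$); "on pairing" should be dropped or reworded, and "a lattice-based signature schemes" should be singular. In the context below, "This scheme have also been relaxed" should be "has", "security against chosen-message security" should be "security against chosen-message attacks", "the assumed hardness of assumptions" is tautological (suggest "on the hardness of assumptions over"), and "Even since, they attracted many attentions" should be "Ever since, they have attracted much attention".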
@ -113,7 +117,7 @@ If their construction relies on a simpler mathematical object, it does not reach
From an algebraic point of view, a lattice is a discrete subgroup of $\RR^n$.
This leads to a simple additive structure.
The core difference with number-theoretic cryptography, such as discrete-logarithm-based cryptography, is the existence of the geometrical structure of the lattice.
From this geometry rises some problems that are believed to withstand a quantum computer.
From this geometry rises some problems that are believed to withstand quantum computers.
Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}.
Versatility of lattice-based cryptography is possible through the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12}, as we explain in~\cref{sse:lattice-trapdoors}.
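Review bot: the rewritten line "From this geometry rises some problems that are believed to withstand quantum computers" fixes the object but not the verb; the subject is plural, so it should be "From this geometry arise some problems". The context line "Versatility of lattice-based cryptography is possible" also wants an article: "The versatility of ...".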
@ -121,17 +125,17 @@ Informally, the knowledge of a short basis for a lattice allows sampling short v
Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$.
An example of use for this last property is the Boyen signature scheme~\cite{Boy10}.
In this scheme, a signature for message $m$ is a short vector in the orthogonal lattice of the matrix $\mathbf A_m = [\mathbf{A} \mid \mathbf B_m]$, where $\mathbf B_m$ is publicly computable.
Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short vector possible, and the message is bind in the description of the lattice $\mathbf A_m$.
Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery).
Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short vector possible, and the message is bound in the description of the lattice $\mathbf A_m$.
Indeed, some extra cares have to be taken to avoid multiplicative attacks (if a signature is too short, doubling it leads to a forgery).
Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}.
Given that we provides the first lattice-based construction for the scheme we present, we did focus on providing provably-secure scheme under simple assumption.
Given that we provides the first lattice-based construction for the scheme we present, we focused on designing provably-secure scheme under simple assumptions.
\section{Our Results}
In this thesis, we present several cryptographic constructions that preserve privacy.
These construction are the result of both improvement we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions.
We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography.
These constructions are the result of both improvements we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions.
We believe that these advances on zero-knowledge proofs are of independent interest and that the given schemes are a step toward quantum-secure privacy-preserving cryptography.
In the following, we detail four contributions that are developed in this thesis.
These results are taken from four published articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}.
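Review bot: the new line "some extra cares have to be taken to avoid multiplicative attacks" regresses the original, since "care" is uncountable; it should be "some extra care has to be taken". The rewritten "Given that we provides the first lattice-based construction for the scheme we present, we focused on designing provably-secure scheme under simple assumptions" still has "we provides" (should be "we provide") and needs "provably-secure schemes". Minor, in context: "permits to generate a short basis" should be "allows generating a short basis".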
@ -139,11 +143,11 @@ These results are taken from four published articles: \cite{LMPY16,LLM+16,LLM+16
In~\cref{pa:gs-ac}, we present two primitives: dynamic group signatures and anonymous credentials.
We already described the behavior of anonymous credential in~\cref{se:privacy-preserving-crypto}.
For dynamic group signatures, it is a primitive that allows a group of users to authenticate messages in the name of the group while remaining anonymous inside this group.
The users still remains accountable for their actions, as another authority is able to lift anonymity of misconducting users.
As of dynamic group signatures, they are a primitive that allows a group of users to authenticate messages on behalf of the group while remaining anonymous inside this group.
The users still remain accountable for their actions, as another authority knows a secret information that gives it the ability to lift anonymity of misconducting users.
By itself, this primitive can be used to provide anonymous authentications while providing accountability (which is not the case with anonymous credentials).
For instance, in the internet of things, such as smart cars, it is important to provide authenticated communication channels as well as anonymity. For cars communication, if the exchanged data may not be sensitive, the identity of the driver could be.
For instance, in the internet of things, such as smart cars, it is important to provide authenticated communication channels as well as anonymity. For car communications, if the exchanged data may not be sensitive alone, the identity of the driver could be.
We can imagine a scenario where some burglars eavesdrop some specific cars to know whenever a house is empty.
In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures that aims at efficiency while relying on simple assumptions.
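Review bot: the new line "As of dynamic group signatures, they are a primitive that allows" should open with "As for dynamic group signatures", and "another authority knows a secret information" should drop the article ("knows secret information"). In the rewritten car example, "if the exchanged data may not be sensitive alone" reads better as "while the exchanged data may not be sensitive on its own", and the context lines have "eavesdrop some specific cars" (should be "eavesdrop on") and "group signatures that aims at efficiency" (should be "aim").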
@ -152,8 +156,9 @@ This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libe
\cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions.
This have been made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}.
It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer.
This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16.
It results in a \textit{signature with efficient protocols} that is of independent interest.
Later, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer.
This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang and presented at Asiacrypt'16.
\subsection{Group Encryption}
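Review bot: the new line "Later, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer" is missing a preposition; it should be "in the design of dynamic group encryption and adaptive oblivious transfer". The context line "This have been made possible by adapting Stern-like proofs" should also read "This has been made possible".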