Modifications

chap-sigmasig.tex

@@ -1 +1 @@
-\chapter{Pairing-Based Dynamic Group Signatures}
+\chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig}

macros.tex

@@ -9,6 +9,10 @@
 \newcommand{\GPVSample}{\textsf{GPVSample}\xspace}
 
 % Assumptions/Problems
+%% Pairings
+\newcommand{\DDH}{\textsf{DDH}\xspace}
+\newcommand{\SXDH}{\textsf{SXDH}\xspace}
+%% Lattices
 \newcommand{\SIS}{\textsf{SIS}\xspace}
 \newcommand{\LWE}{\textsf{LWE}\xspace}
 \newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace}
@@ -27,6 +31,7 @@
 \newcommand{\CC}{\xspace\ensuremath{\mathbb{C}}\xspace}
 \newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace}
 \newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace}
+%% Pairings
 \newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace}
 \newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace}
 \newcommand{\Gh}{\xspace\ensuremath{\hat{\mathbb{G}}}\xspace}

main.tex

@@ -4,9 +4,10 @@
 \usepackage[french,english]{babel}
 %\usepackage[UKenglish]{babel}
 \usepackage[T1]{fontenc}
-\usepackage{libertine}
 
 % Customization
+\usepackage{libertine}
+\usepackage{inconsolata}
 \chapterstyle{madsen}
 
 \usepackage{xcolor, graphicx}
@@ -65,8 +66,10 @@
 
 \cleardoublepage
 \tableofcontents
+
+\input symbols
 \mainmatter
-\pagestyle{plain}
+\pagestyle{ruled}
 
 \input chap-introduction 
 

sec-lattices.tex

@@ -2,6 +2,12 @@
 % \section{Lattice-Based Cryptography} %
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
+During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. 
+For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
+
+In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}
+have been extensively studied~\cite{ADRS15,HK17}
+
 \subsection{Lattices and Hard Lattice Problems}
 \label{sse:lattice-problems}
 
@@ -21,8 +27,8 @@
     }
     \draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4);
     \draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5);
-    \draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5);
-    \draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3);
+    \draw[very thick, red!80!black, ->] (v-9-4)   -- (v-19-2);
+    \draw[very thick, red!80!black, ->] (v-9-4)   -- (v-18-2);
     \foreach \i in {0,1,...,10} {
       \draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i);
     }
@@ -41,9 +47,9 @@ In the following, we work with $q$-ary lattices, for some prime $q$.
 \begin{definition} \label{de:qary-lattices}
   Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and   $\mathbf{u} \in \ZZ_q^n$, define
 \begin{align*}
-  \Lambda_q(\mathbf{A}) &\triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
-  \Lambda_q^{\perp} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
-  \Lambda_q^{\mathbf{u}} (\mathbf{A}) &\triangleq  \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
+  \Lambda_q(\mathbf{A})               & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
+  \Lambda_q^{\perp} (\mathbf{A})      & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
+  \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq  \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
 \end{align*}
 
 For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
@@ -56,7 +62,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center
  $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
 We denote by  $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
 
-In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes.
+In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
 
 In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
 

sec-pairings.tex

@@ -2,7 +2,13 @@
                     % \section{Pairing-Based Cryptography} %
                     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
-\subsection{Bilinear maps}
+Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
+Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
+Multiple constructions and parameter sets coexist for pairings.
+Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
+
+
+%\subsection{Bilinear maps}
 \begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
   A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
   \begin{enumerate}[\quad (i)]
@@ -12,4 +18,24 @@
   \end{enumerate}
 \end{definition}
 
-In practice, pairings are computed over 
+For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
+
+Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
+
+\begin{definition}[$\DDH$] \label{de:DDH}
+  Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
+  Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
+  The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
+\end{definition}
+
+This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
+
+\begin{definition}[$\SXDH$]
+  The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
+\end{definition}
+
+In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
+Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
+
+This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
+For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).

symbols.tex

@@ -0,0 +1,13 @@
+\chapter*{List of Symbols}
+\addcontentsline{toc}{chapter}{List of Symbols}
+
+\begin{tabular}{ll}
+  $\PPT$  & Probabilistic Polynomial Time        \\
+  PKE     & Public Key Encryption                \\
+  ZK      & Zero-Knowledge                       \\
+  $\SIS$  & Short Integer Solution               \\
+  $\LWE$  & Learning with Errors                 \\
+  $\SIVP$ & Shortest Independent Vectors Problem \\
+  $\DDH$  & Decisional Diffie-Hellman            \\
+  $\SXDH$ & Symmetric eXternal Diffie-Hellman
+\end{tabular}