diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 06e9cc5..9a2f503 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex @@ -1 +1 @@ -\chapter{Pairing-Based Dynamic Group Signatures} +\chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig} diff --git a/macros.tex b/macros.tex index 03596ce..bc49ba4 100644 --- a/macros.tex +++ b/macros.tex @@ -9,6 +9,10 @@ \newcommand{\GPVSample}{\textsf{GPVSample}\xspace} % Assumptions/Problems +%% Pairings +\newcommand{\DDH}{\textsf{DDH}\xspace} +\newcommand{\SXDH}{\textsf{SXDH}\xspace} +%% Lattices \newcommand{\SIS}{\textsf{SIS}\xspace} \newcommand{\LWE}{\textsf{LWE}\xspace} \newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace} @@ -27,6 +31,7 @@ \newcommand{\CC}{\xspace\ensuremath{\mathbb{C}}\xspace} \newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace} \newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace} +%% Pairings \newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace} \newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace} \newcommand{\Gh}{\xspace\ensuremath{\hat{\mathbb{G}}}\xspace} diff --git a/main.tex b/main.tex index 4f6a35e..ef8e195 100644 --- a/main.tex +++ b/main.tex @@ -4,9 +4,10 @@ \usepackage[french,english]{babel} %\usepackage[UKenglish]{babel} \usepackage[T1]{fontenc} -\usepackage{libertine} % Customization +\usepackage{libertine} +\usepackage{inconsolata} \chapterstyle{madsen} \usepackage{xcolor, graphicx} @@ -65,8 +66,10 @@ \cleardoublepage \tableofcontents + +\input symbols \mainmatter -\pagestyle{plain} +\pagestyle{ruled} \input chap-introduction diff --git a/sec-lattices.tex b/sec-lattices.tex index 36343e5..731eb7d 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex 
@@ -2,6 +2,12 @@ % \section{Lattice-Based Cryptography} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. +For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now. + +In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12} +have been extensively studied~\cite{ADRS15,HK17} + \subsection{Lattices and Hard Lattice Problems} \label{sse:lattice-problems} @@ -21,8 +27,8 @@ } \draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4); \draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5); - \draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5); - \draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3); + \draw[very thick, red!80!black, ->] (v-9-4) -- (v-19-2); + \draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-2); \foreach \i in {0,1,...,10} { \draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i); } 
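Review bot: The second added paragraph is a sentence fragment: `lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12} have been extensively studied~\cite{ADRS15,HK17}` has two predicates and no connective, and `benefits` should be `benefit`. I would write `In the context of provable security, lattice assumptions benefit from worst-case to average-case reductions~\cite{Reg05,GPV08,MP12}, and the underlying worst-case problems have been extensively studied~\cite{ADRS15,HK17}.` In the first paragraph, `fully homomorphic encryption~\cite{Gen09,GSW13} are only possible` should be `is only possible`, and `to provide beyond encryption and signature cryptography` reads awkwardly (`to provide cryptographic primitives beyond encryption and signatures`). The `28 out of 82` figure for the first NIST round is worth checking against~\cite{NIS17}, since the round-1 numbers usually quoted distinguish submissions received from those accepted as complete and proper; say which one is meant.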
@@ -41,9 +47,9 @@ In the following, we work with $q$-ary lattices, for some prime $q$. \begin{definition} \label{de:qary-lattices} Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define \begin{align*} - \Lambda_q(\mathbf{A}) &\triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ - \Lambda_q^{\perp} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\ - \Lambda_q^{\mathbf{u}} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}. + \Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ + \Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\ + \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}. \end{align*} For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $ 
@@ -56,7 +62,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. -In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes. +In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes. In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). diff --git a/sec-pairings.tex b/sec-pairings.tex index ab27a68..1882b3a 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex 
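Review bot: The rewritten sentence is still ungrammatical after dropping the duplicated `are`: `the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable` needs a connective, e.g. `... are ``average-case'' assumptions and are therefore more suitable to design cryptographic schemes.` The typo `wost-case` survives the edit and should read `worst-case`; `shortest Independent Vectors Problem` should be capitalised `Shortest Independent Vectors Problem` to match the entry in symbols.tex, and `the Learning With Errors ($\LWE$) problems` should be singular. The reduction direction stated here ($\SIVP$ reduces to $\LWE$ and $\SIS$) is the right one, but since this paragraph underpins the thesis' security claims it would help to say what kind of reduction is meant: as far as I recall the $\LWE$ reduction of~\cite{Reg05} is quantum, so if a classical reduction is relied upon it should be cited here.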
@@ -2,7 +2,13 @@ % \section{Pairing-Based Cryptography} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\subsection{Bilinear maps} +Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round. +Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}. +Multiple constructions and parameter sets coexist for pairings. +Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}. + + +%\subsection{Bilinear maps} \begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$: \begin{enumerate}[\quad (i)] 
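Review bot: The group-signature example cites `\cite{ACJT00,BBS04}` as pairing-based constructions, but if ACJT00 is the Ateniese–Camenisch–Joye–Tsudik scheme its security rests on the strong RSA assumption and it uses no pairing, so it does not support the claim; BBS04 alone (or another pairing-based scheme) is the appropriate reference. `Real-world implementation are based` should be `implementations are based`, and `recent advances in cryptanalysis makes it hard` should be `make`. The attribution `introduced by Antoine Joux~\cite{Jou00}` is a bit strong, since pairings were already used in cryptanalysis before the tripartite key exchange; `first used constructively by` would be safer. Commenting out `\subsection{Bilinear maps}` leaves Definition~\ref{de:pairings} and the assumptions that follow directly under the section heading; if a subsection break is still wanted, keep it rather than comment it out.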
@@ -12,4 +18,24 @@ \end{enumerate} \end{definition} -In practice, pairings are computed over +For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field. + +Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups. + +\begin{definition}[$\DDH$] \label{de:DDH} + Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. + Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$. + The DDH assumption is the intractability of the problem for any $\PPT$ algorithm. +\end{definition} + +This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption. + +\begin{definition}[$\SXDH$] + The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$. +\end{definition} + +In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption. +Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle. + +This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions. +For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries). diff --git a/symbols.tex b/symbols.tex new file mode 100644 index 0000000..54a5420 --- /dev/null +++ b/symbols.tex 
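Review bot: Definition~\ref{de:DDH} is type-confused: `$c$ is sampled uniformly in $\GG$` puts an exponent in the group, and the distribution of $a$ and $b$ is never stated. I would write `Let $\GG$ be a cyclic group of prime order $p$ with generator $g$, and let $a, b, c \gets \Zp$ be uniform. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is to distinguish $(g, g^a, g^b, g^{ab})$ from $(g, g^a, g^b, g^c)$; the $\DDH$ assumption states that no $\PPT$ algorithm does so with non-negligible advantage.` The $\SXDH$ definition needs a caveat that matters for Chapter~\ref{ch:sigmasig}: $\DDH$ in $\GG$ is trivially broken whenever $\GG = \Gh$ or an efficiently computable homomorphism $\Gh \to \GG$ exists (test $e(g^a, g^b) = e(g, g^c)$), so $\SXDH$ is only meaningful for asymmetric (Type-3) pairings and the text should say so explicitly. Also `from which the Diffie-Hellman key exchange relies its security on` should read `on which the Diffie-Hellman key exchange relies`, `used to defined` should be `used to define`, and `Diffie-Hellmann` should be `Diffie-Hellman`.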
@@ -0,0 +1,13 @@ +\chapter*{List of Symbols} +\addcontentsline{toc}{chapter}{List of Symbols} + +\begin{tabular}{ll} + $\PPT$ & Probabilistic Polynomial Time \\ + PKE & Public Key Encryption \\ + ZK & Zero-Knowledge \\ + $\SIS$ & Short Integer Solution \\ + $\LWE$ & Learning with Errors \\ + $\SIVP$ & Shortest Independent Vectors Problem \\ + $\DDH$ & Decisional Diffie-Hellman \\ + $\SXDH$ & Symmetric eXternal Diffie-Hellman +\end{tabular}
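Review bot: The new symbol list omits the pairing notation introduced in the same commit: $\GG$, $\Gh$, $\GT$ and $\Zp$ are used in sec-pairings.tex (Definition~\ref{de:pairings} and the $\DDH$/$\SXDH$ definitions) but have no entry here, whereas the lattice side lists all its problems. I would add rows such as `$\GG, \Gh, \GT$ & Pairing groups of prime order $p$ \\` and `$\Zp$ & Integers modulo $p$ \\`. The table also mixes abbreviations (PKE, ZK) with mathematical symbols; separating the two, and using `\begin{tabular}{@{}ll@{}}` to drop the outer column padding, would make the list easier to scan.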