fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modifications

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-01-27 21:27:06 +01:00
parent 2b0f6ddf53
commit 0598c398ad
6 changed files with 64 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
chap-sigmasig.tex
View File

@ -1 +1 @@
\chapter{Pairing-Based Dynamic Group Signatures} \chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig}

5
macros.tex
View File

@ -9,6 +9,10 @@
\newcommand{\GPVSample}{\textsf{GPVSample}\xspace} \newcommand{\GPVSample}{\textsf{GPVSample}\xspace}
% Assumptions/Problems % Assumptions/Problems
%% Pairings
\newcommand{\DDH}{\textsf{DDH}\xspace}
\newcommand{\SXDH}{\textsf{SXDH}\xspace}
%% Lattices
\newcommand{\SIS}{\textsf{SIS}\xspace} \newcommand{\SIS}{\textsf{SIS}\xspace}
\newcommand{\LWE}{\textsf{LWE}\xspace} \newcommand{\LWE}{\textsf{LWE}\xspace}
\newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace} \newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace}
@ -27,6 +31,7 @@
\newcommand{\CC}{\xspace\ensuremath{\mathbb{C}}\xspace} \newcommand{\CC}{\xspace\ensuremath{\mathbb{C}}\xspace}
\newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace} \newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace}
\newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace} \newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace}
%% Pairings
\newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace} \newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace}
\newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace} \newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace}
\newcommand{\Gh}{\xspace\ensuremath{\hat{\mathbb{G}}}\xspace} \newcommand{\Gh}{\xspace\ensuremath{\hat{\mathbb{G}}}\xspace}

7
main.tex
View File

@ -4,9 +4,10 @@
\usepackage[french,english]{babel} \usepackage[french,english]{babel}
%\usepackage[UKenglish]{babel} %\usepackage[UKenglish]{babel}
\usepackage[T1]{fontenc} \usepackage[T1]{fontenc}
\usepackage{libertine}
% Customization % Customization
\usepackage{libertine}
\usepackage{inconsolata}
\chapterstyle{madsen} \chapterstyle{madsen}
\usepackage{xcolor, graphicx} \usepackage{xcolor, graphicx}
@ -65,8 +66,10 @@
\cleardoublepage \cleardoublepage
\tableofcontents \tableofcontents
\input symbols
\mainmatter \mainmatter
\pagestyle{plain} \pagestyle{ruled}
\input chap-introduction \input chap-introduction

18
sec-lattices.tex
View File

@ -2,6 +2,12 @@
% \section{Lattice-Based Cryptography} % % \section{Lattice-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}
have been extensively studied~\cite{ADRS15,HK17}
\subsection{Lattices and Hard Lattice Problems} \subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems} \label{sse:lattice-problems}
@ -21,8 +27,8 @@
} }
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4); \draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4);
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5); \draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5); \draw[very thick, red!80!black, ->] (v-9-4) -- (v-19-2);
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3); \draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-2);
\foreach \i in {0,1,...,10} { \foreach \i in {0,1,...,10} {
\draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i); \draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i);
} }
@ -41,9 +47,9 @@ In the following, we work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices} \begin{definition} \label{de:qary-lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
\begin{align*} \begin{align*}
\Lambda_q(\mathbf{A}) &\triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ \Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
\Lambda_q^{\perp} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\ \Lambda_q^{\perp} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q \} \text{, and}\\
\Lambda_q^{\mathbf{u}} (\mathbf{A}) &\triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}. \Lambda_q^{\mathbf{u}} (\mathbf{A}) & \triangleq \{\mathbf{e} \in \ZZ^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q \}.
\end{align*} \end{align*}
For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $ For any lattice point $\mathbf{t} \in \Lambda_q^{\mathbf{u}} (\mathbf{A})$, it holds that $\Lambda_q^{\mathbf{u}}(\mathbf{A})=\Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$. Meaning that $\Lambda_q^{\mathbf{u}} (\mathbf{A}) $
@ -56,7 +62,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes. In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).

30
sec-pairings.tex
View File

@ -2,7 +2,13 @@
% \section{Pairing-Based Cryptography} % % \section{Pairing-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Bilinear maps} Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
%\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$: A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)] \begin{enumerate}[\quad (i)]
@ -12,4 +18,24 @@
\end{enumerate} \end{enumerate}
\end{definition} \end{definition}
In practice, pairings are computed over For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
\begin{definition}[$\DDH$] \label{de:DDH}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
\end{definition}
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
\begin{definition}[$\SXDH$]
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition}
In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).

13
symbols.tex Normal file
View File

@ -0,0 +1,13 @@
\chapter*{List of Symbols}
\addcontentsline{toc}{chapter}{List of Symbols}
\begin{tabular}{ll}
$\PPT$ & Probabilistic Polynomial Time \\
PKE & Public Key Encryption \\
ZK & Zero-Knowledge \\
$\SIS$ & Short Integer Solution \\
$\LWE$ & Learning with Errors \\
$\SIVP$ & Shortest Independent Vectors Problem \\
$\DDH$ & Decisional Diffie-Hellman \\
$\SXDH$ & Symmetric eXternal Diffie-Hellman
\end{tabular}