Modifications
parent
2b0f6ddf53
commit
0598c398ad
@ -1 +1 @@
|
||||
\chapter{Pairing-Based Dynamic Group Signatures}
|
||||
\chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig}
|
||||
|
@ -9,6 +9,10 @@
|
||||
\newcommand{\GPVSample}{\textsf{GPVSample}\xspace}
|
||||
|
||||
% Assumptions/Problems
|
||||
%% Pairings
|
||||
\newcommand{\DDH}{\textsf{DDH}\xspace}
|
||||
\newcommand{\SXDH}{\textsf{SXDH}\xspace}
|
||||
%% Lattices
|
||||
\newcommand{\SIS}{\textsf{SIS}\xspace}
|
||||
\newcommand{\LWE}{\textsf{LWE}\xspace}
|
||||
\newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace}
|
||||
@ -27,6 +31,7 @@
|
||||
\newcommand{\CC}{\xspace\ensuremath{\mathbb{C}}\xspace}
|
||||
\newcommand{\QQ}{\xspace\ensuremath{\mathbb{Q}}\xspace}
|
||||
\newcommand{\Zq}{\xspace\ensuremath{\mathbb{Z}_q}\xspace}
|
||||
%% Pairings
|
||||
\newcommand{\Zp}{\xspace\ensuremath{\mathbb{Z}_p}\xspace}
|
||||
\newcommand{\GG}{\xspace\ensuremath{\mathbb{G}}\xspace}
|
||||
\newcommand{\Gh}{\xspace\ensuremath{\hat{\mathbb{G}}}\xspace}
|
||||
|
7
main.tex
@ -4,9 +4,10 @@
|
||||
\usepackage[french,english]{babel}
|
||||
%\usepackage[UKenglish]{babel}
|
||||
\usepackage[T1]{fontenc}
|
||||
\usepackage{libertine}
|
||||
|
||||
% Customization
|
||||
\usepackage{libertine}
|
||||
\usepackage{inconsolata}
|
||||
\chapterstyle{madsen}
|
||||
|
||||
\usepackage{xcolor, graphicx}
|
||||
@ -65,8 +66,10 @@
|
||||
|
||||
\cleardoublepage
|
||||
\tableofcontents
|
||||
|
||||
\input symbols
|
||||
\mainmatter
|
||||
\pagestyle{plain}
|
||||
\pagestyle{ruled}
|
||||
|
||||
\input chap-introduction
|
||||
|
||||
|
@ -2,6 +2,12 @@
|
||||
% \section{Lattice-Based Cryptography} %
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
|
||||
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
|
||||
|
||||
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}
|
||||
have been extensively studied~\cite{ADRS15,HK17}
|
||||
|
||||
\subsection{Lattices and Hard Lattice Problems}
|
||||
\label{sse:lattice-problems}
|
||||
|
||||
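Review bot: The second paragraph added to the lattice introduction does not parse as a sentence: "lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}" runs straight into "have been extensively studied~\cite{ADRS15,HK17}" with no subject, no conjunction and no final period. Please state what has been extensively studied and close the sentence; "benefits" should also be "benefit". In the first paragraph, "fully homomorphic encryption~\cite{Gen09,GSW13} are only possible" should read "is only possible", and "in order to provide beyond encryption and signature cryptography" is missing its object (for example "to provide functionalities beyond encryption and signatures").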
@ -21,8 +27,8 @@
|
||||
}
|
||||
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-8-4);
|
||||
\draw[very thick, green!80!black, ->] (v-9-4) -- (v-9-5);
|
||||
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-15-5);
|
||||
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-3);
|
||||
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-19-2);
|
||||
\draw[very thick, red!80!black, ->] (v-9-4) -- (v-18-2);
|
||||
\foreach \i in {0,1,...,10} {
|
||||
\draw[dotted, color=black!70] (v-0-\i) -- (v-20-\i);
|
||||
}
|
||||
@ -56,7 +62,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center
|
||||
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
|
||||
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
|
||||
|
||||
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem ($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution ($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are are more suitable to design cryptographic schemes.
|
||||
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
|
||||
|
||||
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
|
||||
|
||||
|
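Review bot: The rewritten paragraph on hard lattice problems still carries the typo ``wost-case to average-case'' (it should be "worst-case"). The last sentence fixed the doubled "are are" but now reads "are ``average-case'' assumptions, are more suitable", which needs a conjunction ("assumptions and are more suitable"). The non-breaking tie was added before ($\SIVP$) and ($\SIS$) but not before ($\LWE$), and "shortest Independent Vectors Problem" is capitalised differently from the "Shortest Independent Vectors Problem" entry in symbols.tex.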
@ -2,7 +2,13 @@
|
||||
% \section{Pairing-Based Cryptography} %
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
\subsection{Bilinear maps}
|
||||
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
|
||||
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
|
||||
Multiple constructions and parameter sets coexist for pairings.
|
||||
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
|
||||
|
||||
|
||||
%\subsection{Bilinear maps}
|
||||
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
|
||||
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
|
||||
\begin{enumerate}[\quad (i)]
|
||||
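Review bot: The new introductory paragraph for pairings has wording problems that should be fixed before merge: "many constructions have been proposed for cryptographic constructions" repeats itself (suggest "many cryptographic constructions have been proposed"), "Real-world implementation are" should be "implementations are", and "recent advances in cryptanalysis makes" should be "make". The hunk also shows both \subsection{Bilinear maps} and a commented-out %\subsection{Bilinear maps} above the definition; if the heading is being dropped or moved, delete the old line rather than leaving it commented out.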
@ -12,4 +18,24 @@
|
||||
\end{enumerate}
|
||||
\end{definition}
|
||||
|
||||
In practice, pairings are computed over
|
||||
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
|
||||
|
||||
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
|
||||
|
||||
\begin{definition}[$\DDH$] \label{de:DDH}
|
||||
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
|
||||
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
|
||||
The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
|
||||
\end{definition}
|
||||
|
||||
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
|
||||
|
||||
\begin{definition}[$\SXDH$]
|
||||
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
|
||||
\end{definition}
|
||||
|
||||
In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
|
||||
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
|
||||
|
||||
This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
|
||||
For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
|
||||
|
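Review bot: In the $\DDH$ definition, "decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$" mixes types: $c$ is an exponent, so it should be sampled uniformly in $\Zp$ (or the alternative should be stated as $g^c$ uniform in $\GG$). The line "In practice, pairings are computed over" just after the pairing definition is an unfinished sentence; complete it or remove it, since the following sentence already covers elliptic curves. Smaller points: the $\SXDH$ definition has no \label while $\DDH$ has \label{de:DDH}; "is then used to defined" should be "to define"; "Diffie-Hellmann" in the last sentence should be "Diffie-Hellman"; and the closing "For instance" about Cheon's attack does not say how the $q$-Strong Diffie-Hellman problem relates to the static, non-interactive property just described, so the example does not yet connect to the claim it is meant to support.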
13
symbols.tex
Normal file
@ -0,0 +1,13 @@
|
||||
\chapter*{List of Symbols}
|
||||
\addcontentsline{toc}{chapter}{List of Symbols}
|
||||
|
||||
\begin{tabular}{ll}
|
||||
$\PPT$ & Probabilistic Polynomial Time \\
|
||||
PKE & Public Key Encryption \\
|
||||
ZK & Zero-Knowledge \\
|
||||
$\SIS$ & Short Integer Solution \\
|
||||
$\LWE$ & Learning with Errors \\
|
||||
$\SIVP$ & Shortest Independent Vectors Problem \\
|
||||
$\DDH$ & Decisional Diffie-Hellman \\
|
||||
$\SXDH$ & Symmetric eXternal Diffie-Hellman
|
||||
\end{tabular}
|
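Review bot: symbols.tex typesets the list in a plain tabular, which cannot break across pages once the list grows; longtable or a description-style list would be safer for a front-matter list. The entries are also inconsistent: PKE and ZK are typed as plain text while the other rows go through macros, and $\SIVP$ expands to \textsf{SIVP}_\gamma per its macro definition, so that row will show a $\gamma$ subscript that the description does not explain. "Learning with Errors" here is written "Learning With Errors" in the lattice chapter; pick one spelling.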