From 0882fb5238f77a29f045f8867b1589a7c9d920d7 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 15 Jun 2018 13:46:04 +0200 Subject: [PATCH] Introduction --- chap-introduction.tex | 60 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 7 deletions(-) diff --git a/chap-introduction.tex b/chap-introduction.tex index 86b3725..2385610 100644 --- a/chap-introduction.tex +++ b/chap-introduction.tex @@ -4,7 +4,7 @@ As of now, about $60\%$ of the first million most visited websites propose an im At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently. While we are reaching the Moore's law barrier, other threats exist against nowadays cryptosystems. -For instance, the eventuality of the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic implementations, which mostly rely on number-theoretic assumptions. +For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic implementations, which mostly rely on number-theoretic assumptions. In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant. To address this problem, \textit{post-quantum cryptography} arose in the early 2000s. @@ -46,14 +46,13 @@ Similarly, \textit{advanced primitives} often involve simpler building blocks in The difference lies in that provable security gives a security guarantee together with the construction. As explained before, these proofs make the security of a set of schemes to rely on hardness assumptions. Thus, the security relies on the hardness of those assumptions, which are studied independently by cryptanalysts. -Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time. -This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}. +Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}. In the context of this thesis, the cryptographic schemes we develop rely on lattices and bilinear maps over cyclic groups. Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes. The details of these two structures is given in~\cref{ch:structures}. -\subsection{Zero-knowledge Proofs} +\section{Zero-knowledge Proofs} As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs. This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden. @@ -70,7 +69,7 @@ By nature, these proofs are quite expensive in term of communication complexity. However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}. More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}. -\subsection{Signatures with Efficient Protocols} +\section{Signatures with Efficient Protocols} To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes. One of such signatures are \textit{signatures with efficient protocols}. @@ -114,7 +113,54 @@ This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Kho \subsection{Group Encryption} -Group encryption schemes are the encryption analogue of group signatures. -In this setting, a user wants to send a message to a group member, while keeping the recipient of the message hidden. +Group encryption schemes~\cite{KTY07} are the encryption analogue of group signatures. +In this setting, a user is willing to send a message to a group member, while keeping the recipient of the message hidden inside the group. +In order to keep user accountable for their actions, an opening authority is further empowered with some secret information allowing it to un-anonymize ciphertexts. + +More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) the ciphertext is well-formed and intended to some registered group member who will be able to decrypt; (2) the opening authority will be able to identify the receiver if necessary; (3) the plaintext satisfies certain properties, such as being a witness for some public relation, or the private key that underlies a given public key. +In the model of Kiayias, Tsiounis and Yung~\cite{KTY07}, the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security definitions. + +A natural application that comes up is to design a firewall to filter incoming all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware. +Furthermore, group encryption schemes are motivated by privacy applications such as anonymous trusted third party, key recovery mechanisms or oblivious retriever storage system. +In cloud storage services, group encryption enables privacy-preserving asynchronous transfers of encrypted datasets. +Namely, it allows users to archive encrypted datasets on remote servers while convincing those servers that the data is indeed intended to some anonymous certified client who has a valid account to the storage provider. +In case of suspicions on the archive's content, a judge should be able do identify the recipient of the archive. + +To tackle the problem of designing lattice-based group encryption, we needed to handle ``quadratic relations''. +Indeed, lattice-based zero-knowledge proof systems were able to handle only relations where witnesses are multiplied by a public value. +Let us recall that, in learning-with-errors schemes, an encryption have the form $\mathbf{A} \cdot \mathbf{s} + \mathbf{e} + \mathbf{m} \lceil \frac{q}{2} \rceil \bmod q$, where $\mathbf{A}$ is the recipient public-key. +As group encryption requires this public-key $\mathbf A$ to be private, a way to achieve this is to have a zero-knowledge proof system which handles relations where the witness is multiplied with a private matrix. + +We address this issue introducing new technique to handle this kind of relations. +These techniques based on a \textit{divide-and-conquer} strategy are described in~\cref{ch:ge-lwe}, as long as the construction of the group signature scheme proven fully-secure in the standard model. +This work have been presented at Asiacrypt'16~\cite{LLM+16a} and have been done with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang. \subsection{Adaptive Oblivious Transfer} + +Oblivious transfer is a primitive coined by Rabin~\cite{Rab81} and later extended by Even, Goldreich and Lempel~\cite{EGL85}. +It involves a server with a database of messages indexed from $1$ to $N$ and a receiver with a secret index $\rho$. +The protocol allows the receiver to retrieve the $\rho$-th message from the receiver without letting him infer anything on his choice. +Furthermore, the receiver only obtains the $\rho$-th message and learns nothing about the other messages. + +In its adaptive flavor~\cite{NP99}, oblivious transfer allows the receiver to interact $k$ times with the server to obtain $k$ messages in such a way that, each request may depend on the previously retrieved messages. + +From a theoretical point of view, oblivious transfer is known to be a \textit{complete building block} for cryptography in the sense that, if it can be realized, then any secure multiparty computation can be. +In its adaptive variant, oblivious transfer has applications in privacy-preserving access to sensitive databases (such as medical records or financial data) stored in an encrypted form on a remote server. + +In its basic form, (adaptive) oblivious transfer does not restrict in any way the population of users who can obtain specific records. +In many sensitive databases (e.g., DNA samples or patients' medical history), however, not all users should be able to dump the whole database. +It is thus crucial to protect the access to certain entries conditioned on the receiver holding suitable credentials delivered by authorities. +At the same time, privacy protection requires that authorized users should be able to query database records while leaking as little as possible about their interests or activities. + +This requirements is handled by extending the oblivious transfer with access control, as stated by Camenish, Dubovitskaya and Neven~\cite{CDN09}. +In this variant, each database record is protected by a different access control policy. +Based on their attributes, users can obtain credentials from pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes. +During the transfer phase, the user demonstrates, in a zero-knowledge manner, possession of an attribute string compatible with the policy of a record in the database, as well as a credential for this attribute. +The only information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain. + +To achieve this, an important property is the expressiveness of such attribute system. +In other words, the system should be able to handle complex attribute policies while keeping time and memory consumption reasonable\footnote{\textit{Reasonable} here means (probabilistic) polynomial time}. +In this thesis, we propose in~\cref{ch:ot-lwe} a zero-knowledge protocol to efficiently treat any access policy that can be described with a logarithmic depth boolean circuit based on lattices, also known as $\mathsf{NC}1$. +In the context of adaptive oblivious transfer with access control, most of the schemes (based on pairing assumptions) manage to handle the case of conjunctions under reasonable assumptions. Under strong assumptions, however, the case of $\mathsf{NC}1$ can be taken care of. + +This joint work with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang was presented at Asiacrypt'17~\cite{LLM+17}.