remove trailing space
This commit is contained in:
parent
3b2ad6a2fd
commit
26dd440889
|
|
@ -21,7 +21,7 @@ If these primitives flourish in the context of number-theory-based cryptography
|
|||
The aforementioned protocol should also verify the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
|
||||
where $s$ is called the \textit{soundness error}.
|
||||
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
|
||||
|
|
@ -33,7 +33,7 @@ If these primitives flourish in the context of number-theory-based cryptography
|
|||
|
||||
We can notice that the soundness error can be reduced by repeating the proof.
|
||||
|
||||
If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}.
|
||||
If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}.
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
|
|
@ -113,7 +113,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
|
|||
\]
|
||||
over the randomness of $\Commit$.
|
||||
\item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment,
|
||||
\[
|
||||
\[
|
||||
\Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda].
|
||||
\]
|
||||
\end{description}
|
||||
|
|
@ -129,7 +129,7 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
|
|||
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
|
||||
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
|
||||
\end{description}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ Let us now define more formally the notions of reduction and computability using
|
|||
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
|
||||
|
||||
A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
|
||||
|
||||
|
||||
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
|
||||
|
||||
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes.
|
||||
|
|
@ -222,7 +222,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
|
|||
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
|
||||
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
|
||||
\mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\
|
||||
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
|
||||
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
|
||||
;\\
|
||||
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
|
||||
\pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star)
|
||||
|
|
@ -255,7 +255,7 @@ Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which
|
|||
|
||||
For EU-CMA, the advantage of an adversary $\adv$ is defined as
|
||||
\[
|
||||
\advantage{\textrm{EU-CMA}}{\adv}(\lambda)
|
||||
\advantage{\textrm{EU-CMA}}{\adv}(\lambda)
|
||||
\triangleq
|
||||
\Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right].
|
||||
\]
|
||||
|
|
|
|||
2
main.tex
2
main.tex
|
|
@ -89,7 +89,7 @@
|
|||
\mainmatter
|
||||
\pagestyle{ruled}
|
||||
|
||||
\input chap-introduction
|
||||
\input chap-introduction
|
||||
|
||||
\part{Background}
|
||||
\label{pa:background}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
% \section{Lattice-Based Cryptography} %
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
|
||||
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
|
||||
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}.
|
||||
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography.
|
||||
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
|
||||
|
|
@ -82,9 +82,9 @@ In other words, it means that no polynomial time algorithms can solve those prob
|
|||
|
||||
\begin{definition}[The $\SIS$ and $\ISIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} \index{Lattices!Inhomogeneous \SIS}
|
||||
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$.
|
||||
The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$.
|
||||
The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$.
|
||||
|
||||
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$.
|
||||
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$.
|
||||
\end{definition}
|
||||
|
||||
Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$.
|
||||
|
|
@ -96,8 +96,8 @@ Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the
|
|||
|
||||
\begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors}
|
||||
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$.
|
||||
For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
|
||||
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow \U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
|
||||
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow \U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $\U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
|
|
@ -148,7 +148,7 @@ The following Lemma states that it is possible to efficiently compute a uniform~
|
|||
|
||||
\begin{lemma}[{\cite[Th.~3.2]{AP09}}]
|
||||
\label{le:TrapGen}
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
|
||||
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
|
||||
\end{lemma}
|
||||
|
||||
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis.
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ In the aforementioned chapter, we also rely on the following assumption, which g
|
|||
\label{de:SDL} \index{Pairings!SDL}
|
||||
In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given
|
||||
$\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
|
||||
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
|
||||
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
|
||||
\end{definition}
|
||||
|
||||
This assumption is still a static and non-interactive assumption.
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user