remove trailing space

This commit is contained in:
Fabrice Mouhartem 2018-04-10 10:32:28 +02:00
parent 3b2ad6a2fd
commit 26dd440889
5 changed files with 15 additions and 15 deletions

View File

@ -21,7 +21,7 @@ If these primitives flourish in the context of number-theory-based cryptography
The aforementioned protocol should also verify the following properties. The aforementioned protocol should also verify the following properties.
\begin{description} \begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$. \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$ $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
where $s$ is called the \textit{soundness error}. where $s$ is called the \textit{soundness error}.
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof. \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
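Review bot: the soundness clause in this hunk mixes up the parties' inputs: the cheating prover is introduced as $P^\star(x, \bar w)$, but the probability is then taken over $\langle P^\star(x), V^\star(x) \rangle$, where $V^\star$ is never defined (the honest verifier is $V$ everywhere else in the definition). Suggest `$\Pr[\langle P^\star(x, \bar w), V(x) \rangle = 1] \leq s < 1 - \negl[|x|]$`. The completeness bound also uses `\negl[|\lambda|]` while soundness uses `\negl[|x|]`; the absolute value on a security parameter is odd, so settle on one parameter (`\negl[\lambda]` or `\negl[|x|]`) for both. Minor: "should also verify the following properties" reads better as "should also satisfy the following properties".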
@ -33,7 +33,7 @@ If these primitives flourish in the context of number-theory-based cryptography
We can notice that the soundness error can be reduced by repeating the proof. We can notice that the soundness error can be reduced by repeating the proof.
If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}. If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}.
\end{definition} \end{definition}
\begin{figure} \begin{figure}
@ -113,7 +113,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
\] \]
over the randomness of $\Commit$. over the randomness of $\Commit$.
\item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment, \item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment,
\[ \[
\Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda]. \Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda].
\] \]
\end{description} \end{description}
@ -129,7 +129,7 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties. A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
\begin{description} \begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$. \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$ $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable. \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
\end{description} \end{description}
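Review bot: same inconsistency as in the interactive definition: soundness quantifies over a cheating prover $P^\star(x, \bar w)$ but the bound is stated for $P^\star(x)$; suggest `$\Pr[V(x, P^\star(x, \bar w)) = 1] < \negl[|x|]$` so the witness the prover holds is the one named in the quantifier. Style: "and V takes as inputs" leaves the verifier outside math mode, unlike $P$ in the same sentence; write `$V$`.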

View File

@ -42,7 +42,7 @@ Let us now define more formally the notions of reduction and computability using
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$. A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$. A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps. A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes. A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes.
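Review bot: grammar in the last context line of this hunk: "it eventually stops and had write at most $S(|x|)$ memory cells" should be "it eventually stops and has written to at most $S(|x|)$ memory cells". The time-complexity sentence just above is fine, so the two definitions would then read in parallel.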
@ -222,7 +222,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{ \procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\ (vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
\mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\ \mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
;\\ ;\\
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\ (m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
\pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star) \pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star)
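Review bot: nothing in this experiment shows `\ensemble{sign}` being updated, yet the return value (and the advantage defined further down) depends on its contents; state, either in the `\pcwhile` line or in the surrounding text, that each call to `\oracle{sign}{sk,\cdot}` appends the queried message (or message/signature pair) to the set. Style: the initialisation line uses `\gets` for `\mathsf{st}` but `=` for `\ensemble{sign}` (`\mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset`); use `\gets` for both.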
@ -255,7 +255,7 @@ Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which
For EU-CMA, the advantage of an adversary $\adv$ is defined as For EU-CMA, the advantage of an adversary $\adv$ is defined as
\[ \[
\advantage{\textrm{EU-CMA}}{\adv}(\lambda) \advantage{\textrm{EU-CMA}}{\adv}(\lambda)
\triangleq \triangleq
\Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right].
\] \]
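Review bot: the winning condition `\sigma^\star \notin \ensemble{sign}` tests the forged signature, not the forged message. For existential unforgeability under chosen-message attack the usual requirement is that $m^\star$ was never submitted to the signing oracle; testing the signature against the set of returned signatures is the strong-unforgeability (SUF-CMA) condition. Either change the condition to `m^\star \notin \ensemble{sign}` with `\ensemble{sign}` recording queried messages, or rename the experiment. Also, the experiment is typeset as `\Exp{\mathrm{EU-CMA}}{\adv}` in the earlier hunk but the advantage as `\advantage{\textrm{EU-CMA}}{\adv}`; pick one of `\mathrm` / `\textrm`.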

View File

@ -89,7 +89,7 @@
\mainmatter \mainmatter
\pagestyle{ruled} \pagestyle{ruled}
\input chap-introduction \input chap-introduction
\part{Background} \part{Background}
\label{pa:background} \label{pa:background}

View File

@ -2,7 +2,7 @@
% \section{Lattice-Based Cryptography} % % \section{Lattice-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography. During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}.
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography. Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography.
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
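Review bot: two grammar points in the context lines of this hunk. "fully homomorphic encryption~\cite{Gen09,GSW13} are only possible" needs a singular verb ("is only possible"), and "in order to provide beyond encryption and signature cryptography" is hard to parse; suggest "in order to provide cryptographic primitives beyond encryption and signatures". Minor: "on the first round of the NIST post-quantum competition" reads better as "in the first round".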
@ -82,9 +82,9 @@ In other words, it means that no polynomial time algorithms can solve those prob
\begin{definition}[The $\SIS$ and $\ISIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} \index{Lattices!Inhomogeneous \SIS} \begin{definition}[The $\SIS$ and $\ISIS$ problem] \label{de:sis} \index{Lattices!Short Integer Solution} \index{Lattices!Inhomogeneous \SIS}
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$.
The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$. The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$.
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$. The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$.
\end{definition} \end{definition}
Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$. Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$.
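Review bot: the only visible change in this hunk replaces `U(\Zq^{n \times m})` with `\U(\Zq^{n \times m})`, which is a macro substitution rather than the trailing-space removal announced in the commit message; please mention it in the message, and make sure `\U` is actually defined in the preamble (it is not a standard LaTeX command, and the preamble is not part of this diff), otherwise the build will break on these lines. Grammar in the last context line: "Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$" should read "Evidence ... is given by the following lemma, which reduces these problems from $\SIVP$".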
@ -96,8 +96,8 @@ Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the
\begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors} \begin{definition}[The $\LWE$ problem] \label{de:lwe} \index{Lattices!Learning With Errors}
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$.
For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow \U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow \U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $\U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition} \end{definition}
\begin{figure} \begin{figure}
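Review bot: the distribution is defined as $A_{\mathbf{s}, \chi}$ but the problem statement then refers to $\mathcal{A}_{\mathbf{s},\chi}$; the two should match, so write `$A_{\mathbf{s}, \chi}$` (or `\mathcal{A}`) in both places. Likewise the definition title uses the `\LWE` macro while the body writes `\mathsf{LWE}_{n,q,\chi}`, and sampling is written `\hookleftarrow` here but `\sample` in the $\SIS$ definition of the previous hunk; one notation for each would keep the chapter consistent. Since this hunk also touches the `\U` lines, the same remark about `\U` needing a preamble definition applies.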
@ -148,7 +148,7 @@ The following Lemma states that it is possible to efficiently compute a uniform~
\begin{lemma}[{\cite[Th.~3.2]{AP09}}] \begin{lemma}[{\cite[Th.~3.2]{AP09}}]
\label{le:TrapGen} \label{le:TrapGen}
There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$. There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$, $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such that~$\mathbf{A}$ is within statistical distance~$2^{-\Omega(n)}$ to~$\U(\ZZ_q^{n \times m})$, and~$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \bigO(\sqrt{n \log q})$.
\end{lemma} \end{lemma}
\noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis. \noindent Lemma~\ref{le:TrapGen} is often combined with the sampler from Lemma~\ref{le:GPV}. Micciancio and Peikert~\cite{MP12} proposed a more efficient approach for this combined task, which is to be be preferred in practice but, for the sake of simplicity, schemes are presented using $\TrapGen$ and $\GPVSample$ in this thesis.
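Review bot: duplicated word in the last context line: "which is to be be preferred in practice" should be "which is to be preferred in practice". The `\U` substitution in the lemma statement is subject to the same preamble check as the earlier hunks.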

View File

@ -45,7 +45,7 @@ In the aforementioned chapter, we also rely on the following assumption, which g
\label{de:SDL} \index{Pairings!SDL} \label{de:SDL} \index{Pairings!SDL}
In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given
$\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$ $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{definition} \end{definition}
This assumption is still a static and non-interactive assumption. This assumption is still a static and non-interactive assumption.
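Review bot: style only: `\emph {Symmetric Discrete Logarithm}` carries a stray space between the command and its argument; write `\emph{Symmetric Discrete Logarithm}` as elsewhere in the chapter. The empty superscripts in `\GT^{}`, `\ZZ_p^{}` and `\bigl(\GG \times \Gh\bigr)^2_{}` look like a spacing hack; if they are intentional, a one-line comment in the source saying so would save the next reader from "fixing" them.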