From 280d99008bec3901f84cbb38332145fb822c0d84 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Wed, 4 Apr 2018 18:46:37 +0200 Subject: [PATCH] Add french TOC and ZK part --- abstract.tex | 2 + acknowledgements.tex | 3 ++ chap-GS-LWE.tex | 1 + chap-ZK.tex | 91 +++++++++++++++++++++++++++++++++++++++++++ chap-conclusion.tex | 1 + chap-introduction.tex | 1 + chap-proofs.tex | 8 +++- chap-sigmasig.tex | 1 + chap-structures.tex | 3 ++ fig-lwe-sis.tex | 37 ++++++++++++++++++ frtoc.tex | 11 ++++++ garde.tex | 4 +- macros.tex | 5 +++ main.tex | 13 ++++++- sec-lattices.tex | 17 ++++++-- sec-pairings.tex | 4 +- symbols.tex | 4 ++ these.bib | 8 ++++ 18 files changed, 203 insertions(+), 11 deletions(-) create mode 100644 fig-lwe-sis.tex create mode 100644 frtoc.tex diff --git a/abstract.tex b/abstract.tex index 551c0db..38c6747 100644 --- a/abstract.tex +++ b/abstract.tex @@ -1,6 +1,7 @@ % vim: spl=fr \chapter*{Résumé} \addcontentsline{toc}{chapter}{Résumé} +\addcontentsline{tof}{chapter}{Résumé} \begin{otherlanguage}{french} Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée. @@ -21,3 +22,4 @@ {\Huge \textbf{\textsf{Abstract}}} \flushleftright \addcontentsline{toc}{chapter}{Abstract} +\addcontentsline{tof}{chapter}{Résumé en anglais} diff --git a/acknowledgements.tex b/acknowledgements.tex index 76daa30..b148bcd 100644 --- a/acknowledgements.tex +++ b/acknowledgements.tex @@ -1,6 +1,9 @@ \thispagestyle{empty} \chapter*{Remerciements} \addcontentsline{toc}{chapter}{Remerciements} +\addcontentsline{tof}{chapter}{Remerciements} + +Merci. \begin{otherlanguage}{french} \end{otherlanguage} diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex index 7032ea7..af43d34 100644 --- a/chap-GS-LWE.tex +++ b/chap-GS-LWE.tex @@ -1 +1,2 @@ \chapter{Lattice-Based Dynamic Group Signatures} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens} 
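Review bot: The placeholder `Merci.` added to acknowledgements.tex sits before the `\begin{otherlanguage}{french}` block instead of inside it, so this French text is typeset under the document's English hyphenation and punctuation rules while the French environment that follows stays empty. Either move the text inside `\begin{otherlanguage}{french} … \end{otherlanguage}` or leave the stub out until the acknowledgements are written, so a draft marker does not reach the front matter of the PDF.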
diff --git a/chap-ZK.tex b/chap-ZK.tex
index 03921fd..4965ce5 100644
--- a/chap-ZK.tex
+++ b/chap-ZK.tex
@@ -1,5 +1,96 @@
 \chapter{Zero-Knowledge Arguments}
+\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
+
+A \textit{zero-knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover has the insurance that the verifier does not learn anything more that the authenticity of the statement.
+
+One of the early applications of ZK proofs in cryptography was for identification systems~\cite{FS86}.
+The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
+Since then, the use of zero-knowledge proofs is now widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
+
+If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world. In this section, we focus on presenting the different proofs systems in pairing and lattice-based cryptography.
+
+\section{Definitions}
+\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
+
+
+\begin{definition}[Zero-knowledge proofs and arguments]
+ \label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
+ Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation.
+ A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
+ This is written as $\langle P(x,w) , V(x) \rangle = b$.
+ The aforementioned protocol should also verify the following properties.
+ \begin{description}
+ \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
+ \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
+ $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
+ where $s$ is called the \textit{soundness error}.
+ \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
+ There exists a $\ppt$ simulator $S$ such that for all $\ppt$ algorithm $V^\star$,
+ $\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
+ \end{description}
+
+ If in the soundness definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
+
+ We can notice that the soundness error can be reduced by repeating the proof.
+\end{definition}
+
+\begin{figure}
+ \centering
+ \footnotesize
+ \begin{tabular}{ccc}
+ $P(x,w)$ & & $V(x)$\\
+ \hline
+ $(\cmt, \mathsf{st}_P) \gets P_1(x,w)$ & & \\
+ & $\xrightarrow{\mathmakebox[2cm]{\cmt}}$ & \\
+ & & $(\chall, \mathsf{st}_V) \gets V_1(x, \cmt)$ \\
+ & $\xleftarrow{\mathmakebox[2cm]{\chall}}$ & \\
+ $\rsp \gets P_2(x,w,\chall, \mathsf{st}_P)$ & & \\
+ & $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
+ & & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
+ \end{tabular}
+ \caption{$\Sigma$-protocol} \label{fig:sigma}
+\end{figure}
+
+Zero-knowledge proofs also exists in a non-interactive version.
+
+\begin{definition}[Non Interactive Zero Knowledge]
+ \index{Zero Knowledge!NIZK}
+ \label{de:nizk-proofs}
+ A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
+ \begin{description}
+ \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
+ \item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
+ $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
+ \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
+ \end{description}
+\end{definition}
+
+In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This techniques is called the Fiat-Shamir transform.
+
+\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
+ \index{Zero Knowledge!Fiat-Shamir Transform}
+ Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
+
+ Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
+ \begin{enumerate}
+ \item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
+ \item Generate the challenge as $\chall \gets \mathcal H(\cmt)$;
+ \item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
+ \item Return the proof $\pi = (\cmt, \rsp)$.
+ \end{enumerate} + + And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$: + \begin{enumerate} + \item Parse $\pi$ as $(\cmt, \rsp)$; + \item Generate the challenge $\chall = \mathcal H(\cmt)$; + \item Return $V_2(x, \chall, \rsp, \emptyset)$. + \end{enumerate} + + Then $(\hat P, \hat V)$ forms a non-interactive zero-knowledge proof in the \ROM. +\end{definition} \section{Schnorr Proofs} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr} \section{Stern-like Proofs} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern} diff --git a/chap-conclusion.tex b/chap-conclusion.tex index adcd79a..e569c97 100644 --- a/chap-conclusion.tex +++ b/chap-conclusion.tex @@ -1,2 +1,3 @@ \chapter*{Conclusion} \addcontentsline{toc}{part}{Conclusion} +\addcontentsline{tof}{part}{Conclusion} diff --git a/chap-introduction.tex b/chap-introduction.tex index a81b272..f9936ee 100644 --- a/chap-introduction.tex +++ b/chap-introduction.tex @@ -1,2 +1,3 @@ \chapter{Introduction} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction} diff --git a/chap-proofs.tex b/chap-proofs.tex index ce3a9b6..f6d90bb 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -1,4 +1,5 @@ \chapter{Security Proofs in Cryptography} \label{ch:proofs} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Les preuves de sécurité en cryptographie} Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model. To illustrate this notion, let us take the example of public-key encryption schemes. 
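Review bot: The Fiat-Shamir definition derives the challenge as `\chall \gets \mathcal H(\cmt)` in both $\hat P$ and $\hat V$, so the statement $x$ is never bound into the challenge; for the signature-style uses this thesis builds on it, the hash should cover the statement too, `\item Generate the challenge as $\chall \gets \mathcal H(x, \cmt)$;` (and the matching step of $\hat V$), because hashing the commitment alone is the variant that admits attacks whenever a cheating prover may choose $x$ after fixing $\cmt$. The same definition only needs the underlying protocol to be honest-verifier zero-knowledge with a super-polynomially large challenge space, which is worth stating instead of "three-round zero-knowledge proof" since the result is only argued in the ROM. In Definition de:zk-proof the soundness experiment should run the honest verifier, `$\Pr[\langle P^\star(x), V(x) \rangle = 1] \leq s`, not `V^\star`, and completeness uses `\negl[|\lambda|]` where every other bound in the hunk uses `\negl[|x|]`. Wording: "insurance" → "assurance", "anything more that" → "anything more than", "also exists" → "also exist", "This techniques" → "This technique".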
@@ -17,6 +18,7 @@ Then we will define these security models. % Security Reductions % %%%%%%%%%%%%%%%%%%%%%%% \section{Security Reductions} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Réductions de sécurité} Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}. The name ``reduction'' comes from computational complexity. @@ -129,9 +131,9 @@ To illustrate this, let us consider the two following assumptions: \end{definition} \begin{restatable}[Decisional Diffie-Hellman]{definition}{defDDH} - \index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH} + \index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH} Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. - Given the tuple $(g, g_1^{}, g_2^{}, g_3^{}) = (g, g^a_{}, g^b{}, g^c_{}) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$. + Given the tuple $\bigl(g, g_1^{}, g_2^{}, g_3^{}\bigr) = \bigl(g, g^a_{}, g^b{}, g^c_{}\bigr) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$. The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm. \end{restatable} @@ -157,6 +159,7 @@ In other words, the context in which the proofs are made. This is the topic of the next section. \section{Random-Oracle Model and Standard Model} \label{se:models} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Modèle de l'oracle aléatoire et modèle standard} The most general model to do security proofs is the \textit{standard model}. In this model, nothing special is assumed, and every assumptions are explicit. 
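Review bot: In the DDH definition reformatted in this hunk, `$c$ is sampled uniformly in $\GG$` confuses the exponent with the group element: $c$ plays the same role as $a$ and $b$ in $g^a, g^b, g^c$, so the line should read `the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\ZZ_p$` (equivalently, whether $g_3$ is uniform in $\GG$). Since the line is already being touched to change the delimiters, this is the moment to correct it. The enclosing `restatable` environment begins inside the hunk but the sampling of $a$ and $b$ is not spelled out there, so their domain is inferred from the group order $p$ given on the previous line.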
@@ -194,6 +197,7 @@ We now have defined the security structure on which we are working on and the ba The following section explains how to define the security of a cryptographic primitive. \section{Security Games and Simulation-Based Security} \label{se:games-sim} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves par jeux et preuves par simulation} Up to now, we defined the structure on which security proofs works. Let us now define what we are proving. An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions. diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 9a2f503..b24b212 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex @@ -1 +1,2 @@ \chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages} diff --git a/chap-structures.tex b/chap-structures.tex index 522c36b..ebb3672 100644 --- a/chap-structures.tex +++ b/chap-structures.tex @@ -1,4 +1,5 @@ \chapter{Underlying Structures} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Structures sous-jacentes} \label{ch:structures} In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}. @@ -16,11 +17,13 @@ An example is the multiplicative homomorphism of the ElGamal cryptosystem which In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices. \section{Pairing-Based Cryptography} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage} \label{se:pairing} \input sec-pairings \section{Lattice-Based Cryptography} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de réseaux euclidiens} \label{se:lattices} \input sec-lattices 
diff --git a/fig-lwe-sis.tex b/fig-lwe-sis.tex
new file mode 100644
index 0000000..a6a511a
--- /dev/null
+++ b/fig-lwe-sis.tex
@@ -0,0 +1,37 @@
+\medskip
+\hfill
+\begin{minipage}[t]{.45\textwidth}
+ \textbf{$\LWE_{n,q,\chi}$ problem:}\\Given $m \geq 1$, \\[.5em]
+ $\left(
+ \begin{tikzpicture}
+ \tikzstyle{matA}=[fill=blue!10]
+ \tikzstyle{vecS}=[color=red!70!black]
+ \tikzstyle{vecE}=[color=orange!70!black]
+ \path[use as bounding box] (-2.1, .5) rectangle (2.4, 1.8);
+ \draw[matA, xshift=-2cm, yshift=.5cm] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
+ \node at (-.2, .75) {$,$};
+ \draw[matA] (0,0) rectangle node {$\mathbf{A}^T_{}$} (1,1.5);
+ \draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf s$} ++(0, -1);
+ \node at (1.8, .75) {$+$};
+ \draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf e$} ++ (0, -1.5);
+ \end{tikzpicture}
+ \right)$\\[.5em]
+ $\in \Zq^{n \times m} \times \Zq^{m}$,
+ find $\textcolor{red!70!black}{\mathbf{s}} \in \Zq^n.$
+\end{minipage} \hfill
+\begin{minipage}[t]{.4\textwidth}
+ \textbf{$\SIS_{n,m,q,\beta}$ problem:}\\Given\\[.5em]
+ $\tikz[baseline=.3cm]{ \draw[fill=blue!10] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); } \in \Zq^{n \times m},$
+ find $\textcolor{red!70!black}{\mathbf x} \in \ZZ^m_{}$ such that\\[.5em]
+ $\begin{tikzpicture}[baseline=.25cm]
+ \tikzstyle{matA}=[fill=blue!10]
+ \tikzstyle{vecX}=[color=red!70!black]
+ \draw[matA] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
+ \draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf x$} ++ (0, -1.5);
+ \node at (2.4, .25) {$=$};
+ \draw[|-|] (2.8, 1) -- node[right] {$\mathbf 0^n$} ++ (0, -1);
+ \end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf x}\| \leq \beta$.
+\end{minipage}
+\hfill
+\medskip
+
diff --git a/frtoc.tex b/frtoc.tex
new file mode 100644
index 0000000..15a2a6d
--- /dev/null
+++ b/frtoc.tex
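Review bot: `\tikzstyle` is the deprecated pre-TikZ-2 interface, and the new file repeats the `matA` style, the `fill=blue!10` and the `red!70!black` colour across the two `tikzpicture`s, the inline `\tikz`, and the `\textcolor` calls, so the LWE and SIS panels will drift apart the first time one of them is edited. Define them once at the top of the file, `\tikzset{matA/.style={fill=blue!10}, vecS/.style={color=red!70!black}, vecE/.style={color=orange!70!black}}` together with `\colorlet{secretcol}{red!70!black}` used by both `\textcolor` and `vecS`/`vecX`, and drop the per-picture copies. A one-line `%` comment at the top saying that the left panel depicts $\mathbf A^T\mathbf s + \mathbf e$ (the search form of LWE) would also help, since the figure is included next to the decisional definition in sec-lattices.tex.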
@@ -0,0 +1,11 @@ +\makeatletter +\newcommand\frenchtableofcontents{% + \selectlanguage{french}% + \chapter*{\contentsname + \@mkboth{% + \MakeUppercase\contentsname}{\MakeUppercase\contentsname}}% + \@starttoc{tof}% + \addcontentsline{tof}{chapter}{\contentsname} + \selectlanguage{english}% + } + \makeatother diff --git a/garde.tex b/garde.tex index 938b726..c725314 100644 --- a/garde.tex +++ b/garde.tex @@ -75,9 +75,9 @@ Devant le jury composé de : %\bigskip -\textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology \hfill Rapporteure +\textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology (Madras, Inde) \hfill Rapporteur -Nom Prénom, grade/qualité, établissement/entreprise \hfill Rapporteur +\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur Nom Prénom, grade/qualité, établissement/entreprise \hfill Examinateur diff --git a/macros.tex b/macros.tex index 3381963..2620229 100644 --- a/macros.tex +++ b/macros.tex @@ -17,6 +17,11 @@ \newcommand{\NIZK}{\textsf{NIZK}\xspace} \newcommand{\PKE}{\textsf{PKE}\xspace} \newcommand{\OT}{\textsf{OT}\xspace} +%% ZK +\newcommand{\trans}{\textsf{trans}\xspace} +\newcommand{\cmt}{\textsf{cmt}\xspace} +\newcommand{\chall}{\textsf{chall}\xspace} +\newcommand{\rsp}{\textsf{response}\xspace} % Assumptions/Problems %% Pairings diff --git a/main.tex b/main.tex index 0320e0d..62ad337 100644 --- a/main.tex +++ b/main.tex @@ -35,7 +35,7 @@ \setlength{\parskip}{5pt} \usepackage{enumerate} -\usepackage{amsmath, amssymb, mathrsfs} +\usepackage{amsmath, amssymb, mathrsfs, mathtools} \usepackage{amsthm} % For theorem style \usepackage{thmtools} \usepackage{thm-restate} @@ -54,6 +54,7 @@ \usepackage{pdfpages} \usepackage{xspace} +\input frtoc \input macros \title{Privacy-preserving cryptography from pairings and lattices} @@ -78,6 +79,8 @@ \input acknowledgements +\cleardoublepage +\frenchtableofcontents \cleardoublepage \tableofcontents 
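Review bot: In `\frenchtableofcontents` the `\addcontentsline{tof}{chapter}{\contentsname}` comes after `\@starttoc{tof}`, so the entry is written with the page number of the last page of the French table of contents rather than its first, and it only appears on the following LaTeX run; moving it directly after the `\chapter*{...}` line (preceded by `\phantomsection` if hyperref is loaded, which is not visible in this hunk) fixes both. Note that `\contentsname` is expanded when the `.tof` line is written, so the entry is French only because `\selectlanguage{french}` is still active at that point; a comment, `% written while french is selected so the entry reads "Table des matières"`, would stop someone from reordering the `\selectlanguage` calls.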
@@ -88,6 +91,9 @@ \input chap-introduction \part{Background} +\label{pa:background} +\addcontentsline{tof}{part}{\protect\numberline{\thepart} Préliminaires} + \input chap-proofs \input chap-structures @@ -96,12 +102,14 @@ \part{Group Signatures and Anonymous Credentials} \label{pa:gs-ac} +\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes} \input chap-sigmasig \input chap-GS-LWE \part{Group Encryption and Adaptive Oblivious Transfer} +\addcontentsline{tof}{part}{\protect\numberline{\thepart} Chiffrement de groupe et transfert inconscient adaptatif} \input chap-GE-LWE @@ -111,8 +119,11 @@ \bibliographystyle{alphaabbr} \bibliography{these.bib} +\addcontentsline{tof}{part}{Bibliographie} \printindex +\addcontentsline{tof}{part}{Index en anglais} \backmatter \listoffigures +\addcontentsline{tof}{part}{Liste des figures} \end{document} % vim: spl=en diff --git a/sec-lattices.tex b/sec-lattices.tex index 5c725a4..f3bbdc3 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -14,6 +14,7 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp \subsection{Lattices and Hard Lattice Problems} \label{sse:lattice-problems} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Réseaux euclidiens et problèmes difficiles} \begin{figure} \centering 
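Review bot: Each `\addcontentsline{tof}{part}{...}` placed after `\bibliography{these.bib}`, `\printindex` and `\listoffigures` records the page on which that block ends, so the French TOC will point at the last page of the bibliography, index and list of figures instead of their first pages (and, with hyperref, the link targets will land there too). Put each entry before the command it names, after a page break, e.g. `\cleardoublepage\phantomsection\addcontentsline{tof}{part}{Bibliographie}` immediately followed by `\bibliography{these.bib}`, and likewise for `Index en anglais` and `Liste des figures`. Whether the English `toc` entries for these blocks are produced by the class or added the same way is outside this hunk, but if they are added manually the same ordering applies.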
@@ -57,7 +58,7 @@ In order to work with lattices in cryptography, hard lattice problems have to be This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important as those are ``worst-case to average-case'' reductions. -In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs. +In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs. On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes. In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). 
@@ -74,7 +75,7 @@ This leads us to the $\SIVP$ problem, which is finding a set of sufficiently sho For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$. \end{definition} -As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting. +As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}. In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard. %As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively. 
@@ -93,6 +94,13 @@ For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribut The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. \end{definition} +\begin{figure} + \centering + \input fig-lwe-sis + \caption{Illustration of the LWE and SIS problems.} + \label{fig:lwe-sis} +\end{figure} + If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}). % (see~\cite{Pei09,BLPRS13} for classical analogues). 
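Review bot: Figure fig:lwe-sis, inserted right below the $\mathsf{LWE}_{n,q,\chi}$ definition, asks to "find $\mathbf s$", i.e. the search variant, while the definition it sits under is the decisional one (distinguish $m$ samples of $\mathcal A_{\mathbf s,\chi}$ from uniform), so the reader is handed two different statements of the same assumption on one page. Either caption the figure as the search problem, `\caption{Illustration of the (search) LWE and SIS problems.}`, or add one sentence after the definition noting that search and decision LWE are equivalent for the parameters used here, with the reference already cited for the SIVP reduction. The SIS definition that the right panel illustrates is outside this hunk.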
@@ -101,17 +109,18 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \subsection{Lattice Trapdoors} \label{sse:lattice-trapdoors} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Trappes d'un réseau euclidien} In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''. A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice. The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}. The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time. -Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$. +Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (statistically close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$. Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$. Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice. -\scbf{Notation.} Given a matrix $\mathbf{A}$, let $\widetilde{\mathbf{A}}$ be the Gram-Schmidt orthogonalization of $\mathbf{A}$. +\scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$. \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \label{le:GPV} diff --git a/sec-pairings.tex b/sec-pairings.tex index b9eb309..1438f43 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex 
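Review bot: The context sentence `a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$ ... is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$` bounds an $m$-dimensional vector by $\sigma\sqrt{n}$; the Gaussian tail bound for $\Lambda^\perp_q(\mathbf A) \subset \ZZ^m$ gives $\|\mathbf x\| \leq \sigma\sqrt{m}$, so this looks like it should be `$\SIS_{n,m,q,\sigma \sqrt{m}}$` — please check against le:small, which is not in this hunk. A Gaussian sample can also be $\mathbf 0$, which SIS excludes, so "is a solution" should read "is, with overwhelming probability, a non-zero solution". The new "(statistically close to) uniform" wording is an improvement; le:TrapGen itself lies outside the hunk, so the statistical-distance claim is taken on trust here.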
@@ -43,8 +43,8 @@ In the aforementioned chapter, we also rely on the following assumption, which g \begin{definition}[$\SDL$] \label{de:SDL} \index{Pairings!SDL} - In bilinear groups $(\GG,\Gh,\GT^{})$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given - $(g,\hat{g},g^a,\hat{g}^a) \in \GG \times \Gh$ + In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given + $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$ where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. \end{definition} diff --git a/symbols.tex b/symbols.tex index 710f8c3..7285a61 100644 --- a/symbols.tex +++ b/symbols.tex @@ -1,11 +1,15 @@ \chapter*{List of Symbols} \addcontentsline{toc}{chapter}{List of Symbols} +\addcontentsline{tof}{chapter}{Liste des symboles et abréviations} \begin{tabular}{ll} \multicolumn{2}{l}{\scbf{General Notations}} \\ TM & Turing Machine \\ $\ppt$ & Probabilistic Polynomial Time \\ $\epsilon$ & empty word \\ + $\mathbf A$ & bold uppercase letters represent matrices\\ + $\mathbf b$ & bold lowercase letters represent vectors\\ + $\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\ [1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\ $\PKE$ & Public Key Encryption \\ $\ZK$ & Zero-Knowledge \\ diff --git a/these.bib b/these.bib index 654296b..a47549c 100644 --- a/these.bib +++ b/these.bib @@ -2449,4 +2449,12 @@ publisher = {Springer}, } +@InProceedings{Blu86, + author = {Blum, Manuel}, + title = {How to prove a theorem so no one else can claim it}, + booktitle = {International Congress of Mathematicians}, + year = {1986}, + pages = {1444--1451}, +} + @Comment{jabref-meta: databaseType:bibtex;}