Add french TOC and ZK part

This commit is contained in:
Fabrice Mouhartem 2018-04-04 18:46:37 +02:00
parent 46d6a19111
commit 280d99008b
18 changed files with 203 additions and 11 deletions

View File

@ -1,6 +1,7 @@
% vim: spl=fr % vim: spl=fr
\chapter*{Résumé} \chapter*{Résumé}
\addcontentsline{toc}{chapter}{Résumé} \addcontentsline{toc}{chapter}{Résumé}
\addcontentsline{tof}{chapter}{Résumé}
\begin{otherlanguage}{french} \begin{otherlanguage}{french}
Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée. Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
@ -21,3 +22,4 @@
{\Huge \textbf{\textsf{Abstract}}} {\Huge \textbf{\textsf{Abstract}}}
\flushleftright \flushleftright
\addcontentsline{toc}{chapter}{Abstract} \addcontentsline{toc}{chapter}{Abstract}
\addcontentsline{tof}{chapter}{Résumé en anglais}

View File

@ -1,6 +1,9 @@
\thispagestyle{empty} \thispagestyle{empty}
\chapter*{Remerciements} \chapter*{Remerciements}
\addcontentsline{toc}{chapter}{Remerciements} \addcontentsline{toc}{chapter}{Remerciements}
\addcontentsline{tof}{chapter}{Remerciements}
Merci.
\begin{otherlanguage}{french} \begin{otherlanguage}{french}
\end{otherlanguage} \end{otherlanguage}
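Review bot: the placeholder `Merci.` is typeset outside the `otherlanguage{french}` environment that immediately follows it, so it gets English hyphenation and punctuation spacing while the environment itself stays empty. Move the text inside: `\begin{otherlanguage}{french}` / `Merci.` / `\end{otherlanguage}`.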

View File

@ -1 +1,2 @@
\chapter{Lattice-Based Dynamic Group Signatures} \chapter{Lattice-Based Dynamic Group Signatures}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens}
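Review bot: adjective agreement in the French entry: `dynamique` qualifies `Signatures`, so it must be plural, `Signatures de groupe dynamiques à base de réseaux euclidiens`; the pairing-based chapter title has the same slip.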

View File

@ -1,5 +1,96 @@
\chapter{Zero-Knowledge Arguments} \chapter{Zero-Knowledge Arguments}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
A \textit{zero-knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover has the insurance that the verifier does not learn anything more that the authenticity of the statement.
One of the early applications of ZK proofs in cryptography was for identification systems~\cite{FS86}.
The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
Since then, the use of zero-knowledge proofs is now widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world. In this section, we focus on presenting the different proofs systems in pairing and lattice-based cryptography.
\section{Definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
\begin{definition}[Zero-knowledge proofs and arguments]
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation.
A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
This is written as $\langle P(x,w) , V(x) \rangle = b$.
The aforementioned protocol should also verify the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
where $s$ is called the \textit{soundness error}.
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
There exists a $\ppt$ simulator $S$ such that for all $\ppt$ algorithm $V^\star$,
$\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
\end{description}
If in the soundness definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
We can notice that the soundness error can be reduced by repeating the proof.
\end{definition}
\begin{figure}
\centering
\footnotesize
\begin{tabular}{ccc}
$P(x,w)$ & & $V(x)$\\
\hline
$(\cmt, \mathsf{st}_P) \gets P_1(x,w)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\cmt}}$ & \\
& & $(\chall, \mathsf{st}_V) \gets V_1(x, \cmt)$ \\
& $\xleftarrow{\mathmakebox[2cm]{\chall}}$ & \\
$\rsp \gets P_2(x,w,\chall, \mathsf{st}_P)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
& & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
\end{tabular}
\caption{$\Sigma$-protocol} \label{fig:sigma}
\end{figure}
Zero-knowledge proofs also exists in a non-interactive version.
\begin{definition}[Non Interactive Zero Knowledge]
\index{Zero Knowledge!NIZK}
\label{de:nizk-proofs}
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
\end{description}
\end{definition}
In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This techniques is called the Fiat-Shamir transform.
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform}
Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
\begin{enumerate}
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
\item Generate the challenge as $\chall \gets \mathcal H(\cmt)$;
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
\item Return the proof $\pi = (\cmt, \rsp)$.
\end{enumerate}
And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
\begin{enumerate}
\item Parse $\pi$ as $(\cmt, \rsp)$;
\item Generate the challenge $\chall = \mathcal H(\cmt)$;
\item Return $V_2(x, \chall, \rsp, \emptyset)$.
\end{enumerate}
Then $(\hat P, \hat V)$ forms a non-interactive zero-knowledge proof in the \ROM.
\end{definition}
\section{Schnorr Proofs} \section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
\section{Stern-like Proofs} \section{Stern-like Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}
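Review bot: the soundness clauses quantify over the wrong statements and the wrong verifier. As written, `\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,` lets $x$ be a true statement that has some valid witness, and an unbounded $P^\star$ is free to compute that witness, so no bound can hold; soundness has to be stated for $x$ with no witness at all (outside the language of $R$), the interaction should be with the honest verifier $V$ rather than `$V^\star$`, and `$P^\star(x, \bar w)$` versus `$P^\star(x)$` should agree (same remarks for the NIZK definition). The bound `$\leq s < 1 - \negl[|x|]$` also mixes the soundness error with a negligible term; the usual statement is a constant $s<1$ (or $s$ negligible), and completeness uses `\negl[|\lambda|]` in the interactive definition but `\negl[|x|]` in the non-interactive one. Using $\mathcal R$ for the witness space next to $R$ for the relation, and $\mathcal L$ for the statement space rather than the language, invites confusion. In the Fiat-Shamir construction the challenge `\chall \gets \mathcal H(\cmt)` should bind the statement as well, `\chall \gets \mathcal H(x, \cmt)`: hashing only the commitment is the weak variant, under which a Schnorr proof $(\cmt, z)$ for $y$ turns into a valid proof $(\cmt, z + \chall\cdot\delta)$ for $y g^\delta$, which defeats the non-malleability the group-signature and e-voting applications mentioned above rely on. The transform also needs $(P,V)$ to be a $\Sigma$-protocol that is honest-verifier zero-knowledge with a challenge space of super-polynomial size, which the hypothesis "three-round zero-knowledge proof" does not say; stating it as a theorem with those hypotheses would be clearer than as a definition. The remark that the soundness error "can be reduced by repeating the proof" should say sequentially, since parallel repetition does not preserve zero-knowledge in general. Typos: "the insurance" → "the assurance", "anything more that" → "anything more than", "proofs systems" → "proof systems", "This techniques is called" → "This technique is called", "If these primitives flourish" → "While these primitives flourish".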

View File

@ -1,2 +1,3 @@
\chapter*{Conclusion} \chapter*{Conclusion}
\addcontentsline{toc}{part}{Conclusion} \addcontentsline{toc}{part}{Conclusion}
\addcontentsline{tof}{part}{Conclusion}

View File

@ -1,2 +1,3 @@
\chapter{Introduction} \chapter{Introduction}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}

View File

@ -1,4 +1,5 @@
\chapter{Security Proofs in Cryptography} \label{ch:proofs} \chapter{Security Proofs in Cryptography} \label{ch:proofs}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Les preuves de sécurité en cryptographie}
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model. Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
To illustrate this notion, let us take the example of public-key encryption schemes. To illustrate this notion, let us take the example of public-key encryption schemes.
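Review bot: the other French entries carry no article (`Réductions de sécurité`, `Arguments à divulgation nulle de connaissance`, `Structures sous-jacentes`), so for consistency drop it here too: `Preuves de sécurité en cryptographie`.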
@ -17,6 +18,7 @@ Then we will define these security models.
% Security Reductions % % Security Reductions %
%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%
\section{Security Reductions} \section{Security Reductions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Réductions de sécurité}
Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}. Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}.
The name ``reduction'' comes from computational complexity. The name ``reduction'' comes from computational complexity.
@ -129,9 +131,9 @@ To illustrate this, let us consider the two following assumptions:
\end{definition} \end{definition}
\begin{restatable}[Decisional Diffie-Hellman]{definition}{defDDH} \begin{restatable}[Decisional Diffie-Hellman]{definition}{defDDH}
\index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman} \label{de:DDH}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given the tuple $(g, g_1^{}, g_2^{}, g_3^{}) = (g, g^a_{}, g^b{}, g^c_{}) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$. Given the tuple $\bigl(g, g_1^{}, g_2^{}, g_3^{}\bigr) = \bigl(g, g^a_{}, g^b{}, g^c_{}\bigr) \in \GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$.
The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm. The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm.
\end{restatable} \end{restatable}
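Review bot: since this line is being reworked anyway, two fixes: `g^b{}` should be `g^b_{}` like the neighbouring exponents (the empty group is harmless but inconsistent), and in the DDH tuple `c` is an exponent, so the decision is whether `c = ab` or `c` is uniform in $\ZZ_p$; "sampled uniformly in $\GG$" describes $g_3$, not $c$.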
@ -157,6 +159,7 @@ In other words, the context in which the proofs are made.
This is the topic of the next section. This is the topic of the next section.
\section{Random-Oracle Model and Standard Model} \label{se:models} \section{Random-Oracle Model and Standard Model} \label{se:models}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Modèle de l'oracle aléatoire et modèle standard}
The most general model to do security proofs is the \textit{standard model}. The most general model to do security proofs is the \textit{standard model}.
In this model, nothing special is assumed, and every assumptions are explicit. In this model, nothing special is assumed, and every assumptions are explicit.
@ -194,6 +197,7 @@ We now have defined the security structure on which we are working on and the ba
The following section explains how to define the security of a cryptographic primitive. The following section explains how to define the security of a cryptographic primitive.
\section{Security Games and Simulation-Based Security} \label{se:games-sim} \section{Security Games and Simulation-Based Security} \label{se:games-sim}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves par jeux et preuves par simulation}
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving. Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions. An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.

View File

@ -1 +1,2 @@
\chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig} \chapter{Pairing-Based Dynamic Group Signatures} \label{ch:sigmasig}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
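Review bot: same agreement fix as in the lattice chapter: `Signatures de groupe dynamiques à base de couplages`.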

View File

@ -1,4 +1,5 @@
\chapter{Underlying Structures} \chapter{Underlying Structures}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Structures sous-jacentes}
\label{ch:structures} \label{ch:structures}
In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}. In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}.
@ -16,11 +17,13 @@ An example is the multiplicative homomorphism of the ElGamal cryptosystem which
In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices. In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices.
\section{Pairing-Based Cryptography} \section{Pairing-Based Cryptography}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage}
\label{se:pairing} \label{se:pairing}
\input sec-pairings \input sec-pairings
\section{Lattice-Based Cryptography} \section{Lattice-Based Cryptography}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de réseaux euclidiens}
\label{se:lattices} \label{se:lattices}
\input sec-lattices \input sec-lattices
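Review bot: `Cryptographie à base de couplage` is singular while the chapter entry for the pairing-based group signatures uses `à base de couplages`; pick one (the plural matches the lattice entry `à base de réseaux euclidiens`).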

fig-lwe-sis.tex (new file, 37 lines)
View File

@ -0,0 +1,37 @@
\medskip
\hfill
\begin{minipage}[t]{.45\textwidth}
\textbf{$\LWE_{n,q,\chi}$ problem:}\\Given $m \geq 1$, \\[.5em]
$\left(
\begin{tikzpicture}
\tikzstyle{matA}=[fill=blue!10]
\tikzstyle{vecS}=[color=red!70!black]
\tikzstyle{vecE}=[color=orange!70!black]
\path[use as bounding box] (-2.1, .5) rectangle (2.4, 1.8);
\draw[matA, xshift=-2cm, yshift=.5cm] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
\node at (-.2, .75) {$,$};
\draw[matA] (0,0) rectangle node {$\mathbf{A}^T_{}$} (1,1.5);
\draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf s$} ++(0, -1);
\node at (1.8, .75) {$+$};
\draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf e$} ++ (0, -1.5);
\end{tikzpicture}
\right)$\\[.5em]
$\in \Zq^{n \times m} \times \Zq^{m}$,
find $\textcolor{red!70!black}{\mathbf{s}} \in \Zq^n.$
\end{minipage} \hfill
\begin{minipage}[t]{.4\textwidth}
\textbf{$\SIS_{n,m,q,\beta}$ problem:}\\Given\\[.5em]
$\tikz[baseline=.3cm]{ \draw[fill=blue!10] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); } \in \Zq^{n \times m},$
find $\textcolor{red!70!black}{\mathbf x} \in \ZZ^m_{}$ such that\\[.5em]
$\begin{tikzpicture}[baseline=.25cm]
\tikzstyle{matA}=[fill=blue!10]
\tikzstyle{vecX}=[color=red!70!black]
\draw[matA] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
\draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf x$} ++ (0, -1.5);
\node at (2.4, .25) {$=$};
\draw[|-|] (2.8, 1) -- node[right] {$\mathbf 0^n$} ++ (0, -1);
\end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf x}\| \leq \beta$.
\end{minipage}
\hfill
\medskip
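Review bot: the left panel illustrates search-LWE (`find $\textcolor{red!70!black}{\mathbf{s}} \in \Zq^n.$`), but the definition it is attached to in sec-lattices is the decision version ("asks to distinguish $m$ samples ... and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$"); either draw the distinguishing task or say in the caption that the search variant is pictured. In the SIS panel the equality `$\mathbf A \mathbf x = \mathbf 0^n$` holds modulo $q$, which is worth writing (`$= \mathbf 0^n \bmod q$`) since $\mathbf x$ lives in $\ZZ^m$. Style: `\tikzstyle` is deprecated; `\tikzset{matA/.style={fill=blue!10}}` (and likewise for `vecS`, `vecE`, `vecX`) is the supported form.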

frtoc.tex (new file, 11 lines)
View File

@ -0,0 +1,11 @@
\makeatletter
\newcommand\frenchtableofcontents{%
\selectlanguage{french}%
\chapter*{\contentsname
\@mkboth{%
\MakeUppercase\contentsname}{\MakeUppercase\contentsname}}%
\@starttoc{tof}%
\addcontentsline{tof}{chapter}{\contentsname}
\selectlanguage{english}%
}
\makeatother
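Review bot: `\addcontentsline{tof}{chapter}{\contentsname}` is issued after `\@starttoc{tof}` has typeset the whole French table, so the page it records is the last page of that table, not its first; either move it before `\@starttoc{tof}` (right after the `\chapter*`, as done for `Résumé`) or drop it, given that the English `\tableofcontents` does not list itself. Ending with a hard-coded `\selectlanguage{english}` also assumes the outer language; wrapping the body in `\begin{otherlanguage}{french}` ... `\end{otherlanguage}` restores whatever was active. Minor: book.cls's `\tableofcontents` additionally guards `\if@twocolumn`; harmless here for a one-column document, and a trailing `%` after the `\addcontentsline` line avoids a stray space token in the macro body.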

View File

@ -75,9 +75,9 @@ Devant le jury composé de :
%\bigskip %\bigskip
\textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology \hfill Rapporteure \textsc{Agrawal} Shweta, Professeure, Indian Institute of Technology (Madras, Inde) \hfill Rapporteur
Nom Prénom, grade/qualité, établissement/entreprise \hfill Rapporteur \textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur
Nom Prénom, grade/qualité, établissement/entreprise \hfill Examinateur Nom Prénom, grade/qualité, établissement/entreprise \hfill Examinateur
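Review bot: changing `Rapporteure` to `Rapporteur` on Shweta Agrawal's line drops the feminine form, which is the correct one here; keep `Rapporteure` (the affiliation addition is fine).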

View File

@ -17,6 +17,11 @@
\newcommand{\NIZK}{\textsf{NIZK}\xspace} \newcommand{\NIZK}{\textsf{NIZK}\xspace}
\newcommand{\PKE}{\textsf{PKE}\xspace} \newcommand{\PKE}{\textsf{PKE}\xspace}
\newcommand{\OT}{\textsf{OT}\xspace} \newcommand{\OT}{\textsf{OT}\xspace}
%% ZK
\newcommand{\trans}{\textsf{trans}\xspace}
\newcommand{\cmt}{\textsf{cmt}\xspace}
\newcommand{\chall}{\textsf{chall}\xspace}
\newcommand{\rsp}{\textsf{response}\xspace}
% Assumptions/Problems % Assumptions/Problems
%% Pairings %% Pairings
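Review bot: `\rsp` renders as the full word `response` while `\cmt` and `\chall` render as abbreviations; pick one convention (e.g. `\textsf{rsp}`), which also keeps the labels on the 2cm arrows in fig:sigma uniform.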

View File

@ -35,7 +35,7 @@
\setlength{\parskip}{5pt} \setlength{\parskip}{5pt}
\usepackage{enumerate} \usepackage{enumerate}
\usepackage{amsmath, amssymb, mathrsfs} \usepackage{amsmath, amssymb, mathrsfs, mathtools}
\usepackage{amsthm} % For theorem style \usepackage{amsthm} % For theorem style
\usepackage{thmtools} \usepackage{thmtools}
\usepackage{thm-restate} \usepackage{thm-restate}
@ -54,6 +54,7 @@
\usepackage{pdfpages} \usepackage{pdfpages}
\usepackage{xspace} \usepackage{xspace}
\input frtoc
\input macros \input macros
\title{Privacy-preserving cryptography from pairings and lattices} \title{Privacy-preserving cryptography from pairings and lattices}
@ -78,6 +79,8 @@
\input acknowledgements \input acknowledgements
\cleardoublepage
\frenchtableofcontents
\cleardoublepage \cleardoublepage
\tableofcontents \tableofcontents
@ -88,6 +91,9 @@
\input chap-introduction \input chap-introduction
\part{Background} \part{Background}
\label{pa:background}
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Préliminaires}
\input chap-proofs \input chap-proofs
\input chap-structures \input chap-structures
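Review bot: the `tof` entry is written after `\part{Background}` has already ejected the part page (`\@endpart` ends with `\newpage`), so `\thepage` in it resolves to the first page of the next chapter, whereas the English `toc` entry written inside `\@part` carries the part page; the two tables will disagree. Either emit the French line before the part with an explicit break, `\cleardoublepage` / `\addcontentsline{tof}{part}{\protect\numberline{\thepart} Préliminaires}` / `\part{Background}` (the `\cleardoublepage` inside `\part` then does nothing, so both entries record the same page; note `\thepart` would need to be stepped first, e.g. via `\refstepcounter` or by reading it from the following `\part`), or patch `\@part` to write the `tof` line next to the `toc` line, which avoids the counter issue altogether.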
@ -96,12 +102,14 @@
\part{Group Signatures and Anonymous Credentials} \part{Group Signatures and Anonymous Credentials}
\label{pa:gs-ac} \label{pa:gs-ac}
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}
\input chap-sigmasig \input chap-sigmasig
\input chap-GS-LWE \input chap-GS-LWE
\part{Group Encryption and Adaptive Oblivious Transfer} \part{Group Encryption and Adaptive Oblivious Transfer}
\addcontentsline{tof}{part}{\protect\numberline{\thepart} Chiffrement de groupe et transfert inconscient adaptatif}
\input chap-GE-LWE \input chap-GE-LWE
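Review bot: same page-number offset as for the Background part: both `\addcontentsline{tof}{part}{...}` lines sit after `\part`, so they record the first chapter's page rather than the part page; apply whichever fix is chosen there (hooking `\@part` is the cleanest, since it also keeps `\thepart` correct).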
@ -111,8 +119,11 @@
\bibliographystyle{alphaabbr} \bibliographystyle{alphaabbr}
\bibliography{these.bib} \bibliography{these.bib}
\addcontentsline{tof}{part}{Bibliographie}
\printindex \printindex
\addcontentsline{tof}{part}{Index en anglais}
\backmatter \backmatter
\listoffigures \listoffigures
\addcontentsline{tof}{part}{Liste des figures}
\end{document} \end{document}
% vim: spl=en % vim: spl=en
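Review bot: these three `tof` entries are written after `\bibliography`, `\printindex` and `\listoffigures` have finished, so each records the last page of the bibliography, index or list of figures instead of its first page. Put them before the command, after a page break: `\cleardoublepage` / `\addcontentsline{tof}{part}{Bibliographie}` / `\bibliography{these.bib}`, and likewise for the index and the list of figures; also keep the level (`part`) equal to whatever the English `toc` uses for these entries so the two tables stay parallel.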

View File

@ -14,6 +14,7 @@ This gives us a good confidence in the lattice-based assumptions (given the \emp
\subsection{Lattices and Hard Lattice Problems} \subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems} \label{sse:lattice-problems}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Réseaux euclidiens et problèmes difficiles}
\begin{figure} \begin{figure}
\centering \centering
@ -57,7 +58,7 @@ In order to work with lattices in cryptography, hard lattice problems have to be
This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later.
These links are important as those are ``worst-case to average-case'' reductions. These links are important as those are ``worst-case to average-case'' reductions.
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs.
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes. On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).
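Review bot: `In other words` does not restate the preceding sentence (that the links are worst-case to average-case reductions); it introduces a consequence, so `Indeed` or `The point is that` reads better, and "not very handy to manipulate" could simply be "not convenient".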
@ -74,7 +75,7 @@ This leads us to the $\SIVP$ problem, which is finding a set of sufficiently sho
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$. For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
\end{definition} \end{definition}
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting. As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}.
In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard. In other words, it means that no polynomial time algorithms can solve those problems with non-negligible probability and non-negligible advantage given that $\SIVP$ is hard.
%As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively. %As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
@ -93,6 +94,13 @@ For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribut
The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition} \end{definition}
\begin{figure}
\centering
\input fig-lwe-sis
\caption{Illustration of the LWE and SIS problems.}
\label{fig:lwe-sis}
\end{figure}
If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}). If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficient sampleable $B$-bounded distribution~$\chi$ ({i.e.}, $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is as least as hard as $\mathsf{SIVP}_{\gamma}$ (see, e.g., \cite{Reg05,Pei09,BLP+13}).
% (see~\cite{Pei09,BLPRS13} for classical analogues). % (see~\cite{Pei09,BLPRS13} for classical analogues).
@ -101,17 +109,18 @@ If $q$ is a prime power, $B \geq \sqrt{n}\omega(\log n)$, $\gamma= \widetilde{\m
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Lattice Trapdoors} \subsection{Lattice Trapdoors}
\label{sse:lattice-trapdoors} \label{sse:lattice-trapdoors}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Trappes d'un réseau euclidien}
In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''. In this section, we state the different algorithms that use ``\textit{lattice trapdoors}''.
A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice. A trapdoor for lattice $\Lambda$ is a \textit{short} basis of this lattice.
The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}. The knowledge of such a basis allows to sample elements in $D_{\Lambda, \sigma}$ within some restrictions given in~\cref{le:GPV}.
The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time. The existence of this sampler permits to solve hard lattice problems such as $\SIS$, which is assumed to be intractable in polynomial time.
Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$. Indeed,~\cref{le:TrapGen} shows that it is possible to sample a (statistically close to) uniform matrix $\mathbf{A} \in \ZZ_q^{n \times m}$ along with a short basis for $\Lambda^\perp_{q}(\mathbf{A})$.
Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$. Thus, a vector sampled in $D_{\Lambda^\perp_{q}(\mathbf{A}), \sigma}$, which is short with overwhelming probabilities according to~\cref{le:small}, is a solution to $\SIS_{n,m,q,\sigma \sqrt{n}}$.
Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice. Gentry {\em et al.}~\cite{GPV08} showed that Gaussian distributions with lattice support can be sampled efficiently given a sufficiently short basis of the lattice.
\scbf{Notation.} Given a matrix $\mathbf{A}$, let $\widetilde{\mathbf{A}}$ be the Gram-Schmidt orthogonalization of $\mathbf{A}$. \scbf{Recall.} Given a matrix $\mathbf{A}$, $\widetilde{\mathbf{A}}$ denotes the Gram-Schmidt orthogonalization of $\mathbf{A}$.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV} \label{le:GPV}

View File

@ -43,8 +43,8 @@ In the aforementioned chapter, we also rely on the following assumption, which g
\begin{definition}[$\SDL$] \begin{definition}[$\SDL$]
\label{de:SDL} \index{Pairings!SDL} \label{de:SDL} \index{Pairings!SDL}
In bilinear groups $(\GG,\Gh,\GT^{})$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given
$(g,\hat{g},g^a,\hat{g}^a) \in \GG \times \Gh$ $\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{definition} \end{definition}

View File

@ -1,11 +1,15 @@
\chapter*{List of Symbols} \chapter*{List of Symbols}
\addcontentsline{toc}{chapter}{List of Symbols} \addcontentsline{toc}{chapter}{List of Symbols}
\addcontentsline{tof}{chapter}{Liste des symboles et abréviations}
\begin{tabular}{ll} \begin{tabular}{ll}
\multicolumn{2}{l}{\scbf{General Notations}} \\ \multicolumn{2}{l}{\scbf{General Notations}} \\
TM & Turing Machine \\ TM & Turing Machine \\
$\ppt$ & Probabilistic Polynomial Time \\ $\ppt$ & Probabilistic Polynomial Time \\
$\epsilon$ & empty word \\ $\epsilon$ & empty word \\
$\mathbf A$ & bold uppercase letters represent matrices\\
$\mathbf b$ & bold lowercase letters represent vectors\\
$\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\
[1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\ [1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\
$\PKE$ & Public Key Encryption \\ $\PKE$ & Public Key Encryption \\
$\ZK$ & Zero-Knowledge \\ $\ZK$ & Zero-Knowledge \\

View File

@ -2449,4 +2449,12 @@
publisher = {Springer}, publisher = {Springer},
} }
@InProceedings{Blu86,
author = {Blum, Manuel},
title = {How to prove a theorem so no one else can claim it},
booktitle = {International Congress of Mathematicians},
year = {1986},
pages = {1444--1451},
}
@Comment{jabref-meta: databaseType:bibtex;} @Comment{jabref-meta: databaseType:bibtex;}
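Review bot: `Blu86` is added to the database but nothing in this commit cites it; the zero-knowledge chapter cites only GMR85 and FS86. Either cite it where the $\Sigma$-protocol idea is introduced or leave the entry out until it is used; if kept, `booktitle` is usually given as `Proceedings of the International Congress of Mathematicians`.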