Typos
This commit is contained in:
@ -13,7 +13,7 @@ Recently, the National Institute of Standards and Technology (or \textit{NIST})
|
||||
In this competition, 82 protocols have been proposed out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left were categorized as ``other''.
|
||||
|
||||
Though, real-world cryptography mainly aims at designing digital signatures and encryption schemes, as illustrated by the NIST competition.
|
||||
Meanwhile, ongoing research in cryptology proposes different solutions to address more specific problems, such as the design of electronic-cash systems\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which are the digital analogue of real money. Coins are delivered by a central authority (the bank) and spendings remain untraceable. In case of misbehavior (such as double-spending), the identity of the cheater is revealed.
|
||||
Meanwhile, ongoing research in cryptology proposes different solutions to address more specific problems, such as the design of electronic-cash systems\footnote{Which is not to be confused with cryptocurrency\ldots}~\cite{CFN88}, which are the digital analogue of real money. Coins are delivered by a central authority (the bank) and spendings remain untraceable. In case of misbehavior (such as double-spending), the identity of the cheater is revealed.
|
||||
|
||||
Cryptographic constructions should additionally verify some security requirements.
|
||||
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary who can alter some messages.
|
||||
@ -118,7 +118,7 @@ From an algebraic point of view, a lattice is a discrete subgroup of $\RR^n$,
|
||||
which leads to a simple additive structure.
|
||||
The core difference with number-theoretic cryptography, such as discrete-logarithm-based cryptography, is the existence of the geometrical structure of the lattice.
|
||||
From this geometry rises some problems that are believed to withstand quantum computers.
|
||||
Despite this apparently simple structure, some advanced primitives are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}.
|
||||
Despite this apparently simple structure, some advanced primitives are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,BV11,GSW13}.
|
||||
|
||||
The versatility of lattice-based cryptography is enabled by the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12}, as we explain in~\cref{sse:lattice-trapdoors}.
|
||||
Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without such a short basis.
|
||||
@ -126,7 +126,6 @@ Furthermore, knowing a short basis for the lattice $\{\mathbf{v} \in \ZZ^m \mid
|
||||
An application for this property is Boyen's signature scheme~\cite{Boy10}.
|
||||
In this scheme, a signature for message $m$ is a short vector in the orthogonal lattice of the matrix $\mathbf{A}_m = [\mathbf{A} \mid \mathbf{B}_m]$, where $\mathbf{B}_m$ is publicly computable.
|
||||
Hence, knowing a trapdoor for $\mathbf{A}$ makes the computation of this short vector possible, and the message is bound to the description of the lattice $\mathbf{A}_m$.
|
||||
Indeed, some extra care has to be taken to avoid multiplicative attacks.
|
||||
|
||||
Still, the use of lattice trapdoors comes at a price, as it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}.
|
||||
Given that we provide the first lattice-based construction for the scheme we present, we focused on designing provably-secure scheme under well-studied assumptions.
|
||||
@ -152,7 +151,7 @@ We can imagine a scenario where some burglars eavesdrop a specific car to know w
|
||||
|
||||
In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures that aims at efficiency while relying on simple assumptions.
|
||||
The resulting scheme shows competitive signature size with other schemes that rely on more ad-hoc assumptions, and its practicality is supported by an implementation.
|
||||
This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters an Moti Yung presented at AsiaCCS'16.
|
||||
This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters and Moti Yung presented at AsiaCCS'16.
|
||||
|
||||
\cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions.
|
||||
This has been made possible by adapting Stern-like proofs to properly interact with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}.
|
||||
@ -166,7 +165,7 @@ Group encryption schemes~\cite{KTY07} are the encryption analogue of group signa
|
||||
In this setting, a user is willing to send a message to a group member, while keeping the recipient of the message hidden inside the group.
|
||||
In order to keep user accountable for their actions, an opening authority is further empowered with some secret information allowing it to un-anonymize ciphertexts.
|
||||
|
||||
More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed and intended to some registered group member who will be able to decrypt; (2) The opening authority will be able to identify the receiver if necessary; (3) The plaintext satisfies certain properties, such as being a witness for some public relation, or the private key that underlies a given public key.
|
||||
More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed and intended to some registered group member who will be able to decrypt; (2) The opening authority will be able to identify the receiver if necessary; (3) The plaintext satisfies certain properties, such as being a witness for some public relation.
|
||||
In the model of Kiayias, Tsiounis and Yung~\cite{KTY07}, the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security definitions.
|
||||
|
||||
A natural application is to allow a firewall to filter all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.
|
||||
@ -188,7 +187,7 @@ This work have been presented at Asiacrypt'16~\cite{LLM+16a} and have been done
|
||||
|
||||
Oblivious transfer is a primitive coined by Rabin~\cite{Rab81} and later extended by Even, Goldreich and Lempel~\cite{EGL85}.
|
||||
It involves a server with a database of messages indexed from $1$ to $N$ and a receiver with a secret index $\rho \in \{1,\ldots,N\}$.
|
||||
The protocol allows the receiver to retrieve the $\rho$-th message from the receiver without letting him infer anything on his choice.
|
||||
The protocol allows the receiver to retrieve the $\rho$-th message from the database without letting it infer anything on his choice.
|
||||
Furthermore, the receiver only obtains the $\rho$-th message and learns nothing about the other messages.
|
||||
|
||||
In its adaptive flavor~\cite{NP99}, oblivious transfer allows the receiver to interact $k$ times with the server to obtain $k$ messages in such a way that, each request may depend on the previously retrieved messages.
|
||||
@ -201,7 +200,7 @@ In many sensitive databases (e.g., DNA samples or patients' medical history), ho
|
||||
It is thus crucial to protect the access to certain entries conditioned on the receiver holding suitable credentials delivered by authorities.
|
||||
At the same time, privacy protection requires that authorized users should be able to query database records while leaking as little as possible about their interests or activities.
|
||||
|
||||
This requirements is handled by endowing oblivious transfer with access control, as stated by Camenish, Dubovitskaya and Neven~\cite{CDN09}.
|
||||
These requirements are handled by endowing oblivious transfer with access control, as stated by Camenish, Dubovitskaya and Neven~\cite{CDN09}.
|
||||
In this variant, each database record is protected by a different access control policy.
|
||||
Based on their attributes, users can obtain credentials from pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes.
|
||||
During the transfer phase, the user demonstrates, in a zero-knowledge manner, possession of an attribute string compatible with the policy of a record in the database, as well as a credential for this attribute.
|
||||
|
||||
Reference in New Issue
Block a user