Update
This commit is contained in:
parent
26a0198913
commit
413cfa5bc4
11
chap-ZK.tex
11
chap-ZK.tex
@ -1,13 +1,15 @@
|
|||||||
\chapter{Zero-Knowledge Arguments}
|
\chapter{Zero-Knowledge Arguments}
|
||||||
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
|
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
|
||||||
|
|
||||||
A \textit{zero-knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover has the insurance that the verifier does not learn anything more that the authenticity of the statement.
|
A \textit{Zero-Knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover is guaranteed that the verifier learns nothing more that the authenticity of the statement.
|
||||||
|
|
||||||
One of the early applications of ZK proofs in cryptography was for identification systems~\cite{FS86}.
|
One of the early applications of \ZK proofs in cryptography is for identification systems~\cite{FS86}.
|
||||||
The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
|
The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
|
||||||
Since then, the use of zero-knowledge proofs is now widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
|
Since then, the use of zero-knowledge proofs is now widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
|
||||||
|
|
||||||
If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world. In this section, we focus on presenting the different proofs systems in pairing and lattice-based cryptography.
|
If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world.
|
||||||
|
|
||||||
|
In this section, we first present the general principles and basic tools to handle \ZK proofs. Then we will describe two families of \ZK proofs that may prove useful in the context of pairing and lattice-based cryptography. Namely, the Schnorr-like proofs and the Stern-like proofs.
|
||||||
|
|
||||||
\section{Definitions}
|
\section{Definitions}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
|
||||||
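Review bot: the typo "learns nothing more that the authenticity of the statement" survives the rewrite of the opening paragraph on the right-hand side; "that" should be "than". The new closing paragraph ends in a fragment, "Namely, the Schnorr-like proofs and the Stern-like proofs.", which should be attached to the preceding sentence, e.g. "... in the context of pairing and lattice-based cryptography, namely Schnorr-like proofs and Stern-like proofs." Also, the new `\ZK` macro is used in "One of the early applications of \ZK proofs" while the next paragraph still spells out "zero-knowledge proofs"; pick one form for the whole chapter.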
@ -25,7 +27,7 @@ If these primitives flourish in the context of number-theory-based cryptography
|
|||||||
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
|
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
|
||||||
where $s$ is called the \textit{soundness error}.
|
where $s$ is called the \textit{soundness error}.
|
||||||
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
|
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
|
||||||
There exists a $\ppt$ simulator $S$ such that for all $\ppt$ algorithm $V^\star$,
|
There exists a $\ppt$ simulator $S$ such that for all (possibly cheating) $\ppt$ verifier $V^\star$,
|
||||||
$\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
|
$\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
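Review bot: the soundness condition in this hunk's context, `$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$`, is written against $V^\star$, but soundness is a guarantee for the honest verifier against a cheating prover, so the right-hand party should be $V(x)$; the new wording "for all (possibly cheating) $\ppt$ verifier $V^\star$" is correct for the zero-knowledge property and makes the mismatch with the soundness line more visible. Minor: "for all ... verifier" should be plural, "for all (possibly cheating) $\ppt$ verifiers $V^\star$".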
@ -187,6 +189,7 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model,
|
|||||||
\caption{The Schnorr $\Sigma$-protocol for discrete logarithm.}
|
\caption{The Schnorr $\Sigma$-protocol for discrete logarithm.}
|
||||||
\label{fig:schnorr-dlog}
|
\label{fig:schnorr-dlog}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
|
\index{Zero Knowledge!Schnorr's protocol}
|
||||||
|
|
||||||
Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
|
Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
|
||||||
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
|
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
|
||||||
|
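Review bot: the new index key "Zero Knowledge!Schnorr's protocol" spells the top-level entry without the hyphen used by the chapter title "Zero-Knowledge Arguments" and by the `\item[Zero-Knowledge.]` definition; if other entries use the hyphenated form the index will be split across two headings, so use one spelling everywhere. In the unchanged context of this hunk, "which can bee seen at the relation" should read "which can be seen as the relation", and "with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$" should read "where $\GG = \langle g \rangle$ is a cyclic group of prime order $p$" ($p \geq 2$ is implied by primality).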
@ -14,7 +14,7 @@ An example is the multiplicative homomorphism of the ElGamal cryptosystem which
|
|||||||
%Then, the cyclic group structure of $\GG$ leads to the ability to compute a valid ciphertext for $M \cdot M'$ given ciphertexts $(c_1^{}, c_2^{})$ and $(c'_1, c'_2)$ of $M$ and $M'_{}$ respectively.
|
%Then, the cyclic group structure of $\GG$ leads to the ability to compute a valid ciphertext for $M \cdot M'$ given ciphertexts $(c_1^{}, c_2^{})$ and $(c'_1, c'_2)$ of $M$ and $M'_{}$ respectively.
|
||||||
%The resulting ciphertext is $(c_1^{} \cdot c'_1, c_2^{} \cdot c'_2) = (g^{r \cdot r'_{}}, M \cdot M' \cdot h^{r \cdot r'_{}})$
|
%The resulting ciphertext is $(c_1^{} \cdot c'_1, c_2^{} \cdot c'_2) = (g^{r \cdot r'_{}}, M \cdot M' \cdot h^{r \cdot r'_{}})$
|
||||||
|
|
||||||
In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices.
|
In this chapter, we describe the different structures on which the cryptography primitives we design in this thesis are based on, namely bilinear groups and lattices, as well as related hardness assumptions.
|
||||||
|
|
||||||
\section{Pairing-Based Cryptography}
|
\section{Pairing-Based Cryptography}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage}
|
||||||
|
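Review bot: the commented-out ElGamal line in this hunk's context has the wrong exponent: the product of ciphertexts $(g^{r}, M h^{r})$ and $(g^{r'}, M' h^{r'})$ is $(g^{r + r'}, M \cdot M' \cdot h^{r + r'})$, not $g^{r \cdot r'}$; if the comment is kept for later reuse it should be fixed now rather than resurfacing wrong. In the edited sentence, "the different structures on which the cryptography primitives we design in this thesis are based on" has a redundant "on" and should read "the different structures on which the cryptographic primitives we design in this thesis are based, namely bilinear groups and lattices, as well as the related hardness assumptions."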
@ -7,8 +7,8 @@ For example, on the first round of the NIST post-quantum competition, there are
|
|||||||
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography.
|
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography.
|
||||||
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
|
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
|
||||||
|
|
||||||
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
|
In the context of provable security, lattice assumptions benefit from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
|
||||||
Concurrently, worst-case lattice problems have been extensively analysed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
|
Concurrently, worst-case lattice problems have been extensively analyzed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
|
||||||
|
|
||||||
This gives us a good confidence in the lattice-based assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning with Errors ($\LWE$) and Short Integer Solutions ($\SIS$) that are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful algorithms that relies on \emph{lattice trapdoors}.
|
This gives us a good confidence in the lattice-based assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning with Errors ($\LWE$) and Short Integer Solutions ($\SIS$) that are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful algorithms that relies on \emph{lattice trapdoors}.
|
||||||
|
|
||||||
|
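Review bot: the "benefits" → "benefit" fix is right, but the same subject-verb problem remains two lines earlier in the context: "fully homomorphic encryption ... are only possible" should be "is only possible", and in the last paragraph "some useful algorithms that relies on" should be "that rely on". Also "in order to provide beyond encryption and signature cryptography" is hard to parse; suggest "in order to provide primitives beyond encryption and signatures".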
@ -7,7 +7,7 @@ Since then, many constructions have been proposed for cryptographic construction
|
|||||||
Multiple constructions and parameter sets coexist for pairings.
|
Multiple constructions and parameter sets coexist for pairings.
|
||||||
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
|
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
|
||||||
|
|
||||||
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of classical assumptions over pairings, namely $\SXDH$ and $\SDL$.
|
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of classical constant-size assumptions over pairings, namely $\SXDH$ and $\SDL$.
|
||||||
|
|
||||||
|
|
||||||
%\subsection{Bilinear maps}
|
%\subsection{Bilinear maps}
|
||||||
|
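Review bot: "constant-size assumptions" is introduced in this hunk without being defined; since $\SXDH$ and $\SDL$ are the only assumptions named, say briefly what constant-size means here (as opposed to assumptions whose statement grows with a parameter), or drop the qualifier. In the unchanged context, "Real-world implementation are based on elliptic curves" should be "implementations are", and "recent advances in cryptanalysis makes it hard" should be "make it hard".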
@ -58,6 +58,7 @@ Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of
|
|||||||
|
|
||||||
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
|
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
|
||||||
|
|
||||||
|
\index{Lattices!Inhomogeneous \SIS}
|
||||||
To prove the knowledge of an \ISIS preimage, i.e.
|
To prove the knowledge of an \ISIS preimage, i.e.
|
||||||
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
|
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
|
||||||
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$.
|
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$.
|
||||||
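Review bot: the new entry `\index{Lattices!Inhomogeneous \SIS}` puts a macro in the sort key, which makeindex sorts by the expanded control sequence rather than by the word; use the explicit sort form `\index{Lattices!Inhomogeneous SIS@Inhomogeneous \SIS}` so the entry lands under "I". In the context of this hunk, the adjacent `~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16}` should be a single `\cite{LNSW13,LSS14,ELL+15,LLNW16}`, "This reduces to use \cref{le:zk-ktx}" should read "This reduces to using \cref{le:zk-ktx}", and "of known numbers of elements equal to $j$ for $j \in \nbit$" would be clearer as "with a known number of entries equal to $j$ for each $j \in \nbit$".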
@ -119,6 +120,7 @@ The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \t
|
|||||||
\caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
|
\caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
|
||||||
\label{fig:Interactive-Protocol}
|
\label{fig:Interactive-Protocol}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
|
\index{Zero Knowledge!Stern's protocol}
|
||||||
|
|
||||||
|
|
||||||
Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every element $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
|
Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every element $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
|
||||||
|
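Review bot: the figure this index entry follows is labelled `fig:Interactive-Protocol`, which is generic next to `fig:schnorr-dlog` in the Schnorr hunk; a name such as `fig:stern-abstract` would match the caption "Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$". In that caption, `$\mathrm{R_{abstract}}$` should be `$R_{\mathrm{abstract}}$` (or `$R_{\mathsf{abstract}}$` to match `$R_{\mathsf{dlog}}$` used for Schnorr) so that only the subscript is set upright. The hunk also leaves two consecutive blank lines after the new `\index` line; one is enough.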