Corrections
- WI - overfull hbox - other stuff
@ -5,18 +5,18 @@
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.

In pairing-based cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements which exist for more than ten years.
In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
This work is also supported by an implementation in \texttt{C}.

Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.
The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.

In the way of doing it, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.

All these works are proven under strong security model within simple assumptions.
This made a breeding ground for new theoretical constructions, as well as going toward practicality.
All these works are proven under strong security models under simple assumptions.
This provides a breeding ground for new theoretical constructions.

\section*{Open Problems}

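Review bot: the rewritten lines keep the tense and idiom errors this pass was meant to catch. "assumptions ... which exist for more than ten years" needs the present perfect, "which have existed for more than ten years"; "well-understood" after "is" is predicative and takes no hyphen, so the old "well understood" was right; "On the road, improvements have been made" is no more idiomatic than "In the way of doing it", the phrase wanted is "Along the way"; "As of our signature with efficient protocols" should be "As for our signature"; and "proven under strong security models under simple assumptions" repeats "under", so "in strong security models under simple assumptions" reads better. Dropping "as well as going toward practicality" is fine, since the remaining clause said the same thing twice.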
@ -24,12 +24,12 @@ The path of providing new cryptographic primitives and proving them is dissemina
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.

\begin{question}
Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}

In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.

\subsection*{Zero-Knowledge Proofs}

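Review bot: the rewritten "As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy" no longer agrees with the sentence right before it, which still asks about "message-privacy"; "this index privacy" now has no antecedent, so either both sentences should say index privacy (if the leak is which index is queried) or both message privacy. That preceding sentence, "In other words, is it possible to avoid the use of smudging ... of~\cref{ch:ot-lwe}.", is a question and should end with "?". In the last rewritten line, "they wold leak" → "they would leak", and "they do not suffice" refers back to "finer analysis on GSW ciphertexts" (singular), so "this approach does not suffice ... because it would leak" is the consistent form.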
@ -39,10 +39,11 @@ Then, the main difficulty is to have zero-knowledge proofs compatible with the a
\end{question}

Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
This question remains open for more than $10$ years~\cite{KW18}.
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).

The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.

\begin{question}
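Review bot: "Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives" pairs a singular subject with a plural verb; write "A recent line of work ... but relies on". The added sentence "This question remains open for more than $10$ years~\cite{KW18}" needs "has remained open", and "$10$" in math mode is inconsistent with "more than ten years" spelled out earlier in this file. In the Stern paragraph, changing "so" to "thus" leaves "The choice of permutations ... is quite strict, and force the challenge space" with the same agreement error: "forces". The unchanged context line "the Stern-like proof system we work on in during this thesis" has a stray "in".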
@ -53,7 +54,7 @@ As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.

As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:

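Review bot: commenting the sentence out with "%" instead of deleting it leaves dead prose in the source; if the remark about average-case to worst-case transformations is worth keeping, fix it ("Even if these proof systems could be used after a transformation from average-case to worst-case problems, this methodology would be highly inefficient and would not close the question"), otherwise drop the line. The first context line, "If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid ...", uses "If" for a contrast and should open with "While" or "Although".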
@ -61,12 +62,12 @@ Thus, a natural question may be:
\subsection*{Cryptographic Constructions}

\begin{question}
Does a trapdoor-free (H)IBE exists?
Does an efficient trapdoor-free (H)IBE exists?
\end{question}

For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.

\begin{question}
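Review bot: "Does an efficient trapdoor-free (H)IBE exists?" keeps the agreement error of the old line; after "Does" the verb is "exist". Below it, "To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme." is still a sentence fragment; attach it to the previous sentence with a colon ("trapdoors are used in two places: to obtain a public key encryption scheme secure under adaptive chosen-ciphertext attacks, and for the signature scheme"). Also "into a \textsf{IND-CCA2} \PKE" needs "an", "implied from" should be "implied by", and "even the question of having a trapdoorless ... still remains an open question" says "question" twice.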
@ -75,6 +76,6 @@ Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public ke

Our work during this thesis also focuses on the security proofs of cryptographic schemes.
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.
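Review bot: the three citations added after "tight security" (LJYP14, LPJY15, LSSS17) are appended to a sentence that says nothing about what they contribute; a short clause stating what these works tighten, or which schemes they concern, would make the extra references informative rather than decorative. The context line "Our work during this thesis also focuses on the security proofs" is in the present tense while the rest of the conclusion ("we presented", "we proposed") is in the past; "has also focused" keeps the paragraph consistent.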