From 44f65c6f6c5b9416de3e30a61c391fb1d368c754 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Sun, 19 Aug 2018 16:07:38 -0700 Subject: [PATCH] Corrections David --- abstract.tex | 6 +++--- acknowledgements.tex | 2 +- chap-ZK.tex | 2 +- chap-introduction.tex | 4 ++-- chap-proofs.tex | 4 ++-- chap-sigmasig.tex | 8 ++++---- main.tex | 2 +- sec-lattices.tex | 2 +- sec-pairings.tex | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/abstract.tex b/abstract.tex index 607570a..5309fdb 100644 --- a/abstract.tex +++ b/abstract.tex 
@@ -5,13 +5,13 @@ \begin{otherlanguage}{french} Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée. - Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissance et leurs applications. + Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulle de connaissance et leurs applications. Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité. - Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige. + Afin que les utilisateurs restent responsables de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige. Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transport en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transport ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident. Nous avons proposé deux constructions de ces signatures de groupe, prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens. Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens. - Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens. 
+ Finalement, ces travaux nous ont amenés à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens. Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern, qui reposait initialement sur la difficulté du problème du décodage de syndrome. \end{otherlanguage} \clearpage diff --git a/acknowledgements.tex b/acknowledgements.tex index b148bcd..3e3a964 100644 --- a/acknowledgements.tex +++ b/acknowledgements.tex @@ -3,7 +3,7 @@ \addcontentsline{toc}{chapter}{Remerciements} \addcontentsline{tof}{chapter}{Remerciements} -Merci. +I would like to thank \begin{otherlanguage}{french} \end{otherlanguage} diff --git a/chap-ZK.tex b/chap-ZK.tex index 82bc8df..9d95928 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex @@ -135,7 +135,7 @@ The former is, that once a message is committed, it is impossible to know what i \begin{definition}[Commitment schemes] \index{Commitment scheme} \label{de:commitment} - A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that act as follows: + A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Verify)$ that act as follows: \begin{description} \item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's common public parameters~$\param$. \item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$. The randomness $\rho$ used in the commitment is sometimes made explicit. diff --git a/chap-introduction.tex b/chap-introduction.tex index 2cd9a1f..7a574e1 100644 --- a/chap-introduction.tex +++ b/chap-introduction.tex 
@@ -58,7 +58,7 @@ The details of these two structures are given in~\cref{ch:structures}. \subsection{Zero-Knowledge Proofs} As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography. -They requires completeness, soundness and zero-knowledge properties. +They require completeness, soundness and zero-knowledge properties. Completeness captures the correctness of the protocol if everyone is honest. In the case of a dishonest prover, soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden. 
@@ -169,7 +169,7 @@ In order to keep user accountable for their actions, an opening authority is fur More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed and intended to some registered group member who will be able to decrypt; (2) The opening authority will be able to identify the receiver if necessary; (3) The plaintext satisfies certain properties, such as being a witness for some public relation, or the private key that underlies a given public key. In the model of Kiayias, Tsiounis and Yung~\cite{KTY07}, the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security definitions. -A natural application is to allow a firewall to filter incoming all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware. +A natural application is to allow a firewall to filter all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware. Furthermore, group encryption schemes are motivated by privacy applications such as anonymous trusted third parties, key recovery mechanisms or oblivious retriever storage system. In cloud storage services, group encryption enables privacy-preserving asynchronous transfers of encrypted datasets. Namely, it allows users to archive encrypted datasets on remote servers while convincing those servers that the data is indeed intended to some anonymous certified client who has a valid account to the storage provider. diff --git a/chap-proofs.tex b/chap-proofs.tex index 0d1970b..81e6ef6 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex 
@@ -104,7 +104,7 @@ Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf Until know, we mainly focus on the running time of the algorithms. In cryptology, it is also important to consider the success probability of algorithms: -an attack is successful if the probability that it succeed is noticeable. +an attack is successful if the probability that it succeeds is noticeable. \index{Landau notations} \begin{definition}[Landau notations] @@ -320,7 +320,7 @@ Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the R We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit). The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns via signature queries. -Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability. +Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and adds $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability. \index{Signatures!EU-CMA} For EU-CMA, the advantage of an adversary $\adv$ is defined as diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 52e2a32..35c29f2 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex 
@@ -18,7 +18,7 @@ To illustrate this multi-criteria quality evaluation, we can see that Camenisch Pointcheval and Sanders~\cite{PS18} improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations). We note that besides the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) A variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups. -Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting. +Due to this assumption, the groups that are used are inherently bigger and lead to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting. (2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} that unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication. In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well-studied assumption. 
@@ -299,7 +299,7 @@ The above signature scheme is existentially unforgeable under chosen-message att $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by \begin{multline*} \advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\ - < (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right). + < (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}}{\GG, \Gh}(\lambda) + \frac{1}{p} \right). \end{multline*} \end{proof} @@ -1401,9 +1401,9 @@ We stress that the proofs can be easily adapted to the case where the opening a & $\GG$ & $\Zp$ & bits & & & \\ \hline Ours & $7$ & $3$ & $2560$ bits& \textsf{SXDH} + \textsf{SDL} & Dynamic & CCA \\ \hline - Boneh-Boyen-Shacham & $3$ & $6$ & $2304$ bits & \textsf{SDH} + \textsf{DLIN} & Static & CPA \\ \hline + Boneh-Boyen-Shacham & $3$ & $6$ & $2304$ bits & $q$-\textsf{SDH} + \textsf{DLIN} & Static & CPA \\ \hline - Delerabl\'ee-Pointcheval & $4$ & $5$ & $2304$ bits & \textsf{SDH} + \textsf{XDH} & Dynamic & CCA \\ \hline + Delerabl\'ee-Pointcheval & $4$ & $5$ & $2304$ bits & $q$-\textsf{SDH} + \textsf{XDH} & Dynamic & CCA \\ \hline Bichsel {\em et al.} & $3$ & $2$ &$1280$ bits & \textsf{LRSW} + \textsf{SDL} & Dynamic & CCA- \\ \hline Pointcheval-Sanders & $2$ & $2$ & $1024$ bits & \textsf{LRSW} & Dynamic & CCA- \\ \hline diff --git a/main.tex b/main.tex index 4bf2b79..5d2ac8f 100644 --- a/main.tex +++ b/main.tex @@ -99,7 +99,7 @@ \input abstract -%\input acknowledgements +\input acknowledgements %\cleardoublepage %\frenchtableofcontents diff --git a/sec-lattices.tex b/sec-lattices.tex index 268afec..571ce15 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex 
@@ -44,7 +44,7 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$. The discrete Gaussian distribution of support~$\Lambda$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as - $D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$. + $D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$, where $\rho_{\sigma, \mathbf{c}}(\Lambda) \triangleq \sum_{\mathbf x \in \Lambda} \rho_{\sigma, \mathbf{c}}(\mathbf{x})$. We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$. \end{definition} diff --git a/sec-pairings.tex b/sec-pairings.tex index b4c5f78..59ee8f7 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex 
@@ -34,7 +34,7 @@ The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\ In \cref{ch:sigmasig}, the security of our group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption. Moreover, this assumption is static, meaning that the size of the assumption is independent of the number of queries made py the adversary or any feature (e.g., the maximal number of users) of the system, and is non-interactive, in the sense that it does not involve any oracle. -This gives us stronger confidente in the security of schemes proven under this kind of assumptions. +This gives us stronger confidence in the security of schemes proven under this kind of assumptions. For instance, Cheon gave an attack against the $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries). In \cref{ch:sigmasig}, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
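Review bot: in the acknowledgements.tex hunk, the replacement line `+I would like to thank` is an unfinished sentence, and it is followed by an empty `\begin{otherlanguage}{french} \end{otherlanguage}` block; since the main.tex hunk in this same patch turns `%\input acknowledgements` into `\input acknowledgements`, that placeholder will now be typeset in the document. Either finish the acknowledgements text in this commit or leave the `\input` line commented until the text is written.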
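Review bot: renaming the third algorithm of the commitment triple from `\Open` to `\Verify` in the chap-ZK.tex definition header needs a matching change in the third `\item` of the description list and in any later mention of $\Open$ in that chapter, none of which is visible in the hunk (only the `Setup` and `Commit` items are shown); please confirm those are updated and that a `\Verify` macro is defined. The unchanged `Commit` context line also reads `this algorithms outputs a commitment`, which should be `this algorithm outputs` and fits naturally in this correction pass.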
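Review bot: in the second chap-introduction.tex hunk, the unchanged context line `More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed and intended to some registered group member who will be able to decrypt` describes group encryption (a sender, a ciphertext, a decrypting receiver, an opening authority identifying the receiver), so `group signature scheme` there looks like it should be `group encryption scheme`; since this patch already edits the paragraph, it is the right place to fix it. The hunk header context `In order to keep user accountable` should likewise read `keep users accountable`.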
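Review bot: the first chap-proofs.tex hunk corrects `succeed` to `succeeds`, but the unchanged line two above it, `Until know, we mainly focus on the running time of the algorithms.`, carries the same kind of slip: `know` should be `now`, and `we have mainly focused` fits the sentence better than `we mainly focus`. In the second chap-proofs.tex hunk, the context line `security definitions for signature scheme are` should be `for signature schemes are`.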
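Review bot: the first chap-sigmasig.tex hunk fixes `leads` to `lead`, but the unchanged line just below still has `accross` (should be `across`), and `re-randomization of credentials accross distinct privacy-preserving authentication` reads better with `authentications` (or `authentication sessions`). The quoted term ``randomizable signature'' in the same line would also match the surrounding plural phrasing better as ``randomizable signatures''.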
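Review bot: `Putting the above altogether` in the unchanged context of the chap-sigmasig.tex proof hunk should read `Putting all of the above together`. The brace fix itself is right: the old line `\advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda)` passed `\mathrm{SXDH}{\GG, \Gh}` as a single first argument and left `\advantage` without its second one, whereas `\advantage{\mathrm{SXDH}}{\GG, \Gh}(\lambda)` matches the two-argument form used for `\advantage{\DDH}{\GG}(\lambda)` in the preceding lines. The bound also checks out: the left-hand side collects to $(Q+1)\cdot\advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda) + (Q+1)/p$, which is strictly below $(Q+2)\cdot(\advantage{\mathrm{SXDH}}{\GG,\Gh}(\lambda) + 1/p)$ as long as the SXDH advantage upper-bounds the DDH advantage in both groups, which is how SXDH is stated.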
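Review bot: adding the `$q$-` prefix to `\textsf{SDH}` in the Boneh-Boyen-Shacham and Delerabl\'ee-Pointcheval rows of the chap-sigmasig.tex table makes the assumption column consistent with the distinction between static and $q$-type assumptions drawn elsewhere in the thesis (the sec-pairings.tex hunk cites Cheon's attack on $q$-Strong Diffie-Hellman for exactly this reason). The `CCA-` entries in the Bichsel et al. and Pointcheval-Sanders rows are not explained in the visible rows, so please make sure the table caption or the surrounding text defines what the trailing minus denotes.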
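Review bot: the sec-pairings.tex hunk fixes `confidente`, but the unchanged context in the same paragraph still contains `queries made py the adversary` (should be `by`), `this kind of assumptions` (should be `this kind of assumption`), and `$q$-Strong Diffie-Hellmann` (the standard spelling is `Diffie-Hellman`); all three belong in this correction pass.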