Corrections David
parent
13474a1adb
commit
44f65c6f6c
@ -5,13 +5,13 @@
|
||||
|
||||
\begin{otherlanguage}{french}
|
||||
Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
|
||||
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissance et leurs applications.
|
||||
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulle de connaissance et leurs applications.
|
||||
Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité.
|
||||
Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige.
|
||||
Afin que les utilisateurs restent responsables de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige.
|
||||
Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transport en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transport ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.
|
||||
Nous avons proposé deux constructions de ces signatures de groupe, prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens.
|
||||
Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens.
|
||||
Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.
|
||||
Finalement, ces travaux nous ont amenés à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.
|
||||
Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern, qui reposait initialement sur la difficulté du problème du décodage de syndrome.
|
||||
\end{otherlanguage}
|
||||
\clearpage
|
||||
|
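Review bot: the three agreement fixes (nulle, responsables, amenés) are correct, but the unchanged sentence "sans révéler qui il est, et évitant ainsi que la société de transport ne le trace" still needs the gerund marker: "et en évitant ainsi que …". In the same line, "Un utilisateur qui rentre dans un bus" reads more naturally as "qui monte dans un bus".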
@ -3,7 +3,7 @@
|
||||
\addcontentsline{toc}{chapter}{Remerciements}
|
||||
\addcontentsline{tof}{chapter}{Remerciements}
|
||||
|
||||
Merci.
|
||||
I would like to thank
|
||||
|
||||
\begin{otherlanguage}{french}
|
||||
\end{otherlanguage}
|
||||
|
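Review bot: changing `\addcontentsline{toc}{chapter}{Remerciements}` to `{tof}` sends the entry to the list-of-figures auxiliary file instead of the table of contents; unless the class defines a `tof` contents file for the French front matter, this should stay `toc`. The replacement text "I would like to thank" is an unfinished sentence followed by an empty `\begin{otherlanguage}{french}` … `\end{otherlanguage}` block, so the file now compiles to a dangling stub; either finish it here or keep the `\input acknowledgements` line in main.tex commented out until the text exists.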
@ -135,7 +135,7 @@ The former is, that once a message is committed, it is impossible to know what i
|
||||
|
||||
\begin{definition}[Commitment schemes] \index{Commitment scheme}
|
||||
\label{de:commitment}
|
||||
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that act as follows:
|
||||
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Verify)$ that act as follows:
|
||||
\begin{description}
|
||||
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's common public parameters~$\param$.
|
||||
\item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$. The randomness $\rho$ used in the commitment is sometimes made explicit.
|
||||
|
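Review bot: renaming the third algorithm to `\Verify` in the tuple is only half the change: the `description` list shown here stops at the Commit item, so the third `\item` must be renamed to match `\Verify` and restated as a verification step (inputs `\param`, `\com`, `M`, `\open`; output accept/reject), otherwise the tuple and the list disagree. While here, the unchanged Commit item has "this algorithms outputs", which should be "this algorithm outputs".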
@ -58,7 +58,7 @@ The details of these two structures are given in~\cref{ch:structures}.
|
||||
\subsection{Zero-Knowledge Proofs}
|
||||
|
||||
As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography.
|
||||
They requires completeness, soundness and zero-knowledge properties.
|
||||
They require completeness, soundness and zero-knowledge properties.
|
||||
Completeness captures the correctness of the protocol if everyone is honest. In the case of a dishonest prover, soundness asks the probability that the verifier is convinced to be negligible.
|
||||
On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
|
||||
|
||||
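Review bot: the plural fix is right; two unchanged lines in this hunk still read awkwardly. "soundness asks the probability that the verifier is convinced to be negligible" would be clearer as "soundness requires that a dishonest prover convinces the verifier only with negligible probability", and "On the contrary" (which signals a contradiction) should be "Conversely".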
@ -169,7 +169,7 @@ In order to keep user accountable for their actions, an opening authority is fur
|
||||
More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed and intended to some registered group member who will be able to decrypt; (2) The opening authority will be able to identify the receiver if necessary; (3) The plaintext satisfies certain properties, such as being a witness for some public relation, or the private key that underlies a given public key.
|
||||
In the model of Kiayias, Tsiounis and Yung~\cite{KTY07}, the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security definitions.
|
||||
|
||||
A natural application is to allow a firewall to filter incoming all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.
|
||||
A natural application is to allow a firewall to filter all incoming encrypted emails except those intended for some certified organization members and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.
|
||||
Furthermore, group encryption schemes are motivated by privacy applications such as anonymous trusted third parties, key recovery mechanisms or oblivious retriever storage system.
|
||||
In cloud storage services, group encryption enables privacy-preserving asynchronous transfers of encrypted datasets.
|
||||
Namely, it allows users to archive encrypted datasets on remote servers while convincing those servers that the data is indeed intended to some anonymous certified client who has a valid account to the storage provider.
|
||||
|
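Review bot: the unchanged line "More formally, a group signature scheme is a primitive allowing the sender to generate publicly verifiable proofs that: (1) The ciphertext is well-formed …" describes group encryption (ciphertext, decryption, receiver), so "group signature scheme" should read "group encryption scheme". The context header also has "keep user accountable" for "keep users accountable". The "incoming all incoming" fix itself is fine.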
@ -104,7 +104,7 @@ Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf
|
||||
|
||||
Until know, we mainly focus on the running time of the algorithms.
|
||||
In cryptology, it is also important to consider the success probability of algorithms:
|
||||
an attack is successful if the probability that it succeed is noticeable.
|
||||
an attack is successful if the probability that it succeeds is noticeable.
|
||||
|
||||
\index{Landau notations}
|
||||
\begin{definition}[Landau notations]
|
||||
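Review bot: besides the "succeeds" fix, the leading context line "Until know, we mainly focus on the running time of the algorithms" should be "Until now, we have mainly focused on the running time of the algorithms".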
@ -320,7 +320,7 @@ Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the R
|
||||
We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit).
|
||||
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns via signature queries.
|
||||
|
||||
Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability.
|
||||
Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and adds $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability.
|
||||
|
||||
\index{Signatures!EU-CMA}
|
||||
For EU-CMA, the advantage of an adversary $\adv$ is defined as
|
||||
|
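Review bot: "security definitions for signature scheme" in the unchanged first line should be plural ("signature schemes"). Also, "The initialization of these sets" refers to several sets while only $\ensemble{sign}$ appears in this hunk; either name the other set(s) in the preceding text or write "this set".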
@ -18,7 +18,7 @@ To illustrate this multi-criteria quality evaluation, we can see that Camenisch
|
||||
Pointcheval and Sanders~\cite{PS18} improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
|
||||
|
||||
We note that besides the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) A variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
|
||||
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
|
||||
Due to this assumption, the groups that are used are inherently bigger and lead to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
|
||||
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} that unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
|
||||
|
||||
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well-studied assumption.
|
||||
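Review bot: "accross" in the unchanged last paragraph should be "across"; "does not support ``randomizable signature''" reads better as "randomizable signatures", and "distinct privacy-preserving authentication" needs the plural ("authentications") or a rewording such as "across distinct authentication sessions". The "lead" agreement fix is correct.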
@ -299,7 +299,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
|
||||
$\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by
|
||||
\begin{multline*}
|
||||
\advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\
|
||||
< (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right).
|
||||
< (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}}{\GG, \Gh}(\lambda) + \frac{1}{p} \right).
|
||||
\end{multline*}
|
||||
\end{proof}
|
||||
|
||||
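Review bot: the brace fix is correct: `\advantage` takes two arguments, as in `\advantage{\DDH}{\GG}(\lambda)` on the preceding line, so `\mathrm{SXDH}` must close before `{\GG, \Gh}`. The strict `<` holds because the `\frac{1}{p}` term appears $Q+1$ times on the left-hand side against $Q+2$ times on the right; a half-sentence saying so in the proof text would save the reader from looking for a missing term.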
@ -1401,9 +1401,9 @@ We stress that the proofs can be easily adapted to the case where the opening a
|
||||
& $\GG$ & $\Zp$ & bits & & &
|
||||
\\ \hline
|
||||
Ours & $7$ & $3$ & $2560$ bits& \textsf{SXDH} + \textsf{SDL} & Dynamic & CCA \\ \hline
|
||||
Boneh-Boyen-Shacham & $3$ & $6$ & $2304$ bits & \textsf{SDH} + \textsf{DLIN} & Static & CPA \\ \hline
|
||||
Boneh-Boyen-Shacham & $3$ & $6$ & $2304$ bits & $q$-\textsf{SDH} + \textsf{DLIN} & Static & CPA \\ \hline
|
||||
|
||||
Delerabl\'ee-Pointcheval & $4$ & $5$ & $2304$ bits & \textsf{SDH} + \textsf{XDH} & Dynamic & CCA \\ \hline
|
||||
Delerabl\'ee-Pointcheval & $4$ & $5$ & $2304$ bits & $q$-\textsf{SDH} + \textsf{XDH} & Dynamic & CCA \\ \hline
|
||||
Bichsel {\em et al.} & $3$ & $2$ &$1280$ bits & \textsf{LRSW} + \textsf{SDL} & Dynamic & CCA- \\ \hline
|
||||
Pointcheval-Sanders & $2$ & $2$ & $1024$ bits & \textsf{LRSW} & Dynamic & CCA- \\ \hline
|
||||
|
||||
|
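Review bot: with the assumption column now stating $q$-\textsf{SDH} for the Boneh-Boyen-Shacham and Delerabl\'ee-Pointcheval rows, the table matches the static versus $q$-type distinction the text draws. Two cosmetic points remain: the header row already labels the third column "bits", so the per-row suffix (`$2560$ bits`, `$2304$ bits`, …) is redundant, and `$2560$ bits&` in the Ours row lacks the space before `&` used in every other cell.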
2
main.tex
@ -99,7 +99,7 @@
|
||||
|
||||
\input abstract
|
||||
|
||||
%\input acknowledgements
|
||||
\input acknowledgements
|
||||
|
||||
%\cleardoublepage
|
||||
%\frenchtableofcontents
|
||||
|
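Review bot: uncommenting `\input acknowledgements` will typeset the acknowledgements file as it stands, which in this same commit is the single unfinished line "I would like to thank" plus an empty french block; keep the line commented until the text is written, or add a visible TODO so the stub is not left in a compiled draft. `%\cleardoublepage` stays commented, so the page break before the table of contents is still missing.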
@ -44,7 +44,7 @@ In the following, we work with $q$-ary lattices, for some prime number $q$, defi
|
||||
For a lattice~$\Lambda$, a vector $\mathbf{c} \in \RR^n$ and a real~$\sigma>0$, define the distribution function
|
||||
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) \triangleq \exp(-\pi\|\mathbf{x}- \mathbf{c} \|^2/\sigma^2)$.
|
||||
The discrete Gaussian distribution of support~$\Lambda$, parameter~$\sigma$ and center $\mathbf{c}$ is defined as
|
||||
$D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$.
|
||||
$D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(\Lambda)$ for any $\mathbf{y} \in \Lambda$, where $\rho_{\sigma, \mathbf{c}}(\Lambda) \triangleq \sum_{\mathbf x \in \Lambda} \rho_{\sigma, \mathbf{c}}(\mathbf{x})$.
|
||||
We denote by $D_{\Lambda,\sigma}(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
|
||||
\end{definition}
|
||||
|
||||
|
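Review bot: adding the definition of $\rho_{\sigma,\mathbf{c}}(\Lambda)$ is the right fix, since the normalisation in $D_{\Lambda,\sigma,\mathbf{c}}$ was undefined before. Two nits: the unchanged first line calls $\rho_{\sigma,\mathbf{c}}$ a "distribution function" although it is not normalised, so "Gaussian function" is the accurate name, and the new text writes `\mathbf x` where the rest of the definition uses `\mathbf{x}`.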
@ -34,7 +34,7 @@ The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\
|
||||
In \cref{ch:sigmasig}, the security of our group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
|
||||
Moreover, this assumption is static, meaning that the size of the assumption is independent of the number of queries made py the adversary or any feature (e.g., the maximal number of users) of the system, and is non-interactive, in the sense that it does not involve any oracle.
|
||||
|
||||
This gives us stronger confidente in the security of schemes proven under this kind of assumptions.
|
||||
This gives us stronger confidence in the security of schemes proven under this kind of assumptions.
|
||||
For instance, Cheon gave an attack against the $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
|
||||
|
||||
In \cref{ch:sigmasig}, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
|
||||
|
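Review bot: the "confidence" typo fix is good; the unchanged lines still contain "made py the adversary" (should be "by") and "Diffie-Hellmann" (should be "Diffie-Hellman"), and "this kind of assumptions" should be "this kind of assumption".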