Corrections in introduction
This commit is contained in:
parent
62ba512f18
commit
5df7a6aa93
@ -1,49 +1,50 @@
|
||||
In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public.
|
||||
For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26).
|
||||
As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}).
|
||||
For instance, the Enigma machine had a design for military purposes, and another one for companies (Enigma A26).
|
||||
As of today, about $60\%$ of the first million most visited websites propose encrypted and authenticated communications (via \texttt{https}), and so are most of the communications channels used by electronic devices (like \textit{Wifi Protected Access}).
|
||||
|
||||
At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently.
|
||||
At the same time, the growth of exchanged data and the sensitivity of transferred information make the urge of procecting these data efficiently even more critical.
|
||||
While we are reaching the Moore's law barrier, other threats exist against nowadays cryptosystems.
|
||||
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic implementations, which mostly rely on number-theoretic assumptions.
|
||||
In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant.
|
||||
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic designs, which mostly rely on number-theoretic assumptions.
|
||||
In this context, it is crucial to design cryptographic schemes that are believed to be quantum-resistant.
|
||||
|
||||
To address this problem, \textit{post-quantum cryptography} arose in the early 2000s.
|
||||
The different candidates relies on different mathematical objects, such as lattices, error-correcting codes or systems of multivariate polynomials.
|
||||
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organised a competition to evaluates different post-quantum schemes for encryption and signatures~\cite{NIS17}.
|
||||
In this competition, 82 protocols have been submitted out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left are categorized as ``other''.
|
||||
The different candidates rely on several mathematical objects, such as lattices, error-correcting codes, systems of multivariate polynomials, etc.
|
||||
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organized a competition to evaluate different post-quantum schemes for encryption and signatures~\cite{NIS17}.
|
||||
In this competition, 82 protocols have been proposed out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left were categorized as ``other''.
|
||||
|
||||
Though, real-world cryptography mainly aim at digital signatures and encryption schemes, as the NIST competition emphasize it.
|
||||
Meanwhile, research in cryptology proposes different solutions to respond to more specific problems, such as designing electronic-cash system\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which is the digital analogue of real money that are delivered by an authority (the bank) and for which the use remains non-traceable by anyone.
|
||||
Though, real-world cryptography mainly aims at designing digital signatures and encryption schemes, as illustrated by the NIST competition.
|
||||
Meanwhile, ongoing research in cryptology proposes different solutions to address more specific problems, such as the design of electronic-cash systems\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which are the digital analogue of real money. Coins are delivered by a central authority (the bank) and spendings remain non-traceable. In case of misbehavior (such as double-spending), the identity of the cheater is revealed.
|
||||
|
||||
Such cryptographic constructions should moreover verifies some security requirements.
|
||||
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary.
|
||||
To guarantee these requirements, we also make security proofs. They mainly state that a cryptographic scheme is secure if some problems remain hard.
|
||||
Cryptographic constructions should additionally verify some security requirements.
|
||||
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary who can alter some messages.
|
||||
To guarantee these requirements, cryptographers make security proofs.
|
||||
A proof mainly states that a given cryptographic scheme is secure if some problems remain hard.
|
||||
|
||||
At last but not least, the importance of privacy and data protection have been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is finally implemented since may 25$^\text{th}$.
|
||||
Hence, it looks appealing to have privacy-preserving cryptographic constructions that would ideally resist to the eventuality of a quantum computer.
|
||||
Nevertheless, the construction of such protocols mainly relies on ``zero-knowledge proofs'', which is a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement.
|
||||
In the context of post-quantum cryptography, such proofs systems are still limited in power or costly to implement.
|
||||
At last but not least, the importance of privacy and data protection has been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is implemented since may 25$^\text{th}$.
|
||||
Hence, it looks appealing to have privacy-preserving cryptographic constructions which would ideally resist to the eventuality of a quantum computer.
|
||||
Nevertheless, the design of such protocols crucially relies on ``zero-knowledge proofs''. These are a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement.
|
||||
In the context of post-quantum cryptography, such proofs systems are still limited in power or costly in terms of time, memory and communication consumptions.
|
||||
|
||||
\section{Privacy-Preserving Cryptography}
|
||||
\label{se:privacy-preserving-crypto}
|
||||
|
||||
In this context, privacy-preserving refers to the fact that a primitive should provide some functionality while holding sensitive information private.
|
||||
In this context, `privacy-preserving' refers to the ability of a primitive to provide some functionalities while holding sensitive information private.
|
||||
An example of such primitives are \textit{anonymous credentials}~\cite{Cha85,CL01}.
|
||||
Informally, this primitive allows users to prove themselves to some verifiers without telling their identity, nor the pattern of their authentications.
|
||||
To realize this, this system involves one (or more) credential issuer(s) and a set of users who have their own secret keys and pseudonyms that are bound to their secret.
|
||||
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret key as well as a set of attributes.
|
||||
Later on, users can let themselves know to verifiers under a different pseudonym and demonstrate possession of a certification from the issuer, without revealing neither the signature nor the secret key.
|
||||
This primitive thus allow a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity.
|
||||
This primitive thus allows a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity.
|
||||
In addition, the system is guaranteed that users indeed possess a valid credential.
|
||||
|
||||
Interest in privacy-based cryptography dates from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}.
|
||||
A reason for that could be the similarities between the intention of cryptography and the requirements of privacy protection.
|
||||
Moreover, the works of cryptographers in this field may have direct impact in term of services that may be enabled in the real-world.
|
||||
Indeed, having a practical anonymous credential scheme will enable its use for access control in a way that may limit security flaws.
|
||||
Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security flaws~\cite{VP17}.
|
||||
Interests in privacy-based cryptography date from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}.
|
||||
A reason for that could be the similarities between the motivations of cryptography and the requirements of privacy protection.
|
||||
Additionally, the cryptographers' work in this field may have direct consequences in term of services that could be developed in the real-world.
|
||||
Indeed, having a practical anonymous credential scheme will enable its use for access controls in a way that may limit security flaws.
|
||||
Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security holes~\cite{VP17}.
|
||||
|
||||
Similarly, \textit{advanced primitives} often involve simpler building blocks in their design.
|
||||
The difference lies in that provable security gives a security guarantee together with the construction.
|
||||
The difference lies in that provable security gives security guarantees together with the construction.
|
||||
As explained before, these proofs make the security of a set of schemes to rely on hardness assumptions.
|
||||
Thus, the security relies on the hardness of those assumptions, which are studied independently by cryptanalysts.
|
||||
Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}.
|
||||
|