Corrections in introduction

This commit is contained in:
Fabrice Mouhartem 2018-06-16 18:21:27 +02:00
parent 62ba512f18
commit 5df7a6aa93

View File

@ -1,49 +1,50 @@
In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public.
For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26).
As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}).
For instance, the Enigma machine had a design for military purposes, and another one for companies (Enigma A26).
As of today, about $60\%$ of the first million most visited websites propose encrypted and authenticated communications (via \texttt{https}), and so are most of the communications channels used by electronic devices (like \textit{Wifi Protected Access}).
At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently.
At the same time, the growth of exchanged data and the sensitivity of transferred information make the urge of procecting these data efficiently even more critical.
While we are reaching the Moore's law barrier, other threats exist against nowadays cryptosystems.
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic implementations, which mostly rely on number-theoretic assumptions.
In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant.
For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic designs, which mostly rely on number-theoretic assumptions.
In this context, it is crucial to design cryptographic schemes that are believed to be quantum-resistant.
To address this problem, \textit{post-quantum cryptography} arose in the early 2000s.
The different candidates relies on different mathematical objects, such as lattices, error-correcting codes or systems of multivariate polynomials.
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organised a competition to evaluates different post-quantum schemes for encryption and signatures~\cite{NIS17}.
In this competition, 82 protocols have been submitted out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left are categorized as ``other''.
The different candidates rely on several mathematical objects, such as lattices, error-correcting codes, systems of multivariate polynomials, etc.
Recently, the National Institute of Standards and Technology (or \textit{NIST}) organized a competition to evaluate different post-quantum schemes for encryption and signatures~\cite{NIS17}.
In this competition, 82 protocols have been proposed out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left were categorized as ``other''.
Though, real-world cryptography mainly aim at digital signatures and encryption schemes, as the NIST competition emphasize it.
Meanwhile, research in cryptology proposes different solutions to respond to more specific problems, such as designing electronic-cash system\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which is the digital analogue of real money that are delivered by an authority (the bank) and for which the use remains non-traceable by anyone.
Though, real-world cryptography mainly aims at designing digital signatures and encryption schemes, as illustrated by the NIST competition.
Meanwhile, ongoing research in cryptology proposes different solutions to address more specific problems, such as the design of electronic-cash systems\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which are the digital analogue of real money. Coins are delivered by a central authority (the bank) and spendings remain non-traceable. In case of misbehavior (such as double-spending), the identity of the cheater is revealed.
Such cryptographic constructions should moreover verifies some security requirements.
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary.
To guarantee these requirements, we also make security proofs. They mainly state that a cryptographic scheme is secure if some problems remain hard.
Cryptographic constructions should additionally verify some security requirements.
For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary who can alter some messages.
To guarantee these requirements, cryptographers make security proofs.
A proof mainly states that a given cryptographic scheme is secure if some problems remain hard.
At last but not least, the importance of privacy and data protection have been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is finally implemented since may 25$^\text{th}$.
Hence, it looks appealing to have privacy-preserving cryptographic constructions that would ideally resist to the eventuality of a quantum computer.
Nevertheless, the construction of such protocols mainly relies on ``zero-knowledge proofs'', which is a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement.
In the context of post-quantum cryptography, such proofs systems are still limited in power or costly to implement.
At last but not least, the importance of privacy and data protection has been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is implemented since may 25$^\text{th}$.
Hence, it looks appealing to have privacy-preserving cryptographic constructions which would ideally resist to the eventuality of a quantum computer.
Nevertheless, the design of such protocols crucially relies on ``zero-knowledge proofs''. These are a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement.
In the context of post-quantum cryptography, such proofs systems are still limited in power or costly in terms of time, memory and communication consumptions.
\section{Privacy-Preserving Cryptography}
\label{se:privacy-preserving-crypto}
In this context, privacy-preserving refers to the fact that a primitive should provide some functionality while holding sensitive information private.
In this context, `privacy-preserving' refers to the ability of a primitive to provide some functionalities while holding sensitive information private.
An example of such primitives are \textit{anonymous credentials}~\cite{Cha85,CL01}.
Informally, this primitive allows users to prove themselves to some verifiers without telling their identity, nor the pattern of their authentications.
To realize this, this system involves one (or more) credential issuer(s) and a set of users who have their own secret keys and pseudonyms that are bound to their secret.
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret key as well as a set of attributes.
Later on, users can let themselves know to verifiers under a different pseudonym and demonstrate possession of a certification from the issuer, without revealing neither the signature nor the secret key.
This primitive thus allow a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity.
This primitive thus allows a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity.
In addition, the system is guaranteed that users indeed possess a valid credential.
Interest in privacy-based cryptography dates from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}.
A reason for that could be the similarities between the intention of cryptography and the requirements of privacy protection.
Moreover, the works of cryptographers in this field may have direct impact in term of services that may be enabled in the real-world.
Indeed, having a practical anonymous credential scheme will enable its use for access control in a way that may limit security flaws.
Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security flaws~\cite{VP17}.
Interests in privacy-based cryptography date from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}.
A reason for that could be the similarities between the motivations of cryptography and the requirements of privacy protection.
Additionally, the cryptographers' work in this field may have direct consequences in term of services that could be developed in the real-world.
Indeed, having a practical anonymous credential scheme will enable its use for access controls in a way that may limit security flaws.
Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security holes~\cite{VP17}.
Similarly, \textit{advanced primitives} often involve simpler building blocks in their design.
The difference lies in that provable security gives a security guarantee together with the construction.
The difference lies in that provable security gives security guarantees together with the construction.
As explained before, these proofs make the security of a set of schemes to rely on hardness assumptions.
Thus, the security relies on the hardness of those assumptions, which are studied independently by cryptanalysts.
Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}.