Corrections in introduction
		| @@ -1,49 +1,50 @@ | ||||
| In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public. | ||||
| For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26). | ||||
| As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}). | ||||
| For instance, the Enigma machine had a design for military purposes, and another one for companies (Enigma A26). | ||||
| As of today, about $60\%$ of the first million most visited websites propose encrypted and authenticated communications (via \texttt{https}), and so are most of the communications channels used by electronic devices (like \textit{Wifi Protected Access}). | ||||
|  | ||||
| At the same time, the growth of exchanged data and the sensitivity of this information make it more and more important to protect these data efficiently. | ||||
| At the same time, the growth of exchanged data and the sensitivity of transferred information make the urge of procecting these data efficiently even more critical. | ||||
| While we are reaching the Moore's law barrier, other threats exist against nowadays cryptosystems. | ||||
| For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic implementations, which mostly rely on number-theoretic assumptions. | ||||
| In this context, it becomes important to design cryptographic schemes that are believed to be quantum-resistant. | ||||
| For instance, the existence of a quantum computer with sufficient memory~\cite{Sho99} would break most of real-world cryptographic designs, which mostly rely on number-theoretic assumptions. | ||||
| In this context, it is crucial to design cryptographic schemes that are believed to be quantum-resistant. | ||||
|  | ||||
| To address this problem, \textit{post-quantum cryptography} arose in the early 2000s. | ||||
| The different candidates relies on different mathematical objects, such as lattices, error-correcting codes or systems of multivariate polynomials. | ||||
| Recently, the National Institute of Standards and Technology (or \textit{NIST}) organised a competition to evaluates different post-quantum schemes for encryption and signatures~\cite{NIS17}. | ||||
| In this competition, 82 protocols have been submitted out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left are categorized as ``other''. | ||||
| The different candidates rely on several mathematical objects, such as lattices, error-correcting codes, systems of multivariate polynomials, etc. | ||||
| Recently, the National Institute of Standards and Technology (or \textit{NIST}) organized a competition to evaluate different post-quantum schemes for encryption and signatures~\cite{NIS17}. | ||||
| In this competition, 82 protocols have been proposed out of which: 28 were lattice-based, 24 were code-based, 13 were multi-variate based, 4 were hash-based and the 13 left were categorized as ``other''. | ||||
|  | ||||
| Though, real-world cryptography mainly aim at digital signatures and encryption schemes, as the NIST competition emphasize it. | ||||
| Meanwhile, research in cryptology proposes different solutions to respond to more specific problems, such as designing electronic-cash system\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which is the digital analogue of real money that are delivered by an authority (the bank) and for which the use remains non-traceable by anyone. | ||||
| Though, real-world cryptography mainly aims at designing digital signatures and encryption schemes, as illustrated by the NIST competition.  | ||||
| Meanwhile, ongoing research in cryptology proposes different solutions to address more specific problems, such as the design of electronic-cash systems\footnote{Which is not to be confuse with cryptocurrency\ldots}~\cite{CFN88}, which are the digital analogue of real money. Coins are delivered by a central authority (the bank) and spendings remain non-traceable. In case of misbehavior (such as double-spending), the identity of the cheater is revealed. | ||||
|  | ||||
| Such cryptographic constructions should moreover verifies some security requirements. | ||||
| For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary. | ||||
| To guarantee these requirements, we also make security proofs. They mainly state that a cryptographic scheme is secure if some problems remain hard. | ||||
| Cryptographic constructions should additionally verify some security requirements. | ||||
| For instance, an encryption scheme has to hide a message in the presence of an eavesdropper, or even an active adversary who can alter some messages. | ||||
| To guarantee these requirements, cryptographers make security proofs. | ||||
| A proof mainly states that a given cryptographic scheme is secure if some problems remain hard. | ||||
|  | ||||
| At last but not least, the importance of privacy and data protection have been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is finally implemented since may 25$^\text{th}$. | ||||
| Hence, it looks appealing to have privacy-preserving cryptographic constructions that would ideally resist to the eventuality of a quantum computer. | ||||
| Nevertheless, the construction of such protocols mainly relies on ``zero-knowledge proofs'', which is a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement. | ||||
| In the context of post-quantum cryptography, such proofs systems are still limited in power or costly to implement. | ||||
| At last but not least, the importance of privacy and data protection has been a hot topic in the last years, as reflects the development of the general data protection regulation law in 2016, which is implemented since may 25$^\text{th}$. | ||||
| Hence, it looks appealing to have privacy-preserving cryptographic constructions which would ideally resist to the eventuality of a quantum computer. | ||||
| Nevertheless, the design of such protocols crucially relies on ``zero-knowledge proofs''. These are a 2-party protocol between a prover and a verifier where the prover should convince the verifier of a statement without leaking any piece of information about this statement. | ||||
| In the context of post-quantum cryptography, such proofs systems are still limited in power or costly in terms of time, memory and communication consumptions. | ||||
|  | ||||
| \section{Privacy-Preserving Cryptography} | ||||
| \label{se:privacy-preserving-crypto} | ||||
|  | ||||
| In this context, privacy-preserving refers to the fact that a primitive should provide some functionality while holding sensitive information private. | ||||
| In this context, `privacy-preserving' refers to the ability of a primitive to provide some functionalities while holding sensitive information private. | ||||
| An example of such primitives are \textit{anonymous credentials}~\cite{Cha85,CL01}. | ||||
| Informally, this primitive allows users to prove themselves to some verifiers without telling their identity, nor the pattern of their authentications. | ||||
| To realize this, this system involves one (or more) credential issuer(s) and a set of users who have their own secret keys and pseudonyms that are bound to their secret. | ||||
| Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret key as well as a set of attributes. | ||||
| Later on, users can let themselves know to verifiers under a different pseudonym and demonstrate possession of a certification from the issuer, without revealing neither the signature nor the secret key. | ||||
| This primitive thus allow a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity. | ||||
| This primitive thus allows a user to authenticate to a system, such as in anonymous access control, while preserving its anonymity. | ||||
| In addition, the system is guaranteed that users indeed possess a valid credential. | ||||
|  | ||||
| Interest in privacy-based cryptography dates from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}. | ||||
| A reason for that could be the similarities between the intention of cryptography and the requirements of privacy protection. | ||||
| Moreover, the works of cryptographers in this field may have direct impact in term of services that may be enabled in the real-world. | ||||
| Indeed, having a practical anonymous credential scheme will enable its use for access control in a way that may limit security flaws. | ||||
| Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security flaws~\cite{VP17}. | ||||
| Interests in privacy-based cryptography date from the beginning of public-key cryptography~\cite{Rab81,Cha82,GM82,Cha85}. | ||||
| A reason for that could be the similarities between the motivations of cryptography and the requirements of privacy protection. | ||||
| Additionally, the cryptographers' work in this field may have direct consequences in term of services that could be developed in the real-world. | ||||
| Indeed, having a practical anonymous credential scheme will enable its use for access controls in a way that may limit security flaws. | ||||
| Whereas, nowadays implementations are based on more elementary building blocks, like signatures, which manipulations may lead to different security holes~\cite{VP17}. | ||||
|  | ||||
| Similarly, \textit{advanced primitives} often involve simpler building blocks in their design. | ||||
| The difference lies in that provable security gives a security guarantee together with the construction. | ||||
| The difference lies in that provable security gives security guarantees together with the construction. | ||||
| As explained before, these proofs make the security of a set of schemes to rely on hardness assumptions. | ||||
| Thus, the security relies on the hardness of those assumptions, which are studied independently by cryptanalysts. | ||||
| Hence, the security guarantee relies on the study of those assumptions. For example, the analysis of multilinear maps security in~\cite{CHL+15} made obsolete a large amount of candidates at this time.This is why it is important to rely on well studied and simple assumptions as we will explain in~\cref{ch:proofs}. | ||||
|   | ||||
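Review bot: the replacement for "make it more and more important to protect these data efficiently" introduces a new typo, "procecting" for "protecting", so the corrected sentence reads worse than the one it replaces; fix that before merging. Other slips that survive or appear in the rewritten lines: the footnote still says "not to be confuse with cryptocurrency" ("confused"); "as reflects the development of the general data protection regulation law in 2016, which is implemented since may 25$^\text{th}$" needs "as reflected by", a capitalised "May" and a year for the application date, since the 2016 already given is the adoption year; "such proofs systems are still limited in power or costly in terms of time, memory and communication consumptions" should read "proof systems" and "consumption"; "which manipulations may lead to different security holes" should be "whose manipulation"; "made obsolete a large amount of candidates at this time.This is why" is missing a space after the period and wants "number of candidates"; and "while preserving its anonymity" refers to the user, so "their". Two unchanged context lines could be fixed in the same pass: "without revealing neither the signature nor the secret key" is a double negative ("revealing either"), and "propose encrypted and authenticated communications (via \texttt{https}), and so are most of the communications channels" pairs "propose" with "so are", which does not parallel (e.g. "and so do most of the communication channels").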