This commit is contained in:
Fabrice Mouhartem 2018-06-15 18:07:48 +02:00
parent c21d318455
commit 8468eb1c0a
1 changed files with 48 additions and 5 deletions


@ -1,4 +1,4 @@
In the last two decades, the use of cryptography has shifted from military and commercial secrets to a broader public.
In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public.
For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26).
As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}).
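Review bot: The "$60\%$ of the first million most visited websites" figure on the last context line has no citation and "As of now" will not date well; add a \cite for the survey the number comes from and tie it to a year ("As of 2018, about $60\%$ ... \cite{...}"). Two wording fixes on the unchanged context: "had a design for military purpose, and another one for enterprise" reads better as "had a military version and a commercial one (Enigma A26)", and the protocol name is \textit{Wi-Fi Protected Access} (WPA), not "Wifi Protected Access".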
@ -52,7 +52,7 @@ In the context of this thesis, the cryptographic schemes we develop rely on latt
Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures is given in~\cref{ch:structures}.
\section{Zero-knowledge Proofs}
\subsection{Zero-knowledge Proofs}
As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs.
This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
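Review bot: Subject-verb agreement is off on three unchanged context lines in this hunk: "The details of these two structures is given" should be "are given"; "a basic building block for privacy-preserving cryptography are zero-knowledge proofs" should be "a basic building block ... is the zero-knowledge proof" (or "are" with "basic building blocks"); and "The completeness simply render the correctness" should be "renders". Since this hunk demotes the heading to \subsection{Zero-knowledge Proofs}, also confirm the section is still reachable under a surrounding \section so the \cref{ch:zka} pointer in the next hunk keeps its intended numbering.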
@ -69,7 +69,7 @@ By nature, these proofs are quite expensive in term of communication complexity.
However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}.
More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}.
\section{Signatures with Efficient Protocols}
\subsection{Signatures with Efficient Protocols}
To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes.
One of such signatures are \textit{signatures with efficient protocols}.
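Review bot: "One of such signatures are \textit{signatures with efficient protocols}" on the last line should read "One such family of signatures is \textit{signatures with efficient protocols}". In the context line "By nature, these proofs are quite expensive in term of communication complexity", "in term of" should be "in terms of", and "along this thesis" on the following line is better as "throughout this thesis".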
@ -83,13 +83,56 @@ One, described in~\cref{ch:sigmasig}, is based on pairings and shift the~\cite{L
The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature schemes that is compatible with Stern-like proofs.
This scheme have also been relaxed in the context of adaptive oblivious transfer where, in some places, it is only required to have random-message security instead of security against chosen-message security as described in~\cref{ch:ot-lwe}.
\section{Pairings and Lattices}
In this thesis, the presented constructions relies on the assumed hardness of assumptions on pairing-friendly groups and lattices.
These two objects have been used in cryptography since the early 2000s~\cite{SOK00,Reg05}.
Even since, they attracted many attentions from cryptographers, leading to multiple constructions in advanced cryptography (as in~\cite{Jou00,BBS04,BN06,GS08,LYJP14,LPQ17} for pairings, and~\cite{GPV08,ABB10,BV11,GSW13,dPLNS17} for lattices).
\subsection{Pairing-Based Cryptography}
A pairing is a bilinear map from two cyclic groups to a target group.
This bilinear property provides a rich structure to groups that are compatible with such a map.
It is then not surprising to see the variety of schemes that stems from pairing-based cryptography.
In the context of privacy-based cryptography, an important breakthrough was the introduction of the Groth-Sahai proofs~\cite{GOS06,GS08} that allows to prove in a non-interactive zero-knowledge fashion a large class of statements in the standard model.
For instance, Groth-Sahai proofs have been used in group signatures and anonymous-credential schemes~\cite{Gro07,BCKL08,BCC+09}.
In the context of this thesis, however, our pairing-based construction focus on practicality
Thus, it is instantiated in the random oracle model, where Schnorr's proof are made non-interactive through the Fiat-Shamir transform when the statement to prove is simple enough.
Recently, a line of work in cryptanalysis of bilinear maps~\cite{KB16,MSS17,BD18} leads to a change in the panorama of practical pairing-based cryptography.
This affects us in the sense that the parameter size have to be changed in order to achieve the same security level.
Nevertheless, pairing-based cryptography offers a nice tradeoff between its capabilities and efficiency.
As an example, we can cite the work of Döttling and Garg~\cite{DG17}, who closed the problem of providing an identity-based encryption scheme which only relies on the decisional Diffie-Hellman assumption (it is an assumption on cyclic groups that does not need pairings, as defined in~\cref{de:DDH}).
If their construction relies on a simpler mathematical object, it does not reach the efficiency of pairing-based ones~\cite{BB04}.
\subsection{Lattice-Based Cryptography}
From an algebraic point of view, a lattice is a discrete subgroup of $\RR^n$.
This leads to a simple additive structure.
The core difference with number-theoretic cryptography, such as discrete-logarithm-based cryptography, is the existence of the geometrical structure of the lattice.
From this geometry rises some problems that are believed to withstand a quantum computer.
Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}.
One property that makes lattice-based cryptography so versatile is the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12} as we will explain in~\cref{sse:lattice-trapdoors}.
Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis.
Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$.
An example of use for this last property is the Boyen signature scheme~\cite{Boy10}.
In this scheme, a signature for message $m$ is a short vector in the orthogonal lattice of the matrix $\mathbf A_m = [\mathbf{A} \mid \mathbf B_m]$, where $\mathbf B_m$ is publicly computable.
Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short vector possible, and the message is bind in the description of the lattice $\mathbf A_m$.
Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery).
Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}.
Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions.
\section{Our Results}
In this thesis, we present several cryptographic constructions that preserve privacy.
These construction are the result of both improvement we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions.
We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography.
In the following, we detail four contributions that are developed in this thesis.
These results are taken from four articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}.
These results are taken from four published articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}.
\subsection{Dynamic Group Signatures and Anonymous Credentials}
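Review bot: The trapdoor-delegation sentence "permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$" is imprecise: $\Lambda^\perp([\mathbf A \mid \mathbf B])$ lives in $\ZZ^{m'}$ while $\Lambda^\perp(\mathbf A)$ lives in $\ZZ^m$, so one is not a superlattice of the other; state it as extending (delegating) a short basis of the lattice defined by $\mathbf A$ to one for the lattice defined by $[\mathbf A \mid \mathbf B]$, as in the cited~\cite{CHKP10,MP12}. Two sentences in the lattice paragraph need attention: "Hence, knowing a trapdoor for $\mathbf A$ makes ... and the message is bind in the description" should be "bound", and the following "Indeed, some extra care have to be taken to avoid multiplicative attacks" is a caveat, not a confirmation, so it should open with "However, some extra care has to be taken". The last sentence of that subsection, "Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions", is garbled; suggest "Since we provide the first lattice-based constructions of the primitives we present, we focused on obtaining them under simple assumptions". The new text also introduces \cref{de:DDH} and \cref{sse:lattice-trapdoors}: make sure both labels exist, and that the macros \RR and \ZZ are defined in the preamble. Remaining grammar on the added lines: "This scheme have also been relaxed" (has), "security against chosen-message security" (chosen-message attacks), "the presented constructions relies on the assumed hardness of assumptions on" (rely on hardness assumptions on), "Even since, they attracted many attentions" (Ever since, they have attracted much attention), "that allows to prove in a non-interactive zero-knowledge fashion a large class of statements" (that allow proving a large class of statements in non-interactive zero-knowledge), "our pairing-based construction focus on practicality" (constructions focus on practicality, and the line is missing its final period), "Schnorr's proof are made" (proofs), "leads to a change in the panorama" (led to a change in the landscape), "the parameter size have to be changed" (has), "If their construction relies on a simpler mathematical object, it does not reach" (While), and "These construction are the result of both improvement we made" (These constructions are the result of both the improvements we made).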
@ -106,7 +149,7 @@ In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures
The resulting scheme shows competitive signature size with other schemes that relies on more ad-hoc assumptions, and its practicality is supported by an implementation.
This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters an Moti Yung presented at AsiaCCS'16.
In~\cref{ch:gs-lwe}, we present the first \textit{dynamic} group signature scheme that relies on lattice assumptions.
\cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions.
This have been made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}.
It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer.
This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16.
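Review bot: The rewritten line "\cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions." starts a sentence with a \cref, which capitalises inconsistently with the rest of the chapter; use \Cref{ch:gs-lwe} there. On the unchanged context: "other schemes that relies on more ad-hoc assumptions" should be "rely", "Thomas Peters an Moti Yung" is missing the "d" in "and", "This have been made possible" should be "This has been made possible", and "adapted in the design dynamic group encryption" needs "of" ("in the design of dynamic group encryption").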