diff --git a/chap-introduction.tex b/chap-introduction.tex index 2385610..c531ff6 100644 --- a/chap-introduction.tex +++ b/chap-introduction.tex @@ -1,4 +1,4 @@ -In the last two decades, the use of cryptography has shifted from military and commercial secrets to a broader public. +In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public. For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26). As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}). @@ -52,7 +52,7 @@ In the context of this thesis, the cryptographic schemes we develop rely on latt Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes. The details of these two structures is given in~\cref{ch:structures}. -\section{Zero-knowledge Proofs} +\subsection{Zero-knowledge Proofs} As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs. This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden. 
@@ -69,7 +69,7 @@ By nature, these proofs are quite expensive in term of communication complexity. However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}. More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}. -\section{Signatures with Efficient Protocols} +\subsection{Signatures with Efficient Protocols} To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes. One of such signatures are \textit{signatures with efficient protocols}. 
@@ -83,13 +83,56 @@ One, described in~\cref{ch:sigmasig}, is based on pairings and shift the~\cite{L The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature schemes that is compatible with Stern-like proofs. This scheme have also been relaxed in the context of adaptive oblivious transfer where, in some places, it is only required to have random-message security instead of security against chosen-message security as described in~\cref{ch:ot-lwe}. +\section{Pairings and Lattices} + +In this thesis, the presented constructions relies on the assumed hardness of assumptions on pairing-friendly groups and lattices. +These two objects have been used in cryptography since the early 2000s~\cite{SOK00,Reg05}. +Even since, they attracted many attentions from cryptographers, leading to multiple constructions in advanced cryptography (as in~\cite{Jou00,BBS04,BN06,GS08,LYJP14,LPQ17} for pairings, and~\cite{GPV08,ABB10,BV11,GSW13,dPLNS17} for lattices). + +\subsection{Pairing-Based Cryptography} + +A pairing is a bilinear map from two cyclic groups to a target group. +This bilinear property provides a rich structure to groups that are compatible with such a map. +It is then not surprising to see the variety of schemes that stems from pairing-based cryptography. +In the context of privacy-based cryptography, an important breakthrough was the introduction of the Groth-Sahai proofs~\cite{GOS06,GS08} that allows to prove in a non-interactive zero-knowledge fashion a large class of statements in the standard model. +For instance, Groth-Sahai proofs have been used in group signatures and anonymous-credential schemes~\cite{Gro07,BCKL08,BCC+09}. 
+ +In the context of this thesis, however, our pairing-based construction focus on practicality +Thus, it is instantiated in the random oracle model, where Schnorr's proof are made non-interactive through the Fiat-Shamir transform when the statement to prove is simple enough. + +Recently, a line of work in cryptanalysis of bilinear maps~\cite{KB16,MSS17,BD18} leads to a change in the panorama of practical pairing-based cryptography. +This affects us in the sense that the parameter size have to be changed in order to achieve the same security level. + +Nevertheless, pairing-based cryptography offers a nice tradeoff between its capabilities and efficiency. +As an example, we can cite the work of Döttling and Garg~\cite{DG17}, who closed the problem of providing an identity-based encryption scheme which only relies on the decisional Diffie-Hellman assumption (it is an assumption on cyclic groups that does not need pairings, as defined in~\cref{de:DDH}). +If their construction relies on a simpler mathematical object, it does not reach the efficiency of pairing-based ones~\cite{BB04}. + +\subsection{Lattice-Based Cryptography} + +From an algebraic point of view, a lattice is a discrete subgroup of $\RR^n$. +This leads to a simple additive structure. +The core difference with number-theoretic cryptography, such as discrete-logarithm-based cryptography, is the existence of the geometrical structure of the lattice. +From this geometry rises some problems that are believed to withstand a quantum computer. +Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}. + +One property that makes lattice-based cryptography so versatile is the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12} as we will explain in~\cref{sse:lattice-trapdoors}. 
+Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis. +Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$. +An example of use for this last property is the Boyen signature scheme~\cite{Boy10}. +In this scheme, a signature for message $m$ is a short vector in the orthogonal lattice of the matrix $\mathbf A_m = [\mathbf{A} \mid \mathbf B_m]$, where $\mathbf B_m$ is publicly computable. +Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short vector possible, and the message is bind in the description of the lattice $\mathbf A_m$. +Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery). + +Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}. +Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions. + \section{Our Results} In this thesis, we present several cryptographic constructions that preserve privacy. These construction are the result of both improvement we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions. We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography. In the following, we detail four contributions that are developed in this thesis. -These results are taken from four articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}. 
+These results are taken from four published articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}. \subsection{Dynamic Group Signatures and Anonymous Credentials} @@ -106,7 +149,7 @@ In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures The resulting scheme shows competitive signature size with other schemes that relies on more ad-hoc assumptions, and its practicality is supported by an implementation. This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters an Moti Yung presented at AsiaCCS'16. -In~\cref{ch:gs-lwe}, we present the first \textit{dynamic} group signature scheme that relies on lattice assumptions. +\cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions. This have been made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}. It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer. This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16.
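Review bot: in the first hunk (@@ -1,4 +1,4 @@), the statistic on the unchanged context line that follows the edited sentence ("about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}") has no citation and no date; a figure like this ages quickly, so please add a \cite and the year it was measured, and replace "propose an implementation of" with "offer" or "serve". The edited line itself reads well, but "military and commercial secrets" is later illustrated by the Enigma example, so make sure "fifty years" is the period you want to claim for the shift to a "broader public" rather than the period covered by the example.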
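Review bot: in the hunk at @@ -52,7 +52,7 @@, demoting "\section{Zero-knowledge Proofs}" to "\subsection" makes it a child of whatever \section precedes line 52, which is outside this diff; please confirm that parent is the intended one and that any \label on this heading (and the \cref calls that use it) still point at the right level. On the unchanged context line, "a basic building block for privacy-preserving cryptography are zero-knowledge proofs" should be "is zero-knowledge proofs" (or "basic building blocks ... are"), and "The completeness simply render the correctness" should be "renders".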
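Review bot: in the hunk at @@ -69,7 +69,7 @@, the same \section-to-\subsection demotion applies to "Signatures with Efficient Protocols", so the two demoted headings should be checked together for a consistent hierarchy with the new "\section{Pairings and Lattices}" that follows them. On the context lines, "in term of communication complexity" should be "in terms of", and "One of such signatures are \textit{signatures with efficient protocols}" should be "One such signature is a \textit{signature with efficient protocols}".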
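Review bot: the large hunk at @@ -83,13 +83,56 @@ adds good material, but the new text needs a pass for subject-verb agreement and tense before merge: "the presented constructions relies" should be "rely", "Even since, they attracted many attentions" should be "Ever since, they have attracted much attention", "the variety of schemes that stems" should be "stem", "our pairing-based construction focus on practicality" is missing both "focuses" and the final period, "Schnorr's proof are" should be "proofs are", "leads to a change in the panorama" should be "has led", "the parameter size have to be changed" should be "sizes have", "From this geometry rises some problems" should be "arise", "some extra care have to be taken" should be "has", "the message is bind in the description" should be "bound into", and "Given that we provides ... we were focusing" should be "we provide ... we focused". Two content points as well: "the assumed hardness of assumptions" is redundant (say "the hardness of assumptions on" or "the assumed hardness of problems on"), and please double-check against~\cite{DG17} whether the Diffie-Hellman assumption named there is the decisional variant as written or the computational one, since the sentence ties it to \cref{de:DDH}.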
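Review bot: in the hunk at @@ -106,7 +149,7 @@, starting the sentence with "\cref{ch:gs-lwe} presents" will typeset a lowercase "chapter" at the beginning of the sentence under cleveref; use "\Cref{ch:gs-lwe} presents" for the capitalised form. On the surrounding context lines, "This have been made possible" should be "This has been", "Thomas Peters an Moti Yung" should be "and Moti Yung", and "in the design dynamic group encryption" should be "in the design of dynamic group encryption".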