Fabrice Mouhartem 2018-06-15 18:07:48 +02:00
parent c21d318455
commit 8468eb1c0a


@ -1,4 +1,4 @@
In the last two decades, the use of cryptography has shifted from military and commercial secrets to a broader public. In the last fifty years, the use of cryptography has shifted from military and commercial secrets to a broader public.
For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26). For instance, the Enigma machine had a design for military purpose, and another one for enterprise (Enigma A26).
As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}). As of now, about $60\%$ of the first million most visited websites propose an implementation of \texttt{https}, and so are most of the communications channels that electronic devices use (like \textit{Wifi Protected Access}).
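Review bot: the "about $60\%$ of the first million most visited websites" figure in the third line of this hunk carries no citation or date, and since the hunk already revises the time frame from "two decades" to "fifty years", this is the moment to pin it down: add a \cite to the measurement it comes from (or a footnote with the survey and year), otherwise the number will be stale and unverifiable by the time the thesis is read. Two smaller points in the same hunk: "propose an implementation of \texttt{https}" reads oddly and would be clearer as "serve their content over \texttt{https}", and the protocol name is "Wi-Fi Protected Access", not "Wifi Protected Access".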
@ -52,7 +52,7 @@ In the context of this thesis, the cryptographic schemes we develop rely on latt
Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes. Lattice-based cryptography is used to go toward post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures is given in~\cref{ch:structures}. The details of these two structures is given in~\cref{ch:structures}.
\section{Zero-knowledge Proofs} \subsection{Zero-knowledge Proofs}
As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs. As explained before, a basic building block for privacy-preserving cryptography are zero-knowledge proofs.
This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden. This interactive protocol requires the completeness, soundness and zero-knowledge properties. The completeness simply render the correctness of the protocol if everyone is honest. In the case of a dishonest prover, the soundness asks the probability that the verifier is convinced to be negligible. On the contrary, if the verifier is cheating, the zero-knowledge property guarantees that the prover's secret remains hidden.
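Review bot: demoting \section{Zero-knowledge Proofs} to \subsection is consistent with the new \section{Pairings and Lattices} added later in this commit, but the unchanged context lines around it still carry grammar slips worth fixing while the file is open: "The details of these two structures is given" should read "are given", "The completeness simply render the correctness" should be "renders", and "a basic building block ... are zero-knowledge proofs" mixes singular and plural (either "a basic building block ... is the zero-knowledge proof" or "basic building blocks ... are zero-knowledge proofs"). The soundness sentence is technically fine, but "asks the probability that the verifier is convinced to be negligible" would be clearer as "requires that the probability of the verifier being convinced is negligible".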
@ -69,7 +69,7 @@ By nature, these proofs are quite expensive in term of communication complexity.
However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}. However, they can be used to prove a wide variety of statements as we will explain in more detail along this thesis and especially in~\cref{sse:stern}.
More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}. More generally, zero-knowledge proofs are detailed in~\cref{ch:zka}.
\section{Signatures with Efficient Protocols} \subsection{Signatures with Efficient Protocols}
To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes. To enable privacy-preserving functionalities, a possible way is to couple zero-knowledge proofs with signature schemes.
One of such signatures are \textit{signatures with efficient protocols}. One of such signatures are \textit{signatures with efficient protocols}.
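Review bot: same heading-level change as the previous hunk, so the structure stays consistent; the only issue is the trailing context line "One of such signatures are \textit{signatures with efficient protocols}", which should read "One such family of signatures is \textit{signatures with efficient protocols}" (singular subject, "One such" rather than "One of such").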
@ -83,13 +83,56 @@ One, described in~\cref{ch:sigmasig}, is based on pairings and shift the~\cite{L
The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature schemes that is compatible with Stern-like proofs. The other, portrayed in~\cref{ch:gs-lwe}, adapts a variant of Boyen's signature on pairing along with the Kawachi, Tanaka and Xagawa commitment scheme to provide a lattice-based signature schemes that is compatible with Stern-like proofs.
This scheme have also been relaxed in the context of adaptive oblivious transfer where, in some places, it is only required to have random-message security instead of security against chosen-message security as described in~\cref{ch:ot-lwe}. This scheme have also been relaxed in the context of adaptive oblivious transfer where, in some places, it is only required to have random-message security instead of security against chosen-message security as described in~\cref{ch:ot-lwe}.
\section{Pairings and Lattices}
In this thesis, the presented constructions relies on the assumed hardness of assumptions on pairing-friendly groups and lattices.
These two objects have been used in cryptography since the early 2000s~\cite{SOK00,Reg05}.
Even since, they attracted many attentions from cryptographers, leading to multiple constructions in advanced cryptography (as in~\cite{Jou00,BBS04,BN06,GS08,LYJP14,LPQ17} for pairings, and~\cite{GPV08,ABB10,BV11,GSW13,dPLNS17} for lattices).
\subsection{Pairing-Based Cryptography}
A pairing is a bilinear map from two cyclic groups to a target group.
This bilinear property provides a rich structure to groups that are compatible with such a map.
It is then not surprising to see the variety of schemes that stems from pairing-based cryptography.
In the context of privacy-based cryptography, an important breakthrough was the introduction of the Groth-Sahai proofs~\cite{GOS06,GS08} that allows to prove in a non-interactive zero-knowledge fashion a large class of statements in the standard model.
For instance, Groth-Sahai proofs have been used in group signatures and anonymous-credential schemes~\cite{Gro07,BCKL08,BCC+09}.
In the context of this thesis, however, our pairing-based construction focus on practicality
Thus, it is instantiated in the random oracle model, where Schnorr's proof are made non-interactive through the Fiat-Shamir transform when the statement to prove is simple enough.
Recently, a line of work in cryptanalysis of bilinear maps~\cite{KB16,MSS17,BD18} leads to a change in the panorama of practical pairing-based cryptography.
This affects us in the sense that the parameter size have to be changed in order to achieve the same security level.
Nevertheless, pairing-based cryptography offers a nice tradeoff between its capabilities and efficiency.
As an example, we can cite the work of Döttling and Garg~\cite{DG17}, who closed the problem of providing an identity-based encryption scheme which only relies on the decisional Diffie-Hellman assumption (it is an assumption on cyclic groups that does not need pairings, as defined in~\cref{de:DDH}).
If their construction relies on a simpler mathematical object, it does not reach the efficiency of pairing-based ones~\cite{BB04}.
\subsection{Lattice-Based Cryptography}
From an algebraic point of view, a lattice is a discrete subgroup of $\RR^n$.
This leads to a simple additive structure.
The core difference with number-theoretic cryptography, such as discrete-logarithm-based cryptography, is the existence of the geometrical structure of the lattice.
From this geometry rises some problems that are believed to withstand a quantum computer.
Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}.
One property that makes lattice-based cryptography so versatile is the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12} as we will explain in~\cref{sse:lattice-trapdoors}.
Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis.
Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$.
An example of use for this last property is the Boyen signature scheme~\cite{Boy10}.
In this scheme, a signature for message $m$ is a short vector in the orthogonal lattice of the matrix $\mathbf A_m = [\mathbf{A} \mid \mathbf B_m]$, where $\mathbf B_m$ is publicly computable.
Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short vector possible, and the message is bind in the description of the lattice $\mathbf A_m$.
Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery).
Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}.
Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions.
\section{Our Results} \section{Our Results}
In this thesis, we present several cryptographic constructions that preserve privacy. In this thesis, we present several cryptographic constructions that preserve privacy.
These construction are the result of both improvement we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions. These construction are the result of both improvement we made in the use of zero-knowledge proofs and the ability to prove the security of our constructions under simple assumptions.
We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography. We believe that these improvements on zero-knowledge proofs are of independent interest and that the given schemes are a first step toward quantum-secure privacy-preserving cryptography.
In the following, we detail four contributions that are developed in this thesis. In the following, we detail four contributions that are developed in this thesis.
These results are taken from four articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}. These results are taken from four published articles: \cite{LMPY16,LLM+16,LLM+16a,LLM+17}.
\subsection{Dynamic Group Signatures and Anonymous Credentials} \subsection{Dynamic Group Signatures and Anonymous Credentials}
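Review bot: the new \section{Pairings and Lattices} block needs a proofreading pass before merging, as nearly every paragraph has an agreement or tense error: "the presented constructions relies" (rely), "Even since, they attracted many attentions" (Ever since, they have attracted much attention), "our pairing-based construction focus on practicality" is missing both "focuses" and its final period, "Schnorr's proof are made" (proofs), "leads to a change ... This affects us in the sense that the parameter size have to be changed" (led; sizes have), "From this geometry rises some problems" (rise), "permits to generate" (makes it possible to generate), "the message is bind in the description" (bound), "some extra care have to be taken" (has), and "Given that we provides ... we were focusing" (we provide ... we focused). One wording point: "If their construction relies on a simpler mathematical object, it does not reach the efficiency" uses "If" in the French sense; "While" or "Although" is what is meant. One substantive point: the sentence "Indeed, some extra care have to be taken to avoid multiplicative attacks" contrasts with the preceding sentence rather than supporting it, so "However" fits better than "Indeed", and it would help the reader to state explicitly why the doubling trick works (a vector $2\mathbf v$ is still in the orthogonal lattice of $\mathbf A_m$, so it remains a valid signature whenever its norm is still below the acceptance bound), since that is the reason the norm bound in the verification is tight in Boyen's scheme. Finally, the hunk header context line ends in "shift the~\cite{L", which is just display truncation, but check that the \cite key is intact in the file.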
@ -106,7 +149,7 @@ In this thesis, we present in~\cref{ch:sigmasig} pairing-based group signatures
The resulting scheme shows competitive signature size with other schemes that relies on more ad-hoc assumptions, and its practicality is supported by an implementation. The resulting scheme shows competitive signature size with other schemes that relies on more ad-hoc assumptions, and its practicality is supported by an implementation.
This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters an Moti Yung presented at AsiaCCS'16. This scheme is presented in~\cite{LMPY16}, which is joint work with Benoît Libert, Thomas Peters an Moti Yung presented at AsiaCCS'16.
In~\cref{ch:gs-lwe}, we present the first \textit{dynamic} group signature scheme that relies on lattice assumptions. \cref{ch:gs-lwe} presents the first \textit{dynamic} group signature scheme relying on lattice assumptions.
This have been made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}. This have been made possible by adapting Stern-like proofs to behave well with a signature scheme: a variant of Boyen's signature~\cite{Boy10,BHJ+15}.
It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer. It results in a \textit{signature with efficient protocols} that is of independent interest. Further, it has been adapted in the design dynamic group encryption and adaptive oblivious transfer.
This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16. This work is described in~\cite{LLM+16}, made with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, presented at Asiacrypt'16.
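Review bot: the rewording of "In~\cref{ch:gs-lwe}, we present" to "\cref{ch:gs-lwe} presents" starts a sentence with \cref, which typesets as "chapter 3" unless the document uses \Cref or has cleveref configured to capitalise at sentence start; use \Cref{ch:gs-lwe} here. The surrounding context lines also have fixes worth folding in: "Thomas Peters an Moti Yung" (and), "This have been made possible" (has), "schemes that relies on" (rely), and "adapted in the design dynamic group encryption" is missing "of" after "design".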