Modifications

This commit is contained in:
Fabrice Mouhartem 2018-04-30 14:54:55 +02:00
parent 73e934e564
commit c642ac2903
8 changed files with 77 additions and 22 deletions

View File

@ -1,7 +1,7 @@
In this Part, we will present two constructions for dynamic group signatures. In this Part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple. The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions. This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.
An implementation is available and the timing are detailed in \cref{ch:sigmasig}. An implementation is available and detailed in \cref{ch:sigmasig}.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups. The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices. This construction has been the first fully secure group signature scheme from lattices.
@ -68,6 +68,7 @@ membership secret, $\scr_i$.
%\paragraph{Syntax.} %\paragraph{Syntax.}
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle. We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
\begin{definition}[Dynamic Group Signature] \begin{definition}[Dynamic Group Signature]
\index{Dynamic group signatures}
A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows. A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows.
\begin{description} \begin{description}
@ -272,6 +273,7 @@ security properties are formalized as follows.
\subsection{Security Against Misidentification Attacks} \subsection{Security Against Misidentification Attacks}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte} \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte}
\label{sec:RGSdefsecMisId} \label{sec:RGSdefsecMisId}
\index{Dynamic group signatures!Mis-identifications}
\begin{figure}[H] \begin{figure}[H]
\centering \centering
@ -313,6 +315,7 @@ adversarially-controlled user.
\subsection{Non-Frameability} \subsection{Non-Frameability}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées} \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées}
\label{sec:RGSdefsecMonFrame} \label{sec:RGSdefsecMonFrame}
\index{Dynamic group signatures!Non frameability}
\begin{figure}[H] \begin{figure}[H]
\centering \centering
@ -369,6 +372,7 @@ The adversary eventually aims at framing an honest group member.
\subsection{Full Anonymity} \subsection{Full Anonymity}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet} \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet}
\label{sec:RGSdefsecAnon} \label{sec:RGSdefsecAnon}
\index{Dynamic group signatures!anonymity}
\begin{figure}[H] \begin{figure}[H]
\centering \centering

View File

@ -162,6 +162,7 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
\subsection{Non Interactive Proofs} \subsection{Non Interactive Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives}
\label{sse:zk-nizk}
Another useful primitives are the non-interactive version of zero-knowledge proofs. Another useful primitives are the non-interactive version of zero-knowledge proofs.
@ -177,7 +178,7 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
\end{description} \end{description}
\end{definition} \end{definition}
In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This techniques is called the Fiat-Shamir transform. In the random oracle model~\cite{PS96,GT03}, it is possible to transform a ZK proof into an NIZK proof~\cite{FS86}. This techniques is called the Fiat-Shamir transform.
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}] \begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform} \index{Zero Knowledge!Fiat-Shamir Transform}
@ -204,7 +205,8 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis. For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
In the trusted setup model described in \cref{se:games-sim}, there are also another type of $\NIZK$ proofs that are useful for us, for instance in \cref{ch:sigmasig}. In the trusted setup model described in \cref{se:games-sim}, there are also another type of $\NIZK$ proofs that are useful for us, for instance in \cref{ch:sigmasig}.
Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated. A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs. Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated (in other sense, the distribution $D_\crs$ is a function of the language we want to prove). A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
\index{Zero Knowledge!QANIZK}
\section{Schnorr Proofs} \section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}

View File

@ -1,3 +1 @@
\chapter{Introduction}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}

View File

@ -281,6 +281,7 @@ This security notion illustrates that no malicious collusions of users and the a
The security definition of $\indcpa$ is defined as an indistinguishability game. The security definition of $\indcpa$ is defined as an indistinguishability game.
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}. The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments. In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
\index{Universal Composability}
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments. In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$ Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}. there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.

View File

@ -4,25 +4,34 @@
%------------------------------------------------- %-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}. In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner. Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority). This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on. As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}. Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message. To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations). Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups. We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting. Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication. (2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption. In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map. Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements. From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
This signature length is made possible by using $\QANIZK$ This signature length is made possible by using efficient $\QANIZK$ arguments -- as presented in~\cref{sse:zk-nizk} and formally defined in~\cite{JR13} -- to prove the belonging to some linear subspace spanned by the rows of a matrix.
For this purpose, it was shown that for this specific task, the size of the argument may be independent of the dimension of the considered subspace~\cite{JR14,LPJY14,KW15}.
The signature scheme described in this chapter (\cref{scal-sig}) crucially takes advantage of this observation as $\ell$-block messages are certified using a $\QANIZK$ argument for a subspace of dimension $\bigO(\ell)$.
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
As another showcase for this signature, we also design another primitives.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this Chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
%-------------------------------------------------- %--------------------------------------------------
\section{Building blocks} \section{Building blocks}
@ -111,7 +120,7 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3} \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c} \left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
\vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} \vec{v}^\top & g^{\mathbf{I}_{\ell+1}} & h^{\mathbf{I}_{\ell+1}}
& \mathbf{1}_{{}_{\ell+1}}^\top & \mathbf{1}_{{}_{\ell+1}}^\top
\end{array}\right) , \end{array}\right) ,
\end{equation} \end{equation}
@ -1023,8 +1032,8 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
%--------------------------------------------------------------------- %---------------------------------------------------------------------
\subsection{Security} \subsection{Security}
The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively. The security of the above dynamic group signature scheme, namely full anonymity, security against misidentifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability. The security relies on the \SXDH assumption for anonymity and misidentification, and on the \SDL assumption for non-frameability.
\begin{theorem} \label{th:sgsig-anonymity} \begin{theorem} \label{th:sgsig-anonymity}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. % If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
@ -1205,7 +1214,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{theorem} \label{th:sgsig-mis-identification} \begin{theorem} \label{th:sgsig-mis-identification}
In the ROM, the scheme is secure against In the ROM, the scheme is secure against
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$. misidentification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
\end{theorem} \end{theorem}
% %
\begin{proof} \begin{proof}
@ -1216,7 +1225,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\ the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\
%After the extraction, the reduction can then call the corresponding oracles to simulate the game without having %After the extraction, the reduction can then call the corresponding oracles to simulate the game without having
%information it does not hold. %information it does not hold.
\indent Let us assume an attacker $\adv$ against the mis-identification game that wins with non-negligible \indent Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible
probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature
scheme of section~\ref{scal-sig}. \medskip scheme of section~\ref{scal-sig}. \medskip
\\ \\
@ -1417,13 +1426,31 @@ Their scheme provides signatures composed of only $2$ group elements in $\GG$ an
Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is
composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions. composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions.
Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the
number $N$ of group users (like \cite{BCN+10}). number $\Ngs$ of group users (like \cite{BCN+10}).
%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation %On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation
\section{Implementation results} \section{Experimental Results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats expérimentaux}
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}. An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros. The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
Figures are available in Table~\ref{ta:sigmasig-figures}.
\begin{table}
\centering
\begin{tabular}{|c|r|r|}
\hline
\textbf{Algorithm/Protocol} & \textbf{Our scheme} & \textbf{Standard deviation}\\
\hline \hline
\textsf{Keygen} & 9.70 ms & 2.18 ms \\ \hline
\textsf{Join} & 23.16 ms & 0.11 ms \\ \hline
\textsf{Sign} & 15.70 ms & 0.04 ms \\ \hline
\textsf{Verify} & 26.91 ms & 0.04 ms \\ \hline
\end{tabular}
\caption{Experimental results for the Pairing-Base group signature scheme}
\label{ta:sigmasig-figures}
\end{table}

View File

@ -116,5 +116,21 @@
\newcommand{\ID}{\ensuremath{\mathsf{ID}}\xspace} \newcommand{\ID}{\ensuremath{\mathsf{ID}}\xspace}
% Other % Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}} \newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}\xspace}
%added by Khoa
\newcommand{\xddots}{%
\raise 4pt \hbox {.}
\mkern 6mu
\raise 1pt \hbox {.}
\mkern 6mu
\raise -2pt \hbox {.}
}
\newcommand{\xddotss}{%
\raise 15pt \hbox {.}
\mkern 6mu
\raise 1pt \hbox {.}
\mkern 6mu
\raise -8pt \hbox {.}
}

View File

@ -4,6 +4,8 @@
%% Highlight overfull hbox %% Highlight overfull hbox
\overfullrule=1mm \overfullrule=1mm
%% Show labels
%\usepackage{showkeys}
\usepackage[utf8x]{inputenc} \usepackage[utf8x]{inputenc}
\usepackage[french,english]{babel} \usepackage[french,english]{babel}
@ -27,7 +29,7 @@
\usepackage{multirow} \usepackage{multirow}
\usepackage[pagebackref]{hyperref} \usepackage[pagebackref]{hyperref}
\renewcommand*{\backref}[1]{} \renewcommand*{\backref}[1]{}
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#4} \renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true} \hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true}
\hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices}, \hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices},
pdfauthor={Fabrice Mouhartem}, pdfauthor={Fabrice Mouhartem},
@ -98,6 +100,10 @@
\mainmatter \mainmatter
\pagestyle{ruled} \pagestyle{ruled}
\chapter{Introduction}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Introduction}
\label{ch:introduction}
\input chap-introduction \input chap-introduction
\cleardoublepage \cleardoublepage

View File

@ -11,6 +11,7 @@
$\mathbf{b}$ & bold lowercase letters represent column vectors \\ $\mathbf{b}$ & bold lowercase letters represent column vectors \\
$\widetilde{\mathbf{A}}$ & Gram-Schmidt orthogonalization of matrix $\mathbf{A}$ \\ $\widetilde{\mathbf{A}}$ & Gram-Schmidt orthogonalization of matrix $\mathbf{A}$ \\
$\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\ $\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\
$\mathbf{I}_n$ & the $n$ dimension identity matrix in $\RR^{n \times n}$ \\
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\ $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
$\Pr[E]$ & Probability that an event $E$ occurs \\ $\Pr[E]$ & Probability that an event $E$ occurs \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\