From d6adc217eb40f1b39703bfb4bb27c90ea756b9ef Mon Sep 17 00:00:00 2001
From: Fabrice Mouhartem
Date: Fri, 2 Feb 2018 16:09:02 +0100
Subject: [PATCH] Index

---
 sec-lattices.tex | 15 ++++++++-------
 sec-pairings.tex | 19 +++++++++++++------
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/sec-lattices.tex b/sec-lattices.tex
index b43a4c3..d3f6549 100644
--- a/sec-lattices.tex
+++ b/sec-lattices.tex
@@ -22,7 +22,7 @@ A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear comb
 We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}. In the following, we work with $q$-ary lattices, for some prime $q$.
-\begin{definition} \label{de:qary-lattices}
+\begin{definition} \label{de:qary-lattices} \index{Lattices}
 Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
 \begin{align*}
 \Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
@@ -58,7 +58,7 @@ Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently sho
 As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
-\begin{definition}[The SIS problem]
+\begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
 Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
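Review bot: The SIS definition on the new side writes the ring as `\Zq^{n \times m}` while the q-ary lattice definition in the first hunk uses `\ZZ_q^{n \times m}` and the LWE definition in the next hunk spells it out as `\mathbb{Z}_q^n`; since this commit already touches every `\begin{definition}` line to add labels and index entries, it is the natural place to settle on one macro, e.g. `given~$\mathbf{A} \sample U(\ZZ_q^{n \times m})$`. The same applies to `\mathbb{N}` on the `Let~$m,q,\beta$` line against `\ZZ` used elsewhere in the file. The body of the SIS definition continues past the end of this hunk.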
@@ -68,7 +68,8 @@ As explained before, we will rely on the assumption that both algorithmic proble
 If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$ (see, e.g., \cite[Se.~9]{GPV08}).
-\begin{definition}[The LWE problem]
+
+\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
 Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
 \end{definition}
@@ -84,7 +85,7 @@ given a sufficiently short basis of the lattice.
 \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \label{le:GPV}
-There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
+There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
 basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
 and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
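Review bot: The LWE definition introduces the distribution as `$A_{\mathbf{s}, \chi}$` but the distinguishing task two sentences later refers to `$\mathcal{A}_{\mathbf{s},\chi}$`, so the object the reader is asked to distinguish is never defined under that name; one of the two should change, e.g. `let $\mathcal{A}_{\mathbf{s}, \chi}$ be the distribution`. Since the new `\label{de:lwe}` is presumably there to be cross-referenced, the statement is worth getting exactly right at this point. These are context lines that the commit leaves untouched.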
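Review bot: The lemma takes a basis of a lattice named `$\Lambda \subseteq \ZZ^n$` but outputs `$\mathbf{b} \in L$` with distribution `$D_{L,\sigma}$`, so `L` is never bound; the last line should read `and outputs vectors~$\mathbf{b} \in \Lambda$ with distribution~$D_{\Lambda,\sigma}$` (or the input lattice should be called `L`). The `\PPT` to `\ppt` rename on the first line of the statement is fine but does not address this. The lemma statement ends at this hunk's last line.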
@@ -96,7 +97,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
 \begin{lemma}[{\cite[Th.~3.2]{AP09}}] \label{le:TrapGen}
-There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$,
+There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
 $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
@@ -113,7 +114,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
 submatrix is~$\mathbf{A}$.
 \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
- There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a
+ There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
 matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
@@ -126,7 +127,7 @@ submatrix is~$\mathbf{A}$.
 an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
 \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
- There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
+ There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
 a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
diff --git a/sec-pairings.tex b/sec-pairings.tex
index 9f63820..2ab620c 100644
--- a/sec-pairings.tex
+++ b/sec-pairings.tex
@@ -5,13 +5,13 @@ Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
 Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
 Multiple constructions and parameter sets coexist for pairings.
-Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.
+Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
 In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of a classical assumption over pairings, namely $\SXDH$.
 %\subsection{Bilinear maps}
-\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
+\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
 A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
 \begin{enumerate}[\quad (i)] \item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
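Review bot: The rewritten citation line carries over two agreement errors from the old one, `Real-world implementation are` and `cryptanalysis makes it hard`; since the line is replaced anyway, it should read `Real-world implementations are based on elliptic curves~\cite{BN06,KSS08}, but recent advances in cryptanalysis make it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.` The stray space in `\cite{BN06, KSS08}` is also inconsistent with the other citation lists in the same paragraph. The context sentence `many constructions have been proposed for cryptographic constructions` repeats itself and would read better as `many cryptographic constructions have been proposed`, but the commit does not touch it.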
@@ -22,17 +22,24 @@ In the following, we rely on the black-box definition of cryptographic pairings
 For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
-Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.
+Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
+%defined in Definition~\ref{de:DDH}.
+defined as follows.
-\begin{definition}[$\DDH$] \label{de:DDH}
+\begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
 Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
- The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
+
+ The DDH assumption is the intractability of the problem for any $\ppt$ algorithm.
+
+ Let us now define the $\DDH$ language as
+ $L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$
+ Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.
 \end{definition}
 This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
-\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]
+\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!Symmetric external Diffie-Hellman (SXDH)}
 The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
 \end{definition}
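Review bot: The new closing sentence of the DDH definition, `Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not`, does not restate the assumption: the exponents $a, b$ are an NP witness for membership in $L_\DDH$ and $\mathsf{NP} \subseteq \mathsf{PP}$, so $L_\DDH \in \mathsf{PP}$ holds unconditionally, whereas the assumption stated on the line above is that no $\ppt$ distinguisher has non-negligible advantage on uniformly sampled instances, an average-case and bounded-error notion. I would drop that sentence, or keep only the language definition and say that the problem is distinguishing tuples of $L_\DDH$ from uniform tuples of $\GG^4$. In the same definition the context line `$c$ is sampled uniformly in $\GG$` should read `$c$ is sampled uniformly in $\Zp$`, since $c$ is an exponent (the new `$L_\DDH$` compares it with `a \cdot b`, and the bilinearity item earlier in the file already writes `a, b \in \Zp`). The context sentence before the SXDH definition also has `used to defined the $\SXDH$ assumption`, which should be `used to define`.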