Fabrice Mouhartem 2018-02-02 16:09:02 +01:00
parent 664fa6ccd8
commit d6adc217eb
2 changed files with 21 additions and 13 deletions


@ -22,7 +22,7 @@ A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear comb
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}. We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
In the following, we work with $q$-ary lattices, for some prime $q$. In the following, we work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices} \begin{definition} \label{de:qary-lattices} \index{Lattices}
Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define Let~$m \geq n \geq 1$, a prime~$q \geq 2$, $\mathbf{A} \in \ZZ_q^{n \times m}$ and $\mathbf{u} \in \ZZ_q^n$, define
\begin{align*} \begin{align*}
\Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\ \Lambda_q(\mathbf{A}) & \triangleq \{ \mathbf{e} \in \ZZ^m \mid \exists \mathbf{s} \in \ZZ_q^n ~\text{ s.t. }~\mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q \} \text{ as well as}\\
@ -58,7 +58,7 @@ Which lead us to the $\SIVP$ problem, which is finding a set of sufficiently sho
As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively. As explained before, we will rely on the assumption that both algorithmic problems below are hard. Meaning that no (probabilistic) polynomial time algorithms can solve them with non-negligible probability and non-negligible advantage, respectively.
\begin{definition}[The SIS problem] \begin{definition}[The SIS problem] \label{de:sis} \index{Lattices!Short Integer Solution}
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$. The Short Integer
Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample Solution problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample
U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$
@ -68,7 +68,8 @@ As explained before, we will rely on the assumption that both algorithmic proble
If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as If~$q \geq \sqrt{n} \beta$ and~$m,\beta \leq \mathsf{poly}(n)$, then $\SIS_{n,m,q,\beta}$ is at least as hard as
standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$ standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with~$\gamma = \softO(\beta\sqrt{n})$
(see, e.g., \cite[Se.~9]{GPV08}). (see, e.g., \cite[Se.~9]{GPV08}).
\begin{definition}[The LWE problem]
\begin{definition}[The LWE problem] \label{de:lwe} \index{Lattices!Learning With Errors}
Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. Let $n,m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on~$\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s}, \chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T\cdot\mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish~$m$ samples chosen according to $\mathcal{A}_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.
\end{definition} \end{definition}
@ -84,7 +85,7 @@ given a sufficiently short basis of the lattice.
\begin{lemma}[{\cite[Le.~2.3]{BLP+13}}] \begin{lemma}[{\cite[Le.~2.3]{BLP+13}}]
\label{le:GPV} \label{le:GPV}
There exists a $\PPT$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a There exists a $\ppt$ (probabilistic polynomial-time) algorithm $\GPVSample$ that takes as inputs a
basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a basis~$\mathbf{B}$ of a lattice~$\Lambda \subseteq \ZZ^n$ and a
rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, rational~$\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$,
and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$. and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
@ -96,7 +97,7 @@ and outputs vectors~$\mathbf{b} \in L$ with distribution~$D_{L,\sigma}$.
\begin{lemma}[{\cite[Th.~3.2]{AP09}}] \begin{lemma}[{\cite[Th.~3.2]{AP09}}]
\label{le:TrapGen} \label{le:TrapGen}
There exists a $\PPT$ algorithm $\TrapGen$ that takes as inputs $1^n$, There exists a $\ppt$ algorithm $\TrapGen$ that takes as inputs $1^n$,
$1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and $1^m$ and an integer~$q \geq 2$ with~$m \geq \Omega(n \log q)$, and
outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a outputs a matrix~$\mathbf{A} \in \ZZ_q^{n \times m}$ and a
basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such basis~$\mathbf{T}_{\mathbf{A}}$ of~$\Lambda_q^{\perp}(\mathbf{A})$ such
@ -113,7 +114,7 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
submatrix is~$\mathbf{A}$. submatrix is~$\mathbf{A}$.
\begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis} \begin{lemma}[{\cite[Le.~3.2]{CHKP10}}]\label{lem:extbasis}
There exists a $\PPT$ algorithm $\ExtBasis$ that takes as inputs a There exists a $\ppt$ algorithm $\ExtBasis$ that takes as inputs a
matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns matrix~$\mathbf{B} \in \ZZ_q^{n \times m' }$ whose first~$m$ columns
span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$ span~$\ZZ_q^n$, and a basis~$\mathbf{T}_{\mathbf{A}}$
of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times of~$\Lambda_q^{\perp}(\mathbf{A})$ where~$\mathbf{A}$ is the left~$n \times
@ -126,7 +127,7 @@ submatrix is~$\mathbf{A}$.
an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting. an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler} \begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
There exists a $\PPT$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$, There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \| a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A \widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
\cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted \cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
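Review bot: The LWE definition hunk introduces the sample distribution as $A_{\mathbf{s}, \chi}$ and then asks to distinguish samples drawn from $\mathcal{A}_{\mathbf{s},\chi}$, so the newly indexed definition uses two names for the same object; pick one, e.g. `let $\mathcal{A}_{\mathbf{s}, \chi}$ be the distribution obtained by sampling`. In the same sentence $e$ is drawn from a distribution on $\mathbb{Z}$ but the pair is typed in $\mathbb{Z}_q^n \times \mathbb{Z}_q$, so writing the second component as `\mathbf{a}^T\cdot\mathbf{s} + e \bmod q`, as the $\Lambda_q$ definition in the first hunk does, makes the reduction explicit. The SIS definition is immediately followed by its worst-case hardness statement, whereas nothing of the kind appears for LWE inside this hunk; if the worst-case reduction for LWE is not stated after `\end{definition}`, a parallel sentence with the parameter regime and a citation would keep the two assumptions on equal footing. The definition closes within the hunk; the enclosing section continues outside it.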


@ -5,13 +5,13 @@
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round. Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}. Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
Multiple constructions and parameter sets coexist for pairings. Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}. Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of a classical assumption over pairings, namely $\SXDH$. In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of a classical assumption over pairings, namely $\SXDH$.
%\subsection{Bilinear maps} %\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$: A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)] \begin{enumerate}[\quad (i)]
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$. \item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
@ -22,17 +22,24 @@ In the following, we rely on the black-box definition of cryptographic pairings
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field. For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups. Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
%defined in Definition~\ref{de:DDH}.
defined as follows.
\begin{definition}[$\DDH$] \label{de:DDH} \begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$. Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
The DDH assumption is the intractability of the problem for any $\ppt$ algorithm.
Let us now define the $\DDH$ language as
$L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$
Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.
\end{definition} \end{definition}
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption. This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!Symmetric external Diffie-Hellman (SXDH)}
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$. The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition} \end{definition}
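Review bot: The sentence added at the end of the DDH definition, `Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.`, does not express the assumption: membership of a tuple in $L_\DDH$ is checkable in polynomial time given the witness $(a, b)$, so $L_\DDH \in \mathsf{NP} \subseteq \mathsf{PP}$ holds unconditionally, while DDH is an average-case indistinguishability statement rather than a worst-case complexity-class one. I would replace it with `Thus the $\DDH$ assumption states that, for uniform $a, b, c \in \Zp$, no $\ppt$ algorithm distinguishes $(g, g^a, g^b, g^{ab}) \in L_\DDH$ from $(g, g^a, g^b, g^c)$ with non-negligible advantage.` The problem statement a few lines earlier also lets $c$ be "sampled uniformly in $\GG$" although $c$ is an exponent; `if $c$ is sampled uniformly in $\Zp$` matches the language just defined. In the first hunk of this file, `Real-world implementation are` should read `Real-world implementations are`.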