fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chap: -> ch:

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-02-16 15:54:03 +01:00
parent 4521358a63
commit df47d3b441
3 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
chap-proofs.tex
View File

@ -1,4 +1,4 @@
\chapter{Security Proofs in Cryptography} \label{chap:proofs}
\chapter{Security Proofs in Cryptography} \label{ch:proofs}
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
To illustrate this notion, let us take the example of public-key encryption schemes.
@ -111,7 +111,7 @@ an attack is successful if the probability that it succeed is noticeable.
Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}.
The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}.
Nevertheless, some notions are common to these and are evoked here.
The confidence one can put in a hardness assumption depends on many criteria.

2
chap-structures.tex
View File

@ -1,5 +1,5 @@
\chapter{Underlying Structures}
\label{chap:structures}
\label{ch:structures}
In the previous chapter, we saw that theoretical cryptography has to rely on \emph{computational hardness assumptions}.
Beside \emph{information theory-base cryptography}, most hardness assumptions are built on top of algebraic structures.

16
sec-lattices.tex
View File

@ -3,10 +3,14 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
During the last decade, lattice-based cryptography has emerged as a promising candidate for post-quantum cryptography.
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}. Lattice-based cryptography takes advantage of a simple mathematical structure (the lattices) in order to provide beyond encryption and signature cryptography. For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
For example, on the first round of the NIST post-quantum competition, there are 28 out of 82 submissions from lattice-based cryptography~\cite{NIS17}.
Lattice-based cryptography takes advantage of a simple mathematical structure, the so-called lattices, in order to provide beyond encryption and signature cryptography.
For instance, fully homomorphic encryption~\cite{Gen09,GSW13} are only possible in the lattice-based world for now.
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12}.
Worst-case lattice problems have been extensively studied in the last past years~\cite{ADRS15,HK17}.
In the context of provable security, lattice assumptions benefits from a worst-case to average-case reduction~\cite{Reg05,GPV08,MP12,AFG14}.
Concurrently, worst-case lattice problems have been extensively analysed in the last decade~\cite{ADS15,ADRS15,HK17}, both classically and quantumly.
This gives us a good confidence in the lattice-based assumptions (given the \emph{caveats} of Chapter~\ref{ch:proofs}) such as Learning with Errors ($\LWE$) and Short Integer Solutions ($\SIS$) that are defined in Section~\ref{sse:lattice-problems}. The rest of this section will describe some useful algorithms that relies on \emph{lattice trapdoors}.
\subsection{Lattices and Hard Lattice Problems}
\label{sse:lattice-problems}
@ -18,8 +22,8 @@ Worst-case lattice problems have been extensively studied in the last past years
\label{fig:lattice-basis}
\end{figure}
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i)_{i\leq n}$ belonging to some~$\RR^n_{}$.
We can notice that this basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
A (full-rank) lattice~$\Lambda$ is defined as the set of all integer linear combinations of some linearly independent basis vectors~$(\mathbf{b}_i^{})^{}_{1\leq i \leq n}$ belonging to some~$\RR^n_{}$.
A lattice's basis is not unique, as illustrated in Figure~\ref{fig:lattice-basis}.
In the following, we work with $q$-ary lattices, for some prime $q$.
\begin{definition} \label{de:qary-lattices} \index{Lattices}
@ -40,7 +44,7 @@ The discrete Gaussian distribution of support~$L$, parameter~$\sigma$ and center
$D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y})/\rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$.
We denote by $D_{L,\sigma }(\mathbf{y}) $ the distribution centered in $\mathbf{c}=\mathbf{0}$.
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``wost-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
In order to work with lattices in cryptography, it is useful to define hard lattice problems. In the following we define the shortest Independent Vectors Problem~($\SIVP$). This problem reduces to the Learning With Errors ($\LWE$) problems and the Short Integer Solution~($\SIS$) problem as explained later. These links are important because those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to build new cryptographic designs, while the $\LWE$ and $\SIS$ assumptions are ``average-case'' assumptions, are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).