Conclusion

Fabrice Mouhartem 2018-06-20 19:30:15 +02:00
parent c2acf57040
commit e123fa3683


@ -38,7 +38,7 @@ Then, the main difficulty is to have zero-knowledge proofs compatible with the a
Our adaptive oblivious transfer scheme relies on zero-knowledge proofs to hedge against malicious adversaries.
The security proofs take advantage of the fact that the proofs can be rewound to extract a witness (as described in~\cref{de:pok}).
The Peikert-Vaikuntanathan-Waters~\cite{PVW08} construction, based on dual-mode encryption, achieves $1$-out-of-$2$ composable oblivious transfer (which can be generalized to $1$-out-of-$2^t$ OT), without relying on zero-knowledge proofs, but it does not implies OT with adaptive queries (i.e., where each index $\rho_i$ may depend on previous transfers $\rho_1, \ldots, \rho_{i-1}$).
The Peikert-Vaikuntanathan-Waters~\cite{PVW08} construction, based on dual-mode encryption, achieves $1$-out-of-$2$ composable oblivious transfer (which can be generalized to $1$-out-of-$2^t$ OT), without relying on zero-knowledge proofs, but it does not implies OT with adaptive queries (i.e., where each index $\rho_i$ may depend on messages received in previous transfers).
Actually, the use of $\ZK$ proofs is not impossible in this setting, as shown by the pairing-based construction of Green and Hohenberger~\cite{GH08}.
However, this protocol uses the trapdoor extractability of Groth-Sahai proofs~\cite{GS08} to achieve straight-line extraction. It is not known to be possible in the lattice setting.
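Review bot: the rewritten sentence on the PVW construction still carries the grammatical error "it does not implies OT with adaptive queries"; since this line is already being touched, change it to "it does not imply OT with adaptive queries". Two smaller points in the same hunk's context: "the use of $\ZK$ proofs is not impossible in this setting" reads as the opposite of what the following sentence argues (Green and Hohenberger do use Groth-Sahai proofs, so the point is that proofs with straight-line extraction are possible in the adaptive setting), and the "It" in "It is not known to be possible in the lattice setting" should name its subject, e.g. "Such straight-line extraction is not known to be possible in the lattice setting."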
@ -48,7 +48,7 @@ However, this protocol uses the trapdoor extractability of Groth-Sahai proofs~\c
Another privacy-preserving primitive is compact e-cash~\cite{Cha82,Cha83,CHL05a}. As explained in the introduction, it is the digital equivalent of real-life money.
A body of research followed its introduction~\cite{CFN88,OO91,CP92,FY93,Oka95,Tsi97}, and the first compact realization was given by Camenisch, Hohenberger and Lysyanskaya~\cite{CHL05a} (``compact'' means that the complexity of coin transfers is at most logarithmic in the value of withdrawn wallets).
Before the work of Libert, Ling, Nguyen and Wang~\cite{LLNW17}, all compact construction were based on discrete-logarithm-based technique.
Before the work of Libert, Ling, Nguyen and Wang~\cite{LLNW17}, all compact constructions were based on discrete-logarithm-based technique.
This construction still suffers from efficiency issues akin to the problem we met in this thesis.
It is thus interesting to improve the efficiency of this scheme and obtain viable constructions of anonymous e-cash from post-quantum assumptions.
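Review bot: the fix to "all compact constructions were" leaves the end of the same sentence mismatched in number; "discrete-logarithm-based technique" should become "discrete-logarithm-based techniques" (or "discrete-logarithm-based tools") so the whole line agrees. The next sentence, "akin to the problem we met in this thesis", would also read better as "akin to those we met in this thesis", since "efficiency issues" is plural.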
@ -73,7 +73,7 @@ This turns out to be a real bottleneck in the efficiency of such proof systems.
This question can be restated as ``can we combine the expressivity of Stern-like proofs with the efficiency of Schnorr-like proof with rejection sampling?''.
For Stern-like proofs, decreasing the soundness error from $2/3$ to $1/2$ would already be an interesting improvements with a direct impact on all lattice-based schemes presented in this thesis.
Recall that \textit{soundness error} is the probability that a cheating prover convinces an honest verifier of a false statement. As long as it is noticeably different from $1$, it is possible to make the soundness negligible by repeating the protocol.
Recall that \textit{soundness error} is the probability that a cheating prover convinces an honest verifier of a false statement. As long as it is noticeably different from $1$, it is possible to make the soundness error negligible by repeating the protocol a sufficient number of times.
Likewise, isogeny-based proof systems~\cite{JDF11,GPS17} suffer from similar issues as the challenge space is small (binary).
The $2/3$ soundness error is also present in~\cite{IKOS07},
which is a technique to obtain zero-knowledge proofs relying on secure multi-party computation.
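Review bot: the reworded soundness-error sentence is correct as changed, but the preceding line in the same hunk still says "would already be an interesting improvements", which should be "an interesting improvement"; and "Schnorr-like proof with rejection sampling" should be plural ("Schnorr-like proofs") to parallel "Stern-like proofs" in the same quoted question. Consider also splitting the last sentence so that "~\cite{IKOS07}" is not separated from its description across a line break: "The $2/3$ soundness error is also present in~\cite{IKOS07}, a technique to obtain zero-knowledge proofs from secure multi-party computation."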