Corrections chap-structures

2018-06-12 14:16:01 +02:00
parent 71e9abec4c
commit efde1d281b
3 changed files with 52 additions and 54 deletions


@ -2,13 +2,13 @@
% \section{Pairing-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{BBS04}.
Pairing-based cryptography was introduced by Sakai, Ohgishi and Kasahara~\cite{SOK00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signatures~\cite{BBS04}.
Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis requires to reassess the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of classical constant-size assumptions over pairings, namely $\SXDH$ and $\SDL$.
The notations $1_{\GG}^{}$, $1_{\Gh}^{}$ and $1_{\GT}^{}$ denote the unit element in $\GG$, $\Gh$ and $\GT$ respectively.
In the following, we adopt black-box definitions of cryptographic pairings as bilinear maps, and on the assumed hardness of classical constant-size assumptions over pairing-friendly groups, namely $\SXDH$ and $\SDL$.
The notations $1_{\GG}^{}$, $1_{\Gh}^{}$ and $1_{\GT}^{}$ denote the identity elements in $\GG$, $\Gh$ and $\GT$ respectively.
\begin{restatable}[Pairings~\cite{BSS05}]{definition}{defPairings} \label{de:pairings} \index{Pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
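Review bot: in the added sentence "we adopt black-box definitions of cryptographic pairings as bilinear maps, and on the assumed hardness of ...", the second clause lost its verb when "rely on" became "adopt"; write "and rely on the assumed hardness of ..." or restructure the sentence. In the same hunk, "Real-world implementation are" and "advances in cryptanalysis requires to reassess" still have agreement errors ("implementations are", "advances ... require reassessing"), and "many constructions have been proposed for cryptographic constructions" repeats itself. The first added line now credits \cite{SOK00} while keeping the clause "to generalize Diffie-Hellman key exchange to three users in one round" that the removed line attached to \cite{Jou00}; confirm that the clause describes the newly cited work, or cite both.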
@ -19,14 +19,11 @@ The notations $1_{\GG}^{}$, $1_{\Gh}^{}$ and $1_{\GT}^{}$ denote the unit elemen
\end{enumerate}
\end{restatable}
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
For cryptographic purposes, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
The most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
described in \cref{de:DDH} and recalled here.
\defDDH*
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
described in \cref{de:DDH}.
This hypothesis is used to defined the $\SXDH$ assumption~\cite{Sco02} as follows.
\begin{restatable}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]{definition}{defSXDH} \index{Pairings!SXDH} \label{de:SXDH}
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
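Review bot: the added sentence "This hypothesis is used to defined the $\SXDH$ assumption" keeps the typo from the line it replaces; it should read "used to define". With \defDDH* removed, "This hypothesis" has no definition directly before it to point at, so naming $\DDH$ explicitly would make the reference unambiguous. The sentence also cites \cite{Sco02} for $\SXDH$ while the definition header just below cites \cite[As.~1]{BGdMM05}; say which reference plays which role, or use one consistently.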
@ -34,13 +31,13 @@ This hypothesis, from which the Diffie-Hellman key exchange relies its security
The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\Gh$ are written $\advantage{\DDH}{\GG}$ and $\advantage{\DDH}{\Gh}$ respectively. Both of those quantities are assumed negligible under the $\SXDH$ assumption.
In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
In \cref{ch:sigmasig}, the security of our group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of the number of queries made py the adversary or any feature (e.g., the maximal number of users) of the system, and is non-interactive, in the sense that it does not involve any oracle.
This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
This gives us stronger confidente in the security of schemes proven under this kind of assumptions.
For instance, Cheon gave an attack against the $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
In the aforementioned chapter, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
In \cref{ch:sigmasig}, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
\begin{restatable}[$\SDL$]{definition}{defSDL}
\label{de:SDL} \index{Pairings!SDL}
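Review bot: the added lines introduce two typos, "made py the adversary" (should be "by") and "stronger confidente" (should be "confidence"). "Diffie-Hellmann" in the Cheon sentence is carried over with the double "n" and should be "Diffie-Hellman", and "this kind of assumptions" reads better as "this kind of assumption". The new wording for "static" is clearer than the old "independent of any parameters", but "any feature (e.g., the maximal number of users) of the system" would read more easily as "any feature of the system (e.g., the maximal number of users)".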
@ -49,4 +46,4 @@ In the aforementioned chapter, we also rely on the following assumption, which g
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{restatable}
This assumption is also static and non-interactive.
Like $\SXDH$, this assumption is also static (i.e., constant-size) and non-interactive.
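Review bot: "Like $\SXDH$, this assumption is also static" states the comparison twice; drop "also". The gloss "(i.e., constant-size)" is useful, but "static" was already explained after the $\SXDH$ definition in terms of independence from the number of queries and system features, so consider using the same wording in both places or introducing "constant-size" there.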