From fe6e5a653434e8b2c36e14f0dd282831dc89f2e7 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 15 Jun 2018 18:26:49 +0200 Subject: [PATCH] Intro --- chap-introduction.tex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chap-introduction.tex b/chap-introduction.tex index c531ff6..57b0412 100644 --- a/chap-introduction.tex +++ b/chap-introduction.tex @@ -115,7 +115,7 @@ The core difference with number-theoretic cryptography, such as discrete-logarit From this geometry rises some problems that are believed to withstand a quantum computer. Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}. -One property that makes lattice-based cryptography so versatile is the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12} as we will explain in~\cref{sse:lattice-trapdoors}. +Versatility of lattice-based cryptography is possible through the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12}, as we explain in~\cref{sse:lattice-trapdoors}. Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis. Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$. An example of use for this last property is the Boyen signature scheme~\cite{Boy10}. @@ -124,7 +124,7 @@ Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short ve Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery). Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}. -Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions. +Given that we provides the first lattice-based construction for the scheme we present, we did focus on providing provably-secure scheme under simple assumption. \section{Our Results} @@ -202,7 +202,7 @@ During the transfer phase, the user demonstrates, in a zero-knowledge manner, po The only information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain. To achieve this, an important property is the expressiveness of such attribute system. -In other words, the system should be able to handle complex attribute policies while keeping time and memory consumption reasonable\footnote{\textit{Reasonable} here means (probabilistic) polynomial time}. +In other words, the system should be able to handle complex attribute policies while keeping time and memory consumption reasonable\footnote{Here, ``\textit{reasonable}'' means (probabilistic) polynomial time}. In this thesis, we propose in~\cref{ch:ot-lwe} a zero-knowledge protocol to efficiently treat any access policy that can be described with a logarithmic depth boolean circuit based on lattices, also known as $\mathsf{NC}1$. In the context of adaptive oblivious transfer with access control, most of the schemes (based on pairing assumptions) manage to handle the case of conjunctions under reasonable assumptions. Under strong assumptions, however, the case of $\mathsf{NC}1$ can be taken care of.