This commit is contained in:
Fabrice Mouhartem 2018-06-15 18:26:49 +02:00
parent 7a50ab1ab5
commit fe6e5a6534

@ -115,7 +115,7 @@ The core difference with number-theoretic cryptography, such as discrete-logarit
From this geometry rises some problems that are believed to withstand a quantum computer. From this geometry rises some problems that are believed to withstand a quantum computer.
Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}. Despite this apparently simple structure, some constructions are only known, as of today, to be possible under lattice assumptions, such as fully-homomorphic encryption~\cite{Gen09,GSW13}.
One property that makes lattice-based cryptography so versatile is the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12} as we will explain in~\cref{sse:lattice-trapdoors}. Versatility of lattice-based cryptography is possible through the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12}, as we explain in~\cref{sse:lattice-trapdoors}.
Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis. Informally, the knowledge of a short basis for a lattice allows sampling short vectors, which is believed to be hard without knowing such a short basis.
Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$. Furthermore, knowing such a short basis for a lattice described by $\mathbf{A} \in \ZZ_q^{n \times m}$ permits to generate a short basis for a superlattice generated by $[ \mathbf{A} \mid \mathbf{B}] \in \ZZ_q^{n \times m'}$.
An example of use for this last property is the Boyen signature scheme~\cite{Boy10}. An example of use for this last property is the Boyen signature scheme~\cite{Boy10}.
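Review bot: the rewritten sentence on the `One property that makes lattice-based cryptography so versatile` line reads less naturally than the original; `Versatility of lattice-based cryptography is possible through the existence of lattice trapdoors` drops the article and weakens the causal link the original made. Suggest `The versatility of lattice-based cryptography largely stems from the existence of lattice trapdoors~\cite{GPV08,CHKP10,MP12}, as we explain in~\cref{sse:lattice-trapdoors}.` Two grammar nits in the unchanged context of this hunk could ride along in the same commit: `From this geometry rises some problems` needs a plural verb, `From this geometry arise some problems`, and `permits to generate a short basis` is not idiomatic English; `makes it possible to generate a short basis` (or `permits generating`) reads correctly.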
@ -124,7 +124,7 @@ Hence, knowing a trapdoor for $\mathbf A$ makes the computation of this short ve
Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery). Indeed, some extra care have to be taken to avoid multiplicative attacks (if a signature is too short, doubling this signature may lead to a forgery).
Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}. Still, the use of lattice trapdoors comes at a price, and it significantly decreases the efficiency of cryptographic designs that use them~\cite{Lyu12,LLNW16}.
Given that we provides the first lattice-based construction for the scheme we present, we were focusing on providing them under simple assumptions. Given that we provides the first lattice-based construction for the scheme we present, we did focus on providing provably-secure scheme under simple assumption.
\section{Our Results} \section{Our Results}
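Review bot: the rewritten `Given that we provides` line keeps the grammar error it was presumably meant to fix and introduces new ones: `we provides` should be `we provide`, `we did focus` is an odd emphatic form (`we focused` suffices), and `providing provably-secure scheme under simple assumption` needs plurals and no hyphen after the adverb, `providing provably secure schemes under simple assumptions`. A possible reading of the whole sentence: `Given that we provide the first lattice-based construction of the scheme we present, we focused on proving it secure under simple assumptions.` In the unchanged context of this hunk, `some extra care have to be taken` should read `some extra care has to be taken`, since `care` is uncountable here.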
@ -202,7 +202,7 @@ During the transfer phase, the user demonstrates, in a zero-knowledge manner, po
The only information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain. The only information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain.
To achieve this, an important property is the expressiveness of such attribute system. To achieve this, an important property is the expressiveness of such attribute system.
In other words, the system should be able to handle complex attribute policies while keeping time and memory consumption reasonable\footnote{\textit{Reasonable} here means (probabilistic) polynomial time}. In other words, the system should be able to handle complex attribute policies while keeping time and memory consumption reasonable\footnote{Here, ``\textit{reasonable}'' means (probabilistic) polynomial time}.
In this thesis, we propose in~\cref{ch:ot-lwe} a zero-knowledge protocol to efficiently treat any access policy that can be described with a logarithmic depth boolean circuit based on lattices, also known as $\mathsf{NC}1$. In this thesis, we propose in~\cref{ch:ot-lwe} a zero-knowledge protocol to efficiently treat any access policy that can be described with a logarithmic depth boolean circuit based on lattices, also known as $\mathsf{NC}1$.
In the context of adaptive oblivious transfer with access control, most of the schemes (based on pairing assumptions) manage to handle the case of conjunctions under reasonable assumptions. Under strong assumptions, however, the case of $\mathsf{NC}1$ can be taken care of. In the context of adaptive oblivious transfer with access control, most of the schemes (based on pairing assumptions) manage to handle the case of conjunctions under reasonable assumptions. Under strong assumptions, however, the case of $\mathsf{NC}1$ can be taken care of.
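Review bot: the new footnote on the `In other words, the system should be able to handle complex attribute policies` line is clearer than the old one but still lacks a terminal period; suggest `\footnote{Here, ``\textit{reasonable}'' means (probabilistic) polynomial time.}`. Two further points in the context of this hunk: `$\mathsf{NC}1$` appears twice and should be `$\mathsf{NC}^1$`, the standard notation for the class of logarithmic-depth, polynomial-size circuits, and in `a logarithmic depth boolean circuit based on lattices` the qualifier `based on lattices` attaches to the circuit rather than to the protocol, so rephrase along the lines of `a lattice-based zero-knowledge protocol to efficiently handle any access policy that can be described by a logarithmic-depth boolean circuit, i.e. the class $\mathsf{NC}^1$`. Finally, `such attribute system` on the preceding line should be `such an attribute system`.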