thesis/chap-conclusion.tex

\begin{comment}
\section %hack for vim-latexsuite
\end{comment}

In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.

In pairing-based cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements which exist for more than ten years.
This work is also supported by an implementation in \texttt{C}.

Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.

In the way of doing it, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.

All these works are proven under strong security model within simple assumptions.
This made a breeding ground for new theoretical constructions, as well as going toward practicality.

\section*{Open Problems}

The path of providing new cryptographic primitives and proving them is disseminated with pitfalls.
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.

\begin{question}
  Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}

In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.

\subsection*{Zero-Knowledge Proofs}

\begin{question}
  Can we provide NIZK proofs in the standard model for all $\NP$ languages relying on standard $\LWE$ assumption only?
\end{question}

Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).

The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.

\begin{question}
  Is it possible to construct zero-knowledge protocols for average-case problems that take advantage of the geometry of lattices?
\end{question}

As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$\LWE$ rely either on the additional structure lying in special families of lattices, or on the combinatorial nature of representations of lattices in terms of matrices.
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.

As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:

\subsection*{Cryptographic Constructions}

\begin{question}
  Does a trapdoor-free (H)IBE exists?
\end{question}

For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.

\begin{question}
  Can we achieve better security proofs for cryptographic schemes?
\end{question}

Our work during this thesis also focuses on the security proofs of cryptographic schemes.
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.